Connect with us

Incorrectly configured Apache Airflow servers leaked thousands of credentials

Published

on

The most common cause of credential leaks was unsafe encoding methods.

Specialists from the information security company Intezer discovered Incorrect configuration settings in the popular open source workflow management platform Apache Airflow. The errors have leaked sensitive information, including thousands of credentials from popular platforms and services such as Slack, PayPal, and Amazon Web Services (AWS).

In the various scenarios analyzed by the researchers, the most common cause of credential leaks was unsafe coding techniques. For example, the Intezer team found various production installations with embedded passwords inside Python DAG code.

In another misconfiguration case, researchers found Airflow servers with a publicly available configuration file. The configuration file (airflow.cfg) is created the first time you start Airflow. It contains Airflow configuration as well as passwords and keys. If the expose_config parameter in the file is mistakenly set to True, the configuration is made available to all users through the web server, which can now view secrets.

Other examples include sensitive data stored in Airflow Variables that can be edited by an unauthorized user to inject malicious code, and misuse of the Connections feature, credentials are stored in an unencrypted Extra field as JSON blobs.

The vast majority of issues were found on servers running Airflow v1.x from 2015, which are still in use by organizations across all sectors.

Airflow 2 introduced many new security features, including a REST API that requires authentication for all operations. The newer version also does not store sensitive information in the logs and forces the administrator to explicitly confirm the configuration settings rather than using the default settings.

Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

Security

Europol detains 150 merchants on the darknet

Published

on

26.7 million euros in cash, 230 kilograms of drugs and 45 weapons were seized from the detainees.

Europol conducted an international special operation against sellers and buyers in underground markets on the darknet, informs Deutsche Welle portal.

On suspicion of trafficking in illegal goods on the darknet, 150 people were arrested around the world, 26.7 million euros in cash, 230 kilograms of drugs and 45 weapons were seized from them. Among the confiscated drugs were 152 kg of amphetamines, 27 kg of opiates and more than 25 thousand tablets of the synthetic drug “Ecstasy”.

Most of the detainees are citizens of the United States (65 people), Germany (47) and the United Kingdom (24). Also on the list are Dutch nationals (4), French citizens (3), two people from Switzerland and one Bulgarian. Almost all were big sellers on DarkMarket, which Europol disclosed earlier this year.

At the moment, investigative measures are underway in a number of European countries. In which ones, the representative of Europol did not say.

Continue Reading

Security

Zuckerberg: Facebook fell victim to defamation

Published

on

American businessman Mark Zuckerberg has denounced a series of investigations called “The Facebook Dossier”

Facebook CEO Mark Zuckerberg responded to accusations against his company from the world’s leading media. According to him, the social network is doing everything it can to get better. The company has a massive renovation plan worth tens of billions of dollars.

What is happening is slander and a distorted picture. So the head of Facebook, Mark Zuckerberg, commented on the published archive of the social network. In October, 17 US media outlets published internal company documents – the so-called Facebook Papers – which may indicate the spread of fakes and that the company is neglecting the principles of free speech and equality. The documents were submitted to the press by a former employee of the company, Frances Haugen. She has previously testified publicly in the US Congress and the British Parliament about Facebook’s internal corporate rules.

Mark Zuckerberg noted that conscientious criticism helps you improve. However, what is happening now is a coordinated effort to selectively use current documentation to present a distorted picture of Facebook.

Zuckerberg is confident that organizations should not independently decide all questions about their media policy. Sometimes government regulation is needed. When making decisions, he said, it is important to balance between free speech, social justice, reducing harmful content, or between helping law enforcement and enforcing encryption for privacy.

Zuckerberg also made a few more statements. In particular, he said that the social network Facebook has invested more than $ 5 billion this year in user security and called the tools developed by the company to combat malicious content the best in the industry. In addition, he pointed out that Facebook will invest tens of billions of dollars in virtual reality technologies in the coming years.

Continue Reading

Security

Hackers Cry Too: BlackMatter Closed Its Portal Due to Inflow of Insults

Published

on

Authorization data on the BlackMatter negotiation portal has leaked to the public.

Online-persecution of cybercriminal groups could lead to toughening of their policies for publishing data stolen from victims, experts from the information security company Emsisoft say.

Earlier this month, ransomware operators Conti threatened to disrupt the ransom negotiations if someone who is not a “respected journalist or researcher” posts a screenshot of the negotiations.

As a rule, screenshots of negotiations are uploaded to the public by unauthorized users who, out of curiosity, log in to the portals where negotiations are taking place.

This is exactly what happened with the portal of the BlackMatter grouping (presumably being reborn under the new name DarkSide). Credentials for authorization on the portal (usually indicated in a ransom note) were made publicly available, as a result of which a wave of violent insults fell on the criminals. As a result, BlackMatter was forced to shut down its portal.

How noted Emsisoft CTO Fabian Wosar, while actions like these help victims and sympathizers let off steam and seemingly take revenge, shutting down the platform also means that security researchers are deprived of one of the most valuable tools of communication with victims of ransomware.

Ransomware groups rely on the media and social media to put pressure on victims, and public opinion is very important to them. However, experts are concerned about such publicity of the ransomware. In particular, decryptors are of great concern to Emsisoft experts. When it becomes known that ransomware contains a vulnerability that allows victims to decrypt their files without paying a ransom, its operators fix the vulnerability. This vulnerability was present in DarkSide, allowing Emsisoft to secretly decrypt victims’ files.

The vulnerability was discovered in December 2020, and was fixed on January 12, the day after the publication of a free decryptor from the information security company Bitdefender, which also discovered this vulnerability.

As it turned out, having revived under the name BlackMatter, the DarkSide group made the same technical mistake again.

“We were surprised when BlackMatter made changes to its ransomware that again allowed victims to recover their data without falling ransom,” said Vosar. Now that the BlackMatter portal is down, Emsisoft can no longer help victims of the ransomware recover their files without paying the ransom.

Continue Reading

Most Popular