PG&E denies any wrongdoing, says it was only a test server.
MacKeeper security researcher Chris Vickery, the scourge of all companies that run unprotected MongoDB databases, revealed yesterday another case of such a server, this time exposing sensitive data from energy sector giant Pacific Gas and Electric (PG&E).
Vickery says that, sometime last week, he discovered a MongoDB server exposed to the Internet with no administrator account password.
Further investigation revealed to him that the server belonged to PG&E and that the data inside was typical of asset management systems: central hubs where network and system administrators keep a repository of information about hardware equipment and software programs.
Such servers are regularly found in large-scale businesses, where the number of computers can overwhelm even the best sysadmin.
Server contained details of PG&E IT network
Vickery claims that this server contained details about over 47,000 computers from PG&E’s network. This included regular PCs, virtual machines, servers, and all sorts of other devices and equipment.
Looking closer at the data, Vickery said he discovered the typical details you’d expect to find in an asset management system, such as IP addresses, MAC addresses, OS versions, hostnames, physical locations, and hashed and cleartext passwords for various PG&E employees.
As you can imagine, and as Vickery pointed out, this data can be a treasure trove of information for any private or nation-backed cyber-espionage group.
Researcher willing to make data available to US authorities
After the researcher told PG&E about the exposed server last Thursday, the company took it down and immediately told Vickery it was only a test server with fake data.
“Fictitious databases do not generally have areas specifically marked development, production, and enterprise,” Vickery replied to PG&E’s explanation. “Fictitious databases do not generally have over 688,000 unique log record entries. This database did.”
The researcher says he currently has a copy of the database on hand, and he’ll be willing to provide it to the US Department of Homeland Security for analysis, just in case a state-sponsored group also managed to download this “fake” data.
Unlike other databases Vickery discovered in the past, the PG&E instance is of greater importance because the DHS considers any company from the energy sector as part of the country’s “critical infrastructure” and will open an inquiry if alerted.