Critical Infrastructure Security , Governance & Risk Management , IT Risk Management

US Physics Laboratory Exposed Documents, Credentials

Fermilab Particle Accelerator Has Fixed Exposed Ports, Services
US Physics Laboratory Exposed Documents, Credentials
MICE single cavity test stand at Fermilab (Photo: U.S. Department of Energy via Wikipedia/CC)

The Fermilab physics laboratory in the U.S. has tidied up its systems after security researchers found weaknesses exposing documents, proprietary applications, personal information, project details and credentials.

See Also: OnDemand | Cyber Resiliency: The Building Blocks for transforming Australia’s Enterprise Security and Risk Management

The findings were released on Thursday by Robert Willis, John Jackson and Jackson Henry of Sakura Samarai, a collaborative group of security researchers.

Fermilab, which is part of the U.S. Department of Energy, is a world-famous particle accelerator and physics laboratory in Batavia, Illinois.

Willis, who wrote a blog post about the group's findings, tells Information Security Media Group that he sees poor security controls often on government sites, but the group's findings with Fermilab were surprising given the sensitive work the lab does.

Fermilab's security issues could have made it a target for ransomware operators, who have been on a yearslong rampage. "It's a real possibility that with the access we had, ransomware could have been dropped on the network and equipment," Willis says.

Sakura Samurai avoided downloading or opening documents, but it was clear the lab was unintentionally exposing loads of information. One database the researchers discovered allowed unauthenticated access to 5,795 documents and 53,685 file entries.

"We stopped once we discovered/validated one of the server's credentials," Willis says. "We didn’t continue because we had enough evidence and wanted to quickly get the report together with multiple findings so they could be fixed as soon as possible."

In statement, the physics laboratory notes: "Fermilab makes the data described in the article publicly accessible to researchers in support of our worldwide collaboration in open science. Fermilab takes all reports of potential cybersecurity vulnerabilities seriously, and we are continuing to review the matter."

Exposed Data

The researchers enumerated Fermilab's subdomains by using Amass and then hunted for open directories using dirsearch and Nmap to discover open ports and enumerate services, Willis writes in his blog post. Those probes revealed multiple entry points, Willis writes.

One entry point led into Fermilab's IT ticketing system, which displayed 4,500 trouble tickets. Viewing the ticketing system revealed project names as well as configuration data and communication information. Clicking on any person in the system who had been assigned a ticket revealed their email address and title.

"In addition, many of the tickets had file attachments with sensitive information," Willis writes.

A redacted view of Fermilab's IT ticketing system (Source: Sakura Samurai)

The researchers also found credentials to run a physical trolley that is part of a Fermilab Muon g-2 experiment.

An excerpt from a manual on how to run a trolley at Fermilab (Source: Sakura Samurai)

Another discovery was a FTP server that required no password and allowed anyone to log in anonymously. The server contained data for internal applications, Willis writes, including configuration data for Fermilab’s NOvA Project, which studies neutrinos.

Within NOvA's files was one called "tomcat_tomcat_NULL.tar.gz" that contained Tomcat credentials. Those proved to be valid, and the researchers stopped pushing any further, as Willis humorously notes: "Knowing the target was Fermilab, we didn’t want to accidentally cause the creation of a black hole by touching the wrong thing."

The researchers found exposed credentials for a Tomcat server. (Source: Sakura Samurai)

On yet another part of the system, the researchers found that part of a web application exposed full names, emails, user IDs and the security workgroups and assigned login groups as well as documents.

Another one of Fermilab's subdomains also revealed credentials, Willis writes.

"One of Fermilabs’ subdomains was identified as an internal Electronic Logbook system used to communicate project data and analysis logbook entries," he writes. "Using the 'Words' filter query, we were able to identify service passwords and the IPs the services were hosted on. It’s never a good idea to put IPs and their credentials in an open log book."

Fermilab was quick to respond to the group's findings. "The time from initial contact to their validation and impact analysis to remediation was less than two weeks," Willis says.

About the Author

Jeremy Kirk

Jeremy Kirk

Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.