When Your Employees Post Passwords Online
Security Bot last edited by
Storing passwords in plaintext online is never a good idea, but it’s remarkable how many companies have employees who are doing just that using online collaboration tools like Trello.com. Last week, KrebsOnSecurity notified a host of companies that employees were using Trello to share passwords for sensitive internal resources. Those put at risk by such activity included an insurance firm, a state government agency and ride-hailing service Uber.com.
By default, Trello boards for both enterprise and personal use are set to either private (requires a password to view the content) or team-visible only (approved members of the collaboration team can view).
But that doesn’t stop individual Trello users from manually sharing personal boards that include proprietary employer data, information that may be indexed by search engines and available to anyone with a Web browser. And unfortunately for organizations, far too many employees are posting sensitive internal passwords and other resources on their own personal Trello boards that are left open and exposed online.
A personal Trello board created by an Uber employee included passwords that might have exposed sensitive internal company operations.
KrebsOnSecurity spent the past week using Google to discover unprotected personal Trello boards that listed employer passwords and other sensitive data. Pictured above was a personal board set up by some Uber developers in the company’s Asia-Pacific region, which included passwords needed to view a host of internal Google Documents and images.
Uber spokesperson Melanie Ensign said the Trello board in question was made private shortly after being notified by this publication, among others.
“We had a handful of members in random parts of the world who didn’t realize they were openly sharing this information,” Ensign said. “We’ve reached out to these teams to remind people that these things need to happen behind internal resources. Employee awareness is an ongoing challenge, but so far we haven’t found any user data on any of the exposed boards. We may have dodged a bullet here, and it definitely could have been worse.”
Ensign said the initial report about the exposed board came through the company’s bug bounty program, and that the person who reported it would receive at least the minimum bounty amount — $500 — for reporting the incident (Uber hasn’t yet decided whether the award should be higher for this incident).
The Uber employees who created the board “used their work email to open a public board that they weren’t supposed to,” Ensign said. “They didn’t go through our enterprise account to create that. We first found out about it through our bug bounty program, and while it’s not technically a vulnerability in our products, it’s certainly something that we would pay for anyway. In this case, we got multiple reports about the same thing, but we always pay the first report we get.”
Of course, not every company has a bug bounty program to incentivize the discovery and private reporting of internal resources that may be inadvertently exposed online.
Screenshots that KrebsOnSecurity took of many far more shocking examples of employees posting dozens of passwords for sensitive internal resources are not pictured here because the affected parties still have not responded to alerts provided by this author.
Trello is one of many online collaboration tools made by Atlassian Corporation PLC, a technology company based in Sydney, Australia. Trello co-founder Michael Pryor said Trello boards are set to private by default and must be manually changed to public by the user.
“We strive to make sure public boards are being created intentionally and have built in safeguards to confirm the intention of a user before they make a board publicly visible,” Pryor said. “Additionally, visibility settings are displayed persistently on the top of every board.”
If a board is Team Visible it means any members of that team can view, join, and edit cards. If a board is Private, only members of that specific board can see it. If a board is Public, anyone with the link to the board can see it.
A Trello spokesperson said the privacy changes were made to bring the company’s policies in line with new EU privacy laws that come into enforcement later this month. The spokesperson also clarified that Trello’s enterprise features allow enterprise admins to control the security and permissions around a work account an employee may have created before the enterprise product was purchased.
Uber spokesperson Ensign called the changes welcome.
“As a result companies will have more security control over Trello boards created by current/former employees and contractors, so we’re happy to see the change,” she said.
Make ISO from DVD
In this case I had an OS install disk which was required to be on a virtual node with no optical drive, so I needed to transfer an image to the server to create a VM.
Find out which device the DVD is:
lsblk
Output:
NAME            MAJ:MIN RM   SIZE RO TYPE MOUNTPOINT
sda               8:0    0 465.8G  0 disk
├─sda1            8:1    0     1G  0 part /boot
└─sda2            8:2    0 464.8G  0 part
  ├─centos-root 253:0    0    50G  0 lvm  /
  ├─centos-swap 253:1    0  11.8G  0 lvm  [SWAP]
  └─centos-home 253:2    0   403G  0 lvm  /home
sdb               8:16   1  14.5G  0 disk /mnt
sr0              11:0    1   4.1G  0 rom  /run/media/rick/CCSA_X64FRE_EN-US_DV5
Therefore /dev/sr0 is the location, or disk, to be made into an ISO.
I prefer simplicity, and sometimes deal with the fallout after the fact, however I've repeated this countless times with success.
dd if=/dev/sr0 of=win10.iso
Where if= is the input file and of= is the output file.
I chill out and do something else while the image is being copied/created, and the final output:
8555456+0 records in
8555456+0 records out
4380393472 bytes (4.4 GB) copied, 331.937 s, 13.2 MB/s
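The procedure above as a repeatable script, added here as an example and not part of the original post: it images a block device with dd, refuses to overwrite an existing image, verifies the copy byte-for-byte against the source with cmp, and writes a checksum file so the image can be checked again after it is transferred to the server. The device name /dev/sr0 and the output name win10.iso come from the post; the function names, the 2048-byte block size (the CD/DVD sector size) and the checksum side file are this example's own choices.

```shell
#!/bin/sh
# Added example (not the original poster's code): image a disc with dd and verify it.
# /dev/sr0 and win10.iso are the names from the post; everything else is assumed.

# Print the lsblk TYPE of a block device, e.g. "rom" for an optical drive.
# Sanity check before imaging a real device; prints nothing for a non-device.
device_type() {
    lsblk -dno TYPE "$1" 2>/dev/null
}

# make_iso SRC DST
# Copies SRC to DST in 2048-byte blocks, refuses to overwrite an existing DST,
# and verifies the copy with cmp. Returns 0 only for a verified copy.
make_iso() {
    src=$1
    dst=$2
    if [ ! -r "$src" ]; then
        echo "make_iso: cannot read $src" >&2
        return 1
    fi
    if [ -e "$dst" ]; then
        echo "make_iso: refusing to overwrite $dst" >&2
        return 2
    fi
    # if= is the input, of= is the output; dd prints the records in/out summary.
    dd if="$src" of="$dst" bs=2048 || return 3
    # The image must match the source byte-for-byte.
    if ! cmp -s "$src" "$dst"; then
        echo "make_iso: verification failed, $dst differs from $src" >&2
        return 4
    fi
    # Record a checksum beside the image so it can be re-checked after transfer.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$dst" > "$dst.sha256"
    fi
    return 0
}

# Stand-alone use: sh make_iso.sh /dev/sr0 win10.iso
if [ $# -eq 2 ]; then
    if [ -b "$1" ] && [ "$(device_type "$1")" != "rom" ]; then
        echo "warning: $1 is a block device but not an optical drive" >&2
    fi
    make_iso "$1" "$2" && echo "$2 created and verified"
fi
```

The cmp step is what the bare dd command in the post lacks: dd reports how many records it copied, but not whether the bytes on disk match the disc, and a silently truncated or damaged image only shows up later when the VM fails to boot from it.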
Recreate PostgreSQL database template, encode to ASCII
First mark template1 as a non-template database (run this while connected to a different database, such as postgres, since the current database cannot be dropped):
UPDATE pg_database SET datistemplate = FALSE WHERE datname = 'template1';
Now we can drop it:
DROP DATABASE template1;
Create database from template0, with a new default encoding ('UNICODE' is PostgreSQL's alias for UTF8), mark it as a template again, connect to it and freeze it:
CREATE DATABASE template1 WITH TEMPLATE = template0 ENCODING = 'UNICODE';
UPDATE pg_database SET datistemplate = TRUE WHERE datname = 'template1';
\c template1
VACUUM FREEZE;