Addressing the Addressable
By Charles Parker, II; Cybersecurity Lab Engineer
When academics and students write papers, research is required. The research focuses not only on the germane topic but also on the adequacy of the research itself. At times this research can be massive, depending on the subject. The more technical the subject matter, the more references may be used. These act as support for the researcher’s thoughts, ideas, applications, and work in general. For these references to be useful, they have to be from peer-reviewed journals. Peer review indicates that the work is not a sole person’s opinion but has been accepted and vetted by the researcher’s peers. These journals provide resources that have been analyzed and reviewed by other professionals. This, in theory, removes the opportunity for biased research and research based on faulty methods. These articles are searchable through various sources. One of the respected tools used for this search is Elsevier.
Issue
As this service has been in use for an extended period of time, the systems should be up to date with application versions, patches, etc., and there should not have been a problem. Unfortunately, due to human error or other problems, one of their servers was left open for the public to peruse. This server happened to hold user email addresses and passwords. Yes, this is as bad as it sounds. The users included anyone having access, including those from universities and other educational institutions across the globe. Elsevier was not aware of how long this condition had been in effect, which is detrimental. They also did not know how many users or accounts were impacted. These aspects are odd, as the servers were under their control and someone should have been able to determine these numbers through a simple review.
The problem at hand is credential stuffing. An affected user may use the same email account and password for services from other providers (e.g. the same email and/or password for Panera Bread, Amazon, the interface to their vehicle, etc.), so a leaked pair can be replayed against those services. This could prove to make someone’s day very interesting.
Remediation
Once Elsevier was notified of this (they did not discover the issue themselves), the organization did correct the configuration. They are investigating what occurred for this server to become vulnerable. This does, however, appear simply to be human error. They did not believe the server or any data had been inappropriately used. The organization did notify the users and reset their accounts.
This shows, again, the importance of proper configurations. Server configuration, as with cybersecurity in general, is not a static or single action. It is dynamic and requires review at regular intervals. Without this in place, the servers are open to anyone, which is not a good thing.
About The Author
Charles Parker, II has been in the computer science/InfoSec industry for over a decade, working with medical, sales, labor, OEM and Tier 1 manufacturers, and other industries. Presently, he is a Cybersecurity Lab Engineer at a Tier 1 manufacturer and a professor. To further the knowledge base for others in various roles in other industries, he has published in blogs and peer-reviewed journals. He has completed several graduate degrees (MBA, MSA, JD, LLM, and PhD), completed certificate programs in AI from MIT and other institutions, and researches AI’s application to InfoSec, FinTech, and other areas.