A database purportedly belonging to PG&E publicly accessible
California natural gas and electricity company Pacific Gas & Electric denies a researcher's claim that the database is genuine, saying that it is a fake. The data – which is accessible to the public – contains a great deal of sensitive information. Chris Vickery, a researcher with MacKeeper, says that the information on 47 000 computers, servers, VMs and devices could be accessed by anyone, without authentication.
Not fake says researcher
The data includes hostnames, locations, MAC addresses, IP addresses, OS data and 100+ employee passwords. Some of these passwords were hashed, though cleartext ones were discovered too. The company told Vickery that the unsecured database was fake, but the researcher disputes this claim, pointing to the more than 688 000 different log entries he found. On this point he says, “Sure, it’s theoretically possible to create software that could generate massive amounts of fake data, but companies don’t do that. Even if a database is for development purposes only, they tend to fill it with real production data. They do that because production data is easily available and free. Companies generally do not pay people to sit around and create great swaths of false data when plenty of data already exists to use.”
Copy for Department of Homeland Security
Vickery noted that the database was taken down on May 26th after PG&E was notified. Before this happened, he made a copy to forward to the DHS. Vickery blogged, “To be clear, I absolutely do not believe PG&E’s claim that this is all fictitious data.” The DHS takes an interest in matters like this involving utilities because these companies are part of the critical infrastructure of the U.S. In January the DHS Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) revealed that 245 incidents were reported to it last year, and 16 percent of these affected the energy utilities sector.
American short circuit in security?
If the PG&E situation turns out to be genuine, it reflects an ongoing vulnerability in the critical infrastructure. Last year a researcher uncovered serious vulnerabilities in Delmarva Power’s Android app; the company provides electricity and gas to 1.4 million customers in Maryland and Delaware.
Companies in other countries have also had vulnerabilities and weak security exposed. In 2014, British Gas, one of the UK’s biggest energy suppliers, had its Twitter account hacked, and last year it announced that it had purposely made its online services incompatible with password managers.