Do you use NAS drives? For work? One just LEAKED secret cash-machine blueprints

Some personal desktop storage devices are leaking top corporate secrets to the internet – in one case, the designs for a hole-in-the-wall cash machine. That's according to intelligence biz Digital Shadows, which tries to work out how proprietary and personal information accidentally escapes network boundaries. We're told one …

COMMENTS

This topic is closed for new posts.
  1. Destroy All Monsters Silver badge
    Trollface

    Also cloudy applications with badly set permissions....

    > This "easy share" feature is supposed to make passing information to other users more convenient, although it appears to be a little too convenient: miscreants aware of the "share everything" design flaw are scanning the public internet for vulnerable models, and grabbing sensitive stuff, it's claimed.

    HA HA HA! SHOW THEM ONLINE!!

  2. Richard Lucking

    It's not called "easy share" for nothing...

  3. Amorous Cowherder
    Facepalm

    So many unlocked devices out there

    Sometimes interesting to get yourself a copy of NMAP and do a range scan on a subnet and have a look just outside your "own door" from your home connection. I've found printers, NAS boxes, wide open business web servers all running on home ADSL and fibre connections. Stores with hundreds of MP3s, films and other stuff simply being shared out of home connections with no security. It's ridiculous. It's no great surprise that if people do have open storage devices on the internet and drop work documents on them, they're going to be available for anyone to pick up.

  4. Anonymous Coward
    Anonymous Coward

    Not exactly best practice

    "a contractor using a company laptop backed up his or her work to a consumer-grade storage device"

    Without encrypting it? Bye bye contractor. In the security world if customer data leaks and it came from you then you're screwed.

    I have a PIN-locked USB to sync my encrypted project folders to once a week (should be more frequent I know but I'm only human). That USB sits in my safe and once the contract is over I wipe the lot and have, on occasion, destroyed the USB for good measure (government work related).

    I have no idea how much all the design documents for a large internet bank would go for in the black market, and I'll never know.

    1. Anonymous Coward
      Anonymous Coward

      Re: Not exactly best practice

      Why wasn't the USB port disabled or BitLocker To Go turned on if the employee wasn't allowed to take insecure backups?

    2. Don Jefe

      Re: Not exactly best practice

      In the security world, or any other, you'd land yourself right smack in the middle of a wrongful termination or breach of contract suit, and you'd lose, if your systems didn't prevent the contractor from doing that.

      That's the downside to 'single error terminations'. If a single error is enough to warrant termination you have to prove that you did everything in your power to prevent such an error from occurring in the first place. I can tell you from experience, 'costs were too high', won't fly in court.

      All in all, it's better to educate people and carry on. It's almost always counterproductive to fire people over stupid mistakes. You poison your own well. The only lesson they'll learn is that getting fired is easier than working, pays better too. If you're in business and actually expect everyone to do everything perfectly you've made a poor career choice. People fuck up. Accept it. Otherwise you'll spend decades fighting a fight you're never going to win. All the while, smart businesspeople, who accept reality, are watching you like a science experiment to see how much pressure your business can take. We take place bets too. It's great fun.

      1. Anonymous Coward
        Anonymous Coward

        Re: Not exactly best practice

        > It's almost always counterproductive to fire people over stupid mistakes. You poison your own well. The only lesson they'll learn is that getting fired is easier than working,

        What's worse, when they fuck up they'll try to cover it up rather than own up to it, and you'll never know about the problem until it's too late.

      2. Anonymous Coward
        Anonymous Coward

        Re: Not exactly best practice

        Sorry Don, but in the UK if the action constitutes gross misconduct under the terms of the contract then it's TS and you're out with no recompense. No day in court, nada. Seen it happen in a bank and the result was swift and decisive.

    3. Destroy All Monsters Silver badge
      FAIL

      Re: Not exactly best practice

      > Without encrypting it?

      FAIL for not comprehending the problem in the first place.

      Oh, you keep your files individually encrypted on your disk? Sure you do.

  5. NinjasFTW

    how is it vulnerable?

    Maybe I'm being slow today but I can't see how this would affect 99.5% of the user base.

    If you put the device on your home network then any service that it exposes will be restricted to the home network.

    If it is accessible from the web via an intermediate cloud service then the access controls can be restricted by the company running the service to require a password rather than having to physically update all the devices.

    Yes, if you go to an internet cafe etc then you may be vulnerable to whoever is also connected to the network, or if you've set your NAS to sit in your DMZ; however if you can do that you probably know enough not to have no-password access.

    Not saying that it's not a nasty security issue that needs to be resolved, but not sure it's worth the doom prophecy of the article.

    1. garden-snail
      Meh

      Re: how is it vulnerable?

      Many consumer NAS devices are now exposing themselves over the Internet by design. They may use UPnP to poke holes in your firewall and/or NAT with the intention of allowing you to access your files at home even when you're out and about. I believe Netgear markets it as "Personal Cloud" (or similar) on its ReadyNAS devices.

      I would guess the vulnerability mentioned in this article relates to such a device, where it's opened itself up to the Internet without enabling authentication.

    2. Captain Scarlet Silver badge

      Re: how is it vulnerable?

      I am assuming UPnP may come into play here to make it easier for consumer users to access their NAS from the internet.

  6. Jim 59
    Stop

    Don't understand. Corporate servers and storage units are generally not internet facing. Neither is your home NAS, unless you enable it and forward the necessary ports on your router.

    1. phuzz Silver badge

      The NAS will open its own holes in the firewall on your router automatically using UPnP, to 'help you' access your files remotely. See for example the WD My Cloud line of home NASes.

      This is why many people recommend turning UPnP off on your router, otherwise any device on your network can ask for an outward facing port to be opened to it.
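The two comments above (garden-snail's and phuzz's) describe the same mechanism: a NAS asks the router, over UPnP IGD, to forward an external port to itself. Besides switching UPnP off, a defender can periodically list the router's existing mappings and flag the ones that expose storage or management services to any internet source. The script below is an added example, not code from the article or from any commenter; it parses the SOAP responses an IGD router returns to `GetGenericPortMappingEntry` requests and rates each mapping. The XML responses are constructed inline (a real audit would fetch them from the router's WANIPConnection service), and the `RISKY_PORTS` table and the hostnames in the samples are assumptions for illustration.

```python
"""Audit UPnP IGD port mappings and flag those that expose a NAS to the internet.

Added example: parses constructed GetGenericPortMappingEntryResponse SOAP bodies
(the format an IGD router returns, here embedded inline so it runs offline).
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Internal ports that usually mean a file-sharing or admin interface is reachable.
# Assumption for this example; adjust to the services your own devices run.
RISKY_PORTS: Dict[int, str] = {
    21: "FTP", 22: "SSH", 80: "HTTP web UI", 139: "NetBIOS/SMB", 443: "HTTPS web UI",
    445: "SMB", 548: "AFP", 2049: "NFS", 5000: "NAS web UI (common default)",
}


@dataclass
class PortMapping:
    remote_host: str        # empty string means "any source address"
    external_port: int
    protocol: str
    internal_port: int
    internal_client: str
    enabled: bool
    description: str
    lease_seconds: int      # 0 means permanent until explicitly deleted


def _local_name(tag: str) -> str:
    """Strip an XML namespace prefix like '{urn:...}' from an element tag."""
    return tag.rsplit("}", 1)[-1]


def parse_port_mapping(soap_xml: str) -> PortMapping:
    """Extract the New* fields of a GetGenericPortMappingEntry response."""
    root = ET.fromstring(soap_xml)
    fields = {}
    for el in root.iter():
        name = _local_name(el.tag)
        if name.startswith("New"):
            fields[name] = (el.text or "").strip()
    return PortMapping(
        remote_host=fields.get("NewRemoteHost", ""),
        external_port=int(fields["NewExternalPort"]),
        protocol=fields.get("NewProtocol", "TCP").upper(),
        internal_port=int(fields["NewInternalPort"]),
        internal_client=fields.get("NewInternalClient", ""),
        enabled=fields.get("NewEnabled", "0") == "1",
        description=fields.get("NewPortMappingDescription", ""),
        lease_seconds=int(fields.get("NewLeaseDuration") or 0),
    )


def assess(m: PortMapping) -> List[str]:
    """Return human-readable findings for one mapping (empty list = nothing notable)."""
    findings: List[str] = []
    if not m.enabled:
        return findings                      # disabled mappings forward nothing
    if m.remote_host == "" and m.internal_port in RISKY_PORTS:
        findings.append(
            f"{RISKY_PORTS[m.internal_port]} on {m.internal_client}:{m.internal_port} "
            f"is reachable from any internet host via {m.protocol}/{m.external_port}"
        )
    if m.lease_seconds == 0 and findings:
        findings.append("mapping is permanent (lease 0); it persists until removed")
    return findings


def audit(soap_responses: List[str]) -> List[Tuple[PortMapping, List[str]]]:
    """Parse every response and keep only mappings with at least one finding."""
    results = []
    for xml in soap_responses:
        mapping = parse_port_mapping(xml)
        found = assess(mapping)
        if found:
            results.append((mapping, found))
    return results


def _response(remote, ext, proto, internal, client, enabled, desc, lease) -> str:
    """Build a constructed IGD SOAP response for the samples below."""
    return f"""<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
<s:Body><u:GetGenericPortMappingEntryResponse
 xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
<NewRemoteHost>{remote}</NewRemoteHost><NewExternalPort>{ext}</NewExternalPort>
<NewProtocol>{proto}</NewProtocol><NewInternalPort>{internal}</NewInternalPort>
<NewInternalClient>{client}</NewInternalClient><NewEnabled>{enabled}</NewEnabled>
<NewPortMappingDescription>{desc}</NewPortMappingDescription>
<NewLeaseDuration>{lease}</NewLeaseDuration>
</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>"""


# Constructed samples: a NAS "personal cloud" mapping, a game console, a disabled SMB hole.
SAMPLE_RESPONSES = [
    _response("", 5000, "TCP", 5000, "192.168.1.20", 1, "NAS Personal Cloud", 0),
    _response("", 3074, "UDP", 3074, "192.168.1.30", 1, "Console", 3600),
    _response("", 445, "TCP", 445, "192.168.1.20", 0, "SMB", 0),
]

if __name__ == "__main__":
    for mapping, found in audit(SAMPLE_RESPONSES):
        print(f"[{mapping.description}] -> {mapping.internal_client}:{mapping.internal_port}")
        for f in found:
            print("   -", f)
```

Only the NAS entry is reported: it forwards a known web-UI port from any source address with a permanent lease, which is exactly the "opened itself up to the Internet" case described above. The console mapping is on an uninteresting port and the SMB entry is disabled, so both stay quiet.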

  7. Anonymous Coward
    Anonymous Coward

    I wondered if it was that obvious?

  8. Tom 35

    > In the interests of responsible disclosure, Digital Shadows did not name the affected NAS box

    Since the bad guys already know about it, not very responsible. If users just need to turn off a default setting they would not even have to wait for an update.

  9. Jean-Paul

    Is the NAS box really the key in this story?

    It might be me, but I don't get this article. Yes sure they could share stuff to the cloud, just like phones, tablets and many other devices do. Nothing really that special there, and devices that automatically punch holes to make themselves accessible aren't any new either...

    However, what on earth is the build like of that undisclosed company, that lets its users of its laptops back up the data to private devices in the first place? Where are the controls around their sensitive data? Why is that laptop able to share with non-regulated networks like at home, at Starbucks etc....

    As I said perhaps it is just me, but to me that is the key issue. Not that a device made to share data is sharing data....

    1. Destroy All Monsters Silver badge
      Holmes

      Re: Is the NAS box really the key in this story?

      > However, what on earth is the build like of that undisclosed company, that lets its users of its laptops back up the data to private devices in the first place? Where are the controls around their sensitive data? Why is that laptop able to share with non-regulated networks like at home, at Starbucks etc....

      Very young, I see.

      You need to realize that not every company can be managed like a bank (cough CDs with depositor data transferred to Frau Merkel for extortion purposes cough) or the NSA (cough our sysop left with the goods cough) as some actually need to pull in money to finance the ultra-fortress behaviour from customers in the first place.

      I can remember that even in a certain govern-mentally checked project with fat security requirement binders so terminally dull that your head would melt when you just looked at them, interesting data could be found in inappropriate places ... nothing untoward happened though. GnuPG was indeed applied to the highest security files (I never saw what was in there, probably the IP addresses of the SNMP endpoints)

      1. Jean-Paul

        Re: Is the NAS box really the key in this story?

        Young? I wish.... Rather experienced, unfortunately...

        Always easy to get some extreme examples in. Those weren't related to users having a home NAS, or even a consumer NAS in a company that deals with sensitive information. It is really hard to prevent all leaks of anything, and those with actual experience in those industries can highlight many a wart on the systems, not least some of the business processes.

        However, preventing the use of home network devices, backing up of local hard drives on personal devices etc is really not hard, and also not costly... It does require people that know what they are doing, and taking their job seriously.... And a hint: encrypting your files doesn't prevent them from being copied ;)

  10. P. Lee

    Security fail

    Only the key should be required to be secret.

  11. JoshOvki
    Mushroom

    NAS sounds a lot like...

    NAS sounds a lot like... NSA... oh no they are watching us!
