back to article 1.5 BEEELLION sensitive files found exposed online dwarf Panama Papers leak

Security researchers have uncovered 1.5 billion business and consumer files exposed online – just a month before Europe's General Data Protection Regulation comes into force. During the first three months of 2018, threat intel firm Digital Shadows detected 1,550,447,111 publicly available files across open Amazon Simple …

Silver badge
FAIL

No exposed RDP?

Not even an honorable mention?

10
2
Facepalm

Re: No exposed RDP?

RDP being a protocol to run interactive desktop sessions and not a protocol to directly access files.

4
2
Silver badge

Re: No exposed RDP?

You map drives and copy files over RDP.

On a related note (MS sieve-like protocols), who the hell still allows SMB over the Internet?

20
1
Anonymous Coward

Re: No exposed RDP?

Are rsync and FTP any better, when they allow dogs+pigs access to files?

6
0
Silver badge

Re: No exposed RDP?

"Are rsync and FTP any better, when they allow dogs+pigs access to files?"

This does sound like a very large and widespread leak of data, but it also raises the question of how much of the "scary big number" relates to files deliberately made available to the public. There are still many, many public FTP servers out there. Being old doesn't mean it isn't entirely safe and reasonable to use it in the right circumstances.

After all, if they didn't de-dupe properly, one wonders if the 80,000 packages on Aminet are listed against each of the 6 still running European mirrors :-) (not to mention all the Linux/BSD and other open source mirrors still in use.)

5
1
Silver badge

Re: No exposed RDP?

I highly suspect that open FTP servers for websites offering downloads weren't included - if they were, the security firm would look rather silly and lose its credibility.

3
0
Thumb Up

Re: No exposed RDP?

Have a thumbs-up for mentioning Aminet.

3
0
Silver badge
Happy

Re: No exposed RDP?

Didn't we all make minor changes every three months to whatever piece of software it was we wrote, uploaded the new version so it would go on the latest CD, and then claim yet another free copy, or was it just me?

2
0
Silver badge

Re: No exposed RDP?

Are rsync and FTP any better, when they allow dogs+pigs access to files?

Depends if they're lying down together.

The point is there is a migration path to something more secure for rsync and FTP, but for SMB and RDP there is nothing but pwnage.

0
3
Silver badge

Re: No exposed RDP?

@Dan55 only if it hasn't been set up by the same fuckwit who set up the rsync or FTP in the first place! These are mis-configured servers or firewalls that are causing the problem. Moving them to secure protocols won't help if they don't have any validation active - which is the problem, more than the protocol being used.

3
0
Silver badge

Re: No exposed RDP?

Are rsync and FTP any better

Both are relatively easy to secure.. To any semi-sane and competent sysadmin anyway.

4
0

Re: No exposed RDP?

Not just you, no...

2
0
Silver badge

Nothing to see here...

Quantity is not the same as quality. Not good to leak personal records like payroll etc as it might open an individual to potential fraud, but billions of dull files are rather less important than the stuff in the Panama Papers, which was really very revealing.

8
6

Just goes to prove

DPA, PCI DSS, GDPR blah blah blah. These all amount to nothing when the expertise is not there to implement them (and there is a good argument that PCI DSS amounts to nothing even when it is implemented properly). GDPR in spite of the heavy fines will not magically make businesses who've never even taken data protection measures under existing legislation become compliant.

The accountancy micro-business I use is very good at accountancy but I have no faith whatsoever that the copies of my passport and other identity paperwork I am obliged by law to supply them with are secure. Multiply that up by the thousands of accountancy firms, solicitors etc... who have had copies of your identity paperwork and rather than hindering the fraudsters it becomes an invaluable stash of material to promote the fraudsters' success, as admirably demonstrated by this article.

GDPR has primarily been a gravy train for FUDster consultants and will not go very far at all towards improving the protection and usage of our personal data.

12
12
Silver badge

Re: Just goes to prove

GDPR in spite of the heavy fines will not magically make businesses who've never even taken data protection measures under existing legislation become compliant.

If they don't become compliant, then the heavy GDPR fines1 will make them bankrupt pretty quickly, and businesses that are compliant will expand to fill the ecosystem niche. If those people running those businesses can't be bothered to make them compliant, then they will cease to have a business to run.

GDPR has primarily been a gravy train for FUDster consultants and will not go very far at all towards improving the protection and usage of our personal data.

Au contraire mon ami, GDPR will give everyone the right to access what data is held on them, to have it corrected, or removed if there are no grounds for an organisation to hold it, and will require companies to prove that consent was given to hold that data. Companies will also have to destroy data they hold after they no longer have a need for it, and will have to be able to prove that they have done so.

1There are two tiers of fines, depending on which article is breached. The lower scale is up to 2% of annual turnover or €10M, whichever is higher. The higher scale is 4% / €20M. Note that this is based on turnover not profit.

22
3

Re: Just goes to prove

You also have to remember that with GDPR prison and a criminal record will be possible and the ICO can go after you personally if you are a processor not just the firm you happen to work for at the time.

6
0

Re: Just goes to prove

To be fined you have fist to be prosecuted, as is the case now. The fact that the level of fines will be bigger does not mean that the level of prosecutions will be higher.

The new rights revealing the data held, the authorisation thereof and the right to be forgotten do not imply that the thousands of businesses who currently don't know what data they hold on you will suddenly know. Maybe some large enterprises have got a grip on this but the majority of SMEs have not.

I'd maintain my position that the new rights and fines will not substantially improve the situation in the real world. We may see some spectacular headline events with the likes of Facebook et al, but lower down the food chain not a lot will change.

11
3

Re: Just goes to prove

Its actually the other way around. It just goes to show that a lot of firms couldn't be bothered to be compliant with existing data regulations as they had no teeth. The software used for data storage for most SMEs has been marketed as being compliant but the implementation of said products and services has never been done.

There's a difference between good information governance and the just keep everything attitude.

If I ask and borrow your car and use it for the weekend, drive it back on Monday morning with a full tank with no damage, happy days! If you found out that I'd taken a copy of your keys just in case I needed to borrow it again, you'd be pretty pissed and call the police.

So why do you believe that an SME (or any firm) should have the right to hold data beyond their legal or regulatory terms?

7
1
Silver badge

Re: Just goes to prove

@jonathan1, that is provided the ICO *bothers* to.

2
0
Silver badge
Big Brother

Re: Just goes to prove

"To be fined you have fist to be prosecuted, as is the case now. The fact that the level of fines will be bigger does not mean that the level of prosecutions will be higher."

Money talks. And fines go direct to the Treasury. I wonder if the ICO will suddenly see a budget increase in the very near future? Speculate to accumulate!!

4
0
Bronze badge

Re: Just goes to prove

GDPR itself wont force change,

But if the first fine of 4% global turnover goes to someone big, it will make everyone sit up.

just for context, Amazon only make 2% profit on turnover, so a max fine would eat its profits for two years.

8
1
Silver badge

Re: Just goes to prove

but I have no faith whatsoever that the copies of my passport and other identity paperwork I am obliged by law to supply them with are secure

Which will mean that they either secure them properly or go out of business. I forsee more work for companies offering solution to SMBs - the annual cost of a good support contract is an order of magnitude smaller than the GDPR fines.

3
0
Silver badge

Re: Just goes to prove

"Note that this is based on turnover not profit."

And not just turnover but global turnover which will make a big difference for some corporations.

2
0
Silver badge

Re: Just goes to prove

"I'd maintain my position that the new rights and fines will not substantially improve the situation in the real world."

I think the knowledge of this extends well down the scale of business size. The problem is more likely getting a firm grip on sales and marketing pestering departments who have the mentality of 4 year old children including the same response to being told "No".

4
0
Anonymous Coward

Re: Just goes to prove

Global makes no difference. There will only be the EU (or UK) based shell company which as it isn't technically part of the actual company will only pay based on their turnover, not the turnover of the actual company itself.

1
0

Just because you have found a file on the internet doesn't mean it's a security issue.

Can someone tell us how these researchers know all the files were not supposed to be public documents?

3
2
FAIL

Re: Just because you have found a file on the internet doesn't mean it's a security issue.

If the researchers are reporting it is peoples Tax Returns then apart from Child in Chief Trump they shouldn't be public tax returns. Oh, wait, Trump hasn't published his Tax Returns either, only his predecessors did that.

12
3
Silver badge

Re: Just because you have found a file on the internet doesn't mean it's a security issue.

The specific file may be innocuous but the underlying problem is not. The fact a massive amount of data is exposed to whomever may want to gobble it is troubling. In this pile, most of it will be chaff but enough of it will be rather valuable to the miscreant gets their hands on it.

6
0
WTF?

Re: Just because you have found a file on the internet doesn't mean it's a security issue.

Were all of these tax papers in one or two treasure chests from some sloppy accountant(s) or were they several thousands of returns all stuck somewhere by people dealing with their own affairs? The headlines are wonderful fodder but I do wonder quite what was actually happening, e.g. were the files orphaned off by some now shuttered enterprise? Deluging authorities with complaints might be fun for some, but will it simply slow up any resolution?

There are already tens, perhaps thousands of SMEs who are being scared about GDPR and wondering what, if anything they can do. A 'business' with a few thousand pounds of turn over is clearly not in line to spend huge amounts on a consultant to verify their system, paying their increasing business rates is probably further up their action list. HMRC forcing as many as they can to go digital probably have not helped, at least an old exercise book had no online presence or rapid search function and probably held minimal personal data anyway. Middle ranking outfits possibly have more data, processes, and greater risks of missteps and a number of obsolete.systems.

The glib let them fail and put several hundred out of work is all very well, especially if they were the last available supplier. The care sector is already struggling, the loss of a few more providers would help no one I can think of.

I know of a raft of services that are being shuttered offering a range of facilities, it is a right pain in the behind, but no great harm to me, yet.

I bet I see no reduction in the crap mails and telephone calls I get.

2
0
Silver badge

Re: Just because you have found a file on the internet doesn't mean it's a security issue.

"A 'business' with a few thousand pounds of turn over is clearly not in line to spend huge amounts on a consultant to verify their system, paying their increasing business rates is probably further up their action list."

A business with a few thousand pounds of turnover probably isn't paying huge amounts for data storage in the first place - possibly an old exercise book. It still doesn't excuse them if they write more in it than they're entitled to.

1
0
Silver badge

As someone once said - Privacy is Dead

All the browser blockers/VPNs/one-time pins.

Living in a cabin in the woods for the last 20 years (no internet/phones/drivers licenses or credit card use) might keep you under the radar for a bit - but eventually someone will be prying around to find out why you are so private.

Still, it's fun to pretend like we are making it difficult. And raising flags by using Tor or Tails.

9
0
404
Silver badge

Re: As someone once said - Privacy is Dead

Don't think that will save you - still have to pay property taxes every year. If you've ever looked, public records are pretty revealing... I've seen some stuff, man... and some things... I wouldn't recommend it.

1
0
Alien

Re: I've seen some stuff, man... and some things...

Like what?

And don't tell us "Things you people wouldn't believe" or "Attack ships on fire off the shoulder of Orion" or "C-beams glitter in the dark near the Tannhäuser Gate."

All those moments needn't be lost in time, like tears in rain. Tell us here, now and the Internet Archive Wayback Machine will preserve them forever; like Talby, you too can take on a form of immortality. Do it. Do it now - before they stop the Signal!

1
0
Silver badge
Unhappy

The Elephant in the Room

Having looked at far too many reports over the last thirty years where it is reported that businesses, the small and especially the large, that do not have a handle on what data is on their own devices let alone what is resident other people's machines (personal/work laptop, "cloud", co-location, ...). So, when that business tells you that they do not hold any data on you, can you believe them? And how, exactly, do you prove that they are lying? I would not be surprised in the least that the ICO gets carpet bombed in reports from individuals on "possible" violations to such an extent that they'll have years of backlog.

Having spent the last week sorting through files here and tucking them into their appropriate places, the only thing I'm certain of here is that no data on European subjects is resident on any of my devices, remote or local. I did find a disturbing number of intellectual property related files that were exposed and I've always thought better of myself in that regard. Oops.

8
0
Anonymous Coward

Yep!

DevOps is spreading fast.

7
0
Silver badge

Re: Yep!

More a case of DevOops!

7
0
Silver badge
Unhappy

Puzzled

Excuse my extreme ignorance, but how is rsync an issue?

I use it extensively for local backups, and surely if you're using it over the Internet (I never would) it's the transport protocol that's the risk.

3
0
Silver badge

Re: Puzzled

I use rsync over the internet extensively - using ssh.. It's as secure as the ssh connection it runs over.

I can only assume the article is refering to some people using rsync in a misconfigured daemon mode.

(Remember, rsync in daemon mode can be used to provide an anonymous rsync service [ http://www.panticz.de/anonymous-rsync ] which could open up all sorts of holes if the directories are not set correctly - in the same way that anonymous ftp could. )

8
0
Silver badge

Re: Puzzled

but how is rsync an issue?

Two ways - insecure transport, badly configured shared files. Oh, and unrestricted destination addresses - you might have a legitimate use for it to move files outside your network (cygwin can be installed via rsync as can some linux distros and both of those are legitimate uses - but even those should be over ssh/ssl in order to stop in-flight replacement of files with malicious binaries) but if you are sharing confidential data with outside parties you'd better make sure that the transport streams are encrypted and you firewall only allows rsync to specific addresses..

So it isn't rsync per-se that's bad, it's how the server, security and transport are configured. And since a lot of people tend to use stuff straight out of the box you'll get a lot of NAS devices that allow anonymous rsync anywhere. And most people don't run firewalls on their home networks.

2
0
Anonymous Coward

Curious, how many of these files are jpgs of questionable reputation and heritage?

2
0

How many hard drives?

How many hard drives are required to store 12PB?

1
0

Re: How many hard drives?

one if it's big enough ;)

13
0

Been saying for years

It will take millions if not billions of lost profits, lives and hell why not economies before we "get it". I've been griping for years about many things and this is one of them, "data sovereignty". I never understood the "work at home" concept when it comes to certain roles like developers who work for proprietary devshops or any/every IT role that has security in its title and we all know this is the main reasons why many of these files were exposed in the first place. As a security engineer I have accepted that I will never have a job where I get to work from home and honestly once in my past it was suggested that I could do my security work from home and I flatly refused it because that would make accountable if a hack occurred and it was discovered that it came from my home system. I love technology but after 28 years of heavily using PC's I still don't trust them.

One of the other big reasons is simple, too many IT people really should not work in IT. They might have the smarts but that doesn't mean they have the proper mindset. As a security SME I have for many years and on many occasions been caught saying "Computer security is a mindset, not a skill". Tech skills can always be taught but security is more of a philosophy.

You will often have executives within any organization who want a percentage given to them on "how secure is it". This is flatly wrong but it does get the greasy sec guy off the hook until they either leave or get hacked. To add to this complete and total lack of understanding of what "proper security" means you have quite often in positions where decisions are made people who should be technical'ish but are not... at all. They often have "feelings" on what is right and what is not, honestly for a device that has taken millennia's scientific/mathematics knowledge to devise the most complex mass produced piece of technology ever you would kind of believe that those "in charge" would at least have a clue.... THERE ARE NO *FEELINGS* IN TECHNICAL MATTERS, ONLY PROOF!... it's call the scientific method because science is what got us here in the first place.

11
1
Silver badge

Re: Been saying for years

too many IT people really should not work in IT

And too many bits of commodity IT focus more on usability than anything else. After all, if people have to use some common sense to install NewShiny[1] in their home, they'll give up and use something else that's more Plug 'N Pray.

[1] IoT, I'm looking at you.

4
0
Anonymous Coward

Does the GDPR mean...

That we'll now have de-facto recourse on companies that leak email addresses...

...so when I get phishing email from "Lloyds Bank"(!), sent to an email address supplied exclusively to smallbatterypoweredcomputersdirect.com I can now get some action taken against the leaky retailer?

14
0
Silver badge

Re: Does the GDPR mean...

It depends entirely on whether 'smallbatterypoweredcomputersdirect.com ' operates in the EU, or is a Hong Kong based grey importer masquerading as a UK company.

6
0
Anonymous Coward

Re: Does the GDPR mean...

Doesn't matter if they operate in the EU or not. If it is the data of an EU citizen being processed GDPR applies. Now admittedly enforcing a fine could prove difficult, but the law will apply.

0
0
Anonymous Coward

Had a client come in, they were still using Win XP for their business to business system - gotta wonder what their customers would have thought if they found out all the business and personal information they were sending these people was going to a hosed , not secure in any way, computer.

Can you guess what business they were in? I will give you a few clues:

Might have been retail, or banking, or medical, or credit card or credit monitoring - what the hell, it doesn't seem to matter, does it.

3
0
Silver badge

"gotta wonder what their customers would have thought if they found out all the business and personal information they were sending these people was going to a hosed , not secure in any way, computer."

As a customer I'd first want to know what exposure the computer had to the internet. XP off net vs W10 on net: which would you prefer?

3
0
404
Silver badge

That is no choice at all -> XP off net for the win.

Now, that being said, can anyone (anyone? HELLOOOOoooooo, anybody?) write/compile/fork an OS that will run x86 Windows programs natively?

Asking for a friend.

1
0

Page:

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Forums

Biting the hand that feeds IT © 1998–2018