1.5 BEEELLION sensitive files found exposed online dwarf Panama Papers leak

Security researchers have uncovered 1.5 billion business and consumer files exposed online – just a month before Europe's General Data Protection Regulation comes into force. During the first three months of 2018, threat intel firm Digital Shadows detected 1,550,447,111 publicly available files across open Amazon Simple …

  1. chivo243 Silver badge
    FAIL

    No exposed RDP?

    Not even an honorable mention?

    1. DontFeedTheTrolls
      Facepalm

      Re: No exposed RDP?

      RDP being a protocol to run interactive desktop sessions and not a protocol to directly access files.

      1. Dan 55 Silver badge

        Re: No exposed RDP?

        You map drives and copy files over RDP.

        On a related note (MS sieve-like protocols), who the hell still allows SMB over the Internet?

        1. Anonymous Coward
          Anonymous Coward

          Re: No exposed RDP?

          Are rsync and FTP any better, when they allow dogs+pigs access to files?

          1. John Brown (no body) Silver badge

            Re: No exposed RDP?

            "Are rsync and FTP any better, when they allow dogs+pigs access to files?"

            This does sound like a very large and widespread leak of data, but it also raises the question of how much of the "scary big number" relates to files deliberately made available to the public. There are still many, many public FTP servers out there. Being old doesn't mean it isn't entirely safe and reasonable to use it in the right circumstances.

            After all, if they didn't de-dupe properly, one wonders if the 80,000 packages on Aminet are listed against each of the 6 still running European mirrors :-) (not to mention all the Linux/BSD and other open source mirrors still in use.)

            1. big_D Silver badge

              Re: No exposed RDP?

              I highly suspect that open FTP servers for websites offering downloads weren't included - if they were, the security firm would look rather silly and lose its credibility.

            2. gregthecanuck
              Thumb Up

              Re: No exposed RDP?

              Have a thumbs-up for mentioning Aminet.

              1. Dan 55 Silver badge
                Happy

                Re: No exposed RDP?

                Didn't we all make minor changes every three months to whatever piece of software it was we wrote, uploaded the new version so it would go on the latest CD, and then claim yet another free copy, or was it just me?

                1. Kevin Fairhurst

                  Re: No exposed RDP?

                  Not just you, no...

          2. Dan 55 Silver badge

            Re: No exposed RDP?

            Are rsync and FTP any better, when they allow dogs+pigs access to files?

            Depends if they're lying down together.

            The point is there is a migration path to something more secure for rsync and FTP, but for SMB and RDP there is nothing but pwnage.

            1. big_D Silver badge

              Re: No exposed RDP?

              @Dan55 only if it hasn't been set up by the same fuckwit who set up the rsync or FTP in the first place! These are mis-configured servers or firewalls that are causing the problem. Moving them to secure protocols won't help if they don't have any validation active - which is the problem, more than the protocol being used.

          3. CrazyOldCatMan Silver badge

            Re: No exposed RDP?

            Are rsync and FTP any better

            Both are relatively easy to secure... to any semi-sane and competent sysadmin anyway.

  2. Pen-y-gors

    Nothing to see here...

    Quantity is not the same as quality. Not good to leak personal records like payroll etc as it might open an individual to potential fraud, but billions of dull files are rather less important than the stuff in the Panama Papers, which was really very revealing.

  3. Dr Who

    Just goes to prove

    DPA, PCI DSS, GDPR blah blah blah. These all amount to nothing when the expertise is not there to implement them (and there is a good argument that PCI DSS amounts to nothing even when it is implemented properly). GDPR in spite of the heavy fines will not magically make businesses who've never even taken data protection measures under existing legislation become compliant.

    The accountancy micro-business I use is very good at accountancy but I have no faith whatsoever that the copies of my passport and other identity paperwork I am obliged by law to supply them with are secure. Multiply that up by the thousands of accountancy firms, solicitors etc... who have had copies of your identity paperwork and rather than hindering the fraudsters it becomes an invaluable stash of material to promote the fraudsters' success, as admirably demonstrated by this article.

    GDPR has primarily been a gravy train for FUDster consultants and will not go very far at all towards improving the protection and usage of our personal data.

    1. Loyal Commenter Silver badge

      Re: Just goes to prove

      GDPR in spite of the heavy fines will not magically make businesses who've never even taken data protection measures under existing legislation become compliant.

      If they don't become compliant, then the heavy GDPR fines[1] will make them bankrupt pretty quickly, and businesses that are compliant will expand to fill the ecosystem niche. If those people running those businesses can't be bothered to make them compliant, then they will cease to have a business to run.

      GDPR has primarily been a gravy train for FUDster consultants and will not go very far at all towards improving the protection and usage of our personal data.

      Au contraire mon ami, GDPR will give everyone the right to access what data is held on them, to have it corrected, or removed if there are no grounds for an organisation to hold it, and will require companies to prove that consent was given to hold that data. Companies will also have to destroy data they hold after they no longer have a need for it, and will have to be able to prove that they have done so.

      [1] There are two tiers of fines, depending on which article is breached. The lower scale is up to 2% of annual turnover or €10M, whichever is higher. The higher scale is 4% / €20M. Note that this is based on turnover not profit.

      1. jonathan1

        Re: Just goes to prove

        You also have to remember that with GDPR prison and a criminal record will be possible and the ICO can go after you personally if you are a processor not just the firm you happen to work for at the time.

        1. anothercynic Silver badge

          Re: Just goes to prove

          @jonathan1, that is provided the ICO *bothers* to.

      2. Dr Who

        Re: Just goes to prove

        To be fined you have first to be prosecuted, as is the case now. The fact that the level of fines will be bigger does not mean that the level of prosecutions will be higher.

        The new rights revealing the data held, the authorisation thereof and the right to be forgotten do not imply that the thousands of businesses who currently don't know what data they hold on you will suddenly know. Maybe some large enterprises have got a grip on this but the majority of SMEs have not.

        I'd maintain my position that the new rights and fines will not substantially improve the situation in the real world. We may see some spectacular headline events with the likes of Facebook et al, but lower down the food chain not a lot will change.

        1. Anonymous Coward
          Anonymous Coward

          Re: Just goes to prove

          It's actually the other way around. It just goes to show that a lot of firms couldn't be bothered to be compliant with existing data regulations as they had no teeth. The software used for data storage for most SMEs has been marketed as being compliant but the implementation of said products and services has never been done.

          There's a difference between good information governance and the just keep everything attitude.

          If I ask and borrow your car and use it for the weekend, drive it back on Monday morning with a full tank with no damage, happy days! If you found out that I'd taken a copy of your keys just in case I needed to borrow it again, you'd be pretty pissed and call the police.

          So why do you believe that an SME (or any firm) should have the right to hold data beyond their legal or regulatory terms?

        2. John Brown (no body) Silver badge
          Big Brother

          Re: Just goes to prove

          "To be fined you have first to be prosecuted, as is the case now. The fact that the level of fines will be bigger does not mean that the level of prosecutions will be higher."

          Money talks. And fines go direct to the Treasury. I wonder if the ICO will suddenly see a budget increase in the very near future? Speculate to accumulate!!

        3. Doctor Syntax Silver badge

          Re: Just goes to prove

          "I'd maintain my position that the new rights and fines will not substantially improve the situation in the real world."

          I think the knowledge of this extends well down the scale of business size. The problem is more likely getting a firm grip on sales and marketing pestering departments who have the mentality of 4 year old children including the same response to being told "No".

      3. Doctor Syntax Silver badge

        Re: Just goes to prove

        "Note that this is based on turnover not profit."

        And not just turnover but global turnover which will make a big difference for some corporations.

        1. Anonymous Coward
          Anonymous Coward

          Re: Just goes to prove

          Global makes no difference. There will only be the EU (or UK) based shell company which as it isn't technically part of the actual company will only pay based on their turnover, not the turnover of the actual company itself.

    2. EnviableOne

      Re: Just goes to prove

      GDPR itself won't force change,

      But if the first fine of 4% global turnover goes to someone big, it will make everyone sit up.

      Just for context, Amazon only make 2% profit on turnover, so a max fine would eat its profits for two years.

    3. CrazyOldCatMan Silver badge

      Re: Just goes to prove

      but I have no faith whatsoever that the copies of my passport and other identity paperwork I am obliged by law to supply them with are secure

      Which will mean that they either secure them properly or go out of business. I foresee more work for companies offering solutions to SMBs - the annual cost of a good support contract is an order of magnitude smaller than the GDPR fines.

  4. mgbrown

    Just because you have found a file on the internet doesn't mean it's a security issue.

    Can someone tell us how these researchers know all the files were not supposed to be public documents?

    1. DontFeedTheTrolls
      FAIL

      Re: Just because you have found a file on the internet doesn't mean it's a security issue.

      If the researchers are reporting it is people's Tax Returns then apart from Child in Chief Trump they shouldn't be public tax returns. Oh, wait, Trump hasn't published his Tax Returns either, only his predecessors did that.

      1. Richard Jones 1
        WTF?

        Re: Just because you have found a file on the internet doesn't mean it's a security issue.

        Were all of these tax papers in one or two treasure chests from some sloppy accountant(s) or were they several thousands of returns all stuck somewhere by people dealing with their own affairs? The headlines are wonderful fodder but I do wonder quite what was actually happening, e.g. were the files orphaned off by some now shuttered enterprise? Deluging authorities with complaints might be fun for some, but will it simply slow up any resolution?

        There are already tens, perhaps thousands of SMEs who are being scared about GDPR and wondering what, if anything, they can do. A 'business' with a few thousand pounds of turnover is clearly not in line to spend huge amounts on a consultant to verify their system; paying their increasing business rates is probably further up their action list. HMRC forcing as many as they can to go digital probably has not helped; at least an old exercise book had no online presence or rapid search function and probably held minimal personal data anyway. Middle ranking outfits possibly have more data, processes, and greater risks of missteps and a number of obsolete systems.

        The glib let them fail and put several hundred out of work is all very well, especially if they were the last available supplier. The care sector is already struggling, the loss of a few more providers would help no one I can think of.

        I know of a raft of services that are being shuttered offering a range of facilities, it is a right pain in the behind, but no great harm to me, yet.

        I bet I see no reduction in the crap mails and telephone calls I get.

        1. Doctor Syntax Silver badge

          Re: Just because you have found a file on the internet doesn't mean it's a security issue.

          "A 'business' with a few thousand pounds of turnover is clearly not in line to spend huge amounts on a consultant to verify their system; paying their increasing business rates is probably further up their action list."

          A business with a few thousand pounds of turnover probably isn't paying huge amounts for data storage in the first place - possibly an old exercise book. It still doesn't excuse them if they write more in it than they're entitled to.

    2. a_yank_lurker

      Re: Just because you have found a file on the internet doesn't mean it's a security issue.

      The specific file may be innocuous but the underlying problem is not. The fact a massive amount of data is exposed to whomever may want to gobble it is troubling. In this pile, most of it will be chaff but enough of it will be rather valuable to the miscreant who gets their hands on it.

  5. elDog

    As someone once said - Privacy is Dead

    All the browser blockers/VPNs/one-time pins.

    Living in a cabin in the woods for the last 20 years (no internet/phones/drivers licenses or credit card use) might keep you under the radar for a bit - but eventually someone will be prying around to find out why you are so private.

    Still, it's fun to pretend like we are making it difficult. And raising flags by using Tor or Tails.

    1. 404

      Re: As someone once said - Privacy is Dead

      Don't think that will save you - still have to pay property taxes every year. If you've ever looked, public records are pretty revealing... I've seen some stuff, man... and some things... I wouldn't recommend it.

      1. GIRZiM
        Alien

        Re: I've seen some stuff, man... and some things...

        Like what?

        And don't tell us "Things you people wouldn't believe" or "Attack ships on fire off the shoulder of Orion" or "C-beams glitter in the dark near the Tannhäuser Gate."

        All those moments needn't be lost in time, like tears in rain. Tell us here, now and the Internet Archive Wayback Machine will preserve them forever; like Talby, you too can take on a form of immortality. Do it. Do it now - before they stop the Signal!

  6. Anonymous Coward
    Unhappy

    The Elephant in the Room

    Having looked at far too many reports over the last thirty years where it is reported that businesses, the small and especially the large, do not have a handle on what data is on their own devices, let alone what is resident on other people's machines (personal/work laptop, "cloud", co-location, ...). So, when that business tells you that they do not hold any data on you, can you believe them? And how, exactly, do you prove that they are lying? I would not be surprised in the least that the ICO gets carpet bombed in reports from individuals on "possible" violations to such an extent that they'll have years of backlog.

    Having spent the last week sorting through files here and tucking them into their appropriate places, the only thing I'm certain of here is that no data on European subjects is resident on any of my devices, remote or local. I did find a disturbing number of intellectual property related files that were exposed and I've always thought better of myself in that regard. Oops.

  7. Anonymous Coward
    Anonymous Coward

    Yep!

    DevOps is spreading fast.

    1. Simon Harris

      Re: Yep!

      More a case of DevOops!

  8. Will Godfrey Silver badge
    Unhappy

    Puzzled

    Excuse my extreme ignorance, but how is rsync an issue?

    I use it extensively for local backups, and surely if you're using it over the Internet (I never would) it's the transport protocol that's the risk.

    1. Jamie Jones Silver badge

      Re: Puzzled

      I use rsync over the internet extensively - using ssh. It's as secure as the ssh connection it runs over.

      I can only assume the article is referring to some people using rsync in a misconfigured daemon mode.

      (Remember, rsync in daemon mode can be used to provide an anonymous rsync service [ http://www.panticz.de/anonymous-rsync ] which could open up all sorts of holes if the directories are not set correctly - in the same way that anonymous ftp could. )

    2. CrazyOldCatMan Silver badge

      Re: Puzzled

      but how is rsync an issue?

      Two ways - insecure transport, badly configured shared files. Oh, and unrestricted destination addresses - you might have a legitimate use for it to move files outside your network (cygwin can be installed via rsync as can some linux distros and both of those are legitimate uses - but even those should be over ssh/ssl in order to stop in-flight replacement of files with malicious binaries) but if you are sharing confidential data with outside parties you'd better make sure that the transport streams are encrypted and your firewall only allows rsync to specific addresses.

      So it isn't rsync per se that's bad, it's how the server, security and transport are configured. And since a lot of people tend to use stuff straight out of the box you'll get a lot of NAS devices that allow anonymous rsync anywhere. And most people don't run firewalls on their home networks.
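Jamie Jones and CrazyOldCatMan above both put the rsync exposures down to daemon-mode servers with badly set up modules rather than to rsync itself. As an added example that is not from the article or from any commenter, this Python script parses an rsyncd.conf, folds in the defaults documented in rsyncd.conf(5), and flags modules that are anonymous, reachable from any address, writable, un-chrooted or advertised in the module listing; the two configs embedded in it are constructed samples, not taken from any real host.

```python
"""Audit an rsyncd.conf for the settings that turn a daemon-mode rsync
server into an open file share (added example; sample configs are constructed)."""
import re
# Defaults as documented in rsyncd.conf(5); a module inherits the global
# section unless it overrides a value.
DEFAULTS = {"use chroot": "yes", "read only": "yes", "list": "yes"}

def parse_rsyncd(text):
    """Return {module: {option: value}} with global settings folded in."""
    glob, modules, cur = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        header = re.match(r"\[(.+)\]$", line)
        if header:
            cur = header.group(1).strip()
            modules[cur] = {}
        elif "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            (glob if cur is None else modules[cur])[key.lower()] = val
    return {name: {**DEFAULTS, **glob, **opts} for name, opts in modules.items()}

def _true(val):
    return val.strip().lower() in ("yes", "true", "1")

def audit_module(opts):
    """Return the set of exposure findings for one module's effective options."""
    findings = set()
    if not opts.get("auth users"):
        findings.add("anonymous")   # no credentials required at all
    if not opts.get("hosts allow"):
        findings.add("any-host")    # daemon answers every source address
    if not _true(opts["read only"]):
        findings.add("writable")    # clients can push files into the path
    if not _true(opts["use chroot"]):
        findings.add("no-chroot")   # weaker isolation from the rest of the fs
    if _true(opts["list"]):
        findings.add("listed")      # module is advertised by `rsync host::`
    return findings

def audit(text):
    """{module: set of findings} for every module in the config text."""
    return {name: audit_module(opts) for name, opts in parse_rsyncd(text).items()}

# Constructed sample: an out-of-the-box daemon config, not from any real host.
WEAK = """
[public]
    path = /srv/mirror
    comment = software mirror, meant to be anonymous

[backups]
    path = /srv/backups
    read only = no
    use chroot = no
"""

# Constructed sample: the same backups module restricted to one account and
# one network, and hidden from the module listing.
HARDENED = """
use chroot = yes
[backups]
    path = /srv/backups
    read only = no
    list = no
    auth users = backup
    secrets file = /etc/rsyncd.secrets
    hosts allow = 10.0.0.0/8
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK), ("hardened", HARDENED)):
        for name, found in audit(conf).items():
            print(f"{label}/{name}: {sorted(found) or 'no findings'}")
```

The hardened backups module still reports "writable" because a backup target has to accept pushes; the point is that the other four findings disappear once credentials, a source network and a chroot are in place.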

  9. Anonymous Coward
    Anonymous Coward

    Curious, how many of these files are jpgs of questionable reputation and heritage?

  10. jonfr

    How many hard drives?

    How many hard drives are required to store 12PB?

    1. 6491wm

      Re: How many hard drives?

      one if it's big enough ;)

  11. dbastianello

    Been saying for years

    It will take millions if not billions of lost profits, lives and hell why not economies before we "get it". I've been griping for years about many things and this is one of them, "data sovereignty". I never understood the "work at home" concept when it comes to certain roles like developers who work for proprietary devshops or any/every IT role that has security in its title and we all know this is the main reason why many of these files were exposed in the first place. As a security engineer I have accepted that I will never have a job where I get to work from home and honestly once in my past it was suggested that I could do my security work from home and I flatly refused it because that would make me accountable if a hack occurred and it was discovered that it came from my home system. I love technology but after 28 years of heavily using PCs I still don't trust them.

    One of the other big reasons is simple, too many IT people really should not work in IT. They might have the smarts but that doesn't mean they have the proper mindset. As a security SME I have for many years and on many occasions been caught saying "Computer security is a mindset, not a skill". Tech skills can always be taught but security is more of a philosophy.

    You will often have executives within any organization who want a percentage given to them on "how secure is it". This is flatly wrong but it does get the greasy sec guy off the hook until they either leave or get hacked. To add to this complete and total lack of understanding of what "proper security" means you have quite often in positions where decisions are made people who should be technical-ish but are not... at all. They often have "feelings" on what is right and what is not; honestly, for a device that has taken millennia of scientific/mathematical knowledge to devise, the most complex mass produced piece of technology ever, you would kind of believe that those "in charge" would at least have a clue.... THERE ARE NO *FEELINGS* IN TECHNICAL MATTERS, ONLY PROOF!... it's called the scientific method because science is what got us here in the first place.

    1. CrazyOldCatMan Silver badge

      Re: Been saying for years

      too many IT people really should not work in IT

      And too many bits of commodity IT focus more on usability than anything else. After all, if people have to use some common sense to install NewShiny[1] in their home, they'll give up and use something else that's more Plug 'N Pray.

      [1] IoT, I'm looking at you.

  12. Anonymous Coward
    Anonymous Coward

    Does the GDPR mean...

    That we'll now have de-facto recourse on companies that leak email addresses...

    ...so when I get phishing email from "Lloyds Bank"(!), sent to an email address supplied exclusively to smallbatterypoweredcomputersdirect.com I can now get some action taken against the leaky retailer?

    1. Loyal Commenter Silver badge

      Re: Does the GDPR mean...

      It depends entirely on whether 'smallbatterypoweredcomputersdirect.com' operates in the EU, or is a Hong Kong based grey importer masquerading as a UK company.

      1. Anonymous Coward
        Anonymous Coward

        Re: Does the GDPR mean...

        Doesn't matter if they operate in the EU or not. If it is the data of an EU citizen being processed GDPR applies. Now admittedly enforcing a fine could prove difficult, but the law will apply.

  13. Anonymous Coward
    Anonymous Coward

    Had a client come in, they were still using Win XP for their business to business system - gotta wonder what their customers would have thought if they found out all the business and personal information they were sending these people was going to a hosed, not secure in any way, computer.

    Can you guess what business they were in? I will give you a few clues:

    Might have been retail, or banking, or medical, or credit card or credit monitoring - what the hell, it doesn't seem to matter, does it.

    1. Doctor Syntax Silver badge

      "gotta wonder what their customers would have thought if they found out all the business and personal information they were sending these people was going to a hosed, not secure in any way, computer."

      As a customer I'd first want to know what exposure the computer had to the internet. XP off net vs W10 on net: which would you prefer?

      1. 404

        That is no choice at all -> XP off net for the win.

        Now, that being said, can anyone (anyone? HELLOOOOoooooo, anybody?) write/compile/fork an OS that will run x86 Windows programs natively?

        Asking for a friend.

        1. GIRZiM

          write/compile/fork an OS that will run x86 Windows programs natively

          Erm ... Microsoft?

          Failing that, ReactOS is probably your closest bet.

  14. Anonymous Coward
    Anonymous Coward

    Until it's financially costly no one cares

    Enterprise and social media have little concern for data security until it costs them tens of millions in fines for their blatant negligence.

  15. JeffyPoooh
    Pint

    "The leaked information included....penetration tests."

    There's quite a bit of that on the Internet already.

  16. Kevin McMurtrie Silver badge

    USER anonymous PASS guest

    I suspect that a number of these are meant for sharing stolen files without the paper trails created by authentication and digital signatures. Those have been around since at least the 1980s when people would look for unused live telephone wires and plug a pirate BBS into them.

  17. Anonymous Coward
    Anonymous Coward

    I find it amusing that a study regarding sensitive files found online....

    ...would require the users details to view it:

    "Although misconfigured Amazon S3 buckets have hogged headlines recently, in this study (registration required)"

    (hint: you can still view the study if you enter random data)
