Everyone thinks he can configure his own business or private server, NAS or cloud more securely than Google & Co. As a result we got another massive data leak: 1.5 billion files were found by Digital Shadows researchers, and these leaks expose millions of people and companies.
Misconfigured FTP, SMB, Rsync, and S3 Buckets
Researchers found over 1.5 billion files on the Internet in the first 3 months of this year which shouldn’t be available to anyone outside the network. The reason is obvious: people think they can escape ‘spying’, so they build their own networks; what people still don’t realize is that this opens a lot of holes due to misconfiguration of their servers or clients. The result is always the same: new data breaches.
Copy & Pasta configurations
What I often see on GitHub and other platforms is ‘smart’ people trying to spread their FUD or so-called security configurations to the masses without mentioning that these ‘example configurations’ have never been audited or tested by security experts; they often advertise their configuration as hardened or more secure without any proof.
Some classified documents were even found in source code, pictures and other documents on FTP servers, or even on the servers which are supposed to be secure. Patent letters with real names and addresses were no exception.
European Union before USA
The shocking news is that most of the found files are from the European Union and not from the USA, as one might have expected because of the NSA & Co.
- USA: 240 million files (16%)
- Europe: 537 million files (37%); incl. Great Britain it’s around 40%
- Germany: 122 million files
- France: 115 million files
- Poland: around 36 million files
Getting files is easier
The researchers also mentioned that getting the files was not hard; some servers were not well protected against known scanning methods or attacks. The research paper doesn’t go into much more detail in order to protect the affected people.
Nothing in this story really surprises me: most people share everything and blame Facebook afterwards. Btw mates, Facebook never said they are a social network with zero-knowledge or end-to-end encryption, but it’s easier to blame others, right? And then let’s make big news aka clickbait about it. Oh boy!
Moreover, I see the real problem in people/organizations which don’t tell you the entire truth. They say ‘here, use my configuration/products or my YouTube video in order to secure your server’, which is horribly wrong because this ends in data breaches. Simply because you think you’re secure or more secure, and then the really strange thing happens: they upload files to Facebook, Twitter & Co. linking to their ‘secure’ server and wonder why there is another leak. The ignorance here is at a maximum level. Security is something you can’t get with a configuration file or a piece of software; it’s more like a concept you follow, monitor and constantly improve, but this is hard work which most people aren’t willing to spend.
Overall I think there are two sides of the medal: one which loves to blame social networks or industrial groups in general, and the other side which says people and their configurations are to blame. Both sides should be aware of the fact that the combination of both things holds some kind of balance here. When you don’t upload every toilet video of yourself to WhatsApp or Giphy there will simply be no data breach, because no upload means no data or persons can be exposed with such data.
The Internet is no room for kids, I guess that should be clear by now: everyone and everything tries to get your data, trying to fake something or do something to get your money. It’s like in the real world, the bill has to be paid at the end.
What can you do?
- Don’t upload every shit to your own or an external cloud; yes, it’s more comfortable, but how about a USB drive?
- If you have no clue, simply ask someone who has a clue; don’t use any configuration available on GitHub which promises you more security.
- If you use a NAS then simply don’t upload any private documents; the chance of getting exposed goes to zero.
- Using alternative clients which claim to be more secure or hardened is a cool thing; to make it awesome, ask if there is a security audit, and if not just stay away.
- Consider using secure clouds (if really needed) and encrypt your data in this cloud so that not even the provider gets access to the files.
- Use a YubiKey (or alternatives) and a strong password. Well, it’s a $30 device which you need to buy once; it’s worth it. Two-factor authentication provides an extra layer of security and should be preferred; stay away from services and websites which don’t allow it or which are not planning to add support for it, it’s suspicious.
- Don’t blame social networks because they try to make money with your content; welcome to the real world! Some services really need money in order to provide you with free services/apps etc. Yup, that must be shocking news to some people. Again, welcome to the real world.
- You don’t need high-security encryption apps, 1337 configs or other BS when you simply don’t upload data which can expose you. New info? Nope!
- Hardening your configurations, server/base files and setup is cool, but also ensure that you regularly check it and audit the latest changes; let an expert take a look at it. They cost money but it’s maybe worth it, especially if you really need to host confidential files on it. Do this on a regular basis, every xyz months. 4 eyes see more than 2, sounds logical? Well, it is!
- Even if you obey these rules, there is one aspect you can’t control: what other people share about you, so inform these pricks about the 10 rules here.
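As an added example (not from this post or the Digital Shadows report), a small Python linter for the “audit your configuration” point above: it flags the anonymous-access settings of the three services named in the report, vsftpd’s `anonymous_enable`, Samba shares with `guest ok`/`public`, and rsync modules without `auth users` or `hosts allow`. The three config snippets are constructed samples, not real servers.

```python
import re

# Constructed sample configs carrying the weak settings this post is about.
VSFTPD_CONF = "listen=YES\nanonymous_enable=YES\nlocal_enable=NO\n"
SMB_CONF = """[public]
   path = /srv/share
   guest ok = yes
   read only = no
[finance]
   path = /srv/finance
   valid users = @finance
"""
RSYNCD_CONF = "[backup]\n   path = /srv/backup\n   read only = no\n"

def parse_ini(text):
    """Minimal [section] / key = value parser; keys and values are lower-cased."""
    sections, current = {"global": {}}, "global"
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:  # a share/module header; vsftpd has none, so it stays in "global"
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        key, _, val = line.partition("=")
        sections[current][" ".join(key.lower().split())] = val.strip().lower()
    return sections

def audit_vsftpd(text):
    """Anonymous FTP hands out every file under the FTP root without a login."""
    anon = parse_ini(text)["global"].get("anonymous_enable") == "yes"
    return ["ftp: anonymous_enable=YES (anonymous read access)"] if anon else []

def audit_shares(text, service, is_open):
    """Samba shares and rsync modules use one layout; is_open encodes the rule."""
    findings = []
    for name, opts in parse_ini(text).items():
        if name != "global" and is_open(opts):
            # 'read only' defaults to yes in both daemons; only an explicit no is writable
            mode = "read-write" if opts.get("read only") == "no" else "read-only"
            findings.append(f"{service}: [{name}] reachable without credentials ({mode})")
    return findings

def audit_all():
    # Samba: 'guest ok' (alias 'public'); rsync: no 'auth users' and no 'hosts allow'
    smb = audit_shares(SMB_CONF, "smb", lambda o: o.get("guest ok") == "yes" or o.get("public") == "yes")
    rsync = audit_shares(RSYNCD_CONF, "rsync", lambda o: "auth users" not in o and "hosts allow" not in o)
    return audit_vsftpd(VSFTPD_CONF) + smb + rsync
```

Point the three functions at your real `vsftpd.conf`, `smb.conf` and `rsyncd.conf` and anything they return is a share the whole Internet can read (or write) without a password.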
- When Sharing Is Not Caring: Over 1.5 Billion Files Exposed Through Misconfigured Services (digitalshadows.com)
- ‘Digital Shadow’ Exposes Exactly How Much Facebook Knows About You (theatlantic.com)