Here’s How 2.3 Billion Files And 11 Million Photos, ‘Private’ Ones Included, Were Exposed Online



Newly-published research has found that 2.3 billion files have been publicly exposed online. The files themselves, which include credit card and medical data as well as intellectual property patents, were discovered by the Digital Shadows researchers across the cloud, network-attached storage and company servers. Separately, other security researchers uncovered a vulnerability at a photo-sharing service that leaked at least 11 million photographs including many categorized as private.


Here’s what you need to know.


How have 2.3 billion files been exposed?


The latest Too Much Information report from the Photon Research Team at Digital Shadows found that some 2.3 billion files had been “exposed across SMB-enabled file shares, misconfigured network-attached storage (NAS) devices, File Transfer Protocol (FTP) and rsync servers and Amazon S3 buckets.” That’s a lot of cloud services, storage and file servers (the SMB in question being the Server Message Block file-sharing protocol, not small and medium businesses) that are all leaking data. Indeed, it amounts to a total of 750 million more files than the same researchers found to have been leaked the previous year.


While the researchers admit that not all the files were of a sensitive or confidential nature, plenty of them were. Amongst the billions of files, accessible to researchers and hackers alike, were such things as medical data including millions of x-rays and scans, credit card details, payroll files and intellectual property patents, all sitting alongside the less sensitive material in misconfigured cloud and network storage servers. Perhaps unsurprisingly, the researchers also found 17 million files that had been encrypted by ransomware—I say “perhaps,” as you might have expected more to have been caught by the ransomware attackers, since files exposed like this are a prime target for many ransomware variants.


What’s the problem here?


The common denominator across these exposed files is misconfiguration. So what’s going wrong and why are configuration errors still such a problem when you’d think that getting the security basics right would be top of the agenda for businesses and service providers alike? More importantly, what can be done to rectify the situation?


The report isn’t all bad news on this front, with the number of files leaked by Amazon S3 buckets (public cloud storage resources) dropping from 16 million last year to the thousands this year. That can largely be put down to Amazon introducing its Block Public Access feature, which prevents any setting that would allow public access to data from being applied to a bucket. However, this obviously isn’t really denting the overall poor picture presented by the research headline figures. With the European Union’s General Data Protection Regulation (GDPR) now in full swing, this is a problem that needs to go away or it will get very expensive, very quickly, for the organizations concerned.
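To make concrete what a setting like Block Public Access actually does, here is an added, self-contained model (not code from the article, Digital Shadows or AWS) of how its four switches interact with a bucket’s ACL grants and bucket policy. The switch names match the real S3 settings; the evaluation logic, the `Bucket` class, the `audit()` helper and the sample buckets are assumptions constructed for illustration, and AWS’s real evaluation has more nuance (for instance, `RestrictPublicBuckets` still permits AWS service principals and authorized users).

```python
"""
Simplified, offline model of Amazon S3 Block Public Access (added example,
not AWS code). It shows the two effects the feature has:
  * it REJECTS attempts to apply a public ACL or public bucket policy, and
  * it NEUTRALISES public ACLs/policies that were already in place.
"""
from dataclasses import dataclass, field

# Grantee URIs that S3 treats as "public" in an ACL (real values).
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


@dataclass
class PublicAccessBlock:
    """The four real Block Public Access switches, all off by default here."""
    block_public_acls: bool = False       # reject new public ACL grants
    ignore_public_acls: bool = False      # ignore public grants already present
    block_public_policy: bool = False     # reject new public bucket policies
    restrict_public_buckets: bool = False  # ignore an existing public policy


@dataclass
class Bucket:
    """Constructed stand-in for a bucket and its access configuration."""
    name: str
    acl_grantees: set = field(default_factory=set)
    policy_statements: list = field(default_factory=list)
    pab: PublicAccessBlock = field(default_factory=PublicAccessBlock)


def policy_is_public(statements):
    """True if any Allow statement has a wildcard principal and no Condition."""
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        wildcard = principal == "*" or (
            isinstance(principal, dict) and principal.get("AWS") == "*"
        )
        if wildcard and not stmt.get("Condition"):
            return True
    return False


def put_bucket_acl(bucket, grantees):
    """Apply an ACL; BlockPublicAcls makes a public grant fail, as S3 does."""
    if bucket.pab.block_public_acls and grantees & PUBLIC_GRANTEES:
        raise PermissionError("AccessDenied: BlockPublicAcls rejects public ACL grant")
    bucket.acl_grantees = set(grantees)


def put_bucket_policy(bucket, statements):
    """Apply a bucket policy; BlockPublicPolicy makes a public policy fail."""
    if bucket.pab.block_public_policy and policy_is_public(statements):
        raise PermissionError("AccessDenied: BlockPublicPolicy rejects public policy")
    bucket.policy_statements = list(statements)


def anonymous_read_allowed(bucket):
    """Would an unauthenticated listing/read succeed? (simplified model)"""
    via_acl = bool(bucket.acl_grantees & PUBLIC_GRANTEES) and not bucket.pab.ignore_public_acls
    via_policy = policy_is_public(bucket.policy_statements) and not bucket.pab.restrict_public_buckets
    return via_acl or via_policy


def audit(buckets):
    """Names of the buckets an anonymous user could read: what a defender wants to know."""
    return sorted(b.name for b in buckets if anonymous_read_allowed(b))


if __name__ == "__main__":
    # Constructed sample: a legacy bucket made public by ACL years ago.
    legacy = Bucket("legacy-exports")
    put_bucket_acl(legacy, {"http://acs.amazonaws.com/groups/global/AllUsers"})
    print("before Block Public Access:", audit([legacy]))   # ['legacy-exports']

    # Turning all four switches on neutralises the existing public grant.
    legacy.pab = PublicAccessBlock(True, True, True, True)
    print("after Block Public Access: ", audit([legacy]))   # []

    # And on a hardened bucket the mistake cannot be introduced at all.
    hardened = Bucket("hardened", pab=PublicAccessBlock(True, True, True, True))
    try:
        put_bucket_policy(hardened, [{"Effect": "Allow", "Principal": "*",
                                      "Action": "s3:GetObject", "Resource": "*"}])
    except PermissionError as err:
        print("rejected:", err)
```

The point the model makes is the one Thompson makes below: the bucket starts out deny-all, and the exposure is something an operator has to add, so the defensive control is to make that addition impossible at the account level and to audit for buckets that pre-date it.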


The security industry speaks out


I started my day this morning having an online group chat about this with a collective of information security professionals, encompassing everything from corporate heads of security through to security researchers, called The Beer Farmers. Here’s what they had to say on the matter.


Chrissy Morgan was concerned by the fact that 4.7 million medical-related files were exposed online, double the number the researchers had found the previous year. “More funding should be given towards the education and support of IT departments within the medical world to aid with implementation of proper configuration,” she said. Ian Thornton-Trump agreed that “this is indicative of the cloud security skills-gap in IT and a lack of upskilling investment by business. Plus the shift to DevOps and amount of ‘Shadow IT’ in companies is also part of the problem.” Mike Thompson picked up on this, telling me that, using the Amazon S3 buckets example, “the default security policies are deny all, so you’ve really got to introduce the risk yourself.”


But therein lies the rub. Broadly speaking when it comes to online storage “getting it to work is easy, getting it to work securely is hard” according to John Opdenakker, “especially if you don’t know WTF you are doing.” Thompson agrees that the assumption by many that the cloud services provider will apply all of the required security controls is both worrying and wildly inaccurate. “Companies need to apply these controls themselves and also ensure that adequate testing is carried out,” Thompson says, “well ahead of going into production.” Or, as Opdenakker puts it, “that’s why it’s important to introduce security in the software lifecycle from the beginning and have enough runway to test configurations with security features enabled.”


Which brought our conversation to the real heart of the matter: in order to secure your infrastructure you need to know your assets. “A lot of companies don’t have asset management in place,” Opdenakker says, concluding that this is doomed to go wrong sooner or later. Sadly, my bet is on sooner even if the data protection explosion isn’t detected until later, if at all…


And those 11 million photos you mentioned?


Ah yes, this particular leak was discovered by the vpnMentor research team of Noam Rotem and Ran Locar. Calling it a “huge data leak,” the researchers uncovered a vulnerability in the Theta360 photo-sharing platform operated by Japanese imaging giant Ricoh. Having found that they could access “more than 11 million unencrypted posts from Theta360’s database,” the researchers inserted the Universally Unique Identifier (UUID) data into the Elasticsearch database and found this gave them access to any exposed photos. As well as being able to connect the usernames in the database to the user’s social media account in some cases, they also discovered they could access photos from accounts flagged as “private” as well as the public ones.


The research team was quick to point out that it examined the data but didn’t download the database itself so as to uphold their ethical hacking standards. However, that private and unlisted accounts could be found does lay open the specter of potential life-changing consequence for users whose “illicit photos” may have been revealed. “In some professions, this could cost a user their job,” the vpnMentor report points out, “for others, leaked photos may share information about affairs or even vacations that need to remain secret. Geo-tags in data can easily lead to more sensitive information about a user.”


The good news here is how quickly Theta360 responded to the disclosure of the vulnerability. The company was informed on May 15 and the leak was sealed by May 16. “We want to note that Theta360’s response to our discovery was the most professional of any company that we’ve contacted about a leak,” the report notes, “they quickly and efficiently closed the breach to protect their users.”
