FYI: Someone left 24GB of personal info on 80m US households exposed to the public internet A pair of security researchers working on a web mapping project for security biz vpnMentor have identified what they claim is a database that exposes 80 million US households. In a blog post on Monday, vpnMentor said the database resides on a Microsoft cloud server – presumably Azure – and consists of 24GB of personal …
Given the age constrains (>40 yo), it might be for retirement services (AARP?).
Or, maybe it's just a huge test database for us to try our machine-learning skills upon. Everything was anonymized and is totally random. <joking>.
Has anyone verified any of the contents of portions of the DB?
"It's not for a lack of tools, but a lack of understanding and implementation of the available tools."
Not really. It's so they can avoid - and even better, get rid of - those obstructive sods in IT who make such a fuss about who can get access and the hoops they have to jump through to do it. So much easier just to put it in the cloud. The people who run the cloud don't complicate things like IT do.
What's your explanation for this and all the other reports of unsecured databases and backups we read about?
The data centres are run by IT people. Their brief is to keep the stuff running, install new kit and swap out whatever's failed.
If a client thinks that this is all their in-house IT do (or did may be too often more appropriate) or that it's all that's necessary to be done then maybe that's where the problem lies. Your comment suggests you might be one of those client people who thinks that. If so, ask yourself what stands between you and your business's becoming the subject of the next of these reports.
> Who do you think manages the cloud if it's not IT folk?
Often no one, which is the problem. Who pays for it? Far too often, anyone with a corporate card or a boss willing to sign off on the expense report. Divisions that have poor discipline (due to poor executive leadership and accountability) and like to move fast and break shit (like the law).
Shadow IT is a real thing. Your bright-eyed junior in Finance tells his boss he can do some whizzy data analysis but it's too expensive to get a database server out of IT. But, if his boss will let him have the company credit card number he can get it up and running in Azure this afternoon.
The bright-eyed junior may know numbers, but doesn't have a clue about IT security. And shit like this happens.
Offering technical support to various people over the years, a common scenario I encounter is "Ah, you're being asked to login, enter your username and password", to which the surprising response often is "I don't have one" or "I didn't know I had one". This indicates to me the dangerous belief that "somehow the system knows it's me" without questioning "how is that possible?" Questioning these impressions make people realise there is a depth to technical systems which they had taken for granted. These are intelligent people I'm talking about here so, by extension, I can see that there is a very big problem out there.
Maybe it started with the telephone? If you were to ring the emergency services the operator taking your call can potentially identify you as the person making the call by virtue of the fact that there is a one to one mapping* between you and the operator's switchboard, even though the line between might be multiplexed. People might still think that is the case, but things like NAT knock that on the head.
*Ignoring the possibility that a telephone engineer could swap wires in a green cabinet somewhere.
That Thumbs Down came so quickly after I posted that I can't believe what I said was truly taken on-board. It is only now that banks and other sensitive websites are knuckling down to properly warning users of the implications of getting browsers to remember passwords. One has to remember that users of Cloud-based systems need a similar education. Don't forget that Cloud has been sold as a "get rid of your expensive technical staff - cloud can be setup by more general, less technical, administrative staff."
Downvote or not (it wasn't me), I think you are starting past the beginning. In my experience, most devs, who don't know as much as they want their boss to think, simply turn controls off until something that shouldn't work, like a client program that doesn't properly authenticate, starts working. Maybe later they learn how to do that - but by that time, it's live and no one wants to risk a major crash when they put access controls back on - after all, they don't even know which one made the crap client start working in the first place. They just check and uncheck boxes till the errors go away.
Just like some in the bad old days "coding at the screen" and using copy-pasta till it quit crashing, instead of knowing how to write good code from first principles.
User gets an e-mail flagged with great big security notice that its highly likely to be malicious & already being investigated, clicks on it anyway, contacts the sender when it prompts for her credentials who assures her it’s fine.
Enters her creds, the PDF says “Thanks”, she e-mails back again requesting the sender resends the original attachment as a PDF & comments that "I am starting to think this was a scam to get my credentials." ………
Three weeks later…....Thursday night she gets a hint something is amiss.
All Friday she gets e-mails & people sticking head around her door saying “Did you send this, it doesn’t sound like you”.
Finally, after finishing work on Friday (1 hour time difference BTW) & arriving home, she finally sends an e-mail in querying the fact she hasn’t received a email all day (actually since 3.15pm the previous day).
Security kicks in, changes passwords etc, she ums & arrr’s on the phone saying she might have have given her credentials away three weeks ago & then is suddenly pretty sure she didn’t. I comment that this should have been flagged a lot earlier by her colleagues if not herself, not last thing on a Friday afternoon.
A weekend of trawling through her emails reveals the chain of events above & reveals "she" sent 325+ spam e-mails.
New login ID, new hardware to be shipped to her, Other people get passwords changed & she has conveniently taken the week off suddenly “sick”.
new hardware to be shipped to her,... she has conveniently taken the week off suddenly “sick”.
And there is the problem. Why wasn't she fired for incompetence? If she'd been found to have given someone the keys to the office, or the PIN for a company credit card, she'd be looking for a new job and would perhaps understand why. As it is she's just been "educated" to believe that IT security isn't important and disregarding the rules goes unpunished. She even got a new system out of it.
Not my decision unfortunately & it also annoys the IT Director enormously, we are making sure she gets a similarly aged replacement & not one of the shiny new ones that came in last week.
Along with a guy who let "Microsoft" investigate a problem on his computer by remoting in & two guys in the space of a week with a porn stash (One may have just been dodgy links by deciding to sync Firefox\Chrome with his home account).
It sounds like a scammer's database, maybe for a robodialer. If you have a big cache of stolen data being used for a crime, you don't want any proof of ownership like holding the password or being the only user in the logs. Tons of bots, curious researchers, and prying eyes is better.
This has happened many times in the past. Maybe El Reg can dig up those articles and find the eventual outcome.
...as account credentials, passwords
Sorry, it is far worse. You can change passwords. Changing your home address or your sex or marital status, home ownership status or income bracket etc. is much more difficult. Well, you could walk out on your job, wife and kids and stop paying the mortgage, but that is a bit extreme...
If Microsoft know and have been informed and all the personal data is openly available, then they are at least allowing personal data being exposed to unauthorised access.
Take down the service, work with the owner of the data to ensure it is properly secured and do it NOW!
I am sure there are some Europeans' details on that list, so GDPR legislation also applies. Throw the book at Microsoft and the owner - and hard...
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
