

(SECURITY) Clouds
...not the happy, fluffy things that they are cracked up to be
by @News, March 13, 2019, 12:09am UTC

You won't know if you got hacked

"Everything gets hacked, whether it is by malicious actors using vulnerabilities in a system or through very basic phishing emails. Despite all your efforts to choose the right online storage solution, you could still get hacked. In that case it is essential for you to be aware of the hack as quickly as possible, as you probably want to be able to take action immediately and limit potential damage.

Big companies are not famous for warning their customers after a hack if they can avoid it. They will likely hope that the hack will stay unnoticed so they can keep their users' trust, as it has happened in the past. The only way to make sure you are aware of any incursion on the server where you store your files is to have control over your own infrastructure and be able to monitor what happens with your data."

https://nextcloud.com/blog/the-issue-with-public-cloud/


Bad Cloud examples:

2019-01-26 Make Sure to Download Your Flickr Photos This Weekend - Because this Cloud Service will be deleting everything over 1,000 of your Photos if you are on the Free Account

If you have over 1,000 photos uploaded to Flickr, then you should download them now or risk losing them forever.

Back in April of last year, Yahoo sold Flickr to the company SmugMug. In November SmugMug announced it planned to end the free unlimited image storage that Flickr offered users in January, and instead limit users to 1,000 photos worth of storage for free.

If you have more than 1,000 images on Flickr, then it's a really big deal. Starting February 5th those extra photos are going to be deleted, starting with your oldest ones.

See https://lifehacker.com/make-sure-to-download-your-flickr-photos-this-weekend-1832073708

I spent weeks deleting over 10,000 of my photos off Flickr and now host them on my own hosting at https://photos.gadgeteer.co.za...


2019-06-10 US Customs And Border Protection's Database Of Traveler Photos Was Stolen In A Data Breach

HN Discussion.

US Customs breach

"CBP learned that a subcontractor ... transferred copies of license plate images and traveler images collected by CBP to the subcontractor's company network. The subcontractor's network was subsequently compromised by a malicious cyber-attack."


We have never been a proponent of cloud computing; where "cloud" can simply be defined as someone else's computer.

The reasons were:

  • Criminal hacking,

  • (even your own) state-sponsored criminal hacking,

  • #Idiot-moves, like the one below, which can happen if you do not control your data.

Database of Over 198 Million U.S. Voters Left Exposed On Unsecured Server


We have disavowed the cloud since the first trumpeting of this marketing-oriented name emerged.

Our clients are still on dedicated machines, or on VMs, and we will NOT use:

  • AWS (with its $600 million CIA contract);
  • Azure (with Microsoft being the #1 entrant into the NSA's spying program);
  • or iCloud for any reason.

Files that are encrypted today, done in any manner, will be easy fodder for quantum computers soon enough; and grouping them all together in someone else's cloud where THEY control the access to the files is just … well … a disaster waiting to happen.

People (read that: Companies) who put things in the cloud damn well deserve what they will get.

But God bless 'em anyway.


2017-09-22 Verizon Wireless Internal Credentials, Infrastructure Details Exposed in Amazon S3 Bucket
https://threatpost.com/verizon-wireless-internal-credentials-infrastructure-details-exposed-in-amazon-s3-bucket/128108/

Verizon is the latest company to leak confidential data through an exposed Amazon S3 bucket.


2017-10-05 (update) Yahoo says all 3 billion accounts hacked in 2013 data theft
https://www.zdnet.com/article/yahoo-believes-3-billion-affected-by-2013-hack/

"Yahoo on Tuesday said that all three billion of its accounts were hacked in a 2013 data theft, tripling its earlier estimate of the size of the largest breach in history and sharply increasing the legal exposure of its new owner, Verizon."


2017-12-19 Every Single American Household Exposed in Massive Leak
https://www.infosecurity-magazine.com/news/every-single-american-household/?utm_content=buffereb7a9&utm_medium=social&utm_source=twitter.com&utm_campaign=buffer

Yet another Amazon S3 cloud storage misconfiguration has affected 123 million Americans, across billions of data points.

Hacker News Comments: https://news.ycombinator.com/item?id=15965060


2018-01-03 Degraded performance after forced reboot due to AWS instance maintenance
https://forums.aws.amazon.com/thread.jspa?threadID=269858

Hacker News Comments: https://news.ycombinator.com/item?id=16064611


2018-01-09 Security flaw in CPUs breaks isolation between cloud containers
https://diasp.org/posts/0b6b25a88fe8fc1ca17821f669c2004d67df5841


2018-01-09 Hardcoded Backdoor Found In WD My Cloud NAS With Username "MyDlink"
https://fossbytes.com/hardcoded-backdoor-wd-mycloud-devices-username-mydlink/

"In yet another revelation of severe loopholes, a security researcher James Bercegay from Gulftech has discovered a backdoor in some models of the My Cloud NAS (Network-attached storage) drive family, manufactured by Western Digital. According to the blog post, the vulnerabilities, which include a hardcoded backdoor, can be used to access files even on a […]"


2018-01-12 "You trust the cloud?"
https://blog.jospoortvliet.com/

"What surprised me a little was how few journalists paid attention to the fact that Meltdown in particular breaks the isolation between containers and Virtual Machines - making it quite dangerous to run your code in places like Amazon S3. Meltdown means: anything you have run on Amazon S3 or competing clouds from Google and Microsoft has been exposed to other code running on the same systems.

And storage isn't per se safe, as the systems handling the storage just might also be used for running apps from other customers - who then could have gotten at that data. I wrote a bit more about this in an opinion post for Nextcloud.

We don't know if any breaches happened, of course. We also don't know that they didn't.

That's one of my main issues with the big public cloud providers: we KNOW they hide breaches from us. All the time. For YEARS. Yahoo did particularly nasty [things], but was it really such an outlier? Uber hid data stolen from 57 million users for a year, which came out just November last year."


2018-02-06 Leaky Amazon S3 Bucket Exposes Personal Data of 12,000 Social Media Influencers
https://threatpost.com/leaky-amazon-s3-bucket-exposes-personal-data-of-12000-social-media-influencers/129810


2018-02-08 Gojdue Variant Eludes Microsoft, Google Cloud Protection, Researchers Say
https://threatpost.com/gojdue-variant-eludes-microsoft-google-cloud-protection-researchers-say/129837


2018-03-30 Under Armour App Breach Exposes 150 Million Records
https://www.darkreading.com/endpoint/privacy/under-armour-app-breach-exposes-150-million-records/d/d-id/1331411?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

A breach in a database for MyFitnessPal exposes information on 150 million users.


2018-05 LA County Nonprofit Exposes 3.2M PII Files via Unsecured S3 Bucket
https://www.informationweek.com/whitepaper/cybersecurity/security/the-biggest-cybersecurity-breaches-of-2018-(so-far)/399463?gset=yes&cid=cybr&_mc=cybr

"A misconfiguration accidentally compromised credentials, email addresses, and 200,000 rows of notes describing abuse and suicidal distress."

(more) https://www.darkreading.com/cloud/la-county-nonprofit-exposes-32m-pii-files-via-unsecured-s3-bucket/d/d-id/1331875?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple


2018-05-30 Honda India Left Details of 50,000 Customers Exposed on an AWS S3 Server
https://www.bleepingcomputer.com/news/security/honda-india-left-details-of-50-000-customers-exposed-on-an-aws-s3-server/

https://gbhackers.com/honda-leaked/

"Honda Car India has left the personal details of over 50,000 users exposed on two public Amazon S3 buckets, according to a report published today by Kromtech Security. […]"

"Honda Car India leaked over 50,000 users' personal information from its Honda Connect App, which is stored in publicly unsecured Amazon AWS S3 buckets. Experts recently discovered two public unsecured buckets; inside the AWS bucket is an unprotected database maintained by the Honda Connect App. Honda-Connect is a smartphone app that boasts that it gives the user […]"
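Several of the items above (Verizon, the 123-million-household leak, the influencer data, the LA County nonprofit, Honda India) come down to the same defect: a bucket policy or ACL that lets any principal read. As an added example, not code from the original post or from any of the linked articles, here is a small Python audit that parses an S3 bucket policy document, flags every Allow statement open to any principal, and reports which of the four S3 Public Access Block settings are switched off. The two policy documents, the bucket name and the account id in them are constructed placeholders.

```python
"""Audit S3 bucket policies and Public Access Block settings for public exposure.

Added example (not from the original post). Assumes the standard IAM/S3 policy
JSON format; all sample policies and identifiers below are constructed.
"""
import json
from typing import Any, Dict, List

# The four account/bucket-level S3 Public Access Block settings.
PUBLIC_ACCESS_BLOCK_KEYS = (
    "BlockPublicAcls",
    "IgnorePublicAcls",
    "BlockPublicPolicy",
    "RestrictPublicBuckets",
)

# Constructed sample: a policy that makes every object world-readable.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
})

# Constructed sample: access limited to one IAM role (placeholder account id),
# plus a Deny for unencrypted transport. The Deny uses Principal "*" too, but
# a Deny never widens access, so the audit must not report it.
SAFE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AppRoleOnly",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-role"},
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": "arn:aws:s3:::example-bucket/*",
        },
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::example-bucket/*",
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
})


def _as_list(value: Any) -> List[Any]:
    """Policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal: Any) -> bool:
    """True when Principal matches anyone: "*" or {"AWS": "*"} (or "*" in a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def find_public_statements(policy_json: str) -> List[Dict[str, Any]]:
    """Return one finding per Allow statement that any principal can use.

    Statements carrying a Condition are still reported but marked
    'conditional': some conditions (source VPC endpoint, source IP) narrow
    the audience, so those need a human review rather than automatic trust.
    """
    policy = json.loads(policy_json)
    findings: List[Dict[str, Any]] = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements cannot grant public access
        if not _principal_is_public(stmt.get("Principal")):
            continue
        findings.append({
            "sid": stmt.get("Sid", "<no Sid>"),
            "actions": _as_list(stmt.get("Action")),
            "resources": _as_list(stmt.get("Resource")),
            "conditional": "Condition" in stmt,
        })
    return findings


def public_access_block_gaps(config: Dict[str, bool]) -> List[str]:
    """Names of the Public Access Block settings that are missing or disabled."""
    return [key for key in PUBLIC_ACCESS_BLOCK_KEYS if not config.get(key, False)]


if __name__ == "__main__":
    for name, doc in (("WEAK_POLICY", WEAK_POLICY), ("SAFE_POLICY", SAFE_POLICY)):
        print(name, "public statements:", find_public_statements(doc))
    # Constructed: a bucket where only the ACL-related settings were enabled.
    print("missing settings:", public_access_block_gaps(
        {"BlockPublicAcls": True, "IgnorePublicAcls": True}))
```

In practice the two inputs come from the bucket's policy and Public Access Block configuration as returned by the AWS API; the audit is only as good as its inventory, so run it over every bucket in every account rather than the ones you remember creating.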


2018-06-04 Google Groups Are Leaking Your Sensitive Emails: Here's How To Fix It
https://fossbytes.com/how-to-fix-google-groups-misconfiguration/

"If you are using Google Groups, you need to check your privacy settings right now and make sure that the configuration doesn't leak any sensitive information. This message comes from Kenna Security which found that nearly one-third of 9,600 public Google Groups leaked sensitive information in emails sent through the platform. The security firm found such public […]"


2018-06-04 What is wrong with Microsoft buying GitHub
https://news.ycombinator.com/item?id=17225599

"According to Bloomberg [1], Microsoft is said to have agreed to buy GitHub. [2] GitHub, which reportedly has been losing money, being acquired is a major development because of its central role in the development of many open and closed source projects.

For the uninitiated, here is what GitHub does in a nutshell: GitHub allows computer programmers from around the world to conveniently collaborate on projects, share bug reports and fix those bugs, and allows the administration of some project documentation. The company provides this service for free to entities that provide their code for free to the world, and for 'closed source' projects there is a fee to be paid. GitHub is in essence a friendly wrapper around [3] Git, an open source version control system written by Linus Torvalds (of Linux fame) and many others. Git already does decentralized repository hosting out of the box, but it does not support any kind of discovery method, bug tracking or documentation features. GitHub built a community of programmers around Git, and many open source contributors consider GitHub too big to fail.

Companies that are too big to fail and that lose money are a dangerous combination; people have warned about GitHub becoming as large as it did as problematic because it concentrates too much of the power to make or break the open source world in a single entity, more so because there were valid questions about GitHub's financial viability. The model that GitHub has - sell their services to closed source companies but provide the service for free for open source groups - is only a good one if the closed source companies bring in enough funds to sustain the model. Some sort of solution should have been found - preferably in collaboration with the community - not an 'exit' to one of the biggest sharks in the tank.

So, here is what is wrong with this deal and why anybody active in the open source community should be upset that Microsoft is going to be the steward of this large body of code. For starters, Microsoft has a very long history of abusing its position vis-a-vis open source and other companies. I'm sure you'll be able to tell I'm a cranky old guy by looking up the dates to some of these references, but 'new boss, same as the old boss' applies as far as I'm concerned. Yes, the new boss is a nicer guy but it's the same corporate entity. Some concrete examples of the things Microsoft have done:

  • Abuse of their de facto monopoly position to squash competition, including [4] abuse of the DD process to gain insight into a competitor's software

  • Bankrolling the [5] SCO Lawsuit that ran for many years in order to harm Linux in the marketplace

  • Abuse of their monopoly position to unfairly compete with other browser vendors, including [6] Netscape

  • Subverting open standards with a policy of [7] Embrace, Extend, Extinguish

  • The recent [8] Windows 10 Telemetry abuse

  • The acquisition of Skype, after which all the peer-to-peer traffic was routed through Microsoft, essentially allowing them to snoop on the conversations. To pre-empt the technical counter argument that this was done to improve the service: it only improved the service for some edge cases; for everybody else the service got worse because of the extra round-trip latency. So if that was the real reason then you'd have expected to see the traffic routed to the central servers only if one of those edge cases was detected.

  • Unfair advantage over competitors by using internal APIs for applications unavailable for competing products

  • Tied sales and bundling

  • Abuse of [9] Patents

The list is endless. So, this is the company that you want to trust with becoming the steward of a very large chunk of the open source world? Not me. And for all you closed source customers of GitHub, do you really want the company that abused a due-diligence process faking an acquisition interest to have the inside scoop on your code?

I've deleted my GitHub account; I'll find a way to replace it, and if you're halfway clever so should you. Foxes may change their coats; they don't change their nature."

References

[1] https://www.bloomberg.com/news/articles/2018-06-03/microsoft-is-said-to-have-agreed-to-acquire-coding-site-github
[2] https://github.com/
[3] https://en.wikipedia.org/wiki/Git
[4] https://en.wikipedia.org/wiki/Stac_Electronics
[5] https://en.wikipedia.org/wiki/SCO-Linux_disputes
[6] https://en.wikipedia.org/wiki/Browser_wars
[7] https://en.wikipedia.org/wiki/Embrace,_extend,_and_extinguish
[8] https://www.independent.co.uk/life-style/gadgets-and-tech/news/windows-10-sends-personal-data-to-microsoft-even-if-users-tell-it-not-to-10453549.html
[9] https://www.computerworld.com/article/2560825/enterprise-applications/microsoft-fat-patents-upheld.html


2018-06-05 MyHeritage Alerts Users to Data Breach
https://www.darkreading.com/myheritage-alerts-users-to-data-breach/d/d-id/1331966?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

A researcher found email addresses and hashed passwords of nearly 92.3 million users stored on a server outside MyHeritage.

"MyHeritage, a platform designed to investigate family history, learned of a data breach on June 4, 2018. It reports the incident affected email addresses and hashed passwords of nearly 92.3 million users who signed up for the site before and including Oct. 26, 2017, the date of the incident.

A security researcher discovered a file named "myheritage" containing email addresses and passwords on a private server outside the site. Further analysis found the file was legitimate, with the data originating from MyHeritage. No other data was detected on the server, and there was no evidence of account compromise. MyHeritage handles billing through third parties and stores sensitive data such as DNA and family trees on segregated servers with added security."


2018-06-07 Ticketfly cyberattack exposed data belonging to 27 million accounts
https://www.zdnet.com/article/ticketfly-cyberattack-exposed-data-belonging-to-27-million-accounts/#ftag=RSSbaffb68

Financial information is thought to be safe.


2018-06-27 A little-known Florida company may have exposed the personal data of nearly every American adult, according to a new report.

"Wired reported Wednesday that Exactis, a Palm Coast, Fla.-based marketing and data-aggregation company, had exposed a database containing almost 2 terabytes of data, containing nearly 340 million individual records, on a public server. That included records of 230 million consumers and 110 million businesses.

"It seems like this is a database with pretty much every U.S. citizen in it," security researcher Vinny Troia, who discovered the breach earlier this month, told Wired. "I don't know where the data is coming from, but it's one of the most comprehensive collections I've ever seen", he said."

https://www.marketwatch.com/story/a-new-data-breach-may-have-exposed-personal-information-of-almost-every-american-adult-2018-06-27


2018-06-29 A massive cache of law enforcement personnel data has leaked
https://www.zdnet.com/article/a-massive-cache-of-law-enforcement-personnel-data-has-leaked/#ftag=RSSbaffb68

Exclusive: The data revealed that some police departments are unable to respond in an active shooter event.


2019-06-27 Open Marketing Database Exposes 5 Million Personal Records
https://www.bleepingcomputer.com/news/security/open-marketing-database-exposes-5-million-personal-records/

Health Care breach

An unsecured MongoDB instance belonging to health insurance marketing website MedicareSupplement.com was discovered online last month containing as many as 5 million records. The data cache included personal information as well as health details.
