Tech & Science: Your most sensitive data is likely exposed online. These people try to find it

10:25 12 May 2019 Source: cnet.com

Your login credentials could be on the cloud for anyone to grab.

Justin Paine sits in a pub in Oakland, California, searching the internet for your most sensitive data. It doesn't take him long to find a promising lead.

On his laptop, he opens Shodan, a searchable index of cloud servers and other internet-connected devices. Then he types the keyword "Kibana," which reveals more than 15,000 databases stored online. Paine starts digging through the results, a plate of chicken tenders and fries growing cold next to him.

"This one's from Russia. This one's from China," Paine said. "This one is just wide open."

From there, Paine can sift through each database and check its contents. One database appears to have information about hotel room service. If he keeps looking deeper, he might find credit card or passport numbers. That isn't far-fetched. In the past, he's found databases containing patient information from drug addiction treatment centers, as well as library borrowing records and online gambling transactions.

Paine is part of an informal army of web researchers who indulge an obscure passion: scouring the internet for unsecured databases. The databases -- unencrypted and in plain sight -- can contain all sorts of sensitive information, including names, addresses, telephone numbers, bank details, Social Security numbers and medical diagnoses. In the wrong hands, the data could be exploited for fraud, identity theft or blackmail.

The data-hunting community is both eclectic and global. Some of its members are professional security experts, others are hobbyists. Some are advanced programmers, others can't write a line of code. They're in Ukraine, Israel, Australia, the US and just about any country you name. They share a common purpose: spurring database owners to lock down your info.

The pursuit of unsecured data is a sign of the times. Any organization -- a private company, a nonprofit or a government agency -- can store data on the cloud easily and cheaply. But many software tools that help put databases on the cloud leave the data exposed by default. Even when the tools do make data private from the start, not every organization has the expertise to know it should leave those protections in place. Often, the data just sits there in plain text waiting to be read. That means there'll always be something for people like Paine to find. In April, researchers in Israel found demographic details on more than 80 million US households, including addresses, ages and income level.

No one knows how big the problem is, says Troy Hunt, a cybersecurity expert who's chronicled on his blog the issue of exposed databases. There are far more unsecured databases than those publicized by researchers, he says, but you can only count the ones you can see. What's more, new databases are constantly added to the cloud.

"It's one of those tip-of-the-iceberg situations," Hunt said.

To search out databases, you have to have a high tolerance for boredom and a higher one for disappointment. Paine said it would take hours to find out whether the hotel room service database was actually a cache of exposed sensitive data. Poring over databases can be mind-numbing and tends to be full of false leads. It isn't like searching for a needle in a haystack; it's like searching fields of haystacks hoping one might contain a needle. What's more, there's no guarantee the hunters will be able to prompt the owners of an exposed database to fix the problem. Sometimes, the owner will threaten legal action instead.

Database jackpot

The payoff, however, can be a thrill. Bob Diachenko, who hunts databases from his office in Ukraine, used to work in public relations for a company called Kromtech, which learned from a security researcher that it had a data breach. The experience intrigued Diachenko, and with no experience he dove into hunting databases. In July, he found records on thousands of US voters in an unsecured database, simply by using the keyword "voter."

"If me, a guy with no technical background, can find this data," Diachenko said, "then anybody in the world can find this data."

In January, Diachenko found 24 million financial documents related to US mortgages and banking on an exposed database. The publicity generated by the find, as well as others, helps Diachenko promote SecurityDiscovery.com, a cybersecurity consulting business he set up after leaving his previous job.

Publicizing a problem

Chris Vickery, a director of cyberrisk research at UpGuard, says big finds raise awareness and help drum up business from companies anxious to make sure their names aren't associated with sloppy practices. Even if the companies don't choose UpGuard, he said, the public nature of discoveries helps his field grow.

Earlier this year, Vickery looked for something big by searching on "data lake," a term for large compilations of data stored in multiple file formats.

The search helped his team make one of the biggest finds to date, a cache of 540 million Facebook records that included users' names, Facebook ID numbers and about 22,000 unencrypted passwords stored in the cloud. The data had been stored by third-party companies, not Facebook itself.

"I was swinging for the fences," Vickery said, describing the process.

Getting it secured

Facebook said it acted swiftly to get the data removed. But not all companies are responsive.

When database hunters can't get a company to react, they sometimes turn to a security writer who uses the pen name Dissent. She used to hunt unsecured databases herself but now spends her time prompting companies to respond to data exposures that other researchers find.

"An optimal response is, 'Thank you for letting us know. We're securing it and we're notifying patients or customers and the relevant regulators,'" said Dissent, who asked to be identified by her pen name to protect her privacy.

Not every company understands what it means for data to be exposed, something Dissent has documented on her website Databreaches.net. In 2017, Diachenko sought her help in reporting exposed health records from a financial software vendor to a New York City hospital.

The hospital described the exposure as a hack, even though Diachenko had simply found the data online and didn't break any passwords or encryption to see it. Dissent wrote a blog post explaining that a hospital contractor had left the data unsecured. The hospital hired an external IT company to investigate.

Tools for good or bad

The search tools that database hunters use are powerful.

Sitting in the pub, Paine shows me one of his techniques, which has let him find exposed data on Amazon Web Services databases and which he said was "hacked together with various different tools." The makeshift approach is necessary because data stored on Amazon's cloud service isn't indexed on Shodan.

First, he opens a tool called Bucket Stream, which searches through public logs of the security certificates that websites need to access encryption technology. The logs let Paine find the names of new "buckets," or containers for data, stored by Amazon, and check whether they're publicly viewable.

Then he uses a separate tool to create a searchable database of his findings.

For someone who searches for caches of personal data down between the couch cushions of the internet, Paine doesn't display glee or dismay as he examines the results. This is just the reality of the internet. It's filled with databases that should be locked behind a password and encrypted but aren't.

Ideally, companies would hire experts to do the work he does, he says. Companies, he says, should "make sure your data isn't leaking."

If that happened more often, Paine would have to find a new hobby. But that might be hard for him.

"It's a little bit like a drug," he said, before finally getting around to digging into his fries and chicken.
