How anyone can find databases that companies routinely leave unprotected
Watchdog peeks in internet corners to beat bad guys to caches of sensitive data
By Byron Acohido, ThirdCertainty
Two more stunning disclosures from self-styled internet watchdog Chris Vickery underscore how organizations continue to routinely expose sensitive data in the cloud, risking dire consequences.
“My findings clearly demonstrate that data breaches happen more often than the general public realizes, and companies are quick to deny and cover up these issues,” Vickery says.
Last Friday, Vickery revealed how Habitat for Humanity of Michigan had been making use of two backup virtual hard drives without taking steps to block public access to those drives, which contained “lots of background/credit checks for volunteers and applicants, as well as thousands of Social Security numbers,” he says. The nonprofit organization helps build and renovate affordable housing for needy families.
Leaked files show grim reality
In mid-October, Vickery broke news at IDT911’s Privacy Xchange Forum 2016, describing how a California law firm similarly neglected to restrict access to an internet cloud storage location where it kept copies of case files. (IDT911 sponsors ThirdCertainty.) The legal documents Vickery located included notes and surveillance footage appearing to show guards at a police holding cell in La Habra, California, failing to take any action as a 49-year-old prisoner, Daniel Oppenheimer, hanged himself.
The notes of the lawyer—whose firm specialized in defending alleged police misconduct—revealed that he looked at the surveillance video and saw “shadows” of a person twice walking past Oppenheimer’s cell during the strangulation, Vickery says. The shadows weren’t noted, though, in the district attorney’s report investigating any wrongdoing by police in Oppenheimer’s death, and Vickery questions whether the person walking past the cell could have stopped the suicide.
Oppenheimer strangled himself with a telephone cord and the zipper of his jail-issued jumpsuit on Jan. 2, 2015. Earlier that day, Oppenheimer was arrested and charged with attempting to strangle his wife at their La Habra home.
Vickery says he contacted the city lawyer’s firm and an attorney representing Oppenheimer’s daughter who filed a wrongful-death lawsuit against the city. The firm wanted Vickery to delete what he found on the internet, and the attorney representing Oppenheimer’s daughter said he would subpoena what was discovered, Vickery says.
Vickery hopes some official will be appointed to review what happened at the holding cell. “It’s important to see that justice was done,” he says.
Helping patch problems
Who is Chris Vickery and what motivates him? Vickery is a longtime IT staffer. He recently left his full-time position at an Austin, Texas, law firm, on good terms, to move to California. Because of his profession, Vickery had working knowledge of tools such as Amazon S3 buckets and rsync servers, which companies and agencies increasingly use to store copies of business documents.
He also was familiar with Shodan, a search engine that finds and indexes computing devices connected to the internet, such as smartphones, webcams, power plant controls, routers and servers, including servers that lack minimum safeguards, such as a password.
Working in his free time from his home in Austin and using his personal computer, Vickery began hunting for unprotected data as sort of a hobby. He realized, of course, that anyone else, including those with criminal intent, could be in the hunt for the same things he was looking for. So he adopted a personal policy of notifying organizations of any major exposures he found, giving them the opportunity to rectify the oversight.
“It feels good to find a million log-ins and know that I helped this company shut this down, and these million people aren’t going to have to worry their email address is being stolen, or their Social Security number is getting out there or something else bad is happening to them,” Vickery says. “I can imagine my grandmother getting caught up in something like this. And if I can prevent something happening to somebody else’s grandmother, it’s a nice thing to do.”
In January, Vickery announced a partnership with MacKeeper—an international IT investment and development company—to establish “the best security and privacy practices.” Vickery assists with security auditing, discovers potential cyber threats, provides solutions for future vulnerabilities, and writes a blog about security and data breaches.
Locking down data not a priority
In an environment where companies amass mountains of data, while also looking to reduce data storage and handling expenses, poor security practices have become the rule, Vickery says.
Typically, an organization might have its live production database up and running in real time, but also need to have a backup version available for the IT staff to tinker with, troubleshooting, testing new techniques and the like.
“The developer team takes a copy of the live production data, and puts it in a development server,” Vickery says. “But for convenience sake, or because of a mistake, they’ll forget or just simply not put a password on it.”
Vickery emphasizes that he is not a “hacker,” in any technical sense. He is simply conducting internet searches using free tools anyone can learn to master, then using human intellect to connect the dots.
“I’ll find this staging server or development server, and because it has a full copy of the live production data in it, it might as well be the live production database; it’s got all the data in it,” he says.
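The two exposure types the article names, an S3 bucket that answers an anonymous listing request and an rsync daemon that hands out its module list without credentials, are easy to check for on your own assets. The script below is an added example written for this page; it is not Vickery's tooling and not code from the article. It uses only the Python standard library. The bucket name, hostname and sample replies are constructed placeholders, and the embedded S3 XML and rsync reply are made-up inputs so the parsers can be exercised offline. Run it only against buckets and hosts you are authorized to test.

```python
"""Check a bucket or host for the exposures described above:
an S3 bucket that allows anonymous listing, and an rsync daemon that
answers an anonymous '#list' request. Standard library only."""
import socket
import sys
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

S3_NS = "{http://s3.amazonaws.com/doc/2006-03-01/}"
RSYNC_PORT = 873

# Constructed sample replies (not captured from any real system).
SAMPLE_S3_LISTING = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">'
    "<Name>example-backups</Name>"
    "<Contents><Key>backup-2016-10.vhd</Key></Contents>"
    "<Contents><Key>dev/db-dump.sql</Key></Contents>"
    "</ListBucketResult>"
)
SAMPLE_S3_DENIED = "<Error><Code>AccessDenied</Code></Error>"
SAMPLE_RSYNC_REPLY = "backups        \tnightly db dumps\nhomes          \tuser home dirs\n"


def parse_s3_listing(xml_text):
    """Return the object keys in an S3 ListBucketResult document.
    Raises ValueError if the document is something else (e.g. an <Error>)."""
    root = ET.fromstring(xml_text)
    if root.tag != S3_NS + "ListBucketResult":
        raise ValueError("not a bucket listing: %s" % root.tag)
    return [c.findtext(S3_NS + "Key") for c in root.iter(S3_NS + "Contents")]


def s3_bucket_is_public(bucket, timeout=5):
    """Anonymous GET on the bucket root. A world-listable bucket returns the
    XML listing; a locked-down one answers 403 AccessDenied. Returns
    (public?, keys_or_reason)."""
    url = "https://%s.s3.amazonaws.com/" % bucket
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return True, parse_s3_listing(resp.read())
    except urllib.error.HTTPError as e:
        return False, ["HTTP %d" % e.code]
    except (ValueError, OSError) as e:
        return False, [str(e)]


def parse_rsync_module_list(text):
    """Parse the daemon's reply to '#list': one 'name<TAB>comment' line per
    module. Lines starting with '@RSYNCD:' are protocol chatter, not modules.
    A configured motd would also appear here and is not filtered out."""
    modules = {}
    for line in text.splitlines():
        if line.startswith("@RSYNCD:") or not line.strip():
            continue
        name, _, comment = line.partition("\t")
        modules[name.strip()] = comment.strip()
    return modules


def rsync_anonymous_modules(host, port=RSYNC_PORT, timeout=5):
    """Complete the rsync daemon greeting and request the module list
    without any credentials. Returns {module: comment}; an empty dict means
    nothing was listed (or the service is not an rsync daemon)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        f = sock.makefile("rwb")
        greeting = f.readline()          # e.g. b"@RSYNCD: 31.0\n"
        if not greeting.startswith(b"@RSYNCD:"):
            return {}
        version = greeting.split()[1]    # echo only the version token back
        f.write(b"@RSYNCD: " + version + b"\n")
        f.write(b"#list\n")
        f.flush()
        reply = b""
        while True:
            line = f.readline()
            if not line or line.startswith(b"@RSYNCD: EXIT"):
                break
            reply += line
    return parse_rsync_module_list(reply.decode("utf-8", "replace"))


if __name__ == "__main__":
    # Usage: python probe.py <bucket-name> <rsync-host>   (placeholders shown)
    bucket = sys.argv[1] if len(sys.argv) > 1 else "example-backups"
    host = sys.argv[2] if len(sys.argv) > 2 else "backup.example.com"
    print("S3 %s: %s" % (bucket, s3_bucket_is_public(bucket)))
    try:
        print("rsync %s: %s" % (host, rsync_anonymous_modules(host)))
    except OSError as e:
        print("rsync %s: %s" % (host, e))
```

A bucket that returns the listing to an unauthenticated client is exactly the exposure described in the article, regardless of whether the objects themselves are readable; an rsync daemon that lists modules anonymously should then be checked for modules that also allow anonymous reads. Both findings are fixed by configuration (bucket ACL/policy and the daemon's auth users), not by relying on nobody finding the host.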
Other unprotected information Vickery has found on the internet includes registration information of voters in the United States and Mexico, Social Security numbers for millions of people, and at least 10 law firms’ client files.
Vickery estimates that he spends at least 30 hours per week “crawling around the far corners of the internet looking for unsecured data troves.” He concludes that companies’ sloppiness about data protection can be shortsighted.
“I think that companies seem to be so careless because less security equals more profit,” he says. “Worrying about good security requires hiring the right people and being willing to not only pay those people, but also to allocate budget funds for their software and appliances.”
Security, Vickery says, “also slows down the research and development process. Many companies appear unwilling to give up the first-to-market advantage just for the sake of security.”
ThirdCertainty’s Gary Stoller contributed to this story.