How anyone can find databases that companies routinely leave unprotected

Watchdog peeks in internet corners to beat bad guys to caches of sensitive data


Two more stunning disclosures from self-styled internet watchdog Chris Vickery underscore how organizations continue to routinely expose sensitive data in the cloud, risking dire consequences.

“My findings clearly demonstrate that data breaches happen more often than the general public realizes, and companies are quick to deny and cover up these issues,” Vickery says.

Last Friday, Vickery revealed how Habitat for Humanity of Michigan had been making use of two backup virtual hard drives without taking steps to block public access to those drives, which contained “lots of background/credit checks for volunteers and applicants, as well as thousands of Social Security numbers,” he says. The nonprofit organization helps build and renovate affordable housing for needy families.

Leaked files show grim reality

Chris Vickery, security researcher and internet watchdog

In mid-October, Vickery broke news at IDT911’s Privacy Xchange Forum 2016, describing how a California law firm similarly neglected to restrict access to an internet cloud storage location where it kept copies of case files. (IDT911 sponsors ThirdCertainty.) The legal documents Vickery located included notes and surveillance footage appearing to show guards at a police holding cell in La Habra, California, failing to take any action as a 49-year-old prisoner, Daniel Oppenheimer, hanged himself.

The notes of the lawyer—whose firm specialized in defending alleged police misconduct—revealed that he looked at the surveillance video and saw “shadows” of a person twice walking past Oppenheimer’s cell during the strangulation, Vickery says. The shadows weren’t noted, though, in the district attorney’s report investigating any wrongdoing by police in Oppenheimer’s death, and Vickery questions whether the person walking past the cell could have stopped the suicide.

Oppenheimer strangled himself with a telephone cord and the zipper of his jail-issued jumpsuit on Jan. 2, 2015. Earlier that day, Oppenheimer was arrested and charged with attempting to strangle his wife at their La Habra home.

Vickery says he contacted the city lawyer’s firm and an attorney representing Oppenheimer’s daughter, who filed a wrongful-death lawsuit against the city. The firm wanted Vickery to delete what he found on the internet, and the attorney representing Oppenheimer’s daughter said he would subpoena what was discovered, Vickery says.

Vickery hopes some official will be appointed to review what happened at the holding cell. “It’s important to see that justice was done,” he says.

Helping patch problems

Who is Chris Vickery and what motivates him? Vickery is a longtime IT staffer. He recently left his full-time position at an Austin, Texas, law firm, on good terms, to move to California. Because of his profession, Vickery possessed working knowledge of tools such as Amazon S3 buckets and Rsync servers, which companies and agencies increasingly use to store copies of business documents.

He also was familiar with Shodan, a search engine that finds and indexes computing devices connected to the internet, such as smartphones, webcams, power plant controls, routers and servers, including servers that lack minimum safeguards, such as a password.

Related Q&A: How Shodan search engine reveals security shortcomings

Working in his free time from his home in Austin and using his personal computer, Vickery began hunting for unprotected data as sort of a hobby. He realized, of course, that anyone else, including those with criminal intent, could be in the hunt for the same things he was looking for. So he adopted a personal policy of notifying organizations of any major exposures he found, giving them the opportunity to rectify the oversight.

“It feels good to find a million log-ins and know that I helped this company shut this down, and these million people aren’t going to have to worry their email address is being stolen, or their Social Security number is getting out there or something else bad is happening to them,” Vickery says. “I can imagine my grandmother getting caught up in something like this. And if I can prevent something happening to somebody else’s grandmother, it’s a nice thing to do.”

In January, Vickery announced a partnership with MacKeeper—an international IT investment and development company—to establish “the best security and privacy practices.” Vickery assists with security auditing, discovers potential cyber threats, provides solutions for future vulnerabilities, and writes a blog about security and data breaches.

Locking down data not a priority

In an environment where companies amass mountains of data, while also looking to reduce data storage and handling expenses, poor security practices have become the rule, Vickery says.

Typically, an organization has its live production database up and running in real time, but it also needs a backup copy available for the IT staff to tinker with: troubleshooting, testing new techniques and the like.

“The developer team takes a copy of the live production data, and puts it in a development server,” Vickery says. “But for convenience sake, or because of a mistake, they’ll forget or just simply not put a password on it.”
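The failure Vickery describes here, and the Rsync servers mentioned earlier, can be checked for before a copy of production data ever goes online. The script below is an added example, not code from the article or from Vickery: it parses an rsyncd.conf and flags modules that can be read (or written) anonymously from any host, using a constructed sample configuration.

```python
# Added example (not from the article): audit an rsyncd.conf for modules
# shared without a password. The sample configuration below is constructed.
SAMPLE_RSYNCD_CONF = """
uid = nobody

[prod_copy]
path = /srv/backups/prod-db
read only = yes

[scratch]
path = /srv/dev/scratch
read only = no

[dev_dump]
path = /srv/dev/dump
read only = no
auth users = deploy
secrets file = /etc/rsyncd.secrets
hosts allow = 10.0.0.0/8
"""

def parse_rsyncd(text):
    """Return {module: {option: value}}; global options become per-module defaults."""
    global_opts, modules, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            modules[current] = dict(global_opts)
            continue
        key, _, value = line.partition("=")
        (modules[current] if current else global_opts)[key.strip().lower()] = value.strip()
    return modules

def audit_module(opts):
    """Findings for one module; rsync's default is 'read only = yes'."""
    if opts.get("auth users"):
        return []  # clients must present a password from the secrets file
    if opts.get("hosts allow"):
        return ["no password, relies on hosts allow only"]
    findings = ["anonymous read from any host"]
    if opts.get("read only", "yes").lower() in ("no", "false", "0"):
        findings.append("anonymous write from any host")
    return findings

def audit(text):
    found = {name: audit_module(opts) for name, opts in parse_rsyncd(text).items()}
    return {name: f for name, f in found.items() if f}  # only exposed modules
```

Running `audit(SAMPLE_RSYNCD_CONF)` reports `prod_copy` as anonymously readable and `scratch` as anonymously readable and writable, while the password-protected `dev_dump` module produces no finding.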

Vickery emphasizes that he is not a “hacker,” in any technical sense. He is simply conducting internet searches using free tools anyone can learn to master, then using human intellect to connect the dots.

“I’ll find this staging server or development server, and because it has a full copy of the live production data in it, it might as well be the live production database; it’s got all the data in it,” he says.

Other unprotected information Vickery has found on the internet includes registration information of voters in the United States and Mexico, Social Security numbers for millions of people, and at least 10 law firms’ client files.

Vickery estimates that he spends at least 30 hours per week “crawling around the far corners of the internet looking for unsecured data troves.” He concludes that companies’ sloppiness about data protection can be shortsighted.

“I think that companies seem to be so careless because less security equals more profit,” he says. “Worrying about good security requires hiring the right people and being willing to not only pay those people, but also to allocate budget funds for their software and appliances.”

Security, Vickery says, “also slows down the research and development process. Many companies appear unwilling to give up the first-to-market advantage just for the sake of security.”

ThirdCertainty’s Gary Stoller contributed to this story.
