Side-Quest: The Internet Is Wide-Open
The corporate responsibility for the crisis we're in today
I’ve got like 6 drafts in the works right now, but I wanted to get this out today because, as a former grey-hat[1] hacker, I feel a kind of responsibility to tell people when I see some crazy things going on in the world of information security.
Right now, it is perhaps as crazy as I have ever seen.
I’m constantly coming across sensitive data that is just wide-open to the public on the web. Only a tiny bit of curiosity is all it takes, and you can find yourself looking at mountains of personal data from institutions big and small, covering millions of individual people in all corners of the world.
Just this week, I uncovered entire patient records and actual medication prescriptions written by doctors working at dozens of clinics and hospitals throughout India. I found where one Chinese communications company stores all the chat files sent by their users to one another, including pictures, videos, private documents, and more. I found the data for a Singaporean education consultancy, which had all their travel documents, receipts, and detailed information on all of their official travel, including pickup and drop-off locations (usually by taxi or uber) just sitting there in the open. I found personal income statements, tax documents, passports.
Over 15 years ago, on a blog long defunct, I wrote an explainer detailing how I was able to do a google search for any subject - in my case, it was “pc computer parts store” - pick a result from the top 5, and I had a better-than-50% chance of exposing the secrets hidden in their back-end systems with minor effort.
For my very first target, a small store chain here in Australia which came up as the second result in my search, their database had plain-text credit card numbers, names, and home addresses for every order in their system. It had personnel files for their employees, who was logged on at the register in the store, everything.
The data took me all of about 15-20 minutes to obtain.
Almost no one read it at the time, save for one curious black-hat group that contacted me out of the blue one day, telling me they could use a guy like me (think of that early scene in the Matrix, “Wake up, Neo”; it was a little like that, though their pills, had I chosen to accept them, would have led me into organised crime).
I said “thanks, but no thanks.”
Back then, although it didn’t take very long for me to gain access to it, it did require some effort. If you didn’t know what you were doing, much of what I was able to obtain would have remained a mystery to you. It required active knowledge, skill and sometimes patience.
Before the rise of web-apps and cloud computing, hackers often targeted home and business PCs and devices. Why? Because that’s where the data was, although what data each PC had was mostly limited to one individual.
However, over the last 10 years, everything has been moved onto the web.
This shift has led to unprecedented levels of consumer convenience. At the same time, it has led to a massive centralisation of information on systems whose configuration most people don’t really understand. This has made data-gathering by anyone with any motive and near-zero skill a whole lot more convenient, too.
Imagine that your doctor is using a newfangled cloud-based system to manage their clinic. They store patient records, prescriptions, invoices and orders, and everything else using this unified, extremely convenient system. That system is also used by some 80% of the clinics in your area, and many local pharmacies, and even a major hospital.
In fact, this is already the world we live in, and you might not have even realised it.
In most cases, these companies that develop these systems don’t have their own data centres. Instead, they rely on a cloud storage provider, like Azure, Amazon AWS, or Digital Ocean.
Most of the companies and software developers using cloud storage to hold data either have no idea how to properly configure the security settings that prevent unauthorised access, or deliberately turn those settings off to make things easier for themselves, so they don’t have to deal with the hassle of authentication.
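The misconfiguration described above usually comes down to a storage bucket policy that grants read or list access to an anonymous principal. The following is an added example, not code from the original post: a small Python audit script that parses an S3-style bucket policy document (the AWS IAM policy JSON shape, with a Statement list of Effect, Principal, Action, Resource and optional Condition) and reports any statement that unconditionally allows everyone to read or enumerate objects. The bucket name, account ID and role name in the two sample policies are constructed for illustration; the "open" policy is the kind of setting that leaves data wide-open, and the "scoped" policy is the hardened form that grants only to one application role.

```python
"""Audit an S3-style bucket policy for anonymous read/list grants.

Added example (not the post's own code). Assumes the policy document follows
the AWS IAM policy JSON shape. All sample values below are constructed.
"""
import json

# Actions that let a caller read or enumerate stored data (lower-cased).
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:getobjectversion"}


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def principal_is_public(principal):
    """True if the Principal element grants to everyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(who == "*" for who in _as_list(principal.get("AWS")))
    return False


def action_matches(action, wanted):
    """Match an IAM action string (trailing '*' wildcard allowed) to a wanted action."""
    action = action.lower()
    if action in ("*", "s3:*"):
        return True
    if action.endswith("*"):
        return wanted.startswith(action[:-1])
    return action == wanted


def find_public_grants(policy_json):
    """Return (statement id, action) pairs that expose data to anyone.

    A statement is flagged when it is an Allow, its Principal is anonymous,
    it covers a read/list action, and it carries no Condition narrowing access.
    """
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if not principal_is_public(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            # A conditioned grant may still be weak, but it is not an
            # unconditional public grant, so it is not reported here.
            continue
        sid = stmt.get("Sid", f"statement[{idx}]")
        for action in _as_list(stmt.get("Action")):
            for wanted in sorted(READ_ACTIONS):
                if action_matches(action, wanted):
                    findings.append((sid, wanted))
    return findings


# Constructed sample: the "skip the hassle of authentication" policy.
OPEN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-clinic-records",
                     "arn:aws:s3:::example-clinic-records/*"],
    }],
})

# Constructed sample: the hardened form, readable only by one application role.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppRoleRead",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/example-app-role"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-clinic-records/*",
    }],
})

if __name__ == "__main__":
    for name, doc in (("open", OPEN_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, find_public_grants(doc))
```

Run against your own bucket policies (exported with the provider's CLI), a non-empty result means the bucket is readable by anyone on the internet regardless of whether the URL has been "shared". The script deliberately treats `s3:*` and `*` as read grants, since a wildcard action is at least as exposed as an explicit `s3:GetObject`.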
All of our data has been amassed on a handful of cloud storage providers, which are used by mobile apps, web apps, back-office systems, generative AI, smart home devices, law enforcement, government, education, healthcare, EVERYONE.
What most people think of as a hacker’s daily fare is, of course, wrong, but not just in the CSI “I will track your IP address with Visual Basic” way. Many people think hackers target specific individuals, specific people. You have no idea the number of times those who learned what I do have immediately asked “can you hack someone’s Facebook for me??”
It’s not like that at all. Usually, it’s state actors that go after specific individuals. They have the resources and patience for that kind of operation. Individual hackers are either doing it for fun, doing it for personal gain, or doing it to defend against other hackers. For people like me, the fun is not in going after a specific target: the fun is in finding the holes in any system, holes that can make it do things the system was not designed to do or that it was designed specifically to prevent.
Hacking is and has always been a kind of mental masturbation. You need no one but yourself.
So you, personally? I can’t look up your personal income tax statement, your credit card details, your medical history, on a whim. However, those details might, right now, be sitting on a public storage server somewhere on the internet, along with millions of others, ready for anyone to scoop up and do what they will with it. Likely no one even told you that information would be stored, let alone hosted live on the internet. No one asks your permission, you’re just expected to read their “privacy statement” on their website, and assume that it’s even accurate and up-to-date (which it probably isn’t.)
Now, I can’t just go and find out if your data is in there without actually downloading and then sifting through it. Going through all that stuff looking for just one person? That’s a pretty massive undertaking, even with automated tools. It’s like looking for a needle in the world’s largest haystack.
However, that’s not what black-hats - people doing this for personal gain - are really interested in. They just scrape up whatever they can find on anyone, and see how they can make use of it, for identity theft, fraud, blackmail, etc. It’s like fishing with a giant net.
It’s also getting easier.
Every day.
Automated tools have made exposing these wide-open storage buckets so easy. There are many SaaS providers that will give you access to such tools.
So, then, what is the solution?
That’s the real problem: I don’t know.
I don’t think anyone really knows.
So far, I’ve been much less likely to find data managed by companies based in countries with more stringent data security laws and enforcement: this week’s haul was mostly from China, India, Singapore and Russia, and only a small amount from the UK, EU and US.
Still, though, there is a lot out there. The whole world runs on software. Every company is technically a software company in some shape or form. To ensure everyone is getting properly audited is an enormous task that never ends.
So, if I have no solutions, why am I telling you all this?
To give you the most important advice on this topic that I can: assume everything you give to anyone, in whatever form, will likely be found one day by someone with malicious intentions on an open data bucket somewhere on the internet, and act accordingly.
Spend the time and effort to learn the basics of information security practice. Use password management tools like LastPass, 1Password, or my personal favourite, Bitwarden, so you never use the same password twice.
Use 2-factor authentication for anything you wouldn’t want someone to hack into, and assume anything that isn’t 2-factor enabled will be hacked eventually.
Think about what information you send over chat/instant messenger systems and emails.
For the love of god and all that is holy, don’t open file attachments unless you know what they are, even when sent by people you know well.
Wherever you live, campaign for stronger data security laws, to keep companies accountable and ensure they’re spending the necessary effort to secure your stuff.
That’s all I got for now. Hopefully, returning to regular programming for the next one.
[1] There are 3 kinds of hacker: Black-Hat, who does it for personal gain, Grey-Hat, who does it for fun, and White-Hat, who tries to find and fix holes before the other two catch on. White-Hats are good guys, Black-Hats are bad guys.
Good to know. Thanks.
This is terrifying 😱 I’m so crap with stuff like this 🤦🏻♀️ thanks for informing / educating me.