Slashdot Mirror


Has Google Indexed Your Backup Drive?

itwbennett writes Depending on how you've configured the device, your backup drive may have been indexed by Google, making some seriously personal information freely available online to anyone who knows what they're looking for. Using a few simple Google searches, CSO's Steve Ragan discovered thousands of personal records and documents online, including sales receipts with credit card information and tax documents with social security numbers. In all cases, the files were exposed because someone used a misconfigured device acting as a personal cloud, or FTP (File Transfer Protocol) was enabled on their router.

28 of 121 comments

  1. The web crawler would only index it if... by CraigCruden · Score: 2

    There was a link on another webpage that pointed to that server in the first place.

    Not only the most insecure setup, but he already had links to that insecure setup.

    1. Re:The web crawler would only index it if... by The New Guy 2.0 · Score: 2

      Google's crawler also indexes "sites" that exist as an IP address... leave a home router connected with its web interface coming out the WAN port, you better have a robots.txt file blocking Google, Bing, etc.

    2. Re:The web crawler would only index it if... by Anonymous Coward · Score: 5, Informative

      robots.txt has nothing to do with security or blocking.

    3. Re:The web crawler would only index it if... by Mashiki · Score: 5, Insightful

      If this is what amounts to network security these days, we're doomed.

      --
      Om, nomnomnom...
    4. Re:The web crawler would only index it if... by shortscruffydave · Score: 2, Insightful

      And if you have a web interface on your WAN port then you're most likely doing things very wrong to begin with. If you want a publicly reachable interface into your LAN, don't fucking use your piece of shit router to do it. It's probably chock full of exploits anyhow, but that's a pretty moot point if you've left it wide fucking open for any random script to stumble across and access.

      Hint: If you want people to take notice of advice about IT security, it may be more effective to speak respectfully than to let loose with an expletive-filled tirade.

    5. Re:The web crawler would only index it if... by wbr1 · Score: 2

      Robots.txt is about as secure as leaving a cash drawer with the key in it and a post-it that states "please leave cash inside".

      --
      Silence is a state of mime.
  2. Clickbait-ish Headline by Midnight_Falcon · Score: 5, Insightful

    When I read this, I immediately thought "Has Google Indexed the Contents of your Google Drive?", in the context of those automatic backups you might have enabled for photos, etc on your Android device. In fact, you're only at risk here if you have configured some type of FTP server or WebDAV (like a QNAP, etc) to have a public IP and have no security whatsoever. So that means having enough technical prowess to accomplish that much, only to leave all your stuff open on the internet for "ease"?!?

    I think much of Slashdot might agree with me that if you're silly enough to deploy a public-facing server with no or default authentication, yeah, you'll probably deserved get indexed by Google.

    1. Re:Clickbait-ish Headline by snowgirl · Score: 5, Insightful

      yeah, you'll probably deserved get indexed by Google.

      deservedly*

      But not only that, it's not like Google can infer intent to share the data... you put it out there, and Google said, "hey, this is publicly available, obviously people want this to be indexed!"

      There's no adequate way to fix this either, because if it's opt-in, then unknowing individuals will fail to opt-in for indexing... if it's opt-out, then unknowing individuals will fail to properly opt-out (robots.txt for example)

      If you put up private data publicly on the internet then you simply have to accept the fact that no one else could have known that you didn't want to share the data...

      --
      WARNING! This girl exceeds the MAXIMUM SAFE standards established by the FDA for BRATTINESS
    2. Re:Clickbait-ish Headline by hawguy · Score: 2

      When I read this, I immediately thought "Has Google Indexed the Contents of your Google Drive?", in the context of those automatic backups you might have enabled for photos, etc on your Android device. In fact, you're only at risk here if you have configured some type of FTP server or WebDAV (like a QNAP, etc) to have a public IP and have no security whatsoever. So that means having enough technical prowess to accomplish that much, only to leave all your stuff open on the internet for "ease"?!?

      I think much of Slashdot might agree with me that if you're silly enough to deploy a public-facing server with no or default authentication, yeah, you'll probably deserved get indexed by Google.

      Yeah, I thought the same thing as you when I saw the headline. I'm a little less interested to learn that if you open your data to the public (even if you didn't mean to), it's viewable by the public.

    3. Re:Clickbait-ish Headline by LordWabbit2 · Score: 2

      But that's the thing, they DID want to share it, probably not with everyone granted, but then they should have secured it so only the people they did want to give access to it would have access. I love the way the article implies it's somehow Google's fault that some clueless idiot didn't click on a tick box and enter a user name and password. If people don't want to RTFM then they are going to get burned.

      --
      There are three kinds of falsehood: the first is a 'fib,' the second is a downright lie, and the third is statistics.
    4. Re:Clickbait-ish Headline by bill_mcgonigle · Score: 2

      There's no adequate way to fix this either, because if it's opt-in

      If a NAS is doing UPnP on purpose or is acting as a router, then the NAS manufacturer has an obligation to provide appropriate guidance to their users. If they don't then their reputation should be thoroughly punished in reviews.

      Oh, but why buy a $120 NAS when there's a $20 box available on eBay?

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    5. Re:Clickbait-ish Headline by Coren22 · Score: 2

      The comment had nothing to do with Google. All search engines are opt-out. If they discover your web site, they index it. If you have no robots.txt telling them what you want them to ignore, they put it all in the index.

      --
      APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
    6. Re:Clickbait-ish Headline by Coren22 · Score: 2

      I have a Synology. It tries to do UPnP, but luckily, it has no idea how to do so with my Verizon FiOS router, so I guess I dodged that bullet. It never occurred to me that Google would index it, and I do IT for a living. I feel like a moron :)

      --
      APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
    7. Re:Clickbait-ish Headline by david_thornley · Score: 2

      It might be interesting to figure out why people unwittingly open their data to the public, and what can be done about it, so the average person is highly unlikely to do it by accident.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    8. Re:Clickbait-ish Headline by snowgirl · Score: 2

      As noted by the sibling post, Bing already does do this. And it's the right thing to do.

      --
      WARNING! This girl exceeds the MAXIMUM SAFE standards established by the FDA for BRATTINESS
  3. I'm a little baffled by squiggleslash · Score: 5, Interesting

    So there are lots of people out there who are:

    1. Enabling FTP on their NAS boxes.
    2. Enabling anonymous access on this FTP service.
    3. Allowing their Firewall/Router to let incoming FTP connections directly to the NAS box.

    I mean, the authors suggest those enabling FTP do not realize the implications, but how can you do ALL THREE and not realize the implications? Any one of those, particularly disabling anonymous access, would foil random search engines (and lazy hackers) trying to get at your files. But to do all three at once?

    --
    You are not alone. This is not normal. None of this is normal.
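    The three exposure conditions listed above (FTP enabled, anonymous login allowed, service reachable from outside) can be checked mechanically against a daemon's configuration before a box is ever port-forwarded. The following is an added audit example, not code from the thread or from any NAS vendor; it assumes a vsftpd-style `key=value` config file, which the thread does not name, and the sample config is constructed.

```python
"""Audit an FTP daemon config for the exposure conditions discussed in the thread.
Assumes vsftpd-style key=value syntax (an assumption; the thread names no daemon)."""
from typing import Dict, List

# Constructed sample resembling a NAS "share over FTP" default, not a real device's file.
SAMPLE_CONF = """
# vsftpd-style settings (constructed sample)
listen=YES
listen_address=0.0.0.0
anonymous_enable=YES
local_enable=YES
write_enable=NO
ssl_enable=NO
"""

def parse_conf(text: str) -> Dict[str, str]:
    """Parse key=value lines, skipping blanks and '#' comments."""
    conf: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf

def audit(conf: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means no exposure condition matched."""
    def yes(key: str, default: str = "NO") -> bool:
        return conf.get(key, default).upper() == "YES"

    findings: List[str] = []
    if not (yes("listen") or yes("listen_ipv6")):
        return findings  # daemon not listening: condition 1 not met
    if conf.get("listen_address", "0.0.0.0") in ("0.0.0.0", ""):
        findings.append("listens on all interfaces: reachable as soon as the router forwards the port")
    # vsftpd's documented default for anonymous_enable is YES, so an absent key counts as enabled.
    if yes("anonymous_enable", "YES"):
        findings.append("anonymous login enabled: any crawler can list and fetch the files")
        if yes("anon_upload_enable"):
            findings.append("anonymous upload enabled: strangers can also write to the share")
    if not yes("ssl_enable"):
        findings.append("no TLS: credentials and file contents cross the network in the clear")
    return findings

def audit_text(text: str) -> List[str]:
    """Convenience wrapper: parse then audit."""
    return audit(parse_conf(text))

if __name__ == "__main__":
    for finding in audit_text(SAMPLE_CONF):
        print("FINDING:", finding)
```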
    1. Re:I'm a little baffled by Dutch Gun · Score: 5, Insightful

      I own a Synology NAS, and it comes with all sorts of nifty software that lets it do general server-like things. You can view photos or watch movies from anywhere on the internet. You can set up Wikis, serve webpages, and do all sorts of other stuff.

      I partake in none of this. I use it as a file system, a data backup, and for streaming media to my videogame consoles, and absolutely nothing else. Frankly, opening up your NAS to the internet in any capacity is insane. It's where the phrase "A little knowledge is a dangerous thing" is never more appropriate. Even if you set up everything correctly, you're only a single security flaw away from the entire box being compromised. Most people see all these cool features and are encouraged to experiment with them a bit. No one ever tells them "Hey, if you screw this up, you could accidentally leak all your personal information to bad guys on the Internet."

      It's funny, because you're seeing the same sort of learning process that the professional programmers and IT people have already gone through (or are STILL going through in the worst examples). People first think of cool things they can do with the internet, and then security-related thoughts come only after a disaster strikes. I'm not sure if there's really a fix for this. People will make silly mistakes and get burned, unfortunately. And then they'll know better. Life goes on.

      --
      Irony: Agile development has too much inertia to be abandoned now.
    2. Re:I'm a little baffled by Blaskowicz · Score: 2

      You make it sound like #2 is hard. In Linux you would surely do some "advanced" command line thingies[*], but if you ever installed an FTP server on Windows in the late 90s/early 00s (to get around SMB shares not found, not working, authentication error etc.) you'd know that can be as easy as checking a box or even leaving the default alone.

      What's more: File Explorer in Windows XP (or old IE) behaves very conveniently, you feed it "ftp://192.168.0.1" and it works like a regular file manager window, AND you can access the FTP at least download-only from every web browser in the house. So it is very convenient, very easy to set up and works all the time, and in other words rewarding to the user.

      If the user - who didn't set up the network, the ISP's DHCP/router/modem box did - tries to inform themselves, then they will learn FTP stands for "file transfer protocol", but beyond that there's computer gibberish, lots of results about client or server software etc. but no real warning about security issues.

      [*] searching for which ftp daemon to install in the first place, sudo editing the /etc/vghrblubftpd.conf and sifting through a hundred commented lines, then /etc/init.d/vghrblubftpd.conf restart or whatever the flavor of the month it is.

    3. Re:I'm a little baffled by Dutch Gun · Score: 2

      Hmm, I would say the big difference is that the professionals tend to lose control of their customers' data rather than their own.

      --
      Irony: Agile development has too much inertia to be abandoned now.
    4. Re:I'm a little baffled by dbIII · Score: 2

      I'd say the big difference is the professionals lose stuff where it doesn't matter before they can seriously be called professionals by their peers. I'm sorry that was not obvious enough from the above post.

    5. Re:I'm a little baffled by Dutch Gun · Score: 4, Informative

      Synology had a remote exploit last year that was exploited by ransomware. You're insane to expose your NAS to the internet, even if it apparently has security enabled. Get a VPN capable router.

      Yep, I followed that breaking news fairly carefully.

      Although in fairness to Synology, it was only exploitable if you didn't actually patch your device (you can do this with a single button click) for quite some time. Then again, in fairness to users, Synology NAS devices didn't have a way to schedule automatic patching for your device like they do now. I think it may have been this incident which prompted them to add that feature, which I was glad to see.

      --
      Irony: Agile development has too much inertia to be abandoned now.
    6. Re:I'm a little baffled by CaptainDork · Score: 2

      Good observation.

      Many people implement best practices regarding data backups the second time around.

      --
      It little behooves the best of us to comment on the rest of us.
  4. Following Linus by pikine · Score: 2

    Only wimps use tape backup: real men just upload their important stuff on ftp, and let the rest of the world mirror it ;)

    Great to see that many are following his footsteps now!

    --
    I once had a signature.
  5. Re:What's your excuse? by BevanFindlay · Score: 2

    So, someone needs to post a click-bait headline specifically aimed at Democrat supporters who think themselves smarter than Republicans...? :-) (Of course, now I'm trying to think of a politically-loaded headline that would be clickbait to anyone with strong political views...) I'm guessing from the GP's stereotyping that they're a Democrat supporter, though as an outside observer of American politics, I'm glad I don't have to vote for either party.

  6. Wow... by dark.nebulae · Score: 4, Interesting

    A quick search returned bank statements, someone's 2012 1040 tax form (completed w/ soc and everything)...

    Couldn't find any porn though. I guess those aren't making it into the google indexes...

  7. Subject by Neil Boekend · Score: 2

    Is Google really at fault? They handled it poorly, yes, but the data was already out there to be used by blackhats. It would be better if they placed a file on the FTP "You know these files are open to the internet because your router configuration sucks, right?.txt".

    --
    Well, I might have a way, but it only works on a semi spherical planet in a vacuum.
  8. The entire article could have been replaced with by The Cisco Kid · Score: 2

    a one liner: "If you've made your private files available publicly (either intentionally or through ignorance) then your private files are available publicly."

    Removing them from google results is far less important than making the files themselves no longer available.

    Looking on google to see if they are available is sort of silly - if you're using one of these silly commercial "automatic backup" packages that came bundled with an external drive, read its manual and documentation, and review its configuration, as well as that of your router.

  9. Sigh by ledow · Score: 2

    "Has Google Indexed Your Backup Drive?"

    Yes, if you're a pillock that's configured your backup drive in such a way that you allow authenticated remote access to it from the Internet and it has FTP or HTTP protocols enabled.

    "Has Google Indexed Your Naked Pictures Of Your Wife?"

    Similar answer.