Lesson Have Not Been Learned: Unsecure DB Holds 80 Million Records

TheOne&OnlyZeke · Apr 29, 2019

Whats scary about this one is they couldn't figure out who owned the data

"Researchers Ran Locar and Noam Rotem have found an unguarded database hosted on a Microsoft server that holds sensitive info for more than 80 million US households (over half of the 128 million in the US), but doesn't have a clear owner."

https://www.engadget.com/2019/04/29/database-exposes-80-million-us-households/

Jagger100 · Apr 29, 2019

Encrypt it and wait 3 years for someone to claim it, then delete it if its not claimed.

Deleted member 88227 · Apr 29, 2019

Jagger100 said:
Encrypt it and wait 3 years for someone to claim it, then delete it if its not claimed.

No, just delete it now. Clearly they're not responsible enough to have that kind of data in the first place.

Zarathustra[H] · Apr 29, 2019

Jagger100 said:
Encrypt it and wait 3 years for someone to claim it, then delete it if its not claimed.

...and get charged with a federal crime

lcpiper · Apr 29, 2019

Zarathustra[H] said:
...and get charged with a federal crime

Yes, technically you are correct. Let's say the actual data owner is a legit business. Screwing with their data, even if unsecured, would be a Federal Charge on the one hand, and a civil law suite on the other. Would you want to give some company the opportunity to sue for damages because they can't service 80 million customers?

The Feds said any business signing up for, and complying with the SAFE Act, gets protection from civil liability if they get hacked. The Feds supplied the carrot, now where in fuck is the stick? Every one of those 80 million customers deserves the right to protection and a civil suite should be the stick used.

The Feds need to put power behind that stick. Enough power that a company that does this can be wiped out, gone. I'd be happy if they just seized the business and it's holdings, sold it all off, and divvied it up to the injured as compensation.

Jagger100 · Apr 29, 2019

lcpiper said:
Yes, technically you are correct. Let's say the actual data owner is a legit business. Screwing with their data, even if unsecured, would be a Federal Charge on the one hand, and a civil law suite on the other. Would you want to give some company the opportunity to sue for damages because they can't service 80 million customers?

The Feds said any business signing up for, and complying with the SAFE Act, gets protection from civil liability if they get hacked. The Feds supplied the carrot, now where in fuck is the stick? Every one of those 80 million customers deserves the right to protection and a civil suite should be the stick used.

The Feds need to put power behind that stick. Enough power that a company that does this can be wiped out, gone. I'd be happy if they just seized the business and it's holdings, sold it all off, and divvied it up to the injured as compensation.

You'd unencrypt if the owner came to claim it. The key problem is its orphaned. For all anyone knows the data is suppose to be encrypted. The potential to be sued from people harmed by the open data is also there.

I'm also commenting on the way the situation should be handled and if the law could be changed.

TordanGow · Apr 29, 2019

My question is how do people even find stuff like this? Try to connect to every possible IP combination that is addressable and on common server ports? Not asking so I can look myself, more asking as how anyone just happens to "stumble" across something like this... seems like you would have to be looking.

Barometer · Apr 29, 2019

TordanGow said:
My question is how do people even find stuff like this? Try to connect to every possible IP combination that is addressable and on common server ports? Not asking so I can look myself, more asking as how anyone just happens to "stumble" across something like this... seems like you would have to be looking.

Yep....they're called "Bots" and there are thousands of them continuously scanning the Net at any given instant just looking and probing.

When they find "something", they alert the human dipshit behind it, so they can see what info they can steal for their benefit.

Chiner and Russher are behind the lion's share of it.

Feel free to call me a colorful variety of names if not true.

Dead Parrot · Apr 29, 2019

If the data contains email addresses, run the list and send emails to all 80 million telling them to contact Microsoft about the exposed data. Do this enough and Microsoft and others cloud providers will start ensuring that data files hosted on their systems have at least basic security.

lcpiper · Apr 29, 2019

Jagger100 said:
You'd unencrypt if the owner came to claim it. The key problem is its orphaned. For all anyone knows the data is suppose to be encrypted. The potential to be sued from people harmed by the open data is also there.

I'm also commenting on the way the situation should be handled and if the law could be changed.

Wait, this is a thief's excuse. "I don't know who owns this watch" instead of "I know it's not mine" which is an honest person's response. Just because these guys found data and do not know who's the data owner, does not mean it's abandoned. What it means is they can't determine who the owner is and that's as far as it goes. But they did dig into the data, at least as far as the database scheme is concerned. They have determined the type of data stored, and that the server has been online for two months now. They have been making educated guesses as to the type of business that might hold this collection of data sets. What they didn't say is whether or not the database is being accessed and modified currently, as in, in use. Just a record count over time would tell them that much.

They notified MS on the hope that MS would contact the company who owns that system's licensed copy of Server 2012, or 2016, or whatever it is. They said the database holds records for homeowners over 40 years old. Sounds like the profile of a home refinancing loan outfit. Maybe one of those reverse mortgage outfits, who knows. But if you encrypt that data and make it unusable by the data owner you could be fucking over the people who are paying for this service because you don't want these people to .... be fucked over .... what? worse?

"Yea, but it could'a been a dry fuckin"

And how does the owner come to claim it exactly?

Are they going to leave a note somehow? They can't even figure out who it belongs too? But they were able to pull the MS license key so that they could ask MS to notify the owner ..... hmmmm. They can pull the OS license key, but not the server's domain name?

"Researchers Ran Locar and Noam Rotem have found an unguarded database hosted on a Microsoft server

lcpiper · Apr 29, 2019

Dead Parrot said:
If the data contains email addresses, run the list and send emails to all 80 million telling them to contact Microsoft about the exposed data. Do this enough and Microsoft and others cloud providers will start ensuring that data files hosted on their systems have at least basic security.

Sure, because you are going to access the data illegally for good reasons

And send 80 million copies of proof.

Grimlaking · Apr 29, 2019

Like they can't run an sp_who2 to find out who is connecting with what credentials and potentially from what systems. This is stupid in the extreme and an excuse at a minimum. Microsoft should be alerted and lock this shit down. Even if they don't own the database they are hosting it. And as such could be subject to civil suites from those whom have their data exposed.

And yes I know that command isn't on every DB vendors command lists but the equivalents are.

Dead Parrot · Apr 29, 2019

lcpiper said:
Sure, because you are going to access the data illegally for good reasons

And send 80 million copies of proof.

Is doing read only access of unsecured abandoned data a crime if your intent is to inform folks listed in the database of their information being there? Not much different then contacting folks who's info is on a bunch of papers you find in the street.

SFB · Apr 29, 2019

Saw this on borncity.com this morning. Reminds me of the phrase: “The cloud is just someone else’s computer.”

lcpiper · Apr 29, 2019

Dead Parrot said:
Is doing read only access of unsecured abandoned data a crime if your intent is to inform folks listed in the database of their information being there? Not much different then contacting folks who's info is on a bunch of papers you find in the street.

Again, no one has said anything about the data being abandoned, other than someone on this forum. The server was only stood up two months ago.

Intent rarely features in what is or is not a crime.

I have to go, I'd spend more time researching, but they are closing the building on me.

pillagenburn · Apr 29, 2019

lcpiper said:
Yes, technically you are correct. Let's say the actual data owner is a legit business. Screwing with their data, even if unsecured, would be a Federal Charge on the one hand, and a civil law suite on the other. Would you want to give some company the opportunity to sue for damages because they can't service 80 million customers?

The Feds said any business signing up for, and complying with the SAFE Act, gets protection from civil liability if they get hacked. The Feds supplied the carrot, now where in fuck is the stick? Every one of those 80 million customers deserves the right to protection and a civil suite should be the stick used.

The Feds need to put power behind that stick. Enough power that a company that does this can be wiped out, gone. I'd be happy if they just seized the business and it's holdings, sold it all off, and divvied it up to the injured as compensation.

Where is the stick?

Didn't you know the same people bringing the carrot get to participate in EATING the carrot? I wouldnt expect the carrot bringers to beat themselves for any reason.

This is the sort of thing that is symptomatic of a society coming apart.

ThatITGuy · Apr 30, 2019

lcpiper said:
And how does the owner come to claim it exactly?

Are they going to leave a note somehow? They can't even figure out who it belongs too? But they were able to pull the MS license key so that they could ask MS to notify the owner ..... hmmmm. They can pull the OS license key, but not the server's domain name?

Sounds like it is a cloud hosted database (article says Microsoft hosted server... guessing Azure).... and the license key they pulled was the MSSQL license, not OS. Other than pulling connection info, there is no good way to identify ownership.

dgz · Apr 30, 2019

TordanGow said:
My question is how do people even find stuff like this? Try to connect to every possible IP combination that is addressable and on common server ports? Not asking so I can look myself, more asking as how anyone just happens to "stumble" across something like this... seems like you would have to be looking.

Try running a web server and logging each and every request it receives. The bots are probing for all kinds of stuff. Everything you can imagine, and then some.

dgz · Apr 30, 2019

Barometer said:
Yep....they're called "Bots" and there are thousands of them continuously scanning the Net at any given instant just looking and probing.

When they find "something", they alert the human dipshit behind it, so they can see what info they can steal for their benefit.

Chiner and Russher are behind the lion's share of it.

Feel free to call me a colorful variety of names if not true.

Ha, didn't lcpiper's friends get caught this to the entire fucking world? America is the worst in this regard. The fucking worst

lcpiper · Apr 30, 2019

ThatITGuy said:
Sounds like it is a cloud hosted database (article says Microsoft hosted server... guessing Azure).... and the license key they pulled was the MSSQL license, not OS. Other than pulling connection info, there is no good way to identify ownership.

Even better. Look, I get that these researchers seem to like to make a name for themselves by scouring the net looking for other people's fuck ups. I fully understand that we have a problem with businesses loosing control of people's information. I never liked the government's approach to this, that they felt the best way to incentivize businesses to cooperate with breach and hacks was to offer them civil immunity for a breach as long as they were compliant with how the government believed it should be done. It has remained my stance that the best way for the government to deal with the issue was to offer good resources that business could pull from, and ensure that citizens could get theirs in case of a breach or exposure. By protecting the little guy you keep the focus where it should be, on the business that is collecting people's data.

So with my views on this laid out, I think a person can understand why I don't think these cowboys need to be doing anything more than what they have already done. They certainly are not responsible to anyone, they sounded the alarm as best they can. I don't think they should be accessing the data in order to notify the account holders and I sure do not think they should try to force something to happen by encrypting the data or making it inaccessible. They could really screw these people over if the service this data supports is not available. They would almost certainly cause harm, how serious I can't say. But I don't think doing something that is almost certainly going to be harmful in order to hopefully prevent harm is a good practice.

So that's how I see it. And you are very likely correct about that MSSWL Key although I don't know how you would make a determination about the cloud hosting unless you simply tracked it back and dead-ended at a cloud provider. That's possible of course.

lcpiper · Apr 30, 2019

dgz said:
Ha, didn't lcpiper's friends get caught this to the entire fucking world? America is the worst in this regard. The fucking worst

It's their job, and they get paid to do it.

I wonder, where you complaining when they used to fly airplanes, loaded with radio intercept equipment and operators with big brass ones, over the border into USSR land to provoke the commies into turning on their air defense radars so they could be intercepted? After decades of that Cold War, were you pissed off that all that effort, money, and personal risk bankrupted the USSR and brought down the wall?

Isn't the new Europe and the freedom you can find there, the rise of the EU, something you are happy about?

I'm just guessing, but I bet this wasn't you down there with me;

dgz · Apr 30, 2019

lcpiper said:
It's their job, and they get paid to do it.

I wonder, where you complaining when they used to fly airplanes, loaded with radio intercept equipment and operators with big brass ones, over the border into USSR land to provoke the commies into turning on their air defense radars so they could be intercepted? After decades of that Cold War, were you pissed off that all that effort, money, and personal risk bankrupted the USSR and brought down the wall?

Isn't the new Europe and the freedom you can find there, the rise of the EU, something you are happy about?

I'm just guessing, but I bet this wasn't you down there with me;

View attachment 158007

Are you seriously insinuating that America's spying efforts are the reason the USSR collapsed and the EU is on the rise?

That's the mother of all industrial espionage.

lcpiper · Apr 30, 2019

dgz said:
Are you seriously insinuating that America's spying efforts are the reason the USSR collapsed and the EU is on the rise?

That's the mother of all industrial espionage.

I'm not insinuating anything.

You called me out, I responded;

Ha, didn't lcpiper's friends get caught this to the entire fucking world? America is the worst in this regard. The fucking worst

You said that America is the worst about what exactly? "Spying on the whole world"? If I am misunderstanding you then by all means, enlighten.

Understand that I'm not saying this isn't mostly true, America does conduct intelligence operations pretty much, acrossed the globe and I won't try to deny it.

The problem I have is that you want to make it sound like a disgusting thing while all of us have most certainly benefited from it.

The USSR collapsed for a number of reasons, mostly because it was an unsustainable model. But US policy and efforts, as the USSR's primary adversary in the world, had something to do with it. And it was information gained from US intelligence services and our allies that helped influence those efforts, and those of our allies. The collapse of the USSR, the realignment of those former East Block nations, the relief from this brought about, and the new markets that emerged all had an effect on the growth of the EU. Hell, read their own history from their own website and tell me I have it wrong.

https://europa.eu/european-union/about-eu/history_en

dgz · Apr 30, 2019

lcpiper said:
I'm not insinuating anything.

You called me out, I responded;

You said that America is the worst about what exactly? "Spying on the whole world"? If I am misunderstanding you then by all means, enlighten.

Understand that I'm not saying this isn't mostly true, America does conduct intelligence operations pretty much, acrossed the globe and I won't try to deny it.

The problem I have is that you want to make it sound like a disgusting thing while all of us have most certainly benefited from it.

The USSR collapsed for a number of reasons, mostly because it was an unsustainable model. But US policy and efforts, as the USSR's primary adversary in the world, had something to do with it. And it was information gained from US intelligence services and our allies that helped influence those efforts, and those of our allies. The collapse of the USSR, the realignment of those former East Block nations, the relief from this brought about, and the new markets that emerged all had an effect on the growth of the EU. Hell, read their own history from their own website and tell me I have it wrong.

https://europa.eu/european-union/about-eu/history_en

Look, I am not going to apologize for reminding people who's most active around the world when they point out something.

The poster I replied to literally asked to be called names in case there of disagreement. Sure I didn't call him names but I am also not completely disagreeing with him.

Hatriot · Apr 30, 2019

dgz said:
Ha, didn't lcpiper's friends get caught this to the entire fucking world? America is the worst in this regard. The fucking worst

You don't have a clue what you are talking about. I have firewall logs with geolocation of IP's as evidence. What do you have to prove that , OMG...AMERICA IS LIKE TOTALLY THE WORST!

lcpiper · Apr 30, 2019

dgz said:
Look, I am not going to apologize for reminding people who's most active around the world when they point out something.

The poster I replied to literally asked to be called names in case there of disagreement. Sure I didn't call him names but I am also not completely disagreeing with him.

I can live with that.

Rub that lamp the Genie will appear, have your wishes well thought out

But by know, I think you know that I don't intend to be mean or unscrupulous, no harm intended. I'm not above eating crow or apologizing when called for.

lcpiper · Apr 30, 2019

Hatriot said:
You don't have a clue what you are talking about. I have firewall logs with geolocation of IP's as evidence. What do you have to prove that , OMG...AMERICA IS LIKE TOTALLY THE WORST!

EDITED: I just realized that I made an error and mistakenly thought you were talking to me. I must apologize. I do like my horn so I'll leave it here hooting ....... 'll take down the pics though. They mean something to me, but you guys won't care about them so.

Original post sans pics and snarky remark.

Ummmmm, because over the last 40 years, I've worked;

Ilex Systems, L3 Communications
Computer Sciences Corporation
Northrup Grumman
Stanley Corp
Raytheon
NCI
SAIC
Semper Valens Solutions

And very soon, BAE I suspect.

Hatriot · May 1, 2019

lcpiper said:
EDITED: I just realized that I made an error and mistakenly thought you were talking to me. I must apologize. I do like my horn so I'll leave it here hooting ....... 'll take down the pics though. They mean something to me, but you guys won't care about them so.

Original post sans pics and snarky remark.

Ummmmm, because over the last 40 years, I've worked;

Ilex Systems, L3 Communications
Computer Sciences Corporation
Northrup Grumman
Stanley Corp
Raytheon
NCI
SAIC
Semper Valens Solutions

And very soon, BAE I suspect.

No worries. Yeah on your side. You ever work in the panhandle of Florida by chance?

/dev/null · May 1, 2019

lcpiper said:
EDITED: I just realized that I made an error and mistakenly thought you were talking to me. I must apologize. I do like my horn so I'll leave it here hooting ....... 'll take down the pics though. They mean something to me, but you guys won't care about them so.

Original post sans pics and snarky remark.

Ummmmm, because over the last 40 years, I've worked;

Ilex Systems, L3 Communications
Computer Sciences Corporation
Northrup Grumman
Stanley Corp
Raytheon
NCI
SAIC
Semper Valens Solutions

And very soon, BAE I suspect.

For those of you who don't know, Level 3 is now "CenturyLink"

lcpiper · May 1, 2019

Hatriot said:
No worries. Yeah on your side. You ever work in the panhandle of Florida by chance?

Nope, The 98Ks (or was it 05Golfs?) used to go there back in the day, I was a 98J, RADAR intercept. I did take the wife and kids to Panama City beach back when I was a combat engineer at Benning.

lcpiper · May 1, 2019

/dev/null said:
For those of you who don't know, Level 3 is now "CenturyLink"

Well, back then (1998-2003), Ilex Systems had the ASAS field support and software sustainment contracts, and I was learning Solaris 7.

I know what your nic means, I used to use it as a game name when I terrorized people playing Delta Force. Being accused of hax was music to my ears. There is no higher compliment for a legit gamer
(y)

Couldn't use the / so it was just DevNull

Lesson Have Not Been Learned: Unsecure DB Holds 80 Million Records

100% Irish

Supreme [H]ardness

Deleted member 88227

Guest

Extremely [H]

[H]F Junkie

Supreme [H]ardness

[H]ard|Gawd

Limp Gawd

2[H]4U

[H]F Junkie

[H]F Junkie

2[H]4U

2[H]4U

Weaksauce

[H]F Junkie

[H]ard|Gawd

Gawd

Supreme [H]ardness

Supreme [H]ardness

[H]F Junkie

[H]F Junkie

Supreme [H]ardness

[H]F Junkie

Supreme [H]ardness

Limp Gawd

[H]F Junkie

[H]F Junkie

Attachments

Limp Gawd

[H]F Junkie

[H]F Junkie

[H]F Junkie