Careless Employees Expose Sensitive Data as Public on the Cloud

cageymaru

[H]ard as it Gets
Joined
Apr 10, 2003
Messages
19,817
Adversis has discovered employees at numerous companies are sharing files by enabling public file sharing in Box Enterprise. This combined with the ability to brute force the the sub-domain, URL, and folder names of Box Enterprise accounts means that these sensitive files, documents, and more are easily discovered and some are even being indexed by Google. Files found by Adversis include hundreds of passport photos, social security and bank account numbers, tech prototype and design files, employee lists, financial data, invoices, VPN configurations, and more.

It is unknown how Box Enterprise can be changed to save employees from themselves. This is not a vulnerability or bug as public sharing is a feature of Box Enterprise. Adversis noted that in 2014 the issue was brought up and ignored by companies. Box released a Public Service announcement, but most companies ignored it also. Techcrunch listed some of the interesting files discovered on Box including passwords and backdoors for major municipality public works, customer phone numbers; names and email addresses, healthcare provider patient information, and more. Adversis has open-sourced its scanning tool.

Box spokesperson Denis Roy said in a statement: "We take our customers' security seriously and we provide controls that allow our customers to choose the right level of security based on the sensitivity of the content they are sharing. In some cases, users may want to share files or folders broadly and will set the permissions for a custom or shared link to public or 'open'. We are taking steps to make these settings more clear, better help users understand how their files or folders can be shared, and reduce the potential for content to be shared unintentionally, including both improving admin policies and introducing additional controls for shared links."
 

masquap

Limp Gawd
Joined
Oct 2, 2011
Messages
135
People I work with get mad at me that I have forced them into OneDrive, with file level encryption, and sharing protection to prevent accidental or over sharing issues. Then I see issues like this and am vindicated.
I’ll take neither hackers or Microsoft having my data, thanks.
 

Tweak42

Gawd
Joined
Dec 1, 2010
Messages
609
Don't trust other people with your files. That's what cloud is. May be more convenient but you're at more risk
I never like the idea of cloud storage, cause of stuff like this. Or a million other things that could go wrong
Uhmmm I think you totally missed the point of the article.

In many cases these are the businesses own files. They are just over sharing them to the world wide internet because they don't understand how file sharing implementation and security works. This is the lowest hanging fruit for data theft. No need for a zero day hack, no need for social engineering, just scan and download.

Looking at the timeline at least the vendor posted very prompt PSA to their customers, but how do you protect stupid from doing stupid other than passing more laws? You could implement a yuge tldr; legal disclaimer on the sharing function but we all know how quick that gets passed through.
 

masquap

Limp Gawd
Joined
Oct 2, 2011
Messages
135
Uhmmm I think you totally missed the point of the article.

In many cases these are the businesses own files.
Unless I’m misunderstanding what Box is (cloud storage), no, he didn’t misunderstand.

Offering a non password protected space to share files like this isn’t something I’d generally expect businesses to use, but here at least it seems like stupid business practices rather than any real fault of Box’s
 
Joined
Aug 1, 2016
Messages
94
With box enterprise the enterprise access control can be set to prevent anonymous links. Most people don't want to put up an extra step or two and go with anonymous permission enabled (stupid in my opinion)

This requires the user to create an account to login to Box and download the file AND in order to download the file that no longer anonymous user must have been INVITED into the folder by someone who already had/has access. All of which is captured in the audit log.

I was the Box implementation project manager at a major medical institution and we (project team plus the security folks plus the legal/compliance (HIPPA)) had a lot of discussion around this.

At the end of the day, for our user base (research data in large part), Box is less risky than allowing USB sticks, SD cards and external hard drives. The audit trail + administrative controls, i.e., acceptable use policy (don't grant the default EDITOR permission for starters), is in large part enough to deflect the wrath of the Office of Civil Rights (HIPPA, remember) from the institution to the individual.
 

spugm1r3

[H]ard|Gawd
Joined
Sep 28, 2012
Messages
1,153
It is unknown how Box Enterprise can be changed to save employees from themselves. This is not a vulnerability or bug as public sharing is a feature of Box Enterprise.
You default to private, you make the first available option "Share with all internal <enter company name here> only", and require a confirmation when sharing publicly. You would only have to do this with enterprise version. This would save the ignorant from themselves, and change your problem case to the willfully disobedient. A lot of enterprise tools with public sharing features have some version of this option.
 

Kardonxt

2[H]4U
Joined
Apr 13, 2009
Messages
3,105
You default to private, you make the first available option "Share with all internal <enter company name here> only", and require a confirmation when sharing publicly. You would only have to do this with enterprise version. This would save the ignorant from themselves, and change your problem case to the willfully disobedient. A lot of enterprise tools with public sharing features have some version of this option.
I haven't worked with Box since other cloud providers became HIPPA compliant, but i'm pretty sure this is how Box already handles sharing. Thus the unknown what else to do to save users from themselves.
 

socK

2[H]4U
Joined
Jan 25, 2004
Messages
3,747
This kind of nonsense is exactly why AWS defaults all their bucket settings to private and screams in your face as soon as you even begin to contemplate making it public now. You need to enable a switch before you can even try to change the access.

You also get a PUBLIC banner next to it for as long as the access exists to make it even more obvious.
 
Top