Careless Employees Expose Sensitive Data as Public on the Cloud

[cageymaru]

Adversis has discovered employees at numerous companies are sharing files by enabling public file sharing in Box Enterprise. This combined with the ability to brute force the the sub-domain, URL, and folder names of Box Enterprise accounts means that these sensitive files, documents, and more are easily discovered and some are even being indexed by Google. Files found by Adversis include hundreds of passport photos, social security and bank account numbers, tech prototype and design files, employee lists, financial data, invoices, VPN configurations, and more.

It is unknown how Box Enterprise can be changed to save employees from themselves. This is not a vulnerability or bug as public sharing is a feature of Box Enterprise. Adversis noted that in 2014 the issue was brought up and ignored by companies. Box released a Public Service announcement, but most companies ignored it also. Techcrunch listed some of the interesting files discovered on Box including passwords and backdoors for major municipality public works, customer phone numbers; names and email addresses, healthcare provider patient information, and more. Adversis has open-sourced its scanning tool.

Box spokesperson Denis Roy said in a statement: "We take our customers' security seriously and we provide controls that allow our customers to choose the right level of security based on the sensitivity of the content they are sharing. In some cases, users may want to share files or folders broadly and will set the permissions for a custom or shared link to public or 'open'. We are taking steps to make these settings more clear, better help users understand how their files or folders can be shared, and reduce the potential for content to be shared unintentionally, including both improving admin policies and introducing additional controls for shared links."

 

[Lakados]

People I work with get mad at me that I have forced them into OneDrive, with file level encryption, and sharing protection to prevent accidental or over sharing issues. Then I see issues like this and am vindicated.

 

[Galvin]

Don't trust other people with your files. That's what cloud is. May be more convenient but you're at more risk
I never like the idea of cloud storage, cause of stuff like this. Or a million other things that could go wrong

 

[masquap]

People I work with get mad at me that I have forced them into OneDrive, with file level encryption, and sharing protection to prevent accidental or over sharing issues. Then I see issues like this and am vindicated.

I’ll take neither hackers or Microsoft having my data, thanks.

 

[Tweak42]

Don't trust other people with your files. That's what cloud is. May be more convenient but you're at more risk
I never like the idea of cloud storage, cause of stuff like this. Or a million other things that could go wrong

Uhmmm I think you totally missed the point of the article.

In many cases these are the businesses own files. They are just over sharing them to the world wide internet because they don't understand how file sharing implementation and security works. This is the lowest hanging fruit for data theft. No need for a zero day hack, no need for social engineering, just scan and download.

Looking at the timeline at least the vendor posted very prompt PSA to their customers, but how do you protect stupid from doing stupid other than passing more laws? You could implement a yuge tldr; legal disclaimer on the sharing function but we all know how quick that gets passed through.

 

[masquap]

Uhmmm I think you totally missed the point of the article.

In many cases these are the businesses own files.

Unless I’m misunderstanding what Box is (cloud storage), no, he didn’t misunderstand.

Offering a non password protected space to share files like this isn’t something I’d generally expect businesses to use, but here at least it seems like stupid business practices rather than any real fault of Box’s

 

[Incontentia Buttocks]

With box enterprise the enterprise access control can be set to prevent anonymous links. Most people don't want to put up an extra step or two and go with anonymous permission enabled (stupid in my opinion)

This requires the user to create an account to login to Box and download the file AND in order to download the file that no longer anonymous user must have been INVITED into the folder by someone who already had/has access. All of which is captured in the audit log.

I was the Box implementation project manager at a major medical institution and we (project team plus the security folks plus the legal/compliance (HIPPA)) had a lot of discussion around this.

At the end of the day, for our user base (research data in large part), Box is less risky than allowing USB sticks, SD cards and external hard drives. The audit trail + administrative controls, i.e., acceptable use policy (don't grant the default EDITOR permission for starters), is in large part enough to deflect the wrath of the Office of Civil Rights (HIPPA, remember) from the institution to the individual.

 

[spugm1r3]

It is unknown how Box Enterprise can be changed to save employees from themselves. This is not a vulnerability or bug as public sharing is a feature of Box Enterprise.

You default to private, you make the first available option "Share with all internal <enter company name here> only", and require a confirmation when sharing publicly. You would only have to do this with enterprise version. This would save the ignorant from themselves, and change your problem case to the willfully disobedient. A lot of enterprise tools with public sharing features have some version of this option.

 

[Kardonxt]

You default to private, you make the first available option "Share with all internal <enter company name here> only", and require a confirmation when sharing publicly. You would only have to do this with enterprise version. This would save the ignorant from themselves, and change your problem case to the willfully disobedient. A lot of enterprise tools with public sharing features have some version of this option.

I haven't worked with Box since other cloud providers became HIPPA compliant, but i'm pretty sure this is how Box already handles sharing. Thus the unknown what else to do to save users from themselves.

 

[socK]

This kind of nonsense is exactly why AWS defaults all their bucket settings to private and screams in your face as soon as you even begin to contemplate making it public now. You need to enable a switch before you can even try to change the access.

You also get a PUBLIC banner next to it for as long as the access exists to make it even more obvious.

 

[horskh]

Security is inversely proportional to convenience.