Has Google Indexed Your Backup Drive?
itwbennett writes Depending on how you've configured the device, your backup drive may have been indexed by Google, making some seriously personal information freely available online to anyone who knows what they're looking for. Using a few simple Google searches, CSO's Steve Ragan discovered thousands of personal records and documents online, including sales receipts with credit card information and tax documents with social security numbers. In all cases, the files were exposed because someone used a misconfigured device acting as a personal cloud, or FTP (File Transfer Protocol) was enabled on their router.
Re: (Score:1, Insightful)
How did idiots get their backups indexed?
As it turns out, dumbass people do dumbass things - things like taking a significant risk with something complex that you do not remotely understand. You either decline the risk entirely, learn a few fundamentals about how it works, or hire someone who has learned them. Those are your sole rational choices. Dumbasses think there's a viable fourth option: invest more heavily than you think in something you know (or should know) you don't understand.
You can see how "I am not a computer expert!" and other b
Re: (Score:2)
Bingo!
When you buy hardware/software, that's exactly what you're doing: Hiring experts.
Storage appliances should not allow anonymous access to sensitive data by default.
For those who deliberately take risks, they don't need to " ... hire someone who has learned them."
Re: (Score:2)
Until it was killed, I had Google index my backups all the time with Google Desktop. It was useful at the time for finding archived files.
The web crawler would only index it if... (Score:3)
Not only the most insecure setup, but he already had links to that insecure setup.
Re: (Score:3)
Google's crawler also indexes "sites" that exist as an IP address... leave a home router connected with its web interface coming out the WAN port, you better have a robots.txt file blocking Google, Bing, etc.
Re:The web crawler would only index it if... (Score:5, Informative)
robots.txt has nothing to do with security or blocking.
Re: (Score:1)
True, but it will tell any compliant bot to fuck off. So no matter how many links there are to your stuff, it will not be indexed (and thus easily found.)
Re: (Score:2)
robots.txt is a note to Google and Bing to stop. It doesn't stop a web browser, but you can't be found in the search engines.
Re:The web crawler would only index it if... (Score:5, Insightful)
If this is what amounts to network security these days, we're doomed.
Re: The web crawler would only index it if... (Score:1)
URL looks up IP. Not different. You suck.
Re: (Score:3, Insightful)
And if you have a web interface on your WAN port then you're most likely doing things very wrong to begin with. If you want a publicly reachable interface into your LAN, don't fucking use your piece of shit router to do it. It's probably chock full of exploits anyhow, but that's a pretty moot point if you've left it wide fucking open for any random script to stumble across and access.
Hint: If you want people to take notice of advice about IT security, it may be more effective to speak respectfully than to let loose with an expletive-filled tirade.
Robots.txt is essentially a "KEEP OUT!" sign telling Google and Bing to go away... who else is crawling the Internet lately?
Re: (Score:2)
The Google and Bing bots do... who's publishing a crawl of the web that doesn't?
Re: (Score:1)
Google also indexes websites mentioned in Google's services. E-mail the address of your server to yourself or a friend and you are added to the list of sites to take a peek at.
Re: (Score:2)
Google uses the malware protection in Chrome and Firefox to index sites that are not linked to anywhere. When a user visits an unindexed site with one of these browsers, by default the browser pings Google with the URL (in an allegedly anonymous way) so that it can be checked for malware and added to the search index.
So, if you have any publicly accessible but unlinked pages they can be found after you visit them yourself. I'm not sure how it deals with things like "unlisted" URLs that Google likes to use f
Clickbait-ish Headline (Score:5, Insightful)
I think much of Slashdot might agree with me that if you're silly enough to deploy a public-facing server with no or default authentication, yeah, you'll probably deserved get indexed by Google.
Re:Clickbait-ish Headline (Score:5, Insightful)
yeah, you'll probably deserved get indexed by Google.
deservedly*
But not only that, it's not like Google can infer intent to share the data... you put it out there, and Google said, "hey, this is publicly available, obviously people want this to be indexed!"
There's no adequate way to fix this either, because if it's opt-in, then unknowing individuals will fail to opt-in for indexing... if it's opt-out, then unknowing individuals will fail to properly opt-out (robots.txt for example)
If you put up private data publicly on the internet then you simply have to accept the fact that no one else could have known that you didn't want to share the data...
There's no adequate way to fix this either, because if it's opt-in
If a NAS is doing UPnP on purpose or is acting as a router, then the NAS manufacturer has an obligation to provide appropriate guidance to their users. If they don't then their reputation should be thoroughly punished in reviews.
Oh, but why buy a $120 NAS when there's a $20 box available on eBay?
Re: (Score:3)
I have a Synology. It tries to do UPnP, but luckily, it has no idea how to do so with my Verizon FiOS router, so I guess I dodged that bullet. It never occurred to me that Google would index it, and I do IT for a living. I feel like a moron :)
Re: (Score:2)
Yeah, my OpenBSD machine specifically refuses to do UPnP as well, because "security"... I've looked into getting some sort of UPnP working... but in the end, I'm just like, "nah... it makes my life a little bit more of a pain, but at least I know what ports are open"
Re: (Score:2)
If a NAS is doing UPnP on purpose or is acting as a router, then the NAS manufacturer has an obligation to provide appropriate guidance to their users.
INDEED! If they screw that up, it's bad, and they should be the ones holding the responsibility if it accidentally exposes data that they don't want exposed through UPnP... no one else is able to properly infer the right thing to do.
Re: (Score:3)
The comment had nothing to do with Google. All search engines are opt-out. If they discover your web site, they index it. If you have no robots.txt telling them what you want them to ignore, they put it all in the index.
Re: (Score:2)
If you have no robots.txt telling them what you want them to ignore, they put it all in the index.
A quick search kicks back FTPs with robots.txt in the root directory.
allinurl:ftp:// XXXX robots.txt
User-agent: *
Disallow:
It doesn't really seem like Google is indexing the FTP.
Instead Google seems to be crawling through and only indexing txt, doc, pdf, html, xls, xml, aspx, rtf, etc.
If Google was indexing ftps, a search like intext:"Up to higher level directory" inurl:ftp:// XXXXXX.net should kick back folder directories, but it doesn't.
Re: (Score:3)
As noted by the sibling post. Bing already does do this. And it's the right thing to do.
Re: (Score:3)
When I read this, I immediately thought "Has Google Indexed the Contents of your Google Drive?", in the context of those automatic backups you might have enabled for photos, etc on your Android device. In fact, you're only at risk here if you have configured some type of FTP server or WebDAV (like a QNAP, etc) to have a public IP and have no security whatsoever. So that means having enough technical prowess to accomplish that much, only to leave all your stuff open on the internet for "ease"?!?
I think much of Slashdot might agree with me that if you're silly enough to deploy a public-facing server with no or default authentication, yeah, you'll probably deserved get indexed by Google.
Yeah, I thought the same thing as you when I saw the headline. I'm a little less interested to learn that if you open your data to the public (even if you didn't mean to), it's viewable by the public.
Re: (Score:3)
It might be interesting to figure out why people unwittingly open their data to the public, and what can be done about it, so the average person is highly unlikely to do it by accident.
Get your whole life indexed by Google with this one weird trick! You won't believe what happens next!
What's your excuse? (Score:2)
So, you're saying you're a Republican?
Comment removed (Score:5, Interesting)
Re: (Score:2)
No, it sounds like they have allowed a machine on their network to become a part of the Google botnet. It's like that brand of TV (LG I believe) that likes to snoop around. All it takes is installing the wrong app and then not fully understanding it.
Any software or hardware you allow on your network could be up to no good and reporting back to the mothership. This kind of nonsense isn't just for Microsoft or Sony anymore.
Unfortunately, most people are rubes and are actively encouraged to stay that way.
Re:I'm a little baffled (Score:5, Insightful)
I own a Synology NAS, and it comes with all sorts of nifty software that lets it do general server-like things. You can view photos or watch movies from anywhere on the internet. You can set up Wikis, serve webpages, and do all sorts of other stuff.
I partake in none of this. I use it as a file system, a data backup, and for streaming media to my videogame consoles, and absolutely nothing else. Frankly, opening up your NAS to the internet in any capacity is insane. It's where the phrase "A little knowledge is a dangerous thing" is never more appropriate. Even if you set up everything correctly, you're only a single security flaw away from the entire box being compromised. Most people see all these cool features and are encouraged to experiment with them a bit. No one ever tells them "Hey, if you screw this up, you could accidentally leak all your personal information to bad guys on the Internet."
It's funny, because you're seeing the same sort of learning process that the professional programmers and IT people have already gone through (or are STILL going through in the worst examples). People first think of cool things they can do with the internet, and then security-related thoughts come only after a disaster strikes. I'm not sure if there's really a fix for this. People will make silly mistakes and get burned, unfortunately. And then they'll know better. Life goes on.
Re: (Score:2)
Except we've gone through it on dev networks, virtual networks, or no network at all with machines that we can just happily wipe and start over if necessary.
Re: (Score:3)
Hmm, I would say the big difference is that the professionals tend to lose control of their customers' data rather than their own.
Re: (Score:2)
Ah, I see, you're talking about training. Apologies, I didn't quite catch that.
I wasn't exactly talking about that necessarily. I was talking about the tendency of people (programmers like myself in particular) to ask "what cool stuff can we do with this?" first, long before anyone considers the question "what bad stuff could also be done with this?" as well.
For instance, when e-mail programs first allowed any file to be added as an attachment, it seems no one thought about the fact that it would be trivi
Re: (Score:2)
Apart from publications even as mainstream as "Scientific American" you mean? I remember reading stuff along those lines in the very early 1980s.
Lots of us did but we were all ignored because we stood in the way of convenience. The history
Re: (Score:2)
LOL, again, most of the professionals I know who know to be wary, cautious, paranoid, methodical, and overly attentive to the process at hand have all gotten that way from having seen the process fail (or almost fail) in a place where it really did matter.
There's nothing like that giant "oh, shit" moment to make you realize "I shall never do this carelessly again".
In my experience, the people who have only lost stuff where it doesn't matter can sometimes be an accident waiting to happen, because they don't
Re: (Score:2)
You know, that sounds awesome and all ... but you'd be utterly shocked at the number of companies who simply don't have testbeds, and have only a live system.
It's the old thing about the cobbler's children having no shoes... the internal spending/diligence/investment on IT in many tech firms can be pretty pathetic.
Often times there's short sighted management who thinks they can't afford these things, right up until they find themselves with a massive and costly outage that can't be easily fixed.
It's like b
Re: (Score:2)
Hence utterly ridiculous shit like the massive security holes in Dropbox in its early days (eg. being able to get in without a password and the file hash trick to get other people's files without permission). Not shocked, just annoyed at the number of cowboys and turkeys. I had a web hosting bunch near me go broke overnight because their only "backup" was an online mirror that faithfully cop
Re: (Score:1)
People first think of cool things they can do, and then safety-related thoughts come only after a disaster strikes. I'm not sure if there's really a fix for this. People will make silly mistakes and get burned, unfortunately. And then they'll know better. Life goes on.
FTFY. People think of cool things all the time, without looking at the risks, not only related to the internet. Especially in the requests or changes in the law, they rarely think of the possibility that this new rule may one day apply to themselves as well.
Re: (Score:3)
Good observation.
Many people implement best practices regarding data backups the second time around.
Re:I'm a little baffled (Score:5, Informative)
Synology had a remote exploit last year that was exploited by ransomware. You're insane to expose your NAS to the internet, even if it apparently has security enabled. Get a VPN-capable router.
Yep, I followed that breaking news fairly carefully.
Although in fairness to Synology, it was only exploitable if you didn't actually patch your device (you can do this with a single button click) for quite some time. Then again, in fairness to users, Synology NAS devices didn't have a way to schedule automatic patching for your device like they do now. I think it may have been this incident which prompted them to add that feature, which I was glad to see.
Re: (Score:2)
I stumbled across some of these myself recently, while googling on a random obscure Windows dll I thought was broken on a box - I found a bunch of Windows installations backed up on these. I suspect it may have something to do with upnp or port triggering. These Western Digital backup devices seem to have FTP access, but they also allow setting it up completely open. I have to assume people are enabling this option to allow internal usage and backing up without realizing it's making it public. I really doub
Re: (Score:2)
Did something like this deliberately once on an internal network, because the person needing access to the files was too inept to follow even the most basic instructions but too highly ranked to ignore. It was supposed to be temporary, but I then **forgot** to turn the security back on in the morning. A month later one of my bosses noticed she could get into HR data that she wasn't supposed to access and raised a red flag. Oops. Thank all the gods that our network didn't have remote access yet.
Re: (Score:3)
You make it sound like #2 is hard. In Linux you would surely do some "advanced" command line thingies[*], but if you ever installed an FTP server on Windows in the late 90s/early 00s (to get around SMB shares not found, not working, authentication error etc.) you'd know that can be as easy as checking a box or even leaving the default alone.
What's more : File Explorer in Windows XP (or old IE) behaves very conveniently, you feed it "ftp://192.168.0.1" and it works like a regular file manager window, AND you c
Re: (Score:2)
It works still in Windows 8.1.
It's actually provided by a service called "WebClient" that's basically a userspace filesystem handler for Windows. It's h
Re: (Score:2)
Actually I suspect it's a case of the devices being "helpful":
1. FTP switched on by default on NAS
2. Anon access switched on by default
3. UPnP does the rest
OK the end user may have to enable 1 and 2 manually but they are probably unaware of what UPnP can be made to do.
Dilbert (Score:1)
Re: (Score:1)
I wonder if I should feel bad that I know all of those acronyms so well (including that WiFi isn't normally capitalised like you had it - though personally I hate camel case).
You really do have to hope that someone RTFM before trying to use the ICBM though, and never, ever opens it up to FTP or WiFi... I'm not even sure I'd trust IBM or the FBI or NSA with an ICBM. :-)
Following Linus (Score:3)
Great to see that many are following his footsteps now!
Google is the least of your problems (Score:2)
Really (Score:1)
Google indexes everything?
-inurl:htm -inurl:html -inurl:php intitle:"index of" (mp3) "singing in the rain"
Re: (Score:1)
Yeah, Google Advanced Search https://www.google.ca/advanced_search
Re: (Score:2)
Did you try googling it?
http://lmgtfy.com/?q=advanced+... [lmgtfy.com]
Wow... (Score:4, Interesting)
A quick search returned bank statements, someone's 2012 1040 tax form (completed w/ soc and everything)...
Couldn't find any porn though. I guess those aren't making it into the google indexes...
Subject (Score:3)
Is Google really at fault? They handled it poorly, yes, but the data was already out there to be used by blackhats. It would be better if they placed a file on the FTP "You know these files are open to the internet because your router configuration sucks, right?.txt".
Re: (Score:2)
Is that supposed to be hard to do? Here is me doing it...
http://i.imgur.com/cV1UBU6.png [imgur.com]
The entire article could have been replaced with (Score:3)
a one-liner: "If you've made your private files available publicly (either intentionally or through ignorance) then your private files are available publicly."
Removing them from google results is far less important than making the files themselves no longer available.
Looking on google to see if they are available is sort of silly - if you're using one of these silly commercial "automatic backup" packages that came bundled with an external drive, read its manual and documentation, and review its configuration, as well as that of your router.
Sigh (Score:3)
"Has Google Indexed Your Backup Drive?"
Yes, if you're a pillock that's configured your backup drive in such a way that you allow authenticated remote access to it from the Internet and it has FTP or HTTP protocols enabled.
"Has Google Indexed Your Naked Pictures Of Your Wife?"
Similar answer.
Re: (Score:2)
"unauthenticated" that should be, obviously.
No but, it happened to my group at work once (Score:2)
So I was working at a University several years back. At the time there was an old webserver, actually a desktop. It was previously used by an admin who left and left behind a web service with notes. It was a collection of brain dumps, notes, old emails etc....which all of us admins knew about and occasionally referenced, that's why we never shut it down....or particularly considered its contents.
That is until we saw an article in the local school student run rumor mill, which most of us read, about this fas
Not surprising (Score:2)
When you have millions of people using the internet and setting up devices connected to the internet when they haven't the slightest clue how to properly configure, administer and maintain such devices... yeah...
When you hand unqualified people advanced technology, stupidity happens.
I just hope that in the name of safety for the millions of unqualified we don't get ISPs closing down running services of any kind from home. Probably will happen though, in the name of safety. Glad I migrated all my internet
Dumbass developers, too (Score:2)
I'm reminded of the old bag of glass [yahoo.com] SNL skit - some products (or product features) are just plain dangerous, and saying "but we explain the risks in page 17 of the manual" isn't a good excuse.
How much effort would it take to set defaults that (1) disable anonymous FTP for addresses outside of the local subnet, and (2) inject a fake robots.txt that prevents search engine indexing? And then add an explanation of the risks if you try to disable those defaults?
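The two defaults proposed in this comment, together with the "Disallow:" robots.txt quoted earlier in the thread, written out as an added Python 3 example. This is not code from the article, from any NAS vendor's firmware, or from the commenters. It assumes the appliance's LAN is 192.168.1.0/24 and uses constructed client addresses and a constructed backup URL; the robots.txt texts are the allow-all file found on the exposed FTP servers and a block-all replacement. Only the standard library is used, so it runs offline.

```python
"""
Added example: the two safer defaults for a home NAS, as a small policy module.

  1. Anonymous access is honoured only when the client address is on the
     appliance's own subnet (or loopback). A public address that reached the
     daemon through a UPnP port mapping is refused.
  2. The robots.txt the appliance serves should disallow everything. The
     standard-library parser is used to show the difference between
     "Disallow:" (empty value: everything allowed) and "Disallow: /".

LAN_NET, the client addresses and the backup URL are assumptions for the demo.
"""
import ipaddress
import urllib.robotparser

# Assumed LAN; a real appliance would read this from its interface config.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")


def anonymous_allowed(client_ip: str, lan_net=LAN_NET) -> bool:
    """Policy (1): anonymous FTP/HTTP only from the local subnet.

    Unparseable input is a deny; so is any address outside lan_net,
    including every public address and every IPv6 address when the LAN
    is IPv4 (ipaddress treats a version mismatch as "not contained").
    """
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    if addr.is_loopback:
        return True
    return addr in lan_net


# robots.txt as quoted from the exposed servers: blocks nothing, because an
# empty Disallow value means "everything under this host is allowed".
ROBOTS_ALLOW_ALL = "User-agent: *\nDisallow:\n"

# Policy (2): the file the appliance should serve by default instead.
ROBOTS_BLOCK_ALL = "User-agent: *\nDisallow: /\n"


def crawler_may_fetch(robots_text: str, url: str, agent: str = "Googlebot") -> bool:
    """What a robots.txt-honouring crawler would conclude for `url`.

    This is advisory only: a client that never requests robots.txt is not
    affected, which is why policy (1) is the one that actually protects data.
    """
    rp = urllib.robotparser.RobotFileParser()
    rp.parse(robots_text.splitlines())
    return rp.can_fetch(agent, url)


def audit(client_ip: str, robots_text: str, url: str) -> dict:
    """Both checks combined, as a NAS would evaluate one incoming request."""
    return {
        "anonymous_ok": anonymous_allowed(client_ip),
        "crawler_would_index": crawler_may_fetch(robots_text, url),
    }


if __name__ == "__main__":
    # Constructed sample: a LAN client, an Internet client, and garbage.
    for ip in ("192.168.1.20", "203.0.113.7", "not-an-ip"):
        print(f"anonymous from {ip}: {anonymous_allowed(ip)}")
    target = "http://203.0.113.7/backup/taxes2012.pdf"  # constructed URL
    for label, txt in (("allow-all", ROBOTS_ALLOW_ALL), ("block-all", ROBOTS_BLOCK_ALL)):
        print(f"{label}: crawler may fetch {target}: {crawler_may_fetch(txt, target)}")
```

The subnet check is the control that matters: it runs in the daemon on every connection and does not depend on the client's good manners. The robots.txt default only keeps compliant search engines from advertising whatever the first check still lets through, and the allow-all file quoted upthread shows that even the presence of a robots.txt is no indication that anything is being withheld.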
No. (Score:1)
Re: (Score:2)
The problem is not FTP, it would have been the same with HTTP or any protocol that allows anonymous access to files. Although it is uncommon, you can even do it with SFTP.
The issue is that people are making private files public through misconfigured routers, and Google's crawler is very good at finding and indexing anything public.