Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Google Data Storage Privacy

Has Google Indexed Your Backup Drive? 121

itwbennett writes Depending on how you've configured the device, your backup drive may have been indexed by Google, making some seriously personal information freely available online to anyone who knows what they're looking for. Using a few simple Google searches, CSO's Steve Ragan discovered thousands of personal records and documents online, including sales receipts with credit card information and tax documents with social security numbers. In all cases, the files were exposed because someone used a misconfigured device acting as a personal cloud, or FTP (File Transfer Protocol) was enabled on their router.
This discussion has been archived. No new comments can be posted.

Has Google Indexed Your Backup Drive?

Comments Filter:
  • by Craig Cruden ( 3592465 ) on Thursday April 09, 2015 @09:13PM (#49443813)
    There was a link on another webpage that pointed to that server in the first place.

    Not only the most insecure set up, but he already had links to that insecure setup.
    • Google's crawler also indexes "sites" that exist as an IP address... leave a home router connected with its web interface coming out the WAN port, you better have a robots.txt file blocking Google, Bing, etc.

    • by Anonymous Coward

      Google also index websites mentioned in Google's services. E-mail the address of your server to yourself or a friend and you are added to the list of sites to take a peek at.

    • by AmiMoJo ( 196126 ) *

      Google uses the malware protection in Chrome and Firefox to index sites that are not linked to anywhere. When a user visits an unindexed site with one of these browsers, by default the browser pings Google with the URL (in an allegedly anonymous way) so that it can be checked for malware and added to the search index.

      So, if you have any publicly accessible but unlinked pages they can be found after you visit them yourself. I'm not sure how it deals with things like "unlisted" URLs that Google likes to use f

  • by Midnight_Falcon ( 2432802 ) on Thursday April 09, 2015 @09:13PM (#49443815)
    When I read this, I immediately thought "Has Google Indexed the Contents of your Google Drive?", in the context of those automatic backups you might have enabled for photos, etc on your Android device. In fact, you're only at risk here if you have configured some type of FTP server or WebDAV (like a QNAP, etc) to have a public IP and have no security whatsoever. So that means having enough technical prowess to accomplish that much, only to leave all your stuff open on the internet for "ease"?!?

    I think much of Slashdot might agree with me that if you're silly enough to deploy a public-facing server with no or default authentication, yeah, you'll probably deserved get indexed by Google.

    • by snowgirl ( 978879 ) on Thursday April 09, 2015 @09:24PM (#49443849) Journal

      yeah, you'll probably deserved get indexed by Google.

      deservedly*

      But not only that, it's not like Google can infer intent to share the data... you put it out there, and Google said, "hey, this is publically available, obviously people want this to be indexed!"

      There's no adequate way to fix this either, because if it's opt-in, then unknowing individuals will fail to opt-in for indexing... if it's opt-out, then unknowing individuals will fail to properly opt-out (robots.txt for example)

      If you put up private data publically on the internet then you simply have to accept the fact that no one else could have known that you didn't want to share the data...

      • s/you'll/you/g :)
      • But that's the thing, the DID want to share it, probably not with everyone granted, but then they should have secured it so only the people they did want to give access to it would have access. I love the way the article implies it's somehow google's fault that some clueless idiot didn't click on a tick box and enter a user name and password. If people don't want to RTFM then they are going to get burned.
      • There's no adequate way to fix this either, because if it's opt-in

        If a NAS is doing uPNP on purpose or is acting as a router, then the NAS manufacturer has an obligation to provide appropriate guidance to their users. If they don't then their reputation should be thoroughly punished in reviews.

        Oh, but why buy a $120 NAS when there's a $20 box available on eBay?

        • I have a Synology. It tries to do uPNP, but luckily, it has no idea how to do so with my Verizon FiOS router, so I guess I dodged that bullet. It never occurred to me that Google would Index it, and I do IT for a living. I feel like a moron :)

          • Yeah, my OpenBSD machine specifically refuses to do uPnP as well, because "security"... I've looked into getting some sort of uPnP working... but in the end, I'm just like, "nah... it makes my life a little bit more of a pain, but at least I know what ports are open"

        • If a NAS is doing uPNP on purpose or is acting as a router, then the NAS manufacturer has an obligation to provide appropriate guidance to their users.

          INDEED! If they screw that up, it's bad, and they should be the ones holding the responsibility if it accidentally exposes data that they don't want exposed through uPnP... no one else is able to properly infer the right thing to do.

    • by hawguy ( 1600213 )

      When I read this, I immediately thought "Has Google Indexed the Contents of your Google Drive?", in the context of those automatic backups you might have enabled for photos, etc on your Android device. In fact, you're only at risk here if you have configured some type of FTP server or WebDAV (like a QNAP, etc) to have a public IP and have no security whatsoever. So that means having enough technical prowess to accomplish that much, only to leave all your stuff open on the internet for "ease"?!?

      I think much of Slashdot might agree with me that if you're silly enough to deploy a public-facing server with no or default authentication, yeah, you'll probably deserved get indexed by Google.

      Yeah, I thought the same thing as you when I saw the headline. I'm a little less interested to learn that if you open your data to the public (even if you didn't mean to), it's viewable by the public.

      • It might be interesting to figure out why people unwittingly open their data to the public, and what can be done about it, so the average person is highly unlikely to do it by accident.

    • "Crawled your file server" would have been more accurate.
    • Get your whole life indexed by Google with this one weird trick! You won't believe what happens next!

  • Comment removed (Score:5, Interesting)

    by account_deleted ( 4530225 ) on Thursday April 09, 2015 @09:13PM (#49443817)
    Comment removed based on user account deletion
    • by jedidiah ( 1196 )

      No, it sounds like they have allowed a machine on their network to become a part of the Google botnet. It's like that brand of TV (LG I believe) that likes to snoop around. All it takes is installing the wrong app and then not fully understanding it.

      Any software or hardware you allow on your network could be up to no good and reporting back to the mothership. This kind of nonsense isn't just for Microsoft or Sony anymore.

      Unfortunately, most people are rubes and are actively encouraged to stay that way.

    • by Dutch Gun ( 899105 ) on Thursday April 09, 2015 @10:15PM (#49444015)

      I own a Synology NAS, and it comes with all sorts of nifty software that lets it do general server-like things. You can view photos or watch movies from anywhere on the internet. You can set up Wikis, serve webpages, and do all sorts of other stuff.

      I partake in none of this. I use it as a file system, a data backup, and for streaming media to my videogame consoles, and absolutely nothing else. Frankly, opening up your NAS to the internet in any capacity is insane. It's where the phrase "A little knowledge is a dangerous thing" is never more appropriate. Even if you set up everything correctly, you're only a single security flaw away from the entire box being compromised. Most people see all these cool features and are encouraged to experiment with them a bit. No one ever tells them "Hey, if you screw this up, you could accidentally leak all your personal information to bad guys on the Internet."

      It's funny, because you're seeing the same sort of learning process that the professional programmers and IT people have already gone through (or are STILL going through in the worst examples). People first think of cool things they can do with the internet, and then security-related thoughts come only after a disaster strikes. I'm not sure if there's really a fix for this. People will make silly mistakes and get burned, unfortunately. And then they'll know better. Life goes on.

      • by dbIII ( 701233 )

        It's funny, because you're seeing the same sort of learning process that the professional programmers and IT people have already gone through

        Except we've gone through it on dev networks, virtual networks, or no network at all with machines that we can just happily wipe and start over if necessary.

        • Hmm, I would say the big difference is that the professionals tend to lose control of their customers' data rather than their own.

          • by dbIII ( 701233 )
            I'd say the big difference is the professionals lose stuff where it doesn't matter before they can seriously be called professionals by their peers. I'm sorry that was not obvious enough from the above post.
            • Ah, I see, you're talking about training. Apologies, I didn't quite catch that.

              I wasn't exactly talking about that necessarily. I was talking about the tendency of people (programmers like myself in particular) to ask "what cool stuff can we do with this?" first, long before anyone considers the question "what bad stuff could also be done with this?" as well.

              For instance, when e-mail programs first allowed any file to be added as an attachment, it seems no one thought about the fact that it would be trivi

              • by dbIII ( 701233 )

                it seems no one thought about the fact that it would be trivial to send a computer virus that way

                Apart from publications even as mainstream as "Scientific American" you mean? I remember reading stuff along those lines in the very early 1980s.

                Or in more modern terms, did no one ever stop to consider that it's trivial to transmit malicious code through a website with 3rd party advertisements that can use scripting?

                Lots of us did but we were all ignored because we stood in the way of convenience. The history

            • LOL, again, most of the professionals I know who know to be wary, cautious, paranoid, methodical, and overly attentive to the process at hand have all gotten that way from having seen the process fail (or almost fail) in a place where it really did matter.

              There's nothing like that giant "oh, shit" moment to make you realize "I shall never do this carelessly again".

              In my experience, the people who have only lost stuff where it doesn't matter can sometimes be an accident waiting to happen, because they don't

        • You know, that sounds awesome and all ... but you'd be utterly shocked at the number of companies who simply don't have testbeds, and have only a live system.

          it's the old thing about the cobblers children having no shoes ... the internal spending/dilligence/investment on IT in many tech firms can be pretty pathetic.

          Often times there's short sighted management who thinks they can't afford these things, right up until they find themselves with a massive and costly outage that can't be easily fixed.

          It's like b

          • by dbIII ( 701233 )

            but you'd be utterly shocked at the number of companies who simply don't have testbeds, and have only a live system.

            Hence utterly ridiculous shit like the massive security holes in dropbox in it's early days (eg. being able to get in without a password and the file hash trick to get other people's files without permission). Not shocked just annoyed at the number of cowboys and turkeys. I had a web hosting bunch near me go broke overnight because their only "backup" was an online mirror that faithfully cop

      • by Anonymous Coward

        People first think of cool things they can do, and then safety-related thoughts come only after a disaster strikes. I'm not sure if there's really a fix for this. People will make silly mistakes and get burned, unfortunately. And then they'll know better. Life goes on.

        FTFY. People think of cool things all the time, without looking at the risks, not only related to the internet. Especially in the requests or changes in the law, they rarely think of the possibility that this new rule may one dat apply to themselves as well.

      • Good observation.

        Many people implement best practices regarding data backups the second time around.

    • by Scoth ( 879800 )

      I stumbled across some of these myself recently, while googling on a random obscure Windows dll I thought was broken on a box - I found a bunch of Windows installations backed up on these. I suspect it may have something to do with upnp or port triggering. These Western Digital backup devices seem to have FTP access, but they also allow setting it up completely open. I have to assume people are enabling this option to allow internal usage and backing up without realizing it's making it public. I really doub

      • by cusco ( 717999 )

        Did something like this deliberately once on an internal network, because the person needing access to the files was too inept to follow even the most basic instructions but too highly ranked to ignore. It was supposed to be temporary, but I then **forgot** to turn the security back on in the morning. A month later one of my bosses noticed she could get into HR data that she wasn't supposed to access and raised a red flag. Oops. Thank all the gods that our network didn't have remote access yet.

    • You make it sound like #2 is hard, in linux you would surely do some "advanced" command line thingies[*] but if you ever installed a ftp server on Windows in the late 90s/early 00s (to get around SMB shares not found, not working, authentication error etc.) you'd know that can be as easy as checking a box or even leaving the default alone.

      What's more : File Explorer in Windows XP (or old IE) behaves very conveniently, you feed it "ftp://192.168.0.1" and it works like a regular file manager window, AND you c

      • by tlhIngan ( 30335 )

        What's more : File Explorer in Windows XP (or old IE) behaves very conveniently, you feed it "ftp://192.168.0.1" and it works like a regular file manager window, AND you can access the ftp at least download-only from every web browser in the house. So it is very convenient, very easy to set up and works all the time, and in other words rewarding to the user.

        It works still in Windows 8.1.

        It's actually provided by a service called "WebClient" that's basically a userspace filesystem handler for Windows. It's h

    • by JSG ( 82708 )

      Actually I suspect it's a case of the devices being "helpful":

      1. FTP switched on by default on NAS
      2. Anon access switched on by default
      3. UPnP does the rest

      OK the end user may have to enable 1 and 2 manually but they are probably unaware of what UPnP can be made to do.

      • That being said, even Anonymous FTP requires you to "log in". I'm not sure if Google should be trying to log in, even anonymously to FTP servers. I mean, if they don't other people surely will, but I don't think most people expect that web bots are connection to servers that aren't HTTP/HTTPS. I wouldn't leave an anonymous ftp server open to the internet unless I truly wanted something public, but I really wouldn't expect that well behaving bot would start indexing my FTP server if I left it open.
    • Maybe it's people connecting USB storage to their routers? I seem to recall there have been security issues regarding routers sharing these devices externally even though they're only supposed to allow local access.
  • maybe sort of related... http://freer.com/bits/wp-conte... [freer.com]
  • by pikine ( 771084 ) on Thursday April 09, 2015 @10:31PM (#49444061) Journal

    Only wimps use tape backup: real men just upload their important stuff on ftp, and let the rest of the world mirror it ;)

    Great to see that many are following his footsteps now!

  • If you've got sensitive stuff naked on the net then you have seriously fucked up and should not be allowed near other people's sensitive stuff.
  • by Anonymous Coward

    Google indexes everything?
    -inurl:htm -inurl:html -inurl:php intitle:”index of” (mp3) “singing in the rain”

  • Wow... (Score:4, Interesting)

    by dark.nebulae ( 3950923 ) on Friday April 10, 2015 @12:17AM (#49444329)

    A quick search returned bank statements, someones 2012 1040 tax form (completed w/ soc and everything)...

    Couldn't find any porn though. I guess those aren't making it into the google indexes...

  • by Neil Boekend ( 1854906 ) on Friday April 10, 2015 @01:41AM (#49444525)

    Is Google really at fault? They handled it poorly, yes, but the data was already out there to be used by blackhats. It would be better if they placed a file on the FTP "You know these files are open to the internet because your router configuration sucks, right?.txt".

  • a one liner: "If you've made your private files available publically (either intentionally or through ignorance) then your private files are available publically."

    Removing them from google results is far less important than making the files themselves no longer available.

    Looking on google to see if they are available is sort of silly - if you're using one of these silly commercial "automatic backup" packages that came bundled with an external drive, read its manual and documentation, and review its configuration, as well as that of your router.

  • by ledow ( 319597 ) on Friday April 10, 2015 @04:46AM (#49444901) Homepage

    "Has Google Indexed Your Backup Drive?"

    Yes, if you're a pillock that's configured your backup drive in such a way that you allow authenticated remote access to it from the Internet and it has FTP or HTTP protocols enabled.

    "Has Google Indexed Your Naked Pictures Of Your Wife?"

    Similar answer.

  • so I was working at a University several years back. At the time there was an old webserver, actually a desktop. It was previously used by an admin who left and left behind a web service with notes. It was a collection of brain dumps, notes, old emails etc....which all of us admins knew about and occasionally referenced, that's why we never shut it down....or particularly considered its contents.

    That is until we saw an article in the local school student run rumor mill, which most of us read, about this fas

  • When you have millions of people using the internet and setting up devices connected to the internet when they haven't the slightest clue how to properly configure, administer and maintain such devices... yeah...

    When you hand unqualified people advanced technology, stupidity happens.

    I just hope that in the name of safety for the millions of unqualified we don't get ISP's closing down running services of any kind from home. Probably will happen though, in the name of safety. Glad I migrated all my internet

  • I'm reminded of the old bag of glass [yahoo.com] SNL skit - some products (or product features) are just plain dangerous, and saying "but we explain the risks in page 17 of the manual" isn't a good excuse.

    How much effort would it take to set defaults that (1) disable anonymous FTP for addresses outside of the local subnet, and (b) inject a fake robots.txt that prevents search engine indexing? And then add an explanation of the risks if you try to disable those defaults?

  • It was Apple.

Keep up the good work! But please don't ask me to help.

Working...