Our lives are digital now.
Everything we do online leaves a trail that leads directly to us; something privacy advocates are fighting to eliminate. However, we're our own worst enemy when it comes to privacy, and personal cloud adoption has done nothing to help the situation.
Each day millions of people across the globe create backups of their files. These backups are supposed to offer a measure of assurance that their files are safe and easily recovered if needed. But that's not entirely true.
In fact, depending on how you've configured the device, your backups are freely available online to anyone who knows what they're looking for.
Note: The term personal cloud might seem a bit confusing. For context, as it relates to this post, a personal cloud is what you have after you've stored files online or a device in your home that you can access via the Internet. The concept is one that would allow you to access your files from anywhere, at any time, on any Web-enabled device.
For consumers, the lure is the promise of instant availability. Do you want to share files with others living in your home? There are devices that offer such a function. Perhaps you want to access files stored at home while you're away on business or on vacation. If so, plenty of software or hardware-based solutions offer this feature.
But when you trade security for access, things can go horribly wrong rather quickly.
Think about it. If everything you've ever saved to an external hard drive suddenly appeared on Google, what sort of things could a person learn about you? What could they learn about the businesses or people connected to you?
Using a few simple Google searches, XSS discovered thousands of personal records and documents online.
The items discovered were deeply personal in some cases. There were business documents too; sensitive files that could cause regulatory problems, as well as files a competitor could use to gain an advantage. This is in addition to the files owned by government agencies and school corporations.
The files were exposed because someone used a misconfigured device acting as a personal cloud, or FTP (File Transfer Protocol) was enabled on their router. If FTP was enabled, the likely cause is accidental. Yet, there were cases where the setting was enabled intentionally, but the impact of such an action wasn't fully understood.
No matter the root case, the result is the same.
The devices in question are acting as FTP servers, using the person's IP or hostname as an address. The backups are fully indexed and require no authorization to access. Because of this, search engines have treated the external drives as public archives.
Unfortunately for some people, there were enough records indexed by Google to relive their entire life. All of their wins, losses, and personal struggles over the last decade were unknowingly archived for the world to view.
What types of files are we talking about here?
Everything, seriously, and we can include the kitchen sink.
XSS discovered archives dating as far back as 2004, but several were updated as recently as March, 2015.
The indexed files included passwords, private photos (SFW / NSFW), personal journals and diaries, family genealogy documents, email correspondence, general household documentation and records, passports, state IDs, tax records, financial statements, credit card statements and account details, mortgage documents, banking statements and account details, birth records, death records, research and development planning, sales planning, customer lists, prospect lists, and more.
In one of the larger archives, XSS discovered a tremendous amount of personal information. The archive contained a family's computer backups dating back to 2009. If it was stored on the computers used by this family, it was eventually archived by their Western Digital drive and indexed by Google.
But the external drive wasn't the issue; their router – a Linksys WRT1900AC – had FTP enabled somehow. How this came to be remains unknown, but because the drive was connected to the router, its contents were treated as public records.
By looking at the files on the drive, it was entirely possible to map the family's personal and financial history over the last five years. When warned about the problem, the family shared an interesting story with XSS.
Towards the end of last year, their debit and credit cards kept getting compromised.
"I simply could not figure out how someone got the [card] info minutes after I'd activate them. My system was clean and secured more than the average person," said one member of the family, who asked that their names be left out of the story.
"Now I know. [It's not] difficult when my backups were public and being indexed on Google. I got into a habit, a bad one, of storing the card info in a text file similar to many of the ones you found... When I got all of our new cards after the second time, I didn't update the text file and the problem stopped. While there are a lot of files I wouldn't want to share with others, especially people I don't know, that was probably the most sensitive from an identity standpoint."
This family, like the others that were discovered while researching this story, were contacted about the problem, and their files have been removed from search listings.
How were the files discovered?
They were found on Google, using standard search operators.
allinurl:ftp:// XXXX filetype:txt | xls | doc | docx | jpg | jpeg | pdf
You can replace XXXX to match any host name you choose, such as:
- comcast.net
- bhn.net
- mchsi.com
- optonline.net
- cox.net
- rr.com
- verizon.net
The search tells Google to only show FTP results, where the URL contains an address from XXXX. The other search operators tell Google to look for FTP addresses that have text files, PDFs, Word documents, Excel documents, or images indexed.
Anyone with FTP enabled on their router and a storage device connected to the network; or those who use devices that offer public cloud access, but didn't configure them correctly, will appear in the search results.
How do I know if my files are online?
Search for your host name. If you're not sure what your hostname is, you can find it here.
Once you know the hostname, open a browser and point it to:
Example: ftp://xx-xx-xx-xxx.res.bhn.net
You can also search for it on Google or other engines: "xx-xx-xx-xxx.res.bhn.net"
I've found files? How do I get them offline?
You can ask Google and the other search engines to remove them.
Google's removal tool is here. The removal tool used by Bing, which is also where Yahoo gets their results, can be found here. You'll need the exact URL of the listing. You can try a generic top-level listing, but you may have to list each URL separately.
For example:
This might work: ftp://xx-xx-xx-xxx.res.bhn.net
But you should be ready to request all of the following:
ftp://xx-xx-xx-xxx.res.bhn.net
ftp://xx-xx-xx-xxx.res.bhn.net/folder/file1
ftp://xx-xx-xx-xxx.res.bhn.net/folder2/file2
Remember, removing the indexed files form the search engine does not fully fix the problem. You'll need to ensure you're using your personal cloud device correctly, or ensure your router is configured properly.
How do I make sure my router is configured correctly?
If you've discovered your files online, and you don't have any sort of personal cloud device, then it's likely your backup drive is connected directly to the router with FTP enabled. You'll have to contact your ISP for assistance.
If you are using a router not provided by your ISP, you'll need to make sure that remote management is properly implemented and that FTP access is completely disabled. The router's manual can explain it, and again, the support department can help you.
How do I make sure my personal cloud is configured properly?
While researching this story, one of the following personal cloud devices were being used by someone who had their files indexed:
- Seagate Personal Cloud
- Seagate Business NAS
- Western Digital My Cloud
- LaCie CloudBox
In each case, the user manual explains how to configure the device properly, as well as how to implement remote access securely. You should contact the respective company's support department for additional help.
Making the trade
Instant access is something everyone wants. The trick is to remember the trade-off; more access often equals less security. To put it another way, when it comes to personal clouds and data access, choose two of the following:
Unlimited access to data; easy access to data; security.