The handy File History feature in Windows 8 and 8.1 is a convenience and a time-saver, but if set up without security in mind it can expose sensitive files to anyone on the Internet, security pros were told at a conference.

When picking where File History sends backups of documents, photos and the like, it’s a must to be sure that the storage chosen doesn’t allow for anonymous access, Kenneth Johnson, a senior associate with KPMG, warned an audience at (ISC)² Security Congress.

It’s not a flaw in the Windows feature, he says. In fact it’s a pitfall that Microsoft tells how to avoid in its instructions, but it’s nevertheless easy to find files exposed in this way on the Internet.

For example, in one case, Johnson says he found on the Internet documents detailing corporate goals and employee evaluations that were backed up from a machine used by the company’s former CEO. In another he found a doctor’s notes about individual patients.

File History regularly backs up documents, photos, videos, music and Desktop folders so that if the originals are lost, damaged or deleted, they can be quickly restored. The history is also useful for finding earlier versions of files.

Setting up File History requires naming a place where the backups are stored, such as a separate drive or network attached storage. If Internet-accessible NAS is chosen and it allows anonymous FTP, then search engine crawlers can find the files.

Using a search engine to find a File History signature, configurationcatalog1.edb, yields pages of individuals’ backed-up files. Lopping that signature off the URL and searching again moves the searcher up the file structure of the victim’s storage, potentially exposing a wealth of backed-up files.

If File History violates corporate policies, infosec pros can disable it altogether via a group policy object, as described by Microsoft.

Even if businesses decide to use File History and make sure the chosen storage is secure, sensitive data can still wind up accessible to anyone on the Internet, Johnson says. For example, if an employee copies files to a thumb drive, then downloads them to a non-corporate machine that backs up to the wrong type of NAS, they are exposed, he says. In this case supplemental controls, such as policies that block downloads to removable media, can help remedy the situation, he says.

Johnson says he stumbled on this weakness while researching another issue. He has found email addresses for some individuals with exposed files, and he contacted them. “If I had my data exposed I’d at least want someone to tell me,” he says.

Most of them didn’t respond, some corresponded with him to find out more and one berated him for snooping. (Johnson says he doesn’t actually drill down into the files themselves, just to their names, which can reveal a lot about what’s in them.) He’s checked back on the stored files of some of those he told about their problem and many of them are no longer available, so apparently they took steps to deal with the leaks.
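The two defensive steps the article describes, checking that the storage chosen for File History refuses anonymous FTP and turning File History off by policy where it is not allowed, can both be scripted by an administrator. The following PowerShell is an added example, not code from the article, from KPMG or from Microsoft. It assumes the NAS to audit is your own and is reachable at the placeholder name `nas.example.invalid`, that the File History policy "Turn off File History" is backed by the registry value `Disabled` under `HKLM\SOFTWARE\Policies\Microsoft\Windows\FileHistory`, and that a File History target carries a top-level `FileHistory` folder alongside the `configurationcatalog1.edb` signature the article cites.

```powershell
# Added example (not from the article). Audit a File History target for
# anonymous FTP and apply the "Turn off File History" policy locally.

function Test-AnonymousFtp {
    # Returns whether the host accepts an anonymous FTP login and, if so,
    # whether the top-level listing looks like a File History target.
    param(
        [Parameter(Mandatory)] [string] $HostName,   # placeholder: your own NAS
        [int] $TimeoutMs = 10000
    )
    $request = [System.Net.FtpWebRequest]::Create("ftp://$HostName/")
    $request.Method      = [System.Net.WebRequestMethods+Ftp]::ListDirectory
    $request.Credentials = New-Object System.Net.NetworkCredential('anonymous', 'audit@example.invalid')
    $request.Timeout     = $TimeoutMs
    $request.UsePassive  = $true
    try {
        $response = $request.GetResponse()
        $reader   = New-Object System.IO.StreamReader($response.GetResponseStream())
        $listing  = $reader.ReadToEnd()
        $reader.Close(); $response.Close()
        $entries  = $listing -split "`r?`n" | Where-Object { $_ }
        [pscustomobject]@{
            Host               = $HostName
            AnonymousAccess    = $true
            # Assumed markers: the FileHistory folder and the catalog file name
            ExposesFileHistory = [bool]($entries -match '^FileHistory$|configurationcatalog1\.edb')
            Entries            = $entries
        }
    } catch [System.Net.WebException] {
        # A 530 login refusal or a connection failure both mean no anonymous access
        [pscustomobject]@{
            Host               = $HostName
            AnonymousAccess    = $false
            ExposesFileHistory = $false
            Entries            = @()
            Error              = $_.Exception.Message
        }
    }
}

# Policy key assumed to back the GPO "Turn off File History"
$FileHistoryPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\FileHistory'

function Get-FileHistoryPolicy {
    # Reports whether File History is disabled by policy on this machine.
    if (-not (Test-Path $FileHistoryPolicyKey)) { return 'NotConfigured' }
    $value = (Get-ItemProperty -Path $FileHistoryPolicyKey -Name Disabled -ErrorAction SilentlyContinue).Disabled
    if ($value -eq 1) { 'Disabled' } else { 'NotConfigured' }
}

function Disable-FileHistory {
    # Local equivalent of the GPO setting; run from an elevated prompt.
    if (-not (Test-Path $FileHistoryPolicyKey)) {
        New-Item -Path $FileHistoryPolicyKey -Force | Out-Null
    }
    Set-ItemProperty -Path $FileHistoryPolicyKey -Name Disabled -Value 1 -Type DWord
}

# Usage:
Test-AnonymousFtp -HostName 'nas.example.invalid' | Format-List
Get-FileHistoryPolicy
# Disable-FileHistory   # uncomment on machines where policy forbids File History
```

`Test-AnonymousFtp` only lists the top level of the share; a result of `AnonymousAccess = $true` is already the finding to act on, since any backup stored there is reachable without credentials. In a domain, the registry change is better deployed through the actual group policy object so that it is enforced and reported centrally, with the function above serving as a quick local check of whether the policy has applied.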