Heh, so out of curiosity, I have a very high confidence that the state of Tennessee leaked a lot of data as well. How I know:
- I use Fastmail, and use alias@myemail.mydomain.com to alias everything.
- Tennessee has a way to remind you to renew your plates, so I used licenceplate@myemail.mydomain.com
- I got a phishing email at licenceplate@myemail.mydomain.com
- I contacted them, and the investigator said they allow third parties access, so basically it was too hard to track it down.
I really don't know what to do, maybe send it to a newspaper?
I once found a state website exposing info they probably (?) shouldn't have been in some JSON fields. The sensitive data was not shown on the rendered page but it was in the browser's memory all nicely formatted. I thought of reporting it, but thought it was more likely they would try to save face by accusing me of being a hacker because I pressed F12 (and that I might have to fight charges in a far away state), rather than accept their mistake.
I chose to stay quiet.
I guess I'm not the only one to have faced this dilemma.
I found a Windows 2003 server (back in the day) with RDP open directly to it. It wasn't behind much (if any) external firewall. It also wasn't patched, and I got in using some exploit I found within a few mins of googling.
Here it was a city's (pop 2mil+) water system. I didn't need a name or password to it once I got into the server itself.
I screenshotted the login, the exploit, their water system (it reminded me of MS Paint, which a lot of those systems seem to look like), then created a fresh e-mail using Tor, sent a few e-mails to several e-mail addresses I could find for contacting them, and within a few days it was no longer accessible.
For a longer time than I should have, I felt bad for doing it, but at the same time, I doubt they would have done much if I just e-mailed them without showing proof.
I never received anything, threats or thanks, in that e-mail account. So hopefully someone appreciated it.
A friend was once in a similar situation and reached out to the Electronic Frontier Foundation... She didn't end up taking it very far (for other reasons) but their legal team was interested in at least hearing what she had to say, and potentially connecting her with legal advice if it fell in their scope of work.
I did try to use their "fraud waste and abuse" line, that's how I got to an investigator. I just think the report went into the circular filing cabinet.
This is a neat approach. Mind sharing more how you've set it up? I've never used fastmail but looking at their pricing page would `licenceplate@` be an additional user that you have to pay monthly for?
Sure! It is actually free with Fastmail, and is the equivalent of "myusername+alias@gmail.com".
I have a custom domain, so I set my email to firstname@mydomain.com. They allow you to use alias@firstname.mydomain.com to alias to firstname@mydomain.com and you can use as many aliases as you want. That is at no additional charge. To me, that alone is worth it to use Fastmail.
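The scheme described in this post (one alias per service, so that mail arriving at an alias from anyone other than the service it was given to shows the address was shared) can be turned into a simple triage check. The following is an added example, not code from the thread or from Fastmail: it parses both the subdomain form (alias@firstname.mydomain.com) and the plus-addressing form (firstname+alias@mydomain.com), looks the alias up in a constructed registry of which sender domain each alias was given to, and flags mail from anyone else. All domains, addresses and messages below are constructed placeholders. Note that the From header of phishing mail is easily forged, so the signal here is which alias the mail was sent to, not who claims to have sent it.

```python
"""Triage incoming mail by per-service alias to spot which service shared an address.

Added example with constructed data; not the poster's setup or Fastmail's own code.
"""
import re
from dataclasses import dataclass
from typing import Optional

MAILBOX = "firstname"        # the real mailbox, as in the post
DOMAIN = "mydomain.com"      # placeholder custom domain from the post

# Constructed registry: which sender domain each alias was handed out to.
# "plates.example" stands in for the state's plate-renewal reminder service.
ALIAS_REGISTRY = {
    "licenceplate": {"plates.example"},
    "newsletter": {"news.example"},
}

ADDR_RE = re.compile(r"^(?P<local>[^@\s]+)@(?P<domain>[^@\s]+)$")


@dataclass
class Finding:
    recipient: str
    alias: Optional[str]
    verdict: str


def parse_recipient(addr: str):
    """Map a recipient address to (mailbox, alias), or None if it is not ours.

    Handles alias@mailbox.domain (subdomain addressing, as in the post) and
    mailbox+alias@domain (plus addressing, the Gmail-style equivalent).
    The alias is None when mail went straight to the primary address.
    """
    m = ADDR_RE.match(addr.strip().lower())
    if not m:
        return None
    local, domain = m.group("local"), m.group("domain")
    if domain == f"{MAILBOX}.{DOMAIN}":
        return MAILBOX, local
    if domain == DOMAIN:
        mailbox, _, alias = local.partition("+")
        if mailbox == MAILBOX:
            return MAILBOX, alias or None
    return None


def sender_domain(addr: str) -> str:
    """Domain part of a From address, lower-cased; empty if unparseable."""
    m = ADDR_RE.match(addr.strip().lower())
    return m.group("domain") if m else ""


def classify(message: dict) -> Finding:
    """Decide whether a message reached an alias from someone it was never given to."""
    to = message["to"]
    parsed = parse_recipient(to)
    if parsed is None:
        return Finding(to, None, "not-ours")
    _, alias = parsed
    if alias is None:
        return Finding(to, None, "primary-address")
    expected = ALIAS_REGISTRY.get(alias)
    if expected is None:
        return Finding(to, alias, "unknown-alias")      # alias never registered
    if sender_domain(message["from"]) in expected:
        return Finding(to, alias, "expected-sender")
    return Finding(to, alias, "unexpected-sender")      # address was shared or leaked


def triage(messages) -> list:
    return [classify(m) for m in messages]


def leaked_aliases(messages) -> set:
    """Aliases that received mail from a sender they were never given to."""
    return {f.alias for f in triage(messages) if f.verdict == "unexpected-sender"}


# Constructed sample traffic (From, To only); the second line is the phishing case.
SAMPLE_MESSAGES = [
    {"from": "reminders@plates.example", "to": "licenceplate@firstname.mydomain.com"},
    {"from": "security-alert@bank-login.example", "to": "LicencePlate@firstname.mydomain.com"},
    {"from": "editor@news.example", "to": "firstname+newsletter@mydomain.com"},
    {"from": "friend@example.org", "to": "firstname@mydomain.com"},
    {"from": "noreply@shop.example", "to": "shop@firstname.mydomain.com"},
    {"from": "someone@example.net", "to": "bob@mydomain.com"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_MESSAGES):
        print(f"{finding.verdict:18} alias={finding.alias!r:16} to={finding.recipient}")
    print("aliases that were shared:", sorted(leaked_aliases(SAMPLE_MESSAGES)))
```

Run against the constructed sample, only the `licenceplate` alias comes back as shared, which is exactly the inference the poster drew. In practice the registry would be built as aliases are created, and the check would run over exported headers rather than an inline list.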
I do basically the same thing. Their iOS app works exceptionally well for this flow, remembering that the last place I left it was the alias creation form. I can typically do this in 30 seconds.
Like the parent, I have name@example.com as the official account email for a single user account. All aliases are alias@example.com.
I like Fastmail, but that they require a mobile phone number as your identity is a big no to me. Basically you can't have two Fastmail accounts on one phone number.
You typically cannot have two trial accounts on one phone number. But you can have as many paid accounts as you like with or without a phone number.
Sadly this is not the first time an Oklahoma state agency has famously leaked personal information online. 11 years ago, the Oklahoma Corrections Department made the Social Security numbers of registered sex offenders available through simple SQL injection on an Internet-facing website:
I am not convinced that this was responsible behavior on the part of upguard. They discovered a breach, and apparently downloaded all the files. The report details the kinds of files and sample of the information in them.
If upguard's behavior were responsible, why would they have downloaded any more data than necessary to determine that it was sensitive stuff? They would have noticed it, reported it (without downloading) and perhaps helped fix it. I doubt very much that the OK Dept of Securities would have subsequently given them access to the files so as to do some kind of audit on sensitivity, in a non-NDA manner.
This post reads more like an ad for upguard than a responsible disclosure.
Knowing a little bit about how government works, if they didn't have proof of what happened it is not unthinkable that they would close the immediate leak and then deny anything ever happened. Nobody would win in that case, because nobody competent actually verified that a fix was done. And nobody would know, either - it'd just be two parties denying the other's point of view.
I don't see any paragraph where they talk about whether/when/by whom the data was actually accessed. Granted I was only skimming. (Because I was looking for that.) But yeah if an IP address falls in the forest and no one is around to connect to it, does it make a sound?
There's likely no way to really know, in this kind of situation. There only would be if audit logs were created and then retained from the rsync server (unlikely to have been retained) or some device in front of it (unlikely to have been generated in a usable format). A large portion of breaches that occur are just like this... significant potential exposure, but actual exposure unknown.
That said, they located the open rsync server via shodan, which is not exactly the elite tactics of the security world. Lots of people, both benevolent and malicious, watch shodan queries for things like this and triage new findings. So it might be more appropriate to say "if an IP address falls in a forest that a lot of people are watching", but that rather tangles the metaphor. In my experience rsync probing is significantly rarer than SMB and NFS probing, so I'd hazard a guess that there are also fewer people watching Shodan for rsync than more commonly exposed file share protocols, but I'd wager that it's still more people than just this one research outfit.
The big impact of Shodan, as the best known large-scale internet scan and the only one I know of that exposes so much data to the public, is that things like a lone exposed service on a random IP can't comfortably be assumed to be obscure any more. Once Shodan sees it, anyone can know about it with trivial effort.
What is a state government even doing with a securities regulator? Isn’t that a federal concern? Surely any publicly traded company has equity holders in multiple states, it makes no sense for them to have independent rules.