
Too Much Information: The Sequel | New Research

One full year has passed since Digital Shadows’ Photon Research Team looked at the data exposure landscape among online file storage technologies like Server Message Block (SMB) file shares, rsync servers, and Amazon Simple Storage Service (S3) buckets. There are now 750 million more files exposed than we reported last year; not all of them are blatantly sensitive, but there is plenty of gold in these mountains. Several developments over the past year have had an effect, positive and negative, on the data exposure landscape, prompting Photon to re-examine which files are still exposed and what has changed within the landscape. Case studies throughout this paper highlight some of the most alarming information we were able to find.

Some of our key findings:

  • Overall, we detected 2.3 billion files exposed across SMB-enabled file shares, misconfigured network-attached storage (NAS) devices, File Transfer Protocol (FTP) and rsync servers, and Amazon S3 buckets.
  • The United States held onto its most-data-exposed title (more than 326 million files), although France and Japan lead their regions, with 151 million and 77 million files exposed, respectively.
  • Similar to last year, the SMB protocol exposed the most data among the technologies we analyzed. FTP and rsync servers claimed 20 percent and 16 percent of the exposure detected, respectively.
  • Threat actors are actively attempting to exploit this exposure. We discovered that over 17 million files across these online file repositories, which are often used for backing up data, had been encrypted by ransomware, 2 million of them linked to “NamPoHyu”, a variant of the “MegaLocker” ransomware.
  • Amazon’s new feature Block Public Access was introduced in November 2018 and has reduced the overall exposure of S3 buckets to a nearly unrecognizable amount. Having found 16 million files coming from S3 buckets in October 2018, we’re now seeing fewer than 2,000 such exposed files.
  • There are already two success stories following the General Data Protection Regulation (GDPR) being enacted in the European Union (EU): Luxembourg and the Netherlands have reduced their overall exposure and have national laws in place to implement GDPR. So far, they are the only two EU countries to do so; France, which has the greatest exposure among EU member countries, has yet to fully align to the GDPR at a national level.
  • The problem of inadvertent data exposure is not an impossible one to solve. We outline several technical mitigation steps you can take to use these file storage technologies safely and efficiently. And as with anything related to information security, educating technology users is another vital step.