Unsecured backup devices continue to be a hot mess

After a few years of headlines blaring mega-numbers of records exposed by misconfigured RSYNC backups, we might hope that we would be seeing fewer errors by now. But it seems that RSYNC errors continue at a high rate, exposing massive amounts of data.

This month, part of what I did was look at RSYNC errors by hosting companies, as these mistakes would affect a number of clients, and in turn, the clients’ data. Here’s just a small sample of what I found, keeping in mind that I was not sorting or looking for leaks with large numbers — small leaks are as significant to small businesses as large leaks are to large companies. And for small to medium businesses, picking the right IT host can be the difference between secure data and data at frequent risk.

USCNet (IT services firm in New Jersey)

On November 21, this researcher discovered an RSYNC device that was open on port 843. By looking at the list of clients and additional information, the device appeared to belong to USCNet.com, that USCNet,com, an IT services firm in New Jersey with an established history and reputation.

Email notification was first sent on November 29 and then again on December 2 when they did not respond to the first notification. Notifications were also sent to USCNet’s clients on December 2 via email or through website contact forms.

Despite asking for acknowledgement of notifications, neither the vendor nor the clients acknowledged any notification, although the data were locked down after the December 2 notifications.

Here’s a brief summary of what was in the exposed backup:

  • Applied Research + Consulting had 82.48GB of data consisting of internal documents, resumes, invoices, billing and other documents related to their research and clients, who include: Novartis, Consolidated Edison, Centocor, Abbott Laboratories, Animas, Accelerating Transitions, Accenture, Amalfe Brothers, Amgen, Avaya, Brookhaven, COBI, Columbia University Medical Center, Comcast, Cutter Farms, CIBA, Colgate, ComEd, Cordis, Danbury Health Systems, DentalEZ, Dept of Watershed, Devon, Elizabeth Presbytery, Empowerment Group Seminar, Ethicon, FDA, Fenestra, Ferring Pharmaceuticals, Janssen Ortho Realignment, Janssen Biotech Inc, Janssen Pharm, Johnson and Johnson, Janssen Pharmaceuticals Inc, KeySpan, LifeScan, Lo, wenstein Sandler, Lowe’s, MEF, Boro Traffic & Transportation, Chamber of Commerce, FPC First Presbyterian Church, NY Presbyterian, OCD, OMJPI-Marketing, OPQ, OraPharma, Ortho Biotech, Ortho-McNeil Pharmaceuticals, OrthoNeutrogena, Maternal and Child Health of Northern NJ, Pfizer, Prudential, Rothman Institute, Boehringer Ingelheim, AstraZeneca, AZ Medical Services, CHUBB, Corning, Deloitte & Touche, ETHICON, Financial Women’s Association, Humana, J&J Consortium, McGraw-Hill, Equiva, Extra Materials WLJ, Goldman Sachs, J&J Corp, J&J Consumer, J&J Cordis, J&J Healthcare System, J&J Finance Women’s Leadership, J&J PRD, JP Morgan Chase, Morgan Stanley, Rutgers, Tibotec, The Next Level, Thomas Miller, Trinitas, Velez, VNAHG, Tyco Healthcare, Verizon, Vistage, Veteran’s Admin, Vistakon, and Wyeth.
  • The Law Office Of Angela C. Femino, LLC had 47.37GB of data in 2074 folders, although there appeared to be a number of duplicates. Clients names often appeared as part of Folder names, and files included Aetna EOBs, Beneficiary Lists, clients, collections, expenses, estate documents, property sales, bestcase.com information and documents, wills, deeds, agreements, personal documents, medicare documents and other documents you might expect to see in a law firm.
  • Affinity Health Plan had 397.29GB of data that included Affinity Care of NJ Payroll, claims, billing, timesheets, finances, and patient data that goes back to 2012 or perhaps even earlier.
  • Catholic Family and Community Services (Diocese of Paterson) had 184.44G bytes of data, including what appeared to be a complete company backup of all files including client information.
  • Jersey Joe’s Barbeque and Grill had  33.09GB of data.
  • Mount Holly Surgical Supplies had 152.76GB of data, including QuickBook files, personal files of an employee, and Medicare information.
  • Mannan Nahiam Karim & Associates had 519.10GB of data including ProSystemTax files, files from ublonline.com, files from ProConnect ProSeries Professional Edition, and Quickbooks
  • Spectrum Psychological Operations (Spectrum Healthcare) had 284.34GB of client information from scanned documents, forms, desktop backups, images, patient and provider information.

What will the entities who are likely covered by HIPAA do?  DataBreaches.net reached out to them for follow-up but got no replies, even after pointing out to Affinity Health Plan that its exposed data included files that embedded patient names in the filenames.

Meanwhile, in Canada…..

JustCallDave.ca (Electronics repair firm in New Brunswick)

At the same time I was notifying USCnet in New Jersey, I was also reaching out to an electronics repair firm in New Brunswick, Canada. JustCallDave.ca responded promptly to my email notification, but somewhat aggressively, asking why I was “hacking around, trying to find ‘security breaches’.”

The machine is on a DMZ for a reason. Don’t go alarming people when there isn’t a problem, when it is none of your business.

I replied that the RSYNC and HTTP as well as RDP and MySQL were all indexed on shodan.io, and the IP address had also been indexed by Google showing an open directory.

Dave subsequently apologized for his initial response, and said that they found that “bad backup software” was to blame for the exposure error. I am not sure what that actually means in this context where port 843 had been left open. Nor do I know why Dave seemed to think he could have just fixed the problem without notifying any clients, unless he had been able to immediately determine that there had been absolutely no access to the data from any unauthorized IP addresses for the entire period that the backup device was open. That seemed unlikely,

In this case, there were 10 modules, with three belonging to 1 of his clients, and the others all representing individual other clients:

Although I also notified the clients by email, none of them acknowledged the notifications. As a result, I do not know if any of them actually asked JustCallDave.ca whether he had logs and could definitively rule out any unauthorized access to their data that might contain personal information. Veterinary hospitals such as these that collect and store personal information are likely covered by PIPEDA, and determining the risk of real harm to individuals requires either having adequate logs or assuming the worst and notifying. Similarly, if the hospitals have information on credit card transactions in their records, then PCI DSS is implicated. Because I did not download data, I do not know whether either of these are the case for these hospitals, but the fact that the device was indexed on shodan and Google makes it more probable that there may have been access to the data. But will the hospitals need to notify anyone and will they notify anyone? That may depend on what the JustCallDave.ca tells them — and whether they can rely on his assessment and advice.

Meanwhile, in Australia……

ITCrew (IT Solutions firm in Melbourne)

ITCrew’s homepage advertises: “Let the ‘crew’ provide your organization with the peace of mind it desires with our guaranteed ‘no-hassle’ IT support services.”

That somewhat ambitious promise may not have been fully realized this month.

After finding an exposed RSYNC backup that appeared to be theirs, ITCrew was sent a notification on Dec. 8. They sent an automatic acknowledgement. And 15 hours later, I received a second email from Steve Pyrros, who wrote:

Ticket closed: Thank you for the information. All steps are being taken to analyze security issues.

Since I have no idea what that means in terms of notifying clients and I hadn’t gotten around to notifying ITCrew’s clients, I’ll mention some of them here, as they showed up in the exposed data, or linked data lead pretty directly to them:

Three of the 9 modules on the backup were accessible. One module was named Backup, and appeared to be a backup of all the modules together.

So… was any of the data on these three RSYNC backups downloaded by others and possibly misused? I don’t know, and I don’t know whether these firms even notified their clients. Should they have? You may think it depends on what the firms found when they investigated the exposures.  I tend to think if a hosting firm exposed its clients’ data, it should let them know, even if they were lucky and no one accessed the data while it was exposed.

Research and reporting by Lee Johnstone, with additional reporting and editing by Dissent of DataBreaches.net.

About the author: Lee J

Security Analyst, Developer, OSINT, https://www.ctrlbox.com

Comments are closed.