Your most sensitive data is likely exposed online. These people try to find it

Justin Paine sits in a pub in Oakland, California, searching the internet for your most sensitive data. It doesn’t take him long to find a promising l, as well as and .

Paine is part of an informal army of web researchers who indulge an obscure passion: scouring the internet for unsecured databases. The databases — unencrypted and in plain sight — can contain all sorts of sensitive information, including names, addresses, telephone numbers, bank details, Social Security numbers and medical diagnoses. In the wrong hands, the data could be exploited for fraud, identity theft or blackmail.

The data-hunting community is both eclectic and global. Some of its members are professional security experts, others are hobbyists. Some are advanced programmers, others can’t write a line of code. They’re in Ukraine, Israel, Australia, the US and just about any country you name. They share a common purpose: spurring database owners to lock down your info.

The pursuit of unsecured data is a sign of the times. Any organization — a private company, a nonprofit or a government agency — can store data on the cloud easily and cheaply. But many software tools that help put databases on the cloud leave the data exposed by default. Even when the tools do make data private from the start, not every organization has the expertise to know it should leave those protections in place. Often, the data just sits there in plain text waiting to be read. That means there’ll always be something for people like Paine to find. In April, researchers in Israel found demographic details , including addresses, ages and income level.

No one knows how big the problem is, says Troy Hunt, a cybersecurity expert who’s chronicled on his blog the issue of exposed databases. There are far more unsecured databases than those publicized by researchers, he says, but you can only count the ones you can see. What’s more, new databases are constantly added to the cloud.

“It’s one of those tip-of-the-iceberg situations,” Hunt said.

Not every company understands what it means for data to be exposed, something Dissent has documented on her website Databreaches.net. In 2017, Diachenko sought her help in reporting from a financial software vendor to a New York City hospital.

The hospital described the exposure as a hack, even though Diachenko had simply found the data online and didn’t break any passwords or encryption to see it. Dissent explaining that a hospital contractor had left the data unsecured. The hospital hired an external IT company to investigate.

Tools for good or bad

The search tools that database hunters use are powerful.

Sitting in the pub, Paine shows me one of his techniques, which has let him find exposed data on Web Services databases and which he said was “hacked together with various different tools.” The makeshift approach is necessary because data stored on Amazon’s cloud service isn’t indexed on Shodan.

First, he opens a tool called Bucket Stream, which searches through public logs of the security certificates that websites need to access encryption technology. The logs let Paine find the names of new “buckets,” or containers for data, stored by Amazon, and check whether they’re publicly viewable.

Then he uses a separate tool to create a searchable database of his findings.

For someone who searches for caches of personal data down between the couch cushions of the internet, Paine doesn’t display glee or dismay as he examines the results. This is just the reality of the internet. It’s filled with databases that should be locked behind a password and encrypted but aren’t.

Ideally, companies would hire experts to do the work he does, he says. Companies, he says, should “make sure your data isn’t leaking.”

If that happened more often, Paine would have to find a new hobby. But that might be hard for him.

“It’s a little bit like a drug,” he said, before finally getting around to digging into his fries and chicken.
