As we enter the new GDPR-regulated future, just how easy is it to identify personal data breaches or otherwise private information? When utilising Open Source Intelligence (OSINT) sources, the answer is: surprisingly easy.
As discussed in our previous blog post, Scare file, file sharing platforms are increasingly popular with both private companies and individual users. In this post we focus on the prevalence of publicly accessible Google Drives discovered via various locations online.
Whilst corporate file sharing platforms are often monitored, users commonly sidestep the security practices set up by their company by using free services such as Google Drive and Dropbox, quick and easy online services for sharing documents.
Enter shadow IT. With non-authorised IT services, users are trying to expedite work through convenient mechanisms, often foregoing security controls and policies and in many cases not taking them into consideration at all. One example is a user creating a shared Google Drive folder and sharing it via a link that anyone can open, rather than restricting access to authenticated accounts, leaving files that should remain private open to anyone who finds the link via the method detailed in this post.
Currently, a new Google Drive folder is identified by a string of 33 pseudo-random characters drawn from a-z, A-Z, 0-9, underscore and dash, so each position of the identifier can be any one of 64 characters; 1zgerG-gXsfAwVgsXaT_IZWf8qTwPtzYW, for example.
The keyspace, meaning the number of possible folder identifiers, is 64^33 (2^198), which equals 401734511064747568885490523085290650630550748445698208825344. With that many candidates, enumerating open shares by guessing identifiers is infeasible, so a share whose link has not leaked is relatively secure. The corollary is that the link is the only secret: anyone who obtains it has the same access as the intended recipient.
So when does this become a threat?
When links to open shares are revealed publicly. How do open shares become public?
Using open source intelligence resources, it is possible to identify various open Google Drives containing a variety of data and content. Whilst many drives are open for a reason, such as to share music, pictures and even malware, many of the identified files appear to be private in nature.
OSINT research was used to identify open ‘drive.google.com’ URLs, using a simple script combined with manual identification and analysis. We observed shared folders and content such as bank account details, passports and a data breach containing the personal data of visitors to a business conference.
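The two technical points above, the shape of a Drive share link and the size of the identifier keyspace, are illustrated by the following added example. It is not the script used in the original research. It assumes the common Drive and Docs share-link forms shown in the patterns, the 33-character folder identifier over the 64-character alphabet described above, and uses constructed sample text rather than harvested links.

```python
"""Find Google Drive share links in text and size the identifier keyspace.

Added example, not the script from the original post. Assumptions: the URL
shapes below are the usual Drive/Docs share-link forms; folder IDs are 33
characters over the 64-character alphabet [A-Za-z0-9_-] as the post describes;
all sample text is constructed.
"""
import re
from typing import List, NamedTuple

ID_ALPHABET_SIZE = 64   # a-z, A-Z, 0-9, '_' and '-'
FOLDER_ID_LENGTH = 33   # length of a new folder ID at the time of writing
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# (kind, pattern). The ID length is left loose (20+) because file IDs vary;
# looks_like_folder_id() applies the strict 33-character check afterwards.
_ID = r"(?P<id>[A-Za-z0-9_-]{20,})"
_PATTERNS = [
    ("folder", re.compile(r"https?://drive\.google\.com/drive/(?:u/\d+/)?folders/" + _ID)),
    ("file", re.compile(r"https?://drive\.google\.com/file/d/" + _ID)),
    ("open", re.compile(r"https?://drive\.google\.com/open\?id=" + _ID)),
    (None, re.compile(r"https?://docs\.google\.com/(?P<kind>document|spreadsheets|presentation)/d/" + _ID)),
]


class ShareLink(NamedTuple):
    url: str       # matched URL up to the end of the ID (query/fragment dropped)
    kind: str      # folder, file, open, document, spreadsheets, presentation
    item_id: str


def extract_share_links(text: str) -> List[ShareLink]:
    """Return unique Drive/Docs share links in order of first appearance."""
    hits = []
    seen = set()
    for kind, pat in _PATTERNS:
        for m in pat.finditer(text):
            k = kind or m.group("kind")
            key = (k, m.group("id"))
            if key in seen:
                continue
            seen.add(key)
            hits.append((m.start(), ShareLink(m.group(0), k, m.group("id"))))
    return [link for _, link in sorted(hits, key=lambda h: h[0])]


def looks_like_folder_id(item_id: str) -> bool:
    """True if the ID has the 33-character, 64-symbol shape of a folder ID."""
    return len(item_id) == FOLDER_ID_LENGTH and re.fullmatch(r"[A-Za-z0-9_-]+", item_id) is not None


def keyspace(length: int = FOLDER_ID_LENGTH, alphabet: int = ID_ALPHABET_SIZE) -> int:
    """Number of possible identifiers: 64**33 == 2**198."""
    return alphabet ** length


def guess_years(open_shares: int, guesses_per_second: float) -> float:
    """Expected years of random guessing before the first hit on any one of
    `open_shares` valid public IDs at the given rate. Even a million open
    shares probed at a billion guesses per second is hopeless, which is why
    leaked links, not enumeration, are the threat."""
    expected_guesses = keyspace() / open_shares
    return expected_guesses / guesses_per_second / SECONDS_PER_YEAR


# Constructed sample text; the IDs are made up and resolve to nothing.
SAMPLE_TEXT = """\
Constructed sample text (not harvested):
slides: https://drive.google.com/drive/folders/1AbCdEfGhIjKlMnOpQrStUvWxYz012345?usp=sharing
sheet: https://docs.google.com/spreadsheets/d/1ZyXwVuTsRqPoNmLkJiHgFeDcBa543210/edit#gid=0
again: https://drive.google.com/drive/folders/1AbCdEfGhIjKlMnOpQrStUvWxYz012345
not Drive: https://example.com/drive/folders/not-a-drive-link
"""

if __name__ == "__main__":
    for link in extract_share_links(SAMPLE_TEXT):
        shape = "folder-shaped" if looks_like_folder_id(link.item_id) else ""
        print(link.kind, link.item_id, shape)
    print("keyspace bits:", keyspace().bit_length() - 1)
    print("years to guess one of 1e6 shares at 1e9/s: %.3g" % guess_years(10**6, 1e9))
```

Running the script over a page dump, a paste or a mailbox export gives the candidate list that the manual analysis step then works through; the keyspace figures are there to make the point that the link itself, not guessing, is what exposes a share.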
Why are these links and the data exposed?
Part of this can be attributed to security-savvy users who submit links to online scanning services to check them before visiting; submitting a link to a public service also exposes it, because many such services index or cache what they scan. With more than 1 million external links to Google Drive referenced on the web, it is likely that this is only the tip of the iceberg for content that can be discovered. The same mechanism applies to content on other ‘closed’ sources such as the Dropbox file sharing platform.
Is the content usually safe?
The simple answer to this is no. Malware is commonly found on any file sharing platform that allows unauthenticated access. Attacking parties frequently use these platforms to host phishing documents and malicious content. A quick search identified over 1000 malicious documents hosted on Google Drive, examples of which can be seen below.
Figure 1. Examples of the thousands of malicious and phishing documents stored on Google Drive
Attacking parties commonly send links to such files via malspam campaigns, sometimes targeting organisations and reusing credentials and compromised accounts to increase the number of infections, as in O365 chain attacks where each compromised mailbox is used to send the lure onwards. Attackers largely rely on the gullibility or naivety of the intended victims. A lure styled as an Office, DocuSign or Dropbox document but hosted on Google Drive should be enough of a warning in itself.
However, the sheer number of such files discovered through our continued Cyber Threat Intelligence malspam research shows how effective these attacks are. One open drive we discovered held tutorial videos for spoofing government email addresses, with enough metadata available to potentially identify the author.
Figure 2. An example of a spoofed mail sent using a .gov address.
Most security-minded individuals will either ignore links outright, deleting suspicious emails, or investigate them further. These investigations can reveal usable intelligence, such as links to malicious content, but can also accidentally reveal legitimate content. Sandboxing and URL-caching services provide a safe way to examine the contents of a link, but they also often leave a trail that allows others to examine the same content. Sometimes that content should not be shared openly.
So what data did we find?
A simple test of link caching and sandboxing sites revealed the extent to which a submitted link is crawled and interacted with, even months after submission.
We submitted several Canarytokens (unique URLs that alert when visited) to benign test sites as a way of learning when the sites had visitors, and observed web scrapers hitting the content within the first five minutes. Alerts for these tokens have continued to fire up to 8 months after submission, which suggests caching by web crawlers followed by revisits. In other words, once a link is public you can be sure it remains public, and the content you thought was private may not be.
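The Canarytoken test above answers two questions: how quickly a submitted link is fetched, and by whom. The added example below, which is not Canarytokens and not the setup used in the post, shows the same idea self-hosted: every recipient of a share gets a distinct token URL (an HMAC over recipient and issue time), and web-server log lines for those URLs are attributed back to the recipient with the delay since issue and a crawler heuristic. The hostname, secret and log lines are constructed, and the user-agent keyword list is only a heuristic.

```python
"""Per-recipient tracking tokens for a shared link, and attribution of hits.

Added example; not Canarytokens and not the original post's test setup.
Assumptions: you control a web host where the token URLs resolve, each
recipient is given their own token URL with the share, and the server logs in
Combined Log Format. The secret, host and log lines are all constructed.
"""
import hashlib
import hmac
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, List, NamedTuple, Tuple

SECRET = b"constructed-example-secret-rotate-me"   # would come from a vault
TOKEN_HOST = "canary.example.invalid"


class Hit(NamedTuple):
    recipient: str
    delay: timedelta      # time between issuing the token and this fetch
    ip: str
    user_agent: str
    crawler: bool         # heuristic, from the user-agent string only


def make_token(recipient: str, issued: datetime) -> str:
    """Unguessable token bound to one recipient; seeing one token reveals
    nothing about another recipient's."""
    msg = f"{recipient}|{issued.isoformat()}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:32]


def token_path(token: str) -> str:
    return f"/t/{token}.png"


def issue(registry: Dict[str, Tuple[str, datetime]], recipient: str, issued: datetime) -> str:
    """Register a token for `recipient` and return the URL to hand them."""
    token = make_token(recipient, issued)
    registry[token] = (recipient, issued)
    return f"https://{TOKEN_HOST}{token_path(token)}"


_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
_TOKEN_PATH_RE = re.compile(r"^/t/(?P<token>[0-9a-f]{32})\.png$")
_CRAWLER_RE = re.compile(r"bot|crawler|spider|slurp|externalhit|preview|fetch", re.I)


def attribute_hits(registry: Dict[str, Tuple[str, datetime]], log_lines: List[str]) -> Dict[str, List[Hit]]:
    """Map each recipient to the fetches of their token, in log order."""
    hits: Dict[str, List[Hit]] = {recipient: [] for recipient, _ in registry.values()}
    for line in log_lines:
        m = _LOG_RE.match(line)
        if not m:
            continue
        p = _TOKEN_PATH_RE.match(m.group("path"))
        if not p or p.group("token") not in registry:
            continue   # not a token, or one we never issued (a scan or a guess)
        recipient, issued = registry[p.group("token")]
        when = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        hits[recipient].append(Hit(recipient, when - issued, m.group("ip"),
                                   m.group("ua"), bool(_CRAWLER_RE.search(m.group("ua")))))
    return hits


def time_to_first_crawler(hits: Dict[str, List[Hit]]) -> Dict[str, timedelta]:
    """For each recipient whose link reached a crawler, how long that took.
    A short delay here means the link was submitted somewhere public."""
    return {r: min(h.delay for h in hs if h.crawler) for r, hs in hits.items() if any(h.crawler for h in hs)}


ISSUED = datetime(2018, 3, 1, 9, 0, tzinfo=timezone.utc)


def sample_registry_and_log() -> Tuple[Dict[str, Tuple[str, datetime]], List[str]]:
    """Constructed registry and log: Alice's link hits a crawler within minutes
    and again eight months later; Bob's is only opened by a browser."""
    registry: Dict[str, Tuple[str, datetime]] = {}
    issue(registry, "alice@example.invalid", ISSUED)
    issue(registry, "bob@example.invalid", ISSUED)
    a = token_path(make_token("alice@example.invalid", ISSUED))
    b = token_path(make_token("bob@example.invalid", ISSUED))
    log = [
        f'203.0.113.9 - - [01/Mar/2018:09:03:12 +0000] "GET {a} HTTP/1.1" 200 95 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
        f'198.51.100.4 - - [01/Mar/2018:09:10:45 +0000] "GET {b} HTTP/1.1" 200 95 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/59.0"',
        '192.0.2.1 - - [01/Mar/2018:09:11:00 +0000] "GET /t/00000000000000000000000000000000.png HTTP/1.1" 404 0 "-" "curl/7.58.0"',
        f'203.0.113.77 - - [02/Nov/2018:14:22:05 +0000] "GET {a} HTTP/1.1" 200 95 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"',
    ]
    return registry, log


if __name__ == "__main__":
    registry, log = sample_registry_and_log()
    for recipient, delay in time_to_first_crawler(attribute_hits(registry, log)).items():
        print(f"{recipient}: link reached a crawler after {delay}")
```

Because each recipient's token differs, a crawler hit tells you which copy of the link was submitted to a public service, not just that some copy was; the eight-month revisit in the constructed log mirrors the late-firing alerts described above.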
A surprising amount of personal documents, photos and scans were discovered, including passports and details about financial transactions and bank accounts.
Figure 3. Multiple identity documents and PII discoverable, relating to companies and individuals
Bank cards were included in some drives, including business debit cards, often apparently uploaded for some verification purpose. The shared link, however, meant that anyone could access the data, much of which was also cached on websites that provide screenshots of URLs. Of particular interest, in one folder's metadata the owner refers to the importance of not sharing the information.
Figure 4. Company debit card found in a ‘do not share’ folder, and the metadata associated with the folder
Bank account information alongside personal data was frequent, with accounts potentially linked to business transactions. Whilst this example is a US bank, the same risk applies to European entities; for the purposes of this blog we did not research every link we observed.
Figure 5. Documents such as bank statements, insurance claims and mortgage forms found on drives
Whilst information such as that above may be used fraudulently against companies and individuals, it was also possible to identify files such as private SSH keys (PuTTY .ppk files) used for server access. Further information in the same drive supplied details of the hosts to which connections should be made. A private key stored without a passphrase is usable by anyone who downloads it, with no further cracking required.
Figure 6. PPK files on open drives
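Finding key files in an exposed share is only half the triage; the next question is whether each key is usable as-is. The added example below, which is not from the original post, inspects the contents of a folder for PuTTY PPK, PEM and OpenSSH private keys using their documented headers, reports whether each is passphrase-protected, and pulls user@host strings from any ssh/scp command lines stored alongside them, as the drive described above did. The folder contents are constructed and contain no real key material.

```python
"""Scan the contents of a shared folder for private key material.

Added example, not from the original post. Assumptions: files are supplied as
an in-memory {name: bytes} mapping (a downloaded folder would be read the same
way); PPK, PEM and OpenSSH keys are recognised by their documented headers;
sample files are constructed and contain no real key material.
"""
import base64
import re
import struct
from typing import Dict, List, NamedTuple, Optional, Tuple


class Finding(NamedTuple):
    filename: str
    fmt: str                    # ppk, pem or openssh
    protected: Optional[bool]   # False = usable as-is; None = could not tell
    detail: str


_PPK_HEADER = re.compile(rb"^PuTTY-User-Key-File-(?P<ver>\d): (?P<type>\S+)", re.M)
_PEM_BEGIN = re.compile(rb"-----BEGIN (?P<label>[A-Z0-9 ]*PRIVATE KEY)-----")
Probe = Optional[Tuple[str, Optional[bool], str]]


def _inspect_ppk(data: bytes) -> Probe:
    m = _PPK_HEADER.search(data)
    if not m:
        return None
    enc = re.search(rb"^Encryption: (\S+)", data, re.M)      # 'none' or a cipher name
    comment = re.search(rb"^Comment: (.*)$", data, re.M)
    protected = None if enc is None else enc.group(1) != b"none"
    detail = f"PPK v{m.group('ver').decode()} {m.group('type').decode()}"
    if comment:
        detail += f", comment '{comment.group(1).decode(errors='replace').strip()}'"
    return ("ppk", protected, detail)


def _inspect_openssh(data: bytes, start: int) -> Probe:
    """openssh-key-v1: magic, then a length-prefixed cipher name ('none' = unprotected)."""
    end = data.find(b"-----END", start)
    body = base64.b64decode(b"".join(data[start:end if end >= 0 else len(data)].split()))
    magic = b"openssh-key-v1\x00"
    if not body.startswith(magic):
        return ("openssh", None, "OPENSSH PRIVATE KEY (unparseable body)")
    (n,) = struct.unpack(">I", body[len(magic):len(magic) + 4])
    cipher = body[len(magic) + 4:len(magic) + 4 + n].decode(errors="replace")
    return ("openssh", cipher != "none", f"OPENSSH PRIVATE KEY, cipher {cipher}")


def _inspect_pem(data: bytes) -> Probe:
    m = _PEM_BEGIN.search(data)
    if not m:
        return None
    label = m.group("label").decode()
    if label == "OPENSSH PRIVATE KEY":
        return _inspect_openssh(data, m.end())
    if label == "ENCRYPTED PRIVATE KEY":          # PKCS#8 with a passphrase
        return ("pem", True, label)
    # Legacy RSA/EC/DSA PEM is encrypted only when Proc-Type/DEK-Info headers are present
    return ("pem", b"Proc-Type: 4,ENCRYPTED" in data, label)


def scan_folder(files: Dict[str, bytes]) -> List[Finding]:
    findings = []
    for name, data in files.items():
        for probe in (_inspect_ppk, _inspect_pem):
            result = probe(data)
            if result:
                findings.append(Finding(name, *result))
                break
    return findings


def usable_as_is(findings: List[Finding]) -> List[str]:
    """Keys with no passphrase: anyone with the link already has server access."""
    return [f.filename for f in findings if f.protected is False]


_CONN_RE = re.compile(r"\b[a-z_][a-z0-9_-]*@(?:\d{1,3}(?:\.\d{1,3}){3}|[a-z0-9-]+(?:\.[a-z0-9-]+)+)\b", re.I)


def connection_hints(files: Dict[str, bytes]) -> List[str]:
    """user@host strings on ssh/scp/sftp lines in the folder's text: where a leaked key is used."""
    hints = set()
    for data in files.values():
        for line in data.decode("utf-8", errors="ignore").splitlines():
            if re.search(r"\b(ssh|scp|sftp)\b", line, re.I):
                hints.update(_CONN_RE.findall(line))
    return sorted(hints)


def _constructed_openssh_blob(cipher: bytes) -> bytes:
    """Just enough of the openssh-key-v1 envelope to carry a cipher name; no key."""
    body = b"openssh-key-v1\x00" + struct.pack(">I", len(cipher)) + cipher + struct.pack(">I", 4) + b"none"
    return b"-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.b64encode(body) + b"\n-----END OPENSSH PRIVATE KEY-----\n"


SAMPLE_FOLDER = {   # constructed; the 'AAAA' bodies are placeholders, not keys
    "prod-web.ppk": b"PuTTY-User-Key-File-2: ssh-rsa\r\nEncryption: none\r\nComment: rsa-key-20180301\r\nPublic-Lines: 1\r\nAAAA\r\nPrivate-Lines: 1\r\nAAAA\r\nPrivate-MAC: 00\r\n",
    "backup.ppk": b"PuTTY-User-Key-File-2: ssh-rsa\nEncryption: aes256-cbc\nComment: backup\nPublic-Lines: 1\nAAAA\nPrivate-Lines: 1\nAAAA\nPrivate-MAC: 00\n",
    "id_ed25519": _constructed_openssh_blob(b"aes256-ctr"),
    "legacy.pem": b"-----BEGIN RSA PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----\n",
    "servers.txt": b"Deploy with: ssh -i prod-web.ppk deploy@203.0.113.10\nContact: ops@example.invalid\n",
    "invoice.pdf": b"%PDF-1.4 constructed placeholder",
}

if __name__ == "__main__":
    found = scan_folder(SAMPLE_FOLDER)
    for f in found:
        print(f"{f.filename}: {f.detail}, passphrase-protected={f.protected}")
    print("usable immediately:", usable_as_is(found))
    print("targets mentioned:", connection_hints(SAMPLE_FOLDER))
```

In an incident the unprotected keys are the ones to revoke first, and the connection hints tell you which hosts' authorized_keys files to check for them.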
Data can clearly be shared unwittingly via these links. Once the sharing user gives someone a link, they have to rely on that link remaining private, or the data can quickly become public. Should the recipient decide to sandbox the link on a public site in order to test it for anything malicious (often rightly so, given how such file sharing platforms are misused), they may not be aware that these scans are themselves public, or of the resulting threat to the companies and individuals concerned.
In the worst case this can lead to data breaches, which is especially relevant with the enforcement of GDPR in Europe from May 25th 2018. One open drive was found to contain information relating to an upcoming business conference. Personal data of registrants and speakers was collated in various files, containing full names, email addresses, personal phone numbers and job roles.
Figure 7. Example of available data
Figure 8. Potential data breach through Google Drive
Various file sharing services are available online, and this is only a small sample of the information and data we observed on Google Drive. Once a user creates a share and sends the link out, it is out of their control. Users are becoming increasingly security conscious and familiar with online services that check the legitimacy of files and links they receive. Checking such shares on public sandboxes, indexing services and similar sites means that shares intended to be private are now made available to the public.
Initial examination of sites such as Dropbox shows similarly open shares identifiable via OSINT research, and we know from previous research that the same is true of paid services like Citrix ShareFile. There is the possibility of a much greater degree of unintentional data leakage, particularly as many organisations use such sites to share files, sometimes sensitive and in some cases even intellectual property. Malicious actors can harvest this data and could use the same techniques with ease.
Ultimately, users are sharing data without applying any authentication, so legitimate tools that could be used privately are being used publicly. Publicly shared information such as the examples above highlights security risks to both individuals and companies, as leaked personal data could be used fraudulently. Not only do these personal data breaches infringe GDPR, they have the potential to damage company reputation and put those involved at risk.
It is not the platforms themselves that are at fault; rather, it is users choosing convenient methods of file sharing without security controls such as enforced authentication that potentially puts users and companies at risk. In any business, it is important to understand how these file sharing sites are used. One mechanism for this is proxy rules that prevent and/or control access to such sites. Active monitoring should be used to identify where users are potentially putting company data at risk. However, training users to understand the risk, and how to avoid it, is still the best way to mitigate this threat.
Fujitsu now offers a free Threat 360 assessment service enabling your business to identify where it’s potentially vulnerable or compromised – and then how to act to limit any exposure.
Fujitsu’s Threat 360 assessment service is a combined approach:
Passive Threat Assessment (PTA): Fujitsu’s Cyber Threat Intelligence team will run a Passive Threat Assessment to look at both the clear and dark web for information and threats relating to your business. This provides a comprehensive report detailing primary target areas, any leaked information, and possible areas of concern.
Malware Assessment Service (MAS): Based on Cylance technology, the Malware Assessment Service can identify current dormant and/or running threats on your endpoints. This allows Fujitsu Services to offer both strategic and tactical recommendations for preventing attacks via malicious code. By integrating artificial intelligence into tools and processes, our experts are able to secure your environment while swiftly identifying a compromise, resulting in a preventative security approach.