Explosive Data Leakage
High-quality scans of explosives handling licenses were also found in the files, which raises the possibility of impersonating authorized explosives handling personnel. Most of the time data breaches are limited to fraud as far as potential damage goes. The knowledge and credentials contained in this one could have been used to cause some real damage.
The company ultimately responsible for the present leak, Allied-Horizontal, runs a wirelining outfit. Part of this business is known as “perforation” (the process of putting explosives in the ground and strategically blowing them up). Companies that handle such explosives are tightly regulated by the Bureau of Alcohol, Tobacco and Firearms (ATF).
This repository, which was exposed to the public internet without any authentication, is another recent example of Network-Attached Storage (NAS) devices gone awry via the remote synchronization service (rsync). One particular brand of NAS devices, which starts with a “B”, appears to be especially prone to this misconfiguration (more on that in a future post).
After downloading over 7 gigs of internal Allied-Horizontal files, which represents only a small fraction of the overall exposure, I became convinced the data was legitimate and the leak should be plugged quickly.
In my early days of breach reporting, I would start by notifying employees at the bottom and working my way up, but I’ve recently become more brash in my approach. Now I start the notification process with the most senior executive and work my way down. Things happen much faster that way.
One of the files I downloaded was a spreadsheet containing the names, titles, and personal cell phone numbers of what appeared to be all employees at the company.
So, I looked up the Allied-Horizontal CEO’s cell phone number and gave him a call this past Monday (Nov. 28th). After I explained a few things, he understood the potential seriousness of the situation. I asked if there was an IT department I could contact and he offered to immediately pass my phone number to them. A few minutes later the IT department gave me a ring. The leaky server was secured nearly as quickly as I could hand over the IP address. They wasted no time.
Their IT department also gets bonus points for not suggesting that I somehow “hacked” them. They were actually very grateful for the heads-up and couldn’t have been nicer to me. It’s refreshing when that happens.
The moral of this story is that companies should be regularly hitting their important IP addresses with tools like nmap and masscan (or even looking themselves up on Shodan.io or Zoomeye.org). Heck, throw Censys.io into the mix while you’re at it. Keeping an eye on all potential exposure points is a tough task. It’s unfortunate that most companies either can’t afford dedicated network security staffers, or the C-level executives don’t understand the immense impact of a data breach scenario.
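As an added illustration of that self-audit (this is example code, not part of the original post or anything Allied-Horizontal runs): a small Python script that asks an rsync daemon on one of your own addresses which modules it advertises without credentials, which is exactly the exposure described above when the answer is non-empty on an Internet-facing NAS. The client greeting string and the tab-based filtering of module lines are assumptions about the rsync daemon's wire format.

```python
import socket
import sys

RSYNC_PORT = 873
# Version string a client announces after the daemon's banner. 31.0 is the protocol
# spoken by rsync 3.1+; assumed to be accepted by the daemon for this check.
CLIENT_GREETING = b"@RSYNCD: 31.0\n"


def parse_module_list(payload: bytes) -> list:
    """Return module names from an rsync daemon's reply to a '#list' request.

    The daemon emits one line per exported module as '<padded name>\\t<comment>',
    possibly preceded by free-text MOTD lines, and ends with '@RSYNCD: EXIT'.
    Assumption: module lines are the ones containing a tab; control lines start
    with '@RSYNCD:' and MOTD text normally carries no tab.
    """
    modules = []
    for line in payload.decode("utf-8", errors="replace").splitlines():
        if line.startswith("@RSYNCD:") or "\t" not in line:
            continue
        name = line.split("\t", 1)[0].strip()
        if name:
            modules.append(name)
    return modules


def list_anonymous_modules(host: str, port: int = RSYNC_PORT, timeout: float = 5.0) -> list:
    """Ask the rsync daemon at host:port which modules it advertises with no credentials.

    Run against your own address space: any name returned from an Internet-facing
    NAS is a share anyone can enumerate. Raises OSError when no daemon answers.
    """
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(CLIENT_GREETING)   # daemon's own banner arrives in the reply and is filtered
        sock.sendall(b"#list\n")        # '#list' in place of a module name requests the listing
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
            if b"@RSYNCD: EXIT" in b"".join(chunks[-2:]):   # marker may straddle two reads
                break
    return parse_module_list(b"".join(chunks))


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    try:
        found = list_anonymous_modules(target)
    except OSError as exc:
        print(f"{target}: no rsync daemon reachable ({exc})")
    else:
        print(f"{target}: {'EXPOSED' if found else 'ok, nothing advertised'} {found}")
```

The check is the same one the stock `rsync rsync://HOST/` command performs; the script exists so the result can be fed into scheduled monitoring alongside the nmap and masscan sweeps mentioned above.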
Attention - Portions of this article may be used for publication if properly referenced and credit is given to MacKeeper Security Researcher, Chris Vickery.