Thousands of Britons are exposed to cyber crime after the content of their PC was exposed on the Internet by Shodan, a website dubbed the “Google for hackers.”
The leaked data includes medical records, photographs, medical records and other sensitive documents that can be easily downloaded from the site. According to a Mail on Sunday investigation, the data was raked because of security holes in hard drives used by victims to archive the information or back up them.
Security experts speculate that millions of Britons and UK firms are at risk of being hacked because the populer Shodan website provides information about their web-connected storage devices.
By using the powerful Shodan search engine, hackers can easily locate the flawed devices and download sensitive information.
“Highly confidential files belonging to a High Street law firm were also freely available on the website, called Shodan, including full details of their clients’ financial affairs, passports and driving licences.” states the Mail on Sunday.
The experts highlight the importance to keep every electronic device connected to the internet up to dated and properly configured to avoid that hackers can find easy-to-guess passwords or use default credentials to access their systems.
“What Shodan does is shine a light on some of the more insecure aspects of this new interconnected world.” explained the Professor Tim Watson, director of the Cyber Security Centre at the University of Warwick
“We are buying kit connected by default to the internet, because we love the fact we can use it anywhere. But this comes at a price – we’re buying these features but we’re not buying security.”
In many cased the devices are open on the Interned left without password protection and presents default settings easily to guess once identified the component.
In the specific case, hackers can identify the flawed hard drives made by the company Iomega by using Shodan, such storage devices are used by thousands of individuals to back-up documents.
The discovery is not surprising for the security experts, but anyway disconcerting if we think to the possible consequence of the exposure of a huge quantity of sensitive data. Most files contained the names and addresses of their owners, as well as personal and sensitive data such as medical and financial information.
The experts at the Mail on Sunday tracked the owners of the devices warning them of the risks.
“By searching Shodan for unprotected devices in Glasgow, we discovered a hard drive containing the business files of a solicitors’ firm.Folder titles included ‘cash’, ‘clients’, ‘powers of attorney’ and ‘money laundering’, with the individual files giving full details on everything from house purchases to visa letters and even customers’ passports. One of the main folders was titled ‘MacKaur documents’ while others gave the names of the two partners and a secretary working for a Scottish law firm called MacRae & Kaur. But it denied its data had been leaked.”
“Those I represent have clarified with their IT support organisation that the computer system they employ, in particular that which deals with the storing of data securely is lawful and in accordance with legal requirements as a law firm practising in Scotland.” said the law firm.
Lenovo admitted the problem for its Iomega hard drives, confirmed that it has already fixed the issue since last year.
A spokesman said: ‘Lenovo addressed these concerns in 2014 whereby new devices did not have this problem and a fix was made available to existing customers.’
The problem is that the majority of hard drive owners is not aware of the security issues and in many cases are not able to install the updates.
Another suggestion provided by the Information Commissioner’s Office, Britain’s data watchdog, is to check the device password once installed the update.
“The first security step anyone should take when getting any new device, is to set a strong password.” said a spokesman.
“The default passwords many manufacturers use are freely available online so it’s important to get these simple passwords changed.” “If the device doesn’t have a password, then as a bare minimum, you should set one up, making sure it’s not one that can be easily guessed.”
Shodan’s founder John Matherly, explained that its company have already banned in the past individuals for abusing its service.
“I don’t believe in shooting the messenger. Shodan is the right answer to the problem,” he said. “People should be upset that the product they purchased didn’t provide better safeguards to protect their data and prevent it from being leaked on the internet.” “The way we fix these insecure-by-default devices is by raising awareness so consumers demand change from companies.”
(Security Affairs – Shodan, hard drives)