Your data wants to be free – but only because you’re a terrible admin

Charley says 'Always protect your data directory before you go out somewhere...'

A midddle-aged man named Tom has been watching your porn  – the home movies you recorded, along with a woman he assumes is (or was) your wife, back in the mid 90s on a Sony Digital8 handycam. Tom is guessing it was the mid 1990s because of the decor – Laura Ashley furniture and full length mirrors. He pays attention to details. At some point, you’ve decided to digitise the videos and upload them, along with memories, documents, and music from the intervening decades.

The stains are probably still on the sofa too… | Credit: Dublin Live

You keep them on a home server which you have probably upgraded a number of times, and you access them through port 1234 on your local network. It’s good stuff – Tom particularly enjoyed watching the kids growing up, although your wife (insanely hot in the first few videos he watched) has been missing for the last ten years or so. Did she die or did she leave you? You should probably delete the porn, either way.

Other people’s unsecured data directories are a treasure trove for him. In the last week alone, Tom says he has read too many amateur half-finished teenage novels to count; He’s seen medical thin sections, He’s inspected resumes, and he’s looked through carefully curated and indexed collections of books, music, movies. Did we mention the truly staggering amount of porn?

Porn was how Tom first discovered the joys of the insecure and partially hidden parts of the internet. In the early days of the ‘World Wide Web,’ most porn sites required membership, but would publish a number of free pictures every week. A then teenage Tom was quick to discover that the address of an individual image also contained the location of its parent directory, and if access controls weren’t in place, a user could see the contents of the directories above it, and from there all of the other sub-folders – all the way back to the document root. The requirement for membership was null and void.

It became a hobby. Not just for porn – for everything. Tom liked to find things which weren’t ever meant to be seen by people other than the original uploader. It’s not ‘hacking’ – no passwords were ever used,  and for the most part, the contents are available simply by deleting the last part of a publicly available URL, and navigating from there.

You’re hosting a website from home? There’s a non-zero chance you’re exposing far, far more than you ever meant to.

Tom temporarily halted his investigations in 2008. He was living in a foreign country with limited and heavily monitored internet access, he had recently uncovered some things he refuses to specify, which got him thinking about the ethics of what he was doing. Also, Pornhub had just come onto the scene, which took care of his other… needs.

The internet is different in 2020. There aren’t as many servers actually being run from the family desktop or in Dad’s homelab. Actually, that’s not true – there’s just a lot of other stuff out there as well. It’s different, but on the whole, security hasn’t really improved, and Tom still don’t need to do any proper ‘hacking’ to find things that other people don’t necessarily want him to see. Occasionally, he needs to employ a little sophistication to see things he’s not supposed to – but not much.

WordPress

We’re starting off with the obvious. WordPress powers around 30% of the internet, is easy to install, boasting a simple, one-click process which literally no-one can mess up. It’s ideal for amateurs (such as us), and with very little tinkering, users can produce professional looking sites they’d be proud to show the world. WordPress is fairly intuitive and there are a huge range of plugins to enhance functionality and appearance. Those plugins themselves can present a serious security risk, but that’s an article for another day.

WordPress –  used by all the best sites

No what Tom wants us to talk about is the uploads directory. Pretty much everything you upload to your site ends up in the /wp-content/upload/ directory. Images, music… whatever. It’s all there, and unless you’re organised, it will stay there forever. You may decide to unpublish an article, but unless you actually take care to delete the associated media, there’s a good chance it’s accessible to anyone who happens to be strolling past on their leisurely walk along the internet superhighway.

Bought a nice theme recently? It will be in /wp-content/themes/ and unless you’ve actually paid attention to the contents of your .htaccess file, it’s there for the taking – available to upload to someone else’s WordPress site.

Running an access controlled porn site based on WordPress? We’ve seen a few where we’ve been able to browse through full directories without having to pay a penny.

Nextcloud

Here at The Crow, we love Nextcloud even more than we love WordPress. We’ve had an instance running since September and use it for file storage, recipes, video conferencing, and a lot of other stuff besides. But if you’re using the default locations for your data directory, and not using Nextcloud’s admin overview tool once installation is complete, you are exposing your secret stuff to people like Tom, who will actively seek out Nextcloud installs and append /data/ to the base URL. Depending on the version of nextcloud being used, he may need to take a stab at the username as well. yournextcloud.com/data/admin/ is usually a pretty solid guess.

Seriously, run the overview tool. If your data directory is exposed, it will tell you AND show you the changes you need to make to cover it up.

Home networks

So, You have your epic horse porn collection on the family PC in the hallway, but you want to watch it while you’re whacking off in the bathroom? It’s pretty easy to create a Samba share to the right folder, or you could even set up an Apache webserver and type in your local address and port number to access the equine smut contained within.  Is your router firewall closed on that port or did you leave it open so that you can knock one out in the toilet cubicle at work as well?

If you can access your private collection without a password while you’re out of the house, others can too.

Everyone knows what you do in there | Credit: Acabashi  CC BY SA

 

Run a search for “index of /” “parent directory” and see what turns up.

You’re visible everywhere.

Sometimes it’s not enough for Tom to stumble across sites and explore its vulnerabilities. Sometimes he actively seeks them out. He uses a free and open source tool called Masscan, which can scour the entire internet for open ports in under six seconds. If you run a server and check your access log, you’ll probably see massscan visiting several times per day.  Other times he will look through certificate registries for clues.

If a domain has a subdomain named nc or nextcloud, the chances are that it is a Nextcloud trove. Likewise nc11, nc 12, and so on. These can be found through running a certificate search on a site such as censys.io. From there, Tom has a target. “It’s not hacking,” Tom explained to the crow. “These are publicly accessible resources.”

It’s probably not entirely legal though.

The bottom line

In the scheme of things, Tom and people like him aren’t particularly villainous. They’re not breaking anything, they’re not encrypting your data directory and demanding a bitcoin ransom to let you access your own files.  It’s not necessarily nice though. It’s not nice to know that somewhere out there reading your fanfic, viewing your holiday photos and watching whatever movies you choose to curate.

But it’s your responsibility to keep your own stuff safe. It’s your responsibility to read the documentation of whatever software you’re using, and to take some pretty simple precautions. Because if you don’t, well, it’s on you.

Picture credit: geo462rge CC BY-NC-ND 2.0

 

Be the first to comment

Leave a Reply

Your email address will not be published.


*