Uzair Amir
It has been discovered that the data of an explosive-handling business was leaked. It is highly frightening if the information security of an explosives-handling business is compromised. It poses the threat of such sensitive information getting into the hands of criminals or even criminals who may try to obtain the explosive materials by using the employee to reach to the explosive. It puts the employees of such a company in an even more precarious situation wherein, the bad guys may try to blackmail the employees or try to influence them in even more violent ways.
The data was discovered by MacKeeper’s security researcher Chris Vickery. The leaked data included high resolution of scans of ID card of employees of the company raising concerns that it may be used by impostors to impersonate as licensed explosive handlers. Most instances of data and identity theft have motives such as scamming and fraud. However, this particular leak has the potential to cause some serious damage. The company that has been held responsible for the leak is the wire-lining company, Allied Horizontal. One of the operations of this business is carrying out strategic demolitions, by putting explosives in the ground, the process which is referred to as perforation. The regulation of such business is done under stringent control of the ATF (Bureau of Alcohol, Tobacco and Firearms).
This cloud data that was leaked on the internet without any validation is a current example of Network-Attached-Storage gone south with r-sync (remote synchronization). A brand of Network Attached Storage devices, whose name starts with B, but which shall not be named here is highly susceptible to this misconfiguration. The detail of the flaws of the said storage device will be discussed in the posts in the coming days.
To test if the leak news was legitimate Vickery downloaded more than 7 gigabytes of Allied-Horizontal files. The volume which represents only a fraction of the total exposure assured Vickery that the leak was real and must be fixed at the earliest.
A file that Vickery downloaded through the leak was an excel spreadsheet that apparently contained the personal information about all the workers of Allied Horizontal. Ironically, Vickery used the same file to look up the CEO’s personal mobile number and gave him a call last Monday (28th, November).
After hearing about the whole situation from me, he realized the gravity of the situation.Vickery asked him if he could reach the IT unit of the company and he readily made his IT people call Vickery. The leak was plugged as fast as the IP address could be handed over and they wasted no time.
Remember, Vickery is not just a security researcher but a specialist in discovering leaked and publically available unprotected databases. He is the same guy who discovered voters data of 191 Million Americans and 93.4 million Mexicans online.
Vickery also discovered 3.3 million accounts from Hello Kitty database, 13 million MacKeeper accounts, US voters’ registration records, and a terrorist database that was leaked from an unprotected database.
