
Dow Jones’ watchlist of 2.4M high-risk clients has leaked - smallgovt
https://techcrunch.com/2019/02/27/dow-jones-watchlist-leak/
======
captainpete
Am I missing something or is misconfiguring your cloud the way to go if you're
a vendor of an OSINT product?

Information from public sources - no liability? No DJ customer details - no
loss of business? Bob Diachenko discovered it - so no dumps floating around?
3rd responsible - remains unnamed, no brand damage? Free sample included in
the high traffic TC article

It probably was not intentional, but could Dow Jones have benefited from this
press overall?

~~~
xmly
It is called the shared responsibility security model.

AWS cannot know what your true intention is.

------
jstanley
[https://outline.com/DEfmHq](https://outline.com/DEfmHq)

------
i_phish_cats
So, where's the data?

~~~
jdsully
Now that most hacking is nation state driven we aren’t seeing these datasets
posted publicly nearly as often.

~~~
BubRoss
Do you have a source for that assumption?

------
motohagiography
Does anyone know if the targets of this database have a right of reply, and
given it is from public sources, does that mean media reports are the primary
sources that inform it?

The consequences of those questions could be quite serious.

------
georgewfraser
Can anyone explain why Dow Jones would store data like this in elasticsearch?
This seems like a classic relational database scenario.

~~~
caymanjim
The data didn't leak from Dow Jones, and the article doesn't cover how Dow
Jones stores the data internally. Some customer who had the data leaked it
from their own open system.

------
xmly
How to get a copy:)?

------
ncr100
Is Trump in the leaked "risky customer" DB?

We could find intel out about political candidates.

------
GFischer
Yet another sensitive database with probably no way to know if you're in it -
GDPR sounds like a pain but I'm coming around to believing it's a necessary
evil to stop this nonsense.

OTOH I guess this is relevant information and so they should be allowed to
have it under GDPR rules? I'm obviously not a lawyer, although my work, like
most programmers', is affected by GDPR, PCI and whatnot.

~~~
Miredly
Or we could just start punishing companies for massive and widely damaging
data leaks. AFAIK about GDPR, it wouldn't prevent this. These things keep
happening because nothing bad happens to companies that let it happen.

~~~
rando444
GDPR prevents this by putting rules in place that you, as the owner of the
data, need to show that you're protecting it responsibly.

The threat of the gigantic fine is what gets people into compliance to prevent
this from happening.

Lots, possibly even the majority of companies in Europe beefed up their IT
security procedures because of this, and I wouldn't be surprised if almost
everyone that sits at a keyboard in Europe got called into a meeting to
talk about how important it is for them to keep their customers' data private
and ways to do that.

Without something like this in place, companies can just not even care about
users' data... because 'oops, we did nothing to protect it' is still a valid
excuse.

~~~
Mirioron
> _Lots, possibly even the majority of companies in Europe beefed up their IT
> security procedures because of this_

On the other hand, they also don't provide internet services to people.

------
RickJWagner
So long as all the sources were public, I don't see why this is newsworthy at
all.

You could probably build most of it with Google.

~~~
ID1452319
It is newsworthy for a number of reasons. Firstly, most people do not know
that companies are scanning their customers, suppliers and employees against
these watchlists.

Secondly, people are placed on these watchlists with no burden of proof or
right to recourse.

Thirdly, if you appear on these lists, which can be quite fuzzy, you can find
that your bank accounts are frozen, with no explanation. Banks are now very
risk averse, meaning that they are more than happy to alienate a few customers
if it means avoiding the risk of massive fines.

------
awinder
We are big aws customers at my current employer and have generally had
success, and I use amazon products, but that said:

This is totally on Amazon for not having VPC-enabled Elasticsearch clusters
for way too long, AND not providing an upgrade mechanism to move an existing
internet-accessible cluster to a VPC. I was mind-blown when I first utilized
Elasticsearch Service and was sure that there would be data leaks for only
having public net.

~~~
sailfast
While I agree and those defaults are certainly suboptimal with blame to share,
I would argue the buck stops with the individual that indexed all the
proprietary data on :9200 open to the internet. You can do all sorts of stupid
things with AWS (or any other tool). That doesn't make it Amazon's fault
entirely. The individual is responsible for attempting a basic understanding
of the tools they use.

When I learned the ropes of ES, configuring the endpoint was one of the first
things that came up in a large number of docs and posts. In this case, I also
wonder if the person doing it even realized it would be a problem since the
database was based on "Publicly Available data". "Sure, turn CORS on, let's
roll."

Thankfully this leak was of public data combined into a proprietary reporting
tool, rather than something more sinister that would cause greater harm.

~~~
awinder
Just so I'm clear -- AWS Elasticsearch Service was launched in October 2015,
and VPC support didn't come around until fall 2017. So for over 2 full years
the only way to utilize their Elasticsearch Service was to run it
internet-accessible. I'm not talking about defaults here -- it was the only option.
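The awinder/sailfast exchange above turns on two properties of a managed Elasticsearch domain: whether its endpoint is internet-accessible at all (pre-VPC support it always was) and whether its access policy lets anyone in. The following is an added example, not code from the thread or from AWS: it classifies the `DomainStatus` structures that `aws es describe-elasticsearch-domain` returns (the field names `VPCOptions`, `AccessPolicies` and `Endpoint` are AWS's; the sample domains, ARNs and IDs are constructed placeholders) so an account owner can spot the open ones.

```python
import json

def _principal_is_anyone(principal) -> bool:
    """True when Principal grants to everyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False

def classify_domain(domain_status: dict) -> str:
    """Return "vpc", "public-open" or "public-restricted" for one DomainStatus.
    "public-open" = internet endpoint + Allow for any principal with no Condition."""
    if (domain_status.get("VPCOptions") or {}).get("VPCId"):
        return "vpc"                      # endpoint only reachable inside the VPC
    policy = json.loads(domain_status.get("AccessPolicies") or "{}")
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):      # IAM allows a single statement object
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        if _principal_is_anyone(stmt.get("Principal")) and not stmt.get("Condition"):
            return "public-open"
    return "public-restricted"            # named principals or a Condition (e.g. source IP)

def audit(domains: list) -> dict:
    """Map each domain name to its exposure class; "public-open" entries are the findings."""
    return {d["DomainName"]: classify_domain(d) for d in domains}

# Constructed sample inputs shaped like DomainStatus; names, ARNs and IDs are placeholders.
ALLOW_ANYONE = {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "es:*",
                "Resource": "arn:aws:es:us-east-1:111111111111:domain/*/*"}
IP_LOCKED = dict(ALLOW_ANYONE, Principal="*",
                 Condition={"IpAddress": {"aws:SourceIp": "198.51.100.0/24"}})
SAMPLE_DOMAINS = [
    {"DomainName": "watchlist-search", "Endpoint": "search-a.us-east-1.es.amazonaws.com",
     "AccessPolicies": json.dumps({"Version": "2012-10-17", "Statement": [ALLOW_ANYONE]})},
    {"DomainName": "ip-locked", "Endpoint": "search-b.us-east-1.es.amazonaws.com",
     "AccessPolicies": json.dumps({"Version": "2012-10-17", "Statement": [IP_LOCKED]})},
    {"DomainName": "internal", "Endpoints": {"vpc": "vpc-c.us-east-1.es.amazonaws.com"},
     "VPCOptions": {"VPCId": "vpc-0123456789abcdef0"},
     "AccessPolicies": json.dumps({"Version": "2012-10-17", "Statement": [ALLOW_ANYONE]})},
]

if __name__ == "__main__":
    for name, exposure in audit(SAMPLE_DOMAINS).items():
        print(f"{name}: {exposure}")
```

Feeding real output in requires only replacing `SAMPLE_DOMAINS` with the `DomainStatus` objects from the describe call; a domain that comes back "public-open" is the configuration the thread is arguing about.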

