
Oklahoma Department of Securities Leaked Millions of Files - wglb
https://www.upguard.com/breaches/rsync-oklahoma-securities-commission
======
kop316
Heh, so out of curiosity, I have a very high confidence that the state of
Tennessee leaked a lot of data as well. How I know:

- I use Fastmail, and use the alias@myemail.mydomain.com to alias everything.

- Tennessee has a way to remind you to renew your plates, so I used
licenceplate@myemail.mydomain.com - I got a phishing email at
licenceplate@myemail.mydomain.com

- I contacted them, and the investigator said they allow third parties
access, so basically it was too hard to track it down.

I really don't know what to do, maybe send it to a newspaper?

~~~
Buttons840
I once found a state website exposing info that probably (?) shouldn't have
been in some JSON fields. The sensitive data was not shown on the rendered
page but it was in the browser's memory all nicely formatted. I thought of
reporting it, but thought it was more likely they would try to save face by
accusing me of being a hacker because I pressed F12 (and that I might have to
fight charges in a faraway state), rather than accept their mistake.

I chose to stay quiet.

I guess I'm not the only one to have faced this dilemma.

~~~
LeftTurnSignal
I found a Windows 2003 server (back in the day) with RDP open directly to it.
It wasn't behind much (if any) external firewall. It also wasn't patched, and
I got in using some exploit I found within a few minutes of googling.

Here it was a city's (pop. 2 mil+) water system. I didn't need a name or
password for it once I got into the server itself.

I screenshotted the login, the exploit, their water system (it reminded me of
MS Paint, which a lot of those systems seem to look like), then created a fresh
e-mail using Tor, sent a few e-mails to several e-mail addresses I could find
for contacting them, and within a few days it was no longer accessible.

For a longer time than I should have, I felt bad for doing it, but at the same
time, I doubt they would have done much if I just e-mailed them without
showing proof.

I never received anything, threats or thanks, in that e-mail account. So
hopefully someone appreciated it.

------
hyperrail
Sadly this is not the first time an Oklahoma state agency has famously leaked
personal information online. 11 years ago, the Oklahoma Corrections Department
made the Social Security numbers of registered sex offenders available through
simple SQL injection on an Internet-facing website:

https://web.archive.org/web/20080415231058/http://thedailywtf.com/Articles/Oklahoma-Leaks-Tens-of-Thousands-of-Social-Security-Numbers%2c-Other-Sensitive-Data.aspx

------
lvs
Probably the link should be changed to the Forbes piece or the original
disclosure. This was not Newsweek's original reporting.

https://www.forbes.com/sites/thomasbrewster/2019/01/16/massive-oklahoma-government-data-leak-exposes-7-years-of-fbi-investigations/

https://www.upguard.com/breaches/rsync-oklahoma-securities-commission

~~~
tlb
Changed from https://www.newsweek.com/oklahoma-data-breach-may-expose-years-fbi-investigations-report-1293862, thanks.

------
techslave
I am not convinced that this was responsible behavior on the part of upguard.
They discovered a breach, and apparently downloaded all the files. The report
details the kinds of files and a sample of the information in them.

If upguard's behavior were responsible, why would they have downloaded any
more data than necessary to determine that it was sensitive stuff? They would
have noticed it, reported it (without downloading) and perhaps helped fix it.
I doubt very much that the OK Dept of Securities would have subsequently given
them access to the files so as to do some kind of audit on sensitivity, in a
non-NDA manner.

This post reads more like an ad for upguard than a responsible disclosure.

~~~
krageon
Knowing a little bit about how government works, if they didn't have proof of
what happened it is not unthinkable that they would close the immediate leak
and then deny anything ever happened. Nobody would win in that case, because
nobody competent actually verified that a fix was done. And nobody would know,
either - it'd just be two parties denying the other's point of view.

------
andrew_
I for one hope we get to see all of the saucy details.

~~~
datavirtue
They are in the first few paragraphs of the post.

------
saosebastiao
I'm wondering if the FBI investigations are for securities fraud. Why would
the OK Dept of Securities have this data in the first place?

------
rdiddly
I don't see any paragraph where they talk about whether/when/by whom the data
was actually accessed. Granted I was only skimming. (Because I was looking for
that.) But yeah if an IP address falls in the forest and no one is around to
connect to it, does it make a sound?

~~~
jcrawfordor
There's likely no way to really know, in this kind of situation. There only
would be if audit logs were created and then retained from the rsync server
(unlikely to have been retained) or some device in front of it (unlikely to
have been generated in a usable format). A large portion of breaches that
occur are just like this... significant potential exposure, but actual
exposure unknown.

That said, they located the open rsync server via Shodan, which is not exactly
the elite tactics of the security world. Lots of people, both benevolent and
malicious, watch Shodan queries for things like this and triage new findings.
So it might be more appropriate to say "if an IP address falls in a forest
that a lot of people are watching", but that rather tangles the metaphor. In
my experience rsync probing is significantly rarer than SMB and NFS probing,
so I'd hazard a guess that there are also fewer people watching Shodan for
rsync than more commonly exposed file share protocols, but I'd wager that it's
still more people than just this one research outfit.

The big impact of Shodan, as the best known large-scale internet scan and the
only one I know of that exposes so much data to the public, is that things
like a lone exposed service on a random IP can't comfortably be assumed to be
obscure any more. Once Shodan sees it, anyone can know about it with trivial
effort.
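As an added example (not code from this thread or from UpGuard's report): a small audit of an rsyncd.conf that flags modules an rsync daemon would serve to any source address without authentication, and modules without transfer logging, which is the audit trail whose absence the comment above describes. The config, paths and module names are constructed for the example.

```python
import configparser
# Constructed sample: "backups" is exposed the way a scanner-found open rsync
# daemon is; "archive" is the hardened form; [global] values are inherited.
SAMPLE_RSYNCD_CONF = """\
[global]
log file = /var/log/rsyncd.log
[backups]
path = /srv/backups
[archive]
path = /srv/archive
hosts allow = 10.0.0.0/8
auth users = auditor
secrets file = /etc/rsyncd.secrets
list = no
transfer logging = yes
"""

def parse_rsyncd_conf(text):
    # Parameters before the first [module] are global, so a [global] header is
    # prepended; strict=False lets configparser merge a second [global] section.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string("[global]\n" + text)
    return cp

def _setting(cp, module, key, default=None):
    # Module value overrides [global] value, which overrides rsync's default.
    for section in (module, "global"):
        if cp.has_option(section, key):
            return cp.get(section, key)
    return default

_is_yes = lambda v: str(v).strip().lower() in ("yes", "true", "1")

def audit_modules(text):
    # Returns {module: [finding, ...]}; an empty list means nothing was flagged.
    cp = parse_rsyncd_conf(text)
    findings = {}
    for mod in cp.sections():
        if mod == "global":
            continue
        issues = []
        if _setting(cp, mod, "hosts allow") is None:
            issues.append("no 'hosts allow': reachable from any source address")
        if _setting(cp, mod, "auth users") is None:
            issues.append("no 'auth users': anonymous access to the module")
        if _is_yes(_setting(cp, mod, "list", "yes")):
            issues.append("'list = yes': module name is enumerable")
        if not _is_yes(_setting(cp, mod, "transfer logging", "no")):
            issues.append("no 'transfer logging': per-transfer audit trail absent")
        findings[mod] = issues
    return findings
```

Running audit_modules(SAMPLE_RSYNCD_CONF) flags four issues on "backups" and none on "archive".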

~~~
rdiddly
Thanks for the micro-education!

------
closeparen
What is a state government even doing with a securities regulator? Isn’t that
a federal concern? Surely any publicly traded company has equity holders in
multiple states, it makes no sense for them to have independent rules.

