Users unwittingly shared sensitive docs publicly

Discussion in 'Business & Enterprise Computing' started by power, Mar 29, 2017.

  1. elvis

    elvis Old school old fool

    Joined:
    Jun 27, 2001
    Messages:
    42,776
    Location:
    Brisbane
    Yes, I'm surprised this hasn't been done. Immediately reset the availability of all docs to the doc owner only, and force sharing to be on a per-account/email basis, manually added by the owner.

    There'll be accessibility fallouts for edge cases, but that's far less of an issue than the current problem (and better than turning it all off and locking out people from their own data).
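The reset elvis describes, as an added example that is not part of this thread or of any docs.com code: a constructed document-sharing model in which an emergency reset drops every document to owner-only access, after which the owner re-shares per account, and new documents are private by default (the service, document ids and account names are all hypothetical).

```python
from dataclasses import dataclass, field

# Constructed model (not docs.com code) of the proposed fix: every document
# is reset to owner-only visibility, and access is then granted only per
# account, by the owner. New documents are private unless stated otherwise.
PUBLIC, PRIVATE = "public", "private"


@dataclass
class Document:
    doc_id: str
    owner: str
    visibility: str = PRIVATE                  # private by default
    grants: set = field(default_factory=set)   # explicit per-account grants

    def can_read(self, account: str) -> bool:
        """Owner always reads; anyone reads a public doc; otherwise a grant is needed."""
        return (account == self.owner
                or self.visibility == PUBLIC
                or account in self.grants)


class SharingService:
    def __init__(self) -> None:
        self.docs: dict[str, Document] = {}

    def create(self, doc_id: str, owner: str, visibility: str = PRIVATE) -> Document:
        doc = Document(doc_id, owner, visibility)
        self.docs[doc_id] = doc
        return doc

    def share_with(self, doc_id: str, actor: str, account: str) -> None:
        """Only the owner may add a grant; sharing is per account, never 'anyone'."""
        doc = self.docs[doc_id]
        if actor != doc.owner:
            raise PermissionError(f"{actor} is not the owner of {doc_id}")
        doc.grants.add(account)

    def reset_all_to_owner_only(self) -> list[str]:
        """Emergency remediation: make every public document private and drop
        all grants, so owners must re-share deliberately. Returns the ids of
        the documents that changed, so their owners can be notified."""
        changed = []
        for doc in self.docs.values():
            if doc.visibility == PUBLIC or doc.grants:
                doc.visibility = PRIVATE
                doc.grants.clear()
                changed.append(doc.doc_id)
        return changed
```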
     
  2. power

    power Member

    Joined:
    Apr 20, 2002
    Messages:
    64,875
    Location:
    brisbane
    Exactly, kind of like when there's a big password breach, so everyone gets a password reset (remember when eBay did this?).

    Far better than the current "it's working right, you're just doing it wrong" response.
     
  3. Gunna

    Gunna Member

    Joined:
    Dec 25, 2001
    Messages:
    7,729
    Location:
    Brisbane
    They don't give a shit, as it's on the end user to ensure the settings are correct.
     
  4. gav1ski

    gav1ski Member

    Joined:
    Aug 9, 2001
    Messages:
    141
    Location:
    Sydney
    Yeah, but any CTO/CIO/IT Manager worth anything will be looking at this and saying "don't even think about implementing that here". So from a marketing side of things they should just switch sharing off for everyone, send the "why we have done this and how to re-share" email, and patch to private by default (as it should have been in the first place) yesterday.
     
  5. broccoli

    broccoli Member

    Joined:
    Feb 21, 2010
    Messages:
    21,502
    Location:
    Perth
    Which is probably the point. Everyone now needs to sign up to have them control everything. For a fee.
     
  6. PabloEscobar

    PabloEscobar Member

    Joined:
    Jan 28, 2008
    Messages:
    14,286
    Cloud First - Mobile First.

    Now everything available in the cloud, is available to EVERYONE to access on their mobile.

    Mission Accomplished.
     
  7. elvis

    elvis Old school old fool

    Joined:
    Jun 27, 2001
    Messages:
    42,776
    Location:
    Brisbane
    This. Check out the compliance and DLP shit Google are putting into G Suite. Plus their ISO 27001 and HIPAA compliance tools. For big orgs paying big dollars, there's no way they're going with something that has the reputation of docs.com now.
     
  8. luke o

    luke o Member

    Joined:
    Jun 15, 2003
    Messages:
    3,644
    Location:
    WA
    Microsoft...

    Just went there and tried a few generic searches like surgery, medical and blood test... Tonnes of personal results. If you want to know random people's blood iron levels, this is the site for you...
     
  9. tin

    tin Member

    Joined:
    Jul 31, 2001
    Messages:
    6,420
    Location:
    Narrabri NSW
    Anyone else notice a huge amount of duplication - at least at a preview level? Same title, same preview, different owner. I wonder if any of those plagiarism detection tools look on docs.com :D
     
  10. chook

    chook Member

    Joined:
    Apr 9, 2002
    Messages:
    3,792
    Am I correct in assuming when we use the word "admin" in this thread we mean the son of the CEO who is doing a degree in computer science and totally knows about this stuff?

    Just wanted to make sure the meaning of the word hadn't changed to something foolish like "a guy with a clue".

    Then again, that might have been my twisted cynical inside voice on the outside.

    Heard at work for real last week from one of the sys admins:

    How do you restart a VM? I can't find the power button.
     
  11. Mike Cartwright

    Mike Cartwright New Member

    Joined:
    Apr 27, 2017
    Messages:
    5
    I don't want to sound mean, but I'm absolutely thankful I haven't used docs.com; although I'm pretty friggin guilty of using the cloud and subscribing to different cloud solutions.
     
  12. IACSecurity

    IACSecurity Member

    Joined:
    Jul 11, 2008
    Messages:
    760
    Location:
    ork.sg
    So an option here, instead of complaining here, is: if you see something bad, use the comments field on the offending content and inform them that it is public.

    I have made direct contact (outside of docs) with some of the people and the content has been hidden/removed.
     
  13. AzonIc

    AzonIc Member

    Joined:
    Jan 7, 2002
    Messages:
    1,373
    Location:
    Adelaide
    No doubt lots of credit card information on there too. :shock:
     
  14. IACSecurity

    IACSecurity Member

    Joined:
    Jul 11, 2008
    Messages:
    760
    Location:
    ork.sg
    To be frank, credit card info is far, far less important than personal info.

    CC cards get replaced. Costs are borne by the card issuer.

    You don't get a new identity, and you suffer the costs for life.
     
  15. AzonIc

    AzonIc Member

    Joined:
    Jan 7, 2002
    Messages:
    1,373
    Location:
    Adelaide
    Fair points, and having recently taken over a private clinic and hospital's IT systems, I'm currently very paranoid about the state of our data controls here; it's everything bad about BYOD.

    However, I'd bet people are mining docs.com for CCs to make dodgy purchases.
     
  16. NSanity

    NSanity Member

    Joined:
    Mar 11, 2002
    Messages:
    18,154
    Location:
    Canberra
    Health in Aus is waiting for a major security event.

    Having been party to several Medicare Local audits for various medical practices, even the audit itself is lax, let alone what GPs and specialists do to handle patient data in reality for the 35.5 months between audits.

    The policy language is getting better, but enforcement and attitude is just atrocious.
     
  17. bcann

    bcann Member

    Joined:
    Feb 26, 2006
    Messages:
    5,994
    Location:
    NSW
    Yeah, just did a 1-hour audit for the specialist medical office my wife works at:

    1. Windows 7 RDP ports exposed to the outside world, 1 with absolutely NO PASSWORD on it, using alternate ports because security through obscurity always wins.
    2. Using Microsoft Security Essentials as an AV.
    3. Backup of the medical database only, onto one hard drive only, and nothing else is being backed up, including 10+ years of patient health scan data, which is specifically excluded. This is what piqued my interest initially with my wife: I walked in one day and she said she was doing the backups at the end of shift, it took 1 minute, and I said hang on, that shit ain't right.
    4. UPS plugged into the server, hell, even in the correct battery backup port, but no monitoring cable or software to shut it down properly.

    And numerous other things.

    This was just me spending 30 minutes looking for big things to do her employer a favour; it really needs looking at things at the micro level once they fix that shit up.

    The more disturbing thing was the fact that yet another MSP in this damn town is being paid to look after this shit and doing yet another pisspoor job of it.
     
  18. IACSecurity

    IACSecurity Member

    Joined:
    Jul 11, 2008
    Messages:
    760
    Location:
    ork.sg
    I might line you up with a guy in your area, can compare notes.

    Royal Melbourne Hospital's Pathology labs would consider what they had to be a pretty major security event ;)

    http://www.theage.com.au/victoria/r...-damaging-computer-virus-20160118-gm8m3v.html
     
  19. AzonIc

    AzonIc Member

    Joined:
    Jan 7, 2002
    Messages:
    1,373
    Location:
    Adelaide
    We're drifting way off topic here, but shortly after I started here the core server hardware running your typical VMware / Veeam environment crashed due to a bug long since patched; investigations found none of the environment had been updated (firmware / OS / software etc.) despite us paying $2k a month to an MSP to manage it :rolleyes:

    I would genuinely appreciate that, because I don't know if my standards are too high (and I'm far from a security expert) or if what I'm dealing with here really is as crazy as I think it is. Fortunately I have CEO / Board support and an external security review has just been approved.
     
    Last edited: Jun 5, 2017
  20. NSanity

    NSanity Member

    Joined:
    Mar 11, 2002
    Messages:
    18,154
    Location:
    Canberra
    Unless you know more about this incident, this isn't actually anything serious.

    When 10,000 people have their medical particulars published online for all to see, and the identity theft that happens afterwards, that's when you'll see things change.
     