Windows 8.1 backups can leave sensitive files exposed to Internet

Failing to properly set up Windows File History can make private data Google-able.

The handy File History feature in Windows 8 and 8.1 is a convenience and a time-saver, but if set up without security in mind it can expose sensitive files to anyone on the Internet, security pros were told at a conference.

When picking where File History sends backups of documents, photos and the like, it's a must to be sure that the storage chosen doesn't allow for anonymous access, Kenneth Johnson, a senior associate with KPMG, warned an audience at (ISC)² Security Congress.


It's not a flaw in the Windows feature, he says. In fact, it's a pitfall that Microsoft's own setup instructions tell users how to avoid, yet it's nevertheless easy to find files exposed this way on the Internet.

In one case, Johnson says, he found documents on the Internet detailing corporate goals and employee evaluations that had been backed up from a machine used by a company's former CEO. In another he found a doctor's notes about individual patients.

File History regularly backs up documents, photos, videos, music and Desktop folders so if the originals are lost, damaged or deleted, they can be quickly restored. The history is also useful for finding earlier versions of files.

Setting up File History requires naming a place where the backups are stored, such as a separate drive or network-attached storage (NAS). If an Internet-accessible NAS is chosen and it allows anonymous FTP, search engine crawlers can find the files. Searching for a File History signature, the path \configuration\catalog1.edb, yields pages of individuals' backed-up files.

Lopping that signature off the URL and searching again moves the searcher up the file structure of the victim's storage, potentially exposing a wealth of backed-up files.
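As an added example, not from the article and not a Microsoft or KPMG tool, here is a Python self-audit a NAS administrator could run against storage they own: it attempts an anonymous FTP login and reports any directory tree that contains the File History marker the article names. The host name, the FTP directory layout and the depth limit are assumptions.

```python
r"""Self-audit for File History backups parked on FTP-reachable storage.

Added example (not from the article): checks whether a NAS you administer
accepts anonymous FTP logins and whether the File History marker the article
describes (\configuration\catalog1.edb) is reachable through that login.
"""
import ftplib
import posixpath
from typing import Iterable, List

# Path fragment the article identifies as a File History signature.
FILE_HISTORY_MARKER = "configuration/catalog1.edb"


def file_history_roots(paths: Iterable[str]) -> List[str]:
    """Return the backup root for every listed path ending in the marker.

    Accepts either path separator and compares case-insensitively, because
    Windows-created folder names are often served with mixed case.
    """
    roots: List[str] = []
    for raw in paths:
        p = raw.replace("\\", "/")
        low = p.lower()
        if low == FILE_HISTORY_MARKER or low.endswith("/" + FILE_HISTORY_MARKER):
            # Strip "configuration/catalog1.edb" to find the exposed tree.
            root = posixpath.dirname(posixpath.dirname(p)) or "/"
            if root not in roots:
                roots.append(root)
    return roots


def walk_ftp(ftp: ftplib.FTP, path: str = "/", depth: int = 4) -> List[str]:
    """Recursively list entries via NLST; `depth` bounds the audit."""
    found: List[str] = []
    if depth < 0:
        return found
    try:
        entries = ftp.nlst(path)
    except ftplib.error_perm:
        return found  # directory not readable anonymously
    for entry in entries:
        full = entry if entry.startswith("/") else posixpath.join(path, entry)
        if full not in found:
            found.append(full)
            found.extend(walk_ftp(ftp, full, depth - 1))
    return found


def anonymous_ftp_exposure(host: str) -> List[str]:
    """Try an anonymous login on `host` (assumed NAS) and return exposed roots."""
    try:
        with ftplib.FTP(host, timeout=10) as ftp:
            ftp.login()  # anonymous login: user "anonymous", empty password
            return file_history_roots(walk_ftp(ftp))
    except ftplib.all_errors:
        return []  # login refused or host unreachable: nothing exposed this way
```

An empty result from anonymous_ftp_exposure means either the server refused anonymous login or no File History catalog was found within the depth limit, so pair it with a review of the share's access controls.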

If File History violates corporate policies, infosec pros can disable it altogether via a group policy object as described by Microsoft.

Even if a business decides to use File History and makes sure the chosen storage is secure, sensitive data can still wind up accessible to anyone on the Internet, Johnson says.

For example, if an employee copies files to a thumb drive and then loads them onto a non-corporate machine that backs up to the wrong kind of NAS, those files are exposed, he says. In that case supplemental controls, such as policies that block downloads to removable media, can help remedy the situation, he says.

Johnson says he stumbled on this weakness while researching another issue. He has found email addresses for some individuals with exposed files, and he contacted them. "If I had my data exposed I'd at least want someone to tell me," he says.

Most of them didn't respond, some corresponded with him to find out more and one berated him for snooping. (Johnson says he doesn't actually drill down into the files themselves, just to their names, which can reveal a lot about what's in them.) He's checked back on the stored files of some of those he told about their problem and many of them are no longer available, so apparently they took steps to deal with the leaks.

Stories by Tim Greene