
Access to sensitive data...


Sponge

My NAS (RAID 10) went fubar several weeks ago, possibly initiated by one of the drives failing. I opened a support ticket with the manufacturers which they eventually responded to and asked me to open up my network so they could gain access and attempt to recover it. They have just succeeded.

I had to place the NAS in the DMZ and give Thecus (the manufacturer) a password to the NAS.

I have now removed the NAS from the DMZ and changed the admin password to the NAS, so they should no longer have access.

However, I am worried about the data they have had access to over the last few days. It's mainly pictures, home movies, films, etc, but there are also documents with sensitive data, e.g. account numbers, passwords, etc. I'm concerned that some unscrupulous employee could have been rummaging through all of this data and maybe even made copies. Do you think it warrants going through all my accounts and changing everything? It'd be no small task, but for my own peace of mind I might have to.

Am I being paranoid?

Link to comment

It does raise another point though - future security of the data should something similar happen again.

I'm in the habit of creating .txt documents to hold passwords, etc as there are just too many for me to remember. I can easily search for them in Windows 7 whenever I have to log into my gas/elec, credit card account, etc. Is there a better way of doing this? Is there a file type I can use, something as simple and easy to create/use as a .txt, but which is 'lockable', say, with a password?

I suppose I could create one excel spread sheet. But I just find it so easy to type 'AMEX' into the Windows 7 search bar et voilà, it's there and open in seconds. No having to rummage through tons of other stuff.

Edited by Sponge
Link to comment

If you want to do it properly then create a container for all your sensitive documents using something like TrueCrypt - Free Open-Source On-The-Fly Disk Encryption Software for Windows 7/Vista/XP, Mac OS X and Linux - Downloads. Personally I wouldn't rely on the inbuilt encryption MS Office offers - these can be relatively simple to crack :o

Also, for the future, consider the advantages of going "old school". What's your greatest risk/worry, online hack or home burglary? If it's the former then why not record the details on paper and hide it in the house +++

Link to comment

I'd def recommend truecrypt for creating encrypted virtual drives too! I have one on each laptop and on my buffalo terrastation!

Although the laptops also use full disk encryption IF I was presented with a fault like yours the best they could do is copy the container and brute force it, being in the industry though I have some Aladdin tokens to store the keys on!

I hope it's paranoia as well though and perhaps consider cancelling any credit cards?

If Thecus are UK based you should have some protection I would have thought. But that's more of hope!

Cheers

tone

Link to comment

yes you're paranoid. user details are stolen by the 100,000.

every time you use a switch card there's a chance your details will be nabbed and much easier for them that way than parsing GB of data to find a password for your online bank?

did you check which of your files were actually accessed?

Link to comment

I wouldn't know how to tbh. :o I know how to view the NAS logs and it shows IP addresses logging in, but that appears to be the extent of it.

All I know is prior to granting them access my array was inaccessible. It's now back and I can access the data. I don't know exactly what went wrong or how they fixed it.

If Thecus are UK based you should have some protection I would have thought. But that's more of hope!

The support ticket was logged via their EU site, which I think is in the Netherlands. They then passed the IP address and password I provided for the NAS to their HQ, wherever that may be...

Dear customer,

I checked the connection and it's working. I forwarded the login details to our Head Quarters, so that they can try to recover the RAID.

Kind regards,

Wouter Simons

Technical support

Thecus NL BV

Edited by Sponge
Link to comment

I would say you are being paranoid, as Thecus are a legitimate company & as others have said there are far easier ways for your data to be compromised if someone wants to.

As a policy it makes sense not to allow the removal of un-encrypted sensitive data. I can't see why an engineer would risk losing his (probably reasonably well paid) job getting caught trawling/removing/hacking your many GB of data for possibly no/a small reward.

Does make a lot of sense to disguise/hide pw files though as you are right we often allow people to "walk around" our systems !

Link to comment