Our job is to help you stay in control over your data. Nextcloud is designed to be the easiest, most secure private cloud available. To keep it safe, it is important to keep your server up to date and we introduce the Nextcloud Private Cloud Security Scanner to help you with that. The results of our analysis have been covered in an article you might have seen in Der Spiegel.
We help you keep your data yours
Last year, Dropbox lost data from 68 Million accounts, and Yahoo famously had data from no less than 1 billion accounts compromised. People who run a private cloud server like Pydio, ownCloud or Nextcloud presumably do so to keep their data from prying eyes. Sadly, privacy means little without security and it is not trivial to keep a server secure.
Frequently, security researchers find new ways to break cryptographic systems or mistakes are found in the software you run. Where many software companies tend to try to hide security issues in their software, only to be exposed when massive dumps of user data are found on the dark web (Yahoo kept its breach secret for 3 years!), Nextcloud strives to be transparent while developing new, innovative security capabilities. The reality is that any complex piece of software has security issues and finding and fixing them is a more effective way of dealing than the Ostrich Method. We pay security researchers up to USD 5000 rather than sueing them or letting their reports fall on deaf ears, a tactic that has been proven to work well. A result is frequent updates with security related fixes.
To help you keep your system up to date, Nextcloud made updating Nextcloud servers super easy. Our new updater notifies system administrators of new versions and once started by them, automatically checks if all dependencies are there, makes a backup and then replaces the files on your server with the new version. We know updating still requires a bit of work and attention, so we keep working on lowering the barrier to an up to date and secure system.
Introducing the Private Cloud Security Scanner
From what people tell us at events and online, we know many servers still are not kept updated. That often comes with big security risks. Some problems in older versions enable an attacker to take over a server completely; others allow unauthorized downloading of some or all of the data on the server! It is the nature of security in software development that running old, un-updated versions is a risk. Also a legal risk, as Europe has strict General Data Protection Regulation.
To help you assess the security of your private cloud server, Nextcloud has developed the Private Cloud Security Scanner. By entering the URL of your server, you can learn if there is a newer version of your private cloud software and what vulnerabilities exist in the one you are currently running. A few simple checks are also done to assess other security settings on your server.
Please note that the scanner merely does a very simple, basic check, inquiring from the server what version it runs and analyze the response. No ‘hacking’ attempt is made, and there are many other things which can be broken that this minimal scan does not see.
Looking on the web
While developing the security scanner we had a look at the state of security of private cloud servers online. Many administrators might not be aware how easy it is to get a list of servers on the web! Services like shodan.io provide the ability to search for specifics and it is simple to get a list of tens of thousands of instances and look at them.
We quickly realized a VERY large percentage was insecure. Many hundreds of servers had such severe vulnerabilities they could be taken over entirely. Data from thousands can be downloaded trivially and tens of thousands more are vulnerable with only a little bit of work on part of the attacker, like obtaining a sharing link. About two-thirds of the servers we looked at were vulnerable. With an estimated 200K servers out there it extrapolates to a scary large number. We did not feel any better looking at the specific URLs, seeing political parties, hospitals, universities, large corporations and governments in the list of insecure servers.
At this point, we decided we should warn the administrators of these instances. Of course, a blog or tweet would not make much difference as some had not upgraded for years. And publicity could encourage people with more nefarious goals to look at these servers and try to break in. The events around a Drupal vulnerability have shown that, within hours of public disclosure, it might already be too late to patch servers. We discussed trying to reach out directly but thought it wasn’t really our place to contact people directly, many of whom were not even running Nextcloud.
Instead, we looked at what the usual process to follow is when you discover a big security issue like this. That is to alert the security organizations in various countries like the volunteers from the Shadowserver Foundation, the SWITCH Foundation in Switzerland, the BSI in Germany and so on and discuss what to do. They decided to reach out to users with a personal warning, including the results of the scan. This reach-out goes through different channels, depending on country and organization which handles this. Some reach out directly, others go via service providers or other channels. We made sure the security scan would not expose any private data, using unique IDs instead of URLs to present them the results and we kept as quiet as possible on our communication channels about this matter.
Results
The effort has been quite successful. Of the tens of thousands server owners who were informed, over 5% had upgraded already in the first ten days. We noticed that especially the administrators of the more active and heavily used servers responded by upgrading, securing a large number of user accounts.
The outreach through the security organizations in each country went less than perfect, too. Some don’t handle this anywhere near as nice as we’d like to have seen; there was one instance which just emailed the entire list of vulnerable URL’s to its entire customer base. Others did not alert their customers at all. But most did a reasonable job in both making clear the urgency of the issue and protecting the privacy of their users.
But we could only see and contact a subset of the total number of servers out there. Despite our significant efforts, we estimate that there are at least another 50.000 insecure private cloud servers out there we have not been able to warn. This is where, among other things, this blog post comes in: we hope to enlist the community in our efforts to reach out and get as many private cloud servers upgraded as soon as possible to the latest release of whatever software they run, explaining to system administrators how important this is. If needed, you can use information from this blog by Lukas to explain the dangers. And, of course – the article on Der Spiegel.
Future
Nextcloud has been working hard on making it easier to keep your system up to date. We rewrote the update tool for Nextcloud 10, making it easy to use it from the command line in Nextcloud 11 and Nextcloud 12 will no longer disable apps when doing a security update, making the updates less intrusive. More improvements are being worked on. Our ultimate goal is to make updates so seamless they can be done fully automatic without any administrator involvement or downtime. At this moment, we have achieved this on the Nextcloud Box, using Canonical’s Snap technology which automates updates entirely. You can read more about that in this whitepaper.
We also plan to improve the security scan. From today you can use it to scan your own server and see what the security state is, and we have already invited other open source private cloud projects to work with us and make it possible to scan their software as well. ownCloud has responded by creating their own scan.
More information
If you are wondering what the dangers are of using an outdated private cloud server, Lukas has written a great analysis of the risks and Spiegel Online has a more political view on what this kind of issues can mean for our society.
If you currently run a private cloud server like ownCloud or Nextcloud you can follow our extensive instructions on how to get updated to a secure release!
If you want to know what this entire private cloud thing is all about, read this article on CIO.com
Thanks
We would like to thank everybody who has been helping us reach out to server owners, including Der Spiegel and other press, both for keeping this quiet to give server owners time to upgrade and for helping explain the risks now.