Our job is to help you stay in control over your data. Nextcloud is designed to be the easiest, most secure private cloud available. To keep it safe, it is important to keep your server up to date and we introduce the Nextcloud Private Cloud Security Scanner to help you with that. The results of our analysis have been covered in an article you might have seen in Der Spiegel.
We help you keep your data yours
Last year, Dropbox lost data from 68 Million accounts, and Yahoo famously had data from no less than 1 billion accounts compromised. People who run a private cloud server like Pydio, ownCloud or Nextcloud presumably do so to keep their data from prying eyes. Sadly, privacy means little without security and it is not trivial to keep a server secure.
To help you keep your system up to date, Nextcloud made updating Nextcloud servers super easy. Our new updater notifies system administrators of new versions and once started by them, automatically checks if all dependencies are there, makes a backup and then replaces the files on your server with the new version. We know updating still requires a bit of work and attention, so we keep working on lowering the barrier to an up to date and secure system.
Introducing the Private Cloud Security Scanner
From what people tell us at events and online, we know many servers still are not kept updated. That often comes with big security risks. Some problems in older versions enable an attacker to take over a server completely; others allow unauthorized downloading of some or all of the data on the server! It is the nature of security in software development that running old, un-updated versions is a risk. Also a legal risk, as Europe has strict General Data Protection Regulation.
To help you assess the security of your private cloud server, Nextcloud has developed the Private Cloud Security Scanner. By entering the URL of your server, you can learn if there is a newer version of your private cloud software and what vulnerabilities exist in the one you are currently running. A few simple checks are also done to assess other security settings on your server.
Please note that the scanner merely does a very simple, basic check, inquiring from the server what version it runs and analyze the response. No ‘hacking’ attempt is made, and there are many other things which can be broken that this minimal scan does not see.
Looking on the web
While developing the security scanner we had a look at the state of security of private cloud servers online. Many administrators might not be aware how easy it is to get a list of servers on the web! Services like shodan.io provide the ability to search for specifics and it is simple to get a list of tens of thousands of instances and look at them.
We quickly realized a VERY large percentage was insecure. Many hundreds of servers had such severe vulnerabilities they could be taken over entirely. Data from thousands can be downloaded trivially and tens of thousands more are vulnerable with only a little bit of work on part of the attacker, like obtaining a sharing link. About two-thirds of the servers we looked at were vulnerable. With an estimated 200K servers out there it extrapolates to a scary large number. We did not feel any better looking at the specific URLs, seeing political parties, hospitals, universities, large corporations and governments in the list of insecure servers.
At this point, we decided we should warn the administrators of these instances. Of course, a blog or tweet would not make much difference as some had not upgraded for years. And publicity could encourage people with more nefarious goals to look at these servers and try to break in. The events around a Drupal vulnerability have shown that, within hours of public disclosure, it might already be too late to patch servers. We discussed trying to reach out directly but thought it wasn’t really our place to contact people directly, many of whom were not even running Nextcloud.
Instead, we looked at what the usual process to follow is when you discover a big security issue like this. That is to alert the security organizations in various countries like the volunteers from the Shadowserver Foundation, the SWITCH Foundation in Switzerland, the BSI in Germany and so on and discuss what to do. They decided to reach out to users with a personal warning, including the results of the scan. This reach-out goes through different channels, depending on country and organization which handles this. Some reach out directly, others go via service providers or other channels. We made sure the security scan would not expose any private data, using unique IDs instead of URLs to present them the results and we kept as quiet as possible on our communication channels about this matter.
The effort has been quite successful. Of the tens of thousands server owners who were informed, over 5% had upgraded already in the first ten days. We noticed that especially the administrators of the more active and heavily used servers responded by upgrading, securing a large number of user accounts.
The outreach through the security organizations in each country went less than perfect, too. Some don’t handle this anywhere near as nice as we’d like to have seen; there was one instance which just emailed the entire list of vulnerable URL’s to its entire customer base. Others did not alert their customers at all. But most did a reasonable job in both making clear the urgency of the issue and protecting the privacy of their users.
But we could only see and contact a subset of the total number of servers out there. Despite our significant efforts, we estimate that there are at least another 50.000 insecure private cloud servers out there we have not been able to warn. This is where, among other things, this blog post comes in: we hope to enlist the community in our efforts to reach out and get as many private cloud servers upgraded as soon as possible to the latest release of whatever software they run, explaining to system administrators how important this is. If needed, you can use information from this blog by Lukas to explain the dangers. And, of course – the article on Der Spiegel.
Nextcloud has been working hard on making it easier to keep your system up to date. We rewrote the update tool for Nextcloud 10, making it easy to use it from the command line in Nextcloud 11 and Nextcloud 12 will no longer disable apps when doing a security update, making the updates less intrusive. More improvements are being worked on. Our ultimate goal is to make updates so seamless they can be done fully automatic without any administrator involvement or downtime. At this moment, we have achieved this on the Nextcloud Box, using Canonical’s Snap technology which automates updates entirely. You can read more about that in this whitepaper.
We also plan to improve the security scan. From today you can use it to scan your own server and see what the security state is, and we have already invited other open source private cloud projects to work with us and make it possible to scan their software as well. ownCloud has responded by creating their own scan.
We would like to thank everybody who has been helping us reach out to server owners, including Der Spiegel and other press, both for keeping this quiet to give server owners time to upgrade and for helping explain the risks now.
As part of Schleswig-Holstein's state digitization strategy, the state chancellery has announced they will work with Nextcloud to develop AI for working with government documents. This comes just after we announced the first private AI assistant last weekend with Hub 6. The German state already uses Nextcloud and their AI strategy aligns with our work on ethical, local AI technologies.
Nextcloud is on an international tour spreading the word of Nextcloud Hub 6 this October! Go to any of the following events to: Whether you’re in Germany, Italy, Latvia, Singapore or the UAE, we’re ready to share the latest of what Nextcloud has to offer nearest you. Open Source Week (OSW23) October 3-5, Rome, Italy […]
Our latest release supports a healthy meeting culture, introduces the Nextcloud Assistant and emphasizes user-centric design, transparency and user control. Thank you to our community! 💙 Nextcloud would not be the same without our dedicated, encouraging community. A huge thank you to the thousands of community members for making this release the best it can […]
Video calls and online chats are second nature for us at this point. Taking your work call virtually or communicating with your manager online can all be done from home and this style of working is generally accepted. However, what is not universally accepted is the fact that Big Tech firms are ambiguous about what […]
Over the last year, AI has become a popular topic. Some is hype, some is substance. Some is good, some is bad. We want to give you the good, not the bad, and ignore the hype! AI has a ton of opportunity – but also risk. So we put you in control – off by […]
Data Loss Prevention, or DLP, is an essential security tool for any business or organization. Since you never know when you may be at risk of a data breach, it’s important to adopt some form of DLP. A typical example are anti-virus scanners. Thanks to the new ICAP support, Nextcloud can now be made to […]