On Wed, 1 Mar 2017, Nick Buraglio wrote:
> Is this actually a realistic fear?
Let me put it this way: I have personally found an anon-ftp server with company confidential documents on it that was reachable from the outside without the owner's knowledge, because there was a port-forward in the residential gateway that the owner wasn't actively aware of, and the NAS had anon-ftp turned on without the owner's active knowledge.
So Google had indexed all files on this NAS. I contacted the person (did some digging using pictures etc. on this NAS) via their employer, and talked to the person, who had no idea.
Now, with unfiltered IPv6 it would be harder to actually find this NAS, but once found, there is no need for a port forward for it to be reachable from the Internet.
So yes, I can understand the fear and I agree that it's realistic. That's why most ISPs have chosen to have stateful filtering toward the customers by default.
-- Mikael Abrahamsson email: [email protected]
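The default stateful filtering toward customers that the reply refers to, shown as an added nftables ruleset for a residential gateway's IPv6 forwarding path (this is example configuration, not from the thread or any vendor; the interface names and the 2001:db8:: address are assumed placeholders):

```nftables
#!/usr/sbin/nft -f
# Added example: "simple security" style IPv6 forwarding filter for a CPE.
# Interface names below are assumptions for this example.
define wan = "eth0"
define lan = "br-lan"

table ip6 cpe_v6 {
    chain forward {
        type filter hook forward priority filter; policy drop;

        # Replies to flows the LAN initiated may come back in; invalid state is dropped.
        ct state established,related accept
        ct state invalid drop

        # Hosts on the LAN may start flows toward the Internet.
        iifname $lan oifname $wan accept

        # ICMPv6 that IPv6 needs to work (path MTU discovery, diagnostics).
        iifname $wan icmpv6 type { packet-too-big, time-exceeded, parameter-problem, echo-request } accept

        # Deliberate exposure of a LAN service is an explicit, reviewable rule here
        # rather than an accidental side effect (placeholder address from 2001:db8::/32):
        # iifname $wan ip6 daddr 2001:db8::1234 tcp dport 443 ct state new accept

        # Anything else arriving from the WAN is an unsolicited new flow (for example a
        # connection to port 21 on a NAS that happens to hold a global address) and is
        # dropped by the chain policy; logging it makes such attempts visible to the owner.
        iifname $wan oifname $lan log prefix "v6-unsolicited-inbound: " drop
    }
}
```

With this in place, a LAN device that silently enables a service is no more reachable from the Internet than it was behind IPv4 NAT, and exposing it requires an explicit rule that the owner can see.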
