By Alex Scroxton | Computer Weekly
A series of data leaks in the past week have once again implicated poorly secured Amazon S3 buckets, which are supposed to be private by default
The lack of care being taken to correctly configure cloud environments has once again been highlighted by two serious data leaks in the UK caused by leaking Amazon Simple Storage Service (S3) bucket databases.
As a default setting, Amazon S3 buckets are private and can only be accessed by individuals who have explicitly been granted access to their contents, so their continued exposure points to the concerning fact that consistent messaging around cloud security policy, implementation and configuration is failing to get through to many IT professionals.
The first leak related to several UK consulting firms. This was uncovered by Noah Rotem and Ran Locar, researchers at vpnMentor, who uncovered information such as passport scans, tax documents, background checks, job applications, expense claims, contracts, emails and salary details relating to thousands of consultants working in the UK.
The owner of the unsecured bucket was not clear, but Rotem and Locar (who last year revealed a similar case affecting millions of Ecuadorian citizens) were able to trace it to a mysterious company called CHS Consulting. The database contained data from several other consultancy firms, some of which have now ceased trading. Most of the data had been collected between 2014 and 2015, although some files dated back to 2011.
Following notification to Amazon Web Services (AWS) and the UK’s National Cyber Security Centre (NCSC), the database was secured by 19 December 2019.
The second leak was from a bucket belonging to Fresh Film, a UK-based production company, which specialises in TV commercials for health and beauty brands.
According to Verdict, which first reported the story, Fresh Films accidentally exposed data on 40 actors who had appeared in a 2017 commercial for Unilever brand Dove, as well as details about the production team and crew members.
Personal data points exposed included names, postal and email addresses, phone numbers, birth dates and bank details, as well as passport scans and the National Insurance numbers of some of the participants.
User error the only explanation
It bears repeating that AWS buckets are private by default, so barring targeted attacks by cyber criminals using, for example, phishing or social engineering techniques to get inside a company’s systems, in cases of exposed buckets, their contents can only be revealed by error or negligence.
Rotem and Locar said it was clear that had CHS secured its servers, implemented proper access rules and taken more care to ensure a system that doesn’t require authentication wasn’t left open to the public internet, this could have been avoided. The same can be inferred to apply to Fresh Film.
Sergio Lourerio, Outpost24
“Amazon provides detailed instructions to AWS users to help them secure S3 buckets and keep them private. In the case of CHS, the quickest way to fix this error would be to make the bucket private and add authentication protocols, [to] follow AWS access and authentication best practices, [and] add more layers of protection to their S3 bucket to further restrict who can access it from every point of entry,” Rotem and Locar said in their disclosure.Sergio Lourerio, cloud security director at Outpost24, said: “We are still in the early days of cloud infrastructure security and what we are seeing is a prevalence of opportunistic, not very sophisticated attacks, such as looking for publicly accessible AWS S3 data buckets.“You’d be amazed to see the data you can find there just by scanning low-hanging data in cloud infrastructures. And it only takes a couple of API [application programming interface] calls to do it. With a lot of data being migrated to the cloud for use cases like data mining, and lack of knowledge of security best practices on Azure and AWS, it is very simple to get something wrong.”
Steps to remediate
Dean Sysman, CEO and co-founder of Axonius, a security asset management platform, said it was quite easy to understand how databases held in the public cloud leak so frequently.
“Many organisations initially intend for their S3 buckets to be used solely for backups, or they’ve either misunderstood or forgot to double-check authentication permissions. Unfortunately, we’re bound to see more of these leaks in the future, as they’re incredibly easy to find even though they’re easy to avoid.
“Luckily, IT teams don’t have to wait until a breach to figure this out – to ensure they’re protected, they must first decide the intent for the cloud instance, and then monitor and enforce who can actually access the data,” said Sysman. According to Outpost24’s Lourerio, part of the solution is to make sure you perform continuous data risk assessments, something that can be easily automated, and will also go some way to mitigating any ransomware attacks that find their way into the system by limiting the amount of data ransomware can encrypt. Cloud providers do have tools to help customers tackle the issue themselves, and this can be complemented by cloud security posture management services and cloud workload protection platforms.Jonathan Deveaux, head of enterprise data protection at Comforte AG, highlighted additional steps such as activating encryption on databases containing sensitive or personally identifiable data.“Tokenising or encrypting the data itself means that no matter where the data is stored – in a database, in another database in the cloud, on another server elsewhere in the enterprise – the data is always protected in a way such that ‘security travels with the data’,” said Deveaux.He conceded, however, that this created an additional headache because said data would obviously then have to be decrypted if it was suddenly needed – a “somewhat” valid reason for leaving data exposed.
Robert Ramsden-Board, vice-president for Europe, the Middle East and Africa (EMEA) at Securonix, said the consequences of the datasets being exposed could have been far more serious had it been found by cyber criminals, and not ethical hackers such as Rotem and Locar.
And, of course, there is nothing to suggest that the data from either the CHS or Fresh Films leaks has not been found by cyber criminals – it may already have been used.
“The security and privacy consequences for those whose data had been exposed could be great. Individuals incur a heightened risk of experiencing threats such as identity theft and phishing scams,” said Ramsden-Board.
“This may be one of the first data incidents of 2020, but it follows a very similar pattern to numerous data leaks in 2019. Practising basic cyber hygiene is a must for all organisations, particularly those that are trusted with our most sensitive data, and in 2020 those that fail to secure their databases should be held accountable,” he said.
Peter Draper, EMEA technical director at Gurucul, added: “The situation of today’s digital world is that an increasing volume of personally identifying information is being harvested whenever we interact with organisations online.
“Legitimate companies can collect data about us from sources all over the internet, and then combine that data into detailed profiles which they can then sell. If this data isn’t strongly secured, and it often isn’t, this information can easily end up on the dark web.”
Censornet chief technology officer Richard Walters added: “Data leaks such as this happen because businesses do not have enough awareness or visibility of how their data is actually being stored in the cloud, and it is crucial that this changes.
“Unfortunately, a lack of accountability makes this difficult – Amazon can’t disclose whose storage this is so we don’t know what organisation is responsible. However, that is no excuse for businesses to be lax on cloud security. They and their customers will pay the final cost of lost data.”
However, Comforte AG’s Deveaux said that in the case of the CHS breach, holding those responsible accountable would be very hard.
“What may be most revealing about this sensitive data discovery is that many of the firms are no longer in business,” he said. “If one of the people were negatively affected by this data exposure discovery, and they want to hold someone, or some organisation responsible, who would that be?
“Company policies towards data need to ensure sensitive data is protected at all times, which would minimise data exposure incidents even if a company goes out of business.”
The nature of the CHS leak makes it very difficult to know exactly who can be held accountable, or if they will be held to account. However, in the case of Fresh Films, which has a legal obligation to inform the Information Commissioner’s Office of its leak, there will almost certainly be some form of blowback under the General Data Protection Regulation (GDPR).
External Link: Exposed AWS Buckets Again Implicated in Multiple Data Leaks