WEBINAR: Live Event Date: September 20, 2017 @ 1:00 p.m. ET / 10:00 a.m. PT
Designing a Proactive Approach to Information Security with Cyber Threat Hunting REGISTER >
Security researchers recently came across vast amount of data belonging to both Viacom and Verizon that had been left exposed online. The data leaks are just the latest in a long series of similar breaches, including another one that exposed as many as 14 million Verizon customers' data just a few months ago.
On September 20, Kromtech Security researchers found a publicly accessible Amazon S3 bucket containing 100 MB of data belonging to Verizon Wireless.
"Although no customers' data are involved in this data leak, we were able to see files and data named 'VZ Confidential' and 'Verizon Confidential,' some of which contained user names [and] passwords... these credentials could have easily allowed access to other parts of Verizon's internal network and infrastructure," Kromtech chief security communications officer Bob Diachenko wrote in a blog post detailing the breach.
Another folder held 129 Outlook messages containing internal communications as well as passwords and login credentials.
The researchers notified the owner of the bucket on September 21, and the data was taken offline. According to Diachenko, the bucket was personally owned by a Verizon Wireless engineer, and wasn't owned or managed by Verizon. The engineer claimed "no confidential stuff" was exposed.
Keys to the Kingdom
Separately, on August 30, UpGuard researchers came across a publicly accessible Amazon S3 bucket containing 72 files of compressed backup data linked to Viacom. UpGuard director of cyber risk research Chris Vickery notified Viacom of the discovery on August 31, and the data was secured within hours.
"While Viacom has not confirmed to UpGuard the purpose of this bucket, the contents of the repository appear to be nothing less than either the primary or backup configuration of Viacom's IT infrastructure," UpGuard cyber resilience analyst Dan O'Sullivan wrote in a blog post.
The exposed data, according to O'Sullivan, included passwords and manifests for Viacom's servers, as well as Viacom's access key and secret key for its AWS account.
O'Sullivan said the data is a reminder that cloud leaks don't need to be large in disk size to be devastating. "Analysis of the Viacom leak reveals nothing less than this: they keys to a media kingdom were left publicly accessible on the Internet, completely compromising the integrity of Viacom's digital infrastructure," he wrote.
The data, O'Sullivan noted, could have enabled malicious actgors to launch phishing schemes leveraing the company's brand recognition to trick victims into providing more personal information. "The exposure of secret access keys to Viacom's AWS account, as well as the control of the company's server configurations and manifests, could also have allowed malicious actors to spin off additional servers to use Viacom IT systems as a botnet," he wrote.
Check Your Settings
The past few months have seen a flood of significant cloud leaks exposing as many as 4 million Dow Jones customers' data, over 3 million WWE fans' personal information, more than 1.8 million Chicago voters' personal data, 593,328 Alaskan voters' personal information, 48,000 Indian citizens' personal data, 11,000 KS Enterprises customers' sensitive information -- and back in June, as many as 14 million Verizon customers' data.
Dome9 co-founder and CEO Zohar Alon told eSecurity Planet by email that with so many high-profile incidents involving S3 buckets, it's baffling that every organization isn't carefully examining their cloud configurations. "Protecting data in the cloud from accidental exposure and theft is a business priority," Alon said.
"Companies need to be held highly accountable for their lack of security on the public cloud," Alon added. "The public cloud needs a united front on security with regular configuration checks and balances -- where public cloud providers, third party tools with advanced features, and a governing body all work together in order to ensure corporate and consumer data stays safe and out of the reach of hackers."
"If your organization is using Amazon S3 for any data storage, it's imperative that you review the security settings to avoid these kinds of exposures," Tripwire vice president of product management Tim Erlin said by email. "With so many of these incidents in the recent past, there's no excuse for not performing the basic checks to make sure you're not at risk."
Confusion About Security
A recent Barracuda Networks survey of 300 U.S. IT decision makers found that respondents are currently running 44 percent of their infrastructure in the public cloud, and expect this percentage to nearly double in the next five years.
And while 74 percent of respondents say security concerns are restricting their organizations' migration to the public cloud, 30 percent of organizations haven't added additional security layers to their public cloud deployments.
Seventy-seven percent of respondents believe public cloud providers are responsible for securing customer data in the cloud, and 68 percent believe cloud providers are responsible for securing customer applications as well.
"This survey confirms what we are hearing from customers and partners -- security remains a key concern for organizations evaluating public cloud, and there's confusion over where their part of the shared responsibility model begins and ends," Barracuda vice president for public cloud Tim Jefferson said in a statement.