Tag Archives: Amazon S3

Amazon Continues to Try and Secure S3 Storage

As we continue to hear in the news about Amazon storage bucket breaches, Amazon continues to try to stem the reputational damage.  I am not aware of any of those data spills being caused by bugs in Amazon software, but the reputational damage is still real.

Over the past year or so Amazon has made a number of changes:

  • All newly created S3 buckets are private by default.  This means that any breach of data from an S3 bucket created after that change was caused by someone explicitly granting public access to it, through a bucket ACL or a bucket policy, whether deliberately or by mistake.
  • Next, Amazon created a tool that lets admins see which S3 buckets and objects are publicly visible (see this article for more details).  After this change, any admin could, with a small amount of effort, find out whether any of their S3 data was publicly exposed.

Even after these changes, there were breaches every month.  To be blunt, the companies that were still leaking data just weren't paying attention.  There is no reason why we should still have these data leaks, but we do.

In fairness, part of the problem is that it is so easy to create resources on Amazon, and companies often do not have the right controls in place.  People create storage repositories and then forget about them, leave the company or change jobs.  Now we have orphaned data, sometimes publicly exposed.

Whether data is stored locally or in the cloud, proper IT governance is critical to protect company information.

Enter S3 Block Public Access.  With this new feature, admins can block public access selectively or entirely from a single console.  The setting can be applied to a single bucket or to every bucket in an account, and its four switches cover both routes to a public bucket: ACLs and bucket policies.

While this may be a bit of a sledgehammer, it is very effective if used correctly.

This tool will block public access to S3 data even if a user accidentally tries to make it public.  It should be totally effective if people use it correctly.

However, I predict that people will not use it, just like the tools that have already been deployed.

If this tool is used correctly, it will also protect those orphaned buckets.

What it will not protect against is unauthorized Amazon accounts that are not tied to the main corporate account: an account-level block only covers the buckets in that account, so a shadow account someone opened outside the company's AWS organization inherits none of it.
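To make the four switches concrete, here is how they combine with a bucket's existing ACL and bucket policy, as an added example (my own code, not Amazon's).  It classifies an ACL or policy as public using the same signals Amazon uses (grants to the AllUsers or AuthenticatedUsers groups, and Allow statements for a wildcard principal), then applies the Block Public Access switches to see what is still reachable and what would be refused if someone tried to set it today.  The sample ACL and policy documents are constructed, and RESTRICTING_CONDITION_KEYS is an assumed, deliberately short subset of the condition keys Amazon treats as "not public", so the check errs toward flagging.

```python
"""Effective exposure of an S3 bucket under Block Public Access (added example).
ACL/policy samples are constructed in the shape `aws s3api get-bucket-acl` and
`get-bucket-policy` return; RESTRICTING_CONDITION_KEYS is an assumed subset."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Any

# Grantee URIs that make an ACL grant "public" in AWS's definition; AuthenticatedUsers
# counts because anyone can open an AWS account.
PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

# Condition keys that pin a "*" principal to a specific caller or source.  Any key not
# listed here (aws:Referer, for instance) leaves the statement classified as public.
RESTRICTING_CONDITION_KEYS = {k.lower() for k in (
    "aws:PrincipalAccount", "aws:PrincipalArn", "aws:PrincipalOrgID",
    "aws:SourceAccount", "aws:SourceArn", "aws:SourceVpc", "aws:SourceVpce",
)}


@dataclass(frozen=True)
class PublicAccessBlock:
    """The four switches of S3 Block Public Access (settable per bucket or per account)."""
    block_public_acls: bool = False        # reject PUTs of new public ACLs
    ignore_public_acls: bool = False       # neutralise public ACLs already in place
    block_public_policy: bool = False      # reject PUTs of new public bucket policies
    restrict_public_buckets: bool = False  # neutralise public bucket policies already in place

    @classmethod
    def block_all(cls) -> PublicAccessBlock:
        return cls(True, True, True, True)


def acl_is_public(acl: dict[str, Any]) -> bool:
    """True if any grant goes to the AllUsers or AuthenticatedUsers group."""
    return any(g.get("Grantee", {}).get("Type") == "Group"
               and g.get("Grantee", {}).get("URI") in PUBLIC_ACL_GROUPS
               for g in acl.get("Grants", []))


def _principal_is_wildcard(principal: Any) -> bool:
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def policy_is_public(policy: dict[str, Any] | None) -> bool:
    """True if an Allow statement gives a wildcard principal access without a
    condition that pins it to a specific account, principal or source."""
    if not policy:
        return False
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or not _principal_is_wildcard(stmt.get("Principal")):
            continue
        # Condition is {operator: {condition_key: value, ...}}; keys are case-insensitive.
        keys = {k.lower() for block in stmt.get("Condition", {}).values() for k in block}
        if not keys or not keys <= RESTRICTING_CONDITION_KEYS:
            return True
    return False


def effective_exposure(acl: dict[str, Any], policy: dict[str, Any] | None,
                       pab: PublicAccessBlock) -> dict[str, bool]:
    """Combine the bucket's current ACL and policy with the Block Public Access switches."""
    acl_public, policy_public = acl_is_public(acl), policy_is_public(policy)
    return {
        "acl_public": acl_public,
        "policy_public": policy_public,
        # Reachable right now, once the "ignore" / "restrict" switches are applied.
        "public": (acl_public and not pab.ignore_public_acls)
                  or (policy_public and not pab.restrict_public_buckets),
        # Would the same ACL / policy be rejected if someone tried to PUT it now?
        "put_acl_rejected": acl_public and pab.block_public_acls,
        "put_policy_rejected": policy_public and pab.block_public_policy,
    }


# Constructed samples; "orphaned-example" is not a real bucket.
SAMPLE_PUBLIC_ACL = {"Grants": [{"Grantee": {"Type": "Group",
    "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]}
SAMPLE_PRIVATE_ACL = {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "0" * 64},
    "Permission": "FULL_CONTROL"}]}
SAMPLE_PUBLIC_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::orphaned-example/*"}]}
SAMPLE_ORG_SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Principal": {"AWS": "*"}, "Action": "s3:GetObject", "Resource": "arn:aws:s3:::orphaned-example/*",
    "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}}]}
```

Feed it the output of `aws s3api get-bucket-acl` and `aws s3api get-bucket-policy` for each bucket and the account's current settings from `aws s3api get-public-access-block`.  Two things worth noticing in the result: turning on only IgnorePublicAcls still leaves the bucket-policy route open, which is why the account-wide setting should have all four switches on (`aws s3control put-public-access-block --account-id <id> --public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true`), and the check is per account, so it says nothing about buckets living in an account you do not know exists.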

Amazon is trying very hard to protect people’s information, but it requires people to do their part.

Information for this post came from Help Net Security.

Security News Bites for the Week Ending August 31, 2018

Spyware Company Leaves Terabytes of Data Unprotected

Spyfone, a software company that allows parents to spy on their kids, spouses to spy on each other and employers to spy on employees allowed the world to spy on everyone.

The data left exposed on Amazon included photos, text messages, contacts, location information, Facebook messages and other information.

In addition to leaving all of their customers' data exposed, their own backend servers were also left unprotected.

I guess you might call it Karma for spying on people.  Source: Motherboard.

California Tech Execs Pushing Feds to Reverse Cali Privacy Law

Between GDPR, CCPA and other new privacy laws, the tech industry is concerned that their business model is at risk.

As a result, Google, Microsoft, IBM, Facebook and others are lobbying the Trump administration and Congress aggressively to pass a weak federal privacy law that would usurp California's law and make it easier for those companies to continue their business model as is.

Whatever happens in DC (don't count on anything happening, but you never know), it won't affect the changes in Europe, or in the many other countries that are passing laws similar to the EU's so that they can keep doing business with the EU.  Those laws will impact US businesses that have customers in those countries.  While a company could create one policy for the US and another for the rest of the world, that would be complicated.

Historically, DC has tried to pass a national privacy law, but those past attempts have been much weaker than existing state laws, which made it hard to get enough votes to pass them.  A tough law will be heavily lobbied against.  This is why, unlike most other countries in the world, we have no national privacy law.  Source: NY Times.

Senator Wyden Confirms Stingrays Interfere with 911 Calls

Harris Corporation, maker of the Stingray, has confirmed that the feature designed to stop the Stingray from interfering with 911 calls was never tested and never confirmed to work.

Comforting.

As if that wasn’t a big enough problem, hobbyists can build a DIY Stingray for less than $1,000 in parts.

And, foreign spies are already using them in Washington, DC.

WHAT. COULD. GO. WRONG?   Source: Tech Crunch

Apple Forces Facebook VPN App Out of App Store

Back in 2013 Facebook bought a company named Onavo that makes a VPN app.  The app was marketed as making your browsing more secure.

The only problem is that Facebook had an ulterior motive.  Facebook was collecting data on every web page the user visited, every app they used and every bit of data they transferred.  While the bad guys couldn't eavesdrop, Facebook could.  And did.

Well, apparently Apple had had enough of the duplicity and told Facebook either to withdraw the app voluntarily or Apple would remove it.  The app is now gone for iPhone users.  It is still available to Android users.  Source: The Hacker News.

Walmart Customer Data Leaked from Amazon Storage Bucket

It seems like we are seeing this again and again: a vendor sets up some Amazon storage and sticks some data in it.  Sometimes the vendor forgets about it, or the employee responsible for it leaves, and the data is basically orphaned.

In this case the data was new, so it was not orphaned.  The company, MBM, is a vendor to Walmart that sells jewelry on Walmart's web site and probably in stores as well.

The data was a SQL database backup file named MBMWEB_backup_2018_01_13_003008_2864410.bak, sitting in a bucket named WalmartSQL.

The names alone give away the strings Walmart and MBM and the date, Jan 13, 2018.

The backup file itself was not encrypted; only the credit card data inside it was.

One of the reasons these breaches are so disappointing is that they could be easily avoided.

Here are some things that you should do to mitigate this risk:

  • Inventory your data, whether it lives on a server in your office, on a removable hard drive in someone's briefcase, with a cloud storage vendor like Dropbox or Amazon, or with a Software as a Service vendor such as Salesforce.com.  You MUST know where your data lives.
  • Assign a person to be responsible for this inventory, whether it is a spreadsheet or a database.  This is far from a full-time activity, but it is one that never ends.
  • Create a policy that requires employees to notify the data manager any time a new vendor is added, a new data repository is created or data is moved from one location to another (like from a local server to an Amazon bucket).
  • Ensure that data is encrypted wherever possible, especially if it is stored on portable media or in the cloud, with the keys kept somewhere other than the storage that holds the data.  If this backup had been encrypted that way, no one would be talking about MBM or Walmart.
  • Create a policy and associated procedures that document the rules for who has access to the data, how that access is granted AND REMOVED, and how access to the data is logged.
  • Create a process to alert when these data access rules appear to be violated, whether by a hacker or an insider.
  • Periodically audit the access rules.
  • Run periodic tests to ensure that the system is enforcing the rules.  If you automate the testing, the tests can run every day or every hour.
  • Finally, if there is a vendor involved, make sure the contract specifies who is responsible for implementing security, testing security, auditing security and who is liable in case of failure.
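For the alerting and periodic-testing items above, here is one concrete check, as an added example that is not from the post or from Amazon.  It parses S3 server access log records and flags successful object downloads and bucket listings whose requester field is a dash, which is how S3 logs a request that carried no credentials at all; a bucket that was supposed to be private should never produce one.  The log lines are constructed samples in the documented access-log field order (the bucket and file names are stand-ins, not the real ones), and the byte totals show how much actually left the bucket, which is the number you need for the breach notification.

```python
"""Flag anonymous reads in S3 server access logs (added example, not Amazon's code).
The records below are constructed in the documented S3 server access log field
order; the check relies on the requester field, which S3 writes as "-" when the
request was unauthenticated."""
from __future__ import annotations

import re
from collections import defaultdict
from collections.abc import Iterable

# The first 17 fields of an S3 server access log record; later fields are ignored.
LOG_RE = re.compile(
    r'^(?P<owner>\S+) (?P<bucket>\S+) \[(?P<time>[^\]]+)\] (?P<ip>\S+) (?P<requester>\S+) '
    r'(?P<request_id>\S+) (?P<operation>\S+) (?P<key>\S+) "(?P<request_uri>[^"]*)" '
    r'(?P<status>\S+) (?P<error>\S+) (?P<bytes_sent>\S+) (?P<object_size>\S+) '
    r'(?P<total_time>\S+) (?P<turnaround>\S+) "(?P<referrer>[^"]*)" "(?P<user_agent>[^"]*)"'
)

# Operations that hand data out: object downloads and bucket listings.
READ_OPERATIONS = {"REST.GET.OBJECT", "REST.GET.BUCKET"}


def parse_line(line: str) -> dict[str, str] | None:
    """Split one access-log record into named fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def anonymous_reads(lines: Iterable[str]) -> list[dict[str, str]]:
    """Successful object downloads or listings with no authenticated requester."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if (rec and rec["requester"] == "-"
                and rec["operation"] in READ_OPERATIONS and rec["status"] == "200"):
            hits.append(rec)
    return hits


def bytes_by_source(hits: Iterable[dict[str, str]]) -> dict[str, int]:
    """Bytes served per client IP, i.e. how much each anonymous reader walked off with."""
    totals: dict[str, int] = defaultdict(int)
    for rec in hits:
        if rec["bytes_sent"] != "-":
            totals[rec["ip"]] += int(rec["bytes_sent"])
    return dict(totals)


# Constructed sample records: an anonymous listing, an anonymous download, an anonymous
# request that was refused (not flagged), and an authenticated upload by the owner.
SAMPLE_LOG = """\
acct0000 walmartsql-example [13/Jan/2018:00:30:08 +0000] 198.51.100.7 - 3E57427F3EXAMPLE REST.GET.BUCKET - "GET /walmartsql-example?prefix= HTTP/1.1" 200 - 1187 - 12 11 "-" "Mozilla/5.0" -
acct0000 walmartsql-example [13/Jan/2018:00:30:15 +0000] 198.51.100.7 - 7C3B8DE5EXAMPLE REST.GET.OBJECT example_backup_2018_01_13.bak "GET /walmartsql-example/example_backup_2018_01_13.bak HTTP/1.1" 200 - 734003200 734003200 9012 13 "-" "curl/7.58.0" -
acct0000 walmartsql-example [13/Jan/2018:01:02:41 +0000] 203.0.113.9 - 9A1F0B2CEXAMPLE REST.GET.OBJECT example_backup_2018_01_13.bak "GET /walmartsql-example/example_backup_2018_01_13.bak HTTP/1.1" 403 AccessDenied - 734003200 4 - "-" "python-requests/2.18" -
acct0000 walmartsql-example [13/Jan/2018:02:15:03 +0000] 192.0.2.44 acct0000 1D2E3F4AEXAMPLE REST.PUT.OBJECT example_backup_2018_01_14.bak "PUT /walmartsql-example/example_backup_2018_01_14.bak HTTP/1.1" 200 - - 734003200 8120 - "-" "aws-cli/1.14" -
"""

if __name__ == "__main__":
    found = anonymous_reads(SAMPLE_LOG.splitlines())
    for rec in found:
        print(rec["time"], rec["ip"], rec["operation"], rec["key"], rec["bytes_sent"])
    print("bytes served anonymously per source:", bytes_by_source(found))
```

Server access logging is off by default and has to be turned on per bucket, and the logs land in another bucket, so the inventory step above has to cover the log bucket too.  A 403 from an anonymous caller is not flagged here because nothing leaked, but a run of them from one address is still worth a second, separate alert: someone is probing.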

Information for this post came from SC Magazine.

Why Crisis Communications is Important

It used to be that large companies could control the news cycle.  Used to be, that is.

Now, with social media, in reality, no one is in control of the news cycle.

Dow Jones, the parent company of the Wall Street Journal, which you would think would know a thing or two about the news cycle, apparently has not sorted this out for itself yet.

So, what happened?

On May 30th, Upguard researcher Chris Vickery, who has been in the news regularly lately because of his findings, found a dataset in the Amazon cloud with incorrect permissions on it.  The dataset contained Dow Jones customer information and, because of this error, it could be downloaded by anyone who had an Amazon Web Services account, likely millions of people.  Vickery says that, based on his analysis, he thinks data on around 4 million customers was exposed.  Dow Jones says that it wasn't that bad; its estimate is that only 2.2 million customers were affected.

For some reason, it took Dow Jones a week to change the permissions on this data.  A week.  Why did it take a week?  One possible reason might be tied to their head of communications' explanation that this wasn't really a big deal.  Just customer information.  Nothing to see, keep moving.

In this Amazon S3 bucket were multiple files.  Looking at the data, Chris found customer names, home and work addresses, Dow Jones account numbers, account details, the last four digits of their credit card numbers, email addresses and other information.  There were many files in this bucket and Chris didn't download all of them, so who knows what else was there.

Dow Jones said that it wasn't a breach.  True, it wasn't.  Then again, no one said that it was a breach, only that people who should not be able to read the data could read the data.

Dow Jones called that a data over-exposure.  Well, certainly true, even though I have never heard that term used before.  Over-exposure is what happens when you stay out in the sun too long or set the controls on your camera incorrectly.  I have never heard anyone refer to leaking private customer information as a data over-exposure.

Dow Jones Director of Communications Steve Severinghaus said that the data was over-exposed only on Amazon and not on the Internet.  I guess we should feel better that only a few million people could download it rather than a few billion.  There is some validity to that, but a few million is a large number in its own right, and since anyone can open an AWS account, Amazon's own definition of a public bucket includes one that any authenticated AWS user can read.

Dow Jones said that they were not going to issue a public announcement (not to worry, it is all over the media, so an announcement is not really needed) because passwords and credit cards weren’t leaked.  Probably, also, because they were hoping they could sweep this breach under the rug.

While Dow Jones’ Wall Street Journal may have a paywall to stop nosy people from reading about the breach, The Register, The Inquirer, SC Magazine, and Upguard do not have paywalls.

These are just a few things that Dow Jones did wrong.  You would think that they would have a crisis communications team.  We certainly tell our customers that they need to have one.  Maybe they do have one but this item just got out of control.

Any crisis communications team worth anything will tell you that hunkering down and hoping that no one will notice is a risky proposition.  It did not work here and likely won’t work for you.

The odd thing is that the WSJ ought to know better.  After all, they break embarrassing news stories for breakfast.  And lunch.  Even for dinner.

What were they thinking?

Information for this post came from SC Magazine, Upguard and The Register.