Tag Archives: Amazon

Amazon Inside Delivery Security Already Compromised

Remember a few weeks ago when Amazon said they had a solution to packages being stolen off people’s porches?  It involved a remote control door lock and a security camera.  Many people – not just security people – winced at the idea.  After all, what could possibly go wrong?

Well just a couple of weeks later we now know the FIRST answer to that question.

That Internet enabled camera was connected to the door lock via the Zigbee wireless protocol and via WiFi to the Internet.  Neither of those channels are terribly secure.

Researchers have now demonstrated that from a computer within WiFi range (probably even a phone) running a simple program, the camera can either be disabled or left with the last image frozen on the screen.  The viewer (the homeowner) would either see a blank screen or perhaps the closed door from just before the rogue delivery person enters the house and robs you blind.

The hack is incredibly simple and a well known attack.  The crook sends the camera a “deauth” command, kicking it off the WiFi network (which is why, at the very least, you want that camera to be hard wired to the Internet.  That is not as cheap, easy or pretty as doing it via WiFi.  If you send that command, the camera will keep getting kicked off or really will never get back online.  The camera/server, for some stupid reason, does not generate an alarm warning the user that the house may be burgled, but rather it just shows the last frame that it captured.

At this point the delivery person/burglar opens the door again, moves outside of the field of view of the camera and stops attacking the camera.  Now the crook sends a lock command and everything looks like it should look.

After stealing all your stuff, the bad guy exits the house via a different exit (door or window).

The attacker could also trigger the deauth right as the driver is leaving and since kicking the camera off WiFi would also disable the lock since it piggybacks off the WiFi camera, the driver would think he locked the door when he did not.  Hopefully, the driver will verify that the door is actually locked before he leaves.

These attacks require a great deal of patience to implement, so they are not high risk and Amazon plans to issue a patch, although a deauth is a valid thing to do. Maybe they will generate an alert.

Amazon also says that they will call a customer if the lock remains unlocked (at least unlocked in the mind of the computer) for more than a few minutes – assuming they can reach the customer and assuming the customer is close to the house.  If the door is unlocked and the customer is in another city or state, what good does a call do?

And, attacks often become more sophisticated over time.  This is only the very first attack.

Stay tuned, this game is not over yet.

Information for this post came from Wired.

Facebooktwitterredditlinkedinmailby feather

Another Day, Another Amazon Data Exposure – And How Not To Handle It

Last week I wrote about an incident with a vendor to the City of Chicago who left close to two million voter records exposed on Amazon and how the vendor, in spite of the initial mistake of exposing the data, handled the breach very well (see blog post).

Today we have another case and, this time, an example of how not to handle it.

Today’s case also came from researcher Chris Vickery and the data in question was an Amazon storage bucket with resumes for what the news is calling “mercenaries”.  In fact, the company is Tigerswan, a private security firm.

Like many private security firms that cater to the military or paramilitary world, many of the employees and applicants are ex-military and hold or have held high level security clearances.

On July 20th, Vickery discovered an Amazon S3 bucket named TigerswanResumes with almost 10,000 resumes of veterans and others who were interested in working for Tigerswan.  As is typical for resumes, they included a lot of personal details including former activities in the military and clearance information.  This data was totally exposed to anyone who happened on it – including, potentially, agents of foreign powers who might want to blackmail (or worse) these people.

On July 21st Chris emailed Tigerswan about the situation.  He followed up on the 22nd with a phone call and email and was told they were working with Amazon to secure the data.

On August 10th, with the data still exposed, Chris reached out to Tigerswan again and was told that they were unsure as to why the data was exposed and would bring it to the IT director’s attention.

Finally, on August 24th, a month after being notified, Tigerswan the data was secured.

THE ONLY REASON THAT THE DATA WAS SECURED ON AUGUST 24TH WAS BECAUSE CHRIS WAS ABLE TO GET AMAZON TO INTERVENE.

Tigerswan blamed the situation on a former recruiting vendor – in order words, the data was effectively abandoned and unprotected.  No one “Owned” that data.

Chris’s blog post provides a lot of examples of the backgrounds of people who’s information was exposed and, it would seem, this information would be attractive to intelligence agents.  Included in the resumes were police officers, sheriff deputies, people who worked at Guantanamo and many others.

Also on some of the resumes were references with contact information including one former director of the CIA clandestine services.  You kind of get the idea.

The fact that this took a month to secure the data is an indication of a lack of an effective incident response program and also a lack of a program to manage the location and ownership of data inside the company.  The fact that Amazon finally had to intervene makes the situation even worse.  Unfortunately, neither of these is unusual.

While it does take some work to build and maintain the data maps to document data storage locations – which should include data managed by vendors and ex-vendors on behalf of the company – compared to taking a month to fix a problem like this, the cost is low.  Very low.  For the veterans who were affected, the cost, assuming this data is now in the hands of our adversaries (and I can only assume that if Chris could find it, so could the Russians or the Chinese), is high and those veterans and others will have to deal with it.  That could, realistically, be sufficient grounds for a class action lawsuit against tigerswan.

Information for this post came from Upguard and ZDNet.

 

 

Facebooktwitterredditlinkedinmailby feather

Why An Incident Response Program Is Critical

Do you have a written incident response program?

Do the people who are part of it – the outside legal team, crisis communications team, forensics team, for example – know they are part of it?

Are contracts signed with outside service providers – or at least providers periodically reviewed and selected vendor already approved?

Has the team – both internal and external – conducted a mock disaster drill within the last 12 months?

Are the people answering the phones, email, chat and social media – from reception to help desk – trained in what to do when there is an inbound communication regarding a potential breach (you may remember the FBI called the Democratic National Committee several times last year to warn them but the person who answered the phone thought it was a prank)?

All of this needs to be in place and ready to go so that when (not if) an event occurs you are ready to spring into action.

Case in point.

One of our favorite white hat security researchers, Chris Vickery of Upguard, discovered a cache of voter information of Chicago residents unprotected on Amazon (does this ring a familiar bell – come on folks, lets get it together).  1.8 million voters.  Names, addresses, birth dates, partial socials, drivers license, etc.

He was able to associate it to a service provider to the City of Chicago, ES&S and Chris notified them.

Without regard to the fact that for some reason, someone at ES&S changed the default Amazon permissions from private to public – and I would certainly like to understand that, other than that, they handled the incident well.

Unlike the DNC who blew off the FBI, the email got to the right person.  As a side note, if someone wanted to notify your company, how would they know who to contact?  Is there information on your web site about what to do about security issues, for example?

While the details are still private, based on the results, they had a security incident response program.  They quickly – even though they were notified after business hours – investigated the report and within a few hours, the data was gone from Amazon.

Their crisis communications team released information that the data that was breached was limited and that no vote data was compromised.  They explained that it was a backup of a database that was unprotected, so the vote process integrity was intact.

They notified their customer, the Chicago Election Board.

Bottom line, they responded to a crisis quickly and worked to limit the damage.

I am sure that the City of Chicago will have more questions, but at least from the public side, they did what needed to be done and they did it quickly.

Can you say the same for your company?

Information for this post came from The Register.

Facebooktwitterredditlinkedinmailby feather

Verizon Loses Control of Customer Information

Different sources are reporting different numbers, but the personal information on between 6 million and 14 million Verizon Wireless customers has been exposed.

Verizon Store by Mike Mozart-Flickr-Creative Commons Commercial License

The information includes name, address, phone number, general information on calls made to customer service and, in some cases, the user’s security PIN.

The details of this are going to sound all too familiar.

  1. The data was stored in the Amazon cloud
  2. The data was not password protected
  3. The data was not encrypted
  4. The data was not stored there by Verizon, but rather a third party business partner.

The partner, Nice Systems of Israel, said that the data was exposed as a result of a configuration error.  I am reasonably confident that this is true, but that doesn’t seem to make any difference, really.

Like the recent discovery of the large Republican voter data leak, this leak was also discovered by Upguard; specifically researcher Chris Vickery.

Unlike some of the other leaks which got taken down immediately, it took Verizon 9 days to lock up this data.

Verizon is claiming that no data was “stolen”, but Vickery says that due to the nature of this Amazon S3 service, there is no way that Verizon could know that.  While both sides have a vested interest in this fight, I would tend to side with Upguard in this case.

This seems like a broken record to me –

What do you need to be doing –

#1 – You’ve got to set up a third party cyber risk management program.  Verizon is going to take the heat in this case, but it is is NICE’s screw up.  The third party risk management program is designed to make sure that vendors have security controls in place.

Verizon is taking the heat because the customers have the relationship with Verizon, not NICE.  In fact, until today, most customers have never heard of NICE.  This is Verizon’s problem and they have to own it.  So far, all I have heard is a bit of spin – not to worry; nothing to see – keep moving.  That does not inspire confidence.

#2 – Amazon. Amazon. Amazon.  While this is definitely not Amazon’s fault, at this point, every company that uses any cloud services – or allows their business partners to use cloud services – needs to be checking cloud permissions very carefully.  With great power comes great responsibility.

#3 – Have an incident response plan in place.  By Verizon saying that there was nothing to worry about without any explanation isn’t very comforting.  They need to work on the bedside manner (or in this case, their cloudside manner).  You have to give people a better story than don’t worry.

Why did it take Verizon 9 days to lock down this data.  Sounds like their incident response program needs some work.

While this could have happened to anyone – and has happened to several companies just in the last month, given all the occurrences that we have seen recently, companies need to step up their game or they will get skewered in the court of public opinion.

Information for this post came from Slashgear.

 

Facebooktwitterredditlinkedinmailby feather

WWE Leak Exposes Three Million Users

It is interesting to see what data companies collect on us.  Unfortunately, that usually happens when the company suffers a breach.

WWE joined the crowd of businesses that can’t quite remember to protect data that they make publicly accessible on the Internet.  One more time, the data was stored at Amazon.

In this case it is data on three million WWE fans.

And not just the usual name, address and email.

This data included birthdate and children’s age ranges and genders.  It included large amounts of social media data such as fan posts.

Another, smaller database of European fan data was also left exposed, but that did not include as wide a variety of data elements.  Maybe that is due to stricter European privacy laws.

After the researcher who discovered the unprotected databases told WWE about them, they removed the data from the Internet very quickly.

WWE is investigating how the breach happened.  They did not say how long the data sat unprotected in the Amazon cloud.

Among the data collected and exposed was each fan’s ethnicity.  Not sure why any fan would provide that data to a wrestling web site, but ……

It is interesting the number of Amazon related breaches we have seen recently.  I actually don’t think that there are more “breaches”, but rather researchers have figured out that Amazon is fertile hunting ground and so they have begun looking there more actively.

The real question is whether these breaches are just the tip of the iceberg or whether, for the most part, sensitive data stored in the cloud is protected.  I am not sure that we will ever know.

This is, however, another reminder to very carefully check the permissions on systems and services exposed to the cloud.  This includes all third party service providers such as Amazon.

Just because you outsource your IT infrastructure to a cloud provider does not take you off the hook – either legally or from a business reputation damage viewpoint.  WWE fans don’t care that they outsourced their data storage to Amazon.  Don’t care at all.

It is important to note that none of these Amazon data leaks  are in any way the fault of Amazon.  Amazon has not been – that we know of – hacked.

In fact, none of these breaches even involved stolen credentials.

They were all caused by human error.

Information for this post came from Forbes.

Facebooktwitterredditlinkedinmailby feather

What You Say Can Be Used Against You

The 5th Amendment to the U.S. Constitution guarantees that you cannot be forced to testify against yourself.

All that is about to change and I don’t mean that the Constitution is going to change.

Like the Apple-FBI fight earlier this year, Amazon is in a fight with the law and I don’t think it is going to come down the same way.

In Apple’s case, the Feds invoked a 200+ year old law to try and get Apple to develop new software to hack one of their phones.

In this case, police in Arkansas want Amazon to turn over the data from a defendant’s Amazon Echo that Amazon already has in its possession.  Amazon, so far, has refused to turn over the data.  Since the Echo doesn’t have a right against self incrimination or the incrimination of its owner, I am not clear what Amazon’s plans are.

They have already turned over purchase records and other account information – just not the data from the defendant’s Echo.

Amazon says that it will only turn over the data upon presentation of a proper warrant – one that is valid and legally binding, not overly broad or otherwise inappropriate – whatever that means – they are not explaining, but I am sure they will explain, eventually, to the court.

The case in question is a murder case.  A friend of the defendant’s was found floating in the defendant’s hot tub, somewhat worse for the wear – i.e. dead.

The police want to hear what he told his Echo and what his Echo told him.

The police already know, they say, how much hot water he used – due to a smart water meter.

I think, eventually, Amazon will turn over the data.  Whether the defendant asked his Echo “Hey Amazon, how do I kill my friend” or “Hey Echo, Can I get bleach from Amazon today?”

But what is going to be true in the future is that there is an amazing amount of data about you that can be used against you.

Whether it is GPS data from your phone, location and other data from your car or information from your water meter, there is an amazing amount of data about you.

Your smart TV is listening. Maybe so is your baby monitor.

Consider that many people have Echos in their bedrooms.  Then consider what might be said in your bedroom.  Do you want to reconsider whether that Echo in your bedroom is a good idea?

Some people have webcams inside their house.  More amazingly, some people have webcams in their bedrooms (there was a recent story about a webcam in a Houston family’s kid’s bedroom that went viral on the Internet, no doubt with some inappropriate footage.

The framers of the Constitution never considered that there would be an Internet of Things and the implications thereof.

This case is a murder case and I am sure that Amazon is grandstanding to make sure that its customers understand that it takes privacy seriously, but I predict they will turn over the data.

You may recall a couple of months ago the Director of National Intelligence said that he didn’t care much about encrypted phones because there was so much other data available for them to hack.

Guess what he was talking about?  Yup, that is it.

And while the NSA has some of the best and the brightest in terms of  hacking into devices, if recent news accounts of various IoT breaches are any indication, hacking many of these devices is like taking candy from a baby.

So while we do not know how the Amazon story will wind up, it is different than the Apple story because Amazon CAN turn over the data.

Here is an interesting question.  What if Amazon does not want to turn over the data because they are collecting more data than we think they are?  I know that borders on conspiracy theory, but ….

And, of course, subpoenaing your water heater is not limited to murder cases.  It certainly could apply to civil lawsuits as well.

Consider this.  Could your Amazon Echo testify against you in a divorce case?  Or your webcams?  Or any other appliance in your house.  Or even your car.  There is a lot of data in them there devices.

And, for those of you with legal expertise, ponder this.  In both criminal and civil cases, parties may have a “duty to preserve”, meaning that you are not allowed to destroy (read: delete) any evidence that may be relevant to the case.

How, exactly, do you preserve the data in your water heater?

Do you even know what data might exist in smart devices?

What if the data is stored in the cloud?  By a third party.  Do you even have the ABILITY to preserve it?  Who pays to preserve it?

There is NO legal precedent in this area of law.

Could you be held in contempt or lose a case because you didn’t preserve the data in your smart TV?  Seems far fetched, but I promise you, at some point, it WILL come up.

Just food for thought.

Information for this  post came from International Business Times.

Facebooktwitterredditlinkedinmailby feather