Databases exposed on the internet in post-GDPR era
Amazon Web Service (AWS), launched in 2006, is now the leading cloud service platform by market share. Its Simple Storage Service (S3) is particularly popular – but misconfiguration by users has led to numerous major data breaches.
AWS S3 Buckets
S3 Buckets are units of AWS storage used by businesses for additional temporary or permanent storage capacity. They act like file folders, allowing users to upload and store files and data on a potentially huge and flexible scale. In some ways, S3 is similar to Dropbox or Microsoft's OneDrive; but AWS is designed for professional and corporate use.
The AWS client-base includes organizations like Netflix, AOL, Verizon and NASA. It is easy and inexpensive to use, and the content of S3 buckets often includes sensitive corporate data and personal customer information.
The AWS security and compliance policy follows the shared responsibility model. Amazon agrees to keep its infrastructure and services secure, while the customer accepts responsibility for their configuration and usage of the services. A data leak resulting from a theoretical breach in Amazon's hardware, software or networking, for example, would be Amazon's responsibility. Any loss of data from security misconfiguration, misuse of the cloud services or failed access management would be considered the fault of the user.
How S3 Buckets can be vulnerable
S3 buckets are simple to use, versatile and secure. Because of this, they are sometimes used by IT staff as if part of internal storage, with little thought to security and without reference to the security team. At such times access control may be omitted – effectively combining two of OWASP's top ten web application security risks: sensitive data exposure (ranked at #3) and security misconfiguration (ranked at #6).
With no configured access control, the content of S3 buckets can be seen by anyone with an internet connection.
Cyber criminals are aware of how much sensitive and valuable data S3 buckets can hold. Many automated tools have been created to scan for any misconfigured buckets, left publicly accessible, so that malicious actors can quickly find potential sources of lucrative data. The methodology varies – some tools simply brute force buckets to check for open buckets, while others take a more intelligent approach. The result is the same; if a bucket containing sensitive data is left open and misconfigured, it will be discovered sooner or later.
Whenever an open S3 bucket is discovered – whether by a security researcher or a cyber criminal – it is de facto a data breach.
As with any data storage, the full risk depends on the sensitivity of the data being stored. Amazon's IaaS (Infrastructure as a Service) model of shared responsibility puts the blame for all the most common and likely breach causes squarely on the shoulders of the service user. Companies using AWS should assume that responsibility for any breach will fall on them. This can be especially damaging with customer data. Businesses face immense loss of customer faith and damaged reputation, as well as the harsh fiscal penalties under the GDPR for any company trading in Europe, and other privacy regulations around the world.
S3 Data Breaches
Examples of misconfigured open buckets being discovered – whether before or after exploitation by a malicious actor – occur with increasing frequency. In 2017, nearly 200 million US voter records from the 2016 presidential election were discovered in misconfigured S3 buckets. The data included 1.1 terabytes of entirely unsecured personal information compiled by Deep Root Analytics and at least two other companies, TargetPoint Consulting, Inc. and Data Trust, working for the Republican party.
Viacom, a Fortune 500 company, had its servers and critical infrastructure files exposed in the same way. This cloud leak exposed the master controls of the world’s sixth-largest media corporation, potentially enabling the takeover of Viacom’s internal IT infrastructure and internet presence by any malicious actor.
In October 2017, major international corporate consulting and management firm Accenture left multiple buckets unsecured, exposing a huge amount of both internal credentials and external customer data. One of these buckets contained 137 GB of data, including 40,000 plaintext passwords, hashed passwords, access keys for the Enstratus cloud infrastructure management platform, email data, and information on the consulting firm’s ASGARD database.
In these examples, misconfiguration gave unauthorized users read access to sensitive data. It can also work the other way. In November 2017, Skyhigh Networks described a ‘write’ attack that it called GhostWriter.
GhostWriter is a form of man-in-the-middle (MITM) attack executed against buckets configured to be publicly writable. It allows an attacker to overwrite or change files contained in the bucket and introduce malware to an organization’s cloud storage.
Of course, Amazon's cloud services are not the only cloud storage to suffer these issues. In April of this year, Digital Shadows reported that its researchers had discovered 1.5 billion files of sensitive data stored insecurely online. Amazon S3 Buckets accounted for just 7% of this data.
More US voter data was exposed in 2017 when a badly-configured server at the Kennesaw State University left the registration records of Georgia's 6.7 million voters open to public access. Georgia Tech's Prof. Rich Demillo commented: "If I wanted to influence an election, this is exactly where I would start. The information contained in this database could lead to numerous forms of armchair hacking to manipulate the way people vote."
With the U.S. midterm elections approaching (November 6, 2018) there is concern that malicious actors could use this data to influence the outcome of Georgia’s vote.
Keeping Buckets protected
The security, or lack of it, of S3 buckets and other cloud storage is critical. Most (if not all) of these data exposures would have been prevented by closer observation of Amazon’s best practices. Any new implementation of S3 buckets or other cloud storage needs to be properly configured and access-controlled before it is used to hold any data.
Amazon provides an ACL (access control list) with its S3 service. This needs to be properly configured and maintained by the customer. For further security, server-side encryption – also provided by Amazon – could be employed. Both require the expertise of the security team; so, the first criterion for cloud storage is that it should not be allowed without reference to company security staff.
To keep S3 buckets and other cloud storage platforms secure, a security manager must first know about all the services being used by the organization. Different departments sometimes fail to communicate with security, and sometimes an implementation of cloud storage just slips through the cracks.
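As an added example that is not part of the original article, the following Python audit classifies a bucket's ACL and bucket policy, in the shapes returned by the S3 GetBucketAcl and GetBucketPolicy API calls, as publicly writable (the GhostWriter precondition described above), publicly readable, or private. It assumes that any grant to the AllUsers or AuthenticatedUsers predefined groups counts as public, and the sample ACL is constructed for illustration.

```python
import json

# Assumption: a grant to either of these S3 predefined groups counts as public.
PUBLIC_GROUPS = {"http://acs.amazonaws.com/groups/global/AllUsers",
                 "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}

# Constructed sample in the GetBucketAcl response shape: the owner plus an
# "Everyone: write" grant, the misconfiguration behind GhostWriter.
SAMPLE_ACL = {"Owner": {"ID": "example-owner-id"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"},
     "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group",
                 "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "WRITE"}]}

def public_acl_grants(acl):
    """Permissions (READ, WRITE, FULL_CONTROL, ...) granted to public groups."""
    return {g["Permission"] for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_GROUPS}

def policy_public_actions(policy_json):
    """Actions a bucket policy (the GetBucketPolicy 'Policy' string) allows
    to the wildcard principal "*" or {"AWS": "*"}."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be un-listed
        statements = [statements]
    found = set()
    for st in statements:
        principal = st.get("Principal")
        wildcard = principal == "*" or (
            isinstance(principal, dict) and principal.get("AWS") == "*")
        if st.get("Effect") == "Allow" and wildcard:
            actions = st.get("Action", [])
            found.update([actions] if isinstance(actions, str) else actions)
    return found

def classify(acl, policy_json=None):
    """Rate a bucket as 'public-write', 'public-read' or 'private'."""
    perms = public_acl_grants(acl)
    actions = policy_public_actions(policy_json) if policy_json else set()
    if perms & {"WRITE", "FULL_CONTROL"} or actions & {"s3:*", "s3:PutObject"}:
        return "public-write"  # anyone can overwrite objects (GhostWriter)
    if perms & {"READ", "FULL_CONTROL"} or actions & {
            "s3:*", "s3:GetObject", "s3:ListBucket"}:
        return "public-read"   # anyone can list or download objects
    return "private"
```

To build the inventory the paragraph above asks for, feed it the response of boto3's get_bucket_acl and the Policy string from get_bucket_policy for every bucket returned by list_buckets; note that it matches exact action names only, not wildcards such as s3:Put*.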
Fortunately, while automated tools exist to help attackers discover unsecured storage, the same techniques can be applied by defenders to find such storage so that it can be protected. Some cloud service providers have their own, often paid, services to help discover unprotected web storage; but these services can be costly and only cover the storage platform provided by that company.
High-Tech Bridge's ImmuniWeb Discovery offers non-intrusive discovery of all web-exposed services and quickly builds a list of them, whether that’s an S3 bucket or some other shadow IT storage. Finding is the first step to securing. The second is AWS penetration testing.