Cheap-and-cheerful cloud storage solutions are abundant, but so are the cases of misconfigurations that can lead to hackings or data leaks.
On 1 Sep 2020, more than 108,000 scanned images of over 54,000 Australian driving licenses were found to have been leaked online. The leak was discovered by a Ukrainian security consultant who stumbled upon the folder on an Amazon storage service, which also contained phone numbers, addresses, birth dates and other data, all available for public view.
The leak personal data could be used to apply for credit or impersonate a victim in social media scams and countless other fraudulent activities. According to the security consultant, the images were accessed from a mis-configured Amazon S3 storage bucket, and some data containing information related to Roads and Maritime Services Toll Notices was also collected.
According to Boris Cipot, Senior Security Engineer, Synopsys Software Integrity Group: “In the past, when cloud storage services were not as common as they are today, an attacker would have to be really inventive to break into a secured network and steal data stored on a server. Unfortunately, this no longer applies today. We read and hear about instances of misconfigured cloud storage so often that it seems to have become the norm.”
Cipot said it would be good if cloud service providers would take this matter into their own hands and stop misconfigurations that allow public access to data. However, this would require service providers to be active in the setup, as well as act as a consultant, leading users through the settings and advising against bad decisions.
“Secure cloud storage is unattainable without the guidance of someone who is familiar with the topic of security in the cloud. Therefore, cloud users need to be more alert on how they use the service,” Cipot reiterated. “They need to recruit a consultant to set up the infrastructure so that it conforms to the use case, and they need to create plans for resilience, response and recovery in every part of this infrastructure. This is the only way they can make attempts at hacking so difficult that it dissuades the attacker from even trying.”
Chua Bo Si, Security Solutions Architect at HackerOne, commented: “When moving to the cloud, it’s important that developers have a clear change management process in place when pushing code to a live environment as the most impactful bugs affect cloud platforms, with incorrect configurations leading to information disclosure vulnerabilities that can be used to obtain sensitive information.
Wrongly configured storage buckets will be detected and, in a worst-case scenario, exploited – since criminals are running 24/7 automated scans to detect these types of misconfigurations.”
He added: “When it comes to securing the data to prevent it leak of ever more informed consumers, it’s more important than ever that vulnerabilities or misconfigurations like these are reported quickly and effectively through a defined channel and process. When storing any data in a cloud environment, maintaining an understanding who is accessing what and when is key, so the risk of unauthorized access is minimized.”
While today’s engineering teams consist of many professionals who can improve on infrastructure and security, just as many of these people can make a mistake.
“No matter how dedicated your internal team, they aren’t always looking at security in the same way an external attacker would and, therefore, the best way to augment your existing resource is to engage ethical hackers who will be running the same scans as the criminals, reporting any vulnerability they find to patch it before it’s exploited to steal information,” said Chua.
“It used to be that you had to notify cloud providers before you could run a security test, letting them know the pentester’s details, the date of testing, and the time frame. However, this no longer applies, and it’s easy to have cloud-hosted environments in scope for security testing.”