5 developer slip-ups on storage security: Learn from them

In October 2017, marketing research firm Alteryx received grim news: The company had inadvertently exposed its database of 123 million US consumer profiles, including names, addresses, financial histories, and credit ratings.

The database, stored in a misconfigured Amazon Simple Storage Service (S3) bucket, allowed anyone authenticated to Amazon Web Services—more than one million people—to download the data. Like the political data collected by Cambridge Analytica, such information can reveal sensitive parts of people's lives, but is commonly used by marketing, political, and financial firms to target advertising and other initiatives.

Yet companies often do not take the necessary security precautions, exposing the data and endangering privacy as well as their own business interests. 

Misconfiguration is the most common issue, but other problems—such as rogue databases—have also caused security breaches. Here are five cases of data being exposed inadvertently and experts' suggestions of what can be done to limit damage.


1. Misconfiguration: 198 million voter records on unsecured Amazon S3

Republican data firm Deep Root Analytics left 1.1TB of personal information on an unsecured Amazon Simple Storage Service (S3) bucket. The trove of data included names, dates of birth, home addresses, phone numbers, and voter registration details for 198 million US citizens, according to UpGuard, which discovered the problem in April 2018. The data is part of the Republican National Committee's massive data operation.

Deep Root Analytics misconfigured the Amazon S3 server, allowing anyone to navigate to a specific subdomain—"dra-dw"—and access the information. "The result is a database of grand scope and scale, collecting the modeled personal and political preferences of most of the country—adding up to an unsecured political treasure trove of data which was free to download online," UpGuard stated.

The unsecured storage bucket, and many other similar incidents, underscore that developers need to take secure configurations more seriously and find ways to reliably configure in-the-cloud storage services to maximize security.
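One reliable check a team can run is to audit the grants in each bucket's ACL for the two AWS predefined groups behind the exposures described above: AllUsers (anyone on the Internet, as in the Deep Root case) and AuthenticatedUsers (any AWS account holder, as in the Alteryx case). The Python below is an added example, not code from the article or from any firm it names; the ACL dicts follow the shape of boto3's get_bucket_acl() response, and the bucket names and grants are constructed samples.

```python
"""Audit S3 bucket ACL grants for public or all-AWS-account access.
Added example, not from the article; the dicts mirror the shape of boto3's
get_bucket_acl() response, but the samples are constructed so it runs offline."""

# Predefined-group URIs that AWS uses in ACL grants.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

# Both groups expose the bucket; "Authenticated Users" is the one people misread
# as "users in my account" when it really means every AWS account in the world.
RISKY_GROUPS = {
    ALL_USERS: "anyone on the Internet, no AWS account needed",
    AUTHENTICATED_USERS: "any AWS account holder worldwide, not just your organisation",
}

def find_exposed_grants(acl: dict) -> list:
    """Return one finding per grant that gives access to a predefined AWS group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        # CanonicalUser grants name one specific account and are not flagged here.
        if grantee.get("Type") == "Group" and grantee.get("URI") in RISKY_GROUPS:
            uri = grantee["URI"]
            findings.append({"group": uri.rsplit("/", 1)[-1],
                             "permission": grant.get("Permission"),
                             "exposure": RISKY_GROUPS[uri]})
    return findings

def audit_buckets(acls: dict) -> dict:
    """Map bucket name -> findings, keeping only buckets with at least one."""
    return {name: f for name, acl in acls.items() if (f := find_exposed_grants(acl))}

OWNER = {"Type": "CanonicalUser", "ID": "owner-canonical-id"}  # constructed
SAMPLE_ACLS = {  # constructed ACLs modelled on the two failure modes in the article
    "consumer-profiles": {"Owner": {"ID": OWNER["ID"]}, "Grants": [
        {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS}, "Permission": "READ"}]},
    "voter-data-warehouse": {"Owner": {"ID": OWNER["ID"]}, "Grants": [
        {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]},
    "internal-backups": {"Owner": {"ID": OWNER["ID"]}, "Grants": [
        {"Grantee": OWNER, "Permission": "FULL_CONTROL"}]},
}

if __name__ == "__main__":
    for bucket, findings in audit_buckets(SAMPLE_ACLS).items():
        for f in findings:
            print(f"{bucket}: {f['permission']} granted to {f['group']} ({f['exposure']})")
```

Against live buckets, feed the output of `boto3.client("s3").get_bucket_acl(Bucket=name)` for each bucket into `audit_buckets`; bucket policies are a separate grant path and need their own check, and the account-level S3 Block Public Access setting stops both kinds of public grant from taking effect in the first place.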

2. Beware hidden assets: Personal documents for 119,000 people leaked by FedEx

In February 2018, researchers at security firm Kromtech found another misconfigured Amazon S3 bucket—this time belonging to Bongo International, a firm that helped North American companies sell goods abroad. Bongo was bought by FedEx in 2014, and the service shut down in 2017, but the data still existed online. 

While the leaked data underscores the importance of proper configuration, it also shows that mergers and acquisitions can lead to orphaned information technology. The acquiring companies should make sure to closely audit the IT assets of their purchased businesses.

You cannot blame the cloud providers for any of these issues, said Varun Badhwar, CEO and founder of RedLock, a cloud security firm.

"The cloud is a challenge and an opportunity, and the cloud providers are putting out new features just about every day."
Varun Badhwar

3. Secure your backups: Blue Chair exposes data on 1 million people

A holding company, Blue Chair LLC, left data of about 1 million people open to the public on a misconfigured remote synchronization, or Rsync, server. The data, stored in MySQL databases and backups of those databases, included names, addresses, and contact information, as well as high-school graduation dates and fields of study, in some cases.

UpGuard, which discovered the misconfigured server in February 2018, warned that the data could have been used to fuel phishing attacks. "Enterprises must ensure they are adhering to internal processes capable of avoiding such damaging gaps in their armor," the company said.

4. Lock down defaults: Ransom attack on MongoDBs

In early 2017, online criminals sought out publicly exposed MongoDB databases, copied the data, and then deleted the information, demanding a ransom for its return. The automated attacks—conducted by at least 15 different groups—hit more than 27,000 online databases that were exposed because they used the default, and insecure, configuration. At the time, nearly 100,000 MongoDB databases used the vulnerable default configuration, according to scans.

"Companies need to limit their network exposure—the newer version of MongoDB is already set up out of the box to be more secure," said Christopher Bielinski, senior database security researcher with Trustwave's SpiderLabs. "Make sure that you also change simple defaults such as the port number—that is the first thing that people will see when they are scanning for targets."

5. Build controls for sensitive data: Intelligence platform leaks 48 million profiles

In February, UpGuard found 48 million marketing profiles that included information scraped from popular social media sites, including name, address, and data about the person's Internet usage and social-media postings. Such psychographic profiles can be used to make well-informed deductions of an individual's political leanings, religious affiliation, and other sensitive information.

"This data is valuable because it can be used effectively, and this efficacy can become dangerous if put to malicious use," UpGuard said in the incident report.

Cambridge Analytica's use of Facebook data to help power the Republican campaign for Donald Trump's presidential candidacy has demonstrated the dangers of such information. Regular penetration testing, automated testing, and monitoring cloud storage can help find exposed data before it is leaked, said Chris Vickery, director of cyber risk research at UpGuard.

"The path of least resistance is not changing what your developers are doing, but to get an outside agency to test you," he said. "Automated scanning, or a hybrid of automated scanning and manual review of results, can help find the low-hanging fruit before someone else does."

Longer-term solutions

In the end, education and better tools can help developers prevent data from being inadvertently exposed on a vulnerable server. Cloud providers need to create better solutions as well, Vickery said.

"These issues are not easily fixable, because it comes down to human nature," he said. "Developers are under pressure to deliver, so they skip or miss an important security step."

Unfortunately, in the age of automated security systems, if your company is not checking for vulnerable storage servers and other risk areas, an attacker is likely doing the job for you.

The result is that data stored in the cloud may be protected 99 times out of 100, but the 1% of exposed cases ends up being detected by attackers, experts said.

"There are so many different facets that need to be checked, and you have to have all your ducks in a row," said Trustwave's Bielinski. "You are not putting a database together behind closed doors anymore. What comes along with that are fundamental things that you need to be doing."

"Cloud services need to be architected in a way to give the developers no option to screw up," Vickery said. 
