Open S3 Buckets: From Bad to Worse


Just when you thought that the whole “globally readable Amazon S3 storage buckets” thing couldn’t get any worse, it did.

According to a study by a French cybersecurity firm which looked at 100,000 Amazon S3 buckets…

  • 90% of buckets are private, and therefore not exposed to anonymous data theft or tampering. Of course, that means 10% of buckets are public…

    • 58% of those public buckets (in other words, 5.8% of the total number of buckets tested) contained readable files, which could allow data leakage.

    • 20% of public buckets (or, if you prefer, 2% of the total buckets) are not write-protected.

    • Only 5% of those public, write-enabled buckets (a mere 0.1% of the total) are empty; the rest already hold data that anyone can overwrite.

This is pretty bad for the companies who own the 2% of buckets which are writeable: an anonymous writer can corrupt or delete data, plant malware in files that others download, or hold the contents for ransom.
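To make "public", "readable" and "write-enabled" concrete, here is an added example (my own audit code, not the study's tooling or anything from Amazon) that classifies buckets from the two places anonymous access can be granted: the bucket ACL and the bucket policy. The buckets are constructed samples, and the JSON shapes mirror what boto3's get_bucket_acl and get_bucket_policy return.

```python
"""Classify S3 buckets as private / public-read / public-write from their
ACL and bucket policy. Hypothetical audit code; SAMPLE_BUCKETS below are
constructed, not real buckets."""
import json
from fnmatch import fnmatchcase

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
# "AuthenticatedUsers" means any AWS account in the world, so it is public too.
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
READ_PERMS = {"READ", "FULL_CONTROL"}                 # list the bucket's keys
WRITE_PERMS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}  # create/overwrite/delete objects, or rewrite the ACL
READ_ACTIONS = ("s3:getobject", "s3:listbucket")
WRITE_ACTIONS = ("s3:putobject", "s3:deleteobject", "s3:putbucketacl", "s3:putobjectacl")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal) -> bool:
    """Principal "*" or {"AWS": "*"} means anyone, including unauthenticated callers."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def classify(acl: dict, policy_json) -> set:
    """Return the subset of {"public-read", "public-write"} that applies; an empty set means private."""
    flags = set()
    for grant in acl.get("Grants", []):
        grantee = grant["Grantee"]
        if grantee.get("Type") == "Group" and grantee.get("URI") in (ALL_USERS, AUTH_USERS):
            if grant["Permission"] in READ_PERMS:
                flags.add("public-read")
            if grant["Permission"] in WRITE_PERMS:
                flags.add("public-write")
    if policy_json:
        for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
            # A Condition (source IP, SecureTransport, ...) may narrow a "*" principal;
            # it is still flagged here because conditional public access deserves a manual look.
            if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
                continue
            patterns = [a.lower() for a in _as_list(stmt.get("Action", []))]  # IAM actions are case-insensitive
            if any(fnmatchcase(want, pat) for pat in patterns for want in READ_ACTIONS):
                flags.add("public-read")
            if any(fnmatchcase(want, pat) for pat in patterns for want in WRITE_ACTIONS):
                flags.add("public-write")
    return flags


def summarize(buckets) -> dict:
    """Counts in the same shape as the survey: total, public, readable, writable."""
    counts = {"total": 0, "public": 0, "public-read": 0, "public-write": 0}
    for _name, acl, policy in buckets:
        counts["total"] += 1
        flags = classify(acl, policy)
        if flags:
            counts["public"] += 1
        for flag in flags:
            counts[flag] += 1
    return counts


def _acl(*group_grants):
    """Build an ACL: the owner always has FULL_CONTROL, plus optional (group URI, permission) grants."""
    owner = {"Type": "CanonicalUser", "ID": "owner-canonical-id"}  # constructed
    grants = [{"Grantee": owner, "Permission": "FULL_CONTROL"}]
    grants += [{"Grantee": {"Type": "Group", "URI": uri}, "Permission": perm} for uri, perm in group_grants]
    return {"Owner": {"ID": owner["ID"]}, "Grants": grants}


PUBLIC_GET_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::marketing-assets/*"}]})
ACCOUNT_ONLY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
     "Action": "s3:*", "Resource": "arn:aws:s3:::backups/*"}]})

SAMPLE_BUCKETS = [  # (name, ACL, policy JSON or None); all constructed
    ("backups", _acl(), ACCOUNT_ONLY_POLICY),                                   # private: the corrected state
    ("marketing-assets", _acl(), PUBLIC_GET_POLICY),                            # public-read via policy
    ("customer-exports", _acl((ALL_USERS, "READ")), None),                      # public-read via ACL
    ("partner-drop", _acl((AUTH_USERS, "READ"), (AUTH_USERS, "WRITE")), None),  # any AWS account can write
    ("legacy-uploads", _acl((ALL_USERS, "FULL_CONTROL")), None),                # anyone can do anything
]

if __name__ == "__main__":
    for name, acl, policy in SAMPLE_BUCKETS:
        print(f"{name:18} {sorted(classify(acl, policy)) or 'private'}")
    print(summarize(SAMPLE_BUCKETS))
```

Against a real account you would feed classify() the output of boto3's s3 client: get_bucket_acl(Bucket=name) for the ACL, and get_bucket_policy(Bucket=name)["Policy"] for the policy string (that call raises a ClientError with code NoSuchBucketPolicy when there is none, which you treat as no policy). Note that object-level ACLs can make individual files public even when the bucket itself classifies as private, so a thorough audit walks objects too; and since this post was written Amazon has added the account-level "Block Public Access" setting, which turns off both ACL- and policy-based public access in one place.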

The cloud is a great way to increase efficiency and integrate best-of-breed solutions into your business, but it requires that administrators be trained for the specific challenges of security in cloud computing. The information is out there; for example, Amazon has a page chock full of security advice.

Businesses should consider getting their employees trained and certified in the ways of the cloud, either via vendor-neutral certifications or, if you have already chosen your cloud platform, via vendor-specific certifications like Amazon’s and Microsoft’s.

The people who are plunging in to the cloud and messing up are making it harder for the rest of us who see the cloud as the future to sell its security to management – let’s get our acts together people!


Beware of mobile number port out scams!


I spend a lot of time telling people to use two factor authentication on their important web accounts.  This may explain why I don’t get invited to parties.

While using 2FA is a great idea, there is one issue which you (and your employees) should be aware of.

If your 2FA solution relies on text messages to deliver its one-time passcodes, it may be vulnerable to “mobile number port out” scams, in which a fraudster persuades your carrier to move your phone number to a phone he controls and then receives your passcodes. This article from the always informative Brian Krebs explains the mechanics of this.

The solution? If a site offers the choice between using text messages and an authenticator app, choose the app. If you have to use text-based authentication, make sure that your mobile phone account is protected from porting using a PIN or password.


Outsourced security program failure leads to $100K regulatory fine


Another reminder of the importance of managing third party vendor relationships…

The Commodity Futures Trading Commission fined AMP Global Clearing (an electronic trading firm) $100,000 for a disclosure of 97,000 files containing customer information to an unauthorized third party due to a misconfigured network attached storage device.

AMP had outsourced parts of its information systems security program to a third-party provider who had failed to detect the exposed data during three successive vulnerability audits of AMP’s systems.

Outsourcing can be a really effective tool for augmenting a firm’s infosec program, but business leaders and CSOs need to remember that the ultimate responsibility for protection of corporate and customer data still remains with them. And when the firm is a regulated entity, the risks of relying on an outsider to perform critical parts of the infosec program without adequate supervision outweigh the (admittedly attractive) cost savings.

Monitoring third-party service provider performance is a hard problem. Most firms don’t have the resources to perform in-person audits, and most providers don’t have the ability to allow every customer to audit them. This is why external independent audits of third-party providers’ security practices are so important. These audits need to be performed against generally accepted security standards with objective audit criteria; ISO 27001 and SSAE 18 SOC 2 are two examples of such audit types.

Even if a business partner gets a clean bill of health from an independent auditor, their performance must be monitored by the line of business who engaged them as well as by the infosec department. Recently, I have been seeing more and more inquiries from my firm’s customers coming between their annual due diligence reviews of our services. Most of these inquiries occur when there is a “celebrity vulnerability” like Spectre/Meltdown – what I am hoping to see in the future are more questions confirming “security 101” procedures and practices.

Security ratings firms like Security Scorecard and Bitsight can also be helpful in this area. While their ratings cover only specific aspects of a vendor’s security program (practices that can be seen from the Internet), they provide an ongoing data point that can be used to detect potential problems in between those annual security reviews. I believe that this industry is in its early stages and that the results that they provide must be examined carefully against the specific requirements of your security program.

As companies outsource infrastructure, applications and services to third parties in order to concentrate on their core competencies, the importance of third-party vendor management is going to continue to grow.


lastpass security issues found and fixed

In August of last year, a security researcher at UC Berkeley found two security vulnerabilities in LastPass while researching the security of web-based password managers. He reported the problems to LastPass, which quickly remediated them.

One of the vulnerabilities would have allowed an attacker to gain access to unencrypted credentials if the user visited a malicious web site and then used the LastPass bookmarklet to log into that site. If you use the browser extensions for Chrome, IE, Firefox or Safari (as 99% of LastPass users do), your account was not vulnerable to this attack; bookmarklets are only used when the browser in use does not support LastPass directly.

The other vulnerability would have allowed an attacker who knew a user’s login ID to retrieve that user’s encrypted password file, but not the key needed to decrypt it.

LastPass states that it has no evidence that either of these vulnerabilities was exploited by anyone other than the researchers.

I still use and recommend LastPass – after all, if we stopped using software every time a security vulnerability was found and fixed, we would not be using Windows, Mac OS, or any browsers and plugins. The extra security provided by using LastPass to manage unique strong passwords for the sites you log into far outweighs the risk of being compromised by vulnerabilities such as the ones described.

There is a lesson to be learned for LastPass users, though. The security of your account is only as good as the master password you choose for your LastPass account, because that password (and nothing else) unlocks the encrypted file described above. Make sure that it is long and hard to guess, and is constructed using letters, numbers and special characters in order to make it as hard as possible for someone to crack.

I am disappointed in how long it took LastPass to reveal this issue – when you are entrusted with users’ “keys to the kingdom,” you have a responsibility to be transparent about issues like this in a timely fashion.  I think that this is also a good time for LastPass to open up their code for third party security review to be proactive about finding and fixing security issues before the bad guys do.


dropbox sharing flaw exposes personal documents and (unencrypted) cloud risks

A security vulnerability in the way that online storage provider Dropbox (and possibly rival Box) handles links to shared files left some documents (which were supposed to be viewable only by people designated by the file owner) accessible to web site owners using Google’s visitor analytics and advertising tools. The rival online storage firm which found the issue claimed to have reported the problem (which gave access to sensitive files like mortgage documents and tax returns) to Dropbox last November. Dropbox fixed the issue, which it insists is a feature rather than a security flaw, this past Monday.

This issue highlights the need to make encryption of files and data stored with cloud service providers, using keys that are held only on the user’s local system (so that the provider, and anyone who gets at the provider’s copy, sees only ciphertext), simple enough for non-technical folks. The solution also needs to be able to support sharing of encrypted files securely with a third party or with other cloud services you authorize. If cloud providers can get this right (no small feat), living your life in the cloud will truly be ready for prime time.

Some solutions which currently exist:

  • Boxcryptor is a software solution which sits on top of Dropbox and other storage providers and automagically encrypts files as they are sent to and received from the cloud. They provide secure sharing as well as mobile apps for the major platforms. Of course, since Boxcryptor is an overlay to services like Dropbox, using this product breaks the integration between Dropbox and other cloud apps.
  • There is at least one consumer-usable provider (SpiderOak) which currently claims to offer this type of zero-knowledge encryption.

The real answer to the issue of cloud encryption lies in having the encryption built in to the platforms in a standard and interoperable way.  C’mon cloud vendors, you can do it!
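To show what the “keys on the user’s system, plus secure sharing” requirement above looks like in practice, here is an added example of my own; it is not Dropbox’s, Boxcryptor’s or SpiderOak’s code. It encrypts a file locally with AES-GCM under a per-file key, binds the storage path as associated data, and shares the file key with one recipient by wrapping it under a key derived from an X25519 agreement, so the provider only ever stores ciphertext and wrapped keys. The file contents, the path and the two users are constructed for the demo, and the `cryptography` package is assumed to be installed.

```python
"""Client-side file encryption with the key held only by the user, plus
sharing that key with one designated recipient. Hypothetical example code,
not Dropbox's, Boxcryptor's or SpiderOak's implementation; requires the
`cryptography` package."""
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric.x25519 import (
    X25519PrivateKey,
    X25519PublicKey,
)
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.hazmat.primitives.kdf.hkdf import HKDF
from cryptography.hazmat.primitives.keywrap import aes_key_unwrap, aes_key_wrap
from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat

NONCE_LEN = 12  # 96-bit AES-GCM nonce, fresh for every encryption
SAMPLE_PATH = "taxes/2017-return.pdf"                                 # constructed
SAMPLE_PLAINTEXT = b"constructed sample: ADJUSTED GROSS INCOME 48,210"  # constructed


def encrypt_file(plaintext: bytes, path: str):
    """Encrypt on the client before upload. Returns (file_key, blob).
    Only `blob` is sent to the provider; the 256-bit file key stays local.
    The storage path is bound as associated data, so a blob cannot be
    quietly served back under a different name."""
    file_key = AESGCM.generate_key(bit_length=256)
    nonce = os.urandom(NONCE_LEN)
    ciphertext = AESGCM(file_key).encrypt(nonce, plaintext, path.encode())
    return file_key, nonce + ciphertext


def decrypt_file(blob: bytes, file_key: bytes, path: str) -> bytes:
    """Inverse of encrypt_file. Raises InvalidTag on a wrong key, a wrong
    path, or any modification of the stored blob."""
    nonce, ciphertext = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return AESGCM(file_key).decrypt(nonce, ciphertext, path.encode())


def decrypt_or_none(blob: bytes, file_key: bytes, path: str):
    """What the provider, or a tampering attacker, ends up with: the data or nothing."""
    try:
        return decrypt_file(blob, file_key, path)
    except InvalidTag:
        return None


def public_bytes(priv: X25519PrivateKey) -> bytes:
    """Raw 32-byte public key; this is all a user publishes (e.g. through the
    provider) so that others can share files with them."""
    return priv.public_key().public_bytes(Encoding.Raw, PublicFormat.Raw)


def _wrapping_key(my_priv: X25519PrivateKey, their_pub_raw: bytes) -> bytes:
    """X25519 agreement followed by HKDF-SHA256 gives a 256-bit key-wrapping
    key that only the two parties can compute."""
    shared = my_priv.exchange(X25519PublicKey.from_public_bytes(their_pub_raw))
    return HKDF(algorithm=hashes.SHA256(), length=32, salt=None,
                info=b"demo-file-key-wrap").derive(shared)


def share_file_key(file_key: bytes, sender_priv, recipient_pub_raw: bytes) -> bytes:
    """RFC 3394 AES key wrap of the file key for one recipient. The wrapped
    key can sit next to the blob at the provider: it is useless without the
    recipient's private key."""
    return aes_key_wrap(_wrapping_key(sender_priv, recipient_pub_raw), file_key)


def accept_shared_key(wrapped: bytes, recipient_priv, sender_pub_raw: bytes) -> bytes:
    """Recipient side of share_file_key."""
    return aes_key_unwrap(_wrapping_key(recipient_priv, sender_pub_raw), wrapped)


def demo():
    """Alice encrypts a file and shares it with Bob; the provider sees only
    `blob` and `wrapped`. Returns (bob_plaintext, tamper_detected)."""
    alice, bob = X25519PrivateKey.generate(), X25519PrivateKey.generate()  # constructed users
    file_key, blob = encrypt_file(SAMPLE_PLAINTEXT, SAMPLE_PATH)
    wrapped = share_file_key(file_key, alice, public_bytes(bob))
    bob_key = accept_shared_key(wrapped, bob, public_bytes(alice))
    tampered = bytearray(blob)
    tampered[-1] ^= 0x01  # flip one bit of the stored ciphertext, as a misbehaving provider might
    return (decrypt_file(blob, bob_key, SAMPLE_PATH),
            decrypt_or_none(bytes(tampered), bob_key, SAMPLE_PATH) is None)


if __name__ == "__main__":
    print(demo())
```

Two design points worth noticing: the per-file key means revoking one share never exposes anything else, and the path in the associated data means a provider that hands back the wrong blob (or a rogue insider who swaps files around) gets an authentication failure rather than silently wrong data. What the example does not solve is the hard part the post alludes to: a non-technical user still has to keep the private key safe and verify that the public key they fetched really belongs to Bob.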


japan cloud oopsie reveals confidential treaty data

A cautionary tale of cloud computing… apparently, a Google Groups group set up by the Japanese Ministry of the Environment to (internally) share documents and messages regarding negotiations about an international treaty was misconfigured, leaving the information therein world-readable. Cloud computing is here to stay, folks, and governments, companies and other organizations (and their security folks) need to figure out ways to keep confidential data either out of the cloud or, better yet, safe in the cloud. IMHO, we need cloud providers to come up with creative ways to allow organizations to encrypt particularly sensitive data with keys controlled by the data owner.
