2018-07-23
Following Verizon, Deloitte, and Dow Jones, Accenture has also had sensitive cloud data exposed.
Cloud data exposure caused by misconfigured Amazon Web Services S3 buckets was one of the worrying trends of 2017. Many companies suffered data leaks this year; the most recent is the Accenture exposure.
RedLock cofounder and CEO Varun Badhwar said: "While this incident is very unfortunate, it's not very surprising."
Research from RedLock CSI (Cloud Security Intelligence) shows that 53% of companies using cloud storage services such as AWS S3 have inadvertently exposed one or more such services to the public Internet, up from 40% in May. Researchers also found that 38% of companies have had an administrative account for their public cloud compromised.
This trend points to a security problem common among businesses of all sizes and the third parties to which they entrust sensitive information. Many companies configure their cloud storage accounts improperly or fail to verify the security practices of third-party firms, and customer data is exposed as a result.
In June, a third-party misconfiguration exposed voter data from the Republican National Committee (RNC). Chris Pierson, chief security officer at Viewpost, noted: "While you can offshore or outsource tasks and functions, you can never outsource the risks."
"As such, every company that handles sensitive or valuable data should have an information assurance program that risk rates its vendors, monitors their security posture and other factors, and provides the company with governance regarding third parties and risk."
Below, we summarize ten major AWS leaks of this year (in no particular order).
Accenture
UpGuard's Cyber Risk Team recently found that Accenture had left at least four unsecured S3 buckets publicly available for download. Accenture's oversight exposed authentication credentials, secret API data, digital certificates, decryption keys, customer information, and other data that could be used to attack Accenture and its clients, which include 94 of the Fortune Global 100 and more than 75% of the Fortune Global 500.
Of the four exposed servers, the largest was 137 GB; all were configured for public access and could be downloaded by anyone who entered the bucket's URL. All of them contained highly sensitive data about the Accenture Cloud Platform and the clients using it. One folder included a plaintext document containing the master access key for Accenture's AWS Key Management Service account, leaving an undisclosed number of credentials exposed.
UpGuard says the mistake could lead to an "untold amount" of financial damage. An attacker could use the keys to impersonate an Accenture employee, remain in the company's network to collect data, or launch password reuse attacks across multiple platforms.
Viacom
Viacom, the world's sixth-largest media company, worth $18 billion, exposed internal access credentials and other critical data in a publicly downloadable AWS S3 bucket. This could have allowed attackers to take over its IT infrastructure or Internet presence.
The mistake, discovered by UpGuard's director of Cyber Risk Research Chris Vickery, exposed a master provisioning server running Puppet, along with the credentials needed to build and manage Viacom servers across its subsidiaries and brands. More importantly, it exposed Viacom's secret cloud keys, which could allow attackers to take over its cloud-based servers.
Exposing this information could compromise Viacom's servers, storage, or databases, as well as several cloud instances Viacom uses, including Docker, Splunk, New Relic, and Jenkins. UpGuard notes that Viacom is not alone in this level of data exposure, but it is notable for leaving such sensitive internal data open to the public.
Verizon
Verizon customers were affected; UpGuard, which reported the leak, put the number at 14 million, but Verizon claimed only six million people had data exposed.
The cloud-based file repository, managed by a NICE Systems engineer, was reportedly created to log customer call data; Verizon uses the company's services for back-office and call-center operations. UpGuard noted that the presence of customer phone numbers together with their associated PINs was especially concerning: with this information, an attacker could impersonate customers and gain access to their accounts.
This incident shows the danger of relying on a third-party vendor to handle sensitive data. NICE Systems had configured the repository to allow public access; it was fully downloadable by the public.
Booz Allen Hamilton
UpGuard's Vickery found 60,000 files in a publicly accessible S3 bucket belonging to intelligence and defense contractor Booz Allen Hamilton. The roughly 28 GB cache included a senior engineer's credentials, passwords for a US government system, and six unencrypted passwords for government contractors holding Top Secret facility clearance.
The files referenced the US National Geospatial-Intelligence Agency (NGA), a combat support agency that works with government bodies such as the CIA to gather geospatial data from spy satellites and drones. The exposed server also held master credentials for a data center operating system and other credentials used to access Pentagon systems.
"It is of vital importance that no one can gain unauthorized access to national security information, but Booz Allen Hamilton put passwords and other sensitive information out there for the world to see," said US Senator Claire McCaskill, the top-ranking Democrat on the Senate Homeland Security and Governmental Affairs Committee, after the incident.
WWE
Back in July, Kromtech security researchers found a massive, unprotected database belonging to World Wrestling Entertainment (WWE). The data was stored on an AWS S3 server with no username or password protection and was accessible to anyone with the URL.
The researchers found two publicly accessible S3 buckets, and an estimated 12% of the information was set to public access. The first unsecured bucket contained sensitive information on customers from 2014-2015, including names, home and email addresses, birthdates, education, age, race, and the ages and genders of their children. The total record count was 3,065,805.
The second bucket contained another trove of data, this time from 2016 and specific to European customers. It included billing details, such as addresses and user names, covering hundreds of thousands of people in total. Other exposed documents included spreadsheets tracking WWE's social media and a cache of Twitter posts.
Dow Jones
A data leak at Dow Jones & Co. exposed the names, account information, physical and email addresses, and last four digits of credit card numbers of millions of customers. The leak, discovered by UpGuard's Vickery, also affected 1.6 million entries in Dow Jones Risk and Compliance, a set of databases used by financial firms to comply with anti-money-laundering regulations.
All of the user data in the AWS S3 bucket was exposed because a misconfiguration allowed any AWS Authenticated User to download it using the repository's URL. Because Amazon defines an "authenticated user" as anyone with a free AWS account, the data was available to more than one million people. Dow Jones reported that 2.2 million people were affected; UpGuard "conservatively estimates" the number is as high as 4 million.
The publisher claimed there was "no reason to believe" any data was stolen and confirmed that the exposed information did not include full credit card numbers or login information that could pose a significant risk to customers.
RNC
Deep Root Analytics, a data analytics firm working on behalf of the Republican National Committee (RNC), exposed the personal data of 198 million American voters through an unsecured AWS S3 bucket. The exposed data included millions of records with birthdates, phone numbers, self-reported racial background, home and mailing addresses, and party affiliation.
Deep Root's bucket was configured as public rather than private, so its contents were viewable on the Internet. According to UpGuard, which discovered and reported the leak, most records had download permissions and the files could be accessed without a password.
Following the Deep Root incident, experts warned of the danger of this information falling into the wrong hands. Microtargeting is a powerful tool in the hands of criminals, who can use it for spearphishing and social engineering attacks.
TigerSwan
TalentPen, a third-party vendor responsible for handling new job applicants, exposed the personal data of thousands of Americans through a misconfigured AWS S3 bucket that lacked password protection. Most of the 9,402 exposed documents were resumes and applications to private security firm TigerSwan.
The mistake exposed the personal information of individuals holding classified security clearances, in some cases Top Secret. On top of the clearances, the files contained sensitive information including driver's license numbers, passport numbers, and at least partial Social Security numbers. The leak revealed the work histories of defense, intelligence, law enforcement, linguistic, and logistics experts employed by the United Nations, US Secret Service, Defense Intelligence Agency, Department of Defense, and Department of Homeland Security.
UpGuard, which discovered the leak and reported it to TigerSwan, said: "The exposed documents belong almost exclusively to US military veterans, providing a high level of detail about their past duties, including elite or sensitive defense and intelligence roles."
Time Warner Cable
The Time Warner Cable exposure highlighted the dangers of outsourcing, affecting about four million Time Warner Cable (TWC) customers in the US. Kromtech Security Center found two AWS S3 buckets exposed online by global communications software and service provider Broadsoft. The company has more than 600 service providers and supports millions of subscribers. Its partners include Time Warner Cable, AT&T, Sprint, and Vodafone.
In this case, the two buckets contained "thousands of records and reports" for Broadsoft's TWC clients. This included internal development information such as SQL database dumps, code with access credentials, and access logs. One text file contained more than four million records, including user names, Mac accesses, serial numbers, account numbers, and transaction IDs. Other databases held addresses and phone numbers of TWC customers.
Both buckets were configured for public access; Kromtech said the buckets were likely forgotten by engineers who never closed off the public configuration, allowing anyone online to access the data. Anyone with an Internet connection could reach the sensitive data, and any "authenticated user" could download it from the URL or through other applications.
ES&S
UpGuard discovered this leak as well. A misconfigured AWS S3 bucket belonging to ES&S, a prominent provider of voting machines and related software, was exposed and publicly downloadable.
The mistake exposed the personal information of 1.8 million Chicagoans, including names, addresses, phone numbers, driver's license numbers, and partial Social Security numbers. The exposed database appears to have been created for the Chicago Board of Election Commissioners around the time of the 2016 general election.
《10 Major Cloud Storage Security Slip-Ups (So Far) this Year》
10/13/2017
09:30 AM
Accenture is the latest in a string of major companies to expose sensitive cloud data this year, following Verizon, Deloitte, and Dow Jones.
One of many concerning security trends from 2017 is the accidental exposure of cloud data via misconfigured Simple Storage Service (S3) buckets from Amazon Web Services. This year has been marked with several data leaks from major organizations, most recently Accenture.
"While this incident is very unfortunate, it's not very surprising," says RedLock cofounder and CEO Varun Badhwar of the Accenture leak.
Research from RedLock CSI (Cloud Security Intelligence) shows 53% of businesses using cloud storage services like AWS S3 have inadvertently exposed one or more of the service to the public Internet, up from 40% earlier in May. Researchers also found 38% of businesses have experienced the potential compromise of an administrative account in their public cloud.
The trend underscores a dangerous problem common among businesses of all sizes, as well as the third parties with which they entrust sensitive information. Many don't take steps to properly configure their cloud storage accounts or don't take the time to verify the security practices of third-party firms. As a result, they compromise customers' data.
"While you can offshore or outsource tasks and functions, you can never outsource the risks," said Chris Pierson, chief security officer at Viewpost, after the exposure of voter data from the Republican National Committee (RNC) via third-party misconfiguration back in June.
"As such, every company that deals in sensitive or valuable data should have an information assurance program that risk rates their vendors, monitors them for security and other factors, and provides governance to the company regarding their third party and the risk appetite set by the company."
Here, in no particular order, we round up ten major AWS leaks from this year, affecting everyone from Chicago voters to US government employees with Top Secret security clearance.
The Cyber Risk Team at UpGuard recently discovered that Accenture left at least four AWS S3 storage buckets unsecured and publicly available for download. Accenture's slip-up exposed authentication credentials, secret API data, digital certificates, decryption keys, customer information, and other data that could be leveraged to target both Accenture and its clients - which include 94 of the Fortune Global 100 and more than 75% of the Fortune Global 500.
All four exposed servers, the largest of which was 137GB, were configured for public access and could be downloaded by anyone who entered the buckets' Web address into their browser. All contained highly sensitive data about the Accenture Cloud Platform and clients who used it. One folder included a plaintext document with the master access key for Accenture's account with AWS Key Management Service, leaving an undisclosed amount of credentials vulnerable.
The mistake could lead to an "untold amount" of financial damage, says UpGuard. An attacker could have used the keys to impersonate an Accenture employee and remain in the company's network to collect data, or launch password reuse attacks on multiple platforms.
Viacom, the sixth-largest media company in the world and worth $18 billion, exposed internal access credentials and other critical data in a publicly downloadable AWS S3 cloud storage bucket. This could have let attackers take over its IT infrastructure or Internet presence.
The mistake, discovered by UpGuard's director of Cyber Risk Research Chris Vickery, exposed a master provisioning server running Puppet, and credentials needed to build and manage Viacom servers across its subsidiaries and brands. More significantly, it exposed Viacom's secret cloud keys, which could enable attackers to take over its cloud-based servers.
Leaving this information exposed could have compromised Viacom's servers, storage, or databases, as well as several cloud instances Viacom uses, including Docker, Splunk, New Relic, and Jenkins. UpGuard says Viacom is not alone in this level of data exposure, but it is significant in that it left such sensitive internal data so open to the public.
ons of US-based Verizon customers. UpGuard, which reported the leak, put the number at 14 million but Verizon claimed only six million had data exposed.
The cloud-based file repository, managed by a NICE Systems engineer, was reportedly created to log customer call data. Verizon uses the company's services in back-office and call-center operations. UpGuard notes the presence of customer phone numbers and their associated PIN numbers was especially concerning. With this information, attackers could pose as customers and gain access to their accounts.
This incident demonstrated the danger of relying on a third-party vendor to handle sensitive data. NICE Systems had configured the repository to allow public access; it was fully downloadable to the public.
UpGuard's Vickery discovered 60,000 files on a publicly accessible S3 bucket owned by intelligence and defense contractor Booz Allen Hamilton. The cache of about 28GB of data included credentials for a senior engineer, passwords to a US government system, and a half-dozen unencrypted passwords for government contractors holding Top Secret Facility Clearance.
The files contained several mentions of the US National Geospatial-Intelligence Agency (NGA), a combat support agency that works with government bodies like the CIA to gather geospatial data from spy satellites and drones. The exposed server also had master credentials for a data center operating system, and other credentials used to gain access to a Pentagon system.
"It's of vital importance that no one can gain unauthorized access to national security information - but Booz Allen Hamilton put passwords and other sensitive information out there for the world to see," said US Senator Claire McCaskill, top-ranking Democrat on the Senate Homeland Security and Governmental Affairs Committee, following the incident.
Back in July, security researchers at Kromtech found a massive unprotected database belonging to World Wrestling Entertainment (WWE). The data was stored in an AWS S3 server, which did not have user-name or password protection and was accessible to anyone with the Web address.
Researchers found two publicly accessible S3 buckets and it's estimated about 12% of all the information was set to Public access. The first unsecured bucket contained several sensitive pieces of customer information from 2014-2015 including names, physical and email addresses, birthdates, education, age, race, and their children's ages and genders. The total record count was 3,065,805.
The second bucket contained another trove of data; this time from 2016 and specific to European customers. This included billing details: for example, addresses and user names, for hundreds of thousands of people. Other exposed documents included spreadsheets with social media tracking for WWE's social media counts, and a cache of Twitter posts.
A data leak at Dow Jones & Co. compromised names, account information, physical and email addresses, and the last four digits of credit card numbers for millions of customers. The leak, discovered by UpGuard's Vickery, also affected 1.6 million entries in Dow Jones Risk and Compliance, a group of databases used among financial firms to comply with anti-money laundering regulations.
All of the users' data was exposed in an AWS S3 bucket, which was misconfigured to let any AWS Authenticated User download data using the repository's URL. Because Amazon defines "authenticated user" as anyone with a free AWS account, the data was available to more than one million people. Dow Jones reports 2.2 million people were affected; UpGuard "conservatively estimates" the number is as high as 4 million.
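The "authenticated user" trap described above (and in the Time Warner Cable case below) is easy to check for programmatically. The following is an added example, not code from the article or from any of the firms named; it assumes the dict shapes that boto3's get_bucket_acl() and get_public_access_block() return and runs on a constructed sample ACL:

```python
# Added audit helper, not from the article: it classifies the dict shapes that
# boto3's get_bucket_acl() and get_public_access_block() return, so it runs
# offline on the constructed sample below and on real responses alike.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
# 'anyone' needs no credentials at all; 'any-aws-account' is AuthenticatedUsers,
# which (as the Dow Jones case shows) means any holder of a free AWS account.
GROUP_LABELS = {ALL_USERS: "anyone", AUTHENTICATED_USERS: "any-aws-account"}
# READ on a bucket lets the grantee list it, WRITE lets them add or delete
# objects, and *_ACP lets them read or rewrite the ACL itself.
RISKY_PERMISSIONS = {"READ", "WRITE", "READ_ACP", "WRITE_ACP", "FULL_CONTROL"}


def public_grants(acl):
    """Return (grantee_label, permission) pairs that open the bucket up."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue  # canonical-user grants name one account, not the public
        label = GROUP_LABELS.get(grantee.get("URI"))
        if label and grant.get("Permission") in RISKY_PERMISSIONS:
            findings.append((label, grant["Permission"]))
    return findings


def effectively_exposed(acl, public_access_block=None):
    """True when the ACL is public and Block Public Access does not mask it.
    IgnorePublicAcls=True (bucket or account level) makes S3 disregard public
    ACL grants; the ACL still deserves cleaning up but is no longer reachable."""
    if not public_grants(acl):
        return False
    pab = (public_access_block or {}).get("PublicAccessBlockConfiguration", {})
    return not pab.get("IgnorePublicAcls", False)


# Constructed sample: an owner who granted "Authenticated Users: Read" in the
# console, believing that meant only the company's own AWS accounts.
SAMPLE_ACL = {
    "Owner": {"ID": "example-owner-canonical-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-canonical-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS}, "Permission": "READ"},
    ],
}
SAMPLE_PAB = {"PublicAccessBlockConfiguration": {
    "BlockPublicAcls": True, "IgnorePublicAcls": True,
    "BlockPublicPolicy": True, "RestrictPublicBuckets": True}}
```

On real buckets, feed the responses of get_bucket_acl() and get_public_access_block() into the two functions and report any bucket for which effectively_exposed() is True.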
The publisher claimed there was "no reason to believe" any data was stolen and confirmed exposed information did not include full credit card number or login information that could pose a significant risk to customers.
Deep Root Analytics, a data analytics firm working on behalf of the Republican National Committee (RNC), exposed the personal data of 198 million American voters through an unsecured AWS S3 bucket. The compromised data included millions of records including birthdates, phone numbers, self-reported racial background, home and mailing address, and party affiliation.
Deep Root's storage bucket was configured to public instead of private and as a result, its contents were viewable to the Internet. Most records had permissions to be downloaded and files could be accessed without a password, according to UpGuard, which also discovered and reported this leak.
Following the Deep Root incident, experts warned about the danger of this information falling into the wrong hands. Microtargeting, for one, is a powerful tool in the possession of a cybercriminal who can use it for spearphishing and social engineering attacks.
TalentPen, a third-party vendor responsible for handling new job applicants, compromised personal data of thousands of Americans through a misconfigured AWS S3 bucket that lacked password protection. Most of the 9,402 documents exposed were resumes and applications to work for private security firm TigerSwan.
The mistake exposed personal information of individuals with classified security clearance, in some cases Top Secret. On top of security clearance, the files contained sensitive information including driver's license numbers, passport numbers, and at least partial Social Security Numbers. The leak exposed work histories for defense, intelligence, law enforcement, linguistic, and logistical experts employed by the United Nations, US Secret Service, Defense Intelligence Agency, Department of Defense, and Department of Homeland Security.
"The exposed documents belong almost exclusively to US military veterans, providing a high level of detail about their past duties, including elite or sensitive defense and intelligence roles," reported UpGuard, which discovered and reported the leak to TigerSwan.
Another leak demonstrating the dangers of outsourcing affected about four million Time Warner Cable (TWC) customers in the US. Kromtech Security Center found two AWS S3 buckets exposed on the Internet by global communication software and service provider Broadsoft. The company has more than 600 service providers and supports millions of subscribers. Partners include Time Warner Cable, AT&T, Sprint, and Vodafone.
In this case, the two buckets contained "thousands of records and reports" for Broadsoft clients with TWC. This included internal development information like SQL database dumps, code with access credentials, and access logs. One text file contained more than four million records with information like user names, Mac accesses, serial numbers, account numbers, and transaction IDs. Other databases had addresses and phone numbers for TWC customers.
Both buckets were configured for public access; Kromtech suggests the buckets were likely forgotten by engineers who never closed the public configuration and as a result, enabled anyone online to access the data. Anyone with an Internet connection could access sensitive data, and any "authenticated user" could download the data from the URL or using other applications.
Another 2017 storage slip-up specifically affected "virtually every registered Chicago voter," reported UpGuard, which found the leak. A misconfigured AWS S3 bucket was left exposed and publicly downloadable by Election Systems & Software (ES&S), a prominent provider of voting machines and related software.
The mistake compromised 1.8 million Chicagoans' personal information including names, addresses, phone numbers, driver's license numbers, and partial Social Security numbers. The exposed database appeared to have been created around the time of the 2016 general election for the Chicago Board of Election Commissioners.
Attachments:
"10 Major Cloud Storage Security Slip-Ups (So Far) this Year" -- original text.pdf
"10 Major Cloud Storage Security Slip-Ups (So Far) this Year" -- translation.pdf