How Hackers “Slurp” Up Your Cloud Data
September 19, 2019
Featured article by Debbie Fletcher, Independent Technology Author
The cloud can be a huge asset for most businesses. By leveraging the capabilities and services provided by cloud service providers, organizations can offload many of the problems and responsibilities of maintaining their own infrastructure to a third party and take advantage of the cost savings and scalability available in the cloud.
However, taking advantage of the cloud’s offerings does not absolve an organization of all responsibility regarding the data and applications that they store and run there. Part of the cloud service provider’s responsibility in providing their services is securing the aspects of a cloud deployment under their control. However, the client is responsible for securing all aspects of their cloud deployment that are under their own control.
Many cloud service providers attempt to make cloud security as easy as possible for the customer. However, the differences between an on-premises deployment and one in the cloud are significant, and users frequently misunderstand the impacts and implications of the settings under their control. As a result, many breaches of data stored on the cloud are enabled by simple misconfigurations of cloud security settings.
The Danger of Leaky S3 Buckets
Amazon’s S3 buckets are one of the best-known cloud data storage solutions available. However, a large chunk of this notoriety comes from the large number of data breaches originating from S3 buckets.
The main issue with S3 bucket security comes down to the meaning of the security settings that S3 users can apply to their data stores. The “private” option is fairly self-explanatory: access to the data store is by invitation only, which is good for security but often annoying to users. The other option for S3 bucket visibility is “public”. This setting also seems self-explanatory (i.e. the data is publicly available); however, the sheer number of breaches of sensitive data stored in public S3 buckets indicates that many S3 users have difficulty understanding it.
The level of cybersecurity knowledge that an organization has is often tied directly to the size of the organization. It would make sense if these data breaches originated only from small businesses without a formal security department and data security procedures.
However, the United States government, a rather large organization with access to a great deal of sensitive information, has been involved in several large-scale S3 data breaches. Publicly accessible S3 buckets belonging to the US government or one of its contractors have leaked:
1. Battlefield imagery belonging to the National Geospatial Intelligence Agency (NGA).
2. Administrative login credentials to sensitive systems within the NGA.
3. Data scraped from social media for open-source intelligence data collection.
4. Resumes of US veterans including clearance levels and PII.
5. Top Secret data and instructions for accessing sensitive Pentagon systems.
These represent only a subset of high-profile Amazon S3 bucket data breaches. Other well-known examples include the exposure of US voter data by Deep Root Analytics and of sensitive information about 6 million people by Verizon Wireless.
How do these breaches happen? Sensitive data is placed in an S3 bucket labeled “public”, meaning that anyone can access it if they have the correct URL. S3 users may believe that this URL is hard to find, but a variety of different tools ensure that this is not the case.
Slurp: A Tool for Finding S3 Buckets
A variety of different tools have been developed to scan the internet for URLs associated with Amazon S3 buckets. While some of these buckets may be properly protected, any data stored in a public one is instantly accessible to an attacker.
One example of this type of AWS scanning tool is called Slurp. Written in Go, a programming language developed by Google employees, it has two different scanning modes: white-box and black-box.
In white-box mode, the scanner runs the Slurp tool using credentials from a known AWS deployment. This version is extremely useful for organizations attempting to determine their current level of cloud security. The tool will check every S3 bucket associated with those login credentials and print whether the bucket is private or public. If any public buckets are discovered, they should be closed and an incident response investigation started.
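The white-box check described above, as an added example (not Slurp's code and not from the original article): it classifies buckets as private or public from ACL and policy documents in the shape the S3 GetBucketAcl and GetBucketPolicy calls return. The bucket names and documents are constructed samples so the block runs offline, and the function names are this example's own.

```python
import json

# Predefined S3 groups that open a bucket to everyone / to any AWS account.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _wildcard_principal(principal):
    # Principal may be "*", {"AWS": "*"} or {"AWS": ["*", ...]}.
    values = principal.values() if isinstance(principal, dict) else [principal]
    return any("*" in _as_list(v) for v in values)

def public_findings(acl, policy_json=None):
    """Return the reasons a bucket is publicly reachable (empty list = private)."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            group = grantee["URI"].rsplit("/", 1)[-1]
            findings.append(f"ACL grants {grant['Permission']} to {group}")
    if policy_json:
        for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
            if stmt.get("Effect") == "Allow" and _wildcard_principal(stmt.get("Principal")):
                actions = ",".join(_as_list(stmt.get("Action", [])))
                note = " (has Condition, review manually)" if "Condition" in stmt else ""
                findings.append(f"policy allows {actions} to any principal{note}")
    return findings

# Constructed sample inventory: bucket name -> (ACL document, policy JSON or None).
SAMPLE = {
    "example-private": ({"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "abc"},
                                     "Permission": "FULL_CONTROL"}]}, None),
    "example-acl-open": ({"Grants": [{"Grantee": {"Type": "Group",
        "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]}, None),
    "example-policy-open": ({"Grants": []}, json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-policy-open/*"}]})),
}

def audit(inventory):
    return {name: public_findings(acl, pol) for name, (acl, pol) in inventory.items()}

if __name__ == "__main__":
    for name, reasons in audit(SAMPLE).items():
        print(name, "PUBLIC: " + "; ".join(reasons) if reasons else "private")
```

Checking the bucket policy as well as the ACL matters because either one alone can make a bucket public.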
The other mode of Slurp, black-box, is designed to search for Amazon S3 buckets based upon permutations of domains and keywords. This mode is designed to find unknown S3 buckets and, like white-box mode, checks to see if discovered buckets are private or public. This mode of Slurp can either be used for benign purposes, like checking for unauthorized buckets associated with a company, or malicious ones, i.e. searching for vulnerable buckets which may contain unprotected sensitive data.
Improving Your Cloud Security
Companies are increasingly moving to the cloud due to its scalability and the ability to decrease infrastructure costs. However, placing data in the cloud can have significant security implications, as demonstrated by the number of high-profile and high-impact data breaches caused by poor cloud security.
Many organizations have suffered data breaches due to placing sensitive data in unsecured Amazon S3 buckets. Tools like Slurp make it easy for unauthorized third parties to find and gain access to the data in these buckets.
In order to properly protect their data in the cloud, organizations need to invest in security solutions built for the cloud. A cloud deployment differs dramatically from an on-premises one, and the accessibility of the cloud means that a mistake can easily become a breach. A specialized cloud security solution can help an organization achieve complete visibility into their cloud footprint (including unauthorized and insecure S3 buckets) and properly secure every aspect of it.