There has been a recent spate of incidents involving organisations misconfiguring Amazon S3 buckets. Accenture, the US Department of Defense and Verizon have all suffered data breaches after leaving vast amounts of data on the cloud storage service without any access controls at all.
The Australian Broadcasting Corporation (ABC) is the latest organisation to be breached, exposing thousands of emails, login credentials, users’ hashed passwords, media producers’ requests for licensed content and a secret access key, and login details for another repository.
Why are so many organisations making this mistake?
According to web security company Detectify Labs, many of these breaches can be traced to common errors when setting up bucket access controls.
In a report released on Thursday, Detectify’s security advisor, Frans Rosén, said network administrators often gloss over rules for configuring Amazon’s access control lists. If the systems are misconfigured, the only thing a criminal hacker needs to access the information is the name of the bucket.
“By identifying a number of different misconfigurations we discovered that we could suddenly control, monitor and break high-end websites due to weak configurations of the bucket and object ACLs [access control lists].”
Misconfigured Amazon buckets are also vulnerable to man-in-the-middle attacks, according to Skyhigh Networks chief scientist Sekhar Sarukkai. In a sample of 1,600 S3 buckets, about 4% were found to be exposed to this vulnerability.
“We have noticed that Bucket owners have either carelessly allowed public writes or have not fully understood the ramifications of read and write ACL controls, or the semantics of [Amazon Web Services] “Authenticated Users” – all of which contribute towards a wide open environment for [third] parties to exploit trusted interaction,” said Sarukkai.
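As an added illustration (not code from the article, Detectify or Skyhigh Networks), the following Python check flags the two grant types Sarukkai describes: grants to the AllUsers group (anyone on the internet) and to the AuthenticatedUsers group (any AWS account holder, not just accounts in your organisation). It works on the dictionary shape that boto3's get_bucket_acl returns; the sample ACL is constructed for the demonstration.

```python
# Audit an S3 bucket ACL for the public and "Authenticated Users" grants the
# article warns about. Input is the dictionary shape returned by
# boto3's s3.get_bucket_acl(); the sample below is constructed, not real.

# Group URIs AWS uses for the two predefined groups.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

# Permissions that let a grantee change bucket content or the ACL itself.
WRITE_PERMISSIONS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}
# Permissions that let a grantee list the bucket or read its ACL.
READ_PERMISSIONS = {"READ", "READ_ACP", "FULL_CONTROL"}


def audit_acl(acl):
    """Return a list of (severity, grantee, permission) findings for an ACL."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue  # canonical-user grants name a specific account, not the public
        uri = grantee.get("URI")
        perm = grant.get("Permission")
        if uri == ALL_USERS:
            who = "AllUsers (anyone on the internet)"
        elif uri == AUTHENTICATED_USERS:
            who = "AuthenticatedUsers (any AWS account, not just yours)"
        else:
            continue  # other group URIs (e.g. LogDelivery) are out of scope here
        if perm in WRITE_PERMISSIONS:
            findings.append(("CRITICAL", who, perm))
        elif perm in READ_PERMISSIONS:
            findings.append(("HIGH", who, perm))
    return findings


# Constructed sample: the owner has full control, the world can list the
# bucket, and every AWS account holder can write objects into it.
SAMPLE_ACL = {
    "Owner": {"ID": "EXAMPLE-OWNER-CANONICAL-ID"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-CANONICAL-ID"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS}, "Permission": "WRITE"},
    ],
}

if __name__ == "__main__":
    for severity, who, perm in audit_acl(SAMPLE_ACL):
        print(f"{severity}: {perm} granted to {who}")
    # Live bucket: audit_acl(boto3.client("s3").get_bucket_acl(Bucket=name))
```

Run against each bucket in an account, any CRITICAL finding means a third party can add or replace objects, which is the write exposure behind the man-in-the-middle scenario above.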
Addressing misconfigurations in your organisation
The threat that misconfigured systems pose means that all organisations should be concerned. Any employee responsible for configuring buckets, or any other system, should carefully read the documentation before doing so. Configuration instructions for Amazon buckets are available online.
These companies almost certainly won’t be the last to make this mistake. Data breaches can be damaging at the best of times, but they are particularly frustrating and embarrassing when the vulnerability is so easy to resolve. All organisations need to acknowledge the importance of configuration, and that should begin by conducting regular network penetration tests. These will identify misconfigured software, firewalls and operating systems, allowing organisations to promptly resolve any issues.
Network penetration tests also identify unused or insecure network protocols and unpatched operating systems, applications and server management systems.