Cloud Security: The Ugly Truth and the Beautiful Lie

Vincent Le
Aug 3, 2018

Welcome back to the second installment of Team Snow White’s weekly blog post. Our team’s focus this week will be on the raw numbers behind cloud security and how we will be using those numbers to build our project. This blog post will go over some of the most dangerous breaches on a variety of cloud service providers and show you, valued reader, the ugly truth of security in the cloud space.

Source: http://fstopspot.com

Nothing is Safe

If any industry ever claimed that they are completely safe from cyber attacks, they are lying. Cyber criminals and hackers are finding new avenues of attack every day, so much so that organizations are being bombarded with attacks continuously one after the other with no end in sight.

To no one’s surprise, the use of technology is increasing rapidly and an abundance of personal information has never been more readily available. Hackers rejoice: the stars have aligned for people’s credentials to be compromised and, unfortunately, clouds are caught up in the storm.

My credentials can’t be compromised in Cloud, right? — They can.

Let’s take a look at some examples…

FedEx on AWS S3

A total of 116,000 compromised scanned documents. This includes passports, driver’s licenses, security IDs and more.

How? — An unsecured, open S3 Server belonging to Bongo International, a company which was acquired by FedEx in 2014. The company did not configure their user permissions and access control privileges correctly. The company was advised to update their IAM policies and bucket policies.

Tesla on AWS Kubernetes

Hundreds of unsecured Kubernetes administration consoles on Tesla’s AWS environment were discovered by RedLock Cloud Security Intelligence (CSI) to have been cryptojacked. Crypto mining scripts were being run in Tesla’s cloud environment.

How? — One Kubernetes console was not password protected. From there, hackers were able to gain access credentials to an S3 Bucket which included sensitive information. Cryptominers were then able to write scripts in the cloud environment and were also able to use sophisticated evasion measures to prevent being detected. For instance, the hackers configured their mining software to be harder to detect by having the software listen on a non-standard port.

DropBox

68 million user account emails and passwords were stolen and sold for bitcoins on the dark web.

How? — The company claims that one of its employees’ accounts was compromised by spammers, revealing a document which contained sensitive user account information.

U.S. Voter Records on AWS S3

The personal information of 198 million American voters was found in a cloud server owned by Deep Root Analytics, a Republican data firm. Names, dates of birth, home addresses, phone numbers, voter registration details, and even voter ethnicities and religions were exposed.

How? — Investigation is still ongoing; however, this is not the first time voters have had their information compromised. 191 million voter records were exposed in late 2015 and another 154 million records were leaked a year later. This seems to be a common occurrence for Deep Root. Very alarming.

Deloitte on Microsoft Azure

Deloitte, one of the world’s “Big Four” consulting and accounting firms, had a breach that may have compromised 244,000 staff members on Microsoft’s Azure cloud.

How? — Although the breach is still being kept under wraps while an investigation is going on, it is speculated that the reason the breach happened is that someone did not use two factor authentication. Attackers were then able to gain access to information from Deloitte’s major corporate and government clients in the US.

Problems and Patterns

Valued reader, do you see a problem? Is it not strange that our personal information is so easily accessible? How is our privacy so easily breached? I challenge you, valued reader, to think about why that is. Where are the same advocates for privacy that haunted Zuckerberg’s Facebook or Amazon Echo’s Alexa? How can any one of us claim to be patrons of privacy when 198 million American voters’ private information is in the hands of hackers? Are people merely at the whims of hackers and cyber criminals alike?

At the end of the day, culturally, society just isn’t there yet. That’s the truth. Society does not have the same sense of immediate urgency as security professionals. It is also fairly common for the regular working person to think: there are so many people on the internet! It’ll never be me.

Pseudo-security. With this dangerous thought process, how could anyone keep organizations, corporations, and companies accountable? Companies don’t have incentive to invest more into security, especially since it is hard to see the benefits of security when they think that they are safe. These companies fall victim to what is called security through obscurity, the idea that nobody will ever find your password, but nothing is ever safe, and that’s the truth.

Let’s humor the thought of real security.

How did all these breaches even happen? To put it simply, humans are humans and humans are not perfect. Taking a look back on all the big breaches that happened in cloud environments, a clear pattern is formed: All of the breaches were caused by some form of human error.

Be that as it may, these breaches are not meant to discourage security professionals or even call for a cultural revolution. Rather, everyone must understand two distinctions: First, everyone makes mistakes, even professionals. Second, mindsets are slow to change and it will likely take a very long time for society to adopt a security mindset. The future should not be scary; the future should be secure.

Implementation

Team Snow White has done extensive research on different breaches and intrusions and is working diligently on developing a tool that allows users to scan through their own Amazon S3 Buckets for insecurities. (For more on that, check out our blog post from last week here!) The tool’s objective is to give users more instruction on how to secure their own S3 Bucket, specifically instructions that help users avoid mistakes that lead to major breaches.

Understanding the impact of breaches and how dangerous they were gave the team three important things:

  1. A sense of urgency
  2. Understanding what our tool should include
  3. Insight on security in the Cloud environment

The team is using this information to decide and prioritize what our tool should include. It is important to the team that our tool is able to catch user mistakes that could potentially lead to a catastrophe.
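One check a scanner of this kind could run, given as an added example (it is not Team Snow White's tool): it flags bucket-policy statements and ACL grants that open a bucket to everyone, the permissions mistake described in the FedEx case above. The function names and the sample policy and ACL documents are constructed for illustration; their shapes follow the S3 GetBucketPolicy and GetBucketAcl responses.

```python
import json

# Group URIs that S3 ACLs use for "everyone" and "any AWS account holder".
G = "http://acs.amazonaws.com/groups/global/"
PUBLIC_GROUPS = {G + "AllUsers": "anyone on the internet",
                 G + "AuthenticatedUsers": "any AWS account"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_wildcard(principal):
    # Principal may be "*", {"AWS": "*"} or {"AWS": ["*", ...]}.
    values = principal.values() if isinstance(principal, dict) else [principal]
    return any("*" in _as_list(v) for v in values)

def audit_policy(policy_json):
    """Return findings for Allow statements open to every principal."""
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_wildcard(stmt.get("Principal")):
            continue
        # A Condition (source IP, VPC endpoint) may narrow access: review, don't assume.
        level = "REVIEW" if stmt.get("Condition") else "PUBLIC"
        actions = ", ".join(_as_list(stmt.get("Action", "?")))
        findings.append(f"{level}: policy allows {actions} to any principal")
    return findings

def audit_acl(acl):
    """Return findings for ACL grants to the global groups."""
    grants = [(g.get("Permission"), PUBLIC_GROUPS.get(g.get("Grantee", {}).get("URI")))
              for g in acl.get("Grants", [])]
    return [f"PUBLIC: ACL grants {perm} to {who}" for perm, who in grants if who]

# Constructed sample input, shaped like S3 GetBucketPolicy / GetBucketAcl responses.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": ["s3:ListBucket"],
     "Resource": "arn:aws:s3:::example-bucket",
     "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner-id"},
     "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": G + "AllUsers"}, "Permission": "READ"}]}

if __name__ == "__main__":
    print("\n".join(audit_policy(SAMPLE_POLICY) + audit_acl(SAMPLE_ACL)))
```

Against a live account, the policy string and grant list would come from boto3's `get_bucket_policy` and `get_bucket_acl` calls instead of the embedded samples.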

Thoughts

In a perfect world, no one would have the need to lock their doors. The beautiful lie. In a perfect world, no company would have to secure themselves from criminals. The beautiful lie. In a perfect world, no credentials or personal information would be compromised. The beautiful lie.

Source: https://broadwaylocksmith.com/tips-tricks-prevent-getting-locked/

The ugly truth? Security matters.

Watch out for our next post soon!
