Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud Security

5/22/2018
08:05 AM
Scott Ferguson
Scott Ferguson
News Analysis-Security Now
50%
50%

TeenSafe Data Leak Shows Cloud Security Weaknesses

The news that TeenSafe, which allows parents to monitor the activity of their children's phone use, leaked personal info that shows some of the issues with moving so much sensitive data into the cloud.

The news that TeenSafe, a service that allows anxious parents to monitor the use of their children's smartphones, has been leaking data of adults and teens alike, seems like a typical data-breach case.

However, the story also contains some vital lessons for enterprise security pros and those businesses that are increasingly reliant on moving large amounts of data to the cloud.

The issue started when security researcher Robert Wiggins noticed that the TeenSafe service had at least two leaky servers. The servers were hosted on Amazon Web Services and were left unprotected and accessible to anyone without a password, according to ZDNet, which first reported the issue on May 20.

The TeenSafe service allows parents to monitor phone calls, location of the devices, as well as web browsing history -- itself a wealth of personal information.

The database that ZDNet discovered did contain the parent's email address, the corresponding child's Apple ID and email, the device name, as well as plaintext passwords. Since two-factor authentication needs to be disabled for the service to work, someone from the outside would have no trouble matching the emails, IDs and passwords.

This in itself is pretty bad security, but it also seems that TeenSafe did not factor in good, cloud computing practices either and this is where the lessons lie for others entrusting their infrastructure, applications or data to AWS, Microsoft Azure or one of the other big players.

In general, the trend of most service level agreements (SLAs) is that the cloud provider is responsible for the security and integrity of the infrastructure, whether that's infrastructure-as-a-service (IaaS) or software-as-a-service (SaaS), but the customer -- in this case TeenSafe -- is responsible for the data from its customers. (See As Public Cloud Use Increases, So Does Data Theft.)

In an email, Chris Morales, head of security analytics at San Jose-based Vectra, noted the shared responsibility of security when it comes to cloud, and that TeenSafe clearly neglected its end of the bargain.

He notes that it's a poor security practice to store a parent's email address that is associated with their child's Apple ID email address, along with the child's device name, unique identifier and plaintext passwords for the child's Apple ID in the cloud without proper security controls.

"Cloud is a shared responsibility and as a provider of a cloud service, TeenSafe is responsible for securing their customer's information in the cloud," Morales writes. "Even if this server was on-premises at TeenSafe within their perimeter security controls, this type of data should be secured with encryption and administrative access controls."

Sanjay Kalra, the co-founder and chief product officer at Lacework, which offers cloud security solutions, noted in an email to Security Now that AWS offers a range of good products, but that customers, in their eagerness to move to the cloud and spin up resources as needed, many times don't have the security skills in place to deal with a cloud-centric world.

"Properly configuring AWS for security requires a new set of skills and understanding of how to manage cloud resources," Kalra wrote. "It is unfortunately too easy to overlook the configuration of AWS resources such as S3 buckets where data is often stored. Hackers have discovered that many organizations have left these buckets open to public access."

Despite the current agreement between provider and customer, Mukul Kumar, the CISO and vice president of Cyber Practice at Cavirin, notes that AWS, Microsoft and others are working to build new security tools for companies that lack these types of skills and expertise. (See AWS Adds Security Management to Growing Portfolio.)

"The cloud providers probably need to do more, and in fact they are moving in this direction, to protect the cloud assets of organizations with little or no expertise," Kumar wrote in an email. "When spinning up on EC2 instance and S3 storage bucket is almost as easy as learning how to ride a bike, the providers need to implement process checks that take into account little or no cloud knowledge."

Related posts:

— Scott Ferguson is the managing editor of Light Reading and the editor of Security Now. Follow him on Twitter @sferguson_LR.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/21/2020
Hacking Yourself: Marie Moe and Pacemaker Security
Gary McGraw Ph.D., Co-founder Berryville Institute of Machine Learning,  9/21/2020
Startup Aims to Map and Track All the IT and Security Things
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-4719
PUBLISHED: 2020-09-24
The client API authentication mechanism in Pexip Infinity before 10 allows remote attackers to gain privileges via a crafted request.
CVE-2020-15604
PUBLISHED: 2020-09-24
An incomplete SSL server certification validation vulnerability in the Trend Micro Security 2019 (v15) consumer family of products could allow an attacker to combine this vulnerability with another attack to trick an affected client into downloading a malicious update instead of the expected one. CW...
CVE-2020-24560
PUBLISHED: 2020-09-24
An incomplete SSL server certification validation vulnerability in the Trend Micro Security 2019 (v15) consumer family of products could allow an attacker to combine this vulnerability with another attack to trick an affected client into downloading a malicious update instead of the expected one. CW...
CVE-2020-25596
PUBLISHED: 2020-09-23
An issue was discovered in Xen through 4.14.x. x86 PV guest kernels can experience denial of service via SYSENTER. The SYSENTER instruction leaves various state sanitization activities to software. One of Xen's sanitization paths injects a #GP fault, and incorrectly delivers it twice to the guest. T...
CVE-2020-25597
PUBLISHED: 2020-09-23
An issue was discovered in Xen through 4.14.x. There is mishandling of the constraint that once-valid event channels may not turn invalid. Logic in the handling of event channel operations in Xen assumes that an event channel, once valid, will not become invalid over the life time of a guest. Howeve...