Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud Security

5/22/2018
08:05 AM
Scott Ferguson
Scott Ferguson
News Analysis-Security Now
50%
50%

TeenSafe Data Leak Shows Cloud Security Weaknesses

The news that TeenSafe, which allows parents to monitor the activity of their children's phone use, leaked personal info that shows some of the issues with moving so much sensitive data into the cloud.

The news that TeenSafe, a service that allows anxious parents to monitor the use of their children's smartphones, has been leaking data of adults and teens alike, seems like a typical data-breach case.

However, the story also contains some vital lessons for enterprise security pros and those businesses that are increasingly reliant on moving large amounts of data to the cloud.

The issue started when security researcher Robert Wiggins noticed that the TeenSafe service had at least two leaky servers. The servers were hosted on Amazon Web Services and were left unprotected and accessible to anyone without a password, according to ZDNet, which first reported the issue on May 20.

The TeenSafe service allows parents to monitor phone calls, location of the devices, as well as web browsing history -- itself a wealth of personal information.

(Source: Pixabay)\r\n
(Source: Pixabay)\r\n

The database that ZDNet discovered did contain the parent's email address, the corresponding child's Apple ID and email, the device name, as well as plaintext passwords. Since two-factor authentication needs to be disabled for the service to work, someone from the outside would have no trouble matching the emails, IDs and passwords.

This in itself is pretty bad security, but it also seems that TeenSafe did not factor in good, cloud computing practices either and this is where the lessons lie for others entrusting their infrastructure, applications or data to AWS, Microsoft Azure or one of the other big players.

In general, the trend of most service level agreements (SLAs) is that the cloud provider is responsible for the security and integrity of the infrastructure, whether that's infrastructure-as-a-service (IaaS) or software-as-a-service (SaaS), but the customer -- in this case TeenSafe -- is responsible for the data from its customers. (See As Public Cloud Use Increases, So Does Data Theft.)

In an email, Chris Morales, head of security analytics at San Jose-based Vectra, noted the shared responsibility of security when it comes to cloud, and that TeenSafe clearly neglected its end of the bargain.

He notes that it's a poor security practice to store a parent's email address that is associated with their child's Apple ID email address, along with the child's device name, unique identifier and plaintext passwords for the child's Apple ID in the cloud without proper security controls.

"Cloud is a shared responsibility and as a provider of a cloud service, TeenSafe is responsible for securing their customer's information in the cloud," Morales writes. "Even if this server was on-premises at TeenSafe within their perimeter security controls, this type of data should be secured with encryption and administrative access controls."

Sanjay Kalra, the co-founder and chief product officer at Lacework, which offers cloud security solutions, noted in an email to Security Now that AWS offers a range of good products, but that customers, in their eagerness to move to the cloud and spin up resources as needed, many times don't have the security skills in place to deal with a cloud-centric world.

"Properly configuring AWS for security requires a new set of skills and understanding of how to manage cloud resources," Kalra wrote. "It is unfortunately too easy to overlook the configuration of AWS resources such as S3 buckets where data is often stored. Hackers have discovered that many organizations have left these buckets open to public access."

Despite the current agreement between provider and customer, Mukul Kumar, the CISO and vice president of Cyber Practice at Cavirin, notes that AWS, Microsoft and others are working to build new security tools for companies that lack these types of skills and expertise. (See AWS Adds Security Management to Growing Portfolio.)

"The cloud providers probably need to do more, and in fact they are moving in this direction, to protect the cloud assets of organizations with little or no expertise," Kumar wrote in an email. "When spinning up on EC2 instance and S3 storage bucket is almost as easy as learning how to ride a bike, the providers need to implement process checks that take into account little or no cloud knowledge."

Related posts:

— Scott Ferguson is the managing editor of Light Reading and the editor of Security Now. Follow him on Twitter @sferguson_LR.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
News
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Commentary
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-16632
PUBLISHED: 2021-05-15
A XSS Vulnerability in /uploads/dede/action_search.php in DedeCMS V5.7 SP2 allows an authenticated user to execute remote arbitrary code via the keyword parameter.
CVE-2021-32073
PUBLISHED: 2021-05-15
DedeCMS V5.7 SP2 contains a CSRF vulnerability that allows a remote attacker to send a malicious request to to the web manager allowing remote code execution.
CVE-2021-33033
PUBLISHED: 2021-05-14
The Linux kernel before 5.11.14 has a use-after-free in cipso_v4_genopt in net/ipv4/cipso_ipv4.c because the CIPSO and CALIPSO refcounting for the DOI definitions is mishandled, aka CID-ad5d07f4a9cd. This leads to writing an arbitrary value.
CVE-2021-33034
PUBLISHED: 2021-05-14
In the Linux kernel before 5.12.4, net/bluetooth/hci_event.c has a use-after-free when destroying an hci_chan, aka CID-5c4c8c954409. This leads to writing an arbitrary value.
CVE-2019-25044
PUBLISHED: 2021-05-14
The block subsystem in the Linux kernel before 5.2 has a use-after-free that can lead to arbitrary code execution in the kernel context and privilege escalation, aka CID-c3e2219216c9. This is related to blk_mq_free_rqs and blk_cleanup_queue.