Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud Security

5/22/2018
08:05 AM
Scott Ferguson
Scott Ferguson
News Analysis-Security Now
50%
50%

TeenSafe Data Leak Shows Cloud Security Weaknesses

The news that TeenSafe, which allows parents to monitor the activity of their children's phone use, leaked personal info that shows some of the issues with moving so much sensitive data into the cloud.

The news that TeenSafe, a service that allows anxious parents to monitor the use of their children's smartphones, has been leaking data of adults and teens alike, seems like a typical data-breach case.

However, the story also contains some vital lessons for enterprise security pros and those businesses that are increasingly reliant on moving large amounts of data to the cloud.

The issue started when security researcher Robert Wiggins noticed that the TeenSafe service had at least two leaky servers. The servers were hosted on Amazon Web Services and were left unprotected and accessible to anyone without a password, according to ZDNet, which first reported the issue on May 20.

The TeenSafe service allows parents to monitor phone calls, location of the devices, as well as web browsing history -- itself a wealth of personal information.

(Source: Pixabay)\r\n
(Source: Pixabay)\r\n

The database that ZDNet discovered did contain the parent's email address, the corresponding child's Apple ID and email, the device name, as well as plaintext passwords. Since two-factor authentication needs to be disabled for the service to work, someone from the outside would have no trouble matching the emails, IDs and passwords.

This in itself is pretty bad security, but it also seems that TeenSafe did not factor in good, cloud computing practices either and this is where the lessons lie for others entrusting their infrastructure, applications or data to AWS, Microsoft Azure or one of the other big players.

In general, the trend of most service level agreements (SLAs) is that the cloud provider is responsible for the security and integrity of the infrastructure, whether that's infrastructure-as-a-service (IaaS) or software-as-a-service (SaaS), but the customer -- in this case TeenSafe -- is responsible for the data from its customers. (See As Public Cloud Use Increases, So Does Data Theft.)

In an email, Chris Morales, head of security analytics at San Jose-based Vectra, noted the shared responsibility of security when it comes to cloud, and that TeenSafe clearly neglected its end of the bargain.

He notes that it's a poor security practice to store a parent's email address that is associated with their child's Apple ID email address, along with the child's device name, unique identifier and plaintext passwords for the child's Apple ID in the cloud without proper security controls.

"Cloud is a shared responsibility and as a provider of a cloud service, TeenSafe is responsible for securing their customer's information in the cloud," Morales writes. "Even if this server was on-premises at TeenSafe within their perimeter security controls, this type of data should be secured with encryption and administrative access controls."

Sanjay Kalra, the co-founder and chief product officer at Lacework, which offers cloud security solutions, noted in an email to Security Now that AWS offers a range of good products, but that customers, in their eagerness to move to the cloud and spin up resources as needed, many times don't have the security skills in place to deal with a cloud-centric world.

"Properly configuring AWS for security requires a new set of skills and understanding of how to manage cloud resources," Kalra wrote. "It is unfortunately too easy to overlook the configuration of AWS resources such as S3 buckets where data is often stored. Hackers have discovered that many organizations have left these buckets open to public access."

Despite the current agreement between provider and customer, Mukul Kumar, the CISO and vice president of Cyber Practice at Cavirin, notes that AWS, Microsoft and others are working to build new security tools for companies that lack these types of skills and expertise. (See AWS Adds Security Management to Growing Portfolio.)

"The cloud providers probably need to do more, and in fact they are moving in this direction, to protect the cloud assets of organizations with little or no expertise," Kumar wrote in an email. "When spinning up on EC2 instance and S3 storage bucket is almost as easy as learning how to ride a bike, the providers need to implement process checks that take into account little or no cloud knowledge."

Related posts:

— Scott Ferguson is the managing editor of Light Reading and the editor of Security Now. Follow him on Twitter @sferguson_LR.

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Data Breaches Affect the Enterprise
Data breaches continue to cause negative outcomes for companies worldwide. However, many organizations report that major impacts have declined significantly compared with a year ago, suggesting that many have gotten better at containing breach fallout. Download Dark Reading's Report "How Data Breaches Affect the Enterprise" to delve more into this timely topic.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-20859
PUBLISHED: 2021-12-01
ELECOM LAN routers (WRC-1167GST2 firmware v1.25 and prior, WRC-1167GST2A firmware v1.25 and prior, WRC-1167GST2H firmware v1.25 and prior, WRC-2533GS2-B firmware v1.52 and prior, WRC-2533GS2-W firmware v1.52 and prior, WRC-1750GS firmware v1.03 and prior, WRC-1750GSV firmware v2.11 and prior, WRC-19...
CVE-2021-20860
PUBLISHED: 2021-12-01
Cross-site request forgery (CSRF) vulnerability in ELECOM LAN routers (WRC-1167GST2 firmware v1.25 and prior, WRC-1167GST2A firmware v1.25 and prior, WRC-1167GST2H firmware v1.25 and prior, WRC-2533GS2-B firmware v1.52 and prior, WRC-2533GS2-W firmware v1.52 and prior, WRC-1750GS firmware v1.03 and ...
CVE-2021-20861
PUBLISHED: 2021-12-01
Improper access control vulnerability in ELECOM LAN routers (WRC-1167GST2 firmware v1.25 and prior, WRC-1167GST2A firmware v1.25 and prior, WRC-1167GST2H firmware v1.25 and prior, WRC-2533GS2-B firmware v1.52 and prior, WRC-2533GS2-W firmware v1.52 and prior, WRC-1750GS firmware v1.03 and prior, WRC...
CVE-2021-20862
PUBLISHED: 2021-12-01
Improper access control vulnerability in ELECOM routers (WRC-1167GST2 firmware v1.25 and prior, WRC-1167GST2A firmware v1.25 and prior, WRC-1167GST2H firmware v1.25 and prior, WRC-2533GS2-B firmware v1.52 and prior, WRC-2533GS2-W firmware v1.52 and prior, WRC-1750GS firmware v1.03 and prior, WRC-175...
CVE-2021-20863
PUBLISHED: 2021-12-01
OS command injection vulnerability in ELECOM routers (WRC-1167GST2 firmware v1.25 and prior, WRC-1167GST2A firmware v1.25 and prior, WRC-1167GST2H firmware v1.25 and prior, WRC-2533GS2-B firmware v1.52 and prior, WRC-2533GS2-W firmware v1.52 and prior, WRC-1750GS firmware v1.03 and prior, WRC-1750GS...