Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

6/22/2017
02:35 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Cloud Security Lessons from the Voter Data Leak

A poorly configured Amazon S3 bucket that led to a massive data leak could easily happen to any organization not adopting proper cloud security measures.

CORRECTED: In addition to exposing personal data on 198 million American voters, Deep Root Analytics' data leak this week exposed dangerous cloud security missteps that should serve as a cautionary tale for businesses.

The compromised data, millions of records with personal information including birthdates, phone numbers, self-reported racial background, home and mailing addresses, and party affiliation, was stored in an Amazon Web Services S3 bucket storage account owned by Deep Root Analytics, a data analytics firm working on behalf of the Republican National Committee (RNC). 

Deep Root had set its S3 storage bucket files to public instead of private, a mistake which left them viewable to the open Internet.

Most records had permissions to be downloaded, and the files could be accessed without a password, according to UpGuard, which discovered and reported the leak.

Deep Root's data leak can serve as a lesson to businesses planning to make a secure transition to the cloud.

"Amazon, and all cloud service models, are easy to deploy, set up, and manage, but out of the box, they’re not secure by default," says Chris Pierson, chief security officer for Viewpost. Engineers have to go in and choose the access control list for the S3 instance they're setting up, choose to turn on encryption, and select identity and management rights for the S3 bucket.

The incident highlights the hazard of outsourcing, he continues. Businesses planning to outsource services to third parties, as the RNC did with Deep Root, should set up an information assurance program to ensure the right data security policies are in place.

As part of this type of program, businesses vet potential third parties through audits, website scanning, and penetration and vulnerability tests. They should ensure the company storing their data has the right infrastructure, people, and policies in place to secure it. Who can access the data? Is it encrypted?

"The biggest thing the RNC could have done - and I don't know if they did - was ensure they have an information assurance program that is in place, operating, and reviewing the risk third parties have to their organization," he emphasizes. "It's all about risk."

Votiro CEO Itay Glick calls Deep Root's mistake "careless" and explains how any company providing consumer services needs to protect themselves with basic security steps: properly setting default credentials, enabling two-factor authentication, and ensuring a vendor is using encryption.

The data leak could have broader implications if threat actors gain access to the information and use it for microtargeting, a common strategy used among political parties to define and appeal to voters.

"While this data leak is bad, what is worse is the potential of this data falling into the wrong hands," says Steve Malone, director of security product management at Mimecast."[Microtargeting] is an incredibly powerful tool when in the hands of a cybercriminal, who can use this data to implement very targeted spearphishing and social engineering attacks."

This could happen again  

Experts agree this type of leak could be replicated. "Upguard's capabilities can be used by nation-states, cybercriminals, anyone out there," notes Pierson. "As people move more to the cloud, as they don't implement the same security measures and don't implement the same types of controls, there will be data leakage and exposures like this. You can bet cybercriminals will try to expose that."

In general, corporate assets should have the same protection regardless of where they reside, says Anthony Giandomenico, senior security strategist and researcher at Fortinet FortiGuard Labs. Many errors in the data center will carry over to the cloud and be amplified, which is often the result of an "out of sight, out of mind" mentality related to cloud storage.

"As assets move to the cloud, there is the potential to lose visibility," he says. "Also, sometimes, companies that initially move assets to the cloud leave the connections open to the Internet with just a simple password."

Black Hat USA returns to the fabulous Mandalay Bay in Las Vegas, Nevada, July 22-27, 2017. Click for information on the conference schedule and to register.

 

He advises companies define a standard level of security configurations for all assets and use a monitoring process to ensure those assets stay within that set security level.

Many businesses are struggling with who is responsible for securing cloud-based data. A new survey from Barracuda Networks discovered 71% of IT decision-makers feel cloud providers are responsible for customer data in the public cloud, and 66% believe cloud providers are responsible for their applications in the public cloud.

Lack of skilled talent is part of the problem, notes Bufferzone CTO Eyal Dotan. Five years ago, a security engineer's worst fear was a hostile employee might access resources from an internal server. Now the threats are much bigger.

"Now those engineers with that same training are taken into the cloud, and thus into a more hostile public, where your servers can be accessed both by your regular employees or some hacker on the other side of the world," he explains.

"Jumping into the cloud era, they need to be more trained and skilled as they are confronted with larger and more hostile potential threats."

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Joe Stanganelli
100%
0%
Joe Stanganelli,
User Rank: Ninja
6/27/2017 | 11:22:01 AM
Public voter registration info
Of course, what many people fail to realize is that voter-record information for the vast majority of registered voters in the US is already publicly available. Maybe not party records, but certainly name, party registration, residential address, and the like. There are rare exceptions to the general rule of public release of this data (generally, one has to be a victim of domestic violence or the like to get one's information taken out of the public rolls).
97% of Americans Can't Ace a Basic Security Test
Steve Zurier, Contributing Writer,  5/20/2019
TeamViewer Admits Breach from 2016
Dark Reading Staff 5/20/2019
How a Manufacturing Firm Recovered from a Devastating Ransomware Attack
Kelly Jackson Higgins, Executive Editor at Dark Reading,  5/20/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-10855
PUBLISHED: 2019-05-23
Computrols CBAS 18.0.0 mishandles password hashes. The approach is MD5 with a pw prefix, e.g., if the password is admin, it will calculate the MD5 hash of pwadmin and store it in a MySQL database.
CVE-2019-10866
PUBLISHED: 2019-05-23
In the Form Maker plugin before 1.13.3 for WordPress, it's possible to achieve SQL injection in the function get_labels_parameters in the file form-maker/admin/models/Submissions_fm.php with a crafted value of the /models/Submissioc parameter.
CVE-2016-7550
PUBLISHED: 2019-05-23
asterisk 13.10.0 is affected by: denial of service issues in asterisk. The impact is: cause a denial of service (remote).
CVE-2016-8897
PUBLISHED: 2019-05-23
Exponent CMS version 2.3.9 suffers from a sql injection vulnerability in framework/modules/help/controllers/helpController.php.
CVE-2016-8899
PUBLISHED: 2019-05-23
Exponent CMS version 2.3.9 suffers from a Object Injection vulnerability in framework/modules/core/controllers/expCatController.php related to change_cats.