Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

6/22/2017
02:35 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Cloud Security Lessons from the Voter Data Leak

A poorly configured Amazon S3 bucket that led to a massive data leak could easily happen to any organization not adopting proper cloud security measures.

CORRECTED: In addition to exposing personal data on 198 million American voters, Deep Root Analytics' data leak this week exposed dangerous cloud security missteps that should serve as a cautionary tale for businesses.

The compromised data, millions of records with personal information including birthdates, phone numbers, self-reported racial background, home and mailing addresses, and party affiliation, was stored in an Amazon Web Services S3 bucket storage account owned by Deep Root Analytics, a data analytics firm working on behalf of the Republican National Committee (RNC). 

Deep Root had set its S3 storage bucket files to public instead of private, a mistake which left them viewable to the open Internet.

Most records had permissions to be downloaded, and the files could be accessed without a password, according to UpGuard, which discovered and reported the leak.

Deep Root's data leak can serve as a lesson to businesses planning to make a secure transition to the cloud.

"Amazon, and all cloud service models, are easy to deploy, set up, and manage, but out of the box, they’re not secure by default," says Chris Pierson, chief security officer for Viewpost. Engineers have to go in and choose the access control list for the S3 instance they're setting up, choose to turn on encryption, and select identity and management rights for the S3 bucket.

The incident highlights the hazard of outsourcing, he continues. Businesses planning to outsource services to third parties, as the RNC did with Deep Root, should set up an information assurance program to ensure the right data security policies are in place.

As part of this type of program, businesses vet potential third parties through audits, website scanning, and penetration and vulnerability tests. They should ensure the company storing their data has the right infrastructure, people, and policies in place to secure it. Who can access the data? Is it encrypted?

"The biggest thing the RNC could have done - and I don't know if they did - was ensure they have an information assurance program that is in place, operating, and reviewing the risk third parties have to their organization," he emphasizes. "It's all about risk."

Votiro CEO Itay Glick calls Deep Root's mistake "careless" and explains how any company providing consumer services needs to protect themselves with basic security steps: properly setting default credentials, enabling two-factor authentication, and ensuring a vendor is using encryption.

The data leak could have broader implications if threat actors gain access to the information and use it for microtargeting, a common strategy used among political parties to define and appeal to voters.

"While this data leak is bad, what is worse is the potential of this data falling into the wrong hands," says Steve Malone, director of security product management at Mimecast."[Microtargeting] is an incredibly powerful tool when in the hands of a cybercriminal, who can use this data to implement very targeted spearphishing and social engineering attacks."

This could happen again  

Experts agree this type of leak could be replicated. "Upguard's capabilities can be used by nation-states, cybercriminals, anyone out there," notes Pierson. "As people move more to the cloud, as they don't implement the same security measures and don't implement the same types of controls, there will be data leakage and exposures like this. You can bet cybercriminals will try to expose that."

In general, corporate assets should have the same protection regardless of where they reside, says Anthony Giandomenico, senior security strategist and researcher at Fortinet FortiGuard Labs. Many errors in the data center will carry over to the cloud and be amplified, which is often the result of an "out of sight, out of mind" mentality related to cloud storage.

"As assets move to the cloud, there is the potential to lose visibility," he says. "Also, sometimes, companies that initially move assets to the cloud leave the connections open to the Internet with just a simple password."

Black Hat USA returns to the fabulous Mandalay Bay in Las Vegas, Nevada, July 22-27, 2017. Click for information on the conference schedule and to register.

 

He advises companies define a standard level of security configurations for all assets and use a monitoring process to ensure those assets stay within that set security level.

Many businesses are struggling with who is responsible for securing cloud-based data. A new survey from Barracuda Networks discovered 71% of IT decision-makers feel cloud providers are responsible for customer data in the public cloud, and 66% believe cloud providers are responsible for their applications in the public cloud.

Lack of skilled talent is part of the problem, notes Bufferzone CTO Eyal Dotan. Five years ago, a security engineer's worst fear was a hostile employee might access resources from an internal server. Now the threats are much bigger.

"Now those engineers with that same training are taken into the cloud, and thus into a more hostile public, where your servers can be accessed both by your regular employees or some hacker on the other side of the world," he explains.

"Jumping into the cloud era, they need to be more trained and skilled as they are confronted with larger and more hostile potential threats."

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Joe Stanganelli
100%
0%
Joe Stanganelli,
User Rank: Ninja
6/27/2017 | 11:22:01 AM
Public voter registration info
Of course, what many people fail to realize is that voter-record information for the vast majority of registered voters in the US is already publicly available. Maybe not party records, but certainly name, party registration, residential address, and the like. There are rare exceptions to the general rule of public release of this data (generally, one has to be a victim of domestic violence or the like to get one's information taken out of the public rolls).
Data Privacy Protections for the Most Vulnerable -- Children
Dimitri Sirota, Founder & CEO of BigID,  10/17/2019
Sodinokibi Ransomware: Where Attackers' Money Goes
Kelly Sheridan, Staff Editor, Dark Reading,  10/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-18216
PUBLISHED: 2019-10-20
** DISPUTED ** The BIOS configuration design on ASUS ROG Zephyrus M GM501GS laptops with BIOS 313 relies on the main battery instead of using a CMOS battery, which reduces the value of a protection mechanism in which booting from a USB device is prohibited. Attackers who have physical laptop access ...
CVE-2019-18214
PUBLISHED: 2019-10-19
The Video_Converter app 0.1.0 for Nextcloud allows denial of service (CPU and memory consumption) via multiple concurrent conversions because many FFmpeg processes may be running at once. (The workload is not queued for serial execution.)
CVE-2019-18202
PUBLISHED: 2019-10-19
Information Disclosure is possible on WAGO Series PFC100 and PFC200 devices before FW12 due to improper access control. A remote attacker can check for the existence of paths and file names via crafted HTTP requests.
CVE-2019-18209
PUBLISHED: 2019-10-19
templates/pad.html in Etherpad-Lite 1.7.5 has XSS when the browser does not encode the path of the URL, as demonstrated by Internet Explorer.
CVE-2019-18198
PUBLISHED: 2019-10-18
In the Linux kernel before 5.3.4, a reference count usage error in the fib6_rule_suppress() function in the fib6 suppression feature of net/ipv6/fib6_rules.c, when handling the FIB_LOOKUP_NOREF flag, can be exploited by a local attacker to corrupt memory, aka CID-ca7a03c41753.