Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud Security

// // //
5/22/2018
08:05 AM
Scott Ferguson
Scott Ferguson
News Analysis-Security Now

TeenSafe Data Leak Shows Cloud Security Weaknesses

The news that TeenSafe, which allows parents to monitor the activity of their children's phone use, leaked personal info that shows some of the issues with moving so much sensitive data into the cloud.

The news that TeenSafe, a service that allows anxious parents to monitor the use of their children's smartphones, has been leaking data of adults and teens alike, seems like a typical data-breach case.

However, the story also contains some vital lessons for enterprise security pros and those businesses that are increasingly reliant on moving large amounts of data to the cloud.

The issue started when security researcher Robert Wiggins noticed that the TeenSafe service had at least two leaky servers. The servers were hosted on Amazon Web Services and were left unprotected and accessible to anyone without a password, according to ZDNet, which first reported the issue on May 20.

The TeenSafe service allows parents to monitor phone calls, location of the devices, as well as web browsing history -- itself a wealth of personal information.

(Source: Pixabay)\r\n
(Source: Pixabay)\r\n

The database that ZDNet discovered did contain the parent's email address, the corresponding child's Apple ID and email, the device name, as well as plaintext passwords. Since two-factor authentication needs to be disabled for the service to work, someone from the outside would have no trouble matching the emails, IDs and passwords.

This in itself is pretty bad security, but it also seems that TeenSafe did not factor in good, cloud computing practices either and this is where the lessons lie for others entrusting their infrastructure, applications or data to AWS, Microsoft Azure or one of the other big players.

In general, the trend of most service level agreements (SLAs) is that the cloud provider is responsible for the security and integrity of the infrastructure, whether that's infrastructure-as-a-service (IaaS) or software-as-a-service (SaaS), but the customer -- in this case TeenSafe -- is responsible for the data from its customers. (See As Public Cloud Use Increases, So Does Data Theft.)

In an email, Chris Morales, head of security analytics at San Jose-based Vectra, noted the shared responsibility of security when it comes to cloud, and that TeenSafe clearly neglected its end of the bargain.

He notes that it's a poor security practice to store a parent's email address that is associated with their child's Apple ID email address, along with the child's device name, unique identifier and plaintext passwords for the child's Apple ID in the cloud without proper security controls.

"Cloud is a shared responsibility and as a provider of a cloud service, TeenSafe is responsible for securing their customer's information in the cloud," Morales writes. "Even if this server was on-premises at TeenSafe within their perimeter security controls, this type of data should be secured with encryption and administrative access controls."

Sanjay Kalra, the co-founder and chief product officer at Lacework, which offers cloud security solutions, noted in an email to Security Now that AWS offers a range of good products, but that customers, in their eagerness to move to the cloud and spin up resources as needed, many times don't have the security skills in place to deal with a cloud-centric world.

"Properly configuring AWS for security requires a new set of skills and understanding of how to manage cloud resources," Kalra wrote. "It is unfortunately too easy to overlook the configuration of AWS resources such as S3 buckets where data is often stored. Hackers have discovered that many organizations have left these buckets open to public access."

Despite the current agreement between provider and customer, Mukul Kumar, the CISO and vice president of Cyber Practice at Cavirin, notes that AWS, Microsoft and others are working to build new security tools for companies that lack these types of skills and expertise. (See AWS Adds Security Management to Growing Portfolio.)

"The cloud providers probably need to do more, and in fact they are moving in this direction, to protect the cloud assets of organizations with little or no expertise," Kumar wrote in an email. "When spinning up on EC2 instance and S3 storage bucket is almost as easy as learning how to ride a bike, the providers need to implement process checks that take into account little or no cloud knowledge."

Related posts:

— Scott Ferguson is the managing editor of Light Reading and the editor of Security Now. Follow him on Twitter @sferguson_LR.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Black Hat USA 2022 Attendee Report
Black Hat attendees are not sleeping well. Between concerns about attacks against cloud services, ransomware, and the growing risks to the global supply chain, these security pros have a lot to be worried about. Read our 2022 report to hear what they're concerned about now.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2022-38193
PUBLISHED: 2022-08-16
There is a code injection vulnerability in Esri Portal for ArcGIS versions 10.8.1 and below that may allow a remote, unauthenticated attacker to pass strings which could potentially cause arbitrary code execution in a victims browser.
CVE-2022-38194
PUBLISHED: 2022-08-16
In Esri Portal for ArcGIS versions 10.8.1, a system property is not properly encrypted. This may lead to a local user reading sensitive information from a properties file.
CVE-2022-38192
PUBLISHED: 2022-08-16
A stored Cross Site Scripting (XSS) vulnerability in Esri Portal for ArcGIS may allow a remote, authenticated attacker to pass and store malicious strings via crafted queries which when accessed could potentially execute arbitrary JavaScript code in the userâ€â&b...
CVE-2022-38362
PUBLISHED: 2022-08-16
Apache Airflow Docker's Provider prior to 3.0.0 shipped with an example DAG that was vulnerable to (authenticated) remote code exploit of code on the Airflow worker host.
CVE-2022-30264
PUBLISHED: 2022-08-16
The Emerson ROC and FloBoss RTU product lines through 2022-05-02 perform insecure filesystem operations. They utilize the ROC protocol (4000/TCP, 5000/TCP) for communications between a master terminal and RTUs. Opcode 203 of this protocol allows a master terminal to transfer files to and from the fl...