
Amazon cloud backups were found leaking sensitive data, like VPN configurations, passwords



Posted

How safe are your secrets? If you use Amazon’s Elastic Block Store, you might want to check your settings.

New research just presented at the Def Con security conference reveals how companies, startups and governments are inadvertently leaking their own files from the cloud.


You may have heard of exposed S3 buckets: Amazon-hosted storage packed with customer data but often misconfigured and inadvertently set to “public” for anyone to access. But you may not have heard about exposed EBS snapshots, which pose as much risk, if not more.

These Elastic Block Store (EBS) snapshots are the “keys to the kingdom,” said Ben Morris, a senior security analyst at cybersecurity firm Bishop Fox, in a call with TechCrunch ahead of his Def Con talk. An EBS snapshot is a point-in-time copy of a virtual disk, so it holds the operating system, application files and data of the server it was taken from. “They have the secret keys to your applications and they have database access to your customers’ information,” he said.

“When you get rid of the hard disk for your computer, you know, you usually shred or wipe it completely,” he said. “But these public EBS volumes are just left for anyone to take and start poking at.”

He said that all too often cloud admins don’t choose the correct configuration settings, leaving EBS snapshots inadvertently public (the snapshot’s create-volume permission granted to the “all” group, so any AWS account can restore it) and unencrypted. “That means anyone on the internet can download your hard disk and boot it up, attach it to a machine they control, and then start rifling through the disk to look for any kind of secrets,” he said.

Morris built a tool that uses Amazon’s own snapshot search feature, the same API any AWS customer can call, to query and scrape publicly exposed EBS snapshots. It then creates a volume from each one, attaches it to a machine he controls, makes a copy and lists the contents of the volume.

“If you expose the disk for even just a couple of minutes, our system will pick it up and make a copy of it,” he said.

It took him two months and a few hundred dollars in Amazon cloud resources to build up a database of exposed data. Once he validates each snapshot, he deletes the data.

Morris found dozens of snapshots exposed publicly in one region alone, he said, containing application keys, critical user or administrative credentials, source code and more. The owners included several major companies, among them healthcare providers and tech companies.

He also found VPN configurations, which he said could allow him to tunnel into a corporate network. Morris said he did not use any credentials or sensitive data, as doing so would be unlawful.

Among the most damaging finds, Morris said, was a snapshot belonging to a government contractor, which he did not name, that provides data storage services to federal agencies. “On their website, they brag about holding this data,” he said, referring to everything from intelligence collected from messages sent to and from the so-called Islamic State terror group to data on border crossings.

“Those are the kind of things I would definitely not want to be exposed to the public internet,” he said.

He estimates the figure could be as many as 1,250 exposures across all Amazon cloud regions.

Morris plans to release his proof-of-concept code in the coming weeks.

“I’m giving companies a couple of weeks to go through their own disks and make sure that they don’t have any accidental exposures,” he said.

Posted

If you store your backup in AWS, you're fucked up. As simple as that.

Posted
16 minutes ago, Spartan said:

If you store your backup in AWS, you're fucked up. As simple as that.

It’s not economical for a company to maintain two completely different storage methods, like one for backups and another for traditional read/write for ongoing projects.

Posted
25 minutes ago, tacobell fan said:

It’s not economical for a company to maintain two completely different storage methods, like one for backups and another for traditional read/write for ongoing projects.

If you weigh economics against security and compliance, backups should always be stored in a private DC.

If your applications go through an audit, this is the basic criterion.

Posted
2 minutes ago, Spartan said:

If you weigh economics against security and compliance, backups should always be stored in a private DC.

If your applications go through an audit, this is the basic criterion.

A separate DC is different from a vendor solution, you know. A separate DC is basic in enterprise for COB/BCP.

Posted
22 minutes ago, tacobell fan said:

A separate DC is different from a vendor solution, you know. A separate DC is basic in enterprise for COB/BCP.

You depend on the vendor to host your application, but backups must be stored on-premises.

If you hand the backup to the vendor too, then it's all over.

Posted
2 minutes ago, Spartan said:

You depend on the vendor to host your application, but backups must be stored on-premises.

If you hand the backup to the vendor too, then it's all over.

Cloud vendors and AWS are trying to market storage by showing ease-of-use solutions. Even  and Google are providing consumers free storage, including complete phone backups on the cloud. The best example is the latest smartphones: I never depend on cloud backups and always rely on local backups for privacy reasons, but it’s extremely challenging to do as things evolve, and they discourage you from doing it for the sake of convenience.

Posted
Just now, tacobell fan said:

Cloud vendors and AWS are trying to market storage by showing ease-of-use solutions.

No matter how good the solution is, all these kinds of errors happen because of not maintaining proper secure workflows.

This could have been prevented had the organization put in a rule that there is no backup of EBS unless it is encrypted.

A simple config will prevent this. Of course, not all companies have an Org account, so...

Always follow the secure principles.

Just ran a scan check on our org's 1000+ accounts; there are none.
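The exposure the article describes (a snapshot whose create-volume permission grants the “all” group) and the per-account scan mentioned in the post above, as an added example that is not part of the original thread, Bishop Fox's tool or the poster's scan. It assumes boto3 only for the `--live` mode; `FakeEC2`, the snapshot IDs and the descriptions are constructed so the demo runs offline.

```python
"""Audit an AWS account for EBS snapshots that anyone on the internet can restore.

A snapshot is public when its createVolumePermission attribute grants the
group "all": any AWS account can then CreateVolume from it, attach the volume
and read the disk. The functions accept any object exposing the boto3 EC2
client methods used below, so the same code runs against a constructed fake
(offline demo) or a real client (--live).
"""
from __future__ import annotations

import sys
from dataclasses import dataclass

PUBLIC_GROUP = "all"  # the group name AWS uses for "everyone"


@dataclass
class Finding:
    snapshot_id: str
    encrypted: bool
    description: str


def is_public(attr_response: dict) -> bool:
    """True if a DescribeSnapshotAttribute(createVolumePermission) response grants 'all'."""
    perms = attr_response.get("CreateVolumePermissions", [])
    return any(p.get("Group") == PUBLIC_GROUP for p in perms)


def find_public_snapshots(ec2) -> list[Finding]:
    """List snapshots owned by this account that are publicly restorable.

    The paginator matters: accounts with many snapshots span several pages.
    """
    findings: list[Finding] = []
    for page in ec2.get_paginator("describe_snapshots").paginate(OwnerIds=["self"]):
        for snap in page["Snapshots"]:
            attr = ec2.describe_snapshot_attribute(
                SnapshotId=snap["SnapshotId"], Attribute="createVolumePermission"
            )
            if is_public(attr):
                findings.append(
                    Finding(snap["SnapshotId"], snap.get("Encrypted", False), snap.get("Description", ""))
                )
    return findings


def make_private(ec2, snapshot_id: str) -> None:
    """Remove the 'all' grant so only the owning account can restore the snapshot."""
    ec2.modify_snapshot_attribute(
        SnapshotId=snapshot_id,
        Attribute="createVolumePermission",
        OperationType="remove",
        GroupNames=[PUBLIC_GROUP],
    )


class FakeEC2:
    """Constructed stand-in for boto3.client('ec2') so the example runs offline.
    Snapshot IDs and descriptions are made up for the demo."""

    def __init__(self, snapshots: list[dict], public_ids: set[str]):
        self.snapshots = snapshots
        self.public_ids = set(public_ids)

    def get_paginator(self, operation: str):
        assert operation == "describe_snapshots"
        snaps = self.snapshots

        class _Paginator:
            def paginate(self, **_kwargs):
                mid = len(snaps) // 2  # two pages, to exercise pagination
                yield {"Snapshots": snaps[:mid]}
                yield {"Snapshots": snaps[mid:]}

        return _Paginator()

    def describe_snapshot_attribute(self, SnapshotId: str, Attribute: str) -> dict:
        perms = [{"Group": PUBLIC_GROUP}] if SnapshotId in self.public_ids else []
        return {"SnapshotId": SnapshotId, "CreateVolumePermissions": perms, "ProductCodes": []}

    def modify_snapshot_attribute(self, SnapshotId, Attribute, OperationType, GroupNames):
        if OperationType == "remove" and PUBLIC_GROUP in GroupNames:
            self.public_ids.discard(SnapshotId)


# Constructed sample data. AWS does not allow an encrypted snapshot to be made
# public, so only the unencrypted ones appear in the public set.
SAMPLE_SNAPSHOTS = [
    {"SnapshotId": "snap-0a1b2c3d4e5f60001", "Encrypted": False, "Description": "nightly db-prod backup"},
    {"SnapshotId": "snap-0a1b2c3d4e5f60002", "Encrypted": True, "Description": "web tier AMI root"},
    {"SnapshotId": "snap-0a1b2c3d4e5f60003", "Encrypted": False, "Description": "vpn-gw root volume"},
]
SAMPLE_PUBLIC = {"snap-0a1b2c3d4e5f60001", "snap-0a1b2c3d4e5f60003"}


def demo() -> list[str]:
    """Audit the fake account, remediate, and return the IDs that were public."""
    ec2 = FakeEC2(SAMPLE_SNAPSHOTS, SAMPLE_PUBLIC)
    found = find_public_snapshots(ec2)
    for f in found:
        make_private(ec2, f.snapshot_id)
    assert find_public_snapshots(ec2) == []  # remediation verified
    return sorted(f.snapshot_id for f in found)


if __name__ == "__main__":
    if "--live" in sys.argv:
        import boto3  # credentials and region come from the environment

        for f in find_public_snapshots(boto3.client("ec2")):
            print(f"PUBLIC {f.snapshot_id} encrypted={f.encrypted} {f.description!r}")
    else:
        print("public snapshots in demo account:", demo())
```

Run it per region (EBS snapshots are regional), and for an organization wrap the call in role assumption per member account. The same check is visible from outside your account as `aws ec2 describe-snapshots --restorable-by-user-ids all`, which is how a scraper finds your snapshots in the first place. For prevention rather than cleanup, `aws ec2 enable-ebs-encryption-by-default` makes new volumes, and therefore their snapshots, encrypted, and encrypted snapshots cannot be shared publicly; AWS later added an account-level block-public-access setting for snapshots as well.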

Posted

Nothing is secret once you upload anything to the internet (cloud, social media, etc.).
