Workload and Application Security Blog

7% of all Amazon S3 web servers exposed to Cybersecurity Breaches

Written by Virsec | Sep 28, 2017 5:58:28 PM
SC Magazine, September 28, 2017

One possible explanation for so many recent data exposures is the finding that 7 percent of Amazon S3 storage buckets (the "servers" of the headline) have been open and accessible online, meaning that the private information they hold from all manner of companies and their customers, including personally identifiable information (PII), has been available for the taking. The apparent cause is that the companies using them left portions configured to allow public access, which lets anyone who knows the bucket's URL view and download the data stored there. Roughly a third of that content is believed to be unencrypted.

Amazon S3 customers can easily misconfigure access controls on their buckets, either through their own oversight or by assuming the hosting service covers something that it does not cover by default. (If you are an Amazon S3 user, you might want to check your settings ASAP.)

Some customers assume that a bucket URL nobody has published is safe because it is unknown, but unknown does not mean unknowable. Bucket URLs can be discovered in several ways, including attackers using man-in-the-middle ("MitM") or brute-force attacks against corporate networks and domains; bucket names also tend to appear in web page source and application code that references them. And employees who know the URLs can leak them, knowingly or unknowingly.
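The two misconfigurations described above (a bucket ACL granting access to everyone, and a bucket policy allowing any principal) are both visible in documents you can pull from your own account. The following is an added example, not code from the original article or from Virsec, showing how to audit those documents for public exposure. It works on the dictionary shape that boto3's `get_bucket_acl` returns and on the JSON string that `get_bucket_policy` returns, but it is written to run offline against constructed sample documents; the bucket names, owner ID and account number in the samples are made up.

```python
import json

# Group URIs that make an ACL grant public. AllUsers is anonymous access;
# AuthenticatedUsers is any AWS account in the world, which is effectively public too.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def public_acl_grants(acl):
    """Return [(permission, group)] for each ACL grant to a public group.

    `acl` has the shape returned by boto3's s3.get_bucket_acl(Bucket=...).
    """
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI", "")
        if grantee.get("Type") == "Group" and uri in PUBLIC_GROUP_URIS:
            findings.append((grant["Permission"], uri.rsplit("/", 1)[-1]))
    return findings


def _principal_is_wildcard(principal):
    """True when a policy statement applies to any principal at all."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_policy_statements(policy):
    """Return Allow statements whose Principal is a wildcard.

    `policy` is the JSON string from s3.get_bucket_policy(...)["Policy"]; a parsed
    dict is accepted too. Each finding records whether a Condition is present,
    because a Condition may narrow "*" (for example to one VPC endpoint) and so
    deserves manual review rather than an automatic "public" verdict.
    """
    doc = json.loads(policy) if isinstance(policy, str) else policy
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    findings = []
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow" or not _principal_is_wildcard(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        findings.append({
            "sid": stmt.get("Sid", "statement[%d]" % i),
            "actions": [actions] if isinstance(actions, str) else list(actions),
            "conditioned": "Condition" in stmt,
        })
    return findings


def audit_bucket(name, acl, policy=None):
    """Combine both checks into one verdict: public if any ACL grant is public
    or any wildcard Allow statement has no Condition at all."""
    acl_findings = public_acl_grants(acl)
    policy_findings = public_policy_statements(policy) if policy else []
    unconditioned = [f for f in policy_findings if not f["conditioned"]]
    return {
        "bucket": name,
        "public": bool(acl_findings) or bool(unconditioned),
        "acl_grants": acl_findings,
        "policy_statements": policy_findings,
    }


# Constructed sample documents (hypothetical buckets, not real ones).
EXPOSED_ACL = {
    "Owner": {"ID": "example-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}
EXPOSED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-exposed-bucket/*"}],
})
PRIVATE_ACL = {
    "Owner": {"ID": "example-owner-id"},
    "Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"}, "Permission": "FULL_CONTROL"}],
}
PRIVATE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AppRoleOnly", "Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::123456789012:role/example-app"},
                   "Action": ["s3:GetObject", "s3:PutObject"],
                   "Resource": "arn:aws:s3:::example-private-bucket/*"}],
})

if __name__ == "__main__":
    for name, acl, pol in [("example-exposed-bucket", EXPOSED_ACL, EXPOSED_POLICY),
                           ("example-private-bucket", PRIVATE_ACL, PRIVATE_POLICY)]:
        print(json.dumps(audit_bucket(name, acl, pol), indent=2))
```

To run this against a real account, feed `audit_bucket` the results of `get_bucket_acl` and `get_bucket_policy` for each bucket in `list_buckets` (a bucket with no policy raises `NoSuchBucketPolicy`, which should be treated as "no policy", not as an error). Note that a wildcard principal behind a Condition is reported but not counted as public, since the condition may legitimately restrict access; review those by hand. Object-level ACLs can also expose individual objects even when the bucket itself passes this check.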

Some of the recent leaks that could be a result of these Amazon S3 server exposures include:

  • Personal details of 198 million American voters
  • Verizon partner (records of over 14 million Verizon customers: names, addresses and, in some cases, PINs)
  • Booz Allen Hamilton defense contractor (60,000 files, containing employee security information and passwords)
  • WWE fans, over 3 million users
  • Dow Jones leak of personal info of 2.2 million customers

It's very easy for someone to fire up a server on Amazon to store company information on it and just leave it in a default, unprotected mode, Virsec Systems Vice President of Marketing Willy Leichter told SC Media.

“Most enterprises have strict rules on who can set up a physical server, but with AWS, it’s wide open,” Leichter said. “IT security teams need to regain control and treat any server – physical or virtual – as a sensitive asset, monitoring security settings, validating applications, and ensuring compliance.”