Saturday 30 March 2013

What a BIG mistake: how private matters became public on the Amazon cloud!

Companies that use Amazon's popular cloud computing service have accidentally disclosed confidential information including sales records and source code, highlighting the risks of moving sensitive data to the Web, according to new research. Rapid7, a Boston-based security firm, said that it found more than 126 billion files posted online belonging to customers of Amazon Simple Storage Service, or Amazon S3, earlier this year.

Rapid7 analyzed more than 40,000 of the files, most of which contained sensitive data, the company said. Among its findings were sales records from a large auto dealership, source code for a mobile gaming company and spreadsheets containing employees' personal information and member lists.

Rapid7 said the documents were public because many of Amazon's customers overrode a key security mechanism intended to keep such information private, likely by accident as the result of poorly designed third-party management software.

It's often the case with security: simple mistakes can splash confidential data all over the Internet, such as when South Carolina failed to encrypt Social Security numbers in its tax systems and lost millions of records to Russian hackers, or when a low-level employee at RSA pulled an e-mail message out of the junk folder and opened it, allowing in attackers who stole critical data from the security firm.

In the cloud, it's an especially acute concern for companies worried about losing control of their data. Spending on cloud technologies will surpass $130 billion this year, according to Gartner Inc.

"Cloud hosting and cloud storage is all the rage, but there are still some common pitfalls that many organizations overlook," Will Vandevanter, a Rapid7 researcher, wrote in a blog post.

Amazon said in a statement that the issue did not involve a vulnerability in its service and that the company's technicians routinely reach out to customers to help with misconfigurations. "Amazon S3 provides authentication mechanisms to secure data stored in Amazon S3 against unauthorized access," the statement said. "Unless the customer specifies otherwise, only the AWS account owner can access data uploaded to Amazon S3."

The companies affected were not publicly identified, and after Rapid7 alerted Amazon to its research, many of the files were no longer visible.

The issue Rapid7 discovered was that many Amazon cloud customers disabled the default "private" setting on the "buckets" used to store data in Amazon S3, which is part of Amazon Web Services. Many of the documents in the public buckets were marked "confidential" or "private," and much of the information could be used to break into online accounts or hack into the companies' computer networks, according to the report.

HD Moore, chief security officer of Rapid7, alerted Amazon of the issue in January. The e-commerce giant then notified customers of the findings and has been "extremely responsive," Rapid7 said.
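The misconfiguration the article describes is concrete: a bucket whose ACL grants a permission to the pre-defined AllUsers or AuthenticatedUsers group, or whose bucket policy allows actions to any principal. The following is an added example (not code from the article, from Rapid7 or from Amazon) of how an account owner can audit their own buckets for exactly that. It works on plain dictionaries in the shape that boto3's `s3.get_bucket_acl(Bucket=...)` and `json.loads(s3.get_bucket_policy(Bucket=...)["Policy"])` return; the sample ACLs and policy embedded below are constructed for illustration, and `example-bucket`, `private-bucket` and the owner ID are placeholders, not real resources.

```python
"""Flag S3 buckets whose ACL or bucket policy grants access to everyone.

Added example, not part of the original article. The sample inputs are
constructed by hand in the shape boto3 returns from get_bucket_acl and
get_bucket_policy, so the checks run offline; in practice feed in real
responses from those calls for every bucket in the account.
"""
import json

# Pre-defined S3 groups that make an ACL grant public. READ on a bucket ACL
# lets the grantee list the bucket, which is how public buckets get found.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers (anyone on the Internet)",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers (any AWS account)",
}


def public_acl_grants(acl):
    """Return (group, permission) pairs in an ACL that grant access to a public group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS:
            findings.append((PUBLIC_GROUP_URIS[grantee["URI"]], grant.get("Permission")))
    return findings


def _principal_is_everyone(principal):
    # A Principal of "*" or {"AWS": "*"} (or a list containing "*") means anyone.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        return "*" in aws
    return False


def public_policy_statements(policy):
    """Return (Sid-or-index, actions, has_condition) for each Allow statement open to any principal.

    A Condition block may narrow such a statement (for example to one VPC), so the
    flag is reported rather than used to suppress the finding; a human reviews it.
    """
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") == "Allow" and _principal_is_everyone(stmt.get("Principal")):
            actions = stmt.get("Action", [])
            actions = [actions] if isinstance(actions, str) else actions
            findings.append((stmt.get("Sid", "statement-%d" % i), actions, "Condition" in stmt))
    return findings


def audit_bucket(name, acl, policy):
    """Combine both checks into one record a scanner could emit per bucket."""
    return {
        "bucket": name,
        "public_acl_grants": public_acl_grants(acl),
        "public_policy_statements": public_policy_statements(policy or {}),
    }


# --- constructed sample data (placeholder names, not from any real account) ---
# The misconfiguration from the article: owner added READ for AllUsers.
SAMPLE_ACL_PUBLIC = {
    "Owner": {"ID": "exampleowner"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "exampleowner"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}
# The default S3 sets: only the bucket owner has access.
SAMPLE_ACL_PRIVATE = {
    "Owner": {"ID": "exampleowner"},
    "Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "exampleowner"}, "Permission": "FULL_CONTROL"}],
}
# A bucket policy that makes every object readable by anyone.
SAMPLE_POLICY_PUBLIC = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "PublicRead",
    "Effect": "Allow",
    "Principal": "*",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-bucket/*"
  }]
}""")

if __name__ == "__main__":
    for name, acl, pol in [("example-bucket", SAMPLE_ACL_PUBLIC, SAMPLE_POLICY_PUBLIC),
                           ("private-bucket", SAMPLE_ACL_PRIVATE, None)]:
        print(json.dumps(audit_bucket(name, acl, pol), indent=2))
```

Two caveats when running this against a real account: `get_bucket_policy` raises an error when a bucket has no policy at all, so catch that and pass `None`; and object-level ACLs can make individual objects public even when the bucket ACL and policy are clean, so a full audit also samples object ACLs. Accounts created today can also switch on S3's account-level "Block Public Access" settings, which refuse such grants up front instead of finding them after the fact.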
