Personally identifiable information, proprietary source code, confidential employee contracts, even human genome sequences – these are just a few examples of sensitive data collected by a security firm examining a feature of Amazon’s web services.
“We were very surprised with both the amount and the sensitivity of the data that was shared publicly,” NVTEH CEO Ivo Ugrina told us.
Since launching AWS a little over a decade ago, Amazon has made commendable efforts to provide quality training for companies looking to implement its cloud computing solutions into their already existing IT infrastructure.
But despite these attempts, it’s still extremely easy for uninformed users to make costly mistakes – mistakes that could not only cost a business millions of dollars, but also leave invaluable data vulnerable to breaches.
As a consultant for cloud solutions, Croatian firm NVTEH is no stranger to the shocking scale of neglect behind internal data protection measures affecting both nascent startups and seasoned Fortune 500 listers.
“The problem of neglect is a serious problem that can lead to huge losses,” Ugrina said.
“Using cloud services inherently means storing data on computers you don’t own. Mistakes made in the cloud are therefore more likely to become public and the impact can range from inconvenience to loss of customer data,” Ugrina continued.
One thing that particularly annoyed the Croatian cloud expert was the careless way in which some companies relied on Elastic Block Store (EBS) snapshots to share sensitive information between employees and with partners.
For those unfamiliar with the subject, EBS provides highly available block-level storage volumes for use with Elastic Compute Cloud (EC2) instances.
In a way, the relationship between EC2 and EBS is similar to that between a server and a hard drive: Think of EC2 instances as virtual servers and EBS volumes as the virtual hard drives that power those servers.
Like hard drives, EBS volumes have their own backup system, known within AWS as EBS snapshots. Snapshots are point-in-time backups of EBS volumes that function virtually like copies of the data stored on those volumes.
“If you want to back up the data on your EC2 instance, you probably want to create EBS snapshots of the EBS volumes attached to the instance,” says Neven Vucinic, NVTEH Research Manager. “Users with appropriate access can then copy your snapshot and create their own EBS volumes based on your snapshot, while your original snapshot is unaffected.”
In other words, if you get your hands on an EBS snapshot, you have access to all the data stored on that “hard drive”.
What makes EBS snapshots particularly convenient for sharing data is the ease and speed of their retrieval. That’s why Amazon has included the feature to share snapshots between users – and even the ability to do so publicly.
As NVTEH points out, while Amazon has good reason to include the ability to create easily accessible public snapshots, the internet giant seems well aware of the dangers associated with the move. Indeed, the company explicitly addresses this risk in its Documentation:
“When you share a snapshot (whether by sharing it with another AWS account or making it public to everyone), you give others access to all of the data in the snapshot. Share snapshots only with people you want to share all of your instance data with.”
It seems, however, that not all AWS users are following that advice. “Unfortunately, there are dozens of publicly created EBS snapshots daily that contain types of data that shouldn’t be publicly available,” Ugrina tells us.
In an effort to warn users of the dangers of recklessly sharing unencrypted EBS snapshots publicly, the consulting firm has come to the conclusion that the best way to raise awareness is to deliberately play the villainous role.
In preparation for this move, NVTEH developed an AI-based tracking system that would automatically monitor AWS and send notifications whenever it detected that someone had shared a public EBS snapshot.
It also refined the algorithm to specifically probe snapshots containing potentially sensitive data.
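The mechanism described above (a snapshot’s createVolumePermission attribute, which can grant specific account IDs or the group “all”) is also what an organisation can check on its own side before a research team finds the leak for it. The following audit script is an added example, not NVTEH’s monitoring system or any AWS-provided tool. It takes the data shapes returned by the real boto3 calls describe_snapshots and describe_snapshot_attribute, classifies each of the account’s own snapshots (public, shared with named accounts, private but unencrypted), and prints the AWS CLI command that revokes public access. The snapshot IDs and account ID in the sample are constructed so the classification logic runs offline; the live wrapper at the bottom needs boto3 and AWS credentials.

```python
"""Audit an AWS account's own EBS snapshots for public or third-party sharing.

Added example (not NVTEH's tool). The pure classification logic runs on
constructed sample data; audit_live_account() performs the real API calls
and is only invoked when the script is run directly with credentials.
"""
from dataclasses import dataclass, field


@dataclass
class Finding:
    snapshot_id: str
    public: bool                 # createVolumePermission contains Group=all
    encrypted: bool              # Encrypted flag from describe_snapshots
    shared_with: list = field(default_factory=list)  # account IDs granted access

    @property
    def severity(self) -> str:
        # Any AWS account can copy a public snapshot and mount it as a volume,
        # which is exactly the exposure described in the article.
        if self.public:
            return "critical"
        # Sharing with named accounts is legitimate but should be reviewed.
        if self.shared_with:
            return "review"
        # Private but unencrypted: not exposed, but a later accidental share
        # would leak plaintext, so flag it for encryption-by-default.
        if not self.encrypted:
            return "info"
        return "ok"


def classify(snapshots, permissions):
    """snapshots: the 'Snapshots' list from describe_snapshots().
    permissions: {snapshot_id: 'CreateVolumePermissions' list from
                  describe_snapshot_attribute(Attribute='createVolumePermission')}.
    Returns findings sorted worst-first, then by snapshot ID."""
    findings = []
    for snap in snapshots:
        sid = snap["SnapshotId"]
        perms = permissions.get(sid, [])
        public = any(p.get("Group") == "all" for p in perms)
        shared = sorted(p["UserId"] for p in perms if "UserId" in p)
        findings.append(Finding(sid, public, bool(snap.get("Encrypted")), shared))
    order = {"critical": 0, "review": 1, "info": 2, "ok": 3}
    return sorted(findings, key=lambda f: (order[f.severity], f.snapshot_id))


def remediation(finding):
    """Return the AWS CLI command that removes public access, or '' if not needed."""
    if not finding.public:
        return ""
    return (
        "aws ec2 modify-snapshot-attribute --snapshot-id {} "
        "--attribute createVolumePermission --operation-type remove "
        "--group-names all".format(finding.snapshot_id)
    )


# Constructed sample, shaped like the boto3 responses (IDs are made up).
SAMPLE_SNAPSHOTS = [
    {"SnapshotId": "snap-0a1b2c3d4e5f60001", "Encrypted": False, "Description": "db backup"},
    {"SnapshotId": "snap-0a1b2c3d4e5f60002", "Encrypted": True, "Description": "app server"},
    {"SnapshotId": "snap-0a1b2c3d4e5f60003", "Encrypted": False, "Description": "scratch"},
]
SAMPLE_PERMISSIONS = {
    "snap-0a1b2c3d4e5f60001": [{"Group": "all"}],             # public
    "snap-0a1b2c3d4e5f60002": [{"UserId": "123456789012"}],   # shared with one account
    "snap-0a1b2c3d4e5f60003": [],                             # private
}


def audit_live_account(region="us-east-1"):
    """Run the same classification against the caller's own account.
    Only the account's own snapshots are listed (OwnerIds=['self'])."""
    import boto3  # imported here so the offline sample needs no AWS SDK
    ec2 = boto3.client("ec2", region_name=region)
    snaps = []
    for page in ec2.get_paginator("describe_snapshots").paginate(OwnerIds=["self"]):
        snaps.extend(page["Snapshots"])
    perms = {
        s["SnapshotId"]: ec2.describe_snapshot_attribute(
            SnapshotId=s["SnapshotId"], Attribute="createVolumePermission"
        )["CreateVolumePermissions"]
        for s in snaps
    }
    return classify(snaps, perms)


if __name__ == "__main__":
    for f in classify(SAMPLE_SNAPSHOTS, SAMPLE_PERMISSIONS):
        print(f"{f.severity:8} {f.snapshot_id} encrypted={f.encrypted} shared_with={f.shared_with}")
        if remediation(f):
            print("   fix:", remediation(f))
```

Running the script on the sample lists the public unencrypted snapshot first with its revoke command, then the snapshot shared with a named account, then the private unencrypted one. A scheduled run of audit_live_account in each region, with a critical finding routed to an alert, gives roughly the notification NVTEH’s monitor would have sent, but from inside the account that owns the data.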
As the experts expected, it didn’t take long for the notifications to start arriving.
After a heavy monitoring cycle, the company was surprised by the sheer volume of sensitive information it was able to recover from its ethical “fishing” operation.
Among other things, NVTEH researchers were able to extract data containing detailed patient records (including genomic sequences) belonging to major US universities, as well as AWS security credentials and API access keys shared frivolously by Fortune 100 companies.
Experts have also discovered tons of potentially damaging data, such as web server configurations, SSH keys, and valuable source code for proprietary software.
To verify that this information was intended to be kept confidential, NVTEH traced the recovered EBS snapshots to the companies to which they belonged and contacted them to disclose the leaks.
While companies reacted quickly, most remained cautious about the possibility that their data had indeed been breached … until Ugrina and Vucinic began to back up their claims with concrete evidence.
“You could see a rapid change in their facial expressions [at that moment],” noted the consultants.
NVTEH says that while responses to its disclosure have varied, it has left more than a few companies in absolute dismay.
“We will have to call a board meeting to discuss it,” one company said, according to NVTEH, while another said directly that the leak “could ruin [them] completely.”
To thwart such a disaster before it happens, Ugrina believes that businesses and “users should be aware that confidential data can be compromised even if exposed in the blink of an eye.”
“Based on our experience, employees who think security and privacy are important are more likely to follow specific procedures,” he continued. “Employees should be aware that data has become the lifeblood of many organizations and that exposed data can be used to harm the company’s brand.”
However, given the pace at which AWS and other cloud providers are expanding their range of services, keeping up with the latest trends in cloud computing is harder than it looks.
Just last week, Amazon launched a training and certification portal specifically dedicated to attracting technical talent to AWS. But while the initiative is certainly a step in the right direction, it will likely take some time before it starts producing a skilled workforce at a steady rate.
In the meantime, Ugrina advises companies to take matters into their own hands and set up their own cloud research and development teams.
One important thing to point out is that sharing unencrypted EBS snapshots is just one of the many bad habits of AWS users.
Just a few days ago, the popular access management service OneLogin revealed that a threat actor had obtained a set of AWS keys to break into the AWS API to “perform discovery”. The company did not reveal precisely how the attack took place, but did warn that it was possible that the attacker also obtained the ability to decrypt the stolen data.
Strangely enough, the breach occurred on the same day NVTEH published its own article on the dangers of inadequate standard operating procedures – although there is no suggestion that the two are related.
In another recent incident, the cybersecurity company UpGuard found a “publicly exposed file repository containing highly sensitive US military data” stored in an unprotected AWS S3 bucket.
These are just two isolated incidents. What’s really scary is that, if businesses continue to blissfully ignore the importance of putting in place proper guidelines for managing data in the cloud, the trend is likely to continue – and breaches are likely to multiply.