While cloud computing itself is not a new concept, everything around it is in a constant state of change and rapid growth. Adoption is at an all-time high, with the market projected to exceed $302 billion by 2021, and cloud security is a consistent point of emphasis.
Cloud security remains a barrier to cloud migration and a significant concern not just for CISOs, but for the general public as well. With all of the data breaches linked to open S3 storage buckets, who can blame them? Data protection regulations grow more and more rigorous, and nobody wants to suffer the consequences of failing to secure their customers’ data.
To learn what those consequences can be and how we can protect ourselves in the cloud era, we turned to Vincent Yiu.
Vincent is a talented security researcher who moved to Hong Kong to start his own cybersecurity consulting company, having found a local gap in technical capability that needed to be filled. He is bringing a new wave of expertise to Hong Kong with research revolving around cloud security. We caught him between reporting on breaches and speaking at conferences to get his view on the state of cloud security and much more.
SecurityTrails: What made you move from Manchester to Hong Kong?
Vincent Yiu: Firstly, CREST (Council of Ethical Security Testers) had just been established in Hong Kong for a few years, and was still maturing and increasing its reach and presence. HKMA (Hong Kong Monetary Authority) had started the iCAST regulatory requirements, which was similar to what we had observed in the UK with CBEST. It is a relatively immature region but has a lot of growth potential within the local market, as many companies are seeking services that can help protect them. And of course, I wanted to relocate with my girlfriend to Asia.
How did you decide that cloud security is something you wanted to focus and do extensive research on?
Vincent: From my perspective, it’s a chunk of the Internet which has servers running on it and is hosted by one company. Cloud services generally consist of infrastructure as a service such as virtual machines, databases, even website services. Due to the popularity of using the cloud, each cloud provider has tons of sensitive and essential information from all cloud users. For example, with S3 buckets, if you have some stuff that is publicly readable and accessible, anyone could find them if they know the website. As a security professional, it’s my responsibility to provide any security concerns and advice to others.
What are the biggest threats for company’s cloud security?
Vincent: Cloud vulnerabilities. For example, missing inventory and asset management and cloud visibility. S3 bucket issues have been highlighted for over five years now, yet they still widely exist, even with the changes Amazon has made to notify users when they inadvertently make themselves vulnerable.
What would you say are the pros and cons of cloud computing?
Vincent: The cloud helps organizations scale with flexibility and provides a plethora of security features and hardening that can be pushed out to all customers. However, there are always security risks. Organizations appear to push security responsibilities onto the cloud vendor, but the truth is, either party should focus on improving their sides of security status. In my opinion, it’s not about ‘who’ secures data. All that matters, in the end, is whether you’re going to be breached and data gets leaked out or not.
For the last couple of years, we’ve seen numerous cases of exposed storage buckets causing data breaches. How would you describe the current state of open storage buckets?
Vincent: It’s better than a couple of years ago. When we look back, many had configured their Amazon S3 buckets as public, but then incidents happened two years ago, and they were leaking customer information. Once that incident hit the news, everyone started worrying about their cloud assets and their S3 buckets. At that point, Amazon released hardened default policies for creating an S3 bucket. Nowadays it’s not made open by default, and when it is switched to public, a warning is given notifying the user of the implications of having the bucket set to public. It wasn’t like that before, and the change was initiated based on customer feedback, as people are now more aware of the consequences of not securing their storage buckets.
Why do you think these companies are still making mistakes and having poor security practices around S3 buckets?
Vincent: In a majority of cases, developers leave them open for testing during the development process. For example, when they are building an application, they leave them open for convenience when debugging or testing the content. However, they may not necessarily understand all of the risks involved. They might think nobody is going to find their S3 bucket, and also not every developer understands or wants to incorporate security.
The thing with storage buckets is, even if someone doesn’t look up your specific application or website, there are instances where an S3 bucket’s subdomain is the name of the S3 bucket itself. You can grab the list of all storage buckets through passive DNS records, or predictable subdomains.
What can these mistakes cost companies, both financially and reputation-wise, etc.?
Vincent: It depends. In many cases of companies being breached, they have their risk management and crisis management teams involved and even prepared for these types of incidents. When it comes to an S3 bucket breach, it depends on the kind of information that is exposed. Before, when we had those types of breaches, there wasn’t GDPR. Nowadays, with GDPR, again depending on the information that is leaked, you might be faced with fines. So people started thinking about them as a more serious issue than before. GDPR fines are up to 10 million EUR or 2% of global annual turnover, whichever is higher. In some more significant violations, fines are up to 20 million EUR or 4% of global annual turnover.
There is always reputation damage, but the ultimate consequences and impact would depend on the company. For example, in monopoly scenarios, breach reports have a small effect on the company because we have to use their services regardless - there’s no other choice. Whereas if customers find it easier to use a substitute service, then it would cause a more significant impact.
I always encourage and recommend companies to consider cybersecurity and ensure that an effective process is performed to reduce the risk to an acceptable level.
What are the tools you use to discover open S3 buckets?
Vincent: I used to use sa7mon’s s3scanner, it scans edge-cases the best because it’s got good coverage of the ACL boundaries. These issues still exist, and we can find many organisations who are still putting sensitive information on S3 buckets.
How can companies protect themselves against accidental S3 bucket leaks?
Vincent: Organisations need to have a cloud asset management team. They should know what they have on their cloud and where their assets are. It has to do with their cloud resources: how they are managed and how they get approved for production usage. You can have a lot of S3 buckets across many accounts, and as a security team, you might not be able to find all of those. I think using a tool like SecurityTrails helps. If you put in the company name, and you go to subdomains and see any pointing to Amazon, you can check whether they point to Amazon S3.
The complete way is to have a comprehensive asset register, and check all of your S3 buckets, what you have stored on them, and with what access permissions.
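The two passages above (bucket names visible through passive DNS and predictable subdomains, and checking a company's subdomains for ones that point at Amazon S3) can be turned into a small inventory check. This is an added example, not the interviewee's tooling: a bucket's virtual-hosted endpoint carries its name in the hostname, and a static-website bucket served under a custom domain has to be named after that domain, so passive DNS records give up bucket names without anyone visiting the site. The records below are constructed; in practice they would come from a passive DNS source such as SecurityTrails. Dual-stack and legacy s3-external endpoints are not matched.

```python
"""
Recover S3 bucket names from passive DNS records (added example; constructed data).
"""
import re
from dataclasses import dataclass

# bucket.s3.amazonaws.com, bucket.s3.<region>.amazonaws.com,
# bucket.s3-<region>.amazonaws.com, bucket.s3-website[-.]<region>.amazonaws.com
S3_ENDPOINT = re.compile(
    r"^(?P<bucket>[a-z0-9][a-z0-9.-]{1,61}[a-z0-9])"
    r"\.s3(?P<website>-website)?"
    r"(?:[.-](?P<region>[a-z]{2}(?:-[a-z]+)+-\d))?"
    r"\.amazonaws\.com$"
)


@dataclass(frozen=True)
class S3Hit:
    hostname: str   # the name seen in passive DNS
    bucket: str
    region: str
    website: bool   # static-website endpoint


def parse_s3_endpoint(host):
    """(bucket, region, website) for an S3 endpoint hostname, else None."""
    m = S3_ENDPOINT.match(host.lower().rstrip("."))
    if not m:
        return None
    # The bare s3.amazonaws.com endpoint is the legacy global one, served from us-east-1.
    return m.group("bucket"), m.group("region") or "us-east-1", bool(m.group("website"))


def find_s3_buckets(records):
    """Buckets visible in (name, type, value) records, either in the queried
    name itself or in a CNAME target."""
    hits, seen = [], set()
    for name, rtype, value in records:
        candidates = (name, value) if rtype.upper() == "CNAME" else (name,)
        for host in candidates:
            parsed = parse_s3_endpoint(host)
            if parsed and (name, parsed[0]) not in seen:
                seen.add((name, parsed[0]))
                hits.append(S3Hit(name, *parsed))
    return hits


def candidate_bucket_names(org, suffixes):
    """Predictable names to check when nothing is in DNS yet: the org name alone
    and org/suffix joined either way with the separators bucket names allow."""
    names = {org}
    for suffix in suffixes:
        for sep in ("-", "."):
            names.add(f"{org}{sep}{suffix}")
            names.add(f"{suffix}{sep}{org}")
    return sorted(names)


# Constructed passive DNS records for a fictional organisation.
PASSIVE_DNS = [
    ("www.example.com", "CNAME", "www.example.com.s3-website-eu-west-1.amazonaws.com"),
    ("static.example.com", "CNAME", "d111111abcdef8.cloudfront.net"),
    ("example-backups.s3.amazonaws.com", "A", "52.218.0.1"),
    ("files.example.com", "CNAME", "example-files.s3.ap-east-1.amazonaws.com"),
    ("example.com", "MX", "mail.example.com"),
]

if __name__ == "__main__":
    for hit in find_s3_buckets(PASSIVE_DNS):
        print(f"{hit.hostname}: bucket={hit.bucket} region={hit.region} website={hit.website}")
    print(candidate_bucket_names("example", ["backup", "dev", "staging"]))
```

Each hit names a bucket whose ACL and policy belong in the asset register; the candidate list is what to try against the S3 API when an organisation has buckets that never appear in DNS at all.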
If it actually comes to the point that a company has suffered a data leak due to exposed S3 buckets, what can they do to fix it?
Vincent: After it’s already out there, you need to assume that all of the data has been exposed to the general public. To protect your storage buckets, you need to remove all the read access to the buckets, and in the future, make sure that not all users can read your buckets. Then roll the changes out to production when it’s ready, but also check that the production configuration is working as intended.
You were working on subdomain enumeration using Azure (Microsoft Cloud). Tell us a little bit about that.
Vincent: I was first looking at CloudFront back before a security firm had automated the subdomain takeover of many domains. Now CloudFront is better protected, and AWS has put in many measures to prevent it. Subdomain takeovers are still widely existent on Azure. AzureWebsites (Cloud App), and Traffic Manager are my favourites, but these extend to Azure API management and more. Vulnerable domains include over 300 Microsoft.com domains (many of which I’ve reserved and are being billed for to this day to protect those domains), Government domains (which I report to CERT where possible), and organisation specific domains (which I report to the organisation).
Vulnerable GOV TLD domains found (count):

| | Traffic Manager | Azure Websites | Azure Edge | CloudFront (reference) | Elastic Load Balancer (reference) |
|---|---|---|---|---|---|
| Vulnerable GOV TLDs | 5 | 33 | 2 | | |

Share of instances by region, with CloudFront and Elastic Load Balancer as reference services:

| | Traffic Manager | Azure Websites | Azure Edge | CloudFront (reference) | Elastic Load Balancer (reference) |
|---|---|---|---|---|---|
| HK / Global | 0.94% | 0.11% | 0.17% | 0.12% | 0.030% |
| GOV TLDs / Global | 7.51% | 0.24% | 0.35% | 0.37% | 0.27% |
| Vulnerable HK / HK | 0 | 9.89% | 0 | | |
| Vulnerable Gov / Gov | 0.62% | 3.95% | 3.64% | | |
| Vulnerable Global / Global | 1.51% | 2.89% | 7.60% | | |

The percentage of vulnerable instances out of the region.
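The precondition for every takeover in the table is the same: a CNAME at the organisation's domain still points at a cloud-hosted name that nobody owns any more. The check below is an added example, not the interviewee's tooling, and it only finds dangling candidates; whether a dangling name can actually be claimed depends on the provider's current safeguards. The records and the resolver are constructed so it runs offline; replace `is_live` with a real lookup (for instance `dns.resolver` from dnspython) to run it over passive DNS output. The `takeover_rates` function reproduces the "vulnerable / total" ratio the table reports per service.

```python
"""
Dangling-CNAME check for claimable cloud services (added example; constructed data).
"""
from collections import defaultdict
from dataclasses import dataclass

# Suffixes of the services named in the interview: the Azure ones plus the two
# AWS services used as reference points in the table.
TAKEOVER_SUFFIXES = {
    ".azurewebsites.net": "Azure Websites",
    ".trafficmanager.net": "Traffic Manager",
    ".azureedge.net": "Azure Edge",
    ".azure-api.net": "Azure API Management",
    ".cloudfront.net": "CloudFront",
    ".elb.amazonaws.com": "Elastic Load Balancer",
}


@dataclass(frozen=True)
class Dangling:
    name: str      # the organisation's hostname
    target: str    # the cloud name it points at
    service: str


def classify_target(target):
    """Service behind a CNAME target, or None if it is not a claimable cloud name."""
    host = target.lower().rstrip(".")
    for suffix, service in TAKEOVER_SUFFIXES.items():
        if host.endswith(suffix):
            return service
    return None


def find_dangling(records, is_live):
    """CNAME records whose cloud target fails to resolve. `is_live(host) -> bool`."""
    found = []
    for name, rtype, target in records:
        if rtype.upper() != "CNAME":
            continue
        service = classify_target(target)
        if service and not is_live(target.lower().rstrip(".")):
            found.append(Dangling(name, target, service))
    return found


def takeover_rates(records, is_live):
    """Per service: (dangling, total) CNAMEs, the ratio the table reports."""
    total, dangling = defaultdict(int), defaultdict(int)
    for name, rtype, target in records:
        service = classify_target(target) if rtype.upper() == "CNAME" else None
        if service:
            total[service] += 1
    for hit in find_dangling(records, is_live):
        dangling[hit.service] += 1
    return {svc: (dangling[svc], total[svc]) for svc in total}


# Constructed passive DNS records for a fictional organisation.
RECORDS = [
    ("app.example.com", "CNAME", "example-app.azurewebsites.net"),
    ("old-portal.example.com", "CNAME", "example-portal-2016.azurewebsites.net"),  # app deleted
    ("api.example.com", "CNAME", "example-api.trafficmanager.net"),  # profile deleted
    ("cdn.example.com", "CNAME", "example.azureedge.net"),
    ("www.example.com", "CNAME", "d111111abcdef8.cloudfront.net"),
    ("status.example.com", "CNAME", "status.thirdparty.example"),  # not a claimable service
]

# Constructed resolver: only these targets still resolve (NXDOMAIN for the rest).
LIVE_TARGETS = {"example-app.azurewebsites.net", "example.azureedge.net",
                "d111111abcdef8.cloudfront.net"}


def is_live(host):
    return host in LIVE_TARGETS


if __name__ == "__main__":
    for hit in find_dangling(RECORDS, is_live):
        print(f"{hit.name} -> {hit.target} ({hit.service}) is dangling")
    print(takeover_rates(RECORDS, is_live))
```

The fix on the defender's side is the one Vincent describes: either delete the CNAME when the cloud resource goes away, or keep the resource name reserved so nobody else can register it.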
You also found some open ElasticSearch instances?
Vincent: As part of our exposure research for customers, we report open ElasticSearch and database instances. There are tons out there, but often hard to tie back to a company. I try to use PassiveDNS or tools from SurfaceBrowser to tie back to a company so that I can report it to their staff for fixing. Usually, ElasticSearch is used for data analytics, and developers or researchers store tons of chat logs and information that they use for machine learning on ElasticSearch.
Worst S3 breaches
- Uber, October 2016: personal information of 57 million users
- U.S. Voter Data, June 2017: private data belonging to 198 million American voters
- Verizon Wireless, July 2017: over 14 million customers’ data
- WWE, July 2017: private data from more than 3 million fans
- Medcall Healthcare Advisors, August 2018: 7 GB of data from 181 companies, including PII, sickness descriptions, phone recordings and employment history
Ensure your sensitive data is secure
- Audit for open buckets
- Encrypt the data
- Enable Secure Transport
- Look for any change to the policy of existing buckets
- Enable logging
- Monitor access to buckets
- Limit access
- Close the buckets!
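Most of the checklist above can be verified from four documents the S3 API already gives you: the bucket ACL, the bucket policy, the Block Public Access settings and the default-encryption configuration. The audit below is an added example, not code from the article or the interviewee. All inputs are constructed to mirror the inner objects returned by `aws s3api get-bucket-acl`, `get-bucket-policy`, `get-public-access-block` and `get-bucket-encryption`; the evaluation is deliberately conservative (any `Allow` to everyone without a `Condition` counts as public) and is not a full IAM policy simulator. The hardened policy it carries is the "Enable Secure Transport" item: a `Deny` on every request made without TLS.

```python
"""
Offline S3 exposure audit: ACL, bucket policy, Block Public Access, default encryption.
(Added example; all documents below are constructed.)
"""

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS, AUTH_USERS}  # AuthenticatedUsers = any AWS account, not just yours
BPA_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_everyone(principal):
    """Principal "*" or {"AWS": "*"} grants to anonymous callers."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def public_policy_statements(policy):
    """Sids of Allow statements open to everyone with no Condition to narrow them."""
    found = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if (stmt.get("Effect") == "Allow" and _is_everyone(stmt.get("Principal"))
                and not stmt.get("Condition")):
            found.append(stmt.get("Sid", f"statement[{i}]"))
    return found


def public_acl_grants(acl):
    """(group, permission) pairs the ACL hands to AllUsers or AuthenticatedUsers."""
    out = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            out.append((grantee["URI"].rsplit("/", 1)[-1], grant.get("Permission")))
    return out


def enforces_tls(policy):
    """True when a Deny statement rejects requests made with aws:SecureTransport=false."""
    for stmt in _as_list(policy.get("Statement", [])):
        cond = stmt.get("Condition", {}).get("Bool", {})
        if stmt.get("Effect") == "Deny" and str(cond.get("aws:SecureTransport", "")).lower() == "false":
            return True
    return False


def default_encryption(encryption_cfg):
    """Algorithm applied to new objects by default (AES256 / aws:kms), or None."""
    for rule in encryption_cfg.get("Rules", []):
        algo = rule.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
        if algo:
            return algo
    return None


def audit_bucket(name, acl, policy, public_access_block, encryption_cfg):
    bpa_on = all(public_access_block.get(flag) is True for flag in BPA_FLAGS)
    public_acl = public_acl_grants(acl)
    public_policy = public_policy_statements(policy)
    return {
        "bucket": name,
        "public_acl": public_acl,
        "public_policy": public_policy,
        "block_public_access": bpa_on,
        # With all four Block Public Access flags on, public ACLs are ignored and
        # public policies are refused, so the grants above are neutralised.
        "exposed": bool(public_acl or public_policy) and not bpa_on,
        "tls_enforced": enforces_tls(policy),
        "default_encryption": default_encryption(encryption_cfg),
    }


# Constructed sample: the typical bucket "left open for testing" ...
LEAKY_ACL = {"Owner": {"ID": "owner-canonical-id"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
]}
LEAKY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-files/*"},
]}
BPA_OFF = {flag: False for flag in BPA_FLAGS}
NO_ENCRYPTION = {"Rules": []}

# ... and its hardened form: owner-only ACL, TLS-only policy, BPA on, SSE-S3 by default.
OWNER_ONLY_ACL = {"Owner": {"ID": "owner-canonical-id"}, "Grants": [LEAKY_ACL["Grants"][0]]}
HARDENED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::example-files", "arn:aws:s3:::example-files/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
]}
BPA_ON = {flag: True for flag in BPA_FLAGS}
SSE_S3 = {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}

if __name__ == "__main__":
    for label, args in (("leaky", (LEAKY_ACL, LEAKY_POLICY, BPA_OFF, NO_ENCRYPTION)),
                        ("hardened", (OWNER_ONLY_ACL, HARDENED_POLICY, BPA_ON, SSE_S3))):
        print(label, audit_bucket("example-files", *args))
```

Run this over every bucket in the asset register, not only the ones you remember creating; the "exposed" result is what should page someone, while a missing TLS deny or missing default encryption is a finding for the next change window. Logging and change monitoring (the remaining checklist items) come from S3 server access logging and CloudTrail rather than from these four documents.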
Vincent is someone working on getting people to talk about cybersecurity, and raising awareness around it. If you are interested in learning more about what he does, or just want to be there when he reports on a new breach, follow him on Twitter and catch up with him on his blog.
Do you know a security researcher who is eager to share his findings and help us all learn something new? Or a security startup with an inspiring story? Send us an email at firstname.lastname@example.org about who you would like to see next in our interview series!