In what has become an alarmingly routine occurrence, an unsecured Amazon S3 server – this time affiliated with FedEx – has exposed personal information of tens of thousands of users.
Kromtech Security Center researchers in the US came across the exposed information, which included 119,000 scanned documents such as passports, driver's licences, security IDs and the like, on an open S3 server belonging to Bongo International, a company FedEx purchased in 2014 and which became part of the shipping firm's now-shuttered FedEx CrossBorder service.
“IDs were accompanied by scanned "Applications for Delivery of Mail Through Agent" forms (PS Form 1583) - which also contained names, home addresses, phone numbers and zip codes,” Bob Diachenko, head of communications at Kromtech Security Center, wrote in a blog post.
“The problem is a percentage of people will always skip over the access control restrictions part of documentation, or may even believe to have implemented it correctly,” said Alex Heid, white hat hacker and chief research officer at SecurityScorecard, noting that the latest leak “appears to be yet another result of the implementation of new technologies without a full understanding of the features and access controls.”
The cloud brings about rapid changes in developing and operating software, "but unfortunately all too often we fail to adapt our security measures accordingly. If you move from a horse & carriage pace of dev to a BMW, your security risks change,” said Guy Podjarny, CEO and cofounder of Snyk. “You have to add automated traction sensors and air bags to protect you without human intervention, which will fail when you're going that fast. Until we build in automated security controls that can keep up and scale, we can expect more and more of those breaches.”
Contending that S3 “buckets are being left vulnerable, or compromised entirely, because while they're private and restricted to owners by default, most organisations use them for the storage of application-generated data and change restricted settings for a variety of reasons – such as providing access to customers or other third-parties,” Rod Soto, director of security research at JASK, pointed out that “bad actors are consistently utilising tools to discover vulnerable S3 buckets, often by performing attacks that hint at the use of certain ones.”
Tim Prendergast, CEO of Evident.io, agreed. "There's a whole hacker cottage industry around finding and exploiting S3 buckets, and it's growing because as cloud environments grow, so do the number of unsecured assets that are discoverable," he said. “Hackers are going after S3 buckets and other repositories because that's where the data is, but also because they're easy to find."
When the restrictive settings are removed, “it becomes seamless for an attacker to probe for bucket existence, access privileges and then proceed to obtain information – often leading to blackmail and extortion attempts,” said Soto, who cautioned organisation to “set the right restrictions on IAM Policies, Bucket Policies and Access Control Lists” so that “they'll be in control of what can be seen publicly, who has access to the information and the privileges individuals have within the organisation.”
George Avetisov, CEO of HYPR, said the FedEx leak underscores "how centralisation of data inevitably results in unauthorised access due to hacking or accidental loss."
He maintained that "decentralising credentials, such as biometrics, PINs, and passwords, so they remain safe in the care of those they belong to rather than being stored on a single centralised server, is critical to securing our connected world." As other high-profile hacks have demonstrated, "It is not a matter of if, but when our personal data gets caught up in a mass credentials breach," Avetisov said.
The FedEx incident is also a cautionary tale for companies involved in mergers and acquisitions. “With any acquisition comes new data, servers and additional sources that need to be properly secured and set with the right access privileges, especially those that contain customer information,” said Soto.