Cloud Security Lessons from the RNC Leak

A poorly configured Amazon S3 bucket that led to a massive data leak could easily happen to any organization not adopting proper cloud security measures.

This week’s leak of Republican National Committee voter data – one of the largest known voter data leaks in the US – exposed dangerous cloud security missteps that should serve as a cautionary tale for businesses.

The compromised data, millions of records with personal information including birthdates, phone numbers, self-reported racial background, home and mailing addresses, and party affiliation, was stored in an Amazon Web Services S3 bucket owned by Deep Root Analytics, the firm contracted by the RNC. Deep Root had set the bucket's files to public instead of private, a mistake that left them viewable from the open Internet.

Most records had permissions to be downloaded, and the files could be accessed without a password, according to UpGuard, which discovered and reported the leak.

RNC’s data leak can serve as a lesson to businesses planning to make a secure transition to the cloud.

“Amazon, and all cloud service models, are easy to deploy, set up, and manage, but out of the box, they’re not secure by default,” says Chris Pierson, chief security officer for Viewpost. Engineers have to go in and choose the access control list for the S3 bucket they’re setting up, turn on encryption, and define the identity and access management (IAM) rights for the bucket.

The incident highlights the hazard of outsourcing, he continues. Businesses planning to outsource cloud services to third parties, as the RNC did with Deep Root, should set up an information assurance program to ensure the right policies are in place.

As part of this type of program, businesses vet potential third parties through audits, website scanning, and penetration and vulnerability tests. They should ensure the company storing their data has the right infrastructure, people, and policies in place to secure it. Who can access the data? Is it encrypted?
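To make the questions above ("Who can access the data?") concrete, here is an added example, not code from the article, UpGuard, Deep Root or AWS, that audits a bucket's ACL and bucket policy offline for the kind of world-readable grant that caused this leak. The two input objects follow the shape the AWS SDK returns from GetBucketAcl and GetBucketPolicy; the bucket name, owner ID, role ARN and all sample data are constructed for the demo.

```javascript
// Added example: audit an S3 bucket ACL and bucket policy for public access.
// Input shapes mirror the AWS SDK's GetBucketAcl / GetBucketPolicy responses.
// All sample data below (bucket name, owner ID, role ARN) is constructed.

// The only two grantee URIs S3 treats as "everyone".
const PUBLIC_GROUPS = new Set([
  'http://acs.amazonaws.com/groups/global/AllUsers',          // anonymous Internet
  'http://acs.amazonaws.com/groups/global/AuthenticatedUsers' // any AWS account at all
]);

// ACL grants that hand a permission to one of the public groups.
function publicAclGrants(acl) {
  return (acl.Grants || [])
    .filter(g => g.Grantee && g.Grantee.Type === 'Group' && PUBLIC_GROUPS.has(g.Grantee.URI))
    .map(g => ({ grantee: g.Grantee.URI.split('/').pop(), permission: g.Permission }));
}

// A policy principal is public when it is "*" or {"AWS": "*"} (or a list containing "*").
function principalIsPublic(principal) {
  if (principal === '*') return true;
  if (principal && typeof principal === 'object') {
    const aws = principal.AWS;
    return aws === '*' || (Array.isArray(aws) && aws.includes('*'));
  }
  return false;
}

// Allow statements addressed to everyone. Statements with a Condition are
// flagged rather than cleared: a human must decide whether the condition
// (e.g. aws:SourceIp) really narrows the audience.
function publicPolicyStatements(policy) {
  const stmts = Array.isArray(policy.Statement) ? policy.Statement : [policy.Statement];
  return stmts
    .filter(s => s.Effect === 'Allow' && principalIsPublic(s.Principal))
    .map(s => ({
      sid: s.Sid || '(no Sid)',
      actions: [].concat(s.Action),
      conditional: Boolean(s.Condition)
    }));
}

// Combine both checks; an empty list means nothing on the bucket is public.
function auditBucket(name, acl, policy) {
  const findings = [];
  for (const g of publicAclGrants(acl)) {
    findings.push(`${name}: ACL grants ${g.permission} to ${g.grantee}`);
  }
  if (policy) {
    for (const s of publicPolicyStatements(policy)) {
      findings.push(`${name}: policy statement ${s.sid} allows ${s.actions.join(',')} to everyone` +
        (s.conditional ? ' (conditional, review)' : ''));
    }
  }
  return findings;
}

// Constructed sample: the weak configuration (world-readable ACL plus a
// policy that opens GetObject to anyone)...
const leakyAcl = {
  Owner: { ID: 'example-owner-id' },
  Grants: [
    { Grantee: { Type: 'CanonicalUser', ID: 'example-owner-id' }, Permission: 'FULL_CONTROL' },
    { Grantee: { Type: 'Group', URI: 'http://acs.amazonaws.com/groups/global/AllUsers' }, Permission: 'READ' }
  ]
};
const leakyPolicy = {
  Version: '2012-10-17',
  Statement: [
    { Sid: 'PublicRead', Effect: 'Allow', Principal: '*', Action: 's3:GetObject',
      Resource: 'arn:aws:s3:::example-bucket/*' }
  ]
};
// ...beside the corrected one: owner-only ACL, policy scoped to a single IAM role.
const privateAcl = { Owner: { ID: 'example-owner-id' }, Grants: [leakyAcl.Grants[0]] };
const privatePolicy = {
  Version: '2012-10-17',
  Statement: [
    { Sid: 'AppRoleRead', Effect: 'Allow',
      Principal: { AWS: 'arn:aws:iam::123456789012:role/example-app-role' },
      Action: ['s3:GetObject'], Resource: 'arn:aws:s3:::example-bucket/*' }
  ]
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(auditBucket('example-bucket', leakyAcl, leakyPolicy));    // two findings
  console.log(auditBucket('example-bucket', privateAcl, privatePolicy)); // []
}
```

The same functions run unchanged on real output from `aws s3api get-bucket-acl` and `aws s3api get-bucket-policy`, which makes them a reasonable building block for the continuous monitoring of a configuration baseline that Giandomenico recommends later on this page. Object ACLs can also be public on a bucket whose own ACL is private, so a full audit walks the objects (or the newer account-level block-public-access settings) as well.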

“The biggest thing the RNC could have done – and I don’t know if they did – was ensure they have an information assurance program that is in place, operating, and reviewing the risk third parties have to their organization,” he emphasizes. “It’s all about risk.”

Votiro CEO Itay Glick calls the mistake “careless” and says any company providing consumer services needs to protect itself with basic security steps: changing default credentials, enabling two-factor authentication, and ensuring vendors use encryption.

The RNC leak could have broader implications if threat actors gain access to the information and use it for microtargeting, a common strategy used among political parties to define and appeal to voters.

“While this data leak is bad, what is worse is the potential of this data falling into the wrong hands,” says Steve Malone, director of security product management at Mimecast. “[Microtargeting] is an incredibly powerful tool when in the hands of a cybercriminal, who can use this data to implement very targeted spearphishing and social engineering attacks.”

This could happen again  

Experts agree this type of leak could be replicated. “UpGuard’s capabilities can be used by nation-states, cybercriminals, anyone out there,” notes Pierson. “As people move more to the cloud, as they don’t implement the same security measures and don’t implement the same types of controls, there will be data leakage and exposures like this. You can bet cybercriminals will try to expose that.”

In general, corporate assets should have the same protection regardless of where they reside, says Anthony Giandomenico, senior security strategist and researcher at Fortinet FortiGuard Labs. Many errors in the data center will carry over to the cloud and be amplified, which is often the result of an “out of sight, out of mind” mentality related to cloud storage.

“As assets move to the cloud, there is the potential to lose visibility,” he says. “Also, sometimes, companies that initially move assets to the cloud leave the connections open to the Internet with just a simple password.”

He advises companies define a standard level of security configurations for all assets and use a monitoring process to ensure those assets stay within that set security level.

Many businesses are struggling with who is responsible for securing cloud-based data. A new survey from Barracuda Networks discovered 71% of IT decision-makers feel cloud providers are responsible for customer data in the public cloud, and 66% believe cloud providers are responsible for their applications in the public cloud.

Lack of skilled talent is part of the problem, notes Bufferzone CTO Eyal Dotan. Five years ago, a security engineer’s worst fear was a hostile employee might access resources from an internal server. Now the threats are much bigger.

“Now those engineers with that same training are taken into the cloud, and thus into a more hostile public, where your servers can be accessed both by your regular employees or some hacker on the other side of the world,” he explains.

“Jumping into the cloud era, they need to be more trained and skilled as they are confronted with larger and more hostile potential threats.”

Kelly Sheridan is Associate Editor at Dark Reading. She started her career in business tech journalism at Insurance & Technology and most recently reported for InformationWeek, where she covered Microsoft and business IT. Sheridan earned her BA at Villanova University. View Full Bio

from Dark Reading – All Stories

KPMG: Cybersecurity Has Reached a ‘Tipping Point’ from Tech to CEO Business Issue

Still, a majority of US-based chief execs say they will be maintaining and not investing in security technology over the next three years, a recent study shows.

Generally, cybersecurity is thought of as a defensive strategy. Companies build defenses based on known vulnerabilities for future attacks and leverage forensic technology for clean-up in the wake of a breach. While defense is one hallmark of a sound cyber strategy, can cybersecurity be used offensively? Can we flip the old sports adage into “the best defense is a good offense?”

KPMG recently released our 2017 CEO Outlook Study of 400 US chief executives, which offers a roadmap of the three-year outlook of CEOs across the country. Take a dive into the report’s cybersecurity section and you’ll find an interesting statistic: 76% of US CEOs see investment in cybersecurity as an opportunity to innovate and find new revenue streams.

This statistic directly parallels insights that we derived from our 2016 KPMG Consumer Loss Barometer. We found that consumers would be more loyal and more likely to do business with a company that is more transparent about its cybersecurity offerings and provides clear communications about how the consumer would be protected, how consumers could better educate themselves on protecting their data/PII, and how the company would remediate any problems in the wake of a hack.

This means the tipping point of cybersecurity as a technology issue into a business issue has happened, both at the business/executive level as well as the consumer level.

So with more than two-thirds of CEOs saying that an investment in cybersecurity will open more doors to new business and innovation, how many of those CEOs are investing in cybersecurity in the next three years? Shockingly enough, the largest group (44%) of CEOs say they will not be investing, or will only be maintaining their current investment in security technologies, during this time. Only 32% of CEOs state that they will be significantly investing in cybersecurity in the next three years; the majority won’t.

The response begs the question: Why would CEOs say they know investing in cybersecurity will drive business, and then not invest? A few possible reasons come to mind:

  • They invest in cybersecurity as part of their new design/build so it doesn’t look like a new and different cyber program while the cyber component is actually being addressed.
  • They are not yet investing because they think maintenance of their programs (that they just spent several years hyperinvesting into) is all that is required.
  • They are just missing the boat.

Obviously, there is no one-size-fits-all rationale for this behavior, because every company faces different problems. The good news is that we can now envision a future where cybersecurity will drive business growth, where security will be baked in on the front end of the product lifecycle, and where marketing campaigns will tout cybersecurity capabilities as one of the main drivers of the product.

Based on the no-room-for-error environment that these companies operate in, I see about 32% of those companies thriving and 44% scrambling to catch up.

Tony Buffomante is the US cyber security services leader for KPMG based in Chicago. Over the past 16 years, he has managed and executed Information Technology (IT) security, audit and control reviews and implementations for some of the largest companies in the United States, … View Full Bio

from Dark Reading – All Stories

Average Cost of Breach Goes Down For the First Time Ever

NEW YORK–The global average cost of a data breach last year dropped 11.4 percent from 2015 to $3.6 million. The reduction is attributed mostly to a strong U.S. dollar, with wins also offset by a 1.8 percent increase in the size of breaches in 2016.

The numbers come from Peter Allor, senior cyber security strategist with IBM Security, who discussed the just-released, IBM-sponsored Ponemon Institute Cost of a Data Breach Study at the Borderless Cyber event.

In a data-heavy talk today, Allor noted U.S. residents have a one-in-four chance of becoming a breach victim over the next two years. Those same individuals have a 2.1 percent increase in the likelihood of a recurring material data breach. People living in South Africa are in the highest risk pool with a 41 percent chance of being breached, followed by India (40 percent) and Brazil (39 percent). Canadians and Germans are the least likely to be breached, both with 15 percent odds.

For businesses, he said, the loss of customers is the biggest contributor to the total cost of a breach.

“When you look at loss of business costs, breaches create much higher rates of turnover or churn. The question is, what is the cost of gaining a new customer to replace a lost customer and how much was lost in opportunities?” Allor said. That drop in customers occurs approximately 170 days after the initial breach.

By IBM’s calculations, loss of business represents 41 percent of a breach’s cost. That’s followed by 27 percent of costs going toward forensics and determining the root cause of an incident. About 25 percent is spent on help desk support, legal costs and identity protection services. About 3.6 percent is spent on disclosure notifications to victims and regulators.

Interestingly, the report found that when businesses identified and contained a breach in under 100 days it significantly reduced the overall costs of the breach by as much as 26 percent.

When it comes to how companies are getting breached, malicious attackers or insiders are the top culprits, representing 47 percent of breaches. “Malicious insider understands where and how the internal data is stored,” Allor said. “They know how you protect the data.”

After malicious attacks, human error, such as employees falling for phishing, accounts for 28 percent of breaches, followed by “system glitches” at 25 percent. “A system glitch is an IT process or business process just failing,” he said.

So what actually lowers the cost of a data breach? According to the Cost of a Data Breach Study, having an incident response team in place, extensive use of encryption and employee training help the most. Factors increasing the cost of a breach, after the fact, are third-party involvement, extensive cloud migration and compliance failures, according to the report.

Harder-to-estimate losses to business, and not captured in the study, are reputational losses that may have long term impact on a company, said Allor.

from Threatpost – English – Global – thr…

News in brief: AI comes to Mars; WannaCry hits speed cameras; Edge bounty program extended

Your daily round-up of some of the other stories in the news

There’s (AI) life on Mars

We are increasingly used to self-driving vehicles and machine learning here on Earth, but now AI is helping an autonomous vehicle on Mars, too.

Curiosity Rover, the exploratory robot that landed on the Red Planet back in 2012, has been getting on with its mission of analysing rocks with direction from back on Earth – but now it’s increasingly choosing which rocks to analyse without any input from the home planet.

The AI software – Autonomous Exploration For Gathering Increased Science, or Aegis – has been rolling out for the past year, and has helped the robot pick which rocks to zap with its lasers for analysis. That “allows the rover to get more science done while Curiosity’s human controllers are out of contact”, said NASA on Wednesday.

The software means that if Curiosity gets to a new area before it can receive instructions from its humans, it can choose which rocks to zap for the scientists to examine later.

“Time is precious on Mars. Aegis allows us to make use of time that otherwise wasn’t available because we were waiting for someone on Earth to make a decision,” said Raymond Francis of NASA.

WannaCry hits Australian speed cameras

WannaCry, the ransomware that paralysed the UK’s National Health Service, among other organisations, last month, is still causing grief, with the latest outbreak hitting traffic cameras in the Australian state of Victoria.

Australia’s 3AW693 radio network reported that some 55 cameras had been infected, with local law enforcement authorities responding that “a system patch has been applied, which prevents the spread of the virus”, and added that the outbreak had apparently been caused by connecting “infected hardware” to the cameras.

Local authorities added that the accuracy of the cameras hadn’t been hit, but said that if any motorists had been wrongly fined because of the outbreak, their fines would be withdrawn.

Microsoft extends Edge bug bounty program

Bug hunters, Microsoft has extended its bug bounty program for its Edge browser, having paid out more than $200,000 over the past 10 months.

Microsoft said in a blog post that the “collaboration with the research community has resulted in significant improvements in Edge security” and as a result, they are changing the Edge on Windows Insider Preview bounty scheme “from a time-bound to a sustained bounty program”.

Any vulnerabilities found must be reproducible on the most recent slow track of the Windows Insider Preview version of the browser, and critical remote code execution bugs or important design issues affecting privacy or security could earn a bounty, which ranges from $500 up to $15,000 – or possibly even more.

from Naked Security – Sophos

Microsoft Says Fireball Threat ‘Overblown’

Check Point has ramped down its projections on the impact of the recently disclosed Fireball malware after Microsoft called its initial numbers into question.

Details on Fireball were published June 1 by Check Point, which said the malware was the work of a Chinese digital marketing agency called Rafotech and that it hijacked browsers for the purpose of ad revenue generation.

Today, Microsoft countered Check Point’s initial analysis that 250 million computers and 20 percent of corporate networks were infected with Fireball.

“While the threat is real, the reported magnitude of its reach might have been overblown,” said Hamish O’Dea of the Windows Defender research team. Check Point said today that it has been working with Microsoft since being notified of the new analysis.

“We tried to reassess the number of infections, and from recent data we know for sure that numbers are at least 40 million, but could be much more,” said Maya Horowitz, Group Manager, Check Point Threat Intelligence.

Microsoft said it has been tracking Fireball infections since 2015 and that the malware has been consistently bundled with programs users are downloading when looking for apps, media, pirated games, or keygens that would activate certain software. The malware arrives in these “clean programs,” Microsoft said, which are used as host processes to load the malware and evade detection by security software.

“In almost three years of tracking this group of threats and the additional malware they install, we have observed that its components are designed to either persist on an infected machine, monetize via advertising, or hijack browser search and home page settings,” O’Dea wrote in a report published today.

Microsoft detects two malware families under the Fireball umbrella, SupTab and Sasquor. The payload hijacks the browser homepage and default search settings, either by modifying browser settings directly or by changing the shortcuts used to launch the browser. The malware’s search page loads without the user’s consent, Microsoft said, and generates revenue from searches for the attacker.

Microsoft said in its report that Check Point arrived at its number of 250 million infections based on the number of visits to search pages, rather than by collecting endpoint device data. With Windows Defender and the Microsoft Software Removal Tool, Microsoft said it is in position to collect what it believes is more accurate data.

Microsoft says that, based on monthly scans of more than 500 million machines since October, when detection for Fireball was added, its security tools have detected and cleaned 4.9 million SupTab infections and 1.3 million Sasquor infections. Xadupi and Ghokswa, two other malware families dropped in Fireball infections, have been detected and cleaned a collective 4.9 million times.

“Not every machine that visits one of these sites is infected with malware. The search pages earn revenue regardless of how a user arrives at the page. Some may be loaded by users who are not infected during normal web browsing, for example, via advertisements or domain parking,” Microsoft said.

“[Check Point’s] estimates were made from analyzing Alexa ranking data, which are estimates of visitor numbers based on a small percentage of Internet users. Alexa’s estimates are based on normal web browsing,” Microsoft said. “They are not the kind of traffic produced by malware infections, like the Fireball threats, which only target Google Chrome and Mozilla Firefox. The Alexa traffic estimates for the Fireball domains, for example, differ from Alexa competitor SimilarWeb.”

Rafotech denies any wrongdoing, Check Point said in its June 1 report, adding the caveat that Fireball could be tweaked for more than browser hijacking and revenue generation.

“Fireball has the ability to spy on victims, perform efficient malware dropping, and execute any malicious code in the infected machines, this creates a massive security flaw in targeted machines and networks,” researchers said.

According to Check Point, victims are infected with Fireball via stealth installs bundled with desirable Rafotech apps such as Deal Wifi, Mustang Browser, Soso Desktop and FVP Imageviewer. Additionally, it has been distributed via third-party freeware and spam campaigns.

from Threatpost – English – Global – thr…

What does looking under the hood of your browser reveal about you?

Imagine you’re running a nonprofit site dedicated to keeping seniors safe online. You write articles about conmen bilking people out of their life savings, romance scams, identity theft and the like.

One day, somebody recommends a chat app called Tawk that enables you to respond in real time when your visitors write in with questions. The price is right, particularly for a nonprofit: it is, in fact, free.

All you have to do is copy a simple line of JavaScript into the HTML of your website, and you’re off and running: the chat widget starts working instantly.

…as does your ability to see, in real time, everything your visitors type, even when they hit backspace and delete-delete-delete whatever thoughts first popped into their heads and which never made it into the fully baked, eventually sent message. “Whoa!” you well might think, if, in fact, you haven’t previously encountered how easy it is to set up a site to harvest form data before a user hits “submit.”

That’s precisely what happened to fellow Naked Security writer Christopher Burgess, who recently set up Tawk to work with Senior Online Security.

Christopher recorded a sample of the JavaScript wizardry that caught him by surprise. The video below captures what he saw when I stopped by the site, engaged him in chat, forgot that undercover investigative reporters aren’t supposed to tell anybody that they’re undercover and so backspaced over that detail (though obviously not before he saw me type it and captured the entry), and then threatened to report him to the FBI before changing my mind about entering that “just kidding!” notion into the form.

I come in around minute 1:10:


Note that Christopher recorded this chat just for the purposes of providing a demo. He normally wouldn’t be screen-capturing chats with site visitors. Nor does the Tawk app have an option of recording all keystrokes. But it’s worth keeping in mind that, clearly, Christopher, or anybody else at either end of an online chat, could record conversations if they chose… just as everything we type while in a browser can be tracked and logged, even if the characters are never displayed on screen.

We write about cursor tracking a fair amount, likely because people are often taken aback when they’re reminded that they’re being tracked online. In fact, one of the designers behind a site created to show users how tracking happens said that in spite of being “quite internet-aware”, she’s still very often “surprised that after I watched something on a website, a second later I get instantly personalized ads”.

That site, called ClickClickClick, was set up in November to track visitors and to show them exactly how they’re being tracked, including each and every pointer movement, x/y coordinates of where they moved, whether they zigzagged or moved straight, how many pixels their pointer traveled, how long they were inactive/active, what browser they’re using, when they leave the site, the time zone they’re in, whether they should actually be at work, and more. The designers’ intent: to remind people about the serious themes of big data and privacy.

There’s nothing unique about ClickClickClick’s tracking, just as there’s nothing unique about Tawk’s ability to track everything I enter into a form. Well, ok, there is one unique characteristic of ClickClickClick’s tracking: it’s upfront about it, displaying its tracking in an ongoing log that streams on-screen.

As for Tawk, there’s a unique slant there too: Christopher saw it from the site owner’s side. He hadn’t before gotten a glimpse into the tracking power typically tucked away from us as site visitors, but that power is evident to those who code sites. JavaScript makes it pretty easy with “events” with names like onkeydown, onkeypress and onkeyup, which you can “hook” (ie connect to a JavaScript function of your choice) in order to allow precise control of the keyboard, such as for games and interactive browser apps.

What’s typically tucked away is the fact that capturing the X and Y coordinates of a mouse pointer is a simple task in JavaScript, and it has been for a very long time.
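The two paragraphs above describe the mechanism; the following is an added example (not Tawk's code, nor anything from the article) showing what a page's own JavaScript sees once it hooks keydown and mousemove. The harvester keeps every keystroke, so text the visitor backspaces away is still recorded alongside the pointer path. It runs under Node with a small stand-in for an input element (the FakeElement class and the typed text are constructed for the demo); in a browser the identical handlers would be attached with element.addEventListener.

```javascript
// Added example: a keystroke and pointer harvester of the kind any site can
// attach to its own pages. FakeElement is a constructed stand-in for a DOM
// element so the demo runs outside a browser; the handlers themselves are
// ordinary addEventListener callbacks.

class FakeElement {
  constructor() { this.listeners = {}; this.value = ''; }
  addEventListener(type, fn) {
    if (!this.listeners[type]) this.listeners[type] = [];
    this.listeners[type].push(fn);
  }
  // Deliver an event object to every listener registered for `type`.
  dispatch(type, event) { (this.listeners[type] || []).forEach(fn => fn(event)); }
}

// Hook keydown and mousemove on `element`; return accessors for what was collected.
function attachHarvester(element) {
  const keys = [];   // every key in the order pressed, Backspace included
  const moves = [];  // every [x, y] reported by mousemove
  let buffer = '';   // what the visitor currently sees in the field
  element.addEventListener('keydown', e => {
    keys.push(e.key);
    if (e.key === 'Backspace') buffer = buffer.slice(0, -1);
    else if (e.key.length === 1) buffer += e.key;  // printable; Enter, Shift etc. are only logged
    element.value = buffer;
  });
  element.addEventListener('mousemove', e => moves.push([e.clientX, e.clientY]));
  return {
    visible: () => buffer,                // the text that is actually submitted
    pointerPath: () => moves.slice(),     // the x/y trail
    // Replay of the keystroke log that keeps deleted text, marking each Backspace.
    harvested: () => keys.map(k => (k === 'Backspace' ? '<BS>' : k.length === 1 ? k : '')).join('')
  };
}

// Type a string into the element one key at a time; '\b' stands for Backspace.
function typeInto(element, text) {
  for (const ch of text) element.dispatch('keydown', { key: ch === '\b' ? 'Backspace' : ch });
}

// Constructed scenario: the visitor types "I am undercover", deletes the last
// word, types "fine" and moves the pointer twice. Only "I am fine" is sent;
// the tracker still has the deleted word.
function demo() {
  const field = new FakeElement();
  const tap = attachHarvester(field);
  typeInto(field, 'I am undercover');
  typeInto(field, '\b'.repeat('undercover'.length));
  typeInto(field, 'fine');
  field.dispatch('mousemove', { clientX: 120, clientY: 48 });
  field.dispatch('mousemove', { clientX: 131, clientY: 52 });
  return { sent: tap.visible(), seenByTracker: tap.harvested(), pointer: tap.pointerPath() };
}

// In a real page the same hooks are one line each; guarded so the demo runs on Node.
if (typeof document !== 'undefined') {
  attachHarvester(document);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

Nothing here needs elevated privileges or a browser extension: a site can only observe events on its own pages, but that includes everything a visitor types into a form before pressing submit, which is exactly the gap in most people's mental model that the article goes on to describe.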

Back in 2013, Facebook was mulling silently tracking users’ mouse movements to see which ads we like. Some reacted to the possibility by swearing off Facebook entirely.

It’s not just Facebook, though: any site can do it. It’s very easy and it’s very useful.

It’s the job of user interface designers to understand how people interact with web interfaces. Their job is to figure out where users have problems and how to improve their overall experience.

Collecting user behavior on sites enables those designers to work on issues such as where and why users drop off at a checkout page on an e-commerce site, for example.

They do it through mouse tracking, heat maps, click tracking, or eye tracking, among other techniques.

When we write about these subjects, readers often react with outrage. Fellow Naked Security writer Mark Stockley notes that people have a mental model of how the web works, and (incorrectly, but understandably) it doesn’t encompass voices, keystrokes, mouse movements and incomplete forms being harvested. They are shocked to find out that it’s possible at all, never mind that it’s easy.

Beyond that, the power of a single site’s tracking is multiplied exponentially, given that websites often include third-party code like AdWords or Facebook Like buttons, as well as content delivery networks (CDNs) for fast, local delivery of content. That means tens or hundreds of millions of websites share common elements served from a handful of domains. That handful of domains can set cookies on one site and read them on any other, thus tracking you across any site you visit that includes their code.

Mark has actually detailed how Twitter, for one, tracks the websites we visit and thus figures out how to target promoted tweets at individuals.

Do we have to worry about any one of the ad networks or trackers deciding to deploy “slurp your form data before you’ve finished” code that it then winds up disseminating on many millions of sites in the blink of an eye?

Fortunately, the big analytics players like Google provide aggregate views of where users click on pages, keeping the personally identifiable information (PII) out of it so that individual user sessions are anonymized. For telecommunications carriers in the US, at least, doing otherwise would be illegal: the Telecommunications Act prohibits sharing or selling “individually identifiable” customer information except under special circumstances, such as to enable your carrier to bill you or to help emergency services locate you. Sorry, GoFundMe campaigns, no porn-surfing lists of named politicians or ISP industry leaders for you!

It’s worth noting, however, that Big Data can make anonymous data not all that anonymous after all. And Sarah Jamie Lewis, the doyenne of .onion privacy, has concluded, after analyzing maps showing the centralization of the web via ad brokers, that “web privacy is dead”.

Should we worry about being tracked online?

Absolutely. There have already been outfits like AddThis that have come up with exotic tracking techniques, such as invisible “cookies” that track us and which users can’t even delete.

Should we worry about an app like Tawk letting sites see what we enter into forms, even if it’s text we delete?

Yes, of course, particularly if we’re really paranoid. But if we’re that paranoid, we have no business touching a keyboard that’s attached to an internet-connected device.

We are all fish, and that kind of tracking is simply the water we swim in.

from Naked Security – Sophos

Drupal Patches Three Vulnerabilities in Core Engine

Developers with Drupal patched three vulnerabilities, one critical, one being exploited in the wild, in Drupal’s core engine on Wednesday.

The most pressing issue addressed by the update, which brings Drupal 8 to version 8.3.4 and Drupal 7 to 7.56, could have led to code execution, the content management system’s security team warned. Drupal 8’s use of the PECL YAML parser did not handle PHP objects safely during certain operations within Drupal core, according to the advisory, which could have opened the door to remote code execution.

A separate, less critical issue also existed in Drupal 8. Until it was fixed, the file REST resource failed to properly validate fields when manipulating files. Only select sites were vulnerable, Drupal says: a site would have had to have the RESTful Web Services module enabled, the file REST resource enabled, and PATCH requests allowed. On top of that, an attacker would have had to be able to register a user account on the site with permissions to upload files and to modify the file resource.

The last bug affected both Drupal 7 and Drupal 8 and was being exploited by attackers for spam purposes in the wild, the advisory reads. The issue, only marked moderate criticality by developers, was an access bypass vulnerability at its crux.

“Private files that have been uploaded by an anonymous user but not permanently attached to content on the site should only be visible to the anonymous user that uploaded them, rather than all anonymous users,” the advisory reads, “Drupal core did not previously provide this protection.”

The vulnerability only affects sites that allow anonymous users to upload files into a private system.

It’s the first set of updates for Drupal since April, when the CMS fixed another access bypass vulnerability in its core engine. The project said at the time that websites were vulnerable only under certain conditions. Similar to the REST resource bug fixed this week, April’s bug only affected sites that had the RESTful Web Services module enabled and that allowed attackers to obtain or register a user account.

As it’s a security update, Drupal is strongly recommending that users on 7.x running versions prior to 7.56, and on 8.x prior to 8.3.4, update to the latest versions.

from Threatpost – English – Global – thr…