You might want to double-check your settings when using Amazon’s Elastic Block Storage (EBS) snapshots: a talk at the Def Con security conference reveals how companies and governments are unintentionally leaking sensitive information and other files from their cloud servers.
S3 buckets have made some headlines in the past few weeks. If you have not heard of them, they are Amazon-hosted storage servers. The usual problem is misconfiguration: instead of setting a bucket to private, admins inadvertently set it to “public,” which allows anyone to access it, and people have done so in the past.
Meanwhile, there are also EBS snapshots, which pose a much greater risk. These EBS snapshots are considered to be the “keys to the kingdom,” said Ben Morris, a senior security analyst at cybersecurity firm Bishop Fox.
EBS snapshots are said to store all data for cloud applications, which means that a leak from EBS exposes sensitive information that users have been keeping private.
That sensitive information includes the keys to your applications and access to customer information. According to Ben Morris, an EBS volume is, up to a point, like the hard disk of your computer. When you remove a disk, you need to wipe all information off it completely to prevent information spillage. EBS volumes are handled differently: they are left there unwiped, waiting for anyone to take them and start poking around.
All too often, cloud admins don’t pick the right configuration setting, which unintentionally leaves the EBS snapshot public and unencrypted.
“That means anyone on the internet can download your hard disk and boot it up, attach it to a machine they control, and then start rifling through the disk to look for any kind of secrets,” he said.
Morris developed a tool that uses Amazon’s own system to search and filter all publicly exposed EBS snapshots, then attaches each one and makes a list of the snapshots it took, along with the contents of the volume, on his system.
The system tracks a disk’s exposure even if it lasts only a couple of minutes, and makes a copy containing all the information on the disk.
It took him a lot of time to build the database of exposed data. He also spent a few hundred dollars on Amazon cloud research.
After collecting and copying the data, he validates the information and deletes what he collected.
The collected data comes in many forms; most of the publicly exposed data consists of application keys, critical user or administrative credentials, and even source code. It comes from organizations ranging from small companies up to major ones, including healthcare providers and technology companies.
Morris was also able to find a VPN through which he could tunnel into a corporate network. However, he did not use any of the credentials or sensitive data he found, because using that information would be unlawful.
Among all the information he found, one item would be deemed very dangerous if exposed to the public: a snapshot that Morris uncovered during a recent query of Amazon’s network.
It contained a series of conversations from one government contractor, which he did not name. He said that on their website, they bragged about holding data services for some federal agents.
“Those are the kind of things I would definitely not want to be exposed to the public internet,” he said.
Morris estimates that there are 1,250 exposures of sensitive EBS information across all Amazon cloud regions.
He plans to release his proof-of-concept code (code developed to demonstrate possible vulnerabilities in software and operating systems and to show the security risks of a particular method of attack) in the coming weeks.
Morris plans to give companies time to recheck their own disks and security measures to make sure that they don’t accidentally expose crucial information to the public.
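For teams rechecking their own snapshots, the sketch below is an added example (it is not Morris's tool and not code from the talk) that flags snapshots in your own account that are public or unencrypted. It assumes boto3 and AWS credentials for the live path; the function names, the sample snapshot ids and the sample account id are constructed for illustration.

```python
PUBLIC_GROUP = "all"  # EC2 marks a publicly shared snapshot with Group == "all"

def classify(snapshot, create_volume_permissions):
    """Return findings for one snapshot given its createVolumePermission entries."""
    findings = []
    if any(p.get("Group") == PUBLIC_GROUP for p in create_volume_permissions):
        findings.append("PUBLIC")
    if not snapshot.get("Encrypted", False):
        findings.append("UNENCRYPTED")
    shared = sorted(p["UserId"] for p in create_volume_permissions if "UserId" in p)
    if shared:
        findings.append("SHARED_WITH:" + ",".join(shared))
    return findings

def audit(snapshots, permissions_by_id):
    """Map snapshot id -> findings, keeping only snapshots with at least one."""
    report = {}
    for snap in snapshots:
        found = classify(snap, permissions_by_id.get(snap["SnapshotId"], []))
        if found:
            report[snap["SnapshotId"]] = found
    return report

def collect_from_aws(region):
    """Fetch snapshots you own in one region (needs credentials; not run below)."""
    import boto3
    ec2 = boto3.client("ec2", region_name=region)
    snaps, perms = [], {}
    for page in ec2.get_paginator("describe_snapshots").paginate(OwnerIds=["self"]):
        for snap in page["Snapshots"]:
            snaps.append(snap)
            attr = ec2.describe_snapshot_attribute(
                SnapshotId=snap["SnapshotId"], Attribute="createVolumePermission")
            perms[snap["SnapshotId"]] = attr.get("CreateVolumePermissions", [])
    return snaps, perms

# Constructed sample data in the shape the EC2 API returns (all ids are made up).
SAMPLE_SNAPSHOTS = [
    {"SnapshotId": "snap-0aaa", "Encrypted": False},
    {"SnapshotId": "snap-0bbb", "Encrypted": True},
    {"SnapshotId": "snap-0ccc", "Encrypted": False},
]
SAMPLE_PERMS = {
    "snap-0aaa": [{"Group": "all"}],
    "snap-0bbb": [],
    "snap-0ccc": [{"UserId": "111122223333"}],
}

if __name__ == "__main__":
    print(audit(SAMPLE_SNAPSHOTS, SAMPLE_PERMS))
```

To audit a real account, pass the result of `collect_from_aws(region)` to `audit` once per region in use. A `PUBLIC` finding is cleared by removing the `all` group from the snapshot's create-volume permission, and EC2's account-level block public access setting for snapshots prevents new public shares.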