A new service designed by white hat hackers has been launched and allows anyone to search for unsecured data stored on Amazon Web Services (AWS) servers.
The Buckhacker plug-in creates a Google-like search engine that is able to crawl through AWS servers, also called buckets, to find those that are incorrectly configured and potentially contain sensitive data exposed to the Internet.
It follows a string of data leaks over the past year involving high-profile companies that stored customer data on AWS servers without password protection, leaving the contents accessible to anyone with the bucket address.
Accenture, WWE, the AA, Dow Jones and even the US National Security Agency have been caught out by misconfigured servers and criticized for failing to follow the most basic security protocols.
Typically, these discoveries were made by research groups stumbling upon a publicly accessible server. Buckhacker, however, claims to make the process much easier, allowing users to search AWS listings by bucket name or by filenames that can be associated with a business, although its developer maintains that this is to raise awareness rather than to help potential hackers.
Although the tool is simple in design, it can collect results and store them in a database so that other users can view them, the tool's developer explained to Motherboard.
"The goal of the project is to increase familiarity with bucket security, too many companies have faced wrong permits on buckets in recent years," says BuckHacker's developer. "The project is still in a real super-alpha stage (there are several errors at the moment that we are trying to fix)."
The Buckhacker plug-in is certainly not the first of its kind: tools such as AWSBucketDump already allow users to hunt for leaky AWS buckets, and some server addresses can be found via Google if a user knows what to look for. Buckhacker is notable, however, because it is by far the most user-friendly such tool to emerge.
"Given the availability of detection methods for attackers, it is essential that the business infrastructure is not accessible to the public Internet as essential for corporate IT," says Mike Schuricht, VP product management at security company Bitglass.
The news of the tool coincided with the leak of 119,000 files from customers of courier company FedEx, including home and e-mail addresses, as well as driving license and passport data.
"FedEx is the latest in a laundry list of organizations with deep pockets and deep security resources that have fallen victim to this very elemental, yet critical error," added Schuricht.
Amazon announced in November that it had introduced default encryption for all new AWS buckets, which would in theory prevent such leaks from occurring in the future. But the encryption feature must be applied manually to every existing bucket, meaning that data stored on servers a company is not aware of remains vulnerable.
IT Pro has contacted Amazon to see if it is aware of the new tool.
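As an added illustration that is not part of the article or of Buckhacker, the defender-side check these incidents call for: an offline audit of one bucket's ACL, bucket policy and default-encryption configuration, flagging the public grants and the missing encryption rule described above. The inputs are assumed to have the shape of boto3's get_bucket_acl, get_bucket_policy and get_bucket_encryption responses, and the two sample buckets are constructed.

```python
import json

# Grantee URIs that make an ACL grant world-accessible.
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def acl_is_public(acl):
    """True if any grant in a get_bucket_acl response targets a public group."""
    return any(g.get("Grantee", {}).get("URI") in PUBLIC_GRANTEES
               for g in acl.get("Grants", []))

def policy_is_public(policy_json):
    """True if a bucket policy (JSON string, or None) allows the anonymous principal."""
    if not policy_json:
        return False
    statements = json.loads(policy_json).get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    for s in statements:
        p = s.get("Principal")
        anonymous = p == "*" or (isinstance(p, dict) and p.get("AWS") == "*")
        if s.get("Effect") == "Allow" and anonymous:
            return True
    return False

def encryption_missing(encryption):
    """True if the get_bucket_encryption result (None when AWS reports none) has no default rule."""
    rules = (encryption or {}).get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    return not any("ApplyServerSideEncryptionByDefault" in r for r in rules)

def audit_bucket(acl, policy_json, encryption):
    """Return the findings for one bucket; an empty list means no issue found."""
    findings = []
    if acl_is_public(acl):
        findings.append("ACL grants access to a public group")
    if policy_is_public(policy_json):
        findings.append("bucket policy allows the anonymous principal")
    if encryption_missing(encryption):
        findings.append("no default encryption configured")
    return findings

# Constructed samples: a leaky legacy bucket and a correctly configured one.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
LEAKY = ({"Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]},
         None, None)
SECURE = ({"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"}]},
          json.dumps({"Statement": [{"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:role/app"},
                                     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::secure/*"}]}),
          {"ServerSideEncryptionConfiguration": {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}})
```

Calling `audit_bucket(*LEAKY)` reports the public ACL grant and the missing encryption rule, while `audit_bucket(*SECURE)` returns an empty list.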