An improperly set up database can inadvertently expose whatever information it contains online. It's the kind of minor error anyone might make in the course of their jobs–except with the ability to impact millions of consumers and users whose data gets exposed. Even worse, misconfigurations can put information at risk in all sorts of services, not just traditional databases.
In particular, mistakes companies have made with their Amazon S3 cloud repositories have offered bracing reminders of the extent of the misconfiguration problem. Late last week, World Wrestling Entertainment confirmed that an S3 bucket misconfiguration had exposed personal data for three million of its fans. And researchers announced on Wednesday that a badly set-up bucket exposed the data of between six and 14 million Verizon customers.
“2017 is a year where low hanging fruit—misconfigurations and bad defaults—really are the beginning of a new strain of online criminal behavior,” says security researcher Victor Gevers, who co-founded the internet safety and security-focused GDI Foundation. “It's the first time it’s become so noticeable to the public. [But it’s] something we have been warning about for years.”
Human error rests at the core of misconfiguration insecurity, meaning it defies simple solutions. But broadly speaking, two fixes could at least reduce the frequency of these mistakes.
The first involves service-specific analysis: identifying the common errors people make in each infrastructure, and working with companies like database developers and cloud providers to spread awareness. Analysis published this week by the threat research group Detectify Labs, for example, walks through a number of common Amazon S3 repository configuration pitfalls, like mismanaging web domain exposure, or granting too many user privileges in S3’s Access Control Lists. “By identifying a number of different misconfigurations we discovered that we could suddenly control, monitor, and break high end websites due to weak configurations of the bucket,” the group writes.
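As an added illustration (not from the article or from Detectify's analysis), the ACL pitfall can be audited by checking a bucket's grants for the two predefined S3 groups that extend access beyond the owning account. The ACL below is constructed, in the shape of an S3 GetBucketAcl response; the bucket name and function name are hypothetical.

```python
# Added example: flag S3 ACL grants that give access to broad predefined groups.
# Input is a dict shaped like the S3 GetBucketAcl response
# (what boto3's s3.get_bucket_acl(Bucket=...) returns).
GROUP_BASE = "http://acs.amazonaws.com/groups/global/"
BROAD_GROUPS = {
    GROUP_BASE + "AllUsers": "anyone on the internet",
    GROUP_BASE + "AuthenticatedUsers": "any AWS account holder",
}
# What each ACL permission allows when granted on a bucket.
IMPACT = {
    "READ": "list objects",
    "WRITE": "create, overwrite or delete objects",
    "READ_ACP": "read the ACL",
    "WRITE_ACP": "rewrite the ACL",
    "FULL_CONTROL": "read, write and rewrite the ACL",
}
SEVERITY = {"READ_ACP": 1, "READ": 2, "WRITE": 3, "WRITE_ACP": 4, "FULL_CONTROL": 4}

def audit_acl(bucket, acl):
    """Return findings for grants to broad groups, most severe first."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue  # grants to a specific account (e.g. the owner) are not flagged
        who = BROAD_GROUPS.get(grantee.get("URI"))
        if who is None:
            continue  # other groups, such as S3 log delivery
        perm = grant.get("Permission")
        findings.append({
            "bucket": bucket,
            "grantee": who,
            "permission": perm,
            "impact": IMPACT.get(perm, "unknown permission"),
            "severity": SEVERITY.get(perm, 4),  # unknown permissions rank as worst
        })
    return sorted(findings, key=lambda f: -f["severity"])

# Constructed sample ACL (placeholder owner ID, hypothetical bucket name).
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "OWNER-ID-PLACEHOLDER"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": GROUP_BASE + "AllUsers"}, "Permission": "READ"},
    {"Grantee": {"Type": "Group", "URI": GROUP_BASE + "AuthenticatedUsers"}, "Permission": "WRITE_ACP"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/s3/LogDelivery"}, "Permission": "WRITE"},
]}

if __name__ == "__main__":
    for f in audit_acl("example-bucket", SAMPLE_ACL):
        print(f"{f['bucket']}: {f['grantee']} can {f['impact']} ({f['permission']})")
```

The `AuthenticatedUsers` grant ranks first here because the ability to rewrite the ACL lets the grantee hand out every other permission.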
Though companies like Amazon aren’t specifically at fault for customer mistakes, they could make impactful changes by creating secure defaults (instead of leaving system access open, or easily guessable by default), and even proactively scanning for exposures and checking with customers whether they are intentional. Mark Testoni, the president of SAP National Security Services, notes that many companies like Amazon already offer some of these mechanisms, but as awareness about misconfiguration grows they may be pushed to expand their offerings. Amazon did not return a request from WIRED for comment.
“There’s going to be a demand for these services, process and system audit capabilities, threat intelligence capabilities, anomaly detection,” Testoni says. “I think it’s a natural progression for companies to offer these types of services.”
The other potential fix? Looking systemically at the software development cycle that leads to rushed production and increases the chances of small, but significant mistakes. “It's like we have a great idea, let's build a quick proof of concept and show it to an investor. Then it becomes a beta service and suddenly that quick and dirty build becomes a production environment,” Gevers says. “How are you going to audit if you need to put all your energy into building the next thing to stay in the race? Privacy and security is an afterthought.”
Misconfiguration exposures come up frequently in cases in which bad settings carry over from a setup that was never intended to be connected to the internet. But if developers don’t reconfigure infrastructure to be public-facing, unintended weaknesses can make their way onto the web.
While experts hope the situation will slowly improve over time as awareness grows, the problems are far from over. And misconfiguration problems are far from the only type of human error that can erode security and privacy, or that cyber criminals capitalize on. Phishing poses another prominent and increasingly prevalent threat that exploits natural user tendencies.
But where phishes take resources to develop, misconfigurations potentially offer data to bad actors on a silver platter. "We’re always going to be in a measure, counter measure game," Testoni says. "For the corporate awareness that’s required, it's a bit of a long game."