neb
#2524400 16-Jul-2020 21:36

frankv: No, the biggest problem is people who don't understand how to use AWS's security features,

Separate reply for a different topic: AWS is a neverending breach machine. If one or two companies/users get it wrong, the problem is the user. If a neverending stream of companies/users get it wrong, the problem is AWS.

itxtme
#2524458 16-Jul-2020 23:24

frankv:

It's a few months since I got my AWS certification (Solutions Architect and Developer) and I haven't touched AWS since, but it's not hard to lock down access to an S3 bucket so it's only publicly accessible via a website, which in turn can be secured. So I dispute your characterisation as "profoundly unusable".

LPM's site says it was created by Black Cedar (blackcedar.co.nz). Their site is "Temporarily unavailable"... make of that what you will.

This 100%

The news article states it was a database leak; I am unsure why they are saying that, as it seems it's just file storage. Reading between the lines, the "security specialist" looked at the URL of a document and within that is the bucket address. Either that or he has been googling bucket URLs until he finds one and sees if the user made it public. Once you have the URL of a bucket you can go to the root level and, if the bucket is made public, it will display an XML directory listing of all folders and files. However, to get S3 to behave in that way you have to bypass numerous warnings telling you this is a very bad idea. I agree that the CORS bucket policy is not simple to use, but this is a service aimed at a certain level of IT expertise.

 

frankv:

Separate reply for a different topic: AWS is a neverending breach machine. If one or two companies/users get it wrong, the problem is the user. If a neverending stream of companies/users get it wrong, the problem is AWS.

I don't agree; if people don't understand the toys they are playing with they will create [their own] problems. AWS is well documented but extremely dry - it's all there though.


freitasm
#2524523 17-Jul-2020 09:02

Geektastic: Surely the biggest problem is the person/company that chose to use AWS?

Nothing wrong with AWS. It's how you use it.









frankv
#2524573 17-Jul-2020 10:02

neb:
frankv: No, the biggest problem is people who don't understand how to use AWS's security features, which aren't difficult at all.

It's the most godawful unusable security interface I've ever seen, and that includes things like RACF and VMS. To give an example, walk us through the configuration steps required to set up a bucket where Accounts has read/write access, individual employees have read access, and no-one else has any access.

From memory (but it's been a while): Create the bucket. Leave the "Block All Public Access" enabled. Add email addresses or IDs to the Access Control List for the bucket with appropriate permissions.

 

 


K8Toledo
#2525520 19-Jul-2020 10:44

freitasm:

The new privacy law that makes reporting and acting on this a mandatory requirement doesn't come into force until December.

Does the law cover Wireless Hotspot providers like Zenbu who set up a mesh network for 34 users then leave the network wide open for 6-7 months (& counting) without any security whatsoever?

 

 


PhantomNVD
#2525582 19-Jul-2020 12:53

SirHumphreyAppleby:

Sadly, this is true. A family member has a card with a major retailer and accessing their online portal now gives a security warning because they're still using the now-deprecated and very outdated TLS 1.0. What did their customer service suggest? Use another browser.

The same company also sends out e-mails with tracking links to their portal rather than showing the actual URL... bad practice IMO.

Microsoft itself has now pushed back their TLS1 retirement date...

TLS 1.0 and 1.1 retirement date in Office 365 to be October 15, 2020
Major update: Announcement started
Applied To: All

We originally paused the retirement of TLS 1.0 and 1.1 in Office 365 (MC186218 June '20) due to these unprecedented times. As companies have pivoted their supply chains and countries have started to re-open, we have re-established a retirement date for TLS 1.0 and 1.1 in Office 365 to be October 15, 2020. As previously communicated (MC126199 in Dec 2017, MC128929 in Feb 2018 and MC186827 in July 2019), we are moving all of our online services to Transport Layer Security (TLS) 1.2+ to provide best-in-class encryption, and to ensure our service is more secure by default.

Note: If your organization has already taken steps to migrate from TLS 1.0 and 1.1 you can safely disregard this message.

freitasm
#2525671 19-Jul-2020 16:54

K8Toledo:

freitasm:

The new privacy law that makes reporting and acting on this a mandatory requirement doesn't come into force until December.

Does the law cover Wireless Hotspot providers like Zenbu who set up a mesh network for 34 users then leave the network wide open for 6-7 months (& counting) without any security whatsoever?

What "data leak" would you be talking about here? Someone's computer not being secured and people being able to access data residing on that end point?

I am not a lawyer and you would have to test the case but I don't see how a network operator would be responsible for someone's data being unprotected. The network is neutral.









neb
#2525788 19-Jul-2020 18:45

PhantomNVD: Microsoft itself has now pushed back their TLS1 retirement date...

Presumably because they care about supporting existing users rather than following some security-geek agenda of cutting off users at the knees because of a theoretical weakness that no-one has ever exploited in practice (an MD5+SHA1 PRF that no-one knows how to exploit, 3DES that no-one has broken as mandatory cipher), and even with the ancient TLS 1.0 the best you can get is a mostly academic CBC padding oracle vulnerability for which every other attack is far easier and less work.

Bending over backwards to support existing users is one of the reasons why they were #1 for such a long time.

Geektastic
#2525799 19-Jul-2020 18:56

freitasm:

Geektastic: Surely the biggest problem is the person/company that chose to use AWS?

Nothing wrong with AWS. It's how you use it.

Which is the point I made. The person who chose to use it, not knowing how to use it, was the problem.






freitasm
#2525865 20-Jul-2020 07:22

neb:

PhantomNVD: Microsoft itself has now pushed back their TLS1 retirement date...

Presumably because they care about supporting existing users rather than following some security-geek agenda of cutting off users at the knees because of a theoretical weakness that no-one has ever exploited in practice (an MD5+SHA1 PRF that no-one knows how to exploit, 3DES that no-one has broken as mandatory cipher), and even with the ancient TLS 1.0 the best you can get is a mostly academic CBC padding oracle vulnerability for which every other attack is far easier and less work. Bending over backwards to support existing users is one of the reasons why they were #1 for such a long time.

The email Microsoft sent yesterday to Office 365 admins clarifies why - there's nothing to "presume": they slowed down lots of projects because of COVID-19 and this was impacted. They have now resumed work on various fronts and retiring TLS 1.0 is one of these projects.







Kyanar
#2525961 20-Jul-2020 11:21

neb: Presumably because they care about supporting existing users rather than following some security-geek agenda of cutting off users at the knees because of a theoretical weakness that no-one has ever exploited in practice (an MD5+SHA1 PRF that no-one knows how to exploit, 3DES that no-one has broken as mandatory cipher), and even with the ancient TLS 1.0 the best you can get is a mostly academic CBC padding oracle vulnerability for which every other attack is far easier and less work. Bending over backwards to support existing users is one of the reasons why they were #1 for such a long time.

Any "mostly academic" vulnerability becomes a very real issue when the data being protected is important or valuable enough. Office 365 is actually certified to carry PROTECTED information, which would be revoked if they did not cut off TLS 1.0 and SSL clients, because a "mostly academic" vulnerability is just the sort of thing that a foreign state actor would use to intercept it.

As to "cutting off users at the knees" - any piece of software that can interact over HTTPS with Office 365 supports TLS 1.2. If there is any software still running that does not, then it is good that it's cut off, because what other vulnerabilities lie in that code, which hasn't been patched since 2015?


neb
#2525986 20-Jul-2020 12:46

Kyanar:

Any "mostly academic" vulnerability becomes a very real issue when the data being protected is important or valuable enough.

Except that you don't bypass TLS through some high-tech attack that lets you recover 32 bits of a message with a massive amount of effort, you bypass it by phishing the victim's credentials, or buying them from a data breach, or exploiting the 0day in their operating system. To quote security researcher Drew Gross, "I love crypto, it tells me which bits of the system not to bother attacking". They're not fixing anything that attackers are exploiting, so there's no particular hurry to complete the task.

ANglEAUT
#2526206 20-Jul-2020 19:43

alasta: It would be nice to think that this sort of situation could be avoided by people simply refusing to provide electronic copies of identity documents to third parties. ...

Somehow, you need to be verified digitally. Currently we lack a trustworthy & verifiable method to identify ourselves online. So we do the next best thing, we shift the physical / real world into the digital realm. Until the techies come up with a better solution, ordinary people will go about living their day to day lives the best they can. Sometimes that requires you to upload a digital copy of your government ID, be that for rental, financial or other purposes.

 

 







timmmay
#2526210 20-Jul-2020 19:55

neb:
frankv: No, the biggest problem is people who don't understand how to use AWS's security features, which aren't difficult at all.

It's the most godawful unusable security interface I've ever seen, and that includes things like RACF and VMS. To give an example, walk us through the configuration steps required to set up a bucket where Accounts has read/write access, individual employees have read access, and no-one else has any access.

AWS is fairly complex. I've been using AWS for years in a professional capacity, I have multiple AWS qualifications, it's still not trivial to fully secure AWS. However, securing an S3 bucket can be really simple as the console makes it difficult to make a bucket public, and constantly alerts you that the bucket is public.

To answer your question you would use a bucket policy, but I'm not going to do a walkthrough because the use case isn't as precise as it needs to be to fully specify the security.
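As an added illustration (not code from timmmay, frankv or anyone else in the thread), this Python builds the bucket policy the reply alludes to for neb's scenario (Accounts read/write, employees read-only, nobody else granted anything) alongside the Block Public Access setting frankv says to leave enabled, and includes a check for the wildcard principal that makes a bucket publicly listable, as itxtme describes. The account id and role names are placeholders; the boto3 calls named in comments are where the two documents would be applied.

```python
import json

# Constructed placeholder ARNs: substitute the real account id and role names.
ACCOUNTS_ROLE = "arn:aws:iam::123456789012:role/AccountsTeam"
EMPLOYEE_ROLE = "arn:aws:iam::123456789012:role/Employees"

READ_ACTIONS = ["s3:GetObject", "s3:ListBucket"]
WRITE_ACTIONS = ["s3:PutObject", "s3:DeleteObject"]


def public_access_block():
    """All four S3 Block Public Access switches on (the console default frankv keeps).

    This dict is what boto3's s3.put_public_access_block() takes as
    PublicAccessBlockConfiguration; it rejects any public ACL or policy later on.
    """
    return {
        "BlockPublicAcls": True,
        "IgnorePublicAcls": True,
        "BlockPublicPolicy": True,
        "RestrictPublicBuckets": True,
    }


def build_bucket_policy(bucket, accounts_role=ACCOUNTS_ROLE, employee_role=EMPLOYEE_ROLE):
    """Bucket policy: Accounts read/write, employees read-only.

    Any principal not named here falls under IAM's implicit deny, which is what
    "no-one else has any access" means in policy terms. The JSON form goes to
    boto3's s3.put_bucket_policy(Bucket=..., Policy=json.dumps(policy)).
    """
    bucket_arn = f"arn:aws:s3:::{bucket}"
    resources = [bucket_arn, f"{bucket_arn}/*"]  # bucket (ListBucket) + objects
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "AccountsReadWrite", "Effect": "Allow",
             "Principal": {"AWS": accounts_role},
             "Action": READ_ACTIONS + WRITE_ACTIONS, "Resource": resources},
            {"Sid": "EmployeesReadOnly", "Effect": "Allow",
             "Principal": {"AWS": employee_role},
             "Action": READ_ACTIONS, "Resource": resources},
        ],
    }


def grants_public_access(policy):
    """True if any Allow statement uses the wildcard principal, i.e. the state
    in which an unauthenticated GET on the bucket root returns the XML listing."""
    for st in policy["Statement"]:
        principal = st.get("Principal")
        if st["Effect"] == "Allow" and (
                principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")):
            return True
    return False
```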


freitasm
#2526226 20-Jul-2020 21:20

ANglEAUT:

alasta: It would be nice to think that this sort of situation could be avoided by people simply refusing to provide electronic copies of identity documents to third parties. ...

Somehow, you need to be verified digitally. Currently we lack a trustworthy & verifiable method to identify ourselves online. So we do the next best thing, we shift the physical / real world into the digital realm. Until the techies come up with a better solution, ordinary people will go about living their day to day lives the best they can. Sometimes that requires you to upload a digital copy of your government ID, be that for rental, financial or other purposes.

There are verification services that do not require a copy of your document.






