New malicious search engine trawls AWS servers for sensitive data

17 Feb 2018

As if it wasn’t easy enough already, life for hackers has just been made a lot easier.

A new tool, dubbed BuckHacker, has been made available online by an anonymous hacker. Like a very basic (and malicious) version of Google, the tool trawls through servers at Amazon Web Services (AWS) searching for exposed data.

The name ‘BuckHacker’ stems from the fact that storage containers in AWS Simple Storage Service (S3) are known as ‘buckets’, the part of AWS that the tool directly targets and accesses.

FedEx provided the perfect example of the tool’s potential to cause harm when it came to light that the global package delivery giant had an unsecured server open to the public.

The server contained data that belonged to more than 119,000 people from around the globe, including passports, driving licenses and security identification. The data had been stored on an AWS S3 storage server and hosted by a third-party public cloud provider.

FedEx spokesperson Jim McCluskey assures that the company found no indication that any of the invaluable information had been ‘misappropriated’, but it certainly illustrates what could have happened.

There have been a number of major breaches involving companies storing data on unprotected Amazon S3 storage, including the NSA, which lost 100GB of highly sensitive data, and two million Dow Jones customers who had their data leaked.

And Bitglass product management VP Mike Schuricht says there’s more where that came from.

“Identifying specific attack vectors like misconfigured, public AWS buckets is now a simple act for nefarious individuals,” says Schuricht.

“There are plenty of tools available today, similar to the BuckHacker search engine, that easily detect and take advantage of misconfigurations in public cloud apps.”

WinMagic COO Mark Hickman says regardless of the cloud services enterprises use, they must fulfil their part of the ‘shared responsibility’ deal when it comes to security.

"Customers should encrypt all data before it is placed in the cloud, it is the last line of defence if a hacker gains access to their cloud services. Equally important, is that encryption is employed where the keys are centrally managed and remain under the customer’s constant control, and the keys never stored on a public cloud service, or servers that could be exposed to a hack," says Hickman.

"Ultimately this is the best way to defend against direct attacks and tools such as Buckhacker. Adopting this approach means customers are protecting their data, whilst the cloud provider focuses on protecting the services – both working together to lower the risk of a data breach.”

Schuricht shares these sentiments.

“Given how readily available discovery tools are for attackers, ensuring corporate infrastructure is not open to the public Internet should be considered essential for enterprise IT. FedEx is just the latest in a laundry list of organisations with deep pockets and deep security resources that have fallen victim to this very basic, yet critical error,” Schuricht says.

“One of the challenges with configuring cloud applications is ensuring that all access methods are secure so that the threat of a breach is minimised. An effective way to address cloud threats is to implement a system that provides visibility over cloud data, alerts for high-risk configurations, and automatic, real-time protection mechanisms.”