Published on September 6th, 2017 | by Akshay Nayak
Breach of the Month, August 2017 – Elections, and hotels, and white walkers, oh my!
I’m back reviewing the top breaches of the past month, and there is no better place to start than the Game of Thrones (GoT) breach, probably the most high-profile security story of August. There are actually two separate incidents associated with the hugely popular TV series; they are unrelated and happened to land in the same month.
In the smaller of the two incidents, Star India, one of HBO’s distribution partners in India, leaked Season 7 episode 4, titled ‘The Spoils of War.’ The accidental leak took the form of a link on Star India’s website from which some users were able to download the episode; the downloaded copy carried Star India’s watermark.
In the larger incident, HBO itself was breached, with the attackers obtaining around 1.5 TB of data. The group responsible called themselves “Mr. Smith Group.” The data included unaired episodes of the series Ballers and Room 104, company emails and documents, and scripts for upcoming Game of Thrones episodes.
The group also reached out to Mashable and sent them the usernames and passwords of several of HBO’s social media accounts, and demanded around $6.5 million worth of Bitcoin. All of this attention (to HBO, or perhaps to its inadequate security) also drew in the hacker group OurMine, which went on to take over some of HBO’s social media accounts.
If you are a Game of Thrones fan, be sure to check out our GoT-inspired webinar: Breaches are Coming! What to Do When They Go Beyond the Wall.
Philly area Ob/Gyn:
A data breach at Women’s Health Care Group of PA LLC exposed the records of about 300,000 patients. The cause was a ransomware infection. According to the US Department of Health and Human Services, to whom the breach was reported, this is the third largest healthcare data breach of the year.
Women’s Health Care was not sure whether the attacker actually took any data, but if so, the exposed fields would include names, addresses, dates of birth and Social Security numbers.
Since this was a ransomware infection, having backups was critical, and luckily for the WHC Group they had that covered.
Sabre hospitality breach:
Sabre, a hospitality technology company whose systems handle hotel room reservations, was the victim of a data breach involving payment card information. The attacker obtained unauthorized access to cardholder names along with card numbers, expiration dates and possibly card security codes. The systems inside the individual hotels that hold guest data were unaffected.
Chicago Voter breach:
Data belonging to ES&S, a company that sells voting machines and election software, was left exposed, revealing the personally identifiable information (PII) of 1.8 million Chicago voters, both active and inactive. The exposed information included voter names, dates of birth, addresses, phone numbers, driver’s license numbers and the last four digits of Social Security numbers. The cause was a misconfigured Amazon S3 bucket that allowed the data to be downloaded by anyone.
And the winner is [drumroll…] The Chicago Voter Breach
The Game of Thrones multi-incident breach may look like the obvious winner, but as much as I like GoT, the Chicago Voter breach takes this one, for two reasons:
- The Chicago Voter breach exposed personally identifiable information that can be used for identity theft or social engineering against the affected voters. HBO, by comparison, suffered what amounts to a minor setback: a slight dip in viewership for the leaked episode.
- The Voter breach demonstrates the importance of securing cloud storage, and the disaster that follows when a sound cloud-centric security policy is not implemented.
Chicago Voter Breach background:
On August 11, researchers at UpGuard found that the personal details of 1.8 million Chicago voters were exposed in an Amazon S3 bucket belonging to ES&S, a company that makes voting machines and election software. Chicago’s Board of Election Commissioners has used ES&S for voting data storage since 2014. The exposed PII (Personally Identifiable Information) included names, dates of birth, addresses, phone numbers, driver’s license numbers and the last four digits of SSNs.
The S3 bucket was left completely open, so anyone who found the URL could list and download its contents. The main repository contained two folders of data backups and a 12 GB Microsoft SQL Server (MSSQL) database file. It was discovered by UpGuard’s director of strategy, Jon Hendren, who reported it to Chris Vickery, UpGuard’s Director of Cyber Risk Research. Vickery analyzed the database and the two accompanying folders and found many file names containing phrases such as BallotImages and polldata summary, as well as a table named dbo.voters that held the personal details of Chicago voters.
Once notified, ES&S put the necessary countermeasures in place, and as of August 12 the bucket was no longer publicly accessible.
Here is the part worth dwelling on. In most cases it is insecure default settings that open a security hole. S3 is the opposite: a new bucket and its objects are private by default and readable only by the owning AWS account. In every one of these exposure cases someone explicitly changed that, either by adding an ACL grant to the predefined “Everyone” (AllUsers) or “Any Authenticated AWS User” group, or by attaching a bucket policy with a wildcard principal. The “authenticated users” group is a common trap: it means anyone with any AWS account, not just your own users. There is nothing wrong with changing the defaults for a bucket that genuinely serves public content, but an organization that opts out of AWS’s access controls has to supply its own way of restricting who can reach the data, and a backup of a voter database is never a candidate for public access.
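To make that concrete, here is an added Python example (my own illustration, not ES&S’s, UpGuard’s or AWS’s code) that audits the two places an S3 bucket can be opened up: its ACL and its bucket policy. It works on the JSON shapes the S3 GetBucketAcl and GetBucketPolicy APIs return, flags grants to the predefined AllUsers and AuthenticatedUsers groups and Allow statements with a wildcard principal, and returns an empty list for a bucket still in its private default state. The bucket name, account ID, role name, ACLs and policies below are constructed for the example; in a real audit you would feed it the output of boto3’s get_bucket_acl and get_bucket_policy for each bucket in the account.

```python
import json

# The two predefined S3 groups that make a bucket public. "AuthenticatedUsers"
# is a common trap: it means any AWS account holder anywhere, not your users.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers (anyone on the internet)",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers (any AWS account)",
}
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:*", "*"}
WRITE_ACTIONS = {"s3:putobject", "s3:deleteobject", "s3:putobjectacl",
                 "s3:putbucketacl", "s3:putbucketpolicy", "s3:*", "*"}


def _as_list(value):
    """Policy documents allow a single string wherever a list is expected."""
    return value if isinstance(value, list) else [value]


def principal_is_public(principal):
    """True for the wildcard principal forms "*" and {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def check_acl(grants):
    """Findings for ACL grants (GetBucketAcl 'Grants') to the public groups."""
    findings = []
    for grant in grants:
        grantee = grant.get("Grantee", {})
        label = PUBLIC_GROUP_URIS.get(grantee.get("URI")) if grantee.get("Type") == "Group" else None
        if label:
            findings.append(f"ACL grants {grant['Permission']} to {label}")
    return findings


def check_policy(policy):
    """Findings for Allow statements with a wildcard principal.

    A statement carrying a Condition block may be narrowed (source IP, VPC
    endpoint, ...), so it is reported for review rather than as a definite hole.
    """
    findings = []
    for stmt in _as_list((policy or {}).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not principal_is_public(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        kinds = [k for k, s in (("read", READ_ACTIONS), ("write", WRITE_ACTIONS)) if actions & s]
        qualifier = "conditional, review" if stmt.get("Condition") else "unconditional"
        findings.append(f"policy statement {stmt.get('Sid', '<no Sid>')} allows public "
                        f"{'/'.join(kinds) or 'other'} access ({qualifier})")
    return findings


def audit_bucket(name, grants, policy=None):
    """ACL and policy findings for one bucket; an empty list means still private."""
    return [f"{name}: {f}" for f in check_acl(grants) + check_policy(policy)]


# Constructed sample inputs (not real ES&S data), in the S3 API response shapes.
OWNER_GRANT = {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-CANONICAL-ID"},
               "Permission": "FULL_CONTROL"}
EXPOSED_GRANTS = [OWNER_GRANT, {"Grantee": {"Type": "Group",
                  "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]
EXPOSED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                 "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-voter-backups/*"}]
}""")
PRIVATE_GRANTS = [OWNER_GRANT]  # the default state of a freshly created bucket
PRIVATE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "BackupRoleOnly", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/backup-writer"},
    "Action": ["s3:GetObject", "s3:PutObject"],
    "Resource": "arn:aws:s3:::example-voter-backups/*"}]}

if __name__ == "__main__":
    for line in audit_bucket("example-voter-backups", EXPOSED_GRANTS, EXPOSED_POLICY):
        print(line)
    print("locked-down bucket:", audit_bucket("example-voter-backups", PRIVATE_GRANTS, PRIVATE_POLICY))
```

Two design choices are worth noting. The AuthenticatedUsers group is treated as public, because that is what it is in practice. And a wildcard-principal statement with a Condition block is reported for review rather than suppressed: whether a condition on source IP or VPC endpoint actually narrows the audience is something a human, or a tool that understands IAM condition semantics, has to decide.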
Amazon realized that sensitive data left open to the public was becoming a widespread problem and, in August, released a few tools to combat it. The S3 console now labels publicly accessible buckets, and AWS Config gained managed rules (s3-bucket-public-read-prohibited and s3-bucket-public-write-prohibited) that let administrators continuously flag buckets that allow public read or write access. Amazon also launched Amazon Macie, a service that uses machine learning to discover and classify sensitive data stored in S3 and to alert on how it is being accessed.
While Amazon has done its part in tackling accidental data exposure in AWS, organizations must perform their own due diligence and practice basic security hygiene: encrypt data at rest, grant least-privilege access to customer data, and periodically audit bucket permissions rather than assuming the defaults are still in place.
Akshay Nayak is a Threat Researcher at SS8 Networks. In addition to threat hunting, he likes listening to Bollywood music and playing FIFA. A big Game of Thrones fan, he is one of those people who likes the books better than the TV series.