Published on January 8th, 2018 | by Vishrut Sharma
Breach of the Month, December 2017
Every Friday the SS8 Twitter feed features a notable breach, leak, or hack as our pick for the SS8 #breachoftheweek. At the end of every month, our engineers take a look at each of these ‘finalists’ and select one outstanding breach as our #BreachOfTheMonth pick. Which did we choose for December? This month’s breach threat analysis features the thoughts of Threat Researcher Vishrut Sharma:
Research Tool Discovers Data Breach at Website with 45 Million Users
Tripwire is a software tool developed by researchers at the University of San Diego to detect data breaches at websites that require user registration. The idea is straightforward: a bot registers one or more accounts on a website using a unique email address, and assigns that email account and the website profile the same password. At regular intervals the software checks whether the email account has been accessed with that shared password. If it has, that is a clear indication of a breach, since an attacker must have used the password stolen from the website to log in to the unique email account. Testing Tripwire involved creating accounts at over 2,300 different websites; by the end, 19 of them had shown signs of a breach. One of the compromised websites is said to have over 45 million registered users. The website is not named, since the company did not volunteer to take part in the research. Tripwire is open source and its source code can be found on GitHub.
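The canary-credential check described above, written out as an added illustration (my own code, not the Tripwire project's): each monitored site gets a unique mailbox and its own random password, and only a successful mailbox login from somewhere other than the monitoring host counts as evidence. The log format, site names, addresses and log lines are constructed.

```python
import re
import secrets

# Hypothetical auth-log format for the mailbox provider the canaries live on.
LOG_RE = re.compile(r"^(?P<ts>\S+) imap-login: user=<(?P<user>[^>]+)> "
                    r"result=(?P<result>ok|fail) ip=(?P<ip>\S+)$")

def make_canary(site: str) -> dict:
    """One fresh identity per monitored site: a unique mailbox and a random
    password that is set on BOTH the mailbox and the site profile, never reused."""
    return {"site": site,
            "mailbox": f"canary-{secrets.token_hex(4)}@example-mail.test",
            "password": secrets.token_urlsafe(12)}

def detect_breached_sites(log_text: str, canaries: dict, monitor_ips: set) -> dict:
    """Map each site to successful logins on its canary mailbox that did not come
    from the monitoring host. Nobody uses a canary mailbox legitimately, so any
    other successful login means the site's copy of the password has leaked.
    Failed attempts are ignored: they do not prove the attacker knew the password."""
    hits = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed or unrelated line
        site = canaries.get(m["user"])
        if site is None or m["result"] != "ok" or m["ip"] in monitor_ips:
            continue
        hits.setdefault(site, []).append((m["ts"], m["ip"]))
    return hits

# Constructed sample data: mailbox -> monitored site, the monitor's own address,
# and a few log lines. Only the forum-b canary shows a foreign successful login.
CANARIES = {
    "canary-7f3a@example-mail.test": "shop-a.example",
    "canary-91cd@example-mail.test": "forum-b.example",
    "canary-22be@example-mail.test": "news-c.example",
}
MONITOR_IPS = {"192.0.2.10"}
MAIL_AUTH_LOG = """\
2017-12-01T02:11:09Z imap-login: user=<canary-7f3a@example-mail.test> result=ok ip=192.0.2.10
2017-12-01T02:11:40Z imap-login: user=<canary-91cd@example-mail.test> result=fail ip=198.51.100.9
2017-12-02T18:03:27Z imap-login: user=<canary-91cd@example-mail.test> result=ok ip=198.51.100.9
2017-12-02T18:04:01Z imap-login: user=<someone-else@example-mail.test> result=ok ip=203.0.113.77
2017-12-03T09:15:55Z imap-login: user=<canary-22be@example-mail.test> result=ok ip=192.0.2.10
"""

if __name__ == "__main__":
    print(detect_breached_sites(MAIL_AUTH_LOG, CANARIES, MONITOR_IPS))
```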
TIO Networks Breach
TIO Networks is a Canadian company that runs a network of over 60,000 utility and bill payment kiosks across North America. After being acquired by PayPal for $238 million, the company announced a data breach involving roughly 1.6 million customers. According to a PayPal spokesman, the leaked information included customer names, addresses and Social Security numbers along with login credentials. PayPal's own customers were not affected, as the two companies store customer data on separate networks.
US Army Data Leak
Security expert Chris Vickery discovered a volume of NSA and US Army files on a cloud storage server. Like many effortless breaches in the past, the files were placed on the server without any encryption or password protection and were freely available to anyone with the URL. The server belonged to the United States Army Intelligence and Security Command (INSCOM) and was hosted on AWS. On further examination of the metadata, the security team at UpGuard found an SSD image containing a large number of files classified TOP SECRET and NOFORN (NO FOReign Nationals).
RootsWeb Data Exposure
One of Ancestry’s RootsWeb servers exposed a file containing the emails, usernames and passwords of around 300,000 users. RootsWeb is a collection of tools used to host and share genealogical information. Ancestry states in its blog post that the RootsWeb servers it hosts do not contain PII or financial information such as SSNs or credit card numbers. According to Ancestry, 55,000 of the 300,000 accounts were shared between ancestry.com and RootsWeb. Ancestry reset those users’ passwords and took the affected RootsWeb server offline.
Alteryx Data Leak
More than 120 million American households had their details exposed in an AWS bucket belonging to the marketing analytics company Alteryx. The exposed data had 248 different fields in its schema, including but not limited to addresses, phone numbers and detailed mortgage information. Alteryx removed public access to the data, and a spokesperson said that the exposed data contained no names or any other Personal Identifying Information (PII).
The winner for the December Breach of the Month is…
Alteryx Data Leak
California-based marketing analytics company Alteryx accidentally left sensitive information exposed in an AWS S3 bucket. The openly accessible data was found by Chris Vickery, a security researcher at UpGuard. The massive amount of exposed data consisted of two datasets – one from the 2010 US Census and the other from a dataset called ConsumerView. While the former is publicly accessible to anyone, the latter can only be accessed for a fee; access to ConsumerView is sold by the consumer credit reporting agency Experian. The ConsumerView database file that was found contained detailed information on over 123 million households.
After correlating entries in these two databases, a total of 248 fields were found for each household. These included addresses, number of family members, number of children categorized by different age groups, user interests and spending patterns as well as detailed mortgage and property information.
The information described above was accessible to any authenticated AWS user, meaning that anyone with an AWS account could read it if they knew the URL. Since anyone can create an AWS account for free, granting this kind of access was hardly any better than allowing access to everyone. Note that the default S3 bucket setting only allows access to authorized users, so this exposure was a security misconfiguration rather than the default behaviour.
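An added check for the misconfiguration described above (example code, not Alteryx's or AWS's own tooling): it walks a bucket ACL in the shape the S3 GetBucketAcl API returns, flags any grant to the AllUsers or AuthenticatedUsers groups, and produces the owner-only form that a fresh bucket has by default. The ACL contents and IDs are constructed placeholders.

```python
# Canonical group URIs AWS uses in S3 ACLs for "everyone" and "any AWS account".
# A READ grant to the second group is the misconfiguration described above: it is
# no safer than the first, because anyone can open an AWS account for free.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
WORLD_GROUPS = {ALL_USERS: "everyone (anonymous)",
                AUTHENTICATED_USERS: "any AWS account"}

def find_world_grants(acl: dict) -> list:
    """Return one finding per grant that hands a permission to a global group.
    `acl` has the shape the S3 GetBucketAcl API returns (Owner + Grants). On a
    bucket, READ lets the grantee list objects; WRITE, READ_ACP, WRITE_ACP and
    FULL_CONTROL are progressively worse."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in WORLD_GROUPS:
            findings.append({"permission": grant.get("Permission"),
                             "audience": WORLD_GROUPS[grantee["URI"]]})
    return findings

def owner_only_acl(acl: dict) -> dict:
    """The corrected ACL: keep only grants to the bucket owner's canonical user,
    which is all a freshly created bucket has, and drop every group grant."""
    owner_id = acl["Owner"]["ID"]
    kept = [g for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("Type") == "CanonicalUser"
            and g["Grantee"].get("ID") == owner_id]
    return {"Owner": acl["Owner"], "Grants": kept}

# Constructed ACL modelled on the exposure described above; the IDs are placeholders.
MISCONFIGURED_ACL = {
    "Owner": {"ID": "OWNER-CANONICAL-ID-PLACEHOLDER"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "OWNER-CANONICAL-ID-PLACEHOLDER"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS}, "Permission": "READ"},
    ],
}

if __name__ == "__main__":
    for f in find_world_grants(MISCONFIGURED_ACL):
        print(f"exposed: {f['permission']} granted to {f['audience']}")
    print("after fix:", find_world_grants(owner_only_acl(MISCONFIGURED_ACL)))
```

A real audit would feed `find_world_grants` the dict returned by `get_bucket_acl` for every bucket in the account and treat any non-empty result as a finding; bucket policies with a `"Principal": "*"` need a separate check.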
When asked to comment on the breach, Alteryx said that the data was only meant to be used for marketing purposes and did not have any Personal Identifying Information (PII) that could be used by identity thieves. A spokesperson for Experian, the provider of ConsumerView, said the same thing and added that they were assured by Alteryx that everything was taken care of.
Despite not containing PII such as names or SSNs, this information can still be used by criminals. Home addresses, mortgage information, behaviors and spending patterns obtained from the Alteryx database can be used to find houses worth breaking into. Loan-related information can be used for social engineering attacks such as phantom debt collection, where a person is asked to repay a loan that has already been cleared.
Such instances of data exposure are not uncommon. There were numerous cases in 2016 where sensitive data was exposed in AWS storage buckets and even MongoDB databases due to improper access permission settings.
Companies need to make sure that protecting sensitive data is a top priority. Making excuses that exposed data wasn’t sensitive enough to worry about is not acceptable. Web applications must be tested for common vulnerabilities; the OWASP 2017 Top 10 list is a great place to start. In fact, security misconfiguration, the primary cause of this breach, is on that list. Companies also need to exercise caution when sharing data with third parties. There must be a policy that clearly lays out the security measures that third parties must have in place before any data is shared with them. Had Experian done its due diligence, Alteryx (the third party in this case) would have made sure that ConsumerView was not accessible to unauthorized users.
Vishrut is a Threat Researcher at SS8. He believes that, in today’s rapidly changing security landscape, signature-based malware detection will have to be augmented with AI and machine learning to defend computers from next-generation cyber adversaries.