Yottabytes: Storage and Disaster Recovery

May 31 2018   10:59PM GMT

Okay, Working at Upguard Must be the Best Job Ever

Sharon Fisher

Tags:
government
privacy
Security
Storage

Configuration is hard.

At least, that’s the conclusion to draw from a recent storage security incident in which Los Angeles County’s 211 hotline was storing many of the records about its calls in the cloud. Instead of keeping those records locked down, as the law would require for medical records of this kind, the organization had a number of its files configured to be publicly readable.

Oopsie.

Not every file was exposed, but a number of them were, which meant that anyone who knew the URL of that Amazon AWS resource (and bucket URLs are routinely guessed and enumerated) could download what was stored there without any credentials. That included “access credentials for those operating the 211 system, email addresses for contacts and registered resources of LA County 211, and most troubling, detailed call notes,” according to the organization that discovered the error. “These notes describe the reason for the calls, including personally identifying information for people reporting the problem, persons in need, and, where applicable, their reported abusers. Included in the more than 3 million rows of call logs are 200,000 rows of detailed notes, including graphic descriptions of elder abuse, child abuse, and suicidal distress, raising serious, large-scale privacy concerns. In many of these cases, full names, phone numbers, addresses, and even 33,000 instances of full Social Security numbers are revealed among the data.”

LA County 211 attributed the issue to a configuration problem, according to the report. Fortunately, the problem has since been fixed, and the Amazon AWS files are no longer publicly accessible.
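A concrete version of the check that would have caught this, added here as an example (it is not code from the original post, from LA County 211 or from UpGuard): the three places an S3 bucket can be made public are the bucket or object ACL, the bucket policy, and, since AWS introduced Block Public Access later in 2018, the account or bucket Block Public Access settings. The functions below evaluate the dictionary shapes that boto3’s `get_bucket_acl`, `get_bucket_policy` (after `json.loads`) and `get_public_access_block` return; the bucket names, account ID, ARNs and owner ID in the sample data are constructed, and the leaky configuration is the generic “everyone can read” pattern, not the real 211 setup.

```python
"""Audit S3 ACL / bucket policy / Block Public Access for public exposure.
Added example, not code from the original post or from UpGuard.  Input dicts
mirror boto3's get_bucket_acl(), json.loads(get_bucket_policy()['Policy'])
and get_public_access_block()['PublicAccessBlockConfiguration']."""
import json

# Group URIs AWS uses for "everyone on the internet" and "any AWS account".
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def acl_public_grants(acl):
    """Permissions granted to AllUsers / AuthenticatedUsers.  Works on bucket
    ACLs (READ = anyone can list) and object ACLs (READ = anyone can fetch)."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            found.append(grant["Permission"])
    return found


def _principal_is_wildcard(principal):
    """True for Principal "*", {"AWS": "*"} or a list containing "*"."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def policy_public_statements(policy):
    """Sids of unconditional Allow statements for a wildcard principal.
    Statements carrying a Condition are skipped: they need manual review,
    since e.g. aws:SourceIp may or may not actually narrow the grant."""
    public = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        if _principal_is_wildcard(stmt.get("Principal")):
            public.append(stmt.get("Sid", "statement-%d" % idx))
    return public


def bucket_is_public(acl, policy, public_access_block=None):
    """Combine the sources the way S3 does: IgnorePublicAcls neutralises
    public ACL grants, RestrictPublicBuckets neutralises a public policy.
    With no Block Public Access configuration (the pre-2018 situation), the
    ACL and policy are taken at face value."""
    pab = public_access_block or {}
    acl_exposed = bool(acl_public_grants(acl)) and not pab.get("IgnorePublicAcls", False)
    policy_exposed = (bool(policy_public_statements(policy))
                      and not pab.get("RestrictPublicBuckets", False))
    return acl_exposed or policy_exposed


# --- Constructed sample configurations (not the real LA County 211 setup) ---
OWNER = {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"},
         "Permission": "FULL_CONTROL"}
LEAKY_ACL = {"Owner": {"ID": "example-owner-id"}, "Grants": [
    OWNER,
    {"Grantee": {"Type": "Group",  # the classic mistake: everyone may list
                 "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}
LEAKY_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                 "Action": "s3:GetObject",
                 "Resource": "arn:aws:s3:::example-hotline-logs/*"}]}""")
HARDENED_ACL = {"Owner": {"ID": "example-owner-id"}, "Grants": [OWNER]}
HARDENED_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "HotlineAppOnly", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/hotline-app"},  # hypothetical ARN
    "Action": ["s3:GetObject", "s3:PutObject"],
    "Resource": "arn:aws:s3:::example-hotline-logs/*"}]}
BLOCK_ALL = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
             "BlockPublicPolicy": True, "RestrictPublicBuckets": True}

if __name__ == "__main__":
    for name, acl, pol, pab in [("leaky", LEAKY_ACL, LEAKY_POLICY, None),
                                ("leaky + block", LEAKY_ACL, LEAKY_POLICY, BLOCK_ALL),
                                ("hardened", HARDENED_ACL, HARDENED_POLICY, BLOCK_ALL)]:
        print("%-14s public=%-5s acl=%s policy=%s" % (
            name, bucket_is_public(acl, pol, pab),
            acl_public_grants(acl), policy_public_statements(pol)))
```

To run it against a real account, feed it `s3.get_bucket_acl(Bucket=name)`, `json.loads(s3.get_bucket_policy(Bucket=name)["Policy"])` (that call raises a `ClientError` with code `NoSuchBucketPolicy` when no policy is attached; treat that as an empty policy) and `s3.get_public_access_block(Bucket=name)["PublicAccessBlockConfiguration"]` (code `NoSuchPublicAccessBlockConfiguration` when unset). Because the 211 case involved some files being public and others not, a clean bucket ACL is not enough: run `acl_public_grants` over `get_object_acl` for each object, or simply turn on all four Block Public Access flags, which is the one setting that makes the per-object question moot.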

How this was discovered is actually the more interesting part. It turns out there’s a company called UpGuard that does the same sort of thing attackers do: roam the internet looking for open back doors, exposed ports, unpatched systems and so on. But when it finds something, instead of breaking in, it contacts the affected organization and lets it know so that the problem can be corrected.

Then UpGuard alerts the media so that people at other companies can be aware of these problems too.

So, that’s what happened here. Somebody was poking at Amazon AWS links, realized they could get in, and wandered around for a while taking screenshots of the available data before letting the organization, and later the media, know.

The group of people who do this are called the UpGuard Cyber Risk Research Team, and they have it down to a science. “The UpGuard Cyber Risk Research team follows the processes and procedures detailed in the internal governance document ‘UpGuard Breach Research Process’ for breach research, notification, and disclosure,” the company writes in its Cyber Risk Research Guidelines.

Needless to say, UpGuard considers itself a “white hat” or ethical hacker, as opposed to the “black hats” who do the same thing but steal the information or sell access to it. “The UpGuard Cyber Risk Research team finds publicly exposed data, helps the owners secure it, and shares information on how these exposures can be avoided,” the company explains. “Reducing data exposures is a public good, and the vast majority of individuals whose data is leaked lack the capacity to identify and remove those exposures themselves. Publicizing these findings raises awareness of the problem of data breaches, both in its scale and the severity of the data exposed.”

Ethical hacking! How chaotic good can you get?

Not that the company is doing this for purely altruistic reasons. “While we believe this activity provides a benefit to the public, and indeed to ourselves as private citizens, it also benefits UpGuard in that UpGuard provides solutions for preventing data breaches and a mature market for cyber risk mitigation would logically benefit UpGuard,” the company goes on to explain.

That said, it doesn’t try to shake down its subjects. “UpGuard never uses the discovery of a data breach to approach any affected entity in a sales capacity for UpGuard’s separate enterprise services,” the company writes. It also appears that the company is essentially doing a passive search, looking for security holes, as opposed to, say, using social engineering to try to create vulnerabilities.

It isn’t entirely clear to what extent the entities that are exposing their data have any say-so in whether the vulnerability gets published. (Once it’s secured, of course.) “The UpGuard Cyber Risk Team can also work to help secure a data exposure without publishing a report,” the company writes. “The guiding decision in a decision to publicize a breach is whether the public interest is best served by a public report. UpGuard has no obligation to report exposed data. As an institution, we feel compelled to promote visibility and address as many leaked data sets as we feel appropriate. The research team evaluates the projected impact of each data breach, and other relevant factors, in order to prioritize breach notifications.”

Though the company does go on to add, “The manner in which the breached entity responds to the data breach notification may impact the manner in which media are made aware of the situation and when the information is presented.” Heh. It would be fun to be a fly on the wall in some of those instances.

In any event, for some people, that has got to be the funnest job in the world.
