Building a slide deck, pitch, or presentation? Here are the big takeaways:
- 50.4 GB of configuration information including IP addresses, administrative credentials, passwords, and private keys was leaked by analytics firm Birst.
- No customer information was exposed in the leak.
Update: This article originally reported, based on an UpGuard post, that Capital One Bank data was involved in the leak, which is inaccurate. The article has been updated to reflect this.
Configuration data was placed in an unsecured Amazon S3 bucket by the business analytics software firm Birst, according to security researchers at UpGuard. On January 15th, UpGuard detected the unsecured bucket—which contained IP addresses, administrative credentials, passwords, and private keys. Birst secured the bucket the same day, after receiving notification from Chris Vickery, UpGuard’s director of cyber risk research.
The bucket, which was 50.4 GB in size, did not contain any customer information. The information contained in the bucket relates to a Birst appliance. According to the leak description by UpGuard:
Birst’s appliances provide security advantages that would normally protect against precisely this kind of cloud leak; by entirely cutting the on-premise Birst cloud environment off from access to the wider internet, security misconfigurations resulting in the exposure of critical information would not be possible. Copying that same data, however, to an Amazon S3 bucket that can be accessed by anyone entering a URL – and storing in that bucket not just the encrypted appliance, but the key needed to decrypt the data – enables precisely this kind of cloud leak to occur.
If a hacker successfully breached a customer’s network by means of some other exploit, the system information and administrative credentials would grant an attacker access to analytics data contained on the Birst appliance, as well as anything the appliance had access to. The role that the appliance serves is to “[virtualize] the entire analytics and data ecosystem,” according to this press release.
The Birst leak is just one in a series of leaks that have occurred as a result of incorrectly configured Amazon S3 buckets. Incorrect permissions settings on S3 buckets have resulted in documents being exfiltrated from Verizon, the NSA, the US Military, French marketing company Octoly, and analytics firm Alteryx. The Alteryx leak included personally identifiable information (PII) originating from credit reporting bureau Experian and the US Census Bureau.
In an effort to mitigate potential damage, Amazon has provided free access to the bucket permissions check in AWS Trusted Advisor for all users. That check was previously available only to Business and Enterprise support customers, and the organizations named above would have been in those support tiers, so responsibility falls on the operations team to proactively configure these settings.