Fancy a career exposing cloud data leaks? Great news, companies are still largely clueless
Unit 42 crew tours the cloud security hellscape, finds admins have learned nothing
Anyone hoping to halt the flood of data leaks stemming from cloud services got bad news this week when Palo Alto Networks' Unit 42 found little sign that companies were improving their security practices.
The vendor's threat research arm examined cloud hosts on AWS, Azure, and Google Cloud Platform to see how public-facing servers are configured, and whether those configurations actually keep unauthorized users out.
What they found was an epidemic of unpatched bugs, misconfigured servers, and overlooked vulnerabilities that could allow an intruder to easily access private data and trigger a massive leak of sensitive records.
"The sheer volume of security incidents caused by weak credentials or exposed databases has numbed the security community. Yet there is no sign that the number of related security incidents is slowing down," explained Unit 42's Jay Chen.
"Different organizations simply repeat the same mistakes at different cloud service providers."
Among the issues discovered by the team was the widespread use of SSH connections that were left open to the public-facing internet, giving anyone who stumbled upon the server a key point of entry.
This in itself is not much of a security concern, until you consider that in many cases those SSH services did not require a key pair to log in: they accepted password authentication, so an attacker could guess or brute-force credentials to obtain a shell. In Azure, for example, 46.53 per cent of SSH-enabled instances had been configured to use only a login and password.
"Although SSH is one of the most secure protocols, it is still too risky to expose this powerful service to the entire internet," Chen explained.
"Any misconfiguration or weak/leaked credentials can lead to host compromise."
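The report counts hosts that still accept password logins over internet-exposed SSH. The following script, added here as an illustration and not taken from the Unit 42 report or from OpenSSH, audits an sshd_config for the settings that leave that door open, applying OpenSSH's own rules (the first occurrence of a directive wins, and keyboard-interactive authentication defaults to "yes" even when PasswordAuthentication is "no"), and places a constructed weak configuration beside a constructed key-only one. The config texts and the finding messages are assumptions for the example.

```python
"""Audit an sshd_config for the password-login settings the report counted,
and show the key-only configuration that closes them.

Added example, not code from the Unit 42 report or from OpenSSH; the two
config texts below are constructed for illustration."""
import re
import sys

# Defaults OpenSSH applies when a directive is absent (see sshd_config(5)).
# KbdInteractiveAuthentication is the current name; ChallengeResponseAuthentication
# is its older alias. Both default to "yes", and with UsePAM that path can still
# prompt for a password even when PasswordAuthentication is "no".
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "permitemptypasswords": "no",
}
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

WEAK_SSHD_CONFIG = """\
# Constructed: a password-only host of the kind the report counted on Azure.
Port 22
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
"""

HARDENED_SSHD_CONFIG = """\
# Constructed: key-only login; no code path on the server accepts a password.
PubkeyAuthentication yes
AuthenticationMethods publickey
PasswordAuthentication no
KbdInteractiveAuthentication no
ChallengeResponseAuthentication no
PermitEmptyPasswords no
PermitRootLogin no
MaxAuthTries 3
"""


def parse_sshd_config(text):
    """Effective global settings: keywords are case-insensitive, the FIRST
    occurrence of a directive wins (as in sshd), and everything after the first
    'Match' line is conditional, so it is not part of the global view."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        if key == "match":
            break
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        settings.setdefault(key, value)
    return settings


def effective(settings, key):
    """Value sshd would use for a directive, falling back to its default."""
    return settings.get(key, DEFAULTS.get(key, ""))


def audit_sshd_config(text):
    """Return (directive, effective value, why it matters) for each weak setting."""
    s = parse_sshd_config(text)
    checks = [
        ("PasswordAuthentication", "yes",
         "password logins can be brute-forced from the internet; require keys"),
        ("KbdInteractiveAuthentication", "yes",
         "PAM keyboard-interactive can still ask for a password"),
        ("PermitRootLogin", "yes",
         "root is the first account every scanner tries"),
        ("PermitEmptyPasswords", "yes",
         "accounts with empty passwords log straight in"),
    ]
    return [(name, value, why) for name, value, why in checks
            if effective(s, name.lower()) == value]


if __name__ == "__main__":
    # Usage: python audit_sshd.py /etc/ssh/sshd_config  (defaults to the weak sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else WEAK_SSHD_CONFIG
    for name, value, why in audit_sshd_config(text):
        print(f"{name} = {value}: {why}")
```

On a live host, feed it the output of `sshd -T`, which prints the effective configuration with defaults filled in, rather than the raw file. Note that an empty or absent sshd_config is not "safe": it inherits the defaults, which still permit both password and keyboard-interactive logins. The hardened block sets both the current and the older spelling of the keyboard-interactive directive so it works on older OpenSSH releases as well.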
Things were even worse when it came to patch management. The Unit 42 crew reports that 24 per cent of the public cloud hosts they probed exposed known vulnerabilities, and more than half of those vulnerabilities had been publicly disclosed for at least two years.
On top of that, 61 per cent of hosts still accepted TLS 1.1 or older, protocols that were superseded by TLS 1.2 in 2008, more than a decade ago.
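The "accepts TLS 1.1 or older" figure is something you can measure for your own hosts. The script below, an added example rather than the report's own tooling, pins a client to one protocol version at a time and records which versions a server will negotiate, then buckets the result the way the report does; it also builds the corrected server-side setting, a context that refuses anything below TLS 1.2. The host name, the bucket labels, and the `@SECLEVEL=0` cipher string (needed because recent OpenSSL refuses to offer TLS 1.0/1.1 at its default security level) are assumptions for the example; only `probe_tls_versions()` needs network access.

```python
"""Probe which TLS versions a public host will negotiate, and bucket the answer
the way the report does ("accepts TLS 1.1 or older").

Added example, not the report's own tooling. probe_tls_versions() needs network
access to the target; classify() and hardened_server_context() run offline."""
import socket
import ssl
import sys

# Labels match what SSLSocket.version() reports after a handshake.
VERSIONS = [
    ("TLSv1", ssl.TLSVersion.TLSv1),
    ("TLSv1.1", ssl.TLSVersion.TLSv1_1),
    ("TLSv1.2", ssl.TLSVersion.TLSv1_2),
    ("TLSv1.3", ssl.TLSVersion.TLSv1_3),
]
LEGACY = ("TLSv1", "TLSv1.1")


def _client_context_pinned_to(version):
    """A client that offers exactly one protocol version, so the server's
    acceptance of that version is the only thing being tested."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # testing protocol support, not the cert
    ctx.minimum_version = version
    ctx.maximum_version = version
    if version <= ssl.TLSVersion.TLSv1_1:
        # Assumption: OpenSSL >= 1.1.1 builds; they refuse TLS 1.0/1.1 at the
        # default security level, so lower it for the probe only.
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    return ctx


def probe_tls_versions(host, port=443, timeout=5.0):
    """Map each version label to True (negotiated), False (refused or failed)
    or None (the local TLS library cannot offer that version at all)."""
    result = {}
    for label, version in VERSIONS:
        try:
            ctx = _client_context_pinned_to(version)
        except (ssl.SSLError, ValueError):
            result[label] = None
            continue
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    result[label] = tls.version() == label
        except (ssl.SSLError, OSError):
            result[label] = False
    return result


def classify(supported):
    """'accepts-legacy' if any TLS 1.1-or-older handshake succeeded (the
    report's 61 per cent), 'modern-only' if only 1.2/1.3 did, else 'no-tls'."""
    legacy = [v for v in LEGACY if supported.get(v)]
    if legacy:
        return "accepts-legacy", legacy
    modern = [label for label, _ in VERSIONS
              if label not in LEGACY and supported.get(label)]
    if modern:
        return "modern-only", modern
    return "no-tls", []


def hardened_server_context(certfile=None, keyfile=None):
    """The corrected server-side setting: refuse anything below TLS 1.2."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


if __name__ == "__main__":
    # Usage: python tls_probe.py some.host.example [port]
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # assumed target
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    supported = probe_tls_versions(host, port)
    print(host, supported, classify(supported))
```

Each version is tested in its own connection because a server that negotiates TLS 1.3 with a modern browser can still accept TLS 1.1 from a client that offers nothing else, which is exactly the case the report counts. A `None` result means the probe was inconclusive on the scanning machine (for instance a LibreSSL-based Python that rejects the security-level cipher string), not that the server refused the version.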
As The Register has found first-hand, even a brief search of IP blocks with Shodan will return an overwhelming number of connections to cloud servers that have simply been set to accept any and all connections from the general public. Simply dipping your toe into this field will likely yield a result.
The parade of data-leak disclosures that dominates infosec reporting these days is not the result of highly-skilled sleuthing, rather it is a reflection of the massive pool of poorly configured cloud servers out there today.
We have a long, long way to go. ®