CE Retailers Using AWS Urged To Check Online Operations
Australian retailers along with several large distributors and banks whose backend data operations reside on Amazon servers are today being urged to check whether confidential information has been compromised.
Recently security researchers posted “friendly warnings” to users of Amazon’s AWS cloud storage service because they believe confidential information could have been compromised.
In Europe the BBC found almost 50 warnings posted to Amazon’s servers. Many of the affected stores had more than one warning uploaded to them.
There was a rash of data breaches involving Amazon Web Services in 2017.
Misconfigured settings were repeatedly blamed.
In Australia several large retailers’ online operations, along with several banks, have their services hosted on AWS.
One message said: “Please fix this before a bad guy finds it.”
Security researcher Robbie Wiggins, who regularly seeks out insecure cloud systems, said he had received a range of reactions when telling an organisation that their data was wide open.
“I’ve had a few responses ranging from monetary rewards to thanks,” he told the BBC. “I’ve struggled with a good few, especially the government for Argentina.”
Often companies made it difficult to report problems because no contact details were available for security teams or server administrators.
Mr Wiggins said he currently had a list of about 2,000 insecure data stores, also known as buckets, about which he was steadily informing affected organisations.
“Lots of buckets appear to have been abandoned and forgotten about,” said Mr Wiggins.
The main target of the security experts scanning for mistakes is servers supporting Amazon’s Simple Storage Service (S3), part of its AWS business.
Over the last 18 months, Uber, Verizon, Alteryx, the WWE, US defence contractor Booz Allen Hamilton, Dow Jones and three data mining companies have exposed data via misconfigured S3 buckets. Between them the firms lost data covering the digital identities of hundreds of millions of people.
Robin Wood, who wrote a bucket-scanning tool that many researchers use, said the ease with which the storage can be bought and configured made it very attractive to a lot of companies.
A recent AWS warning urged cloud account owners to tighten up their settings.
“It’s amazing how many larger firms have a website or web hosting package that the security and IT teams know nothing about,” he told the BBC.
Other stores were left open to get around configuration problems that can crop up when several different firms work on the same project, he said.
“What tends to happen is that if something is not working properly they will open it up a bit to see if that fixes it,” said Mr Wood. “They just keep clicking until it works.”
Anyone coming across the data might be able to scoop up valuable information, such as database files and login data, that could help them gain access to other networks of the same company, he said.
Scanning for vulnerable buckets was straightforward because of the way Amazon organised its service, he added.
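The failure mode Mr Wood describes, a bucket policy or ACL widened “a bit” until an integration works and then forgotten, is something an account owner can detect from their own configuration without scanning anything. The following is an added illustration, not code from the article, the BBC, the researchers quoted or AWS: it audits the three places a bucket becomes public (the bucket policy, the bucket ACL and the Block Public Access settings) using the JSON shapes AWS documents for those objects. The bucket name, the role ARN with the documentation account id 111122223333, the canonical-id placeholder and both the weak and the hardened configurations are constructed for the example.

```python
"""Audit constructed S3 bucket configurations for anonymous access.

Added example, not from the article or AWS. Runs offline on policy, ACL and
Block Public Access documents in the JSON shape AWS uses; every name and value
below is made up for illustration.
"""
import json

# Canned group URIs AWS uses in ACLs for "everyone" and "any AWS account".
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
BLOCK_PUBLIC_ACCESS_FLAGS = (
    "BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets",
)


def _as_list(value):
    """Policy documents allow a single string or a list in most positions."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _wildcard_principal(principal):
    """True when the Principal element grants to anyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_policy_statements(policy_json):
    """Sids of Allow statements with a wildcard principal and no Condition.

    A Condition (source VPC endpoint, source IP, ...) can narrow a wildcard
    grant, so such statements are left for manual review rather than flagged.
    """
    policy = json.loads(policy_json)
    sids = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if _wildcard_principal(stmt.get("Principal")) and not stmt.get("Condition"):
            sids.append(stmt.get("Sid", "<no Sid>"))
    return sids


def public_acl_grants(acl):
    """(group, permission) pairs granted to a global group in a bucket ACL."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS:
            found.append((grantee["URI"].rsplit("/", 1)[-1], grant["Permission"]))
    return found


def block_public_access_gaps(config):
    """Names of the four Block Public Access flags that are not switched on."""
    return [f for f in BLOCK_PUBLIC_ACCESS_FLAGS if not config.get(f, False)]


def audit_bucket(name, policy_json, acl, block_config):
    """Combine the three checks into one finding per bucket."""
    report = {
        "bucket": name,
        "public_policy_sids": public_policy_statements(policy_json),
        "public_acl_grants": public_acl_grants(acl),
        "block_public_access_gaps": block_public_access_gaps(block_config),
    }
    report["public"] = bool(report["public_policy_sids"] or report["public_acl_grants"])
    return report


# Constructed sample: the "opened up a bit until it worked" state.
RESOURCES = ["arn:aws:s3:::example-retail-backups", "arn:aws:s3:::example-retail-backups/*"]
WEAK_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": RESOURCES}]})
WEAK_ACL = {"Grants": [{
    "Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
    "Permission": "READ"}]}
WEAK_BLOCK_CONFIG = {}  # Block Public Access never configured

# Constructed sample: the corrected state. One named role instead of "*",
# ACL grant only to the owner, all four Block Public Access flags on.
# Account id 111122223333, the role name and the canonical id are placeholders.
HARDENED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "AppReadOnly", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:role/app-reader"},
    "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": RESOURCES}]})
HARDENED_ACL = {"Grants": [{
    "Grantee": {"Type": "CanonicalUser", "ID": "<owner-canonical-id>"},
    "Permission": "FULL_CONTROL"}]}
HARDENED_BLOCK_CONFIG = {f: True for f in BLOCK_PUBLIC_ACCESS_FLAGS}

if __name__ == "__main__":
    print(json.dumps(audit_bucket("weak", WEAK_POLICY, WEAK_ACL, WEAK_BLOCK_CONFIG), indent=2))
    print(json.dumps(audit_bucket("hardened", HARDENED_POLICY, HARDENED_ACL,
                                  HARDENED_BLOCK_CONFIG), indent=2))
```

The inputs here are the same documents the S3 API returns for a bucket’s policy, ACL and public-access block, so the checks can be pointed at real configuration by feeding in those responses. The point of the hardened sample is that the application still has the read access that prompted the “click until it works” change; only the grantee has been narrowed from everyone to the one role that needs it, and Block Public Access stops the next well-meaning widening from taking effect.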