Rapid7 survey shows insecure corporate data in Amazon buckets

Rapid7 : 28 March, 2013  (Technical Article)
Businesses have been found using Amazon's Simple Storage Service to store critical or personal data in an insecure way

Rapid7 has released information about a misconfiguration in Amazon's Simple Storage Service (S3): many organisations have their buckets (where the data is stored) made available to the public.

During its research, Rapid7 reviewed the permissions of approximately 13,000 Amazon S3 buckets and uncovered the following:

- Many large companies are represented in the list of publicly exposed buckets
- More than 28,000 PHP source files were identified. Some contain details such as database usernames, passwords, and API keys
- The most common exposure was through log backups that were left globally accessible
- Over 218,000 CSV files were identified, many of which expose personal information such as names, email addresses, and phone numbers
- Many of the documents identified were clearly marked as confidential or obviously private in nature. In other instances, the exposed data included log files and service data that exposed sensitive details about the organization and their customers
 
Some examples of the information they found included:

- Personal photos from a medium-sized social media service
- Sales records and account information for a large car dealership
- Unprotected database backups containing site data and encrypted passwords
- Video game source code and development tools for a mobile gaming firm
- Sales “battlecards” for a large software vendor
- Employee personal information and member lists across various spreadsheets
 
In response to this research, Rapid7 worked with Amazon to disclose this misconfiguration. Rapid7 has also published an extensive blog post explaining this research.
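The exposure described above comes down to a bucket's ACL or bucket policy granting access to everyone. As an added illustration of the check an S3 administrator could run (example code, not from Rapid7 or the article), the following Python flags a bucket whose ACL grants to the AllUsers or AuthenticatedUsers groups, or whose policy allows a wildcard principal. The ACL dict and policy JSON follow the shape the AWS API returns; the owner ID, bucket name and sample documents are constructed.

```python
"""Flag S3 buckets whose ACL or bucket policy grants access to everyone."""
import json

# Grantee URIs Amazon uses for the two public groups in S3 ACLs.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS, AUTH_USERS}

def public_acl_grants(acl):
    """(permission, group) pairs an ACL (boto3 get_bucket_acl shape) gives to public groups."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            found.append((grant["Permission"], grantee["URI"].rsplit("/", 1)[-1]))
    return found

def _is_wildcard(principal):
    """True for Principal "*" or {"AWS": "*"} / {"AWS": [..., "*"]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def public_policy_actions(policy_json):
    """Actions a bucket policy allows to an anonymous (wildcard) principal.
    Conditions are not evaluated: a conditioned wildcard Allow is still reported."""
    stmts = json.loads(policy_json).get("Statement", [])
    actions = []
    for stmt in ([stmts] if isinstance(stmts, dict) else stmts):
        if stmt.get("Effect") == "Allow" and _is_wildcard(stmt.get("Principal")):
            act = stmt.get("Action", [])
            actions.extend([act] if isinstance(act, str) else act)
    return actions

def bucket_is_public(acl, policy_json=None):
    """True when either the ACL or the bucket policy exposes the bucket to everyone."""
    return bool(public_acl_grants(acl)) or bool(policy_json and public_policy_actions(policy_json))

# Constructed samples (not real buckets): a world-READable ACL, an owner-only ACL,
# and a policy that lets anonymous callers fetch every object.
OWNER = {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner"}, "Permission": "FULL_CONTROL"}
SAMPLE_ACL = {"Grants": [OWNER, {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}
SAFE_ACL = {"Grants": [OWNER]}
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})
```

With boto3 the same functions can be fed the output of `get_bucket_acl` and `get_bucket_policy` for each bucket returned by `list_buckets`; a READ grant to AllUsers is exactly the "list the whole bucket" exposure the survey counted.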
