Slashdot Mirror


Meeting and Hotel Booking Provider's Data Found in Public Amazon S3 Bucket (threatpost.com)

Leaks of personal and business information from unsecured Amazon S3 buckets are piling up. From a report: The latest belongs to Groupize, a Boston-area business that sells tools to manage small group meetings as well as a booking engine that handles hotel room-block reservations. Researchers at Kromtech Security found a publicly accessible bucket containing business and personal data, including contracts and agreements between hotels, customers and Groupize, Kromtech said. The data included some credit card payment authorization forms that contained full payment card information including expiration date and CVV code. The researchers said the database stored in S3 contained numerous folders; one called "documents" held close to 3,000 scanned contracts and agreements, while another called all_leads had more than 3,100 spreadsheets containing critical Groupize business data including earnings. There were 37 other folders in the bucket containing tens of thousands of files, most of them storing much more benign data.

37 comments

  1. Jay Reilly tried to DMCA Kromtech by Anonymous Coward · · Score: 0

    He was embarrassed at having 3,100 spreadsheets in place of a database

  2. "a Boston-area business that sells tools" by Anonymous Coward · · Score: 0

    Not anymore.

  3. Internet usage needs to be licensed. by Nutria · · Score: 2

    Not just that, but a license to manage every server you manage and/or create. It sure would cut down on stuff like this and IoT issues.

    (Except that I'm certain that MSFT would use that as a technique for not licensing OSX and Linux users.)

    --
    "I don't know, therefore Aliens" Wafflebox1
    1. Re:Internet usage needs to be licensed. by Anonymous Coward · · Score: 1

      Internet usage needs to be licensed.

      Well, start with the easy things - there are rules for PCIDSS compliance to accept credit cards.

      Is someone paying a big fine?

      LOL. Of course not...

    2. Re:Internet usage needs to be licensed. by SvnLyrBrto · · Score: 1

PCIDSS is a contractual requirement required by the credit card companies in order to accept payments. It's not a law enforced by government, such as HIPAA. So no, there could never be a fine for a breach. I guess it's possible that there may be a penalty fee specified in the contract, but that's different than a legal fine. Mostly, you just lose your ability to take credit card payments, which would sink many businesses.

      --
      Imagine all the people...
    3. Re:Internet usage needs to be licensed. by Anonymous Coward · · Score: 0

      So this is what "moving to the cloud" means. More accurately, this is what you get when untrained idiots can create and use IT services, which is pretty much what cloud providers enable.

    4. Re:Internet usage needs to be licensed. by AmiMoJo · · Score: 1

      Just impose heavy fines for people who are this grossly negligent. In the UK there is something called the Information Commissioner's Office, which can and does fine companies for this kind of mis-handling of sensitive, personal data.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  4. Not very good at English either by Anonymous Coward · · Score: 1

Not very good at English either. In many places on their website, Groupize trumpets that they can "Reign in your small meetings spend." One presumes they mean "Rein in" and perhaps "cost of small meetings."

    1. Re:Not very good at English either by Anonymous Coward · · Score: 4, Funny

Sir, I'm going to need you to repeat your words as a synergized statement.

    2. Re:Not very good at English either by Anonymous Coward · · Score: 2, Funny

      It's ok the small meetings have been synergized, so the needful has been done.

  5. Not S3's fault... by TFlan91 · · Score: 1

This is nowhere near the vendor's fault, this is 100% end-user error.

    AWS sent an email to us a while ago alerting us to a single bucket (of many) still in use, for an old client running "legacy" code, having public read/write.

    Within 5 minutes of reading the email, which was not requested, the permissions were fixed.

    1. Re:Not S3's fault... by Anonymous Coward · · Score: 0

Of course it's the user's fault. But S3 by default is open to the internet from a network perspective. Most traditional environments wouldn't allow this sort of access to this kind of data.

      Part of the issue is all of these developers with no operational experience are setting up all of these sites with other people's information, and exposing them to the internet.

      This issue shows a pretty glaring reason why so many ops people hold their breath when they hear the term DevOps.

    2. Re:Not S3's fault... by Anonymous Coward · · Score: 0

      Since DevOps became a mainstream concept, I've seen a lot more testing in production incidents, especially when the people who are supposed to be ensuring that production runs properly also have to bang a bunch of lines for a codebase and answer to the lash of that whip. Even in the past year and a half, DevOps went from "oppy" to "a developer who can use a '#' prompt."

      It is no wonder why crap like this happens. DevOps and ITIL concepts tend to not mix well, especially when devs have to make sprint deadlines or be blasted for it on a daily basis come the stand-up meetings [1], so just moving crap directly to production is a gamble often done.

      [1]: I've never understood how Scrum/Agile stand-up meetings are productive. Having a PM demand a dev account for every ticket open, with other people yelling, "wah, I'm blocked!" is the biggest waste of time I've ever seen.

    3. Re:Not S3's fault... by Anonymous Coward · · Score: 0

I think the term devops is misused; it's to bridge dev and ops and err on the side of ops experience. However this is never followed in the business world, because devops engineers are always junior devs who can install software, unless you get the occasional true Rockstar who has ops, dev, and security on their mind. They are worth every penny plus, but are usually not interested in working with the "devops" teams currently employed.

    4. Re:Not S3's fault... by ctilsie242 · · Score: 1

Part of it is an attitude I've seen with a number of smaller companies: the "let's get this on AWS no matter what." Part of it is that they feel that with no physical operators, coupled with a "results oriented" DevOps process, they can completely toss all IT people, except for 1-2 coders present, with the other devs offshored. Their idea of production is a testing environment after their unit tests, or perhaps after their push into Git.

      Of course, this starts to show when stuff like this happens. Did they even think about it? Maybe for a second, but they were more concerned with finishing their sprint than actual security work, because it is better to drop the ball and get the code done, just so they are not repeatedly yelled at by the PM for the same Jira items.

      In these environments, security has no ROI, so it gets tossed to the wayside.

    5. Re:Not S3's fault... by Anonymous Coward · · Score: 0

The vendor could have set up their system with a secure-by-default design. Instead they chose insecure-by-default to entice less tech savvy users to their platform. Amazon does share some of the blame, not most of it, but some, as they've specifically chosen less secure choices to improve profits.

    6. Re:Not S3's fault... by Anonymous Coward · · Score: 0

      We got that email, with a huge list. But we can't figure out whose accounts they are. We are a 4000 person company with at least a dozen AWS accounts, only 3 or 4 of them tracked. Sucks.

    7. Re: Not S3's fault... by Anonymous Coward · · Score: 0

      Really? What about your sharp kitchen knives, do you have to enter an access code before using the blade or do you just go for it? Does your car prevent you from driving without a license?

They maybe didn't even know what they were doing was insecure. Sometimes you just need that other person in the team who will bring up these things. It's the manager's job to figure that part out and get the right team together. Don't blame Amazon.

    8. Re:Not S3's fault... by SvnLyrBrto · · Score: 1

      S3 buckets ARE secure by default. You have to specifically and intentionally open them to the public if your use case requires it. You would know this if you'd used S3 or if, lords of Kobol forbid, you'd bothered to read the article. And using S3 in this case is fairly derpy anyway. Even though it's default private, and can certainly hold encrypted objects; it's primarily intended for data that would be shared with the public. That's why it's so dead-simple to set as the origin for a CloudFront or pretty much any other CDN, and can even function as a poor-man's web server if all you need to serve up is html and client-side javascript.

      tl;dr version:
      Put your damned PCI data on an encrypted EBS volume or RDS database in a private subnet behind a VPC!

      --
      Imagine all the people...
    9. Re: Not S3's fault... by TheRaven64 · · Score: 1

      What about your sharp kitchen knives, do you have to enter an access code before using the blade or do you just go for it?

My sharp kitchen knives came in a knife block that prevents me from accidentally grabbing the blade. It has handles that protect my hand. If someone sold a knife that had the blade going the full length to where the user was expected to hold it, then they'd be unpopular. Most devices come with basic safety designs and are safe in their normal and intended mode of use.

      --
      I am TheRaven on Soylent News
  6. Nazi Germany has control of the newspapers and by Joe_Dragon · · Score: 0

Nazi Germany had control of the newspapers, and Goebbels supervised more than 3,600 newspapers and hundreds of magazines. He met the editors of the Berlin newspapers each morning and told them what could be printed and what could not.

Making it licensed will lead to a lot of 1st amendment issues.

    1. Re:Nazi Germany has control of the newspapers and by Khyber · · Score: 1

      "making it licensed will lead to a lot of 1st amendment issues."

      Not even, you're still free to speak publicly anywhere else. You need a license in order to travel on specific roads despite the freedom to wander (You need a proper vehicular license and vehicle to go on highways) so why not need a license to get on the information superhighway?

      It would cut down on a huge chunk of stupidity on the internet, as well.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    2. Re:Nazi Germany has control of the newspapers and by Nutria · · Score: 1

      You need a license in order to travel on specific roads despite the freedom to wander (You need a proper vehicular license and vehicle to go on highways) so why not need a license to get on the information superhighway?

Exactly. Of course, the reactions after Charlottesville make it pretty clear that revoking such licenses would be a pretty powerful way to silence people you disagree with.

      Whatever happened to "Fight Hate Speech with More Speech"?

      --
      "I don't know, therefore Aliens" Wafflebox1
    3. Re:Nazi Germany has control of the newspapers and by Anonymous Coward · · Score: 0

      Virtually all US newspapers are owned by the same five companies. I'm sure there is someone of a similar rank who meets with their editors and tells them what could be printed and what could not.

      Who needs licensing when you can just use legal threats, buyouts, or good old fashioned libel/slander to shut a place down?

    4. Re:Nazi Germany has control of the newspapers and by Anonymous Coward · · Score: 1

      Or we just let it run its course and it will be self-sanitizing.. The ones that screw up in this way will just go out of existence, or at least pay the cost for it..

The only thing that should be regulated, if anything, should be that for every CC or piece of personal information (not name, more along the lines of SSN, postal address, etc.) they leak they should be forced to pay $500 to the person they leaked information about....
      It would result in:
      1. Companies would improve security where they save customer data.
      2. Companies would reduce the amount of customer data they save on their live systems.. It's enough to push the data to some offline system taking care of the orders or store sensitive data fully encrypted (asymmetric encryption of course).

    5. Re:Nazi Germany has control of the newspapers and by Khyber · · Score: 1

      More people out in the streets instead of on the internet would be far more effective speech. Driving them to that is a perfectly usable method.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
  7. Appreciation by Anonymous Coward · · Score: 0

    Really Helpful Keep It Up http://www.pakinewsnetwork.com/

  8. dont blame s3 by CimmerianX · · Score: 1

    Securing a bucket in S3 is not rocket science.... If the company doesn't know how to they should really hire someone to do it.

    How did they even pass a PCI audit with that information?

    1. Re:dont blame s3 by Anonymous Coward · · Score: 0

      How did they even pass a PCI audit with that information?

      because a PCI audit is just an audit of things at a certain time... nothing stopping anyone from changing permissions the next day.

    2. Re:dont blame s3 by schleimkeim · · Score: 1

Or they could just not put all their data on someone else's server.

  9. S3 is a confusing pile of crap by Anonymous Coward · · Score: 0

    Most convoluted permission system I have ever seen

    1. Re:S3 is a confusing pile of crap by Anonymous Coward · · Score: 0

What is so hard about JSON or ACLs? It's not rocket science, they even have a tool that helps you build the ACL.....

This is pure ignorance. They got emailed but probably never responded, or it went right to /dev/null (aka an exec that didn't know anything).

    2. Re: S3 is a confusing pile of crap by Anonymous Coward · · Score: 0

      Having a tool to build an ACL JSON doc might be a sign that your permissions system is convoluted.
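The two threads above (comment 5.8 on S3 being private by default until someone opens it, and comment 9 on the ACL/policy JSON) both come down to the same question a practitioner asks after one of those AWS "your bucket is public" emails: which grants actually make a bucket world-readable? The following is an added example, not code from the original page, from Kromtech, Groupize or AWS. It evaluates the two documents that expose a bucket, the bucket ACL (as returned by `aws s3api get-bucket-acl`) and the bucket policy (the JSON string inside `aws s3api get-bucket-policy`'s `Policy` field). The two public group URIs and the policy document shape are AWS's real ones; the sample ACLs and policies are constructed for the example and do not describe the Groupize bucket.

```python
"""Offline check of S3 bucket ACL grants and bucket policy for public access.

Added example: feed it the JSON from `aws s3api get-bucket-acl` and the parsed
`Policy` string from `aws s3api get-bucket-policy` for each bucket in each account.
"""
import json

# Predefined group URIs that make a grant public: anyone on the internet, or any
# AWS account holder at all (which is effectively public too).
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS, AUTHENTICATED_USERS}


def acl_public_permissions(acl):
    """Return the set of ACL permissions (READ, WRITE, FULL_CONTROL...) given to a public group."""
    found = set()
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            found.add(grant["Permission"])
    return found


def _is_wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (also inside a list), i.e. anyone at all."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def policy_public_statements(policy):
    """Return (Sid, actions, has_condition) for every Allow statement open to any principal.

    A Condition block (e.g. aws:SourceVpce or aws:SourceIp) may narrow such a statement,
    so it is reported but flagged for manual review rather than silently accepted.
    """
    out = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen access
        if not _is_wildcard_principal(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        out.append((stmt.get("Sid", "<no Sid>"), tuple(actions), "Condition" in stmt))
    return out


def bucket_exposure(acl, policy):
    """Human-readable findings for one bucket; an empty list means nothing public was found."""
    findings = []
    for perm in sorted(acl_public_permissions(acl)):
        findings.append(f"ACL grants {perm} to everyone")
    for sid, actions, conditioned in policy_public_statements(policy or {}):
        note = " (has Condition; review it)" if conditioned else ""
        findings.append(f"policy statement {sid} allows {', '.join(actions)} to any principal{note}")
    return findings


# Constructed sample documents (not the real bucket's): a leaky configuration and a
# corrected one for the same bucket.
OWNER = {"Type": "CanonicalUser", "ID": "0123456789abcdef" * 4}

LEAKY_ACL = {"Owner": OWNER, "Grants": [
    {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
    # "Everyone: List" in the console; lets anyone enumerate the documents/ and all_leads/ keys
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
]}
LEAKY_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                 "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]
}""")

PRIVATE_ACL = {"Owner": OWNER, "Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}
PRIVATE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "AppRoleOnly", "Effect": "Allow",
                 "Principal": {"AWS": "arn:aws:iam::123456789012:role/booking-app"},
                 "Action": ["s3:GetObject", "s3:PutObject"],
                 "Resource": "arn:aws:s3:::example-bucket/*"}]
}""")

if __name__ == "__main__":
    for name, acl, pol in (("leaky", LEAKY_ACL, LEAKY_POLICY), ("private", PRIVATE_ACL, PRIVATE_POLICY)):
        print(name, bucket_exposure(acl, pol) or ["no public access found"])
```

The check covers only the bucket's own ACL and policy; individual objects carry their own ACLs and can be public even when the bucket documents are clean, so a full review also walks object ACLs (or confirms the account blocks public ACLs outright). Running it across every account in the organisation is also the answer to comment 5.6: the bucket names in AWS's notice can be matched to accounts only if someone enumerates all of them.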

  10. What is missing here... by orlanz · · Score: 1

What we are missing is the list of hotels that use these guys. Don't need to list all of them, just the big ones. Get enough media attention on big hotel names not keeping personal information secure and they will start paying attention.

    It doesn't absolve them of their duties just because they hired a 3rd party. Maybe companies hiring out will pay more attention to details and operations after a few of these hit the news.

    Just listing the party that screwed up means it goes away and another just like it fills the void. The people who took down your info have no incentive to respect its security.

    1. Re:What is missing here... by ctilsie242 · · Score: 1

      If a bank hires a third party security service and the vault gets robbed, the blame will rest with the bank. Same thing. Just by offshoring to the lowest bidder doesn't mean that one's responsibilities are taken care of.

  11. The day when PCI compliance is taken seriously... by Anonymous Coward · · Score: 0

    Is the same day businesses like Groupize will actually care about securing their infrastructure. If they can no longer process credit cards anywhere, then they are out of business. Game over. End of story.

    But the credit card industry has buffered data losses into their bottom lines and actually allows businesses to have multiple data breaches before the card companies even begin to ramp up PCI compliance rhetoric against offenders. Meanwhile, customers get their money stolen by thieves and legitimate businesses are harmed by lost merchandise, which raises the cost of living for the honest. Even with all the talk of PCI compliance that I see, I have never once seen enforcement of the policies other than a bunch of hand-waving.