Slashdot Mirror


Passwords For 540,000 Car Tracking Devices Leaked Online (thehackernews.com)

An anonymous reader quotes a report from The Hacker News: Login credentials of more than half a million records belonging to vehicle tracking device company SVR Tracking have leaked online, potentially exposing the personal data and vehicle details of drivers and businesses using its service. Just two days ago, Viacom was found exposing the keys to its kingdom on an unsecured Amazon S3 server, and this data breach is yet another example of storing sensitive data on a misconfigured cloud server. The Kromtech Security Center was first to discover a wide-open, public-facing misconfigured Amazon Web Server (AWS) S3 cloud storage bucket containing a cache belonging to SVR that was left publicly accessible for an unknown period. Standing for Stolen Vehicle Records, the SVR Tracking service allows its customers to track their vehicles in real time by attaching a physical tracking device to vehicles in a discreet location, so their customers can monitor and recover them in case their vehicles are stolen. The leaked cache contained details of roughly 540,000 SVR accounts, including email addresses and passwords, as well as users' vehicle data, like VINs (vehicle identification numbers) and IMEI numbers of GPS devices. The leaked database also exposed 339 logs that contained photographs and data about vehicle status and maintenance records, along with a document with information on the 427 dealerships that use SVR's tracking services.

33 comments

  1. That does it! by Anonymous Coward · · Score: 0, Offtopic

    My penis. Your butt. Let's go, before the world ends.

    1. Re: That does it! by Anonymous Coward · · Score: 0

      Can I get in on this action!?!

    2. Re: That does it! by Anonymous Coward · · Score: 0

      Original AC is lucky Pierre!

    3. Re:That does it! by Anonymous Coward · · Score: 0

      sorry, it's the other way around.. so kiss your knees, boy!

    4. Re: That does it! by Anonymous Coward · · Score: 0

      I'm kissing my knees...I'm ready for your love!!!

  2. Save face by fluffernutter · · Score: 1

    Maybe they should have facial recognition scanners!

    --
    Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.

  3. SVR by Anonymous Coward · · Score: 0

    Well, technically they were already called stolen vehicle records, so no harm, no foul.

  4. How are we defining 'Data breach'? by Hylandr · · Score: 1

    exposing the keys to its kingdom on an unsecured Amazon S3 server, and this data breach

    I wouldn't quite call that a 'data breach'

    --
    ~ People that think they are better than anyone else for any reason are the cause of all the strife in the world.

    1. Re:How are we defining 'Data breach'? by alexandre · · Score: 1

      indeed, it's a data buffet :D

    2. Re:How are we defining 'Data breach'? by HornWumpus · · Score: 2

      Geolocation records from half a million cars from 'buy here, pay here' lots.

      You could analyze this data and find every drug house in the nation. The spots where lots of scumbags frequently stop for short times, exclude retail locations and you're left with 'informal retail locations'.

      But it's not like the cops don't already know where most are. They can pick up a few bucks from the spots they weren't already extorting.

      --
      John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'

    3. Re:How are we defining 'Data breach'? by Hylandr · · Score: 1

      I have purchased vehicles from Buy here Pay here places. I ran a wrecker company for a year that serviced these places also. There's more up and up sales than you realize.

      --
      ~ People that think they are better than anyone else for any reason are the cause of all the strife in the world.

    4. Re:How are we defining 'Data breach'? by HornWumpus · · Score: 1

      Did I even address that issue? I'm just saying this is a large enough dataset, from a specific enough group to mine for valuable data.

      --
      John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'

    5. Re:How are we defining 'Data breach'? by Anonymous Coward · · Score: 0

      Look, let's just call a spade a spade.

      It's the culmination of years of outsourcing development stuff to India where webmonkeys fling PHP poo at the wall.

      Or if that sounds too racist for anyone's taste, throw in all the 16 week bootcamp grads who magically became "Software Engineers" overnight. Oh yeah, add a heaping pile of Upwork folks with glowing portfolios based on Themeforest templates too. Accenture...enough, you get the idea.

      To all of them authentication and encryption best practices only go as far as copy-pasting from Stackexchange or plugging in a module that looks "close enough" from the repo.

      Cool, "select *" looks like exactly what I need...ctrl-c, ctrl-v.

      No understanding of what's actually happening in the black box, error trapping in the methods, nor considering the concept of corner cases.

      What's happening in "security" these days is frightening. Frightening to the point where our economy is going to be affected at some point down the road.

      So no matter what you call it, this shit's getting real based on very few (insert fancy engineer title here) actually knowing wtf they're doing.

    6. Re:How are we defining 'Data breach'? by Anonymous Coward · · Score: 0

      Or if that sounds too racist for anyone's taste,

      People now have "tastes" for racism? "Oh, that one's not to my taste, but that racism over there, well, sign me up!"

  5. Not to worry by Anonymous Coward · · Score: 0

    If you have done nothing wrong, you have nothing to fear.

    1. Re:Not to worry by godel_56 · · Score: 1

      If you have done nothing wrong, you have nothing to fear.

      Unfortunately it's the people in charge that get to define "wrong" and they can change that definition on a whim, and sometimes secretly.

  6. Never mind so-called 'AI' destroying us by Rick+Schumann · · Score: 2

    What's really going to bring humanity to its knees? Dumbasses who can't manage to keep our data secure!

  7. Why does Amazon allow "no password" as an option?? by Nanoda · · Score: 1

    Can anyone explain why Amazon even allows users to set up databases with no passwords? It seems to me that this type of leak happens monthly, if not more frequently. Surely the bad press Amazon gets by association is enough by itself for them to make passwords mandatory? I truly do not understand how this keeps happening again and again and again.

  8. Because... -- you -- asked -- for -- it -- by Anonymous Coward · · Score: 0

    When oh when will people learn that connecting everything to the internet just because you can is a path to disaster?

    When oh when will people learn that trusting your credentials to these corporations connected to the internet is a path to disaster?

    When oh when will people learn that the minor convenience of these features isn't worth the hassle of identity theft?

    When oh when will governments start taking these security breaches as seriously as those of us who are left to clean up the mess?

    When oh when will we just cut the red tape and make credit monitoring as universal as a social security card?

    Is there a single person left whose credentials have not been leaked in a security breach?

    How many licks does it take to get to the center of a Tootsie Pop -- the world may never know?

  9. Re:Why does Amazon allow "no password" as an optio by CharlesAKAChuck · · Score: 1

    Why it happens again and again? Because having a master's degree in music makes you obviously highly qualified to be the chief security officer, of course. On a more serious note, well not more serious but different anyways, it's because security costs money, and nobody wants to pay for it. On the bright side, the more of these stories we see, the more valuable my degree in cybersecurity becomes...

  10. Put it all in the cloud... by Anonymous Coward · · Score: 0

    At least if sysadmins were making mistakes and leaving open servers on the LAN, nobody cared.

    Now, with everything on AWS, Azure, etc... they become an easy target.

  11. GPS devices don't have IMEI numbers. by Anonymous Coward · · Score: 0

    The cellular device has the IMEI number

  12. Re:Why does Amazon allow "no password" as an optio by Anonymous Coward · · Score: 0

    What's the point? You think these companies are going to be more secure with all your data as long as they're not working with it through an Amazon interface?

    Amazon is painting targets for us. You should thank them.

  13. Re:Why does Amazon allow "no password" as an optio by Anonymous Coward · · Score: 0

    Posting AC, because I deal with this.

    As a web developer, I am posed with two choices: working step by step on defense in depth, with the AWS environment audited, the database properly secured, and the front end secured and sanitized; or getting the code done that the customer wants, the features online, pushing IT out of the way to get features and code into production with an optimal CI/CD cycle for us, perhaps with a unit test to check code before a pull request is granted.

    One way sucks, but it keeps the pay going. The other way will ensure myself and other devs get fired and all the work offshored, because the PM demands the new layout and new features -now-, and he is the one that writes the paychecks... and the pink slips.

    So, we take shortcuts. Test in production? Fine. We know something is not working very quickly in that environment, and it is cheaper to push and fix there than have headcount for a QA team cycle. Security? The hackers will pwn our asses no matter what, so why even bother? Sorry, and I hate saying this, as a DevOps person, security doesn't make money. The code goes into production as fast as possible, or else our asses are "right-sized" and other people will get paid to do what we are doing. Just the way of life.

    Let's be real here. The blackhats will win no matter what, so I don't even bother. I have a far greater chance of being fired if marketing doesn't get their new and improved UI on time than I do with a breach, because the breach will be forgotten about, while the UI on an app will be in people's faces constantly. We can talk security, but realistically, nobody gives a rat's ass about it. Security breach? People will forget in a week. I can code a secure site, but I will get fired, and the guy from the H-1B contract house that replaces me will code the site and the corresponding iOS web app that the PM wants.

  14. Re:Why does Amazon allow "no password" as an optio by Anonymous Coward · · Score: 0

    It's not just databases. s3 is file storage, and it can be used for hosting static resources, whole static sites, etc. You can't do any of that if it's required to be password protected.

    The *real* pain in the ass is that setting everything back to private in s3 is a NIGHTMARE, if you ever open them up, and visibility is god awful. You'll *think* you've set things back to private, but you literally have to test every file from an incog window to be sure.

  15. Re:Why does Amazon allow "no password" as an optio by Dutch+Gun · · Score: 1

    S3 is a generic hosting system. Whether you use it for public or private storage is entirely up to you. Many websites are built with Amazon serving their content, for example.

    There's really no way to cure abject stupidity like this. You can always build a better idiot.

    --
    Irony: Agile development has too much inertia to be abandoned now.

  16. It's Not Amazon by Anonymous Coward · · Score: 0

    Once again, Amazon S3 buckets are created by default with NO ACCESS to anyone but the owner. Someone has to intentionally open up the bucket for open access. More specifically, the bucket owner or an administrator created by the account owner must do this. Any addressable resource on the internet is a potential open target when managed by incompetent administrators. #SkillsMatter