Thought leadership. threat analysis, news and alerts.
How to Prevent Accidental Database Leaks
Florida-based marketing and data aggregation firm Exactis is the latest organization that accidentally leaked critical database online.
Security researcher Vinny Troia disclosed to Wiredthat early this month, Exactis exposed nearly 340 million records, 230 million of which pertain to U.S. consumers, while 110 million on business contacts.
"It seems like this is a database with pretty much every US citizen in it," Troia told Wired. "I don’t know where the data is coming from, but it’s one of the most comprehensive collections I’ve ever seen.”
The close to 2 terabytes of data exposed by Exactis didn’t contain credit card information or Social Security numbers. It, however, revealed highly personal information, including phone numbers, home addresses, email addresses, religion, age, gender of the person's children, and interests like plus-size apparel and scuba diving.
Wired confirmed the authenticity of the data exposed by Exactis, commenting that in some cases the information is inaccurate or outdated.
Prior to his disclosure to Wired, Troia said he contacted both Exactis and the FBI about his discovery. He said Exactis has since protected the data so that it's no longer accessible to the public.
The number of data unintentionally exposed by Exactis exceeds that of the 2017's Equifax breach of nearly 148 million consumer’s data. The difference though is that in the case of Exactis, victims aren’t even aware that they’re part of the company’s database.
Past Incidents of Accidental Database Leaks
While the Exactis data may have been the largest accidental database leak, in the past few years, reports about accidental database leaks have come up again and again.
Another security researcher Chris Vickery discovered a number of accidental database leaks. In December 2015, Vickery discovered that the database that housed 3.3 million Hello Kittyaccounts was exposed as a result of a misconfigured MongoDB (a free and open-source cross-platform document-oriented database program) installation.
In April 2016, Vickery discovered that voter registration details of 93.4 million Mexican citizenswere exposed via publicly accessible database hosted on an Amazon cloud server.
In January 2017, Vickery also discovered that an Ontario-based plastic surgery clinicleaked thousands of customer’s medical records online via unprotected remote synchronization (rsync), a service which allows synchronization of files between two computers or servers over the internet.
In October 2017, Redlockresearchers reported that attackers infiltrated the Kubernotes (open-source platform designed by Google to automate deploying, scaling and operating application containers) console of Aviva, a British multinational insurance company, after the company failed to secure it with a password. One of Aviva’s Kubernetes pod contained credentials to the company’s Amazon Web Service Inc. account. According to Redlock, this enabled the attackers to steal the cloud compute resources of Aviva for cryptocurrency mining, in particular, mining the cryptocurrency Bitcoin.
In February 2018, Redlockresearchers reported that attackers similarly infiltrated the Kubernotes console of Tesla after the company failed to secure it with a password. One of Tesla’s Kubernetes pod contained credentials to Telsa’s Amazon Web Service Inc. account. Redlock said this enabled the attackers to steal the cloud compute resources of Tesla to mine the cryptocurrency Monero quietly in the background.
Accidental Leaks Discovery
According to Troia, he discovered the exposed Exactis’ database by simply using Shodan, an alternative search engine used by researchers and security professionals. Troia said he used Shodan to search for all ElasticSearch databases visible on publicly accessible servers with American IP addresses.
This search query resulted in about 7,000 results, Exactis database being one of them, unprotected by any firewall. ElasticSearch is a document-oriented database that's designed to be easily searched over the internet.
For his part, Vickery told ZDNet that he finds accidental database leaks via Shodan as well. There’s, however, no stopping for malicious hackers to use tools like Shodan to discover accidental database leaks. It’s a challenge then for ethical hackers like Troia and Vickery to discover and report to the concerned organizations regarding accidental database leaks before malicious hackers do.
"I’m not the first person to think of scraping ElasticSearch servers," Troia said in the case of Exactis’ accidental data leak. "I’d be surprised if someone else didn't already have this."
Data Leak Prevention
Here are some of the security best practices in preventing accidental database leaks:
1. Monitor Firewall Traffic
A firewall is your first line of defense in preventing accidental database leaks.
A firewall, which can be a hardware, software or both, monitors incoming and outgoing network traffic. It decides based on a defined set of security rules whether to allow or block specific traffic. For instance, a firewall can be configured to block data from certain locations or applications while allowing relevant data in.
RedLock reported that while firewall is one of the industry’s best practices, “85% of resources were found to have no firewall restrictions on any outbound traffic”.
While firewall is a good first line of defense, it can’t be the cure-all remedy in preventing accidental database leaks.
2. Monitor Configurations
Proper configuration is critical in preventing accidental database leaks. Configuration refers to the “Settings” menu in any software. A simple configuration monitoring could have prevented the Tesla breach.
3. Monitor Suspicious User Behavior
As shown by the above-mentioned examples, it’s not uncommon to find accidental database leaks in public cloud environments. Your organization needs to detect accidental database leaks as soon as possible before the bad guys do.
Monitoring has to go beyond geo-location or time-based anomalies but also monitoring event-based anomalies such as unusual volume of traffic or unusual volume of downloaded data.
When you team needs help, our team of experts is a phone call away. Contact ustoday and stay safe!
Steve E. Driz, I.S.P., ITCP