Verizon Engineer Exposes Internal System Data
25.9.2017 securityweek Cyber
Researchers discovered an unprotected Amazon Web Services (AWS) S3 bucket containing potentially sensitive information associated with a system used internally by Verizon.
The cloud container, discovered by Kromtech Security on September 20, stored roughly 100 Mb of data from a system called Distributed Vision Services (DVS), which is used to retrieve and update billing data on all Verizon Wireless front-end applications.
While the S3 bucket did not store any Verizon customer information, it did contain usernames, passwords, and 129 Outlook messages representing internal communications.
The security firm also reported finding information that could have been used to access parts of Verizon’s internal network, B2B payment server details, PowerPoint presentations describing Verizon’s infrastructure, and global router hosts.
An investigation by Verizon revealed that the storage container was owned and operated by one of its engineers and not the company itself. Access to the files was restricted shortly after Kromtech sent a notification to Verizon on September 21.
Kromtech was told that the storage container did not hold any confidential data, but experts are not convinced.
“Verizon had $126.0 billion in consolidated revenues in 2016 and it seems like they would not leave the keys to the front door of their data servers or network out for anyone. In the corporate world any bad news can affect stock prices or other aspects of the business. However, if these files were not sensitive, why not make this information open source or publically available?” explained Bob Diachenko, chief security communications officer at Kromtech.
“As security researchers we often hear that data was not sensitive or that it was production or test data, when it is clearly not,” Diachenko added.
This was not the first time Verizon data was exposed via a misconfigured AWS S3 bucket. Back in mid-July, cyber resilience firm UpGuard reported that one of the company’s partners in Israel had exposed information on millions of Verizon customers.
Verizon determined at the time that the names, addresses, phone numbers and other details of roughly 6 million customers were exposed due to human error.
“Given the high number of incidents involving exposed S3 buckets that we have seen in the past few months, it is baffling that every organization is not carefully looking into the configurations and exposure levels of their storage in the cloud. Protecting data in the cloud from accidental exposure and theft is a business priority,” said Zohar Alon, co-founder and CEO of Dome9.
“Companies need to be held highly accountable for their lack of security on the public cloud,” Alon told SecurityWeek. “The public cloud needs a united front on security with regular configuration checks and balances – where public cloud providers, third party tools with advanced features, and a governing body all work together in order to ensure corporate and consumer data stays safe and out of the reach of hackers.”