The Elastic band
If you are a regular reader of this blog, you will be more than well aware that we have always been very concerned, if not paranoid about the impact of the misconfiguration of Internet facing services and applications.
We have consistently advised that a massive problem with agile development and deployment cycles, alongside a pressure to deliver in a new ‘cloud first’ world, may bypass the architectural and security principles in the boring old land of the dinosaurs, now called ‘legacy’.
In our security presentations over the last few years we have highlighted the perils of the misconfiguration of Amazon S3 buckets, which continue to be astonishingly regular.
As you will be aware, security researchers the world over spend all of their time looking for this exposed data. Good guys like the venerable Justin Paine of Cloudflare, who recently brought to the attention of an offshore gambling group (hosted out of Cyprus, licensed in Curaçao a hotbed of gambling, nothing to see here) that they had 108 million or so betting details exposed to the Internet, including user details via an unsecured ElasticSearch stack.
Having been around the block for some time, we can imagine how this came to pass. The executives or investors at the aforementioned gambling conglomerate (not Greek or Patois speakers we suspect), require up-to-the-minute reporting on their fiefdom. In order to satisfy this immediately, the long suffering IT folk (outsourced, or in-house) come up with the great idea to spin up an ElasticSearch stack to provide dashboards, slice and dice, you know, at a very reasonable ‘Zero Cost’.
Trouble is, that in the eagerness, all of the checks, controls and balances that used to be present, and yes a bit boring, in Legacy 1.0, went out of the window.
There are many tools such as Shodan which can be used to identify publically available data. If you didn’t know, Shodan is the term for the 1st dan black belt in karate, in other words the point at which you just start getting dangerous.
What you can guarantee is that if individual researchers are finding exposed data, criminals are all over it, they just don’t do the decent thing.
We urge you to have your external facing infrastructure monitored for vulnerabilities and misconfiguration, especially if third parties manage bits of it. It is your data, it can easily become public. Managing and controlling your data will become easier and more controllable than managing your scrummaging, black belt developers. Trust us.
The Elastic Band were a Welsh band from the late 1960s, we have tried listening to one of their albums, but it was a stretch. Boom Tish.
If you would like us to help with checking your Internet facing security or third-party data control, please do contact us at: [email protected] or 020 7517 3900. You can probably find our details using Shodan.