S3 Bucket Security – Anatomy of the recent Facebook breach


Leaky Buckets and Cloud Security

It looks like Facebook has been caught on the wrong side of security and privacy so often that the relationship has become worthy of an “It’s Complicated” status. It started with a German court’s finding that Facebook did not seek consent from users to collect their data for advertising purposes, the Cambridge Analytica data scandal followed, and ever since, security and privacy seem to be haunting Facebook every week. 2018 was a year that the information and privacy professionals at Facebook probably wish had never come. That said, from the way 2019 is turning out, things appear to be worse for Facebook.

S3 Buckets

In the first week of April 2019, reports came that the social media giant Facebook had suffered a significant data breach. According to the reports, two datasets were publicly exposed: one controlled by a Mexican media company and the other held by a Facebook-integrated app, “At the Pool”. Both datasets were exposed through unprotected S3 buckets, allowing anyone to access the data. The first dataset was about 146 gigabytes of files containing more than 540 million Facebook user records, including account IDs, names, and comments among other things. The second dataset contained user IDs, friends, photos, location check-ins, and unprotected passwords.

Who is at fault?

Using S3 buckets to store data is common for organizations operating workloads and accounts in AWS. But, as the Facebook incident highlights, these buckets can be easily accessible, and security teams are unable to identify a potential vulnerability simply because of a lack of visibility.

Can AWS be said to be at fault? No, remember the shared responsibility model!!!

Can Facebook be held responsible? In reality, it is the third party who should be held accountable for carelessly putting content received from Facebook in publicly accessible S3 buckets, but an enterprise of Facebook’s scale and size should have enforced the necessary guardrails to protect Facebook user data when third parties collect it. This appears to be a clear case of a lack of alignment in security maturity between Facebook and the third parties they work with. For a company that has been trying to prove to investigators, and mainly to the world, that it values privacy and security, breaches such as these come as a huge blow.

What is an S3 Bucket?

S3 (Simple Storage Service) provides cloud storage for websites, mobile applications, back-up and restore, archive, enterprise applications, IoT devices, and big data analytics. It helps you organize data and configure access controls to meet specific requirements.

Not just Facebook

The saving grace for Facebook is that they are not alone in their battle with leaky buckets and from reports it appears they are in good company.

  • Booz Allen Hamilton: Files related to the National Geospatial-Intelligence Agency, which handles battlefield satellite and drone images
  • Deep Root Analytics: US voter information
  • Dow Jones and Co: Personal information of more than 2 million customers
  • Time Warner Cable: Customer information and administrator credentials
  • FedEx: Personal details of customers
  • GoDaddy: Internal business secrets including GoDaddy’s architecture, configuration information, pricing information, and discounts

How could C3M have helped?

S3 buckets are private and secure by default (AWS has recently made changes that make it difficult to misconfigure an S3 bucket) and can be used only by those who have access. Only the account owner and resource creator have access to an S3 bucket; hence, unless it is misconfigured, there is no data exposure to the public.

S3 buckets can still be misconfigured easily if created or edited via APIs.

The following checks can help prevent an S3 bucket leakage:

  • Set-up proper access permissions for the bucket through policies
  • Alerts and notifications in the event of data access from bad actors and resource configuration changes
  • Default encryption of S3 buckets
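
The permission and encryption checks above can be expressed as a small offline audit. This is an added example, not C3M's code or part of the original post: `audit_bucket`, `LEAKY` and `HARDENED` are hypothetical names, and the constructed inputs mirror the shapes returned by the S3 GetBucketPolicy, GetBucketAcl, GetPublicAccessBlock and GetBucketEncryption calls.

```python
import json

# Predefined S3 ACL groups: a grant to either one exposes the bucket broadly.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
BPA_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

def as_list(value):
    return value if isinstance(value, list) else [] if value is None else [value]

def audit_bucket(cfg):
    """Return findings for one bucket; cfg keys: policy, acl_grants, bpa, sse_rules."""
    findings = []
    # Bucket policy: an Allow to a wildcard principal with no Condition is public.
    policy = json.loads(cfg.get("policy") or '{"Statement": []}')
    for st in as_list(policy.get("Statement")):
        who = st.get("Principal")
        who = as_list(who.get("AWS")) if isinstance(who, dict) else as_list(who)
        if st.get("Effect") == "Allow" and "*" in who and not st.get("Condition"):
            findings.append(f"policy: {st.get('Action')} allowed to everyone")
    # ACL: grants to the predefined public groups.
    for grant in cfg.get("acl_grants") or []:
        uri = grant.get("Grantee", {}).get("URI")
        if uri in (ALL_USERS, AUTH_USERS):
            findings.append(f"acl: {grant.get('Permission')} granted to a public group")
    # Block Public Access: all four flags should be true.
    off = [flag for flag in BPA_FLAGS if not (cfg.get("bpa") or {}).get(flag)]
    if off:
        findings.append("block-public-access: not enabled: " + ", ".join(off))
    # Default encryption: at least one server-side encryption rule must exist.
    if not cfg.get("sse_rules"):
        findings.append("encryption: no default encryption rule")
    return findings

# Constructed sample configurations (not taken from any real bucket).
LEAKY = {
    "policy": '{"Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject"}]}',
    "acl_grants": [{"Grantee": {"URI": ALL_USERS}, "Permission": "READ"}],
    "bpa": None, "sse_rules": [],
}
HARDENED = {
    "policy": None,
    "acl_grants": [{"Grantee": {"Type": "CanonicalUser"}, "Permission": "FULL_CONTROL"}],
    "bpa": dict.fromkeys(BPA_FLAGS, True),
    "sse_rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}],
}

if __name__ == "__main__":
    print(audit_bucket(LEAKY), audit_bucket(HARDENED))
```

Wildcard statements that carry a `Condition` are not flagged here and still need manual review, since a weak condition can leave the bucket effectively public.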

In this particular scenario, the C3M Policy Engine would have detected the misconfigured bucket and alerted administrators (via email) about the possible risk. If the policy was configured with “auto-remediation” enabled, access to the S3 bucket would have been turned off immediately, thereby preventing data exfiltration and loss. Going a step further, C3M could have also ensured Facebook shares its cloud security best practices with all the third parties they work with, thereby ensuring an alignment in security maturity and enforcement of industry best security controls.

C3M gives enterprises automated security intelligence and actionable insights, detecting misconfigured instances and remediating them in real time through automation. Once a cloud account is onboarded, C3M implements security policies and best practices and runs these policies in real time, 24x7, to evaluate policy compliance. Alerts are released as soon as any vulnerabilities are detected, and C3M Bots remediate such vulnerabilities, thereby giving the enterprise complete security assurance with minimal human intervention.

Interested to learn more?

Check us @ www.c3m.io

For a demo and free trial

reach us at sales@www.c3m.io
