News

|

Feeds

|

Email

PHOENIX, Aug. 9, 2019 /PRNewswire/ -- Bishop Fox, the largest private professional services firm focused on offensive security testing, has discovered a flaw in Amazon's Elastic Block Store (Amazon EBS) that makes many users' virtual hard disk available to anyone on the internet. Security Associate Ben Morris found that Amazon EBS has a "public" mode, which has exposed the secrets of thousands of people and companies who have mistakenly misconfigured their EBS accounts. He presented his research, "More Keys Than A Piano: Finding Secrets in Publicly Exposed EBS Volumes," at DEF CON on August 9.

Amazon EBS is a cloud-based block storage system provided by Amazon Web Services (AWS) that is used for storing persistent data. Some of the biggest companies in the world run on top of AWS. As part of his research, Morris found whole virtual hard drives, live sites, and apps available for anyone to read. He uncovered encryption keys, passwords, authentication tokens, PII, and even a set of root credentials. There was so much data that he had to invent a custom system, dubbed "dufflebag," to process it all.

"What's unique about this vulnerability is that the companies being compromised have no way to know they've had their discs cloned or their credentials or source code stolen because the attack is over the AWS platform and is not a direct attack," said Morris. "I cloned discs for many weeks without anyone being aware of my activities. It's not something they can monitor on AWS."

"Fortunately, there is an easy fix. Any organization using Amazon EBS needs to make sure that the box to encrypt their disc is always checked off manually," he added. "It is so simple, yet thousands of people are not doing this and could find their leaked secrets in the wrong hands."

About Bishop Fox

Bishop Fox is the largest private professional services firm focused on offensive security testing. Since 2005, the firm has provided security consulting services to the world's leading organizations -- working with over 25% of the Fortune 100 -- to help secure their products, applications, networks, and cloud resources with penetration testing and security assessments. In February 2019, Bishop Fox closed $25 million in Series A funding from ForgePoint Capital, which will allow the company to continue to grow its research capabilities and develop next generation offensive security technologies. The company is headquartered in Phoenix, AZ and has offices in Atlanta, GA; San Francisco, CA; New York, NY; and Barcelona, Spain.

Contact:
Amy Blumenthal
617-879-1511
ablumenthal@bishopfox.com

View original content to download multimedia:http://www.prnewswire.com/news-releases/bishop-fox-finds-trove-of-secrets-on-amazon-elastic-block-store-300899573.html

SOURCE Bishop Fox

Email

|

Slashdot

|

Digg

|

Del.icio.us

|

Feeds

RELATED NEWS ARTICLES

Identiv Completes Thailand Manufacturing Transition, Unlocking Next-Generation Multicomponent Manufacturing for Advanced IoT Solutions | Jan 22, 2026 Guardz 2025 SMB Cybersecurity Report: Nearly 50% of U.S. Small Businesses Have Been Hit by Cyber Attack | Jan 22, 2026 Android Mobile Adware Surges in Second Half of 2025 | Jan 22, 2026 New Report Names States Most Vulnerable to Holiday Scams | Jan 22, 2026 Global Cyber Alliance Identifies Five Cybersecurity Forces That Defined 2025 - And Will Shape 2026 | Jan 22, 2026 LG ELECTRONICS INTRODUCES 2026 LG GRAM LINEUP ELEVATED BY AEROMINUM | Jan 22, 2026 Truvista Fiber Acquires SlyTel | Jan 22, 2026 pgEdge Announces pgEdge Agentic AI Toolkit for Postgres | Jan 22, 2026 Healthcare Industry Executives are Likely to be Personal Targets of Cybercrime | Jan 22, 2026 Breakthrough Progress: METiS TechBio Publishes Consecutive Research Findings in Nature Communications and the Journal for ImmunoTherapy of Cancer | Jan 22, 2026