
Bishop Fox Finds Trove of Secrets on Amazon Elastic Block Store
Friday, August 9, 2019

PHOENIX, Aug. 9, 2019 /PRNewswire/ -- Bishop Fox, the largest private professional services firm focused on offensive security testing, has discovered a flaw in Amazon's Elastic Block Store (Amazon EBS) that makes many users' virtual hard disks available to anyone on the internet. Security Associate Ben Morris found that Amazon EBS has a "public" mode, which has exposed the secrets of thousands of people and companies who have misconfigured their EBS accounts. He presented his research, "More Keys Than A Piano: Finding Secrets in Publicly Exposed EBS Volumes," at DEF CON on August 9.

Amazon EBS is a cloud-based block storage system provided by Amazon Web Services (AWS) that is used for storing persistent data. Some of the biggest companies in the world run on top of AWS. As part of his research, Morris found whole virtual hard drives, live sites, and apps available for anyone to read. He uncovered encryption keys, passwords, authentication tokens, PII, and even a set of root credentials. There was so much data that he had to invent a custom system, dubbed "dufflebag," to process it all.

"What's unique about this vulnerability is that the companies being compromised have no way to know they've had their discs cloned or their credentials or source code stolen because the attack is over the AWS platform and is not a direct attack," said Morris. "I cloned discs for many weeks without anyone being aware of my activities. It's not something they can monitor on AWS."

"Fortunately, there is an easy fix. Any organization using Amazon EBS needs to make sure that the box to encrypt their disc is always checked off manually," he added. "It is so simple, yet thousands of people are not doing this and could find their leaked secrets in the wrong hands."
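A defender-side check for the two conditions the release describes (EBS data shared publicly, and EBS data left unencrypted). This is an added example, not code from the release or from Bishop Fox's dufflebag tool; it assumes public exposure is governed by the snapshot createVolumePermission attribute (the AWS mechanism for sharing EBS snapshots), and the sample API responses are constructed to match boto3's response shape.

```python
# Added example (not Bishop Fox's dufflebag): audit your own EBS snapshots for
# public sharing and missing encryption. Assumes sharing is controlled by the
# snapshot createVolumePermission attribute; sample responses are constructed.
from typing import Dict, List


def is_public(permissions: List[Dict[str, str]]) -> bool:
    """A snapshot is world-readable when createVolumePermission has Group=all."""
    return any(p.get("Group") == "all" for p in permissions)


def audit_snapshots(snapshots: List[dict],
                    perms_by_id: Dict[str, List[Dict[str, str]]]) -> List[dict]:
    """Return one finding per snapshot that is public or unencrypted."""
    findings = []
    for snap in snapshots:
        sid = snap["SnapshotId"]
        public = is_public(perms_by_id.get(sid, []))
        encrypted = bool(snap.get("Encrypted", False))
        if public or not encrypted:
            findings.append({"SnapshotId": sid, "Public": public,
                             "Encrypted": encrypted})
    return findings


def audit_live_account(region: str) -> List[dict]:
    """Same audit against a real account (needs boto3 and AWS credentials)."""
    import boto3  # imported here so the offline sample runs without it
    ec2 = boto3.client("ec2", region_name=region)
    snaps: List[dict] = []
    for page in ec2.get_paginator("describe_snapshots").paginate(OwnerIds=["self"]):
        snaps.extend(page["Snapshots"])
    perms = {
        s["SnapshotId"]: ec2.describe_snapshot_attribute(
            SnapshotId=s["SnapshotId"], Attribute="createVolumePermission"
        )["CreateVolumePermissions"]
        for s in snaps
    }
    return audit_snapshots(snaps, perms)


# Constructed sample shaped like DescribeSnapshots / DescribeSnapshotAttribute.
SAMPLE_SNAPSHOTS = [
    {"SnapshotId": "snap-0aaa", "Encrypted": True},   # private and encrypted
    {"SnapshotId": "snap-0bbb", "Encrypted": False},  # shared with one account
    {"SnapshotId": "snap-0ccc", "Encrypted": False},  # shared with everyone
]
SAMPLE_PERMS = {"snap-0aaa": [], "snap-0bbb": [{"UserId": "123456789012"}],
                "snap-0ccc": [{"Group": "all"}]}
```

Run `audit_snapshots(SAMPLE_SNAPSHOTS, SAMPLE_PERMS)` offline to see the two findings; `audit_live_account("us-east-1")` performs the same check against your own account's snapshots.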

About Bishop Fox

Bishop Fox is the largest private professional services firm focused on offensive security testing. Since 2005, the firm has provided security consulting services to the world's leading organizations -- working with over 25% of the Fortune 100 -- to help secure their products, applications, networks, and cloud resources with penetration testing and security assessments. In February 2019, Bishop Fox closed $25 million in Series A funding from ForgePoint Capital, which will allow the company to continue to grow its research capabilities and develop next-generation offensive security technologies. The company is headquartered in Phoenix, AZ and has offices in Atlanta, GA; San Francisco, CA; New York, NY; and Barcelona, Spain.

Amy Blumenthal

SOURCE Bishop Fox
