Server and cloud misconfigs continue to plague companies and their customers: This week it came to light that a Universal Music Group contractor neglected to protect an Apache Airflow server, leaving data exposed; while a Honda affiliate in India left two Amazon S3 buckets misconfigured for more than a year.
The Honda mistake affects 50,000 users of the Honda Connect App, which is used to manage automobile service and maintenance. It can also pair with the car to offer vehicle health monitoring, “find my car” capability, trip analysis and an SOS function for emergencies.
Uncovered by independent white-hat Random Robbie, two public unsecured AWS storage sets, both belonging to Honda Car India, contained names, phone numbers and emails for both users and their trusted contacts, passwords, gender, plus information about their cars including VIN, Connect IDs and more. In other words, everything an enterprising cybercriminal needs to mount spear-phishing attacks via email or text, and from there, gain access to the app information or even the victim’s full device.
A cybercriminal could know “where someone’s car is currently located, where they went, where they typically drive, how they drive, and where they start and stop,” said Kromtech Security Center researchers. “Considering how we use our cars, this could give that attacker knowledge of the user’s daily activities, including where they live, work, shop, and play, making it very easy to stalk someone.”
Robbie uncovered the problem in February, but the buckets were still unsecured until recently, when Kromtech researchers also came across them.
“With the shear [sic] volume of discovered leaky S3 buckets and the massive amount of coverage given to them it’s just astounding to us that we are still finding them,” Kromtech said in its posting this week on the problem. “It shows that many companies of all sizes are not paying any attention to their security. Honda Car India didn’t even notice that a security researcher added a note to their buckets. There is no excuse for that, it clearly illustrates that they are simply running on auto-pilot with no monitoring at all.”
Honda Cars India “took a while” to respond, but the buckets have finally been taken private, the firm said.
Kromtech analysts also recently discovered that Agilisium, a cloud data storage contractor for Universal Music Group, had exposed UMG’s internal FTP credentials, AWS Secret Keys and Passwords, the internal and SQL root password to the open internet – all via two unprotected instances of the Apache Airflow server.
“The amount of damage a single contractor with lax security controls can do is staggering. If you don’t believe that, just ask Target and the HVAC contractor that led to that infamous breach,” Bryan Gale, chief product officer at CyberGRX, said via email. “Universal Music Group interacts with thousands of third parties on a daily basis, and it only took one – a contractor who forgot to password protect an Apache Airflow server – to leave the keys to the kingdom exposed. We will continue to see these types of breaches until organizations start prioritizing third-party risk management and actively maintain ongoing visibility into their ecosystem.”
Apache Airflow is used to manage workflows across an organization; and by design, the security default is for it to be wide open in order to effect efficient management of tasks and data across users and departments; in other words, it’s up to the user to decide what needs to be locked down and what doesn’t.
“This means that you must take the steps to secure the server,” Kromtech said in a post this week. “Those steps were obviously skipped by whomever set up this server. In skipping these steps, they inadvertently exposed everything….It is a large blunder to make!”
UMG has secured the servers.