PHOENIX, Aug. 9, 2019 /PRNewswire/ -- Bishop Fox, the largest private professional services firm focused on offensive security testing, has discovered a flaw in Amazon's Elastic Block Store (Amazon EBS) that makes many users' virtual hard disk available to anyone on the internet. Security Associate Ben Morris found that Amazon EBS has a "public" mode, which has exposed the secrets of thousands of people and companies who have mistakenly misconfigured their EBS accounts. He presented his research, "More Keys Than A Piano: Finding Secrets in Publicly Exposed EBS Volumes," at DEF CON on August 9.
Amazon EBS is a cloud-based block storage system provided by Amazon Web Services (AWS) that is used for storing persistent data. Some of the biggest companies in the world run on top of AWS. As part of his research, Morris found whole virtual hard drives, live sites, and apps available for anyone to read. He uncovered encryption keys, passwords, authentication tokens, PII, and even a set of root credentials. There was so much data that he had to invent a custom system, dubbed "dufflebag," to process it all.
"What's unique about this vulnerability is that the companies being compromised have no way to know they've had their discs cloned or their credentials or source code stolen because the attack is over the AWS platform and is not a direct attack," said Morris. "I cloned discs for many weeks without anyone being aware of my activities. It's not something they can monitor on AWS."
"Fortunately, there is an easy fix. Any organization using Amazon EBS needs to make sure that the box to encrypt their disc is always checked off manually," he added. "It is so simple, yet thousands of people are not doing this and could find their leaked secrets in the wrong hands."
About Bishop Fox
Bishop Fox is the largest private professional services firm focused on offensive security testing. Since 2005, the firm has provided security consulting services to the world's leading organizations — working with over 25% of the Fortune 100 — to help secure their products, applications, networks, and cloud resources with penetration testing and security assessments. In February 2019, Bishop Fox closed $25 million in Series A funding from ForgePoint Capital, which will allow the company to continue to grow its research capabilities and develop next generation offensive security technologies. The company is headquartered in Phoenix, AZ and has offices in Atlanta, GA; San Francisco, CA; New York, NY; and Barcelona, Spain.
SOURCE Bishop Fox