A Washington State internet provider, Pocket iNet, left an AWS S3 server exposed online without a password, according to UpGuard. The UpGuard cyber-risk team reported that the information exposed included 73 gigabytes of downloadable data, which included passwords and other sensitive files, ranging from spreadsheets to pictures and diagrams.
Upguard discovered and reported the exposed bucket, named pinapp2, on October 11, 2018, though Pocket iNet was initially unable to confirm the exposure. After a week’s time, the exposure was secured, according to an Upguard blog post.
“Due to the severity of this exposure, UpGuard expended significant effort during those seven days, repeatedly contacting Pocket iNet and relevant regulators, including using contact information found within the exposed dataset,” Upguard wrote.
“Internet service providers have been designated as part of the US Critical Infrastructure and represent a prime target for adverse nation-state threat groups . Finally, on October 19th the exposure was secured, preventing the exploitation of this data from any future malicious activity.”
While the bucket itself was exposed, not all of the contents were able to be downloaded. However, a folder named tech, which contained sensitive information, was downloadable within the bucket. Pocket iNet’s AWS misconfiguration also exposed several lists of plain-text passwords to multiple devices and services that belong to its employees. Included in the list of plain-text passwords were firewalls, core routers, switches, servers and wireless access points.
The issue of misconfigurations in AWS is not uncommon, but has become, “an overlooked problem that can expose massive amounts of information, harming individuals and organizations alike. It seems that leaving servers unsecured has become one of the most common security issues and, consequently, one of the most widely targeted vulnerabilities in the enterprise,” said Rich Campagna, CMO, Bitglass.
“Unfortunately, organizations of all sizes, especially smaller ISPs like Pocket iNet, have limited IT resources in terms of security tools and personnel, making them susceptible to misconfigurations. Despite this, there are tools that can help address this issue. Organizations must adopt solutions that can continuously monitor networks for misconfigurations, enforce data loss prevention policies in real time and provide user and entity behavior analytics. For organizations to succeed, it is imperative that they implement flexible, robust, cost-effective security solutions.”