TeenSafe stored data of parents & children in an unsecured cloud server
22 May 2018
TeenSafe, an iOS and Android app that lets parents view their children’s’ browsing history, text messages, location, and call records, stored sensitive details of both parents and children in two unsecured cloud server that were not protected by passwords and could be accessed by anyone.
TeenSafe’s unsecured servers were hosted on Amazon’s S3 cloud bucket and were discovered by UK-based security researcher Robert Wiggins. According to a report from ZDNet, the publicly-accessible cloud servers stored email addresses of both parents and children, children’s device names and their unique identifiers. At the same time, passwords for children’s’ Apple ID were stored in plain text and could be used by malicious entities to hack into such devices and to access personal data.
While one of the affected servers stored live data, the other appeared to store test data. After being alerted by ZDNet, TeenSafe shut down the server that stored live data and started alerting customers that could potentially be impacted.
Firms failing to secure cloud repositories
The discovery of an exposed server on Amazon’s S3 cloud bucket isn’t a unique one but is a frequent occurrence. Even though cloud storage services offer enhanced efficiency and security, a large number of repositories have been, in the past few years, found to be unsecured or configured for public access, thereby making it easy for cyber criminals to gain access to data belonging to millions of people without putting in much effort.
Back in April, an unsecured cloud storage repository that contained sensitive information belonging to personal and business data search service LocalBlox was left exposed to the public not only because of a lack of password protection but also because it was publicly downloadable and configured for access via the internet.
According to security researchers at UpGuard who discovered the publicly-exposed repository, it contained “48 million records of detailed personal information on tens of millions of individuals, gathered and scraped from popular social media platforms”.
In February, personal details of over 12,000 popular Instagram, Twitter, and YouTube personalities were exposed after Octoly, a Paris-based brand marketing company, failed to secure a cloud repository that contained a backup of enterprise IT operations as well as their sensitive information. The exposed details included real names, addresses, phone numbers, email addresses, birth dates, usernames for online accounts and hashed passwords which if decrypted, could lead to password reuse attacks.
In September last year, global media corporation Viacom came within inches of an unprecedented data breach after a server misconfiguration exposed the company’s entire IT infrastructure on an unsecured Amazon cloud server. Paramount Pictures, as well as hundreds of television channels including MTV, Comedy Central, VH1 and Nickelodeon, could have lost control of their vast IT infrastructure had cyber criminals stumbled upon the unsecured web server before a team of alert cyber security experts did.
Are insider mistakes hampering cloud security?
According to Matt Middleton-Leal, GM EMEA at Netwrix Corporation, even though more and more organisations are ready to commit sensitive customer data to the cloud, the threat from insider mistakes remains very real.
Organisations are appreciative of the fact that cloud services offer various benefits such as flexibility, scalability and lower running costs and are hence not against storing their data on cloud repositories. However, concerns remain and as per the Netwrix 2018 Cloud Security Report, unauthorised data access, malware infiltrations, and inability to monitor employee activity in the cloud remain the top concerns of organisations.
“More and more enterprises are ready to entrust confidential customer data to the cloud. Cloud providers offer some of the best data security best protection available. When problems surface it’s usually a sign the customer is relying too heavily on insiders for security best practice. Cloud strategies require a different set of skills from on premise yet many IT departments are not given the resources to recruit the right people.
Instead some companies are taking the more risky option of asking ordinary employees to stick to security policies at all times. A third of organizations do not have senior management buy-in and lack visibility into what their staff are doing. So long as enterprises continue to settle for lower cost, non-automated approaches to cloud security it will always be a case of when, not if, a data breach will happen,” he said.