At a glance.
- Misconfigured server exposes Defense Department Data.
- Oops, I hijacked your WhatsApp.
Misconfigured server exposes Defense Department Data.
TechCrunch reports that an exposed server at the US Department of Defense (DoD) has been leaking internal US military emails to the open internet for the past two weeks. Hosted on Microsoft’s Azure government cloud for Department of Defense customers, the server was used to share unclassified but nonetheless sensitive government data. Due to a configuration error, the server was not password protected, meaning anyone on the internet with knowledge of the IP address could access the data. Security researcher Anurag Sen discovered the unprotected server over the weekend and alerted the DoD, which secured the server on Monday. Approximately three terabytes of internal military emails, many pertaining to the US Special Operations Command (USSOCOM), were stored in the server. Though unclassified, the data included highly sensitive information like security clearance personnel questionnaires, information that could be a valuable bounty for foreign adversaries. Clearance Jobs notes that this isn’t the first time security clearance data have been leaked, as the Office of Personnel Management suffered breaches in 2014 and 2015 that exposed the data of 20 million security clearance applicants. USSOCOM spokesperson Ken McGraw told CNN that on Monday the command “initiated an investigation into information we were provided about a potential issue with the command’s Cloud service.” He added, “The only other information we can confirm at this point is no one has hacked US Special Operations Command’s information systems.”
Amit Shaked, CEO and co-founder of Laminar, sees efficiency as a two-edged sword. “The cloud has made it easier than ever before to share data, but more digital data means more opportunity for cybercrime — period,” Shaked said. “The cloud is designed to easily share information over the internet and is subject to human error mistakes as appears to be in this case, but in addition, organizations are able to quickly spin up data stores, especially in buckets or blob storage without IT or security being aware. Visibility into where companies’ data resides — and where it goes — is critical. Unfortunately, however, many companies don’t have a full picture of where sensitive data resides. This unknown or ‘shadow’ data is growing and a top concern for nearly all data security professionals.”
The incident also points out the value of situational awareness with respect to one’s digital assets and their environment. Shaked wrote, “In this case, the exposure was discovered by a diligent researcher. In the cloud it’s critical that enterprises rely on agile security tools for automated and continuous monitoring of data assets. When organizations have complete observability of their data with the right data monitoring and protection tools, enterprises will have the clarity they need to avoid similar exposures.”
(Added, 1:45 PM ET, February 23rd, 2023. Darren James, Senior Product Manager at Specops Software, an Outpost24 company, wrote to draw attention to the role passwords play in this sort of incident:
“This latest government breach once again shows that passwords are still the number one risk for any organization, no matter how high profile they may be. The exposure of any personal data is an extremely serious matter; having enforced strong password policy would have blocked this likely ‘human error.’ The fact that the exposed server was being openly discussed since February 8th via searches on Shodan shows that there is also a lack of threat intelligence and vulnerability management on these government cloud networks. With the current geopolitical situation facing governments around the world, these types of errors serve to encourage continued, high-volume attacks from nation states as well as criminal hacking groups.”)
Oops, I hijacked your WhatsApp.
The Register discusses how wireless carriers’ practice of recycling former customers’ phone numbers can lead to accidental data breaches of users’ WhatsApp accounts. Accounts on the popular messaging app are linked to users’ phone numbers, and if a user changes their phone number but neglects to delete the WhatsApp account associated with it, it’s possible a stranger could receive their WhatsApp messages and even access their contacts. Eric, the father of a user who ended up on the receiving end of another user’s old account, stated, “This is a massive privacy violation. My son had long-lasting access to that person’s private messages as well as group messages, both personal and work related.” While WhatsApp admits this can happen, they say it’s very rare. “We take many steps to prevent people receiving unwanted messages, including expiring accounts after a period of sustained inactivity,” a WhatsApp spokesperson explained. “If for some reason you no longer want to use WhatsApp tied to a particular phone number, then the best thing to do is transfer it to a new phone number or delete the account within the app.” While WhatsApp parent company Meta admitted to Eric that the anomaly is a concern, they said it doesn’t qualify for their bug bounty program because Meta has no control over what telecom providers do with recycled numbers.