Lessons in cloud security learned from a data breach
Welcome to Cyber Security Today. It’s Monday July 27th. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
Unlike my usual podcast of news highlights, today’s program is aimed at IT professionals and one of their stickiest problems: security of applications and data stored in the cloud. For those of you who don’t know, a cloud application is one hosted not on a company’s internal servers but by an outside company like Microsoft, IBM or Amazon. Cloud storage saves money for organizations. But it can increase the risk of applications being hacked over the Internet unless IT administrators keep a close eye on things. Unfortunately, slip-ups in storage configuration can allow hackers into a system.
That’s what happened earlier this month to a company called Twilio. You may not have heard of Twilio, but many of you use its capabilities. Companies buy its products to add voice and text capabilities to their applications. For example, Airbnb uses Twilio to automate text messages to confirm room or home reservations. Netflix, Twitter, Uber and Shopify are among the customers. So if someone can get into Twilio servers, they can access the apps of a lot of companies.
Last week Twilio admitted that’s what happened. On July 19th its system sent an alert that someone had modified the code that customers download from an Amazon S3 storage server. The result was that for 24 hours organizations could have downloaded bad code onto their systems. It appears the hacker wanted to force malicious ads to appear on people’s browsers.
Twilio quickly fixed the problem, but a couple of things came to light in the investigation after the incident. First, it took eight hours between the time the hacker changed Twilio’s code and the time the company was alerted. Second, the reason the hacker could modify the Twilio code was that someone had made a configuration mistake in setting up the Amazon storage. For those of you with technical knowledge, it allowed the hacker to read and write to the application. But Twilio should have limited people who had access to only read the code. That mistake was made five years ago and had gone undetected until now. Twilio has now restricted direct access to its Amazon storage and improved IT monitoring to detect any unsafe code changes faster.
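Added example, not part of the original podcast and not Twilio's code or policy: a small Python audit that reads an S3 bucket policy and reports every Allow statement that gives everyone a write action, which is the read-and-write mistake described above. The bucket name, the Sid values and both sample policies are constructed; the check covers the Principal and Action elements only (not NotAction, NotPrincipal or bucket ACLs).

```python
import fnmatch

# Object-level write actions that an anonymous principal should never hold on a
# bucket serving code to customers (a representative subset, not exhaustive).
WRITE_ACTIONS = ["s3:PutObject", "s3:DeleteObject", "s3:PutObjectAcl"]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_public(principal):
    """True when the Principal element matches everyone."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False

def public_write_findings(policy):
    """Return (Sid, action pattern, has_condition) for each public write grant."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_public(stmt.get("Principal")):
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            # Action names are case-insensitive and may contain * or ? wildcards.
            if any(fnmatch.fnmatchcase(a.lower(), pattern.lower()) for a in WRITE_ACTIONS):
                # A Condition may narrow the grant; report it for manual review.
                findings.append((stmt.get("Sid", "<no Sid>"), pattern, "Condition" in stmt))
    return findings

def _policy(sid, actions):
    """Build a one-statement sample policy (constructed, hypothetical bucket)."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": sid, "Effect": "Allow", "Principal": "*", "Action": actions,
        "Resource": "arn:aws:s3:::example-sdk-bucket/*"}]}

# The weak setting: anyone may read AND overwrite the hosted code.
MISCONFIGURED = _policy("PublicReadWrite", ["s3:GetObject", "s3:PutObject"])
# The corrected setting: anyone may only read it.
READ_ONLY = _policy("PublicReadOnly", "s3:GetObject")

if __name__ == "__main__":
    for name, pol in (("misconfigured", MISCONFIGURED), ("read-only", READ_ONLY)):
        print(name, public_write_findings(pol))
```

Running a check like this whenever a bucket policy changes addresses both points in the story: the write grant is caught when it is introduced rather than years later, and later changes that widen access are flagged.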
Configuration mistakes by IT staff or other employees in protecting data stored in the cloud are a common security problem. In preparing this podcast I interviewed Casey Kraus, president of a cloud security company called Senserva. He noted that one research firm estimates that 99 per cent of security problems in the cloud are caused by human errors including misconfigurations and improper access. Organizations have to double-check who has access to important data, he said. They also have to ensure configuration changes don’t reduce security and increase risk.
By the way Twilio doesn’t think it was targeted. It believes this incident was part of a series of attacks by a gang looking for weak access controls for poorly-secured data stored on Amazon S3 buckets.
That’s it for Cyber Security Today. Links to details about this story can be found in the text version of this podcast at ITWorldCanada.com. That’s where you’ll also find my news stories aimed at businesses and cybersecurity professionals. Cyber Security Today can be heard on Mondays, Wednesdays and Fridays. Subscribe on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker. Thanks for listening.