Configuration mistakes by staff can be a huge embarrassment to organizations, defeating even the biggest IT security budget. Often these mistakes result in databases of sensitive information being left open on the internet for a lucky hacker to trip over.
The latest publicly-identified victim is Microsoft. Researchers at Comparitech, a U.K.-based site that reviews consumer IT security products said this morning they recently found five Elasticsearch servers belonging to the software giant with identical copies of nearly 250 million customer service and support exposed without password or other authentication needed for access.
The records contained logs of conversations between Microsoft support agents and customers from all over the world, spanning a 14-year period from 2005 to last December. All of the data was left accessible to anyone with a web browser, with no password or other authentication needed.
Microsoft quickly secured the data after being notified.
Independent researcher Bob Diachenko, who lead the team, was quoted as saying most of the personally identifiable information such as email aliases, contract numbers, and payment information was redacted in the data.
However, many records contained plain text data, including customer email addresses, IP addresses, locations, descriptions of claims and cases, Microsoft support agent emails, case numbers, resolutions, and remarks, and internal notes marked as “confidential”.
One can speculate that a Microsoft employee wanting to look for trends in the customer support data figured with the personally identifiable information redacted the database didn’t need to be password protected.
However, Comparitech argues that readable data could still be valuable to hackers, particularly to give credibility to those involved in Microsoft tech support scams. For example, knowing a customer’s email address would allow a scammer to craft an email starting “Following up on your recent support incident.”
Diachenko is one of several researchers who use the Shodan search engine to find and expose companies with unprotected databases, often sitting on Amazon AWS infrastructure. In 2018 he found a MongoDB server of data management company Veeam Software. Just over a year ago he and a team found an open database belonging to a Texas data processing company.
Other researchers are also finding easy pickings. In 2018 one found Canadian and British government staffers misconfigured some of their web-based Trello project management software and exposed details of software bugs and security plans, as well as passwords for servers and other sensitive information.
Many of these discoveries — as in the Microsoft case — are repositories of data held by Elasticsearch searches. Last summer, for example, Canadian security consultant Darryl Burke found two open Elasticsearch databases, one of which held sensitive personal information of Middle East residents looking to immigrate to Canada.
Elasticsearch is an open-source analytics search engine organizations use to hunt through their data. What many companies don’t realize, Burke said in an interview at the time, is that it keeps a cache of data it indexes. If the Elasticsearch server is open to the Internet but not secured with a username and password — and, ideally, two-factor authentication — then that data is open to discovery by an attacker.
To combat misconfigurations cloud storage providers like Amazon AWS and Microsoft Azure are either making storage closed to the Internet by default or beefing up their security detection tools.