Only weeks into 2019, a huge database has already been exposed. TechCrunch broke the news this week that Voipo, a telecoms company that provides VoIP services, exposed millions of customer call logs, SMS message logs and credentials.
The database had been exposed since June 2018, and contained call and message logs dating back to May 2015. Many of the files contained detailed call records (who called whom, time of call, date, and more). In total, Voipo exposed “seven million call logs, six million text messages and other internal documents containing unencrypted passwords that if used could have allowed an attacker to gain deep access to the company’s systems.”
How did this happen? One of their backend ElasticSearch databases wasn’t protected with a password. A simple misconfigured security control. If we learned anything in 2018, it’s “not only S3 buckets get left open.”
Voipo’s CEO claims that they didn’t find any evidence in their logs or their network to indicate that a data breach occurred, though according to TechCrunch he “did not say how the company concluded that nobody else accessed the data.” That is a bit hard to believe, considering we live in a world where hundreds of thousands of people around the globe (some of whom do it as their job) are continuously trying to exploit vulnerabilities. Maybe Voipo is one of the lucky ones.
DivvyCloud Could Have Helped:
Out of the box, DivvyCloud’s software would have detected this misconfigured instance and automated the remediation to close this vulnerability in real time.
Like so many AWS, GCP, Azure, and Alibaba cloud services, ElasticSearch Service is an incredibly powerful and useful service. It is also very challenging for IT professionals, developers, and engineers to consistently configure these powerful services in a way that mitigates security and compliance risk.
First, it is a daunting task to learn about how to configure ever-evolving cloud services correctly — it is like drinking from a firehose. Second, it is even more daunting to know how to do this relative to the security standards (e.g., CIS Benchmark or NIST CSF) and regulatory frameworks (e.g., PCI DSS or HIPAA) that a company chooses to or must comply with. And lastly, it is difficult for any one person or group of people to achieve 100% consistency in applying these standards at the speed and throughput that we ask our tech teams to operate.
DivvyCloud solves these challenges for customers like General Electric, Discovery Communications, and Fannie Mae using cloud and container environments (AWS, Azure, GCP, Alibaba, and Kubernetes). First, our software performs real-time, continuous discovery of cloud and container infrastructure allowing customers to identify risks and threats. Second, customers can implement out-of-the-box or custom policy guardrails that identify and alert on violations. Third, we automate the enforcement and remediation of these policies.
In a nutshell, we mitigate security and compliance risk by providing virtual guardrails for security, compliance, and governance to customers embracing the dynamic, self-service nature of public cloud and container infrastructure.
*** This is a Security Bloggers Network syndicated blog from DivvyCloud authored by David Mundy. Read the original post at: https://divvycloud.com/blog/2019-data-breach-voipo/