The latest roundtable discussion from Security on Screen analyses the recent data breach at musical instrument marketplace Reverb – is this another classic example of a simply misconfigured system?
Reverb, the musical instrument marketplace, has suffered a data breach after an unsecured database containing customer information was exposed online. Customers of the online marketplace, which is dedicated to buying and selling new, used, and vintage musical instruments and gear, began receiving data breach notifications stating that customer information had been exposed, including names, addresses, phone numbers, and email addresses.
The Reverb team clarified in a statement: “As soon as we learned of this issue, we immediately worked to resolve it. We conducted an investigation of the situation to determine what happened and are taking steps to prevent something like this from happening again.
“As a general reminder, we recommend that you change your Reverb password on a regular basis. If you’d like to update your password, you can do so easily from your Account Settings page. Your trust is important to us, and we are committed to improving our safety procedures to keep your information secure.”
While Reverb’s notification doesn’t clarify how the data was exposed, security researcher Bob Diachenko has said he found an unsecured Elasticsearch server publicly exposed on the Internet that contained more than 5.6 million records.
Each record contained details about a specific listing on Reverb.com, including the full name, email address, phone number, mailing address, PayPal email, and listing/order information. After finding the unsecured database, Diachenko set about notifying the company so it could be secured; analysing the data, he noticed many users with @reverb.com email addresses and matched orders in the database with those on the site.
“To confirm my thought, I ran a quick check and was able to find several high-profile sellers’ details, including Bill Ward of Black Sabbath, Jimmy Chamberlin of the Smashing Pumpkins, Alessandro Cortini of Nine Inch Nails and more,” Diachenko explained in his report.
According to Diachenko, by the time he confirmed the database belonged to Reverb, the site had already secured it. While the database was likely unsecured for only a short period, if a security researcher could find it, so could a threat actor. With this in mind, it is safer to assume that one’s data was exposed and to be on the lookout for phishing emails that make use of this information.
In response to this revelation, Paul Norris, Senior Systems Engineer EMEA at Tripwire comments: “Misconfigurations like these are becoming all too common. Exposing sensitive data doesn’t require a sophisticated vulnerability, and the rapid growth of cloud-based data storage has exposed weaknesses in processes that leave data available to anyone. A misconfigured database on an internal network might not be noticed, and if noticed might not go public, but the stakes are higher when your data storage is directly connected to the Internet.”
Norris continues: “Organisations should identify processes for securely configuring all systems, including cloud-based storage, like Elasticsearch. Once a process is in place, the systems must be monitored for changes to their configurations. Change detection (hardening) is key for securing your cloud infrastructure and preventing inadvertent exposures as we’ve seen here. These are solvable problems, and tools exist today to help.”
Trevor Morgan, Product Manager at Comforte AG, agrees that just because a product is freely available and highly scalable doesn’t mean you can skip the basic security recommendations and configurations.
He continues: “Beyond ensuring that products and services are correctly deployed and maintained by competent, experienced staff, organisations must also secure their cloud-based data by adopting a data-centric security model that protects the data at rest, in motion, and in use – even if a properly configured system is compromised. If anyone is still snoozing while dreaming that their data is safe while ‘hidden in plain sight’ on an ‘anonymous’ cloud resource, the string of lapses around ElasticSearch instances is a wakeup call in the form of a 3 am fire alarm.”
According to Sergio Loureiro, Cloud Security Director at Outpost24, Elastic themselves state on one of their own blogs on securing Elasticsearch: ‘It’s especially dangerous if the cluster is connected directly to the Internet where anyone can connect without using a password.’
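As an added illustration of the secure-configuration and change-detection point Norris makes above, and of Elastic’s own warning that Loureiro cites, the following Python script (written for this piece, not code from Reverb, Elastic or any of the vendors quoted) audits an elasticsearch.yml fragment for the pattern behind this kind of exposure: a cluster bound to a public interface with authentication switched off. The two configuration fragments are constructed samples; the setting names are Elasticsearch’s real ones.

```python
import ipaddress

# Constructed sample elasticsearch.yml fragments (not Reverb's real configuration).
WEAK_CONFIG = """
cluster.name: demo-cluster
network.host: 0.0.0.0          # listen on every interface
xpack.security.enabled: false  # no authentication on the REST API
"""
HARDENED_CONFIG = """
cluster.name: demo-cluster
network.host: 10.0.5.12        # private address only; still firewall port 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""

def parse_flat_yaml(text):
    """Parse the dotted 'key: value' lines elasticsearch.yml uses; comments are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" in line:
            key, value = line.split(":", 1)
            settings[key.strip()] = value.strip().strip("\"'")
    return settings

def is_public_bind(host):
    """True if network.host may expose the cluster beyond loopback or private networks."""
    h = host.lower()
    if h in ("_local_", "_site_", "localhost"):  # Elasticsearch's loopback/site-local names
        return False
    if h in ("0.0.0.0", "::", "_global_"):
        return True
    try:
        return ipaddress.ip_address(h).is_global
    except ValueError:
        return True  # unknown interface name or hostname: assume the worst, review by hand

def audit_config(text):
    """Return findings for the exposure pattern; an empty list means none detected."""
    s = parse_flat_yaml(text)
    host = s.get("network.host", "_local_")  # unset means loopback only
    public = is_public_bind(host)
    auth_on = s.get("xpack.security.enabled", "").lower() == "true"
    findings = []
    if public:
        findings.append(f"network.host={host}: listening beyond loopback")
    if not auth_on:
        findings.append("xpack.security.enabled is not true: REST API needs no password")
    if public and not auth_on:
        findings.append("CRITICAL: anyone who can reach port 9200 can read every index")
    if s.get("xpack.security.http.ssl.enabled", "").lower() != "true":
        findings.append("xpack.security.http.ssl.enabled is not true: traffic is cleartext")
    return findings
```

Running the audit on every committed elasticsearch.yml, and again whenever the live file changes, is one concrete form of the change detection Norris describes; a private bind address is no substitute for a firewall on a cloud host that also carries a public IP.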
Loureiro continues to say: “This is just another typical example of a misconfigured system. It should have never been possible for anyone on the Internet, especially without authentication, to access the data stored in the database. Everyone needs to be playing from the same music sheet when it comes to security and with the countless possibilities of ‘quickly deploying a system in the cloud’, security is -still- often overlooked by organisations.
“As datasets grow to these sizes, the data is becoming increasingly valuable to businesses and in some cases even more valuable than money. Unfortunately, not everyone protects it like the valuable asset it is.”
Javvad Malik, Security Awareness Advocate at KnowBe4, agrees: “Cloud databases make it easy for many organisations to store data easily and efficiently. However, like most cloud services, the security of data and ensuring the right permissions are set remain the responsibility of the organisation. Therefore, it’s important that security is considered, evaluated, and implemented whenever any cloud offering is acquired.”
He concludes: “It’s why building a culture of security is important so that all staff understand what their responsibilities are, and can do their part in ensuring the right security controls are considered.”