What Is Data Exposure and How to Prevent It
Just a few days into 2019, one of the largest data exposures so far this year has come to light: the leak of millions of records from an unprotected database of California-based Voice-over-IP (VoIP) service provider VOIPo.
Cloudflare security researcher Justin Paine revealed that VOIPo’s database had been accidentally left publicly accessible, unintentionally leaking a huge volume of data, including 6.7 million VOIP call logs, 6 million SMS/MMS message logs, and other documents containing internal hostnames, usernames, passwords and API keys.
Paine said he discovered the exposed VOIPo database using Shodan, a search engine that, unlike Google and other search engines that index only the web, indexes pretty much everything else that’s plugged into the internet, including webcams and smart TVs.
Using Shodan, Paine said, he discovered last January 8 a database running on Elasticsearch that turned out to be the database used by VOIPo. Elasticsearch is a popular open source database that’s designed to make querying over the internet easy with just a simple command line.
Shortly after Paine informed VOIPo about the data exposure, the Elasticsearch database went offline and the exposed data is no longer searchable on Shodan.
VOIPo, in a statement, said that what was accidentally left publicly accessible was an isolated development server and its production environment wasn’t at risk. Paine, however, said that the leaked credentials and SMS/MMS and VOIP phone logs appeared likely to be production data.
VOIPo chief executive Timothy Dick told TechCrunch that all of the company’s systems are behind firewalls and don’t allow external connections except internal servers. TechCrunch, however, said, “When we checked, many of the internal systems with IP or web addresses we checked loaded – even though we were outside of the alleged firewall.”
Paine said the call logs had been exposed since July 2017. The good thing about the leaked call logs, he said, is that they only contained partial phone numbers. The SMS/MMS logs, he said, had been exposed since December 2015, while the internal system credentials had been exposed since June 3, 2018.
Paine said that it isn’t outside the realm of reason to speculate that some two-factor authentication (2FA) values could have been logged and leaked as part of the SMS/MMS logs, which could allow an attacker to observe in real time the SMS being sent that contained the 2FA code. “Hypothetically this could have then allowed the attacker to bypass 2FA on the user’s account,” he said.
While Paine didn’t test the internal hostnames, usernames, passwords, and API keys, the severity of this part of the leak can’t be overstated. The leaked internal hostnames in combination with the leaked usernames and passwords could have resulted in a near total compromise of all leaked production systems.
One hypothetical consequence of the exposed data in terms of Broadvox_API and Telephonic_Api, Paine said, is that “customers could have been phished and/or had their accounts deactivated which would have interrupted their service”.
Data Exposure Prevalence
The incident at VOIPo is the second incident involving accidental data exposure in the VOIP sector. In November last year, a similar incident happened at another VOIP service provider, Voxox (formerly Telcentris). As with the VOIPo data leak, the accidental exposure of Voxox’s database running on Elasticsearch was discovered when a security researcher searched the internet using the search engine Shodan.
TechCrunch reported that Berlin-based security researcher Sébastien Kaul discovered the exposed Voxox database running on Elasticsearch via Shodan. The difference between the VOIPo data leak and the Voxox data leak is that the database of the latter was configured with Kibana, an open source data visualization plugin for Elasticsearch, making the exposed data easily searchable via names, cell numbers and text messages.
When TechCrunch contacted Voxox about the data leak, the company took the database offline and the exposed data is no longer searchable via Shodan. At the time of its closure, TechCrunch said, the exposed Voxox database appeared to have a little over 26 million text messages year-to-date.
What Is Data Exposure?
Accidental data exposure is becoming more common nowadays. It typically happens when data is stored in the cloud but isn’t protected and can easily be accessed by anyone.
Accidental data exposure often happens as a result of misconfiguration: public access to purely internal data isn’t blocked, or the cloud database isn’t password-protected. And with the search engine Shodan, which indexes everything connected to the internet, it’s now easy to query which cloud databases are exposed and which aren’t.
Cybersecurity Best Practices
If your VOIP service provider experienced accidental data exposure similar to VOIPo and Voxox, it’s best to change the username and password combinations, and to set up 2FA, assuming that your service provider offers this.
If your organization stores data in the cloud, such as via Elasticsearch, it’s best to use a security tool that monitors configurations. As the cloud environment allows data to be configured for public viewing as well as private viewing, the risk of publicly exposing data that’s meant for internal use only is high.
A tool that monitors configurations can automatically locate resources as soon as they are created, determine the applications running on the resource, and apply the correct policies based on the application or resource type.
Aside from monitoring configurations, it’s also important to monitor the traffic. Unusually heavy traffic is one of the signs of accidental data exposure. Correlating the traffic data and configuration data could assist in detecting accidental data exposure.
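The correlation described above, as an added example that is not part of the original article or of any vendor tool: it flags Elasticsearch hosts whose settings leave them open (network.host reaching past private ranges while xpack.security.enabled is off) and ranks them by whether outbound traffic has spiked. The host names, traffic figures, the 5x-median threshold and the severity labels are assumptions constructed for illustration.

```python
import ipaddress
from statistics import median

# Constructed inventory (made-up hosts), as a configuration monitor might collect it.
INVENTORY = {
    "es-dev-01":   {"network.host": "0.0.0.0",   "xpack.security.enabled": False},
    "es-stage-01": {"network.host": "_global_",  "xpack.security.enabled": False},
    "es-prod-02":  {"network.host": "0.0.0.0",   "xpack.security.enabled": True},
    "es-test-01":  {"network.host": "127.0.0.1", "xpack.security.enabled": False},
}
# Constructed daily egress in MB per host, oldest first; the last value is today.
EGRESS_MB = {
    "es-dev-01":   [120, 110, 130, 125, 2400],
    "es-stage-01": [50, 55, 52, 51, 53],
    "es-prod-02":  [300, 310, 290, 305, 1900],
    "es-test-01":  [5, 4, 6, 5, 5],
}
SPECIAL_VALUES = {"_local_": False, "_site_": False, "_global_": True}

def binds_beyond_private(value):
    """True if this network.host value can accept connections from public addresses."""
    if value in SPECIAL_VALUES:
        return SPECIAL_VALUES[value]
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return True  # hostname or unknown token: flag for manual review
    # 0.0.0.0 or :: means every interface, which may include a public one.
    return ip.is_unspecified or ip.is_global

def egress_spike(series, factor=5):
    """True if today's egress exceeds factor times the median of the earlier days."""
    return series[-1] > factor * max(median(series[:-1]), 1)

def triage(inventory, egress):
    """Correlate configuration findings with traffic and rank each host."""
    result = {}
    for host, cfg in inventory.items():
        # Assumption: a missing security setting is treated as authentication off.
        no_auth = not cfg.get("xpack.security.enabled", False)
        open_db = no_auth and binds_beyond_private(cfg.get("network.host", "_local_"))
        spike = egress_spike(egress[host])
        if open_db:
            result[host] = "critical" if spike else "high"
        else:
            result[host] = "investigate" if spike else "ok"
    return result

print(triage(INVENTORY, EGRESS_MB))
```

A wildcard bind is only a candidate for exposure, since a firewall may still block it, so the "high" and "critical" hosts are the ones to verify from outside the network first.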