The personal details of thousands of individuals who submitted job applications to an international security firm were exposed online due to an unprotected storage server set up by a recruiting services provider.
Chris Vickery of cyber resilience firm UpGuard discovered on July 20 an Amazon Web Services (AWS) S3 storage bucket that could be accessed by anyone over the Internet. The server stored more than 9,400 documents, mostly representing resumes of people who had applied for a job at TigerSwan, an international security and global stability firm.
The documents included information such as names, physical addresses, email addresses, phone numbers, driver’s license numbers, passport numbers and at least partial social security numbers (SSNs). In many cases, the resumes also provided information on security clearances from U.S. government agencies, including the Department of Defense, the Secret Service, and the Department of Homeland Security. Nearly 300 of the exposed resumes listed the applicant as having a “Top Secret/Sensitive Compartmented Information” clearance.
Review of this article
Security by obfuscation, is it a good way to protect data?
Security by obfuscation is a very common practice. But it is a bad habit and, in fact, not secure at all. A good security principle is Kerckhoffs' second principle, and obfuscation is in fundamental opposition to it.
This principle states that a system must be able to fall into the hands of the enemy without inconvenience: even with the full design in hand, the enemy cannot decrypt anything without the secret key.
Obfuscation, by contrast, works by hiding the system itself and simply hoping the enemy will not find it.
Risk of data leakage
Access control on public storage services, Amazon S3 for example, is often done via a unique link with a randomized part. It is the most scalable way to share an item, but it is not secure.
The obfuscation here is the link itself, with the hope that the enemy (i.e. unauthorized people) will not find it. That is an illusion: bots crawl the Internet all the time, and it is just a matter of time before a link is found and exploited.
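As an added example (not code from the article or from the reviewer), this is the kind of check an auditor runs over a bucket's ACL and bucket policy to catch the "reachable by anyone" state described above: the sample ACL and policy are constructed, while the group grantee URIs and the wildcard Principal forms are the ones AWS actually uses.

```python
import json

# Group grantee URIs AWS uses in S3 ACLs for "anyone on the Internet" and
# "any authenticated AWS account"; either one makes the bucket effectively public.
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def public_acl_grants(acl):
    """(permission, grantee URI) for each grant to a public group; `acl` has the
    shape of a GetBucketAcl response (Owner + Grants)."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            findings.append((grant["Permission"], grantee["URI"]))
    return findings

def public_policy_statements(policy):
    """Sid (or index) of each Allow statement open to any principal; both
    "Principal": "*" and "Principal": {"AWS": "*"} mean anonymous access."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        principal = stmt.get("Principal")
        anonymous = principal == "*" or (
            isinstance(principal, dict) and principal.get("AWS") in ("*", ["*"]))
        if stmt.get("Effect") == "Allow" and anonymous:
            findings.append(stmt.get("Sid", f"statement-{i}"))
    return findings

def audit(acl, policy):
    """Run both checks; two empty lists mean nothing is world-readable."""
    return {"acl": public_acl_grants(acl), "policy": public_policy_statements(policy)}

# Constructed sample (not a real bucket): the ACL lets everyone list the bucket and
# the policy lets anyone fetch objects, the state that lets crawlers reach the files.
SAMPLE_ACL = {
    "Owner": {"ID": "example-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}
SAMPLE_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}""")
```

Feed it the JSON from `aws s3api get-bucket-acl` and `get-bucket-policy`; any non-empty finding means the link is the only thing standing between the data and a crawler.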
So, how is good access control done? By involving cryptography. The best-known mechanism is, of course, the password. In that case, cryptography is used to store the password so that it cannot be stolen: when the user types their password, the system compares it with the stored (encrypted or hashed) value. Generally a hash is used for that.