A number of voter data exposures have cropped up this year, in locations as disparate as Mexico, the Philippines, and the state of Georgia. But the one that dwarfs them all came to light on Monday: a publicly accessible database containing personal information for 198 million US voters—possibly every American voter going back more than 10 years.
A conservative data firm called Deep Root Analytics owns the database and stores it on an Amazon S3 server. As Chris Vickery, cyber-risk analyst with security firm UpGuard, discovered earlier this month, all of that data was open to anyone who found it, not because of clever hacking or complicated internet forces, but because of a simple misconfiguration. Think of it as leaving your valuables in a high-end safe with the door propped open.
It happens all the time, despite repeated, and repeatedly damaging, exposures of personal information. Even though it’s not a hack, server misconfiguration constitutes one of the biggest cybersecurity risks for institutions and individuals alike.
The Deep Root Analytics server Vickery found contained information that was mostly publicly accessible anyway—think names, addresses, party affiliation, and so on. But a criminal coming across such a big trove of data would find plenty of value in having all of that information already aggregated in one place—particularly when the source is an analytics firm that specializes in compiling meaningful data.
“It’s definitely the biggest find I’ve ever had,” says Vickery, who also discovered the exposed Mexican voter database and many others. “We’re starting to head in the right direction with securing this stuff, but it’s going to get worse before it gets better. This is not rock bottom.”
Part of Vickery’s research involves scanning the web for publicly accessible data that should be secured. He discovered the exposed Deep Root Analytics cloud repository during one such sweep, realizing that, as UpGuard puts it, the database “lacked any protection against access,” and could be viewed by anyone with an internet connection who guessed the Deep Root Analytics Amazon subdomain “dra-dw” (which stood for Deep Root Analytics Data Warehouse). At six characters, the string wouldn’t even be that difficult to encounter through a random generator. The server had a good amount of protected data on it, but because it was misconfigured, it exposed more than a terabyte of private information.
The situation joins other database misconfiguration incidents like those on Microsoft sites, dating services, and with the Hollywood screener system as examples of the threat publicly accessible servers pose.
Making It Right
Analysts point to a few remedies that could help reduce the number of misconfigured servers exposing data online. First, simply raising awareness can go a long way. Dramatic incidents that impact millions of people can motivate organizations to devote resources to setting servers up and maintaining them properly. Making default settings for databases in the cloud more geared toward security would also help groups tighten up their controls. And some security companies have begun developing products that can scan system setups as another layer of defense, warning IT staff if it looks like something is exposed or configured in a dangerous way. (One reason UpGuard does exposure research is that it sells such a product.)
Read the complete article at wired.com
Lily Hay Newman is a security correspondent for Wired.