For better or worse, there seem to be more and more instances of
misconfigurations. These may be on servers, in AWS, or on other targets. The issues
range from minor to rather significant (e.g. forgetting about application security
and allowing anyone with an AWS account to log in to your instance). At this
point, significant misconfigurations really should not still be occurring; there are
many opportunities and sources to learn from. One such oversight, a massive one, occurred in
Brazil. Brazil is known for its celebrations.
Unfortunately, the country is also becoming known for cybersecurity issues.
Affected
The issue with this particular breach is a misconfigured
Apache server that exposed CPF (Cadastro de Pessoas Físicas) numbers for nearly 120M
Brazilians. The CPF is the identification number issued by the
Brazilian Federal Reserve to Brazilian citizens and taxpaying residents, much
like the US Social Security number. The number is not optional: it is
required for the monetary tasks of daily life (e.g. opening a bank account,
opening a business, paying taxes, and getting a loan). How long the data
was exposed is unknown. As no one is sure how long the
server was misconfigured, the exposure could have been lengthy. It is
notable and odd that this period cannot be estimated; there
should be a record of when the server was configured. The exposed data includes the person’s name,
birth date, email, phone number, address, employment details, bank account
details, loans and repayment history, debit and credit history, voting history,
voting registration number, and more. This is a wonderful collection for
phishing and for taking over someone’s identity for fraudulent uses. To top it
off, all of this data can be sold quite easily on the dark web.
Misconfiguration
The issue was discovered in March 2018. The web server was
misconfigured to allow public access. In the served directory, the default file “index.html”
had been renamed to “index.html_bkp”. For someone viewing the files,
this would draw attention. With no index file present, the web server
generated a directory listing of the files in that directory (Apache does this
only when directory indexing, mod_autoindex with Options Indexes, is enabled). The files
ranged in size from 27MB to 82GB. While the researchers at InfoArmor were
working to identify the owner of the server so they could be notified,
they noted that an 82GB file was replaced with a raw 25GB SQL file; the
file name stayed the same. What may have happened is that the directory was
used to store a database backup, and the person creating and configuring it
did not understand that the files were publicly available.
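As an added example (not code from the post or from InfoArmor's report), the following Python audit parses the <Directory> blocks of an Apache configuration and reports where Options leaves Indexes enabled, which is exactly the condition under which a missing index.html turns into a public directory listing; the configuration text and the paths in it are constructed for illustration.

```python
import re
from typing import Dict, List

# Constructed sample Apache config (not from the incident): one block leaves
# directory listing on, one turns it off, one uses the relative +/- syntax.
SAMPLE_CONFIG = """
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    Require all granted
</Directory>
<Directory "/var/www/backups">
    Options -Indexes +FollowSymLinks
    Require all granted
</Directory>
<Directory "/var/www/exports">
    Options +Indexes
</Directory>
"""

DIRECTORY_BLOCK = re.compile(
    r'<Directory\s+"?([^">\s]+)"?\s*>(.*?)</Directory>', re.IGNORECASE | re.DOTALL)
OPTIONS_LINE = re.compile(r'^\s*Options\s+(.+?)\s*$', re.IGNORECASE | re.MULTILINE)

def indexes_enabled(options_lines: List[str], inherited: bool = False) -> bool:
    """Evaluate Apache 'Options' semantics for the Indexes flag.

    A line whose tokens all start with '+' or '-' merges with the inherited
    value; any other form replaces it outright (Apache rejects mixed forms).
    'All' implies Indexes; 'None' clears it.
    """
    enabled = inherited
    for line in options_lines:
        tokens = line.split()
        if all(t[0] in "+-" for t in tokens):
            for t in tokens:
                if t[1:].lower() in ("indexes", "all"):
                    enabled = t[0] == "+"
        else:
            enabled = any(t.lower() in ("indexes", "all") for t in tokens)
    return enabled

def audit_directory_listing(config_text: str) -> Dict[str, bool]:
    """Map each <Directory> path to True when a missing index file would make
    Apache publish a listing. Assumes blocks stand alone (no .htaccess or
    nested-block inheritance); that limit is an assumption of this example."""
    return {path: indexes_enabled(OPTIONS_LINE.findall(body))
            for path, body in DIRECTORY_BLOCK.findall(config_text)}

if __name__ == "__main__":
    for path, on in audit_directory_listing(SAMPLE_CONFIG).items():
        print(f"{path}: {'EXPOSED, directory listing on' if on else 'ok'}")
```

Any path reported as exposed should get an explicit Options -Indexes (and backups should not live under the web root at all).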
Notification
The researchers were able to find the email addresses
associated with the server, and naturally emailed one of them. The email
bounced with a “User Unknown” response. Two further attempts were made.
Finally, the researchers received a reply stating the hosts had contacted their
clients about the legal issues with leaving the data exposed. The data, however, remained exposed and wide open for several weeks after this. Later that month,
the server was secured.
Thoughts
Once the point of contact for the server was notified, it is
curious why it took so long to correct the issue. It required the
researchers to attempt contact three times, and the fix still took several weeks.
Another question is why the data was on a third-party server at all. This should
not have been the case, as it is clearly significant confidential and
sensitive data. It is also difficult to know who accessed the data and for how
long.
Resources
Abrams, L. (2018, December 12). Taxpayer ID numbers for 120 million Brazilians exposed online. Retrieved from https://www.bleepingcomputer.com/news/security/taxpayer-id-numbers-for-230-million-brazilians-exposed-online/
Cyware. (2018, December 13). Misconfigured cloud server exposed taxpayer ID numbers of 120 million Brazilians. Retrieved from https://cyware.com/news/misconfigured-cloud-server-exposed-taxpayer-id-numbers-of-120-million-brazilians-91298892
InfoArmor. (n.d.). InfoArmor reports identification numbers of 120 million Brazilians exposed online. Retrieved from https://cdn2.hubspot.net/nubfs/3836852/PCOs/InfoArmor_Brazilian%20Exposure%20Report.pdf
Muncaster, P. (2018, December 13). Apache misconfig leaks data on 120 million Brazilians. Retrieved from https://www.infosecuritymagazine.com/news/apache-misconfig-leaks-data
Gurubaran, S. (2018). 120 million unique taxpayer ID numbers exposed online from misconfigured servers. Retrieved from https://gbhackers.com/120-million-unique-taxpayer/amp