Eskenzi PR Eskenzi PR
  • About Us
Tuesday, 9 March, 2021
IT Security Guru
Eskenzi PR
  • Home
  • Features
  • Insight
  • Events
    • Women in Cyber 2020
    • Women in Cyber 2020 [SPONSORS]
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us
No Result
View All Result
  • Home
  • Features
  • Insight
  • Events
    • Women in Cyber 2020
    • Women in Cyber 2020 [SPONSORS]
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us
No Result
View All Result
IT Security Guru
No Result
View All Result

Unprotected AWS Server exposes over 350m passwords

Ethical hackers have discovered 350 million exposed email addresses on an unsecured server which were likely to have either been stolen or acquired back in October 2018.

by Guru's
August 14, 2020
in Cyber Bites
Breach
Share on FacebookShare on Twitter

Ethical hackers have discovered 350 million exposed email addresses on an unsecured server which were likely to have either been stolen or acquired back in October 2018.

 

The find was made after the CyberNews threat researchers came across an unprotected depository (also known as a bucket) on an Amazon S3 server which is said to have been left online for 18 months and available to view or download before it was taken down in June.

 

Email addresses are one of the first pieces of sensitive information hackers require to help them steal a victim’s identity or access financial accounts. If you believe you may have been affected, CyberNews has put together a data breach checker. Alternatively, Have I Been Pwned is widely used in the industry.

 

The following cybersecurity experts have given their thoughts:

 

Martin Jartelius, CSO at Outpost24:

 

“It is important to differentiate between signal and noise when it comes to alerts. The fact that you have an email, and what that email is, is something that you continually share when using the Internet. This is also the reason you receive substantial amounts of spam and direct marketing. Comparing this to for example the Yahoo breach where we are talking about accounts, leading to potential credentials breach, and on the other hand this case – a “breach” where emails constitute a means of contacting someone or at worst their username, is an incorrect parallel to draw.

 

The main risk here is that the individuals concerned will receive more unwanted emails. No more, no less.

 

As a collective, the security industry has a bad habit of making something benign sound worse than it is, making it hard for those with less insight to focus their efforts. This is clearly such a case, where we can even see recommendations such as changing passwords even though no passwords have been leaked, at least based on what is detailed in the disclosure.”

 

Tim Mackey, principal security strategist at the Synopsys CyRC (Cybersecurity Research Centre)

“Cloud storage solutions are convenient and cost-effective, but we must not forget that proper configuration of any cloud service means configuring components, like S3 buckets, securely. Securely in this context implies that a review of the security requirements for the data stored, but also ensures that regulations like the Privacy Act 2020 are respected. If an organisation is struggling to understand the full requirements from either of a security or a privacy perspective, then they should engage with professionals or consultancies skilled in conducting threat models, software architecture reviews and performing penetration testing. Independent of any regulatory sanctions, these security reviews help avoid the reputational damage that is an inevitable result from a data breach while containing the costs of both forensic reviews and the incident response itself.”

 

Joe Moles, VP, Customer Security Operations at Red Canary

“Unsecure servers containing databases with large swaths of email addresses can be a tremendous resource for any adversary, whether they’re conducting an indiscriminate spam campaign or a targeted spear-phishing attack. While there isn’t any indication that these email addresses were ever exposed to an adversary, organizations can protect themselves from possible threats by shoring up email filters and implementing or improving employee security awareness training.

 

Additionally, given increased reliance on cloud hosted systems and decentralized systems, it is incredibly important that IT and security teams educate themselves on the various access control settings for the cloud services they use. At the end of the day this is a symptom of immature IT hygiene. Most of this risk can be reduced through maturing processes to better track configuration, inventory, etc. Simply put: better security through better IT.”

0 0 vote
Article Rating
FacebookTweetLinkedIn
ShareTweetShare
Previous Post

Update your browser now! Chrome bug allows bypassing of CSP protection

Next Post

Google attempting new URL displays to tackle phishing and other scams

Subscribe
Notify of
guest
guest
0 Comments
Inline Feedbacks
View all comments

Recent News

International Women’s Day: the road towards equality is still long for the cybersecurity industry

March 8, 2021
Malaysia Airlines

Malaysia and Singapore Airlines Breached in Third Party Hacks

March 5, 2021
Fraud attempts skyrocketed in 2020 according to latest Financial Crime Report from Feedzai

Fraud attempts skyrocketed in 2020 according to latest Financial Crime Report from Feedzai

March 4, 2021

Top 10 awards to enter for cybersecurity 

March 3, 2021

The IT Security Guru offers a daily news digest of all the best breaking IT security news stories first thing in the morning! Rather than you having to trawl through all the news feeds to find out what’s cooking, you can quickly get everything you need from this site!

Our Address: 10 London Mews, London, W2 1HY

Follow Us

© 2015 - 2019 IT Security Guru - Website Managed by Calm Logic

  • About Us
No Result
View All Result
  • Home
  • Features
  • Insight
  • Events
    • Women in Cyber 2020
    • Women in Cyber 2020 [SPONSORS]
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us

© 2015 - 2019 IT Security Guru - Website Managed by Calm Logic

This site uses functional cookies and external scripts to improve your experience.

More information
wpDiscuz
0
0
Would love your thoughts, please comment.x
()
x
| Reply
Privacy Settings / PENDINGGDPR Compliance

Privacy Settings / PENDING

This site uses functional cookies and external scripts to improve your experience. Which cookies and scripts are used and how they impact your visit is specified on the left. You may change your settings at any time. Your choices will not impact your visit.

NOTE: These settings will only apply to the browser and device you are currently using.

GDPR Compliance

Accept