Verizon Wireless Employee Exposed Confidential Data Online
After notification, the bucket was taken down, and in a follow-up letter the owner of the repository said that "no confidential stuff" was exposed.
On September 20th, Kromtech Security researchers discovered a publicly accessible Amazon AWS S3 bucket containing around 100 MB of data belonging to an internal Verizon Wireless system called DVS (Distributed Vision Services).
DVS is the middleware and centralized environment for all Verizon Wireless (the cellular arm of VZ) front-end applications, used to retrieve and update billing data.
Although no customer data was involved in this leak, we were able to see files and data labelled "VZ Confidential" and "Verizon Confidential", some of which contained usernames and passwords; these credentials could easily have allowed access to other parts of Verizon's internal network and infrastructure.
Another folder contained 129 Outlook messages with internal communications within the Verizon Wireless domain, again including production logs, server architecture descriptions, passwords and login credentials.
Upon analyzing the content of the repository, we identified the alleged owner of the bucket and sent a responsible notification email on September 21st. Shortly after that, the online archive was taken down, and it was later confirmed that the bucket was self-owned by a Verizon Wireless engineer and was neither owned nor managed by Verizon.
What the Repository Contained:
Admin user info that could potentially allow access to other parts of the network
Command notes and logs, including:
B2B payment server names and info
Internal PowerPoints showing VZ infrastructure, with server IPs, marked as “Verizon Wireless Confidential and Proprietary information”
Global router hosts
129 saved Outlook messages with access info and internal communications
Damage Control Or Denial?
Verizon had $126.0 billion in consolidated revenues in 2016, and it seems unlikely that a company of that size would leave the keys to the front door of its data servers or network out for anyone to find. In the corporate world any bad news can affect stock prices or other aspects of the business. However, if these files were not sensitive, why not make this information open source or publicly available? The exposed files gave access to production logs, scripts, instructions and administrative credentials for protected areas of Verizon's internal infrastructure.
In the aftermath of the Equifax data leak it is easy to be skeptical, considering that Equifax waited 5 months to inform regulators or the public. Then remember that Equifax executives sold off stock before the price drop. It is not out of line to consider that when someone has been approached about a data leak, they might deny it. As security researchers we often hear that data was not sensitive, or that it was production or test data, when it clearly was not.
Bob Diachenko, chief security communications officer, Kromtech:
“Our primary goal is to notify and secure the data, not to dispute whether they are being honest or not. As more and more data leaks occur, it makes consumers and average individuals more vulnerable online. We believe that companies have an obligation not only to take the proper security measures but also to protect the data their employees collect and store.”
Alex Kernishniuk, VP of strategic alliances, Kromtech:
An improperly configured S3 bucket can lead to viewing, uploading, modifying, or deleting of S3 objects by third parties. To prevent S3 data loss or exposure and unexpected charges on your AWS bill, you need to grant access only to trusted entities by implementing the appropriate access policies recommended in this conformity rule. Brute-force tools are already scanning all possible bucket names, analyzing configurations letter by letter and getting closer to your information every minute.
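As an added illustration of the "appropriate access policies" point (example code written for this page, not Kromtech's or Verizon's), the block below places a bucket policy that exposes every object to anonymous readers beside a corrected policy that grants read access only to a named IAM role and denies plaintext transport, and it includes a small audit function that flags any Allow statement an anonymous caller can use. The bucket name, the account ID 111122223333 and the role name are constructed placeholders.

```python
import json

# Constructed sample: a bucket policy of the kind that leaves a bucket readable by
# anyone on the internet (the misconfiguration described above). Placeholder bucket name.
WEAK_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-dvs-archive", "arn:aws:s3:::example-dvs-archive/*"]
  }]
}
""")

# Corrected form: only one IAM role (placeholder account/role) may read, and TLS is enforced.
HARDENED_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "RoleReadOnly", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:role/dvs-readers"},
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-dvs-archive", "arn:aws:s3:::example-dvs-archive/*"]
  }, {
    "Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
    "Action": "s3:*", "Resource": "arn:aws:s3:::example-dvs-archive/*",
    "Condition": {"Bool": {"aws:SecureTransport": "false"}}
  }]
}
""")

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _is_anonymous(principal):
    """True when a statement's Principal grants to everyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def public_grants(policy):
    """Return (Sid, 'conditional'|'unconditional', actions) for each Allow statement
    usable by an anonymous caller. Deny statements with Principal "*" are not exposure."""
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow" or not _is_anonymous(st.get("Principal")):
            continue
        tag = "conditional" if st.get("Condition") else "unconditional"
        findings.append((st.get("Sid", "<no Sid>"), tag, sorted(_as_list(st["Action"]))))
    return findings
```

A bucket policy is only one of the ways a bucket can be opened up; object ACLs and the account-level S3 Block Public Access settings are the others, so this check complements rather than replaces enabling Block Public Access.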