Sunday, 15 April 2018

FAQ I True Mart data leak

On Friday, I published my findings into a data leak of citizen data by a company in Thailand. The Register also picked up on this story and the reaction on Twitter was relatively low.

However on Saturday, this all changed. My Twitter mentions feed was all in Thai and my DMs were filled with people asking for their data and what they should do.

To save my sanity and stop the spread of misinformation here are some clarifications in a Q&A style

Q. Did you hack the site?
No. I found the location. It was a lucky guess is the best way of describing it.

Q. True Corp are saying it is a hack?
It is a data leak. There was no security on the S3 bucket with the data. Google could have indexed it as well as any other search engine. If you found it, it was the same as browsing to a website.

Q. Did you download all of the data that was publicly accessible?
No. I selected 4 files at random to verify the contents of the bucket. Past those initial files that confirmed that this bucket was holding sensitive data, I did not download any other files. At this point, I notified True Corp of the issue.

Q. Have you a copy of my data?
No. I have deleted all files related to this disclosure

Q. Can you help me find if my data was in the leak?
No. I do not have a copy of the data nor can I check if your data was in the leak. You can however ask True Corp to verify that your data was not in that particular location

Q. What did you do once you found the files?
I notified True Corp support as detailed in my original post

Q. How many files were involved?
45736 files which were a mix of JPG and PDF files.

Q. How did you find out there were so many files?
I used a tool called s3-ncdu to generate a list of all of the files and file sizes in the bucket. This showed the folder structure and approximate files sizes.

Q. How long was the data available?
For at least from when I found it and until the 12-April-2018. It could have been available before that as well.

Q. Could someone else have found it other than you?
Yes. If I found it, someone else could have done so

Q. Could someone else have downloaded the data?
Yes. If they wanted to, they could have downloaded the entire bucket.

Q. People are calling you a hacker, is that true?
No. There was no hack here, the files were publicly facing on an unsecured system. This means that anyone could have found them with a careful Google search for example. No tools other than your browser (IE, Chrome, Firefox etc) are needed. What I did was find the issue, alert True Corp to the mistake and push that they fixed it before anyone else could find it and use it.

Q. Why did you wait one month before publishing?
To ensure that people's data was not put at risk by me publishing this information, I had to wait until the files were not available anymore. If I had published while the files were still available, someone else could have found it and used it for bad things.

Q. Why didn't True Corp respond?
When you send in information like this to a company, some are very good and will respond within minutes and fix the issue which is good. Others, take more time or do not have the correct processes in place to handle this type of problem.

Q. What is the risk to my data?
I don't know. I can give information on the technical part of this issue.

Q. What should I do if I am worried my data was in this leak?
Contact True Corp to verify that your data was or was not in the leak. Once you know, you can decide on the correct course of action for you.

Q. How could this happen that the data was not protected?
It could have been a simple oversight due to lack of testing or understanding of the security implications. Someone could have disabled security accidentally or worse someone could have turned it off maliciously which would a more worrying issue.   

Q. Where can I find more information
Please see the ThaiCERT page here

Q: Have you been contacted by the company after this?
No. They have not contacted me to ask for clarification on any of the issues.

Friday, 13 April 2018

Another telco is failing at security

Update: 14-04-2018 : True Corp have issued a statement and clarification that this only affected their subsidiary I True Mart. Details in Thai 

Back in January 2018 while at NDC London, Scott Helme introduced me to an interesting new technique for finding Amazon S3 buckets, Using the certificate transparency logs that are created when someone creates a new certificate, you can use the domain names as the wordlist for finding buckets. Its a novel approach as normally most people use the Alexa top 1 million list.  

Luckily there was a tool already for this on GitHub called bucket stream. I demo’d it at NDC Security Day in Oslo and left it for a bit before coming back to it again in March and deciding to do some digging and see what was out there. After about one hour, I had circa 500 open addresses.

What bucket stream doesn’t show is the content of the buckets, only that they are open, and the permissions associated. To get the contents, you can either visit the site manually and scan it or find another tool. In this case, that was bucket-finder which will list the contents of an S3 bucket and give you the public or private attributes.

Having an open S3 bucket is not a bad thing. For example, you can use it as storage for a website or other such things, but when you use it for storing sensitive data and leave it open, this is a serious problem

The output from bucket-finder showed several issues such as config files, source code and other potential information disclosures. Bucket finder only gets the top 1000 files via the AWS S3 API. To simplify things, I loaded the results into a small SQL database for analysis. I found all the sites that had 1000 files and did a quick visual scan to see what they contained and if there was a way to identify the owner if the need arose. 

One such owner was True Move H, the second largest mobile operator in Thailand (source: Wikipedia). Their name was in the folder that contained many files mainly JPGs and PDFs. The interesting thing that was I first observed was it was the format of truemoveh/idcard/YYYY/MM/FILENAME. 

I checked the first couple of files in the directory and it was a picture of a Minion from Despicable Me and some were logos. This led me to believe that it was a development server, but the site name contained -prod, so I scrolled further down and opened a later file which was a scanned ID card of a Thai citizen.

At this point, I realised that they were storing scanned ID cards that they got from customers in this S3 bucket and there was no security on it at all protecting the files. Simply, if you found the URL, you could download all their customers scanned details.

In all over 32GB of data existed in this bucket totalling 46K files, neatly organised by year.

I connected with True Move H on Twitter to ask for some contact information and they sent me to their support email address.

I sent the details to their support department a full report on Saturday 10-Mar detailing how this was found, examples of the files that were available and asking to talk to their security team. 

The response was quite shocking. They admitted not having a security department and that I should contact their head office between business hours

Now it was a case of trying to figure out what to do. I contacted Scott Helme to get his advice on the most effective course of action. He suggested that I should contact some journalists to help put some pressure on them to get this blatant problem fixed. Scott connected me John Leyden of The Register who also pushed True Move H to fix it.

We had heard nothing for 2 or 3 weeks and I decided that I was going to press the issue finally and told them on Mon 02-April that I would be publishing an article the following week.

On Wed 04-04 both John and I received identical messages from True Move H, saying that a team had been informed and were working on it. 

I checked again on Thursday 12-April 10:00 to verify if the files were available still and they were. At 19:00 they had finally been made private.

Unfortunately, this is not the first time this company has had issues with ID cards. Back in 2016, True Move H issued a sim card to a thief without checking ID first and the person linked to the SIM card lost a substantial sum of money. 

Along with T-Mobile Austria last week and other telco's are serious failing at security and protecting their customers privacy. You should connect with your provider and ask what they are doing to ensure this type of thing doesn't happen.

Update: 14-04-2018 : True Corp has issued a statement and clarification that this only affected their subsidiary I True Mart. Details in Thai