On January 3rd, researchers from VPNMentor uncovered an unsecured Amazon Web Services Simple Storage Service (S3) bucket, owned by JailCore, a cloud-based app used by multiple US correctional facilities. Anyone could access the files stored on the S3 bucket using just a web browser—no password was required. Contained on the unsecured bucket were over 36,000 PDF files exposing inmate prescription records, mugshots, and other personally identifiable information. When the researchers attempted to reach out to JailCore on January 5th, JailCore refused to accept the breach notification or to confirm the researchers’ findings. However, access to the bucket was quickly closed after the researchers provided the notification to the Pentagon on January 15th.
Analyst Notes
Amazon's knowledge center recommends several strategies for securing S3 buckets:
• Write AWS Identity and Access Management user policies that clearly define which users can access specific buckets and objects
• Block public access using Amazon’s built-in Amazon S3 Block Public Access
• Set access control lists on buckets and objects
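As an added example (not from the VPNMentor report or from AWS), the following Python audit applies the three points above offline: it flags bucket-policy statements and ACL grants that open a bucket to anyone, places a policy scoped to one IAM role beside the open one, and lists the four Block Public Access switches. The bucket name, account id and role name are constructed placeholders.

```python
import json

# S3 ACL group URIs that mean "everyone" / "any AWS account holder".
PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

# The four Block Public Access switches, all on (shape used by put_public_access_block).
BLOCK_PUBLIC_ACCESS_ALL = {
    "BlockPublicAcls": True, "IgnorePublicAcls": True,
    "BlockPublicPolicy": True, "RestrictPublicBuckets": True,
}

# Constructed sample: the kind of policy that makes objects readable from a browser.
WEAK_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AnyoneCanRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-records/*"}]})

# Constructed sample: the same access limited to one IAM role (placeholder account/role).
HARDENED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AppRoleOnly", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/records-app"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-records/*"}]})

def _principal_is_anyone(principal):
    """True for Principal "*" or {"AWS": "*"} (also when "*" sits inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def public_policy_statements(policy_json):
    """Sids of unconditioned Allow statements granted to any principal."""
    # Statements carrying a Condition are skipped here; they still deserve manual review.
    policy = json.loads(policy_json)
    stmts = policy.get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    return [s.get("Sid", f"statement[{i}]") for i, s in enumerate(stmts)
            if s.get("Effect") == "Allow" and "Condition" not in s
            and _principal_is_anyone(s.get("Principal"))]

def public_acl_grants(acl):
    """(group URI, permission) pairs an ACL (get_bucket_acl shape) hands to the public."""
    return [(g["Grantee"]["URI"], g["Permission"]) for g in acl.get("Grants", [])
            if g["Grantee"].get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_ACL_GROUPS]
```

In practice the two functions would be fed the documents returned by boto3's get_bucket_policy and get_bucket_acl for each bucket in the account.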
More information for securing S3 buckets can be found at: https://aws.amazon.com/premiumsupport/knowledge-center/secure-s3-resources/
For more information, please see: https://www.vpnmentor.com/blog/report-jailcore-leak/