Report: S. Korean Company's Database Leaking Business Data
Industrial Supplier DK-Lok's Unsecured Database Accessible Via Internet, Researchers Say
As part of an ongoing project, a pair of independent security researchers have found yet another unsecured database accessible via the internet that contains sensitive company data and other business information.
The latest incident involves a database belonging to South Korean manufacturing firm DK-Lok, which has offices in the U.S., Western Europe and elsewhere. It’s known for making industrial pipe, valves and other types of fittings, according to Noam Rotem and Ran Locar, self-described security researchers and hacktivists.
The open source Elasticsearch database was first discovered by Rotem and Locar in the middle of August, according to their Thursday blog post. Despite several weeks of sending emails and other messages to DK-Lok, the database remains open and unsecured, the two researchers write in their blog.
"DK-Lok's communications are leaking, we can see records of our own emails to the company - so we know they have received our attempts to contact them," the researchers write.
Attempts by Information Security Media Group to reach DK-Lok were not successful. It's not clear how large this particular database is or if anyone has accessed the data through the internet.
Other Discoveries
Rotem and Locar are working on a large-scale web mapping project, using port scanning techniques to look at various known IP blocks and addresses. If the two find an unsecured database, they attempt to contact the owner before publishing their findings.
Elasticsearch databases are usually not designed to be accessed through a standard URL. So in the case of DK-Lok, Rotem and Locar manipulated the search criteria and were able to view the database in a single index file, they write.
Over the last several months, Rotem and Locar have uncovered similar vulnerable databases as part of their research.
In August, the two found exposed fingerprint and facial recognition records belonging to South Korean biometrics firm Suprema (see: Biometric Security Vendor Exposes Fingerprints, Face Data).
Earlier, the researchers discovered an unprotected database belonging to Chinese e-commerce site Gearbest, which potentially exposed 1.5 million customer records (see: Gearbest Database Leaks 1.5 Million Customer Records).
In many of these cases, making a cloud-based database private is usually as simple as switching one option, which makes it easy to overlook, says Javvad Malik, a security awareness advocate at KnowBe4, which provides security awareness training.
"Proper security oversight and assurance in cloud environments can be challenging. There is no real difference between test and live environments, and one can easily morph into the other without undergoing proper change management," Malik tells Information Security Media Group. "Some technologies exist which can perform some assurance checks, but ultimately these issues largely boil down to human or procedural errors. So it's important that a culture of security is embedded throughout the organization to ensure all the right aspects are considered at every stage."
Potential for Malicious Use
The exposed DK-Lok database contains emails and communication between employees and clients that include details about product prices and quotes, project bids, travel arrangements, private conversations as well as discussions related to suppliers, clients, projects and internal operations, according to the researchers.
Clients included in the emails are the company's customers in North America, Western Europe, the Middle East, Asia and South America, the researchers write.
Besides the correspondence between the company and its customers, the emails would also give someone access to full names of employees and clients; internal email addresses from various international DK-Lok branches; employee IDs; customers' email addresses, full names and phone numbers; personal information sent to work emails, such as online shopping orders; and a list of events and conventions that DK-Lok employees planned to attend, the researchers note.
The biggest security threat is that this information could be used to craft phishing emails, as well as messages that could start a business email compromise scheme targeting DK-Lok, one of its customers or a third-party supplier, the researchers write (see: BEC Scams Cost U.S. Companies $300 Million Per Month: Study).
"Hackers can use the knowledge gained by reading these emails for use in further corporate fraud," the researchers write. "In any cybercrime, information is crucial. The more private information you can gather about a company, the better you can target them for fraud or malicious attacks."