[BreachExchange] A massive database of 8 billion Thai internet records leaks

Destry Winant destry at riskbasedsecurity.com
Thu May 28 09:21:08 EDT 2020


https://techcrunch.com/2020/05/24/thai-billions-internet-records-leak/

Thailand’s largest cell network AIS has pulled a database offline that
was spilling billions of real-time internet records on millions of
Thai internet users.

Security researcher Justin Paine said in a blog post that he found the
database, containing DNS queries and Netflow data, on the internet
without a password. With access to this database, Paine said that
anyone could “quickly paint a picture” about what an internet user (or
their household) does in real-time.

Paine alerted AIS to the open database on May 13. But after not
hearing back for a week, Paine reported the apparent security lapse to
Thailand’s national computer emergency response team, known as
ThaiCERT, which contacted AIS about the open database.

The database was inaccessible a short time later.

AIS spokesperson Sudaporn Watcharanisakorn confirmed AIS owned the
data, and apologized for the security lapse.

“We can confirm that a small amount of non-personal, non-critical
information was exposed for a limited period in May during a scheduled
test,” said the spokesperson. (TechCrunch reached out several times
prior to publication but did not hear back until after we published.)

“All of the data related to Internet usage patterns and did not
contain personal information that could be used to identify any
customer,” said the spokesperson. “On this occasion we acknowledge
that our procedures fell short, for which we sincerely apologise.”

But that isn’t true.

DNS queries are a normal side-effect of using the internet. Every time
you visit a website, the browser converts a web address into an IP
address, which tells the browser where the web page lives on the
internet. Although DNS queries don’t carry private messages, emails,
or sensitive data like passwords, they can identify which websites you
access and which apps you use.

But that could be a major problem for high-risk individuals, like
journalists and activists, whose internet records could be used to
identify their sources.

Thailand’s internet surveillance laws grant authorities sweeping
access to internet user data. Thailand also has some of the strictest
censorship laws in Asia, forbidding any kind of criticism against the
Thai royal family, national security, and certain political issues. In
2017, the Thai military junta, which took power in a 2015 coup,
narrowly backed down from banning Facebook across the country after
the social network giant refused to censor certain users’ posts.

DNS query data can also be used to gain insights into a person’s
internet activity.

Using the data, Paine showed how anyone with access to the database
could learn a number of things from a single internet-connected house,
such as the kind of devices they owned, which antivirus they ran, and
which browsers they used, and which social media apps and websites
they frequented. In households or offices, many people share one
internet connection, making it far more difficult to trace internet
activity back to a particular person.

Advertisers also find DNS data valuable for serving targeted ads.

Since a 2017 law allowed U.S. internet providers to sell internet
records — like DNS queries and browsing histories — of their users,
browser makers have pushed back by rolling out privacy-enhancing
technologies that make it harder for internet and network providers to
snoop.

One such technology, DNS over HTTPS — or DoH — encrypts DNS requests,
making it far more difficult for internet or network providers to know
which websites a customer is visiting or which apps they use.


More information about the BreachExchange mailing list