back to article Viacom exposes crown jewels to world+dog in AWS S3 bucket blunder

Media monster Viacom has been caught with its security trousers down. Researchers found a wide-open, public-facing misconfigured AWS S3 bucket containing pretty much everything a hacker would need to take down the company's IT systems. The data store, found by Chris Vickery, director of Cyber Risk Research at security shop …

  1. John Brown (no body) Silver badge

    What price security?

    Why are huge companies with $billions skimping on security and storage costs and dumping data into the "cloud"? Storage is cheap. Much cheaper than the costs of a leak or even just the bad PR.

    1. Electron Shepherd

      Re: What price security?

      Because developers always want to work with the latest shiny-shiny, and they tell their clueless PHBs that the best way is "cloud", and it all goes from there.

      I've known several developers make technical decisions purely on the basis that the experience gained would look good on their CV, without any regard for the impact of their choice on the organisation itself.

      1. This post has been deleted by its author

    2. Mark 85 Silver badge

      Re: What price security?

      Why? Bonuses for manglement of course. Costs to prevent such things cut into that.

    3. Anonymous Coward
      Anonymous Coward

      Re: What price security?

      Your answer is ...........

      It is 'quick and simple' to do and therefore so is 'Security'. [or so it seems.]

      Until it all goes 'pear shaped', cost is not really an issue vs ease of implementation.

      Later, the 'ease' and 'simplicity' is examined a little more !!! :)

      Overpaid people who are lazy and don't really understand what all the 'Security' nonsense is all about.

      Not a problem as it doesn't impact their pay or bonuses ....... [yet !!!]

      When there is a problem you can issue a 'Standard letter' proclaiming your great concern for the customers and their 'lost' information but be assured the problem is being fixed and will not happen again ..... [We hope !!!]

      Just to make sure the company can 'sack' a few Techies and their managers to demonstrate they are being serious ...... [this time !!!]

      Any of this sound familiar ??!!!

    4. Walter Bishop Silver badge
      Linux

      Re: What price security?

      'Why are huge companies with $billions skimping on security and storage costs and dumping data into the "cloud"? Storage is cheap. Much cheaper than the costs of a leak or even just the bad PR.'

      Because their clueless managers have been reading about how much more efficient and economical the Cloud than the old fashioned "stuff"

    5. macjules Silver badge

      Re: What price security?

      They might well be paying major-league digital agencies to run their digital services and devops, but those companies are mostly offshoring everything in order to maximise profits. The end result is that you get a contractor in Bangalore who "knows something about DevOps" and thus you end up with this situation.

      Sadly this will not be the last case, has certainly not been the first and I daresay that there have been much worse (and kept hidden) cases than this which have resulted in data loss, user hijacking and fully compromised company security.

    6. Just Enough

      Re: What price security?

      "Why are huge companies with $billions skimping on security and storage costs and dumping data into the "cloud"?"

      This is not a cloud storage vs server storage issue. Badly configured storage is just as likely to happen on either. Sloppy security is sloppy security, whether on a client desktop, in your server room, on a hired VM, or on a enterprise cloud.

      1. Alister Silver badge

        Re: What price security?

        This is not a cloud storage vs server storage issue. Badly configured storage is just as likely to happen on either.

        I disagree.Most on-prem or managed storage is looked after by someone with clue, who can fend off the stupidities that cause this sort of leak. If a developer wants a database to be hosted, then it's done in a managed fashion, and access is granted with proper consideration of security consequences. In most cases external access from the internet is never required.

        Cloud storage with one of the megalithic suppliers encourages developers who want to host a database to just stick stuff on it, and if they can't immediately access it, they turn off the default security, as it's not their problem. External access from the internet is inevitable in this model, and to properly lock it down requires clue. No-one with clue is involved in the process.

        1. Anonymous Coward
          Anonymous Coward

          Re: What price security?

          And suppose security gets overridden by someone on the board because security itself is not on the board?

  2. Anonymous Coward
    Anonymous Coward

    "What price security?"

    "We'd rather expose the company to Cloud setbacks than pay for non-sourced / overpriced IT / Tech staff. Plus executive Golden Parachutes are still intact... So what's there to worry about".... Viacom Group CEO

  3. Anonymous Coward
    Anonymous Coward

    Why help Viacom ?

    Better (for the rest of the planet) would have been to copy the data far and wide so that Viacom took a huge hit. If the company had a large financial hole as a result of its poor security then other companies might actually think about security. (And if it collapsed then the loss of Comedy Central would not be a big loss to mankind!!!)

    1. Anonymous Coward
      Anonymous Coward

      Re: Why help Viacom ?

      "(And if it collapsed then the loss of Comedy Central would not be a big loss to mankind!!!)"

      Oh c'mon, there's erm and then err...yeah OK, you're right.

      1. Anonymous Coward
        Anonymous Coward

        Re: Why help Viacom ?

        Two words: South Park.

        1. handleoclast Silver badge

          Re: Why help Viacom ?

          Three words: The Daily Show.

        2. Anonymous Coward
          Anonymous Coward

          Re: Why help Viacom ?

          South Park would survive the Bankruptcy and implosion when it either gets sold off or the original contracts are rendered null and void.

  4. Captain DaFt

    A bit ambiguous

    - Once Viacom became aware that information on a server – including technical information, but no employee or customer information – was publicly accessible, we rectified the issue. -

    Uhm, did they fix the leak, or just added the missing employee/customer data?

    The way it scans, it almost reads like leaving that out was the problem.

  5. Mark Exclamation

    Update from Viacom....

    We would like to thank Mr Chris Vickery for finding this glaring error of ours and pointing it out to us so we could save our company from total annihilation. We would like to pay Mr Vickery's company for his efforts, and we hereby pay him the grand sum of $1000 (one millisecond's worth of our profits).

  6. John H Woods Silver badge

    which is it?

    "no material impact" or "rectified the issue"

    The only way to really rectify the issue (from the technical perspective) is to change everything that has been exposed (keys, passwords, maybe even server names). From a management perspective, there's even more work to do to prevent even a partial repetition.

    1. Anonymous Coward
      Anonymous Coward

      Re: which is it?

      Unless it's just cheaper to pay the legal fees and go their merry way...

  7. Anonymous Coward
    Anonymous Coward

    Well, duh.

    As far as I can tell, the majority of these discoveries show data that was expected to be protected by Amazon's security which is a totally wrong security posture to start with.

    If you are going to store critical corporate data outside the door, you damn well encrypt it before it even passes said door - such data should not be one mistake away from disclosure. But hey, that takes too much effort, apparently.

    1. Phil O'Sophical Silver badge

      Re: Well, duh.

      was expected to be protected by Amazon's security

      Exactly. People are used to the idea that they can put anything they want on an on-premises system, and the corporate security bods will make sure it's safe. Move to the cloud, and they assume the cloud provider will do that, which of course they won't. Having your corporate environment in the cloud doesn't make it any less your responsibility to protect it, but of course that spoils the message that cloud is cheap because "someone else does everything" so the consultants will never mention it.

  8. GruntyMcPugh Silver badge

    Oh Noes! MTV shows could have been leaked! Some fake teenage lifestyle 'scripted reality' drivel could have got loose on the Internet, instead of being safely corralled.

    That was a close one.

  9. grumpyoldeyore
    Paris Hilton

    A folder called mcs-puppet

    s/cs-p//

    There - fixed that for you.

  10. GnuTzu Bronze badge

    Open-bucket List

    This bucket nonsense is getting so ridiculous that I just did a search on Google for: list aws bucket breaches

    If anyone's started a list of companies with open buckets of treasure, I didn't find it--at least not one that's high in the search.

    I'd start one myself, but I'd rather see El Reg. do it. Otherwise, Wikipedia might be a nice place for that.

    Anyway, I did find a nice Rapid7 article on how they found 1,951 open buckets.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019