back to article Et tu Accenture? Then fall S3er: Consultancy giant leaks private keys, emails and more online

Yet another organization has been caught exposing sensitive data to the public internet: this time it is Accenture – consultants to the great and the good – with a misconfigured AWS S3 bucket leaking access keys and other private documents. On September 17, veteran cloud watchdog Chris Vickery at security shop Upguard found …

  1. Mark 110 Silver badge
    Facepalm

    Oooohhh Nooooo

    Sounds like a major titsup. And that awsacp0175 account looks like a generic login. I bet their security policy doesn't like those.

    Someones P45 is on the way I think.

    1. Anonymous Coward
      Anonymous Coward

      Re: Oooohhh Nooooo

      "Chris Vickery at security shop Upguard found four AWS S3 storage buckets open to the public"

      As I understand it that would take a deliberate effort. I cant imagine why you would ever want public access to bucket storage... And it implies an utter lack of security controls / reviews.

      1. Phil Endecott Silver badge

        Re: Oooohhh Nooooo

        > I cant imagine why you would ever want public access to bucket storage.

        You can implement websites directly using S3.

        1. Jonathan 27

          Re: Oooohhh Nooooo

          You CAN implement websites directly using S3, but only if you have exclusively static content. The more likely use I came up with was as a store for publicly-available images.

          1. Aitor 1 Silver badge

            Re: Oooohhh Nooooo

            Errr, no.

            You can implement full websites with javascript.

            The only thing is if you want waid websites to save its state.. then you have to have somewhere to save.. and users.. but most of it can also be solved.

      2. Anonymous Coward
        Anonymous Coward

        Re: Oooohhh Nooooo

        I have a few buckets in S3 and they are all deliberately open for public read access. A common way to do this is with HTTP(s) authorization headers. This way you can open them for specified HTTP methods like GET only. All cloud vendors have tutorial code for this on their website. I think serving public web assets with CloudFront accelerations is actually by far the most common object storage use case?

        However, people don't seem to understand what these headers do and just copy code outright to user-cases where is really not appropriate.

        If you guys want to have a field with S3 buckets check this out. https://www.darknet.org.uk/2017/09/awsbucketdump-aws-s3-security-scanning-tool/ I was playing with this and brute force subdomain scanner as result I am sure I could start a twitter account called fortune500_RSA_key_dump as there are enough major company keys there to dump one each day.

        Ps. Sorry to post anonymously, but found my own company keys there as well.

    2. Doctor Syntax Silver badge

      Re: Oooohhh Nooooo

      "Someones P45 is on the way I think."

      Several one would hope. The whole chain of command that allows someone to set up sensitive stuff like this without someone else performing a sanity check.

      It's all very well to make reassuring sounds about multiple layers of security waffle waffle. Having multiple layers isn't very useful if you hang up a set of keys on the front of the building. I think I'd like reassurance at a greater level of responsibility and understanding than a PR mouthpiece. These bankers handle my pension.

      1. Pu02

        Bankers? 'censure work for the Bankers.

        They aren't Bankers themselves. They're more like Mankers.

    3. macjules Silver badge

      Re: Oooohhh Nooooo

      Someones P45 is on the way I think.

      I suspect you don't have much knowledge of companies such as Accenture or Deloitte.

      Right now someone is very busy creating an amazing PowerPoint presentation which will detail what the problem was, how 'we' discovered it, how 'we' dealt with it and how the naughty offshore sub-contractor has now been severely reprimanded and standards put into place to ensure this never, ever happens again.

      1. Anonymous Coward
        Anonymous Coward

        Re: Oooohhh Nooooo

        Right now someone is very busy creating an amazing PowerPoint presentation which will detail what the problem was, how 'we' discovered it, how 'we' dealt with it and how the naughty offshore sub-contractor has now been severely reprimanded and standards put into place to ensure this never, ever happens again.

        Yes, I can confirm that - that is exactly what's going to happen. Someone will probably even be promoted over this.

        1. Anonymous Coward
          Anonymous Coward

          Re: Oooohhh Nooooo

          It is amazing seeing somebody getting promoted (or given a bonus, etc) for putting out a fire that they caused, but it definitely happens.

    4. Stevie Silver badge

      Re: Oooohhh Nooooo (4 Mark 110)

      To be fair to awsacp0175, he or she probably couldn't get past page 123 of the Accenture S3 procedures and standards documentation.

      Remember, this is Accenture we are talking about, the outfit that measures progress (and billing) by the page count of documents presented to the customer.

  2. DrG

    Ass-umption

    That's bad... crossing the streams bad

    Why is the article written with the odd assumption that no one found those before the white hat researcher?

    1. Anonymous Coward
      Anonymous Coward

      Re: Ass-umption

      Why is the article written with the odd assumption that no one found those before the white hat researcher?

      Maybe because its Accenture. Just because a bank vault is left wide open doesn't mean there's money in it. Do Accenture know enough about anything tor that knowledge to be worth stealing?

      1. Anonymous Coward
        Anonymous Coward

        Re: Ass-umption

        "Maybe because its Accenture. Just because a bank vault is left wide open doesn't mean there's money in it. "

        Accenture often do application support and management services. Support and build documentation would commonly contain security sensitive information...

        1. Hans 1 Silver badge

          Re: Ass-umption

          Support and build documentation would commonly contain security sensitive information...

          I have witnessed JUST THAT far too often... not even funny anymore ...

  3. Flakk Silver badge

    One More Holey Bucket

    A former boss was a huge fan of cloud. In his mind, cloud was more secure because the provider had a dedicated staff working around the clock, focusing on nothing other than constant network and security analysis.

    I am one holey bucket away from declaring this notion utter hogwash. The most dedicated team of crack security analysts will never be able to fully protect data from the risk of lazy or incompetent admins. Your typical on-prem shop may not have a 24/7 NOC and security staff, but threat actors will at least need to go through the formality of breaching the network in order to gain access to that [Everyone/Full Control] file share that some idiot admin just created.

    1. Anonymous Coward
      Anonymous Coward

      Re: One More Holey Bucket

      Right, because no one's ever filed/approved a boundary firewall request with more ports than you strictly need.

    2. Ledswinger Silver badge

      Re: One More Holey Bucket

      Don't forget that the cloud providers, bit barn landlords and outsourcers make all sorts of rash and half-true promises, but what REALLY differentiates them from in house, is

      1) A marketing budget and greasy, heavily incentivised salesmen. What is the in house team's marketing budget? And how many professional salesmen can it deploy with your own directors?

      2) Even if that weren't a problem, the outsource team have more access to your directors than you'll ever get. Faced with dull senior manager Bob from IT coming to demand another bucket of cash for a server refresh, or the offer of golf and a free lunch with Scumbaghost's Galactic President of Customer Service EMEA (or a free "fact finding" visit to Prague), where will your CTO, FD, CEO invest their time?

      3) They are New. Fresh. Clean. Everybody knows about the challenges, costs and problems of what you have in house today. But like an external job applicant, the outsource team don't have any baggage, and nobody ever looks very hard to find the (often ample) dirt of their failures at other companies.

      1. Flakk Silver badge
        Coffee/keyboard

        Re: One More Holey Bucket

        Scumbaghost's Galactic President of Customer Service EMEA

        ...and now my keyboard is full of Diet Coke.

        Serious funny. Gonna steal.

      2. Adam 52 Silver badge

        Re: One More Holey Bucket

        "what REALLY differentiates them from in house, is"

        A $10 billion R&D budget.

    3. Pu02

      Re: One More Holey Bucket

      The cloud provider may have better SecOps, but they aren't paid to look at the doors customers accidentally leave open. If they did, they would spend all their time liaising with end-users instead of doing the work that underpins their KPIs.

      Besides, customer's don't like to be told they are stoopid. SecOps would very quicky tread on the Sales team's toes, and even end up getting fired. So that won't happen.

      At the end of the day someone's else's security interests don't ensure your own security. Outsourcing that does not make it any less of a responsibility, except in the mind of hapless management. However until they are made responsible for the customer and corporate data they 'own' as a matter of routine, nothing will change...

  4. Pascal Monett Silver badge

    "We have a multi-layered security model"

    Yeah. Shame that apparently none of those layers include not publishing passwords in unsecured repositories (cloud or not).

    I don't give a damn about your security model. What just happened is a clear breach of security and if I were a customer I would be raising holy hell right now.

  5. a_yank_lurker Silver badge

    Insultants

    Accenture is just a bunch of insultants of dubious competence.

    1. PNGuinn Silver badge
      Trollface

      Re: Insultants

      "Accenture is just a bunch of insultants of dubious competence."

      I thought that their level of "competence" was somewhat well established by now ....

      Didn't they achieve "Usual Suspect" level of BS whatever approval years ago? ... For diverse meanings of BS?

    2. Dave Harvey
      FAIL

      Re: Insultants

      Come on guys - be fair to them, just look at how well they managed the NHS's National Program for IT! </sarcasm>

    3. allthecoolshortnamesweretaken Silver badge

      Re: Insultants

      I prefer the term consultards. Oh well, potato, tomato.

  6. Mark 85 Silver badge

    AWS S3 Again?

    WTF is it about AWS S3 and all the breeches of late? Why is anyone using it if it's this insecure or set up such that the renter can't secure it? This is an obvious steaming pile....

    1. Walter Bishop Silver badge
      Facepalm

      Re: AWS S3 Again?

      @Mark 85: "WTF is it about AWS S3 and all the breeches of late? Why is anyone using it if it's this insecure or set up such that the renter can't secure it? This is an obvious steaming pile"....

      It's not the fault of AWS per se. What happened is, since moving to the 'cloud', they let go their more experienced staff and hired on minimum wage trainees to do the job. Not having installed/configured a real database, they don't fully comprehend the security implications of relying on a URL to provide security.

    2. Anonymous Coward
      Anonymous Coward

      Re: AWS S3 Again?

      Why is anyone using it if it's this insecure or set up such that the renter can't secure it?

      It's a feature, not a bug. Some people *want* to make their buckets publically accessible, and the end-user can configure their buckets to be so. It's not the default of course; the user has to make an active choice to publish their data to the whole world.

      I'm surprised that Amazon don't sell an "Enterprise S3" service which has public buckets disabled. They could charge more for this.

  7. Androgynous Cupboard Silver badge

    You could not be more right.

  8. Hans 1 Silver badge
    Coffee/keyboard

    “Secure Store” which held a plaintext file of the master access key for Accenture’s account with AWS' Key Management Service,

    Also in that archive were a number of client.jks key stores which, while encrypted, had what appeared to be the passwords to unlock them written down in files next to them in plaintext.

    40 000 plain text passwords

    etc, etc, etc ...

    This, this, this is really the sort of braindead behavior you would expect from Accenture.

    Even on a hardened AWS instance, this is simply braindead, n00bS ... as I have written time and time again, Accenture are a bunch retards.

    Note, again, that you have to "open up" the AWS instance to expose it in this manner, clicking away several WARNINGS in the process ... just saying ...

    Hans 1

    Accenture MHP

  9. Hans 1 Silver badge
    Coat

    including VPN keys to dive into Accenture’s private production network, potentially allowing miscreants into the business's most crucial computers.

    The information involved could not have provided access to client systems and was not production data or applications.

    Hmmmm

  10. Anonymous Coward
    Anonymous Coward

    Cocks

    Accenture run our email system. They have a spam reporting system instruction that goes...

    Drag spam email to desktop

    Zip spam email

    Email spam zip to Accenture

    Delete zip

    Delete original email in Outlook

    The trouble is that they auto-reply to you thanking you for sending the spam email to them, and then go on to tell you how to send a spam email to them, by the very method you have just used. As far as I am concerned their auto-reply is spam as it has no useful purpose. I politely explained this to them and their answer was “you need to set up a rule in Outlook to dump our auto-reply in the bin on receipt”.

    What superb customer service.

    I no longer report spam emails.

    Cocks!

    1. Pu02

      Just setup an autp-reply to their autoreply spam, ie spam their spam!

      .... your autoreply could say you followed their directions to 'put the spam in the can', but that they keep on sending more and that maybe they should do something about it since they own the spam problem, not you?

      Then in Outlook setup another auto delete rule for the avalanche of auto-replies. See who wins, your workstation, or their spam-server. At a minimum you will need to compact your Outlook's .pst file once a day and keep an eye on anything else that might use disk space.

      Perhaps someone should black-list all Insultants from business, as well as IT.

  11. kain preacher Silver badge

    THe cloud just makes it easier for lazy corps to get hacked. Thing is no mater how many times they get hacked they will still be to lazy to fix the issue.

  12. Anonymous Coward
    Anonymous Coward

    ah, Accenture...

    Some years back our regional power utility did not renew their ERP outsourcing contract with Accenture. OK, that in itself is already a bit unusual and it made the papers.

    What was even more unusual is that, in the article, the utility made it very clear that Accenture would not even be considered in the upcoming RFP for the replacement contract.

    Mind you, I'd seen that team at work on an ERP migration for that exact utility - planning to rewrite the ERP vendor's core paycheck engine in late summer, just in time for a Jan 1st mandatory payroll system switchover. Despite not having managed to load any _unconverted_ records from the old system at that time, let alone converted any of them. So coding this all up using faked data and badgering their underpaid sub-contractors - never saw Accenture folk doing any actual work - into signing off the unit tests from that.

    LOL. Un-funny thing though is you can't swing a dead cat around without hitting an ex-Accenture manager in ERP user land.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019