back to article Aw, not you too, Verizon: US telco joins list of leaky AWS S3 buckets

Yet another major company has burned itself by failing to properly secure its cloud storage instances. Yes, it's Verizon. Researchers with Kromtech Security say they were able to access an AWS S3 storage bucket that contained data used by the US telco giant's billing system and the Distributed Vision Service (DVS) software …

  1. Anonymous Coward
    Anonymous Coward

    “some of which contained usernames, passwords”

    Plain text passwords? Jesus wept.... how hard can it be???

    1. Anonymous Coward
      Anonymous Coward

      "how hard can it be???"

      Pretty hard actually... Especially if you rush to the Cloud cliff-edge like lemmings. Meantime offshore / outsource / shitcan reliable tech staff, because Bonuses are paid out before things collapse! Hello??? Clawbacks needed for Wall Street & Silicon Valley...

      https://www.bloomberg.com/gadfly/articles/2017-09-19/equifax-hack-executive-pay-is-still-protected

    2. macjules Silver badge

      It is not hard at all. It is simply down to plain laziness. I have a policy for my company that no passwords or usernames be stored on GitHub, Confluence, Jira or anywhere but LastPass for Teams. Getting people to stick to that method is the hard bit.

  2. Fazal Majid

    Usability is to blame

    AWS and S3's permissions system has got to be some of the most baroque, over-engineered and complicated permissions format ever devised. It's not surprising so many fail to get it right.

    1. Anonymous Coward
      Anonymous Coward

      Re: Usability is to blame

      Big companies have no excuses. They can clear afford to hire people to have it done right, but wont.

      1. Anonymous Coward
        Anonymous Coward

        Re: Usability is to blame

        No, they can't because they have to pay back their investors first, before they blow you off and sell out.

    2. Tom Samplonius

      Re: Usability is to blame

      "AWS and S3's permissions system has got to be some of the most baroque, over-engineered and complicated permissions format ever devised. It's not surprising so many fail to get it right."

      Yes, it might take an entire hour to read the S3 permissions docs, so obviously it is a usability problem. It is way too hard.

      http://docs.aws.amazon.com/AmazonS3/latest/dev/how-s3-evaluates-access-control.html

    3. macjules Silver badge

      Re: Usability is to blame

      You mean that it is hard to write a bucket policy like this, that would restrict access to just certain IP addresses?

      {

      "Version": "2012-10-17",

      "Id": "S3PolicyId1",

      "Statement": [

      {

      "Sid": "IPAllow",

      "Effect": "Allow",

      "Principal": "*",

      "Action": "s3:*",

      "Resource": "arn:aws:s3:::examplebucket/*",

      "Condition": {

      "IpAddress": {"aws:SourceIp": "54.240.143.0/24"},

      "NotIpAddress": {"aws:SourceIp": "54.240.143.188/32"}

      }

      }

      ]

      }

      1. Anonymous Coward
        Anonymous Coward

        Re: Usability is to blame

        Yes, because if you put the wrong numbers in, you end up locking YOURSELF out.

  3. Anonymous Coward
    Anonymous Coward

    Is it just me ..

    .. or has finding unsecured content on AWS become somewhat of a sport?

    Un-friggin-believable.

    1. Anonymous Coward
      Anonymous Coward

      Re: Is it just me ..

      It is ehunting. Github is more prolific about tokens, keys and passwords.

  4. Pascal Monett Silver badge

    This is exactly why I don't like the Cloud

    An engineer had made a storage space and put confidential data in it without bothering to secure the vault. Was it company-mandated ? Apparently not.

    It is simply beyond me that anyone can consider storing data that is considered critical (like the client list, invoicing history, etc) or confidential (access passwords of any kind) on a server that you do not control.

    That is obviously not an issue to many people though, including people who 1) should know better and 2) have the required technical level to do things right, yet visibly still don't.

    And it's going to get worse before it gets better.

  5. David 55

    Disable file listings already!

    Amazon should really have made the ability to let others do file listings on a bucket that you own an obscure feature hidden away in the permissions. I can barely imagine a usecase for it.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019