Dear El Reg
I'm waiting for a story on a Cloud bucket that hasn't leaked data yet ... you think you'll ever post that?
Online medical consultation service iCliniq left thousands of medical documents in a publicly accessible Amazon Web Services S3 bucket. iCliniq locked down the online silo earlier this week only after the slip-up was brought to its attention by German security researcher Matthias Gliwka. He approached El Reg after failing to …
Some organisations are remarkably ignorant about this. Doing an audit once on a government-related site we noticed that SNMP was turned on for printers with no security. We drew the attention of the management to the fact that anybody in IT with a simple monitor could read the files printed by most of the larger machines - so allowing people in HR to print files with titles like "Proposed headcount reduction 20xx" was probably not a clever idea.
Another organisation was set up so that documents printed in London went through print servers in the Midlands managed by IT workers in the North. Again simple inspection of print server records revealed interesting stuff.
There's a number of printers that need to have SNMPV3 as the only SNMP port, and a number of companies that really should think hard about not putting sensitive stuff through print servers.
Printers are a gold mine. In my most recent employer, their printers were configured with secure badge access to make a print job come out, "'cause HR and Legal print lots of sensitive documents".
Not so useful if they leave the admin passwords at the default 12345678 so anybody can walk up, log in, inspect the print queues, and reprint on demand... Perhaps out of office hours.
AWS has a self certifying protocol that is pretty comprehensive, actually. If you have actually paid attention and used the protocol to ensure you are following best practices, those buckets have been secured.
Completion of the protocols is then reviewed by Amazon and if passed “Advanced Parter” status is bestowed unto that company
To complete the protocols isn’t exactly trivial, but not impossible or even unlikely. Adherence to the protocols may slow down development slightly at worse until developers figure out how to work on their environment in a secure manner.
My opinion is that there is a certain class of software companies that have completely embraced “Agile” and behave like they are building gaming apps for cell phones, even if they are really building enterprise products that require a much more respectful attitude re: security than the current “We can do it this way and fix it properly if anyone notices”.
Tech has turned into such a self-entitlement short-sighted industry like Banksters. Founders always get paid but security / privacy remains crap while most employees are a disposable service. Slow car crash happening.
We all work in this business and yet most have to watch from the sidelines as our advice gets ignored. Tech exists now just to serve the elite who always over pay themselves while everyone else gets to take a haircut!
The buck hacker site - https://thebuckhacker.com as well as a couple of others I've seen have a massive list of open AWS S3 buckets along with the files contained. I can name two huge companies off the top of my head - Experian and Virgin that have open buckets to the public! Experian is a credit reporting company with sensitive information on record and should NOT have an open bucket like that. It is ridiculous the amount of companies that don't secure theirs.
if you are hosting public content, you will have publicly accessible buckets. The existence of public buckets doesn't mean that the sensitive info is in *THAT* bucket, even if you are Experian.
I know companies that host their publicly available content in Amazon rather than a CD network, and also was other buckets that are properly secured...AWS advanced certification and all that...
Biting the hand that feeds IT © 1998–2019