When it absolutely, positively needs to be leaked overnight: 120k FedEx customer files spill from AWS S3 silo

Another day, another unsecured Amazon Web Services S3 storage bucket spilling secrets onto the public internet. This time it's a misconfigured AWS cloud silo belonging to FedEx, which openly exposed an archive of more than 119,000 scanned documents – including passports and drivers' licenses – plus customer records including …

  1. Anonymous Coward
    Anonymous Coward

    Would it be too much for "locked down" to be the default ACL when setting up an AWS instance...requiring manual intervention to make it accessible to anything outside the same instance?

    1. Anonymous Coward
      Anonymous Coward

      No. Which is why that's what S3 does.

    2. foo_bar_baz
      Big Brother

      They are.

      Even says so in TFA.

    3. OnlyMee

      End user issue

      Working on IBM Cloud, this would be a good time to blame a competitor, but in fact the end customer is at fault here. S3 bucket ACL is fully private by default, allowing access to the bucket owner only (not even other admins on the same account). You need to explicitly change the policy to get into a mess like this one.

      I have been sorting out a mess on a few customer cases with badly configured buckets. When customers change their buckets to open to all, they usually don't understand that they are doing that, and that is because they generally aren't directly applying the change in the portal or with the CLI.

      What actually happens is customers start to use a Python, Java or JS library in their application to use S3 directly as a storage backend. A good example I know would be Django-Storage (https://simpleisbetterthancomplex.com/tutorial/2017/08/01/how-to-setup-amazon-s3-in-a-django-project.html). These libraries expect you to pass AWS console API keys as env variables and do "required changes on buckets they create..."

      As these libs were for the most part designed as storage for website static assets like user-uploaded public profile pics, security has never been much of a design point. Next some dev figures these libs are also pretty handy for storing more sensitive content. I mean, once configured with the backend, they are just a tag you can use directly in web forms, a security review is not part of the CI/CD test suite, and the rest is history...
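The point above, that a bucket starts owner-only and only becomes public through a grant or policy somebody (or some library) adds, can be checked from the defender's side. The audit below is an added example, not code from the thread, from FedEx or from django-storages: it reads the ACL and bucket-policy shapes that boto3 returns and flags the AllUsers grant a "public-read" ACL leaves behind; the sample ACLs, policy, bucket name and owner id are constructed.

```python
# Added example: flag an S3 bucket that is public via an ACL grant or a bucket policy.
# Inputs follow the shapes boto3 returns: get_bucket_acl() dict, get_bucket_policy()["Policy"] JSON.
import json

# Canned group URIs AWS uses for "everyone" and "any AWS account holder".
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}

def acl_findings(acl):
    """One finding per grant to a public group (what a 'public-read' ACL leaves behind)."""
    out = []
    for g in acl.get("Grants", []):
        grantee = g.get("Grantee", {})
        group = PUBLIC_GROUPS.get(grantee.get("URI"))
        if grantee.get("Type") == "Group" and group:
            out.append(f"ACL grants {g.get('Permission')} to {group}")
    return out

def _is_everyone(principal):
    """True for Principal "*" or {"AWS": "*"} (also when "*" sits inside a list)."""
    if principal == "*":
        return True
    aws = principal.get("AWS") if isinstance(principal, dict) else None
    return aws == "*" or (isinstance(aws, list) and "*" in aws)

def policy_findings(policy_json):
    """One finding per Allow statement open to everyone. Conditions are deliberately not
    evaluated, so a statement narrowed by e.g. aws:SourceIp is still surfaced for review."""
    out = []
    for s in (json.loads(policy_json).get("Statement", []) if policy_json else []):
        if s.get("Effect") == "Allow" and _is_everyone(s.get("Principal")):
            acts = s.get("Action", [])
            out.append(f"policy allows {', '.join(acts) if isinstance(acts, list) else acts} to everyone")
    return out

def audit_bucket(name, acl, policy_json=None):
    """Combine both checks; 'public' is what the owner should be asked to confirm in writing."""
    findings = acl_findings(acl) + policy_findings(policy_json)
    return {"bucket": name, "public": bool(findings), "findings": findings}

# Constructed samples: the owner-only ACL a new bucket starts with, the same ACL after a
# library added a READ grant to AllUsers, and a policy granting s3:GetObject to "*".
OWNER_GRANT = {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"}
PRIVATE_ACL = {"Owner": {"ID": "owner-id"}, "Grants": [OWNER_GRANT]}
LEAKY_ACL = {"Owner": {"ID": "owner-id"}, "Grants": [OWNER_GRANT, {"Permission": "READ",
    "Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}}]}
LEAKY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})
```

Against a live account, feed `audit_bucket` the output of `s3.get_bucket_acl(Bucket=name)` and `s3.get_bucket_policy(Bucket=name)["Policy"]` for each bucket from `list_buckets()`; a bucket with no policy raises `NoSuchBucketPolicy`, which is the owner-only case.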

  2. elDog

    When companies slurp other companies for lotsa dinaros, is there some hold-back

    For assurances that the acquired company actually has the goods, and that the goods are well-secured? Is this something one of those big London insurers guarantees for 10 years?

    And how does one place a value on a 3-year-old passport with lots of other information? Is the value to Bongo or FedEx or to the document owner? How to recompense the actual document holder when her private details are broadcast several years later?

    Along with "who owns my genes", we have monumental issues of ownership and privacy. And these issues aren't something that "my" government (US) wants to take up except to rape our freedoms even more.

  3. Daggerchild Silver badge
    Mushroom

    I give up

    Seriously. If this goes without a punishment you can see from orbit, what is the point anymore.

    To keep things simple, maybe there should be an International Treaty of Finey McFineyface.

    By law, every identity database must have his identity. Any entity found anywhere with an accessible part of this screamingly searchable identity will be automatically fined no questions asked, with the fine exponentially increasing with each occurrence.

  4. Yet Another Anonymous coward Silver badge

    Productivity

    In the old days you would have to go out to a club, get drunk and leave a laptop in the back of a taxi.

    Now with 21st century internety cloudy multi-something services you can do it all from the comfort of your desk.

  5. Anonymous Coward
    Anonymous Coward

    'hosted by a third-party / discontinued after acquisition'

    Same old get-out-of-jail-free card.... Blame the contractor / blame the acquired-corp... Claim 'no evidence' exists the data was ever used etc. Because, and let's be clear here, you're sure not going looking for any!

  6. Lazy Jack
    Mushroom

    Expand GDPR

    I suggest we expand GDPR. Expand the scope to the whole world and expand the fines from 4% / 20M to being nuked and shot in the back of the head.

    Looks like that is the only lesson the IT world will learn.

    1. Muscleguy

      Re: Expand GDPR

      I blame the suits. This sort of stuff happens when some technophobe suit, often an older man, can't or can't be bothered to remember his password and bullies the sysadmin to change the flags to make login easier.

      1. Anonymous Coward
        Anonymous Coward

        Re: Expand GDPR

        "I blame the suits."

        I don't. How often does anyone in a suit go near the data?

        This is what happens when you let developers think they can do DevOps without actually knowing anything about Ops. The mindset is "I'll just stick this data up here in the cloud, oh, I can't get to it from the office, I'll just turn off all the security".

        I would bet you all my pay that there's been no sysadmin involved in the process.

        1. Anonymous Coward
          Anonymous Coward

          DevOps

          For those that can't do Dev.

          1. handleoclast

            Re: DevOps

            Or Ops.

        2. Adam 52 Silver badge

          Re: Expand GDPR

          I tend to blame both. Developers are sloppy and set permissions to get their app working. Suits motivate them to do that by rewarding quick development over secure development.

          1. Rocket_Rabbit

            Re: Expand GDPR

            The buck stops with the Management though. They're the ones who accept the risk and whom the targets cascade down from.

      2. Doctor Syntax Silver badge

        Re: Expand GDPR

        "This sort of stuff happens when some technophobe suit, often an older man, can't or can't be bothered to remember his password"

        Older man? Sounds more like a millennial.

    2. Doctor Syntax Silver badge

      Re: Expand GDPR

      "I suggest we expand GDPR. Expand the scope to the whole world"

      If the operation covers any EU residents it will be within scope. For those of you who are non-EU residents dealing with non-EU businesses, you need a regulatory system that will look after you better. At least even the Brexit-minded HMG has to put it into UK law so it will apply even when we're outside the EU.

  7. Adam 52 Silver badge

    "no one seems to be paying any attention"

    A bit harsh. I paid attention and deleted a few buckets that the tool flagged. They were false positives but easy enough to fix. I imagine thousands of others have too, we just don't come to the attention of the press.

  8. David Roberts
    Holmes

    Alternative suggestion

    AWS scan the bit buckets and mail the owners asking for positive confirmation that the bucket should be public.

    Without a positive response the bucket is locked down until the owner confirms in writing that it should be public.

    That should at least clear all the forgotten ones, and may even make some people think before they click on the prompt to open the whole thing up to the world.

  9. MachDiamond Silver badge

    A good hack

    "There is no evidence that the data was compromised" can also be construed as "The hackers were very competent and didn't leave any fingerprints".
