Poorly Configured AWS S3 Bucket Exposes More Personal Data Once Again

DooKey ([H]F Junkie, joined Apr 25, 2001, 13,473 messages)
Once again a poorly configured AWS S3 bucket has exposed millions of users personal data. The culprit this time is social network data aggregator LocalBlox and they left their bucket of 48 million records open for anyone to take a look at. The information contained names, addresses, DOB, Twitter handles, and Zillow real estate data. All of this data was linked by IP addresses. Who knows if or when anyone will be notified if their data was exposed?

Poorly configured AWS S3 buckets have been a source of shame for Amazon Web Services and its users. Last year, the cloud platform giant introduced a tool to warn customers about insecure storage setups and earlier this year made the business version of the tool free, to avoid embarrassment by association.
 
I really want the execs of these companies to be forced to commit seppuku, televised / streamed live, every time their company does something like this. Bet it will only take a few for security to become a more major concern for people.
 
And this will continue to happen until these companies are held legally liable for failing to protect user data.

Just think $100 per bit stolen paid to the governments of countries of people involved would erase all debt around the world in 1 year.
 
I wonder, if what we all know today about online privacy and data collection bs.

If we all knew that before ever using the net, would we still use it ?

It might have turned out differently if we knew beforehand that we have absolutely no privacy whatsoever.
 
There used to be an infosec guy at my last job that was really anal about everything. Like, just coming into your cubicle and talking to you for nearly an hour about bit9, backups, etc etc. It was supremely annoying. I heard later on that after he'd left the position, the company neglected hiring someone else to replace him for about a year. Subsequently, they had several breaches due to spam getting through, and employees clicking all sorts of links. Come to find out, the Barracuda firewall appliance hadn't gotten some crucial firmware updates since the guy had left. Definitely made my ass a bit more serious about IT security at any level of an organization.
 
How many buckets will they continue to leave open until solving the problem? 11?
 
It sounds like this is just scraped data that was already available online? At least no new data was mined, this is just a handy compilation of data that was already out there.
 
It seems like Amazon could force companies to use better security. To a point. They'd at least protect themselves a little by trying to stop this crap.
 
It seems like Amazon could force companies to use better security. To a point. They'd at least protect themselves a little by trying to stop this crap.
How? You buy a service from amazon, make a bucket, and then configure it as needed. Even if amazon defaults everything to only allow access to whichever administrative account created the bucket, the moment that dumb admin starts fiddling with permissions it's completely out of their hands.

This is the equivalent of me renting you a house, giving you the keys, then you leaving them in the lock and complaining when someone just walks in and takes something.
 
S3 UI has been updated a lot to current where you get a big old "public" tag on your like 1 bucket used for static web hosting.
It's harder than it was before for someone to just deploy a bucket open to the world, but then again I found someone that'd forgotten a MySQL instance they'd left up since 2011 read/write open to the world.

Sadly one of the most common things I've seen lately is when someone doesn't know how to use roles working in Redshift or trying out machine learning will open access to a bucket bc they get super frustrated when their job won't kickoff.

I mean, we aren't any farther away from 10 years ago when I found someone had opened read/write access to the world on an appliance bc they couldn't figure out how 10.10.0.0/24 and 10.10.0.80/20 conflicted. They were literally trying to push data across the open Internet within an Oracle install.

You can use Lambdas to monitor and jail stupidity. You can also have Lambda deal time limited elevated credentials like how people used to/still use Chef. It eliminates having to manage sidecar monitoring instances. I prefer limiting access and simply locking people into their lane with a combination of Service Catalog and explicitly written IAM policies......maybe a few ACLs and NACLs for filtering.
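As an added example (not code from the thread, from LocalBlox or from AWS), here is the kind of check a monitoring Lambda like the one described above would run over a bucket's ACL and policy: it flags ACL grants to the AllUsers/AuthenticatedUsers groups and Allow statements with a wildcard principal and no Condition. The sample ACL, the two policies and the `vpce-PLACEHOLDER` endpoint id are constructed, and the boto3 calls that would fetch real ACLs and policies are left out so the check runs offline.

```python
import json

# Group URIs that S3 ACLs use for "everyone" and "any AWS account".
PUBLIC_GRANTEES = {"http://acs.amazonaws.com/groups/global/AllUsers",
                   "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}

def public_acl_grants(acl):
    """(group, permission) pairs in a GetBucketAcl-style dict that reach everyone."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEES:
            findings.append((grantee["URI"].rsplit("/", 1)[-1], grant.get("Permission")))
    return findings

def _wildcard_principal(principal):
    """True when a statement's Principal is "*" or {"AWS": "*"} (anyone at all)."""
    if principal == "*":
        return True
    aws = principal.get("AWS") if isinstance(principal, dict) else None
    return aws == "*" or (isinstance(aws, list) and "*" in aws)

def public_policy_statements(policy_json):
    """Sid (or index) of each Allow statement with a wildcard principal and no Condition."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a policy may hold one statement object, not a list
        statements = [statements]
    return [stmt.get("Sid", f"statement[{i}]") for i, stmt in enumerate(statements)
            if stmt.get("Effect") == "Allow" and _wildcard_principal(stmt.get("Principal"))
            and not stmt.get("Condition")]

# Constructed samples (not LocalBlox's real configuration, which the thread never shows).
SAMPLE_ACL = {"Owner": {"ID": "ownerid"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "ownerid"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"}]}
OPEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-records/*"}]})
# The same grant restricted to one VPC endpoint is not world-readable and is not flagged.
SCOPED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "VpcOnly", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-records/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-PLACEHOLDER"}}}]})

if __name__ == "__main__":
    print("ACL:", public_acl_grants(SAMPLE_ACL))             # [('AllUsers', 'READ')]
    print("policy:", public_policy_statements(OPEN_POLICY))   # ['PublicRead']
    print("scoped:", public_policy_statements(SCOPED_POLICY)) # []
```

A real deployment would feed `get_bucket_acl` and `get_bucket_policy` output into these functions and alert (or revert the change) on any non-empty result; a Condition makes a statement scoped, not necessarily safe, so flagged-but-conditioned statements still deserve review.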
 
Well, there's no penalty for mishandling private information, so there's no incentive in paying extra for a good admin. Can't help but wonder how far down the rabbit hole this apathy over privacy can keep going.
 
Well, there's no penalty for mishandling private information, so there's no incentive in paying extra for a good admin. Can't help but wonder how far down the rabbit hole this apathy over privacy can keep going.
There's slightly more to it than that unfortunately. Dumb "admins" are certainly a part of it.

When I wound up with my current position, one of the first things I started doing was locking crap down because the previous admins had left things wide open. Of course the moment I did that, all hell broke loose and I had to sit down and explain everything to upper management, who were then shocked about the lack of anything resembling security. Over the next few weeks we'd have users asking why they no longer had access to things, and we'd tell them they'd need manager approval. The next day the manager would respond and wonder why they even needed access to what they were requesting and would then say "no", and lo and behold, the user went back to doing their job like normal without needing whatever nonsense it was they were digging around in.
 