Following recent reports of AWS users experiencing security issues, the Flaunt Digital team discuss what has actually happened and how businesses can protect their servers… Want to watch more videos like this? Make sure to subscribe to our YouTube channel.
See below for the full video transcription.
VIDEO TRANSCRIPTION
Jamie: Alright the next topic we’re gonna touch on is a recent one that BBC have covered and plenty of others have covered and it’s all to do with Amazon leaking data. Now that, sort of, headline or topic in itself is a bit controversial because what’s happening here, and Amazon have become aware of it, is even though they are responsible for providing these services that offer this data they’re not responsible for the actual leaks. So what Amazon do with the web service offering, as you may well know, is that they provide essentially building blocks for you to go away and build an infrastructure. Whether that’s a web server, a database server, a file hosting service or anything like that. You can go ahead and do that and all the provisions are in place for you to create a fully secure and efficient, you know, really good platform.
But you can misuse these things and people keep getting found out on Amazon web services, S3 in particular which is a file hosting service. And what happens is it sort of tarnishes Amazon’s name a little bit if people just attribute it back to them. And what’s happening now is there’s tons of data leaks that seem to be coming out almost on a monthly or weekly basis regarding huge privacy related documents and images, etc. So the WWE has been caught up in it, Uber too. This was all in the last 18 months. Essentially what’s happening is they’re opening up these S3 buckets, as Amazon called them, to public so anybody can look at them. Obviously they’ve done this by accident, it’s a misconfiguration but historically with Amazon AWS S3 it’s been a little bit easier to do that by accident.
Now AWS S3 was the first Amazon web services offering so it’s old, really old, compared to the rest of the stuff anyway. And way back when, obviously, these type of practices for securing these things was a little bit…it’s not as obvious as it is today, for example. So I logged in earlier and if you create a bucket now as public it’s quite difficult to do it and you get loads of warnings, and even if you look in your list of buckets if you’ve got any public ones it’s really obvious. It’s in, like, bright yellow and it says it at the top, it says it at the side, and they make it really obvious that you’re opening up to everyone. So it’s…
Lee: Well that system and setup in itself was done as a way of sharing collaborative and encouraging collaboration between, like, I know NASA did it as an open source, sort of, document store for collaboration. And that’s, sort of, getting smashed for it being insecure when that’s its purpose essentially.
Jamie: Yup and I think one of these companies that they cited or leaks they cited, the company in question had actually acquired another company which had set it up. So it’s not even their fault. It’s, like, you’re acquiring this infrastructure and, you know, it needs vetting. So what the BBC have said here is there’s actually a group of guys that are going around now and finding these leaky buckets, as people like to call it, and…
Lee: No one likes a leaky bucket.
Jamie: And notifying the administrators before the bad guys get to it. Which is obviously a nice thing to do. And there’s even tools coming out. Saw one called Buck Hacker or something earlier and it looked offline for the time being but someone had made a really easy Web UI for finding these things. So it basically just crawls all these buckets and looks for ones that are dodgy and then exposes them so you can find them. So it’s got to that level and it’s pretty bad.
But Amazon have come out and acknowledged this just recently and what they’ve got is Amazon have got a trusted adviser service, and that used to be a bit of a premium offering. You’d have to pay a bit more for and it’s more enterprise level, but they’ve been slowly moving parts of it into the free tier, basically, so you don’t have to pay for it. And what it does it basically just lists everything to do with your Amazon account and it can make cost efficiency suggestions, it can make security suggestions, and there’s tons of stuff. But they basically annexed off all the really cool stuff for if you pay a bit more money. So what they’ve done is they’ve basically taken this S3 security check and moved it into the public offering now, the free offering, and so anyone can do it.
And you just click on trusted adviser, you let it load for a minute, and it’ll just tell you if you’ve got any public writable. It’s, like, a big red flag obviously. Public readable is, like, an orange flag. Anything else is green. It’s just, like, really easy. Like a checklist system and it points out exactly what’s wrong and which bucket’s wrong. You know, been misconfigured or potentially misconfigured and it just lets you click through so you can fix it. So Amazon have realized now that they need to take a little bit of responsibility for this.
Then I mentioned the UI and UX and stuff and that’s come a long way the last few years, especially with these older services like S3. So now it is pretty difficult to make a public readable bucket, let alone a public writable one. And you get plenty of warnings now and you have to, like, go out of your way to click it and stuff. So it’s a lot more obvious what you’re doing now and it didn’t used to be like that. So a lot of these leaks are probably people that set these up years ago and the data’s just been dormant, and maybe no one’s even logged into Amazon or S3 or anything for years. And then now that it’s becoming more apparent, it’s in the news, hackers are, you know, spending a bit more time messing around trying to find these things. And there’s treasure troves of data that have been leaked.
I don’t know…I looked at one earlier and it had, like, everyone’s driver’s licenses on it and stuff. It’s like, God, you need to be a bit more careful if you’re storing stuff like that. I can’t remember which company that was but it’s like three year’s worth of every customer’s, like, driving license photocopied and stuff.
Chris: GDPR init.
Lee: Some of the ones that have been listed out in the last 18 months are Uber, Verizon, WWE, US Defense, Dow Jones, so big, big people.
Jamie: Yeah. Yeah, it’s bad. So, yeah, if you’ve got an Amazon account and you’ve ever used S3 just click trusted adviser. That’s basically all you have to do and it’ll tell you. It’ll just flag you up. So we’ve got a public readable S3 bucket. Not public writable, public readable, so it’s not quite as bad. And all we’re storing there is our email signatures. So that came up yellow for us but obviously we want that public readable. But it’ll, you know, some of them are exceptions. You can exclude them from your checks once you’ve seen it and you’ve looked and you’ve gone “Okay, that’s that. Okay, I know that.” So yeah. Just make sure you separate your buckets out, too, and then you don’t end up creating stuff in a bucket with read permissions that you wanted to be private.
Lee: No one wants a leaky bucket.
Jamie: Exactly. I don’t know why they’re called buckets. Bit of a weird name, isn’t it really? But yeah.