
SoylentNews is people

posted by Fnord666 on Tuesday September 26 2017, @06:42PM
from the left-the-door-open dept.

Bleeping Computer reports that researchers looked into the settings of Amazon S3 servers... and found that the default setting is open (configured to allow public access).

This means that anyone with a link to the S3 server could access, view, or download its content.

Sure, you still need to have the unique link... but there's stuff on GitHub that enables you to "enumerate Amazon S3 buckets" - i.e., get at the secret links. So yeah....

According to statistics by security firm Skyhigh Networks, 7% of all S3 buckets have unrestricted public access, and 35% are unencrypted, meaning this is an endemic problem of the entire Amazon S3 ecosystem.

Oops.


  • (Score: 2) by edIII on Wednesday September 27 2017, @02:35AM (2 children)

    by edIII (791) on Wednesday September 27 2017, @02:35AM (#573628)

    That's just it though, you ARE expected to be there. If they configured the site to be publicly accessible, then there was an expectation of being accessed. For anyone external there is now a server at an IP address/Domain answering queries to properly formatted requests. Nobody external can determine the true intentions of the property owners, beyond the only available evidence: a publicly accessible resource explicitly configured to be so. We don't put up web servers on public IP addresses expecting nobody to drop by :)

    Now of course the site owners can argue. It was their INTENTIONS to secure the data, and the sysadmin responsible can claim IGNORANCE of the configuration settings, but in the end, a publicly accessible resource was created. Not just any resource, but one that is more like a library than a personal home. Its very existence begs it to be accessed from the start.

    That effort required is to do something that would be normal on a public server, so all of those efforts are valid legal behavior on other systems that are indistinguishable from misconfigured systems. I just don't think you can blame the user after the fact for behavior that is otherwise completely innocent. Like you said the "effort" expended to breach a secured system is grossly overstating the matter. It was normal operations, but not something the sysadmin was supposed to allow.

    Now, if every new connection received a splash screen with system policies and a clear indication of secured property, I would side with you on the trespassing since common sense would tell most people that the "building" is private and not a public space.

    --
    Technically, lunchtime is at any moment. It's just a wave function.
  • (Score: 2) by bob_super on Wednesday September 27 2017, @05:17AM (1 child)

    by bob_super (1357) on Wednesday September 27 2017, @05:17AM (#573671)

    It's not a home, it's a store on a street, and they left the door propped open, even if they didn't put up a sign. Curious people may wander in, uninvited and undesired, but not maliciously or forcibly, as implied by "breach".

    Better?

    • (Score: 2) by edIII on Wednesday September 27 2017, @07:18PM

      by edIII (791) on Wednesday September 27 2017, @07:18PM (#573964)

      LOL. Somewhat better. It's really difficult to create laws for this stuff precisely because it is so difficult to explain with real world analogies that we can digest.

      --
      Technically, lunchtime is at any moment. It's just a wave function.