
SoylentNews is people

posted by Fnord666 on Tuesday September 26 2017, @06:42PM
from the left-the-door-open dept.

Bleeping Computer reports that researchers looked into the settings of Amazon S3 servers... and found that the default setting is open (configured to allow public access).

This means that anyone with a link to the S3 server could access, view, or download its content.

Sure, you still need to have the unique link... but there's stuff on GitHub that enables you to "enumerate Amazon S3 buckets" - i.e., get at the secret links. So yeah....

According to statistics by security firm Skyhigh Networks, 7% of all S3 buckets have unrestricted public access, and 35% are unencrypted, meaning this is an endemic problem of the entire Amazon S3 ecosystem.

Oops.


  • (Score: 2) by FakeBeldin (3360) on Wednesday September 27 2017, @08:22AM (#573698)

    A list of "breaches" attributed to this (from the fine article, emphasis mine):

    Below is a (most likely incomplete) list of all the major data leaks caused by companies leaving Amazon S3 buckets configured with public access during the past few months.
    ⬨ Top defense contractor Booz Allen Hamilton leaks 60,000 files, including employee security credentials and passwords to a US government system.
    ⬨ Verizon partner leaks personal records of over 14 million Verizon customers, including names, addresses, account details, and for some victims — account PINs.
    ⬨ An AWS S3 server leaked the personal details of WWE fans who registered on the company's sites. 3,065,805 users were exposed.
    ⬨ Another AWS S3 bucket leaked the personal details of over 198 million American voters. The database contained information from three data mining companies known to be associated with the Republican Party.
    ⬨ Another S3 database left exposed online leaked the personal details of job applications that had Top Secret government clearance.
    ⬨ Dow Jones, the parent company of the Wall Street Journal, leaked the personal details of 2.2 million customers.
    ⬨ Omaha-based voting machine firm Election Systems & Software (ES&S) left a database exposed online that contained the personal records of 1.8 million Chicago voters.
    ⬨ Security researchers discovered a Verizon AWS S3 bucket containing over 100 MB of data about the company's internal system named Distributed Vision Services (DVS), used for billing operations.
    ⬨ An auto-tracking company leaked over a half of a million records with logins/passwords, emails, VIN (vehicle identification number), IMEI numbers of GPS devices and other data that is collected on their devices, customers and auto dealerships.

    Something's rotten in the state of Amazonia.
