7% of All Amazon S3 Servers' Settings Are Open, Leading to Breaches

posted by Fnord666 on Tuesday September 26, @06:42PM
from the left-the-door-open dept.
Security

FakeBeldin writes:

Bleeping Computer reports that researchers looked into the settings of Amazon S3 servers... and found that the default setting is open (configured to allow public access),

This means that anyone with a link to the S3 server could access, view, or download its content.

Sure, you still need to have the unique link... but there's stuff on Github that enables you to "enumerate Amazon S3 buckets" - i.e., get at the secret links. So yeah....

According to statistics by security firm Skyhigh Networks, 7% of all S3 buckets have unrestricted public access, and 35% are unencrypted, meaning this is an endemic problem of the entire Amazon S3 ecosystem.

oops.

  • (Score: 0) by Anonymous Coward on Tuesday September 26, @07:11PM (1 child)

    Bleeping Computer reports that researchers looked into the settings of Amazon S3 servers... and found that the default setting is open (configured to allow public access),

    You need a 'researcher' for looking at a setting? Where can I get my lab-coat, because I'm a researcher too...

    • (Score: 0) by Anonymous Coward on Tuesday September 26, @07:33PM

      You need a 'researcher' for looking at a setting? Where can I get my lab-coat, because I'm a researcher too...

      You will be dragged away in overly tight handcuffs after being body-slammed to the ground, kicked, and beaten. Only an elite few are called "researcher" and allowed to look for cracks in the e-pavement without retribution. Nobody knows who these people are. Cynically I believe they don't exist; it's all part of a clever plot, the mechanics of which are beyond my simple-mindedness.

  • (Score: 4, Interesting) by nobu_the_bard on Tuesday September 26, @07:23PM

    93% of them then are locking it down! That should be the headline! People less stupid than anticipated!

  • (Score: 2) by bob_super on Tuesday September 26, @07:38PM (1 child)

    If it's left open, then it's not a breach.
    It's trespassing, not "breaking and entering".

    • (Score: 0) by Anonymous Coward on Tuesday September 26, @07:55PM

      Considering it's a public server on the WWW I think you'd have a pretty hard time arguing that it was trespassing.

      Many of the people setting up the buckets probably don't care. I would guess easily 7% of S3 buckets are used for irrelevant toy projects or testbeds.

  • (Score: 3, Informative) by rigrig on Tuesday September 26, @07:49PM

    From the docs [amazon.com]

    By default, all Amazon S3 resources are private. Only a resource owner can access the resource.

    or as a link from TFA states [acloud.guru]

    Let’s clear the FUD.
    Here’s what you need to know to lock down an Amazon S3 bucket.
    Step one: do nothing.
    Yes, do nothing because — like all other AWS services — the default configuration provides a strong security posture right out of the gate.

    And unless I'm mistaken, aren't some people using these things to host Stuff, and they actually want said Stuff to be accessible by everybody? That could explain 6.99% (plus 0.01% incompetents making private data world-readable.)

    What's next? "Security researchers determine 89% of all websites publicly accessible!" (I'm just wildly making up the numbers of 10% internal websites, 1% misconfigured servers.)

