There's a ton of unsecured data on AWS. It's a platform that has so many options and services that it can be very difficult to lock down.
Amazon needs to simplify their platform a little I think.
“Cyber resilience” company UpGuard claims to have found a publicly-accessible AWS S3 bucket full of classified US intelligence data. The company's Dan O'Sullivan says colleague Chris Vickery found an “unsecured Amazon Web Services 'S3' bucket” and that the firm's “Analysis of the exposed information suggests the overall …
"Amazon needs to simplify their platform a little I think."
Have to disagree there. If you're using a certain product which is also publicly accessible then you need to ensure that you know what you're doing. I can understand that things can become confusing at some point, but it's not really an impossible task.
This is of course assuming that all of this actually happened.
Hmm pretty certain I said "can be very difficult" but I can see how that might be read as "impossible".
Yes policy management etc is far from impossible but the larger and more sprawling an AWS solution becomes the more of an administrative effort it becomes to manage it.
Whenever anything in the world of tech tries to do or provide too much you get into trouble.
Take systemd for example. People joke that it will have a word processor built in one day because of its sprawling feature set.
AWS is no different, it's a massive sprawl of different services, packages, products and subscriptions.
I find it unsurprising that with something as wide ranging in scope as AWS that shit slips through the net.
Especially if the hosted infrastructure was developed by a military organisation. I don't know about the US military but the MoD has a horrible habit of overengineering things and creating needless amounts of pointless work.
Because reasons. You'd need a Harvard MBA to understand.
On a tangent: if we're talking military projects that Uncle Sam pays for, why can't a government agency like, say the NSA, provide secure cloud storage for the agencies and their contractors involved?
"why can't a government agency like, say the NSA, provide secure cloud storage for the agencies and their contractors involved?"
Because these days in the US it's all about outsourcing and subcontracting - if a government agency were to do this and these types of configuration errors were discovered then someone would have to resign. But if you sub-contract it nobody gets hurt and many people get rich. Just look at the fall out from Snowden - nothing happened at all but had he been a government employee heads would have rolled and the Republicans would be screaming for blood.
Configuration error my ass! I know the US DoD is shifting to public cloud services, but AFAIK classified data is not supposed to be stored there. There are isolated networks for that. There is no reason that TS data should be on AWS.
More than anything else, though, I am happy I am not the one having to fill out the paperwork on this spillage. If the data simply being on the host machine(s) also constitutes spillage (which it should), then the systems that it is or was previously on will have to be quarantined. Given the nature of cloud services, that would be a... difficult and involved task.
Content should have been secured/encrypted regardless of the server platform used. The information, if classified, shouldn't be left in an open filing cabinet open to all. Maybe a defence contractor, but it's not at all clear whose side they are working for!
Appears to be no configuration rather than a configuration mistake too.
They would be better off using dropbox by the sound of it - at least they don't have to give extra credentials to the NSA...
Whenever I smell Amazon, I think of Marines.
That's the last sensation I had before I cracked up.
The thick smell of Amazon.
When I calmed down, they said they'd stored their files. Cheap. No encryption attached.
Now whenever I think of Marines, I think of two things.
Amazon and trouble.
Bonus thumbs up to those that see the gag.
Ai ja. Some people clearly don't understand cloud computing and think it is secure enough, and bung all their Most Sensitive Data (eg dick pics or titty pics) on any cloud storage - and think it is secure enough.
Cloud storage means you put your Most Sensitive Data on a public server somewhere in the world, and you MUST take precautions to secure said data. It is not like a privately-owned server sitting in a known, secure location in your company's building, and to which access (physical as well as networked) is controlled.
Expect more bloopers and more sensitive data leaks to occur.
Not exactly on topic, but related to comments here. We're using a clown, sorry, cloud offering for our business data storage. Let's agree for the moment to leave aside all other contentious issues of sense, reliability, and such, lol... Anyway, I had an encrypted file container stored there. It's my stash of personal junk - journal, etc.
One day I decrypted the container and found the last six weeks of data GONE. As near as I can figure, here's what happened. Any changes made are saved within the file crypt. The crypt file itself never changes size, and apparently doesn't change "modified date" either. So for some reason, the off-site servers decided to overwrite my crypt file with an old copy which to it looked like the same file.
SO BEWARE, if you're saving encrypted file containers in a "cloud" you might should make sure something about it looks different now and then.
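The failure mode described in the post above, as an added example that is not part of the original comment: a container whose size and modification time stay the same looks unchanged to any comparison based on those two values, while a content hash still detects the edit. The size+mtime comparison is an assumption about how such a sync client decides; the file name and sizes are constructed.

```python
import hashlib
import os
import tempfile

CONTAINER_SIZE = 64 * 1024  # constructed stand-in for a fixed-size encrypted container


def metadata_fingerprint(path):
    """What a size+mtime based sync client compares (assumed behaviour)."""
    st = os.stat(path)
    return (st.st_size, st.st_mtime_ns)


def content_fingerprint(path, chunk=1 << 20):
    """SHA-256 of the file bytes; changes whenever any block changes."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def write_in_place(path, offset, data):
    """Overwrite bytes inside the container, then restore its timestamps."""
    st = os.stat(path)
    with open(path, "r+b") as f:
        f.seek(offset)
        f.write(data)
    os.utime(path, ns=(st.st_atime_ns, st.st_mtime_ns))


def demo():
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "stash.bin")
        with open(path, "wb") as f:
            f.write(os.urandom(CONTAINER_SIZE))
        meta0, hash0 = metadata_fingerprint(path), content_fingerprint(path)
        write_in_place(path, 4096, os.urandom(512))  # "six weeks of changes"
        meta_same = metadata_fingerprint(path) == meta0
        hash_same = content_fingerprint(path) == hash0
        # Workaround from the post: make the file look different to the client.
        os.utime(path, ns=(meta0[1] + 10**9, meta0[1] + 10**9))
        touched_same = metadata_fingerprint(path) == meta0
        return meta_same, hash_same, touched_same


if __name__ == "__main__":
    print(demo())
```

Keeping a recorded hash of the last uploaded container and comparing it after each sync is a way to notice a silent rollback before weeks of data are lost.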
One would hope that a requirement for ANY information to be sitting on a third party cloud provider's servers is military grade encryption. Even if the bucket was secured, Amazon employees would have access to it, as would anyone who hacked Amazon's security. If it is encrypted, then whether it is secured or not, hacked or not, it is kept safe.
Hopefully the person(s) at BAH responsible for placing this data on Amazon are fired and banned from ever getting a security clearance again. Misconfiguration could be excused as everyone makes mistakes, but storing sensitive info on a public service unencrypted shouldn't be.
"One would hope that a requirement for ANY information to be sitting on a third party cloud provider's servers is military grade encryption."
I'd go one further - military and other such data should always be stored encrypted wherever.
Cloud storage is perfectly fine so long as two conditions are met :
1) Don't trust the cloud storage company
2) Don't trust the cloud storage company.
To satisfy rule #1 make sure anything you "backup" or save to "the cloud" is encrypted. Also means if they have any googletastic conditions like "all your data are belong to us forever and we can sell it and shit" (IIRC LinkedIn (may they get sued out of existence ASAP!) and Flickr also have similar conditions - any photos you store on the latter you no longer own the rights to IIRC) - if a file is encrypted and only you have the key, google et al can't do much selling of it/making derivatives of it etc.
To satisfy rule #2 make sure anything you "backup" or save to "the cloud" is NOT your only copy, ie use "the cloud" as a backup but treat it as one that could disappear at any moment (company fails, has a hardware failure, system/operator error wipes your data).
Cloudyness has much to offer if used properly and treated like that friend you're sure is rather "light fingered"1 - have it around, but keep a good eye on it and make sure it can't mess with anything that truly matters.
1 Or that friend who "knows lots about IT stuff" and thoroughly screws up your media centre by faffing around with things "to make it better". Or screws up your sound system, or turns your car into an under-performing turd (not a problem for Ford owners - they're already under-performing turds (your choice as to whether I mean the car or the owner)).