“some of which contained usernames, passwords”
Plain text passwords? Jesus wept.... how hard can it be???
Yet another major company has burned itself by failing to properly secure its cloud storage instances. Yes, it's Verizon. Researchers with Kromtech Security say they were able to access an AWS S3 storage bucket that contained data used by the US telco giant's billing system and the Distributed Vision Service (DVS) software …
Pretty hard actually... Especially if you rush to the Cloud cliff-edge like lemmings. Meantime offshore / outsource / shitcan reliable tech staff, because Bonuses are paid out before things collapse! Hello??? Clawbacks needed for Wall Street & Silicon Valley...
https://www.bloomberg.com/gadfly/articles/2017-09-19/equifax-hack-executive-pay-is-still-protected
"AWS and S3's permissions system has got to be some of the most baroque, over-engineered and complicated permissions format ever devised. It's not surprising so many fail to get it right."
Yes, it might take an entire hour to read the S3 permissions docs, so obviously it is a usability problem. It is way too hard.
http://docs.aws.amazon.com/AmazonS3/latest/dev/how-s3-evaluates-access-control.html
You mean that it is hard to write a bucket policy like this, that would restrict access to just certain IP addresses?
{
  "Version": "2012-10-17",
  "Id": "S3PolicyId1",
  "Statement": [
    {
      "Sid": "IPAllow",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::examplebucket/*",
      "Condition": {
        "IpAddress": {"aws:SourceIp": "54.240.143.0/24"},
        "NotIpAddress": {"aws:SourceIp": "54.240.143.188/32"}
      }
    }
  ]
}
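Added illustration (my own example, not code from the thread or from AWS): a small Python evaluator that applies the IpAddress / NotIpAddress conditions of the quoted policy to a source address, plus a lint that flags the statement shape behind open-bucket incidents, an Allow to Principal "*" with no Condition at all. The evaluation is a deliberate simplification of how S3 decides: it models only the bucket policy for an anonymous request, not IAM user policies, bucket ACLs or account-level Block Public Access. The OPEN_POLICY counter-example is constructed for the demonstration and is not from the thread.

```python
import fnmatch
import ipaddress
import json

# The IP-restricted bucket policy quoted in the thread, parsed as-is.
RESTRICTED_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Id": "S3PolicyId1",
  "Statement": [
    {
      "Sid": "IPAllow",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::examplebucket/*",
      "Condition": {
        "IpAddress": {"aws:SourceIp": "54.240.143.0/24"},
        "NotIpAddress": {"aws:SourceIp": "54.240.143.188/32"}
      }
    }
  ]
}
""")

# Constructed counter-example (not from the thread): the same grant with the
# Condition block dropped, i.e. an object readable by anyone on the internet.
OPEN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::examplebucket/*",
    }],
}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _ip_in_any(source_ip, cidrs):
    addr = ipaddress.ip_address(source_ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in _as_list(cidrs))


def condition_matches(condition, source_ip):
    """Evaluate IpAddress / NotIpAddress on aws:SourceIp. Every operator block
    in a Condition must hold (they are ANDed); an operator this toy evaluator
    does not understand is treated as not satisfied (conservative choice)."""
    for operator, keys in condition.items():
        cidrs = keys.get("aws:SourceIp")
        if operator == "IpAddress":
            if cidrs is None or not _ip_in_any(source_ip, cidrs):
                return False
        elif operator == "NotIpAddress":
            if cidrs is not None and _ip_in_any(source_ip, cidrs):
                return False
        else:
            return False
    return True


def is_allowed(policy, action, source_ip):
    """Simplified evaluation for an anonymous request: a matching explicit
    Deny wins, otherwise any matching Allow grants, and no match means deny."""
    granted = False
    for stmt in policy["Statement"]:
        patterns = _as_list(stmt["Action"])
        if not any(fnmatch.fnmatchcase(action, p) for p in patterns):
            continue
        if not condition_matches(stmt.get("Condition", {}), source_ip):
            continue
        if stmt["Effect"] == "Deny":
            return False
        granted = True
    return granted


def public_statements(policy):
    """Lint: Sids of Allow statements granting Principal "*" with no Condition."""
    return [
        stmt.get("Sid", "<no Sid>")
        for stmt in policy["Statement"]
        if stmt["Effect"] == "Allow"
        and stmt.get("Principal") in ("*", {"AWS": "*"})
        and not stmt.get("Condition")
    ]


if __name__ == "__main__":
    for ip in ("54.240.143.10", "54.240.143.188", "10.0.0.1"):
        print(ip, "->", is_allowed(RESTRICTED_POLICY, "s3:GetObject", ip))
    print("public statements in OPEN_POLICY:", public_statements(OPEN_POLICY))
```

Running it shows the two conditions combining: 54.240.143.10 is allowed, 54.240.143.188 is refused because the NotIpAddress block fails even though the IpAddress block matches, and 10.0.0.1 is refused by default. The lint reports nothing for the quoted policy and flags "PublicRead" in the constructed open one; that single check (wildcard principal, no condition) is what most bucket-exposure scanners start from.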
An engineer had made a storage space and put confidential data in it without bothering to secure the vault. Was it company-mandated? Apparently not.
It is simply beyond me that anyone can consider storing data that is considered critical (like the client list, invoicing history, etc) or confidential (access passwords of any kind) on a server that you do not control.
That is obviously not an issue to many people though, including people who 1) should know better and 2) have the required technical level to do things right, yet visibly still don't.
And it's going to get worse before it gets better.