
Oooohhh Nooooo
Sounds like a major titsup. And that awsacp0175 account looks like a generic login. I bet their security policy doesn't like those.
Someone's P45 is on the way I think.
Yet another organization has been caught exposing sensitive data to the public internet: this time it is Accenture – consultants to the great and the good – with a misconfigured AWS S3 bucket leaking access keys and other private documents. On September 17, veteran cloud watchdog Chris Vickery at security shop Upguard found …
"Chris Vickery at security shop Upguard found four AWS S3 storage buckets open to the public"
As I understand it that would take a deliberate effort. I can't imagine why you would ever want public access to bucket storage... And it implies an utter lack of security controls / reviews.
I have a few buckets in S3 and they are all deliberately open for public read access. A common way to do this is with HTTP(s) authorization headers. This way you can open them for specified HTTP methods like GET only. All cloud vendors have tutorial code for this on their website. I think serving public web assets with CloudFront accelerations is actually by far the most common object storage use case?
However, people don't seem to understand what these headers do and just copy code outright to use cases where it is really not appropriate.
If you guys want to have a field day with S3 buckets check this out. https://www.darknet.org.uk/2017/09/awsbucketdump-aws-s3-security-scanning-tool/ I was playing with this and a brute-force subdomain scanner, and as a result I am sure I could start a twitter account called fortune500_RSA_key_dump as there are enough major company keys there to dump one each day.
Ps. Sorry to post anonymously, but found my own company keys there as well.
"Someone's P45 is on the way I think."
Several one would hope. The whole chain of command that allows someone to set up sensitive stuff like this without someone else performing a sanity check.
It's all very well to make reassuring sounds about multiple layers of security waffle waffle. Having multiple layers isn't very useful if you hang up a set of keys on the front of the building. I think I'd like reassurance at a greater level of responsibility and understanding than a PR mouthpiece. These bankers handle my pension.
Someone's P45 is on the way I think.
I suspect you don't have much knowledge of companies such as Accenture or Deloitte.
Right now someone is very busy creating an amazing PowerPoint presentation which will detail what the problem was, how 'we' discovered it, how 'we' dealt with it and how the naughty offshore sub-contractor has now been severely reprimanded and standards put into place to ensure this never, ever happens again.
Right now someone is very busy creating an amazing PowerPoint presentation which will detail what the problem was, how 'we' discovered it, how 'we' dealt with it and how the naughty offshore sub-contractor has now been severely reprimanded and standards put into place to ensure this never, ever happens again.
Yes, I can confirm that - that is exactly what's going to happen. Someone will probably even be promoted over this.
To be fair to awsacp0175, he or she probably couldn't get past page 123 of the Accenture S3 procedures and standards documentation.
Remember, this is Accenture we are talking about, the outfit that measures progress (and billing) by the page count of documents presented to the customer.
Why is the article written with the odd assumption that no one found those before the white hat researcher?
Maybe because it's Accenture. Just because a bank vault is left wide open doesn't mean there's money in it. Do Accenture know enough about anything for that knowledge to be worth stealing?
A former boss was a huge fan of cloud. In his mind, cloud was more secure because the provider had a dedicated staff working around the clock, focusing on nothing other than constant network and security analysis.
I am one holey bucket away from declaring this notion utter hogwash. The most dedicated team of crack security analysts will never be able to fully protect data from the risk of lazy or incompetent admins. Your typical on-prem shop may not have a 24/7 NOC and security staff, but threat actors will at least need to go through the formality of breaching the network in order to gain access to that [Everyone/Full Control] file share that some idiot admin just created.
Don't forget that the cloud providers, bit barn landlords and outsourcers make all sorts of rash and half-true promises, but what REALLY differentiates them from in house, is
1) A marketing budget and greasy, heavily incentivised salesmen. What is the in house team's marketing budget? And how many professional salesmen can it deploy with your own directors?
2) Even if that weren't a problem, the outsource team have more access to your directors than you'll ever get. Faced with dull senior manager Bob from IT coming to demand another bucket of cash for a server refresh, or the offer of golf and a free lunch with Scumbaghost's Galactic President of Customer Service EMEA (or a free "fact finding" visit to Prague), where will your CTO, FD, CEO invest their time?
3) They are New. Fresh. Clean. Everybody knows about the challenges, costs and problems of what you have in house today. But like an external job applicant, the outsource team don't have any baggage, and nobody ever looks very hard to find the (often ample) dirt of their failures at other companies.
The cloud provider may have better SecOps, but they aren't paid to look at the doors customers accidentally leave open. If they did, they would spend all their time liaising with end-users instead of doing the work that underpins their KPIs.
Besides, customers don't like to be told they are stoopid. SecOps would very quickly tread on the Sales team's toes, and even end up getting fired. So that won't happen.
At the end of the day someone else's security interests don't ensure your own security. Outsourcing does not make it any less of a responsibility, except in the mind of hapless management. However, until they are made responsible for the customer and corporate data they 'own' as a matter of routine, nothing will change...
Yeah. Shame that apparently none of those layers include not publishing passwords in unsecured repositories (cloud or not).
I don't give a damn about your security model. What just happened is a clear breach of security and if I were a customer I would be raising holy hell right now.
@Mark 85: "WTF is it about AWS S3 and all the breeches of late? Why is anyone using it if it's this insecure or set up such that the renter can't secure it? This is an obvious steaming pile"....
It's not the fault of AWS per se. What happened is, since moving to the 'cloud', they let go their more experienced staff and hired minimum-wage trainees to do the job. Not having installed/configured a real database, they don't fully comprehend the security implications of relying on a URL to provide security.
Why is anyone using it if it's this insecure or set up such that the renter can't secure it?
It's a feature, not a bug. Some people *want* to make their buckets publicly accessible, and the end-user can configure their buckets to be so. It's not the default of course; the user has to make an active choice to publish their data to the whole world.
I'm surprised that Amazon don't sell an "Enterprise S3" service which has public buckets disabled. They could charge more for this.
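The two points raised in this thread, that a bucket can legitimately be opened for anonymous GET only (the web-assets case above) and that opening it at all is an active choice by the account owner, both come down to what the bucket policy grants to the anonymous principal. The following is an added example, not code from any commenter or from AWS: a small, offline analyser that reads a bucket policy document and reports whether the anonymous principal gets nothing, read-only object access, or the ability to list, write or delete. The policy documents, the bucket name "example-bucket" and the account ID are constructed placeholders.

```python
import json
from fnmatch import fnmatchcase

# Public actions that go beyond fetching a known object. If an anonymous
# principal gets any of these, the bucket is open wider than the
# "serve web assets read-only" case discussed in the thread.
WRITE_OR_LIST_ACTIONS = {
    "s3:listbucket", "s3:listbucketversions", "s3:putobject",
    "s3:deleteobject", "s3:putobjectacl", "s3:putbucketacl",
    "s3:putbucketpolicy",
}
PROBE_ACTIONS = WRITE_OR_LIST_ACTIONS | {"s3:getobject"}


def _as_list(value):
    """Policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """True when the Principal is everyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def _granted(patterns, action):
    """IAM action names are case-insensitive and may be wildcarded (s3:Get*, s3:*)."""
    return any(fnmatchcase(action, p.lower()) for p in patterns)


def assess_bucket_policy(policy_json):
    """Classify a bucket policy as 'private', 'public-read' or 'public-write-or-list'.

    Only statements whose Principal is anonymous are considered. An explicit
    Deny for the anonymous principal overrides an Allow, as in IAM. A public
    Allow carrying a Condition is reported via 'conditional', since the
    condition may (or may not) narrow who can actually use the grant.
    """
    policy = json.loads(policy_json)
    allowed, denied, conditional = [], [], False
    for statement in _as_list(policy.get("Statement")):
        if not _is_anonymous(statement.get("Principal")):
            continue
        actions = _as_list(statement.get("Action"))
        if statement.get("Effect") == "Allow":
            allowed.extend(actions)
            conditional = conditional or bool(statement.get("Condition"))
        elif statement.get("Effect") == "Deny":
            denied.extend(actions)
    public = sorted(a for a in PROBE_ACTIONS
                    if _granted(allowed, a) and not _granted(denied, a))
    if not public:
        verdict = "private"
    elif any(a in WRITE_OR_LIST_ACTIONS for a in public):
        verdict = "public-write-or-list"
    else:
        verdict = "public-read"
    return {"verdict": verdict, "public_actions": public, "conditional": conditional}


# Constructed sample policies; "example-bucket" and 123456789012 are placeholders.
WEB_ASSETS_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*"}]})

WIDE_OPEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "s3:*",
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]}]})

READ_BUT_NO_LIST_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
    {"Effect": "Deny", "Principal": "*", "Action": "s3:ListBucket",
     "Resource": "arn:aws:s3:::example-bucket"}]})

ACCOUNT_ONLY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
     "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"}]})

if __name__ == "__main__":
    for name, doc in [("web assets", WEB_ASSETS_POLICY), ("wide open", WIDE_OPEN_POLICY),
                      ("read, list denied", READ_BUT_NO_LIST_POLICY),
                      ("account only", ACCOUNT_ONLY_POLICY)]:
        print(f"{name:18s} -> {assess_bucket_policy(doc)}")
```

The "read, list denied" case is the shape a web-assets bucket should take: clients can fetch an object whose key they already know, but cannot enumerate the bucket. A "wide open" verdict is what a policy copied from a tutorial with `s3:*` produces, and is the configuration this thread is about. The analyser only looks at the bucket policy; a bucket can also be opened through its ACL, so a real review has to check both.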
“Secure Store” which held a plaintext file of the master access key for Accenture’s account with AWS' Key Management Service,
Also in that archive were a number of client.jks key stores which, while encrypted, had what appeared to be the passwords to unlock them written down in files next to them in plaintext.
40 000 plain text passwords
etc, etc, etc ...
This, this, this is really the sort of braindead behavior you would expect from Accenture.
Even on a hardened AWS instance, this is simply braindead, n00bS ... as I have written time and time again, Accenture are a bunch of retards.
Note, again, that you have to "open up" the AWS instance to expose it in this manner, clicking away several WARNINGS in the process ... just saying ...
Hans 1
Accenture MHP
Accenture run our email system. They have a spam reporting system instruction that goes...
Drag spam email to desktop
Zip spam email
Email spam zip to Accenture
Delete zip
Delete original email in Outlook
The trouble is that they auto-reply to you thanking you for sending the spam email to them, and then go on to tell you how to send a spam email to them, by the very method you have just used. As far as I am concerned their auto-reply is spam as it has no useful purpose. I politely explained this to them and their answer was “you need to set up a rule in Outlook to dump our auto-reply in the bin on receipt”.
What superb customer service.
I no longer report spam emails.
Cocks!
.... your autoreply could say you followed their directions to 'put the spam in the can', but that they keep on sending more and that maybe they should do something about it since they own the spam problem, not you?
Then in Outlook set up another auto-delete rule for the avalanche of auto-replies. See who wins, your workstation or their spam server. At a minimum you will need to compact your Outlook .pst file once a day and keep an eye on anything else that might use disk space.
Perhaps someone should black-list all Insultants from business, as well as IT.
Some years back our regional power utility did not renew their ERP outsourcing contract with Accenture. OK, that in itself is already a bit unusual and it made the papers.
What was even more unusual is that, in the article, the utility made it very clear that Accenture would not even be considered in the upcoming RFP for the replacement contract.
Mind you, I'd seen that team at work on an ERP migration for that exact utility - planning to rewrite the ERP vendor's core paycheck engine in late summer, just in time for a Jan 1st mandatory payroll system switchover. Despite not having managed to load any _unconverted_ records from the old system at that time, let alone converted any of them. So coding this all up using faked data and badgering their underpaid sub-contractors - never saw Accenture folk doing any actual work - into signing off the unit tests from that.
LOL. Un-funny thing though is you can't swing a dead cat around without hitting an ex-Accenture manager in ERP user land.