Who's leaving Amazon S3 buckets open online now? Cybercrooks, US election autodialers

Security biz Kromtech has unearthed two more embarrassing – and potentially dangerous – cases of groups leaving mass data caches unguarded on the public internet. In the first case, the culprit was an improperly configured AWS S3 bucket owned and operated by Robocent, a political robocalling company based in Virginia Beach, VA …

  1. Sureo

    "...including the audio files to be used in robocalls to voters..."

    Do us a favor and delete it all? Thanks very much.

    1. Version 1.0 Silver badge

      Re: "...including the audio files to be used in robocalls to voters..."

      Do robocalls even work anymore? On the rare occasion when I even bother to answer a ringing phone, if it even sounds vaguely like a robocall I drop it like two hot pennies.

      1. Mayday
        Megaphone

        Re: "...including the audio files to be used in robocalls to voters..."

        "On the rare occasion when I even bother to answer a ringing phone, if it even sounds vaguely like a robocall I drop it like two hot pennies"

        I do that when a human tries to flog me something too when they ring me.

        1. CrazyOldCatMan

          Re: "...including the audio files to be used in robocalls to voters..."

          I do that when a human tries to flog me

          I take it you don't work in an S&M Dungeon then?

          (I ignore any phone calls that are from numbers that I either don't recognise or are not in my local area. Especially the ones marked "International" - I have no-one who lives abroad who would contact me via my home phone. My best guess is that they are the "we are from Microsoft" scammers. While it might be amusing to waste an hour or two of their time and end it by asking them how they can live with themselves stealing money from the elderly, life is too short and there are many, many things higher up the desirability tree.. like clipping my toenails..)

      2. ThatOne Silver badge
        Flame

        Re: "...including the audio files to be used in robocalls to voters..."

        > Do robocalls even work anymore?

        Have robocalls ever worked? "Oh a tape recorder is calling me. I just have to take its opinion into consideration!"

        I'm usually quite annoyed with people wasting my time; I'm doubly annoyed if they think I'm not even worth paying an underpaid call center slave to do so.

  2. MiguelC Silver badge

    "The second case exposed by Kromtech could land a few people behind bars."

    You make it sound like it was a bad thing...

  3. Michael Hoffmann
    Facepalm

    How?

    I still don't get it. Never will. You have to actively make buckets public, you will get spammed and nagged if you do so.

    The biggest danger of the Cloud is the morons who can't understand how to set up a bucket policy. :(

    1. Kevin McMurtrie Silver badge

      Re: How?

      You don't want authentication on your credit card theft and money laundering operation. Being in possession of the login would be an easy conviction. It's harder to figure out what's going on if bots, researchers, and random curious people are poking around in it.

      On the other hand, Robocent wasn't very good at hiding the owner. Hopefully some lawyers are sniffing around in the data right now.

    2. LucreLout

      Re: How?

      The biggest danger of the Cloud is the morons

      You could just have said "The biggest danger is morons", and you'd be right for most of human history.

    3. CrazyOldCatMan

      Re: How?

      The biggest danger of the Cloud is the morons who can't understand how to set up a bucket policy. :(

      and the people commanded to make it insecure so that their manager can access the data from home..

  4. Anonymous Coward

    Imagine being able to target the idiots that voted for Trump, this data is a goldmine.

    1. Anonymous Coward

      Yes, comrade

      Of course it is comrade....

    2. LDS Silver badge
      Devil

      I think the real idiots are those who waste money on robocalls... but they were also surprised when the FTC head told them the law says they needed prior approval to make them to fixed lines.... that told a lot about them.

    3. LucreLout

      Imagine being able to target the idiots that voted for Trump, this data is a goldmine.

      The irony of believing everyone who disagrees with you is an idiot is truly breathtaking.

      The cognitive dissonance involved to establish your position is impressive in its density, and the lack of self-awareness to then parade that in public is possibly the most entertaining thing I've seen all morning. So thank you for that.

      1. Sgt_Oddball Silver badge
        Mushroom

        on being a man.... made of straw.

        He/she/It (not making a judgement call here) did not specify that everyone who voted for Trump was an idiot. Only that there were idiots that voted for Trump. There's probably a number of village idiots who voted the other way too. Just not enough to prevent the backtracking friend of Russia, enemy of the environment, disliker of Mexicans and inventor of the word 'bigly' from becoming the president of the world's largest stockists of nuclear weapons....

        There are probably though a number of smart people who hoped for better than what they got, buyer's remorse and all that (the UK has it just as bad with the Brexit car crash).

        1. Version 1.0 Silver badge

          Re: on being a man.... made of straw.

          LOL, I read it as about Trump, not his sheep.

      2. Anonymous Coward

        You have me wrong comrade, I would vote high chancellor Trump every single time. He's just done so much for the American peoples it's amazings, from net neutrality to freeing up money paid by corporations in taxes so they can pay their workers more and let's not forget those trade wars that will surely help industry. All in all he is the man and I would high five him if he didn't have such little hands.

  5. mark l 2 Silver badge
    FAIL

    So you're 'clever' enough to come up with a scam to use stolen cards and jailbreak iPhones to buy in-game currency but not protect your S3 bucket from anyone being able to view it. What a bunch of idiots.

    1. phuzz Silver badge
      Pirate

      As Kevin McMurtrie points out above, leaving it wide open doesn't stop the operation from working, and having every nosy reporter and 'greyhat' accessing it does a nice job of muddying the access logs.

      It might even be intentional.

      1. CrazyOldCatMan

        It might even be intentional.

        I suspect that you are imputing too much intelligence to the scammers..

        1. Wellyboot Silver badge

          Whoever set it up for the scammers is probably long gone with a big bag of real cash. This has been handed over to the production crew long ago :)

          Maybe it's a honeytrap to alert the builders that the other 'secure' laundering operations may now be time limited.

          1. Michael Wojcik Silver badge

            Whoever set it up for the scammers is probably long gone with a big bag of real cash. This has been handed over to the production crew long ago.

            This, the "you don't want to be caught holding the keys", and the "muddying the waters" arguments are in combination fairly plausible, I think.

            Suppose you do contract IT work for criminals. You do it under aliases, of course, so it's hard for any of your potential customers to connect you with past failures, but you can provide details of past successes to show your bona fides. You know your role will be early and brief: you set up the systems, take your bag o' virtual cash, and bail out.

            There's little incentive for you to secure those systems, and plenty to leave them open.
