back to article Web doc iCliniq plugs leaky S3 bucket stuffed full of medical records

Online medical consultation service iCliniq left thousands of medical documents in a publicly accessible Amazon Web Services S3 bucket. iCliniq locked down the online silo earlier this week only after the slip-up was brought to its attention by German security researcher Matthias Gliwka. He approached El Reg after failing to …

  1. Version 1.0 Silver badge

    Dear El Reg

    I'm waiting for a story on a Cloud bucket that hasn't leaked data yet ... you think you'll ever post that?

  2. Anonymous Coward
    Anonymous Coward

    File names

    Some organisations are remarkably ignorant about this. Doing an audit once on a government-related site we noticed that SNMP was turned on for printers with no security. We drew the attention of the management to the fact that anybody in IT with a simple monitor could read the files printed by most of the larger machines - so allowing people in HR to print files with titles like "Proposed headcount reduction 20xx" was probably not a clever idea.

    Another organisation was set up so that documents printed in London went through print servers in the Midlands managed by IT workers in the North. Again simple inspection of print server records revealed interesting stuff.

    There's a number of printers that need to have SNMPV3 as the only SNMP port, and a number of companies that really should think hard about not putting sensitive stuff through print servers.

    1. Anonymous Coward
      Anonymous Coward

      Re: File names

      Printers are a gold mine. In my most recent employer, their printers were configured with secure badge access to make a print job come out, "'cause HR and Legal print lots of sensitive documents".

      Not so useful if they leave the admin passwords at the default 12345678 so anybody can walk up, log in, inspect the print queues, and reprint on demand... Perhaps out of office hours.

  3. Androgynous Cow Herd

    Why is this so hard

    AWS has a self certifying protocol that is pretty comprehensive, actually. If you have actually paid attention and used the protocol to ensure you are following best practices, those buckets have been secured.

    Completion of the protocols is then reviewed by Amazon and if passed “Advanced Parter” status is bestowed unto that company

    To complete the protocols isn’t exactly trivial, but not impossible or even unlikely. Adherence to the protocols may slow down development slightly at worse until developers figure out how to work on their environment in a secure manner.

    My opinion is that there is a certain class of software companies that have completely embraced “Agile” and behave like they are building gaming apps for cell phones, even if they are really building enterprise products that require a much more respectful attitude re: security than the current “We can do it this way and fix it properly if anyone notices”.

    1. Anonymous Coward
      Anonymous Coward

      Re: Why is this so hard

      If you pay peanuts you're gonna get monkeys. It's pretty as simple as that.

  4. Anonymous Coward
    FAIL

    Goodness, gracious me!

    I blame 'Steve' in Mumbai

  5. Anonymous Coward
    Anonymous Coward

    Another security fuckup... Another round of Layoffs

    https://www.theregister.co.uk/2018/08/03/symantec_job_cuts/

    Tech has turned into such a self-entitlement short-sighted industry like Banksters. Founders always get paid but security / privacy remains crap while most employees are a disposable service. Slow car crash happening.

    We all work in this business and yet most have to watch from the sidelines as our advice gets ignored. Tech exists now just to serve the elite who always over pay themselves while everyone else gets to take a haircut!

    1. Anonymous Coward
      Anonymous Coward

      Re: Another security fuckup... Another round of Layoffs

      Many areas of tech barely pay well enough to bother starting in the industry, any more.

  6. Anonymous Coward
    Anonymous Coward

    HACKER

    Arrest him for hacking. Because changing ?interviewId=1238928 to ?interviewId=1238927 in the URL and getting someone elses medical records is totally hacking, a technique known only to sophisticated attackers intent on bypassing our strict security measures.

    1. Anonymous Coward
      Anonymous Coward

      Re: HACKER

      Yes, he so 1337 h4x0red that.

  7. Anonymous Coward
    Anonymous Coward

    Buck Hacker

    The buck hacker site - https://thebuckhacker.com as well as a couple of others I've seen have a massive list of open AWS S3 buckets along with the files contained. I can name two huge companies off the top of my head - Experian and Virgin that have open buckets to the public! Experian is a credit reporting company with sensitive information on record and should NOT have an open bucket like that. It is ridiculous the amount of companies that don't secure theirs.

    1. Androgynous Cow Herd

      Re: Buck Hacker

      if you are hosting public content, you will have publicly accessible buckets. The existence of public buckets doesn't mean that the sensitive info is in *THAT* bucket, even if you are Experian.

      I know companies that host their publicly available content in Amazon rather than a CD network, and also was other buckets that are properly secured...AWS advanced certification and all that...

  8. GnuTzu

    "far from rare"

    I'll spend the rest of the day chuckling over this little understatement. The better way to say it is: "ridiculously common".

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like