Video-editing upstart bares users' raunchy flicks to world+dog via leaky AWS bucket A British video-editing startup exposed what is claimed to be "thousands" of user-uploaded videos, including family films and home-made pornography, in an unsecured Amazon AWS bucket. Research by Noam Rotem and Ran Locar, for security biz vpnMentor, revealed that VEED.io left an AWS bucket completely unsecured and hosting what …
Amazon could just warn owners that they have poor or no security when any kind of datasets get created. From databases, to image/videos etc.
Maybe look for certain metadata and close off public access instead of leaving it to the clueless admins to leave the barn door wide open?
Afterall, which is more frustrating, not being able to access data or having everyone and their dog have access?
Paris because I'm probably oversimplifing things...
AWS provides a number of tools for this, and other monitoring approaches… But this seems to be such a basic failing that mo amount of tooling is likely to help them… It’s situations like this that fuel the “uurgh! cloud!” negativity in relation to security, yet AWS (as the cloud host) have done nothing wrong here… Look up their “shared responsibility model”, they don’t shy away from this topic at all…
But why do we see so many examples of this? Is AWS insecure by default so users are failing to secure it or is it secure but inconveniently so that users are deliberately turning security off?
Amazon need to make it more difficult to use insecurely than securely so that nobody would jumpt through the hoops to do that.
AWS has done a lot to the S3 interface to warn users every step of the way when they are making buckets public - even putting a gigantic yellow "Public" by the bucket name. And yes, their default policy is to block all access except to bucket creator. What is really difficult/convoluted is granting limited access to S3 - I remember my first time trying to use roles to get our CI/CD server access to a particular bucket...
Since the AWS interface is fairly easy to use, I can see giving the 1st year intern the task of configuring a bucket. Lack of experience and getting frustrated probably leads to just clicking the "allow world +dog" button frequently. "I'll fix it later" never happens and the bucket is ignored...until it's not.
A couple of things. One, ensure it can only be done by a confusing user interface where anything wrong in the process leaves it secure. The other, which I've suggested above, is to ignore what the user sets and periodically just going back to default. Perhaps send out an email "We've noticed that you must have accidentally left your AWS system insecure so we've repaired that for you."
After a few cycles update the email to explain why it's really bad. Or maybe do that first and then switch to the "We've fixed it" non-explanatory version.
>> But why do we see so many examples of this?
1. Because the whole purpose of the "Cloud" is to get rid of icky -- and expensive -- tech people.
If an organization has to hire someone who actually knows what they are doing, the huge cost savings for going to the Cloud get blasted out of the water.
2. Amazon, et al, do not want to be responsible for the security of millions of hosted software instances. Read the fine print in the contract - the customer is responsible, NOT the "Cloud" provider. Thus, they provide the tools for the customer, but no more, as any more may imply that they are responsible in some way.
"AWS (as the cloud host) have done nothing wrong here… Look up their “shared responsibility model"
I have to disagree, the words 'Amazon' and 'Responsibility' placed into the same sentence is an oxymoron. Has anyone ever thought how much computer crime is committed through AWS servers?
These are paying customers of course and that's as far as Amazons responsibility goes, taking their money and not asking questions or probing what their infrastructure is doing. The same goes with Cloudflare. These people think they can solve every problem with an algorithm while ignoring the harm their lack of responsibilty brings
"
Afterall, which is more frustrating, not being able to access data or having everyone and their dog have access?
"
Depends what you are using it for. Many people deliberately *want* everyone to have access to whatever they have uploaded. Similar to most people who upload videos to "Youtube"
Not really. I'd have thought most people would want to provide controlled access. They might, for instance, want people to see their YT videos but not be able to edit them or just upload something else in their place. Or if the material is commercial in confidence they might not want anyone to see it.
Awhile back I set up an S3 bucket and intentionally left it open to the public, with the only contents some marketing videos to be embedded on a website.
Amazon repeatedly emailed me to warn me that it was insecure, and eventually said that if I didn't log in and re-reverify that the settings were intentional that they would shut off the insecure access.
So in other words, they ALREADY do what you suggest, and if insecure buckets are out there it is because the owners did it to themselves against multiple warnings from Amazon.
And in this case, the VEEDiots repeatedly ignored messages from the researchers, and from the Register. They're clearly not competent.
Personally, I'm still (despite the continual deluge of evidence) a bit amazed that people use services like this. Really, folks. You're trusting a startup with no reputation or record with your sensitive data. Even their name is stupid. Would you buy medications from a startup named PILZ.io? (Yes, I suppose many of these people would.)
"So in other words, they ALREADY do what you suggest, and if insecure buckets are out there it is because the owners did it to themselves against multiple warnings from Amazon.
You received the notices because you were the sole person running that bucket. Try to imagine a company with nobody in charge. One of those new orgs were nobody gets their own desk and you can skateboard down the halls with your smelly dog in tow. The person with the contact email account decides one day that a real job that pays in money rather than stock options is what they really need and all of the those notices go to an email account that's no longer active after that person re-reverified that wide open is what they wanted. Maybe that was due to a coworker having it off with their significant other. Nobody is in charge so nobody knows who should have been responsible so there is no place to put any blame.
Is there any reason why an account being used by a for-profit company should be set to "public"?
Securing data in the cloud, isn't the responsibility of the cloud provider (believe it or not)... even if they provide a database and leave it open to everyone. This is cloud security 101 stuff.
Just like: if you purchase an application and use it at home (especially cloud connected devices/software), it's your responsibility to ensure it's secure.
In the cloud, it's YOUR responsibility to ensure any CLOUD APPLICATION you are using meets security best practices/standards.
Common sense should tell you, if something is free or low cost, then chances are, they aren't taking a lot of security precautions.
"...would upload their home-made pornography to an online video-editing website, least of all a free, unknown one?"
Oh, just a normal person, unfamiliar with the dystopic nightmare that is technology. Only some ignorant snowflake with an expectation that their stuff is safe, not "shared" or left open to the whole world.
Don't blame the user when a system is hard to correctly use. Remember, it's SUPPOSED to do what it says on the box. Users should not have to know lots of background about tech companies and anticipate what might go wrong. That's a sign of a badly done product.
I'm usually on board with the "don't blame the user" argument, as my past posts will show. In this case, though, there are quite a few red flags, significant user action was required (it's not the same as recording a potentially-embarrassing scene with your phone and failing to secure that device), and people were uploading particularly sensitive data.
While it's clear that the people behind this service should be banned from creating software until they've passed some remedial courses in basic thinking, in this case I feel at least some of the users share a significant portion of the blame.
"According to VPN Mentor, VEED ignored attempts in mid-October to alert them to the breach"
Probably why they ignored it. Why listen to sense when we're hipster and unless you agree to our startup plan, we don't want to listen to you.
That's the general way I see hipsters. I've seen a few over the years that were just like that, follow their "plan" and never question their "plan" or be made redundant.
If they are a British company, they still fall under GDPR. And if they allowed to upload contents that contain sensitive data like sexual preferences without the proper legal permissions they are even in hotter water - especially if not all parties involved in the video were aware of it.
Ignoring attempts to be notified and ignoring the leak and the GDPR requirements about it looks utterly stupid to me. Unless they were very busy shifting money to places where the upcoming fee won't be able to find them.
The default is secure. This changed ages ago. You have to actively open up buckets now.
I suspect there might be another angle here, which is that they might be using GUIDs on filenames to make URLs hard to guess, which means your only "security" against the whole lot being breached is the bucket list permission.
"Bucket list", see what I did there? I hope this company dies horribly.
It is - you need to alter your storage buckets from the default of "private" to "public".
And no, this isn't a new policy - https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-policy.html
However...if you want to give access to buckets or objects, you need to either make them public OR manage access via your application. Guess what people choose?
We still have am AWS bucket from a 'Cloud' project that failed to deliver. It was secure when we got it, and I have a tool 'CloudBerry Explorer' which allows me to check the permissions etc. The really odd thing I find about this though, is that when I authenticate to AWS, I don't get delivered directly to our bucket, but a couple of levels above, so I have to drill down. But that means I can see lots of other buckets, and I always found that odd, I know obscurity is no security, but being able to see the the bucket makes it easier to exploit from the outset.
The Pope poos in the woods.
Well, he should stop! Doesn't he know that today is World Toilet Day?
Everything is better in the Cloud, and preferably with Internet of Things too.
Sometime, for a 5-min job, finding, downloading and installing an editing tool is a bit much, instead of just finding the appropriate online tool. Of course when I did this I didn't upload anything that I wanted to keep private (it was a Youtube video and it ended up as another Youtube video).
But for anything longer, I'll use a local tool of course (last time I used shotcut, which crashed on average once per hour, so it didn't stayed on my machine once the project was done)
" It would also save cash on storage costs."
Storage is so cheap. With the right ToS/privacy policy, you don't have any legal problems except for kiddie flicks. Today's amateur pr0n star is tomorrow's statesman or perhaps, failed candidate, depending on if they have enough money for you to "accidentally delete" that bit of video.
Get yourself a FB account under a false name that you only access while at the San Francisco public library. Hmmm, ok, maybe that's not a good place with all of those windows.
Download all of the self-made pr0n, find some good frames to screen grab, post the images to FB and see if they can suggest some names to go with the faces. (just the faces you slime, Only Mr. Clinton's privates are super well known to the average punter. Maybe Jennifer Lawarence's lady bits too, but we digress). FB will likely give you an FB user name as well. Just to be helpful. With the FB user name, Spokeo may be able to sell you a full bio on the person including a home address, wife's name, kids, etc. Forget the phishing emails saying they've been spying on you through your web cam while you watch dirty movies (yeah right, I don't have a cam on my desktop), you can actually send a clip. Should be worth a few bob.
Naw, what I posted was easy to figure out based on other exploits I've seen described.
Miscreants are already using photos to stalk people by looking them up on FB to see if FB will identify them. There are data aggregators that charge a one time fee that is a pittance for a bio based on no more than an FB user name. Some of the info may even be mostly accurate. Extend that to somebody in a home made pr0n production that may not be too happy about their performance being made public and Shekels can be made.
It's another argument against self-inflicted surveillance and posting anything personal online. The divider between "The Cloud" and completely public is vanishingly thin.
I would expect that if he wasn't given direct assistance to leave this world, he may have been talked into going DIY by a kindly person that smoked heavily showing him surveillance photos/vids and some examples of the more extreme methods of torture employed around the world.
If there is anything to the conspiracy that the "body" claimed to be Mr Epstein was a stand-in, he may still be someplace being encouraged to spill names, dates, record locations until the examiners are satisfied that they know the scope of any potential fallout.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
