What do Brit biz consultants and X-rated cam stars have in common? Wide open... AWS S3 buckets on public internet

A pair of misconfigured cloud-hosted file silos have left thousands of peoples' sensitive info sitting on the open internet. Despite attempts by Amazon to encourage its customers to be more careful, there are plenty of IT administrators and developers who are still not getting it. The latest demonstration of this comes from …

  1. JassMan
    Joke

    Pictures or it didn't happen

    "Sex worker's privates exposed

    The second info trove the team uncovered puts the "exposure" in data exposure. That instance, also a misconfigured S3 bucket, contained nearly 20GB belonging to the subtly-named adult cam network PussyCash."

    On second thoughts, lack of pictures is probably for the best

  2. Tom Paine

    "and many additional items that we chose not to investigate," the VPNmentor team explained.

    I'll bet.

    1. AIBailey

      That reminded me of the old News Of The World reports, when they'd get so far into an investigation of some kind of sordid event before "making their excuses and leaving".

      Really?

  3. MatthewSt

    Misconfigured?

    There seems to be a lot of these about. Is the default setting to have it 100% open? Is the tooling difficult to use? I know there's always a trade-off between security and ease of use, but for so many people to be getting it this wrong there has to be something systemically wrong, surely?

    I know they're not used nearly as much, but these aren't usually Azure or Google Cloud accounts that are "misconfigured"

    1. John Riddoch

      Re: Misconfigured?

      Default is no public access, so you have to allow access to applications etc to use the buckets. Issue is lazy admins who find it doesn't work and open it up wide, not realising what they're doing or just doing it "for testing" and not locking down later.

    2. Jay 2

      Re: Misconfigured?

      I was at some one-day AWS shindig at the end of last year and given all the "bad press" they'd implemented a few things to safeguard S3. They're now private by default and you have to deliberately jump through several hoops to make them public.

      As well as that I believe there is some alert that tells you (via email?) that you have a publicly available S3. Also there is, I think, something you can run called Trusted Advisor which will point out config/security issues it thinks you should check.

      AWS do say quite plainly that as part of the responsibility of it all, it's up to the user to secure anything they set up. But the catch with AWS is that it can be *very* easy to sign up and have something up and running quickly without entirely knowing what you're doing...
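The comments above describe the failure mode (a bucket deliberately opened to everyone "for testing" and never locked down again). The following is an added example, not code from the thread or from AWS: a local check that reads a bucket policy document of the shape returned by get-bucket-policy and reports statements granting read access to every caller. The policy documents and the account ID are constructed samples.

```python
"""Added example (not from the Register thread): flag S3 bucket policy
statements that let anyone on the internet list or download objects.
Input is a bucket policy JSON document; sample policies are constructed."""
import json
from fnmatch import fnmatch

# Actions that let an anonymous caller enumerate or fetch objects.
READ_ACTIONS = ("s3:GetObject", "s3:ListBucket")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_everyone(principal):
    # "Principal": "*" or {"AWS": "*"} means every caller, authenticated or not.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for p in _as_list(principal.get("AWS", [])))
    return False


def public_read_statements(policy_json):
    """Return the Sid (or index) of each Allow statement that grants read
    access to everyone. Statements carrying a Condition block are skipped:
    a condition such as aws:SourceVpc may narrow them, so review by hand."""
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_everyone(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue
        actions = _as_list(stmt.get("Action", []))
        # Action may be a wildcard pattern such as "s3:*" or "s3:Get*".
        if any(fnmatch(want, pat) for pat in actions for want in READ_ACTIONS):
            findings.append(stmt.get("Sid", f"statement[{idx}]"))
    return findings


# Constructed sample: the "opened wide for testing" policy from the comments.
OPEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicReadForTesting", "Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]}]})

# Constructed sample: access scoped to one application role (hypothetical account).
SCOPED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "AppRoleOnly", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-role"},
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})

if __name__ == "__main__":
    print("open policy findings:", public_read_statements(OPEN_POLICY))
    print("scoped policy findings:", public_read_statements(SCOPED_POLICY))
```

Running this against every bucket's policy in an account is the same question the Trusted Advisor check mentioned above asks; the point of a local version is that it can run in a pipeline before the policy is ever applied.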

  4. big_D Silver badge

    I see your smut cash and raise you...

    1.2 billion medical images of US patients left on open servers by doctors' surgeries, hospitals and medical facilities...

    https://techcrunch.com/2020/01/10/medical-images-exposed-pacs

    1. Anonymous Coward

      Re: I see your smut cash and raise you...

      "1.2 billion medical images of US patients left on open servers by doctors' surgeries, hospitals and medical facilities..."

      I don't believe these were hosted on AWS or an alternative cloud platform but rather just exposed an insecure protocol to the Internet and hoped for the best.

      And every ElReg commentard already knows that hosting things in-house makes them completely safe, not like using public clouds...

    2. Fruit and Nutcase Silver badge
      Coat

      Re: I see your smut cash and raise you...

      65 million UK patient records to be horse traded in a UK/US Trade Deal.

      I know, Boris said the NHS is off the table. That still leaves an opportunity for the data to be passed under the table.

  5. Anonymous Coward

    As said previously

    Your Business = Your risk

    Amazon just host services; they do not own your risk. Unfortunately it sits on the internet shared by hundreds of thousands of other tenants.

    Got to be some kind of idiot to put PII on cloud.

    1. DontFeedTheTrolls
      Headmaster

      "Got to be some kind of idiot to put PII on cloud."

      Got to be some kind of idiot to put PII anywhere that you are not confident it is appropriately secured, monitored and audited.

      Cloud is not itself the problem; all the tools are there to place multiple blockers between unauthorised persons and the data. We see plenty of reports of data breaches on private data centres owned and operated by the data owner.

      The difference is:

      a) the business taking their responsibility seriously

      b) engaging the right people to implement established good practices to secure the data.

      I don't particularly advocate using cloud, I generally believe it should be easier to secure the data in a building you own and control, but don't claim cloud is insecure just because your CEO lets the Marketing team do whatever they want with the company data.

  6. Brady's left foot

    Does that count as double exposure?

    I'll get my coat...

  7. ForthIsNotDead
    Paris Hilton

    "That we chose not to investigate"

    Yeah right.

    VPNmentor guy: "Ooh! Look! Smut!"

    Entire office: cp *.* ~/pron

    1. Anonymous Coward

      Re: "That we chose not to investigate"

      "Oh my god....it's all furry pron....burn it...burn it with fire...."

      Probably

      1. Anonymous Coward

        Re: "That we chose not to investigate"

        I think cream works better with (many) furry things

  8. Fruit and Nutcase Silver badge
    Facepalm

    TITSUP

    Total Inability To Sever Unsecured Permissions

  9. Fruit and Nutcase Silver badge
    Joke

    Pubic Access

    In the case of the video site, the admin probably mistook Public Access for the Pubic Access setting
