Hapless AWS engineer spilled passwords, keys, confidential internal training info, customer messages on public GitHub
An Amazon Web Services engineer published exchanges with customers and "system credentials including passwords, AWS key pairs, and private keys" to a public GitHub repository by accident. On 13 January, infosec biz UpGuard discovered a 954MB repository containing AWS resource templates – used to create cloud services – plus …
COMMENTS
-
Thursday 23rd January 2020 17:12 GMT cbars
Re: Should not passwords be one way encrypted ?
Ho ho, what fun! Prepare for misinformation!!
Server side hash: essential (and a salt, and just don't bother, it's really hard to do right)
Client side hash: changing one password into another (as you still have to send something to the application to verify, a MITM doesn't care what you started with, just what the server needs to see)
Client side encryption: Recursion. ("What shall I do with this secret key that encrypts the secret key that encrypts the secret key that encrypts our AWS password??"
"Stick it in the same project, but in the 'secret' folder, and make sure you don't load *that* to github!")
If you're a dev with a repository that's logging into other services like AWS, you're client side...
-
Thursday 23rd January 2020 18:17 GMT Anonymous Coward
Another take home...
NEVER MIX WORK AND PLEASURE!
Sorry to shout but it could very likely be a case of being lazy and not correctly separating work repos (and thus secured private repos unless your workplace is a tight arse, in which case just roll your own git/CVS locally) and personal pet projects on public repos.
Personally I take it a step further and just keep work on a work dev machine and everything else on my own machines. No chance of forgetting which git I'm signed into.
-
Thursday 23rd January 2020 20:50 GMT Doctor Syntax
"A common reason is that developers trying out some new ideas hardcode credentials into applications and then publish the code without thinking through the implications."
Even if these are new ideas being tried out if that's the mindset of the developers it doesn't inspire much confidence in the security of the finished product.
-
Friday 24th January 2020 14:38 GMT Anonymous Coward
Re: Engineer ?
Maybe it's changing because of things like Boeing where people who considered themselves to be software engineers weren't and people lost their lives. So unless you are an actual engineer, you shouldn't be calling yourself one?
Granted, I am a software engineer, but not a PE. Way back when... Software engineering or even computer engineering wasn't really appropriate for a PE. (Mechanical, Electrical, Civil tended to require it.) But I'm aging myself. I don't know when it changed.
-
Friday 24th January 2020 16:34 GMT Mike Pellatt
Re: Engineer ?
Because unless you have a professional engineering qualification and undertake CPD, validated by a recognised professional association, you shouldn't have the label "engineer".
Germany is (or at least, was) very, very, very hot on this.
Our lives are as much in engineers' hands as doctors', and woe betide anyone who calls themselves a doctor of medicine when they're not. Should be the same for engineers.
Presumably amongst the divergence that our wonderful UK Government wants from EU regulations, the current Eur Ing recognition will be one we have inflicted on us.
-
Friday 24th January 2020 17:10 GMT Claptrap314
Re: Engineer ?
About such things, I tend to respond, "My ancestors left there 150 years ago for a reason."
In the US, there have been lawsuits over these. The first amendment just keeps winning.
Now, I would never condone someone representing themselves as a Professional Engineer who lacked the credentials. I would never fail to mock someone who hired a "Professional Engineer" without checking credentials.
The professions of PE and MD differ dramatically. The customer of an MD is typically an individual of average intelligence with no knowledge of the profession, and who is somewhat stressed. If challenged, even with the help of the InterTubes, they would be unable to check the credentials of the MD.
The customer of a PE is a business or a government, generally working through some sort of bidding process. The person doing so has as their job description to validate the quality of the bids.
Of course, I charged my engineering calculus students 10 points out of 10 for sign errors--I don't want bridges built with gravity going the wrong way.
-
Friday 24th January 2020 18:04 GMT Michael Wojcik
Re: Engineer ?
Frankly, I'm not so complacent about the medical industry's co-option of the term "doctor", either. Both etymologically and in other fields it means "scholar", and many medical doctors, while upstanding members of their profession, do no research and don't even have much time to follow current research in clinical practice. (That's why Cochrane metastudies exist: so that a team of experts can review research in an area and digest it down into clinical recommendations.)
And in the US, medical interns - who are not yet licensed medical doctors - are generally told to use the title "doctor" with the patients they see. They are scholars - they're still in school - but the medical profession wants to have it both ways: "doctor" meaning "student" and meaning "professional who has acquired some special credential".
-
Saturday 25th January 2020 02:13 GMT Martin-73
Re: Engineer ?
If you call yourself an engineer, be prepared to back it up with documents, in many US states... but not in others.
Your own personal experience will dictate what 'feels right'. However, 100% on mocking people who hire an engineer and don't check the actual qualifications. It's the reason most engineers put their qualifications after their name.
-
Saturday 25th January 2020 02:12 GMT Martin-73
Re: Engineer ?
In some places engineer is a protected term. In others it is not.
Example from my own field: Telephone Engineer.
Back in the day, it was actually quite apt, you had to have multiple C&G electrical and mechanical engineering courses under your belt, along with BPO (British Post Office) training courses, because you were dealing with fault finding and repairing highly complex electromechanical systems to individual component level.
The actual guys putting phones in were called technicians or installers.
Time happens.
2020: everyone working in the industry (fewer than ever before) is an engineer.
-
Friday 24th January 2020 14:32 GMT Loyal Commenter
I'm going to go with:
Step 1: Ooh, let's start a new quick-and-dirty test project as a proof-of-concept for something or other
Step 2: I'll create a folder for it and stick that in a new repository
Step 3: (omitted) I'll create a .gitignore so I don't waste space with object files, and all my test config files
Step 4: This bit needs some cloud services. I'll stick the key in the config file
Step 5: It's Friday afternoon, time to go to the pub; before I go for the week, let's make sure I've committed everything I'm working on...
-
Friday 24th January 2020 17:40 GMT malfeasance
so-called engineers that don't understand the tools they use
You're bang on, seen that so many times; which is confusing since you can easily have an excludes file in your ~/.gitignore a-la
[core]
excludesfile = /home/user/globals/gitignore
And then in that gitignore file have a "__localonly" line; this means, doesn't matter what project I'm working on, I create a __localonly directory and stuff all the hard-coded nonsense in there.
Never gets checked in, never gets pushed, doesn't ruin anyone else's pristine filesystem...
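As an added example (not the commenter's own setup), the script below builds the global-excludes arrangement described above inside a throwaway HOME and uses git check-ignore to confirm that a __localonly directory never becomes stageable. It assumes git and mktemp are on the PATH; the repository contents are constructed for the demo.

```shell
#!/bin/sh
# Added example: a global core.excludesfile containing "__localonly" keeps
# hard-coded secrets out of every repository on the machine. Everything runs
# under a temporary HOME so the real ~/.gitconfig is never touched.
set -eu

# Create an isolated HOME, write the global excludes file, and build a sample
# repository with one "secret" file and one ordinary source file (constructed).
setup_sandbox() {
    SANDBOX=$(mktemp -d)
    export HOME="$SANDBOX/home"
    mkdir -p "$HOME/globals"
    git config --global core.excludesfile "$HOME/globals/gitignore"
    printf '__localonly\n' > "$HOME/globals/gitignore"
    REPO="$SANDBOX/demo"
    git init -q "$REPO"
    mkdir -p "$REPO/__localonly" "$REPO/src"
    printf 'AWS_SECRET=placeholder-not-a-real-key\n' > "$REPO/__localonly/creds.env"
    printf 'int main(void) { return 0; }\n' > "$REPO/src/main.c"
}

# Exit 0 if git would ignore the given repo-relative path, 1 otherwise.
is_ignored() {
    git -C "$REPO" check-ignore -q -- "$1"
}

# List what "git add ." would actually pick up: untracked, non-ignored files.
list_stageable() {
    git -C "$REPO" ls-files --others --exclude-standard
}

setup_sandbox
if is_ignored __localonly/creds.env; then
    echo "__localonly/creds.env: ignored (would not be committed)"
fi
echo "files git would stage: $(list_stageable)"
```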
-
Friday 24th January 2020 14:15 GMT Anonymous Coward
Re: "no customer data or company systems were exposed."
AWS Security will wake up engineers to rotate passwords if they are not able to rotate passwords themselves without impact. They will also contact any impacted customers (accounts with premium support would get a phone call) to rotate passwords or keys, and run automated audits of the use of the exposed keys and accounts.
Basically action taken by this individual was a violation of security policies (and mandatory annual training that goes with it), each of which is a fire-able offense.
AWS employees get personal AWS accounts that use SSO federation, so you never need the root credentials. Service accounts are secured similarly. The only passwords AWS engineers need to remember are their own network logins and 2FA PIN/password. There are systems available that take secure care of credential and key materials.
Of course, there are services (including self-service git repos etc. etc.) available to engineers to backup any documents or code securely, there was no business need to use a github repo (or even an S3 bucket).
-
Friday 24th January 2020 14:38 GMT Loyal Commenter
Re: "no customer data or company systems were exposed."
The fact that this was an unstructured repo (not source code) and contained things such as training materials, makes me think this wasn't an engineer, but some breed of marketeer or trainer, who was using git as if it was a file management system such as sharepoint, for its versioning abilities, but nothing else. The fact that they seem to have had access to some client's keys implies that they might be relatively senior, in which case I expect that they will get off scot-free for their transgressions.
-
Friday 24th January 2020 17:15 GMT Claptrap314
You need a better story
The simplest story is that someone put their home directory into git. Either to facilitate a migration between computers, or to facilitate data access.
I've only heard about such things from techies. I really, really doubt marketers would have the wherewithal to do such a thing.
So--someone puts their homedir into git, then realizes that they need to push the data somewhere so that they can grab it from outside the company.
Whoops. Github repos are public by default.
So yes, no customer data impact. Limited Amazon corporate data leak. Significant Amazon data leak relative to the individual. Huge personal data leak for the individual.
-
Saturday 25th January 2020 06:13 GMT MachDiamond
Re: You need a better story
"I really, really doubt marketers would have the wherewithal to do such a thing."
I've worked with lots of people that know just enough to be a huge menace. They watched a bad YouTube video that never covered the downside of the operation or the person stopped watching before they got to the warnings.
-