September 27, 2016

Misconfigured Amazon S3 storage buckets exposing private data

(LiveHacking.Com) – Some recent research has shown that thousands of Amazon customers are configuring their storage services incorrectly, leading to potentially sensitive data being exposed on the Internet. Amazon offers a cloud storage solution called Amazon Simple Storage Service, or S3 for short. This storage can be used to store almost anything and is often used by businesses for private data like backups, company documents and log files, and for public content like web page graphics and PDF files.

Amazon organizes the S3 storage in logical containers called “buckets” which have a predictable URL (http://s3.amazonaws.com/[bucket_name]/ or http://[bucket_name].s3.amazonaws.com/) and are either marked as private or public. A public bucket is one where any user can obtain a list of all the files in the bucket. Trying to access a private bucket will result in an access denied error, but accessing a public bucket will list the files in the container.

A tester at Rapid7 has performed some research to try to ascertain how many S3 buckets have been misconfigured. The initial search for buckets revealed 12,328 buckets in total, of which 1,951 were publicly accessible. That means that about 1 in 6 S3 buckets are open. According to the research these buckets contained some 126 billion files! It is unrealistic to test the access rights to so many files, but by testing a sample of 40,000 files Rapid7 gained access to sales records and account information; affiliate tracking data; employee personal information and member lists across various spreadsheets; and video game source code and development tools for a mobile gaming firm!

The findings underline one of the core principles of computer security: any security protection which isn’t configured correctly is the same as no security protection! For those using S3 the message is clear: check the permissions. Amazon has some useful information on protecting data stored in Amazon S3.
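As an added defender-side check that is not part of the article: the script below parses the XML document that Amazon’s GetBucketAcl call returns for a bucket (the two sample ACLs are constructed inline) and flags grants to the AllUsers or AuthenticatedUsers groups, which are the grants that turn a bucket into the kind of publicly listable container described above.

```python
import xml.etree.ElementTree as ET

# Namespaces used in the ACL document that S3's GetBucketAcl call returns.
S3_NS = {"s3": "http://s3.amazonaws.com/doc/2006-03-01/"}
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

# Amazon's predefined group grantees; a grant to either one opens the bucket beyond its owner.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone on the Internet",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account holder",
}
# On a bucket, READ (or FULL_CONTROL) is exactly the permission that lets a caller list its files.
LISTING_PERMS = {"READ", "FULL_CONTROL"}

def public_grants(acl_xml):
    """Return [(who, permission)] for every grant made to a public group grantee."""
    root = ET.fromstring(acl_xml)
    findings = []
    for grant in root.iterfind("s3:AccessControlList/s3:Grant", S3_NS):
        grantee = grant.find("s3:Grantee", S3_NS)
        if grantee is None or grantee.get(XSI_TYPE) != "Group":
            continue  # CanonicalUser / AmazonCustomerByEmail grants name a specific account
        uri = grantee.findtext("s3:URI", default="", namespaces=S3_NS)
        if uri in PUBLIC_GROUPS:
            perm = grant.findtext("s3:Permission", default="", namespaces=S3_NS)
            findings.append((PUBLIC_GROUPS[uri], perm))
    return findings

def is_listable_by_anyone(acl_xml):
    """True when the ACL lets an anonymous caller list the bucket's contents."""
    return any(who == "anyone on the Internet" and perm in LISTING_PERMS
               for who, perm in public_grants(acl_xml))

# Constructed sample ACLs: an owner-only bucket and a bucket with the classic public-read grant.
OWNER_GRANT = ('<Grant><Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" '
               'xsi:type="CanonicalUser"><ID>owner-id</ID></Grantee>'
               '<Permission>FULL_CONTROL</Permission></Grant>')
ALLUSERS_GRANT = ('<Grant><Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" '
                  'xsi:type="Group"><URI>http://acs.amazonaws.com/groups/global/AllUsers</URI>'
                  '</Grantee><Permission>READ</Permission></Grant>')
PRIVATE_ACL = ('<AccessControlPolicy xmlns="http://s3.amazonaws.com/doc/2006-03-01/">'
               '<Owner><ID>owner-id</ID></Owner><AccessControlList>' + OWNER_GRANT +
               '</AccessControlList></AccessControlPolicy>')
PUBLIC_ACL = PRIVATE_ACL.replace(OWNER_GRANT, OWNER_GRANT + ALLUSERS_GRANT)

if __name__ == "__main__":
    for name, acl in (("private", PRIVATE_ACL), ("public", PUBLIC_ACL)):
        print(name, public_grants(acl), "listable:", is_listable_by_anyone(acl))
```

The same check applies to the XML returned for an object’s ACL, where a READ grant to AllUsers makes that single file downloadable by anyone.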


Will the Kindle Fire be Safe for Web Browsing?

(LiveHacking.Com) – Amazon has just announced its new 7 inch Android based tablet which includes what Amazon are calling “Revolutionary Cloud-Accelerated” web browsing. Amazon Silk, as it is known, splits web browsing into two domains – the things that run on the tablet and the things that run on the Amazon Elastic Compute Cloud (Amazon EC2).

As some of the world’s top web sites are hosted on EC2, Amazon say that web surfing will be faster as “many web requests will never leave the extended infrastructure of AWS, reducing transit times to only a few milliseconds.”

However, the real worry is that with Silk all fetching, and probably some form of optimization and compression, will be performed in the cloud and the result sent to the Kindle. Amazon explain it like this:

Silk uses the power and speed of the EC2 server fleet to retrieve all of the components of a website simultaneously, and delivers them to Kindle Fire in a single, fast stream. Transferring computing-intensive tasks to EC2 helps to conserve your Kindle Fire battery life.

To do all this Amazon needs to keep a record of what web sites you have been using. The FAQ explains it like this:

Amazon Silk optimizes and accelerates the delivery of web content by using Amazon’s cloud computing services. To do this, the content of web pages you visit using Amazon Silk may be cached to improve performance and certain web address information will be collected to help troubleshoot and diagnose Amazon Silk technical issues.

So what about secure connections like HTTPS? The FAQ says:

We will establish a secure connection from the cloud to the site owner on your behalf for page requests of sites using SSL (e.g. https://siteaddress.com). Amazon Silk will facilitate a direct connection between your device and that site. Any security provided by these particular sites to their users would still exist.

A look at the terms and conditions reveals that Amazon will keep a log of the websites you visit for “generally” no more than 30 days:

Amazon Silk also temporarily logs web addresses known as uniform resource locators (“URLs”) for the web pages it serves and certain identifiers, such as IP or MAC addresses, to troubleshoot and diagnose Amazon Silk technical issues. We generally do not keep this information for longer than 30 days.

Obviously the privacy implications are enormous. It is very likely that a court order can be issued to Amazon to hand over the details of all your browsing.

There is one good bit of news however:

You can also choose to operate Amazon Silk in basic or “off-cloud” mode. Off-cloud mode allows web pages generally to go directly to your computer rather than pass through our servers. As such, it does not take advantage of Amazon’s cloud computing services to speed-up web content delivery.

Amazon EC2 Used to Hack Wi-Fi – WPA Now Redundant?

German researcher Thomas Roth has announced that he has successfully been able to break into a Wi-Fi network encrypted with the Wi-Fi Protected Access (WPA) protocol in under 6 minutes by using Amazon EC2 cloud computing.

Roth uses a brute force approach to try to gain entry to the network. Using Amazon’s cloud based computing, which can be rented for just 28 cents per minute, his technique is to attack the WPA passphrase by trying up to 400,000 passwords per second. This means that in 6 minutes Roth’s software tries 144,000,000 passwords.

When speaking to Reuters Roth said “People tell me there is no possible way to break WPA, or, if it were possible, it would cost you a ton of money to do so. But it is easy to brute force them.”

Roth will present his software to the public and teach people how to use it later this month at the Black Hat hacking conference in Washington, D.C.

Amazon have been quick to point out that using Amazon Web Services (AWS) and its Elastic Compute Cloud (EC2) computing service against a Wi-Fi network without the permission of the network owner violates their terms and conditions (and is illegal in many places around the world).

Live Hacking Book Sees Strong Sales on Amazon.com; New Distribution Channels to Open Before the End of the Year

Live Hacking, a recently published guide to hacking techniques and countermeasures for ethical hackers, has seen strong sales on Amazon.com, and new distribution channels have now been put into place to make the book available worldwide by the end of December.

Dr. Ali Jahangiri, a world-renowned computer security expert, is pleased to announce that sales of his new book Live Hacking, a complete guide to the techniques of hacking written to instruct and educate IT professionals, have been a huge success via the online store Amazon.com. Although Amazon.com ships worldwide, it is primarily targeted at the North American market. To make Live Hacking available to a wider audience, new distribution channels will be available before the end of the year.

Live Hacking, which covers all of the important aspects of ethical hacking and starts with Basic Hacking Terminology and progresses to look at the different areas of hacking and security, has an accompanying website livehacking.com. Here you can find a sample chapter from the book on Wireless Networking Hacking. This chapter covers simpler topics like Wardriving and Warchalking as well as advanced topics like How To Perform an Attack on WEP & WPA and Rogue Access Points.

Considering the specialist nature of the topics covered in Live Hacking, the sales of the book have been a huge success. Written in a clear and easy to understand way the book aims to educate, train and inform. It is recommended for anyone working in IT with an interest in security.

By the end of the year Live Hacking will be available through new distribution channels which will reach a larger audience through more outlets, including retailers, bookstores, libraries, academic institutions, wholesalers, and distributors worldwide. The book will be available on five continents and many reputable local book stores will have Live Hacking on the shelves.

New Book ‘Live Hacking’ Benefits Candidates of the Certified Ethical Hacker Course

‘Live Hacking’ aims to educate IT professionals about hacking techniques and countermeasures. At the same time it can be a valuable resource for those taking the EC-Council’s Certified Ethical Hacker course.

Dr. Ali Jahangiri, a recipient of the Instructor Circle of Excellence Award in 2009 from the EC-Council for his Certified Ethical Hacker (CEH) and Certified Hacking Forensic Investigator (CHFI) workshops, is pleased to announce the launch of his new book ‘Live Hacking’. Not only is Live Hacking a guide to hacking techniques and countermeasures for ethical hackers, it is also a great resource for those IT professionals who are taking the EC-Council’s Certified Ethical Hacker course.

The Certified Ethical Hacker (312-50 Exam) course from the International Council of E-Commerce Consultants (EC-Council) is a professional certification program in which candidates learn to use the same tools and techniques used by hackers, and so learn how to find weaknesses in IT systems and then how to make those systems more secure.

In ethical hacking, the hacker is authorized and trusted to try to penetrate a network to find its vulnerabilities. This is very different from illegal hacking, where a criminal tries to access computers without authorization.

For those interested in ethical hacking and the EC-Council’s 312-50 certification program, Live Hacking is a valuable resource. It is written to instruct and educate IT professionals and so prepare them to protect their computer systems from potential hacking threats.

Live Hacking, which is available from Amazon.com, covers all of the important aspects of ethical hacking and starts with Basic Hacking Terminology and progresses to look at the different areas of hacking and security including Google Hacking, Scanning, Password Cracking, Windows Hacking and hacking on Wireless Networks.
The Live Hacking book also has an accompanying website livehacking.com where you can find a sample chapter on Wireless Networking Hacking and other information about the book including the table of contents, index and more information about Dr. Jahangiri.

New Book Published Reveals Hacking Techniques and Countermeasures for Ethical Hackers and IT Security Experts

‘Live Hacking’ is published, a comprehensive guide to computer hacking which aims to educate IT professionals about hacking techniques and possible countermeasures.

Dr. Ali Jahangiri, a world-renowned computer security expert, is pleased to announce the launch of his new book “Live Hacking”. Live Hacking is a complete guide to the techniques of hacking written to instruct and educate IT professionals and so prepare them to protect their computer systems from potential hacking threats.

Regardless of the size of a computer network, be it a Fortune 500 company or a small home office, computers need to be protected to limit access to confidential data, to ensure the integrity of such data and to keep the computers and their data available whenever necessary. A hacker will try to defeat those goals and either access confidential data, change the data or remove the availability of the machines holding the information. Dr. Jahangiri’s book looks at the principles, theories and practices of hacking and empowers readers to protect themselves from potential threats.

This book, which is available from Amazon, is truly comprehensive and starts with Basic Hacking Terminology and progresses to look at the different areas of hacking and security including Google Hacking, Password Cracking, Malware and hacking on Wireless Networks. The Live Hacking book also has an accompanying website www.livehacking.com where you can find a sample chapter on Wireless Networking Hacking and other information about the book including the table of contents, index and more information about Dr. Jahangiri.

In writing about this subject Dr. Jahangiri brings his many years of academic, professional, and practical experience to the fore in order to equip his readers with the knowledge they need to defend their data against the ever-increasing cyber-thieves on the Internet.