December 6, 2016

Misconfigured Amazon S3 storage buckets exposing private data

(LiveHacking.Com) – Some recent research has shown that thousands of Amazon customers are configuring their storage services incorrectly, leading to potentially sensitive data being exposed on the Internet. Amazon offers a cloud storage solution called Amazon Simple Storage Service, or S3 for short. This storage can be used to store almost anything and is often used by businesses for private data such as backups, company documents and log files, and for public content such as web page graphics and PDF files.

Amazon organizes S3 storage in logical containers called “buckets”, which have a predictable URL (http://s3.amazonaws.com/[bucket_name]/ or http://[bucket_name].s3.amazonaws.com/) and are marked as either private or public. A public bucket is one where any user can obtain a list of all the files in the bucket. Trying to access a private bucket results in an access denied error, while accessing a public bucket lists the files in the container.

A tester at Rapid7 has performed some research to try to ascertain how many S3 buckets have been misconfigured. The initial search for buckets revealed 12,328 buckets in total, of which 1,951 were publicly accessible. That means that 1 in 6 S3 buckets are open. According to the research these buckets contained some 126 billion files! It is unrealistic to test the access rights to so many files, but by testing a sample of 40,000 files Rapid7 gained access to sales records and account information; affiliate tracking data; employee personal information and member lists across various spreadsheets; and video game source code and development tools for a mobile gaming firm!

The findings underline one of the core principles of computer security: any security protection which isn’t configured correctly is the same as no security protection! For those using S3 the message is clear: check the permissions. Amazon have some useful information on protecting data stored in Amazon S3.
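The two checks a bucket owner would actually run are (a) look at the bucket’s own access control list for grants to the world, and (b) fetch the bucket URL without credentials and see whether it lists keys or returns an access denied error. The following is an added example written for this article, not code from Amazon or from Rapid7; it works entirely offline on constructed sample data. The ACL dictionary has the shape that boto3’s get_bucket_acl() returns, and the two XML bodies are constructed to match the shape of S3 listing and error responses; bucket name, keys and the owner ID are made up.

```python
"""Offline checks for the S3 bucket misconfiguration described above."""
import xml.etree.ElementTree as ET

# Group URIs that make a grant world-readable. AllUsers is anonymous access;
# AuthenticatedUsers is *any* AWS account, not just yours, and is just as bad.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone on the Internet",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account holder",
}


def public_grants(acl):
    """Return (who, permission) pairs for grants that open the bucket to the world.

    `acl` has the shape boto3's s3.get_bucket_acl(Bucket=...) returns.
    """
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            found.append((PUBLIC_GROUPS[grantee["URI"]], grant.get("Permission")))
    return found


S3_NS = "{http://s3.amazonaws.com/doc/2006-03-01/}"


def classify_anonymous_listing(status, body):
    """Classify the reply to an unauthenticated GET of http://<bucket>.s3.amazonaws.com/.

    Returns ("public", [keys]) for a listing, ("private", code) for an error such as
    AccessDenied, ("missing", code) for NoSuchBucket, or ("unknown", None).
    """
    root = ET.fromstring(body.encode() if isinstance(body, str) else body)
    tag = root.tag.split("}")[-1]  # drop the namespace, present on listings only
    if status == 200 and tag == "ListBucketResult":
        keys = [k.text for k in root.iter(S3_NS + "Key")]
        return "public", keys
    if tag == "Error":
        code = root.findtext("Code")
        return ("missing" if code == "NoSuchBucket" else "private"), code
    return "unknown", None


# Constructed sample ACL: the owner has full control, but a second grant
# gives READ (which for a bucket means "list the keys") to AllUsers.
SAMPLE_ACL = {
    "Owner": {"DisplayName": "example-owner", "ID": "EXAMPLE-CANONICAL-ID"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-CANONICAL-ID"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}

# Constructed sample responses to an anonymous GET of the bucket URL.
PUBLIC_LISTING = """<?xml version="1.0" encoding="UTF-8"?>
<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Name>example-bucket</Name><Prefix></Prefix><MaxKeys>1000</MaxKeys>
  <IsTruncated>false</IsTruncated>
  <Contents><Key>backups/db-2016-12-01.sql.gz</Key><Size>10485760</Size></Contents>
  <Contents><Key>hr/employees.xlsx</Key><Size>20480</Size></Contents>
</ListBucketResult>"""

DENIED = """<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message></Error>"""


if __name__ == "__main__":
    for who, perm in public_grants(SAMPLE_ACL):
        print(f"WARNING: bucket grants {perm} to {who}")
    print(classify_anonymous_listing(200, PUBLIC_LISTING))
    print(classify_anonymous_listing(403, DENIED))
```

Against a live account the same functions take their input from `boto3.client("s3").get_bucket_acl(Bucket=name)` and from an unauthenticated HTTP GET of the bucket URL; a bucket that returns a listing to the second check while its ACL looks clean usually has a bucket policy granting the access instead, so both views are worth checking.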


Will the Kindle Fire be Safe for Web Browsing?

(LiveHacking.Com) – Amazon has just announced its new 7-inch Android-based tablet, which includes what Amazon are calling “Revolutionary Cloud-Accelerated” web browsing. Amazon Silk, as it is known, splits web browsing into two domains – the things that run on the tablet and the things that run on the Amazon Elastic Compute Cloud (Amazon EC2).

As some of the world’s top web sites are hosted on EC2, Amazon say that web surfing will be faster as “many web requests will never leave the extended infrastructure of AWS, reducing transit times to only a few milliseconds.”

However, the real worry is that with Silk all fetching, and probably some form of optimization and compression, will be performed in the cloud and the result sent to the Kindle. Amazon explain it like this:

Silk uses the power and speed of the EC2 server fleet to retrieve all of the components of a website simultaneously, and delivers them to Kindle Fire in a single, fast stream. Transferring computing-intensive tasks to EC2 helps to conserve your Kindle Fire battery life.

To do all this Amazon needs to keep a record of what web sites you have been using. The FAQ explains it like this:

Amazon Silk optimizes and accelerates the delivery of web content by using Amazon’s cloud computing services.  To do this, the content of web pages you visit using Amazon Silk may be cached to improve performance and certain web address information will be collected to help troubleshoot and diagnose Amazon Silk technical issues.

So what about secure connections like https?

We will establish a secure connection from the cloud to the site owner on your behalf for page requests of sites using SSL (e.g. https://siteaddress.com). Amazon Silk will facilitate a direct connection between your device and that site. Any security provided by these particular sites to their users would still exist.

A look in the terms and conditions reveals that Amazon will keep a log of your websites for “generally” no more than 30 days:

Amazon Silk also temporarily logs web addresses, known as uniform resource locators (“URLs”), for the web pages it serves and certain identifiers, such as IP or MAC addresses, to troubleshoot and diagnose Amazon Silk technical issues. We generally do not keep this information for longer than 30 days.

Obviously the privacy implications are enormous. It is very likely that a court order can be issued to Amazon to hand over the details of all your browsing.

There is one good bit of news however:

You can also choose to operate Amazon Silk in basic or “off-cloud” mode.  Off-cloud mode allows web pages generally to go directly to your computer rather than pass through our servers.  As such, it does not take advantage of Amazon’s cloud computing services to speed-up web content delivery.

Amazon EC2 Used to Hack Wi-Fi – WPA Now Redundant?

German researcher Thomas Roth has announced that he has successfully broken into a Wi-Fi network encrypted with the Wi-Fi Protected Access (WPA) protocols in under 6 minutes by using Amazon EC2 cloud computing.

Roth uses a brute force approach to try to gain entry to the network. Using Amazon’s cloud-based computing, which can be rented for just 28 cents per minute, his technique is to attack WPA by trying up to 400,000 passwords per second. This means that in 6 minutes Roth’s software tries 144,000,000 passwords.
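The defender’s takeaway from the numbers above is that a brute force attack is bounded by keyspace divided by guess rate, so the passphrase policy decides whether 400,000 guesses per second matters. The example below is added here and is not Roth’s software or anything from the article beyond the quoted rate and duration; it computes how many guesses fit in the quoted 6 minutes and how long exhausting a few common passphrase policies would take at that rate. The policy names and character-set sizes are the author’s own assumptions.

```python
"""Brute force budget calculator for WPA passphrases at a given guess rate."""
import string

GUESSES_PER_SECOND = 400_000   # rate quoted in the article
MINUTES_IN_ARTICLE = 6         # duration quoted in the article


def guesses_in(minutes, rate=GUESSES_PER_SECOND):
    """Total guesses an attacker can make in `minutes` at `rate` guesses/second."""
    return rate * 60 * minutes


def keyspace(alphabet_size, length):
    """Number of distinct passphrases of exactly `length` symbols from an alphabet."""
    return alphabet_size ** length


def seconds_to_exhaust(space, rate=GUESSES_PER_SECOND):
    """Worst-case seconds to try every passphrase in `space` at `rate` guesses/second."""
    return space / rate


def human_duration(seconds):
    """Render a number of seconds in the largest unit that gives a value >= 1."""
    units = [("years", 31_557_600), ("days", 86_400), ("hours", 3_600),
             ("minutes", 60), ("seconds", 1)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.1f} seconds"


# Assumed policies: (alphabet size, length). WPA passphrases are 8 to 63 characters.
POLICIES = {
    "8 lowercase letters": (len(string.ascii_lowercase), 8),
    "8 letters and digits": (len(string.ascii_letters + string.digits), 8),
    "12 mixed letters, digits, punctuation": (len(string.printable.strip()), 12),
    "20 lowercase letters (a word-based passphrase)": (len(string.ascii_lowercase), 20),
}


def policy_report(rate=GUESSES_PER_SECOND):
    """Map each policy name to worst-case seconds to exhaust it at `rate`."""
    return {name: seconds_to_exhaust(keyspace(a, n), rate) for name, (a, n) in POLICIES.items()}


if __name__ == "__main__":
    print(f"Guesses in {MINUTES_IN_ARTICLE} minutes: {guesses_in(MINUTES_IN_ARTICLE):,}")
    for name, secs in policy_report().items():
        print(f"{name:48s} {human_duration(secs)}")
```

The 6-minute figure in the article only says the passphrase fell within the first 144 million guesses, which is true of short or dictionary-based passphrases; the report shows that the same rate needs days for eight random lowercase letters and far longer than a lifetime for a long random one.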

When speaking to Reuters Roth said “People tell me there is no possible way to break WPA, or, if it were possible, it would cost you a ton of money to do so. But it is easy to brute force them.”

Roth will present his software to the public and teach people how to use it later this month at the Black Hat hacking conference in Washington, D.C.

Amazon have been quick to point out that using Amazon Web Services (AWS) and its Elastic Compute Cloud (EC2) computing service in this way without the permission of the Wi-Fi network owner violates their terms and conditions (and is illegal in many places around the world).