Horangi
• CloudDevSecOps Fanatic
• 4+ years working on AWS
• AWS Areas of Interest:
• AWS Multi-Account Architectures
• Cloud Security
• Totally uncertified and proud :P
• Ate 24 buffalo wings at last year’s re:Invent Tatonka Challenge
Accenture Leak
• Bucket(s): acp-deployment, acpcollector, acp-software, acp-ssl
• Highly sensitive data about Accenture Cloud Platform, its inner workings, and Accenture clients using the platform
• 40,000 passwords stored in plaintext, architectural information and code for the company's client-facing cloud platform, decryption keys, certificates, API data and administrator login credentials
• https://www.upguard.com/breaches/cloud-leak-accenture
Street Cred --
May 2019 – Attunity Leak
• Bucket(s): attunity-it, attunity-patch, attunity-support
• 750 gigabytes of compressed email backup exposed, including Netflix, Ford, TD Bank
• https://www.upguard.com/breaches/attunity-data-leak
Street Cred --
Partner
• Bucket(s): verizon-sftp
• Bucket was operated by a third-party partner, NICE Systems
• Names, addresses, account details, and account personal identification numbers (PINs) of as many as 14 million US customers of telecommunications carrier Verizon
• https://www.upguard.com/breaches/verizon-cloud-leak
Street Cred --
Jan 2019 – Third-Party Apps
• Cultura Colectiva
• Bucket(s): cc-datalake
• 146 gigabytes, containing over 540 million records detailing comments, likes, reactions, account names, FB IDs and more
• At the Pool
• FB user data for 22K users, including plaintext passwords
• https://www.upguard.com/breaches/facebook-user-data-leak
Street Cred --
to discover S3 buckets
• Powered by dictionaries + pattern techniques
• Some specialized tools like https://github.com/jordanpotti/AWSBucketDump can even dump a bucket’s content or search for contents within the bucket
public access
• For every bucket it gives you a report with:
• An indicator of whether your bucket is public or not
• The permissions for your bucket if it is public
• A list of URLs to access your bucket (non-public buckets will return Access Denied) if it is public
• https://github.com/kromtech/s3-inspector
opinion is that the security problem with S3 is one of product design."
• Key Points
• Can’t break legacy
• #1: Any Authenticated Users
• #2: Inconsistent ACLs and Bucket Policies (effective access is the union of all the IAM policies, S3 bucket policies, and S3 ACLs that apply)
• Recommendation
• Split S3 up into Amazon Web Hosting and Amazon Private Storage
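The public-bucket report described above (public or not, which permissions, access URLs) boils down to inspecting the ACL grants for the two predefined global groups, AllUsers and AuthenticatedUsers (the slides' point #1). The following is an added example, not s3-inspector's code; the ACL dict is constructed to mirror the shape boto3's `get_bucket_acl()` returns, the bucket name is a placeholder, and it covers ACLs only, so a bucket policy granting `Principal: "*"` (point #2) would still need a separate check.

```python
"""Classify an S3 bucket ACL the way a public-access report would (added example, offline)."""
from typing import Dict, List

# Predefined S3 group URIs that appear as Group grantees in ACL grants.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
GROUP_NAMES = {ALL_USERS: "AllUsers", AUTHENTICATED_USERS: "AuthenticatedUsers"}


def group_permissions(acl: Dict) -> Dict[str, List[str]]:
    """Map each global group to the permissions the ACL grants it (empty list if none)."""
    found: Dict[str, List[str]] = {name: [] for name in GROUP_NAMES.values()}
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        # Only Group grantees can be public; CanonicalUser grants are account-scoped.
        if grantee.get("Type") == "Group" and grantee.get("URI") in GROUP_NAMES:
            found[GROUP_NAMES[grantee["URI"]]].append(grant["Permission"])
    return found


def is_public(acl: Dict) -> bool:
    """A bucket counts as public if either global group holds any permission at all."""
    return any(group_permissions(acl).values())


def report(bucket: str, acl: Dict) -> Dict:
    """Per-bucket report: public flag, offending permissions, and access URLs."""
    perms = group_permissions(acl)
    public = any(perms.values())
    return {
        "bucket": bucket,
        "public": public,
        "permissions": {g: p for g, p in perms.items() if p},
        # Virtual-hosted-style URL; a non-public bucket answers Access Denied here.
        "urls": [f"https://{bucket}.s3.amazonaws.com/"] if public else [],
    }


# Constructed sample ACL: owner has FULL_CONTROL, AllUsers may READ (list objects),
# AuthenticatedUsers (any AWS account) may WRITE (upload). IDs are placeholders.
SAMPLE_ACL = {
    "Owner": {"ID": "EXAMPLE-CANONICAL-ID"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-CANONICAL-ID"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS}, "Permission": "WRITE"},
    ],
}

if __name__ == "__main__":
    print(report("example-bucket", SAMPLE_ACL))
```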
an unauthorized user accessed data stored in AWS S3 buckets belonging to Capital One.
• The unauthorized user exfiltrated the data and stored it on GitHub under their real name, Paige Thompson, as well as boasting about the data theft in a Slack channel and on Twitter using the pseudonym “erratic”.
• Loss of over 100 million credit card applications and 100 thousand social security numbers
tricks a server into executing commands on behalf of a remote user, enabling the user to treat the server as a proxy for his or her requests and get access to non-public endpoints.
sacked techie who rampaged through his former employer's AWS accounts with a purloined login, nuking 23 servers and triggering a wave of redundancies, has been jailed.”
• Got hold of a former colleague's AWS login and destroyed what police and prosecutors claimed was £500,000 worth of business-critical data
• Did not implement multi-factor authentication
• IP traced: "One of their customers is Valtech, and the defendant was employed by Valtech in Manchester and was dismissed... at the time of the attack”
• https://www.theregister.co.uk/2019/03/20/steffan_needham_aws_rampage_prison_sentence_voova/
but …
• If I had to call it one thing, it would be a “Security Game Day”
• Key Learnings
• Assume everything is compromised
• There is probably a lot more going on than you think is happening. Think motive
• Avoid putting all your eggs into one basket
• Hard to conduct forensics without proper tools or audit services set up properly
• Avoid having long-lived keys and IAM users
• Set effective guardrails
IP space that is announced by somebody not allowed by the owner of the space
• In order for a leak to be accepted, it must either be:
• A more specific (smaller) prefix (10.0.0.1/32 = 1 IP vs 10.0.0.0/24 = 256 IPs)
• Or have better metrics than a prefix with the same length (shorter path)
• This IP space is allocated to Amazon (AS16509). But the ASN that announced it was eNet Inc (AS10297), to their peers, and forwarded to Hurricane Electric (AS6939), Level 3. Level 3 (AS3356) and NTT (AS2914) did not accept the announcement
• Announcements
• 205.251.199.0/24 over 205.251.192.0/23
• 205.251.197.0/24 over 205.251.194.0/23
• 205.251.195.0/24 over 205.251.196.0/23
• 205.251.193.0/24 over 205.251.198.0/23
how to defend
• Security is everyone’s responsibility
• If you are scrambling during an incident, you are already too late
• Adopt a zero-trust, sceptical mindset
• Don’t let people shoot themselves in the foot easily