3 posts in this topic

Posted

By not setting their cloud storage accounts to private, businesses and developers have been inadvertently allowing unauthorized parties to retrieve sensitive documents, images and other files previously believed to be inaccessible. According to Net Security, just by probing Amazon's S3 servers with automatically generated URLs for a number of major companies and websites, security researcher Will Vandevanter was able to discover 12,328 unique S3 "buckets," 1,951 of which were left open to the public.

From those 1,951 buckets, Vandevanter was able to generate a list of 126 billion files. The sheer scale of data available made it impossible for it all to be analyzed, but from a sample of 40,000 publicly visible files, personal data belonging to a "medium-sized social media service" was accessed, as were car dealership sales records, affiliate tracking data, employee data spreadsheets, unencrypted database backups, and videogame source code from a mobile games developer. In total, 60 percent of files were images, but different social media sites were identified to be exposing user pictures and videos. In order to harvest the files, Vandevanter took a list of Fortune 1000 companies and the top 100,000 Alexa websites and tested possible server address permutations on the amazonaws.com domain, before feeding them into Bing's Search API to identify if they were open.

Amazon sets S3 accounts to private by default, but buckets can be opened to the public manually or as a result of misconfiguration. Treating Vandevanter's research with a matter of urgency, Amazon has begun warning its users that their files might be publicly accessible, and is "putting measures in place to proactively identify misconfigured files and buckets moving forward."

http://www.theverge.com/2013/3/27/4152964/researcher-exposes-data-businesses-amazon-s3

Things are only as secure as the users.
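A defender-side check for the kind of misconfiguration the article describes, added here as an example (it is not from the post, the article, or Amazon's own tooling). It inspects the ACL and policy documents a bucket returns, in the shapes the S3 GetBucketAcl and GetBucketPolicy APIs use, and flags grants to the AllUsers / AuthenticatedUsers groups or to a wildcard principal; the sample documents below are constructed.

```python
import json

# The two predefined S3 groups whose grants make a bucket or object public.
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def acl_public_permissions(acl):
    """Permissions an ACL (GetBucketAcl shape) grants to the public groups.
    READ on a bucket ACL is what lets anyone list the bucket's keys."""
    found = set()
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            found.add(grant["Permission"])
    return found


def _is_public_principal(principal):
    # Both 'Principal': '*' and 'Principal': {'AWS': '*'} mean "anyone".
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def policy_public_actions(policy_json):
    """Actions a bucket policy (GetBucketPolicy JSON) allows unconditionally to anyone.
    Statements with a Condition are skipped here; they narrow the grant and need review."""
    statements = json.loads(policy_json).get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    actions = set()
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        if _is_public_principal(stmt.get("Principal")):
            act = stmt.get("Action", [])
            actions.update([act] if isinstance(act, str) else act)
    return actions


def bucket_is_public(acl, policy_json=None):
    """True if either the ACL or the policy opens the bucket to the public."""
    return bool(acl_public_permissions(acl)) or bool(policy_json and policy_public_actions(policy_json))


# Constructed sample documents (placeholder IDs, not real buckets).
PRIVATE_ACL = {"Owner": {"ID": "owner-id"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"}]}
PUBLIC_ACL = {"Owner": {"ID": "owner-id"}, "Grants": PRIVATE_ACL["Grants"] + [
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"}]}
PUBLIC_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*"}]})
```

Feed the same functions the live output of GetBucketAcl / GetBucketPolicy to audit real buckets; the Condition caveat means a conditional wildcard grant is reported as not public and must be reviewed by hand.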

Posted

User stupidity. The bane of a technician's life, and our biggest source of income at the same time.

Posted

gamigo.com and forumcore.net got hacked and databases exposed recently too

And a few more

https://shouldichangemypassword.com/sources.php
