There’s a hole in my bucket, Dear Lisa, Dear Lisa

A few weeks ago after our AWS event (where were you all?), we were going to launch into a sermon about the perils of misconfiguring cloud environments.

The specific focus of our attention was the misconfiguration of Amazon’s Simple Storage Service AKA S3 buckets (see what we did there). We have to stress that AWS S3 buckets are secure by default and that in order to allow access to World+Dog, an overworked, underpaid or possibly bored and negligent administrator has to type in the magic runes (Allow:*) and commit the change, simples.

In the last three months alone millions of records have been presented unchallenged to the public, be that the entire Internet or just all other AWS users, which in itself is a significant number.

The large breaches that had been disclosed (and so we can assume there are many yet undiscovered, or discovered and undisclosed) were the following:

  • Time Warner, 4 million customer details. This week
  • TigerSwan, details of thousands of security cleared mercenaries etc. Last week
  • Chicago election board, 1.8 million subscribers details. August 2017
  • Verizon, 14 million customer details. July 2017

Well we can now add another high scoring media company (surprise!) to the list. Step forward Viacom, whose backups of systems and data stored on AWS were discovered to be wide open by none other than Chris Vickery, the eagle-eyed bucket hole spotter from UpGuard.

The breached files contained server configuration details, usernames, passwords and data that would enable an attacker to ’cause enormous damage’ to Viacom’s business including some TV stations you might have heard of like MTV, Comedy Central and Nickelodeon. What a howler.

In this case UpGuard contacted Viacom and the Henry fixed the hole in his bucket pretty quickly (quick enough? Who knows). We do have to wonder what Henry will do with the axe in this 2017 panic remix of the classic children’s Nursery Rhyme.

We do not want misconfiguration of cloud resources to facilitate breaches of our customer’s data or systems and have been working on solutions for cloud environments, including best practice guides, health checks and continuous security monitoring. If you are concerned or just want some advice, please do contact us at: [email protected] or call 020 7517 3900.

In other important news this week, VMware announced an ‘out-of-bounds write vulnerability’ in ESXi version 6.5, Workstation 12.x, and Fusion 8.x on OSX. The implications of this are very serious, even though the bug may be difficult to execute, so we recommend all of you VMware customers to take some time off from counting your every last shilling for your next licence/support contract and patch your VMware estate pronto.

For those of you who are wondering what has happened to the NHS WannaCry hero, arrested in the USA accused of being involved in the creation and distribution of the Zeus banking trojan, Marcus Hutchins, he is still on bail, still pleading not guilty and building a robust defense (for that is how they spell it over there). His defense team will probably be a tad worried by some of the facts to be presented by the Feds, summarised by the mighty Brian Krebs here.

That’s all for this week. We were going to cover the further astonishing blunders of Equifax and now a faux-pas by Experian (hat tip to Krebs once more here) but you are probably reading all about these in the daily papers over your Shreddies. Have a good weekend.