When will people secure their S3 buckets!?
What do Dow Jones, the Republican National Committee, the WWE, Department of Defense contractors, Verizon and now Viacom have in common? They have all had data exfiltrated from their companies through misconfigured S3 buckets. What’s worse this time is that the exposed bucket was basically a set of master keys hidden under the doormat: Puppet scripts including passwords, access keys, master AWS credentials, all kinds of scary things. All this comes after widespread coverage of the issue and attempts by Amazon to warn customers with publicly accessible data in their buckets.
Much of this boils down to laziness. Yes, security is hard. Yes, sharing files safely between people involves a few annoying steps, like making sure everyone has a valid way of authenticating themselves to the file sharing service.
How many more companies need to have their data exposed? How many more people need to have their information exposed? If we as an industry can’t apply CVE patches and keep our S3 buckets secure we are failing society. We are like children running with scissors.
There is no such thing as a shortcut
Everyone is always trying to cut a corner and make things faster. We’re always looking for a quick fix. I’m going to tell you a secret: there is no such thing as a shortcut. The mere idea of one is an oxymoron. If it were actually a better, faster way of doing it, it would simply be called “The Way™”. We’ve all been there: you’re staring down the barrel of a problem and you know that if you could just skip a few steps that were out of your normal workflow you could be done already. “What’s the harm?” you think to yourself. “What could go wrong?” you wonder as you turn off the security on your S3 bucket.
A LOT can go wrong. The loss of your organization’s secrets and/or the private information of your customers/users could be the harm. And it’s not like this is some kind of cockamamie story invented by the guy in your security department (you do have one of those, right?) to scare you into believing his job is necessary.
Stop trying to finish your task before you’ve even begun. Learn to plan for these sorts of things as part of development and/or deployment time.
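One concrete thing to plan into that deployment step is an audit of who can read a bucket. The check below is an added example, not code from the original post: it takes a bucket ACL and a bucket policy in the shape the S3 GetBucketAcl and GetBucketPolicy APIs return and flags grants to the AllUsers/AuthenticatedUsers groups and Allow statements with a wildcard principal. The ACL and policy documents are constructed by hand so the script runs offline; the bucket name, account id and role ARN in them are made up.

```python
"""Flag S3 bucket ACLs and bucket policies that expose data to the world.

Added example, not code from the original post. The documents below are
constructed in the shape the S3 GetBucketAcl / GetBucketPolicy APIs return,
so the check runs offline; in a pipeline you would feed it the real output.
"""
import json

# Grantee URIs S3 uses for "everyone" and "any authenticated AWS account".
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def public_acl_grants(acl):
    """Return (grantee_uri, permission) for every ACL grant to a public group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            findings.append((grantee["URI"], grant.get("Permission")))
    return findings


def _is_wildcard_principal(principal):
    # A policy Principal is either the string "*" or a map like {"AWS": "*"}
    # (values may also be lists of ARNs containing "*").
    if principal == "*":
        return True
    if isinstance(principal, dict):
        for value in principal.values():
            values = value if isinstance(value, list) else [value]
            if "*" in values:
                return True
    return False


def public_policy_statements(policy):
    """Return (Sid, actions, has_condition) for Allow statements open to anyone.

    A Condition block (e.g. a source VPC endpoint) may still make such a
    statement safe, so it is reported for manual review instead of failed.
    """
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement need not be a list
        statements = [statements]
    for st in statements:
        if st.get("Effect") != "Allow" or not _is_wildcard_principal(st.get("Principal")):
            continue
        actions = st.get("Action", [])
        actions = actions if isinstance(actions, list) else [actions]
        findings.append((st.get("Sid", "<no Sid>"), actions, "Condition" in st))
    return findings


def audit_bucket(acl, policy):
    """Run both checks and return human-readable findings (empty list = clean)."""
    report = [f"ACL grants {perm} to {uri}" for uri, perm in public_acl_grants(acl)]
    for sid, actions, conditional in public_policy_statements(policy):
        note = " (has Condition, review manually)" if conditional else ""
        report.append(f"policy statement {sid} allows {actions} to any principal{note}")
    return report


# --- Constructed sample documents (made-up bucket, account id and role) ---
OWNER = {"Type": "CanonicalUser", "ID": "exampleownercanonicalid"}
LEAKY_ACL = {"Owner": {"ID": OWNER["ID"]}, "Grants": [
    {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": PUBLIC_GRANTEE_URIS and
                 "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
]}
FIXED_ACL = {"Owner": {"ID": OWNER["ID"]}, "Grants": [
    {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
]}
# GetBucketPolicy returns the policy as a JSON string, hence json.loads here.
LEAKY_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-deploy-bucket/*"}]}""")
FIXED_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [{
    "Sid": "DeployRoleOnly", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/deploy-role"},
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-deploy-bucket",
                 "arn:aws:s3:::example-deploy-bucket/*"]}]}""")

if __name__ == "__main__":
    for name, acl, policy in (("leaky", LEAKY_ACL, LEAKY_POLICY),
                              ("fixed", FIXED_ACL, FIXED_POLICY)):
        print(name, audit_bucket(acl, policy) or ["no public access found"])
```

The leaky pair is exactly the "doormat" configuration: an ACL READ grant to AllUsers plus a policy that lets any principal call s3:GetObject on the whole bucket. The fixed pair keeps only the owner grant and scopes the policy to one IAM role, which is the "valid way of authenticating" the post asks for. Fail the deployment when the report is non-empty.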
It shouldn’t be DevOps, it should be DevSecOps
Over the last few years DevOps has become a massive, growing trend in IT for automating the deployment of projects. Many saw this as a tool to put power in developers’ hands. In small startups this was especially great. No longer did a small team of programmers need a sysadmin while they were trying to get their app off the ground. But this was a very slippery slope.
Some generalizations about developers:
- developers are lazy; doing things securely is tedious and time consuming
- developers are not sysadmins; sudo apt install nginx does NOT make you a sysadmin
- developers have a very limited concept of security; security through obscurity is NOT security
If your organization is too small to afford a full-time sysadmin, make sure you have as many developers who are exceptions to the above as possible.
Certifications and Training
Our industry has survived for a long time on self-regulation. Unlike doctors, nurses, teachers, lawyers, mechanics, electricians, welders and many other professions, there is no hard formal requirement of education to have a career in IT. Part of this was because of a sudden boom in demand for IT staff and tons of kids that “knew how to use computers good”, and an entire age of computing was born. I think that some of the recent events highlight the need for more formalization of education and certification as an industry. I think the GDPR will go a long way from a privacy standpoint, but companies need to be training their staff. For years companies have reaped huge profits off the internet while seeing little overhead in operating in this space. I argue the costs have been there all along and we have been ignoring them. The time has come to pay our technical debts, and the costs may be higher than we realized.
First and foremost, everyone should take personal responsibility for their computer and what they do with it. Try to keep yourself informed, learn to be cautious with your computer, check out some videos, take a Udemy course. Do something each year to refresh what you know or maybe learn more than the year before.
Some of these suggestions are for people who know little to nothing, and if you’re reading this blog then that isn’t you. However, if you’re reading this blog I think you have a responsibility to ensure the people around you and in your life have a basic concept of how to use their computer safely. Knowledge is power, and with great knowledge comes great responsibility. Security awareness month is coming. Take the time to share helpful advice with your friends and family.