In recent months, security misconfigurations of cloud services have been behind a series of serious, unintended data disclosures. Given its market share, it is naturally Amazon's S3 service that has most often been hit.
Configuration errors, not vulnerabilities
More and more often, the vulnerability sits between the chair and the keyboard. The latest S3 data-loss mishaps are there to remind us of that.
To improve the situation, Amazon has taken the bull by the horns and now offers, among other things, bucket-level default encryption (server-side encryption applied automatically to every new object stored in a bucket), alongside clearer warnings in the S3 console for buckets that are publicly accessible. Keep in mind that encryption at rest is transparent to any principal allowed to read an object, so on its own it does not close a bucket whose ACL or policy grants read access to everyone.
New Amazon S3 Encryption & Security Features | Amazon Web Services
Back in 2006, when I announced S3, I wrote "Further, each block is protected by an ACL (Access Control List) allowing the developer to keep the data private, share it for reading, or share it for reading and writing, as desired." Starting from that initial model, with private buckets and ACLs to grant access, […]
and to learn more on this topic:
Amazon moves to stop S3 buckets leaking business data
A long line of very public data breaches has made clear that businesses don't need to be targeted by sophisticated hackers to have private and sensitive data splashed across the newspaper headlines. Your company doesn't need to be hit by a zero-day exploit for its customer database to fall into the hands of online criminals.
7% of All Amazon S3 Servers Are Exposed, Explaining Recent Surge of Data Leaks
During the past year, there has been a surge in data breach reporting regarding Amazon S3 servers left accessible online, and which were exposing private information from all sorts of companies and their customers. In almost all cases, the reason was that companies, through their staff, left Amazon S3 "buckets" configured to allow "public" access.
and here is an anthology of configuration blunders:
Australian Broadcasting Corporation confirms S3 data leak | ZDNet
The Australian Broadcasting Corporation (ABC) has accidentally leaked sensitive data from at least two unsecured Amazon Web Services (AWS) S3 repositories, according to Kromtech Security Center. The government-backed broadcaster has confirmed in a statement that it was notified of the data leak on November 16, and said its technology teams acted promptly to solve the issue.
Massive US military social media spying archive left wide open in AWS S3 buckets
Three misconfigured AWS S3 buckets have been discovered wide open on the public internet containing "dozens of terabytes" of social media posts and similar pages – all scraped from around the world by the US military to identify and profile persons of interest.
Massive Amazon S3 leaks highlight user blind spots in enterprise race to the cloud
Data leaks at Dow Jones, Verizon, and a GOP analytics firm show that companies are forgoing security best practices in order to quickly make it to the cloud. A recent data breach at Dow Jones exposed data including names, addresses, and partial credit card numbers from millions of customers, according to a Monday report from UpGuard.
Verizon Hit by Another Amazon S3 Leak
Verizon’s cybersecurity strategy has been found wanting again after researchers found a trove of sensitive corporate data in a publicly accessible Amazon S3 bucket, which could have given attackers access to parts of its network. The 100MB of data included information on the telecoms giant’s Distributed Vision Services (DVS) middleware, according to Kromtech Security.
Leaky S3 bucket sloshes deets of thousands with US security clearance
Thousands of files containing the personal information of US citizens with classified security clearance have been exposed by an unsecured Amazon server. The sensitive information of an estimated 9,400 job seekers, mostly military veterans, was stored on an Amazon Web Services S3 storage server that required no password to access.
Accenture left a huge trove of sensitive data on exposed servers
Technology and cloud giant Accenture has confirmed it inadvertently left a massive store of private data across four unsecured cloud servers, exposing highly sensitive passwords and secret decryption keys that could have inflicted considerable damage on the company and its customers.
A Misconfigured Amazon S3 Exposed Almost 50 Thousand PII in Australia
A misconfigured Amazon S3 bucket has accidentally compromised 48,270 personally identifiable information (PII) records of Australian employees working in government agencies, banks, and a utility company. The leaked PII includes full names, passwords, IDs, phone numbers, email addresses, and some credit card numbers. Salary and expense details were also exposed.
and yet another case: https://www.infosecurity-magazine.com/news/100gb-secret-consumer-credit-data/
and yet another problem: http://www.lemondeinformatique.fr/actualites/lire-un-sous-traitant-du-pentagone-laisse-fuiter-1-8-milliard-de-posts-sur-s3-70030.html
and again here:
Massive Cloud Leak Exposes Alteryx, Experian, US Census Bureau Data
A misconfigured Amazon Web Services S3 storage bucket exposed sensitive data on consumers’ financial histories, contact information, and mortgage ownership.