In recent months, security misconfigurations of cloud services have been behind several serious unintended data disclosures. Given its market share, it is of course Amazon's S3 service that has most often been hit.
Configuration errors, not vulnerabilities
More and more often, the vulnerability sits between the chair and the keyboard. The latest S3 data-loss mishaps are there to remind us of it.
To improve the situation, Amazon has taken the bull by the horns and now offers, among other things, to encrypt by default all data stored in its cloud.
Back in 2006, when I announced S3, I wrote "Further, each block is protected by an ACL (Access Control List) allowing the developer to keep the data private, share it for reading, or share it for reading and writing, as desired." Starting from that initial model, with private buckets and ACLs to grant access, […]
And to learn more on this subject:
A long line of very public data breaches have made clear that businesses don’t need to be targeted by sophisticated hackers to have private and sensitive data splashed across the newspaper headlines. Your company doesn’t need to be hit by a zero-day exploit for its customer database to fall into the hands of online criminals.
During the past year, there has been a surge in data breach reporting regarding Amazon S3 servers left accessible online, and which were exposing private information from all sorts of companies and their customers. In almost all cases, the reason was that companies, through their staff, left Amazon S3 “buckets” configured to allow “public” access.
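The misconfiguration described above is a bucket ACL that grants access to one of the predefined "Everyone" groups. The following is an added example, not code from the original post or from Amazon, that audits such ACLs offline: it takes data shaped like the responses of boto3's get_bucket_acl() and get_bucket_encryption() and reports public grants and missing default encryption. The bucket names and ACL contents are constructed sample data.

```python
"""Offline audit of S3 bucket ACL grants and default encryption (added example)."""

# Grantee URIs AWS uses for its predefined public groups in an S3 ACL.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers (anyone on the internet)",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers (any AWS account)",
}

def public_grants(acl):
    """Return [(group, permission), ...] for every grant to a public group.
    `acl` has the shape of a boto3 get_bucket_acl() response."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS:
            findings.append((PUBLIC_GROUP_URIS[grantee["URI"]], grant["Permission"]))
    return findings

def default_encryption_enabled(encryption):
    """True if a get_bucket_encryption()-shaped response carries at least one
    server-side encryption rule, i.e. the 'encrypt everything by default' setting."""
    rules = encryption.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    return any("ApplyServerSideEncryptionByDefault" in rule for rule in rules)

def audit(name, acl, encryption):
    """Return a list of human-readable issues for one bucket (empty when clean)."""
    issues = [f"{name}: grants {perm} to {group}" for group, perm in public_grants(acl)]
    if not default_encryption_enabled(encryption):
        issues.append(f"{name}: default server-side encryption is not configured")
    return issues

# Constructed sample data, not taken from any real account.
OWNER = {"ID": "example-owner-canonical-id"}
LEAKY_ACL = {"Owner": OWNER, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": OWNER["ID"]}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}
PRIVATE_ACL = {"Owner": OWNER, "Grants": [LEAKY_ACL["Grants"][0]]}  # owner only
NO_ENCRYPTION = {}
SSE_ENABLED = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}}

if __name__ == "__main__":
    for line in (audit("leaky-bucket", LEAKY_ACL, NO_ENCRYPTION)
                 + audit("private-bucket", PRIVATE_ACL, SSE_ENABLED)):
        print(line)
```

The check covers ACL grants only; a bucket policy can also open a bucket to the world and needs a separate review.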
And here is an anthology of configuration blunders:
The Australian Broadcasting Corporation (ABC) has accidentally leaked sensitive data from at least two unsecured Amazon Web Services (AWS) S3 repositories, according to Kromtech Security Center. The government-backed broadcaster has confirmed in a statement that it was notified of the data leak on November 16, and said its technology teams acted promptly to solve the issue.
Three misconfigured AWS S3 buckets have been discovered wide open on the public internet containing “dozens of terabytes” of social media posts and similar pages – all scraped from around the world by the US military to identify and profile persons of interest.
A recent data breach at Dow Jones exposed data including names, addresses, and partial credit card numbers from millions of customers, according to a Monday report from UpGuard. The reason for the leak? Dow Jones simply chose the wrong permission settings for the Amazon Web Services (AWS) S3 data repository.
Thousands of files containing the personal information of US citizens with classified security clearance have been exposed by an unsecured Amazon server. The sensitive information of an estimated 9,400 job seekers, mostly military veterans, was stored on an Amazon Web Services S3 storage server that required no password to access.
Technology and cloud giant Accenture has confirmed it inadvertently left a massive store of private data across four unsecured cloud servers, exposing highly sensitive passwords and secret decryption keys that could have inflicted considerable damage on the company and its customers.
A misconfigured Amazon S3 bucket has accidentally compromised 48,270 personally identifiable information (PII) from Australian employees working in government agencies, banks, and a utility company. The leaked PIIs include full names, passwords, IDs, phone numbers, email addresses, and some credit card numbers. Salary and expense details were also exposed.