HN Gopher Feed (2017-12-02) - page 1 of 10
___________________________________________________________________
Florida-based credit firm left 111GB of sensitive data exposed on an
AWS server
183 points by giacaglia
https://www.upguard.com/breaches/credit-crunch-national-credit-f...
___________________________________________________________________
save_ferris - 3 hours ago
I get that it's the customer's responsibility to correctly
configure their services, but what does it say about the UX of AWS
services that they're so easy to misconfigure with disastrous
consequences? And despite this happening across a variety of
industries, Amazon doesn't seem super concerned about it either,
but I could be wrong here. There's just no excuse for this to keep
happening, but the processes meant to prevent this are clearly
failing.
Ninn - 3 hours ago
Does the same argument carry over to public FTP servers? I doubt
it.
siruncledrew - 3 hours ago
The new console for AWS literally has a documentation link
containing example bucket policies at the top of the page for S3
buckets. Either someone was given a job they clearly had no
experience in or was alarmingly inadequate at performing their
job duties. It really shows the level of incompetence so many of
these companies operate at with no regard for PII.
thesmallestcat - 3 hours ago
Insecure defaults are a footgun.
joshmn - 2 hours ago
Absolutely. Windows tells you that using a password is
probably a good idea for a user account. Many websites these
days force you to use a combination of
letters/numbers/special characters. Why doesn't Amazon say
"hey, this is publicly available, you wanna fix it?"
inopinatus - 2 hours ago
> Why doesn't Amazon say "hey, this is publicly available,
> you wanna fix it?"
They do. It's clearly warned about in the
interface both at the time you make it so and with a big
"PUBLIC" sticker label afterwards. What's more, I've
received warning emails from AWS notifying of
(intentionally) public buckets. Public buckets for private
data are a deliberate and wilful choice by lazy, reckless
administrators.
[deleted]
ghaff - 2 hours ago
I noticed this when I went into my console the other day.
(Ironically, to set up a public bucket for something.) I
don't think the UI was bad before but, now, you'd have to
be pretty clueless to have a bucket public by accident.
ghaff - 2 hours ago
You've always had to make it public deliberately. The new
console UI makes setting a bucket to public a very
deliberate effort.
moduspol - 2 hours ago
They're secure by default on S3. You have to go out of your
way to make it public, or grant anyone else access.
thesmallestcat - 21 minutes ago
It's not that so much but that novice users see two ACLs:
"Public" and "API Key I use to deploy." So it's very easy
to "fix" an access issue by making a bucket public, with
the alternative being to give your application the keys to
the kingdom. This combined with S3's most frequent use as a
file server means that buckets get opened up. You have to
jump through hoops and dig into Amazon's access model for
anything more nuanced, and only people experienced with AWS
will understand or know how to do that. Making a bucket
public should come with red flags, and there should be a
simpler way for client-side code to securely access a
bucket. If I save a user's uploaded files to the
filesystem, I usually have to go out of my way to expose
that. Even novices are less likely to put them inside the
web root, so exposing such files involves jumping through
hoops. Opening a bucket to the world is too easy in
AWS. Calling this situation "insecure defaults" was
imprecise of me, my point was more that Amazon gives you a
Big Red Button to "fix" things which has consequences like
this.
save_ferris - 2 hours ago
Agreed. So it sounds like Amazon is making efforts to reduce
configuration failures, but users don't necessarily take the
time to properly learn the tools and configure them correctly
because the risk of error doesn't seem to motivate them
appropriately. What can be done to change that? Naming and
shaming like this? I'm also not a devops person, so I'm
definitely not debating in my wheelhouse here. It's just crazy
to keep reading about a seemingly preventable problem that has
the potential to do major damage in regards to data exposure.
plandis - 2 hours ago
S3 buckets are not public by default. You have to go out of
your way to enable it.
TheAdamAndChe - 3 hours ago
What makes you think it's the UX of AWS services that is leading
to these issues?
emeraldd - 3 hours ago
I suspect this kind of storage was not the original purpose of
S3. For instance, it's common to use S3 buckets to serve up
webpage assets rather than using a dedicated CDN or your own
servers.
RhodesianHunter - 1 hours ago
It's becoming the underlying datastore for everything from
static websites to databases (see Athena)
zitterbewegung - 3 hours ago
Maybe if you house sensitive information you should have a person
or multiple people enforce security across your organization?
Scapegoating one technology or person is not the correct attitude
because it could have been anything else. Also, Amazon is
improving their UX for these things already.
1stranger - 2 hours ago
Both can be true.
FLUX-YOU - 2 hours ago
> Maybe if you house sensitive information you should have a
> person or multiple people enforce security across your
> organization?
They probably didn't care, and should suffer
consequences as a result. This looks like a really small company
who contracted this stuff out to a WordPress shop. There's
almost no tech employees or positions on job boards for them.
twunde - 3 hours ago
Apple has actually updated their UX recently to let you know if
your s3 buckets are public or not. EDIT: The recent update made
it explicitly clear that your bucket is public. Previously, you
might not notice, especially if you were taking over from a
previous sysadmin (or more likely a developer)
at-fates-hands - 2 hours ago
I honestly don't know what the solution is. Making a good user
experience (read: convenience) and keeping your stuff secure is
always a balancing act. I can't tell you how many times I've told
a manager or director not to do something because it would make
our client data insecure, only to have them basically reply with,
"I'm your boss, do what I say." This guy may have known exactly
what he was doing, but relented to other higher ups who told him
to do something. The shitty part is now this is public, all the
execs can point to the developer and say it was his fault and
fire him without incurring any repercussions themselves.
[deleted]
hashkb - 2 hours ago
Aren't S3 defaults entirely private? It's pretty obvious what
you're doing when you make a bucket public.
madeofpalk - 1 hours ago
Actually, AWS S3 console will now SCREAM at you if you leave
anything public. Now, if you don't know your S3 bucket is public
that's entirely on you.
LoonyBalloony - 1 hours ago
What will happen to this corporation? Any punishment at all? It
didn't say in the article.
jimjimjim - 1 hours ago
AWS server considered harmful.
pleasecalllater - 10 minutes ago
Oh, another company... cool. Who will get to jail? Oh, nobody. Who
will get bonuses? Oh, the management. Who will be fired? Oh, some
programmers or admins.
ngold - 45 minutes ago
Back in the paper days. I moved into a new office only to discover
a dozen or so boxes crammed full of people's personal files.
Mortgage applications and taxes. It took a couple of weeks to track
down the parent company but all sorts of damage could have been
done had I been anyone else.
vannevar - 2 hours ago
The problem isn't that our data has become public; it's that
businesses accept data as identity. They mostly just mindlessly
automated manual paperwork processes that were slow, but also less
efficient to defraud. By only looking at costs, and not at risks,
business has built our ecommerce infrastructure on sand. The notion
of identity as it relates to business transactions needs to be
reworked from the ground up.
fjsolwmv - 1 hours ago
Data is identity. What else could be? The problem is which data
is identity.
neuland - 14 minutes ago
That's not really true though philosophically speaking. Even if
I forget everything about myself, my identity (as far as my
creditors are concerned) is the same. I think that there should
be some kind of hardware key or smart card system issued by the
government, where if you lose it or get it stolen, you can go
to the post office or DMV or something to get the old key
revoked and a new one reissued. The post office or DMV would
verify your identity by biometrics or N other forms of ID.
agumonkey - 2 hours ago
It hit me a while back, what I saw as dog slow and absurd can be
seen as more opportunities to fix shit when (and it will) happen.
joe_the_user - 1 hours ago
It would be a rather different world if people's private data
couldn't be used against them in some fashion or other. So the
problem is both that money isn't locked by a more secure scheme
than lots of data AND it is a problem that businesses are
allowed/able to accumulate massive data on people wind-up being
negligent with it.
bogomipz - 2 hours ago
Well said. I'm curious what are your thoughts on how that could
or should be reworked.
ibgib - 38 minutes ago
"Reworking" identity from the ground up as OP suggests is
actually one of the goals that I've been working on with ibGib.
No one really cares, but I'm going to describe some of the more
interesting (to me) aspects of it, to bounce it off of you and
others here. First, ibGib's structure is like a block chain.
I've been developing it for a long time, and I had no idea what
a block chain was, and the like. But an ibGib's structure is
like this:
* ib - unstructured text, like a name.
  * often provides data or metadata for convenience per use case,
    i.e. data is just in the address, without loading entire
    record.
* gib - hash of ib, data, & rel8ns, providing internal integrity.
  * ib + gib (ib^gib) is a "content address", but I think of it as
    like a memory pointer in an infinite memory space.
  * Currently sha256 but that is metadata and can be specified in
    the data section.
* data - internal data, like a "value" or "content" of the record.
* rel8ns - named "merkle" links to other ib^gib.
  * special rel8ns include...
    * "past" - provides a linked list of mutations
    * "ancestor" - provides linked list of forks
    * "dna" - provides event-sourcing-like complete history of how
      to build the record.
You can see examples of this, e.g., in the info view at
https://www.ibgib.com/as-file/ibGib%20Tutorials%5E1E371C4463... .
Use the button in the
bottom left to change your view, depending on your use case. So,
it's effectively like a tree-version of a block chain, or a
distributed (and scalable) block chain. Or if you're familiar
with IPFS (which is where I learned the term "merkle"), it's
like a merkle forest. (I've been working on ibGib for 15+ years
though - had never heard of IPFS either, but I digress).
Basically, you can think of the entire thing as self-similar
git repos, but for anything - not just code (currently working
on VCS use case for it, which is why I've taken the code off of
GitHub. You can see my current "issue" for it at
https://www.ibgib.com/as-chat/version%20control%20in%20ibGib...).
So this works with
identity in a different way, in that each record is internally
associated with multiple identity ibGibs. For the above
example, check out the "identity" key in the "rel8ns" section.
So, each individual datum is associated with _multiple_
identities for multiple things: users, nodes, sessions, etc.
The piece I'm working on right now (in the active process of
whiteboarding/coding at this very second) is the public key
infrastructure "replacement". Because the data has this entire
integrity chain, you can do different things for verifying
provenance. The way that you "prove" who you are is similar to
the current SPHINCS algorithm (https://sphincs.cr.yp.to/ or ),
which is an ever-expanding many-times hash-based signature
scheme. In my algorithm though, you can create "keystones"
which act similarly to public/private key pairs. Each stone has
a list of hash challenges and the specs of the challenge
difficulty. For example, if I have a stone of 100 challenges,
the stone may say that a valid challenge requires a minimum of
5 challenges to be answered. The challenges are based on 1-way
hashes (recursively called with a depth that is included in the
params of the stone). So, when you first communicate between
nodes, you provide a public global stone, that is replicated,
e.g. to a "public key server" analog or wherever. In the
initial contact between any two nodes this global stone is
challenged, and if successful any future communications between
the two nodes works on a private stone (created also in the
handshake). Then, each transaction - in the form of ibGib data
structures - is proven in the future using that private
keystone. The ibGib internal integrity allows for integrity of
the data exchange, as it's basically hashing the entire
communication for verification. And so, identity is established
among nodes, and all data is verifiable. It's very tricky to
really try to "nail down" the provenance once you get multiple
nodes involved, but even if there is a known mistake, that is
where another aspect of the data comes into play: non-monotonic
(append-only) data. Again, this is like a version control
repository for your data. This leaves a full audit trail, yada
yada yada, it's really neat. I've typed enough for people to
ignore anyway. If anyone is interested, ask about how this
affects identity with users AND IoT devices AND AI! Ah well. At
the very least, the website is instructional for navigating
around merkle forests.
jstanley - 2 hours ago
We should use public key cryptography to prove our identity.
noncoml - 2 hours ago
How? It's a chicken and egg problem. How do you map a public
key to a person? You will have to have an Equifax like service
that will do the mapping. But then how do you prove to them
that you are who you say you are in order to map you to your
public key? Back to, SSN, driving license and what not.
Edit: I don't think having a governmental service dealing with
thousands of people every day (lost keys etc..) is something
that is going to happen in the US.
jstanley - 2 hours ago
Map a public key to a person (in cases where that is even
desirable! Which is not most of them) using the web of
trust.
IncRnd - 1 hours ago
Web of Trust systems only work in cooperative
environments. In the presence of malicious parties they
fail spectacularly.
zeta0134 - 2 hours ago
Because unlike an SSN, you never hand out your private key.
Ever. Instead, you encrypt things with your private key,
and whomever you are validating your key to looks up the
public key, decrypts your message, and has their proof. The
public keys can be stolen all day long and they're the only
part of the equation that needs to be stored anywhere long
term. The private keys are just that; truly private, and
ideally extremely difficult to steal. Yes, there will need
to be a public service to manage the public keys, and yes
this will be able to be compromised in some dangerous ways,
but not quite so dangerous as "Whoops, everyone's SSNs are
lost, now any attacker can impersonate them because that's
all they needed."
lostlogin - 2 hours ago
This would be ideal, but imagine trying to implement it.
4 digit banking PIN numbers are already regularly
forgotten, even when chosen by the user.
Spivak - 1 hours ago
If you think they're going to be difficult to steal
you're crazy. They will sit unsecured on personal
computers in some folder on the Desktop waiting for any
malware to scoop them up. They will overnight become the
highest value target for hackers. This is even before we
talk about how to handle the huge number of people who
will lose or delete them. Tech can't solve this problem.
Any system that requires a secret won't be.
mtgx - 1 hours ago
You give everyone smart cards/tokens with bruteforce-
limited PINs on them. That's where the private key will
reside. The "only" other problem that will remain is that
you will need a secure supply-chain, otherwise this will
happen:
http://www.zdnet.com/article/id-card-security-spain-is-facin...
https://www.reuters.com/article/us-gemalto-cybercrime/hack-g...
If you do something like this
you actually need to be serious about it and establish a
rigorous vetting/auditing process -- not just hand the
contract to whoever donated the most to your election
campaign. Maybe set-up a 3-year long NIST competition or
something, like they do when choosing new crypto
standards, and establish the winner this way. The other
side of the equation, allowing services to interface with
these cards securely, is already being solved by the FIDO
2.0 spec.
madeofpalk - 1 hours ago
...how do you get the private key off the card and into
my future banks website when I apply for a credit card?
filoleg - 52 minutes ago
The same way you can currently do it with smartcards.
When you insert your smartcard into the reader, it is
being treated as a certificate. Most major browsers
support this, I can vouch for Chrome and Firefox
personally, as I use a smartcard for auth in them on a
fairly regular basis.
vel0city - 28 minutes ago
With smart cards (EMV, PIV, etc.), cryptographic
functions executed on secret materials are usually
handled on the card. The host sends the data to be
encrypted or signed to the card, requests the card to
process it, and then reads the encrypted results or
signature. Often, there are no ways to get the chip to
send the private key off of the device. Once the private
key is generated or loaded onto the device, it can only
be erased or written over. Standards like FIDO and others
allow for browsers and websites to utilize these
cryptographic functions of smart cards in ways to handle
website authentication. The technology exists for
smartcards to handle authentication, it is simply a
matter of us moving to this technology.
madeofpalk - 23 minutes ago
So I need a smart card reader?
astura - 1 hours ago
Um... They would be in the form of smart card+pin, not a
file on desktop.
danieldk - 1 hours ago
> They will sit unsecured on personal computers in some
> folder on the Desktop waiting for any malware to scoop
> them up. They will overnight become the highest value
> target for hackers.
Most modern phones have secure
elements that can generate and store a private key that
cannot be extracted through software. Also, it is easy to
set up things such that a physical confirmation is
required to sign something (this is e.g. what some U2F
keys or touch ID do). Of course, you still need a
procedure to map public keys to identities and people
need to secure their phones in order to prevent someone
stealing the phone to make signatures. But using the
secure element of a phone for various forms of
authentication is orders of magnitude safer than relying
on a credit card or social security number.
EvanAnderson - 2 hours ago
In the United States, at least, the U.S. Postal Service is
in a unique position to "pivot" to being an identity and
"trust" provider. They already provide a physical-to-
identity "mapping" service for the vast majority of
Americans.
chimeracoder - 2 hours ago
> In the United States, at least, the U.S. Postal
> Service is in a unique position to "pivot" to being an
> identity and "trust" provider.
The USPS is nowhere near
equipped to handle this. And there's no way I'd trust
them to be competent enough to handle the task with the
level of security that it would entail.
> They already
> provide a physical-to-identity "mapping" service for the
> vast majority of Americans.
They really don't. Even if we
ignore the fact that one's identity is completely
separate from the question of where they reside, the USPS
has no way to verify residence. They don't really even have a
way to verify mailing addresses, which is at least a more
well-defined problem than residence.
chickenfries - 1 hours ago
> And there's no way I'd trust them to be competent
> enough to handle the task with the level of security that
> it would entail.
Why? Obviously it would be a big
undertaking, but the post office already issues US
Passports. I'm not sure what you mean by "verifying
mailing addresses" because the USPS does provide a way to
verify the correctness and deliverability of an
address [1]. The point is that the USPS would be in a good
position to become the government body that implements a
national identity service.
[1] https://en.wikipedia.org/wiki/Address_Management_System
akira2501 - 1 hours ago
> but the post office already issues US Passports.
The State Department issues US Passports, the Post Office
merely accepts your applications on their behalf.
> I'm
> not sure what you mean by "verifying mailing addresses"
> because the USPS does provide a way to do verify the
> correctness and deliverability of an address [1].
It's
only vaguely tied to identity. I have my physical
address, but because I live in an RV park and move
often, I don't actually receive mail there. In about
half of the locations I've stayed, you _can't_ receive
mail there. I use a private mailbox along with a mail
forwarding service in order to receive postal mail.
> [1] https://en.wikipedia.org/wiki/Address_Management_System
Is
used to solve the problem of sorting and routing mail,
which is really what the Post Office spends most of their
effort on. Every postal address in the US can be
uniquely identified by an 11 digit code: your ZIP+4 and
the last two digits of your house number, but it
completely ignores multi-tenancy and has no provisions
for linking to identity.
astura - 1 hours ago
The post office does not issue passports, the US
Department of State does, it literally says right on the
passport that it's issued by the Dept of State.
Additionally, there's a whole host of government
buildings that accept your passport application that
aren't the post office. I submitted mine at the county
clerk's office.
Sir_Substance - 2 hours ago
> How do you map a public key to a person?
https://e-resident.gov.ee/
Simon_says - 2 hours ago
The government keeps a publicly available list of the
public keys of the people in their jurisdiction. Even the
government has no need to know the private keys of
citizens. In a sense, a person's identity is the public
key. You prove who you are to a third party by encrypting
a challenge text provided by the third party. The only
reason the government needs to be involved at all is to
prevent a single person from having multiple identities,
but with or without the government keeping track of the
public keys, bank fraud is made exponentially more
difficult, and has to be done on a one-by-one individual
basis, rather than the situation today where a single hack
exposes the credentials of millions.
IncRnd - 55 minutes ago
That's false. By centralizing public keys under the
purview of the federal government you have created a
single point of failure that is susceptible to theft,
spoofing, planting, and numerous other issues.
jstanley - 50 minutes ago
It's still a strict improvement on what we have at the
moment, which is more akin to storing unhashed passwords
with the government.
IncRnd - 33 minutes ago
It is not an improvement to centralize more and require
fewer pieces of information in order to make a claim for
identification.
heavenlyblue - 2 hours ago
How do you map a passport to something? At least a public
key can not be forged without my direct effort.
zxcmx - 1 hours ago
Actually e-passports have (in 2017) a pretty competent
public-key based issuing scheme behind them. You can read
them with NFC and cryptographically authenticate the
contents.
astura - 1 hours ago
The US military already does it. They have a PKI
infrastructure to authenticate service members, civilian
employees, and (some) contractors.
Swizec - 22 minutes ago
> How do you map a public key to a person?
In Slovenia where
I'm from you have to go to a government location, same
place that gives out IDs and passports and such, show your
government issued ID and sign some paperwork. You are then
given a digital certificate that you can use for online
banking and e-government stuff. Proper RSA stuff. You
install it on your computer and your browser uses it to
sign requests. Seems like a pretty good way to do it, if you
ask me. A slightly more efficient, if less secure, way is
how Apple does it for their Apple Developer program. You
have to prove to Apple in a way they like that you are who
you say you are, then you are issued a certificate with
which to sign your apps. That could work too.
nickthemagicman - 1 hours ago
What. That's like saying how do you map a bitcoin to a
person. Public Private key cryptography and the
blockchain. Works great for bitcoins, would work great for
identity.
nsomaru - 53 minutes ago
Lose your private key, lose your identity? Let's play
that game :)
anigbrowl - 41 minutes ago
So your interactions with the other people in your life
(which could be affected by breaches of privacy) are all
going to be governed by public key cryptography? Look I like
strong crypto but this is getting ridiculous.
IncRnd - 1 hours ago
Are you sure of that? There is an almost finished call for
algorithms right now from NIST, because RSA and elliptic
curve are known to be broken by quantum cryptography. While
you might not personally believe this to be true, it's not a
good design decision to enforce upon the entire world a
concept of identity that many security professionals will
tell you is broken at scale. This doesn't even address key
management issues such as rotation, theft, loss, planting, etc.
Faaak - 2 hours ago
For example with certificates on a national card, like Spain
or Estonia.
mcny - 2 hours ago
> For example with certificates on a national card, like
> Spain or Estonia.
There is so much wrong with a national
identity card. For example, who will pay for it? I don't
want to pay for it. I don't want my taxes to pay for it.
Even if you find some way to pay for it, I don't want it.
What's next? Will you require me to carry a identity card
on me at all times? "Random" cavity search for people
walking down the road?
gech - 1 hours ago
You don't get to choose what your taxes go to.
raverbashing - 1 hours ago
Thanks for proving most of the objections to a national
ID card are mostly fallacies instead of actual
arguments. "I don't want to pay" is not a valid reason. I
would not like to pay taxes but that's not how things
work
[deleted]
heavenlyblue - 2 hours ago
But then you seem to be willing to pay for the fraudulent
debt in your name due to identity theft.
Cyph0n - 2 hours ago
> Even if you find some way to pay for it, I don't want
> it.
Sounds like you are not open to discussing this. Also,
what does a national ID card have to do with "cavity
searches"? Edit: I understand the American insistence on
reducing the reach of the federal government. What I
don't understand is how many of those same people are
fine with allowing Congress to screw us all over on
important issues like healthcare and taxation...
ChrisClark - 2 hours ago
If you're in the US, you already have a national ID. The
SSN. Because everyone uses it like that. This would
just be a much more secure way of having a unique number
for your person. And if keeping citizens secure is not the
job of the government and thus paid for with taxes, then
what is?
Faaak - 2 hours ago
You seem to be talking emotionally instead of rationally.
But I suppose you already have a passport or a drivers
licence (what if you don't drive ?). Then you just add a
chip to it. This chip generates its own keys and then you
can authenticate yourself with it.
lyndonjohnsonbe - 50 minutes ago
Passport has an RFID chip in it. State DL typically do
not though.
pbhjpbhj - 2 hours ago
What relationship does providing citizens a way to
identify themselves, sign documents, to having cavity
searches ... can you show how providing a nationwide
digital certificate scheme leads direct to random cavity
searches?? It's like if someone says "I fancy Chinese
takeaway" and you don't want any you say "enjoy your
cavity search" as if that's a natural
outcome. Explain. Moreover, how is identifying yourself to
the police bad? Sure if you live in a fascist
dictatorship, but in a Western democracy?
ssijak - 3 hours ago
That's cool, just following what's trendy
hdogan - 2 hours ago
This might be related with
https://news.ycombinator.com/item?id=15826906
ryanf323 - 2 hours ago
Those AWS "practitioners" who are too stupid or lazy to figure out
IAM policies. Thankfully, AWS has added bright yellow labels to
identify public buckets. However, labels won't be enough to
motivate some people to learn JSON.
gldev3 - 2 hours ago
Last year one of Mexico's political parties left the nominal list
with a lot of citizen's information available in an AWS server,
unforgivable; how come this keeps happening.
laurencei - 2 hours ago
Is there a way I can triple check my S3 bucket is secure? I know
I've not enabled public access that I know of - but given the
recent focus on this; what are the exact steps that I need to
follow so I can sleep at night and show a level of diligence on the
issue?
alpha_squared - 2 hours ago
There are several companies that handle this for you, though some
more effective than others. Evident.io is a big player in the
field, though general complaints are that they're too
noisy. However, this is actually what CloudCoreo does -
infrastructure security. More precisely, infrastructure security
at deployment and continuous security monitoring (Evident only
does the latter). Disclaimer: I work for CloudCoreo.
cvickery - 10 minutes ago
UpGuard has a solution available for this. You should get in
contact if you're looking for bucket monitoring and peace of
mind. Full disclosure - I work for UpGuard. I'm the same guy that
found the exposed data set in that article.
NathanKP - 2 hours ago
Enable Amazon Macie. It automatically classifies your data in S3
buckets, detects situations where data is more open than it
should be, and warns you if access patterns for data change in a
way that may indicate that you have been hacked or someone is
misusing their level of access to the data.
https://aws.amazon.com/macie/
Operyl - 2 hours ago
Neat! Didn't know about that service, hopefully businesses
accept that hefty price tag though. It's obvious they don't
want to invest too heavily in sec-orgs as it stands it seems.
NathanKP - 1 hours ago
Pretty soon with the GDPR kicking in it will be more
expensive to not protect the data than it is to protect
it. All companies processing the personal data of people
residing in the EU regardless of the company's location who
have a breach of data where the organization has been shown
to violate basic privacy design concepts can be fined 4% of
annual global turnover or €20 million, whichever is
greater. It goes into enforcement in May 2018:
https://www.eugdpr.org/
If Macie saves you just once from
that giant fine it probably just paid for itself for years!
napsterbr - 1 hours ago
Hey, I'm all in for that, but how do we handle data
breaches on small business where 20mil corresponds to, say,
100 years of profit? I haven't read the law but the faq does
not mention the 20mil figure
Alex3917 - 2 hours ago
> Is there a way I can triple check my S3 bucket is secure?
Amazon
Trusted Advisor will automatically send you a weekly email if any
of your buckets are misconfigured to allow public access. The
catch is that this feature is only available if you pay for a
premium support contract, which is hundreds or thousands of
dollars per month. If you have Trusted Advisor enabled but aren't
paying for premium support, then you will still get the weekly
email saying that there is a security vulnerability somewhere in
your system, but when you click to see what it is you will just
get prompted to hand over your credit card to signup for an
annual support contract.
amorphid - 2 hours ago
How about monitoring via polling? I'm imagining something like
this...
- Set up application with your AWS/S3 credentials
- Poll S3 to get list of all your buckets on a regular interval
  (once a day, every 5 minutes, whatever)
- Get a list of some files in those buckets
- Try to access those files directly w/ no authentication or
  authorization
- Set up some rules about how to interpret the results (look for
  any public files, look for specific private buckets, look any
  buckets that are public & haven't been whitelisted, whatever)
There's probably a ton of ways
to do this. For simple use cases, it shouldn't be too tough.
That'd be a fun hack for a day project, and I'd be happy to pair
with you on it if interested. It's probably spending a little
time looking around for an off the shelf solution first.
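[Added example, not part of the thread or written by any commenter: a Python sketch of the polling audit outlined in the comment above, extended to also inspect each bucket's ACL and bucket policy before probing sample objects anonymously. The bucket names, the dict layout and the `offline_probe` stub are constructed for illustration; in a real run the dicts would be filled from your own account (for instance with boto3's `list_buckets`, `get_bucket_acl`, `get_bucket_policy` and `list_objects_v2`) and the default `anonymous_probe` would be used.]

```python
import json
import urllib.error
import urllib.parse
import urllib.request

# Grantee URIs S3 ACLs use for "everyone" and "any AWS account holder".
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS, AUTH_USERS}


def public_acl_grants(acl):
    """Permissions an ACL (get_bucket_acl response shape) gives to public groups."""
    return sorted(
        grant["Permission"]
        for grant in acl.get("Grants", [])
        if grant.get("Grantee", {}).get("URI") in PUBLIC_GROUPS
    )


def _is_wildcard(principal):
    """True for Principal "*", {"AWS": "*"} or {"AWS": [..., "*"]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_policy_statements(policy_json):
    """Labels of Allow statements in a bucket policy whose principal is a wildcard."""
    if not policy_json:
        return []
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a lone statement may be a bare object
        statements = [statements]
    hits = []
    for index, stmt in enumerate(statements):
        if stmt.get("Effect") == "Allow" and _is_wildcard(stmt.get("Principal")):
            label = stmt.get("Sid", f"statement[{index}]")
            # A Condition may narrow access (e.g. by source IP): flag for review.
            hits.append(label + ("(conditional)" if stmt.get("Condition") else ""))
    return hits


def anonymous_probe(bucket, key, timeout=5):
    """True if an unauthenticated HEAD request for the object returns HTTP 200."""
    url = f"https://{bucket}.s3.amazonaws.com/{urllib.parse.quote(key)}"
    request = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(request, timeout=timeout) as response:
            return response.status == 200
    except (urllib.error.URLError, OSError):  # 403/404, DNS failure, timeout
        return False


def audit(buckets, allowlist=(), probe=anonymous_probe):
    """Return [(bucket_name, [reasons])] for public buckets not on the allowlist."""
    findings = []
    for bucket in buckets:
        name, reasons = bucket["name"], []
        grants = public_acl_grants(bucket.get("acl", {}))
        if grants:
            reasons.append("acl:" + ",".join(grants))
        labels = public_policy_statements(bucket.get("policy"))
        if labels:
            reasons.append("policy:" + ",".join(labels))
        readable = [k for k in bucket.get("sample_keys", []) if probe(name, k)]
        if readable:
            reasons.append("anonymous-read:" + ",".join(readable))
        if reasons and name not in allowlist:
            findings.append((name, reasons))
    return findings


# Constructed sample input (not real buckets), shaped like the AWS responses.
_OWNER = {"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner-id"},
          "Permission": "FULL_CONTROL"}
_PUBLIC_READ = {"Grantee": {"Type": "Group", "URI": ALL_USERS},
                "Permission": "READ"}
_OPEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-loan-exports/*"}]})
SAMPLE_BUCKETS = [
    {"name": "example-static-site", "acl": {"Grants": [_OWNER, _PUBLIC_READ]},
     "policy": None, "sample_keys": ["index.html"]},
    {"name": "example-loan-exports", "acl": {"Grants": [_OWNER]},
     "policy": _OPEN_POLICY, "sample_keys": ["2017/export.csv"]},
    {"name": "example-private", "acl": {"Grants": [_OWNER]},
     "policy": None, "sample_keys": ["notes.txt"]},
]


def offline_probe(bucket, key):
    """Stand-in for anonymous_probe so the sample runs without network access."""
    return bucket in {"example-static-site", "example-loan-exports"}


if __name__ == "__main__":
    allow = {"example-static-site"}  # buckets that are public on purpose
    for name, reasons in audit(SAMPLE_BUCKETS, allow, offline_probe):
        print(name, reasons)
```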
vintageseltzer - 2 hours ago
Are there any examples of class-action lawsuits or legal
consequences against companies that expose sensitive data like this
in the U.S.?
astura - moments ago
Here's a discussion on the topic:
https://www.bankinfosecurity.com/data-breach-lawsuits-fail-a...
tomlong - 1 hours ago
It's frustrating that whatever I do to protect my own
identity/data, no amount of 2FA or password generators or my own
good practice mitigates the loss/theft of data/identity in this
way. I'm as good at it as anyone I know (and unsurprisingly I work
in tech) and it's still a complete crapshoot.
Veratyr - 1 hours ago
Not everything you do is futile. Refraining from distributing
your data is very effective.