Slashdot Mirror


Bots Scanning GitHub To Steal Amazon EC2 Keys

New submitter juniq writes: As one developer found out, posting your Amazon keys to GitHub by accident can be a costly mistake if they are not revoked immediately.

"When I woke up the next morning, I had four emails from Amazon AWS and a missed phone call from Amazon AWS. Something about 140 servers running on my AWS account. What? How? I only had S3 keys on my GitHub and they were gone within 5 minutes! Turns out through the S3 API you can actually spin up EC2 instances, and my key had been spotted by a bot that continually searches GitHub for API keys. Amazon AWS customer support informed me this happens a lot recently; hackers have created an algorithm that searches GitHub 24 hours per day for API keys. Once it finds one it spins up max instances of EC2 servers to farm itself bitcoins."
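The bot in the story is doing nothing cleverer than pattern matching over public commits; the same matching run locally over a staged diff catches the key before it is ever pushed. The following is an added example written for this mirror, not code from the developer quoted above, from AWS or from Slashdot. It flags the long-term access key ID shape (AKIA plus 16 uppercase alphanumerics; temporary STS keys begin with ASIA) and 40-character secrets that sit near an "aws" or "secret" hint, dropping low-entropy filler. The sample diff is constructed, and its key pair is the placeholder pair AWS prints in its own documentation, not a live credential.

```python
"""Scan text (a staged diff, a config file) for AWS credentials before it
reaches GitHub.  Editor's added example; not the story's code or AWS's."""
import math
import re
import sys

# Long-term access key IDs start with AKIA; STS temporary ones with ASIA.
ACCESS_KEY_RE = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")

# A bare 40-char base64-ish run matches far too much (hashes, tokens), so the
# secret pattern also requires an 'aws' or 'secret' hint within 40 chars before it.
SECRET_KEY_RE = re.compile(
    r"(?i)(?:aws|secret)[^\n]{0,40}?"
    r"(?<![A-Za-z0-9/+])([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])"
)


def shannon_entropy(s: str) -> float:
    """Bits per character.  Random 40-char secrets score well above 4;
    placeholder filler like 'xxxx...' scores near 0."""
    n = len(s)
    counts = {c: s.count(c) for c in set(s)}
    return -sum(k / n * math.log2(k / n) for k in counts.values())


def redact(value: str) -> str:
    """Never echo the whole credential back into a log or CI output."""
    return value[:4] + "..." + value[-4:]


def scan_text(text: str, entropy_floor: float = 3.5) -> list[dict]:
    """Return one finding per suspected credential, with line number and kind."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append({"line": line_no, "kind": "access_key_id",
                             "value": redact(m.group(0))})
        for m in SECRET_KEY_RE.finditer(line):
            candidate = m.group(1)
            if shannon_entropy(candidate) >= entropy_floor:
                findings.append({"line": line_no, "kind": "secret_access_key",
                                 "value": redact(candidate)})
    return findings


# Constructed sample of the kind of commit the story describes.  The key pair is
# the documentation placeholder AWS publishes, not a real credential.
SAMPLE_DIFF = """\
+# settings.py (constructed sample)
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+S3_BUCKET = "my-photos"
+# 40 filler chars next to the word secret: low entropy, must not fire
+AWS_SECRET_PLACEHOLDER = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
"""


def main() -> int:
    # Pre-commit hook usage:  git diff --cached | python scan_aws_keys.py
    # With no piped input it scans the constructed sample instead.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DIFF
    findings = scan_text(text)
    for f in findings:
        print(f"line {f['line']}: possible {f['kind']} {f['value']}")
    return 1 if findings else 0  # non-zero exit blocks the commit


if __name__ == "__main__":
    sys.exit(main())
```

Wire it in as a pre-commit hook and the commit fails before the key leaves the machine; the bot the story describes would never get its five-minute window. The entropy floor is there so that documentation placeholders and padding do not block every commit, which is what makes developers disable scanners.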

3 of 119 comments

  1. Re:Lesson: don't use root AWS API keys by Anonymous Coward · Score: 4, Informative

    This may be anon but mark it up... very insightful. Yes it is important to create role based accounts/permissions for AWS through IAM, but abso-fucking-lutely the IAM UI and the process for modifying permissions/authorization is positively fucking shit. Garbage. Crap. A cankerous sore on the taint of the internet. It's not very good. And the documentation for it is so poor to the point of being virtually non-existent. I did use it, and on an AWS project I worked on made sure we had specific accounts created with permissions limited depending on the roles required. But it is basically hacking at the configuration until you get it right because it is the only real way to figure it out. Not what you want when it involves security. It is too easy to fuck up and leave yourself vulnerable... never mind the people who take one look at it and say WTF? and don't set up security at all and just use the root access key/secret key. Saying that this is something that only experts should use so it's OK to be cryptic is not the answer... if only security experts should set up accounts Amazon would likely lose 75% of their business (i.e. a lot of it).

    --theshowmecanuck ... posting anon because not only did I want to mod parent up, but hopefully someone from amazon reads /. and will help get their shit together on this.

  2. Re:I guess i am old by LordLucless · Score: 3, Informative

    No, he was surprised that what he *thought* were keys to S3 unlocked the whole kingdom. In reality, the keys he was using were root credentials, and were always intended to unlock the whole kingdom.

    --
    Just because you're paranoid doesn't mean there isn't an invisible demon about to eat your face
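Comments 1 and 2 turn on the difference between the root access key, which IAM policies never even get to look at, and an IAM key scoped to one bucket. The following is an added example (the editor's, not the commenters' words and not AWS's code): a deliberately small model of the IAM identity-policy decision rule, explicit Deny wins, otherwise any matching Allow, otherwise implicit deny, with "*" and "?" wildcards and case-insensitive action names. It ignores conditions, NotAction, resource policies and SCPs. The bucket name, account ID and region are made up, and the "root-like" policy only stands in for what a root key effectively has.

```python
"""Model of IAM's identity-policy decision, used to compare the blast radius of
a root-like key with a key scoped to one S3 bucket.  Editor's added example."""
import re


def _glob_to_re(pattern: str, ignore_case: bool) -> "re.Pattern[str]":
    # IAM wildcards: '*' matches any run, '?' one character; all else literal.
    parts = (".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern)
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE if ignore_case else 0)


def _matches(patterns, value: str, ignore_case: bool) -> bool:
    if isinstance(patterns, str):  # policy JSON allows a string or a list
        patterns = [patterns]
    return any(_glob_to_re(p, ignore_case).match(value) for p in patterns)


def evaluate(policy: dict, action: str, resource: str) -> str:
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request.
    Action names are case-insensitive in IAM; ARNs are matched as written."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not _matches(stmt.get("Action", []), action, ignore_case=True):
            continue
        if not _matches(stmt.get("Resource", []), resource, ignore_case=False):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny ends evaluation
        decision = "Allow"
    return decision


def blast_radius(policy: dict, probes: list) -> list:
    """Which of the probed (action, resource) pairs the policy lets through."""
    return [action for action, resource in probes
            if evaluate(policy, action, resource) == "Allow"]


# Stands in for a root access key: everything, everywhere.
ROOT_LIKE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# The key the developer in the story believed he had: one (made-up) bucket,
# read/write objects, deletes explicitly denied even though the wildcard Allow
# would otherwise cover them.
PHOTOS_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::my-photos"},
        {"Effect": "Allow", "Action": "s3:*Object",
         "Resource": "arn:aws:s3:::my-photos/*"},
        {"Effect": "Deny", "Action": "s3:DeleteObject",
         "Resource": "arn:aws:s3:::my-photos/*"},
    ],
}

# Constructed probes; account ID and region are placeholders.
PROBES = [
    ("s3:GetObject", "arn:aws:s3:::my-photos/2014/cat.jpg"),
    ("s3:DeleteObject", "arn:aws:s3:::my-photos/2014/cat.jpg"),
    ("s3:GetObject", "arn:aws:s3:::someone-elses-bucket/dump.sql"),
    ("ec2:RunInstances", "arn:aws:ec2:us-east-1:123456789012:instance/*"),
    ("iam:CreateAccessKey", "arn:aws:iam::123456789012:user/*"),
]

if __name__ == "__main__":
    for name, policy in (("root-like", ROOT_LIKE_POLICY), ("photos-only", PHOTOS_ONLY_POLICY)):
        print(f"{name}: allows {blast_radius(policy, PROBES)}")
```

Run it and the root-like key passes every probe, including ec2:RunInstances, which is the 140-server bill in the story, while the scoped key passes only the one s3:GetObject on its own bucket. That difference is the whole argument for never putting a root key in an application, and it is exactly what a leaked-key scan should be checking: not just "is there a key here" but "what can this key do".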

  3. Re:Summary without technobabble by mwvdlee · Score: 4, Informative

    More like don't upload your PRIVATE keys to a PUBLIC repository.

    --
    Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?