Slashdot Mirror
Bots Scanning GitHub To Steal Amazon EC2 Keys
New submitter juniq writes: As one developer found out, posting your Amazon keys to GitHub on accident can be a costly mistake if they are not revoked immediately.
"When I woke up the next morning, I had four emails from Amazon AWS and a missed phone call from Amazon AWS. Something about 140 servers running on my AWS account. What? How? I only had S3 keys on my GitHub and they where gone within 5 minutes! Turns out through the S3 API you can actually spin up EC2 instances, and my key had been spotted by a bot that continually searches GitHub for API keys. Amazon AWS customer support informed me this happens a lot recently; hackers have created an algorithm that searches GitHub 24 hours per day for API keys. Once it finds one it spins up max instances of EC2 servers to farm itself bitcoins."
"When I woke up the next morning, I had four emails from Amazon AWS and a missed phone call from Amazon AWS. Something about 140 servers running on my AWS account. What? How? I only had S3 keys on my GitHub and they where gone within 5 minutes! Turns out through the S3 API you can actually spin up EC2 instances, and my key had been spotted by a bot that continually searches GitHub for API keys. Amazon AWS customer support informed me this happens a lot recently; hackers have created an algorithm that searches GitHub 24 hours per day for API keys. Once it finds one it spins up max instances of EC2 servers to farm itself bitcoins."
Oh right: http://developers.slashdot.org...
How? They got $2000 worth of cpu time from amazon. If they'd waited the guy would have surely thought to change the damn API key the next morning (surely no one is dumb enough, to think just removing the stuff after the fact will help - I guess they also don't bother getting new credit cards when their wallet gets lost and returned by a nice stranger that very same day).
Guy stores his password online, is surprised when he gets got.
I assume the idea is that you make more money stealing $1 many times from more people over a year than you do trying to steal all of it from all of it at once.
AWS strongly discourages the uses of root API keys, as they give bad guys who find them the "keys to the kingdom". Why should the credentials for one's S3 account also work for creating EC2 instances?
Amazon provides extensive control over access credentials through IAM, so one can create (for example) an S3-specific user with limited privileges and generate API keys for that user. If they get compromised, the bad guy has limited access: they might be able to add new files to S3, which is bad, but it's less bad than them spinning up hundreds of servers for nefarious purposes, deleting all your files, etc.
Judicious user of IAM can also reduce user errors: I use Amazon Glacier for backing up certain critical files (e.g. wedding photos, baby photos, copies of wills, passports, etc.). I created an "upload, view, and restore/download" user for Glacier that explicitly does not have the "delete" permission enabled. I have a second IAM user with "view and delete" permissions. API keys for both users are stored in FastGlacier, with the "delete" user credentials stored encrypted so I need to enter a password to switch to that user. The user without delete permissions is the default user and the credentials are not stored with a password. This way I can do the standard backup/restore functions needed while working with backups but significantly reduce the possibility of my accidentally deleting backed-up files if I fat-finger the wrong key.
HACKERS, I TELL YOU
But the user is still mostly to blame. Okay, so you might not find it intuitive that S3 keys can lead to new EC2 instances - I wouldn't have guessed that either, even though I've used both repeatedly. Maybe that shouldn't even be a possibility. But what howling insanity persuaded you to put those keys on github in the first fucking place? And if it was a mistake, why didn't you change them after? This isn't amateur hour, guys - there's real money at stake here.
...nor are algorithms usually created. Algorithms are discovered, devised, or designed. Software is created. Bots are created. Algorithms exist independent of their discovery.
Anyway, I'm getting sick of hearing the word "algorithms" used as it seems to be in the movies a lot lately.
They're going for The Big Dirty. One big score and they're out.
I guess i am too old to understand how loose people treat the internet these days. 'I posted my credentials openly on the internet and am now shocked that I have been taken advatage of'... no way! You shared the keys to your kingdom and someone abused it?? Shocking.
As a complete side note: I hate when people like the author don't know the difference between 'where' and 'were'....fuck, no wonder he was easy fodder
Dumbass.
Their algorithm will crash on March 8, a 23-hour day.
I remember a couple years ago someone accidentally pushed his .bash_history and it turned out to have a big log of him watching child porn movies. Pretty sure it was a Slashdot story but I really don't want to go searching for that.
With his money refunded he probably didn't file a police report. Which means Amazon doesn't have to deal with nosy investigators.
“Common sense is not so common.” — Voltaire
I assume the idea is that you make more money stealing $1 many times from more people over a year than you do trying to steal all of it from all of it at once.
Wal-Mart!
Why the f*ck would you post your S3 keys on github anyway? I sincerely hope you are not looking for sympathy because you won't find any here (nor do you deserve any).
God-damn "social media" generation that feels they need to share everything. Good riddance.
PR. Amazon doesn't want to be perceived as "too dangerous to use".
Run a WAF, log suspicious packets at the IP level, then you will discover a big underworld...
Everything I write is lies, read between the lines.
.bash_history eavesdropping is indeed kidiporn...
Everything I write is lies, read between the lines.
When you sign up for a developer account, you should be asked how much you plan to spend per month. $2375/day would not be a common option for an individual. Given proliferation of free 15GB storage accounts, a very low end developer account with no credit card is not a crazy option. People will learn the API and use it in future, but neither them nor hackers will have enough quota to run a production site. This is just like limited data cell plans where a single buggy app can run up crazy charges. Good that they refunded money, but fundamental structural problem must be fixed.
Really, leaving your money on a park-bench somewhere exposes it to be stolen...
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
ASCII porn in bash is evil man! At least he was not using rc.
You almost spelled Rivest right:
https://en.wikipedia.org/wiki/...
Keep on the good work!
Everything I write is lies, read between the lines.
People mess up. An API key will occasionally get into a file that's in a source tree. It is an API - an Application Programming Interface, so programs will have that key. Program source gets posted to github. Shit happens.
My bank knows shit happens and I could get my card stolen, so when I make a large purchase which appears unusual my cell phone rings - the bank's security company calling to verify the purchase. That's the bank doing a good job.
People should watch where they're walking. That doesn't mean you leave an open manhole in the middle of the sidewalk unmarked - someone is likely to mess up and fall in.
Doesn't matter if their nuclear road flare gets their instances shutdown before a single shitcoin is mined. Given the speed of CPU hashing, even 1000 instances would take days to amount to anything. (the fastest dedicated miner does 6TH/s, and it would take a week to generate 0.5BTC -- worth about $150)
It works in real life all the time, actually - companies do this quite routinely. Jack up your bill by $2 and they can rack up millions over the year, and it doesn't matter if it's a contract or not because how much are you going to spend trying to recovery $24/year? If it's a cellphone contract, the max they're going charge you is $48 more over the contract's 2 year lifespan. You going to sue them over that? Now repeat that for a million subscribers and that's an extra $2M a month in free profits.
Maybe you can jack it up by $5 ($60/year) because it's still too low to bother.
It's why they made class-action lawsuits, because someone stealing $48M/year would get sued/arrested/etc if it was against one person, but against 1M people? Worthless.
As for this, well, given it's still "free money", even at Bitcoin's deflated value of around $350 or so, it's still free money. Who cares about efficiency or anything when you can steal CPU cycles like that - just scan github checkins for the key, then use the APIs to automatically create sessions and all that and rack up the bitcoins. Even the github scanner doesn't have to be owned by the user - they probably stole some guy's EC2 credential and are using one of his instances for it unbeknownst to the user. Free money!
but the bot operator isn't paying for it, why do they care how efficient it is? if it takes a week worth of cpu time to generate $150 that is still $150 of pure profit for them. at the same time they can probably also sell cycles on the instances they hijacked to spammers or some other group
Surely it is not that unreasonable to (1) realize that those keys will be scraped within 5 minutes after uploading to an obscure project, and (2) not realize that an S3 key in a free trial subscription wouldn't allow racking up $2375 in EC charges within 10 hours?
Avantslash: low-bandwidth mobile slashdot.
Not even that.
raise the price by 1% and it goes right to your bottom line. Most people won't even notice that the $99 item costs $99.99. It is how gas companies do it.
i thought once I was found, but it was only a dream.
Well, you do realize that AWS DOES offer instances for GPU calculations. Still much slower than dedicated hardware, but basically it's free (as in stolen).
He did exactly that and .gitignore was accidentally lost.
Service providers are responsible for 90% of work by designing solutions secure by default and in depth. It should take multiple explicit steps and dismissed warnings for an inexperienced developer to incur a catastrophic financial liability.
That was too funny not to search for; it obviously got taken down from github, but someone posted the (very NSFW) .zsh_history on a paste site when the story broke in 2012. If you search for lines starting with "mplayer", you can see how they're clustered into several obvious jerkoff sessions... ROTFL! The file names were so sick they made my eyes pop open.. I had to push them back into their sockets!
This wins the prize for the worst commit I've ever seen. There's a lesson for pedophiles here: echo ".zsh_history" >> .gitignore
I've lived all over the U.S.A. for decades, near plenty of stupid people, and I have never heard anyone use the phrase "on accident" in my life. That's the type of error you see in technical manuals from Asian countries. People do say "on purpose", which can easily confuse people who learn English as a second language into saying "on accident" instead of "by accident".
To spot Americans with two-digit IQs on the Internet, look for two unforgivable homonym goofs: confusion between "they're", "their", and "there", and also between "you're" and "your". Those are big warnings that you're reading something stupid written by a native-English speaker. Foreigners don't seem especially prone to goof over these words, but half-illiterate native English speakers just type the way they hear themselves talk, and if it passes the spell check they'll remain oblivious.
This type of problem has been reported many times before, with much more knowledgable writeups.
The original poster is so naive that they didn't even bother to read enough Amazon documentation to realize there is no such thing as an "S3 key" - API access by AWS keys is limited only by the IAM profile of the key (and my guess is that the OPs keys were unrestricted). They also apparently didn't realize how version control systems work, otherwise they would have known that deleting the key from a revision doesn't actually remove it from the history of the repository.
This article isn't doing anyone any favors - if you want to actually help the community then maybe source an original article reminding people that they should read the docs and understand the services they're using, with pointers to the relevant warnings for commonly used services (both github and amazon have prominent notices with service-relevant notes about how to protect your sensitive data).
The mistake he made was not understanding the tools he was using. Apparently neither do you.
(1) The key could have been scraped at any time once it was pushed, because you can't actually "delete[d] all traces from GitHub" (some ways are more thorough than others, but nothing is foolproof with Google wandering the earth). He needed to revoke his keys immediately.
(2) There is no such thing as an "S3 key". There are only AWS API keys, which potentially have access to every service that you have enabled (plus the default ones). You need to use IAM profiles to restrict what services they can access, and what rights they have.
Signing up for a service and then using it without reading the documentation is foolish.
Let us see... are you:
You get the idea.
What makes you so sure the guy is from Israel?
In addition to the various other oversights already mentioned, OP doesn't seem to understand Git (or perhaps SCMs in general) given that those (now revoked) keys are still on GitHub -- there was no need for a bot to be all that quick.
Although I wouldn't blame OP for any single one of these oversights -- nobody's perfect -- it's fair to say that it took a number of different oversights / misunderstandings on OP's part for this to become a real problem.
WFT would anyone want to post keys to anything anywhere public?