Slashdot Mirror

← Back to Stories (view on slashdot.org)

Bots Scanning GitHub To Steal Amazon EC2 Keys

Posted by Soulskill on from the with-many-bots-all-vulns-are-shallow dept.

New submitter juniq writes: As one developer found out, posting your Amazon keys to GitHub on accident can be a costly mistake if they are not revoked immediately.

"When I woke up the next morning, I had four emails from Amazon AWS and a missed phone call from Amazon AWS. Something about 140 servers running on my AWS account. What? How? I only had S3 keys on my GitHub and they where gone within 5 minutes! Turns out through the S3 API you can actually spin up EC2 instances, and my key had been spotted by a bot that continually searches GitHub for API keys. Amazon AWS customer support informed me this happens a lot recently; hackers have created an algorithm that searches GitHub 24 hours per day for API keys. Once it finds one it spins up max instances of EC2 servers to farm itself bitcoins."

33 of 119 comments (clear)

  1. Now where have I heard this before... by JJJJust · · Score: 5, Insightful

    Oh right: http://developers.slashdot.org...

    1. Re:Now where have I heard this before... by WWJohnBrowningDo · · Score: 5, Funny

      There ought to be bots scanning /. to weed out duplicates.

    2. Re:Now where have I heard this before... by DaHat · · Score: 2

      This was also covered at Defcon 22... and not just for AWS keys: http://youtu.be/nBR7Kru6JX0?t=...

      --
      Help Brendan pay off his student loans
  2. Re:The Stupidity of Human Greed by Anonymous Coward · · Score: 2, Insightful

    How? They got $2000 worth of cpu time from amazon. If they'd waited the guy would have surely thought to change the damn API key the next morning (surely no one is dumb enough, to think just removing the stuff after the fact will help - I guess they also don't bother getting new credit cards when their wallet gets lost and returned by a nice stranger that very same day).

  3. Lesson: don't use root AWS API keys by heypete · · Score: 5, Interesting

    AWS strongly discourages the uses of root API keys, as they give bad guys who find them the "keys to the kingdom". Why should the credentials for one's S3 account also work for creating EC2 instances?

    Amazon provides extensive control over access credentials through IAM, so one can create (for example) an S3-specific user with limited privileges and generate API keys for that user. If they get compromised, the bad guy has limited access: they might be able to add new files to S3, which is bad, but it's less bad than them spinning up hundreds of servers for nefarious purposes, deleting all your files, etc.

    Judicious user of IAM can also reduce user errors: I use Amazon Glacier for backing up certain critical files (e.g. wedding photos, baby photos, copies of wills, passports, etc.). I created an "upload, view, and restore/download" user for Glacier that explicitly does not have the "delete" permission enabled. I have a second IAM user with "view and delete" permissions. API keys for both users are stored in FastGlacier, with the "delete" user credentials stored encrypted so I need to enter a password to switch to that user. The user without delete permissions is the default user and the credentials are not stored with a password. This way I can do the standard backup/restore functions needed while working with backups but significantly reduce the possibility of my accidentally deleting backed-up files if I fat-finger the wrong key.

    1. Re:Lesson: don't use root AWS API keys by Anonymous Coward · · Score: 5, Insightful

      they could save themselves a lot of trouble by making a web UI for IAM that isn't shit, and actually documenting the system somewhere

    2. Re:Lesson: don't use root AWS API keys by Anonymous Coward · · Score: 3, Insightful

      Amazon provides extensive control over access credentials through IAM, so one can create (for example) an S3-specific user with limited privileges and generate API keys for that user. If they get compromised, the bad guy has limited access: they might be able to add new files to S3, which is bad, but it's less bad than them spinning up hundreds of servers for nefarious purposes, deleting all your files, etc.

      Agreed, but when you sign up as a new user, Amazon presents you with the root key right there. Someone signing up to test things out is likely to just copy and paste that key wherever it's needed to get off and running. I did that when I was playing with ceph, fortunately I was evaluating locally and didn't leak the key. I think a better option would be for Amazon to give you *no* API key by default, requiring you to make one with the necessary permissions and at least have a cursory look at the options.

    3. Re:Lesson: don't use root AWS API keys by Anonymous Coward · · Score: 4, Informative

      This may be anon but mark it up... very insightful. Yes it is important to create role based accounts/permissions for AWS through IAM, but abso-fucking-lutely the IAM UI and the process for modifying permissions/authorization is positively fucking shit. Garbage. Crap. A cankerous sore on the taint of the internet. It's not very good. And the documentation for it is so poor to the point of being virtually non-existent. I did use it, and on an AWS project I worked on made sure we had specific accounts created permissions limited depending on the roles required. But it is basically hacking at the configuration until you get it right because it is the only real way to figure it out. Not what you want when it involves security. It is too easy to fuck up and leave yourself vulnerable... never mind the people who take one look at it and say WTF? and not set up security at all and just use the root access key/secret key. Saying that this is something that only experts should use so it's OK to be cryptic is not the answer... if only security experts should set up accounts Amazon would likely lose 75% of their business (i.e. a lot of it).

      --theshowmecanuck ... posting anon because not only did I want to mod parent up, but hopefully someone from amazon reads /. and will help get their shit together on this.

    4. Re:Lesson: don't use root AWS API keys by jemmyw · · Score: 2

      And I recently found out about their IAM roles, which means that an EC2 instance can have it's own keys, that are automatically rotated, and available to any AWS-SDK you're running on the machine (or fetchable on a local IP). This is safer than passing keys, root or IAM user ones.

  4. HACKERS ARE SCANNING 24/7 by Anonymous Coward · · Score: 5, Funny

    HACKERS, I TELL YOU

  5. Sounds like multiple failures by rebelwarlock · · Score: 4, Insightful

    But the user is still mostly to blame. Okay, so you might not find it intuitive that S3 keys can lead to new EC2 instances - I wouldn't have guessed that either, even though I've used both repeatedly. Maybe that shouldn't even be a possibility. But what howling insanity persuaded you to put those keys on github in the first fucking place? And if it was a mistake, why didn't you change them after? This isn't amateur hour, guys - there's real money at stake here.

    1. Re:Sounds like multiple failures by Paradise+Pete · · Score: 5, Insightful

      This isn't amateur hour, guys - there's real money at stake here.

      People make mistakes every day of their lives. We always have, we always will. It's how we learn what not to do. It's just that almost all mistakes are harmless... except on the internet. There it's like living in a minefield. Make a bad step and boom. It's not a question of amateur hour, it's a question of being human.

    2. Re:Sounds like multiple failures by kramulous · · Score: 2

      No. It is a big fucking problem of Amazon that IAM S3 keys can be used outside S3. A BIG FUCKING problem! A major security incident.

      They, Amazon, need to sort their shit out. If I have IAM keys that are S3 read only on a certain bucket, then I EXPECT that it is read only on that bucket. If somebody has those keys, then all I want them to do is to read from that bucket. Not start EC2 instances, or change my Route53 records, or anything else.

      This is Amazon's fault. No two way about it.

      If somebody got the keys via github, then all they should have been able to do was what they were permitted to by those keys. PERIOD!

      --
      .
  6. Re:The Stupidity of Human Greed by jtownatpunk.net · · Score: 2

    They're going for The Big Dirty. One big score and they're out.

  7. I guess i am old by codepigeon · · Score: 5, Interesting

    I guess i am too old to understand how loose people treat the internet these days. 'I posted my credentials openly on the internet and am now shocked that I have been taken advatage of'... no way! You shared the keys to your kingdom and someone abused it?? Shocking.

    As a complete side note: I hate when people like the author don't know the difference between 'where' and 'were'....fuck, no wonder he was easy fodder

    1. Re: I guess i am old by glitch23 · · Score: 2

      I agree. It grinds my gears too. I just want to ask the person how the hell do you spell "where" if you spell "were" like "where" so I can see the look of confusion sweep over their face.

      --
      this nation, under God, shall have a new birth of freedom. -- Lincoln, Gettysburg Address
    2. Re:I guess i am old by caferace · · Score: 2

      'I posted my credentials openly on the internet and am now shocked that I have been taken advatage of'... no way!

      If you're going to ding someone on grammar I'd suggest you at least spell correctly while doing it.

    3. Re:I guess i am old by Kjella · · Score: 4, Insightful

      I guess i am too old to understand how loose people treat the internet these days. 'I posted my credentials openly on the internet and am now shocked that I have been taken advatage of'... no way! You shared the keys to your kingdom and someone abused it?? Shocking.

      He wasn't surprised they were abused. He's surprised what he thought was keys to S3 unlocks the entire kingdom. Like you lose a card for electronic bus tickets and you think the worst they can do is ride the bus for free. Except the card doubles as a "secure ID" and they order thousands of dollars worth of goods from cooperating merchants, which you didn't even know was possible. Sure posting them on Github was ignorant and entirely his fault, but if you try to assess the risk then it's probability * impact and I think he just got a big surprise when it came to impact. I think you're being too hard on him.

      --
      Live today, because you never know what tomorrow brings
    4. Re:I guess i am old by LordLucless · · Score: 3, Informative

      No, he was surprised that what he *thought* were keys to S3 unlocked the whole kingdom. In reality, the keys he was using were root credentials, and were always intended to unlock the whole kingdom.

      --
      Just because you're paranoid doesn't mean there isn't an invisible demon about to eat your face
  8. Re:Fucking idiot.... by OrangeTide · · Score: 2

    With his money refunded he probably didn't file a police report. Which means Amazon doesn't have to deal with nosy investigators.

    --
    “Common sense is not so common.” — Voltaire
  9. Re:The Stupidity of Human Greed by Anonymous Coward · · Score: 3, Insightful

    I assume the idea is that you make more money stealing $1 many times from more people over a year than you do trying to steal all of it from all of it at once.

    Wal-Mart!

  10. Re:Bots are not "algorithms" by Paradise+Pete · · Score: 2

    Anyway, I'm getting sick of hearing the word "algorithms" used as it seems to be in the movies a lot lately.

    I once came up with an algorithm that wasn't very good, so I just commanded the computer to "Enhance!", and it got much better.

  11. Horrible design on part of Amazon by iamacat · · Score: 4, Insightful

    When you sign up for a developer account, you should be asked how much you plan to spend per month. $2375/day would not be a common option for an individual. Given proliferation of free 15GB storage accounts, a very low end developer account with no credit card is not a crazy option. People will learn the API and use it in future, but neither them nor hackers will have enough quota to run a production site. This is just like limited data cell plans where a single buggy app can run up crazy charges. Good that they refunded money, but fundamental structural problem must be fixed.

    1. Re:Horrible design on part of Amazon by Charliemopps · · Score: 2

      It reminds me of the stories of teenagers getting themselves a website and then hosting some video that went viral overnight... they wake up to a $16k bill.

  12. Re:The Stupidity of Human Greed by Cramer · · Score: 2

    Doesn't matter if their nuclear road flare gets their instances shutdown before a single shitcoin is mined. Given the speed of CPU hashing, even 1000 instances would take days to amount to anything. (the fastest dedicated miner does 6TH/s, and it would take a week to generate 0.5BTC -- worth about $150)

  13. Re:Summary without technobabble by mwvdlee · · Score: 4, Informative

    More like don't upload your PRIVATE keys to a PUBLIC repository.

    --
    Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
  14. Re:The Stupidity of Human Greed by tlhIngan · · Score: 4, Insightful

    I assume the idea is that you make more money stealing $1 many times from more people over a year than you do trying to steal all of it from all of it at once.

    It works in real life all the time, actually - companies do this quite routinely. Jack up your bill by $2 and they can rack up millions over the year, and it doesn't matter if it's a contract or not because how much are you going to spend trying to recovery $24/year? If it's a cellphone contract, the max they're going charge you is $48 more over the contract's 2 year lifespan. You going to sue them over that? Now repeat that for a million subscribers and that's an extra $2M a month in free profits.

    Maybe you can jack it up by $5 ($60/year) because it's still too low to bother.

    It's why they made class-action lawsuits, because someone stealing $48M/year would get sued/arrested/etc if it was against one person, but against 1M people? Worthless.

    As for this, well, given it's still "free money", even at Bitcoin's deflated value of around $350 or so, it's still free money. Who cares about efficiency or anything when you can steal CPU cycles like that - just scan github checkins for the key, then use the APIs to automatically create sessions and all that and rack up the bitcoins. Even the github scanner doesn't have to be owned by the user - they probably stole some guy's EC2 credential and are using one of his instances for it unbeknownst to the user. Free money!

  15. Re:Summary without technobabble by ls671 · · Score: 2

    I entirely agree but for some, namely the ones who still use symmetric keys, this has become an old school thought.

    In Canada, the government bought 30 millions certificates for all its citizens in oder to authenticate for government on line services for a buck a piece. Total: 30,000,000$

    I would have been glad to provide it to them for 10,000$ and guess what? All privaye keys were kept centrally ;-) Us, old school guys just couldn't believe it.

    The big thinkers/marketing guys decided that it was just to complicated for citizens to manage and keep their secret key in a secure location.

    --
    Everything I write is lies, read between the lines.
  16. Give the man some slack by hankwang · · Score: 4, Insightful
    To all posters who are blaming the man for being so stupid: please RTFA. He had just opened an amazon AWS 1-year free trial to practice what he'd just learnt about Ruby on Rails. He made a mistake:

    I knew my API key needed to be safe, so I installed the Figaro gem (a rails API key security gem, which typically works great), and trusted it to keep my API key off of git when I pushed. (...) deleted all traces from GitHub. I was able to clean it up within about 5 minutes (...) After a close call, I went to bed.

    Surely it is not that unreasonable to (1) realize that those keys will be scraped within 5 minutes after uploading to an obscure project, and (2) not realize that an S3 key in a free trial subscription wouldn't allow racking up $2375 in EC charges within 10 hours?

    --
    Avantslash: low-bandwidth mobile slashdot.
    1. Re:Give the man some slack by hankwang · · Score: 2

      The mistake he made was not understanding the tools he was using. (...) Signing up for a service and then using it without reading the documentation is foolish.

      I assume that you also blame the subprime borrowers for signing a contract that they didn't fully understand without putting most of the blame on the banks that knew damn well what they were doing?

      The fact that one person can be blamed for a mistake due to lack of experience does not mean that there is not someone else (i.e., Amazon and the people who actually abused the keys) who deserves a lot more blame.

      --
      Avantslash: low-bandwidth mobile slashdot.
  17. Re:Summary without technobabble by gbjbaanb · · Score: 2

    The big thinkers/marketing guys decided that it was just to complicated for citizens to manage and keep their secret key in a secure location

    It is. Do not underestimate the ignorance of the common user, especially one who just wants to use their computer. Now if the government had charged $5 and sent a USB key with the certificate on it, maybe the end-user would take more care of it as they understand physical keys in a way that they don't with electronic versions.

    Look at how many times you have to use the "I forgot my password" feature. For a service you use once or twice a year, the "forgot my password" link would be the login screen.

    Secondly, if all keys are stored centrally, by the government, you can use them to decrypt end-user comms. I think someone must have been thinking ahead!

    Thirdly, "bought" 30 million certs? They're the government, they can create their own certs and be their own authority. Then they can outsource the delivery of these to citizens to a private company for only a few hundred million dollars. (a company with a minister on the board as a non-exec director, of course)

  18. Re:"ON accident"? by MillionthMonkey · · Score: 2

    I've lived all over the U.S.A. for decades, near plenty of stupid people, and I have never heard anyone use the phrase "on accident" in my life. That's the type of error you see in technical manuals from Asian countries. People do say "on purpose", which can easily confuse people who learn English as a second language into saying "on accident" instead of "by accident".

    To spot Americans with two-digit IQs on the Internet, look for two unforgivable homonym goofs: confusion between "they're", "their", and "there", and also between "you're" and "your". Those are big warnings that you're reading something stupid written by a native-English speaker. Foreigners don't seem especially prone to goof over these words, but half-illiterate native English speakers just type the way they hear themselves talk, and if it passes the spell check they'll remain oblivious.

  19. Give the man some slack by Mondragon · · Score: 2

    The mistake he made was not understanding the tools he was using. Apparently neither do you.

    (1) The key could have been scraped at any time once it was pushed, because you can't actually "delete[d] all traces from GitHub" (some ways are more thorough than others, but nothing is foolproof with Google wandering the earth). He needed to revoke his keys immediately.

    (2) There is no such thing as an "S3 key". There are only AWS API keys, which potentially have access to every service that you have enabled (plus the default ones). You need to use IAM profiles to restrict what services they can access, and what rights they have.

    Signing up for a service and then using it without reading the documentation is foolish.