Slashdot Mirror

← Back to Stories (view on slashdot.org)

AWS Error Exposed GoDaddy Business Secrets (zdnet.com)

Posted by BeauHD on from the inside-information dept.

Internal information belonging to hosting provider GoDaddy has been exposed via an error in Amazon's AWS bucket configuration. According to cybersecurity firm UpGuard, a set of documents were left in an Amazon S3 bucket which was available to the public. ZDNet reports: The information involved in the security breach appeared to describe GoDaddy's architecture, as well as "high-level configuration information for tens of thousands of systems and pricing options for running those systems in Amazon AWS, including the discounts offered under different scenarios," according to UpGuard. Configuration files for hostnames, operating systems, workloads, AWS regions, memory, CPU specifications, and more were included in the exposed cache, which described at least 24,000 systems.

"Essentially, this data mapped a very large scale AWS cloud infrastructure deployment, with 41 different columns on individual systems, as well as summarized and modeled data on totals, averages, and other calculated fields," the cybersecurity firm said. The open bucket, called "abbottgodaddy," also included what the company believes to be business information relating to GoDaddy and Amazon AWS' relationship, including rate negotiations. This information should have been kept confidential. The open bucket, called "abbottgodaddy," also included what the company believes to be business information relating to GoDaddy and Amazon AWS' relationship, including rate negotiations. This information should have been kept confidential.

39 of 85 comments (clear)

  1. Derptastic by Aighearach · · Score: 3, Insightful

    Don't name your instances after your company. Select a neutral naming policy, and follow it.

    It is bad enough when business data gets leaked, but why put a big flag on anything accidentally visible to let people know that they should snoop into it because they're not supposed to see it?

    1. Re: Derptastic by mSparks43 · · Score: 1

      link to the data or it never happened.

    2. Re:Derptastic by Anonymous Coward · · Score: 2, Interesting

      AWS S3 bucket names are shared globally. I don't mean globally within your account. I mean globally globally. If you name an S3 bucket "GoDaddy" then nobody else in the world can name an S3 bucket "GoDaddy". It's a rather strange quirk of the AWS systems that often leads to people naming their buckets with their company name because the likelihood of name collision is much lower that way.

    3. Re:Derptastic by Aighearach · · Score: 1

      The possibility of name collision is clearly and obviously still much higher than using a random string, and maintaining your semantic metadata privately. Don't share your metadata frivolously!

    4. Re: Derptastic by Aighearach · · Score: 1

      You didn't fix anything, you comprehended the story but not any of the human comments.

      The *user* is who chooses the naming. It is the *user* who is more likely to have their stuff under attack if they name it after the company. Then when the *user* makes any other error, the baddies get their data.

      Obscurity isn't security, and yet it is still an important part of operational security practices including belt and suspenders.

  2. What secrets ? by Archfeld · · Score: 1

    Nekkid pictures of Danica Patrick ?

    --
    errr....umm...*whooosh* *whoosh* Is this thing on ?
    1. Re:What secrets ? by Tsolias · · Score: 1

      more like, nekkid pictures of Andrew Anglin.

  3. Confused by QuadEddie · · Score: 5, Funny

    I'm confused should this information should have been kept confidential? I wish the summary would clarify that

    1. Re:Confused by nadass · · Score: 1

      Generally speaking, infrastructure configurations and vendor-negotiated pricing arrangements are relatively confidential for the entity (GoDaddy) and they are traditionally classified as "trade secrets" (especially in the eyes of lawyers and employment/vendor contracts). The vendor/team/person who setup "abbottgodaddy" is liable for any damages directly attributable to this snafu; the direct damages would be changes in pricing strategy and infrastructure migration costs -- for a company like GoDaddy (with over 24K systems) that'll be a lotta budget spent to resolve, and the vendor would go broke (I hope they have good liability insurance).

    2. Re:Confused by giggleloop · · Score: 1, Funny

      Yeah. They really need to be clear that the open bucket, called "abbottgodaddy," also included what the company believes to be business information relating to GoDaddy and Amazon AWS' relationship, including rate negotiations. This information should have been kept confidential. Sloppy reporting not to include that info.

    3. Re:Confused by deviated_prevert · · Score: 1

      I'm confused should this information should have been kept confidential? I wish the summary would clarify that

      I'm confused should this information should have been kept confidential? I wish the summary would clarify that

      "Essentially, this data mapped a very large scale AWS cloud infrastructure deployment, with 41 different columns on individual systems, as well as summarized and modeled data on totals, averages, and other calculated fields," the cybersecurity firm said. The open bucket, called "abbottgodaddy," also included what the company believes to be business information relating to GoDaddy and Amazon AWS' relationship, including rate negotiations. This information should have been kept confidential. The open bucket, called "abbottgodaddy," also included what the company believes to be business information relating to GoDaddy and Amazon AWS' relationship, including rate negotiations. This information should have been kept confidential.

      • The redundancy could have made the situation more clear IMO, BeauHD didn't proof read the original post. I did and it made me somewhat dizzy it was deja vu all over again.
      • The redundancy could have made the situation more clear IMO, BeauHD didn't proof read the original post. I did and it made me somewhat dizzy it was deja vu all over again.
      --
      This message was not sent from an iPhone because Peter Sellers really was a deviated prevert without a dime for the call
    4. Re:Confused by jargonburn · · Score: 1

      Whoosh? ;-)

    5. Re: Confused by bestweasel · · Score: 1

      Whoosh whoosh.

  4. This is the Problem with Cloud Services by Anonymous Coward · · Score: 1

    It's too easy to have an epic security fail because it's too complicated, the peons configuring it don't know WTF they're doing and management doesn't care as long as it involves the words "cloud" and "savings".

    1. Re:This is the Problem with Cloud Services by iTrawl · · Score: 1

      Yeah, back in my day it was too easy to have an epic security fail because your own damn server was too complicated and the peons configuring it didn't know WTF they were doing. Now they have this cloud thing with point and click security...

      Now get off my... err... I'm not that old actually. I don't have a lawn yet.

      --
      "Everybody's naked underneath" -- The Doctor
  5. User error, not AWS error by Mascot · · Score: 1

    I forgave the local semi techy tabloid type online newspaper getting this wrong when the news broke days ago, but this is Slashdot FFS. This was user error, not a systems error. An AWS employee fucked up.

    1. Re:User error, not AWS error by nadass · · Score: 1
      Hmm, from the article:

      "The bucket in question was created by an AWS salesperson to store prospective AWS pricing scenarios while working with a customer," an AWS spokesperson told ZDNet.

      Somebody is not getting their performance bonus this quarter...

    2. Re:User error, not AWS error by StormReaver · · Score: 2

      This was user error, not a systems error. An AWS employee fucked up.

      I disagree. The "storing your data on someone else's servers" craze makes configuration so hard that not even the vendor can get it right.

    3. Re:User error, not AWS error by Old+Tom+Bombadil · · Score: 1

      I disagree. The "storing your data on someone else's servers" craze makes configuration so hard that not even the vendor can get it right.

      It's not difficult to make a default deny (i.e. Deny:*) bucket policy and then add in the allows. Hard but not impossible.

      --
      "Tom Bombadil is a merry fellow! Bright Blue his jacket is, and his boots are yellow!" -Tom Bombadil
    4. Re:User error, not AWS error by Mascot · · Score: 1

      Our usage of the term seems to differ, then. To me, a systems error is a category separate from user error, even if the user error is made more likely by overly complicated design or implementation.

  6. que? by MJhasHIV · · Score: 1

    que?

  7. Re:AWS error??? by nadass · · Score: 2

    It's unambiguously an error in the AWS bucket configuration. The title doesn't state responsibility but the first line in the brief description does.

  8. recurring theme by Anonymous Coward · · Score: 1

    how many times does a bucket need to be exposed before people get smart enough to. stop. fucking. using. them. for. important. data.

  9. Hmmm....Seem like someone dropped the ball. by gerald.edward.butler · · Score: 1

    The editors should ensure that duplicate sentences are removed from the summary. The editors should ensure that duplicate sentences are removed from the summary. It seems like this could be automated. It seems like this could be automated. I don't know why I see articles about 10% to 20% of the time with duplicate sentences, or sometimes even whole paragraphs, in them. I don't know why I see articles about 10% to 20% of the time with duplicate sentences, or sometimes even whole paragraphs, in them. It's kind of annoying. It's kind of annoying.

    1. Re: Hmmm....Seem like someone dropped the ball. by gerald.edward.butler · · Score: 1

      There's a joke I recall that has something to do with a woman and a man commenting on the size of the woman's, well, you know, and her asking why he said it twice, and him saying, "I didn't. I didn't". Something to do with acoustics of large spaces or something like that. These repetitions always remind me of that joke.

    2. Re: Hmmm....Seem like someone dropped the ball. by gerald.edward.butler · · Score: 1

      I'm pretty certain the original joke was from this guy: https://en.wikipedia.org/wiki/...

  10. Re:AWS error??? by Old+Tom+Bombadil · · Score: 2

    The article states that an AWS employee created the bucket and did not follow best practices. That's part of the problem with AWS, they apply the "professional" tag to new hires who sometimes only have 2-3 months experience with the company.

    --
    "Tom Bombadil is a merry fellow! Bright Blue his jacket is, and his boots are yellow!" -Tom Bombadil
  11. How is this an AWS error? by technomom · · Score: 1

    Calling this an AWS error is like calling leaving an unlocked S series in an airport parking lot a "Mercedes Benz" error. This is an error that GoDaddy, who is typically poor when it comes to security knowledge, made in their implementation. They used S3 without applying proper policies around it, all of which are more than sufficiently documented.

    1. Re:How is this an AWS error? by Junta · · Score: 1

      If it were a Mercedes salesperson leaving it unlocked in the airport, they would call it a Mercedes issue.

      Also, if Mercedes had a keyfob that would tend to unlock in the pocket, people would be questioning some human factors situations with that keyfob, even though that keyfob is working fine and would be secure if 'used properly'.

      The challenge with cloud hosting is that humans suck at securing things, and in the cloud instance context they tend to make the same mistakes they make on private networks except on internet accessible contexts. Sure, they shouldn't make the mistake on private networks and that's not defensible and can be a gigantic risk, but in practice the risk is mitigated by the nature of that private network. One would *hope* being on the internet would scare people into good practice, but that does not seem to be a safe outcome to presume.

      --
      XML is like violence. If it doesn't solve the problem, use more.
  12. Both, and AWS is the user by raymorris · · Score: 3, Insightful

    We have two major errors here, or three, all by AWS and their employees.

    An AWS employee created this bucket with it set to be accessible by everyone in the world.

    Why did the set it to be accessible to anyone and everyone? They didn't set it, that's the DEFAULT on AWS. AWS says Security Groups is their implementation of a firewall. Just about the only firewall that defaults to wide open, no security at all.

    Amazon's sales process apparently involves employees manually clicking on the generic UI to create resources for each customer, rather than having a Cloud Formation or other script for "create customer file".

    There are many failures here. The failure of the AWS employee to override the really stupid defaults is, to me, the least significant. Had he never been hired, other employees would be frequently creating buckets with the default, and stupidly insecure, settings. Had the default been to be secure, and let the let customer select places it SHOULD be accessible from, this wouldn't have happened and it wouldn't be a common occurrence.

    I've spent 20 years full time IT security. I'm very much security aware. I've forgotten to change the incredibly stupid AWS defaults, thereby leaving a security problem.

    1. Re:Both, and AWS is the user by lgw · · Score: 1

      To add to the list of mistakes: where was the security audit script? It's a trivial thing that anyone who has ever made this mistake should already be doing. Just log every best practice not being followed, and fix the inevitable mistakes before you load customer data. You know Amazon must do that sort of thing to police internal teams - heck, why isn't it there in the AWS dashboard?

      --
      Socialism: a lie told by totalitarians and believed by fools.
    2. Re:Both, and AWS is the user by Anonymous Coward · · Score: 2, Informative

      You are not correct on the defaults. S3 buckets default to no access to anyone outside your account, and in fact usually throw up "WARNING: This bucket is public" if you change it. Security groups are not used on S3 buckets, but they default to no access as well (except I think port 22, which is how you access your EC2 instances, but anyone with half a brain will configure their own security groups for VPCs where machines should be deployed), but would not have mattered in this case because security groups are not used for S3.

    3. Re:Both, and AWS is the user by Lord+Ender · · Score: 2

      Nothing in your post is true. The default bucket policy is private and the default security group allows no public access.

      --
      A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
    4. Re:Both, and AWS is the user by MachineShedFred · · Score: 1

      Then you haven't used AWS in a really long time, or you never set up a VPC when you did.

      S3 bucket policies default to non-public. You have to either use an IAM role that allows access, or have a bucket policy attached that allows access; or you can check a box that is very much not default to make it a public bucket.

      If you are using a VPC (which any organization should be) then resources created in the VPC default to having no security groups attached, which means there is no access to anything allowed at all. You have to create security groups that whitelist CIDR / port combinations, and then attach them to the resources. If you want it to be wide open, you would have to actually get an elastic IP, attach it to the instance, create a security group allowing traffic from 0.0.0.0/0 on ports 0-65535, and then attach that security group to the instance.

      None of that happens by default, if using a VPC.

      If you are using EC2-Classic (which really nobody should be unless you are looking to make a single public-available VM for playing around) then yes, it will be far more open. No organization of any size worth talking about would do this, and they would definitely not use EC2-classic under the direction from anyone working at AWS.

      Don't lie about shit you don't know anything about.

      --
      Slashdot still doesnâ(TM)t support Unicode after it was added to the HTML standard in 1997.
  13. That's on my TODO list, and we're a small team by raymorris · · Score: 1

    An audit script that runs as new resources are created, and the again periodically, is on my to-do list. We're a small team with hundreds of dollars per month of AWS spend. If we can do it, certainly AWS themselves can and should have such a script for internal use.

  14. And they are about 100 years behind the times (law by raymorris · · Score: 1

    Yes, under their Customer Responsibility Model, AWS says the customer is responsible carefully avoiding the dangers inherent in the design of their product. That was a common, and arguably legal, position to take until 1963.

    Since 1963, you may have noticed that self-propelled lawnmowers have deadman switches that automatically shit off the mower and apply a brake if the operator let's go of the handle for a second. All openings are covered by a metal plate held closed with a powerful spring any time the attachment isn't attached. In general, products have every reasonable safeguard in place in order to eliminate any foreseeable danger. That's because companies are legally required to put safeguards in place to guard against dangers whenever it's reasonably possible. "It's the customer's responsibility to avoid the clear dangers we designed into our product" hasn't been a legitimate or legal stance since at least 1963.

  15. Misleading Title by duke_cheetah2003 · · Score: 1

    The title suggests Amazon screwed up, when it was GoDaddy that screwed up their usage of Amazon's services. Kinda shady. The title.

  16. Why not to go to the cloud by Billly+Gates · · Score: 1

    This is a perfect example why companies refuse to outsource their Exchange servers, SharePoint boxen, as well as file storage services to the cloud. HR won't let them for reasons such as this.

    For those arguing it is GODADDYS FAULT not Amazon they miss the point. It was perfectly secure and fine the way it was. Some bean counter who is not trained in risk management urged to fire their IT workers and outsource this function to the cloud to save money.

    They got what they paid for.

    --
    http://saveie6.com/
  17. Retracted by brunes69 · · Score: 1

    "Although the potential threats to exploit this kind of data require intentional malicious actors, the exposure of that data through misconfigured storage does not," UpGuard said. "From operations as large as GoDaddy and Amazon, to small and medium organizations, anyone who uses cloud technology is subject to the risk of unintentional exposure, if the operational awareness and processes aren't there to catch and fix misconfigurations when they occur."