Data Breach Exposes Thousands of Job Seekers Citing Top Secret Government Work
gizmodo.com
Setting permissions on S3 buckets is absurdly complicated.
Though it's no excuse, it's not surprising people leave it open, it's too hard to figure out how to lock it down.
Amazon needs to share some of the blame here and create a sane UI.
Well, I've used S3 on many projects since it pretty much came out. TBH, security is not much harder than in any *nix-based system.
Default settings are usually NO public read, and it actually takes more work to make stuff publicly readable on S3 than to just leave it as private.
I am thinking the biggest stuff up with this vendor is that they made the entire bucket or bucket key available publicly, which is a pretty dumb, and deliberate, thing.
If you wanted people to access resumes on an individual basis via a known web link, then just make the documents individually publicly readable, but don't make the entire bucket readable by default.
Better still, use Amazon's 'one time' or time based permissions to make sensitive files only available to a certain person or for a limited time.
Re: UI - Amazon's new S3 console is spades better than their old one - plenty of auditing and analytics tools there too which can prevent silly mistakes like this.
> Default settings are usually NO public read, and it actually takes more work to make stuff publicly readable on S3 than to just leave it as private.
While true, and a very sensible default, this misses one crucial point.
Setting granular permissions for an S3 bucket is hideously difficult. Want to limit access to a whitelisted set of users or origins? Write a bucket policy. This is where the UI completely fails.
0: The policies can become awfully difficult to understand even for straightforward use cases.
1: You can have policies with sensible rule sets, but the S3 UI doesn't allow you to pick and attach any of them.
2: The "permissions" tab has a very convenient and extremely dangerous option as the top item: "allow access for any logged in user"
I'll let the last one sink in. It's not "any logged in user in MY organisation", it's really "ANY logged in AWS user". Making the bucket essentially world-readable by accident is far too easy.
Point taken. Granular policies ARE a royal PITA to try and build. I wish their policy editor had a nice easy ARN selector, and a 'policy building' GUI that would help you with syntax and grouping.
Most of my projects use either totally restricted buckets, or buckets with access to a particular IAM, which is basic, but works.
The one time permission links are quite simple to implement, with libraries for practically every language. So there's really no excuse.
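The two grants the thread is warning about (the console's "any logged in AWS user" option and a bucket policy open to everyone) are easy to spot mechanically. Below is an added example, not code from this thread or from AWS, of a stdlib-only Python audit over a bucket ACL and bucket policy; the ACL and policy documents are constructed samples, and the bucket name, owner id and account id in them are placeholders. The "any logged in user" option corresponds to the `AuthenticatedUsers` group grantee, `AllUsers` is anonymous access, and the hardened policy shows the "access to a particular IAM" pattern mentioned above.

```python
# Grantee group URIs S3 uses for "everyone" (anonymous) and for "any AWS
# account" (what the console's "any logged in AWS user" option grants).
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"


def audit_acl(acl):
    """Flag ACL grants to either global group; returns a list of findings."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue
        if grantee.get("URI") == ALL_USERS:
            findings.append(f"ACL grants {grant['Permission']} to anonymous users")
        elif grantee.get("URI") == AUTHENTICATED_USERS:
            findings.append(f"ACL grants {grant['Permission']} to ANY AWS account")
    return findings


def audit_policy(policy):
    """Flag Allow statements whose principal is '*' and that carry no Condition."""
    findings = []
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal")
        if isinstance(principal, dict):  # {"AWS": "*"} or {"AWS": [...]}
            principal = principal.get("AWS", [])
        principals = principal if isinstance(principal, list) else [principal]
        if stmt.get("Effect") == "Allow" and "*" in principals and not stmt.get("Condition"):
            findings.append(f"statement {stmt.get('Sid', '?')} allows {stmt.get('Action')} to everyone")
    return findings


# Constructed sample documents (not taken from any real bucket).
WEAK_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "OWNER-ID-PLACEHOLDER"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS}, "Permission": "READ"}]}
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-resumes/*"}]}
# Hardened form: only one named IAM role may read (account id is a placeholder).
HARDENED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AppRoleRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/resume-app"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-resumes/*"}]}

if __name__ == "__main__":
    for name, doc, check in [("ACL", WEAK_ACL, audit_acl), ("weak policy", WEAK_POLICY, audit_policy),
                             ("hardened policy", HARDENED_POLICY, audit_policy)]:
        print(f"{name}: {check(doc) or 'no public grants'}")
```

A `Principal: "*"` statement that does carry a `Condition` (for example an `aws:SourceIp` restriction) is deliberately not flagged, since the condition is what narrows who can use it.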
I personally believe it's a valid excuse. Amazon should be included in the blame and should play a larger part in helping to provide automatic scanning for sensitive data, virus/malware protection, automatic data protection policies and other tools that can automatically detect/protect information. It's the lack of (local enforcement?) of data protection laws as well, similar to how a bar has to ID patrons before serving alcohol or lose its license to serve. There simply needs to stop being a Wild West mentality in IT. At a minimum it shows the importance of design & UX.
Well, if Google Reviews are anything to go by, McDonald's is more pleasant than working at/with TigerSwan.
Also, it's amusing that they're blaming this mysterious third-party "TalentPen" whose search results are so scant that they have this very article as one of the top hits. Wouldn't TigerSwan be equally liable for vetting their vendors?
AWS S3 storage, as mentioned previously in this thread, is a real treasure trove of leaks and breaches. I have been scanning them as part of a project and regularly have to reach out to businesses to tell them they're leaking information publicly.
You name it, I've probably come across it - lots are for hosting static content of websites which is pretty common, but there are also website and database backups, user uploaded content (from a sensitive 'dating' website), development and staging environments with sensitive internal information, a sea of CVs etc.
The hardest part is trying to responsibly disclose this stuff to the businesses - trying to find a security contact is often impossible, leaving it up to info@ or support@ emails.
And obviously AWS aren't the only cloud storage provider out there... there is more to be found with the other providers.
S3 is awesome. You can find all sorts of interesting stuff by adding site:s3.amazonaws.com to a google search. You'd seriously be amazed (or not) at the stuff people leave in open S3 buckets.
Time Warner Cable also had the same data breach. I wonder by passwordless did they mean someone was able to do a ls command on the bucket and was able to download as a public/anon user (direct s3 link)? If this was done I bet you someone probably didn't have time to implement secure link, just decided to make the bucket open.
> someone probably didn't have time to implement secure link, just decided to make the bucket open.
That sounds more likely. AWS permissions are tricky, but not so tricky that it's easy to leave a bucket wide open like that. In my experience, they're much more likely to lock out someone who should be able to access them than to allow someone who shouldn't. Just bad practice to give up and allow anyone in.
Another possibility: someone was doing testing (and at that stage too lazy), they made it public, and forgot about it even after they implemented authorization at the application level. Could have used Trusted Advisor...
There's always time to implement basic security when it comes to personally identifiable info. This was simple ineptitude.
Yes, agree, but incidents like this usually originate from laziness / forgetting about turning the switch off.
Putting top secret anything on the Internet seems like the opposite of a good idea.
4 million people have top secret clearance. What is and isn't a good idea given this state of affairs is ummm...
[1] https://www.washingtonpost.com/news/worldviews/wp/2013/06/12...
Holy smuckers. Thanks for that link. I hope this mark-everything-secret mentality is not to get around FOIA...
CVs like these are sanitized to only contain unclassified information regarding otherwise classified work. So the problem here is not classified information leaks, it would be better ability to target certain folks based on their work (although honestly, many folks who have done classified work seem to not use much discretion when setting up LinkedIn profiles).
Unless you're a whistleblower exposing corruption.
If you are a spook I wonder how you give references? And if you’ve done anything good you can’t write it on your CV without breaking the law.
I left the intelligence community and it was a pain in the ass. There are portions of my career that I simply can't talk about.
My first job out was the worst. Easily half of the "tell me about a time when you.." questions required me to be vague and speak about skills instead of projects, people, customers or goals. I was lucky because the CEO of that company was a friend of a friend and they did a number of classified projects themselves.
If it had been all civilians or non-IC connected firm, it would have been awful.
As a reaction to all that, I went deep into the open source community and blogging with the goal of always having projects and a portfolio I could talk about and show. Best decision I ever made.
Quite frankly if you're a spook you don't leave your job until you retire, or you go to the public sector where the bar is "this person has a clearance"
Hiring is not very competitive for government work. They are usually hiring warm bodies with clearances rather than talent.
If you're going from government cleared work to something completely different it's still fine to get a reference from people you worked with, just there are some pieces that are filtered
If you're getting another job in intel, you send the references over email on a secure network.
If you're leaving the intel community, chances are your references are really pertinent. All the "I can't say" responses will derail a lot of interviewers though.
>>> All the "I can't say" responses will derail a lot of interviewers though.
Not so sure about that.
The majority of interviews in the HN bubble are hours of technical questions and quizzes, where the interviewers will not ask a single question about your resume.
Outside of this bubble, the more mature interviewers, who did hundreds and hundreds of interviews, are not moved by a "This is confidential... I could talk about -other thing- instead".
After publication of the first few NSA documents via Snowden, people searched LinkedIn for keywords like XKeyscore. And found users who had cited them in work history. Security by obscurity?
They should add another layer of security by using embarrassing code names like YummyDookieChomper and IBeatMyWife, to discourage people from using them in their resumes or casual conversations.
Well, until Snowden's dump, stuff like XKeyscore must have seemed enigmatic enough. I mean, I doubt that people disclosed that they'd worked or consulted with the NSA, or NSA contractors. So only people who had would have known what those acronyms / code words meant. Rather like a secret handshake or whatever.
I thought the codewords were classified themselves? Never understood how people put them on LinkedIn.
I would have thought so too. People get sloppy, I guess.
For example, from WWII: http://weaponsman.com/wp-content/uploads/2015/01/OPSEC-grunt...
I'm sure there are lots of people paid to not work simply because of what they know
Close, but not quite how it works - there's actually a series of documentaries about the practice of retiring spies called The Prisoner.
I'm not sure those are documentaries so much as fiction. Not to say it's inaccurate storytelling, but it's definitely not a documentary
Well, I am sure that it is entirely fiction.
It was inspired (loosely) by something that supposedly really happened before and/or during the Second World War, some SOE (Special Operations Executive) operations in Scotland, but apart from this initial spark the rest is all fiction.
http://www.secretscotland.org.uk/index.php/Secrets/Inverlair...
Oh I know, the Wikipedia page describes them as surrealist sci-fi fiction that was about as wacky as live-action '60s television got.
But I like calling random TV shows and movies 'documentaries.' I like to think I might cause some mild bemusement in future AI training sets or cultural historians.
URI or GTFO. What use is "reporting" on the snake oil industry's own FUDmongering press releases? "Permissions are hard, let's go shopping!"
Let's see some independent analyses of this dataset. Start turning on the right lights and the roaches will scatter.