Tales of the Leaky Cloud
A security associate at Bishop Fox, Ben Morris, has revealed that Amazon EBS (Elastic Block Storage) has a public mode that makes virtual hard disks available to anyone on the Internet.
The announcement found here said, “Apparently hundreds of thousands (don’t know this either), because they’re out there exposing secrets for everyone to see.”
Among the information left out in the open are encryption keys, passwords and authentication tokens, as well as personally identifiable information (PII).
These are entire virtual hard drives belonging to websites and apps that are live, in production.
According to TechCrunch, these are different from the S3 buckets, the Amazon-hosted storage servers packed with customer data. Those exposed S3 buckets were discovered some time ago and are believed to result from misconfigured settings. Ben Morris told TechCrunch that this new gold mine of information is the keys to the kingdom.
He said that all too often cloud admins don’t choose the correct configuration settings, leaving EBS snapshots inadvertently public and unencrypted. “That means anyone on the internet can download your hard disk and boot it up, attach it to a machine they control, and then start rifling through the disk to look for any kind of secrets,” he said.
He estimates the figure could be as many as 1,250 exposures across all Amazon cloud regions. An Amazon spokesperson said customers who set their Amazon EBS snapshots to public “have been notified.”
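The misconfiguration described above is easy to audit from the owning account. The script below is an added example written for this page, not code from the article, Bishop Fox or AWS: it lists the account's own EBS snapshots, reads each one's `createVolumePermission` attribute (a snapshot is public when that list contains the group `all`), flags public and unencrypted snapshots, and can revoke public sharing. It assumes boto3 credentials are configured and the caller holds `ec2:DescribeSnapshots`, `ec2:DescribeSnapshotAttribute` and `ec2:ModifySnapshotAttribute`. The classification logic is separated from the API calls so it can be exercised on the constructed sample data embedded at the bottom.

```python
"""Audit an AWS account's own EBS snapshots for public sharing and missing
encryption, and optionally revoke public access.

Added example, not code from the article or from Bishop Fox.  Assumes boto3
credentials are configured; the pure audit functions run without boto3.
"""
from typing import Dict, List

# In the EC2 API a snapshot is public when its createVolumePermission
# attribute contains an entry with Group == "all".
PUBLIC_GROUP = "all"


def classify_snapshot(snapshot: Dict, permissions: List[Dict]) -> Dict:
    """Return findings for one snapshot.

    `snapshot` is one element of DescribeSnapshots.Snapshots and
    `permissions` is DescribeSnapshotAttribute.CreateVolumePermissions
    for that same snapshot.
    """
    is_public = any(p.get("Group") == PUBLIC_GROUP for p in permissions)
    shared_with = sorted(p["UserId"] for p in permissions if "UserId" in p)
    encrypted = bool(snapshot.get("Encrypted", False))
    return {
        "SnapshotId": snapshot["SnapshotId"],
        "Public": is_public,
        "SharedWithAccounts": shared_with,
        "Encrypted": encrypted,
        # The case the article describes: anyone can copy the volume and
        # read its contents, with no KMS key standing in the way.
        "Critical": is_public and not encrypted,
    }


def audit(snapshots: List[Dict], permissions_by_id: Dict[str, List[Dict]]) -> List[Dict]:
    """Classify every snapshot and return only those that need attention."""
    findings = []
    for snap in snapshots:
        result = classify_snapshot(snap, permissions_by_id.get(snap["SnapshotId"], []))
        if result["Public"] or result["SharedWithAccounts"] or not result["Encrypted"]:
            findings.append(result)
    return findings


def audit_account(region: str, revoke_public: bool = False) -> List[Dict]:
    """Run the audit against a live account (needs boto3 and credentials)."""
    import boto3  # imported here so the pure functions above work without it

    ec2 = boto3.client("ec2", region_name=region)
    snapshots = []
    for page in ec2.get_paginator("describe_snapshots").paginate(OwnerIds=["self"]):
        snapshots.extend(page["Snapshots"])
    permissions_by_id = {}
    for snap in snapshots:
        attr = ec2.describe_snapshot_attribute(
            SnapshotId=snap["SnapshotId"], Attribute="createVolumePermission")
        permissions_by_id[snap["SnapshotId"]] = attr["CreateVolumePermissions"]
    findings = audit(snapshots, permissions_by_id)
    if revoke_public:
        for finding in findings:
            if finding["Public"]:
                # Remove the "all" group so the snapshot is no longer public.
                ec2.modify_snapshot_attribute(
                    SnapshotId=finding["SnapshotId"],
                    Attribute="createVolumePermission",
                    OperationType="remove",
                    GroupNames=[PUBLIC_GROUP])
    return findings


# Constructed sample data shaped like EC2 API responses (not real snapshots).
SAMPLE_SNAPSHOTS = [
    {"SnapshotId": "snap-0example1", "Encrypted": False},
    {"SnapshotId": "snap-0example2", "Encrypted": True},
    {"SnapshotId": "snap-0example3", "Encrypted": False},
]
SAMPLE_PERMISSIONS = {
    "snap-0example1": [{"Group": "all"}],          # public and unencrypted
    "snap-0example2": [{"UserId": "111111111111"}],  # shared with one account
    "snap-0example3": [],                           # private, but unencrypted
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_SNAPSHOTS, SAMPLE_PERMISSIONS):
        print(finding)
```

Run `audit_account("us-east-1")` per region to see findings, and pass `revoke_public=True` only after reviewing them, since a snapshot may have been made public on purpose (for example to publish a community AMI). Snapshots shared with specific account IDs are reported separately so that intentional cross-account sharing can be confirmed rather than silently removed.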