AWS security woes

[wraith808]

I use AWS for backing up my web sites mostly, though I use it for other reasons sometimes.  I switched to 2-factor, even though it's annoying and I don't use it much.  After all, if I'm only using it for a few things, how much trouble could I get in?

I saw these articles, and realized that 2-factor was a very good idea.

How a bug in Visual Studio 2015 exposed my source code on GitHub and cost me $6,500 in a few hours

Developers, Check Your Amazon Bills For Bitcoin Miners

Amazon AWS Account Hacking and How to Avoid it

How my Amazon S3 account was hacked with 10,776$ in billing.

Check your S3 and secure it... even if you don't use it.  Basically, they login, and then create EC2 instances with bitcoin miners.  They make the money, and leave you with the bill.

Just figured I'd post this as I'd not seen this particular phenomenon before.

[tomos]

Thanks for the warning

For the casual user -- just doing simple backup -- this seems to make Amazon S3 no longer worthwhile.
I presume that my automatic backups to S3 would no longer work with two-factor authentication.

[wraith808]

... where did the image come from?  I didn't put an image in the original post...?

[mouser]

I added it so I could blog it -- I do that sometimes to posts that I blog.

[Deozaan]

... where did the image come from?  I didn't put an image in the original post...?

-wraith808 (September 01, 2015, 01:44 PM)

Hacked!

 

[wraith808]

Thanks for the warning

For the casual user -- just doing simple backup -- this seems to make Amazon S3 no longer worthwhile.
I presume that my automatic backups to S3 would no longer work with two-factor authentication.

-tomos (September 01, 2015, 11:57 AM)

It's a different area, which is the reason they suggest having different keys with different users.  I have a key that I use for all of my backups that has only rights to the s3 bucket.  That one doesn't have two factor.  But if they get in, the only thing they can do is write to my backup bucket. It doesn't even have the rights to delete.  Just add. 

[wraith808]

^ That's in the original post.  And it wasn't a bug in Visual Studio, which is the reason that the thread wasn't titled as such.  It was because of a bug in the OSS git implementation that was an option in VS.

From that first link:

Scott Hanselman, Phil Haack, the GitHub team and Microsoft have all been in contact with me about this. Unlike the title of this post suggests, this is actually a problem with the GitHub extension that ships with Visual Stuido 2015. The GitHub Extension for Visual Studio is an open source project primarily maintained by GitHub but was initially jointly developed with Microsoft.

[mouser]

I apologize -- i have corrected the topics in the rest of the messages.

[wraith808]

I apologize -- i have corrected the topics in the rest of the messages.

-mouser (September 02, 2015, 10:48 PM)

Not a problem   The other title is more sensational... which he even talked about in the post   But I'd prefer it be accurate rather than attention getting Onward!

[Edvard]

Aw smokes, I did a search, why did I not see this before I posted?
Sorry for the dupe.  Mouser, you can erase mine, it doesn't add anything but the misleading tagline, and I totally missed the fact that it was the extension that had the bug, not VS.

Still, it seem somebody at MS or GitHub should have caught this bug long ago.  Is it that uncommon to make private repos on GitHub?

[wraith808]

Still, it seem somebody at MS or GitHub should have caught this bug long ago.  Is it that uncommon to make private repos on GitHub?

-Edvard (September 03, 2015, 06:57 PM)

You have to be a paying customer in order to make private repos (One of the reason I use bitbucket more).  Not sure how rare that is.