topbanner_forum
  *

avatar image

Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
  • Thursday March 28, 2024, 10:35 am
  • Proudly celebrating 15+ years online.
  • Donate now to become a lifetime supporting member of the site and get a non-expiring license key for all of our programs.
  • donate

Author Topic: AWS security woes  (Read 9007 times)

wraith808

  • Supporting Member
  • Joined in 2006
  • **
  • default avatar
  • Posts: 11,186
    • View Profile
    • Donate to Member
AWS security woes
« on: September 01, 2015, 11:25 AM »
I use AWS for backing up my web sites mostly, though I use it for other reasons sometimes.  I switched to 2-factor, even though it's annoying and I don't use it much.  After all, if I'm only using it for a few things, how much trouble could I get in?

I saw these articles, and realized that 2-factor was a very good idea.

How a bug in Visual Studio 2015 exposed my source code on GitHub and cost me $6,500 in a few hours

Developers, Check Your Amazon Bills For Bitcoin Miners

Amazon AWS Account Hacking and How to Avoid it

How my Amazon S3 account was hacked with 10,776$ in billing.

Check your S3 and secure it... even if you don't use it.  Basically, they login, and then create EC2 instances with bitcoin miners.  They make the money, and leave you with the bill.

Just figured I'd post this as I'd not seen this particular phenomenon before.

the-bill.jpg
« Last Edit: September 02, 2015, 10:48 PM by mouser »

tomos

  • Charter Member
  • Joined in 2006
  • ***
  • Posts: 11,959
    • View Profile
    • Donate to Member
Re: AWS security woes
« Reply #1 on: September 01, 2015, 11:57 AM »
Thanks for the warning :up:

For the casual user -- just doing simple backup -- this seems to make Amazon S3 no longer worthwhile.
I presume that my automatic backups to S3 would no longer work with two-factor authentication.
Tom

wraith808

  • Supporting Member
  • Joined in 2006
  • **
  • default avatar
  • Posts: 11,186
    • View Profile
    • Donate to Member
Re: AWS security woes
« Reply #2 on: September 01, 2015, 01:44 PM »
... where did the image come from?  I didn't put an image in the original post...?

mouser

  • First Author
  • Administrator
  • Joined in 2005
  • *****
  • Posts: 40,896
    • View Profile
    • Mouser's Software Zone on DonationCoder.com
    • Read more about this member.
    • Donate to Member
Re: AWS security woes
« Reply #3 on: September 01, 2015, 01:45 PM »
I added it so I could blog it -- I do that sometimes to posts that I blog.

Deozaan

  • Charter Member
  • Joined in 2006
  • ***
  • Points: 1
  • Posts: 9,747
    • View Profile
    • Read more about this member.
    • Donate to Member
Re: AWS security woes
« Reply #4 on: September 01, 2015, 03:25 PM »
... where did the image come from?  I didn't put an image in the original post...?

Hacked!

 :P

wraith808

  • Supporting Member
  • Joined in 2006
  • **
  • default avatar
  • Posts: 11,186
    • View Profile
    • Donate to Member
Re: AWS security woes
« Reply #5 on: September 01, 2015, 05:07 PM »
Thanks for the warning :up:

For the casual user -- just doing simple backup -- this seems to make Amazon S3 no longer worthwhile.
I presume that my automatic backups to S3 would no longer work with two-factor authentication.
It's a different area, which is the reason they suggest having different keys with different users.  I have a key that I use for all of my backups that has only rights to the s3 bucket.  That one doesn't have two factor.  But if they get in, the only thing they can do is write to my backup bucket. It doesn't even have the rights to delete.  Just add. 

wraith808

  • Supporting Member
  • Joined in 2006
  • **
  • default avatar
  • Posts: 11,186
    • View Profile
    • Donate to Member
Re: AWS security woes
« Reply #6 on: September 02, 2015, 10:37 PM »
^ That's in the original post.  And it wasn't a bug in Visual Studio, which is the reason that the thread wasn't titled as such.  It was because of a bug in the OSS git implementation that was an option in VS.

From that first link:

Scott Hanselman, Phil Haack, the GitHub team and Microsoft have all been in contact with me about this. Unlike the title of this post suggests, this is actually a problem with the GitHub extension that ships with Visual Stuido 2015. The GitHub Extension for Visual Studio is an open source project primarily maintained by GitHub but was initially jointly developed with Microsoft.

mouser

  • First Author
  • Administrator
  • Joined in 2005
  • *****
  • Posts: 40,896
    • View Profile
    • Mouser's Software Zone on DonationCoder.com
    • Read more about this member.
    • Donate to Member
Re: AWS security woes
« Reply #7 on: September 02, 2015, 10:48 PM »
I apologize -- i have corrected the topics in the rest of the messages.

wraith808

  • Supporting Member
  • Joined in 2006
  • **
  • default avatar
  • Posts: 11,186
    • View Profile
    • Donate to Member
Re: AWS security woes
« Reply #8 on: September 03, 2015, 07:48 AM »
I apologize -- i have corrected the topics in the rest of the messages.

Not a problem :)  The other title is more sensational... which he even talked about in the post :)  But I'd prefer it be accurate rather than attention getting :) :Thmbsup: Onward!

Edvard

  • Coding Snacks Author
  • Charter Honorary Member
  • Joined in 2005
  • ***
  • Posts: 3,017
    • View Profile
    • Donate to Member
Re: AWS security woes
« Reply #9 on: September 03, 2015, 06:57 PM »
Aw smokes, I did a search, why did I not see this before I posted? :(
Sorry for the dupe.  Mouser, you can erase mine, it doesn't add anything but the misleading tagline, and I totally missed the fact that it was the extension that had the bug, not VS.

Still, it seem somebody at MS or GitHub should have caught this bug long ago.  Is it that uncommon to make private repos on GitHub?

wraith808

  • Supporting Member
  • Joined in 2006
  • **
  • default avatar
  • Posts: 11,186
    • View Profile
    • Donate to Member
Re: AWS security woes
« Reply #10 on: September 03, 2015, 10:42 PM »
Still, it seem somebody at MS or GitHub should have caught this bug long ago.  Is it that uncommon to make private repos on GitHub?

You have to be a paying customer in order to make private repos (One of the reason I use bitbucket more).  Not sure how rare that is.