Geekzone: technology news, blogs, forums

neb

2590 posts

Uber Geek

Trusted
Lifetime subscriber

  #2524400 16-Jul-2020 21:36
Send private message quote this post

frankv: No, the biggest problem is people who don't understand how to use AWS's security features,

 

 

Separate reply for a different topic: AWS is a neverending breach machine. If one or two companies/users get it wrong, the problem is the user. If a neverending stream of companies/users get it wrong, the problem is AWS.

1769 posts

Uber Geek

Subscriber

  #2524458 16-Jul-2020 23:24
Send private message quote this post

frankv: 

It's a few months since I got my AWS certification (Solutions Architect and Developer) and I haven't touched AWS since, but it's not hard to lock down access to an S3 bucket so it's only publicly accessible via a website, which in turn can be secured. So I dispute your characterisation as "profoundly unusable".

LPM's site says it was created by Black Cedar (blackcedar.co.nz). Their site is "Temporarily unavailable"... make of that what you will.

 

This 100%

 

The news article states it was a database leak; I am unsure why they are saying that, as it seems it's just file storage. Reading between the lines, the "security specialist" looked at the URL of a document and within that is the bucket address. Either that or he has been googling bucket URLs until he finds one and sees if the user made it public. Once you have the URL of a bucket you can go to the root level and if the bucket is made public it will display an XML directory listing of all folders and files. However, to get S3 to behave in that way you have to bypass numerous warnings telling you this is a very bad idea. I agree that the CORS bucket policy is not simple to use, but this is a service aimed at a certain level of IT expertise.

 

frankv: 

 

Separate reply for a different topic: AWS is a neverending breach machine. If one or two companies/users get it wrong, the problem is the user. If a neverending stream of companies/users get it wrong, the problem is AWS.  

I don't agree; if people don't understand the toys they are playing with they will create [their own] problems. AWS is well documented but extremely dry; it's all there though.


 
 
 
 


BDFL - Memuneh
67818 posts

Uber Geek

Administrator
Trusted
Geekzone
Lifetime subscriber

  #2524523 17-Jul-2020 09:02
Send private message quote this post

Geektastic: Surely the biggest problem is the person/company that chose to use AWS?

 

 

Nothing wrong with AWS. It's how you use it.





 

 

These links are referral codes

 

Geekzone broadband switch | Electricity comparison and switch | Hatch investment (NZ$ 10 bonus if NZ$100 deposited within 30 days) | Sharesies | Mighty Ape | Backblaze | Amazon | My technology disclosure


3832 posts

Uber Geek

Lifetime subscriber

  #2524573 17-Jul-2020 10:02
Send private message quote this post

neb:
frankv: No, the biggest problem is people who don't understand how to use AWS's security features, which aren't difficult at all.

It's the most godawful unusable security interface I've ever seen, and that includes things like RACF and VMS. To give an example, walk us through the configuration steps required to set up a bucket where Accounts has read/write access, individual employees have read access, and no-one else has any access.

 

From memory (but it's been a while): Create the bucket. Leave the "Block All Public Access" enabled. Add email addresses or IDs to the Access Control List for the bucket with appropriate permissions.

 

 


193 posts

Master Geek


  #2525520 19-Jul-2020 10:44
Send private message quote this post

freitasm:

 

The new privacy law that makes reporting and acting on this a mandatory requirement doesn't come into force until December.

 

 

Does the law cover Wireless Hotspot providers like Zenbu who set up a mesh network for 34 users then leave the network wide open for 6-7 months (& counting) without any security whatsoever?

 

 


2611 posts

Uber Geek


  #2525582 19-Jul-2020 12:53
Send private message quote this post

SirHumphreyAppleby:

Sadly, this is true. A family member has a card with a major retailer and accessing their online portal now gives a security warning because they're still using the now-deprecated and very outdated TLS 1.0. What did their customer service suggest? Use another browser.


The same company also sends out e-mails with tracking links to their portal rather than showing the actual URL... bad practice IMO.



Microsoft itself has now pushed back their TLS1 retirement date...

TLS 1.0 and 1.1 retirement date in Office 365 to be October 15, 2020
Major update: Announcement started
Applied To: All

We originally paused the retirement of TLS 1.0 and 1.1 in Office 365 (MC186218 June '20) due to these unprecedented times. As companies have pivoted their supply chains and countries have started to re-open, we have re-established a retirement date for TLS 1.0 and 1.1 in Office 365 to be October 15, 2020. As previously communicated (MC126199 in Dec 2017, MC128929 in Feb 2018 and MC186827 in July 2019), we are moving all of our online services to Transport Layer Security (TLS) 1.2+ to provide best-in-class encryption, and to ensure our service is more secure by default.

Note: If your organization has already taken steps to migrate from TLS 1.0 and 1.1 you can safely disregard this message.

BDFL - Memuneh
67818 posts

Uber Geek

Administrator
Trusted
Geekzone
Lifetime subscriber

  #2525671 19-Jul-2020 16:54
Send private message quote this post

K8Toledo:

 

freitasm:

 

The new privacy law that makes reporting and acting on this a mandatory requirement doesn't come into force until December.

 

 

Does the law cover Wireless Hotspot providers like Zenbu who set up a mesh network for 34 users then leave the network wide open for 6-7 months (& counting) without any security whatsoever?

 

 

What "data leak" would you be talking about here? Someone's computer not being secured and people being able to access data residing on that end point?

 

I am not a lawyer and you would have to test the case but I don't see how a network operator would be responsible for someone's data being unprotected. The network is neutral.





 

 



 
 
 
 


neb

2590 posts

Uber Geek

Trusted
Lifetime subscriber

  #2525788 19-Jul-2020 18:45
Send private message quote this post

PhantomNVD: Microsoft itself has now pushed back their TLS1 retirement date...

 

 

Presumably because they care about supporting existing users rather than following some security-geek agenda of cutting off users at the knees because of a theoretical weakness that no-one has ever exploited in practice (an MD5+SHA1 PRF that no-one knows how to exploit, 3DES that no-one has broken as mandatory cipher), and even with the ancient TLS 1.0 the best you can get is a mostly academic CBC padding oracle vulnerability for which every other attack is far easier and less work.

 

 

Bending over backwards to support existing users is one of the reasons why they were #1 for such a long time.

14707 posts

Uber Geek

Trusted
Lifetime subscriber

  #2525799 19-Jul-2020 18:56
Send private message quote this post

freitasm:

 

Geektastic: Surely the biggest problem is the person/company that chose to use AWS?

 

 

Nothing wrong with AWS. It's how you use it.

 

 

 

 

Which is the point I made. The person who chose to use it, not knowing how to use it, was the problem.






BDFL - Memuneh
67818 posts

Uber Geek

Administrator
Trusted
Geekzone
Lifetime subscriber

  #2525865 20-Jul-2020 07:22
Send private message quote this post

neb:

 

PhantomNVD: Microsoft itself has now pushed back their TLS1 retirement date...

 

 

Presumably because they care about supporting existing users rather than following some security-geek agenda of cutting off users at the knees because of a theoretical weakness that no-one has ever exploited in practice (an MD5+SHA1 PRF that no-one knows how to exploit, 3DES that no-one has broken as mandatory cipher), and even with the ancient TLS 1.0 the best you can get is a mostly academic CBC padding oracle vulnerability for which every other attack is far easier and less work. Bending over backwards to support existing users is one of the reasons why they were #1 for such a long time.

 

 

The email Microsoft sent yesterday to Office 365 admins clarifies why; there's nothing to "presume": they slowed down lots of projects because of COVID-19 and this was impacted. They have now resumed work on various fronts and retiring TLS 1.0 is one of these projects.





 

 



3210 posts

Uber Geek

Trusted
Subscriber

  #2525961 20-Jul-2020 11:21
Send private message quote this post

neb: Presumably because they care about supporting existing users rather than following some security-geek agenda of cutting off users at the knees because of a theoretical weakness that no-one has ever exploited in practice (an MD5+SHA1 PRF that no-one knows how to exploit, 3DES that no-one has broken as mandatory cipher), and even with the ancient TLS 1.0 the best you can get is a mostly academic CBC padding oracle vulnerability for which every other attack is far easier and less work. Bending over backwards to support existing users is one of the reasons why they were #1 for such a long time.

 

Any "mostly academic" vulnerability becomes a very real issue when the data being protected is important or valuable enough. Office 365 is actually certified to carry PROTECTED information, which would be revoked if they did not cut off TLS 1.0 and SSL clients, because a "mostly academic" vulnerability is just the sort of thing that a foreign state actor would use to intercept it.

 

As to "cutting off users at the knees": any piece of software that can interact over HTTPS with Office 365 supports TLS 1.2. If there is any software still running that does not, then it is good that it's cut off, because what other vulnerabilities lie in code that hasn't been patched since 2015?


neb

2590 posts

Uber Geek

Trusted
Lifetime subscriber

  #2525986 20-Jul-2020 12:46
Send private message quote this post

Kyanar:

Any "mostly academic" vulnerability becomes a very real issue when the data being protected is important or valuable enough.

 

 

Except that you don't bypass TLS through some high-tech attack that lets you recover 32 bits of a message with a massive amount of effort, you bypass it by phishing the victim's credentials, or buying them from a data breach, or exploiting the 0day in their operating system. To quote security researcher Drew Gross, "I love crypto, it tells me which bits of the system not to bother attacking". They're not fixing anything that attackers are exploiting, so there's no particular hurry to complete the task.

1211 posts

Uber Geek

Trusted

  #2526206 20-Jul-2020 19:43
Send private message quote this post

alasta: It would be nice to think that this sort of situation could be avoided by people simply refusing to provide electronic copies of identity documents to third parties. ...

 

Somehow, you need to be verified digitally. Currently we lack a trustworthy & verifiable method to identify ourselves online. So we do the next best thing, we shift the physical / real world into the digital realm. Until the techies come up with a better solution, ordinary people will go about living their day to day lives the best they can. Sometimes that requires you to upload a digital copy of your government ID, be that for rental, financial or other purposes.

 

 





Please keep this GZ community vibrant by contributing in a constructive & respectful manner.


16217 posts

Uber Geek

Trusted
Subscriber

  #2526210 20-Jul-2020 19:55
Send private message quote this post

neb:
frankv: No, the biggest problem is people who don't understand how to use AWS's security features, which aren't difficult at all.

It's the most godawful unusable security interface I've ever seen, and that includes things like RACF and VMS. To give an example, walk us through the configuration steps required to set up a bucket where Accounts has read/write access, individual employees have read access, and no-one else has any access.

 

AWS is fairly complex. I've been using AWS for years in a professional capacity, I have multiple AWS qualifications, it's still not trivial to fully secure AWS. However, securing an S3 bucket can be really simple as the console makes it difficult to make a bucket public, and constantly alerts you that the bucket is public.

 

To answer your question you would use a bucket policy, but I'm not going to do a walkthrough because the use case isn't as precise as it needs to be to fully specify the security.
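As an added example (not code from this thread, from AWS, or from any poster), here is the bucket-policy approach networkn points to for neb's scenario, together with two checks a defender would run: one over a policy document to flag the "anyone can list and read" grant that produces the XML directory listing described earlier in the thread, and one over the Block Public Access settings frankv mentions. The account id, bucket name and the `Accounts`/`Employees` role names are made-up placeholders; the policy and configuration key names are the real S3 ones.

```python
import fnmatch
import json

# Constructed sample values for this example; not identifiers from the thread.
ACCOUNT_ID = "111122223333"
BUCKET = "example-docs-bucket"

# Actions that let an anonymous caller read objects or list the bucket (the
# "XML directory listing" case). Compared as patterns because IAM allows wildcards.
READ_ACTIONS = ("s3:getobject", "s3:listbucket")

# The four settings behind the console's "Block all public access" switch
# (the key names are those of S3's PublicAccessBlockConfiguration).
BLOCK_PUBLIC_ACCESS_KEYS = (
    "BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets",
)


def scenario_policy(account_id, bucket):
    """Least-privilege bucket policy for the scenario in the thread: a hypothetical
    'Accounts' role gets read/write, a hypothetical 'Employees' role gets read-only,
    and anyone else gets nothing because no Allow statement names them."""
    bucket_arn = "arn:aws:s3:::" + bucket
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AccountsReadWrite",
                "Effect": "Allow",
                "Principal": {"AWS": "arn:aws:iam::%s:role/Accounts" % account_id},
                "Action": ["s3:ListBucket", "s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
                "Resource": [bucket_arn, bucket_arn + "/*"],
            },
            {
                "Sid": "EmployeesReadOnly",
                "Effect": "Allow",
                "Principal": {"AWS": "arn:aws:iam::%s:role/Employees" % account_id},
                "Action": ["s3:ListBucket", "s3:GetObject"],
                "Resource": [bucket_arn, bucket_arn + "/*"],
            },
        ],
    }


# Constructed sample of the misconfiguration the thread describes: anyone may
# list the bucket and fetch every object.
PUBLIC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublicRead",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::" + BUCKET, "arn:aws:s3:::" + BUCKET + "/*"],
        }
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_anyone(principal):
    """True for Principal "*" or {"AWS": "*"}, the two spellings of 'anonymous'."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_read_statements(policy):
    """Return the Sids of unconditional Allow statements that grant read or list
    access to anyone. Conditional grants are left for manual review, not flagged."""
    flagged = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        if not _principal_is_anyone(stmt.get("Principal")):
            continue
        patterns = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if any(fnmatch.fnmatch(action, p) for action in READ_ACTIONS for p in patterns):
            flagged.append(stmt.get("Sid", "<no Sid>"))
    return flagged


def missing_public_access_blocks(config):
    """Return the Block Public Access settings that are not enabled, given a dict
    in the shape of PublicAccessBlockConfiguration (as returned by the S3 API)."""
    return [k for k in BLOCK_PUBLIC_ACCESS_KEYS if not config.get(k, False)]


if __name__ == "__main__":
    print(json.dumps(scenario_policy(ACCOUNT_ID, BUCKET), indent=2))
    print("public read in scenario policy:", public_read_statements(scenario_policy(ACCOUNT_ID, BUCKET)))
    print("public read in sample policy:", public_read_statements(PUBLIC_POLICY))
    print("blocks still off:", missing_public_access_blocks({"BlockPublicAcls": True}))
```

The scenario policy works by omission: S3 denies anything no statement allows, so "no-one else has any access" needs no explicit Deny as long as Block Public Access stays on and no ACL or other policy grants more. The checker deliberately treats a conditional public statement as "review by hand" rather than safe, since a weak condition can still be effectively public.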


BDFL - Memuneh
67818 posts

Uber Geek

Administrator
Trusted
Geekzone
Lifetime subscriber

  #2526226 20-Jul-2020 21:20
Send private message quote this post

ANglEAUT:

 

alasta: It would be nice to think that this sort of situation could be avoided by people simply refusing to provide electronic copies of identity documents to third parties. ...

 

Somehow, you need to be verified digitally. Currently we lack a trustworthy & verifiable method to identify ourselves online. So we do the next best thing, we shift the physical / real world into the digital realm. Until the techies come up with a better solution, ordinary people will go about living their day to day lives the best they can. Sometimes that requires you to upload a digital copy of your government ID, be that for rental, financial or other purposes.

 

 

There are verification services that do not require a copy of your document.





 

 


