UNM4SK3D: AWS, Cloudbleed, and CloudPets

Join Cybrary

Begin Learning Cyber Security for FREE Now!

FREE REGISTRATION
Already a Member Login Here

< Back to Blog Posts

UNM4SK3D: AWS, Cloudbleed, and CloudPets

Published: March 3, 2017 | By: Olivia | Views: 2261
save

cyber_security_news

#outage

The annoyance when your Internet won’t load is quite possibly the most irritating feeling of the 21st century. So when the Amazon S3 outage occurred on Tuesday, February 28th for almost 5 hours, both consumers and businesses alike were in quite a mood.

S3, or Simple Storage Service, provides hosting for entire websites, app backends, and images. During the outage, those sites and apps were experiencing widespread issues, leading to service that was either partially or fully broken. Affected websites and services included Quora, Business Insider, Giphy, filesharing in Slack, and a number of e-commerce retailer’s sites, like Express and Lululemon. What’s worse, the outage also extended to IoT hardware from light bulbs to thermostats.

Across the media, the event was over dramatized in some cases and underplayed as simply an annoyance in others. Of course on Twitter there were memes. This data, reported by TechCrunch puts things into the best perspective: “It’s [S3] used by 0.8 percent of the top 1 million websites, which is actually quite a bit smaller than CloudFlare, which is used by 6.2 percent of the top 1 million websites globally – and yet it’s still having this much of an effect.”  The reality is that the outage did affect a lot of people, particularly in the US, but it’s small in comparison to what could  happen. Outages are still possible, and this event has only shed light on that. As for the cause, Amazon is attributing it to “high error rates with S3 in US-EAST-1” but has yet to release further details.

Amazon S3 is used by around 148,213 websites, and 121,761 unique domains -SimilarTech

Want another blogger’s perspective on the topic? You’d better read “Alexa, Call Jeff Bezos.”

#vulnerability

Speaking of CloudFlare, the content delivery network and web security provider has more good news for the Internet. They recently announced the finding of a critical bug that could have exposed a range of sensitive information, including passwords and tokens used to authenticate users. Estimates of the number of leaks are around 1.2 million. 

The bug was discovered by Google Project Zero security researcher Tavis Ormandy. Around the time of discovery, Ormandy noticed a buffer overflow issue with Cloudflare’s edge servers that were running past the end of a buffer and returning memory containing private data. CloudFlare works by acting “as a proxy between the user and web server, which caches content for websites that sits behind its global network and lowers the number of requests to the original host server by parsing content through Cloudflare’s edge servers for optimization and security.”

Once they became aware of the bug, Cloudflare’s investigation found that Cloudbleed was triggered over a million times in the past six months prior to Ormandy finding it. What a relief. CloudFlare was lucky in the respect that their investigation did not find any evidence that the bug was maliciously exploited before it was patched. But, the bad news continues. Even if you do not use CloudFlare directly, that does not mean it does not affect you. There’s a chance that websites you visited may have been affected, leaking your data as well. Because when it rains, it pours. One brownie point for precautionary measures, CEO Matthew Prince has pledged to have a code review completed by outside company, Veracode.

We’re talking full HTTPS requests, client IP addresses, full responses, cookies, passwords, keys, data, everything. -Ormandy’s blog post in reference to the leak

Cloudbleed is named after the Heartbleed bug discovered in 2014. To get more background on that bug, check out “Don’t Let your Site Heartbleed.”

#hacked

Hide yo kids, hide their IoT Teddy Bears. If parents were not concerned about their children’s privacy before, they will be now. Spiral Toys’ line of internet-connected stuffed animal toys, CloudPets, which allow children and relatives to send recorded voicemails back and forth, reportedly left the voice messages recorded between parents and children, as well as other personal data vulnerable to online hackers.

Each toy contains a tiny microphone for you to speak into. It uses a Bluetooth interface to upload the recording to cloud storage via an Android or iOS smartphone app tied to an account. Then, recipients download and listen to the message on a second CloudPets toy. Easy enough to use. And just as easy to hack. It’s been reported that more than 2 million voice recordings have been exposed, along with email addresses and passwords for over 820,000 user accounts. In some cases, hackers locked the data and held it for ransom.

Allegedly, the toy maker was notified four times but failed to take timely action. “The customer data was left unprotected from December 25th, 2016 to January 8th in a publicly available database that wasn’t protected by any password or a firewall, according to a blog post published Monday by Troy Hunt, creator of the breach-notification website Have I Been Pwned?” referenced The Hacker News. So the next time you’re shopping for the hottest ‘toy in tech,’ proceed with caution.

It is impossible to believe that CloudPets (or mReady, [a Romanian company which Spiral Toys appears to have contracted with to store its database]) did not know that firstly, the databases had been left publicly exposed and secondly, that malicious parties had accessed them -Troy Hunt, creator of the breach-notification website Have I Been Pwned?

If you want more from Troy Hunt, watch his video training: “Web Security Fundamentals.”

#factbyte

$35 per month. That’s the price of the new live TV streaming service from YouTube, YouTube TV that takes on cable providers directly.

#certspotlight

Today’s expectation of immediacy has led to exponential growth of the volume of sensitive data being transmitted digitally. Unfortunately, data is not only more valuable while in motion, it is also less secure. 

Data in transit is information that travels over the public network or data that flows within a private network. The Protecting Data in Transit Micro Certification provides useful insight into encryption, data integrity, and organizational data security, as well as implementing secure transport protocols such as: like IPsec, SSH, SSL/TLS. Knowing that the files we send and receive have not been modified due to data corruption or by attackers, requires specialized capabilities that multiple employers desire.

 

olivia2

Olivia Lynch (@Cybrary_Olivia) is the Marketing Manager at Cybrary. Like many of you, she is just getting her toes wet in the field of cyber security. A firm believer that the pen is mightier than the sword, Olivia considers corny puns and an honest voice essential to any worthwhile blog.

< Back to Blog Posts
Enjoy this blog post? Want more Cybytes?
Invite a Friend
and share now
Facebook Twitter Google+ LinkedIn Email
Join Cybrary
Comment on This

You must be logged in to post a comment.

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.

Cybrary On The Go

Get the Cybrary app for Android for online and offline viewing of our lessons.

Get it on Google Play
 

Support Cybrary

Donate Here to Get This Month's Donor Badge

 
Skip to toolbar

We recommend always using caution when following any link

Are you sure you want to continue?

Continue
Cancel