March 3, 2017
UNM4SK3D: AWS, Cloudbleed, and CloudPets
The annoyance when your Internet won't load is quite possibly the most irritating feeling of the 21st century. So when the Amazon S3 outage occurred on Tuesday, February 28th for almost 5 hours, both consumers and businesses alike were in quite a mood.
S3, or Simple Storage Service, provides hosting for entire websites, app backends, and images. During the outage, those sites and apps experienced widespread issues, leaving their service either partially or fully broken. Affected websites and services included Quora, Business Insider, Giphy, file sharing in Slack, and a number of e-commerce retailers' sites, like Express and Lululemon. What's worse, the outage also extended to IoT hardware, from light bulbs to thermostats.
Across the media, the event was overdramatized in some cases and underplayed as simply an annoyance in others. Of course, on Twitter there were memes. This data, reported by TechCrunch, puts things into the best perspective: "It’s [S3] used by 0.8 percent of the top 1 million websites, which is actually quite a bit smaller than CloudFlare, which is used by 6.2 percent of the top 1 million websites globally – and yet it’s still having this much of an effect." The reality is that the outage did affect a lot of people, particularly in the US, but it's small in comparison to what could happen. Outages are still possible, and this event has only shed light on that. As for the cause, Amazon is attributing it to "high error rates with S3 in US-EAST-1" but has yet to release further details.
Amazon S3 is used by around 148,213 websites, and 121,761 unique domains -SimilarTech
Want another blogger's perspective on the topic? You'd better read "Alexa, Call Jeff Bezos."
Speaking of CloudFlare, the content delivery network and web security provider has more good news for the Internet. They recently announced the finding of a critical bug that could have exposed a range of sensitive information, including passwords and tokens used to authenticate users. Estimates of the number of leaks are around 1.2 million. The bug was discovered by Google Project Zero security researcher Tavis Ormandy. Around the time of discovery, Ormandy noticed a buffer overflow in Cloudflare's edge servers: they were reading past the end of a buffer and returning memory that contained private data. CloudFlare works by acting "as a proxy between the user and web server, which caches content for websites that sits behind its global network and lowers the number of requests to the original host server by parsing content through Cloudflare’s edge servers for optimization and security." Once they became aware of the bug, Cloudflare's investigation found that Cloudbleed had been triggered over a million times in the six months prior to Ormandy finding it. What a relief. CloudFlare was lucky in the respect that their investigation did not find any evidence that the bug was maliciously exploited before it was patched. But the bad news continues. Even if you do not use CloudFlare directly, that does not mean it does not affect you. There's a chance that websites you visited may have been affected, leaking your data as well. Because when it rains, it pours. One brownie point for precautionary measures: CEO Matthew Prince has pledged to have a code review completed by an outside company, Veracode.
We're talking full HTTPS requests, client IP addresses, full responses, cookies, passwords, keys, data, everything. -Ormandy's blog post in reference to the leak
Cloudbleed is named after the Heartbleed bug discovered in 2014. To get more background on that bug, check out "Don't Let your Site Heartbleed."
Hide yo kids, hide their IoT Teddy Bears. If parents were not concerned about their children's privacy before, they will be now. Spiral Toys' line of internet-connected stuffed animal toys, CloudPets, which allow children and relatives to send recorded voicemails back and forth, reportedly left the voice messages recorded between parents and children, as well as other personal data vulnerable to online hackers.
Each toy contains a tiny microphone for you to speak into. It uses a Bluetooth interface to upload the recording to cloud storage via an Android or iOS smartphone app tied to an account. Then, recipients download and listen to the message on a second CloudPets toy. Easy enough to use. And just as easy to hack. It's been reported that more than 2 million voice recordings have been exposed, along with email addresses and passwords for over 820,000 user accounts. In some cases, hackers locked the data and held it for ransom.
Allegedly, the toy maker was notified four times but failed to take timely action. "The customer data was left unprotected from December 25th, 2016 to January 8th in a publicly available database that wasn't protected by any password or a firewall, according to a blog post published Monday by Troy Hunt, creator of the breach-notification website Have I Been Pwned?" as referenced by The Hacker News. So the next time you're shopping for the hottest 'toy in tech,' proceed with caution.
It is impossible to believe that CloudPets (or mReady, [a Romanian company which Spiral Toys appears to have contracted with to store its database]) did not know that firstly, the databases had been left publicly exposed and secondly, that malicious parties had accessed them. -Troy Hunt, creator of the breach-notification website Have I Been Pwned?
If you want more from Troy Hunt, watch his video training: "Web Security Fundamentals."