Viacom is playing down the significance of this, but that could just be damage control.
One of our favorite security researchers, Chris Vickery, discovered yet another Amazon S3 storage bucket unprotected on Amazon.
In this case, it did not contain non-public personal information of customers, according to Viacom. They touted this as a good thing. After Equifax, it probably is a good thing FOR US, but what was there is definitely worse for Viacom.
For those of you not familiar with Viacom, they own the likes of Paramount, MTV, Nickelodeon and Comedy Central, among other brands.
What was in there was the access key and secret key to an Amazon Web Services account owned by Viacom. Whether it is their main corporate AWS account or maybe a test account, we don’t know (yet), but the attempt to deflect the question leads me to believe that it is the main corporate account. If it was, it would allow anyone who had that key pair to totally own the account, all the servers in it and all of the data associated with it. Likely nothing important.
But that is not all that was there.
The Amazon storage bucket also contained the GPG (open source version of PGP) data encryption/decryption keys. Depending on what those keys were used to encrypt, having the decryption keys would have allowed an attacker to read any data protected with those keys. Generally speaking, encryption keys don’t protect the lunch menu. If you go to the trouble to encrypt something, it is likely important and sensitive.
Chris contacted Viacom on August 31st and within a few hours, the data was gone.
The Amazon subdomain in question was called mcs-puppet. MCS likely refers to Viacom’s Multi-platform Compute Services. Puppet likely refers to the devops automation tool Puppet that allows IT operations teams to automate the deployment and management of corporate compute services.
While Viacom attempted to deflect the seriousness of the matter, without knowing what those Puppet scripts controlled, what the GPG keys protected and what the AWS access keys were used for, we really don’t know how much damage it could have done.
We also don’t know whether Chris was the first outsider to find the stash or whether it was downloaded many times.
Viacom’s attempts to make it go away would suggest to me that the damage was worse than they wanted to let on.
In the bigger picture, this is just one more case of a company not understanding where their data is, how it is protected and who has access to it. In this case, access was restricted to anyone who could find the data. Not a great plan for your private encryption keys and configuration scripts. Not a great plan at all.
But Viacom is hardly unique.
Does your company actively track the location, access controls and identities of all data and users who can access that data, whether it is located in a company owned data center or some cloud service that an employee set up without asking or telling anyone? I didn’t think so. THAT is what needs to happen and it is not a one time event; it needs to be managed in real time, FOREVER.
Or, your company could become the next Viacom. Your choice.
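The two failures described above, a bucket granted to everyone and secret material sitting inside it, can both be checked for mechanically. The following is an added example, not anything Viacom or Gizmodo published: it takes an S3 bucket ACL in the shape boto3's get_bucket_acl() returns and the text of an object, and reports public grants and leaked key material. The ACL and object contents are constructed samples (the key values are AWS's documentation placeholders), and the regular expressions are assumptions about what such leaks usually look like.

```python
import re

# Constructed sample in the shape of boto3 get_bucket_acl(); not data from the incident.
SAMPLE_ACL = {
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ]
}

# Constructed sample object; the key values are AWS documentation placeholders, not real keys.
SAMPLE_OBJECT = """aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
-----BEGIN PGP PRIVATE KEY BLOCK-----
"""

# The two predefined S3 groups that hand access to the whole world (or every AWS customer).
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

# Assumed patterns for the kinds of material this post discusses.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+]{40})"),
    "pgp_private_key": re.compile(r"-----BEGIN PGP PRIVATE KEY BLOCK-----"),
}


def public_grants(acl):
    """Return (group, permission) pairs in the ACL that grant access to everyone."""
    return [(g["Grantee"]["URI"].rsplit("/", 1)[1], g["Permission"])
            for g in acl.get("Grants", [])
            if g["Grantee"].get("Type") == "Group" and g["Grantee"].get("URI") in PUBLIC_GROUPS]


def find_secrets(text):
    """Return the sorted names of secret patterns found in an object's contents."""
    return sorted(name for name, pat in SECRET_PATTERNS.items() if pat.search(text))


def audit_bucket(acl, objects):
    """Combine both checks: a bucket is a finding if it is public AND holds key material."""
    grants = public_grants(acl)
    leaks = {name: find_secrets(body) for name, body in objects.items() if find_secrets(body)}
    return {"public_grants": grants, "leaks": leaks, "exposed": bool(grants and leaks)}


if __name__ == "__main__":
    print(audit_bucket(SAMPLE_ACL, {"puppet/aws.conf": SAMPLE_OBJECT}))
```

Run against real buckets, the ACL would come from get_bucket_acl() and the object text from get_object(); an "exposed" result is the case to treat as an incident, not a configuration note.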
Information for this post came from Gizmodo.