Users Leave Amazon Secure Storage Wide Open
A fairly serious security risk has appeared on Amazon Simple Storage Service (S3), this one born of carelessness rather than malice. S3 is a paid cloud-storage service that Amazon offers specifically for businesses and developers.
While S3's "buckets" (directories that users can organize to store content on Amazon's cloud servers) are supposed to be private, users can set them to be public — a problematic decision, since nearly 2,000 public folders contained 126 billion accessible files, full of personal photos and sensitive sales data.
Public buckets are problematic for two reasons. If files are available for download, the risks are obvious: Anyone can access whatever you store there. This is admittedly pretty harmless if your bucket is just a repository for your funny Internet memes, but not so smart if you are storing a work-in-progress novel, personal photos or business credentials.
Even if the individual files themselves are not downloadable, a public bucket still lets anyone list the names of the files it contains. This does not pose as much of a threat, but if those names include customer names or dates of client interactions, it's easy to see how public buckets could still prove risky.
Users with public buckets did not exhibit much discretion in what they posted. A study from the Security Street blog found personal photos, sales records, traffic data, employee information, program source code and a multitude of passwords. Many users marked files "confidential" or "private," but then left them available for download anyway.
The fix for this one is extremely simple, but responsibility still falls on the user's shoulders, not Amazon's. By default, all files uploaded to S3 are private, which means that users have, at one point or another, changed permissions on files or entire directories. Revoking permission and restricting it to just a few users will keep files secure. Amazon also recommends encrypting sensitive files.
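As an added example (not code from the article or from Amazon), here is a small Python audit script using boto3 that inspects a bucket's ACL for grants to the AllUsers and AuthenticatedUsers groups, the grants that make a bucket listable or its contents downloadable by outsiders, and optionally resets the bucket to Amazon's private default; the bucket name, owner ID and the sample ACL are constructed assumptions.

```python
# Added audit example: flag S3 bucket ACL grants that make a bucket public.
# boto3's get_bucket_acl() returns the ACL as a dict; the checks below work on
# that dict, so they can also be run on a constructed sample without AWS access.

# Grantee URIs Amazon uses for "everyone" and "any AWS account holder".
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS: "everyone", AUTH_USERS: "any AWS account"}


def public_grants(acl):
    """Return (audience, permission) pairs granted to the public groups.

    READ on a *bucket* ACL lets the audience list the file names; READ on
    an *object* ACL lets them download the file. FULL_CONTROL implies both.
    """
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            found.append((PUBLIC_GROUPS[grantee["URI"]], grant["Permission"]))
    return found


def is_public(acl):
    """True if anyone outside the owning account has been granted access."""
    return bool(public_grants(acl))


def audit_bucket(bucket_name, fix=False):
    """Fetch the live ACL; with fix=True, reset it to the private default."""
    import boto3  # imported here so the pure checks above run without it
    s3 = boto3.client("s3")
    grants = public_grants(s3.get_bucket_acl(Bucket=bucket_name))
    if grants and fix:
        s3.put_bucket_acl(Bucket=bucket_name, ACL="private")
    return grants


# Constructed sample ACL shaped like get_bucket_acl() output: the owner keeps
# full control, but the bucket has also been made listable by everyone.
SAMPLE_ACL = {
    "Owner": {"ID": "example-owner-id"},  # placeholder, not a real ID
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    ],
}

if __name__ == "__main__":
    for audience, perm in public_grants(SAMPLE_ACL):
        print(f"public: {audience} has {perm}")
```

ACL grants are only one way a bucket becomes public; a bucket policy can open it just as widely, so an ACL check alone is not a complete audit.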
Many security threats arise from oversights in a system's programming or from dedicated hackers out to make a quick buck. Still, everyday users would be wise to remember Bill Vaughan's famous maxim: "To err is human, to really foul things up requires a computer."