Amazon: A Wild West Approach to Security
May 14, 2019
A story ostensibly about an “unprotected Elasticsearch cluster” and an administrator poses an interesting question which I will raise in a moment. You will want to read or scan “Sensitive Information of Millions of Panama Citizens Leaked.” The main idea is that information about citizens of Panama was leaked. The information appears to be germane to people with medical issues. That’s bad for several reasons:
- People and their medical “histories” are sensitive and like a sizzling hamburger to bad actors interested in blackmail or some other negative action.
- Some citizens of Panama are often low profile. These individuals use Panama as a convenient base for their identity or one of many identities. There are also quick hops to nearby locations with a somewhat flexible approach to financial activities.
- The “unsecured” Elasticsearch databases are findable using Shodan. This is a search system of considerable utility to certain organizations and individuals.
The system on which the data resided, if the write up is accurate, was Amazon AWS. Now the big question:
With the automation Amazon AWS offers customers, why aren’t basic security health checks routinely performed by Amazon’s smart software?
Snuffing out unprotected AWS servers / services is going to add to friction for customers and impose additional computational burdens on AWS.
One can point the finger at Elasticsearch administrators, but these people are driving Amazon’s digital vehicle. When a smart car mows down a pedestrian, whom do we scrutinize? The person walking or the go go outfit which built the smart vehicle?
Does Amazon’s speeding AWS need some driver safety functions? Air bags save lives, and the driver does not have to pay extra or be aware of these devices. Just a thought: Air bags and seat belts for Amazon AWS customers. Amazon, it seems, wants to help former employees become delivery people. What about the administrators of Elasticsearch? What’s their future?
Stephen E Arnold, May 14, 2019