In the wake of yesterday’s ransomware incident, information security is in the limelight, and before I connected to the internet today, I clicked restart on the annoying Windows Update message instead of postponing it for another 4 hours.
My computer is up to date with all security fixes, and the anti-virus definition files have been updated. I am ready to go.
I wanted to experiment with a web application, but didn’t want to spend the time configuring LAMP and a PHP framework, so I opted to use an Amazon AWS EC2 community AMI pre-loaded with the application stack.
I was lucky to find one, so I went ahead and launched it, and accessed it via the server IP.
I created my RDS DB in order to change the “database.php” config file to point to my own DB.
When I opened the config file to edit it, I found a Brazilian website (a “.br” domain) as the host name, along with MySQL root credentials.
I thought there was no way this was still live, so I tried connecting to the remote host from the command line.
I got the prompt back!
I had root on their MySQL database with no effort.
I am not sharing any screenshots in this blog post, to protect the server. But this incident is a reminder to make sure you don’t share AMIs until you have removed all credentials, user history, etc.
Follow this guide for more info: https://aws.amazon.com/articles/0155828273219400
Another tip is to run the mysql_secure_installation script.
It’s also a good idea to block remote connections to your SQL server.
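A pre-publishing check in the spirit of the three tips above, written as an added example (not code from the original post). The scan_instance, build_sample and scrub_sample functions, the file paths and the grep patterns are my assumptions about a typical LAMP layout; the sample tree is constructed inline with placeholder values.

```shell
#!/bin/sh
# Added example: scan an instance's filesystem for the leftovers the post warns
# about before an AMI is shared. Paths and patterns are assumptions about a
# typical LAMP layout, not taken from the original post.

# Print one line per finding under ROOT (a mounted volume, or "/" on the instance).
scan_instance() {
    root="$1"
    # 1. PHP config files carrying a hostname/password setting (e.g. database.php)
    pat="['\"](hostname|host|password|pass)['\"][[:space:]]*(=>|=)[[:space:]]*['\"][^'\"]+['\"]"
    find "$root/var/www" -type f -name '*.php' -exec grep -Eil "$pat" {} \; 2>/dev/null \
        | sed 's/^/credential-like setting in: /'
    # 2. Non-empty shell history, which often records "mysql -u root -p..." logins
    for h in "$root/root/.bash_history" "$root"/home/*/.bash_history; do
        if [ -s "$h" ]; then echo "shell history present: $h"; fi
    done
    # 3. MySQL config that does not pin the listener to localhost
    for cnf in "$root/etc/my.cnf" "$root/etc/mysql/my.cnf"; do
        if [ -f "$cnf" ] && ! grep -Eq '^[[:space:]]*bind-address[[:space:]]*=[[:space:]]*127\.0\.0\.1' "$cnf"; then
            echo "mysql not bound to localhost: $cnf"
        fi
    done
}

# Build a constructed sample tree that reproduces all three problems.
build_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/var/www/app/config" "$d/root" "$d/etc/mysql"
    cat > "$d/var/www/app/config/database.php" <<'EOF'
<?php
$db['default'] = array(
    'hostname' => 'db.example.invalid',      // constructed placeholder host
    'username' => 'root',
    'password' => 'PLACEHOLDER-NOT-A-SECRET', // constructed placeholder secret
);
EOF
    printf 'mysql -h db.example.invalid -u root -pPLACEHOLDER\n' > "$d/root/.bash_history"
    printf '[mysqld]\nbind-address = 0.0.0.0\n' > "$d/etc/mysql/my.cnf"
    echo "$d"
}

# Remediate the sample as the post recommends: clear history and bind MySQL to
# localhost. The config file still has to be cleaned by hand, so one finding stays.
scrub_sample() {
    : > "$1/root/.bash_history"
    printf '[mysqld]\nbind-address = 127.0.0.1\n' > "$1/etc/mysql/my.cnf"
}

sample=$(build_sample)
scan_instance "$sample"   # three findings on the constructed sample
rm -rf "$sample"
```

Run it against a volume snapshot of the instance before you register the image; an empty report is the goal.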
I went ahead and contacted AWS Security to alert them to this AMI, so they can take it down and contact the site owner.
In the wake of security breaches, one is amazed at how successful these criminals are with their exploits. It comes down to our failure to follow the basic, annoying security steps one has to take. I say annoying, because they kind of are. Nobody wants multiple locks on their house, and then a lock for every room, a security guard outside, etc. You get where I am going with this. However, today’s reality, where most of our computing is on public networks, makes following good security practices a priority. Creating hard-to-guess passwords, implementing password expiration, multi-factor authentication, software patching, and updates to both the OS and anti-virus definition files should be part of our disciplined approach to cybersecurity.
The ransomware that ravaged UK NHS computers was caused by running an unpatched OS. It’s easy for me to sit here and speculate about the why.
What’s apparent is that the NHS CTO or CSO (if they have one) decided to take on that risk, and we now know it was a costly decision.
Update: AWS Security replied to my e-mail, referring me to their “Shared responsibility model” and saying that they cannot take down the EC2 instance. So, until the owner takes action, this EC2 image is still there for people to use.
Excerpt from AWS Security message:
“To be clear, the security concern you have reported cannot be resolved by AWS but must be addressed by the customer, who may not be aware of or be following our recommended security best practices.
We have passed your security concern on to the specific customer for their awareness and potential mitigation.”