Would you leave the keys in the ignition of a running car in Times Square? According to new research, that is precisely what many people are doing when it comes to the public cloud.
Security consulting firm Stach & Liu has recently updated its Diggity toolset to make it easy for researchers to find cloud security keys that have been left out in the open.
“I’m looking for people that have embedded Amazon Cloud keys within public source code,” Francis Brown, managing partner at Stach & Liu, told InternetNews.com.
The Search Diggity tool works by scanning the Google Code search index with regular expressions that match commonly used key formats. “We’re finding several thousand Amazon cloud keys and secret keys that are embedded in code,” Brown said. What is happening is that some people are embedding their cloud keys in code and putting that information somewhere that is publicly accessible.
Once a researcher has access to the cloud keys, they can access an Amazon cloud instance with the same credentials as the owner of the cloud instance.
“The real problem is that this is just like if a user put their username and password out in a piece of code somewhere, thinking that no one would ever find it,” Brown said. “It’s just too easy to take control of an Amazon account given the shared account and secret key, so if anyone puts that information out anywhere, you’re pretty much done.”
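The same pattern-matching idea that finds exposed keys in a public index works just as well as a defensive check run on code before it leaves a developer's machine. The following scanner is an added example and is not part of the Diggity toolset or the article; it assumes the AWS key formats that are publicly documented (an access key ID is 20 uppercase alphanumerics beginning with `AKIA`, a secret key is 40 characters from the base64 alphabet) and uses AWS's own documented placeholder credentials as the constructed sample input. A Shannon-entropy threshold on secret candidates keeps obvious placeholders (a row of `A`s) from being flagged, which is the edge case a pre-commit hook has to handle if developers are not to disable it.

```python
"""Flag AWS-style credentials embedded in source text (added example, not Diggity code)."""
import math
import re
import sys
from collections import Counter
from typing import List, Tuple

# Format heuristics (assumptions based on AWS's documented key formats, not on the article):
# access key IDs are 20 uppercase alphanumerics starting with "AKIA".
ACCESS_KEY_RE = re.compile(r"\b(AKIA[0-9A-Z]{16})\b")
# Secret keys are 40 base64-alphabet characters; requiring a nearby "secret...key"
# identifier cuts false positives on arbitrary 40-character strings such as hashes.
SECRET_KEY_RE = re.compile(
    r"secret(?:_access)?_?key\W{0,6}([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])",
    re.IGNORECASE,
)

# Constructed sample: a config module someone might push to a public repository.
# Both credentials are AWS's published example values, not real keys.
SAMPLE_SOURCE = """\
# settings for the deployment scripts
import boto
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
PLACEHOLDER_SECRET_KEY = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
BUCKET = "my-bucket"
"""


def shannon_entropy(s: str) -> float:
    """Bits per character; real secrets sit well above 3.5, placeholders near 0."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def redact(value: str) -> str:
    """Keep only the ends so the report itself does not leak the credential."""
    return value[:4] + "..." + value[-4:]


def scan_source(text: str, entropy_threshold: float = 3.5) -> List[Tuple[int, str, str]]:
    """Return (line number, finding type, redacted value) for each suspected credential."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append((lineno, "aws_access_key_id", redact(m.group(1))))
        for m in SECRET_KEY_RE.finditer(line):
            candidate = m.group(1)
            # Low-entropy 40-char strings are placeholders, not secrets; skip them.
            if shannon_entropy(candidate) >= entropy_threshold:
                findings.append((lineno, "aws_secret_access_key", redact(candidate)))
    return findings


if __name__ == "__main__":
    # Pre-commit style usage: scan files given on the command line, or the
    # constructed sample when none are given, and fail the commit on any finding.
    paths = sys.argv[1:]
    sources = [(p, open(p, encoding="utf-8", errors="replace").read()) for p in paths] \
        if paths else [("<sample>", SAMPLE_SOURCE)]
    exit_code = 0
    for name, text in sources:
        for lineno, kind, shown in scan_source(text):
            print(f"{name}:{lineno}: {kind} {shown}")
            exit_code = 1
    sys.exit(exit_code)
```

Run against the sample, the hook reports the access key on line 3 and the secret on line 4 and stays silent on the all-`A` placeholder; the real fix for anything it does report is to move the credential out of the code into an environment variable or an instance role and rotate the key that was committed.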