5 Popular Web Hosting Services Found Vulnerable to Multiple Flaws


A security researcher has discovered multiple one-click client-side vulnerabilities in some of the world’s most popular and widely-used web hosting companies that could have put millions of their customers, as well as billions of their sites’ visitors, at risk of hacking.

Independent researcher and bug-hunter Paulos Yibelo, who shared his new research with The Hacker News, discovered roughly a dozen serious security vulnerabilities in Bluehost, Dreamhost, HostGator, OVH, and iPage, which amounts to roughly seven million domains.

Some of the vulnerabilities are simple to execute: they only require attackers to trick victims into clicking on a link or visiting a malicious website in order to take over the accounts of anyone using the affected web hosting providers.

Critical Flaws Reported in Popular Web Hosting Services

Yibelo tested all the below-listed vulnerabilities on all five web hosting platforms and found several account takeover, cross-site scripting, and information disclosure vulnerabilities, which he documented on the Website Planet blog.

1. Bluehost—the company owned by Endurance, which also owns Hostgator and iPage; in total, the three hosting providers power more than 2 million sites around the world. Bluehost was found vulnerable to:

  • Information leakage through cross-origin resource sharing (CORS) misconfigurations
  • Account takeover via CSRF due to improper JSON request validation
  • Man-in-the-middle attack possible due to improper validation of the CORS scheme
  • Cross-site scripting flaw on my.bluehost.com allows account takeover (demonstrated in a proof-of-concept, below)

2. Dreamhost—the hosting provider that powers one million domains was found vulnerable to:

  • Account takeover using cross-site scripting (XSS) flaw

3. HostGator

  • Site-wide CSRF protection bypass allows complete control
  • Multiple CORS misconfigurations leading to information leakage and CRLF injection

4. OVH Hosting—the company that alone powers four million domains around the world was found vulnerable to:

  • CSRF protection bypass
  • API misconfigurations

5. iPage Hosting

  • Account takeover flaw
  • Multiple Content Security Policy (CSP) bypasses

Video Demonstrations

Talking to The Hacker News, Yibelo said he took about an hour on average on each of the five web hosting platforms to find at least one account takeover-related client-side vulnerability, mostly using Burp Suite, a web application security testing tool, and Firefox browser plugins.

“They mostly focus on protecting the wrong assets, but most of them have medium security standards for their user profile portals and data exfiltration vulnerability classes. Most of their protections are easily bypassable using lesser-known tricks,” Yibelo told The Hacker News.

Among the affected hosting companies, Yibelo found Bluehost, HostGator and iPage to be the easiest ones to hack into, though he told The Hacker News that HostGator included “multiple layers of security checks (that can be bypassed, but they are there, unlike the other sites).”

Yibelo reported his findings to the affected web hosting providers; all except OVH patched their services before the information went public yesterday. OVH has yet to confirm or respond to the researcher’s findings.

Read the Full Article here: >The Hacker News [ THN ]

Flight Booking System Flaw Affected Customers of 141 Airlines Worldwide

Almost half of the flight travelers around the world were found exposed to a critical security vulnerability discovered in an online flight ticket booking system that allowed remote hackers to access and modify their travel details and even claim their frequent flyer miles.

Israeli network security researcher Noam Rotem discovered the vulnerability when he booked a flight on the Israeli airline ELAL; successful exploitation required only the victim’s PNR (Passenger Name Record) number.

The vulnerability resided in the widely used online flight booking system developed by Amadeus, which is currently being used by nearly 141 international airlines, including United Airlines, Lufthansa and Air Canada.

After booking a flight with ELAL, the traveler receives a PNR number and a unique link that allows customers to check their booking status and related information associated with that PNR.

Rotem found that merely changing the value of the “RULE_SOURCE_1_ID” parameter on that link to someone else’s PNR number would display personal and booking-related information from the account associated with that customer.

Using the disclosed information, i.e. the booking ID and last name of the customer, an attacker can simply access the victim’s account on ELAL’s customer portal and “make changes, claim frequent flyer miles to a personal account, assign seats and meals, and update the customer’s email and phone number, which could then be used to cancel/change flight reservation via customer service.”

“Though the security breach requires knowledge of the PNR code, ELAL sends these codes via unencrypted email, and many people even share them on Facebook or Instagram. But that’s just the tip of the iceberg,” the researcher said in his blog post.

Don’t have PNR numbers of your victims? Don’t worry.

Rotem also figured out that the Amadeus portal was not using any brute-force protection, which allowed attackers to attempt every uppercase alphanumeric combination using a script, as shown in the video, to find all active PNR numbers of customers of any Amadeus-linked airline website.

“After running a small and non-threatening script to check for any brute-force protections, none of which were found, we were able to find PNRs of random customers, which included all of their personal information,” Rotem added.

You can see the video demonstration provided by the researcher to see how a simple script devised by him guessed PNR numbers and was able to find active ones in Amadeus.

Since the Amadeus booking system is being used by at least 141 airlines, the vulnerability could have affected hundreds of millions of travelers.

After discovering the vulnerability, Rotem immediately contacted ELAL to point out the threat and suggested that the airline introduce captchas, passwords and a bot protection mechanism in order to prevent brute-force attempts.

Amadeus has now fixed the issue, and Rotem’s script can no longer identify active PNRs as demonstrated in the above video.

Upon contacting Amadeus, the company replied, “At Amadeus, we give security the highest priority and are constantly monitoring and updating our systems. Our technical teams took immediate action, and we can now confirm that the issue is solved.”

Amadeus added that it has also introduced a Recovery PTR to strengthen security further and “prevent a malicious user from accessing travelers’ personal information.”

Read the Full Article here: >The Hacker News [ THN ]

Hackers target financial firms hosting malicious payloads on Google Cloud Storage

Researchers at Menlo Labs uncovered a malicious email campaign targeting employees of banks and financial services companies abusing Google Cloud Storage.

The campaign targeted organizations in the US and the UK; the attackers abused Google Cloud Storage to deliver the payload.

The spam campaign uses messages including links that point to archive files such as .zip or .gz. Attackers attempt to trick victims into clicking on the malicious links. Threat actors hosted the malicious payloads on storage.googleapis.com, the domain associated with the Google Cloud Storage service. The payloads belong to the Houdini and QRat malware families.

With this attack scheme, threat actors are able to bypass security controls in place within targeted organizations.

“In all of these cases, the malicious payload was hosted on storage.googleapis.com, the domain of the Google Cloud Storage service that is used by countless companies. Bad actors may host their payloads using this widely trusted domain as a way to bypass security controls put in place by organizations or built into commercial security products,” reads the analysis published by security researchers at Menlo.

“It’s an example of the increased use of ‘reputation-jacking’—hiding behind well-known, popular hosting services to help avoid detection.”

These attackers likely used malicious links rather than malicious attachments because of the combined use of email and the web to infect victims with this threat. Many security solutions are able to detect malicious attachments but identify malicious URLs only if they are included in a blacklist.

The attackers leveraged two types of payloads to compromise the victims: VBS scripts and JAR files. Experts analyzed some malicious VBS scripts that were highly obfuscated and were likely created by one of the builders available in the cybercrime underground.

The experts analyzed three scripts which belong to the Houdini malware family. The code was highly obfuscated, with three nested levels of obfuscated VBScript encoded using Base64. Researchers discovered that they used the same C2 domain (pm2bitcoin[.]com) and secondary C2 (fud[.]fudcrypt[.]com).

Researchers noticed that the same string “<[ recoder : houdini (c) skype : houdini-fx ]>” appears in the last level of obfuscated VBScript, and that all of the scripts download a JAR file.

One of the files belongs to the Houdini/jRAT malware family, while the other JAR files belong to the QRat malware family.

“The Financial Services vertical continues to be a very attractive target for attackers, and Remote Access Trojans (RATs) play an important role in gaining control over a compromised machine within an enterprise. Novel ways of gaining endpoint access are always being developed, and will continue to evolve.” Menlo Labs concludes.

“Financial Services companies can expect to be the target of even more sophisticated malware and credential phishing attacks.”

The benefits and limitations of AI in cybersecurity

Today’s AI cannot replace humans in cybersecurity but shows promise for driving efficiency and addressing the talent shortage, a new report by ProtectWise has shown.

[Figure: Penetration of AI-enabled security products based on number of security alerts received on a typical day]

Conducted by Osterman Research, the study explores usage trends and sentiments toward AI among more than 400 U.S. security analysts in organizations with 1000 or more employees.

Key takeaways

Nearly three quarters of respondents have already implemented at least one product that uses AI, but findings uncovered mixed results and a learning curve that needs to be addressed in order to use AI at higher levels of sophistication and effectiveness.

“A lot of hype and confusion exists around AI and its role in the cybersecurity industry,” said Gene Stevens, CTO, ProtectWise. “In its current state, AI is a tool for driving efficiencies and addressing staffing needs, but it is not going to replace human intelligence any time soon. AI is well positioned today to create machine-accelerated humans: an army of hunters and responders who use a wide array of expert systems to help unearth and prioritize critical threats. In the future, AI will only become more valuable as the industry develops products that improve ease of use and capitalize on AI’s efficiency differentiators.”

Top findings from the report include:

  • AI is already widely adopted – AI has already established a strong foothold, with 73 percent of respondents reporting they have implemented security products that incorporate at least some aspect of AI. Most organizations find AI’s ability to improve the efficiency of security staff members and make investigation of alerts faster as top priorities. Organizations with a higher proportion of AI-enabled security products are larger than those with less AI, and they have larger security teams.
  • Executives, not the people who manage security, are the biggest advocates for AI – Fifty-five percent of respondents suggested that the strongest advocates for AI-based security products in their organization are IT executives, while 38 percent identified non-IT executives as the biggest internal champion.
  • AI is yielding some real benefits – Overall, 60 percent of organizations perceive that AI makes investigations of alerts faster and the same proportion consider that AI improves the efficiency of their security staff. Moreover, nearly one-half of organizations view AI as beneficial for automating initial triage and for optimizing threat identification.
  • AI-powered security products are weighed down by mixed results post deployment – According to respondents, 46 percent agree that rules creation and implementation are burdensome, and 25 percent said that they do NOT plan to implement additional AI-enabled security solutions in the future.
  • There is still work to do. More than half of all respondents believe that: AI doesn’t stop zero-days and advanced threats (61 percent); it focuses more on malware than exploits (51 percent); it delivers inaccurate results (54 percent); it’s difficult to use (42 percent); and AI-based products are more expensive than traditional ones (71 percent). The most important differentiator for AI-enabled security products when compared to traditional security products is their ability to automatically block threats, while automatic remediation or isolation is viewed as the least important feature of AI-enabled products.

“All of these findings imply that AI is still in its early stages and we have yet to see its full potential,” said Michael Osterman, principal analyst of Osterman Research. “But AI-based products offer significant promise for improving the speed of processing alerts and that it might at least be a ‘silver-plated’ bullet in addressing the cybersecurity skills shortage.”

GDPR: EU Sees More Data Breach Reports, Privacy Complaints

Ireland, France, Germany and UK Report Increases Since Privacy Law Took Effect


Privacy watchdogs in Europe say they are continuing to see an increase in data breach reports as well as privacy complaints.


That should be no surprise, because the EU on May 25 began enforcing its General Data Protection Regulation. Among its provisions, GDPR requires organizations that suffer a breach that may have exposed Europeans’ personal information to notify relevant authorities.

The number of data breach reports filed since GDPR went into effect has hit about 3,500 in Ireland, over 4,600 in Germany, 6,000 in France and 8,000 in the U.K.

GDPR also gives Europeans the ability to file class-action lawsuits against breached organizations, and some law firms have already been exploring these types of actions.

And under article 77 of GDPR – "Right to complain to a supervisory authority" – Europeans can also file complaints with regulators about organizations’ data protection practices, as they were also able to do before enactment of the new regulation. Regulators say these complaints have also been increasing.

Numerous national data protection authorities say they have seen an increase in both complaints as well as breach reports. But as information security expert Brian Honan has told Information Security Media Group, the increase in data breach reports does not mean there has been a surge in data breaches.

"What we are seeing is an increase in the reporting of the breaches that are happening," according to Honan, who heads Dublin-based cybersecurity firm BH Consulting. "So there is not necessarily an increase in the number of breaches since May 25, but rather we now have better visibility on data breaches."

Here’s a sample of what European privacy watchdogs have been seeing.

Ireland: DPC

Ireland’s DPA, the Data Protection Commission, tells ISMG that as of Monday, it’s received 2,476 complaints and 3,495 breach reports, although they involve both pre-GDPR and post-GDPR cases. "We have received complaints and breach notifications that relate to issues that occurred both post and pre-GDPR, and the pre-GDPR [before May 25] cases are therefore dealt with under the old legislation," says Graham Doyle, the head of communications.

Complaints:

  • Total complaints received: 2,476
  • GDPR applies: 1,575
  • Old legislation applies: 901

Breach reports:

  • Total breach reports: 3,495
  • GDPR applies: 3,105
  • Old legislation applies: 390

In 2017, the DPC received an average of 230 data breach reports and 220 complaints per month. Since GDPR came into effect, however, it’s seen a monthly average of 500 breach reports and 354 complaints.

"As you can see, there has been a significant increase in the volumes of both breaches and complaints to the DPC since May 25," Doyle says.

Germany: BfDI

Germany’s DPA, the Federal Commissioner for Data Protection and Freedom of Information, or BfDI, tells ISMG that as of Oct. 31, it had received:

  • Complaints: 1,914;
  • Data breach notifications: 4,667.

In some cases, breach reports and complaints may be filed with any of the DPAs in Germany’s 16 federal states. As of Sept. 5, BfDI says the total numbers seen across all federal and state DPAs included:

  • Complaints: 11,017;
  • Data breach notifications: 6,156.

France: CNIL

France’s DPA, the Commission nationale de l’informatique et des libertés, aka CNIL, tells ISMG that since GDPR enforcement began on May 25, through Nov. 23, it has received:

  • Data breach notifications: 1,000;
  • Data protection complaints: 6,000.

In the first two months following GDPR going into effect, CNIL received an average of 27 data protection complaints per day, but since then, the average has risen to 36 per day.

United Kingdom: ICO

Earlier this month, the U.K.’s DPA, the Information Commissioner’s Office, said that it’s now seeing about 41 data breach reports get filed per day.

U.K. Information Commissioner Elizabeth Denham told a privacy conference in Wellington, New Zealand, on Dec. 5 that the ICO has seen the total number of data security complaints increase from 9,000 in the six months before GDPR took effect to 19,000 in the six months after.

Since May 25, the ICO has also received more than 8,000 data breach reports, she said.

The ICO says the increase in complaints was expected because of the number of high-profile organizations that have been breached in recent months, including Currys, Marriott and Superdrug.

One-Stop Shop

While each of the 28 EU member nations has its own DPA, expect to hear much more from Ireland’s Data Protection Commissioner. That’s because it will be taking the lead on numerous high-profile privacy investigations, since many U.S. technology giants – including Facebook, Microsoft, Twitter, and soon Google – have chosen the country as the site of their European headquarters.

Under GDPR, non-EU organizations that have headquarters established in Europe can take advantage of a "one-stop shop" mechanism. This enables organizations that have a presence across different EU member nations to be subject to regulatory oversight by just one supervisory authority, rather than being subject to regulation by the supervisory authorities of each nation in which they have a business presence. The supervisory authority in the nation of the organization’s "main establishment" takes on the role of lead supervisory authority.

For any organization that doesn’t qualify for the one-stop-shop mechanism but is the subject of a privacy complaint under GDPR, the data protection authority in whichever country the complaint is raised takes the lead if it determines that an investigation is warranted.

First GDPR Fines Still to Come

Beyond bringing mandatory notifications for many types of breach to Europe, GDPR is also a big deal because of the potential penalties that regulators can impose on organizations that fail to take privacy seriously.

Organizations that violate GDPR face fines of up to 4 percent of their annual global revenue or €20 million ($22.7 million) – whichever is greater – as well as other potential sanctions, including losing their ability to process personal data.

Separately, organizations that fail to comply with GDPR’s reporting requirements also face fines of up to €10 million ($11.3 million) or 2 percent of annual global revenue.

Many regulators have been clear that they don’t plan to use the threat of massive GDPR fines punitively. But at the same time, organizations that fail to take Europeans’ privacy rights seriously, or worse, engage in criminal behavior and attempt to cover it up, may find themselves at the receiving end of a serious European privacy enforcement smackdown.

So far, regulators have yet to bring GDPR fines to bear on an organization that was breached since May 25. In general, DPAs’ investigations into major breaches tend to take about a year. So it’s a safe bet that any major GDPR penalties won’t be seen until mid-2019, at the earliest.

phpMyAdmin Releases Critical Software Update — Patch Your Sites Now!

Developers of phpMyAdmin, one of the most popular and widely used MySQL database management systems, today released an updated version 4.8.4 of its software to patch several important vulnerabilities that could eventually allow remote attackers to take control of the affected web servers.

The phpMyAdmin project on Sunday gave an early heads-up about the latest security release on its blog, informing website administrators about this significant update.

phpMyAdmin is a free, open-source administration tool for managing MySQL databases using a simple graphical interface over the web-browser.

Almost every web hosting service pre-installs phpMyAdmin with their control panels to help webmasters easily manage their databases for websites, including WordPress, Joomla, and many other content management platforms.

Besides many bug fixes, there are primarily three critical security vulnerabilities that affect phpMyAdmin versions before release 4.8.4, phpMyAdmin revealed in its latest advisory.

Details of the three newly discovered phpMyAdmin vulnerabilities are described below:

1.) Local file inclusion (CVE-2018-19968) —

phpMyAdmin versions from at least 4.0 through 4.8.3 includes a local file inclusion flaw that could allow a remote attacker to read sensitive contents from local files on the server through its transformation feature.

“The attacker must have access to the phpMyAdmin Configuration Storage tables, although these can easily be created in any database to which the attacker has access. An attacker must have valid credentials to log in to phpMyAdmin; this vulnerability does not allow an attacker to circumvent the login system.”

2.) Cross-Site Request Forgery (CSRF)/XSRF (CVE-2018-19969) —

phpMyAdmin versions 4.7.0 through 4.7.6 and 4.8.0 through 4.8.3 include a CSRF/XSRF flaw that could allow attackers to “perform harmful SQL operations such as renaming databases, creating new tables/routines, deleting designer pages, adding/deleting users, updating user passwords, killing SQL processes, etc.” just by convincing victims to open specially crafted links.

3.) Cross-site scripting (XSS) (CVE-2018-19970) —

The software also includes a cross-site scripting vulnerability in its navigation tree, through which an attacker can inject malicious code via a specially crafted database/table name.

Since phpMyAdmin has now released its latest version 4.8.4 to address all reported flaws, website administrators and hosting providers are highly recommended to install the update immediately.

Read the Full Article here: >The Hacker News [ THN ]

Trend Micro Predicts More Sophisticated Attacks Will Dominate 2019

Trend Micro Incorporated, a global leader in cybersecurity solutions, today released its 2019 predictions report, warning that attackers will increase the effectiveness of proven attack methods by adding more sophisticated elements to take advantage of the changing technology landscape. The report, Mapping the Future: Dealing with Pervasive and Persistent Threats, highlights the growing threats faced by consumers and organizations that are exacerbated by the increasingly connected world.


Read the Full Article here: >Computer Security News

Scam iOS apps promise fitness, steal money instead

Fitness-tracking apps use dodgy in-app payments to steal money from unaware iPhone and iPad users.

Multiple apps posing as fitness-tracking tools were caught misusing Apple’s Touch ID feature to steal money from iOS users. The dodgy payment mechanism used by the apps is activated while victims are scanning their fingerprint seemingly for fitness-tracking purposes.

There are many apps that promise to assist users on the way to a healthier lifestyle. The bogus apps were, until recently, available in the Apple App Store. The apps were called “Fitness Balance app” and “Calories Tracker app”, and at first glance appeared to put users on the road to fitness – they could calculate the BMI, track daily calorie intake, or remind users to drink more water. These services, however, came with an unexpectedly hefty price tag, according to Reddit users.

After a user fires up either of the above-mentioned apps for the first time, the app requests a fingerprint scan to “view their personalized calorie tracker and diet recommendations” (Figure 1). Only moments after the user complies with the request and places their finger on the fingerprint scanner, the app displays a pop-up showing a dodgy payment amounting to 99.99 or 119.99 USD, or 139.99 EUR (Figure 2).

This pop-up is only visible for about a second. However, if the user has a credit or debit card directly connected to their Apple account, the transaction is considered verified and money is wired to the operator behind these scams.

Based on the user interface and functionality, both apps were most likely created by the same developer. Users have also posted videos of “Fitness Balance app” and “Calories Tracker app” on Reddit.


Figure 1 – Scam apps in Apple’s App Store require users to scan their fingers for fitness tracking (Image source: Reddit)


Figure 2 – Dodgy payment popping up in “Fitness Balance app” and “Calories Tracker app” (Image source: Reddit)

If users refuse to scan their finger in “Fitness Balance app”, another pop-up is displayed, prompting them to tap a “Continue” button to be able to use the app. If they comply, the app tries to repeat the dodgy payment procedure.

Despite its malicious nature, the “Fitness Balance app” received multiple 5-star ratings, had an average rating of 4.3 stars and received at least 18 mostly positive user reviews. Posting fake reviews is a well-known technique used by scammers to improve the reputation of their apps.

Victims already reported both of these apps to Apple, which led to their removal from the market. Users even tried to directly contact the developer of “Fitness Balance app”, but only received a generic response promising to fix the reported “issues” in the upcoming version 1.1 (Figure 3).


Figure 3 – Users who directly contacted the developer received what seems to be an automatic reply

What can users do to avoid similar threats?

As Apple doesn’t allow security products in its App Store, users need to rely on the security measures implemented by Apple.

On top of that, ESET advises users to always read reviews by other users. As positive feedback is easily faked, negative reviews are more likely to reveal the true nature of the app.

iPhone X users can also activate an additional feature called “Double Click to Pay”, which requires them to double-click the side button (Figure 4) to verify a payment.


Figure 4 – The side button verification feature on the iPhone X

Those who already fell victim to this scam can also try to claim a refund from the Apple App Store.

The state of BYOD and mobile device security

Bitglass has released its 2018 BYOD Security Report. The analysis is based on a survey of nearly 400 enterprise IT experts who revealed the state of BYOD and mobile device security in their organizations.


According to the study, 85 percent of organizations are embracing BYOD. Interestingly, many organizations are even allowing contractors, partners, customers, and suppliers to access corporate data on their personal devices.

Amidst this BYOD frenzy, over half of the survey’s respondents believe that the volume of threats to mobile devices has increased over the past twelve months.

Key findings

  • Organizations are embracing BYOD, making it available to employees (76 percent), contractors (27 percent), partners (25 percent), customers (22 percent), and suppliers (19 percent).
  • 51 percent of respondents believe the number of threats targeting mobile devices has increased in the past year. Unfortunately, only 30 percent of firms are confident that they are properly defending against malware on personal and mobile devices.
  • 30 percent of enterprises cite company security concerns as the leading inhibitor to BYOD adoption; specifically, they are worried about data leakage (61 percent), unauthorized data access (53 percent), and the inability to control uploads and downloads (53 percent).
  • One in five organizations lacks visibility into basic, native mobile apps (like email) on personal devices.
  • Only 56 percent of companies can employ key functionality like remote wipe for removing sensitive data from endpoints.


“While most companies believe mobile devices are being targeted more than ever, our findings indicate that many still lack the basic tools needed to secure data in BYOD environments,” said Rich Campagna, CMO of Bitglass. “Enterprises should feel empowered to take advantage of BYOD’s myriad benefits, but must employ comprehensive, real-time security if they want to do so safely and successfully.”

Read the Full Article here: >Help Net Security – News

New security feature to prevent Amazon S3 bucket misconfiguration and data leaks

Hardly a week goes by that we don’t hear about an organization leaving sensitive data exposed on the Internet because they failed to properly configure their Amazon S3 buckets.

Amazon Web Services, to its credit, is trying to prevent this from happening.

For one, all newly created S3 buckets and objects (files and directories in the bucket) are private by default, i.e. not publicly accessible by random people via the Internet. Secondly, changes implemented earlier this year made it possible for customers to easily identify S3 buckets that are publicly accessible due to Access Control Lists (ACLs) or policies that allow read/write access for any user.


But even that’s not enough, so the company is rolling out a new security feature: Amazon S3 Block Public Access.

About Amazon S3 Block Public Access

This new feature allows account owners/administrators to centrally block existing public access (whether made possible via an ACL or a policy) and to make sure that newly created items aren’t inadvertently granted public access.

The feature allows four new options, which let account users:

  • Protect against future attempts to use ACLs to make buckets or objects public
  • Override current or future public access settings for current and future objects in the bucket
  • Disallow the use of new public bucket policies
  • Limit access to publicly accessible buckets to the bucket owner and to AWS services

The options can be configured to affect the entire account or selected buckets. Options set at the bucket level cannot override account-level settings.

“If an AWS account is used to host a data lake or another business application, blocking public access will serve as an account-level guard against accidental public exposure,” AWS Chief Evangelist Jeff Barr explained.

The feature can be accessed from the S3 Console, the command-line interface, the S3 APIs, and from within CloudFormation templates.
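As an added example (not from the article or from AWS's own documentation), here is a CloudFormation fragment that turns on all four Block Public Access settings for a single bucket; the logical resource name is an assumption, and the bucket name is left for CloudFormation to generate:

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  Added example: one S3 bucket with all four Block Public Access
  options enabled. The logical name DataLakeBucket is assumed.

Resources:
  DataLakeBucket:
    Type: AWS::S3::Bucket
    Properties:
      PublicAccessBlockConfiguration:
        # Reject PUT requests that would attach a public ACL to the bucket or its objects
        BlockPublicAcls: true
        # Treat any existing or future public ACL on the bucket or its objects as if it granted no public access
        IgnorePublicAcls: true
        # Reject new bucket policies that would grant public access
        BlockPublicPolicy: true
        # If a public policy does exist, limit access to the bucket owner and AWS services
        RestrictPublicBuckets: true
```

Because bucket-level settings cannot loosen account-level ones, the same four flags applied at the account level act as the guard Jeff Barr describes, and this per-bucket block is the belt-and-braces setting for buckets you never want exposed.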

Read the Full Article here: >Help Net Security – News