For those who need an explanation for the title, take a minute to peruse this Wikipedia entry….

I’m a New Zealander through and through and for anyone unaware of the fact, that pretty much guarantees an immediate and absolute rivalry with each and every Australian. We love them, honestly, it’s just that they’re way less sophisticated than us and we like to point the fact out as often as humanly possible.

So, you might ask, given my (slightly tongue-in-cheek) antipathy for Aussies, why would I be so bullish about one particular Aussie company. It’s not, as you might think because they’ve upped sticks and moved to the US (although, in fairness, they have done that). Rather, it’s because they’re actually a very cool company doing really interesting stuff.

I first met UpGuard’s co-founders, Mike Baukes and Alan Sharp-Paul, soon after they’d made the move to the US. Back then, it was just them pretty much working out of a suitcase. Fast forwards to today and the company employs around 50 staff and has raised a truckload of money including, most recently, a $17 million series B funding round. All that money is being applied to building out UpGuard’s Cyber Resilience platform, an offering that scans an organization’s internal and external systems to create a dynamic model of their state and, hence, a pretty good indication of their security posture.

Outing the bad stuff

Which brings us to today and the news of the latest security breach that UpGuard has discovered. In a uniquely Australian way, they delight in exposing the misdeeds of organizations who should know better. Today it is AWS and GoDaddy who are left somewhat embarrassed.

The UpGuard team has discovered (and secured, in case you were wondering) a data exposure of documents that appear to describe critical GoDaddy infrastructure that runs in AWS. IN their caring and sharing way, UpGuard has also secured that data, preventing any further exploitation of it. They aren’t, it must be added, shy to leverage the breach for their own marketing purposes but, just like in cricket, all is fair in love and war.

Bad practice, much?

It seems that all of these documents were left exposed in a publicly accessible Amazon S3 storage bucket which was, according to AWS, created by one of their own salespeople. The exposed documents include high-level configuration information for tens of thousands of systems and pricing options for running those systems in Amazon AWS, including the discounts offered under different scenarios.

The exposed configuration information included fields for hostname, operating system, “workload” (what the system was used for), AWS region, memory and CPU specs, and more. Essentially, this data mapped a very large scale AWS cloud infrastructure deployment, with 41 different columns on individual systems, as well as summarized and modeled data on totals, averages, and other calculated fields. Also included were what appear to be information about the discounts GoDaddy receives from Amazon AWS, usually restricted information for both parties, who must negotiate for rates– as do GoDaddy’s competitors.

How much ouch?

Doing the right thing

In case you wondered, UpGuard notified GoDaddy, who set about closing the exposure. After which it was a case of carte blanche for those Aussies to make hay of the situation.

About S3 Buckets

Amazon’s S3 storage buckets are private by default, meaning only designated users can access them. However, through misunderstanding or misconfiguration, these permissions are sometimes altered to allow public access, which means that anyone who visits the URL of the storage bucket can anonymously view any contents that aren’t explicitly locked down– no password needed. It seems like that is what occurred in this instance.

MyPOV

The potential impacts of this breach could have been huge. GoDaddy is obviously a huge customer of AWS and having public awareness of the discounts that AWS grants to them could mean that other large customers would potentially pressure for better commercials from the Seattle giant. It’s also something of an existential issue as, no matter that this was a human-error failing, it’s another way that those opposed to the cloud will justify maintaining their on-premises preferences.

One could argue that UpGuard didn’t need to share this information, embarrassing as it is to the other two parties. But I don’t really buy that view for two reasons:

  • All is fair in love and war. UpGuard notified GoDaddy, and ensured the data was safe, after which it was open-season to use the breach for their own marketing purposes
  • Highlighting issues like this only helps to ensure that everyone is more careful when considering how they use technology

This isn’t a cloud versus legacy infrastructure debate, it’s simply an example of how best-practice is ALWAYS an important bar to maintain. Just like bowling overarm in cricket.

Ben Kepes

Ben Kepes is a technology evangelist, an investor, a commentator and a business adviser. Ben covers the convergence of technology, mobile, ubiquity and agility, all enabled by the Cloud. His areas of interest extend to enterprise software, software integration, financial/accounting software, platforms and infrastructure as well as articulating technology simply for everyday users.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.