Mainstream news sites are supposed to have a firewall between advertisers and editorial. This has eroded in some places, but NYT, WaPo, and other respected sites would still have them.
Also, there are so many sites now that Accenture couldn't be advertising on all of them, at least not significantly.
2) No actual breach seems to of occurred: We asked if anyone else had accessed the servers, the spokesperson said its logs showed access "by only a single non-authorized IP address which we traced back to a data security consultant who contacted us about about two weeks ago," referring to Vickery.
Seems like they got lucky then. Their statement also claims that no sensitive client data was accessible.
Bad sign for clients: I'd be banging on the door asking what their mitigation will be for the future.
I might be wrong about this, but my understanding is that a decent black-hat hacker wouldn't have left many (if any) breadcrumbs because he had "the keys to the kingdom". It would be easy to erase change logs on the way out.
Boy, it sure does sound like Accenture wants to keep this one quiet.
I think I'll take a break from HN to send an e-mail to some friends whose employers are Accenture customers and see if they've heard from 'em about this.
I asked a friend whether it was a story that was blowing up in Accenture. They haven't heard a word about it. It seems like Accenture is trying to bury it and do nothing about it.
I used to work in Deloitte's Federal cybersecurity practice. Nobody I sent articles to had heard of the recent email server breaches before I told them, and they are still waiting for leadership to make a practice wide statement. Then it came out that some of the emails were from clients and teams I worked with. Still nada.
It's making its rounds. Accenture is incredibly unorganized though, for example I have no idea which teams use this AWS service. I didn't even know Accenture had AWS services as they tend to push Azure more. My own project uses it's own datacenter which is the case for most clients - Accenture wants to leave them least responsible in these kinds of events.
>As we continue our forensic review we may learn more but, the email and password information in the database is more than two and a half years old and for Accenture users of a decommissioned system," the spokesperson said.
I don't know if they understand that password re-use is a thing. So it doesn't matter if the passwords are too old or not.
Still the response is nothing but a long line of excuses: the data was not client related, no PII data was leaked, passwords are old etc.
> ...passwords -- some of which were stored in plaintext.
Maybe don't do that?
Also, the greater-than sign in their logo is amusing. I amused myself by looking at the picture while mentally inserting nouns. eg dog poop > Accenture
S3 buckets have a single unified namespace, so presumably he's got bots running 24/7 scanning every legal bucket name. Filter it down using english words, likely ops jargon, and company names. I'm guessing Accenture has lots of buckets named "accenture-prod-uploads" or other promising combinations.
Yup, they must have (except for one region in AWS), a DNS compliant and completely unique name. So it’s just a case of dns bruteforce, working through wordlists and common phrases/words to try and spot them.
I ran something very similar for a couple of months, and found >200,000 valid S3 buckets, a large portion of which had permissions issues (public list etc).
I wrote a web-scraping script to iterate through buckets and download items, to see which of my employer's S3 buckets were unsecured. Chris probably did the same thing, but is spidering the whole namespace instead of just targeting a known list.
S3 has a hostile interface which is missing many necessary features. AWS try to supplement this through 3rd party products (Cloudberry) and other paid services (Macie), instead of making a client that helps you know what's in your buckets and who can see them.
If I recall correctly, you can't specify on a bucket that you want a group to access it. You have to specify on the group that it has access to the bucket. There's tons of stupid shit like that.
Just an hour ago I was on a call, helping someone else find a file she had just uploaded, but wasn't visible in the S3 Web Console. Because it doesn't bring back ALL files in the folder, just the current 300. And they aren't sorted, so the file she had just uploaded was 2 pages back from a lot of other files which were uploaded today. It's nonsensical.
> No actual breach seems to of occurred: We asked if anyone else had accessed the servers, the spokesperson said its logs showed access "by only a single non-authorized IP address which we traced back to a data security consultant who contacted us about about two weeks ago," referring to Vickery.
Suspicious wording, if indeed "The four servers were quietly secured the next day.". Normally the PR response would have emphasised that e.g. "we took action immeiately and resolved the problem within 24 hours".
And as for "non-authorized IP address" - really? Is IP address whitelisting used to secure this stuff? And if so, then how on earth did an unauthorized IP address get through?
And then "the company downplayed the exposure, saying the data was less than half a percent of its cloud service" - but according to TFA that 0.5% included the master keys!?!
At the least, their public responses are feeble and imprecise.
Which leads to the suspicion that something darker happened.
Sorry, not the case at all. If you start poking around on a server that the DoD forgets to lock down, you're going to jail. You're not authorized to use it just because you can access it.
36 comments
[ 0.20 ms ] story [ 51.4 ms ] threadThere are many major companies in Accenture's client portfolio that this would expose, including health-care companies.
I might be cynical but Accenture is a big advertiser and main stream news sites generally don't want to piss off their source of income.
Also, there are so many sites now that Accenture couldn't be advertising on all of them, at least not significantly.
1) The story only just broke.
2) No actual breach seems to of occurred: We asked if anyone else had accessed the servers, the spokesperson said its logs showed access "by only a single non-authorized IP address which we traced back to a data security consultant who contacted us about about two weeks ago," referring to Vickery.
I might be wrong about this, but my understanding is that a decent black-hat hacker wouldn't have left many (if any) breadcrumbs because he had "the keys to the kingdom". It would be easy to erase change logs on the way out.
I think I'll take a break from HN to send an e-mail to some friends whose employers are Accenture customers and see if they've heard from 'em about this.
I don't know if they understand that password re-use is a thing. So it doesn't matter if the passwords are too old or not.
Still the response is nothing but a long line of excuses: the data was not client related, no PII data was leaked, passwords are old etc.
Maybe don't do that?
Also, the greater-than sign in their logo is amusing. I amused myself by looking at the picture while mentally inserting nouns. eg dog poop > Accenture
I am easily amused.
source: unfortunately I used to work there when they came up with the name.
How does he do it?
S3 has a hostile interface which is missing many necessary features. AWS try to supplement this through 3rd party products (Cloudberry) and other paid services (Macie), instead of making a client that helps you know what's in your buckets and who can see them.
https://en.m.wikipedia.org/wiki/Accenture
Suspicious wording, if indeed "The four servers were quietly secured the next day.". Normally the PR response would have emphasised that e.g. "we took action immeiately and resolved the problem within 24 hours".
And as for "non-authorized IP address" - really? Is IP address whitelisting used to secure this stuff? And if so, then how on earth did an unauthorized IP address get through?
And then "the company downplayed the exposure, saying the data was less than half a percent of its cloud service" - but according to TFA that 0.5% included the master keys!?!
At the least, their public responses are feeble and imprecise.
Which leads to the suspicion that something darker happened.
This is why companies put authorized use only login banners on servers and network gear.