  • Penetration Testing Ninjas
  • 2015-08-02
  • 107
Penetration Testing | Security issues caused by out sourced services - Amazon S3 from Apple iOS app

Video description: Penetration Testing | Security issues caused by out sourced services - Amazon S3 from Apple iOS app

Hello, in this short video I'm going to demonstrate a major security hole of today's technology world.
As developers, we tend to feel much less responsibility of out-sourced services of all kinds,
even when they are an integral part of our final product.

Combine this with the common circle of declaring "we will change it in production"
when eventually not doing so in favor of getting things done on deadline,
and what you get is critical security breaches.

I'll demonstrate.
This is an iOS application's binary I just SCPed to this folder.
I'm doing a quick static analysis to scan for out-sourced services, storage in our case.

[0:52]
Seems like we found one, Amazon Simple Storage Service, S3.

[1:07]
Let's check how applications authenticate to that thing.

(google search: inurl:amazon s3 authentication)

[1:18]
Apparently by a key of 20 uppercase alphanumericals and a secret of 40 alphanumericals plus a slash.

Now that we figured out the authentication format, let's scan the binary's contents for these patterns.

[1:40]
And indeed, they are available for the whole universe.
At least for the parts of it that have iPhones.

[1:51]
The key and secret are the company's credentials that allow communication with their storage service.
Let's check what we can do with our new permissions.
Thankfully, Amazon provides us with a rich API and even a command line tool.

Now we might be able to download, upload and modify contents and settings,
waste the company's money by eating bandwidth, get sensitive information, and delete everything.
This is a little tool I made for convenience.

[2:38]
We have here files that contain credentials for databases, servers and management consoles,
server IPs, customers information, sensitive URLs, and even SSH keys.
You don't want that to happen to you!

There are two main problems here.
One, this key and secret are available to the whole world.
Two, these credentials are all that is needed to gain access to a huge amount of sensitive information of all kinds,
instead of enforcing the principle of least privilege.

Following Amazon's best practices eliminates these problems,
but I assure you that this issue exists in too many of the hundreds of thousands of applications that use
Amazon Simple Storage Service.

And obviously, the problem also occurs with many other servers.
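
A release-time check for the first problem described above, as an added example that is not from the video or its author: it scans a built app binary for strings in the key and secret formats the description gives and blocks the release when both are embedded. The `+` in the secret alphabet, the entropy threshold, the function names and the sample bytes (which use AWS's published documentation placeholder credentials) are assumptions.

```python
import math
import re

# Formats as described in the video: a 20-character uppercase alphanumeric key
# and a 40-character secret of alphanumerics plus "/" ("+" added, an assumption).
KEY_ID = re.compile(rb"(?<![A-Z0-9])[A-Z0-9]{20}(?![A-Z0-9])")
SECRET = re.compile(rb"(?<![A-Za-z0-9/+])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+])")
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{20,}")  # printable strings, 20+ bytes

# Constructed sample "binary": two decoys, then AWS's documentation placeholders.
SAMPLE = (b"\x00\xfeNSURLSESSIONDELEGATE\x00" + b"A" * 40 + b"\x00"
          b"AKIAIOSFODNN7EXAMPLE\x00wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\x00")


def entropy(token: bytes) -> float:
    """Shannon entropy in bits per character; random secrets score high."""
    counts = [token.count(b) for b in set(token)]
    return -sum(c / len(token) * math.log2(c / len(token)) for c in counts)


def redact(token: bytes) -> str:
    """Keep full credentials out of build logs."""
    return token[:4].decode() + "*" * (len(token) - 4)


def scan_artifact(blob: bytes, min_entropy: float = 4.0):
    """Return (offset, kind, redacted) for credential-shaped strings in a binary."""
    findings = []
    for run in PRINTABLE_RUN.finditer(blob):
        for kind, pattern in (("key-id", KEY_ID), ("secret", SECRET)):
            for m in pattern.finditer(run.group()):
                token = m.group()
                # Paths and padding match the secret shape but have low entropy.
                if kind == "secret" and entropy(token) < min_entropy:
                    continue
                # Skip all-letter or all-digit constants such as symbol names.
                if kind == "key-id" and (token.isalpha() or token.isdigit()):
                    continue
                findings.append((run.start() + m.start(), kind, redact(token)))
    return findings


def release_gate(blob: bytes) -> bool:
    """True when the artifact may ship: no key-id/secret pair is embedded."""
    kinds = {kind for _, kind, _ in scan_artifact(blob)}
    return not {"key-id", "secret"} <= kinds
```

A hit means the key should be rotated and replaced with short-lived, narrowly scoped credentials issued to the app at runtime, which also addresses the second problem.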
