
Hackers could have taken over AWS - olegp
http://www.theregister.co.uk/2011/10/27/cloud_security/
======
olegp
I do find it odd that they encourage you to use the same account to sign into
Amazon the store and AWS. That seems a bit like asking for a Subway loyalty
card to buy a gun.

~~~
snewman
From the article, one problem is that even if you don't use your AWS account
on the Amazon store, you _could_, and so XSS vulnerabilities in the store can
be used to hijack AWS accounts. Unfortunately the store is large and complex
and so has a large attack surface area.

~~~
btn
Amazon offer security token authentication for accessing AWS account
resources, which can limit the impact of a breach in another part of their
system.

------
tptacek
WS-* and XML cryptography is such a clusterfuck. It's ironic to see Amazon
injured by use of "standard" constructions; they'd have been better off
rolling their own here.

~~~
azth
You shouldn't really be surprised though; especially after Yegge's rant the
other week. Software quality at Amazon is pretty mediocre, and pales in
comparison to Google's (I worked at both places.)

------
nadahalli
Is it just me, or does the article seem like gobbledygook? What is EC4
authentication anyway?

------
amnigos
So we can assume that the cloud security is as strong as the security at the
weakest link in one of the centralized access components.

Can we have a workflow or multi-level authorizations for critical actions like
delete or terminate actions of cloud resources?
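One way to get the second factor for destructive actions that this comment asks about is an IAM policy that allows routine EC2 use but explicitly denies terminate/delete calls unless the request was made with MFA. This is an added example, not something from the thread; it assumes an IAM user or role to which the policy is attached and whose credentials are short-lived, and it uses `BoolIfExists` so that requests carrying no MFA context key at all (long-term access keys) are also denied:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowDayToDayEc2Use",
      "Effect": "Allow",
      "Action": [
        "ec2:Describe*",
        "ec2:RunInstances",
        "ec2:StartInstances",
        "ec2:StopInstances"
      ],
      "Resource": "*"
    },
    {
      "Sid": "DenyDestructiveEc2ActionsWithoutMfa",
      "Effect": "Deny",
      "Action": [
        "ec2:TerminateInstances",
        "ec2:DeleteVolume",
        "ec2:DeleteSnapshot"
      ],
      "Resource": "*",
      "Condition": {
        "BoolIfExists": {
          "aws:MultiFactorAuthPresent": "false"
        }
      }
    }
  ]
}
```

Because an explicit Deny always wins over an Allow in IAM evaluation, a stolen session that lacks the MFA flag can still list, start and stop instances but cannot terminate or delete them.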

------
dmor
Did I miss something, or is this basically trying to call out something that
Amazon fixed before anyone actually discovered it? Reads like FUD.

~~~
sector
The attackers reported the problem to Amazon and allowed Amazon to fix it
prior to their public disclosure.

I don't see how that's FUD. There was a problem, they found it, they let
Amazon fix it, then they reported what they'd found.

------
taylorbuley
Glad the Reg is sensationalist enough to spark a discussion (seriously). The
orig item didn't do so hot.

<http://news.ycombinator.com/item?id=3160301>

------
sdfjkl
Headline wildly inaccurate.

