[HN Gopher] Infosys leaked FullAdminAccess AWS keys on PyPI for ...
___________________________________________________________________
Infosys leaked FullAdminAccess AWS keys on PyPI for over a year
Author : orf
Score : 242 points
Date : 2022-11-16 18:58 UTC (4 hours ago)
(HTM) web link (tomforb.es)
(TXT) w3m dump (tomforb.es)
| jaywalk wrote:
| Many years ago, I did some consulting work on a project that had
| been "delivered" by Infosys. It was, to put it lightly, a
| complete and utter mess in every way. Just from a security
| vulnerability standpoint, it had: SQL injection, plaintext
| passwords for user accounts, zero protection against URL
| manipulation, etc. And those are just the ones that come to mind
| immediately.
|
| Glad to see nothing has changed.
| honestduane wrote:
| Infosys is long known to be incompetent as an organization among
| people who have experienced their brand of greed and labor fraud;
| I highly recommend you avoid them as much as possible.
| [deleted]
| lzooz wrote:
| skullone wrote:
| About as useful and informative as the output from any Infosys
| contractor. Did you do that on purpose?
| COMMENT___ wrote:
| Yeah, that's an excerpt from Wikipedia. But when I see these
| lines I actually read "money laundering" and "scam".
| COMMENT___ wrote:
| Answer by GPT-3:
|
| > How is information security in Infosys?
|
| Information security at Infosys is implemented through a
| combination of technological and organizational measures. The
| company has a dedicated information security team that works
| to identify and mitigate risks. Technologies used to protect
| data include encryption, firewalls, and intrusion detection
| systems. Organizational measures include employee training on
| security policies and procedures.
| another_devy wrote:
| > teams that works to identify and mitigate risks
|
| Complete failure by the team to not see super-user permissions
| as a risk
|
| > intrusion detection...
|
| Clearly they did not implement AWS CloudTrail threat
| detection; otherwise, when OP accessed the account it should
| have raised alarms, so it's just a plain lie
|
| > ...training on security policy
|
| So the GitHub user probably skipped those considering them
| boring. And instead of reporting their own failure chose
| sneaky way to make it go away hoping no one will notice
| COMMENT___ wrote:
| I believe that the OP of this comment thread has been
| unfairly downvoted. It was irony, right?
|
| Sigh.
| zaptheimpaler wrote:
| In a world filled with more competence and less corruption,
| Infosys would have gone bankrupt 20 years ago. But here we are
| with Wipro, Infosys, TCS etc. all chugging along.
| belter wrote:
| TCS -> US$25 billion Revenue in 2022
|
| InfoSys-> US$16 billion Revenue in 2022
|
| Wipro -> US$10 billion Revenue in 2022
|
| I want to get out of this Universe and get into one that makes
| sense...
| terminal_d wrote:
| > To put it bluntly, I'm not sure I trusted Infosys to revoke
| this key in a timely manner. So I did it for them with aws iam
| delete-access-key --access-key-id=$AWS_ACCESS_KEY_ID, and now the
| key is useless:
|
| Hilarious. Infosys is a known "mass recruiter" in Indian
| colleges. WITCH (Wipro, Infosys, TCS, Cognizant, HCL) companies
| are where talent goes to die. No competent employee stays in those
| companies (from what I've witnessed). Wouldn't be surprised if
| this turns out to be just the tip of the iceberg, because putting
| people with 6-12 months of programming / computer "experience"
| (that they only signed up for because of the money) in charge of
| major production systems is a recipe for disaster.
| duxup wrote:
| I had some contact with Wipro. It was their standard operating
| procedure to call us up and yell at support team members that X
| "Hasn't worked for months and you haven't done anything." +
| escalate up the chain as high as possible to put pressure on
| the tech support staff from some other vendor, when in fact
| they just opened the ticket. They would lie and reference the
| first old ticket they could think of and say it was the same
| issue (it never was, they wouldn't even lie well enough to
| reference the same equipment).
|
| They would declare everything was a P1 ticket and demand it be
| fixed immediately. Then we would get some output from the
| machine or even remotely access it and find that outside of
| testing at the factory this was the first time it was powered
| on. When we would ask them for configurations ... they were
| evasive.
|
| If you got their end customer on the line you would find that
| they had been lying to them for months. This happened a lot ...
| smcl wrote:
| > Cognizant
|
| Someone hired those clowns as contractors as extra in a
| previous job, to loud protests from our development team. They
| produced what was quite possibly the most chaotic, copy-paste,
| typo-laden code I have ever seen in my life.
| robofanatic wrote:
| > Infosys is a known "mass recruiter" in Indian colleges. WITCH
| (Wipro, Infosys, TCS, Cognizant, HCL) companies are where talent
| goes to die.
|
| This could be true, but you can't really generalize, and it has
| nothing to do with the article. Infosys is not the only company
| leaking keys online. Pretty sure tons of American companies
| have done that.
| duxup wrote:
| I think that post goes on to explain why that might be
| relevant.
| [deleted]
| foreggs5 wrote:
| dessant wrote:
| Fun fact: Mozilla projects are now developed in part by
| Cognizant Softvision, including Firefox for Android. Their
| employees are everywhere in Mozilla repositories, and their
| numbers seem to have increased since 2020, right after Mozilla
| fired a quarter of its workforce.
|
| https://www.cognizantsoftvision.com/blog/pedal-metal-mozilla...
| drcross wrote:
| >No competent employee stays in those companies
|
| Absolutely true from first hand experience.
|
| Imagine being a top performer doing great work for a company
| whose managers insist on wasting your time putting you into
| needless meetings getting you to explain how you're doing
| everything all through badly communicated text with typos and
| misspellings.
| rodgerd wrote:
| I didn't know Elon owned Infosys as well.
| Gare wrote:
| Well, at least it got Rishi('s wife) rich.
| COMMENT___ wrote:
| This kind of story is one of the reasons I visit Hacker News.
| Thank you!
|
| It's funny and annoying to read every week or so about another
| epic fail of a multi-billion "multinational information
| technology company". Good luck with outsourcing your critical
| services and medical data to neurodivergents.
|
| Thanks again for making my day.
| dekhn wrote:
| I recommend the RISKS mailing list. https://seclists.org/risks/
| But note that they sometimes take reliability too far.
| COMMENT___ wrote:
| Oh, this is great! Thank you.
|
| PS Good old usenet. :)
| 1024core wrote:
| Is it possible to do a full sweep across all tokens in all Python
| files (for instance) in Github and find such keys? Can you tell
| from the contents if it's a key or some such "important" string?
| vimda wrote:
| GitHub already offers this - they scan all the code that gets
| uploaded to look for keys. I think the issue here is that the
| code wasn't on public GitHub, but the artifacts were uploaded
| to PyPI.
| MarkMarine wrote:
| Yep, and if you don't look for them, you can be darn sure
| someone else is looking for them. I heard about an incident
| from a friend where a GitHub repo was created accidentally
| public (ran out of private repos and I guess the failure mode
| back in the day was just make it public) and that repo had
| developer level access keys in it. Some enterprising fellow was
| scanning public repos for this, grabbed the keys, opened
| thousands and thousands of the biggest GPU machines they could
| get on AWS and started mining bitcoins. They were nice enough
| not to delete production to make room for more bitcoin miners.
| dcdc123 wrote:
| Their entire cybersecurity page is just a bunch of gibberish.
| It's like someone slapped together buzzwords and phrases until
| they filled a word count.
| lob_it wrote:
| TCP/IP (aka the Internet) followed a linear similar to
| agriculture/factory farming. 2022 is a good time to dump the
| disease-riddled, prone density equations for domestic protocols
| to skip the obvious cesspooling of illiteracy.
|
| I got to enjoy the internet with a population of 16 million and
| noticed the degradation shortly after a population of 1.1
| billion, causing the ratio of illiteracy to skyrocket.
|
| https://www.internetworldstats.com/emarketing.htm
|
| 1st world countries would have an Internet population with
| domestic networking protocols of the year 2000 for the US, 1998
| for Japan, 1997 for the UK, 1996 for Australia, etc.
|
| https://www.worldometers.info/world-population/population-by...
|
| The quality data would not change in the 1st world. Good news
| travels fast :)
| lob_it wrote:
| Oh gosh... TCP/IP is a resilient protocol and would route
| around any countr(y/ies) opting for modern standards. The
| world would continue to spin.
|
| I didn't say "puppy mill" regarding Infosys... So.... It's
| just another puppy mill :)
|
| https://en.m.wikipedia.org/wiki/Puppy_mill
|
| As you were :p
| ununoctium87 wrote:
| Probably GPT-3 generated...
| zikduruqe wrote:
| Corporate Ipsum.
|
| https://cipsum.com
| volleygman180 wrote:
| Beautiful disaster
| Exuma wrote:
| Lol, I love how he just opted to delete it. Great on ya for
| having some balls instead of walking on eggshells like most of
| these security back and forth dialogues.
| SV_BubbleTime wrote:
| Reading the recent posts about an Android bug and how difficult
| it was for the researcher to get them to fix and how he was
| reluctant to disclose or even threaten to disclose reminds me
| of a time gone past of... harder... type of hackers.
|
| It's like the completely backwards on the wrong foot.
| loophr wrote:
| Infosys is a CBDC proponent
| (https://www.outlookindia.com/business/here-s-how-central-
| ban...).
|
| Britain's PM Sunak has Infosys connections via his wife and is
| also a CBDC proponent. If the dystopian future happens, we might
| look forward to security risks in addition to the privacy and
| state control risks.
| 988747 wrote:
| Well, if they choose Infosys as a company to implement CBDC
| then at least we are safe for the next 20+ years, because
| there's no way they complete the project before that time :)
| ticviking wrote:
| I really wish this surprised me. The number of people who
| completely understand the stack they are working on is shrinking,
| even as the size of the stack grows.
|
| The power of computing is such that every organization on the
| planet is forced to lower the bar to get people who are
| marginally competent, even if they lack attention to detail and
| cannot be relied on to solve problems of this sort. This kind of
| leak is the result.
| pipeline_peak wrote:
| In a world where all the problems are wrapped in containers and
| ever increasing bloat, it takes a lot of discipline to
| understand the stack, if that's even the proper term anymore.
| stuaxo wrote:
| Infosys, the UK prime minister's wife's family's company.
| neathack wrote:
| When will companies finally start adopting the `security.txt`
| proposal (see https://securitytxt.org)? It would have made a big
| difference!
|
| EDIT: That GitHub user is gone for good.
| Akronymus wrote:
| That site is quite ironic.
|
| https://securitytxt.org/security.txt 404's
|
| As does https://securitytxt.org/well-known/security.txt
|
| nvm, I missed a '.'
|
| https://securitytxt.org/.well-known/security.txt
| avg_dev wrote:
| Wow. Really crazy. I know it was not right to revoke the key, he
| touched into their system. He probably broke someone's
| production.
|
| But it was also absolutely the right thing to do. A god-mode key
| floating around for over a year unrevoked, with real human
| beings' medical data on the other side... I am glad the post
| author revoked the key. It is probably too little too late, but
| they did close that door and maybe saved someone some pain: not
| the negligent development team, but a real patient and human
| being, perhaps many of them.
| fragmede wrote:
| The lesson here is that there are things worse than downtime.
| Yeah the site being down is bad but hey, what's worse? Leaking
| PII all over the place.
| orf wrote:
| I tried to highlight this in the post, but the key is a
| personal user one tied to an email, and the worst that I
| expect would happen would be that some training scripts
| break.
|
| If this was a production key or something that seemed like it
| would cause financial harm/downtime, I would have never
| deleted it.
| OJFord wrote:
| Honestly, with this level of competence I wouldn't be
| surprised if the same admin user credentials were used in
| application/lambda processor/whatever there is. Not at all
| saying you shouldn't have done it though!
| kevin_thibedeau wrote:
| It wasn't right to issue a fraudulent takedown either.
| stefan_ wrote:
| Pretty sure GitHub runs a system that will automatically revoke
| every (AWS and other) key to ever become part of a repository.
| whoknew1122 wrote:
| Not in my experience dealing with customers who had AWS email
| them saying 'Hey, we found one of your keys on GitHub'.
| philsnow wrote:
| I've worked on a team where Github was the one who reached
| out about a leaked AWS secret key, not AWS. They apparently
| usually do this a few minutes before the key makes it into
| their search index. It's not much but it's better than
| nothing.
| rodgerd wrote:
| They have the tools to do that.
|
| You might be horrified by how many shitty developers want all
| the good guardrails GHE provides switched off, and how many
| managers will support them because they're a "superstar who
| gets things done".
| OJFord wrote:
| That evidently didn't happen here.
|
| I do remember reading about that too though; maybe it missed
| it because it was JSON data, not a variable definition or
| something?
|
| https://docs.github.com/en/code-security/secret-
| scanning/sec...
|
| I can't find anywhere that specifies the actual pattern
| though.
| zhfliz wrote:
| It wasn't stored on GitHub.
|
| There's a JSON file on GitHub referencing the download of
| the source archive, stored on PyPI infra.
|
| In the tgz you can download from PyPI you can find Python
| code containing the secret.
|
| https://github.com/orf/pypi-
| data/blob/main/release_data/i/h/...
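The point raised by 1024core and zhfliz above (the key sat in a Python file inside a PyPI source tarball, outside the reach of GitHub's secret scanning) can be checked by scanning the sdist itself. The following is an added example, not code from the post or from any of the commenters: it packs a constructed tarball containing AWS's documented placeholder credentials and scans every `.py` member for the long-term (AKIA) and temporary (ASIA) access key ID format, reporting a 40-character secret only when an access key ID is present in the same file.

```python
import io
import re
import tarfile

# Long-term IAM user access key IDs start with AKIA, temporary STS ones with
# ASIA; both are 20 characters. Secret keys are 40 base64-alphabet characters
# and are only reported next to an access key ID to keep false positives down.
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[A-Z0-9]{16})\b")
SECRET_KEY_RE = re.compile(r"(?<![A-Za-z0-9/+=])([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])")

def scan_text(path, text):
    """Return (path, line, kind, value) tuples for AWS credentials in one file."""
    findings = []
    has_key_id = bool(ACCESS_KEY_RE.search(text))
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append((path, lineno, "aws_access_key_id", m.group(1)))
        if has_key_id:
            for m in SECRET_KEY_RE.finditer(line):
                findings.append((path, lineno, "aws_secret_access_key", m.group(1)))
    return findings

def scan_sdist(tgz_bytes):
    """Scan every .py member of a .tar.gz source distribution held in memory."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(tgz_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile() or not member.name.endswith(".py"):
                continue
            text = tar.extractfile(member).read().decode("utf-8", errors="replace")
            findings.extend(scan_text(member.name, text))
    return findings

SAMPLE_FILES = {  # constructed input; the values are AWS's documented placeholders
    "pkg-1.0/pkg/train.py": "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
    "AWS_SECRET_ACCESS_KEY = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'\n",
    "pkg-1.0/pkg/safe.py": "import os\nKEY = os.environ['AWS_ACCESS_KEY_ID']\n",
}

def build_sample_sdist(files=SAMPLE_FILES):
    """Pack the constructed files into an in-memory .tar.gz like a PyPI sdist."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, body in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(body.encode())
            tar.addfile(info, io.BytesIO(body.encode()))
    return buf.getvalue()
```

Running `scan_sdist(build_sample_sdist())` reports the key ID and secret from `train.py` and nothing from `safe.py`; pointing `scan_sdist` at the bytes of a real sdist downloaded from PyPI works the same way.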
___________________________________________________________________
(page generated 2022-11-16 23:00 UTC)