Infosys leaked FullAdminAccess AWS keys on PyPI for over a year
Author : orf
Score : 242 points
Date : 2022-11-16 18:58 UTC (4 hours ago)
Link : tomforb.es

| jaywalk wrote:
| Many years ago, I did some consulting work on a project that had been "delivered" by Infosys. It was, to put it lightly, a complete and utter mess in every way. Just from a security vulnerability standpoint, it had: SQL injection, plaintext passwords for user accounts, zero protection against URL manipulation, etc. And those are just the ones that come to mind immediately.
|
| Glad to see nothing has changed.
| honestduane wrote:
| Infosys is long known to be incompetent as an organization among people who have experienced their brand of greed and labor fraud; I highly recommend you avoid them as much as possible.
| [deleted]
| lzooz wrote:
| skullone wrote:
| About as useful and informative as the output from any Infosys contractor. Did you do that on purpose?
| COMMENT___ wrote:
| Yeah, that's an excerpt from Wikipedia. But when I see these lines I actually read "money laundering" and "scam".
| COMMENT___ wrote:
| Answer by GPT-3:
|
| > How is information security in Infosys?
|
| Information security at Infosys is implemented through a combination of technological and organizational measures. The company has a dedicated information security team that works to identify and mitigate risks. Technologies used to protect data include encryption, firewalls, and intrusion detection systems. Organizational measures include employee training on security policies and procedures.
| another_devy wrote:
| > teams that works to identify and mitigate risks
|
| Complete failure by the team to not see super user permission as a risk.
|
| > intrusion detection...
|
| Clearly they did not implement AWS CloudTrail threat detection, otherwise when OP accessed the account it should have raised alarms, so it's just a plain lie.
|
| > ...training on security policy
|
| So the GitHub user probably skipped those, considering them boring. And instead of reporting their own failure, chose a sneaky way to make it go away, hoping no one would notice.
| COMMENT___ wrote:
| I believe that the OP of this comment thread has been unfairly downvoted. It was irony, right?
|
| Sigh.
| zaptheimpaler wrote:
| In a world filled with more competence and less corruption, Infosys would have gone bankrupt 20 years ago. But here we are with Wipro, Infosys, TCS etc. all chugging along.
| belter wrote:
| TCS -> US$25 billion Revenue in 2022
|
| InfoSys -> US$16 billion Revenue in 2022
|
| Wipro -> US$10 billion Revenue in 2022
|
| I want to get out of this Universe and get into one that makes sense...
| terminal_d wrote:
| > To put it bluntly, I'm not sure I trusted Infosys to revoke this key in a timely manner. So I did it for them with aws iam delete-access-key --access-key-id=$AWS_ACCESS_KEY_ID, and now the key is useless:
|
| Hilarious. Infosys is a known "mass recruiter" in Indian colleges. WITCH (Wipro, Infosys, TCS, Cognizant, HCL) companies are where talent goes to die. No competent employee stays in those companies (from what I've witnessed). Wouldn't be surprised if this turns out to be just the tip of the iceberg, because putting people with 6-12 months of programming / computer "experience" (that they only signed up for because of the money) in charge of major production systems is a recipe for disaster.
| duxup wrote:
| I had some contact with Wipro. It was their standard operating procedure to call us up and yell at support team members that X "Hasn't worked for months and you haven't done anything." + escalate up the chain as high as possible to put pressure on the tech support staff from some other vendor, when in fact they had just opened the ticket. They would lie and reference the first old ticket they could think of and say it was the same issue (it never was, they wouldn't even lie well enough to reference the same equipment).
|
| They would declare everything was a P1 ticket and demand it be fixed immediately. Then we would get some output from the machine or even remotely access it and find that outside of testing at the factory this was the first time it was powered on. When we would ask them for configurations ... they were evasive.
|
| If you got their end customer on the line you would find that they had been lying to them for months. This happened a lot ...
| smcl wrote:
| > Cognizant
|
| Someone hired those clowns as extra contractors in a previous job, to loud protests from our development team. They produced what was quite possibly the most chaotic, copy-paste, typo-laden code I have ever seen in my life.
| robofanatic wrote:
| > Infosys is a known "mass recruiter" in indian colleges. WITCH (Wipro, Infosys, TCS, Cognizant, HCL) companies is where talent goes to die.
|
| This could be true but you can't really generalize, and it has nothing to do with the article. Infosys is not the only company leaking keys online. Pretty sure tons of American companies have done that.
| duxup wrote:
| I think that post goes on to explain why that might be relevant.
| [deleted]
| foreggs5 wrote:
| dessant wrote:
| Fun fact: Mozilla projects are now developed in part by Cognizant Softvision, including Firefox for Android. Their employees are everywhere in Mozilla repositories, and their numbers seem to have increased since 2020, right after Mozilla fired a quarter of its workforce.
|
| https://www.cognizantsoftvision.com/blog/pedal-metal-mozilla...
| drcross wrote:
| > No competent employee stays in those companies
|
| Absolutely true from first hand experience.
|
| Imagine being a top performer doing great work for a company whose managers insist on wasting your time putting you into needless meetings, getting you to explain how you're doing everything, all through badly communicated text with typos and misspellings.
| rodgerd wrote:
| I didn't know Elon owned Infosys as well.
| Gare wrote:
| Well, at least it got Rishi('s wife) rich.
| COMMENT___ wrote:
| This kind of story is one of the reasons I visit Hacker News. Thank you!
|
| It's funny and annoying to read every week or so about another epic fail of a multi-billion "multinational information technology company". Good luck with outsourcing your critical services and medical data to neurodivergents.
|
| Thanks again for making my day.
| dekhn wrote:
| I recommend the RISKS mailing list. https://seclists.org/risks/ But note that they sometimes take reliability too far.
| COMMENT___ wrote:
| Oh, this is great! Thank you.
|
| PS Good old usenet. :)
| 1024core wrote:
| Is it possible to do a full sweep across all tokens in all Python files (for instance) in Github and find such keys? Can you tell from the contents if it's a key or some such "important" string?
| vimda wrote:
| GitHub already offers this - they scan all the code that gets uploaded to look for keys. I think the issue here is that the code wasn't on public GitHub, but the artifacts were uploaded to PyPi.
| MarkMarine wrote:
| Yep, and if you don't look for them, you can be darn sure someone else is looking for them. I heard about an incident from a friend where a GitHub repo was created accidentally public (ran out of private repos and I guess the failure mode back in the day was just make it public) and that repo had developer level access keys in it. Some enterprising fellow was scanning public repos for this, grabbed the keys, opened thousands and thousands of the biggest GPU machines they could get on AWS and started mining bitcoins. They were nice enough not to delete production to make room for more bitcoin miners.
| dcdc123 wrote:
| Their entire cybersecurity page is just a bunch of gibberish. It's like someone slapped together buzzwords and phrases until they filled a word count.
| lob_it wrote:
| TCP/IP (aka the Internet) followed a linear similar to agriculture/factory farming. 2022 is a good time to dump the disease-riddled prone density equations for domestic protocols to skip the obvious cesspooling of illiteracy.
|
| I got to enjoy the internet with a population of 16 million and noticed the degradation shortly after a population of 1.1 billion, causing the ratio of illiteracy to skyrocket.
|
| https://www.internetworldstats.com/emarketing.htm
|
| 1st world countries would have an Internet population with domestic networking protocols of the year 2000 for the US, 1998 for Japan, 1997 for the UK, 1996 for Australia, etc.
|
| https://www.worldometers.info/world-population/population-by...
|
| The quality data would not change in the 1st world. Good news travels fast :)
| lob_it wrote:
| Oh gosh... TCP/IP is a resilient protocol and would route around any countr(y/ies) opting for modern standards. The world would continue to spin.
|
| I didn't say "puppy mill" regarding infosys... So.... It's just another puppy mill :)
|
| https://en.m.wikipedia.org/wiki/Puppy_mill
|
| As you were :p
| ununoctium87 wrote:
| Probably GPT-3 generated...
| zikduruqe wrote:
| Corporate Ipsum.
|
| https://cipsum.com
| volleygman180 wrote:
| Beautiful disaster
| Exuma wrote:
| Lol, I love how he just opted to delete it. Great on ya for having some balls instead of walking on eggshells like most of these security back and forth dialogues.
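1024core asks above whether a sweep over Python files could find such keys and whether a key is recognisable from its contents, and vimda points out that this code never reached GitHub's scanner because only the PyPI artifact carried it. Below is an added example, not code from the linked post or from any commenter: a Python scanner that opens an sdist tarball in memory, flags AWS access key IDs by their fixed format, and pairs each with a nearby 40-character string only if that string has the entropy of a real secret, so a placeholder like forty repeated letters is reported as an ID without a paired secret. The tarball, member names and file contents are constructed here, and the key pair is AWS's own documentation placeholder, not a live credential.

```python
import io, math, re, tarfile
from collections import Counter

# An access key ID has a fixed shape (known prefix + 16 uppercase alphanumerics); a secret is 40 base64 chars, so gate it on entropy.
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")
SECRET_KEY_RE = re.compile(r"(?<![A-Za-z0-9/+=])([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])")

def shannon_entropy(s: str) -> float:
    """Bits per character; a genuine 40-char secret usually scores well above 4."""
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values())

def scan_text(text: str, window: int = 5, min_entropy: float = 4.0):
    """Yield (line_no, access_key_id, secret_or_None) for every ID in the text."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        for m in ACCESS_KEY_RE.finditer(line):
            nearby = "\n".join(lines[max(0, i - window): i + window + 1])
            secret = next((s.group(1) for s in SECRET_KEY_RE.finditer(nearby)
                           if shannon_entropy(s.group(1)) >= min_entropy), None)
            yield i + 1, m.group(1), secret

def scan_sdist(data: bytes):
    """Scan every regular member of a .tar.gz sdist as text; return (member, line, id, has_secret)."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for member in tar.getmembers():
            if member.isfile():
                text = tar.extractfile(member).read().decode("utf-8", errors="replace")
                for line_no, key_id, secret in scan_text(text):
                    findings.append((member.name, line_no, key_id, secret is not None))
    return findings

# Constructed sdist contents; the key pair is AWS's documentation placeholder, not a live credential.
SAMPLE_FILES = {
    "pkg-0.1/pkg/train.py": (
        "# Hard-coded personal credentials: exactly what the scanner should flag.\n"
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
        "AWS_SECRET_ACCESS_KEY = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'\n"),
    # An ID beside a low-entropy 40-char string is still reported, but with no paired secret.
    "pkg-0.1/docs/notes.txt": "Rotated AKIAI44QH8DHBEXAMPLE; old secret AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n",
}

def build_sample_sdist() -> bytes:
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, text in SAMPLE_FILES.items():
            info = tarfile.TarInfo(name)
            info.size = len(text.encode())
            tar.addfile(info, io.BytesIO(text.encode()))
    return buf.getvalue()
```

The documentation secret scores about 4.6 bits per character on this measure, which is what separates it from same-length identifiers and fixed-alphabet placeholders; `scan_sdist(build_sample_sdist())` returns one finding per sample file, with `has_secret` true only for train.py.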
| SV_BubbleTime wrote:
| Reading the recent posts about an Android bug and how difficult it was for the researcher to get them to fix it, and how he was reluctant to disclose or even threaten to disclose, reminds me of a time gone past of... harder... types of hackers.
|
| It's like it's completely backwards, on the wrong foot.
| loophr wrote:
| Infosys is a CBDC proponent (https://www.outlookindia.com/business/here-s-how-central-ban...).
|
| Britain's PM Sunak has Infosys connections via his wife and is also a CBDC proponent. If the dystopian future happens, we might look forward to security risks in addition to the privacy and state control risks.
| 988747 wrote:
| Well, if they choose Infosys as a company to implement CBDC then at least we are safe for the next 20+ years, because there's no way they complete the project before that time :)
| ticviking wrote:
| I really wish this surprised me. The number of people who completely understand the stack they are working on is shrinking, even as the size of the stack grows.
|
| The power of computing is such that every organization on the planet is forced to lower the bar to get people who are marginally competent, even if they lack attention to detail and cannot be relied on to solve problems of this sort. This kind of leak is the result.
| pipeline_peak wrote:
| In a world where all the problems are wrapped in containers and ever increasing bloat, it takes a lot of discipline to understand the stack, if that's even the proper term anymore.
| stuaxo wrote:
| Infosys, the UK prime minister's wife's family's company.
| neathack wrote:
| When do companies finally start adopting the `security.txt` proposal (see https://securitytxt.org)? Would have made a big difference!
|
| EDIT: That GitHub user is gone for good.
| Akronymus wrote:
| That site is quite ironic.
|
| https://securitytxt.org/security.txt 404's
|
| As does https://securitytxt.org/well-known/security.txt
|
| nvm, I missed a '.'
|
| https://securitytxt.org/.well-known/security.txt
| avg_dev wrote:
| Wow. Really crazy. I know it was not right to revoke the key; he touched into their system. He probably broke someone's production.
|
| But it was also absolutely the right thing to do. A god mode key floating around for over a year unrevoked, with real human beings' medical data on the other side... I am glad the post author revoked the key. It is probably too little too late but they did close that door and maybe saved someone some pain: not the negligent development team, but a real patient and human being, perhaps many of them.
| fragmede wrote:
| The lesson here is that there are things worse than downtime. Yeah the site being down is bad but hey, what's worse? Leaking PII all over the place.
| orf wrote:
| I tried to highlight this in the post, but the key is a personal user one tied to an email, and the worst that I expect would happen would be that some training scripts break.
|
| If this was a production key or something that seemed like it would cause financial harm/downtime, I would have never deleted it.
| OJFord wrote:
| Honestly, with this level of competence I wouldn't be surprised if the same admin user credentials were used in application/lambda processor/whatever there is. Not at all saying you shouldn't have done it though!
| kevin_thibedeau wrote:
| It wasn't right to issue a fraudulent takedown either.
| stefan_ wrote:
| Pretty sure GitHub runs a system that will automatically revoke every (AWS and other) key to ever become part of a repository.
| whoknew1122 wrote:
| Not in my experience dealing with customers who had AWS email them saying 'Hey, we found one of your keys on GitHub'.
| philsnow wrote:
| I've worked on a team where GitHub was the one who reached out about a leaked AWS secret key, not AWS. They apparently usually do this a few minutes before the key makes it into their search index. It's not much but it's better than nothing.
| rodgerd wrote:
| They have the tools to do that.
|
| You might be horrified by how many shitty developers want all the good guardrails GHE provides switched off, and how many managers will support them because they're a "superstar who gets things done".
| OJFord wrote:
| That evidently didn't happen here.
|
| I do remember reading about that too though; maybe it missed it because it was JSON data, not a variable definition or something?
|
| https://docs.github.com/en/code-security/secret-scanning/sec...
|
| I can't find anywhere that specifies the actual pattern though.
| zhfliz wrote:
| It wasn't stored on GitHub.
|
| There's a JSON file on GitHub referencing the download of the source archive, stored on PyPI infra.
|
| In the tgz you can download from PyPI you can find Python code containing the secret.
|
| https://github.com/orf/pypi-data/blob/main/release_data/i/h/...

(page generated 2022-11-16 23:00 UTC)