DXC spills AWS private keys on public GitHub

'Unknown persons' spin up 244 VMs at cost of $64k. Whoops

Miscreants racked up a $64,000 bill on DXC Technologies' tab after a techie accidentally uploaded the outsourcing firm's private AWS key to a public GitHub repo.

It was red faces all round as the business opened up on the classic crypto key fumble in a PDF memo to staff, the contents of which were seen by The Register.

"Various secure variables (cryptographic keys that allowed access to DXC procured Amazon Web Services resources) were hardcoded into a piece of work being shared between multiple teams and with the project architect."

Then on September 27, a member of the technical team created a personal space on the public Github, and the code was loaded to this unsecured repository that allowed individuals as yet unknown to access and use it.

"Over a period of four days, the private keys were used to start 244 AWS virtual machines. The cost incurred was $64k (£48,799)."

DXC's own monitoring tool, Cloud Checker, indicated most of the VMs were stood up within 24 hours of the unwitting publication of the keys. The code was in the public space for less than 24 hours before DXC realised it was "unsecured and removed". So that's fine then.

The cost to rectify – in addition to the AWS bill racked up – was related to "having to change all the variables, username and passwords. Rotate the keys and create secure areas to store these details means the project lost two to four weeks delivery time". The customer project was unspecified.

The remedy involved removing private keys from the repo; all existing keys were recycled and secured; and the code changed to use a vault to "secure... variables needed".

Incredibly, DXC admitted a full probe had revealed some in the team were "not briefed on the compliance standards and have not received adequate security training".

It added: "A security incident exposure matrix was established, security breach possibilities were discussed along with preventative measures put in place."

The cost of time lost due to resource reallocation to work on these corrections and improvements was yet to be calculated in monetary terms. But culturally there was an impact.

"Legacy CSC colleagues lost confidence in our ability as a team to maintain secure information and even complete the work required. This also resulted in difficult interactions between colleagues on calls."

DXC reminded staff they are "one of the first lines of defense" [sic], or at least they are supposed to be. The 12-point list of common-sense advice to the troops is listed below.

  • Understand and follow DXC security policies and procedures
  • Physically secure your PCs, laptop, USB memory devices, credentials, etc.
  • Encrypt sensitive data on all devices and secure them from theft
  • Screen-lock your device when you walk away from it
  • Use strong passwords; never share or disclose them; create a unique password for each site and application
  • Ensure you have approved anti-malware software running on your PC
  • Accept PC-COE updates and apply security patches; download only approved software
  • Protect sensitive information in all forms
  • Use collaboration tools securely
  • Be aware of your surroundings and stay alert (El Reg's favourite)
  • Report incidents to the Security Incident Response Centre
  • Do not post about the company on social media if you are not authorised to do so

For any employees still in doubt, there is always the Safe and Secure video available on DXC's Cyber Security Awareness Month.

DXC refused to comment. ®

Similar topics

Narrower topics

Other stories you might like

  • AWS buys before it tries with quantum networking center
    Fundamental problems of qubit physics aside, the cloud giant thinks it can help

    Nothing in the quantum hardware world is fully cooked yet, but quantum computing is quite a bit further along than quantum networking – an esoteric but potentially significant technology area, particularly for ultra-secure transactions. Amazon Web Services is among those working to bring quantum connectivity from the lab to the real world. 

    Short of developing its own quantum processors, AWS has created an ecosystem around existing quantum devices and tools via its Braket (no, that's not a typo) service. While these bits and pieces focus on compute, the tech giant has turned its gaze to quantum networking.

    Alongside its Center for Quantum Computing, which it launched in late 2021, AWS has announced the launch of its Center for Quantum Networking. The latter is grandly working to solve "fundamental scientific and engineering challenges and to develop new hardware, software, and applications for quantum networks," the internet souk declared.

    Continue reading
  • Amazon can't channel the dead, but its deepfake voices take a close second
    Megacorp shows Alexa speaking like kid's deceased grandma

    In the latest episode of Black Mirror, a vast megacorp sells AI software that learns to mimic the voice of a deceased woman whose husband sits weeping over a smart speaker, listening to her dulcet tones.

    Only joking – it's Amazon, and this is real life. The experimental feature of the company's virtual assistant, Alexa, was announced at an Amazon conference in Las Vegas on Wednesday.

    Rohit Prasad, head scientist for Alexa AI, described the tech as a means to build trust between human and machine, enabling Alexa to "make the memories last" when "so many of us have lost someone we love" during the pandemic.

    Continue reading
  • AWS says it will cloudify your mainframe workloads
    Buyer beware, say analysts, technical debt will catch up with you eventually

    AWS is trying to help organizations migrate their mainframe-based workloads to the cloud and potentially transform them into modern cloud-native services.

    The Mainframe Modernization initiative was unveiled at the cloud giant's Re:Invent conference at the end of last year, where CEO Adam Selipsky claimed that "customers are trying to get off their mainframes as fast as they can."

    Whether this is based in reality or not, AWS concedes that such a migration will inevitably involve the customer going through a lengthy and complex process that requires multiple steps to discover, assess, test, and operate the new workload environments.

    Continue reading

Biting the hand that feeds IT © 1998–2022