upvote

points

by tcdent4 days ago |
comments
upvoteby SoftTalker4 days ago|
next
[-]
Good point. Phishers would certainly take advantage of a widely reported outage to send emails related to "recovering your services."

Even cautious people are more vulnerable to phishing when the message aligns with their expectations and they are under pressure because services are down.

Always, always log in through bookmarked links or typing them manually. Never use a link in an email unless it's in direct response to something you initiated and even then examine it carefully.

reply
upvoteby Sebb7673 days ago|
parent|
next
[-]
> Always, always log in through bookmarked links or typing them manually. Never use a link in an email unless it's in direct response to something you initiated and even then examine it carefully.

If you still want to avoid the comfort of typing in stuff manually or navigating the webinterface, logging in on a new tab and then clicking on the link is also an option.

reply
upvoteby morkalork3 days ago|
parent|
[-]
Mini-rant here but I hate how websites for SaaS products are so over-optimized for the sales funnel. It's like giant blue button to sign up, teeny tiny link to login, if there is even one at all on any of the main pages. Often your access is on an entirely different subdomain that barely ranks on Google. If it's something that "just works" and you only access every 6 months, it's pain to go hunting through your email to rediscover if it's clients.example.com, portal.example.com, or whatever the heck it is.
reply
upvoteby rtkwe3 days ago|
parent|
[-]
I hate how many sites do that, always a signup first then a small little "Already have an account" link below that. Feels almost hostile to your existing users.
reply
upvoteby roblabla4 days ago|
parent|
prev|
next
[-]
You can also use phishing-resistant login/2FA like passkeys/FIDO keys, where it is available (and I'm pretty sure amazon supports it), to minimize the risk of accidentally login into a phishing website while under pressure.
reply
upvoteby akerl_4 days ago|
parent|
next
[-]
If my memory is correct, AWS supports FIDO for web login but not for the API, so you either have to restrict access to FIDO and then use the web UI for everything done as that user, or have a separate non-FIDO MFA device (without FIDO's phishing resistance) for terminal/API interactions.
reply
upvoteby jorvi4 days ago|
parent|
[-]
You can generate temporary AWS keys for privileged users: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credenti...

Of course, as always, PEBKAC. You will have to strictly follow protocol, and not every team is willing to jump through annoying hoops every day.

reply
upvoteby akerl_4 days ago|
parent|
[-]
Can you actually generate temporary AWS STS credentials via FIDO MFA?

Again, last I looked, FIDO MFA credentials cannot be used for API calls, which you'd need to make for STS credential generation.

reply
upvoteby jorvi4 days ago|
parent|
[-]
You don't put the temporary credentials behind FIDO because they're temporary anyway. You put FIDO on the main account that has the privilege to generate the temporary credentials.

So in the off chance that you get a phishing mail, you generate temporary credentials to take whatever actions it wants, attempt to log in with those credentials, get phished, but they only have access to API for 900s (or whatever you put as the timeout, 900s is just the minimum).

900s won't stop them from running amok, but it caps the amok at 900s.

reply
upvoteby akerl_4 days ago|
parent|
[-]
You aren't grokking what I'm saying. AWS does not allow FIDO2 as an MFA method for API calls.

So if your MFA device for your main account is a FIDO2 device, you either:

1. Don't require MFA to generate temporary credentials. Congrats, your MFA is now basically theater.

2. Do require MFA to generate temporary credentials. Congrats, the only way to generate temporary credentials is to instead use a non-FIDO MFA device on the main account.

Nobody is getting a phishing email, going to the terminal, generating STS credentials, and then feeding those into the phish. The phish is punting them to a fake AWS webpage. Temporary credentials are a mitigation for session token theft, not for phishing.

reply
upvoteby computerfriend4 days ago|
parent|
[-]
I think you're not grokking it.

Require FIDO2-based MFA to log into AWS via Identity Center, then run aws sso login to generate temporary credentials which will be granted only if the user can pass the FIDO2 challenge.

The literal API calls aren't requesting a FIDO2 challenge each time, just like the console doesn't require it for every action. It's session based.

reply
upvoteby akerl_3 days ago|
parent|
[-]
I definitely wasn’t grokking that, because the prior commenter never mentioned AWS Identity Center, and instead linked to STS, which works how I described (you can’t use FIDO MFA for the authentication of the call that gives you your short-lived session creds).

I’m excited to see that Identity Center supports FIDO2 for this use case.

reply
upvoteby jorvi3 days ago|
parent|
[-]
You weren't grokking it because I was hasty (and tired) and provided the wrong link. My bad!
reply
upvoteby SoftTalker4 days ago|
parent|
prev|
[-]
They probably support it but how many accounts have not configured it? I'd bet it's a lot.
reply
upvoteby plaidfuji4 days ago|
parent|
prev|
next
[-]
What if the outage and phishing attack were coordinated at a higher level? There’s a scary thought.
reply
upvoteby BikiniPrince4 days ago|
parent|
[-]
Bezos will get to Mars at any cost!
reply
upvoteby fragmede2 days ago|
parent|
[-]
Bezos is shooting for the Moon, Elons the one going for Mars. In fact, that's why Elon's going for Mars, to show up Bezos' plan.
reply
upvoteby Scoundreller4 days ago|
parent|
prev|
[-]
A phisher that did their homework would send out a tone deaf email with a subject line like this that aws sent me during their outage:

> You could win $5,000 in AWS credits at Innovate

reply
upvoteby timdev24 days ago|
prev|
next
[-]
These were accounts that shouldn't have had console access in the first place, and were never used by humans to log in AFAICT. I don't know exactly what they were originally for, but they were named like "foo-robots", were very old.

At first I thought maybe some previous dev had set passwords for troubleshooting, saved those passwords in a password manager, and then got owned all these years later. But that's really, really, unlikely. And the timing is so curious.

reply
upvoteby portaouflop4 days ago|
parent|
[-]
Why keep accounts like this around anyway? Sounds like a breach was just waiting to happen…
reply
upvoteby Avicebron4 days ago|
parent|
[-]
A cost center like security? Are you crazy..
reply
upvoteby highfrequencyy4 days ago|
prev|
next
[-]
I second this, pretty much immediately after my organization got hit with a wave of phishing emails.
reply
upvoteby jbverschoor4 days ago|
prev|
[-]
Or maybe it wasn't DNS, but they simply pulled the plug bc of some breach?
reply