With an API key with high enough permissions, you don't need console access; you can just do everything from the AWS CLI.
--
~*~ StormeRider ~*~

"Every world needs its heroes [...] They inspire us to be better than we are. And they protect from the darkness that's just around the corner."

(from Smallville Season 6x1: "Zod")

On why I hate the phrase "that's so lame"... http://bit.ly/Ps3uSS

On Thu, Jun 19, 2014 at 7:52 PM, Tom Perrine <[email protected]> wrote:

> Following this closely. Note that as far as anyone can tell, neither
> was using the MFA option for control panel access.
>
> bonsai said they suspect a compromised API key, I don't pay enough
> attention to AWS to know if/how an API key can be leveraged to get
> console access.
>
>
> On Thu, Jun 19, 2014 at 8:00 AM, Brandon Allbery <[email protected]> wrote:
> > On Thu, Jun 19, 2014 at 10:56 AM, Yves Dorfsman <[email protected]> wrote:
> >>
> >> Does anybody know what's going on (codespaces.com, bonzai.io)?
> >>
> >> Is it a series of people making obvious mistakes (easily guessed password,
> >> keys spread to public places, etc...)?
> >>
> >> Or some new type of attack not so obvious, and that more sites thinking
> >> they are secure might be exposed to?
> >
> >
> > I wouldn't be surprised if it's the same kind of social engineering attack
> > that works so well to get access to payroll accounts (as reported every
> > other week or so by Krebs...).
> >
> > --
> > brandon s allbery kf8nh                               sine nomine associates
> > [email protected]                                  [email protected]
> > unix, openafs, kerberos, infrastructure, xmonad        http://sinenomine.net
> >
> > _______________________________________________
> > Tech mailing list
> > [email protected]
> > https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
> > This list provided by the League of Professional System Administrators
> > http://lopsa.org/
