Hello and welcome to the Tuesday, March 12, 2020,

edition of the Sandsenet Storm Center's Stormcast.

My name is Johannes Ulrich, and I'm recording from Jacksonville, Florida.

And we got yet another great post by one of our undergraduate interns here from the Sands.

combeck took a look at

what happens if you are exposing your aWS API keys now he did two experiments the first one

was just leaking the API key via a website secondly he then leaked the API key via a website. Secondly, he then leaked the API key via a public GitHub repository.

In order to detect what happened to the API key, he did use Canary tokens. Canary tokens allow you

to then receive an email whenever a particular API key is used.

They have been quite popular.

You can also attach them to PDFs or Word documents and the like.

In this particular case, the first experiment where he leaked the API key via the website, via a configuration file on the site.

It was used within about three days.

Now, not really clear who used it.

The attacker did use a proton VPN provider in order to obfuscate the actual source of the request.

Secondly, when he published it on GitHub, the key was used pretty much immediately.

However, their things were a little bit different.

The number one requester was actually a researcher in an organization that

proactively scans GitHub repositories for Leakeez. Git Guardian was the requester here.

I'm a little bit odd that actually the emails coming in whenever the key was accessed were so excessive that it actually caused

some email issues for no one and he had to kind of then discontinue the experiment but needless

to say yes we have already shown and we had another blog post about this last week that if you do leak these configuration

...