Developers have never, traditionally, had to consider security. Getting their code to run was their only concern. Yet under the DevOps (not DevSecOps) model they have been tasked with configuring things to run "in the Cloud" with little to no security training and no security practice, and their actions have real-world consequences. Every company is adopting these practices with the aim of simply pushing more code. Insufficient thought is given to securing all of these things, even though they either collect or interact with sensitive data.
Thousands of domestic abuse victims and alleged abusers had their information made public through a misconfigured S3 storage bucket on AWS. This information included names, addresses, and other highly personal details that could easily have been weaponized against both the victim and the alleged abuser. Imagine getting an email that says, "Send us a thousand dollars in bitcoin or we tell your abuser where to find you." Equally, imagine being innocent of the abuse allegation but being told, "Send us bitcoin or we will inform your employer that you abuse your spouse."
Let's move on to another scenario that is even more frightening. Most of our infrastructure is run by IoT devices. Many are quite old, often decades old, so the security of many of these devices is terrible at best. When they were created, it was assumed that you would need physical access to the device in order to manipulate it, so many of them have serious flaws like hard-coded usernames and passwords that are published in maintenance and repair guides. Our current approach is to insist that we legislate protections for these devices, even though we know that this is ineffective at best. This was one part of the outcome of the MOD/LOD battle (aka The Great Hacker War) that briefly shut down phone and electricity for most of the eastern seaboard in the late 80s.
Instead of fixing the infrastructure, we just said it's not legal to fiddle with it if you don't own it. Vigorous investigation and prosecution by Federal authorities backed up the legal threats, and things settled back into a sedate, if fragile, peace. Then came the internet, and now all of these laxly "secured" items are exposed to those who are well beyond the reach of the FBI. In many cases, hostile foreign powers like North Korea have, or can get, access to things like our water supply, electricity, phone calls, or the one that truly frightens me, natural gas pipelines. If you see the video below, imagine that happening in an urban or even suburban area and you will see why this frightens me.