Let's dig a bit deeper into this screenshot posted by @zackwhittaker and talk about why the JamCOVID app's architecture is FUNDAMENTALLY FLAWED. This flaw goes way beyond Amber Group forgetting to secure the S3 bucket. It seems security was just not a consideration at all! 1/
When we look at this ACL we see two things: the "Everyone" group having FULL_CONTROL (this is what was fixed last Monday), but we also see an account "opmjmmobile" having FULL_CONTROL as well, with no other accounts defined. This account is likely the one used by the app. 2/
An app like this needs a way to communicate with the server; it typically does this with a user account (opmjmmobile in this case) and a fixed password. That password can either be hard-coded and compiled into the app, or fetched from another server location. 3/
The issue is there are ways to find out what that password is using some advanced techniques. So, we need to restrict what this user account "opmjmmobile" can do by applying the Principle of Least Privilege: giving it the minimum access the app needs to function. 4/
Instead of doing this, the Amber Group folks gave "opmjmmobile" FULL_CONTROL permission, which allows it to do anything: create files, view existing files, alter files, or delete files. What it should ONLY have access to do is create files. 5/
The other thing that is missing is automated file management. Files should only exist in the app's S3 bucket for a short time; there should be a job that automatically moves them to a more secure location then purges them after 21 days. This process is completely missing. 6/
In short, security does not seem to have been a consideration in JamCOVID. When we look at the timelines this shouldn't be surprising: Amber reportedly threw this app together in 3 days. This just isn't enough time to get the security right or to do proper in-house testing! 7/
What I suggest the GOJ do at this point is engage an IT security firm to do a proper security assessment of this app and its underlying architecture. This project was clearly a "rush job"; there are very likely other issues. Symptai is one I can recommend for this. 8/8
There is an old principle in IT when implementing systems: "Read The F**king Manual" (RTFM).

If only Amber Group had followed this principle when building JamCOVID they'd have seen this message splashed all over the Amazon S3 ACL configuration manual pages! 🤦‍♂️
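Putting the least-privilege and retention points from the thread into concrete form, as an added example (this is not code from the thread, from Amber Group or from the JamCOVID app): a Python script that builds an IAM policy allowing the app identity only s3:PutObject, a lifecycle rule that expires uploads after 21 days, and an audit that flags the two ACL grants the screenshot shows. The bucket name and the ACL dict are constructed placeholders; the ACL shape follows what boto3's get_bucket_acl() returns, and nothing here calls AWS.

```python
"""Least-privilege S3 setup and ACL audit (added example, not the app's code).

Assumptions, not taken from the thread: the bucket name is the placeholder
BUCKET, the app authenticates as an IAM identity, and the ACL dict follows
the shape boto3's get_bucket_acl() returns. Nothing here calls AWS.
"""
import json

BUCKET = "example-upload-bucket"  # placeholder, not the real bucket name
APP_USER = "opmjmmobile"          # app account seen in the ACL screenshot
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"  # S3's "Everyone"

# ACL permissions an upload-only identity has no business holding.
EXCESS_FOR_UPLOADER = {"FULL_CONTROL", "READ", "READ_ACP", "WRITE_ACP"}


def least_privilege_policy(bucket: str = BUCKET) -> dict:
    """IAM policy for the app identity: create objects, nothing else."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AppUploadOnly",
            "Effect": "Allow",
            "Action": ["s3:PutObject"],        # no Get, List or Delete
            "Resource": f"arn:aws:s3:::{bucket}/*",
        }],
    }


def retention_lifecycle(days: int = 21) -> dict:
    """Lifecycle configuration that expires every object after `days` days."""
    return {
        "Rules": [{
            "ID": "purge-uploads",
            "Filter": {"Prefix": ""},          # applies to the whole bucket
            "Status": "Enabled",
            "Expiration": {"Days": days},
        }],
    }


def audit_acl(acl: dict, app_user: str = APP_USER) -> list:
    """Flag a public grant and an over-privileged app grant in a bucket ACL."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee, perm = grant["Grantee"], grant["Permission"]
        if grantee.get("Type") == "Group" and grantee.get("URI") == ALL_USERS:
            findings.append(f"public: Everyone has {perm}")
        elif grantee.get("DisplayName") == app_user and perm in EXCESS_FOR_UPLOADER:
            findings.append(f"over-privileged: {app_user} has {perm}, needs write only")
    return findings


# Constructed ACL mirroring the two grants the thread describes.
SAMPLE_ACL = {
    "Owner": {"DisplayName": APP_USER, "ID": "0000EXAMPLECANONICALID"},
    "Grants": [
        {"Grantee": {"Type": "Group", "URI": ALL_USERS},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "CanonicalUser", "ID": "0000EXAMPLECANONICALID",
                     "DisplayName": APP_USER},
         "Permission": "FULL_CONTROL"},
    ],
}

if __name__ == "__main__":
    for finding in audit_acl(SAMPLE_ACL):
        print("FINDING:", finding)
    print(json.dumps(least_privilege_policy(), indent=2))
    print(json.dumps(retention_lifecycle(), indent=2))
```

Two design notes. The "create only" restriction is expressed as an IAM policy rather than an ACL grant because the ACL WRITE permission on a bucket also lets the grantee overwrite and delete objects it owns; s3:PutObject alone still permits overwriting an existing key, so pair it with bucket versioning or unique object names. The lifecycle rule only covers the purge; the "move to a more secure location" step the thread calls for would be a separate scheduled job with its own, different credentials.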
