Post on 08-Jun-2015
description
San Francisco AWS Meetup Group
AWS Security Threats
Aaron C. NewmanFounder, CloudCheckr
Aaron.Newman@CloudCheckr.com
Feb 11, 2013
Agenda:
• Overview of Public Cloud Security
• Attacks from AWS
• Using Search Engines to Attack AWS
• Economic Denial of Sustainability Attacks
• Attacks on AWS
Overview of Public Cloud Security
State of Cloud Security
• 15 years ago– The datacenter as an island, external access mediated– Security issues rarely understood– Security tools immature
• The data center opened up– Suppliers, customers, partners could connect directly to your datacenter– Robust solutions adopted, ranging from DLP, IDS, IPS, SEIM, VA
• Move to the cloud– Perimeter security is officially dead, data can be accessed from anywhere– Cloud provider security tools are immature
Survey of 100 hackers at Defcon 2012 96% of the respondents think that the cloud creates new opportunities for hacking
86% believe that “cloud vendors aren’t doing enough to address cyber-security issues.”
Cloud Threats
• Cloud Provider– Disgruntled employees– Natural disasters– Theft of physical equipment– Cloud provider hacked
• External Threats– Hackers (LulzSec, Anonymous)– Governments
• Stuxnet (US government targets Iran)• Operation Aurora (Chinese government targets Rackspace/others)
• Internal Threats (still your biggest threat)
– Developers, cloud admins, users
Thinking Like a Hacker
• Large Attack surface– Single successful attack can net many security
compromises– Clouds provide homogeneous environments
• To defend against the hacker– Think like the hacker– Go home and figure out how YOU would hack into your
account– Then plug the holes– Defense-in-depth
Attacks using AWS
Using Clouds to Break Encryption
• Clouds provide inexpensive ways to do massively parallel processing• Perfect for cracking encryption keys
• July 2012 Defcon - Cryptohaze Cloud Cracking• Open source Cryptohaze tool suite implements network-clustered GPU accelerated
password cracking (both brute force & rainbow tables)
• AWS Cluster GPU Instances crack SHA1• Quote from German Thomas Roth • “able to crack all hashes from [the 560 character SHA1 hash] with a password
length from one to six in only 49 minutes (one hour costs $2.10 [£1.30] by the way),“
• Researcher uses AWS cloud to crack Wi-Fi passwords• Cloud Cracking Suite (CCS) released on Jan 2012 at Black Hat security conference• Crack a WPA-PSK handshake at a speed of 400,000 attempted passwords per
second using eight GPU-based AWS instances
Major Attacks from the Cloud
• Dark/black/storm clouds• How do you shut down a hacker on the cloud?• Cloud not only cheap – provides anonymity
• Amazon cloud used in PlayStation Network hack• http://www.zdnet.com/amazon-cloud-used-in-playstation-network-hack-40100224
54/
• Hackers rent AWS EC2 instances under an alias
• Amazon S3 hosts banking trojan• Kaspersky Lab reports S3 hosts the command and
control channels for SpyEye banking trojan
Using Search Engines
to Attack AWS
Public Cloud Search Engine Attacks
Demo:
Search Diggity (Code Search, NotInMyBackyard)
AKA Google Hacking
Rich Mogul Blog Post
My $500 Cloud Security Screwup
Economic Denial of
Sustainability Attacks
EDoS Attacks
• Variation of Distributed Denial of Service Attack– Goal is not to overload and crash an application – Instead to cause the server hosting costs to overwhelm
the victim’s budget
“the infrastructure allows scaling of service beyond the economic means of the vendor
to pay their cloud-based service bills”-http://rationalsecurity.typepad.com
Worst Case Scenario – AWS CloudFront
• http://www.reviewmylife.co.uk/blog/2011/05/19/amazon-cloudfront-and-s3-maximum-cost/
• Author calculated maximum possible charge– Used default limit of 1000 requests per second and
1000 megabits per second– At the end of 30 days a maximum of 324TB of data
could have been downloaded (theoretically)– $42,000 per month for a single edge location– CloudFront has 30 edge locations
Stories and Lessons Learned
• Anecdotes from burned users– Personal website hacked by file sharers– Received bill for $10,000
• Note: AWS only charges for data out– All data transfer in is at $0.000 per GB– Mitigates costs – if you don’t respond to requests, doesn’t cost
you anything
• Use pre-paid credit cards or credit card with appropriate credit limit– Not sure if this limits your liability legally
Solutions?
• Amazon limits/caps have been “in the works” since 2006– Each year Amazon talks about intention of releasing
the feature
• May 2012 – Amazon announces Billing Alerts– http://aws.amazon.com/about-aws/whats-new/2012/
05/10/announcing-aws-billing-alerts/– Helps alert you when this starts happening to you– Could still be a costly few hours
Attacks on AWS
Password Attacks
• Brute forcing of accounts and passwords– Often no password lockout, just keep hammering away– RDS (Oracle, MySQL, and SQL Server), AWS accounts
• Example: Enumerating AWS account numbers– https://queue.amazonaws.com/<12 digit numbers here>/a?
Action=SendMessage– Response tells you if the account exists
• Old school attacks on an OS sitting in cloud– Typically secure defaults– Much more heterogeneous
Easily Guessed Passwords
• Need to guess username also if you don’t already know– Social engineering, research to make good guesses
• Passwords can be “guessed”– Attacking a single account with 100k passwords– Attacking many accounts with a few very common passwords– People leave test/test or password same as username
• Password dictionaries– http://www.openwall.com/passwords/wordlists/– The wordlists are intended primarily for use with password
crackers …
Vulnerabilities in RDS
• MySQL versions– Many vulnerable version– Make sure you are using the last release– Link to the issues
• RDS security groups should always be restricted to specific trusted networks
Misconfigured Security Settings
• Scanning Amazon S3 to identify publicly accessible buckets– http://cloudcheckr.com/2012/05/aws-s3-buckets-buck
et-finder/
• Open source tool – Bucket Finder– script launches a dictionary attack on the names of S3
buckets and interrogates the bucket for a list of public and private files
– Creates an EDoS
Demo:
Bucket Finder
5 Prevention Strategies
• Keep a close handle on what you are running in the cloud
• Educate yourself on how the cloud works
• Stay Patched– Stay on top of all the security alerts and bulletins
• Defense in Depth
• Multiple Levels of Security– Regularly perform audits and penetration tests on your cloud– Encryption of data-in-motion / data-at-rest / data-in-use– Monitor cloud activity log files
What is CloudCheckr?
CloudCheckr provides visibility into AWS
• Cost Optimization, Allocation, Reporting• Resource Utilization• > 250 Best Practice Checks• Trending Analysis• Change Monitoring
Questions?
Questions on:• Clouds• Security
Thank You for Attending
For a free 14 day trialof www.cloudcheckr.com
Aaron Newman is the Founder of CloudCheckr (www.cloudcheckr.com)
Please contact me with additional questions at:aaron.newman@cloudcheckr.com