Anatomy of a Public Cloud Attack | CSA Orlando

Page 1: Anatomy of a Public Cloud Attack | CSA Orlando

CSA 2012 – Orlando

Anatomy of a Public Cloud Attack

Aaron C. Newman

Page 2:

Agenda:

• Overview of Public Cloud Security

• Attacks from the Public Cloud

• Search Engine Attacks on Public Cloud

• Economic Denial of Sustainability Attacks

• Attacks on the Public Cloud

Page 3:

Overview of Public Cloud Security

Page 4:

State of Cloud Security

• 15 years ago

– The datacenter as an island, external access mediated

– Security issues rarely understood

– Security tools immature

• The data center opened up

– Suppliers, customers, partners could connect directly to your datacenter

– Robust solutions adopted, ranging from DLP, IDS, IPS, SIEM, VA

• Move to the cloud

– Perimeter security is officially dead, data can be accessed from anywhere

– Cloud provider security tools are immature

Survey of 100 hackers at Defcon 2012

96% of the respondents think that the cloud creates new opportunities for hacking

86% believe that “cloud vendors aren’t doing enough to address cyber-security issues.”

Page 5:

Cloud Threats

• Cloud Provider

– Disgruntled employees

– Natural disasters

– Theft of physical equipment

– Cloud provider hacked

• External Threats

– Hackers (LulzSec, Anonymous)

– Governments

  • Stuxnet (US government targets Iran)

  • Operation Aurora (Chinese government targets Rackspace/others)

• Internal Threats (still your biggest threat)

– Developers, cloud admins, users

Page 6:

Thinking Like a Hacker

• Large Attack surface

– Single successful attack can net many security compromises

– Clouds provide homogeneous environments

• To defend against the hacker

– Think like the hacker

– Go home and figure out how YOU would hack into your account

– Then plug the holes

– Defense-in-depth

Page 7:

Attacks from the Public Cloud

Page 8:

Using Clouds to Break Encryption

• Clouds provide inexpensive ways to do massively parallel processing

– Perfect for cracking encryption keys

• July 2012 Defcon - Cryptohaze Cloud Cracking

– Open source Cryptohaze tool suite implements network-clustered GPU accelerated password cracking (both brute force & rainbow tables)

• AWS Cluster GPU Instances crack SHA1

– Quote from German researcher Thomas Roth:

– “able to crack all hashes from [the 560 character SHA1 hash] with a password length from one to six in only 49 minutes (one hour costs $2.10 [£1.30] by the way),”

• Researcher uses AWS cloud to crack Wi-Fi passwords

– Cloud Cracking Suite (CCS) released in Jan 2012 at the Black Hat security conference

– Crack a WPA-PSK handshake at a speed of 400,000 attempted passwords per second using eight GPU-based AWS instances

Page 9:

Major Attacks from the Cloud

• Dark clouds or black clouds

– How do you shut down a hacker on the cloud?

– Cloud not only cheap – provides anonymity

• Amazon cloud used in PlayStation Network hack

– http://www.zdnet.com/amazon-cloud-used-in-playstation-network-hack-4010022454/

– Hackers rent AWS EC2 instances under an alias

• Amazon S3 hosts banking trojan

– Kaspersky Lab reports S3 hosts the command and control channels for SpyEye banking trojan

Page 10:

Search Engine Attacks on Public Cloud

Page 11:

Public Cloud Search Engine Attacks

Demo:

Search Diggity (Code Search, NotInMyBackyard)

Page 12:

Economic Denial of Sustainability Attacks

Page 13:

EDoS Attacks

• Variation of Distributed Denial of Service Attack

– Goal is not to overload and crash an application

– Instead to cause the server hosting costs to overwhelm the victim’s budget

“the infrastructure allows scaling of service beyond the economic means of the vendor to pay their cloud-based service bills” (source: http://rationalsecurity.typepad.com)

Page 15:

Stories and Lessons Learned

• Anecdotes from burned users

– Personal website hacked by file sharers

– Received bill for $10,000

• Note: AWS only charges for data out

– All data transfer in is at $0.000 per GB

– Mitigates costs: if you don’t respond to requests, it doesn’t cost you anything

• Use pre-paid credit cards or a credit card with an appropriate credit limit

– Not sure if this limits your liability legally

Page 17:

Attacks on the Public Cloud

Page 18:

Password Attacks

• Brute forcing of accounts and passwords

– Often no password lockout, just keep hammering away

– RDS (Oracle, MySQL, and SQL Server), SQL Azure, AWS accounts

• Example: Enumerating AWS account numbers

– https://queue.amazonaws.com/<12 digit numbers here>/a?Action=SendMessage

– Response tells you if the account exists

• Old school attacks on an OS sitting in cloud

– Typically secure defaults

– Much more heterogeneous

Page 19:

Easily Guessed Passwords

• Need to guess username also if you don’t already know it

– Social engineering, research to make good guesses

• Passwords can be “guessed”

– Attacking a single account with 100k passwords

– Attacking many accounts with a few very common passwords

– People leave test/test or password same as username

• Password dictionaries

– http://www.openwall.com/passwords/wordlists/

– The wordlists are intended primarily for use with password crackers …

Page 20:

Misconfigured Security Settings

• Scanning Amazon S3 to identify publicly accessible buckets

– http://cloudcheckr.com/2012/05/aws-s3-buckets-bucket-finder/

• Open source tool – Bucket Finder

– Script launches a dictionary attack on the names of S3 buckets and interrogates the bucket for a list of public and private files

– Creates an EDoS
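A defender-side check for the misconfiguration Bucket Finder hunts for, as an added example (not from the deck and not CloudCheckr's code): it walks an S3 ACL in the dict shape boto3's get_bucket_acl / get_object_acl return and reports any grant to the AllUsers or AuthenticatedUsers group. The ACLs below are constructed so the check runs offline; fetching a live ACL is left to the caller.

```python
# AWS-defined group grantees: "everyone" and "anyone holding any AWS account".
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def public_grants(acl):
    """Return (group_uri, permission) for every grant made to a public group.

    On a bucket ACL, READ lets anyone list the keys (what Bucket Finder
    interrogates); on an object ACL, READ lets anyone download it;
    WRITE or FULL_CONTROL to a public group is worse still."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS:
            found.append((grantee["URI"], grant.get("Permission")))
    return found


def is_public(acl):
    """True if any grant exposes the bucket or object beyond its owner's account."""
    return bool(public_grants(acl))


# Constructed sample ACLs in the shape boto3 returns from
# s3.get_bucket_acl(Bucket=name); IDs are placeholders, not real accounts.
OWNER = {"Type": "CanonicalUser", "ID": "owner-canonical-id-placeholder"}

PRIVATE_ACL = {
    "Owner": {"ID": OWNER["ID"]},
    "Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}],
}

WORLD_LISTABLE_ACL = {
    "Owner": {"ID": OWNER["ID"]},
    "Grants": [
        {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}

if __name__ == "__main__":
    for name, acl in (("private-bucket", PRIVATE_ACL), ("open-bucket", WORLD_LISTABLE_ACL)):
        print(name, "PUBLIC" if is_public(acl) else "ok", public_grants(acl))
```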

Page 21:

Demo:

Bucket Finder

Page 22:

SQL Injection

• Try to modify the query

• Change:

    Select * from my_table
    where column_x = '1'

• To:

    Select * from my_table
    where column_x = '1'
    UNION select credit_card_number
    from orders where 'q'='q'

Page 23:

Hackers Reset Your SQL Firewall

• Set the product_category to:

    test'; sys.sp_set_database_firewall_rule XXXXX; --

• The SQL Statement is now:

    SELECT ProductName FROM Products WHERE
    ProductCategory='test';
    sys.sp_set_database_firewall_rule XXXXX; --'
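The query change on page 22 and the stacked-statement variant on page 23 share one root cause, so here is one added example (not from the deck) in Python with SQLite: page 22's UNION payload is run against a query built by string concatenation and against a parameterized one. Table and column names follow the slide; the rows are constructed.

```python
import sqlite3

# Constructed sample data (not from the deck): the table the app queries and
# an orders table holding card numbers, using the slide's names.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE my_table (column_x TEXT, name TEXT);
        INSERT INTO my_table VALUES ('1', 'widget'), ('2', 'gadget');
        CREATE TABLE orders (credit_card_number TEXT);
        INSERT INTO orders VALUES ('4111111111111111'), ('5500000000000004');
    """)
    return conn


def lookup_vulnerable(conn, user_input):
    # String concatenation: whatever the user sent becomes part of the SQL text,
    # so a quote in the input ends the literal and the rest is parsed as SQL.
    sql = "SELECT name FROM my_table WHERE column_x = '" + user_input + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, user_input):
    # Parameterized query: the input is bound as a value and never parsed as
    # SQL, so the UNION (or the stacked firewall-rule call on page 23) is just
    # a string that matches no row.
    sql = "SELECT name FROM my_table WHERE column_x = ?"
    return [row[0] for row in conn.execute(sql, (user_input,))]


# The deck's UNION payload: closes the '1' literal, appends the UNION, and the
# trailing 'q'='q re-balances the quote the application adds at the end.
UNION_PAYLOAD = "1' UNION SELECT credit_card_number FROM orders WHERE 'q'='q"

if __name__ == "__main__":
    db = build_db()
    print(lookup_vulnerable(db, "1"))            # ['widget']
    print(lookup_vulnerable(db, UNION_PAYLOAD))  # 'widget' plus every card number
    print(lookup_safe(db, UNION_PAYLOAD))        # []
```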

Page 24:

5 Prevention Strategies

• Keep a close handle on what you are running in the cloud

• Educate yourself on how the cloud works

• Stay Patched

– Stay on top of all the security alerts and bulletins

• Defense in Depth

• Multiple Levels of Security

– Regularly perform audits and penetration tests on your cloud

– Encryption of data-in-motion / data-at-rest / data-in-use

– Monitor cloud activity log files

Page 25:

Questions?

Questions on:

• Clouds

• Security

Page 26:

Thank You for Attending

Get your FREEMIUM account to check your public cloud at www.cloudcheckr.com

Aaron Newman is the Founder of CloudCheckr (www.cloudcheckr.com)

Please contact me with additional questions at: [email protected]