Cloud Security: Boston AWS User Group
Boston AWS Meetup Group
AWS Security Threats
Aaron C. Newman, Founder, CloudCheckr
October 21, 2013
Agenda:
• Overview of Public Cloud Security
• Attacks from AWS
• Using Search Engines to Attack AWS
• Economic Denial of Sustainability Attacks
• Attacks on AWS
Overview of Public Cloud Security
State of Cloud Security
• 15 years ago
– The datacenter as an island, external access mediated
– Security issues rarely understood
– Security tools immature
• The data center opened up
– Suppliers, customers, partners could connect directly to your datacenter
– Robust solutions adopted, ranging from DLP, IDS, IPS, SIEM, VA
• Move to the cloud
– Perimeter security is officially dead, data can be accessed from anywhere
– Cloud provider security tools are immature
Survey of 100 hackers at Defcon 2012:
96% of the respondents think that the cloud creates new opportunities for hacking
86% believe that “cloud vendors aren’t doing enough to address cyber-security issues.”
Cloud Threats
• Cloud Provider
– Disgruntled employees
– Natural disasters
– Theft of physical equipment
– Cloud provider hacked
• External Threats
– Hackers (LulzSec, Anonymous)
– Governments
• Stuxnet (US government targets Iran)
• Operation Aurora (Chinese government targets Rackspace/others)
• Internal Threats (still your biggest threat)
– Developers, cloud admins, users
Thinking Like a Hacker
• Large attack surface
– Single successful attack can net many security compromises
– Clouds provide homogeneous environments
• To defend against the hacker
– Think like the hacker
– Go home and figure out how YOU would hack into your account
– Then plug the holes
– Defense-in-depth
Attacks using AWS
Using Clouds to Break Encryption
• Clouds provide inexpensive ways to do massively parallel processing
• Perfect for cracking encryption keys
• July 2012 Defcon - Cryptohaze Cloud Cracking
• Open source Cryptohaze tool suite implements network-clustered GPU accelerated password cracking (both brute force & rainbow tables)
• AWS Cluster GPU Instances crack SHA1
• Quote from German researcher Thomas Roth
• “able to crack all hashes from [the 560 character SHA1 hash] with a password length from one to six in only 49 minutes (one hour costs $2.10 [£1.30] by the way)”
• Researcher uses AWS cloud to crack Wi-Fi passwords
• Cloud Cracking Suite (CCS) released in Jan 2012 at the Black Hat security conference
• Crack a WPA-PSK handshake at a speed of 400,000 attempted passwords per second using eight GPU-based AWS instances
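The defender's side of the cracking results above, as an added example that is not part of the slides: the number of candidates an attacker must hash for passwords of length one to six over a given alphabet, and a rough measurement of how much a salted, iterated KDF (PBKDF2 here) raises the per-guess cost compared with the plain SHA1 the cracked hashes used. The alphabet sizes, the 100,000-iteration count and the timing loop are assumptions; measured rates depend on the machine.

```python
"""Added example, not from the slides: keyspace arithmetic behind the
"length one to six in 49 minutes" result, and the slowdown a defender gets
by storing passwords with PBKDF2 instead of unsalted SHA1."""
import hashlib
import os
import time


def keyspace(alphabet_size: int, max_len: int) -> int:
    """Number of candidate passwords of length 1..max_len over the alphabet."""
    return sum(alphabet_size ** k for k in range(1, max_len + 1))


def seconds_to_exhaust(alphabet_size: int, max_len: int, hashes_per_second: float) -> float:
    """Worst-case time to try every candidate at a given cracking rate."""
    return keyspace(alphabet_size, max_len) / hashes_per_second


def rate(hash_fn, seconds: float = 0.2) -> float:
    """Rough single-core hashes/second for hash_fn, measured over `seconds`."""
    password = b"test"  # constructed guess; its content does not matter here
    count, deadline = 0, time.perf_counter() + seconds
    while time.perf_counter() < deadline:
        hash_fn(password)
        count += 1
    return count / seconds


def sha1_hash(password: bytes) -> bytes:
    """Unsalted SHA1, the scheme behind the cracked hashes on the slide."""
    return hashlib.sha1(password).digest()


SALT = os.urandom(16)  # per-user random salt; one value here for the benchmark
PBKDF2_ITERATIONS = 100_000  # assumed work factor


def pbkdf2_hash(password: bytes) -> bytes:
    """Salted, iterated hash: each guess costs the attacker 100k HMAC-SHA256 calls."""
    return hashlib.pbkdf2_hmac("sha256", password, SALT, PBKDF2_ITERATIONS)


def slowdown_factor(seconds: float = 0.2) -> float:
    """How many times more expensive a guess becomes when PBKDF2 replaces SHA1."""
    return rate(sha1_hash, seconds) / rate(pbkdf2_hash, seconds)


if __name__ == "__main__":
    lowercase = keyspace(26, 6)
    print(f"lowercase, length 1-6: {lowercase:,} candidates")
    print(f"mixed case + digits:   {keyspace(62, 6):,} candidates")
    # assumed cracking rate of 1e9 SHA1/s for a GPU cluster (illustrative only)
    print(f"SHA1 at 1e9/s exhausts lowercase space in {seconds_to_exhaust(26, 6, 1e9):.1f} s")
    factor = slowdown_factor()
    print(f"PBKDF2 makes each guess about {factor:,.0f}x more expensive on this machine")
```

The keyspace numbers are exact; the slowdown factor is a single-core CPU measurement, so treat it as an order of magnitude rather than a benchmark.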
Major Attacks from the Cloud
• Dark clouds or black clouds
• How do you shut down a hacker on the cloud?
• Cloud not only cheap – provides anonymity
• Amazon cloud used in PlayStation Network hack
• http://www.zdnet.com/amazon-cloud-used-in-playstation-network-hack-4010022454/
• Hackers rent AWS EC2 instances under an alias
• Amazon S3 hosts banking trojan
• Kaspersky Lab reports S3 hosts the command and control channels for SpyEye banking trojan
Using Search Engines to Attack AWS
Public Cloud Search Engine Attacks
Demo:
Search Diggity (Code Search, NotInMyBackyard)
AKA Google Hacking
Economic Denial of Sustainability Attacks
EDoS Attacks
• Variation of Distributed Denial of Service Attack
– Goal is not to overload and crash an application
– Instead to cause the server hosting costs to overwhelm the victim’s budget
“the infrastructure allows scaling of service beyond the economic means of the vendor to pay their cloud-based service bills” – http://rationalsecurity.typepad.com
Worst Case Scenario – AWS CloudFront
• http://www.reviewmylife.co.uk/blog/2011/05/19/amazon-cloudfront-and-s3-maximum-cost/
• Author calculated maximum possible charge
– Used default limit of 1000 requests per second and 1000 megabits per second
– At the end of 30 days a maximum of 324TB of data could have been downloaded (theoretically)
– $42,000 per month for a single edge location
– CloudFront has 30 edge locations
Stories and Lessons Learned
• Anecdotes from burned users
– Personal website hacked by file sharers
– Received bill for $10,000
• Note: AWS only charges for data out
– All data transfer in is at $0.000 per GB
– Mitigates costs – if you don’t respond to requests, it doesn’t cost you anything
• Use pre-paid credit cards or credit card with appropriate credit limit
– Not sure if this limits your liability legally
Solutions?
• Amazon limits/caps have been “in the works” since 2006
– Each year Amazon talks about intention of releasing the feature
• May 2012 – Amazon announces Billing Alerts
– http://aws.amazon.com/about-aws/whats-new/2012/05/10/announcing-aws-billing-alerts/
– Helps alert you when this starts happening to you
– Could still be a costly few hours
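The EDoS arithmetic from the CloudFront worst case and the "costly few hours" caveat of billing alerts, worked through as an added example that is not from the slides: it reproduces the 324 TB ceiling for a link saturated at the 1000 megabit per second default, then emulates an alert on cumulative charges over constructed hourly egress samples and shows how much more accrues before anyone reacts. The $/GB price, the budget, the traffic pattern and the response delay are all assumptions.

```python
"""Added example, not from the slides: egress ceiling and a billing-alert
emulation for an EDoS egress spike.  Price, budget, cap and the hourly
traffic samples below are constructed for illustration, not AWS's numbers."""

HOURS_PER_MONTH = 24 * 30


def max_monthly_egress_tb(cap_mbit_s: float, days: int = 30) -> float:
    """Theoretical egress ceiling (decimal TB) for a link saturated at cap_mbit_s."""
    bytes_per_second = cap_mbit_s * 1_000_000 / 8
    return bytes_per_second * 86_400 * days / 1e12


def first_alert_hour(egress_gb_per_hour, price_per_gb, threshold_usd):
    """Emulate a billing alert on cumulative charges (the AWS Billing Alerts model):
    return (hour index, charges so far) for the first hour whose running total
    exceeds threshold_usd, or None if the period ends under budget."""
    total = 0.0
    for hour, gb in enumerate(egress_gb_per_hour):
        total += gb * price_per_gb
        if total > threshold_usd:
            return hour, round(total, 2)
    return None


def cost_during_response(egress_gb_per_hour, price_per_gb, alert_hour, response_hours):
    """Charges that accrue in the hours after the alert fires, before anyone reacts."""
    window = egress_gb_per_hour[alert_hour + 1:alert_hour + 1 + response_hours]
    return round(sum(window) * price_per_gb, 2)


# Constructed traffic: two quiet days at 2 GB/hour, then a file-sharing style
# spike at 400 GB/hour for the rest of a 30-day billing period.
NORMAL_GB_PER_HOUR = 2.0
SPIKE_GB_PER_HOUR = 400.0
SAMPLE_EGRESS = [NORMAL_GB_PER_HOUR] * 48 + [SPIKE_GB_PER_HOUR] * (HOURS_PER_MONTH - 48)
PRICE_PER_GB = 0.12      # assumed data-out price
ALERT_THRESHOLD = 200.0  # assumed monthly budget used as the alert threshold

if __name__ == "__main__":
    print(f"Ceiling at 1000 Mbit/s for 30 days: {max_monthly_egress_tb(1000):.0f} TB")
    hour, charged = first_alert_hour(SAMPLE_EGRESS, PRICE_PER_GB, ALERT_THRESHOLD)
    print(f"Alert fires at hour {hour} with ${charged} already charged")
    extra = cost_during_response(SAMPLE_EGRESS, PRICE_PER_GB, hour, 3)
    print(f"Another ${extra} accrues during a three-hour response window")
```

Because the alert triggers on money already spent rather than on the rate of spend, the spike has run for four hours before it fires, and every further hour of delay costs as much again; comparing the current hour's charges against a rolling baseline would fire earlier.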
Attacks on AWS
Password Attacks
• Brute forcing of accounts and passwords
– Often no password lockout, just keep hammering away
– RDS (Oracle, MySQL, and SQL Server), AWS accounts
• Example: Enumerating AWS account numbers
– https://queue.amazonaws.com/<12 digit numbers here>/a?Action=SendMessage
– Response tells you if the account exists
• Old school attacks on an OS sitting in cloud
– Typically secure defaults
– Much more heterogeneous
Easily Guessed Passwords
• Need to guess username also if you don’t already know it
– Social engineering, research to make good guesses
• Passwords can be “guessed”
– Attacking a single account with 100k passwords
– Attacking many accounts with a few very common passwords
– People leave test/test or password same as username
• Password dictionaries
– http://www.openwall.com/passwords/wordlists/
– The wordlists are intended primarily for use with password crackers …
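When there is no lockout, detection in the activity log is what remains, so here is the two patterns on this slide and the previous one (one account hammered with many passwords; many accounts tried with a few passwords) turned into detection logic, as an added example that is not from the slides. It runs over constructed login records shaped like CloudTrail ConsoleLogin events; the record shape, the ten-minute window and both thresholds are assumptions.

```python
"""Added example, not from the slides: brute-force and password-spray
detection over constructed login records shaped like CloudTrail
ConsoleLogin events.  Window and thresholds are assumed values."""
import json
from collections import defaultdict
from datetime import datetime, timedelta


def _event(time_s: str, ip: str, user: str, outcome: str) -> str:
    """Build one constructed record as a JSON line (not real CloudTrail output)."""
    return json.dumps({
        "eventTime": time_s, "eventName": "ConsoleLogin",
        "sourceIPAddress": ip, "userIdentity": {"userName": user},
        "responseElements": {"ConsoleLogin": outcome},
    })


# Constructed sample log: one source hammers "admin" every 5 seconds, another
# tries six different users once each, and one legitimate login succeeds.
SAMPLE_EVENTS = (
    [_event(f"2013-10-21T02:00:{s:02d}Z", "203.0.113.7", "admin", "Failure")
     for s in range(0, 60, 5)]
    + [_event(f"2013-10-21T03:00:{s:02d}Z", "198.51.100.9", u, "Failure")
       for s, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])]
    + [_event("2013-10-21T04:00:00Z", "192.0.2.5", "alice", "Success")]
)


def parse(line: str) -> dict:
    """Pull out the fields the detection needs from one JSON record."""
    e = json.loads(line)
    return {
        "time": datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ"),
        "ip": e["sourceIPAddress"],
        "user": e["userIdentity"].get("userName", "?"),
        "failed": (e["eventName"] == "ConsoleLogin"
                   and e["responseElements"].get("ConsoleLogin") == "Failure"),
    }


def detect(lines, window=timedelta(minutes=10), single_user_max=10, spray_users_max=5):
    """Return alerts as (kind, source ip, detail) tuples.

    brute-force:    >= single_user_max failures for one user from one source
                    inside the window
    password-spray: failures against >= spray_users_max distinct users from
                    one source inside the window
    """
    failures = sorted((r for r in map(parse, lines) if r["failed"]), key=lambda r: r["time"])
    by_ip = defaultdict(list)
    for r in failures:
        by_ip[r["ip"]].append(r)
    alerts = []
    for ip, recs in by_ip.items():
        start = 0
        for end in range(len(recs)):              # sliding window per source
            while recs[end]["time"] - recs[start]["time"] > window:
                start += 1
            users = {r["user"] for r in recs[start:end + 1]}
            if end - start + 1 >= single_user_max and len(users) == 1:
                alerts.append(("brute-force", ip, next(iter(users))))
                break
            if len(users) >= spray_users_max:
                alerts.append(("password-spray", ip, len(users)))
                break
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Spray detection keys on distinct usernames per source, which is why the second source is flagged after only five single failures that a per-account counter would never notice; tuning the window shorter makes both checks stricter.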
Vulnerabilities in RDS
• MySQL versions
– Many vulnerable versions
– Make sure you are using the latest release
– Link to the issues
• RDS security groups should always be restricted to specific trusted networks
Misconfigured Security Settings
• Scanning Amazon S3 to identify publicly accessible buckets
– http://cloudcheckr.com/2012/05/aws-s3-buckets-bucket-finder/
• Open source tool – Bucket Finder
– script launches a dictionary attack on the names of S3 buckets and interrogates the bucket for a list of public and private files
– Creates an EDoS
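The two misconfigurations on this slide and the previous one are things you can audit in your own account before a Bucket Finder style scan finds them: a bucket ACL that grants READ to AllUsers (which is what lets anyone list the bucket's files), and an RDS security group open to the whole internet. The audit below is an added example, not code from the slides or from the Bucket Finder tool; its inputs are constructed dicts shaped like the boto3 get_bucket_acl and describe_security_groups responses, and in real use you would fetch those with boto3.

```python
"""Added example, not from the slides: audit S3 bucket ACLs for public grants
and security groups for database ports open to the world.  Inputs are
constructed dicts shaped like boto3 responses."""

# Well-known S3 group grantee URIs and what they mean.
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "everyone",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}
DB_PORTS = {1433: "SQL Server", 1521: "Oracle", 3306: "MySQL"}
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


def public_acl_findings(bucket_name: str, acl: dict) -> list:
    """Grants exposing the bucket to AllUsers / AuthenticatedUsers.

    READ on a bucket ACL lets the grantee list its objects, which is exactly
    what a bucket-finder style tool interrogates."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        who = PUBLIC_GRANTEES.get(grantee.get("URI"))
        if grantee.get("Type") == "Group" and who:
            findings.append((bucket_name, grant["Permission"], who))
    return findings


def open_db_port_findings(security_groups: list) -> list:
    """Inbound rules that let the whole internet reach a database port."""
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            proto = perm.get("IpProtocol")
            if proto not in ("tcp", "-1"):       # "-1" means all protocols
                continue
            cidrs = ([r["CidrIp"] for r in perm.get("IpRanges", [])]
                     + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])
            if not WORLD_CIDRS.intersection(cidrs):
                continue
            lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
            if proto == "-1":
                lo, hi = 0, 65535
            for port, engine in DB_PORTS.items():
                if lo <= port <= hi:
                    findings.append((sg["GroupId"], port, engine))
    return findings


# Constructed inputs (not real account data).
SAMPLE_ACL = {
    "Owner": {"ID": "example-owner"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}
SAMPLE_SECURITY_GROUPS = [
    {"GroupId": "sg-0example1", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0example2", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}]},
]

if __name__ == "__main__":
    for finding in public_acl_findings("example-bucket", SAMPLE_ACL):
        print("public bucket grant:", finding)
    for finding in open_db_port_findings(SAMPLE_SECURITY_GROUPS):
        print("world-reachable database port:", finding)
```

The second security group is not flagged because 10.0.0.0/16 is a specific trusted network, which is the configuration the RDS slide recommends; bucket policies with a wildcard Principal would need a separate check.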
Demo:
Bucket Finder
5 Prevention Strategies
• Keep a close handle on what you are running in the cloud
• Educate yourself on how the cloud works
• Stay Patched
– Stay on top of all the security alerts and bulletins
• Defense in Depth
• Multiple Levels of Security
– Regularly perform audits and penetration tests on your cloud
– Encryption of data-in-motion / data-at-rest / data-in-use
– Monitor cloud activity log files
What is CloudCheckr?
CloudCheckr provides visibility into AWS
• Cost Optimization, Allocation, Reporting
• Resource Utilization
• > 250 Best Practice Checks
• Trending Analysis
• Change Monitoring
Questions?
Questions on:
• Clouds
• Security
Thank You for Attending
Enter promo code BOSTON for a free 30 day trial of www.cloudcheckr.com
Aaron Newman is the Founder of CloudCheckr (www.cloudcheckr.com)
Please contact me with additional questions at: [email protected]