Top Cloud Threats v2.0 Cloud Security Alliance Michael Sutton, VP Research, Zscaler Dan Hubbard, CTO, Websense

Upload: raymond-gasson

Post on 14-Dec-2015


Page 1: Top Cloud Threats v2.0 Cloud Security Alliance Michael Sutton, VP Research, Zscaler Dan Hubbard, CTO, Websense

Top Cloud Threats v2.0
Cloud Security Alliance

Michael Sutton, VP Research, Zscaler
Dan Hubbard, CTO, Websense

Page 2:

Project

Page 3:

Contributing Organizations

Page 4:

Top Threats for Cloud Computing v1

Page 5:

Shared Technology Vulnerabilities

Page 6:

Cloudburst

Page 7:

Cloudburst

Kostya Kortchinsky, Immunity (Blackhat 2009)

Page 8:

Cloudburst

Kostya Kortchinsky, Immunity (Blackhat 2009)

/* VMware SVGA II virtual display adapter FIFO command; the guest-to-host escape shown in the Cloudburst talk went through this command's rectangle handling */
#define SVGA_CMD_RECT_COPY /* FIFO layout: Source X, Source Y, Dest X, Dest Y, Width, Height */

Page 9:

Account / Service Hijacking

Page 10:

MobileMe – Enumerating Accounts

Page 11:

MobileMe – Enumerating Accounts

Page 12:

MobileMe – Enumerating Accounts

Page 13:

MobileMe – Enumerating Accounts

Chart: account enumeration results by name list

                              Girl Names   Boy Names
Exists                             48%         56%
Does not exist                     44%         18%
Exists (password protected)         8%         26%

69% of accounts verified

Page 14:

MobileMe – Password Reset

Page 15:

MobileMe – Password Reset

Page 16:

MobileMe – Password Reset

Page 17:

MobileMe – Password Reset

Page 18:

Data Loss / Data Leakage

Page 19:

MediaMax – Inactive Accounts

MediaMax / The Linkup: When the cloud fails
By Michael Krigsman | August 27, 2008, 9:55am PDT

Online storage service MediaMax, also called The Linkup, went out of business following a system administration error that deleted active customer data. The defunct company leaves behind unhappy users and raises questions about the reliability of cloud computing.

As with most failures, this story is fraught with complications and contradictions. Besides finger pointing and back-biting, which I suppose is to be expected, confusing corporate relationships coupled with a seemingly bizarre level of process and technical carelessness lend a weird flavor to the whole mess.

Page 20:

MediaMax Failures

Page 21:

Microsoft – Lost Sidekick Data

Microsoft Recovers Lost Sidekick Data
OCTOBER 15, 2009, 5:07 P.M. ET
By ROGER CHENG

Microsoft Corp. said Thursday that it has been able to recover the personal customer data lost from many of T-Mobile USA's Sidekick devices.

The Redmond, Wash., software giant said that most, if not all, customer data was recovered, and that the company would begin restoring data as soon as it has validated it. The company said it will start with personal contacts, and move on to the lost calendar, notes, tasks and pictures as quickly as possible.

Page 22:

Malicious Insiders

Page 23:

Google Fires Email Snooper

Google fires employee for snooping on users
September 16, 2010 | By Jessica Guynn, Los Angeles Times

The Internet search giant says the software engineer broke its 'strict internal privacy policies.' He allegedly accessed information about four teenagers.

Reporting from San Francisco — Google Inc. fired a software engineer for snooping on its users' private information, the Internet search giant confirmed Wednesday.

The 27-year-old employee, David Barksdale, allegedly accessed information about four teenagers he met through a Seattle technology group, according to gossip website Gawker, which reported the incident Tuesday.

Page 24:

Google Response

“We dismissed David Barksdale for breaking Google’s strict internal privacy policies. We carefully control the number of employees who have access to our systems, and we regularly upgrade our security controls–for example, we are significantly increasing the amount of time we spend auditing our logs to ensure those controls are effective. That said, a limited number of people will always need to access these systems if we are to operate them properly–which is why we take any breach so seriously.”

Bill Coughran
Senior VP of Engineering

Page 25:

Facebook Master Password

Purported Interview With Facebook Employee Details Use Of 'Master Password'
Jason Kincaid
Jan 11, 2010

Earlier today, The Rumpus published a very revealing interview with someone claiming to be a Facebook employee. The interview covers a variety of subjects, including privacy restrictions at the world’s largest social network and some of the technological hurdles the site has to deal with. The biggest revelations? That Facebook collects more data about your habits than you may realize, and that there was once a ‘master password’ that would grant employees access to anyone’s Facebook profile — a password that some employees abused.

Page 26:

Interception or Hijacking of Traffic

Page 27:

Twitter DNS Redirection

Internal Twitter Credentials Used in DNS Hack, Redirect

By David Kravets | December 18, 2009, 1:04 pm

Twitter’s website went offline for about an hour Thursday, with many tweeters redirected to a defacement page boasting “This site has been hacked by Iranian Cyber Army.”

Twitter acknowledged the 10 p.m. takeover, one in a series of security lapses to hit the popular microblogging service. Twitter said its DNS records “were temporarily compromised.”

Tom Daly, chief technology officer at Dyn, a New Hampshire-based DNS company that services Twitter, said somebody using a “set of valid Twitter credentials” redirected the site.

Page 28:

Insecure APIs

Page 29:

Insecure APIs

Page 30:

Insecure APIs

Page 31:

Insecure APIs

The programmable web is run in the cloud &

The cloud is programmed by the web

Page 32:

Insecure APIs

We analyzed a dozen popular Twitter apps, gadgets, Facebook apps, and mashups, and

>80% are NOT using the security that authentication and encryption provide!

Page 33:

Insecure APIs

• The programmable web is…

– Straightforward to develop solutions on
– Often anonymous or “frictionless”
– Can be done from anywhere
– Can usually be done by anyone
– Can be done on anything (it’s the web after all)

Page 34:

Insecure APIs

• Threats to the programmable web:

– Man-in-the-middle attack (MITM)
– Message replay attacks
– Identity spoofing
– Message alteration
– Confidentiality and privacy leaks / issues
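The replay, spoofing and alteration items on that list are what per-request message authentication addresses, and the survey finding above is that most apps skip it. The following is an added illustration, not code from the deck or from any app it surveyed: the client signs each call with an HMAC over method, path, parameters, timestamp and nonce, and the server rejects altered, spoofed, stale or replayed requests. The secret, path and parameters are constructed; confidentiality (the last item on the list) still needs TLS underneath, since an HMAC authenticates but does not hide the message.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import urlencode

# Shared secret provisioned to the client out of band (constructed value).
API_SECRET = b"constructed-demo-secret-not-for-real-use"
REPLAY_WINDOW_SECONDS = 300   # how stale a timestamp may be before rejection


def canonical(method, path, params, ts, nonce):
    """Bytes both sides MAC: fixed field order and sorted params, so any
    change to the call (message alteration) changes the signature."""
    query = urlencode(sorted(params.items()))
    return "\n".join([method.upper(), path, query, str(ts), nonce]).encode()


def sign_request(secret, method, path, params, ts=None, nonce=None):
    """Client side: returns the auth fields sent alongside the request."""
    ts = int(time.time()) if ts is None else ts
    nonce = secrets.token_hex(8) if nonce is None else nonce
    sig = hmac.new(secret, canonical(method, path, params, ts, nonce), hashlib.sha256).hexdigest()
    return {"ts": ts, "nonce": nonce, "sig": sig}


class Verifier:
    """Server side. `now` is injectable so the replay window can be tested."""

    def __init__(self, secret, now=time.time):
        self.secret, self.now = secret, now
        self.seen = set()   # nonces accepted inside the window; prune by ts in production

    def verify(self, method, path, params, auth):
        ts, nonce, sig = auth["ts"], auth["nonce"], auth["sig"]
        if abs(self.now() - ts) > REPLAY_WINDOW_SECONDS:
            return "stale"            # old capture submitted outside the window
        if nonce in self.seen:
            return "replay"           # same signed request submitted twice
        expected = hmac.new(self.secret, canonical(method, path, params, ts, nonce), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return "bad-signature"    # altered message, or a sender without the secret (spoofing)
        self.seen.add(nonce)
        return "ok"
```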

Page 35:

Insecure APIs

• Example of Open Graph being compromised and redirecting users

Page 36:

Abuse and Nefarious Use

Page 37:

Abuse and Nefarious Use

Hosting attacker toolkits for user infections, code updates, and the control and statistics portal

Page 38:

Abuse and Nefarious Use

Twitter and other web services have been used for command and control of bots

Page 39:

Abuse and Nefarious Use

• Using Google’s search platform for poisoning search results

~15% of searches for hot trends end up at malicious websites

Attackers use web APIs like hot trends, topics, tweets, and mining

Page 40:

Abuse and Nefarious Use

Keep in mind that this is essentially a DoS attack. Launch it against a site that isn’t yours and very bad things will happen to you. But for testing your own site’s performance, Bees with Machine Guns is awesome — all you need is an EC2 account and the script.

Page 41:

Abuse and Nefarious Use

Page 42:

Abuse and Nefarious Use

• Other examples of potential abuse:

– Password and encryption cracking
– Data warehousing of large amounts of data and identities
– DDoS (we talk about that later)
– Hosting malicious files and phishing pages
– Hiding behind services for data mining
– Breaking CAPTCHAs or other security checks

Page 43:

Top Threats for Cloud Computing v2

Page 44:

Distributed Denial of Service

Page 45:

Distributed Denial of Service

Page 46:

Distributed Denial of Service

• Attacks could be launched from different zones, geos, and services to help thwart takedowns

• The attacker could be shut down, but the damage would already be done and the IP space blacklisted

Another variant is a financial DDoS against an IaaS customer who pays per use (“per drink”): the attack runs up the victim’s bill rather than taking the service down. Much harder to detect and stop.
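Because a financial DDoS leaves the service up, availability monitoring never fires; the signal is in the metering. Added example, not from the deck: a spend-rate check over constructed hourly usage for one pay-per-use tenant that flags hours whose bill jumps well above a median baseline or breaches a hard hourly budget, and totals the excess for the dispute with the provider. The usage figures, per-request price and budget are all constructed.

```python
from statistics import median

# Constructed hourly metered usage for one IaaS tenant: (hour, billable requests).
# Hours 0-19 follow a normal diurnal pattern; from hour 20 the metered endpoint is
# flooded so that the bill, not the availability, is what takes the hit.
SAMPLE_USAGE = [(h, 1500 if h % 12 < 6 else 1200) for h in range(20)]
SAMPLE_USAGE += [(20, 9000), (21, 14000), (22, 20000)]
COST_PER_1K_REQUESTS = 0.40   # constructed per-use price, USD
HOURLY_BUDGET_USD = 2.00      # hard cap the tenant is willing to pay per hour


def hourly_cost(requests, price_per_1k=COST_PER_1K_REQUESTS):
    """Metered spend for one hour of traffic."""
    return requests / 1000 * price_per_1k


def detect_cost_surges(usage, baseline_hours=12, surge_factor=3.0, budget=HOURLY_BUDGET_USD):
    """Flag hours whose spend exceeds the hard budget or jumps to more than
    surge_factor x the median spend of the preceding baseline window.
    A median baseline is used so the attack hours do not drag the baseline
    upward once they enter the window. Returns (hour, cost, baseline, reason)."""
    alerts = []
    for i, (hour, reqs) in enumerate(usage):
        cost = hourly_cost(reqs)
        window = [hourly_cost(r) for _, r in usage[max(0, i - baseline_hours):i]]
        baseline = median(window) if window else cost
        reasons = []
        if cost > budget:
            reasons.append("over-budget")
        if window and cost > surge_factor * baseline:
            reasons.append("surge")
        if reasons:
            alerts.append((hour, round(cost, 2), round(baseline, 2), "+".join(reasons)))
    return alerts


def excess_spend(alerts):
    """Dollars billed above baseline during the flagged hours: the figure to
    take to the provider, and the argument for a spending cap or rate limit."""
    return round(sum(cost - baseline for _, cost, baseline, _ in alerts), 2)
```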

Page 47:

Future Candidates to Think About

• All things cloudy: mobile / tablets
– Application hacking
– Location-based service hacking
– Eavesdropping

• Social hacking
– Location-based service hijacking
– “Meatspace” attacks
– Hacking the social graph
– Hacking social trust
– Vendor misuse or abuse

Page 48:

Co-operation is the new control

Page 49:

CSA TOP THREATS SURVEY
Feedback from the masses

Page 50:

Survey Overview

• Solicited feedback from cloud providers and consumers

• Survey promoted through technical blogs, on the CSA website, and at the RSA CSA Cloud Security Summit

• Received more than 300 responses to the survey

• Survey open from January to March 2010

Page 51:

Survey Highlights: Demographics

Chart: Cloud Response Usage (Cloud Vendor, Cloud Consumer, Other); values shown: 24.12%, 44.84%, 31.03%

Chart: Organization Breakdown* (Small Business, Medium and Enterprise, Large Enterprise, Government, Other); values shown: 22.90%, 33.50%, 21.00%, 4.40%, 18.20%

* # of employees: Small Business < 100, Medium 100-10,000, Large > 10,000

Page 52:

Top Survey Statistics: Data Leakage

82% of respondents believe that the likelihood of Data Leakage in the cloud is possible, likely, or frequent.

Chart: Likelihood of Data Leakage Occurring

Very Unlikely     6.15%
Unlikely         12.31%
Possible         34.56%
Likely           31.49%
Frequently       15.49%

Page 53:

Top Survey Statistics: Malicious Insiders

76% of respondents believe that the likelihood of Malicious Insiders in the cloud is possible, likely, or frequent.

Chart: Likelihood of Malicious Insider (Very Unlikely, Unlikely, Possible, Likely, Frequently); values shown: 6.11%, 19.04%, 44.20%, 25.15%, 5.50%

Page 54:

Survey Results

Rank  Threat                                        Percentage
1     Data Loss/Leakage                             26.5%
2     Abuse and Nefarious Use of Cloud Computing    19.4%
3     Insecure APIs                                 14.2%
4     Malicious Insiders                            12.9%
5     Account/Service and Traffic Hijacking         12.3%
6     Unknown Risk Profile                           8.4%
7     Shared Technology Vulnerabilities              6.5%

Page 55:

Status

Page 56:

Participation

http://cloudsecurityalliance.org/topthreats_form.html

Page 57:

Questions

http://cloudsecurityalliance.org/topthreats

Michael SuttonVP, Security [email protected]

Dan [email protected]