Your SlideShare is downloading. ×
Anatomy of a Public Cloud Attack | CSA Orlando
Upcoming SlideShare
Loading in...5

Thanks for flagging this SlideShare!

Oops! An error has occurred.

Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

Anatomy of a Public Cloud Attack | CSA Orlando


Published on

  • Be the first to comment

No Downloads
Total Views
On Slideshare
From Embeds
Number of Embeds
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

No notes for slide


  • 1. CSA 2012 – OrlandoAnatomy of a PublicCloud AttackAaron C. Newman
  • 2. Agenda:• Overview of Public Cloud Security• Attacks from the Public Cloud• Search Engine Attacks on Public Cloud• Economic Denial of Sustainability Attacks• Attacks on the Public Cloud
  • 3. Overview of Public Cloud Security
  • 4. State of Cloud Security• 15 years ago– The datacenter as an island, external access mediated– Security issues rarely understood– Security tools immature• The data center opened up– Suppliers, customers, partners could connect directly to your datacenter– Robust solutions adopted, ranging from DLP, IDS, IPS, SEIM, VA• Move to the cloud– Perimeter security is officially dead, data can be accessed from anywhere– Cloud provider security tools are immatureSurvey of 100 hackers at Defcon 201296% of the respondents think that the cloud creates new opportunities for hacking86% believe that “cloud vendors aren’t doing enough to address cyber-security issues.”
  • 5. Cloud Threats• Cloud Provider– Disgruntled employees– Natural disasters– Theft of physical equipment– Cloud provider hacked• External Threats– Hackers (LulzSec, Anonymous)– Governments• Stuxnet (US government targets Iran)• Operation Aurora (Chinese government targets Rackspace/others)• Internal Threats (still your biggest threat)– Developers, cloud admins, users
  • 6. Thinking Like a Hacker• Large Attack surface– Single successful attack can net many securitycompromises– Clouds provide homogeneous environments• To defend against the hacker– Think like the hacker– Go home and figure out how YOU would hack intoyour account– Then plug the holes– Defense-in-depth
  • 7. Attacks from the Public Cloud
  • 8. Using Clouds to Break Encryption• Clouds provide inexpensive ways to do massively parallel processing• Perfect for cracking encryption keys• July 2012 Defcon - Cryptohaze Cloud Cracking• Open source Cryptohaze tool suite implements network-clustered GPU acceleratedpassword cracking (both brute force & rainbow tables)• AWS Cluster GPU Instances crack SHA1• Quote from German Thomas Roth• “able to crack all hashes from [the 560 character SHA1 hash] with a password lengthfrom one to six in only 49 minutes (one hour costs $2.10 [£1.30] by the way),“• Researcher uses AWS cloud to crack Wi-Fi passwords• Cloud Cracking Suite (CCS) released on Jan 2012 at Black Hat security conference• Crack a WPA-PSK handshake at a speed of 400,000 attempted passwords persecond using eight GPU-based AWS instances
  • 9. Major Attacks from the Cloud• Dark clouds or black clouds• How do you shut down a hacker on the cloud?• Cloud not only cheap – provides anonymity• Amazon cloud used in PlayStation Network hack•• Hackers rent AWS EC2 instances under an alias• Amazon S3 hosts banking trojan• Kaspersky Lab reports S3 hosts the command andcontrol channels for SpyEye banking trojan
  • 10. Search Engine Attackson Public Cloud
  • 11. Public Cloud Search Engine AttacksDemo:Search Diggity (Code Search, NotInMyBackyard)
  • 12. Economic Denial ofSustainability Attacks
  • 13. EDoS Attacks• Variation of Distributed Denial of Service Attack– Goal is not to overload and crash an application– Instead to cause the server hosting costs to overwhelmthe victim’s budget“the infrastructure allows scaling of servicebeyond the economic means of the vendorto pay their cloud-based service bills”-
  • 14. Worst Case Scenario – AWS CloudFront•• Author calculated maximum possible charge– Used default limit of 1000 requests per second and1000 megabits per second– At the end of 30 days a maximum of 324TB of datacould have been downloaded (theoretically)– $42,000 per month for a single edge location– CloudFront has 30 edge locations
  • 15. Stories and Lessons Learned• Anecdotes from burned users– Personal website hacked by file sharers– Received bill for $10,000• Note: AWS only charges for data out– All data transfer in is at $0.000 per GB– Mitigates costs – if you don’t respond to requests, doesn’t costyou anything• Use pre-paid credit cards or credit card with appropriatecredit limit– Not sure if this limits your liability legally
  • 16. Solutions?• Amazon limits/caps have been “in the works”since 2006– Each year Amazon talks about intention of releasingthe feature• May 2012 – Amazon announces Billing Alerts–– Helps alert you when this starts happening to you– Could still be a costly few hours
  • 17. Attacks on the Public Cloud
  • 18. Password Attacks• Brute forcing of accounts and passwords– Often no password lockout, just keep hammering away– RDS (Oracle, MySQL, and SQL Server), SQL Azure, AWSaccounts• Example: Enumerating AWS account numbers–<12 digit numbershere>/a?Action=SendMessage– Response tells you if the account exists• Old school attacks on an OS sitting in cloud– Typically secure defaults– Much more heterogeneous
  • 19. Easily Guessed Passwords• Need to guess username also if you don’t already know– Social engineering, research to make good guesses• Passwords can be “guessed”– Attacking a single account with 100k passwords– Attacking many accounts with a few very common passwords– People leave test/test or password same as username• Password dictionaries–– The wordlists are intended primarily for use with passwordcrackers …
  • 20. Misconfigured Security Settings• Scanning Amazon S3 to identify publiclyaccessible buckets–• Open source tool – Bucket Finder– script launches a dictionary attack on the names ofS3 buckets and interrogates the bucket for a list ofpublic and private files– Creates an EDoS
  • 21. Demo:Bucket Finder
  • 22. SQL Injection• Try to modify the query• Change:Select * from my_tablewhere column_x = ‘1’• To:Select * from my_tablewhere column_x = ‘1’UNION select credit_card_numberfrom orders where ‘q’=‘q’
  • 23. Hackers Reset Your SQL Firewall• Set the product_category to :test’; sys.sp_set_database_firewall_ruleXXXXX; --• The SQL Statement is now:SELECT ProductName FROM Products WHEREProductCategory=test’;sys.sp_set_database_firewall_rule XXXXX; -–’
  • 24. 5 Prevention Strategies• Keep a close handle on what you are running in the cloud• Educate yourself on how the cloud works• Stay Patched– Stay on top of all the security alerts and bulletins• Defense in Depth• Multiple Levels of Security– Regularly perform audits and penetration tests on your cloud– Encryption of data-in-motion / data-at-rest / data-in-use– Monitor cloud activity log files
  • 25. Questions?Questions on:• Clouds• Security
  • 26. Thank You for AttendingGet your FREEMIUM account tocheck your public cloudat www.cloudcheckr.comAaron Newman is the Founderof CloudCheckr ( contact me with additional questions