AWS Meet-up San Francisco: Cloud Security

CloudCheckr Founder Aaron Newman presents a comprehensive overview of AWS security threats and mitigation strategies.

  • We spend too much time thinking about PCI compliance, shared hardware, not enough on actual threats

Presentation Transcript

  • AWS Security Threats
    San Francisco AWS Meetup Group
    Aaron C. Newman, Founder, CloudCheckr
    Aaron.Newman@CloudCheckr.com
    Feb 11, 2013
  • Agenda
    • Overview of Public Cloud Security
    • Attacks from AWS
    • Using Search Engines to Attack AWS
    • Economic Denial of Sustainability Attacks
    • Attacks on AWS
  • Overview of Public Cloud Security
  • State of Cloud Security
    • 15 years ago
      – The datacenter as an island, external access mediated
      – Security issues rarely understood
      – Security tools immature
    • The data center opened up
      – Suppliers, customers, partners could connect directly to your datacenter
      – Robust solutions adopted, ranging from DLP, IDS, IPS, SIEM, VA
    • Move to the cloud
      – Perimeter security is officially dead; data can be accessed from anywhere
      – Cloud provider security tools are immature
    • Survey of 100 hackers at Defcon 2012
      – 96% of the respondents think that the cloud creates new opportunities for hacking
      – 86% believe that “cloud vendors aren’t doing enough to address cyber-security issues.”
  • Cloud Threats
    • Cloud Provider
      – Disgruntled employees
      – Natural disasters
      – Theft of physical equipment
      – Cloud provider hacked
    • External Threats
      – Hackers (LulzSec, Anonymous)
      – Governments
        • Stuxnet (US government targets Iran)
        • Operation Aurora (Chinese government targets Rackspace/others)
    • Internal Threats (still your biggest threat)
      – Developers, cloud admins, users
  • Thinking Like a Hacker
    • Large attack surface
      – A single successful attack can net many security compromises
      – Clouds provide homogeneous environments
    • To defend against the hacker
      – Think like the hacker
      – Go home and figure out how YOU would hack into your account
      – Then plug the holes
      – Defense-in-depth
  • Attacks using AWS
  • Using Clouds to Break Encryption
    • Clouds provide inexpensive ways to do massively parallel processing
    • July 2012 Defcon – Cryptohaze Cloud Cracking
      – Open source Cryptohaze tool suite implements network-clustered, GPU-accelerated password cracking (both brute force and rainbow tables)
    • AWS Cluster GPU Instances crack SHA1
      – Perfect for cracking encryption keys
      – Quote from German researcher Thomas Roth: “able to crack all hashes from [the 560 character SHA1 hash] with a password length from one to six in only 49 minutes (one hour costs $2.10 [£1.30] by the way)”
    • Researcher uses AWS cloud to crack Wi-Fi passwords
      – Cloud Cracking Suite (CCS) released in Jan 2012 at the Black Hat security conference
      – Cracks a WPA-PSK handshake at a speed of 400,000 attempted passwords per second using eight GPU-based AWS instances
  • Major Attacks from the Cloud
    • Dark/black/storm clouds
    • How do you shut down a hacker on the cloud?
    • The cloud is not only cheap; it also provides anonymity
    • Amazon cloud used in PlayStation Network hack
      – http://www.zdnet.com/amazon-cloud-used-in-playstation-network-hack4010022454/
      – Hackers rented AWS EC2 instances under an alias
    • Amazon S3 hosts banking trojan
      – Kaspersky Lab reports S3 hosts the command and control channels for the SpyEye banking trojan
  • Using Search Engines to Attack AWS
  • Public Cloud Search Engine Attacks
    • Demo: Search Diggity (Code Search, NotInMyBackyard), AKA Google Hacking
    • Rich Mogull blog post: My $500 Cloud Security Screwup
  • Economic Denial of Sustainability Attacks
  • EDoS Attacks
    • Variation of the Distributed Denial of Service attack
      – Goal is not to overload and crash an application
      – Instead, to cause the server hosting costs to overwhelm the victim’s budget
    • “the infrastructure allows scaling of service beyond the economic means of the vendor to pay their cloud-based service bills” – http://rationalsecurity.typepad.com
  • Worst Case Scenario – AWS CloudFront
    • http://www.reviewmylife.co.uk/blog/2011/05/19/amazon-cloudfront-and-s3-maximum-cost/
    • Author calculated the maximum possible charge
      – Used the default limits of 1000 requests per second and 1000 megabits per second
      – At the end of 30 days a maximum of 324 TB of data could have been downloaded (theoretically)
      – $42,000 per month for a single edge location
      – CloudFront has 30 edge locations
  • Stories and Lessons Learned
    • Anecdotes from burned users
      – Personal website hacked by file sharers
      – Received a bill for $10,000
    • Note: AWS only charges for data out
      – All data transfer in is at $0.000 per GB
      – Mitigates costs: if you don’t respond to requests, it doesn’t cost you anything
    • Use pre-paid credit cards or a credit card with an appropriate credit limit
      – Not sure if this limits your liability legally
  • Solutions?
    • Amazon limits/caps have been “in the works” since 2006
      – Each year Amazon talks about its intention of releasing the feature
    • May 2012 – Amazon announces Billing Alerts
      – http://aws.amazon.com/about-aws/whatsnew/2012/05/10/announcing-aws-billing-alerts/
      – Helps alert you when this starts happening to you
      – Could still be a costly few hours
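To make the CloudFront worst case and the "costly few hours" gap concrete, here is an added Python example; it is my code, not the speaker's or CloudCheckr's. It reproduces the 324 TB bound from the rate limits quoted above and contrasts an absolute-charge alert with a burn-rate projection. The per-GB price parameter, the sample billing datapoints and the projection rule are assumptions for illustration, not a description of how AWS Billing Alerts actually evaluate.

```python
"""Worst-case CloudFront transfer bound and a burn-rate billing check.

Added example; not code from the talk or from CloudCheckr. The rate-based
projection is an assumption about how one might extend the absolute-threshold
Billing Alerts the slide mentions, not a description of the AWS feature.
"""
from typing import Dict, List, Tuple

SECONDS_PER_DAY = 86_400
BITS_PER_BYTE = 8
HOURS_IN_BILLING_MONTH = 30 * 24


def max_transfer_tb(megabits_per_second: float, days: int) -> float:
    """Upper bound on data served if one edge location runs at its bandwidth
    limit for the whole period, in decimal terabytes (10**12 bytes).

    The slide's figure: 1000 Mbit/s for 30 days -> 324 TB.
    """
    megabytes_per_second = megabits_per_second / BITS_PER_BYTE
    megabytes = megabytes_per_second * days * SECONDS_PER_DAY
    return megabytes / 1_000_000


def max_transfer_cost(megabits_per_second: float, days: int, usd_per_gb: float) -> float:
    """Worst-case data-out charge for one edge location at a given per-GB price.
    usd_per_gb is a parameter; the talk quotes only the resulting ~$42,000 figure."""
    return max_transfer_tb(megabits_per_second, days) * 1000 * usd_per_gb


# One (hour_of_month, estimated_charges_usd) sample, as a billing alarm would see it.
Sample = Tuple[float, float]


def projected_month_end(samples: List[Sample]) -> float:
    """Extrapolate the latest burn rate (USD/hour between the last two samples)
    to the end of a 30-day billing month."""
    if len(samples) < 2:
        raise ValueError("need at least two samples to compute a burn rate")
    (t0, c0), (t1, c1) = samples[-2], samples[-1]
    if t1 <= t0:
        raise ValueError("samples must be in increasing time order")
    usd_per_hour = (c1 - c0) / (t1 - t0)
    remaining_hours = max(HOURS_IN_BILLING_MONTH - t1, 0)
    return c1 + usd_per_hour * remaining_hours


def should_alert(samples: List[Sample], budget_usd: float) -> Dict[str, object]:
    """Compare an absolute-threshold check (charges already over budget) with a
    burn-rate check (charges will be over budget at this pace). The second one
    fires hours earlier during an EDoS, while the bill is still small."""
    latest = samples[-1][1]
    projected = projected_month_end(samples)
    return {
        "over_budget_now": latest >= budget_usd,
        "projected_over_budget": projected > budget_usd,
        "projected_usd": projected,
    }


# Constructed sample: a site that normally costs about $10/day suddenly starts
# serving bulk downloads on day 10 (hour 240) of the month.
CONSTRUCTED_SAMPLES: List[Sample] = [
    (234.0, 97.5),
    (240.0, 100.0),
    (246.0, 400.0),   # $300 in six hours: a $50/hour burn rate
]

if __name__ == "__main__":
    print(f"worst case per edge location: {max_transfer_tb(1000, 30):.0f} TB")
    print(should_alert(CONSTRUCTED_SAMPLES, budget_usd=1000.0))
```

With the constructed samples the absolute check is still quiet at $400, while the burn-rate projection already points at roughly $24,000 by month end, which is the kind of early signal a billing alarm threshold alone does not give.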
  • Attacks on AWS
  • Password Attacks
    • Brute forcing of accounts and passwords
      – Often no password lockout, just keep hammering away
      – RDS (Oracle, MySQL, and SQL Server), AWS accounts
    • Example: Enumerating AWS account numbers
      – https://queue.amazonaws.com/<12 digit numbers here>/a?Action=SendMessage
      – Response tells you if the account exists
    • Old school attacks on an OS sitting in the cloud
      – Typically secure defaults
      – Much more heterogeneous
  • Easily Guessed Passwords
    • Need to guess the username also if you don’t already know it
      – Social engineering, research to make good guesses
    • Passwords can be “guessed”
      – Attacking a single account with 100k passwords
      – Attacking many accounts with a few very common passwords
      – People leave test/test or a password the same as the username
    • Password dictionaries
      – http://www.openwall.com/passwords/wordlists/
      – The wordlists are intended primarily for use with password crackers …
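The two slides above describe two guessing patterns that need different detection rules: many passwords against one account, and a few passwords against many accounts. The following added Python example (mine, not from the talk) runs both rules over MySQL-style "Access denied" error-log lines, the kind an RDS MySQL instance writes. The log lines are constructed, and the thresholds are assumptions to tune for your own environment.

```python
"""Flag brute-force and password-spray patterns in MySQL 'Access denied' log lines.

Added example; not from the talk. The log lines are constructed, and the
thresholds are assumptions to tune for your own environment. This script only
parses error-log text that is already in hand.
"""
import re
from collections import defaultdict
from typing import Dict, List

# MySQL 5.x error-log line:
# "<date> <time> [Warning] Access denied for user 'u'@'host' (using password: YES)"
ACCESS_DENIED = re.compile(r"Access denied for user '(?P<user>[^']*)'@'(?P<host>[^']+)'")

# Constructed sample log; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
CONSTRUCTED_LOG = """\
130211 10:00:01 [Warning] Access denied for user 'admin'@'203.0.113.7' (using password: YES)
130211 10:00:01 [Warning] Access denied for user 'admin'@'203.0.113.7' (using password: YES)
130211 10:00:02 [Warning] Access denied for user 'admin'@'203.0.113.7' (using password: YES)
130211 10:00:02 [Warning] Access denied for user 'admin'@'203.0.113.7' (using password: YES)
130211 10:00:03 [Warning] Access denied for user 'admin'@'203.0.113.7' (using password: YES)
130211 10:05:10 [Warning] Access denied for user 'test'@'198.51.100.9' (using password: YES)
130211 10:05:11 [Warning] Access denied for user 'root'@'198.51.100.9' (using password: YES)
130211 10:05:12 [Warning] Access denied for user 'backup'@'198.51.100.9' (using password: YES)
130211 10:05:13 [Warning] Access denied for user 'app'@'198.51.100.9' (using password: NO)
130211 10:09:00 [Note] Plugin 'FEDERATED' is disabled.
130211 10:10:00 [Warning] Access denied for user 'app'@'10.0.0.5' (using password: YES)
"""


def parse_failures(log_text: str) -> List[Dict[str, str]]:
    """Return one {'user', 'host'} record per Access denied line; other lines are ignored."""
    failures = []
    for line in log_text.splitlines():
        m = ACCESS_DENIED.search(line)
        if m:
            failures.append(m.groupdict())
    return failures


def detect(log_text: str, brute_threshold: int = 5, spray_threshold: int = 3) -> Dict[str, list]:
    """Two complementary rules:
    - brute force: one host hits one account at least brute_threshold times
      (the '100k passwords against a single account' case);
    - spray: one host tries at least spray_threshold distinct accounts
      (the 'few common passwords against many accounts' case), which a
      per-account lockout or per-account failure counter never sees."""
    per_pair = defaultdict(int)
    users_per_host = defaultdict(set)
    for f in parse_failures(log_text):
        per_pair[(f["host"], f["user"])] += 1
        users_per_host[f["host"]].add(f["user"])
    brute = [
        {"host": h, "user": u, "failures": n}
        for (h, u), n in sorted(per_pair.items())
        if n >= brute_threshold
    ]
    spray = [
        {"host": h, "accounts": sorted(users)}
        for h, users in sorted(users_per_host.items())
        if len(users) >= spray_threshold
    ]
    return {"brute_force": brute, "spray": spray}


if __name__ == "__main__":
    for rule, hits in detect(CONSTRUCTED_LOG).items():
        for hit in hits:
            print(rule, hit)
```

Note that the single failure from 10.0.0.5 trips neither rule; a lone typo is normal, and keeping the per-pair and per-host counters separate is what lets the spray rule fire even though no individual account there failed more than once.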
  • Vulnerabilities in RDS
    • MySQL versions
      – Many vulnerable versions
      – Make sure you are using the latest release
      – Link to the issues
    • RDS security groups should always be restricted to specific trusted networks
  • Misconfigured Security Settings
    • Scanning Amazon S3 to identify publicly accessible buckets
      – http://cloudcheckr.com/2012/05/aws-s3-bucketsbucket-finder/
    • Open source tool – Bucket Finder
      – Script launches a dictionary attack on the names of S3 buckets and interrogates each bucket for a list of public and private files
      – Creates an EDoS
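The RDS slide says security groups should name specific trusted networks, and the S3 slide shows what a bucket-listing script finds when they are not. The added Python example below (mine, not the talk's or CloudCheckr's code) audits for both from your own side: world-open CIDR ranges in RDS DB security groups, and S3 bucket ACL grants to the AllUsers or AuthenticatedUsers groups. The input dicts mirror the shape of `aws rds describe-db-security-groups` and `aws s3api get-bucket-acl` output, but the data is constructed, not captured from an account.

```python
"""Audit two misconfigurations from the talk: RDS security groups open to the
world and S3 buckets readable or writable by everyone.

Added example; not from the talk or CloudCheckr. The input dicts mirror the
shape of `aws rds describe-db-security-groups` and `aws s3api get-bucket-acl`
output, but the data below is constructed, not captured from an account.
"""
import ipaddress
from typing import Dict, List

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

# Constructed: shape of `aws rds describe-db-security-groups` output.
CONSTRUCTED_DB_SECURITY_GROUPS = {
    "DBSecurityGroups": [
        {
            "DBSecurityGroupName": "prod-mysql",
            "IPRanges": [{"Status": "authorized", "CIDRIP": "10.0.0.0/16"}],
        },
        {
            "DBSecurityGroupName": "dev-mysql",
            "IPRanges": [
                {"Status": "authorized", "CIDRIP": "0.0.0.0/0"},
                {"Status": "authorized", "CIDRIP": "198.51.100.0/22"},
            ],
        },
    ]
}

# Constructed: shape of `aws s3api get-bucket-acl` output, keyed by bucket name.
CONSTRUCTED_BUCKET_ACLS = {
    "backups-example": {
        "Grants": [
            {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id-placeholder"},
             "Permission": "FULL_CONTROL"},
        ]
    },
    "www-assets-example": {
        "Grants": [
            {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id-placeholder"},
             "Permission": "FULL_CONTROL"},
            {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
            {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS}, "Permission": "WRITE"},
        ]
    },
}


def open_rds_ranges(description: Dict, max_prefix_len: int = 8) -> List[Dict]:
    """Flag authorized CIDR ranges that are the whole Internet or broader than a
    /8: a DB security group should name specific trusted networks only.
    max_prefix_len is an assumed policy knob, not an AWS setting."""
    findings = []
    for group in description.get("DBSecurityGroups", []):
        for ip_range in group.get("IPRanges", []):
            if ip_range.get("Status") != "authorized":
                continue
            net = ipaddress.ip_network(ip_range["CIDRIP"], strict=False)
            if net.prefixlen <= max_prefix_len:
                findings.append({"group": group["DBSecurityGroupName"], "cidr": str(net)})
    return findings


def public_bucket_grants(acls: Dict[str, Dict]) -> List[Dict]:
    """Flag ACL grants to the AllUsers (anonymous) or AuthenticatedUsers (any AWS
    account) groups. READ on a bucket lets anyone list its keys, which is exactly
    what a bucket-enumeration script relies on; WRITE lets strangers store
    objects that you are billed for."""
    findings = []
    for bucket, acl in acls.items():
        for grant in acl.get("Grants", []):
            grantee = grant.get("Grantee", {})
            uri = grantee.get("URI")
            if grantee.get("Type") == "Group" and uri in (ALL_USERS, AUTHENTICATED_USERS):
                findings.append({
                    "bucket": bucket,
                    "audience": "anonymous" if uri == ALL_USERS else "any AWS account",
                    "permission": grant["Permission"],
                })
    return findings


if __name__ == "__main__":
    for f in open_rds_ranges(CONSTRUCTED_DB_SECURITY_GROUPS):
        print("RDS group open to the world:", f)
    for f in public_bucket_grants(CONSTRUCTED_BUCKET_ACLS):
        print("Public S3 grant:", f)
```

To run this against a real account, feed the functions the parsed JSON of the two CLI commands named above; the checks deliberately treat AuthenticatedUsers as public, since any AWS account holder qualifies.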
  • Demo: Bucket Finder
  • 5 Prevention Strategies
    • Keep a close handle on what you are running in the cloud
    • Educate yourself on how the cloud works
    • Stay patched
      – Stay on top of all the security alerts and bulletins
    • Defense in depth
    • Multiple levels of security
      – Regularly perform audits and penetration tests on your cloud
      – Encryption of data-in-motion / data-at-rest / data-in-use
      – Monitor cloud activity log files
  • What is CloudCheckr?
    CloudCheckr provides visibility into AWS:
    • Cost Optimization, Allocation, Reporting
    • Resource Utilization
    • > 250 Best Practice Checks
    • Trending Analysis
    • Change Monitoring
  • Questions?
    Questions on:
    • Clouds
    • Security
  • Thank You for Attending
    For a free 14 day trial, visit www.cloudcheckr.com
    Aaron Newman is the Founder of CloudCheckr (www.cloudcheckr.com)
    Please contact me with additional questions at: aaron.newman@cloudcheckr.com