Cloud security : Boston AWS user group
Published in: Technology
  • Notes: We spend too much time thinking about PCI compliance, shared hardware, not enough on actual threats
  • Transcript

    • 1. AWS Security Threats
      Boston AWS Meetup Group
      Aaron C. Newman, Founder, CloudCheckr
      Aaron.Newman@CloudCheckr.com
      October 21, 2013
    • 2. Agenda
      • Overview of Public Cloud Security
      • Attacks from AWS
      • Using Search Engines to Attack AWS
      • Economic Denial of Sustainability Attacks
      • Attacks on AWS
    • 3. Overview of Public Cloud Security
    • 4. State of Cloud Security
      • 15 years ago
        – The datacenter as an island, external access mediated
        – Security issues rarely understood
        – Security tools immature
      • The data center opened up
        – Suppliers, customers, partners could connect directly to your datacenter
        – Robust solutions adopted, ranging from DLP, IDS, IPS, SIEM, VA
      • Move to the cloud
        – Perimeter security is officially dead, data can be accessed from anywhere
        – Cloud provider security tools are immature
      • Survey of 100 hackers at Defcon 2012
        – 96% of the respondents think that the cloud creates new opportunities for hacking
        – 86% believe that “cloud vendors aren’t doing enough to address cyber-security issues.”
    • 5. Cloud Threats
      • Cloud Provider
        – Disgruntled employees
        – Natural disasters
        – Theft of physical equipment
        – Cloud provider hacked
      • External Threats
        – Hackers (LulzSec, Anonymous)
        – Governments
          • Stuxnet (US government targets Iran)
          • Operation Aurora (Chinese government targets Rackspace/others)
      • Internal Threats (still your biggest threat)
        – Developers, cloud admins, users
    • 6. Thinking Like a Hacker
      • Large attack surface
        – A single successful attack can net many security compromises
        – Clouds provide homogeneous environments
      • To defend against the hacker
        – Think like the hacker
        – Go home and figure out how YOU would hack into your account
        – Then plug the holes
        – Defense-in-depth
    • 7. Attacks using AWS
    • 8. Using Clouds to Break Encryption
      • Clouds provide inexpensive ways to do massively parallel processing
      • July 2012 Defcon – Cryptohaze Cloud Cracking
        – Open source Cryptohaze tool suite implements network-clustered, GPU-accelerated password cracking (both brute force and rainbow tables)
      • AWS Cluster GPU Instances crack SHA1
        – Perfect for cracking encryption keys
        – Quote from German researcher Thomas Roth: “able to crack all hashes from [the 560 character SHA1 hash] with a password length from one to six in only 49 minutes (one hour costs $2.10 [£1.30] by the way)”
      • Researcher uses AWS cloud to crack Wi-Fi passwords
        – Cloud Cracking Suite (CCS) released in Jan 2012 at the Black Hat security conference
        – Cracks a WPA-PSK handshake at a speed of 400,000 attempted passwords per second using eight GPU-based AWS instances
    • 9. Major Attacks from the Cloud
      • Dark clouds or black clouds
      • How do you shut down a hacker on the cloud?
      • Cloud not only cheap – provides anonymity
      • Amazon cloud used in PlayStation Network hack
        – http://www.zdnet.com/amazon-cloud-used-in-playstation-network-hack4010022454/
        – Hackers rent AWS EC2 instances under an alias
      • Amazon S3 hosts banking trojan
        – Kaspersky Lab reports S3 hosts the command and control channels for the SpyEye banking trojan
    • 10. Using Search Engines to Attack AWS
    • 11. Public Cloud Search Engine Attacks
      • Demo: Search Diggity (Code Search, NotInMyBackyard)
      • AKA Google Hacking
    • 12. Economic Denial of Sustainability Attacks
    • 13. EDoS Attacks
      • Variation of Distributed Denial of Service Attack
        – Goal is not to overload and crash an application
        – Instead to cause the server hosting costs to overwhelm the victim’s budget
      • “the infrastructure allows scaling of service beyond the economic means of the vendor to pay their cloud-based service bills” – http://rationalsecurity.typepad.com
    • 14. Worst Case Scenario – AWS CloudFront
      • http://www.reviewmylife.co.uk/blog/2011/05/19/amazon-cloudfront-and-s3-maximum-cost/
      • Author calculated maximum possible charge
        – Used default limit of 1000 requests per second and 1000 megabits per second
        – At the end of 30 days a maximum of 324TB of data could have been downloaded (theoretically)
        – $42,000 per month for a single edge location
        – CloudFront has 30 edge locations
    • 15. Stories and Lessons Learned
      • Anecdotes from burned users
        – Personal website hacked by file sharers
        – Received bill for $10,000
      • Note: AWS only charges for data out
        – All data transfer in is at $0.000 per GB
        – Mitigates costs – if you don’t respond to requests, it doesn’t cost you anything
      • Use pre-paid credit cards or a credit card with an appropriate credit limit
        – Not sure if this limits your liability legally
    • 16. Solutions?
      • Amazon limits/caps have been “in the works” since 2006
        – Each year Amazon talks about its intention of releasing the feature
      • May 2012 – Amazon announces Billing Alerts
        – http://aws.amazon.com/about-aws/whatsnew/2012/05/10/announcing-aws-billing-alerts/
        – Helps alert you when this starts happening to you
        – Could still be a costly few hours
    • 17. Attacks on AWS
    • 18. Password Attacks
      • Brute forcing of accounts and passwords
        – Often no password lockout, just keep hammering away
        – RDS (Oracle, MySQL, and SQL Server), AWS accounts
      • Example: Enumerating AWS account numbers
        – https://queue.amazonaws.com/<12 digit numbers here>/a?Action=SendMessage
        – Response tells you if the account exists
      • Old school attacks on an OS sitting in the cloud
        – Typically secure defaults
        – Much more heterogeneous
    • 19. Easily Guessed Passwords
      • Need to guess the username also if you don’t already know it
        – Social engineering, research to make good guesses
      • Passwords can be “guessed”
        – Attacking a single account with 100k passwords
        – Attacking many accounts with a few very common passwords
        – People leave test/test or a password the same as the username
      • Password dictionaries
        – http://www.openwall.com/passwords/wordlists/
        – The wordlists are intended primarily for use with password crackers …
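Slides 18 and 19 describe the two guessing patterns that show up in cloud activity logs: one source hammering a single account with many passwords, and one source trying a few common passwords against many accounts. The detection below is an added example, not part of the deck or of any CloudCheckr tool. It assumes CloudTrail-style ConsoleLogin records (eventName, sourceIPAddress, userIdentity.userName, responseElements.ConsoleLogin), and the log lines it runs over are constructed sample data using documentation IP ranges.

```python
import json
from collections import defaultdict


def _event(ip, user, outcome, second):
    """Build one constructed CloudTrail-style ConsoleLogin record (sample data, not a real log)."""
    return json.dumps({
        "eventTime": "2013-10-21T09:00:%02dZ" % second,
        "eventName": "ConsoleLogin",
        "sourceIPAddress": ip,
        "userIdentity": {"type": "IAMUser", "userName": user},
        "responseElements": {"ConsoleLogin": outcome},
    })


# Constructed sample log, one JSON record per line: one source hammers a single
# account, another source tries a handful of accounts with a common password.
SAMPLE_LOG = "\n".join(
    [_event("198.51.100.7", "alice", "Failure", s) for s in range(6)]
    + [_event("203.0.113.9", u, "Failure", 10 + i)
       for i, u in enumerate(["test", "admin", "bob", "carol"])]
    + [_event("192.0.2.10", "alice", "Success", 20),
       _event("203.0.113.9", "dave", "Success", 21)]
)


def parse_events(text):
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def failed_logins(events):
    """Yield (source IP, user name) for every failed ConsoleLogin event.

    Real CloudTrail masks the user name when the account does not exist
    ("HIDDEN_DUE_TO_SECURITY_REASONS"); such records still count per source IP.
    """
    for e in events:
        if e.get("eventName") != "ConsoleLogin":
            continue
        if e.get("responseElements", {}).get("ConsoleLogin") != "Failure":
            continue
        yield e.get("sourceIPAddress"), e.get("userIdentity", {}).get("userName")


def detect_brute_force(events, max_failures=5):
    """Return {(ip, user): failures} for pairs above max_failures (one account, many passwords)."""
    counts = defaultdict(int)
    for ip, user in failed_logins(events):
        counts[(ip, user)] += 1
    return {k: n for k, n in counts.items() if n > max_failures}


def detect_password_spray(events, min_users=3):
    """Return {ip: [users]} for sources that failed against at least min_users distinct accounts."""
    users = defaultdict(set)
    for ip, user in failed_logins(events):
        users[ip].add(user)
    return {ip: sorted(u) for ip, u in users.items() if len(u) >= min_users}


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    print("brute force:", detect_brute_force(evts))
    print("password spray:", detect_password_spray(evts))
```

The thresholds are deliberately low so the sample trips both rules; in production they should be tuned per environment and evaluated over a sliding time window, which this example omits for brevity.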
    • 20. Vulnerabilities in RDS
      • MySQL versions
        – Many vulnerable versions
        – Make sure you are using the latest release
        – Link to the issues
      • RDS security groups should always be restricted to specific trusted networks
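Slide 20's last point, that database security groups must be restricted to specific trusted networks, is something you can check mechanically. The audit below is an added example, not part of the deck; it assumes input in the shape of `aws ec2 describe-security-groups` output (IpPermissions with IpProtocol, FromPort, ToPort, IpRanges and Ipv6Ranges) and a caller-supplied list of trusted CIDRs. The group IDs and addresses in the sample are constructed.

```python
import ipaddress

# Database listener ports that should never be reachable from untrusted networks.
DB_PORTS = {3306: "MySQL", 1433: "SQL Server", 1521: "Oracle", 5432: "PostgreSQL"}

# Constructed sample in the shape of `aws ec2 describe-security-groups` output
# (group IDs, names and address ranges are made up for this example).
SAMPLE_GROUPS = {
    "SecurityGroups": [
        {"GroupId": "sg-0db0pen", "GroupName": "rds-open",
         "IpPermissions": [
             {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
              "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
        {"GroupId": "sg-0dbok", "GroupName": "rds-internal",
         "IpPermissions": [
             {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
              "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}]},
        {"GroupId": "sg-0all", "GroupName": "allow-everything",
         "IpPermissions": [
             {"IpProtocol": "-1",  # all protocols and ports
              "IpRanges": [{"CidrIp": "203.0.113.0/24"}],
              "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    ]
}


def _rule_ports(rule):
    """Ports admitted by a rule: every port for protocol -1, else FromPort..ToPort."""
    if rule.get("IpProtocol") == "-1":
        return range(0, 65536)
    lo, hi = rule.get("FromPort"), rule.get("ToPort")
    if lo is None or hi is None:
        return range(0)
    return range(lo, hi + 1)


def _is_trusted(cidr, trusted):
    """True if the CIDR lies entirely inside one of the trusted networks."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.version == t.version and net.subnet_of(t) for t in trusted)


def find_exposed_db_rules(doc, trusted_cidrs):
    """Return (group id, port, engine, cidr) for each DB port reachable from an untrusted range."""
    trusted = [ipaddress.ip_network(c, strict=False) for c in trusted_cidrs]
    findings = []
    for sg in doc.get("SecurityGroups", []):
        for rule in sg.get("IpPermissions", []):
            ports = _rule_ports(rule)
            hit = [p for p in DB_PORTS if p in ports]
            if not hit:
                continue
            ranges = [r.get("CidrIp") for r in rule.get("IpRanges", [])]
            ranges += [r.get("CidrIpv6") for r in rule.get("Ipv6Ranges", [])]
            for cidr in ranges:
                if cidr and not _is_trusted(cidr, trusted):
                    for p in hit:
                        findings.append((sg["GroupId"], p, DB_PORTS[p], cidr))
    return findings


if __name__ == "__main__":
    for gid, port, engine, cidr in find_exposed_db_rules(SAMPLE_GROUPS, ["10.0.0.0/8"]):
        print("%s exposes %s (%d) to %s" % (gid, engine, port, cidr))
```

Flagging any range outside the allowlist, rather than only 0.0.0.0/0, catches the common half-fix where a group is narrowed to an office range that is still not the intended one; a wide-open "-1" rule is reported once per database port so the finding is not lost among non-database traffic.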
    • 21. Misconfigured Security Settings
      • Scanning Amazon S3 to identify publicly accessible buckets
        – http://cloudcheckr.com/2012/05/aws-s3-bucketsbucket-finder/
      • Open source tool – Bucket Finder
        – Script launches a dictionary attack on the names of S3 buckets and interrogates the bucket for a list of public and private files
        – Creates an EDoS
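Bucket Finder works because a bucket with a public READ ACL lists its keys to anyone, and a public GetObject policy serves the objects. The owner-side counterpart, checking your own buckets for exactly those grants, is the added example below; it is not from the deck or from Bucket Finder. It assumes input in the shape of `aws s3api get-bucket-acl` (Grants with Grantee Type/URI and Permission) and `aws s3api get-bucket-policy` (a JSON policy document); the bucket names, owner ID and policy in the sample are constructed.

```python
import json

# Grantee URIs whose presence in an ACL makes the bucket public.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}

OWNER = {"Type": "CanonicalUser", "ID": "owner-canonical-id-example"}  # constructed

# Constructed sample ACLs in the shape of `aws s3api get-bucket-acl` output.
PUBLIC_ACL = {
    "Owner": {"ID": OWNER["ID"]},
    "Grants": [
        {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
        # READ on a bucket ACL lets anyone list the bucket's object keys.
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}
PRIVATE_ACL = {"Owner": {"ID": OWNER["ID"]},
               "Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}

# Constructed sample bucket policy granting object reads to everyone.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-public-bucket/*"}],
})


def public_acl_grants(acl):
    """Return (group, permission) for each ACL grant to AllUsers or AuthenticatedUsers."""
    out = []
    for g in acl.get("Grants", []):
        grantee = g.get("Grantee", {})
        group = PUBLIC_GROUPS.get(grantee.get("URI"))
        if grantee.get("Type") == "Group" and group:
            out.append((group, g.get("Permission")))
    return out


def _principal_is_public(principal):
    """Wildcard principals: "*" or {"AWS": "*"}, the latter possibly inside a list."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else list(aws))
    return False


def public_policy_statements(policy_json):
    """Return (Sid, actions, has_condition) for Allow statements granted to everyone.

    A Condition block may narrow the grant, so such statements are reported
    with a flag for manual review instead of being dropped.
    """
    out = []
    policy = json.loads(policy_json) if policy_json else {}
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for st in statements:
        if st.get("Effect") != "Allow" or not _principal_is_public(st.get("Principal")):
            continue
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else list(actions)
        out.append((st.get("Sid"), tuple(actions), "Condition" in st))
    return out


def audit_bucket(name, acl, policy_json=None):
    """Combine both checks into human-readable findings for one bucket."""
    findings = []
    for group, perm in public_acl_grants(acl):
        findings.append("%s: ACL grants %s to %s" % (name, perm, group))
    for sid, actions, conditional in public_policy_statements(policy_json):
        findings.append("%s: policy statement %s allows %s to everyone%s"
                        % (name, sid, ",".join(actions), " (conditional)" if conditional else ""))
    return findings


if __name__ == "__main__":
    for line in audit_bucket("example-public-bucket", PUBLIC_ACL, PUBLIC_POLICY):
        print(line)
```

The ACL check is the one that matters most for the dictionary-attack scenario on this slide: a bucket can have a perfectly private policy and still enumerate its contents through a READ grant to AllUsers.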
    • 22. Demo: Bucket Finder
    • 23. 5 Prevention Strategies
      • Keep a close handle on what you are running in the cloud
      • Educate yourself on how the cloud works
      • Stay Patched
        – Stay on top of all the security alerts and bulletins
      • Defense in Depth
      • Multiple Levels of Security
        – Regularly perform audits and penetration tests on your cloud
        – Encryption of data-in-motion / data-at-rest / data-in-use
        – Monitor cloud activity log files
    • 24. What is CloudCheckr?
      CloudCheckr provides visibility into AWS
      • Cost Optimization, Allocation, Reporting
      • Resource Utilization
      • > 250 Best Practice Checks
      • Trending Analysis
      • Change Monitoring
    • 25. Questions?
      Questions on:
      • Clouds
      • Security
    • 26. Thank You for Attending
      Enter promo code BOSTON for a free 30 day trial of www.cloudcheckr.com
      Aaron Newman is the Founder of CloudCheckr (www.cloudcheckr.com)
      Please contact me with additional questions at: aaron.newman@cloudcheckr.com