Anatomy of a Public Cloud Attack | CSA Orlando
CSA 2012 – Orlando
Anatomy of a Public Cloud Attack
Aaron C. Newman

Agenda:
• Overview of Public Cloud Security
• Attacks from the Public Cloud
• Search Engine Attacks on Public Cloud
• Economic Denial of Sustainability Attacks
• Attacks on the Public Cloud

Overview of Public Cloud Security

State of Cloud Security
• 15 years ago
– The datacenter as an island, external access mediated
– Security issues rarely understood
– Security tools immature
• The data center opened up
– Suppliers, customers, partners could connect directly to your datacenter
– Robust solutions adopted, ranging from DLP, IDS, IPS, SIEM, VA
• Move to the cloud
– Perimeter security is officially dead, data can be accessed from anywhere
– Cloud provider security tools are immature
Survey of 100 hackers at Defcon 2012:
96% of the respondents think that the cloud creates new opportunities for hacking
86% believe that “cloud vendors aren’t doing enough to address cyber-security issues.”

Cloud Threats
• Cloud Provider
– Disgruntled employees
– Natural disasters
– Theft of physical equipment
– Cloud provider hacked
• External Threats
– Hackers (LulzSec, Anonymous)
– Governments
  • Stuxnet (US government targets Iran)
  • Operation Aurora (Chinese government targets Rackspace/others)
• Internal Threats (still your biggest threat)
– Developers, cloud admins, users

Thinking Like a Hacker
• Large attack surface
– Single successful attack can net many security compromises
– Clouds provide homogeneous environments
• To defend against the hacker
– Think like the hacker
– Go home and figure out how YOU would hack into your account
– Then plug the holes
– Defense-in-depth

Attacks from the Public Cloud

Using Clouds to Break Encryption
• Clouds provide inexpensive ways to do massively parallel processing
• Perfect for cracking encryption keys
• July 2012 Defcon – Cryptohaze Cloud Cracking
• Open source Cryptohaze tool suite implements network-clustered, GPU-accelerated password cracking (both brute force & rainbow tables)
• AWS Cluster GPU Instances crack SHA1
• Quote from German researcher Thomas Roth:
“able to crack all hashes from [the 560 character SHA1 hash] with a password length from one to six in only 49 minutes (one hour costs $2.10 [£1.30] by the way)”
• Researcher uses AWS cloud to crack Wi-Fi passwords
• Cloud Cracking Suite (CCS) released in Jan 2012 at Black Hat security conference
• Crack a WPA-PSK handshake at a speed of 400,000 attempted passwords per second using eight GPU-based AWS instances

Major Attacks from the Cloud
• Dark clouds or black clouds
• How do you shut down a hacker on the cloud?
• Cloud not only cheap – provides anonymity
• Amazon cloud used in PlayStation Network hack
– http://www.zdnet.com/amazon-cloud-used-in-playstation-network-hack-4010022454/
– Hackers rent AWS EC2 instances under an alias
• Amazon S3 hosts banking trojan
– Kaspersky Lab reports S3 hosts the command and control channels for SpyEye banking trojan

Search Engine Attacks on Public Cloud

Public Cloud Search Engine Attacks
Demo: Search Diggity (Code Search, NotInMyBackyard)

Economic Denial of Sustainability Attacks

EDoS Attacks
• Variation of Distributed Denial of Service Attack
– Goal is not to overload and crash an application
– Instead to cause the server hosting costs to overwhelm the victim’s budget
“the infrastructure allows scaling of service beyond the economic means of the vendor to pay their cloud-based service bills”
– http://rationalsecurity.typepad.com

Worst Case Scenario – AWS CloudFront
• http://www.reviewmylife.co.uk/blog/2011/05/19/amazon-cloudfront-and-s3-maximum-cost/
• Author calculated maximum possible charge
– Used default limit of 1000 requests per second and 1000 megabits per second
– At the end of 30 days a maximum of 324 TB of data could have been downloaded (theoretically)
– $42,000 per month for a single edge location
– CloudFront has 30 edge locations

Stories and Lessons Learned
• Anecdotes from burned users
– Personal website hacked by file sharers
– Received bill for $10,000
• Note: AWS only charges for data out
– All data transfer in is at $0.000 per GB
– Mitigates costs – if you don’t respond to requests, doesn’t cost you anything
• Use pre-paid credit cards or credit card with appropriate credit limit
– Not sure if this limits your liability legally

Solutions?
• Amazon limits/caps have been “in the works” since 2006
– Each year Amazon talks about intention of releasing the feature
• May 2012 – Amazon announces Billing Alerts
– http://aws.amazon.com/about-aws/whats-new/2012/05/10/announcing-aws-billing-alerts/
– Helps alert you when this starts happening to you
– Could still be a costly few hours

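The worst-case arithmetic from the CloudFront slide and the "alert before the bill arrives" idea from the Billing Alerts slide, as an added example that is not part of the deck: it reproduces the 324 TB ceiling from the default limits and projects a month's egress cost from a few constructed access-log lines so a runaway download pattern trips an alert early. The log format, the per-GB price and the budget are assumptions, not AWS figures.

```python
# Added example, not from the slides: estimate EDoS exposure from egress.
# Log format, price and budget below are constructed assumptions.
from collections import Counter
from datetime import datetime

PRICE_PER_GB = 0.12      # assumed illustrative data-out price (USD per GB)
MONTHLY_BUDGET = 500.0   # assumed budget the alert should protect
SECONDS_PER_MONTH = 30 * 24 * 3600

def worst_case_bytes(requests_per_s=1000, megabits_per_s=1000, days=30):
    """Theoretical maximum egress under the slide's default limits.
    For large objects the bandwidth cap, not the request cap, binds."""
    return megabits_per_s * 1_000_000 // 8 * days * 24 * 3600

# Constructed sample log lines: "<ISO timestamp> <bytes sent> <client IP> <path>"
SAMPLE_LOG = """\
2012-05-19T10:00:00 52428800 203.0.113.5 /big.iso
2012-05-19T10:00:01 52428800 203.0.113.5 /big.iso
2012-05-19T10:00:02 52428800 203.0.113.5 /big.iso
2012-05-19T10:00:03 4096 198.51.100.7 /index.html
2012-05-19T10:00:04 52428800 203.0.113.5 /big.iso
2012-05-19T10:00:05 52428800 203.0.113.5 /big.iso
"""

def analyse(log_text, price_per_gb=PRICE_PER_GB, budget=MONTHLY_BUDGET):
    """Return (projected monthly cost in USD, heaviest client IP, over-budget flag)."""
    rows = [line.split() for line in log_text.splitlines() if line.strip()]
    times = [datetime.fromisoformat(r[0]) for r in rows]
    by_ip = Counter()
    for _, nbytes, ip, _ in rows:
        by_ip[ip] += int(nbytes)
    total = sum(by_ip.values())
    # Extrapolate the observed rate over a billing month; the +1 s keeps a
    # window of identical timestamps from dividing by zero.
    window = (max(times) - min(times)).total_seconds() + 1
    projected = total / window * SECONDS_PER_MONTH / 1e9 * price_per_gb
    top_ip, _ = by_ip.most_common(1)[0]
    return round(projected, 2), top_ip, projected > budget

if __name__ == "__main__":
    print("worst case TB:", worst_case_bytes() / 1e12)
    print(analyse(SAMPLE_LOG))
```

A billing alert only fires once spend has happened; projecting from the access log lets you act during the "costly few hours" the slide mentions.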
Attacks on the Public Cloud

Password Attacks
• Brute forcing of accounts and passwords
– Often no password lockout, just keep hammering away
– RDS (Oracle, MySQL, and SQL Server), SQL Azure, AWS accounts
• Example: Enumerating AWS account numbers
– https://queue.amazonaws.com/<12 digit number here>/a?Action=SendMessage
– Response tells you if the account exists
• Old school attacks on an OS sitting in cloud
– Typically secure defaults
– Much more heterogeneous

Easily Guessed Passwords
• Need to guess username also if you don’t already know
– Social engineering, research to make good guesses
• Passwords can be “guessed”
– Attacking a single account with 100k passwords
– Attacking many accounts with a few very common passwords
– People leave test/test or password same as username
• Password dictionaries
– http://www.openwall.com/passwords/wordlists/
– The wordlists are intended primarily for use with password crackers …

Misconfigured Security Settings
• Scanning Amazon S3 to identify publicly accessible buckets
– http://cloudcheckr.com/2012/05/aws-s3-buckets-bucket-finder/
• Open source tool – Bucket Finder
– Script launches a dictionary attack on the names of S3 buckets and interrogates the bucket for a list of public and private files
– Creates an EDoS

Demo: Bucket Finder

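The defender's side of the Bucket Finder slides, as an added example that is neither the deck's code nor Bucket Finder itself: it checks a bucket's ACL and bucket policy documents (the JSON shapes S3 returns for GetBucketAcl and GetBucketPolicy) for grants to everyone, which is exactly the condition that lets a name-guessing tool list your files. The sample documents are constructed; the bucket name and owner ID are placeholders.

```python
# Added example, not from the slides or from Bucket Finder: flag an S3 bucket
# whose ACL or policy lets anyone (or any AWS account) read it. Inputs constructed.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS: "AllUsers", AUTH_USERS: "AuthenticatedUsers"}

def acl_public_grants(acl):
    """Return [(group, permission)] for ACL grants to the anonymous or
    any-AWS-account groups. READ on a bucket ACL means anyone can list it."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            hits.append((PUBLIC_GROUPS[grantee["URI"]], grant.get("Permission")))
    return hits

def _principal_is_everyone(principal):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False

def policy_public_statements(policy):
    """Return Sids of Allow statements open to any principal.
    Conditions are ignored here, so review flagged statements by hand."""
    return [s.get("Sid", "<no Sid>") for s in policy.get("Statement", [])
            if s.get("Effect") == "Allow" and _principal_is_everyone(s.get("Principal"))]

def bucket_is_public(acl, policy):
    return bool(acl_public_grants(acl)) or bool(policy_public_statements(policy))

# Constructed sample documents for a misconfigured bucket (placeholder names).
SAMPLE_ACL = {"Owner": {"ID": "example-owner-id"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"},
     "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
]}
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
]}

if __name__ == "__main__":
    print(acl_public_grants(SAMPLE_ACL), policy_public_statements(SAMPLE_POLICY))
    print("public:", bucket_is_public(SAMPLE_ACL, SAMPLE_POLICY))
```

Run it over the ACL and policy of every bucket you own before someone else's dictionary does the same enumeration from the outside.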
SQL Injection
• Try to modify the query
• Change:
Select * from my_table where column_x = '1'
• To:
Select * from my_table where column_x = '1' UNION select credit_card_number from orders where 'q'='q'

Hackers Reset Your SQL Firewall
• Set the product_category to: test'; sys.sp_set_database_firewall_rule XXXXX; --
• The SQL statement is now:
SELECT ProductName FROM Products WHERE ProductCategory=test'; sys.sp_set_database_firewall_rule XXXXX; --'

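The two SQL injection slides side by side, as an added example that is not from the deck: the slide's UNION payload run against a string-built query, next to the parameterised query that keeps the same input inert. The tables and rows are constructed and sqlite3 stands in for the cloud database.

```python
# Added example, not from the slides: string-built query vs. bound parameter.
# Tables, rows and the sqlite3 backend are constructed stand-ins.
import sqlite3

def make_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE my_table (column_x TEXT, name TEXT);
        INSERT INTO my_table VALUES ('1', 'widget'), ('2', 'gadget');
        CREATE TABLE orders (id INTEGER, credit_card_number TEXT);
        INSERT INTO orders VALUES (1, '4111-1111-1111-1111');
    """)
    return con

def lookup_vulnerable(con, value):
    """Concatenates user input into SQL, as on the slide: the input closes the
    quoted literal and appends its own UNION clause."""
    sql = "SELECT name FROM my_table WHERE column_x = '" + value + "'"
    return sorted(row[0] for row in con.execute(sql))

def lookup_safe(con, value):
    """Bound parameter: the driver sends the input as data, so quotes, UNION
    and ';' never reach the parser as SQL."""
    sql = "SELECT name FROM my_table WHERE column_x = ?"
    return sorted(row[0] for row in con.execute(sql, (value,)))

# The slide's payload; the query's own closing quote completes 'q'='q'.
PAYLOAD = "1' UNION select credit_card_number from orders where 'q'='q"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", lookup_vulnerable(db, PAYLOAD))
    print("safe:      ", lookup_safe(db, PAYLOAD))
```

The stacked-statement trick on the firewall slide cannot be shown with sqlite3, whose execute() refuses a second statement, but the bound-parameter version defeats it for the same reason it defeats the UNION.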
5 Prevention Strategies
• Keep a close handle on what you are running in the cloud
• Educate yourself on how the cloud works
• Stay patched
– Stay on top of all the security alerts and bulletins
• Defense in depth
• Multiple levels of security
– Regularly perform audits and penetration tests on your cloud
– Encryption of data-in-motion / data-at-rest / data-in-use
– Monitor cloud activity log files

Questions?
Questions on:
• Clouds
• Security

Thank You for Attending
Get your FREEMIUM account to check your public cloud at www.cloudcheckr.com
Aaron Newman is the Founder of CloudCheckr (www.cloudcheckr.com)
Please contact me with additional questions at: aaron.newman@cloudcheckr.com