AWS Meet-up San Francisco: Cloud Security

CloudCheckr Founder Aaron Newman presents a comprehensive overview of AWS security threats and mitigation strategies.

  • We spend too much time thinking about PCI compliance, shared hardware, not enough on actual threats

    1. AWS Security Threats
       San Francisco AWS Meetup Group
       Aaron C. Newman, Founder, CloudCheckr
       Feb 11, 2013
    2. Agenda:
       • Overview of Public Cloud Security
       • Attacks from AWS
       • Using Search Engines to Attack AWS
       • Economic Denial of Sustainability Attacks
       • Attacks on AWS
    3. Overview of Public Cloud Security
    4. State of Cloud Security
       • 15 years ago
         – The datacenter as an island, external access mediated
         – Security issues rarely understood
         – Security tools immature
       • The data center opened up
         – Suppliers, customers, partners could connect directly to your datacenter
         – Robust solutions adopted, ranging from DLP, IDS, IPS, SIEM, VA
       • Move to the cloud
         – Perimeter security is officially dead, data can be accessed from anywhere
         – Cloud provider security tools are immature
       Survey of 100 hackers at Defcon 2012:
       • 96% of the respondents think that the cloud creates new opportunities for hacking
       • 86% believe that “cloud vendors aren’t doing enough to address cyber-security issues.”
    5. Cloud Threats
       • Cloud Provider
         – Disgruntled employees
         – Natural disasters
         – Theft of physical equipment
         – Cloud provider hacked
       • External Threats
         – Hackers (LulzSec, Anonymous)
         – Governments
           • Stuxnet (US government targets Iran)
           • Operation Aurora (Chinese government targets Rackspace/others)
       • Internal Threats (still your biggest threat)
         – Developers, cloud admins, users
    6. Thinking Like a Hacker
       • Large attack surface
         – Single successful attack can net many security compromises
         – Clouds provide homogeneous environments
       • To defend against the hacker
         – Think like the hacker
         – Go home and figure out how YOU would hack into your account
         – Then plug the holes
         – Defense-in-depth
    7. Attacks using AWS
    8. Using Clouds to Break Encryption
       • Clouds provide inexpensive ways to do massively parallel processing
       • July 2012 Defcon - Cryptohaze Cloud Cracking
         – Open source Cryptohaze tool suite implements network-clustered GPU accelerated password cracking (both brute force & rainbow tables)
       • AWS Cluster GPU Instances crack SHA1
         – Perfect for cracking encryption keys
         – Quote from German researcher Thomas Roth: “able to crack all hashes from [the 560 character SHA1 hash] with a password length from one to six in only 49 minutes (one hour costs $2.10 [£1.30] by the way)”
       • Researcher uses AWS cloud to crack Wi-Fi passwords
         – Cloud Cracking Suite (CCS) released in Jan 2012 at the Black Hat security conference
         – Cracks a WPA-PSK handshake at a speed of 400,000 attempted passwords per second using eight GPU-based AWS instances
    9. Major Attacks from the Cloud
       • Dark/black/storm clouds
       • How do you shut down a hacker on the cloud?
       • Cloud not only cheap – provides anonymity
       • Amazon cloud used in PlayStation Network hack
         – Hackers rent AWS EC2 instances under an alias
       • Amazon S3 hosts banking trojan
         – Kaspersky Lab reports S3 hosts the command and control channels for the SpyEye banking trojan
    10. Using Search Engines to Attack AWS
    11. Public Cloud Search Engine Attacks
        Demo: Search Diggity (Code Search, NotInMyBackyard), AKA Google Hacking
        Rich Mogull blog post: My $500 Cloud Security Screwup
    12. Economic Denial of Sustainability Attacks
    13. EDoS Attacks
        • Variation of Distributed Denial of Service Attack
          – Goal is not to overload and crash an application
          – Instead to cause the server hosting costs to overwhelm the victim’s budget
        “the infrastructure allows scaling of service beyond the economic means of the vendor to pay their cloud-based service bills” -
    14. Worst Case Scenario – AWS CloudFront
        • mazon-cloudfront-and-s3-maximum-cost/
        • Author calculated maximum possible charge
          – Used default limit of 1000 requests per second and 1000 megabits per second
          – At the end of 30 days a maximum of 324TB of data could have been downloaded (theoretically)
          – $42,000 per month for a single edge location
          – CloudFront has 30 edge locations
    15. Stories and Lessons Learned
        • Anecdotes from burned users
          – Personal website hacked by file sharers
          – Received bill for $10,000
        • Note: AWS only charges for data out
          – All data transfer in is at $0.000 per GB
          – Mitigates costs – if you don’t respond to requests, it doesn’t cost you anything
        • Use pre-paid credit cards or a credit card with an appropriate credit limit
          – Not sure if this limits your liability legally
    16. Solutions?
        • Amazon limits/caps have been “in the works” since 2006
          – Each year Amazon talks about its intention of releasing the feature
        • May 2012 – Amazon announces Billing Alerts
          – Helps alert you when this starts happening to you
          – Could still be a costly few hours
    17. Attacks on AWS
    18. Password Attacks
        • Brute forcing of accounts and passwords
          – Often no password lockout, just keep hammering away
          – RDS (Oracle, MySQL, and SQL Server), AWS accounts
        • Example: Enumerating AWS account numbers
          – <12 digit numbers here>/a?Action=SendMessage
          – Response tells you if the account exists
        • Old school attacks on an OS sitting in the cloud
          – Typically secure defaults
          – Much more heterogeneous
    19. Easily Guessed Passwords
        • Need to guess the username also if you don’t already know it
          – Social engineering, research to make good guesses
        • Passwords can be “guessed”
          – Attacking a single account with 100k passwords
          – Attacking many accounts with a few very common passwords
          – People leave test/test or a password the same as the username
        • Password dictionaries
          – The wordlists are intended primarily for use with password crackers …
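A way to spot both patterns from slides 18 and 19 (one account hammered with many passwords, and many accounts tried with a few passwords from one source) in a MySQL-style error log. This is an added example, not from the deck; the log line format, the sample lines and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# MySQL-style "Access denied" line; the exact format is an assumption.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) \[Warning\] Access denied for user "
    r"'(?P<user>[^']*)'@'(?P<src>[^']*)'"
)

# Constructed sample log: 203.0.113.5 hammers 'admin' (brute force),
# 198.51.100.9 tries twelve different accounts (spraying), 192.0.2.7 fails once.
SAMPLE_LOG = "\n".join(
    [f"2013-02-11T10:00:{i:02d}Z [Warning] Access denied for user "
     f"'admin'@'203.0.113.5' (using password: YES)" for i in range(25)]
    + [f"2013-02-11T10:01:{i:02d}Z [Warning] Access denied for user "
       f"'user{i}'@'198.51.100.9' (using password: YES)" for i in range(12)]
    + ["2013-02-11T10:02:00Z [Warning] Access denied for user "
       "'bob'@'192.0.2.7' (using password: YES)"]
)

def parse(log_text):
    """Yield (timestamp, user, source) for every failed-login line."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), m["user"], m["src"]

def detect(log_text, window=timedelta(minutes=5), per_account=20, spray_accounts=10):
    """Return alerts as (kind, source, user) tuples, one per threshold crossing."""
    alerts = []
    by_pair = defaultdict(list)   # (src, user) -> failure timestamps in window
    by_src = defaultdict(set)     # src -> distinct usernames it failed against
    for ts, user, src in sorted(parse(log_text)):
        times = by_pair[(src, user)]
        times.append(ts)
        while times and ts - times[0] > window:   # slide the window forward
            times.pop(0)
        if len(times) == per_account:             # fires once, at the crossing
            alerts.append(("bruteforce", src, user))
        by_src[src].add(user)
        if len(by_src[src]) == spray_accounts:    # many accounts from one source
            alerts.append(("spray", src, None))
    return alerts
```

Per-account lockout would stop the first pattern but not the second, which is why the source-based count is kept separately.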
    20. Vulnerabilities in RDS
        • MySQL versions
          – Many vulnerable versions
          – Make sure you are using the latest release
          – Link to the issues
        • RDS security groups should always be restricted to specific trusted networks
    21. Misconfigured Security Settings
        • Scanning Amazon S3 to identify publicly accessible buckets
        • Open source tool – Bucket Finder
          – Script launches a dictionary attack on the names of S3 buckets and interrogates the bucket for a list of public and private files
          – Creates an EDoS
    22. Demo: Bucket Finder
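The defender-side counterpart to the bucket scan on slides 21 and 22: a check over a bucket's policy document for statements that let anonymous callers list the bucket or read its objects. This is an added example, not part of the deck or of Bucket Finder; the two policy documents are constructed samples, and the bucket name, account id and role name are placeholders.

```python
import json

# Constructed sample policies (placeholders, not real resources).
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
    }],
})
RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
})

# Actions that expose object contents or the object listing (compared case-insensitively).
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:*", "*"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_anonymous(principal):
    """True when the statement applies to everyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(p) for p in principal.values())
    return False

def public_read_grants(policy_json):
    """Return the Allow statements that grant anonymous list/read access."""
    findings = []
    for st in json.loads(policy_json).get("Statement", []):
        if st.get("Effect") != "Allow" or not _is_anonymous(st.get("Principal")):
            continue
        if "Condition" in st:
            continue   # conditional grants (e.g. source-IP restricted) need manual review
        hit = [a for a in _as_list(st.get("Action", [])) if a.lower() in READ_ACTIONS]
        if hit:
            findings.append({"actions": hit, "resources": _as_list(st.get("Resource"))})
    return findings
```

Action wildcards such as `s3:Get*` are not expanded here, so treat an empty result as "no exact-match grant found", not as proof the bucket is private.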
    23. 5 Prevention Strategies
        • Keep a close handle on what you are running in the cloud
        • Educate yourself on how the cloud works
        • Stay Patched
          – Stay on top of all the security alerts and bulletins
        • Defense in Depth
        • Multiple Levels of Security
          – Regularly perform audits and penetration tests on your cloud
          – Encryption of data-in-motion / data-at-rest / data-in-use
          – Monitor cloud activity log files
    24. What is CloudCheckr?
        CloudCheckr provides visibility into AWS
        • Cost Optimization, Allocation, Reporting
        • Resource Utilization
        • > 250 Best Practice Checks
        • Trending Analysis
        • Change Monitoring
    25. Questions?
        Questions on:
        • Clouds
        • Security
    26. Thank You for Attending
        For a free 14 day trial of
        Aaron Newman is the Founder of CloudCheckr (
        Please contact me with additional questions at: