AWS Security Threats
Boston AWS Meetup Group
Aaron C. Newman
Founder, CloudCheckr
Aaron.Newman@CloudCheckr.com
  • We spend too much time thinking about PCI compliance, shared hardware, not enough on actual threats
Slide 1: AWS Security Threats
Boston AWS Meetup Group
Aaron C. Newman, Founder, CloudCheckr
Aaron.Newman@CloudCheckr.com
October 21, 2013
Slide 2: Agenda
• Overview of Public Cloud Security
• Attacks from AWS
• Using Search Engines to Attack AWS
• Economic Denial of Sustainability Attacks
• Attacks on AWS
Slide 3: Overview of Public Cloud Security
Slide 4: State of Cloud Security
• 15 years ago
  – The datacenter as an island, external access mediated
  – Security issues rarely understood
  – Security tools immature
• The data center opened up
  – Suppliers, customers, partners could connect directly to your datacenter
  – Robust solutions adopted, ranging from DLP, IDS, IPS, SIEM, VA
• Move to the cloud
  – Perimeter security is officially dead, data can be accessed from anywhere
  – Cloud provider security tools are immature
Survey of 100 hackers at Defcon 2012:
• 96% of the respondents think that the cloud creates new opportunities for hacking
• 86% believe that “cloud vendors aren’t doing enough to address cyber-security issues.”
Slide 5: Cloud Threats
• Cloud Provider
  – Disgruntled employees
  – Natural disasters
  – Theft of physical equipment
  – Cloud provider hacked
• External Threats
  – Hackers (LulzSec, Anonymous)
  – Governments
    • Stuxnet (US government targets Iran)
    • Operation Aurora (Chinese government targets Rackspace/others)
• Internal Threats (still your biggest threat)
  – Developers, cloud admins, users
Slide 6: Thinking Like a Hacker
• Large attack surface
  – Single successful attack can net many security compromises
  – Clouds provide homogeneous environments
• To defend against the hacker
  – Think like the hacker
  – Go home and figure out how YOU would hack into your account
  – Then plug the holes
  – Defense-in-depth
Slide 7: Attacks using AWS
Slide 8: Using Clouds to Break Encryption
• Clouds provide inexpensive ways to do massively parallel processing
• July 2012 Defcon – Cryptohaze Cloud Cracking
  – Open source Cryptohaze tool suite implements network-clustered GPU accelerated password cracking (both brute force & rainbow tables)
• AWS Cluster GPU Instances crack SHA1
  – Perfect for cracking encryption keys
  – Quote from German researcher Thomas Roth: “able to crack all hashes from [the 560 character SHA1 hash] with a password length from one to six in only 49 minutes (one hour costs $2.10 [£1.30] by the way)”
• Researcher uses AWS cloud to crack Wi-Fi passwords
  – Cloud Cracking Suite (CCS) released in Jan 2012 at the Black Hat security conference
  – Cracks a WPA-PSK handshake at a speed of 400,000 attempted passwords per second using eight GPU-based AWS instances
Slide 9: Major Attacks from the Cloud
• Dark clouds or black clouds
• How do you shut down a hacker on the cloud?
• Cloud not only cheap – provides anonymity
• Amazon cloud used in PlayStation Network hack
  – http://www.zdnet.com/amazon-cloud-used-in-playstation-network-hack4010022454/
  – Hackers rent AWS EC2 instances under an alias
• Amazon S3 hosts banking trojan
  – Kaspersky Lab reports S3 hosts the command and control channels for SpyEye banking trojan
Slide 10: Using Search Engines to Attack AWS
Slide 11: Public Cloud Search Engine Attacks
Demo: Search Diggity (Code Search, NotInMyBackyard), AKA Google Hacking
Slide 12: Economic Denial of Sustainability Attacks
Slide 13: EDoS Attacks
• Variation of Distributed Denial of Service Attack
  – Goal is not to overload and crash an application
  – Instead to cause the server hosting costs to overwhelm the victim’s budget
“the infrastructure allows scaling of service beyond the economic means of the vendor to pay their cloud-based service bills” – http://rationalsecurity.typepad.com
Slide 14: Worst Case Scenario – AWS CloudFront
• http://www.reviewmylife.co.uk/blog/2011/05/19/amazon-cloudfront-and-s3-maximum-cost/
• Author calculated maximum possible charge
  – Used default limit of 1000 requests per second and 1000 megabits per second
  – At the end of 30 days a maximum of 324TB of data could have been downloaded (theoretically)
  – $42,000 per month for a single edge location
  – CloudFront has 30 edge locations
Slide 15: Stories and Lessons Learned
• Anecdotes from burned users
  – Personal website hacked by file sharers
  – Received bill for $10,000
• Note: AWS only charges for data out
  – All data transfer in is at $0.000 per GB
  – Mitigates costs – if you don’t respond to requests, doesn’t cost you anything
• Use pre-paid credit cards or credit card with appropriate credit limit
  – Not sure if this limits your liability legally
Slide 16: Solutions?
• Amazon limits/caps have been “in the works” since 2006
  – Each year Amazon talks about intention of releasing the feature
• May 2012 – Amazon announces Billing Alerts
  – http://aws.amazon.com/about-aws/whatsnew/2012/05/10/announcing-aws-billing-alerts/
  – Helps alert you when this starts happening to you
  – Could still be a costly few hours
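The slide 14 arithmetic and the slide 16 billing alert, carried through as an added example that is not part of the deck or of CloudCheckr's code. Only the 1000 Mbps / 1000 requests-per-second limits and the 30-day period come from the slides; the per-GB pricing tiers, the budget figure and the SNS topic ARN are constructed placeholders, not AWS list prices. The last function builds the keyword arguments for CloudWatch's put_metric_alarm on the AWS/Billing EstimatedCharges metric (published only in us-east-1), so the alarm fires at a fraction of the budget rather than after the bill has already run away.

```python
# Added example: EDoS worst-case sizing and a billing-alarm definition.
# Pricing tiers, budget and the SNS topic ARN are constructed placeholders.
from typing import Dict, List, Tuple

SECONDS_PER_DAY = 86_400
GB = 10**9          # decimal units, matching the slide's "324TB"
TB = 10**12


def worst_case_bytes(mbps_limit: int, days: int) -> int:
    """Bytes served if the bandwidth limit is saturated every second for `days`."""
    bits = mbps_limit * 10**6 * days * SECONDS_PER_DAY
    return bits // 8


def worst_case_requests(rps_limit: int, days: int) -> int:
    """Requests served if the request-rate limit is saturated for `days`."""
    return rps_limit * days * SECONDS_PER_DAY


def tiered_cost(gb: float, tiers: List[Tuple[float, float]]) -> float:
    """Graduated per-GB pricing: tiers are (gb_up_to, usd_per_gb) in ascending
    order, with float('inf') as the last boundary."""
    cost, used = 0.0, 0.0
    for upper, price in tiers:
        if gb <= used:
            break
        portion = min(gb, upper) - used
        cost += portion * price
        used += portion
    return cost


def billing_alarm_params(budget_usd: float, sns_topic_arn: str,
                         fraction: float = 0.5) -> Dict:
    """Keyword arguments for boto3 cloudwatch.put_metric_alarm(**params).
    Fires when month-to-date EstimatedCharges exceed `fraction` of the budget."""
    return {
        "AlarmName": f"spend-over-{int(budget_usd * fraction)}-usd",
        "Namespace": "AWS/Billing",
        "MetricName": "EstimatedCharges",
        "Dimensions": [{"Name": "Currency", "Value": "USD"}],
        "Statistic": "Maximum",
        "Period": 21_600,              # the billing metric updates a few times a day
        "EvaluationPeriods": 1,
        "Threshold": budget_usd * fraction,
        "ComparisonOperator": "GreaterThanThreshold",
        "AlarmActions": [sns_topic_arn],
    }


if __name__ == "__main__":
    data = worst_case_bytes(1000, 30)                 # slide: 1000 Mbps for 30 days
    print(f"{data / TB:.0f} TB could be served from one edge location")
    # Constructed tiers, not AWS list prices: first 10 TB at $0.15/GB, rest at $0.13/GB.
    tiers = [(10_000, 0.15), (float("inf"), 0.13)]
    print(f"${tiered_cost(data / GB, tiers):,.0f} data-out, "
          f"{worst_case_requests(1000, 30):,} requests")
    # Constructed budget and topic ARN.
    print(billing_alarm_params(5_000, "arn:aws:sns:us-east-1:123456789012:billing-alerts"))
```

The 1000 Mbps limit alone reproduces the slide's 324 TB (1000 × 10^6 × 2,592,000 s ÷ 8 bytes) before any pricing is applied, which is why the alarm threshold is set as a fraction of budget: by the time the estimate crosses the full budget, the "costly few hours" the slide warns about have already happened.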
Slide 17: Attacks on AWS
Slide 18: Password Attacks
• Brute forcing of accounts and passwords
  – Often no password lockout, just keep hammering away
  – RDS (Oracle, MySQL, and SQL Server), AWS accounts
• Example: Enumerating AWS account numbers
  – https://queue.amazonaws.com/<12 digit numbers here>/a?Action=SendMessage
  – Response tells you if the account exists
• Old school attacks on an OS sitting in cloud
  – Typically secure defaults
  – Much more heterogeneous
Slide 19: Easily Guessed Passwords
• Need to guess username also if you don’t already know
  – Social engineering, research to make good guesses
• Passwords can be “guessed”
  – Attacking a single account with 100k passwords
  – Attacking many accounts with a few very common passwords
  – People leave test/test or password same as username
• Password dictionaries
  – http://www.openwall.com/passwords/wordlists/
  – The wordlists are intended primarily for use with password crackers …
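Slides 18 and 19 describe two shapes of guessing: many passwords against one account, and a few passwords against many accounts. The detection logic below, an added example that is not from the deck, flags both patterns in AWS console login records. The events are constructed here to follow the CloudTrail ConsoleLogin layout (eventTime, userIdentity.userName, sourceIPAddress, responseElements.ConsoleLogin); the IP addresses, user names and thresholds are made up.

```python
# Added example: flag brute-force and password-spray patterns in ConsoleLogin events.
# The events are constructed to resemble CloudTrail records; they are not real logs.
import json
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


def _ev(ts: str, user: str, ip: str, outcome: str) -> str:
    return json.dumps({
        "eventTime": ts, "eventName": "ConsoleLogin",
        "userIdentity": {"type": "IAMUser", "userName": user},
        "sourceIPAddress": ip,
        "responseElements": {"ConsoleLogin": outcome},
    })


SAMPLE_EVENTS: List[str] = (
    # six failures against one account from one address within five minutes
    [_ev(f"2013-10-21T13:0{i}:00Z", "admin", "203.0.113.10", "Failure") for i in range(6)]
    # one failure each against four accounts from another address (spray pattern)
    + [_ev(f"2013-10-21T13:1{i}:00Z", u, "198.51.100.7", "Failure")
       for i, u in enumerate(["alice", "bob", "carol", "dave"])]
    # ordinary activity: one success and a single typo
    + [_ev("2013-10-21T13:20:00Z", "alice", "192.0.2.5", "Success"),
       _ev("2013-10-21T13:21:00Z", "bob", "192.0.2.5", "Failure")]
)


def parse_failures(lines: List[str]) -> List[Tuple[datetime, str, str]]:
    """Return (time, user, source_ip) for every failed console login."""
    out = []
    for line in lines:
        ev = json.loads(line)
        if ev.get("eventName") != "ConsoleLogin":
            continue
        if ev.get("responseElements", {}).get("ConsoleLogin") != "Failure":
            continue
        t = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        user = ev.get("userIdentity", {}).get("userName", "<root or unknown>")
        out.append((t, user, ev.get("sourceIPAddress", "?")))
    return out


def _max_in_window(times: List[datetime], window: timedelta) -> int:
    """Largest number of events that fall inside any `window`-long span."""
    times = sorted(times)
    start, best = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def _max_distinct_in_window(items: List[Tuple[datetime, str]], window: timedelta) -> int:
    """Largest number of distinct values that fall inside any `window`-long span."""
    items = sorted(items)
    counts: Dict[str, int] = defaultdict(int)
    start, best = 0, 0
    for t, value in items:
        counts[value] += 1
        while t - items[start][0] > window:
            old = items[start][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            start += 1
        best = max(best, len(counts))
    return best


def detect(lines: List[str], window: timedelta = timedelta(minutes=10),
           per_user_threshold: int = 5, spray_threshold: int = 3) -> Dict[str, Dict[str, int]]:
    """Brute force: >= per_user_threshold failures for one user inside `window`.
    Spray: one source IP failing against >= spray_threshold distinct users inside `window`."""
    by_user: Dict[str, List[datetime]] = defaultdict(list)
    by_ip: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for t, user, ip in parse_failures(lines):
        by_user[user].append(t)
        by_ip[ip].append((t, user))
    brute, spray = {}, {}
    for user, times in by_user.items():
        n = _max_in_window(times, window)
        if n >= per_user_threshold:
            brute[user] = n
    for ip, pairs in by_ip.items():
        n = _max_distinct_in_window(pairs, window)
        if n >= spray_threshold:
            spray[ip] = n
    return {"brute_force": brute, "spray": spray}


if __name__ == "__main__":
    print(json.dumps(detect(SAMPLE_EVENTS), indent=2))
```

The per-user count alone misses the spray case (each account sees only one failure), and the per-IP count alone misses a slow single-account attack, so both windows are kept. A lone wrong password from a normal address stays below either threshold.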
Slide 20: Vulnerabilities in RDS
• MySQL versions
  – Many vulnerable versions
  – Make sure you are using the latest release
  – Link to the issues
• RDS security groups should always be restricted to specific trusted networks
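One way to check the slide's last point, as an added example that is not from the deck or from CloudCheckr: walk the security groups attached to database instances and report any rule that exposes a database port to the whole Internet. The response is constructed in the shape boto3's ec2 describe_security_groups returns; the group IDs, names and CIDR blocks are made up.

```python
# Added example: find DB ports reachable from the whole Internet in EC2 security groups.
# SAMPLE_RESPONSE is constructed in the shape of boto3 describe_security_groups output.
from typing import Dict, List

DB_PORTS = {3306: "MySQL", 1433: "SQL Server", 1521: "Oracle"}
WORLD = {"0.0.0.0/0", "::/0"}

SAMPLE_RESPONSE: Dict = {"SecurityGroups": [
    {"GroupId": "sg-0a1b2c3d", "GroupName": "rds-mysql-open", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,       # not a DB port, ignored here
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-1f2e3d4c", "GroupName": "rds-mysql-restricted", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-0aa11bb2", "UserId": "123456789012"}]}]},
    {"GroupId": "sg-9f8e7d6c", "GroupName": "allow-everything", "IpPermissions": [
        {"IpProtocol": "-1",                                       # all protocols, all ports
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}], "UserIdGroupPairs": []}]},
]}


def rule_covers_port(perm: Dict, port: int) -> bool:
    """True if the ingress rule admits TCP traffic to `port` (-1 means every protocol)."""
    if perm.get("IpProtocol") == "-1":
        return True
    if perm.get("IpProtocol") != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def world_open_ranges(perm: Dict) -> List[str]:
    """CIDR blocks on the rule that cover the entire IPv4 or IPv6 Internet."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return [c for c in cidrs if c in WORLD]


def audit_security_groups(response: Dict) -> List[Dict]:
    """One finding per (group, DB port, world-open CIDR)."""
    findings = []
    for sg in response.get("SecurityGroups", []):
        for perm in sg.get("IpPermissions", []):
            open_cidrs = world_open_ranges(perm)
            if not open_cidrs:
                continue        # referenced security groups and private ranges pass
            for port, service in DB_PORTS.items():
                if rule_covers_port(perm, port):
                    for cidr in open_cidrs:
                        findings.append({"group": sg["GroupId"], "name": sg.get("GroupName"),
                                         "port": port, "service": service, "source": cidr})
    return findings


if __name__ == "__main__":
    for f in audit_security_groups(SAMPLE_RESPONSE):
        print(f"{f['group']} ({f['name']}): {f['service']} port {f['port']} open to {f['source']}")
```

The restricted group passes because its sources are a private range and another security group, which is the pattern the slide asks for: application tier to database, not Internet to database. An "all protocols" rule from ::/0 is reported once per database port so the finding is not lost in a protocol-agnostic catch-all.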
Slide 21: Misconfigured Security Settings
• Scanning Amazon S3 to identify publicly accessible buckets
  – http://cloudcheckr.com/2012/05/aws-s3-bucketsbucket-finder/
• Open source tool – Bucket Finder
  – Script launches a dictionary attack on the names of S3 buckets and interrogates the bucket for a list of public and private files
  – Creates an EDoS
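The defender's side of the same question, as an added example that is not from the deck and not Bucket Finder: given a bucket's ACL and bucket policy, decide whether anyone outside the account can reach it. The documents are constructed in the shape boto3's get_bucket_acl and get_bucket_policy return; the bucket names, owner ID and statements are made up. The AuthenticatedUsers group is treated as public, since any AWS account in the world qualifies.

```python
# Added example: classify S3 buckets as public from their ACL grants and bucket policy.
# ACLs and policies are constructed in the shape of boto3 get_bucket_acl / get_bucket_policy.
import json
from typing import Dict, List, Optional, Tuple

PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone on the Internet",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}
ALL_USERS, AUTH_USERS = list(PUBLIC_GROUPS)

OWNER = {"DisplayName": "ops", "ID": "0123456789abcdef0123456789abcdef"}   # constructed
PRIVATE_ACL = {"Owner": OWNER, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": OWNER["ID"], "DisplayName": "ops"},
     "Permission": "FULL_CONTROL"}]}


def _acl_with(group_uri: str, permission: str) -> Dict:
    """Private ACL plus one extra grant to a predefined group."""
    extra = {"Grantee": {"Type": "Group", "URI": group_uri}, "Permission": permission}
    return {"Owner": OWNER, "Grants": PRIVATE_ACL["Grants"] + [extra]}


def _policy(principal, condition=None) -> str:
    stmt = {"Sid": "Read", "Effect": "Allow", "Principal": principal,
            "Action": "s3:GetObject", "Resource": "arn:aws:s3:::bucket/*"}
    if condition:
        stmt["Condition"] = condition
    return json.dumps({"Version": "2012-10-17", "Statement": [stmt]})


SAMPLE_BUCKETS: List[Tuple[str, Dict, Optional[str]]] = [
    ("backups", _acl_with(ALL_USERS, "READ"), None),
    ("uploads", _acl_with(AUTH_USERS, "WRITE"), None),
    ("website", PRIVATE_ACL, _policy("*")),
    ("internal", PRIVATE_ACL, _policy({"AWS": "*"},
                                      {"IpAddress": {"aws:SourceIp": "10.0.0.0/8"}})),
    ("logs", PRIVATE_ACL, None),
]


def acl_public_grants(acl: Dict) -> List[str]:
    """Grants to the AllUsers or AuthenticatedUsers groups."""
    out = []
    for g in acl.get("Grants", []):
        grantee = g.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            out.append(f"{g['Permission']} for {PUBLIC_GROUPS[grantee['URI']]}")
    return out


def _principal_is_everyone(principal) -> bool:
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False


def policy_public_statements(policy_json: Optional[str]) -> List[str]:
    """Allow statements open to every principal and not narrowed by a Condition."""
    if not policy_json:
        return []
    stmts = json.loads(policy_json).get("Statement", [])
    stmts = stmts if isinstance(stmts, list) else [stmts]
    out = []
    for s in stmts:
        if (s.get("Effect") == "Allow" and _principal_is_everyone(s.get("Principal"))
                and not s.get("Condition")):
            actions = s.get("Action", [])
            actions = actions if isinstance(actions, list) else [actions]
            out.append(f"{s.get('Sid', '<no Sid>')}: {', '.join(actions)}")
    return out


def audit_bucket(name: str, acl: Dict, policy_json: Optional[str] = None) -> Dict:
    acl_hits = acl_public_grants(acl)
    policy_hits = policy_public_statements(policy_json)
    return {"bucket": name, "public": bool(acl_hits or policy_hits),
            "acl": acl_hits, "policy": policy_hits}


def audit_all(buckets) -> Dict[str, bool]:
    return {name: audit_bucket(name, acl, pol)["public"] for name, acl, pol in buckets}


if __name__ == "__main__":
    for name, acl, pol in SAMPLE_BUCKETS:
        print(audit_bucket(name, acl, pol))
```

A bucket-name dictionary attack of the kind the slide describes only pays off against buckets in the first three rows; a policy whose wildcard principal is bound by a Condition (the "internal" bucket) is reported as not public here, though it still deserves a look when the condition key is weak. Today S3 Block Public Access settings can refuse such grants at the account level, which removes the class of misconfiguration rather than detecting it after the fact.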
Slide 22: Demo – Bucket Finder
Slide 23: 5 Prevention Strategies
• Keep a close handle on what you are running in the cloud
• Educate yourself on how the cloud works
• Stay Patched
  – Stay on top of all the security alerts and bulletins
• Defense in Depth
• Multiple Levels of Security
  – Regularly perform audits and penetration tests on your cloud
  – Encryption of data-in-motion / data-at-rest / data-in-use
  – Monitor cloud activity log files
Slide 24: What is CloudCheckr?
CloudCheckr provides visibility into AWS
• Cost Optimization, Allocation, Reporting
• Resource Utilization
• > 250 Best Practice Checks
• Trending Analysis
• Change Monitoring
Slide 25: Questions?
Questions on:
• Clouds
• Security
Slide 26: Thank You for Attending
Enter promo code BOSTON for a free 30 day trial of www.cloudcheckr.com
Aaron Newman is the Founder of CloudCheckr (www.cloudcheckr.com)
Please contact me with additional questions at: aaron.newman@cloudcheckr.com
