AP
Uploaded byAshwin Palani
268 views

Abuse_in_the_Cloud_Palani_Ashwin

This document discusses security issues related to the abuse and nefarious use of cloud computing. It begins by providing background on cloud computing and outlines some key motivations for security concerns, including that cloud environments present new risks compared to traditional computing due to virtualization and changes in trust boundaries. The document then examines several specific security threats enabled by cloud computing, such as using cloud services to launch DDoS attacks, host malicious data, run password cracking tools, and control botnets. It analyzes issues like easy registration processes, dynamically changing IP addresses, and blacklisting of cloud IP ranges that can allow malicious actors to evade detection. The document aims to understand the taxonomy of cloud security threats and discuss past, current and potential future

Embed presentation

Download to read offline
Cloud Computing Security: A Report on Abuse and Nefarious Use of Clouds Ashwin Palani Motivation: Cloud computing is the latest computing paradigm where most businesses are concentrating their research and resources to achieve ‘on-demand’ self service. Companies are attracted towards the notion of a cloud which encompasses separation of application and data from the underlying infrastructure comprising of computing, network and storage resources making use of software, platform and infrastructure as a service models. The capabilities along with risks are inherited as we move from the software towards infrastructure service models. Though security mechanisms in cloud computing appears similar in nature to traditional computing, the virtualization approaches and the models of operation present risks that would be of a different nature. The redrawing of perimeters of trust boundaries in an organization is a major impact of cloud computing. The dynamic nature of cloud computing poses new challenges to existing static security mechanisms. Any information previously stored locally could now be stored in a cloud, including email, word processing documents, spreadsheets, videos, health records, photographs, tax or other financial information, business plans, accounting information, address books, and more. The entire contents of a user’s previous storage device may be stored with a single cloud provider or with many cloud providers. Whenever an individual, a business, a government agency, or other entity shares information in the cloud, security issues arise. Security risks now also depend on the type of assets and resources being managed, the managing authority, virtualization strategies and the integration of consumer and provider security controls. More attention needs to be provided on confidentiality, integrity, availability, authentication, authorization, and non-Repudiation services. The location and availability of data along with the nature of data to be commingled with other cloud computers, legal and privacy issues are major areas that need focus with respect to cloud computing. Technologies like two factor authentication along with virtual private networks are gaining prominence in cloud computing environments. The expanded capabilities of cloud computing also provide attackers with ability to launch novel threats. Credible and challenging threats to cloud environments include co-residence attacks such as mounting cross- VM side-channel attacks to extract information from a target VM on the same machine and also other DNS and routing attacks. Thus cloud computing provides security researchers and enthusiasts with a large number of interesting challenges. The objectives of this paper are fivefold: i) Understand the working of a cloud, the various virtualizations involved along with Infrastructure, Platform and Software as A Service Models. ii) Identify and understand the taxonomy of security challenges and issues in the context of abuse and nefarious use of cloud services citing various incidents of cloud abuse. iii) Identify the current security mechanisms and best security practices provided by cloud services and also look at future research and direction in thwarting attacks arising from abuse of the cloud. iv) Brief overview of the novel security aspects of Microsoft’s cloud venture Microsoft Azure. v) Evaluation of a brute force password cracking tool among various types of Amazon instances.
Abuse and Nefarious Use of Cloud Computing: The cloud with its great potential for flexibility, agility, availability and capability for addition of computing resources on demand comes laced with its own set of potential security risks and issues. This possibility of security loopholes, with cloud computing being a largely evolving technology raises concerns among various stakeholders and existing and potential customers of cloud computing. The Cloud Security Alliance, a nonprofit organization which promotes the use of best practices for providing security assurance within Cloud Computing had listed “Abuse and Nefarious Use of Cloud Computing” as the top threat for cloud security as part of its latest research findings on this issue. This particular threat is the primary motivation of this paper. Nefarious use and abuses comprise of but not limited to launching DDOS attacks from the cloud, hosting malicious data, running password hacks, providing botnet command and control, managing rainbow tables and CAPTCHA forms within the cloud [1] . This paper tries to enlist and understand the taxonomy of various threats that would fall under this topic. The paper also discusses past, existing and potential future scenarios of various kinds of misuse of cloud services and also the possible approaches to deal with these issues. This paper also tries to demonstrate a scenario wherein malicious activities are carried out on a cloud instance and check the increased capability of running brute force attacks and also the capability or lack of it of the cloud services provider/environment to detect and/or restrict such activity. The following section discusses identified threats arising due to the abuse of cloud infrastructure even among cloud computing leaders like Amazon EC2, Google etc. Key Security Issues : Easy Registration Model: Clouds service providers usually have a business model that provides a simple registration process for the customers to use cloud instances where in many instances credit card information alone is sufficient to gain access to cloud resources. This is exploited to a great extent by spammers and hackers who have previously stolen credit card information through which they buy access to cloud resources to perform other malicious activity and it makes it impossible to trace the real culprits behind a malicious activity. In order to promote their services, cloud services provide promotional offers such as limited trials which are another means of exploiting cloud services for malicious activity. Dynamically Changing IPs: Cloud Customers are provided with dynamic IP addresses (for eg Amazon Ec2) which rapidly change from time to time. This makes it extremely difficult for organizations to block out spam originating from these spurious instances. Hence organizations tend to block out the entire IP range of the cloud services provider. Similarly even if an abuse is reported an instance may be terminated. But the same spammer operating on the previous instance only needs to buy out a new instance and carry out malicious activities without getting detected. Black Listing of Cloud URLS:
The result of dynamically changing IPs problem is that since malicious users tend to get away with their activities and the difficulty in tracking them the entire range of IP addresses from a cloud provider are sometimes blocked. One such example was when one of the largest real time black list provider Spamhaus blacklisted all Amazon EC2 instances’ IP addresses. ISPs, email servers, anti-phishing plugins, networking devices etc make use of these blacklists and hence when an entire range of IP address is blocked, even legitimate users are not able to send their traffic to their intended destinations which gets rejected as spam. The anonymity and difficulty in detection obtained through the nature of cloud services enables organizations/individuals with malicious intent to perform various nefarious activities. Some of them are listed below: Botnets: The Zeus botnet and infostealing Trojan horses were identified by CSA as major malicious software with capabilities to compromise confidential data on cloud platforms. The Zeus Trojan was a keylogger that stole data such as login credentials, account numbers and credit card information. The scheme was to design fake HTML forms on banking login pages to allow hackers to steal user data. Zeus alone amounted to around $100 million in bank fraud in 2009. This most wanted Botnet was captured on an Amazon EC2 cloud used to host the central server to control compromised machines, in late 2009. Infected machines would contact a server hosted in Amazon's cloud to download updates and additional functionality to compromised hosts. In 2008, spammers used Amazon EC2 to carry out a malicious campaign of porn-related junk e- mail. A recent report by Munk Centre for International Studies also elaborates on how espionage networks such as Ghostnet exploits the cloud. Bit torrents: Cloud services allow bit torrent traffic to bypass ISP throttling. Thus leaching and seeding can be done at far greater speeds and this provides online pirates with a mechanism to transfer illegitimate software at better speeds with very little chance of detection. The inherent danger is that people in organizations could use bittorrents to download files to legitimate domains such as Amazon EC2 and thereafter download copyrighted work from the cloud to corporate computers making it extremely difficult for internal firewalls to block-out traffic from these legitimate sources thereby leading to a possible copyright infringement of malware infection for the company. Phishing Attacks: The change towards increased hosting of data and applications in the cloud increases the threat of phishing and other abusive technologies aimed at stealing access credentials. Cloud services have encountered phishing attacks. One such scenario [35] in 2007 involved a Salesforce.com employee who divulged company password information that allowed attackers access to customer contact list. The customers then became the target of phishing attacks when they started receiving mails that resembled invoices from salesforce.com Password Hacking: The anonymity provided by the cloud along with its tremendous scalability provides capabilities for accelerated brute force cracking of passwords. WPA-PSK networks are vulnerable to
dictionary attacks but running a large enough dictionary over a WPA handshake would take days together, WPA cracker [33] a password cracking service makes use of the services of the cloud by providing access to a 400 CPU cluster with 135 million word dictionary and cracks the password within minutes. This illustrates the trend in tapping the power of the cloud in carrying out brute force attacks. Economic Denial of Sustainability Attack: Malicious software could be used to dynamically impact the number of resources being consumed by a customer thereby increasing the billing amount of the customer. Interestingly, an attacker can continuously generate traffic onto the victim and thereby trigger new victim instances due to the use of auto scaling systems. These automatically provision and grow the number of instances used by a service on-the-fly to meet spikes in demand. Examples of such self scaling systems are scalr(self-scaling hosting environment utilizing Amazon's EC2.) , Amazon Simple Queue Service, and RightGrid. Such attacks destroy economic resources of the victim which would have a major economic impact sometimes even leading to bankruptcy. Privacy Issues: There are avenues of misuse of the power of the cloud not only from the cloud customer’s perspective but also from the cloud provider’s perspective. Any cloud would contain a large amount of datasets that can be used as possible revenue generation avenues by collaboration with advertisement agencies. Google allows its cloud to collect and analyze consumer data for its advertising wing. Also such mining of data would allow malicious persons to extract information which otherwise would be unavailable thereby creating privacy issues. Proponents of privacy have helped enact a lawsuit that would curtail a company’s rights to retain identity of collected information only for 18 months after which it would be anonymized. Anonymization is a difficult process in itself and needs effective tools to ensure complete anonymization of data. Also there could be issues of indirect data mining where a cloud provider might gain insider knowledge by observing transactional and relationship information such as the pending merger of two companies. An example of cloud provider failing in terms of ensuring privacy happened with Google when cloud based applications like Google Doc inadvertently shared some users’ documents with contacts that were never granted access. This was a major incident which highlighted the example of some technical glitch exposing sensitive data. The most recent (May6, 2010) security issue because of a technical glitch happened when Facebook users were able see their friends’ live chats [34] as they occurred by manipulating the preview my profile feature of Facebook Privacy Settings. This has raised serious concerns among several Facebook users. Mashup Authorizations: Applications using the cloud tend to combine or mash up data from different sources. This could lead to possible security issues relating to data leaks and also authorization of access. One example is Facebook where users provide both sensitive and non sensitive information. This information is not only used by Facebook but also other third party applications run in the cloud. There are some rogue applications on Facebook that try to steal saleable information from the profiles of users who open them. It is of prime importance to provide different set of
authorizations to different applications thereby placing data access control in the hands of the user. Data Remanence : Data remanence is the residual representation of data that have been in some way nominally erased or removed. When deleting sensitive files, a simple delete may not suffice. When a request to delete a cloud resource is made, it may not result in the real wiping out of the data as in the case of most operating systems. Where real data wiping out of data is required, special procedures may have to be followed and these procedures may not be supported by the cloud APIs. Multi-tenancy related attacks: Multitenancy and sharing of resources are important aspects of a cloud. Different resources such as compute power, storage and networking are shared among various cloud customers. This could lead to attacks such as guest-hopping attacks, SQL injection attacks and side channel attacks due to the failure to effectively separate out resources among various customers. Cache Attacks: An attacker’s instances could run on the hardware as that of his potential victims. Hence an attacker could use it to his advantage and try to manipulate and collect information from shared hardware resources such as CPU caches, network queues etc. The adversary by means of network probing, analyzing placement of resources, determining co-residency through means of matching Dom0 IP address etc could strategically place his resources nearer to that of a potential victim. There exists the possibility of information theft from cache memory on multi core systems which are shared between multiple virtual machines in a cloud environment. Also an attacker can measure the utilization of CPU caches and thereby estimate the current workload of co-resident hosts which can be used as a covert channel for attacks. One such example would be that a sender would be idle while transmitting bit ‘0’ and accesses memory to transmit “1”. The receiver accesses a memory block of his own and observes the access latencies. High latencies indicate transmission of a ‘1’ and vice versa. This attack is applicable across VMs, Measures to enhance Cloud Security : Cloud computing provides novel security challenges and hence novel approaches must be adopted to enhance security in cloud computing. There must be seamless extension of control from the enterprise into the cloud through the combination of high-assurance remote server integrity, and cryptographic protocols supporting computation on ciphertext. Some of them are: Strict Registration Process: It is easy for malicious users who have stolen credit card information to register and access cloud services. Hence there is a need for stricter initial registration and validation processes. This could be achieved through enhanced credit card fraud monitoring and coordination. Credit card companies and some banks make use of schemes that uses a multilevel monitoring system which would continuously monitor accounts for atypical patterns of activity that are consistent with fraud. These schemes also give ratings for transactions based on the potential for fraud. It is
imperative that cloud companies get into a partnership with credit card companies and/or also mine information regarding user behavior patterns on the cloud. This would help in monitoring and reporting patterns of abnormal behavior in the cloud. Immutable Audits: Immutable audits allow a cloud services provider to maintain an audit trail that would consists of details like time of data access, the kind of data access and the type of data access by customers over time. Immutable logs are log files that prevent tampering and erroneous insertion of data and used to create a tamper-resistant archive of events. A simple scheme would have a combination of digital hashing and digital signatures used on log entries for integrity verification. An example of immutable audit system is VMware’s Kinamik Secure Audit Vault. Thus logs provide valuable insight and forensic evidence when incidents occur. Inspections of logs and audits: After successful collection of logs, log inspections are used for gathering and analyzing operating system and other logs for all security events. The rules must be framed in such a way to optimize the search of vital security incidents among a large amount of audit data. The information can then be passed on to a centralized stand-alone system for correlation, reporting and archiving. This system must be able detect suspicious behavior, collect security related administrative actions and optimize collection of events across the cloud. Self Policing: Currently a cloud provider can view a customer’s data and leased virtual machines. Virtual- machine introspection (VMI) is the ability to inspect or modify the state of a virtual machine (VM) from the hypervisor or a service VM. This can be used to create a layered set of security services, where the trust model is rooted in an isolated secure VM, without the knowledge or indeed the cooperation of the inspected VM. This technique is particularly useful to improve security in virtualized environments. Such a technique can be adopted in the cloud where the cloud services provider performs checking of client’s virtual machines to ensure whether the operating system state is running properly or whether it contains malicious software such as root- kits. An interesting area of related research is a project named ‘Phantom’ developed by researchers at IBM[9] . This research work aims to lock the hypervisor and prevent malicious communications between Virtual Machines. Thus it aims to protect Virtual Machines by monitoring their execution thereby protecting them against both known and unknown threats. Provable Data Possession: In order to counter the abuse by cloud providers, clients can make use of tools that would check if a server has retained file data without retrieving the data from the server and without having the server access the entire file [7] . The server’s motivation for misbehavior could be discarding rarely used data thereby improving upon storage and gaining monetarily is or hiding a data loss incident that may have occurred due to management errors during migration, hardware failure, compromise of data due to attacks etc. The tools mentioned above generate probabilistic proofs of possession by sampling random sets of blocks from the server and the client maintains a constant amount of metadata such as homomorphic verifiable tags to verify the proof.
Monitoring Mail Related Activity: TCP connections on port 25 should be rate limited and monitored on a per-customer basis to detect spammers. The provider should incorporate functionality to maintain a lookup table of customers’ ids vs. IP addresses captured during address assignment and re-assignment in order to track the activities of malicious users. DNS security: It is important to have a redundant internal and external DNS infrastructure in a cloud environment. Redundancy provides for fault tolerance and is achieved through clustering of DNS servers ACLs within DNS servers must restrict write access to DNS records. Security features such as randomization of query identifiers must be used. DNS clusters must be monitored for unauthorized software and any disruptive events. Privacy-Enhanced Business Intelligence: As noted above, to ensure privacy and confidentiality, it is important that data in the cloud be encrypted. Searching and indexing are key issues when encryption of data is performed. State of the art encryption techniques can be employed in the cloud such as predicate encryption which allows operation and computation on cipher text. The data owner can compute a capability from his/her secret key. A capability encodes a search query, and the cloud can use this capability to decide which documents match the search query, without learning any extra information. Such techniques and techniques such as homomorphic encryption and Private Information Retrieval are areas of future research with regard to cloud security Security in Microsoft Windows Azure: Microsoft’s Windows Azure platform is a group of cloud technologies, each providing a specific set of services to application developers. It is a platform for running Windows applications and storing their data in the cloud. Windows Azure provides Windows-based compute and storage services for cloud applications. Microsoft adopts a defense in depth security approach for Azure. Defense in depth approach constitutes providing a layered model of security. Notable security features of Microsoft Azure are: Access Control Service: Determining a user’s identity is important for an application to ascertain the tasks that a user can perform. To achieve this Azure uses tokens defined using Security Assertion Markup Language (SAML).Each such token contains claims carrying information such as name, role, e-mail id about a user. These tokens are created using a Security Token Service (STS) which digitally signs the claims to verify the source. If a web browser has a token for its user, it can present the token to an application. The application then uses the token’s claims to decide what this user is allowed to do. Service Bus: An application which wants to publish its services registers one or more endpoints through a registry like mechanism known as service bus which exposes them. When some other application
wishes to access this application, it contacts the service bus using Atom Publishing Protocol which in turn returns a service document after which services can be invoked. The important feature of the Service Bus is it can improve security. Clients see only an IP address provided by Service Bus, and hence there arises no need to expose any IP addresses from within an organization. This effectively makes an application anonymous, since the outside world can’t see its IP address. Service Bus acts as an external DMZ, providing a layer of indirection to deter attackers. The Service Bus is also designed to be used with STS discusses above thereby further enhancing security. Other measures at various levels [32] include: • Physical security of the data centers including biometric devices • Firewalls, application gateways and Intrusion Detection Systems offer protection at the network level. • Redundant internal and external DNS infrastructure with restricted write access • Securing virtual machine objects. • Authentication and authorization services for access to data. • Server and operating system hardening. Evaluation of Brute Force Methods across Cloud Instances: This paper also tries to demonstrate a scenario wherein a password recovery script such as John The Ripper ) is used inside a cloud instance such as an Amazon EC2 instance and check the increased capability of running brute force attacks. John the Ripper(JTR) is a free, open source tools password cracking tool. It is popular because it runs on different platforms, combines a multitude of password crackers into a single package and auto detects the type of hashes. Passwords created from popular schemes such as DES, MD5, Blowfish are successfully cracked through this tool. JTR allows cracking of passwords using brute force method and also using wordlists. The purpose of the exercise is to demonstrate the easy availability of computing resources on the cloud and the easy scalability of computing power using cloud services. Amazon EC2 is a part of Amazon’s cloud services that provides capabilities for re-sizeable compute capacity on the cloud. New server instances with varying compute power are obtained within minutes using EC2.Since JTR cracks weak passwords using a wordlist within minutes, the experiment of cracking a password was carried out using the brute force approach. A user name and a simple DES password was used (user:AZl.zWwxIh15Q). The clear form of the password is the simple word “example”. The table below lists the cost, computing power and time taken by JTR to crack the password. The cost has been factored in to indicate the low cost of computing power that can be obtained ‘on-the-fly’ and ‘pay-by-the-hour’.
Exp . No Instance Type CPU Units CPU Cores Memor y Cost Time taken for JTR to brute force crack password (Days:Hrs:Min:Se c) 1 m1.large 4 ECUS 2 7.5 GB $0.34 per Large Instance 0:09:08:38 2 c1.xlarge 20 ECUS 8 cores 7 GB $0.68 per High- CPU Extra Large Instance 0:07:55:15 3 m2.4xlarge 26 ECUS 8 cores 68.4 GB $2.40 per Quadruple Extra Large Instance ( 0:06:58:31 It can be observed from that table that experiment 2 involving instance type c1.xlarge having 20ECUS, 8 CPU cores and 2GB of memory results in a performance improvement of 13.37% over experiment 1 with lesser number of compute power. Experiment3 with a even greater amount of computer power achieves an improvement of a whopping 23.71% over Experiment1. These experiments illustrate the power of the cloud which allows rapid elasticity and flexibility in obtaining high compute power instances hassle free which could be exploited by password hackers to successfully run brute force algorithms in a shorter duration. Conclusion: Cloud computing has been touted as software’s next revolution. Any new technology brings about with its share of concerns and people have been skeptical about cloud security. Cloud concerns are based on the perceived loss of control of sensitive data. While most of these concerns can be cast off as concerns that arise with any new technology, some of the concerns have been legitimate and valid ones. This paper aims to be a useful source of information with vital pointers for any cloud security enthusiast. This paper discusses the security challenges posed in cloud computing, especially the abuse and misuse of the cloud by the customer and sometimes the provider. The paper elaborates on the taxonomy of attacks most of which are novel in the context of a cloud and also instances of these attacks across time on popular cloud services. The paper then focuses on the various strategies and mechanisms adopted by cloud providers to thwart attackers. It finally provides an insight into Microsoft’s promising cloud offering “Microsoft Azure” and the prominent security features of this offering. Acknowledgements: This work was carried out at the Virginia Polytechnic and State University. I would like to thank Dr Danfeng Yao for providing the impetus for this paper. References: [1] Cloud Security Alliance, December 2009, Top Threats Security Guidance for Critical Areas of Focus in Cloud Computing V2.1
[2] Cloud Security Alliance, March 2010, Top Threats to Cloud Computing V 1.0. [3]AOL apologizes for release of user search data. http://news.cnet.com/2100-1030_3-6102793.html. [4] Loss of customer data spurs closure of online storage service 'The Linkup'. http://www.networkworld.com/news/2008/081108-linkup-failure.html [5]Facebook users suffer viral surge. http://news.bbc.co.uk/2/hi/technology/7918839.stm. [6]Virtual I/O Server, Performance and sizing considerations http://www14.software.ibm.com/webapp/set2/sas/f/vios/documentation/perf.html [7] Ateniese, G., Burns, R., Curtmola, R., Herring, J., Kissner, L., Z., Peterson, and Song, D. Provable Data Possession at Untrusted Stores. In CCS. 2007. [8]Immutable Log Files. http://www.securosis.com/blog/immutable-log-files [9] IBM’s Phantom project for Virtualization Security. http://www-03.ibm.com/press/us/en/pressrelease/23833.wss [10] Google’s cloud computing facilities used to host botnet control application. http://searchsecurity.techtarget.com.au/news/36967-Criminals-use-Google-s-cloud-computing- facilities-to-host-botnet-control-application [11]Self-Policing Cloud Computing. http://www.technologyreview.com/computing/23988/page2/ [12]Cloud used for Malicious Purposes http://www.spamfighter.com/News-14013-Legally-Designed-Cloud-Computing-Used-for- Malicious-Purposes.htm [13] Amazon EC2 Used for Hosting BitTorrent Clients. http://news.softpedia.com/news/Amazon-EC2-Used-to-For-Hosting-BitTorrent-Clients- 102821.shtml [14]Amazon EC2’s spam and malware problems http://taint.org/2008/07/02/162007a.html. [15]Economic Denial of Sustainability. http://rationalsecurity.typepad.com/blog/2009/01/a-couple-of-followups-on-my-edos-economic- denial-of-sustainability-concept.html [16] Amazon’s IP addressed blacklisted by Spamhaus http://voices.washingtonpost.com/securityfix/2008/07/amazon_hey_spammers_get_off_my.html [17] Trojan Barok Infostealing Activity http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=21651 [18] Zeus Botnet http://krebsonsecurity.com/2010/02/zeus-a-virus-known-as-botnet/ [19] Microsoft on Cloud Computing. http://www.microsoft.com/presspass/presskits/cloud/videogallery.aspx [20]Salesforce.com http://www.salesforce.com/cloudcomputing/ [21]Information Warfare Monitor, Shadow Server Foundation. Shadows in the Cloud: Investigating Cyber Espionage 2.0. April 2010. [22] Richard Chow, Philippe Golle, Markus Jakobsson, Ryusuke Masuoka, Jesus Molina,Elaine Shi, Jessica Staddon, Ryusuke Masuoka, Jesus Molina. Controlling Data in the Cloud:
Outsourcing Computation without Outsourcing Control. Conference on Computer and Communications Security, 2009. [23] Sun Microsystems. Introduction to Cloud Computing Architecture. WhitePaper. June2009. [24] T. Ristenpart, E. Tromer, H. Shacham, and S. Savage. Hey, You, Get off My Cloud: Exploring Information Leakage in Third-Party Compute Clouds. [25] European Network and Information Security Agency. Benefits, Risks and Recommendations for Information Security. November 2009. [26] Microsoft Global Foundation Services. Securing Microsoft’s Cloud Infrastructure. May 2009. [27]Third Brigade Deep Security Solutions. Cloud Computing Security: Making Virtual Machines Cloud Ready. www.cloudreadysecurity.com [28]Nuno Santos, Krishna P. Gummadi, Rodrigo Rodrigues. Towards Trusted Cloud Computing. [29] Survey: Cloud Computing ’No Hype’, But Fear of Security and Control Slowing Adoption. http: //www.circleid.com/posts/20090226_cloud_computing_hype_security/. [30] David Chappell. Introducing the Windows Azure Platform. August 2009. [31]Crypto Services in Microsoft Azure. http://msdn.microsoft.com/en-us/magazine/ee291586.aspx [32]Microsoft Azure’s Defence in Depth Approach http://www.windowsecurity.com/articles/Microsoft-Azure-Security-Cloud.html [33] WPA cracking http://www.wpacracker.com/ [34] Facebook’s serious privacy and security issues http://www.pcworld.com/article/195722/hey_facebook_you_have_some_serious_privacy_and_s ecurity_pproblem.html [35] Phishing attacks on Salesforce.com customers http://www.zdnet.com/blog/berlind/phishing-based-breach-of-salesforcecom-customer-data-is- more-evidence-of-industrys-need-to-act-on-spam-now/880

More Related Content

PDF
MIST Effective Masquerade Attack Detection in the Cloud
byKumar Goud
 
PDF
Project 3
byPriyanka Goswami
 
DOCX
Cloud Computing Security
byAhmed Banafa
 
PDF
10 security concerns cloud computing
byHossam Zein
 
PDF
Global Security Certification for Governments
byCloudMask inc.
 
PDF
Security Issues in Cloud Computing by rahul abhishek
byEr. rahul abhishek
 
PDF
IRJET- Detection and Isolation of Zombie Attack under Cloud Computing
byIRJET Journal
 
PDF
Symantec & WSJ PRESENTS "MALWARE on Main Street" ...
byMZERMA Amine
 
MIST Effective Masquerade Attack Detection in the Cloud
byKumar Goud
 
Project 3
byPriyanka Goswami
 
Cloud Computing Security
byAhmed Banafa
 
10 security concerns cloud computing
byHossam Zein
 
Global Security Certification for Governments
byCloudMask inc.
 
Security Issues in Cloud Computing by rahul abhishek
byEr. rahul abhishek
 
IRJET- Detection and Isolation of Zombie Attack under Cloud Computing
byIRJET Journal
 
Symantec & WSJ PRESENTS "MALWARE on Main Street" ...
byMZERMA Amine
 

What's hot

PDF
A Comparative Review on Data Security Challenges in Cloud Computing
byIRJET Journal
 
PDF
Cloud Computing Security
byArunvignesh Venkatesh
 
PDF
OneTK: Key Distribution Center at Cloud Providers towards End to End, Securit...
byEditor IJMTER
 
PDF
A survey on cloud security issues and techniques
byijcsa
 
PDF
Cloudifying threats-understanding-cloud-app-attacks-and-defenses joa-eng_0118
byAngelaHoltby
 
DOC
Security Issues in Cloud Computing by rahul abhishek
byEr. rahul abhishek
 
PDF
The Security and Privacy Threats to Cloud Computing
byAnkit Singh
 
PDF
New Approaches to Security and Availability for Cloud Data
byEMC
 
PDF
Balancing Cloud-Based Email Benefits With Security
bySymantec
 
PDF
Trust based Mechanism for Secure Cloud Computing Environment: A Survey
byinventionjournals
 
PDF
Securing a Collaborative Environment
byJoseph Pidala
 
PDF
Security and Privacy Issues of Cloud Computing; Solutions and Secure Framework
byIOSR Journals
 
PDF
Single Sign-on Authentication Model for Cloud Computing using Kerberos
byDeepak Bagga
 
PDF
Analyst Report: The Digital Universe in 2020 - China
byEMC
 
PDF
Why Passwords are not strong enough
byEMC
 
DOCX
4.authentication and key agreement based on anonymous identity for peer to-pe...
byVenkat Projects
 
PPTX
Cloud computing security & forensics (manu)
byClubHack
 
PDF
Encryption Technique for a Trusted Cloud Computing Environment
byIOSR Journals
 
A Comparative Review on Data Security Challenges in Cloud Computing
byIRJET Journal
 
Cloud Computing Security
byArunvignesh Venkatesh
 
OneTK: Key Distribution Center at Cloud Providers towards End to End, Securit...
byEditor IJMTER
 
A survey on cloud security issues and techniques
byijcsa
 
Cloudifying threats-understanding-cloud-app-attacks-and-defenses joa-eng_0118
byAngelaHoltby
 
Security Issues in Cloud Computing by rahul abhishek
byEr. rahul abhishek
 
The Security and Privacy Threats to Cloud Computing
byAnkit Singh
 
New Approaches to Security and Availability for Cloud Data
byEMC
 
Balancing Cloud-Based Email Benefits With Security
bySymantec
 
Trust based Mechanism for Secure Cloud Computing Environment: A Survey
byinventionjournals
 
Securing a Collaborative Environment
byJoseph Pidala
 
Security and Privacy Issues of Cloud Computing; Solutions and Secure Framework
byIOSR Journals
 
Single Sign-on Authentication Model for Cloud Computing using Kerberos
byDeepak Bagga
 
Analyst Report: The Digital Universe in 2020 - China
byEMC
 
Why Passwords are not strong enough
byEMC
 
4.authentication and key agreement based on anonymous identity for peer to-pe...
byVenkat Projects
 
Cloud computing security & forensics (manu)
byClubHack
 
Encryption Technique for a Trusted Cloud Computing Environment
byIOSR Journals
 

Viewers also liked

DOCX
Tugas eka
byMikhael Eka
 
PDF
Norma iram 4501
bymariabeatrizlopez2013
 
PDF
Skyscape 2015-onboces-pdf
byJeff Paye
 
DOC
Report - Final_New_phishila
byAshwin Palani
 
PDF
A new successful project -lamp product--wit mold
byBeta Jiang
 
PPT
Some automotive parts made by WIT MOLD
byBeta Jiang
 
Tugas eka
byMikhael Eka
 
Norma iram 4501
bymariabeatrizlopez2013
 
Skyscape 2015-onboces-pdf
byJeff Paye
 
Report - Final_New_phishila
byAshwin Palani
 
A new successful project -lamp product--wit mold
byBeta Jiang
 
Some automotive parts made by WIT MOLD
byBeta Jiang
 

Similar to Abuse_in_the_Cloud_Palani_Ashwin

PDF
Taxonomy of cloud security
byIJCSEA Journal
 
PDF
SECURITY THREATS ON CLOUD COMPUTING VULNERABILITIES
byijcsit
 
PDF
Seven deadly threats and vulnerabilities in cloud
bycloudresearcher
 
PDF
Seven Deadly Threats and Vulnerabilities in Cloud Computing
byMervat Bamiah
 
PDF
Cloud Computing Security Issues and Challenges
byCSCJournals
 
PDF
Literature Review: Security on cloud computing
bySuranga Nisiwasala
 
PDF
Cloud Computing Security Issues and Challenges
bypaperpublications3
 
PDF
SECURE CLOUD ARCHITECTURE
byacijjournal
 
PPTX
Cloud Computing Chap-4 (1)for_comp-science.pptx
by8718amrindange
 
PDF
Introduction to cloud security
byIAEME Publication
 
PDF
Cloud Security Guidance: IBM Recommendations For The Implementation Of Cloud ...
byIBM India Smarter Computing
 
DOCX
Challenges and Mechanisms for Securing Data in Mobile Cloud Computing
byijcnes
 
PDF
International journal of computer science and innovation vol 2015-n2-paper4
bysophiabelthome
 
DOC
Security threats in cloud computing
byPuneet Arora
 
PDF
Appraisal of the Most Prominent Attacks due to Vulnerabilities in Cloud Compu...
bySalam Shah
 
PDF
Cloud computing and security issues in the
byIJNSA Journal
 
PDF
Welcome to International Journal of Engineering Research and Development (IJERD)
byIJERD Editor
 
PDF
CLOUD COMPUTING AND SECURITY ISSUES IN THE CLOUD
byIJNSA Journal
 
DOCX
CLOUD COMPUTING -Risks, Countermeasures, Costs and Benefits-
byLillian Ekwosi-Egbulem
 
PDF
Identified Vulnerabilitis And Threats In Cloud Computing
byIOSR Journals
 
Taxonomy of cloud security
byIJCSEA Journal
 
SECURITY THREATS ON CLOUD COMPUTING VULNERABILITIES
byijcsit
 
Seven deadly threats and vulnerabilities in cloud
bycloudresearcher
 
Seven Deadly Threats and Vulnerabilities in Cloud Computing
byMervat Bamiah
 
Cloud Computing Security Issues and Challenges
byCSCJournals
 
Literature Review: Security on cloud computing
bySuranga Nisiwasala
 
Cloud Computing Security Issues and Challenges
bypaperpublications3
 
SECURE CLOUD ARCHITECTURE
byacijjournal
 
Cloud Computing Chap-4 (1)for_comp-science.pptx
by8718amrindange
 
Introduction to cloud security
byIAEME Publication
 
Cloud Security Guidance: IBM Recommendations For The Implementation Of Cloud ...
byIBM India Smarter Computing
 
Challenges and Mechanisms for Securing Data in Mobile Cloud Computing
byijcnes
 
International journal of computer science and innovation vol 2015-n2-paper4
bysophiabelthome
 
Security threats in cloud computing
byPuneet Arora
 
Appraisal of the Most Prominent Attacks due to Vulnerabilities in Cloud Compu...
bySalam Shah
 
Cloud computing and security issues in the
byIJNSA Journal
 
Welcome to International Journal of Engineering Research and Development (IJERD)
byIJERD Editor
 
CLOUD COMPUTING AND SECURITY ISSUES IN THE CLOUD
byIJNSA Journal
 
CLOUD COMPUTING -Risks, Countermeasures, Costs and Benefits-
byLillian Ekwosi-Egbulem
 
Identified Vulnerabilitis And Threats In Cloud Computing
byIOSR Journals
 

Abuse_in_the_Cloud_Palani_Ashwin

  • 1.
    Cloud Computing Security:A Report on Abuse and Nefarious Use of Clouds Ashwin Palani Motivation: Cloud computing is the latest computing paradigm where most businesses are concentrating their research and resources to achieve ‘on-demand’ self service. Companies are attracted towards the notion of a cloud which encompasses separation of application and data from the underlying infrastructure comprising of computing, network and storage resources making use of software, platform and infrastructure as a service models. The capabilities along with risks are inherited as we move from the software towards infrastructure service models. Though security mechanisms in cloud computing appears similar in nature to traditional computing, the virtualization approaches and the models of operation present risks that would be of a different nature. The redrawing of perimeters of trust boundaries in an organization is a major impact of cloud computing. The dynamic nature of cloud computing poses new challenges to existing static security mechanisms. Any information previously stored locally could now be stored in a cloud, including email, word processing documents, spreadsheets, videos, health records, photographs, tax or other financial information, business plans, accounting information, address books, and more. The entire contents of a user’s previous storage device may be stored with a single cloud provider or with many cloud providers. Whenever an individual, a business, a government agency, or other entity shares information in the cloud, security issues arise. Security risks now also depend on the type of assets and resources being managed, the managing authority, virtualization strategies and the integration of consumer and provider security controls. More attention needs to be provided on confidentiality, integrity, availability, authentication, authorization, and non-Repudiation services. The location and availability of data along with the nature of data to be commingled with other cloud computers, legal and privacy issues are major areas that need focus with respect to cloud computing. Technologies like two factor authentication along with virtual private networks are gaining prominence in cloud computing environments. The expanded capabilities of cloud computing also provide attackers with ability to launch novel threats. Credible and challenging threats to cloud environments include co-residence attacks such as mounting cross- VM side-channel attacks to extract information from a target VM on the same machine and also other DNS and routing attacks. Thus cloud computing provides security researchers and enthusiasts with a large number of interesting challenges. The objectives of this paper are fivefold: i) Understand the working of a cloud, the various virtualizations involved along with Infrastructure, Platform and Software as A Service Models. ii) Identify and understand the taxonomy of security challenges and issues in the context of abuse and nefarious use of cloud services citing various incidents of cloud abuse. iii) Identify the current security mechanisms and best security practices provided by cloud services and also look at future research and direction in thwarting attacks arising from abuse of the cloud. iv) Brief overview of the novel security aspects of Microsoft’s cloud venture Microsoft Azure. v) Evaluation of a brute force password cracking tool among various types of Amazon instances.
  • 2.
    Abuse and NefariousUse of Cloud Computing: The cloud with its great potential for flexibility, agility, availability and capability for addition of computing resources on demand comes laced with its own set of potential security risks and issues. This possibility of security loopholes, with cloud computing being a largely evolving technology raises concerns among various stakeholders and existing and potential customers of cloud computing. The Cloud Security Alliance, a nonprofit organization which promotes the use of best practices for providing security assurance within Cloud Computing had listed “Abuse and Nefarious Use of Cloud Computing” as the top threat for cloud security as part of its latest research findings on this issue. This particular threat is the primary motivation of this paper. Nefarious use and abuses comprise of but not limited to launching DDOS attacks from the cloud, hosting malicious data, running password hacks, providing botnet command and control, managing rainbow tables and CAPTCHA forms within the cloud [1] . This paper tries to enlist and understand the taxonomy of various threats that would fall under this topic. The paper also discusses past, existing and potential future scenarios of various kinds of misuse of cloud services and also the possible approaches to deal with these issues. This paper also tries to demonstrate a scenario wherein malicious activities are carried out on a cloud instance and check the increased capability of running brute force attacks and also the capability or lack of it of the cloud services provider/environment to detect and/or restrict such activity. The following section discusses identified threats arising due to the abuse of cloud infrastructure even among cloud computing leaders like Amazon EC2, Google etc. Key Security Issues : Easy Registration Model: Clouds service providers usually have a business model that provides a simple registration process for the customers to use cloud instances where in many instances credit card information alone is sufficient to gain access to cloud resources. This is exploited to a great extent by spammers and hackers who have previously stolen credit card information through which they buy access to cloud resources to perform other malicious activity and it makes it impossible to trace the real culprits behind a malicious activity. In order to promote their services, cloud services provide promotional offers such as limited trials which are another means of exploiting cloud services for malicious activity. Dynamically Changing IPs: Cloud Customers are provided with dynamic IP addresses (for eg Amazon Ec2) which rapidly change from time to time. This makes it extremely difficult for organizations to block out spam originating from these spurious instances. Hence organizations tend to block out the entire IP range of the cloud services provider. Similarly even if an abuse is reported an instance may be terminated. But the same spammer operating on the previous instance only needs to buy out a new instance and carry out malicious activities without getting detected. Black Listing of Cloud URLS:
  • 3.
    The result ofdynamically changing IPs problem is that since malicious users tend to get away with their activities and the difficulty in tracking them the entire range of IP addresses from a cloud provider are sometimes blocked. One such example was when one of the largest real time black list provider Spamhaus blacklisted all Amazon EC2 instances’ IP addresses. ISPs, email servers, anti-phishing plugins, networking devices etc make use of these blacklists and hence when an entire range of IP address is blocked, even legitimate users are not able to send their traffic to their intended destinations which gets rejected as spam. The anonymity and difficulty in detection obtained through the nature of cloud services enables organizations/individuals with malicious intent to perform various nefarious activities. Some of them are listed below: Botnets: The Zeus botnet and infostealing Trojan horses were identified by CSA as major malicious software with capabilities to compromise confidential data on cloud platforms. The Zeus Trojan was a keylogger that stole data such as login credentials, account numbers and credit card information. The scheme was to design fake HTML forms on banking login pages to allow hackers to steal user data. Zeus alone amounted to around $100 million in bank fraud in 2009. This most wanted Botnet was captured on an Amazon EC2 cloud used to host the central server to control compromised machines, in late 2009. Infected machines would contact a server hosted in Amazon's cloud to download updates and additional functionality to compromised hosts. In 2008, spammers used Amazon EC2 to carry out a malicious campaign of porn-related junk e- mail. A recent report by Munk Centre for International Studies also elaborates on how espionage networks such as Ghostnet exploits the cloud. Bit torrents: Cloud services allow bit torrent traffic to bypass ISP throttling. Thus leaching and seeding can be done at far greater speeds and this provides online pirates with a mechanism to transfer illegitimate software at better speeds with very little chance of detection. The inherent danger is that people in organizations could use bittorrents to download files to legitimate domains such as Amazon EC2 and thereafter download copyrighted work from the cloud to corporate computers making it extremely difficult for internal firewalls to block-out traffic from these legitimate sources thereby leading to a possible copyright infringement of malware infection for the company. Phishing Attacks: The change towards increased hosting of data and applications in the cloud increases the threat of phishing and other abusive technologies aimed at stealing access credentials. Cloud services have encountered phishing attacks. One such scenario [35] in 2007 involved a Salesforce.com employee who divulged company password information that allowed attackers access to customer contact list. The customers then became the target of phishing attacks when they started receiving mails that resembled invoices from salesforce.com Password Hacking: The anonymity provided by the cloud along with its tremendous scalability provides capabilities for accelerated brute force cracking of passwords. WPA-PSK networks are vulnerable to
  • 4.
    dictionary attacks butrunning a large enough dictionary over a WPA handshake would take days together, WPA cracker [33] a password cracking service makes use of the services of the cloud by providing access to a 400 CPU cluster with 135 million word dictionary and cracks the password within minutes. This illustrates the trend in tapping the power of the cloud in carrying out brute force attacks. Economic Denial of Sustainability Attack: Malicious software could be used to dynamically impact the number of resources being consumed by a customer thereby increasing the billing amount of the customer. Interestingly, an attacker can continuously generate traffic onto the victim and thereby trigger new victim instances due to the use of auto scaling systems. These automatically provision and grow the number of instances used by a service on-the-fly to meet spikes in demand. Examples of such self scaling systems are scalr(self-scaling hosting environment utilizing Amazon's EC2.) , Amazon Simple Queue Service, and RightGrid. Such attacks destroy economic resources of the victim which would have a major economic impact sometimes even leading to bankruptcy. Privacy Issues: There are avenues of misuse of the power of the cloud not only from the cloud customer’s perspective but also from the cloud provider’s perspective. Any cloud would contain a large amount of datasets that can be used as possible revenue generation avenues by collaboration with advertisement agencies. Google allows its cloud to collect and analyze consumer data for its advertising wing. Also such mining of data would allow malicious persons to extract information which otherwise would be unavailable thereby creating privacy issues. Proponents of privacy have helped enact a lawsuit that would curtail a company’s rights to retain identity of collected information only for 18 months after which it would be anonymized. Anonymization is a difficult process in itself and needs effective tools to ensure complete anonymization of data. Also there could be issues of indirect data mining where a cloud provider might gain insider knowledge by observing transactional and relationship information such as the pending merger of two companies. An example of cloud provider failing in terms of ensuring privacy happened with Google when cloud based applications like Google Doc inadvertently shared some users’ documents with contacts that were never granted access. This was a major incident which highlighted the example of some technical glitch exposing sensitive data. The most recent (May6, 2010) security issue because of a technical glitch happened when Facebook users were able see their friends’ live chats [34] as they occurred by manipulating the preview my profile feature of Facebook Privacy Settings. This has raised serious concerns among several Facebook users. Mashup Authorizations: Applications using the cloud tend to combine or mash up data from different sources. This could lead to possible security issues relating to data leaks and also authorization of access. One example is Facebook where users provide both sensitive and non sensitive information. This information is not only used by Facebook but also other third party applications run in the cloud. There are some rogue applications on Facebook that try to steal saleable information from the profiles of users who open them. It is of prime importance to provide different set of
  • 5.
    authorizations to differentapplications thereby placing data access control in the hands of the user. Data Remanence : Data remanence is the residual representation of data that have been in some way nominally erased or removed. When deleting sensitive files, a simple delete may not suffice. When a request to delete a cloud resource is made, it may not result in the real wiping out of the data as in the case of most operating systems. Where real data wiping out of data is required, special procedures may have to be followed and these procedures may not be supported by the cloud APIs. Multi-tenancy related attacks: Multitenancy and sharing of resources are important aspects of a cloud. Different resources such as compute power, storage and networking are shared among various cloud customers. This could lead to attacks such as guest-hopping attacks, SQL injection attacks and side channel attacks due to the failure to effectively separate out resources among various customers. Cache Attacks: An attacker’s instances could run on the hardware as that of his potential victims. Hence an attacker could use it to his advantage and try to manipulate and collect information from shared hardware resources such as CPU caches, network queues etc. The adversary by means of network probing, analyzing placement of resources, determining co-residency through means of matching Dom0 IP address etc could strategically place his resources nearer to that of a potential victim. There exists the possibility of information theft from cache memory on multi core systems which are shared between multiple virtual machines in a cloud environment. Also an attacker can measure the utilization of CPU caches and thereby estimate the current workload of co-resident hosts which can be used as a covert channel for attacks. One such example would be that a sender would be idle while transmitting bit ‘0’ and accesses memory to transmit “1”. The receiver accesses a memory block of his own and observes the access latencies. High latencies indicate transmission of a ‘1’ and vice versa. This attack is applicable across VMs, Measures to enhance Cloud Security : Cloud computing provides novel security challenges and hence novel approaches must be adopted to enhance security in cloud computing. There must be seamless extension of control from the enterprise into the cloud through the combination of high-assurance remote server integrity, and cryptographic protocols supporting computation on ciphertext. Some of them are: Strict Registration Process: It is easy for malicious users who have stolen credit card information to register and access cloud services. Hence there is a need for stricter initial registration and validation processes. This could be achieved through enhanced credit card fraud monitoring and coordination. Credit card companies and some banks make use of schemes that uses a multilevel monitoring system which would continuously monitor accounts for atypical patterns of activity that are consistent with fraud. These schemes also give ratings for transactions based on the potential for fraud. It is
  • 6.
    imperative that cloudcompanies get into a partnership with credit card companies and/or also mine information regarding user behavior patterns on the cloud. This would help in monitoring and reporting patterns of abnormal behavior in the cloud. Immutable Audits: Immutable audits allow a cloud services provider to maintain an audit trail that would consists of details like time of data access, the kind of data access and the type of data access by customers over time. Immutable logs are log files that prevent tampering and erroneous insertion of data and used to create a tamper-resistant archive of events. A simple scheme would have a combination of digital hashing and digital signatures used on log entries for integrity verification. An example of immutable audit system is VMware’s Kinamik Secure Audit Vault. Thus logs provide valuable insight and forensic evidence when incidents occur. Inspections of logs and audits: After successful collection of logs, log inspections are used for gathering and analyzing operating system and other logs for all security events. The rules must be framed in such a way to optimize the search of vital security incidents among a large amount of audit data. The information can then be passed on to a centralized stand-alone system for correlation, reporting and archiving. This system must be able detect suspicious behavior, collect security related administrative actions and optimize collection of events across the cloud. Self Policing: Currently a cloud provider can view a customer’s data and leased virtual machines. Virtual- machine introspection (VMI) is the ability to inspect or modify the state of a virtual machine (VM) from the hypervisor or a service VM. This can be used to create a layered set of security services, where the trust model is rooted in an isolated secure VM, without the knowledge or indeed the cooperation of the inspected VM. This technique is particularly useful to improve security in virtualized environments. Such a technique can be adopted in the cloud where the cloud services provider performs checking of client’s virtual machines to ensure whether the operating system state is running properly or whether it contains malicious software such as root- kits. An interesting area of related research is a project named ‘Phantom’ developed by researchers at IBM[9] . This research work aims to lock the hypervisor and prevent malicious communications between Virtual Machines. Thus it aims to protect Virtual Machines by monitoring their execution thereby protecting them against both known and unknown threats. Provable Data Possession: In order to counter the abuse by cloud providers, clients can make use of tools that would check if a server has retained file data without retrieving the data from the server and without having the server access the entire file [7] . The server’s motivation for misbehavior could be discarding rarely used data thereby improving upon storage and gaining monetarily is or hiding a data loss incident that may have occurred due to management errors during migration, hardware failure, compromise of data due to attacks etc. The tools mentioned above generate probabilistic proofs of possession by sampling random sets of blocks from the server and the client maintains a constant amount of metadata such as homomorphic verifiable tags to verify the proof.
  • 7.
    Monitoring Mail RelatedActivity: TCP connections on port 25 should be rate limited and monitored on a per-customer basis to detect spammers. The provider should incorporate functionality to maintain a lookup table of customers’ ids vs. IP addresses captured during address assignment and re-assignment in order to track the activities of malicious users. DNS security: It is important to have a redundant internal and external DNS infrastructure in a cloud environment. Redundancy provides for fault tolerance and is achieved through clustering of DNS servers ACLs within DNS servers must restrict write access to DNS records. Security features such as randomization of query identifiers must be used. DNS clusters must be monitored for unauthorized software and any disruptive events. Privacy-Enhanced Business Intelligence: As noted above, to ensure privacy and confidentiality, it is important that data in the cloud be encrypted. Searching and indexing are key issues when encryption of data is performed. State of the art encryption techniques can be employed in the cloud such as predicate encryption which allows operation and computation on cipher text. The data owner can compute a capability from his/her secret key. A capability encodes a search query, and the cloud can use this capability to decide which documents match the search query, without learning any extra information. Such techniques and techniques such as homomorphic encryption and Private Information Retrieval are areas of future research with regard to cloud security Security in Microsoft Windows Azure: Microsoft’s Windows Azure platform is a group of cloud technologies, each providing a specific set of services to application developers. It is a platform for running Windows applications and storing their data in the cloud. Windows Azure provides Windows-based compute and storage services for cloud applications. Microsoft adopts a defense in depth security approach for Azure. Defense in depth approach constitutes providing a layered model of security. Notable security features of Microsoft Azure are: Access Control Service: Determining a user’s identity is important for an application to ascertain the tasks that a user can perform. To achieve this Azure uses tokens defined using Security Assertion Markup Language (SAML).Each such token contains claims carrying information such as name, role, e-mail id about a user. These tokens are created using a Security Token Service (STS) which digitally signs the claims to verify the source. If a web browser has a token for its user, it can present the token to an application. The application then uses the token’s claims to decide what this user is allowed to do. Service Bus: An application which wants to publish its services registers one or more endpoints through a registry like mechanism known as service bus which exposes them. When some other application
  • 8.
    wishes to accessthis application, it contacts the service bus using Atom Publishing Protocol which in turn returns a service document after which services can be invoked. The important feature of the Service Bus is it can improve security. Clients see only an IP address provided by Service Bus, and hence there arises no need to expose any IP addresses from within an organization. This effectively makes an application anonymous, since the outside world can’t see its IP address. Service Bus acts as an external DMZ, providing a layer of indirection to deter attackers. The Service Bus is also designed to be used with STS discusses above thereby further enhancing security. Other measures at various levels [32] include: • Physical security of the data centers including biometric devices • Firewalls, application gateways and Intrusion Detection Systems offer protection at the network level. • Redundant internal and external DNS infrastructure with restricted write access • Securing virtual machine objects. • Authentication and authorization services for access to data. • Server and operating system hardening. Evaluation of Brute Force Methods across Cloud Instances: This paper also tries to demonstrate a scenario wherein a password recovery script such as John The Ripper ) is used inside a cloud instance such as an Amazon EC2 instance and check the increased capability of running brute force attacks. John the Ripper(JTR) is a free, open source tools password cracking tool. It is popular because it runs on different platforms, combines a multitude of password crackers into a single package and auto detects the type of hashes. Passwords created from popular schemes such as DES, MD5, Blowfish are successfully cracked through this tool. JTR allows cracking of passwords using brute force method and also using wordlists. The purpose of the exercise is to demonstrate the easy availability of computing resources on the cloud and the easy scalability of computing power using cloud services. Amazon EC2 is a part of Amazon’s cloud services that provides capabilities for re-sizeable compute capacity on the cloud. New server instances with varying compute power are obtained within minutes using EC2.Since JTR cracks weak passwords using a wordlist within minutes, the experiment of cracking a password was carried out using the brute force approach. A user name and a simple DES password was used (user:AZl.zWwxIh15Q). The clear form of the password is the simple word “example”. The table below lists the cost, computing power and time taken by JTR to crack the password. The cost has been factored in to indicate the low cost of computing power that can be obtained ‘on-the-fly’ and ‘pay-by-the-hour’.
  • 9.
    Exp . No Instance Type CPU Units CPU Cores Memor y Cost Time takenfor JTR to brute force crack password (Days:Hrs:Min:Se c) 1 m1.large 4 ECUS 2 7.5 GB $0.34 per Large Instance 0:09:08:38 2 c1.xlarge 20 ECUS 8 cores 7 GB $0.68 per High- CPU Extra Large Instance 0:07:55:15 3 m2.4xlarge 26 ECUS 8 cores 68.4 GB $2.40 per Quadruple Extra Large Instance ( 0:06:58:31 It can be observed from that table that experiment 2 involving instance type c1.xlarge having 20ECUS, 8 CPU cores and 2GB of memory results in a performance improvement of 13.37% over experiment 1 with lesser number of compute power. Experiment3 with a even greater amount of computer power achieves an improvement of a whopping 23.71% over Experiment1. These experiments illustrate the power of the cloud which allows rapid elasticity and flexibility in obtaining high compute power instances hassle free which could be exploited by password hackers to successfully run brute force algorithms in a shorter duration. Conclusion: Cloud computing has been touted as software’s next revolution. Any new technology brings about with its share of concerns and people have been skeptical about cloud security. Cloud concerns are based on the perceived loss of control of sensitive data. While most of these concerns can be cast off as concerns that arise with any new technology, some of the concerns have been legitimate and valid ones. This paper aims to be a useful source of information with vital pointers for any cloud security enthusiast. This paper discusses the security challenges posed in cloud computing, especially the abuse and misuse of the cloud by the customer and sometimes the provider. The paper elaborates on the taxonomy of attacks most of which are novel in the context of a cloud and also instances of these attacks across time on popular cloud services. The paper then focuses on the various strategies and mechanisms adopted by cloud providers to thwart attackers. It finally provides an insight into Microsoft’s promising cloud offering “Microsoft Azure” and the prominent security features of this offering. Acknowledgements: This work was carried out at the Virginia Polytechnic and State University. I would like to thank Dr Danfeng Yao for providing the impetus for this paper. References: [1] Cloud Security Alliance, December 2009, Top Threats Security Guidance for Critical Areas of Focus in Cloud Computing V2.1
  • 10.
    [2] Cloud SecurityAlliance, March 2010, Top Threats to Cloud Computing V 1.0. [3]AOL apologizes for release of user search data. http://news.cnet.com/2100-1030_3-6102793.html. [4] Loss of customer data spurs closure of online storage service 'The Linkup'. http://www.networkworld.com/news/2008/081108-linkup-failure.html [5]Facebook users suffer viral surge. http://news.bbc.co.uk/2/hi/technology/7918839.stm. [6]Virtual I/O Server, Performance and sizing considerations http://www14.software.ibm.com/webapp/set2/sas/f/vios/documentation/perf.html [7] Ateniese, G., Burns, R., Curtmola, R., Herring, J., Kissner, L., Z., Peterson, and Song, D. Provable Data Possession at Untrusted Stores. In CCS. 2007. [8]Immutable Log Files. http://www.securosis.com/blog/immutable-log-files [9] IBM’s Phantom project for Virtualization Security. http://www-03.ibm.com/press/us/en/pressrelease/23833.wss [10] Google’s cloud computing facilities used to host botnet control application. http://searchsecurity.techtarget.com.au/news/36967-Criminals-use-Google-s-cloud-computing- facilities-to-host-botnet-control-application [11]Self-Policing Cloud Computing. http://www.technologyreview.com/computing/23988/page2/ [12]Cloud used for Malicious Purposes http://www.spamfighter.com/News-14013-Legally-Designed-Cloud-Computing-Used-for- Malicious-Purposes.htm [13] Amazon EC2 Used for Hosting BitTorrent Clients. http://news.softpedia.com/news/Amazon-EC2-Used-to-For-Hosting-BitTorrent-Clients- 102821.shtml [14]Amazon EC2’s spam and malware problems http://taint.org/2008/07/02/162007a.html. [15]Economic Denial of Sustainability. http://rationalsecurity.typepad.com/blog/2009/01/a-couple-of-followups-on-my-edos-economic- denial-of-sustainability-concept.html [16] Amazon’s IP addressed blacklisted by Spamhaus http://voices.washingtonpost.com/securityfix/2008/07/amazon_hey_spammers_get_off_my.html [17] Trojan Barok Infostealing Activity http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=21651 [18] Zeus Botnet http://krebsonsecurity.com/2010/02/zeus-a-virus-known-as-botnet/ [19] Microsoft on Cloud Computing. http://www.microsoft.com/presspass/presskits/cloud/videogallery.aspx [20]Salesforce.com http://www.salesforce.com/cloudcomputing/ [21]Information Warfare Monitor, Shadow Server Foundation. Shadows in the Cloud: Investigating Cyber Espionage 2.0. April 2010. [22] Richard Chow, Philippe Golle, Markus Jakobsson, Ryusuke Masuoka, Jesus Molina,Elaine Shi, Jessica Staddon, Ryusuke Masuoka, Jesus Molina. Controlling Data in the Cloud:
  • 11.
    Outsourcing Computation withoutOutsourcing Control. Conference on Computer and Communications Security, 2009. [23] Sun Microsystems. Introduction to Cloud Computing Architecture. WhitePaper. June2009. [24] T. Ristenpart, E. Tromer, H. Shacham, and S. Savage. Hey, You, Get off My Cloud: Exploring Information Leakage in Third-Party Compute Clouds. [25] European Network and Information Security Agency. Benefits, Risks and Recommendations for Information Security. November 2009. [26] Microsoft Global Foundation Services. Securing Microsoft’s Cloud Infrastructure. May 2009. [27]Third Brigade Deep Security Solutions. Cloud Computing Security: Making Virtual Machines Cloud Ready. www.cloudreadysecurity.com [28]Nuno Santos, Krishna P. Gummadi, Rodrigo Rodrigues. Towards Trusted Cloud Computing. [29] Survey: Cloud Computing ’No Hype’, But Fear of Security and Control Slowing Adoption. http: //www.circleid.com/posts/20090226_cloud_computing_hype_security/. [30] David Chappell. Introducing the Windows Azure Platform. August 2009. [31]Crypto Services in Microsoft Azure. http://msdn.microsoft.com/en-us/magazine/ee291586.aspx [32]Microsoft Azure’s Defence in Depth Approach http://www.windowsecurity.com/articles/Microsoft-Azure-Security-Cloud.html [33] WPA cracking http://www.wpacracker.com/ [34] Facebook’s serious privacy and security issues http://www.pcworld.com/article/195722/hey_facebook_you_have_some_serious_privacy_and_s ecurity_pproblem.html [35] Phishing attacks on Salesforce.com customers http://www.zdnet.com/blog/berlind/phishing-based-breach-of-salesforcecom-customer-data-is- more-evidence-of-industrys-need-to-act-on-spam-now/880