3. CCSK, CCSP, CCAK, ACSP
Moshe Farber
• Information security professional for over 20 years
• Founder, partner and investor at various cyber initiatives and startups
• Popular industry speaker & lecturer (DEFCON, RSA, BLACKHAT,
INFOSEC and more)
• Co-hosting the Silverlining podcast – learn about security engineering
• Founding committee member for ISC2 CCSP and CSA CCSK, CCAK certifications
• Member of the board at Macshava Tova – Narrowing societal gaps
• Chairman of the Board, Cloud Security Alliance, Israeli Chapter
• Cloud Security Course Schedule can be found at:
https://onlinecloudsec.com/speaking-schedule/
4. About the Cloud Security Alliance
• Global, not-for-profit organization
• Building security best practices for next-generation IT
• Research and educational programs
• Certifications for cloud providers and security professionals
• Awareness and marketing
• The globally authoritative source for Trust in the Cloud
“To promote the use of best practices for providing security assurance within Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing”
6. What are we going to talk about?
• Cloud computing threats – what are they?
• What are the attack vectors?
• How do they reflect in the real world?
20. #11 Abuse & Nefarious use of Cloud Services
21. Recommendation, Cloud Providers
• Invest in consumer-visible controls
• You might be a link in a supply chain attack – think about your role in your customers' security
• Start with good building blocks:
• Secure software development life cycle
• Security in operations
• Transparency
• CSA tools and research can help you build good foundations
22. Recommendation, Cloud Consumers
• Invest in education.
• There are 4 kinds of security controls. Make sure you use the right mixture.
• Establish a cloud strategy.
• Audit your provider, its services and the supply chain.
• Preventive: anti-virus, authentication
• Detective: IDS, logs
• Corrective: patches, scanning
• Compensatory: DR & backups, audits
Data breaches
The classic ones: Uber, Microsoft, Verizon, Weight Watchers
The role of the supply chain: 4 or 5 different roles
Talk about the shared responsibility between the provider and the consumer
Booking.com partners' misconfigured bucket
Chtrbox leaked 50M Instagram records
Exactis leaked customer information
Misconfiguration and inadequate change control
Let's talk about S3 & DB misconfigurations
S3: 120M Brazilian citizens
MongoDB: 96 million Mexican voters
Israel: Elector app DB leaking
Israel, MongoDB: Paybox
Elasticsearch: 8M hotel guests' details on an AAVGO Elasticsearch server
Lack of cloud security architecture and strategy
Accenture: 137GB of cloud strategy data exposed
Also happened to Deloitte; also happened to me (Dropbox)
Myspace lost 12 years of photos
KPMG lost all Teams data
Lack of strategy leads to:
FinOps, denial of wallet
The China Great Wall
Lack of understanding about backups
Insufficient identity, credential, access and key management
Identity is the new perimeter
Lots of startups are doing identity
The growing number of phishing attacks on Office 365
SolarWinds and Golden SAML attacks (from internal to the cloud)
Scraping GitHub for credentials – talk about access keys
Account hijacking
The account hijacking of Elon Musk, AP (about Barack Obama)
Code Spaces vs. just phishing (hijacking in SaaS vs. IaaS)
What can we learn from Code Spaces: reducing the blast radius
Insider threats
Consumers:
Elon Musk – the Twitter hack
Snapchat employees
Yahoo – former employee admin hacked 6,000 accounts for sexual content
Industrial espionage
Tesla: malicious insider stole plans
Angry employee
600 WebEx servers deleted
Even happening to security companies
Trend Micro employee sold customer data
Governments
Microsoft sharing Indian citizens' banking data with the US
Twitter employee spied for Saudi Arabia on government critics
Cloud providers are the new Fort Knox
Insecure interfaces and APIs
APIs are the new B2B
Automation, open banking, customers
APIs are the new authentication & authorization engines
Access tokens are a target
Facebook – "View As" API exposed 50M accounts by stealing access tokens
Salesforce – data leakage through misconfigured APIs
Instagram API glitch – scraping millions of records, posting on users' behalf
Remind about our research paper
Other interfaces:
Metadata – used in Capital One
Weak control plane
Capital One – least privilege
AMIs & malicious images
Docker Hub malicious images
AWS Marketplace Windows 7 image with bitcoin mining
Metastructure and applistructure
Talk about provider failures
Google deleted our G Suite
Google suspended an account
DigitalOcean falsely detected a crypto miner and shut the company down
Facebook and Twitter closed Trump's account / Parler
Limited cloud visibility
Talk about shadow IT
Hospitals
Hillary Clinton
Abuse & nefarious use of cloud services
Zepto ransomware delivered through cloud storage apps
Telegram used to deliver HeroRat
Google Drive and OneDrive links
Sometimes the abusers are governments
Grindr & TikTok – Chinese owners forced to sell
German and French governments are saying the USA is abusing cloud services
Classic Data breaches:
https://www.bleepingcomputer.com/news/security/weight-watchers-it-infrastructure-exposed-via-no-password-kubernetes-server/
https://awsinsider.net/articles/2017/11/21/uber-aws-data-breach.aspx
https://www.zdnet.com/article/microsoft-discloses-security-breach-of-customer-support-database/
Partners:
Partners of Booking.com:
https://www.itgovernance.co.uk/blog/millions-of-expedia-and-booking-com-customers-at-risk-after-data-breach
Marketing data:
https://www.wired.com/story/exactis-database-leak-340-million-records/amp
Verizon 12 million – the shared responsibility model
Instagram 50M leaked due to Chtrbox, a partner:
https://techcrunch.com/2019/05/20/instagram-influencer-celebrity-accounts-scraped/
120m records:
https://www.forbes.com/sites/thomasbrewster/2017/12/19/120m-american-households-exposed-in-massive-consumerview-database-leak/
230m records:
https://www.wired.com/story/exactis-database-leak-340-million-records/
Supply chain:
short-circuit-how-a-robotics-vendor-exposed-confidential-data-for-major- manufacturing-companies
Misconfiguration of S3:
https://www.scmagazine.com/home/security-news/exposed-s3-bucket-compromises-120-million-brazilian-citizens/
https://www.helpnetsecurity.com/2019/07/11/magecart-unsecured-s3-buckets/
https://gizmodo.com/amazon-engineer-leaked-private-encryption-keys-outside-1841160934
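An added example (not code from the slides) of checking the two ways a bucket in the S3 cases above ends up world-readable: a grant to the AllUsers or AuthenticatedUsers group in the bucket ACL, and an Allow statement with an anonymous principal in the bucket policy. The bucket names, ACLs and policies below are constructed; the dict shapes follow what boto3's get_bucket_acl() and get_bucket_policy() return, so the same functions can be fed live output.

```python
"""Flag S3 buckets that are readable by anyone through their ACL or bucket policy.

Added example for the S3 misconfiguration cases above; it is not code from the
slides. The two sample buckets are constructed, and their ACL/policy dicts mimic
the shapes boto3 returns from get_bucket_acl() and get_bucket_policy(), so the
same functions can be fed live API output.
"""
import json

# Grantee URIs that make an ACL grant public (anyone, or anyone with an AWS account).
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
READ_PERMISSIONS = {"READ", "FULL_CONTROL"}


def _as_list(value):
    """Policy documents allow a string or a list in most fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def public_acl_grants(acl):
    """Return (group, permission) for every ACL grant that lets a global group read."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            if grant.get("Permission") in READ_PERMISSIONS:
                findings.append((grantee["URI"].rsplit("/", 1)[-1], grant["Permission"]))
    return findings


def _principal_is_anonymous(principal):
    """'Principal': '*' and 'Principal': {'AWS': '*'} both mean 'anyone'."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def public_policy_statements(policy_json):
    """Split anonymous Allow statements into unconditional (public) and conditional ones.

    A Condition such as aws:SourceVpce or aws:SourceIp can confine an otherwise
    public statement, so those are returned separately for manual review.
    """
    policy = json.loads(policy_json) if isinstance(policy_json, str) else policy_json
    public, conditional = [], []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or not _principal_is_anonymous(stmt.get("Principal")):
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        target = conditional if stmt.get("Condition") else public
        target.append((stmt.get("Sid"), actions))
    return public, conditional


def assess_bucket(name, acl, policy_json=None):
    """Combine both checks; 'exposed' is True only for unconditional anonymous access."""
    report = {"bucket": name, "public_acl": public_acl_grants(acl),
              "public_policy": [], "conditional_policy": []}
    if policy_json:
        report["public_policy"], report["conditional_policy"] = public_policy_statements(policy_json)
    report["exposed"] = bool(report["public_acl"] or report["public_policy"])
    return report


# --- constructed sample data (shapes copied from boto3 responses, values invented) ---
OWNER = {"Type": "CanonicalUser", "ID": "0123456789abcdef0123456789abcdef"}
SAMPLE_ACL_PUBLIC = {"Grants": [
    {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}
SAMPLE_ACL_PRIVATE = {"Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}
SAMPLE_POLICY_PUBLIC = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-exports/*"}]})
SAMPLE_POLICY_VPCE = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-internal", "arn:aws:s3:::example-internal/*"],
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}}]})

if __name__ == "__main__":
    for args in [("example-exports", SAMPLE_ACL_PRIVATE, SAMPLE_POLICY_PUBLIC),
                 ("example-internal", SAMPLE_ACL_PRIVATE, SAMPLE_POLICY_VPCE),
                 ("example-uploads", SAMPLE_ACL_PUBLIC, None)]:
        print(assess_bucket(*args))
```

A statement with a Condition is listed separately rather than counted as public, because the condition decides whether the bucket is reachable from the internet; review those by hand. The cheaper control is the account-level S3 Block Public Access setting, which overrides both the ACL and the policy; a check like this is then only needed for the accounts or buckets that were granted an exception.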
Misconfiguration of MongoDB:
https://www.ifi.today/news/547-The-Paybox-payment-app-reported-it-clients-partial/
Misconfiguration of Elasticsearch:
https://m.facebook.com/story.php?story_fbid=2588367461187658&id=766718676685888
https://www.zdnet.com/article/accenture-left-a-huge-trove-of-client-passwords-on-exposed-servers/
hackread.com/personal-data-of-over-50000-honda-connect-app-leaked/
Lack of understanding:
"As a result of a server migration project, any photos, videos, and audio files you uploaded more than three years ago, may no longer be available on or from MySpace."
Some estimate nearly 50 million songs from 2003 to 2015 have been lost. According to MySpace users on Reddit, all pre-2015 music stopped working about a year ago.
https://www.engadget.com/2019-03-18-myspace-lost-12-years-music-photos.html
Lack of strategy causes waste of money:
FinOps, DDoS, financial DDoS, denial of wallet
China Great Wall
Serverless
Lack of understanding about backups:
As part of using Amazon EC2, you agree that your Amazon EC2 resources may be terminated or replaced due to failure, retirement or other AWS requirement(s). We have no liability whatsoever for any damages, liabilities, losses (including any corruption, deletion, or destruction or loss of data, applications or profits), or any other consequences resulting from the foregoing.
https://www-theregister-com.cdn.ampproject.org/c/s/www.theregister.com/AMP/2020/08/24/kpmg_microsoft_teams
Just password guessing:
https://www.nytimes.com/2019/01/08/world/europe/germany-hacking-arrest.html
https://www.irishtimes.com/news/world/europe/german-data-hacker-says-he-was-annoyed-by-politicians-1.3751332
Phishing
Cloud and on-premise:
SolarWinds and Golden SAML attacks
The growing number of phishing attacks on Office 365.
https://www.helpnetsecurity.com/2018/05/18/office-365-phishing-threats/
Secrets:
http://www.forbes.com/sites/runasandvik/2014/01/14/attackers-scrape-github-for-cloud-service-credentials-hijack-account-to-mine-virtual-currency/
Even security companies make mistakes:
Comodo exposed a GitHub username & password:
https://techcrunch.com/2019/07/27/comodo-password-access-data/
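The GitHub scraping and Comodo cases above both come down to a credential pair sitting in text that someone else can read. An added example (not code from the slides) of the scan an attacker or a pre-commit hook runs for it: a regex for the access key ID, a regex plus an entropy filter for the 40-character secret, and pairing of the two when they sit close together. The sample file is constructed; the key values in it are the examples from AWS's own documentation, not live credentials.

```python
"""Find AWS credential pairs that were committed to a repository or pasted into a log.

Added example for the GitHub credential-scraping and Comodo cases above; it is not
code from the slides. The sample text is constructed, and the key values in it are
the examples from AWS's own documentation, not live credentials.
"""
import math
import re
from collections import Counter

# Long-lived (AKIA) and temporary (ASIA) access key IDs: 20 uppercase alphanumerics.
ACCESS_KEY_ID_RE = re.compile(r"(?<![A-Z0-9])((?:AKIA|ASIA)[A-Z0-9]{16})(?![A-Z0-9])")
# Secret access keys: 40 base64-alphabet characters. The regex alone over-matches,
# so candidates are kept only if their Shannon entropy looks like random data.
SECRET_KEY_RE = re.compile(r"(?<![A-Za-z0-9/+])([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+=])")
MIN_SECRET_ENTROPY = 3.5  # bits per character; real keys come out around 4.5-5.0


def shannon_entropy(s):
    """Bits of entropy per character, estimated from the character frequencies."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_text(text, source="<text>"):
    """Return one finding per access key ID or high-entropy secret, with line numbers."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in ACCESS_KEY_ID_RE.finditer(line):
            findings.append({"source": source, "line": lineno,
                             "kind": "access_key_id", "value": m.group(1)})
        for m in SECRET_KEY_RE.finditer(line):
            entropy = shannon_entropy(m.group(1))
            if entropy >= MIN_SECRET_ENTROPY:
                findings.append({"source": source, "line": lineno, "kind": "secret_access_key",
                                 "value": m.group(1), "entropy": round(entropy, 2)})
    return findings


def credential_pairs(findings, max_distance=3):
    """Pair each access key ID with a secret found within a few lines of it in the same source.

    A usable pair is what an attacker needs; a lone key ID is a much weaker signal.
    """
    ids = [f for f in findings if f["kind"] == "access_key_id"]
    secrets = [f for f in findings if f["kind"] == "secret_access_key"]
    return [(i["value"], s["value"]) for i in ids for s in secrets
            if i["source"] == s["source"] and abs(i["line"] - s["line"]) <= max_distance]


# Constructed sample: an ~/.aws/credentials file committed by mistake, plus a decoy line.
SAMPLE_CREDENTIALS_FILE = """\
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
# 40 characters long but obviously not a key: the entropy filter drops it
placeholder = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
"""

if __name__ == "__main__":
    found = scan_text(SAMPLE_CREDENTIALS_FILE, "credentials")
    for f in found:
        print(f)
    print("usable pairs:", credential_pairs(found))
```

Run it over every file in a checkout and over `git log -p`, because a key removed in a later commit is still in the history. When it finds a pair, treat the key as already stolen: rotate it first and investigate afterwards, since scrapers pick up new public commits within minutes. Long-lived keys in files are the underlying problem; instance roles and short-lived STS credentials leave nothing to commit.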
Consumer attacks:
The Twitter account takeover (Elon Musk)
Multiple employees have abused their privileged access to spy on Snapchat users:
https://www.vice.com/en/article/xwnva7/snapchat-employees-abused-data-access-spy-on-users-snaplion
Former Yahoo employee admits hacking into 6,000 accounts for sexual content:
https://thehackernews.com/2019/10/yahoo-email-hacking.html
Tesla – industrial espionage:
https://www.infosecurity-magazine.com/news/teslas-tough-lesson-on-malicious/
Cisco WebEx – deleting 600 servers:
https://www.theregister.com/2020/08/26/former_cisco_engineer_aws_webex_teams
Trend Micro rogue employee sold customer data:
https://www.bbc.com/news/technology-50315544
https://businessinsights.bitdefender.com/palo-alto-networks-employee-data-breach-highlights-risks-posed-by-third-party-vendors
https://www.bleepingcomputer.com/news/security/resentful-employee-deletes-1-200-microsoft-office-365-accounts-gets-prison/
Clouds are becoming the new Fort Knox, hence government access:
https://www.theguardian.com/technology/2018/oct/04/china-planted-chips-on-apple-and-amazon-servers-report-claims
Access to data does not have to come from a malicious insider. Governments are after cloud data:
https://www.neowin.net/news/microsoft-has-been-sharing-indian-bank-customers039-data-with-us-intelligence-agencies/
https://www.washingtonpost.com/national-security/former-twitter-employees-charged-with-spying-for-saudi-arabia-by-digging-into-the-accounts-of-kingdom-critics/2019/11/06/2e9593da-00a0-11ea-8bab-0fc209e065a8_story.html
To examine:
https://www.darkreading.com/the-6-worst-insider-attacks-of-2018---so-far/d/d-id/1332183
https://www.hackread.com/whistleblower-apple-contractors-listen-to-siri-conversions/
Salesforce APIs:
API is the new B2B.
API is all about authorization.
https://threatpost.com/salesforce-com-warns-marketing-customers-of-data-leakage-snafu/134703/
After a change, the "API service can retrieve or write data from one customer's account to another inadvertently"
Facebook:
Attackers found multiple bugs in the "View As" feature that "allowed them to steal Facebook access tokens"
https://www.bbc.com/news/technology-45686890
Instagram:
The hackers used this glitch in Instagram's system to start posting nude pictures of the singer and actor's ex-boyfriend Justin Bieber to her 125 million followers.
https://techcrunch.com/2017/09/01/hackers-are-selling-millions-of-instagram-celeb-accounts-on-the-web/
Capital One:
Using the instance metadata service for key recovery
Least privilege
Avoid lift and shift
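Two lessons from the Capital One notes above, as an added example (not code from the slides and not Capital One's code): a server-side component that fetches attacker-controlled URLs can be pointed at the EC2 instance metadata service, which hands back the instance role's credentials, and the role behind those credentials should not be allowed to list and read every bucket in the account. The first function rejects metadata and internal targets before a fetch; the second lints a role policy for S3 data access on every bucket. Hostnames, bucket names and the two role policies are constructed.

```python
"""Two lessons from the Capital One breach, as an added example (not code from the slides):
(1) a server-side fetcher that can be pointed at the EC2 instance metadata service hands
the instance role's credentials to whoever controls the URL, and (2) the role those
credentials belong to should not be able to list and read every bucket in the account.
Hostnames, bucket names and policies below are constructed.
"""
import ipaddress
import socket
from urllib.parse import urlparse

# Documented metadata endpoints of the major providers; none should be reachable
# through a user-supplied URL.
METADATA_HOSTS = {"169.254.169.254", "fd00:ec2::254", "metadata.google.internal",
                  "metadata", "100.100.100.200"}
# The documented path an attacker asks an SSRF-vulnerable proxy to fetch on AWS.
IMDS_CREDENTIALS_PATH = "/latest/meta-data/iam/security-credentials/"


def resolve(host):
    """Resolve once and return the addresses. The caller must then connect to *these*
    addresses rather than re-resolving, or DNS rebinding defeats the check."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def classify_target(url, resolver=resolve):
    """Return (allowed, reason) for a URL a server would fetch on a user's behalf."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return False, f"scheme {parsed.scheme!r} not allowed"
    host = parsed.hostname
    if not host:
        return False, "no host"
    if host.lower() in METADATA_HOSTS:
        return False, f"{host} is a metadata endpoint"
    try:
        addresses = [ipaddress.ip_address(host)]
    except ValueError:  # a name, or an IP written in a form ip_address() rejects (e.g. decimal)
        addresses = [ipaddress.ip_address(a) for a in resolver(host)]
    for addr in addresses:
        if (addr.is_link_local or addr.is_private or addr.is_loopback
                or addr.is_reserved or addr.is_multicast or addr.is_unspecified):
            return False, f"{addr} is not a public address"
    return True, "ok"


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


# Account-level S3 actions legitimately need Resource "*"; data access does not.
ACCOUNT_LEVEL_S3 = {"s3:listallmybuckets", "s3:getaccountpublicaccessblock",
                    "s3:putaccountpublicaccessblock"}


def over_broad_s3_statements(policy):
    """Sids of Allow statements granting S3 data access on every bucket in the account."""
    flagged = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        data_access = any(a == "*" or (a.startswith("s3:") and a not in ACCOUNT_LEVEL_S3)
                          for a in actions)
        every_bucket = any(r in ("*", "arn:aws:s3:::*") for r in _as_list(stmt.get("Resource")))
        if data_access and every_bucket:
            flagged.append(stmt.get("Sid"))
    return flagged


# Constructed: the kind of role policy a WAF/proxy instance is often given, beside a scoped one.
ROLE_POLICY_BROAD = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ListAccount", "Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "*"},
    {"Sid": "ReadEverything", "Effect": "Allow",
     "Action": ["s3:ListBucket", "s3:GetObject"], "Resource": "*"},
]}
ROLE_POLICY_SCOPED = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ReadWafLogs", "Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetObject"],
     "Resource": ["arn:aws:s3:::example-waf-logs", "arn:aws:s3:::example-waf-logs/*"]},
]}

if __name__ == "__main__":
    ssrf_attempt = "http://169.254.169.254" + IMDS_CREDENTIALS_PATH
    print(ssrf_attempt, "->", classify_target(ssrf_attempt))
    print("broad:", over_broad_s3_statements(ROLE_POLICY_BROAD),
          "scoped:", over_broad_s3_statements(ROLE_POLICY_SCOPED))
```

The URL check is the application-side control; the platform-side one is IMDSv2, which only answers requests carrying a session token obtained with a PUT to /latest/api/token and an X-aws-ec2-metadata-token-ttl-seconds header, something most SSRF primitives cannot send. Enforce it per instance with `aws ec2 modify-instance-metadata-options --http-tokens required`. Both controls matter because a stolen role credential is only as dangerous as the policy behind it, which is where the second check comes in.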
AMIs – malicious machine images:
https://arstechnica.com/information-technology/2018/06/backdoored-images-downloaded-5-million-times-finally-removed-from-docker-hub/
Google says they are sorry for suspending an account:
https://ilya-sher.org/2018/03/23/google-deleted-our-g-suite/
https://medium.com/@serverpunch/why-you-should-not-use-google-cloud-75ea2aec00de
Shadow IT
The "Skyhigh Networks Cloud Adoption & Risk Report Q2 2015" reported that "the average enterprise now uses 1,083 cloud services"
Shadow IT:
Hillary Clinton
Prezi
Shadow IT in Trello, IDF:
https://www.haaretz.co.il/captain/software/.premium-1.9518921
https://www.techradar.com/news/trump-looks-to-block-foreign-actors-from-us-cloud-computing-services
https://www.netskope.com/blog/zepto-variant-locky-ransomware-delivered-via-popular-cloud-storage-apps
https://www.netskope.com/blog/cloudfanta-pops-cloud-using-sugarsync
Abusing Telegram:
https://www.securityweek.com/herorat-controls-infected-android-devices-telegram
https://www.crn.com/news/security/aws-solarwinds-hackers-used-our-elastic-compute-cloud
Sometimes the abuse comes from the providers themselves:
GitHub locked a programmer out:
https://www.geektime.co.il/github-5-year-code-data-locked/
DigitalOcean detected false cryptominer activity and shut the company down:
https://news.ycombinator.com/item?id=20064169
Sometimes the abusers are governments:
https://www.theverge.com/2019/3/27/18283666/grindr-chinese-owner-beijing-kunlun-tech-cfius-divest-national-security-concerns
Hackers, governments: all went up in flames in the OVH data center fire:
https://www.vice.com/en/article/3an9wb/ovh-datacenter-fire-takes-down-government-hacking-infrastructure
This can also happen:
https://www.cnn.com/2021/04/09/politics/amazon-data-center-attempted-bombing/index.html