AWS Meet-up San Francisco: Cloud Security
•Download as PPTX, PDF•
1 like•1,482 views
CloudCheckr Founder Aaron Newman presents a comprehensive overview of AWS security threats and mitigation strategies.
Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (20)
Similar to AWS Meet-up San Francisco: Cloud Security
Similar to AWS Meet-up San Francisco: Cloud Security (20)
Recently uploaded
Recently uploaded (20)
AWS Meet-up San Francisco: Cloud Security
- 1. AWS Security Threats San Francisco AWS Meetup Group Aaron C. Newman Founder, CloudCheckr Aaron.Newman@CloudCheckr.com Feb 11, 2013
- 2. Agenda: • Overview of Public Cloud Security • Attacks from AWS • Using Search Engines to Attack AWS • Economic Denial of Sustainability Attacks • Attacks on AWS
- 3. Overview of Public Cloud Security
- 4. State of Cloud Security • 15 years ago – The datacenter as an island, external access mediated – Security issues rarely understood – Security tools immature • The data center opened up – Suppliers, customers, partners could connect directly to your datacenter – Robust solutions adopted, ranging from DLP, IDS, IPS, SEIM, VA • Move to the cloud – Perimeter security is officially dead, data can be accessed from anywhere – Cloud provider security tools are immature Survey of 100 hackers at Defcon 2012 96% of the respondents think that the cloud creates new opportunities for hacking 86% believe that “cloud vendors aren’t doing enough to address cyber-security issues.”
- 5. Cloud Threats • Cloud Provider – – – – Disgruntled employees Natural disasters Theft of physical equipment Cloud provider hacked • External Threats – Hackers (LulzSec, Anonymous) – Governments • Stuxnet (US government targets Iran) • Operation Aurora (Chinese government targets Rackspace/others) • Internal Threats (still your biggest threat) – Developers, cloud admins, users
- 6. Thinking Like a Hacker • Large Attack surface – Single successful attack can net many security compromises – Clouds provide homogeneous environments • To defend against the hacker – Think like the hacker – Go home and figure out how YOU would hack into your account – Then plug the holes – Defense-in-depth
- 8. Using Clouds to Break Encryption • Clouds provide inexpensive ways to do massively parallel processing • • July 2012 Defcon - Cryptohaze Cloud Cracking • • Open source Cryptohaze tool suite implements network-clustered GPU accelerated password cracking (both brute force & rainbow tables) AWS Cluster GPU Instances crack SHA1 • • • Perfect for cracking encryption keys Quote from German Thomas Roth “able to crack all hashes from [the 560 character SHA1 hash] with a password length from one to six in only 49 minutes (one hour costs $2.10 [£1.30] by the way),“ Researcher uses AWS cloud to crack Wi-Fi passwords • • Cloud Cracking Suite (CCS) released on Jan 2012 at Black Hat security conference Crack a WPA-PSK handshake at a speed of 400,000 attempted passwords per second using eight GPU-based AWS instances
- 9. Major Attacks from the Cloud • Dark/black/storm clouds • How do you shut down a hacker on the cloud? • Cloud not only cheap – provides anonymity • Amazon cloud used in PlayStation Network hack • http://www.zdnet.com/amazon-cloud-used-in-playstation-network-hack4010022454/ • Hackers rent AWS EC2 instances under an alias • Amazon S3 hosts banking trojan • Kaspersky Lab reports S3 hosts the command and control channels for SpyEye banking trojan
- 10. Using Search Engines to Attack AWS
- 11. Public Cloud Search Engine Attacks Demo: Search Diggity (Code Search, NotInMyBackyard) AKA Google Hacking Rich Mogul Blog Post My $500 Cloud Security Screwup
- 12. Economic Denial of Sustainability Attacks
- 13. EDoS Attacks • Variation of Distributed Denial of Service Attack – Goal is not to overload and crash an application – Instead to cause the server hosting costs to overwhelm the victim’s budget “the infrastructure allows scaling of service beyond the economic means of the vendor to pay their cloud-based service bills” -http://rationalsecurity.typepad.com
- 14. Worst Case Scenario – AWS CloudFront • http://www.reviewmylife.co.uk/blog/2011/05/19/a mazon-cloudfront-and-s3-maximum-cost/ • Author calculated maximum possible charge – Used default limit of 1000 requests per second and 1000 megabits per second – At the end of 30 days a maximum of 324TB of data could have been downloaded (theoretically) – $42,000 per month for a single edge location – CloudFront has 30 edge locations
- 15. Stories and Lessons Learned • Anecdotes from burned users – Personal website hacked by file sharers – Received bill for $10,000 • Note: AWS only charges for data out – All data transfer in is at $0.000 per GB – Mitigates costs – if you don’t respond to requests, doesn’t cost you anything • Use pre-paid credit cards or credit card with appropriate credit limit – Not sure if this limits your liability legally
- 16. Solutions? • Amazon limits/caps have been “in the works” since 2006 – Each year Amazon talks about intention of releasing the feature • May 2012 – Amazon announces Billing Alerts – http://aws.amazon.com/about-aws/whatsnew/2012/05/10/announcing-aws-billing-alerts/ – Helps alert you when this starts happening to you – Could still be a costly few hours
- 17. Attacks on AWS
- 18. Password Attacks • Brute forcing of accounts and passwords – Often no password lockout, just keep hammering away – RDS (Oracle, MySQL, and SQL Server), AWS accounts • Example: Enumerating AWS account numbers – https://queue.amazonaws.com/<12 digit numbers here>/a?Action=SendMessage – Response tells you if the account exists • Old school attacks on an OS sitting in cloud – Typically secure defaults – Much more heterogeneous
- 19. Easily Guessed Passwords • Need to guess username also if you don’t already know – Social engineering, research to make good guesses • Passwords can be “guessed” – Attacking a single account with 100k passwords – Attacking many accounts with a few very common passwords – People leave test/test or password same as username • Password dictionaries – http://www.openwall.com/passwords/wordlists/ – The wordlists are intended primarily for use with password crackers …
- 20. Vulnerabilities in RDS • MySQL versions – Many vulnerable version – Make sure you are using the last release – Link to the issues • RDS security groups should always be restricted to specific trusted networks
- 21. Misconfigured Security Settings • Scanning Amazon S3 to identify publicly accessible buckets – http://cloudcheckr.com/2012/05/aws-s3-bucketsbucket-finder/ • Open source tool – Bucket Finder – script launches a dictionary attack on the names of S3 buckets and interrogates the bucket for a list of public and private files – Creates an EDoS
- 23. 5 Prevention Strategies • Keep a close handle on what you are running in the cloud • Educate yourself on how the cloud works • Stay Patched – Stay on top of all the security alerts and bulletins • Defense in Depth • Multiple Levels of Security – Regularly perform audits and penetration tests on your cloud – Encryption of data-in-motion / data-at-rest / data-in-use – Monitor cloud activity log files
- 24. What is CloudCheckr? CloudCheckr provides visibility into AWS • Cost Optimization, Allocation, Reporting • Resource Utilization • > 250 Best Practice Checks • Trending Analysis • Change Monitoring
- 25. Questions? Questions on: • Clouds • Security
- 26. Thank You for Attending For a free 14 day trial of www.cloudcheckr.com Aaron Newman is the Founder of CloudCheckr (www.cloudcheckr.com) Please contact me with additional questions at: aaron.newman@cloudcheckr.com
Editor's Notes
- We spend too much time thinking about PCI compliance, shared hardware, not enough on actual threats