SlideShare ist ein Scribd-Unternehmen logo
1 von 26
Downloaden Sie, um offline zu lesen
CSA 2012 – Orlando
Anatomy of a Public
Cloud Attack
Aaron C. Newman
Agenda:
• Overview of Public Cloud Security
• Attacks from the Public Cloud
• Search Engine Attacks on Public Cloud
• Economic Denial of Sustainability Attacks
• Attacks on the Public Cloud
Overview of Public Cloud Security
State of Cloud Security
• 15 years ago
– The datacenter as an island, external access mediated
– Security issues rarely understood
– Security tools immature
• The data center opened up
– Suppliers, customers, partners could connect directly to your datacenter
– Robust solutions adopted, ranging from DLP, IDS, IPS, SEIM, VA
• Move to the cloud
– Perimeter security is officially dead, data can be accessed from anywhere
– Cloud provider security tools are immature
Survey of 100 hackers at Defcon 2012
96% of the respondents think that the cloud creates new opportunities for hacking
86% believe that “cloud vendors aren’t doing enough to address cyber-security issues.”
Cloud Threats
• Cloud Provider
– Disgruntled employees
– Natural disasters
– Theft of physical equipment
– Cloud provider hacked
• External Threats
– Hackers (LulzSec, Anonymous)
– Governments
• Stuxnet (US government targets Iran)
• Operation Aurora (Chinese government targets Rackspace/others)
• Internal Threats (still your biggest threat)
– Developers, cloud admins, users
Thinking Like a Hacker
• Large Attack surface
– Single successful attack can net many security
compromises
– Clouds provide homogeneous environments
• To defend against the hacker
– Think like the hacker
– Go home and figure out how YOU would hack into
your account
– Then plug the holes
– Defense-in-depth
Attacks from the Public Cloud
Using Clouds to Break Encryption
• Clouds provide inexpensive ways to do massively parallel processing
• Perfect for cracking encryption keys
• July 2012 Defcon - Cryptohaze Cloud Cracking
• Open source Cryptohaze tool suite implements network-clustered GPU accelerated
password cracking (both brute force & rainbow tables)
• AWS Cluster GPU Instances crack SHA1
• Quote from German Thomas Roth
• “able to crack all hashes from [the 560 character SHA1 hash] with a password length
from one to six in only 49 minutes (one hour costs $2.10 [£1.30] by the way),“
• Researcher uses AWS cloud to crack Wi-Fi passwords
• Cloud Cracking Suite (CCS) released on Jan 2012 at Black Hat security conference
• Crack a WPA-PSK handshake at a speed of 400,000 attempted passwords per
second using eight GPU-based AWS instances
Major Attacks from the Cloud
• Dark clouds or black clouds
• How do you shut down a hacker on the cloud?
• Cloud not only cheap – provides anonymity
• Amazon cloud used in PlayStation Network hack
• http://www.zdnet.com/amazon-cloud-used-in-playstation-network-hack-
4010022454/
• Hackers rent AWS EC2 instances under an alias
• Amazon S3 hosts banking trojan
• Kaspersky Lab reports S3 hosts the command and
control channels for SpyEye banking trojan
Search Engine Attacks
on Public Cloud
Public Cloud Search Engine Attacks
Demo:
Search Diggity (Code Search, NotInMyBackyard)
Economic Denial of
Sustainability Attacks
EDoS Attacks
• Variation of Distributed Denial of Service Attack
– Goal is not to overload and crash an application
– Instead to cause the server hosting costs to overwhelm
the victim’s budget
“the infrastructure allows scaling of service
beyond the economic means of the vendor
to pay their cloud-based service bills”
-http://rationalsecurity.typepad.com
Worst Case Scenario – AWS CloudFront
• http://www.reviewmylife.co.uk/blog/2011/05/19/a
mazon-cloudfront-and-s3-maximum-cost/
• Author calculated maximum possible charge
– Used default limit of 1000 requests per second and
1000 megabits per second
– At the end of 30 days a maximum of 324TB of data
could have been downloaded (theoretically)
– $42,000 per month for a single edge location
– CloudFront has 30 edge locations
Stories and Lessons Learned
• Anecdotes from burned users
– Personal website hacked by file sharers
– Received bill for $10,000
• Note: AWS only charges for data out
– All data transfer in is at $0.000 per GB
– Mitigates costs – if you don’t respond to requests, doesn’t cost
you anything
• Use pre-paid credit cards or credit card with appropriate
credit limit
– Not sure if this limits your liability legally
Solutions?
• Amazon limits/caps have been “in the works”
since 2006
– Each year Amazon talks about intention of releasing
the feature
• May 2012 – Amazon announces Billing Alerts
– http://aws.amazon.com/about-aws/whats-
new/2012/05/10/announcing-aws-billing-alerts/
– Helps alert you when this starts happening to you
– Could still be a costly few hours
Attacks on the Public Cloud
Password Attacks
• Brute forcing of accounts and passwords
– Often no password lockout, just keep hammering away
– RDS (Oracle, MySQL, and SQL Server), SQL Azure, AWS
accounts
• Example: Enumerating AWS account numbers
– https://queue.amazonaws.com/<12 digit numbers
here>/a?Action=SendMessage
– Response tells you if the account exists
• Old school attacks on an OS sitting in cloud
– Typically secure defaults
– Much more heterogeneous
Easily Guessed Passwords
• Need to guess username also if you don’t already know
– Social engineering, research to make good guesses
• Passwords can be “guessed”
– Attacking a single account with 100k passwords
– Attacking many accounts with a few very common passwords
– People leave test/test or password same as username
• Password dictionaries
– http://www.openwall.com/passwords/wordlists/
– The wordlists are intended primarily for use with password
crackers …
Misconfigured Security Settings
• Scanning Amazon S3 to identify publicly
accessible buckets
– http://cloudcheckr.com/2012/05/aws-s3-buckets-
bucket-finder/
• Open source tool – Bucket Finder
– script launches a dictionary attack on the names of
S3 buckets and interrogates the bucket for a list of
public and private files
– Creates an EDoS
Demo:
Bucket Finder
SQL Injection
• Try to modify the query
• Change:
Select * from my_table
where column_x = ‘1’
• To:
Select * from my_table
where column_x = ‘1’
UNION select credit_card_number
from orders where ‘q’=‘q’
Hackers Reset Your SQL Firewall
• Set the product_category to :
test’; sys.sp_set_database_firewall_rule
XXXXX; --
• The SQL Statement is now:
SELECT ProductName FROM Products WHERE
ProductCategory=test’;
sys.sp_set_database_firewall_rule XXXXX; -–’
5 Prevention Strategies
• Keep a close handle on what you are running in the cloud
• Educate yourself on how the cloud works
• Stay Patched
– Stay on top of all the security alerts and bulletins
• Defense in Depth
• Multiple Levels of Security
– Regularly perform audits and penetration tests on your cloud
– Encryption of data-in-motion / data-at-rest / data-in-use
– Monitor cloud activity log files
Questions?
Questions on:
• Clouds
• Security
Thank You for Attending
Get your FREEMIUM account to
check your public cloud
at www.cloudcheckr.com
Aaron Newman is the Founder
of CloudCheckr (www.cloudcheckr.com)
Please contact me with additional questions at:
aaron.newman@cloudcheckr.com

Weitere ähnliche Inhalte

Anatomy of a Public Cloud Attack | CSA Orlando

  • 1. CSA 2012 – Orlando Anatomy of a Public Cloud Attack Aaron C. Newman
  • 2. Agenda: • Overview of Public Cloud Security • Attacks from the Public Cloud • Search Engine Attacks on Public Cloud • Economic Denial of Sustainability Attacks • Attacks on the Public Cloud
  • 3. Overview of Public Cloud Security
  • 4. State of Cloud Security • 15 years ago – The datacenter as an island, external access mediated – Security issues rarely understood – Security tools immature • The data center opened up – Suppliers, customers, partners could connect directly to your datacenter – Robust solutions adopted, ranging from DLP, IDS, IPS, SEIM, VA • Move to the cloud – Perimeter security is officially dead, data can be accessed from anywhere – Cloud provider security tools are immature Survey of 100 hackers at Defcon 2012 96% of the respondents think that the cloud creates new opportunities for hacking 86% believe that “cloud vendors aren’t doing enough to address cyber-security issues.”
  • 5. Cloud Threats • Cloud Provider – Disgruntled employees – Natural disasters – Theft of physical equipment – Cloud provider hacked • External Threats – Hackers (LulzSec, Anonymous) – Governments • Stuxnet (US government targets Iran) • Operation Aurora (Chinese government targets Rackspace/others) • Internal Threats (still your biggest threat) – Developers, cloud admins, users
  • 6. Thinking Like a Hacker • Large Attack surface – Single successful attack can net many security compromises – Clouds provide homogeneous environments • To defend against the hacker – Think like the hacker – Go home and figure out how YOU would hack into your account – Then plug the holes – Defense-in-depth
  • 7. Attacks from the Public Cloud
  • 8. Using Clouds to Break Encryption • Clouds provide inexpensive ways to do massively parallel processing • Perfect for cracking encryption keys • July 2012 Defcon - Cryptohaze Cloud Cracking • Open source Cryptohaze tool suite implements network-clustered GPU accelerated password cracking (both brute force & rainbow tables) • AWS Cluster GPU Instances crack SHA1 • Quote from German Thomas Roth • “able to crack all hashes from [the 560 character SHA1 hash] with a password length from one to six in only 49 minutes (one hour costs $2.10 [£1.30] by the way),“ • Researcher uses AWS cloud to crack Wi-Fi passwords • Cloud Cracking Suite (CCS) released on Jan 2012 at Black Hat security conference • Crack a WPA-PSK handshake at a speed of 400,000 attempted passwords per second using eight GPU-based AWS instances
  • 9. Major Attacks from the Cloud • Dark clouds or black clouds • How do you shut down a hacker on the cloud? • Cloud not only cheap – provides anonymity • Amazon cloud used in PlayStation Network hack • http://www.zdnet.com/amazon-cloud-used-in-playstation-network-hack- 4010022454/ • Hackers rent AWS EC2 instances under an alias • Amazon S3 hosts banking trojan • Kaspersky Lab reports S3 hosts the command and control channels for SpyEye banking trojan
  • 10. Search Engine Attacks on Public Cloud
  • 11. Public Cloud Search Engine Attacks Demo: Search Diggity (Code Search, NotInMyBackyard)
  • 13. EDoS Attacks • Variation of Distributed Denial of Service Attack – Goal is not to overload and crash an application – Instead to cause the server hosting costs to overwhelm the victim’s budget “the infrastructure allows scaling of service beyond the economic means of the vendor to pay their cloud-based service bills” -http://rationalsecurity.typepad.com
  • 14. Worst Case Scenario – AWS CloudFront • http://www.reviewmylife.co.uk/blog/2011/05/19/a mazon-cloudfront-and-s3-maximum-cost/ • Author calculated maximum possible charge – Used default limit of 1000 requests per second and 1000 megabits per second – At the end of 30 days a maximum of 324TB of data could have been downloaded (theoretically) – $42,000 per month for a single edge location – CloudFront has 30 edge locations
  • 15. Stories and Lessons Learned • Anecdotes from burned users – Personal website hacked by file sharers – Received bill for $10,000 • Note: AWS only charges for data out – All data transfer in is at $0.000 per GB – Mitigates costs – if you don’t respond to requests, doesn’t cost you anything • Use pre-paid credit cards or credit card with appropriate credit limit – Not sure if this limits your liability legally
  • 16. Solutions? • Amazon limits/caps have been “in the works” since 2006 – Each year Amazon talks about intention of releasing the feature • May 2012 – Amazon announces Billing Alerts – http://aws.amazon.com/about-aws/whats- new/2012/05/10/announcing-aws-billing-alerts/ – Helps alert you when this starts happening to you – Could still be a costly few hours
  • 17. Attacks on the Public Cloud
  • 18. Password Attacks • Brute forcing of accounts and passwords – Often no password lockout, just keep hammering away – RDS (Oracle, MySQL, and SQL Server), SQL Azure, AWS accounts • Example: Enumerating AWS account numbers – https://queue.amazonaws.com/<12 digit numbers here>/a?Action=SendMessage – Response tells you if the account exists • Old school attacks on an OS sitting in cloud – Typically secure defaults – Much more heterogeneous
  • 19. Easily Guessed Passwords • Need to guess username also if you don’t already know – Social engineering, research to make good guesses • Passwords can be “guessed” – Attacking a single account with 100k passwords – Attacking many accounts with a few very common passwords – People leave test/test or password same as username • Password dictionaries – http://www.openwall.com/passwords/wordlists/ – The wordlists are intended primarily for use with password crackers …
  • 20. Misconfigured Security Settings • Scanning Amazon S3 to identify publicly accessible buckets – http://cloudcheckr.com/2012/05/aws-s3-buckets- bucket-finder/ • Open source tool – Bucket Finder – script launches a dictionary attack on the names of S3 buckets and interrogates the bucket for a list of public and private files – Creates an EDoS
  • 22. SQL Injection • Try to modify the query • Change: Select * from my_table where column_x = ‘1’ • To: Select * from my_table where column_x = ‘1’ UNION select credit_card_number from orders where ‘q’=‘q’
  • 23. Hackers Reset Your SQL Firewall • Set the product_category to : test’; sys.sp_set_database_firewall_rule XXXXX; -- • The SQL Statement is now: SELECT ProductName FROM Products WHERE ProductCategory=test’; sys.sp_set_database_firewall_rule XXXXX; -–’
  • 24. 5 Prevention Strategies • Keep a close handle on what you are running in the cloud • Educate yourself on how the cloud works • Stay Patched – Stay on top of all the security alerts and bulletins • Defense in Depth • Multiple Levels of Security – Regularly perform audits and penetration tests on your cloud – Encryption of data-in-motion / data-at-rest / data-in-use – Monitor cloud activity log files
  • 26. Thank You for Attending Get your FREEMIUM account to check your public cloud at www.cloudcheckr.com Aaron Newman is the Founder of CloudCheckr (www.cloudcheckr.com) Please contact me with additional questions at: aaron.newman@cloudcheckr.com