1. AWS Security Threats
Boston AWS Meetup Group
Aaron C. Newman
Founder, CloudCheckr
Aaron.Newman@CloudCheckr.com
October 21, 2013

2. Agenda:
• Overview of Public Cloud Security
• Attacks from AWS
• Using Search Engines to Attack AWS
• Economic Denial of Sustainability Attacks
• Attacks on AWS

3. Overview of Public Cloud Security

4. State of Cloud Security
• 15 years ago
– The datacenter as an island, external access mediated
– Security issues rarely understood
– Security tools immature
• The data center opened up
– Suppliers, customers, partners could connect directly to your datacenter
– Robust solutions adopted, ranging from DLP, IDS, IPS, SEIM, VA
• Move to the cloud
– Perimeter security is officially dead, data can be accessed from anywhere
– Cloud provider security tools are immature
Survey of 100 hackers at Defcon 2012
96% of the respondents think that the cloud creates new opportunities for hacking
86% believe that “cloud vendors aren’t doing enough to address cyber-security issues.”

5. Cloud Threats
• Cloud Provider
–
–
–
–
Disgruntled employees
Natural disasters
Theft of physical equipment
Cloud provider hacked
• External Threats
– Hackers (LulzSec, Anonymous)
– Governments
• Stuxnet (US government targets Iran)
• Operation Aurora (Chinese government targets Rackspace/others)
• Internal Threats (still your biggest threat)
– Developers, cloud admins, users

6. Thinking Like a Hacker
• Large Attack surface
– Single successful attack can net many security
compromises
– Clouds provide homogeneous environments
• To defend against the hacker
– Think like the hacker
– Go home and figure out how YOU would hack into
your account
– Then plug the holes
– Defense-in-depth

7. Attacks using AWS

8. Using Clouds to Break Encryption
•
Clouds provide inexpensive ways to do massively parallel processing
•
•
July 2012 Defcon - Cryptohaze Cloud Cracking
•
•
Open source Cryptohaze tool suite implements network-clustered GPU accelerated
password cracking (both brute force & rainbow tables)
AWS Cluster GPU Instances crack SHA1
•
•
•
Perfect for cracking encryption keys
Quote from German Thomas Roth
“able to crack all hashes from [the 560 character SHA1 hash] with a password length
from one to six in only 49 minutes (one hour costs $2.10 [£1.30] by the way),“
Researcher uses AWS cloud to crack Wi-Fi passwords
•
•
Cloud Cracking Suite (CCS) released on Jan 2012 at Black Hat security conference
Crack a WPA-PSK handshake at a speed of 400,000 attempted passwords per
second using eight GPU-based AWS instances

9. Major Attacks from the Cloud
• Dark clouds or black clouds
• How do you shut down a hacker on the cloud?
• Cloud not only cheap – provides anonymity
• Amazon cloud used in PlayStation Network hack
•
http://www.zdnet.com/amazon-cloud-used-in-playstation-network-hack4010022454/
• Hackers rent AWS EC2 instances under an alias
• Amazon S3 hosts banking trojan
• Kaspersky Lab reports S3 hosts the command and
control channels for SpyEye banking trojan

10. Using Search Engines
to Attack AWS

11. Public Cloud Search Engine Attacks
Demo:
Search Diggity (Code Search, NotInMyBackyard)
AKA Google Hacking

12. Economic Denial of
Sustainability Attacks

13. EDoS Attacks
• Variation of Distributed Denial of Service Attack
– Goal is not to overload and crash an application
– Instead to cause the server hosting costs to overwhelm
the victim’s budget
“the infrastructure allows scaling of service
beyond the economic means of the vendor
to pay their cloud-based service bills”
-http://rationalsecurity.typepad.com

14. Worst Case Scenario – AWS CloudFront
• http://www.reviewmylife.co.uk/blog/2011/05/19/a
mazon-cloudfront-and-s3-maximum-cost/
• Author calculated maximum possible charge
– Used default limit of 1000 requests per second and
1000 megabits per second
– At the end of 30 days a maximum of 324TB of data
could have been downloaded (theoretically)
– $42,000 per month for a single edge location
– CloudFront has 30 edge locations

15. Stories and Lessons Learned
• Anecdotes from burned users
– Personal website hacked by file sharers
– Received bill for $10,000
• Note: AWS only charges for data out
– All data transfer in is at $0.000 per GB
– Mitigates costs – if you don’t respond to requests, doesn’t cost
you anything
• Use pre-paid credit cards or credit card with appropriate
credit limit
– Not sure if this limits your liability legally

16. Solutions?
• Amazon limits/caps have been “in the works”
since 2006
– Each year Amazon talks about intention of releasing
the feature
• May 2012 – Amazon announces Billing Alerts
– http://aws.amazon.com/about-aws/whatsnew/2012/05/10/announcing-aws-billing-alerts/
– Helps alert you when this starts happening to you
– Could still be a costly few hours

17. Attacks on AWS

18. Password Attacks
• Brute forcing of accounts and passwords
– Often no password lockout, just keep hammering away
– RDS (Oracle, MySQL, and SQL Server), AWS accounts
• Example: Enumerating AWS account numbers
– https://queue.amazonaws.com/<12 digit numbers
here>/a?Action=SendMessage
– Response tells you if the account exists
• Old school attacks on an OS sitting in cloud
– Typically secure defaults
– Much more heterogeneous

19. Easily Guessed Passwords
• Need to guess username also if you don’t already know
– Social engineering, research to make good guesses
• Passwords can be “guessed”
– Attacking a single account with 100k passwords
– Attacking many accounts with a few very common passwords
– People leave test/test or password same as username
• Password dictionaries
– http://www.openwall.com/passwords/wordlists/
– The wordlists are intended primarily for use with password
crackers …

20. Vulnerabilities in RDS
• MySQL versions
– Many vulnerable version
– Make sure you are using the last release
– Link to the issues
• RDS security groups should always be
restricted to specific trusted networks

21. Misconfigured Security Settings
• Scanning Amazon S3 to identify publicly
accessible buckets
– http://cloudcheckr.com/2012/05/aws-s3-bucketsbucket-finder/
• Open source tool – Bucket Finder
– script launches a dictionary attack on the names of
S3 buckets and interrogates the bucket for a list of
public and private files
– Creates an EDoS

22. Demo:
Bucket Finder

23. 5 Prevention Strategies
• Keep a close handle on what you are running in the cloud
• Educate yourself on how the cloud works
• Stay Patched
– Stay on top of all the security alerts and bulletins
• Defense in Depth
• Multiple Levels of Security
– Regularly perform audits and penetration tests on your cloud
– Encryption of data-in-motion / data-at-rest / data-in-use
– Monitor cloud activity log files

24. What is CloudCheckr?
CloudCheckr provides visibility into AWS
• Cost Optimization, Allocation, Reporting
• Resource Utilization
• > 250 Best Practice Checks
• Trending Analysis
• Change Monitoring

25. Questions?
Questions on:
• Clouds
• Security

26. Thank You for Attending
Enter promo code BOSTON for
a free 30 day trial
of www.cloudcheckr.com
Aaron Newman is the Founder
of CloudCheckr (www.cloudcheckr.com)
Please contact me with additional questions at:
aaron.newman@cloudcheckr.com