Amazon cloud exploited

Powered by SC Magazine
 

But the problems lie with customers, not Amazon.

Scientists from the Centre for Advanced Security Research Darmstadt (CASED) claimed to have found major security vulnerabilities in virtual machine images published by customers on Amazon's cloud.

A survey of 1100 public Amazon Machine Images (AMIs), which are used to provide cloud services, found that around 30 percent were vulnerable and could allow attackers to manipulate or compromise web services or virtual infrastructures.

The researchers claimed that the main failure lies in the 'careless and error-prone manner' in which Amazon's customers handle and deploy AMIs.

The research group, led by professor Ahmad-Reza Sadeghi at CASED, found that even though Amazon Web Services (AWS) provides its customers with very detailed security recommendations on its web pages, at least one third of the machines under consideration have flawed configurations.

The research team reported that it was able to extract critical data such as passwords, cryptographic keys and certificates from the analysed virtual machines.

"The problem clearly lies in the customers' unawareness and not in Amazon Web Services," Sadeghi said. "We believe that customers of other cloud providers endanger themselves and other cloud users similarly by ignoring or underestimating security recommendations."

AWS has informed affected customers and will publish guidance on how to manage private keys.

SafeNet director of European solutions Mike Smart said cloud computing is "virgin territory" and more organisations are going to make similar simple mistakes.

"...user education [is] a real priority for service providers and the industry as a whole," he said.

"End users should go further and ensure their digital keys are never used on the cloud, but are held and used within hardware security modules in their premises.

"This kind of technology is widely used within the financial sector and has evolved to the point where it can be used much more widely to secure all kinds of secure infrastructure including those associated with private or public clouds."

This article originally appeared at scmagazineuk.com

Copyright © SC Magazine, US edition

