Top Cloud Threats v2.0
Cloud Security Alliance
Michael Sutton, VP Research, Zscaler
Dan Hubbard, CTO, Websense
Project
Purpose
• Engage experts and the broader community to identify top security threats for cloud computing
• Educate cloud providers/consumers to mitigate risk when deploying/adopting cloud computing
Participants
• Leaders – Michael Sutton & Dan Hubbard
• Team – Amer Deeba, Andy Dancer, Brian Shea, Craig Balding, Dennis Hurst, Glenn Brunette, Jake Lee, Jason Witty, Jim Reavis, John Howie, Josh Zachry, Ken Biery, Martin Roesler, Matthew Becker, Mike Geide, Scott Matsumoto, Scott Morrison, William Thornhill, Wolfgang Kandek, Archie Reed, Daniele Cattedu, Dave Cullinane, Giles Hogben, Gunter Ollmann, Jens Jensen, Joshua Pennell, Nils Puhlmann, Rick Howard
Contributing Organizations
Top Threats for Cloud Computing v1
Goal
• Identify malicious use and abuse of cloud computing technologies
7 Deadly Sins of Cloud Security
• Shared Technology Vulnerabilities
• Account/Service Hijacking
• Data Loss/Data Leakage
• Malicious Insiders
• Interception or Hijacking of Traffic
• Nefarious Use of Service
• Insecure APIs
• DDOS
Shared Technology Vulnerabilities
Description
• Exposed hardware, operating systems, middleware, application stacks and network components may possess known vulnerabilities
Impact
• Successful exploitation could impact multiple customers
Example
• Cloudburst - Kostya Kortchinsky (Blackhat 2009)
• Arbitrary code execution vulnerability identified in VMware SVGA II
device, a virtualized PCI Display Adapter
Cloudburst
Research
• Kostya Kortchinsky, Immunity (Blackhat 2009)
Goal
• Execute code on a host environment from a guest VM
• “VMware isn’t an additional security layer. It’s just another layer to find bugs
in.” – Kostya Kortchinsky
Vulnerability
• VMware SVGA II – virtualized PCI display adapter
• Present in VMware Workstation, Player, Server and ESX
• Run on the host, accessible by the guest
• Memory is shared between host and guest
Cloudburst
Kostya Kortchinsky, Immunity (Blackhat 2009)
#define SVGA_CMD_RECT_COPY
/* FIFO layout: Source X, Source Y, Dest X, Dest Y, Width, Height */
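The Cloudburst class of bug is a device emulator that trusts rectangle coordinates the guest writes into the shared FIFO and derives host memory addresses from them. The following is an added example, not code from the talk or from VMware: it parses the six-word RECT_COPY operand layout shown above and refuses any copy whose source or destination rectangle leaves the framebuffer. The 32-bit word width, the framebuffer geometry and the function names are assumptions for illustration.

```python
"""Bounds-checking guest-controlled SVGA FIFO commands before touching host memory.

Added example (not from the Cloudburst talk or from VMware). The six operand words
follow the slide's layout: Source X, Source Y, Dest X, Dest Y, Width, Height.
The 32-bit word width and the framebuffer size are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional

WORD_MASK = 0xFFFFFFFF  # FIFO entries are 32-bit words (assumption)


@dataclass(frozen=True)
class RectCopy:
    src_x: int
    src_y: int
    dst_x: int
    dst_y: int
    width: int
    height: int


class FifoError(ValueError):
    """Raised when a guest-supplied command fails validation."""


def parse_rect_copy(words: List[int]) -> RectCopy:
    """Read the six operand words that follow the SVGA_CMD_RECT_COPY opcode."""
    if len(words) < 6:
        raise FifoError("short FIFO: RECT_COPY needs 6 operand words")
    vals = [w & WORD_MASK for w in words[:6]]
    return RectCopy(*vals)


def rect_in_bounds(x: int, y: int, w: int, h: int, fb_w: int, fb_h: int) -> bool:
    """True if the w x h rectangle at (x, y) lies fully inside a fb_w x fb_h framebuffer.

    Python ints do not wrap, so a huge width that would overflow a 32-bit
    x + w addition in C is still rejected here.
    """
    if w == 0 or h == 0:
        return False  # degenerate rectangles are refused, not silently ignored
    return x + w <= fb_w and y + h <= fb_h


def validate_rect_copy(cmd: RectCopy, fb_w: int, fb_h: int) -> Optional[str]:
    """Return None if the copy is safe, otherwise the reason it is not.

    The vulnerable pattern is computing a host pointer from guest coordinates
    without this check; both rectangles must be inside the framebuffer.
    """
    if not rect_in_bounds(cmd.src_x, cmd.src_y, cmd.width, cmd.height, fb_w, fb_h):
        return "source rectangle outside framebuffer"
    if not rect_in_bounds(cmd.dst_x, cmd.dst_y, cmd.width, cmd.height, fb_w, fb_h):
        return "destination rectangle outside framebuffer"
    return None


def apply_rect_copy(fb: List[List[int]], words: List[int]) -> List[List[int]]:
    """Copy a rectangle inside a row-major framebuffer, only after validation."""
    fb_h, fb_w = len(fb), len(fb[0])
    cmd = parse_rect_copy(words)
    problem = validate_rect_copy(cmd, fb_w, fb_h)
    if problem:
        raise FifoError(problem)
    # Snapshot the source first so overlapping rectangles copy correctly.
    block = [row[cmd.src_x:cmd.src_x + cmd.width]
             for row in fb[cmd.src_y:cmd.src_y + cmd.height]]
    for dy, row_vals in enumerate(block):
        fb[cmd.dst_y + dy][cmd.dst_x:cmd.dst_x + cmd.width] = row_vals
    return fb


if __name__ == "__main__":
    # Constructed 8x4 framebuffer: each pixel holds its own index.
    fb = [[y * 8 + x for x in range(8)] for y in range(4)]
    apply_rect_copy(fb, [0, 0, 4, 1, 2, 2])            # legal copy
    for bad in ([6, 0, 0, 0, 4, 1],                    # source runs off the right edge
                [0, 0, 0, 0, 0xFFFFFFFF, 1]):          # width chosen to wrap 32-bit math
        try:
            apply_rect_copy(fb, bad)
        except FifoError as e:
            print("rejected:", e)
```

The check has to be done in the emulator on the host side, because everything in the FIFO is writable by the guest and nothing in the guest can be trusted to have validated it first.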
Account / Service Hijacking
Description
• Attacker gains access to account credentials in order to eavesdrop on
transactions, manipulate data, return falsified information, and/or
redirect requests
Impact
• Access to confidential data, reputational damage and potential legal
consequences due to malicious use of resources
Example
• Hackers find a home in Amazon's EC2 cloud (InfoWorld)
• Zeus botnet C&C servers found running on compromised accounts
MobileMe – Enumerating Accounts
Background
• Apple’s MobileMe, by default, exposes a public web directory for every new user under a URL built from the username
• The directory can be password protected, but that requires a user-initiated change, and the URL itself remains exposed
Risk
• Exposing usernames provides a simple mechanism for enumerating accounts
• Account passwords could then be brute forced or reset
Experiment
• Enumerate accounts for the most popular baby names in 2009
MobileMe – Enumerating Accounts
[Chart: results of probing the most popular 2009 baby names. Categories: Exists, Exists (password protected), Does not exist. Girl names split 8% / 48% / 44% and boy names 26% / 18% / 56% across the three categories; 69% of accounts verified.]
MobileMe – Password Reset
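The MobileMe experiment works because a per-user public URL answers differently for names that exist, names that exist but are protected, and names that do not. A provider that keeps such a directory can at least spot the enumeration in its web logs. The script below is an added example, not Apple's tooling or the speakers' code: it parses access-log lines, keeps only requests for the user-directory path, and flags a source that requests many distinct usernames in a short window with a high share of not-found or protected responses. The log format, the /public/<username>/ path shape, the thresholds and the sample lines are all constructed assumptions.

```python
"""Detecting account-enumeration probes against per-user public URLs.

Added example, not from the talk or from Apple. The access-log format,
the /public/<username>/ path shape and the thresholds are assumptions;
the sample log lines are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+')
USER_PATH_RE = re.compile(r'^/public/(?P<user>[A-Za-z0-9._-]+)/?$')

# Constructed access-log lines: one source walks a list of popular names,
# another is an ordinary visitor browsing a single directory.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2010:10:00:01 +0000] "GET /public/jacob/ HTTP/1.1" 200 512
203.0.113.7 - - [12/Mar/2010:10:00:02 +0000] "GET /public/ethan/ HTTP/1.1" 404 120
203.0.113.7 - - [12/Mar/2010:10:00:02 +0000] "GET /public/michael/ HTTP/1.1" 200 480
203.0.113.7 - - [12/Mar/2010:10:00:03 +0000] "GET /public/alexander/ HTTP/1.1" 404 120
203.0.113.7 - - [12/Mar/2010:10:00:04 +0000] "GET /public/william/ HTTP/1.1" 404 120
203.0.113.7 - - [12/Mar/2010:10:00:05 +0000] "GET /public/isabella/ HTTP/1.1" 401 90
198.51.100.9 - - [12/Mar/2010:10:00:07 +0000] "GET /public/emma/ HTTP/1.1" 200 640
198.51.100.9 - - [12/Mar/2010:10:02:30 +0000] "GET /public/emma/photos/ HTTP/1.1" 200 2048
"""

Record = Tuple[str, datetime, Optional[str], int]


def parse_line(line: str) -> Optional[Record]:
    """Return (ip, timestamp, username-or-None, status) for one log line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    u = USER_PATH_RE.match(m.group("path"))
    return m.group("ip"), ts, (u.group("user") if u else None), int(m.group("status"))


def find_enumerators(log_text: str, window: timedelta = timedelta(minutes=5),
                     min_users: int = 5, min_miss_ratio: float = 0.4
                     ) -> Dict[str, Tuple[int, int]]:
    """Map each suspicious source IP to (distinct usernames probed, miss count).

    A legitimate visitor opens one or two directories; an enumerator requests
    many distinct usernames in a short window and sees a high share of
    404 (name unused) or 401/403 (exists but protected) responses.
    """
    per_ip: Dict[str, List[Tuple[datetime, str, int]]] = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[2] is not None:
            ip, ts, user, status = rec
            per_ip[ip].append((ts, user, status))

    flagged: Dict[str, Tuple[int, int]] = {}
    for ip, events in per_ip.items():
        events.sort()
        best = None
        start = 0
        for end in range(len(events)):            # sliding time window per source
            while events[end][0] - events[start][0] > window:
                start += 1
            win = events[start:end + 1]
            users = {u for _, u, _ in win}
            misses = sum(1 for _, _, s in win if s in (401, 403, 404))
            if len(users) >= min_users and misses / len(win) >= min_miss_ratio:
                cand = (len(users), misses)
                if best is None or cand > best:
                    best = cand
        if best is not None:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, (n, misses) in find_enumerators(SAMPLE_LOG).items():
        print(f"{ip}: probed {n} usernames, {misses} not-found/protected responses")
```

Detection is the fallback; the structural fix is not to expose a per-username URL by default, or to answer identically for absent and protected names so that existence cannot be read off the response.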
Data Loss / Data Leakage
Description
• Data compromise due to improper access controls or weak encryption
• Poorly secured data is at greater risk due to the multi-tenant architecture
Impact
• Data integrity and confidentiality
Example
• Hey, You, Get Off of My Cloud: Exploring Information Leakage in Third-Party
Compute Clouds (UCSD/MIT)
• Research detailing techniques to ensure that images are deployed on the
same physical hardware as a victim and then leveraging cross-VM attacks
to identify data leakage
MediaMax – Inactive Accounts
MediaMax / The Linkup: When the cloud fails
By Michael Krigsman | August 27, 2008, 9:55am PDT
Online storage service MediaMax, also called The Linkup, went out of business
following a system administration error that deleted active customer data. The
defunct company leaves behind unhappy users and raises questions about the
reliability of cloud computing.
…
As with most failures, this story is fraught with complications and
contradictions. Besides finger pointing and back-biting, which I suppose is to
be expected, confusing corporate relationships coupled with a seemingly
bizarre level of process and technical carelessness lend a weird flavor to the
whole mess.
MediaMax Failures
Situation
• MediaMax was shutting down and migrating data to the successor company The Linkup
• During the migration process, account cleanup wiped out legitimate accounts that were
not recovered
• Data was permanently lost and paying customers not reimbursed
MediaMax Statement
• "It was not possible to satisfactorily complete the move of files from MediaMax to The
Linkup as we had expected…
Failures
• Single admin had control to permanently delete data
• Inadequate testing prior to migration
• No backup!!!
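The three failures above map onto three controls: deletion that is reversible for a retention period, a second person for anything irreversible, and a backup that has been verified against the live data rather than assumed. The class below is an added example and not MediaMax's or The Linkup's code; the 30-day retention period, the two-person rule and the digest-based verification are assumptions chosen to illustrate those controls.

```python
"""Guarding permanent deletion: soft delete, retention, and a second approver.

Added example, not MediaMax's or The Linkup's code. The retention period,
the approval rule and the verification step are assumptions.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional

RETENTION_SECONDS = 30 * 24 * 3600  # 30 days before a purge is even possible (assumption)


@dataclass
class Account:
    name: str
    blobs: Dict[str, bytes]
    deleted_at: Optional[int] = None
    delete_requested_by: Optional[str] = None


class Store:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        self.backup: Dict[str, Dict[str, bytes]] = {}  # stands in for an off-system copy

    def soft_delete(self, name: str, actor: str, now: int) -> None:
        """Hide the account but keep its data; reversible until purge."""
        acct = self.accounts[name]
        acct.deleted_at = now
        acct.delete_requested_by = actor

    def restore(self, name: str) -> None:
        """Undo a soft delete (the operation MediaMax's migration could not do)."""
        acct = self.accounts[name]
        acct.deleted_at = None
        acct.delete_requested_by = None

    def take_backup(self, name: str) -> None:
        self.backup[name] = dict(self.accounts[name].blobs)

    def backup_verified(self, name: str) -> bool:
        """Compare content digests of live data and backup, not just file counts."""
        live = self.accounts[name].blobs
        copy = self.backup.get(name)
        if copy is None or set(copy) != set(live):
            return False
        return all(hashlib.sha256(copy[k]).digest() == hashlib.sha256(live[k]).digest()
                   for k in live)

    def purge(self, name: str, approver: str, now: int) -> str:
        """Permanently remove data only when every precondition holds."""
        acct = self.accounts.get(name)
        if acct is None or acct.deleted_at is None:
            return "refused: account not in soft-deleted state"
        if approver == acct.delete_requested_by:
            return "refused: purge needs a second person"
        if now - acct.deleted_at < RETENTION_SECONDS:
            return "refused: retention period not elapsed"
        if not self.backup_verified(name):
            return "refused: no verified backup"
        del self.accounts[name]
        return "purged"


if __name__ == "__main__":
    store = Store()
    store.accounts["u1"] = Account("u1", {"a.txt": b"hello"})  # constructed data
    store.soft_delete("u1", "admin1", now=0)
    print(store.purge("u1", "admin1", now=RETENTION_SECONDS))   # same person: refused
    store.take_backup("u1")
    print(store.purge("u1", "admin2", now=RETENTION_SECONDS))   # purged
```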
Microsoft – Lost Sidekick Data
Microsoft Recovers Lost Sidekick Data
OCTOBER 15, 2009, 5:07 P.M. ET
By ROGER CHENG
Microsoft Corp. said Thursday that it has been able to recover the personal
customer data lost from many of T-Mobile USA's Sidekick devices.
The Redmond, Wash., software giant said that most, if not all, customer data
was recovered, and that the company would begin restoring data as soon as it
has validated it. The company said it will start with personal contacts, and
move on to the lost calendar, notes, tasks and pictures as quickly as possible.
Malicious Insiders
Description
• Employees of the cloud vendor may abuse privileges to access customer
data/functionality
• Reduced visibility into internal processes may inhibit detection of the breach
Impact
• Data confidentiality and integrity
• Reputational damage
• Legal repercussions
Example
• Google Investigates Insider Threat After China Hack (eWeek)
• “Google is investigating whether some of its own staff are behind the repeated
attempts to hack into the Gmail accounts of Chinese human rights activists”
Google Fires Email Snooper
Google fires employee for snooping on users
September 16, 2010|By Jessica Guynn, Los Angeles Times
The Internet search giant says the software engineer broke its 'strict internal
privacy policies.' He allegedly accessed information about four teenagers.
Reporting from San Francisco — Google Inc. fired a software engineer for
snooping on its users' private information, the Internet search giant confirmed
Wednesday.
The 27-year-old employee, David Barksdale, allegedly accessed information
about four teenagers he met through a Seattle technology group, according to
gossip website Gawker, which reported the incident Tuesday.
Google Response
Facebook Master Password
Purported Interview With Facebook Employee Details Use
Of 'Master Password'
Jason Kincaid
Jan 11, 2010
Earlier today, The Rumpus published a very revealing interview with someone
claiming to be a Facebook employee. The interview covers a variety of
subjects, including privacy restrictions at the world’s largest social network and
some of the technological hurdles the site has to deal with. The biggest
revelations? That Facebook collects more data about your habits than you may
realize, and that there was once a ‘master password’ that would grant
employees access to anyone’s Facebook profile — a password that some
employees abused.
Interception or Hijacking of Traffic
Description
• Internal – Compromising a host to sniff/redirect traffic for multiple clients
• External – Redirect traffic destined for the cloud, thereby impacting multiple clients
Impact
• Data confidentiality and integrity
• Reputational damage
• Denial of service
• Financial loss
Example
• Internal Twitter Credentials Used in DNS Hack, Redirect (Wired)
• Twitter’s website…redirected to a defacement page. Twitter acknowledged...its DNS
records “were temporarily compromised.”
Twitter DNS Redirection
Internal Twitter Credentials Used in DNS Hack, Redirect
By David Kravets
December 18, 2009 | 1:04 pm
Twitter’s website went offline for about an hour Thursday, with many tweeters
redirected to a defacement page boasting “This site has been hacked by
Iranian Cyber Army.”
Twitter acknowledged the 10 p.m. takeover, one in a series of security lapses
to hit the popular microblogging service. Twitter said its DNS records “were
temporarily compromised.”
Tom Daly, chief technology officer at Dyn, a New Hampshire-based DNS
company that services Twitter, said somebody using a “set of valid Twitter
credentials” redirected the site.
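In the Twitter case the records were changed with valid credentials at the DNS provider, so nothing on Twitter's own servers failed; the change was only visible from outside. A periodic comparison of resolved records against a pinned baseline catches that within one polling interval. The script below is an added example, not Dyn's or Twitter's tooling: the zone contents are constructed, and the only real inputs in practice would be the records you pin for your own zone and a resolver snapshot.

```python
"""Detecting unauthorized DNS record changes against a pinned baseline.

Added example, not from Dyn or Twitter. The zone names, addresses and the
hijacked snapshot below are constructed.
"""
import socket
from typing import Dict, List, Set, Tuple

# Record set keyed by (owner name, record type); values are the rdata strings.
RecordSet = Dict[Tuple[str, str], Set[str]]

# Constructed baseline: what the zone looked like when it was last reviewed.
BASELINE: RecordSet = {
    ("www.example.test.", "A"): {"192.0.2.10", "192.0.2.11"},
    ("example.test.", "NS"): {"ns1.dnsprovider.test.", "ns2.dnsprovider.test."},
    ("example.test.", "MX"): {"10 mail.example.test."},
}

# Constructed snapshot after a hijack: www points elsewhere and an extra NS appeared.
SNAPSHOT: RecordSet = {
    ("www.example.test.", "A"): {"198.51.100.66"},
    ("example.test.", "NS"): {"ns1.dnsprovider.test.", "ns2.dnsprovider.test.",
                              "ns.attacker.test."},
    ("example.test.", "MX"): {"10 mail.example.test."},
}


def diff_records(baseline: RecordSet, snapshot: RecordSet) -> List[str]:
    """List every deviation of the snapshot from the pinned baseline.

    Added and removed rdata are both reported: a redirection removes the
    legitimate A records and adds a rogue one, and a delegation change shows
    up as an extra NS record.
    """
    findings: List[str] = []
    for key in sorted(set(baseline) | set(snapshot)):
        name, rtype = key
        want = baseline.get(key, set())
        got = snapshot.get(key, set())
        for rdata in sorted(got - want):
            findings.append(f"UNEXPECTED {rtype} {name} -> {rdata}")
        for rdata in sorted(want - got):
            findings.append(f"MISSING    {rtype} {name} -> {rdata}")
    return findings


def snapshot_a_records(names: List[str]) -> RecordSet:
    """Live A-record lookup through the system resolver (needs network access;
    not used by the constructed example). Only A records are covered because
    the standard library exposes no NS or MX lookup."""
    out: RecordSet = {}
    for name in names:
        _, _, addrs = socket.gethostbyname_ex(name.rstrip("."))
        out[(name, "A")] = set(addrs)
    return out


if __name__ == "__main__":
    for line in diff_records(BASELINE, SNAPSHOT):
        print(line)
```

Query several independent resolvers rather than one, since a hijack at the registrar or provider changes what every resolver returns, while a poisoned cache changes only one; the two cases call for different responses.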
Insecure APIs
Description
• APIs designed to permit access to functionality and data may be vulnerable or
improperly utilized, exposing applications to attack
• Web 2.0 is the platform for the cloud
Impact
• Data confidentiality and integrity
• Denial of service
Example
• P0wning the Programmable Web (Websense – AusCERT 2009)
• 80% of tested applications not using available security in APIs (e.g. unencrypted traffic
and basic authentication)
• Demonstrated CSRF, MITM and data leakage attacks
Insecure API’s
The programmable web is run in the cloud
&
The cloud is programmed by the web
Insecure API’s
We analyzed a dozen popular Twitter APPS,
Gadgets, Facebook APPS, and Mashups and
>80% are NOT utilizing the security provided via
auth and encryption !!!
Insecure APIs
• Programmable web is…
  – Straightforward to develop solutions to
  – Often anonymous or “frictionless”
  – Can be done from anywhere
  – Can usually be done by anyone
  – Can be done on anything (it’s the web after all)
Insecure APIs
• Threats to programmable web:
  – Man in the middle attack (MITM)
  – Message replay attacks
  – Identity spoofing
  – Message alterations
  – Confidentiality and privacy leaking / issues
Insecure API’s
• Example of Open graph being compromised and
redirecting users
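Four of the five threats listed above (MITM alteration, replay, identity spoofing, message alteration) are addressed by the request signing that the surveyed apps were not using. The code below is an added example, not from the Websense talk or any particular API: the client signs the method, path, body digest, timestamp and a fresh nonce with a shared secret, and the server checks the key id, the signature in constant time, the timestamp window and nonce uniqueness. The header names, the five-minute skew window and the in-memory nonce store are assumptions.

```python
"""Signing API requests so that spoofing, alteration and replay are detectable.

Added example, not from the Websense talk or any named API. Header names,
the skew window and the in-memory nonce store are assumptions.
"""
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Set

SKEW_SECONDS = 300  # accept timestamps within +/- 5 minutes (assumption)


def canonical_string(method: str, path: str, body: bytes, ts: int, nonce: str) -> bytes:
    """Everything the signature covers, in a fixed order."""
    body_hash = hashlib.sha256(body).hexdigest()
    return f"{method.upper()}\n{path}\n{body_hash}\n{ts}\n{nonce}".encode()


def sign_request(key_id: str, secret: bytes, method: str, path: str, body: bytes,
                 ts: Optional[int] = None, nonce: Optional[str] = None) -> Dict[str, str]:
    """Client side: produce the auth headers for one request."""
    ts = int(time.time()) if ts is None else ts
    nonce = secrets.token_hex(16) if nonce is None else nonce
    mac = hmac.new(secret, canonical_string(method, path, body, ts, nonce), hashlib.sha256)
    return {"X-Key-Id": key_id, "X-Timestamp": str(ts), "X-Nonce": nonce,
            "X-Signature": mac.hexdigest()}


class Verifier:
    """Server side: identity (key id), integrity (HMAC over method, path and
    body), freshness (timestamp) and uniqueness (nonce)."""

    def __init__(self, keys: Dict[str, bytes]) -> None:
        self.keys = keys
        self.seen: Set[str] = set()  # production: a store with TTL >= 2 * SKEW_SECONDS

    def verify(self, headers: Dict[str, str], method: str, path: str, body: bytes,
               now: Optional[int] = None) -> str:
        """Return 'ok' or the reason for rejection."""
        now = int(time.time()) if now is None else now
        secret = self.keys.get(headers.get("X-Key-Id", ""))
        if secret is None:
            return "unknown key id"
        try:
            ts = int(headers["X-Timestamp"])
            nonce = headers["X-Nonce"]
            sig = headers["X-Signature"]
        except (KeyError, ValueError):
            return "missing auth headers"
        if abs(now - ts) > SKEW_SECONDS:
            return "stale timestamp"
        expected = hmac.new(secret, canonical_string(method, path, body, ts, nonce),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):  # constant-time comparison
            return "bad signature"
        replay_key = f"{headers['X-Key-Id']}:{nonce}"
        if replay_key in self.seen:
            return "replayed nonce"
        self.seen.add(replay_key)
        return "ok"


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    verifier = Verifier({"app-1": secret})
    headers = sign_request("app-1", secret, "POST", "/v1/status", b'{"text":"hi"}')
    print(verifier.verify(headers, "POST", "/v1/status", b'{"text":"hi"}'))  # ok
    print(verifier.verify(headers, "POST", "/v1/status", b'{"text":"hi"}'))  # replayed nonce
```

Signing gives integrity and origin, not secrecy: the fifth threat on the list, confidentiality, still needs TLS, which the survey found 80% of the tested applications were not using.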
Abuse and Nefarious Use
Description
• The cloud offers virtually unlimited computing power
• What can be used for good can also be used for bad
Impact
• Attackers can use the cloud for their own purposes
Examples
• DDoS, password cracking, crypto breaking, hosting malicious code, controlling bots, updating code
Abuse and Nefarious Use
• Hosting attacker toolkits for user infections, updating code, and a control and statistics portal
Abuse and Nefarious Use
• Twitter and other web services have been used for command and control of bots
Abuse and Nefarious Use
• Using Google’s search platform for poisoning search results
• ~15% of searches for hot trends end up at malicious websites
• Attackers use web APIs like hot trends, topics, tweets, and mining
Abuse and Nefarious Use
Keep in mind that this is essentially a DoS attack. Launch it against a site that isn’t yours and very bad things will happen to you. But for testing your own site’s performance, Bees with Machine Guns is awesome — all you need is an EC2 account and the script.
Abuse and Nefarious Use
Amazon
• 1 of 2,208 IPs
• http://ec2-184-73-228-133.compute-1.amazonaws.com/ (fake AV)
Rackspace
• 13 of 2,208 IPs
• generatorservices.in (Exploits)
• fabvid.com (Exploits)
• soundcomputers.net (Directs to exploits)
• down-south.com (Directs to exploits)
• pics.imagephun.com (CRiMEPACK)
• ashtartours.com (Directs to exploits)
• admincareers.com, alkarmel.com.jo, allwebjobs.com, an-inconvenient-truth.com, crowncraftsinc.com,
espdesign.com.au, expojordan.com.jo, infoportsolutions.com (Directs to exploits)
• white.be (RFI)
• lasvegasusacasino.com (Casino.Adware)
• adware-2009.com (Fake Antivirus)
• www.antivirus-live.com (Fake Antivirus)
• www.onebigmaine.com (Directs to exploits)
• antiadwarepro.com (Rogue)
Abuse and Nefarious Use
• Other examples of potential abuse:
  – Password and encryption cracking
  – Data warehousing of large amounts of data, identities
  – DDoS (we talk about that later)
  – Hosting malicious files, phishing pages
  – Hiding behind services for data mining
  – Breaking CAPTCHAs or other security checks
Top Threats for Cloud Computing v2
Goal
• Identify malicious use and abuse of cloud computing technologies
8 Deadly Sins of Cloud Security?
• Shared Technology Vulnerabilities
• Account/Service Hijacking
• Data Loss/Data Leakage
• Insecure APIs
• Malicious Insiders
• Interception or Hijacking of Traffic
• Nefarious Use of Service
• Distributed Denial of Service Attacks (DDoS)
Distributed Denial of Service
Description
• DDoS was the #1 threat suggested by respondents that was not in our top list
• A sub-set of abuse and nefarious use
Impact
• Attackers can use the cloud for their own purposes
Examples
• Taking down web sites, services, etc.
Distributed Denial of Service
Process
• Using Twill, automated account generation
• Instances limited to 20 per user
• Each instance created new user accounts, which generated 20 more instances
• No CAPTCHA required
• Single credit card used for all instances
Outcome
• Cycle to generate 20 accounts took 3 minutes
• In 10 minutes, thousands of instances running
• Distributed clouds means more power
Distributed Denial of Service
• Attacks could be launched from different zones, geos, and services to help thwart takedowns
• The attacker could be shut down, but the damage could already be done and the IP space is now blacklisted
Another version is a financial DDoS against a service user of IaaS who is paying per drink. Much harder to stop and detect.
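The fan-out described above (20 instances per account, each instance creating more accounts, one credit card for everything, no CAPTCHA) leaves two signals a provider can act on: one payment instrument funding many accounts in a short window, and a tree of accounts whose signups originate from instances owned by other accounts. The code below is an added example, not any cloud provider's abuse system: the event schema, the thresholds and the sample events are constructed.

```python
"""Spotting automated account fan-out of the kind used to farm instances.

Added example, not from any cloud provider. The event schema, the velocity
thresholds and the sample events are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Signup:
    t: int              # seconds since the start of the observation window
    account: str
    card_fp: str        # fingerprint (e.g. a hash) of the payment instrument
    src_ip: str
    created_from: str   # account owning the instance that issued this signup, "" if none


# Constructed events: 'seed' is a hand-made account whose instances script further signups.
EVENTS: List[Signup] = [
    Signup(30, "alice", "card-B", "198.51.100.4", ""),
    Signup(0, "seed", "card-A", "203.0.113.9", ""),
    Signup(60, "acct-1", "card-A", "203.0.113.21", "seed"),
    Signup(70, "acct-2", "card-A", "203.0.113.22", "seed"),
    Signup(80, "acct-3", "card-A", "203.0.113.23", "seed"),
    Signup(200, "acct-4", "card-A", "203.0.113.31", "acct-1"),
    Signup(210, "acct-5", "card-A", "203.0.113.32", "acct-1"),
]


def velocity_by_card(events: Iterable[Signup], window: int = 600,
                     limit: int = 3) -> Dict[str, int]:
    """Cards funding more than `limit` new accounts within any `window` seconds."""
    by_card: Dict[str, List[int]] = defaultdict(list)
    for e in events:
        by_card[e.card_fp].append(e.t)
    flagged: Dict[str, int] = {}
    for card, times in by_card.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):             # sliding window over signup times
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best > limit:
            flagged[card] = best
    return flagged


def fanout_roots(events: Iterable[Signup], min_descendants: int = 5) -> Dict[str, int]:
    """Root accounts whose instances spawned a tree of >= min_descendants accounts."""
    events = list(events)
    children: Dict[str, List[str]] = defaultdict(list)
    for e in events:
        if e.created_from:
            children[e.created_from].append(e.account)
    spawned = {e.account for e in events if e.created_from}

    def descendants(acct: str, seen: set) -> int:
        total = 0
        for child in children.get(acct, []):
            if child not in seen:               # guard against cycles in bad data
                seen.add(child)
                total += 1 + descendants(child, seen)
        return total

    result: Dict[str, int] = {}
    for root in set(children) - spawned:        # parents that were not themselves spawned
        n = descendants(root, set())
        if n >= min_descendants:
            result[root] = n
    return result


def review(events: List[Signup]) -> Dict[str, Dict[str, int]]:
    """Both signals together, as an abuse reviewer would see them."""
    return {"card_velocity": velocity_by_card(events), "fanout": fanout_roots(events)}


if __name__ == "__main__":
    print(review(EVENTS))
```

Either signal on its own blocks the three-minute cycle the slide describes; the card-velocity rule in particular needs no change to the signup flow, whereas a CAPTCHA only raises the cost of the first account in each chain.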
Future Candidates to Think About
• All things Cloudy: Mobile / Tablets
– Application Hacking
– Location based service hacking
– Eavesdropping
• Social Hacking
  – Location based service hijacking
  – “meatspace” attacks
  – Hacking the social graph
  – Hacking social trust
  – Vendor misuse or abuse
• Co-operation is the new control
Feedback from the masses
CSA TOP THREATS SURVEY
Survey Overview
• Solicited feedback from cloud providers and
consumers
• Survey promoted through technical blogs and on
CSA website and at RSA CSA Cloud Security
Summit
• Received more than 300 responses to the
survey
• Survey opened from Jan – March, 2010
Survey Highlights: Demographics
[Pie chart: Organization Breakdown*. Slices labelled Small Business, Medium Enterprise, Large Enterprise, Government; values shown: 4.40%, 18.20%, 22.90%, 21.00%, 33.50% (slice-to-label mapping not recoverable from the extracted chart).]
* # of employees: Small Business < 100, Medium 100–10,000, Large > 10,000
[Pie chart: Cloud Response Usage. Slices labelled Cloud Vendor, Cloud Consumer, Other; values shown: 31.03%, 24.12%, 44.84%.]
Top Survey Statistics: Data Leakage
[Chart: Likelihood of Data Leakage Occurring. Answer options Very Unlikely, Unlikely, Possible, Likely, Frequently; values shown: 6.15%, 12.31%, 15.49%, 31.49%, 34.56%.]
82% of respondents believe that the likelihood of Data Leakage in the cloud is possible, likely, or frequent.
Top Survey Statistics: Malicious Insiders
[Chart: Likelihood of Malicious Insider. Answer options Very Unlikely, Unlikely, Possible, Likely, Frequently; values shown: 5.50%, 6.11%, 25.15%, 19.04%, 44.20%.]
76% of respondents believe that the likelihood of Malicious Insiders in the cloud is possible, likely, or frequent.
Survey Results
Rank  Threat                                        Percentage
1     Data Loss/Leakage                             26.5%
2     Abuse and Nefarious Use of Cloud Computing    19.4%
3     Insecure APIs                                 14.2%
4     Malicious Insiders                            12.9%
5     Account/Service and Traffic Hijacking         12.3%
6     Unknown Risk Profile                           8.4%
7     Shared Technology Vulnerabilities              6.5%
Status
Revisions
• Top threats list will be updated 2x per year
Process
• Recommended changes will be solicited from CSA
participants
• Recommendations will be summarized and solicited to
judges for review
• Judges will vote on any recommended changes
• Participate! Improve the Top Threats!
Participation
http://cloudsecurityalliance.org/topthreats_form.html
Recommended Additions/Deletions
• Propose new ‘threat templates’
• Description of threat
• Pertinent examples
• Impact
• Remediation
• Comment on existing
Questions
Michael Sutton
VP, Security Research
Zscaler
msutton@zscaler.com
Dan Hubbard
CTO
Websense
dhubbard@websense.com
http://cloudsecurityalliance.org/topthreats
Download