Top Cloud Threats v2.0
Cloud Security Alliance
Michael Sutton, VP Research, Zscaler
Dan Hubbard, CTO, Websense

Project Purpose
• Engage experts and the broader community to identify top security threats for cloud computing
• Educate cloud providers/consumers to mitigate risk when deploying/adopting cloud computing

Participants
• Leaders – Michael Sutton & Dan Hubbard
• Team – Amer Deeba, Andy Dancer, Brian Shea, Craig Balding, Dennis Hurst, Glenn Brunette, Jake Lee, Jason Witty, Jim Reavis, John Howie, Josh Zachry, Ken Biery, Martin Roesler, Matthew Becker, Mike Geide, Scott Matsumoto, Scott Morrison, William Thornhill, Wolfgang Kandek, Archie Reed, Daniele Cattedu, Dave Cullinane, Giles Hogben, Gunter Ollmann, Jens Jensen, Joshua Pennell, Nils Puhlmann, Rick Howard

Contributing Organizations

Top Threats for Cloud Computing v1
Goal
• Identify malicious use and abuse of cloud computing technologies

7 Deadly Sins of Cloud Security
• Shared Technology Vulnerabilities
• Account/Service Hijacking
• Data Loss/Data Leakage
• Malicious Insiders
• Interception or Hijacking of Traffic
• Nefarious Use of Service
• Insecure APIs
• DDOS

Shared Technology Vulnerabilities
Description
• Exposed hardware, operating systems, middleware, application stacks and network components may possess known vulnerabilities
Impact
• Successful exploitation could impact multiple customers
Example
• Cloudburst – Kostya Kortchinsky (Black Hat 2009)
• Arbitrary code execution vulnerability identified in the VMware SVGA II device, a virtualized PCI display adapter

Cloudburst Research
• Kostya Kortchinsky, Immunity (Black Hat 2009)
Goal
• Execute code on the host environment from a guest VM
• “VMware isn’t an additional security layer. It’s just another layer to find bugs in.” – Kostya Kortchinsky
Vulnerability
• VMware SVGA II – virtualized PCI display adapter
• Present in VMware Workstation, Player, Server and ESX
• Runs on the host, accessible by the guest
• Memory is shared between host and guest

Cloudburst – Kostya Kortchinsky, Immunity (Black Hat 2009)
(two slides; the second shows the command definition from the SVGA FIFO protocol)
    #define SVGA_CMD_RECT_COPY
    /* FIFO layout: Source X, Source Y, Dest X, Dest Y, Width, Height */

Account / Service Hijacking
Description
• Attacker gains access to account credentials in order to eavesdrop on transactions, manipulate data, return falsified information, and/or redirect requests
Impact
• Access to confidential data, reputational damage and potential legal consequences due to malicious use of resources
Example
• Hackers find a home in Amazon's EC2 cloud (InfoWorld)
• Zeus botnet C&C servers found running on compromised accounts

MobileMe – Enumerating Accounts
Background
• Apple’s MobileMe, by default, exposes a public web directory for every new user, named after the username
• The directory can be password protected, but this requires a user-initiated change, and the URL remains exposed
Risk
• Exposing usernames provides a simple mechanism for enumerating accounts
• Account passwords could then be brute forced or reset
Experiment
• Enumerate accounts for the most popular baby names in 2009

MobileMe – Enumerating Accounts (results)
[Pie charts: Girl Names – segments 8%, 48%, 44%; Boy Names – segments 26%, 18%, 56%; legend: Exists, Does not exist, Exists (password protected)]
• 69% of accounts verified

MobileMe – Password Reset
(four screenshot slides walking through the password reset flow)

Data Loss / Data Leakage
Description
• Data compromise due to improper access controls or weak encryption
• Poorly secured data is at greater risk due to the multi-tenant architecture
Impact
• Data integrity and confidentiality
Example
• Hey, You, Get Off of My Cloud: Exploring Information Leakage in Third-Party Compute Clouds (UCSD/MIT)
• Research detailing techniques to ensure that images are deployed on the same physical hardware as a victim and then leveraging cross-VM attacks to identify data leakage

MediaMax – Inactive Accounts
MediaMax / The Linkup: When the cloud fails
By Michael Krigsman | August 27, 2008, 9:55am PDT
Online storage service MediaMax, also called The Linkup, went out of business following a system administration error that deleted active customer data. The defunct company leaves behind unhappy users and raises questions about the reliability of cloud computing.
…
As with most failures, this story is fraught with complications and contradictions. Besides finger pointing and back-biting, which I suppose is to be expected, confusing corporate relationships coupled with a seemingly bizarre level of process and technical carelessness lend a weird flavor to the whole mess.

MediaMax Failures
Situation
• MediaMax was shutting down and migrating data to the successor company, The Linkup
• During the migration process, account cleanup wiped out legitimate accounts that were not recovered
• Data was permanently lost and paying customers were not reimbursed
MediaMax Statement
• "It was not possible to satisfactorily complete the move of files from MediaMax to The Linkup as we had expected…"
Failures
• A single admin had the ability to permanently delete data
• Inadequate testing prior to migration
• No backup!!!

Microsoft – Lost Sidekick Data
Microsoft Recovers Lost Sidekick Data
OCTOBER 15, 2009, 5:07 P.M. ET
By ROGER CHENG
Microsoft Corp. said Thursday that it has been able to recover the personal customer data lost from many of T-Mobile USA's Sidekick devices. The Redmond, Wash., software giant said that most, if not all, customer data was recovered, and that the company would begin restoring data as soon as it has validated it.
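The MobileMe slides above show how a public per-user URL lets anyone confirm which usernames exist: the HTTP status alone (200 or 401 for an existing directory, 404 for a missing one) is the answer. On the provider side that activity is visible in ordinary web logs as one client walking through many usernames in a short window. The following is an added example of detection logic for that pattern; it is not part of the CSA deck or Apple's tooling. It assumes a service that publishes content at /<username>/ and writes Apache combined-format logs; the log lines, IP addresses and thresholds are constructed for the example. The report lists the accounts whose existence the client confirmed, which is the set to notify or watch for follow-on password-reset attempts.

```python
"""Detect username enumeration against a public per-user web directory.

Added example, not part of the original CSA deck or any Apple code.
Assumes a service that serves /<username>/ (as on the MobileMe slides)
and logs in Apache combined format.  All log lines are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample: one client probing eight baby names in four seconds,
# and one ordinary user browsing her own directory.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2010:14:02:01 +0000] "GET /emma/ HTTP/1.1" 200 512
203.0.113.7 - - [10/Mar/2010:14:02:01 +0000] "GET /olivia/ HTTP/1.1" 404 210
203.0.113.7 - - [10/Mar/2010:14:02:02 +0000] "GET /sophia/ HTTP/1.1" 200 498
203.0.113.7 - - [10/Mar/2010:14:02:02 +0000] "GET /ava/ HTTP/1.1" 404 210
203.0.113.7 - - [10/Mar/2010:14:02:03 +0000] "GET /isabella/ HTTP/1.1" 401 180
203.0.113.7 - - [10/Mar/2010:14:02:03 +0000] "GET /jacob/ HTTP/1.1" 404 210
203.0.113.7 - - [10/Mar/2010:14:02:04 +0000] "GET /ethan/ HTTP/1.1" 404 210
203.0.113.7 - - [10/Mar/2010:14:02:04 +0000] "GET /michael/ HTTP/1.1" 200 530
198.51.100.20 - - [10/Mar/2010:14:05:10 +0000] "GET /emma/ HTTP/1.1" 200 512
198.51.100.20 - - [10/Mar/2010:14:05:12 +0000] "GET /emma/photos/ HTTP/1.1" 200 2048
"""


def parse_line(line):
    """Return the fields of one combined-format log line, or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    # The username is the first path segment: /<username>/...
    parts = rec["path"].split("/")
    rec["user"] = parts[1] if len(parts) > 1 else ""
    return rec


def detect_enumeration(log_text, min_distinct=5, min_probe_ratio=0.5, window_seconds=60):
    """Flag client IPs that probe many distinct usernames within one window.

    A "probe" is a request for the bare user directory (/<user>/), whose
    only purpose is to learn whether the account exists.  Returns
    {ip: summary} for flagged clients; the summary separates usernames the
    client confirmed (200/401) from those that do not exist (404).
    """
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["user"]:
            per_ip[rec["ip"]].append(rec)

    flagged = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        # Slide a window over the client's requests; stop at the first window that trips.
        for i, start in enumerate(recs):
            window = [r for r in recs[i:]
                      if (r["ts"] - start["ts"]).total_seconds() <= window_seconds]
            users = {r["user"] for r in window}
            probes = sum(1 for r in window if r["path"].strip("/") == r["user"])
            if len(users) >= min_distinct and probes / len(window) >= min_probe_ratio:
                flagged[ip] = {
                    "distinct_users": len(users),
                    "exists": sorted(r["user"] for r in window if r["status"] in (200, 401)),
                    "not_found": sorted(r["user"] for r in window if r["status"] == 404),
                }
                break
    return flagged


if __name__ == "__main__":
    for ip, summary in detect_enumeration(SAMPLE_LOG).items():
        print(ip, summary)
```

The thresholds are deliberately low for the ten-line sample; on real traffic they would be tuned against a baseline of how many distinct user directories a normal client touches per minute. The structural fix the slides imply, not publishing a URL that reveals whether an account exists, removes the signal entirely, but the detection still matters for any endpoint whose response differs by username.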
The company said it will start with personal contacts, and move on to the lost calendar, notes, tasks and pictures as quickly as possible.

Malicious Insiders
Description
• Employees of the cloud vendor may abuse privileges to access customer data/functionality
• Reduced visibility into internal processes may inhibit detection of the breach
Impact
• Data confidentiality and integrity
• Reputational damage
• Legal repercussions
Example
• Google Investigates Insider Threat After China Hack (eWeek)
• “Google is investigating whether some of its own staff are behind the repeated attempts to hack into the Gmail accounts of Chinese human rights activists”

Google Fires Email Snooper
Google fires employee for snooping on users
September 16, 2010 | By Jessica Guynn, Los Angeles Times
The Internet search giant says the software engineer broke its 'strict internal privacy policies.' He allegedly accessed information about four teenagers.
Reporting from San Francisco — Google Inc. fired a software engineer for snooping on its users' private information, the Internet search giant confirmed Wednesday. The 27-year-old employee, David Barksdale, allegedly accessed information about four teenagers he met through a Seattle technology group, according to gossip website Gawker, which reported the incident Tuesday.

Google Response

Facebook Master Password
Purported Interview With Facebook Employee Details Use Of 'Master Password'
Jason Kincaid, Jan 11, 2010
Earlier today, The Rumpus published a very revealing interview with someone claiming to be a Facebook employee. The interview covers a variety of subjects, including privacy restrictions at the world’s largest social network and some of the technological hurdles the site has to deal with. The biggest revelations? That Facebook collects more data about your habits than you may realize, and that there was once a ‘master password’ that would grant employees access to anyone’s Facebook profile — a password that some employees abused.
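Both insider cases above come down to the same control gap: staff could read customer data with no record tying the access to a legitimate reason, so the "reduced visibility into internal processes" on the Description slide was total. The following is an added example of the review a provider can run over its own access audit trail; it is not Google's or Facebook's tooling. It assumes the provider logs every staff read of customer data as a JSON event carrying the employee, the customer account touched and the support ticket (if any) that justified it, and that the ticket system exposes which customer each open ticket concerns. Every event, ticket and identifier below is constructed.

```python
"""Review a provider's audit trail for staff access to customer data.

Added example, not code from the CSA deck, Google or Facebook.  Assumes
one JSON event per staff read of customer data and a map of open support
tickets to the customer they concern.  All records are constructed.
"""
import json
from collections import Counter, defaultdict

# Constructed: ticket id -> customer account the ticket is about.
OPEN_TICKETS = {
    "T-1001": "cust-4411",
    "T-1002": "cust-9020",
}

# Constructed audit events, as the access-logging layer would emit them.
ACCESS_EVENTS = [json.dumps(e) for e in [
    {"ts": "2010-09-10T09:01:00Z", "employee": "e-17", "customer": "cust-4411",
     "action": "read_mail", "ticket": "T-1001"},
    {"ts": "2010-09-10T09:05:00Z", "employee": "e-17", "customer": "cust-9020",
     "action": "read_contacts", "ticket": "T-1002"},
    {"ts": "2010-09-10T21:30:00Z", "employee": "e-42", "customer": "cust-7788",
     "action": "read_chat", "ticket": None},
    {"ts": "2010-09-10T21:31:00Z", "employee": "e-42", "customer": "cust-7789",
     "action": "read_chat", "ticket": None},
    {"ts": "2010-09-10T21:33:00Z", "employee": "e-42", "customer": "cust-7790",
     "action": "read_mail", "ticket": None},
    {"ts": "2010-09-11T10:00:00Z", "employee": "e-17", "customer": "cust-5555",
     "action": "read_mail", "ticket": "T-1001"},
]]


def audit_access(events, open_tickets, max_unjustified=2):
    """Return (findings, flagged_employees).

    findings: one dict per event that is not tied to an open ticket for the
    customer it touched, with the reason.
    flagged_employees: employees whose unjustified reads span more than
    max_unjustified distinct customers, i.e. browsing rather than support.
    """
    findings = []
    unjustified_customers = defaultdict(set)
    for raw in events:
        ev = json.loads(raw)
        ticket = ev.get("ticket")
        if ticket is None:
            reason = "no_ticket"
        elif ticket not in open_tickets:
            reason = "unknown_ticket"
        elif open_tickets[ticket] != ev["customer"]:
            # A real ticket, but for someone else's account.
            reason = "ticket_for_other_customer"
        else:
            continue  # justified: open ticket for this customer
        findings.append({"ts": ev["ts"], "employee": ev["employee"],
                         "customer": ev["customer"], "action": ev["action"],
                         "reason": reason})
        unjustified_customers[ev["employee"]].add(ev["customer"])

    flagged = sorted(emp for emp, custs in unjustified_customers.items()
                     if len(custs) > max_unjustified)
    return findings, flagged


def count_by_reason(findings):
    """Breakdown of findings by reason, for the review summary."""
    return Counter(f["reason"] for f in findings)


if __name__ == "__main__":
    found, flagged = audit_access(ACCESS_EVENTS, OPEN_TICKETS)
    for f in found:
        print(f)
    print("flagged:", flagged, dict(count_by_reason(found)))
```

The check is only as good as the logging underneath it: it presumes that every read path to customer data goes through a layer that records the event, which is exactly the property a shared "master password" defeats. Running it as a daily job over the previous day's events, and routing the flagged employees to a human reviewer, turns the one-off discovery in the Google case into a routine control.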
Interception or Hijacking of Traffic
Description
• Internal – compromising a host to sniff/redirect traffic for multiple clients
• External – redirecting traffic destined for the cloud, thereby impacting multiple clients
Impact
• Data confidentiality and integrity
• Reputational damage
• Denial of service
• Financial loss
Example
• Internal Twitter Credentials Used in DNS Hack, Redirect (Wired)
• Twitter’s website…redirected to a defacement page. Twitter acknowledged...its DNS records “were temporarily compromised.”

Twitter DNS Redirection
Internal Twitter Credentials Used in DNS Hack, Redirect
By David Kravets | December 18, 2009 | 1:04 pm
Twitter’s website went offline for about an hour Thursday, with many tweeters redirected to a defacement page boasting “This site has been hacked by Iranian Cyber Army.” Twitter acknowledged the 10 p.m. takeover, one in a series of security lapses to hit the popular microblogging service. Twitter said its DNS records “were temporarily compromised.” Tom Daly, chief technology officer at Dyn, a New Hampshire-based DNS company that services Twitter, said somebody using a “set of valid Twitter credentials” redirected the site.

Insecure APIs
Description
• APIs designed to permit access to functionality and data may be vulnerable or improperly utilized, exposing applications to attack
• Web 2.0 is the platform for the cloud
Impact
• Data confidentiality and integrity
• Denial of service
Example
• P0wning the Programmable Web (Websense – AusCERT 2009)
• 80% of tested applications not using the security available in the APIs (e.g. unencrypted traffic and basic authentication)
• Demonstrated CSRF, MITM and data leakage attacks

Insecure APIs
The programmable web is run in the cloud & the cloud is programmed by the web

Insecure APIs
We analyzed a dozen popular Twitter apps, gadgets, Facebook apps and mashups, and >80% are NOT utilizing the security provided via auth and encryption!!!
Insecure APIs
• The programmable web is…
  – Straightforward to develop solutions for
  – Often anonymous or “frictionless”
  – Can be used from anywhere
  – Can usually be used by anyone
  – Can be used on anything (it’s the web after all)

Insecure APIs
• Threats to the programmable web:
  – Man in the middle attack (MITM)
  – Message replay attacks
  – Identity spoofing
  – Message alteration
  – Confidentiality and privacy leaking / issues

Insecure APIs
• Example of Open Graph being compromised and redirecting users

Abuse and Nefarious Use
Description
• The cloud offers virtually unlimited computing power
• What can be used for good can also be used for bad
Impact
• Attackers can use the cloud for their own purposes
Examples
• DDoS, password cracking, crypto breaking, hosting malicious code, controlling bots, updating code

Abuse and Nefarious Use
• Hosting attacker toolkits for user infections, updating code, and control and statistics portals

Abuse and Nefarious Use
• Twitter and other web services have been used for command and control of bots

Abuse and Nefarious Use
• Using Google’s search platform for poisoning search results
• ~15% of searches for hot trends end up at malicious websites
• Attackers use web APIs like hot trends, topics, tweets, and mining

Abuse and Nefarious Use
Keep in mind that this is essentially a DoS attack. Launch it against a site that isn’t yours and very bad things will happen to you. But for testing your own site’s performance, Bees with Machine Guns is awesome — all you need is an EC2 account and the script.
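The four threats listed above (MITM, replay, identity spoofing, message alteration) are what the "auth and encryption" that >80% of the surveyed apps skipped is there to stop. As an added example, not code from the deck or from any API the deck names, the block below shows the client and server halves of a signed API call: the client binds method, host, path, query, body hash, timestamp and a fresh nonce under an HMAC keyed with its per-app secret, and the server checks the signature, rejects stale timestamps and refuses a nonce it has already seen. The header names, key id, secret and api.example.com host are assumptions made for the example. Signing gives integrity and authenticity only; the client still refuses to send over plaintext HTTP, because confidentiality of the payload (and of the key id) depends on TLS.

```python
"""Sign and verify programmable-web API calls.

Added example, not from the CSA deck or any named service.  Assumes a
key id / shared secret per client app and four request headers whose
names (X-Key, X-Timestamp, X-Nonce, X-Signature) are chosen here.
"""
import hashlib
import hmac
import secrets
import time
from urllib.parse import urlsplit

CLIENT_SECRETS = {"app-123": b"constructed-shared-secret"}  # key id -> secret
MAX_SKEW = 300  # seconds a request timestamp may differ from server time


def transport_ok(url):
    """Signing does not hide the payload; only send over TLS."""
    return urlsplit(url).scheme == "https"


def canonical_string(method, url, body, timestamp, nonce):
    """Bind every part of the request an on-path attacker could alter."""
    u = urlsplit(url)
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), u.netloc.lower(), u.path, u.query,
                      body_hash, str(timestamp), nonce])


def sign_request(key_id, method, url, body=b"", now=None, nonce=None):
    """Client side: return the auth headers to attach to the request."""
    if not transport_ok(url):
        raise ValueError("refusing to sign a plaintext request: use https")
    ts = int(now if now is not None else time.time())
    nonce = nonce or secrets.token_hex(16)
    mac = hmac.new(CLIENT_SECRETS[key_id],
                   canonical_string(method, url, body, ts, nonce).encode(),
                   hashlib.sha256).hexdigest()
    return {"X-Key": key_id, "X-Timestamp": str(ts),
            "X-Nonce": nonce, "X-Signature": mac}


class Verifier:
    """Server side: checks signature, freshness and nonce uniqueness."""

    def __init__(self, secrets_by_key, max_skew=MAX_SKEW):
        self.keys = secrets_by_key
        self.max_skew = max_skew
        self.seen_nonces = {}  # nonce -> timestamp, for replay detection

    def verify(self, method, url, body, headers, now=None):
        """Return (ok, reason); reason names the first check that failed."""
        now = now if now is not None else time.time()
        secret = self.keys.get(headers.get("X-Key"))
        if secret is None:
            return False, "unknown key"
        try:
            ts = int(headers["X-Timestamp"])
            nonce = headers["X-Nonce"]
            sig = headers["X-Signature"]
        except (KeyError, ValueError):
            return False, "missing auth headers"
        if abs(now - ts) > self.max_skew:
            return False, "stale timestamp"
        if nonce in self.seen_nonces:
            return False, "replay"
        expected = hmac.new(secret, canonical_string(method, url, body, ts, nonce).encode(),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return False, "bad signature"
        self.seen_nonces[nonce] = ts
        # Drop nonces older than the skew window so the table stays bounded:
        # anything that old would already be rejected as stale.
        self.seen_nonces = {n: t for n, t in self.seen_nonces.items()
                            if now - t <= self.max_skew}
        return True, "ok"


if __name__ == "__main__":
    url = "https://api.example.com/v1/status?x=1"
    hdrs = sign_request("app-123", "POST", url, b'{"text":"hi"}')
    v = Verifier(CLIENT_SECRETS)
    print(v.verify("POST", url, b'{"text":"hi"}', hdrs))   # (True, 'ok')
    print(v.verify("POST", url, b'{"text":"hi"}', hdrs))   # (False, 'replay')
```

The order of checks matters for cost as well as correctness: the cheap freshness and nonce tests run before the HMAC, so a flood of replayed messages is rejected without hashing the body. The nonce table is bounded by the skew window, which is why the timestamp check has to come first.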
Abuse and Nefarious Use
Amazon
• 1 of 2,208 IPs
• http://ec2-184-73-228-133.compute-1.amazonaws.com/ (fake AV)
Rackspace
• 13 of 2,208 IPs
• generatorservices.in (exploits)
• fabvid.com (exploits)
• soundcomputers.net (directs to exploits)
• down-south.com (directs to exploits)
• pics.imagephun.com (CRiMEPACK)
• ashtartours.com (directs to exploits)
• admincareers.com, alkarmel.com.jo, allwebjobs.com, an-inconvenient-truth.com, crowncraftsinc.com, espdesign.com.au, expojordan.com.jo, infoportsolutions.com (direct to exploits)
• white.be (RFI)
• lasvegasusacasino.com (Casino.Adware)
• adware-2009.com (fake antivirus)
• www.antivirus-live.com (fake antivirus)
• www.onebigmaine.com (directs to exploits)
• antiadwarepro.com (rogue)

Abuse and Nefarious Use
• Other examples of potential abuse:
  – Password and encryption cracking
  – Data warehousing of large amounts of data and identities
  – DDoS (we talk about that later)
  – Hosting malicious files and phishing pages
  – Hiding behind services for data mining
  – Breaking CAPTCHAs or other security checks

Top Threats for Cloud Computing v2
Goal
• Identify malicious use and abuse of cloud computing technologies

8 Deadly Sins of Cloud Security?
• Shared Technology Vulnerabilities
• Account/Service Hijacking
• Data Loss/Data Leakage
• Insecure APIs
• Malicious Insiders
• Interception or Hijacking of Traffic
• Nefarious Use of Service
• Distributed Denial of Service Attacks (DDoS)

Distributed Denial of Service
Description
• DDoS was the #1 threat not on our top list that respondents suggested
• A sub-set of abuse and nefarious use
Impact
• Attackers can use the cloud for their own purposes
Examples
• Taking down web sites, services, etc.

Distributed Denial of Service
Process
• Automated account generation using Twill
• Instances limited to 20 per user
• Each instance created new user accounts, which generated 20 more instances
• No CAPTCHA required
• A single credit card used for all instances
Outcome
• A cycle to generate 20 accounts took 3 minutes
• In 10 minutes, thousands of instances running
• Distributed clouds mean more power

Distributed Denial of Service
• Attacks could be launched from different zones, geos and services to help thwart takedowns
• The attacker could be shut down, but the damage would be done and the IP space is now blacklisted
• Another version is a financial DDoS against an IaaS service user who is paying per drink: much harder to stop and detect

Future Candidates to Think About
• All things cloudy: mobile / tablets
  – Application hacking
  – Location-based service hacking
  – Eavesdropping
• Social hacking
  – Location-based service hijacking
  – “meatspace” attacks
  – Hacking the social graph
  – Hacking social trust
  – Vendor misuse or abuse

Co-operation is the new control

Feedback from the masses

CSA TOP THREATS SURVEY

Survey Overview
• Solicited feedback from cloud providers and consumers
• Survey promoted through technical blogs, on the CSA website and at the RSA CSA Cloud Security Summit
• Received more than 300 responses to the survey
• Survey open from January to March 2010

Survey Highlights: Demographics
[Pie chart: Organization Breakdown* – segments 4.40%, 18.20%, 22.90%, 21.00%, 33.50%; legend: Small Business, Medium Enterprise, Large Enterprise, Government]
[Pie chart: Cloud Usage – segments 31.03%, 24.12%, 44.84%; legend: Cloud Vendor, Cloud Consumer, Other]
* Number of employees: Small Business < 100, Medium 100–10,000, Large > 10,000

Top Survey Statistics: Data Leakage
[Pie chart: Likelihood of Data Leakage Occurring – segments 6.15%, 12.31%, 15.49%, 31.49%, 34.56%; legend: Very Unlikely, Unlikely, Possible, Likely, Frequently]
82% of respondents believe that the likelihood of Data Leakage in the cloud is possible, likely, or frequent.

Top Survey Statistics: Malicious Insiders
[Pie chart: Likelihood of Malicious Insider – segments 5.50%, 6.11%, 25.15%, 19.04%, 44.20%; legend: Very Unlikely, Unlikely, Possible, Likely, Frequently]
76% of respondents believe that the likelihood of Malicious Insiders in the cloud is possible, likely, or frequent.
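The account-generation chain on the DDoS slides leaves two marks in a provider's own records: many new accounts share one payment instrument, and each new account hits its 20-instance limit within minutes of being created. The following is an added example of the two checks a provider-side abuse team could run over sign-up and launch events; it is not part of the CSA deck or any cloud provider's code. It assumes the provider records a payment-instrument fingerprint at sign-up and logs instance launches per account, and it uses the 20-instance limit quoted on the slide; every event below is constructed.

```python
"""Detect automated account generation used to stack instance quota.

Added example, not from the CSA deck or any cloud provider.  Assumes
sign-up events carry a payment-instrument fingerprint and launch events
carry an instance count; the per-account limit of 20 is from the slide.
All events are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

INSTANCE_LIMIT = 20

# Constructed: (timestamp, account, card_fingerprint, signup_ip)
SIGNUPS = [
    ("2010-03-01T10:00:00", "acct-1", "card-aaa", "203.0.113.5"),
    ("2010-03-01T10:03:00", "acct-2", "card-aaa", "203.0.113.5"),
    ("2010-03-01T10:06:00", "acct-3", "card-aaa", "203.0.113.6"),
    ("2010-03-01T10:09:00", "acct-4", "card-aaa", "203.0.113.6"),
    ("2010-03-01T10:12:00", "acct-5", "card-aaa", "203.0.113.7"),
    ("2010-03-01T10:15:00", "acct-6", "card-aaa", "203.0.113.7"),
    ("2010-03-01T11:40:00", "acct-7", "card-bbb", "198.51.100.9"),
]

# Constructed: (timestamp, account, instances_launched).  acct-0 is an
# established customer not in today's sign-ups, scaling up legitimately.
LAUNCHES = [
    ("2010-03-01T10:02:00", "acct-1", 20),
    ("2010-03-01T10:05:00", "acct-2", 20),
    ("2010-03-01T10:08:00", "acct-3", 20),
    ("2010-03-01T10:11:00", "acct-4", 20),
    ("2010-03-01T10:14:00", "acct-5", 20),
    ("2010-03-01T10:17:00", "acct-6", 20),
    ("2010-03-01T10:30:00", "acct-0", 20),
    ("2010-03-01T11:45:00", "acct-7", 2),
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def accounts_per_instrument(signups, window=timedelta(hours=1), max_accounts=2):
    """Payment instruments that opened more than max_accounts accounts in one window."""
    by_card = defaultdict(list)
    for ts, acct, card, _ip in signups:
        by_card[card].append((parse_ts(ts), acct))
    flagged = {}
    for card, rows in by_card.items():
        rows.sort()
        for i in range(len(rows)):
            burst = [a for t, a in rows[i:] if t - rows[i][0] <= window]
            if len(burst) > max_accounts:
                flagged[card] = burst
                break
    return flagged


def quota_burst_accounts(signups, launches, grace=timedelta(minutes=10), limit=INSTANCE_LIMIT):
    """Brand-new accounts that reach the instance limit within `grace` of creation."""
    created = {acct: parse_ts(ts) for ts, acct, _card, _ip in signups}
    running = defaultdict(int)
    flagged = set()
    for ts, acct, count in sorted(launches):
        running[acct] += count
        if (acct in created and running[acct] >= limit
                and parse_ts(ts) - created[acct] <= grace):
            flagged.add(acct)
    return sorted(flagged)


def linked_accounts(signups, flagged_cards):
    """Every account tied to a flagged instrument: the set one takedown should cover."""
    return sorted({acct for _ts, acct, card, _ip in signups if card in flagged_cards})


if __name__ == "__main__":
    cards = accounts_per_instrument(SIGNUPS)
    print("instruments:", cards)
    print("quota bursts:", quota_burst_accounts(SIGNUPS, LAUNCHES))
    print("takedown set:", linked_accounts(SIGNUPS, cards))
```

Either check alone has a weakness: an attacker can rotate cards, and a legitimate customer can create a burst of accounts for separate teams. Together they address the slide's two enabling conditions (no CAPTCHA, one card) from the provider's side, and the linked-account set lets a takedown remove the whole chain rather than the one account that tripped the alarm, which matters because each shut-down account has already spawned the next.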
Survey Results
Rank  Threat                                        Percentage
1     Data Loss/Leakage                             26.5%
2     Abuse and Nefarious Use of Cloud Computing    19.4%
3     Insecure APIs                                 14.2%
4     Malicious Insiders                            12.9%
5     Account/Service and Traffic Hijacking         12.3%
6     Unknown Risk Profile                           8.4%
7     Shared Technology Vulnerabilities              6.5%

Status
Revisions
• The top threats list will be updated twice per year
Process
• Recommended changes will be solicited from CSA participants
• Recommendations will be summarized and submitted to the judges for review
• Judges will vote on any recommended changes
• Participate! Improve the Top Threats!

Participation
http://cloudsecurityalliance.org/topthreats_form.html
Recommended Additions/Deletions
• Propose new ‘threat templates’
  – Description of threat
  – Pertinent examples
  – Impact
  – Remediation
• Comment on existing threats

Questions
Michael Sutton, VP, Security Research, Zscaler – msutton@zscaler.com
Dan Hubbard, CTO, Websense – dhubbard@websense.com
http://cloudsecurityalliance.org/topthreats