German researchers uncovered multiple security problems within Amazon’s cloud-computing services caused by customers ignoring or forgetting security tips.
Researchers looked at some 1,100 Amazon Machine Images and found the majority of them contained security keys used to authenticate with other services and servers.
“They [customers] just forgot to remove their API keys from machines before publishing,” Thomas Schneider, a post-doctoral researcher in the System Security Lab of Technische Universitat Darmstadt, wrote in a paper.
Researchers found that the private keys used to authenticate with Amazon services such as Elastic Compute Cloud (EC2) or Simple Storage Service (S3) were published in those AMIs. About a third of the studied AMIs also contained Secure Shell (SSH) host keys or user keys. SSH is a common tool used to log into and manage a virtual machine and the keys authenticate the user onto the server.
Unless the host key is removed and replaced from the AMI, every virtual machine created from that image will use the same key, creating the possibility of a malicious user impersonating the server and launching phishing attacks. SSH user keys are also used for root-privileged log-ins. With the user keys, the interloper can log in using super-user privileges unless the owner discovers and closes the “backdoor”, researchers said.
With the authentication keys for EC2 and S3, any third-party miscreant can connect and create “virtual infrastructure worth several thousands of dollars per day at the expense” of the original customer, the researchers found.
The AMIs also contained valid SSL (Secure Sockets Layer) certificates and their private keys, which would allow attackers to impersonate the servers. The researchers also uncovered source code for unpublished software products, passwords and personal identifiable information such as pictures and notes.
Amazon Web Services is very easy to use, and customers can easily purchase and roll out servers and storage services. It is also so easy to use that users are creating virtual machines without following Amazon’s recommendations on security and implementation, according to Schneider.
“These guidelines are very detailed,” Schneider said.
Security experts have paid close attention to underlying cloud infrastructures and providers, but have underestimated or ignored the “threats caused by the cloud customers when constructing services”, the researchers said. Flawed configurations meant anyone could harvest critical data such as passwords and cryptographic keys and certificates from virtual machines. Attackers would be able to “operate criminal virtual infrastructures, manipulate Web services and circumvent security mechanisms”, the researchers wrote.
Customers can endanger themselves and other users with the “careless and error-prone manner” in which AMIs are handled and deployed, the researchers said.
Once the researchers uncovered the problem, they contacted Amazon Web Services with their findings at the end of April. Amazon notified those account holders of the security issues, Schneider said.
The study was done by the Centre for Advanced Security Research Darmstadt and the Fraunhofer Institute for Security in Information Technology in Darmstadt, Germany.
Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…
Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…
Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…
Welcome to Silicon In Focus Podcast: Tech in 2025! Join Steven Webb, UK Chief Technology…
European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…
San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…