BreachExchange mailing list archives

How Long Can Cloud Servers Hold Off Hackers? Not as Long as You Think


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 19 Dec 2013 22:02:57 -0700

http://www.businessweek.com/articles/2013-12-19/how-long-can-cloud-servers-hold-off-hackers-not-as-long-as-you-think

How long would it take to hack into an average Web-based server—the kind a
company might rent from the likes of Amazon Web Services? To find out, the
security company CloudPassage set up six servers, two running Microsoft
operating systems and four running Linux-based operating systems, loaded
them with various combinations of widely used programs, and invited hackers
to take their best shot. Top prize: $5,000.

It took just four hours for the winning hacker to capture the flag and the
bounty. Worse still, he was a novice. Gus Gray, 28, has worked for a
technology company for a little over a year and is taking classes toward a
bachelor’s degree in computer science at California Polytechnic State
University in San Luis Obispo. “I just thought I’d spend two or three hours
poking around and see what I could learn, and it would make for an
interesting evening,” he says.

That’s one way to put it. As companies shift from old-fashioned and
expensive servers managed within four walls to cloud data centers online,
the market for cloud-based infrastructure has grown to $9.2 billion,
according to an estimate by the technology research firm Gartner (IT). What
that money buys may not be the security people think.

CloudPassage configured the systems without any security beyond the default
setting required to get them to run, mimicking the setups they often see
among clients. “People use cloud because it is fast, it is cheap, and it
takes little to no time to get up and running,” says Andrew Hay, the
company’s director of applied security research. “That’s what’s motivating
a lot of people. They’re not thinking of these security ramifications.”

After researching the operating systems and applications on the servers,
Gray decided to poke around on a utility application that allowed remote
access from the Internet—a convenience for system administrators that can
be easy to attack, Gray says. The application used a default password that
wasn’t unique to either the program or the operating system, which Gray was
able to guess (there are lists of default passwords for hundreds of
programs publicly available online). Once he logged on, the application
basically gave him administrative access to the entire server. He could
grab whatever he wanted.

“I was expecting this grandiose and very elaborate attack,” says Hay.
“That’s what surprised me, that this person who essentially was
impersonating an administrator was able to gain total access to the server.”

A malicious hacker could easily write a computer program to scan for the
vulnerability that Gray found, use it to scan automatically for the same
problem on any server in the cloud, and break in, according to CloudPassage
CEO Carson Sweet. CloudPassage has been working with the vendor of the
application to fix the vulnerability.

Selling security services for the cloud is, of course, CloudPassage’s
business. It’s in its interest to foment anxiety, and the dramatic
conclusion of the contest does that. Even so, the report offers some
common-sense suggestions: Companies can limit access they give to
administrative accounts and ensure that they’re doing the basics, such as
changing default passwords into ones that are more difficult to crack, and
patching applications to fix known vulnerabilities.

Gray, for his part, did one thing immediately: “As soon as I had finished
and saw the results, I basically came back to my own company and
immediately implemented a couple of changes to prevent something similar
happening at my company.”
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
