Many Amazon cloud users reveal confidential data

[security curmudgeon <jericho () attrition org>]

http://www.h-online.com/security/news/item/Many-Amazon-cloud-users-reveal-confidential-data-1263704.html

20 June 2011, 14:02
Many Amazon cloud users reveal confidential data

Sharing Amazon Machine Images (AMIs) to run on Amazon's Web Services (AWS) 
can open the door to attackers when users do not follow appropriate safety 
advice. The AMIs may contain private cryptographic keys, certificates and 
passwords, as researchers at the Darmstadt Research Center's CASED (Center 
for Advanced Security Research Darmstadt) found.

In a reportGerman language, they say that they examined 1100 public AMIs 
for cloud services and found that 30 per cent were vulnerable to 
manipulation that could allow attackers to partially or completely take 
over virtual web service infrastructure or other resources.

The published AMIs are provided as a service from the community of 
developers for other developers. Instead of creating a virtual environment 
from scratch . with a Linux system, Apache, a database and other services 
- to deploy an application, it is possible to find a preconfigured shared 
AMI over the web front end of AMS. But, if the publisher has left 
confidential information in the system or, for example, if the Bash shell 
history had not been deleted prior to publication, that data can be 
extracted and used.

[..]
_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list

Learn encryption strategies that manage risk and shore up compliance.
Download Article 1 of CREDANT Technologies' The Essentials Series:
Endpoint Data Encryption That Actually Works
http://credant.com/campaigns/realtime2/gap-LP1/