Windows data volumes (meaning virtual machine hard drives) in public clouds such as Amazon Web Services can be copied and have their access credentials modified, allowing a hacker to glean insights into the data, a programmer has reported.
Programming author and consultant Jeff Cogswell identified the security vulnerability and showed how he executed a hack of his own data in a story titled "The Windows flaw that cracks Amazon Web Services" posted on Slashdot.com. His conclusion: Don't store sensitive information in the cloud, even if it is encrypted.
A caveat is that the would-be hacker needs access to the data volume in order to copy it and change the credentials, but Cogswell says employees at certain cloud providers have that capability. Although industry representatives played down the threat, Cogswell's findings could add to concerns potential users have about the security of public clouds.
The vulnerability exists because of a feature many public cloud providers offer that allows volumes to be copied. Copying volumes is helpful in test and development scenarios, for example, where programmers can tinker with an application without the changes affecting the production environment. Cogswell says the same feature is also a security vulnerability.
To demonstrate the hack, Cogswell made a copy of his volumes and used a modified version of a password reset tool named "chntpw" to change the credentials of the copied volume. Microsoft has issued patches to ensure chntpw does not allow credential resets, but Cogswell says he was able to modify the password reset tool to expose the vulnerability on new versions of Windows.
Once the Windows volume's password is reset, a hacker can manipulate the contents of the volume and replace the original with the modified copy. Software could be installed to run alongside the volume and track it, for example. The data could be perused by the hacker or changes could be made to the data.
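The copy-then-swap sequence described above (snapshot the volume, restore a new volume from the snapshot, detach the original, attach the copy) leaves a trail in the cloud provider's API audit log, which is where a defender would look for it. The following is an added example, not code from the article or from any cloud vendor: it assumes simplified records shaped like AWS CloudTrail EC2 events (the `CreateSnapshot`, `CreateVolume`, `DetachVolume` and `AttachVolume` API actions exist; the field layout here is trimmed) and the sample events, account id, user names and volume ids are constructed. It reconstructs copy lineage and alerts when an instance loses a volume and gains a descendant copy of that same volume, while leaving an ordinary restore into a test instance alone.

```python
"""Detect the copy-then-swap volume pattern in audit-log events.

Added example, not part of the article or any vendor's tooling. Records are
simplified CloudTrail-style EC2 events; all sample values are constructed.
"""
from collections import defaultdict

OPS = {"arn": "arn:aws:iam::111122223333:user/ops-alice"}   # constructed
DEV = {"arn": "arn:aws:iam::111122223333:user/dev-bob"}     # constructed

# Constructed events. First group: vol-orig01 is snapshotted, restored as
# vol-copy01, then the original is detached from i-win01 and the copy attached.
# Second group: a benign restore of a different volume into a test instance.
SAMPLE_EVENTS = [
    {"eventTime": "2013-01-15T02:10:00Z", "eventName": "CreateSnapshot", "userIdentity": OPS,
     "requestParameters": {"volumeId": "vol-orig01"},
     "responseElements": {"snapshotId": "snap-copy01"}},
    {"eventTime": "2013-01-15T03:00:00Z", "eventName": "CreateVolume", "userIdentity": OPS,
     "requestParameters": {"snapshotId": "snap-copy01"},
     "responseElements": {"volumeId": "vol-copy01"}},
    {"eventTime": "2013-01-15T03:20:00Z", "eventName": "DetachVolume", "userIdentity": OPS,
     "requestParameters": {"volumeId": "vol-orig01", "instanceId": "i-win01"},
     "responseElements": {}},
    {"eventTime": "2013-01-15T03:21:00Z", "eventName": "AttachVolume", "userIdentity": OPS,
     "requestParameters": {"volumeId": "vol-copy01", "instanceId": "i-win01", "device": "/dev/sda1"},
     "responseElements": {}},
    {"eventTime": "2013-01-15T04:00:00Z", "eventName": "CreateSnapshot", "userIdentity": DEV,
     "requestParameters": {"volumeId": "vol-orig02"},
     "responseElements": {"snapshotId": "snap-copy02"}},
    {"eventTime": "2013-01-15T04:05:00Z", "eventName": "CreateVolume", "userIdentity": DEV,
     "requestParameters": {"snapshotId": "snap-copy02"},
     "responseElements": {"volumeId": "vol-copy02"}},
    {"eventTime": "2013-01-15T04:06:00Z", "eventName": "AttachVolume", "userIdentity": DEV,
     "requestParameters": {"volumeId": "vol-copy02", "instanceId": "i-test01", "device": "/dev/sdf"},
     "responseElements": {}},
]


def build_lineage(events):
    """Map each restored volume id to the volume it was copied from."""
    snapshot_source = {}   # snapshotId -> volumeId the snapshot was taken from
    volume_parent = {}     # volumeId   -> volumeId it descends from
    for ev in events:
        req = ev.get("requestParameters") or {}
        resp = ev.get("responseElements") or {}
        if ev["eventName"] == "CreateSnapshot" and "snapshotId" in resp:
            snapshot_source[resp["snapshotId"]] = req["volumeId"]
        elif ev["eventName"] == "CreateVolume" and "snapshotId" in req and "volumeId" in resp:
            src = snapshot_source.get(req["snapshotId"])
            if src:
                volume_parent[resp["volumeId"]] = src
    return volume_parent


def root_of(volume_id, volume_parent):
    """Follow copy lineage back to the original volume (copies of copies included)."""
    seen = set()
    while volume_id in volume_parent and volume_id not in seen:
        seen.add(volume_id)
        volume_id = volume_parent[volume_id]
    return volume_id


def find_volume_swaps(events):
    """Return one alert per instance that lost a volume and gained a copy of it."""
    events = sorted(events, key=lambda e: e["eventTime"])
    lineage = build_lineage(events)
    detached = defaultdict(list)   # instanceId -> [(time, volumeId)]
    alerts = []
    for ev in events:
        req = ev.get("requestParameters") or {}
        actor = (ev.get("userIdentity") or {}).get("arn", "unknown")
        if ev["eventName"] == "DetachVolume":
            detached[req["instanceId"]].append((ev["eventTime"], req["volumeId"]))
        elif ev["eventName"] == "AttachVolume":
            new_vol = req["volumeId"]
            origin = root_of(new_vol, lineage)
            for when, old_vol in detached.get(req["instanceId"], []):
                # Alert only when the attached volume is a copy of the one removed.
                if origin == old_vol and new_vol != old_vol:
                    alerts.append({"instanceId": req["instanceId"], "original": old_vol,
                                   "replacement": new_vol, "detached_at": when,
                                   "attached_at": ev["eventTime"], "actor": actor})
    return alerts


if __name__ == "__main__":
    for a in find_volume_swaps(SAMPLE_EVENTS):
        print(f"ALERT: {a['instanceId']} had {a['original']} replaced by copy "
              f"{a['replacement']} by {a['actor']} at {a['attached_at']}")
```

The lineage step matters: a bare `CreateSnapshot` is routine (backups, test environments), so alerting on it alone produces noise. The combination of detaching a volume and attaching its own descendant to the same instance is the specific shape of the swap described above, and the detection stays useful even when the attacker restores a copy of a copy. In a real deployment the events would come from the provider's audit trail rather than an inline list, and the alert would also be checked against change tickets.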
Cloud industry advocates shot down the findings. John Howie, president of the Cloud Security Alliance, which advocates for strong security standards among cloud providers, called it a "non-issue." To exploit the vulnerability, the hacker must have access to that data volume in order to be able to copy and manipulate it. "The likelihood that someone at a cloud provider would perform this attack, even assuming they had access to the file store and there was no monitoring in place, is so small as to be negligible."
Cogswell points out that employees of public cloud providers have access to these volumes, especially at smaller cloud service providers. If user credentials are compromised, the data volume could also be exposed. Cogswell notes that he was not able to perform the hack on other users' data, only his own.