Researchers also observed a vulnerability involving leftover credentials; that is, a user's password or part of his or her SSH keys, necessary for accessing a remote Linux server, might end up left on an AMI. A malicious hacker might leave his or her public key intact on an AMI so that he or she can log in to any running instance of the image down the road. Additionally, a provider might leave SSH keys or passwords in an AMI, which in turn could be exploited by a malicious third party. (Notably, researchers found that 54 out of 56 SSH keys were not password-protected, contrary to best security practices.) AMIs also might contain exploitable information like browser history, which can reveal personal information about a user, or shell history, through which a hacker can extract, for example, credential information like a DNS management password.
In theory, an image provider could simply delete the aforementioned sensitive information before making an AMI public again. Unfortunately, according to the report, that basic practice is insufficient: "In many file systems, when a user deletes a file, the space occupied by the file is marked as free, but the content of the file physically remains on the media (e.g. the hard disk)."
As such, a malicious hacker could use tools such asextundeleteandWinundeleteto recover previously deleted data. In their tests, researchers were able to recover files for 98 percent of AMIs, retrieving PDFs, Office documents, password files, and private keys. The keys included Amazon AWS keys, which are not password-protected and which malicious hackers could use to instantiate Amazon resources at a victim's expense.
Amazon's Web Services Security team has acted on their researchers' findings, according to the report. For example, the team has released a tutorial to help customers securely share public images. Amazon is also working on a solution for preventing the recovery of deleted private documents, according to the report.
Among the researchers' takeaways, they stressed the important of users being properly trained in using public cloud server images. "Although public cloud server images are highly useful for organizations, if users are not properly trained, the risk associated with using these images can be quite high. The fact that these machines come pre-installed and pre-configured may communicate the wrong message, i.e., that they can provide an easy-to-use 'shortcut' for users that do not have the skills to configure and setup a complex server," the report says. "The reality is quite different. Many different security considerations must be taken into account to make sure that a virtual image can be operated securely."
The full paper is available for free via Scribd.
This story, "Sloppy use of Amazon cloud can expose users to hacking," was originally published at InfoWorld.com. Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog. For the latest developments in business technology news, follow InfoWorld.com on Twitter.