Sloppy use of Amazon cloud can expose users to hacking

New research shows how the insecure use of preconfigured virtual machine images in the public cloud can expose users to attack

Using Amazon's EC2 (Elastic Compute Cloud) can pose a security threat to organizations and individuals alike, though Amazon's not to blame, according to researchers from Eurecom, Northeastern University, and SecludIT. Rather, third parties evidently are not following best security practices when using preconfigured virtual machine images available in Amazon's public catalog, leaving users and providers open to such risks as unauthorized access, malware infections, and data loss.

The researchers say similar security vulnerabilities may be present in other public clouds from such providers as Rackspace, IBM, Joyent, and Terremark. The underlying message is that for all the power and opportunity of public clouds, providers and users alike need to approach with caution and embrace best security practices. Cloud infrastructure providers can't be expected to assess the security of every image, bit, and transaction that occurs on their machines any more than an apartment landlord can be responsible for everything that happens within his or her complex -- that is, what tenants do behind closed doors in the spaces they rent.

The security vulnerabilities in EC2 stem from the misuse and mismanagement of the AMIs (Amazon Machine Images), according to a research report titled "A Security Analysis of Amazon's Elastic Compute Cloud Service." AMIs are virtual images of preconfigured operating systems and applications, provided by third-party developers as well as Amazon itself, for quickly and easily deploying services via EC2. Over a five-month period, the researchers analyzed more than 5,000 AMIs -- both Linux and Windows -- which they grabbed from data centers in Europe, Asia, and the United States.

The researchers found a host of security problems with the AMIs they analyzed. First, 98 percent of the Windows AMIs and 58 percent of the Linux AMIs contained software with critical vulnerabilities. "This observation was not typically restricted to a single application but often involved multiple services: An average of 46 for Windows and 11 for Linux images," according to the report. "On a broader scale, we observed that a large number of images come with software that is more than two years old."

These vulnerabilities leave users exposed to malware. The researchers also observed images that make unsolicited outbound connections, which a malicious image publisher could use to learn how and where an AMI is being used and to collect the IP addresses of running instances as targets for later attacks, for example through a backdoor built into the image.

Researchers also observed a class of problems involving leftover credentials: a user's password or SSH key material, needed to access a remote Linux server, can end up left behind on a published AMI. A malicious publisher might deliberately leave his or her own public key in an authorized_keys file on the AMI so that he or she can log in to any instance launched from that image later. Just as carelessly, a legitimate publisher might leave private SSH keys or passwords in an AMI, which a malicious third party could then use. (Notably, 54 of the 56 private SSH keys the researchers recovered were not passphrase-protected, contrary to best practice.) AMIs also might contain other exploitable information, such as browser history, which can reveal personal information about a user, or shell history, from which an attacker can extract credentials typed on the command line, such as a DNS management password.
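The check a publisher should run before bundling is a walk over the image's root volume for exactly the artefacts above: authorized_keys entries, private keys (and whether they carry a passphrase), shell and browser histories, password hashes in /etc/shadow, and AWS access key IDs. The script below is an added example, not code from the paper or from Amazon; the directory layout it scans and the sample tree it builds are constructed assumptions. The passphrase test reads the real PEM and OpenSSH key formats: PKCS#1 keys mark encryption with a "Proc-Type: 4,ENCRYPTED" header, PKCS#8 with the "ENCRYPTED PRIVATE KEY" label, and the OpenSSH format stores a cipher name ("none" when unprotected) right after its magic.

```python
import base64
import os
import re
import struct
import tempfile

# Artefacts the "leftover credentials" finding points at (assumed file names).
AWS_ACCESS_KEY_RE = re.compile(rb"(?<![A-Z0-9])AKIA[0-9A-Z]{16}(?![A-Z0-9])")
HISTORY_NAMES = {".bash_history", ".zsh_history", ".sh_history", ".mysql_history", ".psql_history"}
BROWSER_HISTORY_NAMES = {"places.sqlite", "History"}  # Firefox and Chromium history databases
OPENSSH_MAGIC = b"openssh-key-v1\x00"


def private_key_is_encrypted(data):
    """Return (is_private_key, protected_by_passphrase) for a file's bytes."""
    if b"-----BEGIN OPENSSH PRIVATE KEY-----" in data:
        body = data.split(b"-----BEGIN OPENSSH PRIVATE KEY-----", 1)[1].split(b"-----END", 1)[0]
        try:
            raw = base64.b64decode(b"".join(body.split()))
        except ValueError:
            return True, False
        if not raw.startswith(OPENSSH_MAGIC) or len(raw) < len(OPENSSH_MAGIC) + 4:
            return True, False
        off = len(OPENSSH_MAGIC)
        (n,) = struct.unpack(">I", raw[off:off + 4])   # length-prefixed cipher name
        return True, raw[off + 4:off + 4 + n] != b"none"
    if b"PRIVATE KEY-----" in data:
        return True, (b"ENCRYPTED PRIVATE KEY" in data or b"Proc-Type: 4,ENCRYPTED" in data)
    return False, False


def unlocked_shadow_accounts(shadow_text):
    """Accounts in /etc/shadow whose password field is a hash rather than a '*' or '!' lock."""
    users = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[1] and not fields[1].startswith(("*", "!")):
            users.append(fields[0])
    return users


def scan_image_root(root):
    """Walk an unpacked image root (e.g. a mounted volume) and list leftover secrets."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            try:
                with open(path, "rb") as fh:
                    data = fh.read(1 << 20)  # first MiB is plenty for key files and histories
            except OSError:
                continue
            if os.path.basename(dirpath) == ".ssh" and name == "authorized_keys":
                n_keys = sum(1 for l in data.splitlines() if l.strip() and not l.startswith(b"#"))
                if n_keys:
                    findings.append((rel, f"authorized_keys with {n_keys} key(s): holder of the private half can log in"))
            is_key, encrypted = private_key_is_encrypted(data)
            if is_key:
                findings.append((rel, "passphrase-protected private key" if encrypted else "UNENCRYPTED private key"))
            if name in HISTORY_NAMES:
                findings.append((rel, "shell history (may hold passwords typed on the command line)"))
            if name in BROWSER_HISTORY_NAMES:
                findings.append((rel, "browser history database"))
            if rel == "etc/shadow":
                users = unlocked_shadow_accounts(data.decode(errors="replace"))
                if users:
                    findings.append((rel, "password hash present for: " + ", ".join(users)))
            if AWS_ACCESS_KEY_RE.search(data):
                findings.append((rel, "AWS access key ID"))
    return findings


def build_sample_image(root):
    """Constructed sample tree imitating a carelessly published image; no real keys or hashes."""
    def put(rel, content):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
    enc_openssh = OPENSSH_MAGIC + struct.pack(">I", 10) + b"aes256-ctr" + struct.pack(">I", 6) + b"bcrypt"
    put("root/.ssh/authorized_keys", b"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABconstructed publisher@example\n")
    put("home/ubuntu/.ssh/id_rsa", b"-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBconstructedbody\n-----END RSA PRIVATE KEY-----\n")
    put("home/ubuntu/.ssh/id_ed25519", b"-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.b64encode(enc_openssh) + b"\n-----END OPENSSH PRIVATE KEY-----\n")
    put("home/ubuntu/.bash_history", b"mysql -u root -pS3cret\n")
    put("home/ubuntu/.aws/credentials", b"[default]\naws_access_key_id = AKIAIOSFODNN7EXAMPLE\n")
    put("etc/shadow", b"root:$6$saltsalt$constructedhash:15000:0:99999:7:::\ndaemon:*:15000:0:99999:7:::\nubuntu:!:15000:0:99999:7:::\n")


def demo():
    """Build the sample tree in a temporary directory and return the sorted findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_image(root)
        return sorted(scan_image_root(root))


if __name__ == "__main__":
    for rel, what in demo():
        print(f"{rel}: {what}")
```

Point scan_image_root at the mount point of the volume you are about to register as an AMI; anything it reports should be removed (and, as the next section explains, the free space wiped) before publishing.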

In theory, an image publisher could simply delete such sensitive files before making an AMI public. Unfortunately, according to the report, deletion alone is insufficient: "In many file systems, when a user deletes a file, the space occupied by the file is marked as free, but the content of the file physically remains on the media (e.g. the hard disk)."

As such, a malicious hacker could use file-recovery tools such as extundelete and WinUndelete to recover previously deleted data. In their tests, the researchers were able to recover deleted files from 98 percent of the AMIs, retrieving PDFs, Office documents, password files, and private keys. The keys included Amazon AWS access keys, which are not password-protected and which malicious hackers could use to launch Amazon resources at the victim's expense.
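The recovery the researchers describe does not even need a file-system-aware tool: the key material sits verbatim in unallocated blocks, so a pattern carver run over a raw dump of the volume finds it. The example below is added here and is not from the paper; the ToyVolume class is a constructed stand-in for a real file system that, like the ones the report describes, frees a deleted file's blocks without touching their contents, and carve_secrets is the part you would run unchanged over an actual dd image.

```python
import re

# PEM private-key blocks of any type, and AWS access key IDs, wherever they sit in the image.
PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+PRIVATE KEY)-----.*?-----END \1-----", re.S)
AWS_KEY_RE = re.compile(rb"(?<![A-Z0-9])AKIA[0-9A-Z]{16}(?![A-Z0-9])")


def carve_secrets(image):
    """Return (offset, kind, bytes) for every key-like artefact, allocated or not."""
    hits = [(m.start(), m.group(1).decode(), m.group(0)) for m in PEM_RE.finditer(image)]
    hits += [(m.start(), "AWS access key ID", m.group(0)) for m in AWS_KEY_RE.finditer(image)]
    return sorted(hits)


class ToyVolume:
    """Block allocator that imitates the behaviour the report describes: unlink() returns the
    blocks to the free list but leaves their bytes in place (constructed model, not a real FS)."""
    BLOCK = 512

    def __init__(self, n_blocks):
        self.buf = bytearray(n_blocks * self.BLOCK)
        self.free = list(range(n_blocks))
        self.files = {}

    def write(self, name, data):
        n = -(-len(data) // self.BLOCK)          # blocks needed, rounded up
        blocks, self.free = self.free[:n], self.free[n:]
        for i, b in enumerate(blocks):
            chunk = data[i * self.BLOCK:(i + 1) * self.BLOCK]
            self.buf[b * self.BLOCK:b * self.BLOCK + len(chunk)] = chunk
        self.files[name] = blocks

    def unlink(self, name):
        self.free += self.files.pop(name)        # metadata only; the data stays on "disk"

    def wipe_free_space(self):
        """What zero-filling the free space before bundling achieves."""
        for b in self.free:
            self.buf[b * self.BLOCK:(b + 1) * self.BLOCK] = bytes(self.BLOCK)

    def image(self):
        return bytes(self.buf)                   # what an attacker gets from dd


# Constructed sample key body; not a real key.
SAMPLE_KEY = (b"-----BEGIN RSA PRIVATE KEY-----\n"
              b"MIIEowIBAAKCAQEAconstructedsamplebodynotarealkey\n"
              b"-----END RSA PRIVATE KEY-----\n")


def demo():
    """Delete two secret files, carve the raw image, wipe free space, carve again."""
    vol = ToyVolume(64)
    vol.write("README", b"public content that stays in the image\n")
    vol.write("/root/.ssh/id_rsa", SAMPLE_KEY)
    vol.write("/root/.aws/credentials", b"aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n")
    vol.unlink("/root/.ssh/id_rsa")
    vol.unlink("/root/.aws/credentials")
    after_delete = carve_secrets(vol.image())    # both secrets still recoverable
    vol.wipe_free_space()
    after_wipe = carve_secrets(vol.image())      # nothing left to carve
    return after_delete, after_wipe


if __name__ == "__main__":
    deleted, wiped = demo()
    print("after rm:", [(off, kind) for off, kind, _ in deleted])
    print("after wipe:", wiped)
```

On a real volume, run carve_secrets over a dump taken with dd from the unmounted (or read-only mounted) device. The mitigation mirrors wipe_free_space: shred -u the individual secret files, then fill the free space with zeros before bundling, for instance dd if=/dev/zero of=/zero.fill bs=1M followed by rm /zero.fill, so that unallocated blocks carry nothing to recover. Journaling and copy-on-write file systems, snapshots, and SSD wear levelling can keep additional copies that this simple block model does not show.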

Amazon's Web Services Security team has acted on the researchers' findings, according to the report. For example, the team has released a tutorial to help customers securely share public images. Amazon is also working on a way to prevent the recovery of deleted private documents, according to the report.

Among their takeaways, the researchers stressed the importance of users being properly trained in using public cloud server images. "Although public cloud server images are highly useful for organizations, if users are not properly trained, the risk associated with using these images can be quite high. The fact that these machines come pre-installed and pre-configured may communicate the wrong message, i.e., that they can provide an easy-to-use 'shortcut' for users that do not have the skills to configure and setup a complex server," the report says. "The reality is quite different. Many different security considerations must be taken into account to make sure that a virtual image can be operated securely."

The full paper is available for free via Scribd.

This story, "Sloppy use of Amazon cloud can expose users to hacking," was originally published at InfoWorld (InfoWorld Tech Watch blog).