Could an unskilled hacker guess their way into your Infrastructure-as-a-Service cloud?
That is what Symantec seems to have demonstrated in its recent research on vulnerabilities surrounding this type of solution.
It found that files including email addresses, passwords and credit card transactions could be easily accessible due to simple misconfigurations in folder structures.
Of 16,000 cloud domains, Symantec determined that 0.3 per cent had folder structures that could be guessed by a hacker. While the security vendor acknowledged that this number seemed insignificant, it still equated 11,000 files that were unintentionally accessible to the public.
“As part of our research, we demonstrated an attack scenario, showing how an amateur attacker could access thousands of files stored in the cloud without needing any user names and passwords,” Candid Wueest, a Symantec threat researcher, wrote in a blog post regarding the findings.
Common mistakes that administrators make in configuration include leaving folder access open, storing plain-text cloud access credentials in open source code and not enabling logging in their cloud services. The latter makes investigating an incident difficult, according to the report.
In one example involving Microsoft Azure, Wueest describes how once a hacker knew the URL structure of a data storage bucket, he or she could find those of other users by guessing the URL, granted they had the domain prefix and name of the target’s bucket. Even without a central listing, a simple dictionary attack script sufficed.
To avoid falling victim, Symantec suggested four procedures:
- Ensure that you understand the settings of your cloud resources and configure them accordingly
- Enable event logging to keep track of who is accessing data in the cloud
- Read the cloud providers’ service-level agreements to learn how data in the cloud is secured
- Include cloud IP addresses in vulnerability management processes and perform audits on any services that are provided through the cloud.
Wow, this is pretty sad, the fact that a hacker could access anything at all without credentials is absurd and shows a major weakness of cloud computing. What ever happened to permissions being assigned to traverse folders and access files? I’m glad that I have been advising the majority of my clients to avoid this sort of thing and stick primarily with traditional on-premise server-based computing!