Four key Cloud Security take-aways from a Hacker’s POV
This year BruCon organized its “0x0B’th” (eleventh in hexadecimal) yearly spring trainings. Toreonite Wouter Coudenys decided to register for the ‘Hacking and Securing Cloud Infrastructure’ training, as a way to explore a specialization in line with webapp pentesting.
These were his four key take-aways from the training:
- The main takeaway from my “Cloud” training was the complexity of cloud security, which means that simple mistakes can have a huge impact. Cloud-specific knowledge is therefore valuable to pentesters as well as developers, because cloud environments expose new variants of the same old vulnerabilities.
- There is a common misconception that cloud is by default more secure. This is definitely not the case. Because of this misconception, companies introduce the same old vulnerabilities to the cloud. Because cloud is relatively new, misconfiguration mistakes are even more common than in traditional environments.
Example: When your web service is configured with a default password, it will still be accessible with that default password when it is up in the cloud!
- There are easily exploitable cloud-oriented attacks against badly managed cloud environments. For example, one remarkable website scans GitHub for known security keys. In a cloud environment, long authentication keys are mostly used instead of passwords. Administrators might forget that these keys are confidential, so they leave the keys to the kingdom on GitHub, with potentially horrendous consequences.
Example: The following website scans GitHub continuously for known confidential strings and high-entropy strings. Cloud keys are a big category on this website.
- Not all vulnerabilities are old kids with new clothes. There are some interesting new types of cloud-oriented attacks. One example is the so-called ‘financial attack’, in which a hacker abuses the cloud functions of a hacked organisation for their own gain by exploiting how easily cloud environments scale.
Example: In this sad Quora question we see an internet user ask whether his $50 000 Amazon bill can be reduced because his cloud function server was abused. This, however, is not possible. To mitigate this, usage monitoring should be enabled on the cloud services. Furthermore, it might also be very smart to put a hard limit on the amount you’re able to spend on the web services.
We can conclude that, on the one hand, the cloud gives us the same old vulnerabilities that we’ve been familiar with for decades. Combined with the misconception that cloud services are secure by default, the likelihood and impact of known vulnerabilities could be higher. On the other hand, the cloud gives us a few interesting new vulnerabilities, such as financial attacks and leaked cloud keys on the public internet.
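
A defender-side version of the scanning described in the third take-away, as an added example that is not from the training or the original post: run before a push, it flags AWS access key IDs by pattern and other long tokens by Shannon entropy. The function names and the 4.0 bits-per-character threshold are assumptions, and the sample input uses the placeholder keys from AWS's own documentation.

```python
import math
import re

# Long-term AWS access key IDs start with "AKIA" followed by 16 characters.
AWS_KEY_ID = re.compile(r"\b(AKIA[0-9A-Z]{16})\b")
# Candidate tokens: long runs of base64-style characters.
TOKEN = re.compile(r"[A-Za-z0-9+/=_-]{20,}")
ENTROPY_THRESHOLD = 4.0  # bits per character; assumed cut-off, tune per code base


def shannon_entropy(s):
    """Bits per character of s, computed from its character frequencies."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def redact(value):
    """Keep only the first four characters so the report does not leak the key again."""
    return value[:4] + "*" * (len(value) - 4)


def scan(text, filename="<input>"):
    """Return (filename, line number, rule, redacted value) for each finding."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        known = set(AWS_KEY_ID.findall(line))
        for value in sorted(known):
            findings.append((filename, lineno, "aws-access-key-id", redact(value)))
        for value in TOKEN.findall(line):
            # Skip tokens already reported by the pattern rule.
            if value not in known and shannon_entropy(value) >= ENTROPY_THRESHOLD:
                findings.append((filename, lineno, "high-entropy", redact(value)))
    return findings


# Constructed sample file; the two key values are AWS documentation placeholders.
SAMPLE = """\
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
region = eu-west-1
readme = this_is_just_a_long_variable_name_not_a_secret
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE, "credentials"):
        print(*finding, sep=":")
```

The long snake_case name on the last sample line stays below the threshold, which is why entropy is measured instead of length alone.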