Reykjavík University & Chief Science Officer of Syndis – Prior: IBM Research, Yahoo Research, ... – Where: Reykjavík • Rich Smith – Now: Principal Researcher and CEO of Syndis – Prior: VP at Morgan Stanley, HP Labs, ... – Where: NYC & Reykjavík
professionals who use attack simulations against our clients to help them understand real-world threats
• We focus on bespoke attack technology for clients who need deep security insight
operating environments that share common resources and meter usage (as well as quality)
• Pros: lower capital and operating expenditures; simple to use
• Attributes: reliability, elasticity, virtual environment, distributed hosting
• Types: IaaS, PaaS, SaaS
– it is not flat
◦ What if Capsule uses Heroku, which in turn uses Amazon EC2? It may not even be possible to know where data is geographically stored
◦ Can't dictate data location for cloud providers
◦ Historic knowledge of where it is does not predict where it will be in the future
from migrating to the cloud?
◦ „More than 33% of company budgets spent on cloud services“ (Forbes [1])
◦ „79% of cloud providers allocate less than 10% to security“ (Ponemon Institute [2])
◦ 100% of attackers approve!
[1] http://blogs.wsj.com/tech-europe/2011/04/29/cloud-providers-not-concerned-by-security
[2] http://www.ca.com/us/~/media/Files/IndustryAnalystReports/2012-security-of-cloud-computer-users-final1.pdf
Roles in a sponsored attack (slide diagram):
– Wrote a proof-of-concept exploit
– Wrote a DEP-resistant exploit
– Weaponized the exploit
– Created post-exploitation framework
– Sponsored the attacks
– Administered deployment
You are using the cloud for a reason
– Lowering barriers to entry: a startup can have a full IT setup without upfront costs
– Delegating responsibility to save on costs and complexity
– Technology is complicated and a distraction. Let someone else worry about that
– All of these advantages also have trade-offs
Attackers take advantage of these features
– Focus on those trade-offs and compromises
– Identify the features of the cloud you rely on that also give attackers an advantage
• What are the opportunities for attackers?
– We'll give real-world examples
– Flaws, not bugs
– IaaS: Amazon S3 does not provide connection logs
– PaaS: logs in Google Apps (e.g. Gmail) have no 'SLA' and could arrive 0-48 hours later
• Thus you will likely not see successful or failed log-in attempts at all, or not in a timely manner
• You are at the mercy of your provider
control
– Clouds & open APIs go hand in hand
– API tokens / certs are the keys to the kingdom
– Opaque with respect to logging
• Example: Amazon S3 credentials
– Full remote access via API keys / certificates
– We've found AWS admin keys on publicly accessible websites, giving access to everything
authentication?
• User interface vs. programmatic interface
– Different security models & requirements
• Example: Gmail servers
– May enforce 2-factor authentication for users
– But the API allows you to sidestep it
group chat and team collaboration
– All files or images are stored in Amazon S3
– Protection is based on not knowing the URL
– Google search for “site:s3.amazonaws.com inurl:/uploads.hipchat.com”
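A URL that is protected only by being hard to guess stays valid forever and is indexed as soon as it appears anywhere. The usual fix is a link that carries an expiry and an HMAC over path and expiry, so it can be handed out freely and closes itself. The block below is an added example, not HipChat's or Amazon's code; it uses a generic scheme with an assumed signing key, and S3 pre-signed URLs work the same way in principle.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed server-side signing key (constructed for this example). For S3
# pre-signed URLs this role is played by the AWS secret access key.
SIGNING_KEY = b"constructed-example-signing-key"


def _string_to_sign(path: str, expires: int) -> bytes:
    # Bind the signature to the object path and the expiry together, so that
    # changing either one invalidates it.
    return f"GET\n{expires}\n{path}".encode()


def sign_url(base: str, path: str, ttl_seconds: int, now: int = None,
             key: bytes = SIGNING_KEY) -> str:
    """Return base+path with Expires and Signature query parameters."""
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    sig = hmac.new(key, _string_to_sign(path, expires), hashlib.sha256).hexdigest()
    return f"{base}{path}?{urlencode({'Expires': expires, 'Signature': sig})}"


def verify_url(url: str, now: int = None, key: bytes = SIGNING_KEY) -> bool:
    """Server-side check: signature present, not expired, and matches path+expiry."""
    now = int(time.time()) if now is None else now
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    try:
        expires = int(query["Expires"][0])
        provided = query["Signature"][0]
    except (KeyError, ValueError):
        # A bare "secret" URL with no signature is rejected outright.
        return False
    if now > expires:
        return False
    expected = hmac.new(key, _string_to_sign(parts.path, expires), hashlib.sha256).hexdigest()
    # Constant-time comparison: a plain == leaks timing on the first mismatching byte.
    return hmac.compare_digest(expected, provided)


if __name__ == "__main__":
    link = sign_url("https://files.example.com", "/uploads/42/report.pdf", ttl_seconds=300)
    print(link)
    print("valid now:", verify_url(link))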
– The social network of software developers
– Companies and individuals push their code into these services
– We've found lots of sensitive data pushed unwittingly
• Credentials (SSH keys, database credentials)
• Internal documentation
• Internal infrastructure information
– What applications are being used?
– Internal network set-up and structure
– Attackers care about ROI – we hired a summer intern!
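The two examples above (AWS keys on public web pages, and credentials pushed to code-hosting services) are found with nothing more than pattern matching over whatever is publicly readable. The scanner below is an added example, not Syndis's tooling; the credential formats it matches and the entropy threshold are assumptions, and the sample input is constructed (the AWS values are the documented "EXAMPLE" placeholders, not live keys).

```python
import math
import re
from typing import Dict, List

# Assumed credential formats for the kinds mentioned in the talk:
#   - AWS access key IDs: "AKIA" followed by 16 uppercase alphanumerics
#   - AWS secret keys: 40 base64-alphabet characters, usually near the word "secret"
#   - PEM private keys (SSH, TLS): unmistakable header line
#   - database URLs of the form scheme://user:password@host embed the password
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"secret[^\n'\"]{0,40}['\"]([A-Za-z0-9/+=]{40})['\"]", re.IGNORECASE
    ),
    "private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "db_password_in_url": re.compile(
        r"\b(?:postgres(?:ql)?|mysql|mongodb|redis)://[^:/\s@]+:([^@\s]+)@"
    ),
}

# Bits per character below which a 40-char "secret" is treated as a placeholder
# (e.g. "xxxx..."), not a real key. Threshold is an assumption.
SECRET_ENTROPY_MIN = 3.0

# Constructed sample standing in for a config file found in a public repo.
SAMPLE = """\
# constructed sample, mimicking a config file committed to a public repo
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
DATABASE_URL = "postgres://app:s3cr3t-pw@db.internal.example.com:5432/prod"
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEA...
-----END RSA PRIVATE KEY-----
PLACEHOLDER_SECRET = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
LOG_LEVEL = "INFO"
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for empty or single-symbol strings)."""
    if not s:
        return 0.0
    n = len(s)
    counts: Dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Keep enough of a hit to recognise it, not enough to use it."""
    return value[:4] + "..." + value[-2:] if len(value) > 8 else "..."


def scan(text: str) -> List[Dict[str, object]]:
    """Return one finding per credential-like hit, with its 1-based line number."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                # Only the free-form secret pattern needs the entropy filter;
                # the other kinds are identified by structure alone.
                if kind == "aws_secret_access_key" and shannon_entropy(value) < SECRET_ENTROPY_MIN:
                    continue
                hint = value if kind == "private_key" else redact(value)
                findings.append({"kind": kind, "line": lineno, "hint": hint})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"line {f['line']}: {f['kind']} ({f['hint']})")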
you're not using the cloud, you may still be
• Example: Mac OS X: unsaved docs & iCloud
– Enter Apple ID at install time, iCloud auto-enabled
– Your documents are stored locally...
– ...but unsaved files in apps supporting the iCloud API are automatically pushed into iCloud
– This is unexpected to most!
http://support.apple.com/kb/TS4372
is ongoing & not just OS X
• Has significant impact on long-established security models and boundaries
• Not just network de-perimeterisation but the breaking of the OS perimeter
http://support.apple.com/kb/TS4372
harder for people to see
• Cloud users don't understand the changes to their security boundaries in the new model
• API keys are everywhere and are the keys to many kingdoms
• Regulations fail to keep up, and regulation != security