Browse: Home / Amazon Web Services Makes It Easy for the Hackers, Oops, Users

Amazon Web Services Makes It Easy for the Hackers, Oops, Users

By Krishnan Subramanian on January 8, 2009

Image representing Amazon as depicted in Crunc...

Image via
CrunchBase

Amazon Web Services today announced the release of Web based AWS Management
Console. This helps users manage their EC2 instances easily. Amazon is also
planning to release load balancing, auto scaling, S3 support, etc., through this
console. Users don’t have to figure out their public/secret keys and
certificates to launch an instance. They can just log into the console and
launch an instance with a few mouse clicks. Through the console, it is just a
few clicks to launch instances, manage AMIs, create security groups and key
pairs, manage elastic IP and elastic block store. In short, your
AWS EC2 management is reduced to just a few mouse clicks.

Even though Amazon touts it as a way to use EC2 without being tied into a
single computer, the console also gives an option to get rid of this advantage.
The instance launch wizard offers an option to restrict EC2 access to the
computer used to launch it. From a purely security point of view, I would
recommend this restriction. From the convenience point of view, this web based
console is a boon for individuals and companies to manage their EC2 deployment.
This has the potential to wreck the business of many companies in the AWS
eco-system.

Having said that, convenience always comes at the cost of security. Two
months back, I came across this blog post about the weak spot in Amazon’s Cloud
Security.

Perhaps the weakest point to the whole S3 system is Amazon’s own password
scheme. It allows for very weak passwords and I’m sure with some good social
engineering could probably get them to reset it to a new e-mail address claiming
the old address was changed due to a corporate e-mail policy change. Take any
company, buy the domain mail-corportationname.com, and probably get any phone
support person to believe you are infact working for that corporation. If needed
do some fake letter head, get a fax number in the same town / phone exchange,
and pretty soon you could be the head of the smallest branch office of that
corporation. It must happen pretty often, Amazon even has a page for people’s
who’s email has
changed since the last order.

So, how secure is your cloud? Using the same techniques used to compromised
domain names and have them transfered, it would be possible to recover
Amazon passwords and login and download complete S3 collections, Start and Stop
clouds, and manage any other Amazon web service.

So to answer the question, the answer is… it ain’t. So deal with it.

From the time I started using AWS, I was also wondering about the same
weakness and I tried my best to protect my account by keeping a strong password.
After I read this blog post, I was scouting around to see if I could get in
touch with someone in AWS security team to get a response on this but I couldn’t
talk to anyone. Maybe, I didn’t try harder. The release of Web Based AWS
Management console has made it one step easier to hack into EC2 deployment of
any user. 

Before the release of console, someone who steals the Amazon password of an
user, could log into their AWS account and get the public/private key and
certificates. They can then use this information to cause havoc in the EC2
deployment. With this console, the hacker cracker has one less
step to manage. He/She can just log into the EC2 web based management console
with the Amazon.com account password they stole and create havoc. They don’t
even have to worry about looking for the public/private key and certificates.
This is plain risky from the security point of view.

Well, security minds can come up with far better solutions to this problem
but to start with I would like to see the following implemented as soon as
possible.

  1. Separate Amazon.com account from AWS account. In fact, the percentage of
    Amazon.com users who will also use AWS is quite negligible and such a separation
    will not affect badly.
  2. Force the users to select a really hard to crack password. It is important
    to develop a policy to enforce strong passwords in every AWS account.

I don’t see any reason why these two can’t be implemented. This will
definitely not close the loophole but it will, at least, make it harder for bad
guys to take a shot at the potential victims.

Related articles by
Zemanta

Posted in , | Tagged , , , , | 2 Responses

LinkedIn Twitter
Research Analyst And Editor
Krishnan Subramanian (a.k.a Krish) is the Principal Analyst of Rishidot Research LLC. His main focus areas include Cloud Infrastructure and Platforms while he also focusses on the big picture where the seemingly disparate technologies of cloud computing, mobile, social and big data converge to change IT in ways we can't even imagine today. Krish also evangelizes Open Source and Cloud Computing on various media outlets, public speaking and blogs. Rishidot Research offer research reports and advisory services for enterprises and IT vendors. More information can be found here. Krish's personal website can be found here.

2 responses to “Amazon Web Services Makes It Easy for the Hackers, Oops, Users”

  1. Amazon EC2 launches Web-based management console | Between the Lines | ZDNet.com
    Amazon EC2 launches Web-based management console | Between the Lines | ZDNet.com January 9, 2009 at 6:39 am |

    [..] Cloud Ave notes that’s Amazon’s love for usernames and passwords are a security risk, but you can’t argue the ease of use. Personally, I wouldn’t want my infrastructure riding on a username and password–they are too easy to break. Give me those complicated secret keys. [..]

  2. AMB Album » Amazon’s New Management Console Makes Setting up a Server in the Cloud Easy
    AMB Album » Amazon’s New Management Console Makes Setting up a Server in the Cloud Easy January 10, 2009 at 3:43 pm |

    [..] At the same time, however, it should also be noted that Cloud Avepoints out that Amazon’s reliance on relatively weak passwords could be a potential security issue. [..]