Harnessing the power that cloud computing can provide brings a lot of potential benefits to the enterprise. Organizations can process huge amounts of data without investing in the infrastructure that would have been required before cloud computing became an option. But just like everything else, great power always has a dark side, and there are definitely those who are eager to wield the power of the cloud not for good, but for evil.
It should come as no surprise that malicious hackers are well on their way to crafting their own exploits, using cloud platforms as a base. When citing cloud security risks, we are usually focused on the concern that attackers will steal our data from the servers, but criminals can also use those same services to amplify the effects of outgoing attacks. Last year’s well-publicized hacking of Sony’s PlayStation Network was largely carried out by someone who rented an Amazon EC2 server from which to launch the attack after opening an account and supplying fake information for registration. That intrusion compromised over 100 million Sony customers.
Just last month, Australian security firm Stratsec released the results of a number of experiments it carried out using various unnamed cloud providers. The upshot of their testing was that some cloud providers fail to detect and block malicious traffic originating from their networks, making it possible for cybercriminals to launch vast botnets running on cloud instances.
As cloud providers, no doubt, continue to implement security measures that will prevent this type of abuse of their services, researchers are revealing even newer methods. Ars Technica’s Dan Goodin reports today that computer scientists from North Carolina State University and the University of Oregon have demonstrated a browser-based exploit that has great potential for launching crippling denial of service attacks and password cracks. Using the technique outlined in their paper (due to be presented at an upcoming security conference):
They estimate they could use the same technique to generate more than 24,000 cryptographic hashes every second. It could also be abused to amplify the effects of already powerful denial-of-service attacks on third-party websites. While their proof-of-concept attack abuses the Puffin service for Android and iOS devices, they say similar cloud infrastructure is also vulnerable, including services that work with Amazon’s Silk browser for Kindle devices, Cloud Browse from AlwaysOn Technologies, and Opera Mini.
Obviously, it’s good that researchers are busy uncovering the newest methods by which criminals and malicious hackers can use the cloud to wreak havoc. It will be interesting to see what measures cloud providers put in place to detect potential abuse of their services by criminals and mischief-makers — without creating barriers for their legitimate customers.