


Researchers: AWS Users Are Leaving Security Holes

Researchers in Germany have found abundant security problems within Amazon's cloud-computing services due to its customers either ignoring or forgetting published security tips.


Amazon offers computing power and storage using its infrastructure via its Web Services division. The flexible platform allows people to quickly roll out services and upgrade or downgrade according to their needs.

Thomas Schneider, a postdoctoral researcher in the System Security Lab of Technische Universität Darmstadt, said on Monday that Amazon's Web Services is so easy to use that a lot of people create virtual machines without following the security guidelines.

"These guidelines are very detailed," he said.

In what they termed the most critical discovery, the researchers found that the private keys used to authenticate with services such as the Elastic Compute Cloud (EC2) or the Simple Storage Service (S3) were publicly published in Amazon Machine Images (AMIs), which are pre-configured operating systems and application software used to create virtual machines.

Those keys shouldn't be there. "They [Customers] just forgot to remove their API keys from machines before publishing," Schneider said.

But the consequences could be expensive: With those keys, an interloper could start up services on EC2 or S3 using the customer's keys and create "virtual infrastructure worth several thousands of dollars per day at the expense of the key holder," according to the researchers.

The researchers looked at some 1,100 AMIs and found another common problem: A third of those AMIs contained SSH (Secure Shell) host keys or user keys.

SSH is a common tool used to log into and manage a virtual machine. But unless the host key is removed and replaced, every other instance derived from that image will use the same key. This can cause severe security problems, such as the possibility of impersonating the instance and launching phishing attacks.

Some AMIs also contained SSH user keys for root-privileged logins. "Hence, the holder of the corresponding SSH key can login to instances derived from those images with superuser privileges unless the user of the instance becomes aware of this backdoor and manually closes it," according to a technical data sheet on the research.

Among the other data found in the public AMIs were valid SSL (Secure Sockets Layer) certificates and their private keys, the source code of unpublished software products, passwords and personally identifiable information including pictures and notes, they said.
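A pre-publication audit for the leftovers described above, as an added example that is not from the researchers or the article: it walks a mounted image root and flags SSH host keys, non-empty authorized_keys files, AWS access key IDs and PEM private keys. The function names, finding labels and sample tree are assumptions made for illustration, and AKIAIOSFODNN7EXAMPLE is the placeholder key ID used in AWS documentation.

```python
import os
import re
import tempfile

AWS_KEY_ID = re.compile(rb"\bAKIA[0-9A-Z]{16}\b")  # common access key ID form
PRIVATE_KEY = re.compile(rb"-----BEGIN (?:[A-Z0-9]+ )*PRIVATE KEY-----")
HOST_KEY_NAME = re.compile(r"^ssh_host_(?:\w+_)?key(?:\.pub)?$")


def audit_image_root(root, max_bytes=1 << 20):
    """Walk a mounted image root; return sorted (relative_path, finding) pairs."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if HOST_KEY_NAME.match(name):
                findings.append((rel, "ssh-host-key"))  # regenerate per instance
                continue
            with open(path, "rb") as fh:
                data = fh.read(max_bytes)
            if name in ("authorized_keys", "authorized_keys2"):
                # Only flag files that hold at least one real (non-comment) entry.
                if any(l.strip() and not l.strip().startswith(b"#") for l in data.splitlines()):
                    who = "root" if rel.startswith("root/") else "user"
                    findings.append((rel, who + "-authorized-key"))
            if AWS_KEY_ID.search(data):
                findings.append((rel, "aws-access-key-id"))
            if PRIVATE_KEY.search(data):
                findings.append((rel, "private-key"))
    return sorted(findings)


def demo():
    """Audit a constructed sample tree (all file contents are placeholders)."""
    sample = {
        "etc/ssh/ssh_host_rsa_key": b"-----BEGIN OPENSSH PRIVATE KEY-----\n",
        "root/.ssh/authorized_keys": b"ssh-rsa AAAAconstructed publisher@example\n",
        "home/app/.ssh/authorized_keys": b"# no keys installed\n",
        "root/.aws/credentials": b"aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n",
        "etc/ssl/private/site.key": b"-----BEGIN RSA PRIVATE KEY-----\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in sample.items():
            os.makedirs(os.path.join(root, os.path.dirname(rel)), exist_ok=True)
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(body)
        return audit_image_root(root)
```

An empty result from `audit_image_root` on the mounted image is the condition to reach before publishing; any finding means the file should be removed or regenerated first.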

Anyone with a credit card can get access to Amazon Web Services, which would enable a person to look at the public AMIs that the researchers analyzed, Schneider said. Once the problem was evident, Schneider said they contacted Amazon Web Services at the end of April. Amazon acted in a professional manner, the researchers said, by notifying those account holders of the security issues.

The study was done by the Center for Advanced Security Research Darmstadt (CASED) and the Fraunhofer Institute for Security in IT (SIT) in Darmstadt, Germany, which both study cloud computing security. Parts of the project were also part of the European Union's "Trustworthy Clouds" or TClouds program.

Send news tips and comments to jeremy_kirk@idg.com

Source: https://www.pcworld.com/article/485538/researchers_aws_users_are_leaving_security_holes.html

Posted by: valenzuelacountim.blogspot.com
