
Stratsec critical of cloud security

Potential haven for botnets, study finds


A study conducted by BAE security subsidiary Stratsec claims that cloud services aren’t doing enough to secure their instances against being used to host attacks.

The company has described a series of experiments here. Stratsec says it was able to set up botnets – it refers to them as botClouds – on all five of the cloud services it tested, and that none either raised alerts or placed restrictions on the accounts that were originating malicious traffic.

While the study doesn’t name the cloud services it tested, El Reg would assume that all five have had a private notification by Stratsec.

The experiments were conducted by setting up accounts with various cloud providers, setting up ten cloud instances on each account, and using those instances to send malicious traffic at “victim” systems on controlled networks. Common services like HTTP, FTP and SMTP were enabled on the victims.

The cloud services were then used to fire a variety of attacks against the victims: malformed traffic, malware attacks, DoS attacks, brute-force attacks against the FTP passwords, shellcode attacks on the victims’ services, and Web application attacks (such as SQL injection, cross-site scripting, and path traversal).

With this setup in place, four experimental setups were tested: (a) the victim in a corporate-style environment behind an IDS and firewall; (b) the victim on the same cloud service that hosted the attacks; (c) the victim on one cloud service suffering an attack launched from another. In the last experiment, the attack on the private network victim was extended to 48 hours to try to elicit a response from the cloud providers.

Stratsec reports that “although we were expecting responses from cloud providers”, very little happened. There were no connection resets or terminations on the traffic, nor was the malicious traffic throttled or rate limited. The attacks failed to draw a response in the form of an alert or an account suspension, and although one provider blocked FTP, SMTP and HTTP traffic by default, the experimenters only needed to use a non-standard port to continue the attacks.

Without a stronger security posture from cloud providers, the report states, their services offer a cheap, scalable, reliable, and user-friendly platform – for anyone wanting to set up a botCloud. Moreover, they note, a corporate with its own relatively mature in-house security could find itself degrading its protection by moving to the cloud. ®
