Amazon downplays report highlighting vulnerabilities in its cloud service
Hypothetical example described in report much harder to pull off in reality, company says
Computerworld - Amazon said today that it has taken steps to mitigate a security issue in its cloud computing infrastructure that was identified recently by researchers from MIT and the University of California at San Diego.
The report described how attackers could search for, locate and attack specific targets in Amazon's Elastic Computer Cloud (EC2) because of certain underlying vulnerabilities in the infrastructure.
Though the attack described in the report was conducted against Amazons infrastructure, the researchers concluded that similar targeted attacks could be carried out in other cloud services as well because the vulnerabilities were generic.
In response, Amazon spokeswoman Kay Kinton said today that the report describes cloud cartography methods that could increase an attacker's probability of launching a rogue virtual machine (VM) on the same physical server as another specific target VM.
What remains unclear, however, is how exactly attackers would be able to use that presence on the same physical server to then attack the target VM, Kinton told Computerworld via e-mail.
The research paper itself described how potential attackers could use so-called "side-channel" attacks to try and try and steal information from a target VM. The researchers had argued that a VM sitting on the same physical server as a target VM, could monitor shared resources on the server to make highly educated inferences about the target VM.
By monitoring CPU and memory cache utilization on the shared server, an attacker could determine periods of high-activity on the target servers, estimate high-traffic rates and even launch keystroke timing attacks to gather passwords and other data from the target server, the researchers had noted.
Such side-channel attacks have proved highly successful in non-cloud contexts, so there's no reason why they shouldn't work in a cloud environment, the researchers postulated.
However, Kinton characterized the attack described in the report as "hypothetical," and one that would be "significantly more difficult in practice."
"The side channel techniques presented are based on testing results from a carefully controlled lab environment with configurations that do not match the actual Amazon EC2 environment," Kinton said.
"As the researchers point out, there are a number of factors that would make such an attack significantly more difficult in practice," she said.
At the same time, Amazon takes all reports of vulnerabilities in its cloud infrastructure very seriously, she said. The company will continue to investigate potential exploits thoroughly and continue to develop features bolster security for users of its cloud service, she said.
Amazon Web Services has already rolled out safeguards that prevent potential attackers from using the cartography techniques described in the paper, Kinton said without offering any details.
She also pointed to the recently launched Amazon Web Service Multi-Factor Authentication (AWS MFA) as another example of the company's continuing effort to bolster cloud security. AWS MFA is designed to provide an extra layer access control to a customer's Web services account, Kinton said.
The research report that highlighted the security issues in cloud computing infrastructures is scheduled to be presented at the ACM Conference on Computer and Communications Security next month.
Read more about Malware and Vulnerabilities in Computerworld's Malware and Vulnerabilities Topic Center.
- Best iPhone, iPad Business Apps for 2014
- 14 Tech Conventions You Should Attend in 2014
- 10 Desktop Apps to Power Your Windows PC
- How to Add New Job Skills Without Going Back to School
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Alert Logic for PCI DSS Compliance To achieve PCI DSS compliance, you must identify and remediate all critical vulnerabilities detected during PCI scans. Threat Manager streamlines this process by...
- Cybersecurity Imperatives Reinvent Your Network Security With Palo Alto Networks The Rise of CyberSecurity
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts