Become a fan of Slashdot on Facebook


Forgot your password?
Take advantage of Black Friday with 15% off sitewide with coupon code "BLACKFRIDAY" on Slashdot Deals (some exclusions apply)". ×

The Windows Flaw That Cracks Amazon Web Services 114

Nerval's Lobster writes "Developer and editor Jeff Cogswell decided to poke around the security of Amazon Web Services, and found a potential loophole that could theoretically allow anyone — a developer, an unscrupulous Amazon employee, the NSA — to access and copy data volumes stored on the system, using a slightly modified version of the popular 'chntwp' password tool. In this article, he breaks down how he did it, and suggests some ways for those who use cloud-hosting services to keep their data a little more secure in the future. 'The key here, of course, is that an unscrupulous employee might be able to make a copy of any existing Windows volume, and go to work on it without the customer ever knowing that it happened,' he writes. 'Now let's be clear: I'm not accusing anyone of having done this; in fact, I doubt anybody has, considering I was unable to find a working copy of chntpw until I modified it.' It's a security concern, and one that's particularly insidious to patch."
This discussion has been archived. No new comments can be posted.

The Windows Flaw That Cracks Amazon Web Services

Comments Filter:
  • This just in (Score:5, Informative)

    by Anonymous Coward on Wednesday September 11, 2013 @01:12PM (#44821353)

    People with access to your data are able to access your data.

  • by solafide (845228) on Wednesday September 11, 2013 @01:13PM (#44821369) Homepage
    This is no different than booting a LiveCD and changing the Windows password from a Linux LiveCD running with access to the same storage device. This is not a flaw in AWS in any fashion, other than illustrating the trust you place in AWS having access to your physical devices. Why is this news? This is a standard if-you-have-access-to-hardware-you-can-have-complete-control-over-everything-on-it-not-encrypted problem.
  • by cbhacking (979169) <been_out_cruisin ...> on Wednesday September 11, 2013 @02:04PM (#44821945) Homepage Journal

    Too bad the author of TFA is a flaming idiot, and this has nothing to do with Windows at all. It's a total non-story.

    He just "discovered" that if you download a cloud machine disk volume - which is completely OS-agnostic, you could do it BeOS if you wanted to - you can mount it on your own machine and go to town on the data. Unix-like OS? Cool, go read /etc/shadow and get the password hashes (or change/add your own password and re-mount it, as he suggests doing with Windows). There's absolutely nothing here Windows-specific at all except that the idiot only *just* discovered that password resetting by modifying the user login data is possible.

Philosophy: A route of many roads leading from nowhere to nothing. -- Ambrose Bierce