The Windows Flaw That Cracks Amazon Web Services - Slashdot

Slashdot

The Windows Flaw That Cracks Amazon Web Services 114

Posted by Unknown Lamer on Wednesday September 11, 2013 @02:05PM
from the you're-doing-it-wrong dept.

Nerval's Lobster writes "Developer and editor Jeff Cogswell decided to poke around the security of Amazon Web Services, and found a potential loophole that could theoretically allow anyone — a developer, an unscrupulous Amazon employee, the NSA — to access and copy data volumes stored on the system, using a slightly modified version of the popular 'chntwp' password tool. In this article, he breaks down how he did it, and suggests some ways for those who use cloud-hosting services to keep their data a little more secure in the future. 'The key here, of course, is that an unscrupulous employee might be able to make a copy of any existing Windows volume, and go to work on it without the customer ever knowing that it happened,' he writes. 'Now let's be clear: I'm not accusing anyone of having done this; in fact, I doubt anybody has, considering I was unable to find a working copy of chntpw until I modified it.' It's a security concern, and one that's particularly insidious to patch."

This discussion has been archived. No new comments can be posted.

The Windows Flaw That Cracks Amazon Web Services

Search 114 Comments Log In/Create an Account

Comments Filter:

This just in (Score:5, Informative)

by Anonymous Coward writes: on Wednesday September 11, 2013 @02:12PM (#44821353)

People with access to your data are able to access your data.

Share
twitter facebook linkedin
Not actually a problem with AWS. (Score:5, Informative)

by solafide (845228) writes: on Wednesday September 11, 2013 @02:13PM (#44821369) Homepage

This is no different than booting a LiveCD and changing the Windows password from a Linux LiveCD running with access to the same storage device. This is not a flaw in AWS in any fashion, other than illustrating the trust you place in AWS having access to your physical devices. Why is this news? This is a standard if-you-have-access-to-hardware-you-can-have-complete-control-over-everything-on-it-not-encrypted problem.

Share
twitter facebook linkedin
Re:Windows volumes... (Score:5, Informative)

by cbhacking (979169) writes: <<moc.oohay> <ta> ... isiurc_tuo_neeb>> on Wednesday September 11, 2013 @03:04PM (#44821945) Homepage Journal

Too bad the author of TFA is a flaming idiot, and this has nothing to do with Windows at all. It's a total non-story.
He just "discovered" that if you download a cloud machine disk volume - which is completely OS-agnostic, you could do it BeOS if you wanted to - you can mount it on your own machine and go to town on the data. Unix-like OS? Cool, go read /etc/shadow and get the password hashes (or change/add your own password and re-mount it, as he suggests doing with Windows). There's absolutely nothing here Windows-specific at all except that the idiot only *just* discovered that password resetting by modifying the user login data is possible.

Parent Share
twitter facebook linkedin

There may be more comments in this discussion. Without JavaScript enabled, you might want to turn on Classic Discussion System in your preferences instead.

FORTRAN is a good example of a language which is easier to parse using ad hoc techniques. -- D. Gries [What's good about it? Ed.]