Forgot your password?
typodupeerror
Security

The Windows Flaw That Cracks Amazon Web Services 114

Posted by Unknown Lamer
from the you're-doing-it-wrong dept.
Nerval's Lobster writes "Developer and editor Jeff Cogswell decided to poke around the security of Amazon Web Services, and found a potential loophole that could theoretically allow anyone — a developer, an unscrupulous Amazon employee, the NSA — to access and copy data volumes stored on the system, using a slightly modified version of the popular 'chntwp' password tool. In this article, he breaks down how he did it, and suggests some ways for those who use cloud-hosting services to keep their data a little more secure in the future. 'The key here, of course, is that an unscrupulous employee might be able to make a copy of any existing Windows volume, and go to work on it without the customer ever knowing that it happened,' he writes. 'Now let's be clear: I'm not accusing anyone of having done this; in fact, I doubt anybody has, considering I was unable to find a working copy of chntpw until I modified it.' It's a security concern, and one that's particularly insidious to patch."
This discussion has been archived. No new comments can be posted.

The Windows Flaw That Cracks Amazon Web Services

Comments Filter:
  • This just in (Score:5, Informative)

    by Anonymous Coward on Wednesday September 11, 2013 @02:12PM (#44821353)

    People with access to your data are able to access your data.

  • by solafide (845228) on Wednesday September 11, 2013 @02:13PM (#44821369) Homepage
    This is no different than booting a LiveCD and changing the Windows password from a Linux LiveCD running with access to the same storage device. This is not a flaw in AWS in any fashion, other than illustrating the trust you place in AWS having access to your physical devices. Why is this news? This is a standard if-you-have-access-to-hardware-you-can-have-complete-control-over-everything-on-it-not-encrypted problem.
  • by cbhacking (979169) <been_out_cruising-slashdot.yahoo@com> on Wednesday September 11, 2013 @03:04PM (#44821945) Homepage Journal

    Too bad the author of TFA is a flaming idiot, and this has nothing to do with Windows at all. It's a total non-story.

    He just "discovered" that if you download a cloud machine disk volume - which is completely OS-agnostic, you could do it BeOS if you wanted to - you can mount it on your own machine and go to town on the data. Unix-like OS? Cool, go read /etc/shadow and get the password hashes (or change/add your own password and re-mount it, as he suggests doing with Windows). There's absolutely nothing here Windows-specific at all except that the idiot only *just* discovered that password resetting by modifying the user login data is possible.

No user-servicable parts inside. Refer to qualified service personnel.

Working...