Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Cloud Security IT

Amazon's Cloud Is Full of Holes 66

itwbennett writes "Amazon's Web Services is so easy to use that customers create virtual machines without following Amazon's 'very detailed' security guidelines, says Thomas Schneider, a postdoctoral researcher in the System Security Lab of Technische Universität Darmstadt. Most notably, Schneider and his fellow researchers found that the private keys used to authenticate with services such as the Elastic Compute Cloud (EC2) or the Simple Storage Service (S3) were publicly published in Amazon Machine Images (AMIs), which are pre-configured operating systems and application software used to create virtual machines. '[Customers] just forgot to remove their API keys from machines before publishing,' Schneider said."
This discussion has been archived. No new comments can be posted.

Amazon's Cloud Is Full of Holes

Comments Filter:
  • I don't get it. It's more like sending a letter to someone with your housekeys in the envelope.
    • by ChrisKnight ( 16039 ) on Tuesday June 21, 2011 @12:41PM (#36516054) Homepage

      No, your example posits a situation where you are privately sending your physical keys to a known individual in a 1:1 transaction. Apples to oranges.

      The situation being described is where people build server images, and them publish them to share, without first having striped them of their security keys.

      A better comparison is if you wrote up an email for your dog walker with very detailed instructions on how to take care of your dog and you included the security code for your alarm. Then, you thought it would be a terrific idea to share your great dog walking tips with an email list and forwarded your original email without editing out your security code. Now anyone who accesses your dog walking tips has access to your house.

      • by ep32g79 ( 538056 )
        Your analogy is confusing. Can I get one with cars?
        • by vlm ( 69642 )

          Your analogy is confusing. Can I get one with cars?

          A better comparison is if you wrote up an email for your driver with very detailed instructions on how to run over a dog and you included the security code for your garage door. Then, you thought it would be a terrific idea to share your great dog running over tips with an email list and forwarded your original email without editing out your garage door code. Now anyone who accesses your dog running over tips has access to your garage.

          Better now?

          • by Hylandr ( 813770 )

            What if I wanted to set the dog on fire and have the fire dept run over it instead?

            - Dan.

          • by ajs ( 35943 )

            A better comparison is if...

            A better comparison is you left your damned storage keys in your published machine image. This is a security blunder. That security key is, in simplistic terms, a password. Don't give out your passwords on the Web.

            This has nothing to do with the security of Amazon's infrastructure or services.

        • by blair1q ( 305137 )

          They're building their own cars using plans and parts from Amazon, and leaving the keys in the plastic bag that was taped to the top of the sunroof at the factory.

          • by blair1q ( 305137 )

            Albeit, it's not taped to the top of the sunroof; it's more like it's stuffed in a dark magnetized box in one of the bumpers, so you never notice it if you aren't looking for it, but anyone else who's built one correctly knows exactly where to check when they see your car in the parking lot at the mall.

            • Wrong use of 'Albeit'. You probably meant 'Although' or just 'Though'.

              'Albeit' is kind of a shortened form of 'All be it'. For instance;

              "It was sunny, albeit rather cold and windy."

              Not trying to be snotty, though I'm sure it comes off that way. Just trying to help.

              And can we stop with the analogies already? - we are computer professionals for the most part and don't need analogies to understand what it means to leave your private keys in a publicly accessible spot. Yours was a rather good one, but really, w

              • by blair1q ( 305137 )

                Er, http://www.etymonline.com/index.php?search=albeit&searchmode=none [etymonline.com]

                You don't really want to know what onelook.com has to say about it either.

                I did kind of misuse it to mean "on the contrary" rather than "in spite of", which is its more accurate sense.

                And you'll never get rid of analogies the way you'll never get rid of people who want to drive their cars despite the noise, cost, danger, waste, and pollution.

        • by myurr ( 468709 )

          Lets say your dog has a car but because he doesn't have opposable thumbs he struggles to use a key. Instead the car is fitted with a dog paw sized keypad that allows him to type an entry code in to gain access to the car and start the engine. Thinking that this setup is the bees knees your dog posts the details of this system on his blog, but includes his key code. Now any other man or his dog who reads this blog post will be able to access your dog's car.

        • It would be like you loaned me your car.
        • Your analogy is confusing. Can I get one with cars?

          Can I get one with fries?

    • It's actually like a building company selling prefab bank buildings, and then selling it to your local bank, and the bank forgot to lock the back door they used to get into the building all the while inviting you to come into their new fangled ultra safe and secure bank where you can store personal stuff.

      The problem is that Amazon gave someone a super easy way to set up a site... so easy, even idiots can set it up. And idiots will set it up and forget to close the back door, and those idiot will sell servi

    • Bad phrasing. When they say Amazon's cloud they really mean the customers in the cloud, not Amazon themselves.
    • It's more like tweeting a picture of your bulging underwear to everyone rather than sending it privately to just one person.
  • Known issue (Score:4, Informative)

    by Mullen ( 14656 ) on Tuesday June 21, 2011 @12:34PM (#36515946)

    This is a known issue and when Amazon.com finds out that certain AMIs have preinstalled root ssh keys, they send you an email letting you know, along with instructions on how to remove the root ssh key. Non-issue.

    • You can also deactivate your account credentials just in case you did do this.
    • Actually, this sounds like users leaving their AWS API keys on public AMIs. This could be a very expensive mistake for the AMI creators!

      Amazon provides ways to mitigate this risk. For instance:

      1. You are allowed to revoke keys. If you think you might have put your keys on a public AMI, even if you deleted those keys, you should revoke the keys immediately. Remember, deleting is different from wiping.
      2. You can use Identity and Access Management (IAM) to limit the functions that a giving API keypair is authorized
    • by kmac06 ( 608921 )
      Sounds like this issue became known because of these guys:

      Once the problem was evident, Schneider said they contacted Amazon Web Services at the end of April. Amazon acted in a professional way, the researchers said, by notifying those account holders of the security issues.

      So it certainly was an issue until they looked into it (and still is an issue if some fraction of their users are too lazy to fix it).

  • I don't know, the cloud looks like a safe to me..... or a pad lock.

    Oh, and that cloud looks like a shark.... and that one next to it looks like a worm....

    • I don't know, the cloud looks like a safe to me..... or a pad lock.

      Oh, and that cloud looks like a shark.... and that one next to it looks like a worm....

      And next to it is a cloud that looks like a bird.

  • If it allows you to do something incorrectly then it isn't very easy to use.

    • by ackthpt ( 218170 )

      If it allows you to do something incorrectly then it isn't very easy to use.

      Nonsense. Windows has been allowing people to get things wrong for decades and millions claim it's easy to use ... nevermind.

    • So if someone sticks a fork in a toaster and gets electrocuted, does that mean the appliance was poorly designed? No matter how easy something is to use, some idiot will find a way to misuse it.
      • So if someone sticks a fork in a toaster and gets electrocuted, does that mean the appliance was poorly designed? No matter how easy something is to use, some idiot will find a way to misuse it.

        I would say yes. If you can literally kill yourself by sticking a piece of metal in to a toaster, then the toaster could be designed better.

      • On the other hand, the smart user will unplug the toaster whenever possible before reaching into it, thus ensuring personal safety even if the manufacturer screwed up. Not sure what the analogous safe practice would be with AWS, aside from RTFM and generally being cautious.

    • That's the most insanely impractical philosophy I can imagine. I have to assume you don't actually make anything people use.

      • It's becoming more common and accepted these days though ... Apple seems to use that philosophy in a lot of their products. I think the drawbacks outweigh the benefits, but there are those that don't.
      • I actually blame this on Asimov. His three-law robots were a great idea, and people loved the simple and 'obviously right' three laws that made them 'safe' around humans. People praise them, and actually say that they are trying to work them into their designs. At this point, even designs made by people who have never heard of the stories are following the same philosophy of design that they helped inspire.

        Except we never actually want our machines to follow the three laws as he wrote them. We want rule

      • by dkf ( 304284 )

        That's the most insanely impractical philosophy I can imagine. I have to assume you don't actually make anything people use.

        Yes, he must be a computer security expert.

      • That's the most insanely impractical philosophy I can imagine. I have to assume you don't actually make anything people use.

        If you think about it, it's not really that impractical. If, given very clear instructions on how to use something, people still manage to use it incorrectly, then it isn't really easy to use. I'm not arguing that everything NEEDS to be easy to use, just that some of the things people claim are easy are not really all that easy.

    • I don't know...a pencil is pretty easy to use, but it's trivial to use the wrong end (thereby erasing the work you've already done) or to poke yourself with it, etc.

      Then again, I'm one of those people that gets annoyed with devices that try too hard to protect me from myself. That's one of the reasons why I prefer stick-shift cars, manual focus cameras, Linux, and such.
      • I don't know...a pencil is pretty easy to use, but it's trivial to use the wrong end (thereby erasing the work you've already done) or to poke yourself with it, etc.

        Then again, I'm one of those people that gets annoyed with devices that try too hard to protect me from myself. That's one of the reasons why I prefer stick-shift cars, manual focus cameras, Linux, and such.

        I think it depends on your definition of "easy to use". If a significant number of people manage to use something incorrectly despite given clear instructions on its use, then you shouldn't try to claim that it is easy to use. The harshness of the consequences of improper use also factor in here. An easy to make mistake that has extremely harsh consequences may raise the difficulty rating of a task.

        With your pencil example, how many people actually mistake the eraser for the point? Children understand p

    • I agree. Private elements of a configuration such as API keys should be kept separate to public ones. Whatever is used to generate the image should only publish the public stuff by default.
  • This seems like basically the same issue as "forgot to remove my SQL password from the config file in the code I uploaded to github", which is also quite common. If you upload a working version of some of your infrastructure somewhere, you need to be careful about whether it contains any sort of authentication tokens.

  • It's not too difficult to plug a LAMP stack (or a windows/BSD/Solaris equiv.) into the net but the average lamer isn't going to know about hardening, updating, monitoring and troubleshooting. Amazon apparently could care less as well.

  • Yay cloud!

  • Amazon wants you to store all your videos and music on their servers but with ISPs capping traffic and lowering limits that idea may be short lived. "I have that movie but we can't watch it until the 18th when my limit resets for the month"
  • "...'[Customers] just forgot to remove their API keys from machines before publishing,' Schneider said."

    Sure... blame the users... /sarcasm

  • As an IaaS it is YOUR responsibility to design security etc into YOUR servers on EC2. I think the title of this thread is misleading in that it makes it sound like AWS is at fault for implementation of someone's poor practices. "Amazon's Cloud is Full of Holes" That's like saying Intel's processor's are Full of Holes because people do stupid things using machines that have them.
  • It has been reported that certain ford mustangs allow the owner to leave the doors unlocked and the keys in the ignition..

    a large recall is expected once the ford motor company finishes studying the problem.

What hath Bob wrought?

Working...