Programmer exploits Windows vulnerability in cloud-based services

Amazon Web Services targeted in demo; industry rep calls threat 'negligible'

Windows data volumes (meaning virtual machine hard-drives) in public clouds such as Amazon Web Services can be copied and have their access credentials modified, allowing a hacker to glean insights into the data, a programmer has reported.

Programming author and consultant Jeff Cogswell identified the security vulnerability and showed how he executed a hack of his own data in a story titled “The Windows flaw that cracks Amazon Web Services” posted on Slashdot.com. His conclusion: Don’t store sensitive information in the cloud, even if it is encrypted.

A caveat is that the would-be hacker needs access to the data volume in order to copy it and change the credentials, but Cogswell says employees at certain cloud providers have that capability. Although industry representatives played down the threat, Cogswell’s findings could add to concerns potential users have about the security of public clouds.

[TECH DEBATE ON CLOUD SOURCING: Consolidate suppliers or go best of breed?]

The vulnerability exists because of a feature many public cloud providers offer that allows volumes to be copied. Copying volumes is helpful in test and development scenarios, for example, where programmers can tinker with an application and not have the changes impact the production environment. Cogswell says it's also a security vulnerability though.

To demonstrate the hack, Cogswell made a copy of his volumes and used a modified version of a password reset tool named “chntwp” to change the credentials of the copied volume. Microsoft has issued patches to ensure chntwp does not allow credential resets, but Cogswell says he was able to modify the password reset tool to expose the vulnerability on new versions of Windows.

Once the Windows volume’s password is reset, a hacker can manipulate the contents of the volume and replace the original with the modified copy. Software could be installed to run alongside the volume and track it, for example. The data could be perused by the hacker or changes could be made to the data.

Cloud industry advocates shot down the findings. John Howie, COO of the Cloud Security Alliance – which advocates for strong security standards among cloud providers – called it a “non-issue.” To execute the vulnerability, the hacker must have access to that data volume in order to be able to copy and manipulate it. “The likelihood that someone at a cloud provider would perform this attack, even assuming they had access to the file store and there was no monitoring in place, is so small as to be negligible.”

Cogswell points out that employees of public cloud providers have access to these volumes – especially at smaller cloud service providers. If user credentials are compromised, the data volume could also be exposed. Cogswell notes that he was not able to perform the hack on other users’ data, only his own.

The use of chntwp to reset the credentials to access the volume is something that could be done on Windows volumes that are stored with any cloud provider, or in an on-premises volume, he notes. “This tool has in the past been used primarily to reset passwords on a Windows machine where the passwords were forgotten, or by employees trying to gain Administrator access to their work computers; that sort of thing,” Cogswell wrote in an e-mail. “As such, it's never really been considered a high security threat. But by having bootable copies of Windows in a cloud, an insider could easily make a copy of your cloud-based hard drive, take the copy home, and spend hours hacking into it using tools such as the one I described.”

The vulnerability reinforces Cogswell’s belief that sensitive data should not be stored in the cloud, he says. Simple encryption methods would not even protect against this vulnerability, because code can be modified in a similar way to gain access to the keys that are stored in the encrypted file to decrypt the information in some cases. Encryption methods that store the keys to the encrypted information separately from the encrypted data may be more secure, however.

A Microsoft spokesperson said security is a top priority and “a variety of security technologies and procedures (are used) to help protect customer information from unauthorized access, use, or disclosure.” The company did not specifically address the ability of employees to access customer files or the vulnerability of the chntwp reset tool though. Amazon officials have not yet responded.

Senior Writer Brandon Butler covers cloud computing for Network World and NetworkWorld.com. He can be reached at BButler@nww.com and found on Twitter at @BButlerNWW. Read his Cloud Chronicles here.

From CSO: 7 security mistakes people make with their mobile device
Join the discussion
Be the first to comment on this article. Our Commenting Policies