- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
Network World - Windows data volumes (meaning virtual machine hard-drives) in public clouds such as Amazon Web Services can be copied and have their access credentials modified, allowing a hacker to glean insights into the data, a programmer has reported.
Programming author and consultant Jeff Cogswell identified the security vulnerability and showed how he executed a hack of his own data in a story titled “The Windows flaw that cracks Amazon Web Services” posted on Slashdot.com. His conclusion: Don’t store sensitive information in the cloud, even if it is encrypted.
A caveat is that the would-be hacker needs access to the data volume in order to copy it and change the credentials, but Cogswell says employees at certain cloud providers have that capability. Although industry representatives played down the threat, Cogswell’s findings could add to concerns potential users have about the security of public clouds.
[TECH DEBATE ON CLOUD SOURCING: Consolidate suppliers or go best of breed?]
The vulnerability exists because of a feature many public cloud providers offer that allows volumes to be copied. Copying volumes is helpful in test and development scenarios, for example, where programmers can tinker with an application and not have the changes impact the production environment. Cogswell says it's also a security vulnerability though.
To demonstrate the hack, Cogswell made a copy of his volumes and used a modified version of a password reset tool named “chntwp” to change the credentials of the copied volume. Microsoft has issued patches to ensure chntwp does not allow credential resets, but Cogswell says he was able to modify the password reset tool to expose the vulnerability on new versions of Windows.
Once the Windows volume’s password is reset, a hacker can manipulate the contents of the volume and replace the original with the modified copy. Software could be installed to run alongside the volume and track it, for example. The data could be perused by the hacker or changes could be made to the data.
Cloud industry advocates shot down the findings. John Howie, COO of the Cloud Security Alliance – which advocates for strong security standards among cloud providers – called it a “non-issue.” To execute the vulnerability, the hacker must have access to that data volume in order to be able to copy and manipulate it. “The likelihood that someone at a cloud provider would perform this attack, even assuming they had access to the file store and there was no monitoring in place, is so small as to be negligible.”
Cogswell points out that employees of public cloud providers have access to these volumes – especially at smaller cloud service providers. If user credentials are compromised, the data volume could also be exposed. Cogswell notes that he was not able to perform the hack on other users’ data, only his own.
The use of chntwp to reset the credentials to access the volume is something that could be done on Windows volumes that are stored with any cloud provider, or in an on-premises volume, he notes. “This tool has in the past been used primarily to reset passwords on a Windows machine where the passwords were forgotten, or by employees trying to gain Administrator access to their work computers; that sort of thing,” Cogswell wrote in an e-mail. “As such, it's never really been considered a high security threat. But by having bootable copies of Windows in a cloud, an insider could easily make a copy of your cloud-based hard drive, take the copy home, and spend hours hacking into it using tools such as the one I described.”