Cloud Security


It should be no surprise that the cloud can be just as vulnerable as in-house servers; after all the cloud is just data centers with servers connected to the internet. Cloud data centers such as Amazon, Microsoft, and Google do have top notch security such as physical controls like concrete barriers and utilize the most recent and secure network protocols such as IPv6. However, this does not stop users of the cloud from poorly implementing security configurations or writing bad code for the sites a cloud may host. Even more interesting, it has been found that the cloud vendors themselves have vulnerabilities. Let’s delve into some of these issues and how they may be addressed.
0day vulnerabilities in the cloud vendors themselves do exist. Azure, in example, did have a 0day Cross-Site Scripting (XSS) vulnerability. Chris Dale, a penetration tester, found a command injection flaw that allowed him to set environment variables of a process using an XSS payload. The command injection would cause the process to hang which would cause the Administrator to debug the problem thus cause the script to execute on his browser. Chris’s test stopped here due to ethical reasons but the payload that Chris developed could’ve been used to escalate privileges by, in example, stealing the admin’s session token. It’s interesting to think that vulnerabilities like the one Chris had discovered exist in the cloud vendor’s server and services themselves; from personal experience cloud vendors such as Azure are used by BlueCross BlueShield and store HIPAA and PHI related information. Even just leveraging an insecure site of another company could give attackers the ability to navigate to their intended target and compromise this data (Dale, 2016). Further reading can be found in the link below:
https://pen-testing.sans.org/blog/2016/08/19/azure-0day-cross-site-scripting-with-sandbox-escape
While, unfortunately, cloud clients may not be able to do much about their vendor’s vulnerabilities there are ways to minimize their own. It’s common for companies to spin up production virtual machines on a cloud to host websites. These sites could use APIs that manage them or utilize third-party code/tools such as angular-js for login pages. Setting up a website on a cloud is no different than setting up a web site on an on-site server. Thus, securing APIs, using tls encryption, and properly configuring the web server can prevent hackers from compromising a client’s site. Having proper Change Control Systems in place and including security experts in reviews can prevent misconfigurations from occurring (Siemons, 2017).  
According to OWASP, threat modeling can also assist in addressing potential security issues and vulnerabilities by addressing security issues at an architectural level. Organizations could also get involved in the OWASP Cloud Security project which was formed in 2017 and is relatively new and could use more contribution. A link to more information is below:
https://github.com/owasp-cloud-security/owasp-cloud-security
There is a relatively new type of attack called the man-in-the-cloud (MitC) attack. In this attack, the attacker utilizes social engineering (e.g. email spam, etc.) to place a piece of malware called a switcher on the victim’s machine. The victim’s machine uses a synchronization token to connect to the cloud and this piece of malware replaces that token with a forged synchronization token from the attacker. This forged synchronization token points to a cloud account set up by the hacker allowing the attacker to copy the victim’s token to the attacker’s cloud location where it is then downloaded by the attacker. This gives the attacker access to the victim’s cloud data (Siemons, 2017).
This attack is very difficult to detect as intrusion detection systems and logs will normal cloud sync occurring. Administrators may be able to note synchronization occurring with an unknown user given the logs verbosity level, but outside of this the synchronization process will appear normal. Other method of detection may include geolocation history but the best form of detection would be at the social engineering part of the attack (e.g. a spam filter). Unfortunately if this attack does successfully occur, the best mitigation strategy (once detected) would be to close the cloud account and notify the cloud vendor (Siemons, 2017).
Many other attack methods exist such as Denial of Service, SQL Injection attacks, and remote file inclusion attacks. Really the cloud is no different than any other server on the internet, and unfortunately cloud clients do not have control of a cloud vendor’s vulnerabilities. Thus, the best method for securing data on the cloud is to keep communication between a client and its cloud vendor open. Users of the cloud can also stay up to date on cloud and general web application security vulnerabilities in general by reading reports such as the OWASP Top 10 and complying with security frameworks such as COBIT. Below is a list of some good sites for staying on top of cloud security:
1.      https://pen-testing.sans.org/
2.      https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
3.      https://searchcloudsecurity.techtarget.com/
4.      https://resources.infosecinstitute.com/category/cloud-computing/
References
Dale, C. (August 19, 2016). Azure 0day Cross-Site Scripting with Sandbox Escape. Retrieved from https://pen-testing.sans.org/blog/2016/08/19/azure-0day-cross-site-scripting-with-sandbox-escape
Siemons, F. (April 13, 2017). Attacking the Cloud. Retrieved from https://resources.infosecinstitute.com/attacking-the-cloud/#gref
Siemons, F. (March 8, 2017). How to detect and prevent a man-in-the-cloud attack. Retrieved from https://searchcloudsecurity.techtarget.com/tip/How-to-detect-and-prevent-a-man-in-the-cloud-attack

Comments

Post a Comment

Popular posts from this blog

Covering Your Tracks

The ability to remain stealth during a penetration exercise is what separates a sophisticated hacker from a script kitty. The phrase “The Quieter You Become, The More You Are Able to Hear” holds true, especially in the field of hacking. Being able to perform Ani-forensics and avoid detection is critical to the success of hacking and penetration testing and understanding these methods is beneficial, even for white hat hackers, as there will be times in a penetration where the system is already compromised. In such cases, understanding what the attacker is doing in order to cover their tracks can help determine the sophistication of the attack or bring prosecution to the attacker. All hacks begin with system enumeration and nmap is one of the best tools to use during this discovery phase. However, as I explained in Scanning With nmap blog, port scanning a bunch of IP Addresses or every port on a target system is noisy and can cause denial of service conditions (very bad if you are ...
Read more

LDAP Vulnerabilities

Image
Note** The following examples utilize Web for Penetration Testers which I do not own any rights to. These examples provide solutions to the live image of Web for Pentester 1 which can be downloaded at https://pentesterlab.com/exercises/web_for_pentester/course . Please attempt these exercises on your own before reviewing my solutions to gain maximum benefit.   Web for Penetration Testers Example 1 Lightweight Directory Access Protocol (LDAP) can be thought of as a hierarchical directory structure. Using the live iso of Web for Pentester 1 lab we can find that Open LDAP service is running by running performing a nmap scan from our kali box (attacking machine): Figure 1 Using the ldapsearch command with the -b (base dn [top of hierarchy in this case]) -LLL (print responses in LDIF format without comments or version) and -x (simple authentication) flags (-h specifies the host) from our kali box (see Figure 2), we see that there are three common names (cn) entries: admin, ...
Read more

Setting Up a Proxy to Protect Your Public IP (An Introduction to Proxies)

Image
I recently purchased a static IP address. While this is great for setting up VPNs, websites, and other major benefits it bothered me that I normally visit CTFs and sites that contain malicious code to accomplish these CTF challenges. There had to be a way I could better protect my public IP from direct exposure in the event I did something stupid while surfing the web. This is where a proxies come into play. A proxy is exactly the same thing meant in the English language; think if computer A who set up the proxy wants to talk to computer C. An intermediary could be introduced (Proxy Server B) so that when computer C talks to computer A it has to go through Proxy Server B. Thus Computer C thinks its talking to Proxy Server B and only sees that IP address; when in reality all traffic is getting forwarded to computer A and vise versa. This creates a layer of abstraction. There are many types of proxies such as reverse proxies which is used mainly for public facing web sites. We are strict...
Read more