Marco Balduzzi, a senior threat researcher at Trend Micro, has been kind enough to have a chat with us at the Hack in the Box 2012 security conference in Amsterdam.

We talked about different things relating to cloud security, but the conversation focused on the researcher’s studies of Amazon EC2 server images using a clever tool called SatanCloud. The final part of the interview contains important advice for users who want to utilize cloud services.

Softpedia: Please introduce yourself for our readers.

Marco Balduzzi: My name is Marco Balduzzi and I am originally from Italy, but for the last 6 years I have lived abroad. In 2006/2007 I worked as a security researcher and engineer for an information security provider in Munich (Germany).

When I moved to Nice, on the French Riviera, I worked for a couple of security companies before joining EURECOM, a graduate school and research lab in system security. At EURECOM I researched different topics in applied security, such as web security, malware analysis, botnet detection, privacy in social networks and cloud security, and in 2011 I earned a Ph.D. from Télécom ParisTech ENST.

Since April, I have been with Trend Micro, one of the largest and best-known antivirus companies, where I work as a Senior Threat Researcher. Our job is to research in which direction security is evolving, in a time frame from now to 2-3 years.

Softpedia: Can you describe SatanCloud and how it works?

Marco Balduzzi: SatanCloud is a system that we designed and developed at EURECOM. It is an automated tool for testing Amazon's EC2 server images (AMIs) for privacy and security issues.

Softpedia: How did you come up with this name, SatanCloud?

Marco Balduzzi: “Cloud” because it is a cloud computing security tool, and “Satan” because it is a “satanic” or “evil” tool. When pronounced, SatanCloud sounds similar to Santa Claus.

Softpedia: You have analyzed more than 5,000 server images with SatanCloud. What did you find?

Marco Balduzzi: We analyzed all public server images provided by Amazon in its four data centers in Europe, Asia and US East/West. The experiment was conducted over a period of seven months, using SatanCloud in fully automated mode, testing more than 5,000 AMIs in total.

We found a first set of problems related to the security of using such images. For example, 98% of Windows and 58% of Linux AMIs come with obsolete software containing critical (possibly exploitable) vulnerabilities.

There are AMIs with installed backdoors or malware, and others that “spy” on the user by leaking their private information to an external host.

A second set of problems is related to the privacy of the users who publish the images on the cloud. There are users (or external providers) who publish the images, while others rent them.

The problem with these images is that they may contain leftover private information, such as private keys, passwords and credentials for accessing private systems. If an attacker rents these images, he can retrieve them.

Softpedia: Were there any major differences between what you found in the data centers in the US, Europe and Asia?

Marco Balduzzi: US was the first Amazon EC2 datacenter, and at the moment it contains the oldest images. When we compare the US with the other regions, we see that US images are more bugged and have more security issues.

Softpedia: So, Asia is the best from this point of view?

Marco Balduzzi: No, I won’t say that, but the images there are newer than in the US.

Softpedia: You mentioned security risks such as data leakage, unauthorized access, malware infections, and loss of sensitive information. Is any of these risks more likely to occur compared to the others?

Marco Balduzzi: It’s difficult to say which one is more prevalent, because we are comparing different things (we cannot compare potatoes with bananas), but we can say which one is probably more critical from the security point of view.

One important issue is that image publishers are often not aware of the possibility of recovering deleted files from their published images.

In fact, an attacker can rent several images and use special tools to undelete tons of personal data, like private SSH keys, passwords/usernames, and any sensitive information. In our experiments we were able to recover deleted files for both Linux and Windows machines.

Another big problem is that about 20% of the images we analyzed, 1 out of 5, came with an enabled login account, for example via password or SSH key. If the user who rents the image is not aware of this account and does not remove it, the attacker can connect to the machine and own it. The enabled account acts as a backdoor.

Softpedia: Can you make a comparison between Amazon’s cloud services and others?

Marco Balduzzi: The problems we identified may affect other providers as well. We focused our study on Amazon EC2 because it is the most used and popular service provider. But of course, someone else could probably run the same experiment on another provider.

Softpedia: Both private and government organizations have started relying more and more on the cloud. From your experience, how are they handling the migration process from conventional systems to cloud-based systems?

Marco Balduzzi: In my opinion, from a security point of view, the cloud has not introduced any new problem. The same problems we had before have now moved to the cloud. It’s the same with mobile phones. We had malware infections back in the '80s, first on desktops, then on laptops and now on smartphones.

The same goes for cloud computing. If you rent a server over the cloud, you must secure it and keep it patched, otherwise it will get hacked.

The Cloud's slogan is “Do you want to have a system running in a few seconds? Pay for it and you have it”. The problem is that cloud users may not be security experts. Often, they are not aware that using a cloud service, such as virtual server images, requires deploying a correct management and patching process.

The second point is that when you use a cloud service, you have to think that your data is not stored on your local computer, but somewhere on the Net. Somehow you should trust the place where your data is. When you use a cloud service, you want to make sure that what you upload to the cloud is not accessible by somebody else.

Softpedia: Apple said recently that people should trust the iCloud, but not too much, or at least not with highly sensitive information.

Marco Balduzzi: Exactly. File hosting services, such as iCloud or Amazon, for example, upload your personal data to the Cloud. You may believe that your data are well-secured, at least until the day when a bad guy comes and shows you the opposite.

Softpedia: Can you share some advice for users who want to utilize the cloud?

Marco Balduzzi: If you make extensive use of the cloud's virtual image services, or if you do it to run your business, I would suggest that you configure your own image. Don’t trust images published by others.

If you really prefer to use publicly shared images, before going online you want to make sure that the software is up-to-date, the network services are well configured and the image is cleaned of malware/backdoor infections. Remember that you are using an image provided by somebody else, who is not necessarily trustworthy.

If you want to publish your own image and you want to allow people to use it, make sure that you delete all the sensitive information. Use a tool like shred as well to wipe free space and prevent data recovery before publishing.

Softpedia: Is there anything else you want to add?

Marco Balduzzi: This research is a joint work with Jonas Zaddach, Davide Balzarotti, Engin Kirda and Sergio Loureiro. Here are the slides and the paper.
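As an added illustration of the advice above (it is not SatanCloud and not code from the interview), here is a hypothetical Python checker that scans a mounted image root for the leftovers Balduzzi describes: accounts that can still log in (a usable password hash in /etc/shadow or a non-empty authorized_keys file) and private keys or shell histories left on disk. The directory layout, file names and sample contents are constructed for this example.

```python
import os
import re
import tempfile

# Hypothetical pre-use / pre-publish checker written for this example; not SatanCloud.
PRIVATE_KEY_RE = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")
HISTORY_NAMES = {".bash_history", ".zsh_history", ".mysql_history"}

def audit_image_root(root):
    """Scan a mounted image root; return sorted (category, user_or_path) findings."""
    findings = []
    shadow = os.path.join(root, "etc", "shadow")
    if os.path.isfile(shadow):
        with open(shadow) as fh:
            for line in fh:
                fields = line.rstrip("\n").split(":")
                # '*', '!' or '!!' lock the password; an empty field or a hash means
                # the account can still log in, i.e. an enabled login was left behind.
                if len(fields) > 1 and not fields[1].startswith(("!", "*")):
                    findings.append(("password_login", fields[0]))
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if name == "authorized_keys" and os.path.getsize(path) > 0:
                findings.append(("ssh_key_login", rel))  # publisher's key still trusted
            elif name in HISTORY_NAMES:
                findings.append(("shell_history", rel))  # may hold typed passwords
            else:
                with open(path, "rb") as fh:
                    head = fh.read(64).decode("ascii", "ignore")
                if PRIVATE_KEY_RE.search(head):
                    findings.append(("private_key", rel))
    return sorted(findings)

def build_sample_image():
    """Constructed sample tree imitating a carelessly published image (fake data)."""
    root = tempfile.mkdtemp()
    def put(rel, content):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
    put("etc/shadow", "root:$6$fakesalt$fakehash:15000:0:99999:7:::\n"
                      "daemon:*:15000:0:99999:7:::\nubuntu:!:15000:0:99999:7:::\n")
    put("root/.ssh/authorized_keys", "ssh-rsa AAAAB3NzaFAKEKEY publisher@laptop\n")
    put("home/dev/.ssh/id_rsa", "-----BEGIN RSA PRIVATE KEY-----\nFAKE\n-----END RSA PRIVATE KEY-----\n")
    put("home/dev/.bash_history", "mysql -u admin -pFakePassword\n")
    put("etc/hostname", "web01\n")  # an innocent file, to show it is not flagged
    return root
```

This only finds files that are still present; wiping free space so that deleted files cannot be undeleted (the shred step in the interview) is a separate operation.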