Cloud computing: Gaps in the 'cloud'

Oct 24, 2011 by Jens Wylkop

Researchers from Ruhr-University Bochum have found a massive security gap at Amazon Cloud Services. Using different methods of attack (signature wrapping and cross site scripting) they tested the system which was deemed "safe". "Based on our research results, Amazon confirmed the security gaps and closed them immediately", said Prof. Dr. Jorg Schwenk, chair for network and data security at the RUB. Amazon Webservices (AWS) offers its customers cloud computing services and hosts, among others, services like Twitter, Second Life and 4Square.

Cloud computing could be the major computing paradigm of tomorrow. The idea of processing and storing software and data in a cheap external infrastructure is becoming increasingly popular. The fact that these services are by no means as secure as promised is now demonstrated by the research results of Prof. Schwenk and his staff.

The "Cloud" is a collection of many virtual servers with concentrated . Outsourcing to cloud computing has many advantages for professional users: they can rent storage and server capacity short term on demand. The service is invoiced, for example, according to the usage period, and the customer saves the cost of purchasing his own software and hardware. Up to now, the discussion about cloud computing has above all been dominated by the inability to comply with legal requirements. "Real" attacks were, however, less in the public eye.

"A major challenge for cloud providers is ensuring the absolute of the data entrusted to them, which should only be accessible by the clients themselves," said Prof. Schwenk, who set out with his staff to seek weak points. They have found what they were looking for: Juraj Somorovsky, Mario Heiderich and Meiko Jensen tested the security concept of the cloud provider Amazon Web Services, in short AWS.

"Using different kinds of XML signature wrapping attacks, we succeeded in completely taking over the administrative rights of cloud customers", said Juraj Somorovsky. "This allowed us to create new instances in the victim's cloud, add or delete images." The researchers suspect that many cloud offers are susceptible to signature wrapping attacks, since the relevant web service standards make performance and security incompatible. "We are working on a high-performance solution, however, that no longer has any of the known security gaps", said Prof. Dr. Jörg Schwenk.

In addition, the researchers found gaps in the AWS interface and in the Amazon shop which were ideally suited for smuggling in executable script code - what are termed cross-site scripting attacks. With alarming consequences: "We had free access to all customer data, including authentication data, tokens, and even plain text passwords" said Mario Heiderich. The researcher see the common login as a complex potential danger: "It's a chain reaction. A security gap in the complex Amazon shop always also directly causes a gap in the Amazon cloud."

In contrast to public belief, Private Clouds are also vulnerable to the aforementioned attacks: Eucalyptus, an open source project widely used to implement Cloud solutions within companies, did expose the same weaknesses. "A rough classification of cloud technologies cannot replace a thorough security investigation", states Prof. Schwenk.

"Critical services and infrastructures are making increasing use of cloud computing", explained Juraj Somorovsky. According to industry estimates, the turnover of European cloud services is set to more than double in the next four years – from around 68 billion Euros in 2010 to about 148 billion in 2014. "Therefore it is essential that we recognise the security gaps in and avoid them on a permanent basis." Industry took immediate action: "On our advice, Amazon and Eucalyptus confirmed the security gaps and closed them immediately".

Explore further: MIT groups develop smartphone system THAW that allows for direct interaction between devices

Provided by Ruhr-University Bochum

not rated yet
add to favorites email to friend print save as pdf

Related Stories

Study on the Security of Cloud Computing

Feb 26, 2010

Not only does cloud computing help to save money, it also helps to increase IT security: Small and medium sized companies especially can profit from special cloud security solutions and the knowledge advantage of experienced ...

Sun Microsystems to offer 'public cloud' service

Mar 18, 2009

(AP) -- Taking a cue from Amazon.com, Sun Microsystems Inc. plans to launch its own "public cloud" service, which will let everyone from big-time corporations to dorm-room entrepreneurs run their businesses on Sun's computers ...

CeBIT 2011: Administration in the cloud

Feb 10, 2011

The emerging field of cloud computing is an interesting one, and not just for businesses. The field of public administration benefits from the technology as well. Fraunhofer Institutes are developing solutions ...

Recommended for you

Computerized emotion detector

Sep 16, 2014

Face recognition software measures various parameters in a mug shot, such as the distance between the person's eyes, the height from lip to top of their nose and various other metrics and then compares it with photos of people ...

Cutting the cloud computing carbon cost

Sep 12, 2014

Cloud computing involves displacing data storage and processing from the user's computer on to remote servers. It can provide users with more storage space and computing power that they can then access from anywhere in the ...

Teaching computers the nuances of human conversation

Sep 12, 2014

Computer scientists have successfully developed programs to recognize spoken language, as in automated phone systems that respond to voice prompts and voice-activated assistants like Apple's Siri.

User comments : 0