Back to overview

Cloud Security: Fair weather or gathering storm?

DUnkle Wolken: Die knapp werdenden IPv4 Adressen werden zum Sicherheitsrisiko für die CloudThe use of cloud services is widespread by now and continues to gain popularity. Many companies are pushing into the cloud, just to save money if nothing else. Security and data protection concerns are mitigated by appropriate claims of cloud providers, such as “data centers in Europe” and “private areas in the cloud”.

Problematic infrastructure

A great advantage of such solutions is the ability to dynamically adapt servers to demand. Services migrate from a smaller server to a larger one, or additional servers are started, depending on the utilization of the service. If a server is no longer needed, it is shut down or provisioned for another service.

All servers that offer cloud services usually need an official IP address, which is known to become increasingly scarce (there is solution, though: read about IPv6 in this article). This means that the addresses of the provider have to be reused in a short time after their freedoms.

IP recycling can cause data leaks

In a very recommendable article, security specialist Remco Verhoef [1] has now reported how the reuse of IP addresses can lead to potential leakage of private data. He has tracked the requests made to Amazon Cloud servers over four months. In most cases, they originated from clients that still hold old DNS records and therefore still keep the service on the server active. Before shutting down or migrating a service, the service provider must first adjust the DNS records. The server must of course remain available for a period of time until all clients have updated their DNS entries. The lifetime of the DNS entries is therefore kept short. But even after their expiration, late requests can reach the server.

The recorded inquiries include, among other things, frequently used cloud services like Google, Microsoft, Twitter, and Apple. Mostly they are SSL-encrypted, so a simple interception is not possible.

Man in the middle via manipulated certificates

A possible attack scenario would be a man-in-the-middle-attack with a self-generated certificate. The queries are forwarded to the “real” cloud service, to prevent the user from noticing anything suspicious. At this point, it is important that the respective application checks the certificate on the client and in case of doubt does not establish a connection or at least warns the user. Unfortunately, this is not always the case, and certificate warnings are often ignored: many average users don’t know what purpose certificates actually serve anyway.

This potential vector is complemented by security gaps in SSL implementations, such as Heartbleed or FREAK, which enable attacks on the SSL connection. Additionally, even certification bodies have already been compromised and certificates have been falsified in the past.

In response to Verhoef’s discoveries, Amazon introduced an “IP Cooldown Feature”, which means that IP addresses are no longer reused so quickly. This is intended to contain the attack capability described above. However, the scarcity of the IP addresses remains a problem.

In summary, I would advise any user of cloud services and the planners and programmers of cloud applications:

  •  do strongly encrypt every traffic to and from the cloud
  • check the SSL certificates for each connection established
  • make very sure to keep your client and server software up to date, especially the SSL libraries
  • precisely control and monitor the scaling of a service

Companies need to ensure that appropriate security measures are implemented when selecting the cloud provider. The cloud makes the provision of new services easy. However, the security of your own data should not be compromised.

The measures to acchieve this are available. But they have be used consistently.

 


[1] https://isc.sans.edu/forums/diary/My+Catch+Of+4+Months+In+The+Amazon+IP+Address+Space/22129/

Leave a Reply