“Get Off of My Cloud”: Cloud Credential Compromise and Exposure

Presented at DerbyCon 1.0 (2011), Oct. 1, 2011, 2 p.m. (50 minutes).

An Amazon Machine Image (AMI) is a virtual appliance container used to create virtual machines (VMs) within the Amazon Elastic Compute Cloud (EC2). EC2 instances typically interact with a variety of Amazon Web Services (AWS), and as such require access to AWS credentials and private key materials. We will explore how AWS credentials and keys may end up being persisted within an AMI, allowing these credentials and key materials to be unintentionally shared with 3rd parties. We will discuss the risks and potential impacts of compromise of this sensitive information.

A new tool, “AMIexposed” will be released that can check an AMI for the most common ways AWS credentials and keys are persisted within an AMI. The results of research using AMIexposed against public AMIs will be presented, helping to quantify the scope and prevalence of AWS credentials and keys exposed within public AMIs. We’ll also discuss the risks inherent in trusting public AMIs to be free of backdoors, trojans, and other malicious hitchhikers. Results of an experiment demonstrating these risks will be presented. Finally, the talk will propose best practices for utilizing AMIs, both from the AMI creator and the AMI user perspective.


Presenters:

  • Jeff Jarmoc
    Jeff has been hacking most of his life. He got his start in the early days of the 312 BBS scene, moved on to IRC and USENET, and eventually pursued a career in enterprise infrastructure and security. His latest passion is abusing ubiquitous infrastructure devices and systems in an attempt to bring renewed focus on the security of these systems everyone has come to rely on. Jeff has previously spoken at Black Hat USA. When not abusing software and hardware he enjoys spending time with his wife and daughter.
  • Ben Feinstein
    Ben Feinstein is Director of CTU Operations & Analysis with the Dell SecureWorks Counter Threat Unit (CTU). Ben is an author of RFC 4765 and RFC 4767, and has over a decade of experience designing, implementing and operationalizing security-related information systems. His major areas of expertise include network IDS/IPS, digital forensics and incident response, and security operations. Ben has previously presented at Black Hat USA, DEF CON, ToorCon, DeepSec, the U.S. Department of Defense Cyber Crime Conference, and many other events. He is active in his local DEF CON group, DC404.

Similar Presentations: