Forbes reports on new research concerning security questions on Amazon’s cloud computing servers (cloud services are where you upload, store and access your data at an online service owned or operated by others; here’s a previous post I wrote discussing privacy and security issues with cloud computing).
Researchers at France’s Eurecom technology institute, Northeastern University and the security firm SecludIT ran automated scanning tools on more than 5,000 of the virtual machines images published on Amazon’s catalog of virtual machines set up with preset software and configurations and ready to run on Amazon’s Elastic Compute Cloud (EC2) service. They looked for security and privacy issues like malware, software vulnerabilities, and leftover data and user accounts from the administrator who set up the server’s software.
The results, which the team plans to present a paper at the Symposium on Applied Computing next March, aren’t pretty: 22% of the machines were still set up to allow a login by whoever set up the virtual machine’s software–either Amazon or one of the many other third party companies like Turnkey and Jumpbox that sell preset machine images running on Amazon’s cloud.
Almost all of the machines ran outdated software with critical security vulnerabilities, and 98% contained data that the company or individual who set up the machine for users had intended to delete but could still be extracted from the machine. […]
The research team notified Amazon about the issues last summer, and the company responded by posting a notice to its customers and partners about the problem. “We have received no reports that these vulnerabilities have been actively exploited,” the company wrote at the time. “The purpose of this document is to remind users that it is extremely important to thoroughly search for and remove any important credentials from an [Amazon Machine Image (AMIs)] before making it publicly available.” […]
The Eurecom team’s research isn’t the first to point out security issues in Amazon’s cloud services. Just earlier this week, a team of German researchers revealed a collection of vulnerabilities in Amazon’s web interface that allowed potential data theft from the company’s cloud platform. Amazon has now patched those flaws.
Here’s the research paper, “A Security Analysis of Amazon’s Elastic Compute Cloud Service” (pdf).