How long would it take to hack into an average Web-based server—the kind a company might rent from the likes of Amazon Web Services? To find out, the security company CloudPassage set up six servers, two running Microsoft operating systems and four running Linux-based operating systems, loaded them with various combinations of widely used programs, and invited hackers to take their best shot. Top prize: $5,000.
It took just four hours for the winning hacker to capture the flag and the bounty. Worse still, he was a novice. Gus Gray, 28, has worked for a technology company for a little over a year and is taking classes toward a bachelor’s degree in computer science at California Polytechnic State University in San Luis Obispo. “I just thought I’d spend two or three hours poking around and see what I could learn, and it would make for an interesting evening,” he says.
That’s one way to put it. As companies shift from old-fashioned and expensive servers managed within four walls to cloud data centers online, the market for cloud-based infrastructure has grown to $9.2 billion, according to an estimate by the technology research firm Gartner (IT). What that money buys may not be the security people assume it does.
CloudPassage configured the systems without any security beyond the default setting required to get them to run, mimicking the setups they often see among clients. “People use cloud because it is fast, it is cheap, and it takes little to no time to get up and running,” says Andrew Hay, the company’s director of applied security research. “That’s what’s motivating a lot of people. They’re not thinking of these security ramifications.”
After researching the operating systems and applications on the servers, Gray decided to poke around on a utility application that allowed remote access from the Internet—a convenience for system administrators that can be easy to attack, Gray says. The application used a default password that wasn’t unique to either the program or the operating system, which Gray was able to guess (there are lists of default passwords for hundreds of programs publicly available online). Once he logged on, the application basically gave him administrative access to the entire server. He could grab whatever he wanted.
“I was expecting this grandiose and very elaborate attack,” says Hay. “That’s what surprised me, that this person who essentially was impersonating an administrator was able to gain total access to the server.”
A malicious hacker could easily write a computer program that automatically scans any server in the cloud for the same default-password weakness Gray found, then break in wherever it turns up, according to CloudPassage CEO Carson Sweet. CloudPassage has been working with the vendor of the application to fix the vulnerability.
Selling security services for the cloud is, of course, CloudPassage’s business. It’s in its interest to foment anxiety, and the dramatic conclusion of the contest does that. Even so, the report offers some common-sense suggestions: Companies can limit access they give to administrative accounts and ensure that they’re doing the basics, such as changing default passwords into ones that are more difficult to crack, and patching applications to fix known vulnerabilities.
Gray, for his part, did one thing immediately: “As soon as I had finished and saw the results, I basically came back to my own company and immediately implemented a couple of changes to prevent something similar happening at my company.”