Renting cloud servers can leave sensitive data up for grabs
UNIVERSITY PARK, Pennsylvania — Renting space and IP addresses on a public server has become common business practice, but according to a team of Penn State IT experts, current industry practices can lead to “cloud squatting,” a security risk that endangers sensitive customer and organizational data intended to remain private.
Cloud squatting occurs when a company, such as a bank, rents space and IP addresses (unique addresses that identify individual computers or computer networks) on a public server, uses them, and then returns the space and addresses to the public server company, a standard pattern seen every day. The public server company, such as Amazon, Google, or Microsoft, then assigns the same addresses to a second company. If that second company is a bad actor, it can receive incoming information at the address intended for the original company (for example, when you, as a customer, unknowingly use an outdated link when interacting with your bank) and use it to its advantage: cloud squatting.
“There are two benefits to renting server space,” said Eric Pauley, a computer science and engineering PhD student. “One is cost advantage, savings on equipment and management. The other is scalability. Renting server space provides an unlimited pool of computing resources so that as the workload changes, companies can adapt quickly.” As a result, cloud usage has grown exponentially, which means almost every website a user visits takes advantage of cloud computing.
While Penn State researchers suspected that cloud squatting was possible, they designed an experiment to determine if cloud tenants were vulnerable and to quantify the extent of the problem. The researchers set up a series of cloud server rentals from Amazon Web Services in its us-east-1 region, the region that serves the east coast of the United States. They rented server space for 10-minute intervals, received information sent to the address intended for previous tenants, then moved to another server location, repeating the process. They did not request any data and did not send any data. Whatever unsolicited data they received was potentially intended for former tenants.
For example, if a mobile banking company rented server space, it would receive an IP address from the public cloud services company. After relinquishing that server space and IP address, the next tenant of that space could receive all personal financial data sent by the bank customer to the IP address.
The researchers note in the Proceedings of the 43rd IEEE Symposium on Security and Privacy that they “deployed over 3 million servers receiving 1.5 million unique IP addresses over 101 days.” They identified cloud servers, third-party services, and domain name servers (DNS) as sources of potentially serious security vulnerabilities.
“The previous perception was that the DNS was the only risk,” Pauley said. “So if the DNS was secure, it was fine. Unfortunately, it wasn’t a panacea.”
Of the 5 million pieces of data they received, many contained sensitive information, including financial transactions, GPS locations and personally identifiable information.
“We did not knowingly receive health data, but we have confirmed that an adversary could receive this data,” said Patrick McDaniel, William L. Weiss Professor of Information and Communications Technology at the School of Electrical Engineering and Computer Science, Penn State. “For example, requests received by one of our IP addresses were directed to the health and human services website, HHS.gov. We did not interact further, but others may claim to be an HHS service and get people to interact.” In this case, from the user’s perspective, they would believe they are talking to a legitimate government agency, exposing sensitive personal and health data.
If companies run in-house mail or print services in the cloud and later drop the IP addresses of those services, requests sent by company personnel who mistakenly use the old addresses, or who are unaware that the addresses have changed, may get into the wrong hands.
“Our experiment collected, encrypted and sent everything we obtained to a secure location for analysis,” McDaniel said. “We also took additional steps to ensure that all detected user data was protected.”
McDaniel notes that the research was conducted pursuant to Amazon’s Vulnerability Reporting Program, which allows security researchers acting in good faith to conduct their research.
The researchers immediately contacted the three major cloud server companies, AWS, Microsoft and Google, as well as vulnerable US government agencies, to inform them of the vulnerabilities in their server practices. Amazon, after reviewing the information and an internal audit, is implementing a series of practices to try to contain cloud squatting on its servers.
To address cloud squatting issues, the researchers believe that mitigation efforts should be made by both cloud server companies and customers who rent server space. On the cloud server side, one of the ways to thwart cloud squatting is to prevent the reuse of IP addresses. However, this is limited by the number of available IP addresses.
Second, “server companies can create blocks of reserved IP addresses,” McDaniel said. “A large customer organization might be assigned a fixed range of recyclable addresses within the company.”
Third, server companies can delay the recycling of IP addresses, but the longer the IP addresses are inactive, the more expensive it will be for the server company.
On the client side, customers can avoid leaving behind configurations that still point to cloud server IP addresses after those addresses are dropped. However, the researchers found that this rarely happened because central control and oversight of IP address configurations within an organization was often limited. In interviews with affected cloud server users, researchers found that many organizations had little visibility into how the dozens or hundreds of different accounts using cloud computing capabilities were being used and, more importantly, decommissioned, by departments and employees.
“Users typically fail to delete configurations that point to IP addresses on cloud servers,” McDaniel said. “It could be a downgraded printer that’s still on the menu or a domain name or a post-it saying connect to a specific address. Because the issues are very broad and spread over very many users, it can be very difficult to have a method to fix them; however, common threads are a failure to monitor and decommission obsolete configurations.”
IP addresses used to be long-lived or static, but now they are dynamic and change in hours or minutes. This introduces a large class of vulnerabilities, according to the researchers.
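The customer-side check described above, finding configurations that still point at cloud addresses the organization has released, can be automated. The following Python sketch is an added example, not code from the researchers or from any cloud provider; the zone listing, the provider ranges and the list of held addresses are constructed sample data using documentation address ranges.

```python
import ipaddress

# Constructed sample data (documentation address ranges, not real allocations).
CLOUD_RANGES = ["198.51.100.0/24", "203.0.113.0/24"]  # ranges the provider recycles among tenants
CURRENTLY_HELD = {"198.51.100.10", "203.0.113.7"}     # addresses the organization holds today
ZONE = """\
www.example.com.     300 IN A     198.51.100.10
api.example.com.     300 IN A     198.51.100.77
print.example.com.   300 IN A     203.0.113.50
mail.example.com.    300 IN A     192.0.2.25
old.example.com.     300 IN CNAME api.example.com.
"""

def parse_zone(text):
    """Return {name: (rtype, value)} for A and CNAME lines of a simple zone listing."""
    records = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[2] == "IN" and parts[3] in ("A", "CNAME"):
            records[parts[0]] = (parts[3], parts[4])
    return records

def resolve(name, records, depth=0):
    """Follow CNAMEs inside the zone to an A value; None if unresolved or looping."""
    if depth > 8 or name not in records:
        return None
    rtype, value = records[name]
    return value if rtype == "A" else resolve(value, records, depth + 1)

def find_dangling(zone_text, cloud_ranges, held):
    """Names whose address lies in a recyclable cloud range but is no longer held."""
    nets = [ipaddress.ip_network(c) for c in cloud_ranges]
    records = parse_zone(zone_text)
    dangling = {}
    for name in records:
        ip = resolve(name, records)
        if ip is None:
            continue
        addr = ipaddress.ip_address(ip)
        # On-premises or third-party addresses fall outside the ranges and are skipped.
        if any(addr in n for n in nets) and ip not in held:
            dangling[name] = ip
    return dangling

if __name__ == "__main__":
    for name, ip in sorted(find_dangling(ZONE, CLOUD_RANGES, CURRENTLY_HELD).items()):
        print(f"STALE {name} -> {ip} (cloud address not held by this organization)")
```

Records reached only through a CNAME are flagged as well, since an alias to a stale name sends traffic to the same released address.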
“I would heed the conclusion that despite the overwhelming appeal of cloud servers, cloud computing is not without risk,” Pauley said. “However, by managing and monitoring their use, we can mitigate much of this danger. The free lunch that people thought clouds were is not free. Companies must weigh the risk to benefit.”
Others working on this project were Ryan Sheatsley, Blaine Hoak, Quinn Burke, and Yohan Beugin, all graduate students of Penn State’s School of Electrical Engineering and Computer Science.
The National Science Foundation supported this work.