Amazon, HP, and GoGrid IaaS Services Ripe for Attack, Stolen Customer Data

If you use Amazon, HP or GoGrid for Cloud-based server services, you'll need to take extra steps to secure the environment.

Bkav corporation, a security vendor located in Mountain View, California, has uncovered a lack of security best practices from some of the top Cloud providers vendors. Initially discovered and verified for Amazon's IaaS service, the company's researchers also found the same issues with HP and GoGrid.

The problem is that when new servers are created using these services, Auto Update defaults to off. While this is not a problem in itself because good admins should know to verify these updating settings (right?), the base server images are severely out of date.  A new Windows 2003 Server instance using Amazon's service shows a server that has not been patched since October 2009. HP and GoGrid are a little better, with HP's server instances carrying updates from July 2013 and GoGrid from April 2012.

By permitting the base images to get so horribly out of date, Amazon, HP, and GoGird are allowing server instances to be created, connected instantly to the Internet, that are also immediately vulnerable to attack. Customers of the service expect to be protected from a 5-year history of flaws and exploits and it really exposes a sort of laziness on the provider's part. Many companies rely on these services, pay good money for subscriptions, and shouldn't have to double-check that the vendor is adhering to security industry best practices. Server images should be updated frequently, incorporating the latest security measures made available.

To me, this shows how out of touch some Cloud providers are with what is actually expected in a business IT environment, and what has been learned by every administrator over decades of dealing with security issues. It also underscores how utilizing Cloud services in a Hybrid Cloud scenario means that IT Pros need to be extra careful and extra wary. Just because a particular service is popular and has a big name doesn't mean they are any less vulnerable. The same steps need to be taken to secure the Cloud as is practiced internally, particularly since most companies using a Hybrid Cloud are doing so just to expand the current network environment.

Bkav found the problem during an investigation where customer's data had been stolen from an Amazon-provided Cloud server. Bkav also tested against Microsoft's IaaS service and found that the company's server images are up-to-date and have Auto Update enabled by default.

Bkav has released a video presenting proof of the problem and even showing how vulnerable a brand new server instance can be.