Public Cloud Keys Too Easy to Find
If you put the keys to your cloud infrastructure in plain sight, don't be surprised if you get hacked.
Would you leave the keys in the ignition of a running car in Times Square? According to new research, that is precisely what many people are doing when it comes to the public cloud.
Security consulting firm Stach & Liu has recently updated their Diggity toolset to easily enable researchers to find cloud security keys that have been left out in the open.
"I'm looking for people that have embedded Amazon Cloud keys within public source code," Francis Brown, managing partner at Stach & Liu, told InternetNews.com.
The Search Diggity tool works by scanning the Google Code search index for matches against regular expressions that describe commonly used key formats. "We're finding several thousand Amazon cloud keys and secret keys that are embedded in code," Brown said. What is happening is that some people are embedding their cloud keys directly in code and then publishing that code somewhere publicly accessible.
Once a researcher has access to the cloud keys, they can access an Amazon cloud instance with the same credentials as the owner of the cloud instance.
"The real problem is that this is just like if a user put their username and password out in a piece of code somewhere, thinking that no one would ever find it," Brown said. "It's just too easy to take control of an Amazon account given the shared account and secret key, so if anyone puts that information out anywhere, you're pretty much done."
In Brown's view, Amazon's cloud security is not where it needs to be for sensitive data, and there is no "right way" to embed Amazon cloud credentials in a public document.
"It's just like a username and password and if you put it out there in some public way, you're in trouble," Brown said. "In fact, it's even worse than username and password, since it's harder to find that in code, whereas the Amazon cloud keys are very specific formats that make it easy to find on the Internet."
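The "very specific formats" Brown describes cut both ways: the same patterns can be matched locally before code is ever pushed to a public repository. The scanner below is an added example, not Stach & Liu's tool or code from the article; the regexes, the file suffix list and the sample file are my assumptions, and the sample credentials are the placeholder values AWS uses in its own documentation.

```python
import re
from pathlib import Path

# AWS access key IDs are 20 uppercase alphanumerics starting with "AKIA";
# secret keys are 40 base64-style characters. The secret pattern is only
# applied next to a "secret...key" name to keep false positives down.
ACCESS_KEY_RE = re.compile(r"(?<![A-Z0-9])AKIA[0-9A-Z]{16}(?![A-Z0-9])")
SECRET_KEY_RE = re.compile(
    r"secret[_a-z]*key\W{0,4}([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])", re.I)

# Assumed set of file types worth scanning in a pre-commit hook.
SCAN_SUFFIXES = (".py", ".js", ".java", ".rb", ".cfg", ".ini",
                 ".yml", ".yaml", ".json", ".txt", ".properties")


def redact(token):
    """Never echo a full credential into logs or CI output."""
    return token[:4] + "..." + token[-4:]


def scan_text(text, path="<stdin>"):
    """Return findings as (path, line_no, kind, redacted_token) tuples."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append((path, n, "aws_access_key_id", redact(m.group(0))))
        for m in SECRET_KEY_RE.finditer(line):
            findings.append((path, n, "aws_secret_access_key", redact(m.group(1))))
    return findings


def scan_tree(root):
    """Walk a source tree (e.g. the checkout about to be committed)."""
    findings = []
    for p in Path(root).rglob("*"):
        if p.is_file() and (p.suffix in SCAN_SUFFIXES or p.name == ".env"):
            try:
                findings.extend(scan_text(p.read_text(errors="replace"), str(p)))
            except OSError:
                continue
    return findings


# Constructed sample of the anti-pattern the article describes: credentials
# hard-coded in a source file. Values are AWS's documentation placeholders.
SAMPLE = """\
# settings module
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
aws_secret_access_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
S3_BUCKET = "my-bucket"
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE, "settings.py"):
        print("%s:%d: %s %s" % f)
```

A non-zero finding count is what a pre-commit hook would turn into a rejected commit; reading credentials from the environment instead of the file is the fix that makes the scan come back clean.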
Stach & Liu first launched the Diggity toolset in 2010 as a way to mine Google search information for useful security research. The tools were expanded in 2011 to scan the Chinese Baidu search engine, as well.
Diggity currently leverages the Google Code search index, but Google has said it plans to shut down Code Search in early 2012. Brown noted, however, that even when Google Code Search goes offline, there are other code search indexes he will be able to leverage.
"I'm either going to migrate to another search that is like Google Code, like Koders or I'll just build something on my own," Brown said. "But, one way or another, we will migrate to something."