Cloud Computing Use By Criminals Increasing


Over the last couple of years Cloud Computing has started gaining some real leverage, it’s being deployed on a wide scale, it’s becoming more affordable and the platforms supplying such services are becoming more stable.

Of course the natural progression of this wider adoption is the focus of the security community and naturally the bad guys too.

There are already tools/services that will rate your Cloud Security and there have been demonstrations of Password Cracking using Cloud Platforms.

Legitimate businesses may well be turning to the Cloud in increasing numbers, but so too are illegitimate business, according to the Minister for Home Affairs and Justice, Brendan O’Connor.

In a speech, given at the International Association of Privacy Professionals Annual Conference in Sydney, O’Connor said cyber criminals were increasingly exploiting the Cloud to achieve their own aims.

“Cyber criminals can not only steal data from Clouds, they can also hide data in Clouds,” he said. “Rogue Cloud service providers based in countries with lax cybercrime laws can provide confidential hosting and data storage services, which facilitates the storage and distribution of criminal data, avoiding detection by law enforcement agencies. By way of example, O’Connor said cyber criminals could use the Cloud to secretly store and distribute child abuse material for commercial purposes.

“Cyber criminals can control servers in Clouds, denying legitimate users access to websites and targeting websites with repeated messages or images,” he said. “There have also been suggestions that Clouds can be used as launching pads for new attacks, such as trying all possible password combinations to break into encrypted data.”

According to O’Connor, the late 2009 attack on Google and several other companies was a reminder of how vulnerable systems and data were.

The whole Cloud model is a boon for cyber-criminals as they can effectively rent as much computing power and storage space as they need with stolen credit card details. They can keep it private if they want, and it’s distributed virtually ‘bullet-proof’ hosting.

I’m sure it’s something which will become more prevalent and I’m pretty sure it’s something which the authorities will start looking into soon. The one thing that will get everyone hot and bothered is if it’s discovered that a Cloud Platform is being used for any form of terrorism.


In order to mitigate the risks posed by cyber security, increased transparency and confidence building between Cloud service providers, businesses and government agencies was required, O’Connor said.

For its part, the government was seeking to achieve this through Australian Federal Police’s (AFP) High Tech Crime Unit, a child exploitation tracking system developed by CrimTrac, and thought leadership from the Australian Government Information Management Office (AGIMO).

“AGIMO has consulted widely across government, and is currently investigating a number of issues, including: the vulnerability of offshore data storage; the extra-territorial legal issues around compliance and privacy; and, the contractual arrangements necessary to achieve appropriate levels of security,” O’Connor said.

“Because Cloud service providers aren’t interchangeable, the difficulties inherent in swapping providers will also need to be considered, along with the ability to retrieve information in the event of a disaster or vendor failure.”

In addition, there may also be increased security or privacy risks for governments if a Cloud had unrelated customers sharing hardware and software resources, with the concentration of resources and data in one place providing an attractive target for cyber-criminals.

As with any new platform it needs to mature and it needs some kind of legislation to crack down on illegal activities plus laws to deal with privacy, data segregation and so on.

It’s certainly an area which has sparked some interest and I’m sure we’ll all be watching it closely. I do deal with some large scale web deployments that need high-availability/clustered/cloud platform components so I’m pretty sure some of you do to.

Source: Network World

Posted in: Hacking News, Web Hacking

,


Latest Posts:


Aclpwn.Py - Exploit ACL Based Privilege Escalation Paths in Active Directory Aclpwn.Py – Exploit ACL Based Privilege Escalation Paths in Active Directory
Aclpwn.py is a tool that interacts with BloodHound< to identify and exploit ACL based privilege escalation paths.
Vulhub - Pre-Built Vulnerable Docker Environments For Learning To Hack Vulhub – Pre-Built Vulnerable Docker Environments For Learning To Hack
Vulhub is an open-source collection of pre-built vulnerable docker environments for learning to hack. No pre-existing knowledge of docker is required, just execute two simple commands.
LibInjection - Detect SQL Injection (SQLi) and Cross-Site Scripting (XSS) LibInjection – Detect SQL Injection (SQLi) and Cross-Site Scripting (XSS)
LibInjection is a C library to Detect SQL Injection (SQLi) and Cross-Site Scripting (XSS) through lexical analysis of real-world Attacks.
Grype - Vulnerability Scanner For Container Images & Filesystems Grype – Vulnerability Scanner For Container Images & Filesystems
Grype is a vulnerability scanner for container images and filesystems with an easy to install binary that supports the packages for most major *nix based OS.
APT-Hunter - Threat Hunting Tool via Windows Event Log APT-Hunter – Threat Hunting Tool via Windows Event Log
APT-Hunter is a threat hunting tool for windows event logs made from the perspective of the purple team mindset to provide detection for APT movements hidden in the sea of windows event logs.
GitLab Watchman - Audit Gitlab For Sensitive Data & Credentials GitLab Watchman – Audit Gitlab For Sensitive Data & Credentials
GitLab Watchman is an app that uses the GitLab API to audit GitLab for sensitive data and credentials exposed internally, this includes code, commits, wikis etc


One Response to Cloud Computing Use By Criminals Increasing

  1. chirchir December 17, 2010 at 2:54 pm #

    good work