Have you ever thought about how hackers target public cloud infrastructures such as Amazon AWS? Since Amazon is the most popular public cloud, CloudPassage decided to answer this question by inviting hackers to a competition that paid out a hefty $5,000 to the first person who could gain access to a cloud infrastructure that they set up with Amazon AWS. The cloud that CloudPassage set up consisted of two Microsoft-based operating systems and four Linux-based operating systems. CloudPassage, a cloud security firm, set up the servers using default settings and a basic configuration. Four hours after the competition had begun, one of the hackers was able to gain administrator access to the system, thus netting the $5,000 bounty.
The man who won the prize is named Gus Gray. Gray is a 28-year-old first-year technology associate who is currently pursuing a bachelor's degree in computer science at Cal Poly State in San Luis Obispo. You would think that the “hack” Gray found was some elaborate security exploit; however, the method Gray used was quite rudimentary. Gray began by researching the OS and the applications installed on the image used to spin up the servers. While conducting his research, he noticed a remote access application that had been installed as a convenience for system administrators. Gray realized that the application shipped with a default password that needed to be changed once a system administrator began using it. Since this password hadn’t been set up yet, the default password logged him in and gave him administrator access over the box.
CloudBridge awarded him his prize, and it is unclear what Gray’s intentions for the money are. Andrew Hay is the Director of Applied Security Research at CloudPassage. He was quoted as saying, “People use cloud because it is fast, it is cheap, and it takes little to no time to get up and running.” Hay was asked about the lack of security in most cloud environments and replied, “They’re not thinking of these security ramifications.”