Crypto boffins uncover rogue task risk on Amazon cloud

Security researchers have unearthed a flaw in Amazon Web Services that created a possible mechanism for hackers to take over control of cloud-based systems and run administrative tasks. The flaw, which affected Amazon's EC2 cloud and has already been plugged, could have been abused to start and stop virtual machines or create …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward

    Getting tired of these ALL CAPS hysterical headlines. The Register is looking more and more like the Daily Mail of IT journalism.

    1. Destroy All Monsters Silver badge

      That is THE POINT!

    2. Goat Jam
      Paris Hilton

      Not to mention that "All your clouds are belong to us" is totally grammatically incorrect!

      1. Turtle_Fan

        @Goat Jam

        A bit of a phail on your behalf here mate. It's meant to be so. And if you don't know why, then go look up the original phrase.

        1. Goat Jam

          Whooosh

          My post was ironic, you imbecile.

          All Your Base Belong To ME.

  2. Blofeld's Cat
    Stop

    Could have...

    ... but didn't.

    Researchers could have published a straightforward, dull report ... ... but didn't.

  3. dlc.usa
    Holmes

    You Bet Your Business

    I submit no organization's working component is more likely to terminate that organization's very existence than its aggregate IT component. Any CxO that doesn't understand that overarching risk should not have his/her position because, sooner or later, that organization will be bitten hard as a consequence of underfunding the crucial areas of IT, with security at the top of the list followed by loyalty and competency of the key IT employees. Competent IT employees will never buy Brand X because nobody ever got fired for doing so--to decide on such a basis demonstrates incompetency. Competent IT employees do their homework and well consider the major big picture risks of all possible choices.

    I expect a lot of incompetent CxOs are going to be exposed as these cloud security lapses multiply.

    1. ed 8

      NO

      In-housing all IT is akin to keeping your money in a box under your bed. Does your company keep all its cash in a safe in the basement? No, it keeps it in a bank, so why does it do the same with its data and IT systems? Sure, Amazon's data center and infrastructure are going to be a big juicy target for hackers, just like banks get robbed. Like banks, they have some pretty significant security investment for that reason. Read the physical security section on this document

      http://awsmedia.s3.amazonaws.com/pdf/AWS_Security_Whitepaper.pdf

      Can you honestly say that your organisation has such safeguards? 12 years working with IT departments across the UK has taught me that almost all organisations are utterly hopeless at security.

      "Oh yeah, the password is adm1n or passw0rd..? What do you mean 60 bits of entropy? I can't remember it so I put it on this post-it and emailed it to my hotmail"

      At least EC2 goes some way to enforcing security best practice with ssh keys and such but you people will still leave themselves wide open.

      So I'm sure there will be high profile breaches and outages... it's inevitable, but the direction and the cost case is set in stone. The internet is just about good enough now that you can stick your IT systems "over there" and they will work just great, and it's cheaper and more secure so happy days, quit bitchin and make sure your CV is nice and up to date.

      1. trottel

        money != data

        This analogy is just not good.

        If a bank "loses" my $0.02, they can just give me another $0.02 and I will be just as happy. If xyz-cloud loses my customer invoices, they cannot just give me some others... is that so hard to see?

  4. Anonymous Coward

    pedantry :)

    "The flaw, which affected Amazon's EC2 cloud..."

    Doesn't EC2 stand for elastic compute cloud? So an EC2 cloud is an elastic compute cloud cloud... wonder when we'll see an elastic EC2 cloud...

    1. Uncle Siggy
      Headmaster

      An EC2 cloud would be an Elastic Cloud 2 Cloud.

  5. SiliconSlick
    Thumb Up

    OK... that gets us to EC3 (which is worth one upvote for a hint)...

    but what gets us to the "EC4 authentication systems" mentioned in the article? I'm still trying to figure out that one.

    @+++ath0.... indeed... "could have" and "TAKEN OVER" is quite yellow -- journalistically speaking. I guess the vultures covered their arse with the "could have" bit, but, still, Amazon might have reason to... oh, I dunno (IANAL)... be unhappy. (???)

    I will say this... as an individual about to embark on some benchmarking of AWS EC2 clusters now that they've fixed the Placement Groups problem[*], the headline certainly got my attention. After reading the article, I'll take my chances. But some corporate beancounter at some point will just read the headline and cross Amazon's AWS off the list of cloud "solutions" (resulting in a loss of revenue for Amazon... etc.etc.).

    SS (not sure he would maintain a permanent presence using EC2, but would certainly keep it in the toolbox for prototyping and scalability testing... and quite curious what "EC4" is about)

    [*] https://forums.aws.amazon.com/thread.jspa?threadID=78069

  6. Anonymous Coward

    Shouldn't that be...

    All your cloud are belong to us

  7. Sirius Lee

    A CIO's task is...

    ...to help the company make profit.

    Like all management jobs, it's a balancing act. There is no right answer. If your competitors use an IT service (any IT service) and as a result are able to provide product faster/cheaper/better than you, what are you going to do? Pray that the competitor is hacked to show their decision was flawed?

    Of course not, you have to do the same or better or risk your job. The balance is between risk and reward just as it is for all the other execs. When the CFO hedges a corporate position that hedge may fail and the company lose money. When the COO tries a new manufacturing technique it may fail and the company lose money.

    It is ridiculous to suggest that CIOs should have perfect foresight or be absolutely risk averse. If you've invested in a company with a massively risk averse IT operation, sell, or you are likely to lose some or all of your investment.
