Back to Table of contents

Primeur weekly 2011-10-31

Exascale supercomputing

PRACE partner Jülich joins XSEDE ...

The Cloud

Citrix NetScaler CloudConnectors extend network fabric to "last mile" Cloud services ...

Cloud computing: Gaps in the 'Cloud' ...

Final version of NIST Cloud computing definition published ...

Citrix CloudGateway delivers end user computing for the Cloud Era ...

Univa adds distributed automation to Xuropa Software Sales Cloud ...

EuroFlash

Impressions from the BiG Grid HPC Cloud Day in Amsterdam ...

OpenMP Architecture Review Board appoints New CEO ...

PRACE grants 721 million compute hours on Tier-0 systems to twenty-four European research projects and opens new call for Project Access ...

PRACE Tier-1 Workshop 2011 issues Call for Participation ...

USFlash

ARM discloses technical details of the next version of the ARM architecture ...

Grid Dynamics unveils DevOps Catalyst ...

SGI establishes new world record Apache Hadoop Benchmark ...

Cloudera and SGI partner to take high performance computing on Apache Hadoop to the next level ...

New IBM software helps analyze the world's data for health care transformation ...

Astronomers pin down galaxy collision rates by comparing Hubble images to supercomputer simulations ...

NASA Ames inks Lustre support deal with Whamcloud ...

Quantum computer components 'coalesce' to 'converse' ...

Idemitsu Petroleum Norge selects HP for business continuity ...

Targetbase adopts Oracle Exadata Database Machine for real-time data warehousing ...

Diamonds, silver and the quest for single photons ...

IBM launches Netezza appliance to help communications services providers analyze networks and gain consumer insight ...

Univa appoints veteran Head of Sales ...

SAS Alliances bring analytical innovation to businesses ...

New hybrid technology could bring 'quantum information systems' ...

Cloud computing: Gaps in the 'Cloud'

24 Oct 2011 Bochum - Researchers from Ruhr-University Bochum (RUB) have found a massive security gap at Amazon Cloud Services. Using different methods of attack - signature wrapping and cross site scripting - they tested the system which was deemed "safe". "Based on our research results, Amazon confirmed the security gaps and closed them immediately", stated Prof. Dr. Jörg Schwenk, chair for network and data security at the RUB. Amazon Webservices (AWS) offers its customers Cloud computing services and hosts, among others, services like Twitter, Second Life and 4Square.

Cloud computing could be the major computing paradigm of tomorrow. The idea of processing and storing software and data in a cheap external infrastructure is becoming increasingly popular. The fact that these services are by no means as secure as promised is now demonstrated by the research results of Professor Schwenk and his staff.

The "Cloud" is a collection of many virtual servers with concentrated computing power. Outsourcing to Cloud computing has many advantages for professional users: they can rent storage and server capacity short term on demand. The service is invoiced, for example, according to the usage period, and the customer saves the cost of purchasing his own software and hardware. Up to now, the discussion about Cloud computing has above all been dominated by the inability to comply with legal requirements. "Real" attacks were, however, less in the public eye.

"A major challenge for Cloud providers is ensuring the absolute security of the data entrusted to them, which should only be accessible by the clients themselves", stated Professor Schwenk, who set out with his staff to seek weak points. They have found what they were looking for: Juraj Somorovsky, Mario Heiderich and Meiko Jensen tested the security concept of the cloud provider Amazon Web Services, in short AWS.

"Using different kinds of XML signature wrapping attacks, we succeeded in completely taking over the administrative rights of Cloud customers", stated Juraj Somorovsky. "This allowed us to create new instances in the victim's Cloud, add or delete images." The researchers suspect that many Cloud offers are susceptible to signature wrapping attacks, since the relevant web service standards make performance and security incompatible. "We are working on a high-performance solution, however, that no longer has any of the known security gaps", stated Professor Dr. Jörg Schwenk.

In addition, the researchers found gaps in the AWS interface and in the Amazon shop which were ideally suited for smuggling in executable script code - what are termed cross-site scripting attacks. With alarming consequences: "We had free access to all customer data, including authentication data, tokens, and even plain text passwords", stated Mario Heiderich. The researcher see the common login as a complex potential danger: "It's a chain reaction. A security gap in the complex Amazon shop always also directly causes a gap in the Amazon Cloud."

In contrast to public belief, Private Clouds are also vulnerable to the aforementioned attacks: Eucalyptus, an open source project widely used to implement Cloud solutions within companies, did expose the same weaknesses. "A rough classification of Cloud technologies cannot replace a thorough security investigation", stated Professor Schwenk.

"Critical services and infrastructures are making increasing use of Cloud computing", explained Juraj Somorovsky. According to industry estimates, the turnover of European Cloud services is set to more than double in the next four years - from around 68 billion Euros in 2010 to about 148 billion in 2014. "Therefore it is essential that we recognise the security gaps in Cloud computing and avoid them on a permanent basis." Industry took immediate action: "On our advice, Amazon and Eucalyptus confirmed the security gaps and closed them immediately."

Source: Ruhr-University Bochum

Back to Table of contents

Primeur weekly 2011-10-31

Exascale supercomputing

PRACE partner Jülich joins XSEDE ...

The Cloud

Citrix NetScaler CloudConnectors extend network fabric to "last mile" Cloud services ...

Cloud computing: Gaps in the 'Cloud' ...

Final version of NIST Cloud computing definition published ...

Citrix CloudGateway delivers end user computing for the Cloud Era ...

Univa adds distributed automation to Xuropa Software Sales Cloud ...

EuroFlash

Impressions from the BiG Grid HPC Cloud Day in Amsterdam ...

OpenMP Architecture Review Board appoints New CEO ...

PRACE grants 721 million compute hours on Tier-0 systems to twenty-four European research projects and opens new call for Project Access ...

PRACE Tier-1 Workshop 2011 issues Call for Participation ...

USFlash

ARM discloses technical details of the next version of the ARM architecture ...

Grid Dynamics unveils DevOps Catalyst ...

SGI establishes new world record Apache Hadoop Benchmark ...

Cloudera and SGI partner to take high performance computing on Apache Hadoop to the next level ...

New IBM software helps analyze the world's data for health care transformation ...

Astronomers pin down galaxy collision rates by comparing Hubble images to supercomputer simulations ...

NASA Ames inks Lustre support deal with Whamcloud ...

Quantum computer components 'coalesce' to 'converse' ...

Idemitsu Petroleum Norge selects HP for business continuity ...

Targetbase adopts Oracle Exadata Database Machine for real-time data warehousing ...

Diamonds, silver and the quest for single photons ...

IBM launches Netezza appliance to help communications services providers analyze networks and gain consumer insight ...

Univa appoints veteran Head of Sales ...

SAS Alliances bring analytical innovation to businesses ...

New hybrid technology could bring 'quantum information systems' ...