Amazon EC2 cloud servers used to hack PlayStation network
May 14, 2011
The hackers who compromised the security of Sony's PlayStation network last month and gained access to private data for 77 million subscribers used Amazon's Cloud servers to illegally launch the attack, it was learned earlier this morning.
The hackers rented a cloud server from Amazon's EC2 service and got into the popular network from there. The hackers supplied fake information to Amazon when opening the account. The account has now been closed.
For now, neither Sony nor Amazon has commented on the news. It's still unclear exactly how Amazon's web services were used to mount the attack, and it isn't the first time the service has been used by hackers.
German security researcher Thomas Roth earlier this year showed how tapping the EC2 service allowed him to crack Wi-Fi passwords in a fraction of the time and for a fraction of the cost of using his own computing gear. For about $1.68, he used special “Cluster GPU Instances” of the Amazon cloud to carry out brute-force cracks that allowed him to access a WPA-PSK protected network in just 19 minutes.
In November 2009, a ZeuS-based banking trojan used the popular Amazon service as a command and control channel that issued software updates and malicious instructions to the computers it had infected.
In both cases, those tapping the Amazon cloud did so as paid customers. A top Sony executive recently implicated the Anonymous hacker collective in the PSN attack but has so far provided no convincing evidence to support his allegations.
The attack, which penetrated core parts of the gaming network, was used to steal passwords, names, addresses, ages, email addresses, credit card details and other data associated with 77 million accounts. The network has been closed for the past 23 days and Sony has provided no indication when it will reopen.
In other Internet security news
Internet security experts say they've discovered numerous security flaws in most of the popular file hosting sites that allow people to gain unauthorized access to data that's supposed to be available only to those selected by the user.
The Internet security experts include Nick Nikiforakis, Steven Van Acker and Wouter Joosen of the Katholieke Universiteit Leuven in Belgium, and Marco Balduzzi and Davide Balzarotti of the Institute Eurecom in France.
Those file hosting services, which include sites such as RapidShare, FileFactory and EasyShare, allow users to upload large files and make them available to anyone who knows the unique URI (Uniform Resource Identifier) that's bound to each one.
Internet users can post the link on websites, in emails or on forums available to the public. For example, RapidShare says it can be used to share your data with your friends, colleagues or family.
But according to research academics in Belgium and France, a significant percentage of the 100 FHSs (File Hosting Services) they've studied made it very easy for outsiders to access the files simply by guessing the URLs that are bound to each uploaded file.
Making an already bad situation even worse, they presented more evidence that such Internet attacks, far from being theoretical, are already happening in the wild, and with increased frequency.
The academic researchers said they developed some software and then 'trained' web crawlers on the file services, uncovering hundreds of thousands of private files in just two weeks. They also used the file hosting sites to store private files that contained Internet beacons, so they'd know if anyone opened them. Over a month's span, no fewer than 80 unique IP addresses accessed the so-called "honey files" 275 times, indicating that the weakness is already being exploited in the wild to harvest data many users believe isn't available for general viewing or use.
“These so-called file hosting services adopt a security-through-obscurity mechanism where a user can access the uploaded files only by knowing the correct download URIs,” the researchers wrote in a paper presented at the most recent USENIX Workshop on Large-Scale Exploits and Emergent Threats.
“While these services claim that these URIs are secret and cannot be guessed, our study shows that this is far from being true,” said the researchers.
The security flaws that were the easiest to exploit were found on hosting sites that use sequential identifiers in the download URIs. By writing scripts that enumerate the IDs one value at a time, their bot crawler was able to locate almost 311,000 unique files over a period of just 30 days. The researchers then ran searches on Microsoft's Bing.com search engine and estimated that 168,320 of them, or 54 percent, were private files, because their URIs hadn't been shared online, at least not yet.
“Unfortunately, the security issues are extremely serious since the list of insecure FHSs using sequential IDs also include some of the most popular names, often highly ranked by Alexa in the list of the top Internet websites,” the researchers wrote.
But in an effort to prevent their findings from being abused, their report didn't say which specific sites are the most vulnerable to various types of attacks.
Another common security flaw involved the use of pseudorandom URIs for each uploaded file. By using brute-force attacks that cycled through every possible combination, the researchers were able to successfully guess a file's unique ID 1.1 times for every thousand attempts. Part of the weakness is the result of websites that used IDs consisting only of numeric strings with a maximum length of six digits. But even when services used alphanumeric IDs, or numeric IDs with a length of 8, the researchers achieved similar success rates.
In other instances, some file hosting services used ID schemes with enough complexity to render brute-force techniques ineffective, or used CAPTCHAs (challenge-response tests meant to tell humans from automated scripts) or other mitigations.
Even in many of those cases, however, the researchers were able to guess the names anyway by exploiting a directory traversal vulnerability in a commonly used web hosting program found on most file sharing services.
In other examples, they defeated the mitigation mechanism by using a feature that allows users to report copyright violations and other abuse to the site admins, and combining it with a separate feature for deleting files. Because the feature on one site exposed the first 10 characters of a file's 14-character ID, the number of combinations left to brute force was a manageable 65,536.
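The following Python is an added illustration, not code from the article or from the researchers' paper. It quantifies the three weaknesses just described (sequential IDs, short numeric or alphanumeric IDs, and an ID whose prefix leaks through another site feature) and shows the standard mitigation, a CSPRNG-generated token. The alphabet sizes, the hosted-file counts and the 128-bit threshold are assumptions; the 16-symbol alphabet for the leaked-prefix case is inferred from 65,536 = 16^4.

```python
import math
import secrets

# Alphabet sizes for the ID shapes the article describes. These are
# assumptions chosen to match its figures, not values from the paper.
DIGITS, HEX, ALNUM = 10, 16, 62

def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct IDs a scheme of this shape can produce."""
    return alphabet_size ** length

def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy if IDs are drawn uniformly from the keyspace."""
    return length * math.log2(alphabet_size)

def hits_per_thousand(alphabet_size: int, length: int, files_hosted: int) -> float:
    """Expected valid IDs per 1000 uniformly random guesses, assuming each
    hosted file has a distinct, uniformly chosen ID. Sequential IDs are
    strictly worse: a crawler walks them in order and finds every file."""
    return 1000 * files_hosted / keyspace(alphabet_size, length)

def remaining_after_leak(alphabet_size: int, length: int, leaked_chars: int) -> int:
    """Guesses left once another feature (the abuse-report form in the
    article) reveals a prefix of the ID."""
    return keyspace(alphabet_size, length - leaked_chars)

def assess(alphabet_size: int, length: int, files_hosted: int, min_bits: int = 128) -> dict:
    """Summarise a scheme the way a reviewer of a hosting service would.
    min_bits=128 is an assumed policy threshold, not a figure from the paper."""
    bits = entropy_bits(alphabet_size, length)
    return {
        "entropy_bits": round(bits, 1),
        "hits_per_thousand_guesses": hits_per_thousand(alphabet_size, length, files_hosted),
        "acceptable": bits >= min_bits,
    }

def secure_download_id(nbytes: int = 16) -> str:
    """Mitigation: a CSPRNG token (128 bits for the default 16 bytes, encoded
    as 22 URL-safe characters), unrelated to upload order and infeasible to
    enumerate or guess."""
    return secrets.token_urlsafe(nbytes)

if __name__ == "__main__":
    # Constructed example: a service hosting 50,000 files under each scheme.
    for name, alpha, length in [("6 digits", DIGITS, 6), ("8 alnum", ALNUM, 8), ("22 urlsafe", 64, 22)]:
        print(name, assess(alpha, length, 50_000))
    print("10 of 14 hex chars leaked ->", remaining_after_leak(HEX, 14, 10), "guesses left")
    print("fresh secure ID:", secure_download_id())
```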