back to article Crypto-coin miners caught toiling away in hacked cloud boxes

Here's yet another reason to make sure you lock down your clutch of cloud services: cryptocurrency mining. Security outfit RedLock's security trends report [PDF], out this month, said developers and organizations are not securing their AWS, Azure and Google Cloud Platform systems, allowing miscreants to hijack them to steal …

  1. Mark 85
    Pirate

    Security company?

    RedLock says companies stung this way included security company Gemalto and....

    Whoa... hold on there. This is not a sterling recommendation for their services is it? Especially one touting themselves as a "world leader in digital security".

    1. iron

      Re: Security company?

      Based on recent events at Deloitte and Equifax I'd say this is par for the course for a security company.

  2. Anonymous Coward
    Anonymous Coward

    The only safe way to use of the Cloud ...

    ... is not to use it.

    1. Captain Scarlet
      Mushroom

      Re: The only safe way to use of the Cloud ...

      The only safe thing to do is fire the stupid people who think its ok to have a password of password.

      1. handleoclast
        Coat

        Re: The only safe way to use of the Cloud ...

        @Captain Scarlet

        You're right. It's totally insecure to make your password be password.

        Do what I do. Make your username be password and your password be username. They'll never guess that.

        1. Muscleguy

          Re: The only safe way to use of the Cloud ...

          I'm reminded of an Eric the Penguin cartoon*. Eric says his password is INCORRECT because every time he puts in the wrong password or forgets it the system tells him his password is INCORRECT.

          I have the 2017 calendar.

  3. Arthur2sheds

    The blind leading the blind

    Often, foolishly, users of cloud services rely absolutely on the cloud provider to deploy enhanced secure systems as standard. They don't...

    Solution: Provide your own hardened systems configuration standards when setting up, and continually monitor for compliance and vulnerabilities.

    Don't forget to conduct penetration tests, and undertake more frequently for critical applications / solutions.

    1. thegroucho
      Facepalm

      Re: The blind leading the blind

      Amazon clearly state - 'shared security model'.

      The end users clearly haven't done their part.

      Just don't mention putting creds in public github ...

  4. HieronymusBloggs

    Password?

    “found a number of Kubernetes administrative consoles deployed on Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform that were not password protected,”

    The fact that this is possible is disappointing.

  5. Anonymous Coward
    Anonymous Coward

    Defaults?

    I use AWS quite alot and it's default firewall rules are all closed.

    I need to generate a key file for ssh access, what default creds am I missing?

  6. Ken Moorhouse Silver badge

    215 kWH

    I wonder if Cloud vendors have factored the above into their prices.

    A bit like things like tethering, when such "unintended usages" surface the Service affected hit back by invoking their safety net Acceptable Usage Policy (1) throttling or curtailing or (2) charging an excess for the usage not deemed acceptable.

    Will this happen in this case?

  7. Mark 85

    I'm waiting for some admin to be found out he/she is using the company's servers to mine. Just a matter of time, I guess.

  8. Nimby
    Angel

    Reverse-Cloud: Distributed Computing Service Provider

    Sadly, these days I am not surprised that no one takes security seriously. No password protection? Sure! Saves time logging in, right?

    I am however surprised that companies don't reverse-cloud with a distributed-computing client installed on every PC in their network in order to sell the processing power of unused cycles to world+dog. (After all, no one cares about security anymore, so why not...)

    Sadly, I can even see companies running a reverse-cloud (on all of their PCs that were turned into thin clients when they moved all of their corporate systems to the cloud) in order to help pay for their cloud services.

    And then complaining about how their voip phones all suck, oblivious to their networks not being able to handle the load of cloud + reverse-cloud + voip.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like