back to article Boffins find that over nine out of ten 'ethical' hackers are being a bit naughty when it comes to cloud services

Infosec pros and hackers regularly abuse cloud service providers to conduct reconnaissance and attacks, despite efforts by cloud providers to limit such activity. In a recent research paper titled "Cloud as an Attack Platform" [PDF], five boffins from Texas Tech University – Moitrayee Chatterjee, Prerit Datta, Faranak Abri, …

  1. Flak

    It is happening now

    If white hats are using cloud services for attacks, we can be sure that the nasty ones are already doing this.

    That should come as no surprise, given cloud platforms' very attractive features for this kind of activity: scale, immediacy, location independence, low cost, virtualisation and the associated anonymity to name a few.

    Platform providers need to be vigilant in who they provide services to - but this is countered by the desired ease of use and onboarding needed to make those platforms attractive.

    I am sure we haven't heard the last of this yet.

    1. Steve Foster

      Re: It is happening now

      It certainly is.

      The number of attempts to log in to my email servers via SMTP, 2ry SMTP, IMAP and POP3 are through the roof.

      In the past, it would be the same IP trying over and over (though there's still plenty of that), but it's now also common to see an IP try once and then disappear. And lots of those IPs are part of cloud providers networks.

      Not only that, but the spam is also coming from an increasing range of IP addresses.

      I've had to further reduce the limit on failed login attempts, as well as begin firewall blocking of IP ranges wholesale.

      1. Qumefox

        Re: It is happening now

        Setting up fail2ban will automate the blocking of the vast majority of these. The only thing it wouldn't catch would be distributed brute force attempts, which are probably the single attempts from different IP's you see.

        1. Glen 1

          Re: It is happening now

          fail2ban Sidenote: You might want to adjust the ban times/attempts to be stricter than the default. An attacker could do a dictionary attack in a reasonable time-frame (weeks/months) by rate limiting the attempts to be slightly looser than the default ban triggers. Especially if you set-and-forget.

          Not that the readers here would ever have dictionary-able passwords. (blah blah ssh keys) It just gets annoying with the added noise in the log files - you do check the logfiles, right?

        2. Steve Foster

          Re: It is happening now

          As it happens, fail2ban isn't an option on the software I'm using, though that might change.

          And I always have a momentary brain freeze when I see "fail2ban" (what use is a tool that fails to ban? oh, wait, upgrade failures to banned)

          1. cbars

            Re: It is happening now

            Really? All you need is a predictable log message that says "access denied" with an IP address, you can set up custom patterns for any file to isolate the IP and it'll drop those packets once you hit whatever limit you configure, I think its about 10 lines in 3 files to do this

            1. Steve Foster

              Re: It is happening now

              Yes, really. AFAIK, fail2ban doesn't run on Windows Server (though I expect there are fail2ban-like ports/substitutes/wannabes available).

    2. Chozo

      Re: It is happening now

      Seriously.. you expect a true Blackhat to pay for cloud services? No, it's far cheaper to piggyback a Raspberry PI onto the motherboard of a dozen refurbished desktop PC's and return them to the wild. Stick in a half decent graphics card, label it "suitable for gaming" and they also tend to land in places with a nice unlimited fibre connection. Scanning the wifi card periodically we quickly learn when all cellphones have left the house for work then kick the pig till the fans squeal and we're making bacon on your budget.

      1. Anonymous Coward
        Anonymous Coward

        Re: It is happening now

        Would it not be easier to walk up (someone else's) street with a wifi pinapple?

        1. steviebuk Silver badge

          Re: It is happening now

          You could. But if you then roll up to said street in your car later and are seen on a laptop, most people report "There is an odd car outside with a guy on a laptop. I think he's up to no good". The fuzz then arrive and you're buggered unless you have a back story.

      2. tcmonkey

        Re: It is happening now

        Is there actually any evidence of this happening, or is it all a story that you have invented?

        1. AMBxx Silver badge

          Re: It is happening now

          Of course - he saw it on a TV drama.

      3. cbars

        Re: It is happening now

        This is a wet dream. The idea thats its better to *physically* link yourself to a mark? A decent copper would pick you up in no time, let alone if they got forensics involved.

        1. NetBlackOps

          Re: It is happening now

          That depends on whether you've read their forensics manuals, or not. Oppo research is a thing if one is serious as a practioner.

          1. cbars

            Re: It is happening now

            now you need physical operational security expertise AND virtual; I'm not sure I prefer the attack surface, even if it's cool in movies. Although I heard you can beat forensics by using bleach, so just pour bleach all over the RPi and you're good to go!

  2. amanfromMars 1 Silver badge

    Keep IT Simple, Stupid ....... for IT and AI Makes Life So Much Easier whenever Complicated

    "perhaps they need a more mature, resilient, and monitoring tracking system empowered with AI and automated detection to identify these abuses."

    Or perhaps they need a more mature, resilient monitored mentoring system empowered with AI with automated detection which identifies abuses and misuses.

    Thus to render the need for a retroactive and reactive [after the fact] human operations basically unnecessary.

    Are cloud providers are aware of this issue?

  3. Mike 137 Silver badge

    "nine out of ten 'ethical' hackers are being a bit naughty..."

    There's no need for the quotes around the word ethical. if your community ethics include being naughty, then it's OK within your community. The problem arises only when the ethical systems of different communities are in conflict.

    However at least in the UK, such activities are potentially unlawful. They could therefore backfire badly supposing service providers and law enforcement really gave a hoot, but they don't really seem to so the habit gets reinforced until it becomes a norm.

  4. Pascal Monett Silver badge

    "fake credit card numbers"

    The fact that fake card numbers exist and can be used points to a lack of security on the part of banks. In Luxembourg, it is not enough to have a credit card for online transactions anymore. I have a USB-like token that, on the press of a button, gives me a 6-digit PIN code that I have to enter to validate my purchase.

    If banks all over the world adopted that level of functionality, the fake card issue would disappear by itself.

    1. iron Silver badge

      Re: "fake credit card numbers"

      No it wouldn't. You'd just get a trade in security tokens to replace it.

    2. Dan 55 Silver badge

      Re: "fake credit card numbers"

      This is PSD2 for online credit card payments that is rolling out everywhere in the EU, although many banks will insist you install their miserable app to get the PIN. An app means marketing opportunities!

      1. My-Handle Silver badge

        Re: "fake credit card numbers"

        And too many "marketing opportunities" sent to me by a bank abusing their multi-factor authentication system results in me choosing another bank.


        Sorry, it's been a long day.

  5. iron Silver badge

    Bollocks headline

    > Boffins find that over nine out of ten 'ethical' hackers...

    > "We did not collect any demographic data, so we can not tell apart an ethical hacker/pen-tester or malicious hackers,"

    If they did not ask any questions to distinguish the hat a hacker wears then they cannot make the statement in the headline.

    1. Brewster's Angle Grinder Silver badge

      Colour? Mine is 50% magenta.

      If they're wearing a hat, they're defo not hackers. As any fule kno: hackers wear hoodies.

  6. Chris the bean counter

    Do clouds do KYC?

    iirc my aws asked for no hard to falsify identifiable information other than credit card details.

    KYC is imperfect but adds to a hackers hassle...usually deters people if the competitor is easier to sign on to.

    From my insurance days we used to find a phone call was a great way to deter fraud (the surname and accent could trigger an alarm for any semi experienced call centre handler) ...although no doubt hackers with their social engineering skills may not be as vulnerable to this.

  7. Version 1.0 Silver badge

    It's the 2nd internet amendment

    We're created the Cloud, it's got a vast number of risks and dangers but we insist that everyone has the right to carry one around, either concealed or over their shoulder. The article is just documenting its design features. Sure, the hackers are doing bad things but everyone needs access to the Cloud don't they?

    A well regulated Cloud, being necessary to the security and profits of large companies, the right of the people to keep and bear access, shall not be infringed.

  8. Daniel Hall
    Thumb Down

    Stop over complicating statistics!

    Of the 75 security professionals and hackers they spoke with as a part of a larger examination of attacker psychology, more than 93 per cent admitted to abusing cloud services to create attack environments and launch attacks.

    Let me fix this for you:

    Of the 75 security professionals and hackers they spoke with as a part of a larger examination of attacker psychology, 70 admitted to abusing cloud services to create attack environments and launch attacks.

    Why do you need to make things more confusing than necessary?

    1. amanfromMars 1 Silver badge
      Thumb Up

      Re: Stop over complicating statistics!

      Amen to that, Daniel Hall.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2022