posted by Fnord666 on Monday April 11 2022, @09:01PM

Cloud server leasing can leave sensitive data up for grabs:

Renting space and IP addresses on a public server has become standard business practice, but according to a team of Penn State computer scientists, current industry practices can lead to "cloud squatting," which can create a security risk, endangering sensitive customer and organization data intended to remain private.

Cloud squatting occurs when a company, such as your bank, leases space and IP addresses — unique addresses that identify individual computers or computer networks — on a public server, uses them, and then releases the space and addresses back to the public server company, a standard pattern seen every day. The public server company, such as Amazon, Google, or Microsoft, then assigns the same addresses to a second company.  If this second company is a bad actor, it can receive information coming into the address intended for the original company — for example, when you as a customer unknowingly use an outdated link when interacting with your bank — and use it to its advantage — cloud squatting.

"There are two advantages to leasing server space," said Eric Pauley, doctoral candidate in computer science and engineering. "One is a cost advantage, saving on equipment and management.  The other is scalability. Leasing server space offers an unlimited pool of computing resources so, as workload changes, companies can quickly adapt." As a result, the use of clouds has grown exponentially, meaning almost every website a user visits takes advantage of cloud computing.

While the Penn State researchers suspected cloud squatting was possible, they designed an experiment to determine if cloud tenants were vulnerable and to quantify the extent of the problem. The researchers set up a series of cloud server rentals from Amazon Web Services in its us-east-1 region, the region that serves the East Coast of the U.S. They rented server space for 10-minute intervals, received information sent to the address intended for previous tenants and then moved to another server location, repeating the process. They did not ask for any data, nor did they send out any data. Whatever unsolicited data they received was potentially intended for previous tenants.

[...] To resolve cloud squatting concerns, the researchers believe that there are mitigation efforts that should be made by both the cloud server companies and the clients who rent server space. From the cloud server side, one of the ways to thwart cloud squatting is to prevent IP address reuse. However, this is limited by the number of available IP addresses.

Second, "server companies can create reserved IP address blocks," said McDaniel. "A large client organization could be assigned a fixed range of addresses that are recyclable within the company."

Third, server companies can delay recycling of IP addresses, but the longer IP addresses are idle, the more it will cost the server company.

[...] "I (Patrick McDaniel) would heed the conclusion that despite the overwhelming attraction of cloud servers, cloud computing is not without risk," said Pauley. "However, by managing and watching their use, we can mitigate a lot of that danger. The free lunch that people thought the clouds were is not free. Companies have to weigh the risk to benefit."

This is an interesting effect that I hadn't considered. What are your thoughts?
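To make the second and third mitigations above concrete, here is an added toy model of a provider's IPv4 pool (example code written for this summary, not from the Penn State paper or the article). It implements a recycling delay (a released address idles for a cooldown before any other tenant can lease it) and per-tenant reserved blocks (an address released by a reserved tenant goes back only to that tenant). The tenant names, the 10.0.0.0/29 range and the timings are all constructed for illustration; `idle_count` shows the cost side of the trade-off the story mentions, the addresses that earn nothing while they cool down.

```python
"""Toy cloud IPv4 pool with a recycling delay and reserved tenant blocks.

Added example, not the provider's or the researchers' code. Addresses,
tenants and times are constructed for illustration.
"""
from collections import deque
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Deque, Dict, Optional, Tuple


@dataclass
class IPPool:
    cooldown: int  # seconds a released shared address must idle before reuse
    # shared addresses that have never been leased; handed out first
    fresh: Deque[IPv4Address] = field(default_factory=deque)
    # shared addresses released and still cooling: (release_time, addr), oldest first
    cooling: Deque[Tuple[int, IPv4Address]] = field(default_factory=deque)
    # tenant-private pools for customers with a reserved block
    reserved: Dict[str, Deque[IPv4Address]] = field(default_factory=dict)
    owner: Dict[IPv4Address, str] = field(default_factory=dict)
    reserved_owner: Dict[IPv4Address, str] = field(default_factory=dict)

    @classmethod
    def from_network(cls, net: IPv4Network, cooldown: int) -> "IPPool":
        return cls(cooldown=cooldown, fresh=deque(net.hosts()))

    def reserve_block(self, tenant: str, block: IPv4Network) -> None:
        """Carve a block out of the shared pool; it recycles only inside the tenant."""
        addrs = [a for a in self.fresh if a in block]
        self.fresh = deque(a for a in self.fresh if a not in block)
        self.reserved[tenant] = deque(addrs)
        for a in addrs:
            self.reserved_owner[a] = tenant

    def lease(self, tenant: str, now: int) -> Optional[IPv4Address]:
        """Hand out an address, or None if nothing is safely available yet."""
        if tenant in self.reserved:
            if not self.reserved[tenant]:
                return None
            addr = self.reserved[tenant].popleft()
        elif self.fresh:
            addr = self.fresh.popleft()
        elif self.cooling and now - self.cooling[0][0] >= self.cooldown:
            # only the oldest released address is eligible, and only once cooled
            _, addr = self.cooling.popleft()
        else:
            return None
        self.owner[addr] = tenant
        return addr

    def release(self, addr: IPv4Address, now: int) -> None:
        """Return an address: to its tenant's block, or to the shared cooling queue."""
        self.owner.pop(addr)
        if addr in self.reserved_owner:
            self.reserved[self.reserved_owner[addr]].append(addr)
        else:
            self.cooling.append((now, addr))

    def idle_count(self, now: int) -> int:
        """Shared addresses earning nothing because they are still cooling down."""
        return sum(1 for t, _ in self.cooling if now - t < self.cooldown)


def scenario() -> dict:
    """Walk through a constructed lease/release sequence and report what each tenant got."""
    pool = IPPool.from_network(IPv4Network("10.0.0.0/29"), cooldown=3600)
    pool.reserve_block("bank", IPv4Network("10.0.0.4/31"))  # bank owns .4 and .5
    bank_first = pool.lease("bank", now=0)        # 10.0.0.4
    pool.lease("bank", now=0)                     # 10.0.0.5
    pool.release(bank_first, now=100)
    bank_recycled = pool.lease("bank", now=200)   # .4 again: stays inside the bank
    shop = pool.lease("shop", now=200)            # fresh 10.0.0.1
    pool.release(shop, now=300)                   # .1 starts cooling at t=300
    for _ in range(3):                            # drain the remaining fresh addresses
        pool.lease("other", now=400)
    squatter_early = pool.lease("squatter", now=500)   # None: .1 still cooling
    idle_at_500 = pool.idle_count(now=500)
    squatter_late = pool.lease("squatter", now=3900)   # .1: cooldown elapsed
    return {
        "bank_first": str(bank_first),
        "bank_recycled": str(bank_recycled),
        "squatter_early": squatter_early,
        "idle_at_500": idle_at_500,
        "squatter_late": str(squatter_late),
    }


if __name__ == "__main__":
    for k, v in scenario().items():
        print(f"{k}: {v}")
```

The cooldown only delays the problem, as the story notes; whoever eventually leases 10.0.0.1 can still receive whatever stale clients send there. The reserved block is the stronger control, because the address never leaves the organisation that published it.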



  • (Score: 2, Insightful) by Anonymous Coward on Monday April 11 2022, @09:18PM (4 children)

    by Anonymous Coward on Monday April 11 2022, @09:18PM (#1236228)

    Your cryptoshit will get nailed too

    Damn computers are not ready for prime time. The infrastructure is too frail, and insecure by design

    • (Score: 2) by maxwell demon on Tuesday April 12 2022, @05:01AM (2 children)

      by maxwell demon (1608) on Tuesday April 12 2022, @05:01AM (#1236304) Journal

      You are assuming that in case the infrastructure (which is all computers by now) breaks down, your cash will still have value. I don't think so.

      Well, if you keep coins you may be able to use them for their material value.

      --
      The Tao of math: The numbers you can count are not the real numbers.
      • (Score: 2) by Freeman on Tuesday April 12 2022, @02:23PM

        by Freeman (732) on Tuesday April 12 2022, @02:23PM (#1236353) Journal

        Gold or silver coins may retain value, if the US economy makes a nose dive. This is not a guarantee, but they'll likely be worth more than paper currency at any rate.

        --
        Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
      • (Score: 0) by Anonymous Coward on Wednesday April 13 2022, @03:13AM

        by Anonymous Coward on Wednesday April 13 2022, @03:13AM (#1236522)

        Difficult to counterfeit paper notes can still serve as scrip, a perfectly cromulent form of currency

    • (Score: 2) by bmimatt on Tuesday April 12 2022, @04:10PM

      by bmimatt (5050) on Tuesday April 12 2022, @04:10PM (#1236380)

      ..."There are two advantages to leasing server space," said Eric Pauley, doctoral candidate in computer science and engineering. "One is a cost advantage, saving on equipment and management.  The other is scalability. Leasing server space offers an unlimited pool of computing resources so, as workload changes, companies can quickly adapt."...

      My thoughts are the doctoral candidate needs some more basic schooling:
      1. 'saving on equipment and management' - it's simply a CAPEX vs OPEX tradeoff, where leasing space in the Cloud eliminates hardware CAPEX. Maintenance, short of physically racking machines, is pretty much the same.

      2. 'Leasing server space offers an unlimited pool of computing resources ' - that's a pretty wild exaggeration, even if you add up all the unused compute resources of the largest Cloud providers, you're still quite far from 'unlimited'. There are also a number of other constraints that are part of the scalability picture and should not be left out in this context.

      It would be easier to explain the above from the perspective of relation of OPEX to product/service demand and platform elasticity, or enabling savings by maintaining a loose yet somewhat parallel relationship between product/service demand and its elastic availability.

  • (Score: 5, Insightful) by looorg on Monday April 11 2022, @09:32PM (3 children)

    by looorg (578) on Monday April 11 2022, @09:32PM (#1236232)

    I hate the cloud, or I guess I just hate people that somehow appear to believe that it's some magical computer place in the sky far away from the prying eyes and sticky hands of others. The cloud is just a fancy term for a computer run by someone else.
    "Want to store our sensitive information in the Cloud?", sure doesn't sound so bad.
    "Want to store our sensitive information on a computer controlled by someone else?", sounds horrific.

    There are I gather then many issues with it. Such as IP coming and going. I guess there are a bunch of things that "Cloud" people could do like wiping things when you leave. That said that is bad since if you by accident forget to pay the bill to have all your data wiped would be kind of bad. I guess they could have a large pool of addresses so a used one goes into a resting pool for awhile before getting reused. I assume this is the suggestion of having a delay on the IP and letting them idle for longer. But as an idle IP doesn't generate revenue and the other bad part is there isn't enough addresses to go around for this to have a large enough pool (unless you are one of those lucky companies that got shit tons of blocks assigned to you back in the day and are now laughing).

    In this case though it seems they take the IP of someone and wait for data to start streaming in that was intended for the previous owner. Could be interesting. I guess super-bad of the previous owner to send precious data to some rent-by-the-X magical Cloud device. Question is then why not just do normal Man-in-the-Middle stuff?

    So what happens when a cloud storage company goes belly up? I guess Amazon, Google and Microsoft are not going to go away anytime soon -- no matter how hard we all pray to $DEITY that it should just reap them and let them burn in hellfire for eternity.

    • (Score: 3, Disagree) by maxwell demon on Tuesday April 12 2022, @05:10AM (2 children)

      by maxwell demon (1608) on Tuesday April 12 2022, @05:10AM (#1236305) Journal

      "Want to store our sensitive information on a computer controlled by someone else?", sounds horrific.

      Want to store your money in a vault controlled by someone else? Sounds horrific? Well, I bet you've got your money at a bank, right? Well, it's probably not in the bank's vault, but exists only on one of their computers, but then, that doesn't really sound better, does it?

      --
      The Tao of math: The numbers you can count are not the real numbers.
      • (Score: 1) by anubi on Tuesday April 12 2022, @11:00AM

        by anubi (2828) on Tuesday April 12 2022, @11:00AM (#1236329) Journal

        Sounds kinda like sharing toothbrushes.

        It's yours as long as it's in your mouth, but you don't know who had it before you, nor will you know who gets it when you return it to its rack when you are done.

        --
        "Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
      • (Score: 2) by DannyB on Tuesday April 12 2022, @06:07PM

        by DannyB (5839) Subscriber Badge on Tuesday April 12 2022, @06:07PM (#1236424) Journal

        <no-sarcasm>
        Money in the bank is federally insured.
        </no-sarcasm>

        It is as safe and trustworthy as the federal government itself.

        I hear Russian Rubles are a good investment right now.

        --
        The server will be down for replacement of vacuum tubes, belts, worn parts and lubrication of gears and bearings.
  • (Score: 0) by Anonymous Coward on Monday April 11 2022, @09:49PM (2 children)

    by Anonymous Coward on Monday April 11 2022, @09:49PM (#1236237)

    Cloud squatting occurs when a company, such as your bank, leases space and IP addresses — unique addresses that identify individual computers or computer networks — on a public server, uses them, and then releases the space and addresses back to the public server company, a standard pattern seen every day. The public server company, such as Amazon, Google, or Microsoft, then assigns the same addresses to a second company.  If this second company is a bad actor, it can receive information coming into the address intended for the original company

    It seems to me that this is just a plain old man-in-the-middle attack, just maybe, sometimes, a little bit easier to carry out than more "traditional" MITM methods such as BGP or DNS poisoning or even just the classic "shady guy working at your ISP redirects your traffic".

    The solution, as always, is to use strong authentication protocols. These work against the shady guy working at your ISP and they will work against the shady guy buying up your no-longer-needed IP addresses.

    • (Score: 0) by Anonymous Coward on Monday April 11 2022, @10:48PM (1 child)

      by Anonymous Coward on Monday April 11 2022, @10:48PM (#1236245)

      It seems like they're talking about people who don't like DNS and type the IPv4 into their address bar.

      But either way I agree, strong authentication is the answer. The PKI (server certs/CAs) in use on the web does leave something to be desired, but it's better than nothing. Given that we're all supposed to be HTTPS, it seems like the attack in TFS is mostly theoretical.

      Some kind of certificate pinning would be the best, but that would require the end user to know WTF they're doing. For a car analogy, it'd be like requiring drivers to know how to fill their tank safely. WTF that's too technical for me! I live in New Jersey, Oregon, or Alberta, you insensitive clod!

      • (Score: 0) by Anonymous Coward on Tuesday April 12 2022, @02:56AM

        by Anonymous Coward on Tuesday April 12 2022, @02:56AM (#1236286)

        You are close. The underlying issue here is DNS propagation time caused by bad TTLs, either on your end, an ISP's, or the clients'. The best practice for scaling is to have an appropriate TTL on the more ephemeral IP addresses and when scaling-in is to remove the IP record in question at least an hour or 3x the TTL, whichever is greater, before releasing it to your cloud pool. However, no matter what you do, it will never be good enough to prevent the scenario where someone on your old address gets at least some traffic after you release an IP address.
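The release rule in the comment above ("remove the record at least an hour or 3x the TTL, whichever is greater, before releasing") is easy to turn into a gate that a scale-in job runs before giving an address back to the provider. The following is an added example written for this thread, not code from the commenter or from any provider; the zone records, TTLs, removal times and the 203.0.113.0/24 documentation addresses are constructed. The gate refuses to release an address while any record still points at it, and otherwise reports the earliest time the quiet period for every removed record has elapsed.

```python
"""DNS-aware release gate for a cloud IP address.

Added example, not the commenter's code. Zone data below is constructed.
Rule: before an address is released, every record that pointed at it must be
gone, and must have been gone for at least max(1 hour, 3 x its TTL).
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

MIN_QUIET = 3600  # one-hour floor from the rule in the comment


@dataclass(frozen=True)
class Record:
    name: str
    rtype: str
    value: str
    ttl: int
    removed_at: Optional[int]  # epoch seconds when deleted; None means still live


def quiet_period(ttl: int) -> int:
    """Seconds a removed record must have been gone: max(1 h, 3 x TTL)."""
    return max(MIN_QUIET, 3 * ttl)


def release_check(ip: str, zone: List[Record], now: int) -> Tuple[bool, Optional[int], List[str]]:
    """Decide whether `ip` may be released at `now`.

    Returns (ok, earliest_safe_time, reasons). earliest_safe_time is None when a
    live record still points at the address (no time is safe until it is removed),
    otherwise the latest removed_at + quiet_period over records that pointed at ip
    (0 if none ever did).
    """
    reasons: List[str] = []
    live = False
    earliest = 0
    for r in zone:
        if r.value != ip:
            continue
        if r.removed_at is None:
            live = True
            reasons.append(f"{r.name} {r.rtype} still points at {ip}; remove it first")
            continue
        safe_at = r.removed_at + quiet_period(r.ttl)
        earliest = max(earliest, safe_at)
        if safe_at > now:
            reasons.append(
                f"{r.name} {r.rtype} (ttl {r.ttl}) removed at {r.removed_at}; "
                f"quiet until {safe_at}, {safe_at - now}s to go"
            )
    if live:
        return False, None, reasons
    return earliest <= now, earliest, reasons


# Constructed zone: a short-TTL API name and a forgotten long-TTL legacy name once
# pointed at .10; .11 is still live behind www.
ZONE = [
    Record("api.example.com", "A", "203.0.113.10", 60, removed_at=1000),
    Record("old.example.com", "A", "203.0.113.10", 86400, removed_at=0),
    Record("www.example.com", "A", "203.0.113.11", 300, removed_at=None),
]


if __name__ == "__main__":
    for ip, now in (("203.0.113.10", 5000), ("203.0.113.10", 259200),
                    ("203.0.113.11", 5000), ("203.0.113.12", 5000)):
        ok, safe, why = release_check(ip, ZONE, now)
        print(f"{ip} at t={now}: {'release' if ok else 'HOLD'} (safe from {safe})")
        for line in why:
            print("   ", line)
```

The long-TTL legacy record is the realistic failure: the API name with a 60-second TTL is clear after the one-hour floor, but `old.example.com` with a day-long TTL holds the address for three days, and a job that only looked at the record it just removed would release too early. As the comment says, even this does not stop clients that cached the address or hard-coded it; it only bounds the window.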

  • (Score: 0) by Anonymous Coward on Monday April 11 2022, @11:27PM

    by Anonymous Coward on Monday April 11 2022, @11:27PM (#1236253)

    no problemo

  • (Score: 2) by Runaway1956 on Tuesday April 12 2022, @12:40AM (2 children)

    by Runaway1956 (2926) Subscriber Badge on Tuesday April 12 2022, @12:40AM (#1236265) Journal

    How is cloud squatting significantly different from old fashioned domain squatting? You register, and/or rent, an address on the web, maybe you intentionally misspell a legitimate domain, or grab an abandoned domain, or whatever. If you're slick, you provide a landing page that at least resembles the legitimate domain, so as not to scare away the suckers. Then, you wait, and collect the data that comes rolling in. The better a phisherman you are, the more phish you pull in, right?

    --
    “I have become friends with many school shooters” - Tampon Tim Walz
    • (Score: 0) by Anonymous Coward on Tuesday April 12 2022, @06:00AM (1 child)

      by Anonymous Coward on Tuesday April 12 2022, @06:00AM (#1236308)

      The biggest difference that I can see is that you (the phisher) can't predict who you will be squatting. It's like getting a new randomly assigned phone number and then answering calls looking for the previous owner.

      As a real life example, I once inherited a number that previously belonged to a church. They had already updated their website, but finding third parties and getting them to update their listings so Google Maps would show the right number was a PITA. It took months to fix. At least the pastor's wife was nice about it when I called. :/

      • (Score: 0) by Anonymous Coward on Tuesday April 12 2022, @11:56AM

        by Anonymous Coward on Tuesday April 12 2022, @11:56AM (#1236332)

        Consider the guy who got the number of a 48 line Gay BBS / Chat Board a friend of mine ran. Being a BBS, people commonly called it at all hours via modem.

        Now, I thought I'd be a nice brother and buy my Sister a nice anonymous TracFone, as she is single and needed a throwaway number she could share with prospective suitors, just in case she snagged a problem paramour.

        She is not technical, but I am.

        So I bought a phone, set it up real nice with a huge TF card loaded with all sorts of extended functionality, music, NewPipe, VLC, Shazam, GPS maps of the whole world, compass, notepads, calculators, offline wikipedia (AARD), dictionaries, thesaurus, bible texts, 100 Gigabytes of stuff.

        You name it, it is probably in there. Most of it works offline. It was supposed to be a "survival phone" that would be very useful should the technology infrastructure fail. You know, natural disaster or worse. Her area is prone for hurricanes.

        In the event she just had to "get out of Dodge" in a hurry, anywhere but here, she would have a good chance of knowing where she was, even if no cell towers for miles.

        And gave the phone to her. All set up. Ready to place calls. All the family numbers already in it.

        Know what I forgot?

        The number I had been issued had been previously used by someone who did not pay his bills and had left a very long trail of very unhappy people who wanted their money!

        My sister was quite put out at me for doing such carelessness and involving her in it. Frankly, I don't blame her.

        It's one of those things that even the best of intention can go terribly wrong.

  • (Score: 2) by DannyB on Tuesday April 12 2022, @06:01PM (2 children)

    by DannyB (5839) Subscriber Badge on Tuesday April 12 2022, @06:01PM (#1236421) Journal

    Some day, in the future, scientists may invent some way to create internet addresses which are not as scarce and limited as today.

    Cloud providers would not need to recycle IP addresses.

    (but without recycling, what happens to the old addresses? Do they drain into the ocean and foul marine habitats? That would cause environ mentalists to use foul fowl language.)

    --
    The server will be down for replacement of vacuum tubes, belts, worn parts and lubrication of gears and bearings.
    • (Score: 0) by Anonymous Coward on Tuesday April 12 2022, @11:38PM

      by Anonymous Coward on Tuesday April 12 2022, @11:38PM (#1236486)

      If you don't recycle IP addresses then your routing tables quickly become unmanageable and the whole network breaks down. It also doesn't address the root problem, which is conflating address with identity, and the resulting lack of authentication that allows this attack in the first place.

    • (Score: 2) by sea on Wednesday April 13 2022, @08:09AM

      by sea (86) Subscriber Badge on Wednesday April 13 2022, @08:09AM (#1236552) Homepage Journal

      They call it IPv6 and it's a 30 year old protocol at this point.

  • (Score: 1) by mmlj4 on Wednesday April 13 2022, @08:00AM (1 child)

    by mmlj4 (5451) on Wednesday April 13 2022, @08:00AM (#1236550) Homepage

    Seriously... hard-coded IPs in publicly-addressable services? SSL can't work with IPs. This seems like a non-story to me.

    --
    Need a Linux consultant [joeykelly.net] in New Orleans?
    • (Score: 0) by Anonymous Coward on Thursday April 14 2022, @05:24AM

      by Anonymous Coward on Thursday April 14 2022, @05:24AM (#1236835)

      TLS could work with IPs, especially for what appears to be internal traffic. But that is hardly the biggest oversight here. Even if you don't want to manage an internal DNS server, at least don't use a public address for internal traffic. That is what really mystifies me here. These people seem to be paying for external addresses for purely internal traffic.
