30% of Amazon VMs insecure, say scientists

Research by German university finds that customer carelessness is causing insecurities in the cloud

By Daniel Shane. Published June 22, 2011

Three in every ten virtual machines hosted on Amazon's cloud computing services suffer from security vulnerabilities, academic research has discovered.

A study by scientists from Germany's Darmstadt Research Centre for Advanced Security (CASED) claims it found numerous insecurities in 30% of a test sample of 1,100 virtual instances hosted on the US retailer's Amazon Web Services cloud.

However, the investigation also claimed that many of these vulnerabilities were down to the behaviour of customers, rather than Amazon. The CASED research showed that while Amazon gave its customers detailed security information, many of the virtual machines being deployed suffered from flawed configurations. These vulnerabilities allowed CASED scientists to extract data including passwords, cryptographic keys and security certificates.

"The problem clearly lies in the customers' unawareness and not in Amazon Web Services," commented Professor Ahmad-Reza Sadeghi, who led the research. "We believe that customers of other cloud providers endanger themselves and other cloud users similarly by ignoring or underestimating security recommendations."

CASED has developed a free tool that can scan Amazon virtual images for vulnerabilities. It can be downloaded free of charge from http://trust.cased.de/AMID. CASED says it has informed Amazon of the vulnerabilities.

The security and reliability of cloud computing services have been called into question several times this year already. In April, an apparent networking error at Amazon affected access to its cloud services for a number of days, while video game giants including Sony, Nintendo and Sega have all suffered breaches of online services.

2768 days ago
Vinod Mehra

Good job, CASED, for creating panic. But such shock treatments are desired to put systems on their toes. And I would proceed towards saying that the fault lies with the service provider for not simplifying such vulnerabilities for the users, and with the service user for not heeding the fine print.
