Hackers could be guessing their way into your cloud: Symantec

Could an unskilled hacker guess their way into your Infrastructure-as-a-Service cloud?

That is what Symantec seems to have demonstrated in its recent research on vulnerabilities surrounding this type of solution.

It found that files including email addresses, passwords and credit card transactions could be easily accessible due to simple misconfigurations in folder structures.

Of 16,000 cloud domains, Symantec determined that 0.3 per cent had folder structures that could be guessed by a hacker. While the security vendor acknowledged that this number seemed insignificant, it still equated to 11,000 files that were unintentionally accessible to the public.

“As part of our research, we demonstrated an attack scenario, showing how an amateur attacker could access thousands of files stored in the cloud without needing any user names and passwords,” Candid Wueest, a Symantec threat researcher, wrote in a blog post regarding the findings.

Common mistakes that administrators make in configuration include leaving folder access open, storing plain-text cloud access credentials in open source code and not enabling logging in their cloud services. The latter makes investigating an incident difficult, according to the report.

In one example involving Microsoft Azure, Wueest describes how, once a hacker knew the URL structure of a data storage bucket, he or she could find those of other users by guessing the URL, provided they had the domain prefix and name of the target’s bucket. Even without a central listing, a simple dictionary attack script sufficed.

To avoid falling victim, Symantec suggested four procedures:

  • Ensure that you understand the settings of your cloud resources and configure them accordingly
  • Enable event logging to keep track of who is accessing data in the cloud
  • Read the cloud providers’ service-level agreements to learn how data in the cloud is secured
  • Include cloud IP addresses in vulnerability management processes and perform audits on any services that are provided through the cloud.
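
The following is an added example, not taken from Symantec's report or from this article: with event logging enabled, the folder guessing described above shows up as a single anonymous client receiving mostly 404 responses across many folder names. The log format, field names and thresholds are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict

# Constructed sample lines in a hypothetical format (not a provider's schema):
# timestamp  client_ip  auth_type  http_status  path
SAMPLE_LOG = """\
2015-01-01T10:00:01Z 203.0.113.7 anonymous 404 /backup/
2015-01-01T10:00:02Z 203.0.113.7 anonymous 404 /db/
2015-01-01T10:00:02Z 203.0.113.7 anonymous 404 /admin/
2015-01-01T10:00:03Z 203.0.113.7 anonymous 404 /logs/
2015-01-01T10:00:03Z 203.0.113.7 anonymous 200 /uploads/customers.csv
2015-01-01T10:00:04Z 203.0.113.7 anonymous 404 /private/
2015-01-01T10:00:04Z 203.0.113.7 anonymous 404 /test/
2015-01-01T10:05:00Z 198.51.100.20 anonymous 200 /public/logo.png
2015-01-01T10:05:01Z 198.51.100.20 anonymous 404 /public/old.png
2015-01-01T10:06:00Z 192.0.2.15 key 404 /staging/a.txt
2015-01-01T10:06:01Z 192.0.2.15 key 404 /staging/b.txt
"""

def find_guessing_clients(log_text, min_folders=5, min_miss_ratio=0.8):
    """Return {ip: report} for anonymous clients probing many missing folders."""
    stats = defaultdict(
        lambda: {"total": 0, "misses": 0, "folders": set(), "served": []})
    for line in log_text.splitlines():
        fields = line.split(maxsplit=4)
        if len(fields) != 5:
            continue  # skip blank or malformed lines
        _ts, ip, auth, status, path = fields
        if auth != "anonymous":
            continue  # only unauthenticated access is of interest here
        s = stats[ip]
        s["total"] += 1
        if status == "404":
            s["misses"] += 1
            s["folders"].add(path.strip("/").split("/")[0])
        elif status == "200":
            s["served"].append(path)
    report = {}
    for ip, s in stats.items():
        ratio = s["misses"] / s["total"]
        if len(s["folders"]) >= min_folders and ratio >= min_miss_ratio:
            # Paths served to this client were readable without credentials
            # and are the first settings to review.
            report[ip] = {"folders_probed": len(s["folders"]),
                          "served": s["served"]}
    return report

if __name__ == "__main__":
    for ip, finding in find_guessing_clients(SAMPLE_LOG).items():
        print(ip, finding)
```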

CDN Staff