Investigation reveals serious cloud computing data security flaws

Context Information Security found that data stored by a cloud customer could be accessed by the next customer to spin up a VM on the same disk.

A UK security company has revealed the long-awaited details of a research study involving four cloud service providers (CSPs) that pinpointed serious cloud computing data security problems, including the ability for customers, in some cases, to access each other's stored data. Context Information Security initially brought the issues to light a year ago when it carried out research to test the security of four CSPs.


In April 2011, Context produced a white paper detailing the tests it carried out against Amazon EC2, Gigenet, Rackspace and VPS.net. Context did not name the four CSPs at the time, but it released the names today. Context outlined a range of security failings it had found as well as issues customers should consider when moving to a CSP.

At the most basic level, Context found the virtual machines (VMs) provided by all four CSPs lacked up-to-date security patches and did not have antivirus software included. In addition, some of the CSPs had backdoors to allow their own administration staff to have access to the VMs.

But the most serious flaw, detected at the time in offerings from Rackspace and VPS.net, was that data left by one customer was not deleted automatically and could conceivably show up on the VM belonging to the next customer using that disk space.

Mike Jordon, CTO for London-based Context, said such a security oversight could be exploited by a criminal.

“You can spin up a new VM, see what’s on the disk and copy it. Then you delete that VM, start another, and so on,” Jordon said. “An attacker could continuously automate the process of harvesting more and more data, then gather it all and go through it to look for credit card numbers, personal data or credentials. It’s just like ‘Hoovering’ up the data from the cloud provider and using it to carry out an attack.”

Context first reported its findings to the four CSP companies a year ago, and gave them six months to fix the problems before going public with the information. Six months later the fixes had not been completed, so Context allowed another six months, and then produced a partial report in March. After communicating with the legal departments of Rackspace and VPS.net, Context did not name those two CSPs at the time of the partial report, but said it would reveal the full facts on April 24.

Context has now published more details on the “dirty disk” vulnerability in the Context Information Security blog.

Rackspace has recently declared it has solved the “dirty disk” problem by moving all its Linux-based VM customers, who previously ran under an open source Xen hypervisor, to Citrix XenServer (which was already supporting its Windows-based VM customers). Context confirmed it had retested the Rackspace system and the fix was effective.

In a prepared statement, Rackspace said, “Rackspace has identified and fully resolved a potential security vulnerability for some Linux customers on our legacy Cloud Servers platform. An independent consulting firm alerted us that, in certain use cases, when a customer’s data was deleted from the shared file system, fragments of that data may have been left behind on the physical hard disk for a period of time.”

The Rackspace statement continued, “What we resolved was a vulnerability, rather than an exploitation of customer data. We know of no case of customer data being viewed or exploited in any way by an unauthorised party. To resolve this issue, we have ensured that all data is wiped effectively whenever disk space moves from one customer to the next. And we have cleaned up all fragments of remnant data.”

VPS.net recently communicated to Context that it has fixed the problem. The cloud services offered by VPS.net are based on the OnApp cloud platform that is also used by more than 250 other cloud providers around the world. 

Carlos Rego, chief visionary officer for London-based OnApp, said his company has introduced an optional feature that allows companies to zero-fill their disk areas after using a VM, but insisted not all companies would want or need it.

“How useful the data [is that] you can find in this way is debatable,” Rego said, referring to the ability of a CSP’s customer to access data left behind by another customer.

Rego said zero-filling whole areas of disk is resource-intensive and expensive, so many of the low-cost CSPs using the OnApp platform might find it uneconomical to offer the feature to their clients.

“There is a big cost because it puts a lot of stress on the systems, and some low-cost providers may not be able to absorb the costs; you get what you pay for,” Rego said.
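A tenant-side check for the “dirty disk” condition and the zero-fill mitigation Rego describes, as an added example (not Context's or OnApp's code): it counts non-zero blocks on a freshly attached volume, which should be zero after a correct wipe, and shows the zero-fill a provider would run before reassigning the space. The 4096-byte block size, the file-backed image and the sample leftover data are assumptions constructed here.

```python
import os
import tempfile
from dataclasses import dataclass, field

BLOCK = 4096  # inspection unit; assumed to match the provider's allocation unit
DEMO_REMNANT = b"constructed remnant: previous tenant's notes\n"  # fake data made up here


@dataclass
class ScanResult:
    total_blocks: int = 0
    dirty_blocks: int = 0
    first_dirty_offsets: list = field(default_factory=list)


def scan_residual_blocks(path, block_size=BLOCK, report=5):
    """Count blocks that are not all zero; a correctly wiped volume reports none."""
    zero = b"\x00" * block_size
    res = ScanResult()
    with open(path, "rb") as fh:
        while chunk := fh.read(block_size):
            off = res.total_blocks * block_size
            res.total_blocks += 1
            if chunk != zero[: len(chunk)]:  # short final chunk vs. zero prefix
                res.dirty_blocks += 1
                if len(res.first_dirty_offsets) < report:
                    res.first_dirty_offsets.append(off)
    return res


def zero_fill(path, block_size=BLOCK):
    """Overwrite the whole image/device with zeros before the space is reassigned.
    Size comes from seeking to the end, so this works for block devices too."""
    with open(path, "r+b") as fh:
        size = fh.seek(0, os.SEEK_END)
        fh.seek(0)
        written = 0
        while written < size:
            n = min(block_size, size - written)
            fh.write(b"\x00" * n)
            written += n
        fh.flush()
        os.fsync(fh.fileno())
    return written


def make_dirty_image(blocks=64, dirty_at=(3, 17, 40)):
    """Constructed 'recycled disk' image: zeros plus a few blocks of fake leftover data."""
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as fh:
        for i in range(blocks):
            fh.write(DEMO_REMNANT.ljust(BLOCK, b"\x00") if i in dirty_at else b"\x00" * BLOCK)
    return path
```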

Rego added the Context findings underline the need for clients to perform due diligence when adopting any outsourced IT service to make sure they know what they are getting.

Context’s Jordon said the research reveals a lack of maturity in the cloud service market, and indicates companies still need to do more to boost security. He warned customers to view any cloud-based servers as they would any other Internet-facing server.

“You have to remember that these servers are in a hostile environment, they are not in your server room anymore, and you have to look after security,” Jordon said. “For instance, we talked to Rackspace about the reliability of their standard build, and they were very clear that what they are providing is an unpatched machine that the customer is responsible for patching.”
