(Translated from the original Italian)
The title is borrowed from a presentation made by Francis Brown of Stach & Liu, Hacker Halted 2011 in Miami.
The presentation focus on two topics that are crucial in the modern scenario:
- Cloud Computing
- Search engines
The presentation demonstrated the fact that the overall safety of complex systems can be impacted by incorrect implementation of the "cloud" paradigm.
Through the knowledge of authentication mechanisms is relatively easy to retrieve access codes, passwords and secret keys necessary for access to data stored within a cloud as happened for Amazon's EC3.
Let me remind you the OSINT definition:
"A form of intelligence collection management that involves finding, selecting, and acquiring information from publicly available sources and analyzing it to produce actionable intelligence."
LulzSec and Anonymous are believed to use Google Hacking as a primary means of identifying vulnerable targets, as it provides a complete and regularly updated source where it is possible to retrieve info regarding:
- Advisories and Vulnerabilities
- Error Messages
- Files containing juicy info
- Files containing passwords
- Files containing usernames
- Pages containing login portals
Application developers and system administrators who want to deploy their applications on cloud infrastructures should be aware that files can be subject to indexing of search engines through an ordinary Google search.
Francis Brown of Stach & Liu LCC has proved this during the event... I invite all to the careful reading of the paper. That is incredible!
I will conclude by saying that the maturity of a paradigm like the cloud can be measured through the security processes implemented and through the level of knowledge of administrators and developers who intend to use it.
Unfortunately today the scenario is still far from reassuring.
Cross-posted from Security Affairs