Simanaitis Says

On cars, old, new and future; science & technology; vintage airplanes, computer flight simulation of them; Sherlockiana; our English language; travel; and other stuff

HEY! YOU! GET OFF MY CLOUD!

PROFESSORS AT Worcester Polytechnic Institute’s Vernam Group hacked Amazon Web Services, the Cloud computing business that earned Amazon more than $6 billion in 2015. Then, honest guys that WPI’s Thomas Eisenbarth and Berk Sunar are, these two reported the vulnerability at the 2015 Symposium on Security and Privacy, organized by the IEEE, Institute of Electrical and Electronics Engineers.


My undergraduate degree in mathematics is from WPI, 1965. I have yet to use Amazon Web Services.

The WPI researchers let Amazon know of the problem. “They weren’t very happy,” Professor Sunar said, “but they were cooperative and very open to our feedback.”

And for good reason. Cloud security is essential if this innovative concept of remote computing is to avoid resembling an open bank vault. WPI’s Vernam Group and others of its kind play a crucial role in exposing leaks that put sensitive data at risk.

The latest issue of WPI Research 2017 gives details of this research, supported in part by grants from the National Science Foundation. “Keeping the Clouds from Leaking,” by Neil Savage, reads like a spy tale wrapped in the digital code of 0s and 1s. At its core is the Cloud, Internet-based computing that uses shared resources accessed on demand.


The Cloud. Image by Sam Johnson.

Loosely, our earthbound devices needn’t store the data or the relevant software. Instead, we store the data in the Cloud and borrow the Cloud’s software only when we need it.

Technically, the Cloud is very elegant: Software is always at its updated finest. Data are held without limit and, in principle, securely. (Albeit at a cost, of course. Remember Amazon Web Services’ $6 billion in 2015.)


This and other images by Greg Mably in WPI Research 2017.

Vernam Group’s Cloud hacking, complex indeed, is based on an elemental fact of electronics: A transistor draws slightly different power depending on whether it’s holding a digital 0 or a digital 1, and a chip takes slightly different amounts of time depending on what it’s computing. By measuring these fluctuations, a hacker can infer what the chip is doing without ever reading its memory; cryptographers call such a leak a side channel. In a public cloud nobody can clip a probe onto Amazon’s hardware, so the Vernam Group measured time rather than power: how long memory accesses took through a processor cache that their own virtual machine shared with a neighbor’s. Notes Professor Eisenbarth, “If you look at hundreds or thousands of operations, you can see quite a bit.”


Thomas Eisenbarth, Assistant Professor, Electrical & Computer Engineering, WPI.

Amazon’s Cloud, for example, has many users sharing what might be thought of as virtual computers running on the same physical hardware. A user who can monitor the behavior of that shared hardware can eavesdrop on a neighbor. Much of the Cloud’s security rests on public-key cryptography, in particular RSA keys, named after Ron Rivest, Adi Shamir and Leonard Adleman, the computer scientists who first described this encryption and digital-signature algorithm in 1977.


However, Eisenbarth and his colleagues at Vernam Group were able to decipher RSA keys from Amazon’s virtual computers. “Our attack was really the first that successfully recovered an RSA encryption key from a neighboring instance in the Cloud,” Professor Sunar noted.


Berk Sunar, Professor, Electrical & Computer Engineering, WPI.

WPI Research 2017 author Neil Savage writes, “Like safecrackers carefully listening to the sound of the tumblers in the lock, they parsed out the code, digit by digit.”
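To see why “parsing out the code, digit by digit” works, here is an added toy example written for this page; it is not code from the WPI researchers, the blog’s author or Amazon. It assumes the small textbook RSA numbers p = 61, q = 53 (so n = 3233, e = 17, d = 2753) and a message of 65, all chosen for illustration. The recorded S/M trace stands in for whatever a side channel lets a neighbor observe: the naive exponentiation does a squaring for every key bit and an extra multiplication only for the 1 bits, so the sequence of operations is the private exponent in binary. The ladder variant performs the same operations for every key of a given length, so its trace tells the observer nothing.

```python
# Added illustration, not the WPI group's attack code.  Toy RSA parameters
# (assumed for this example; real keys are 2048 bits or longer).
P, Q = 61, 53
N = P * Q                 # 3233
E = 17                    # public exponent
D = 2753                  # private exponent: E * D == 1 (mod (P-1)*(Q-1))
MESSAGE = 65              # constructed sample plaintext


def square_and_multiply(base, exp, mod, trace):
    """Naive left-to-right binary exponentiation.

    Every exponent bit costs one squaring ("S"); a 1 bit costs an extra
    multiplication ("M").  `trace` collects that operation sequence, standing
    in for what a side channel (power, timing, cache) lets a neighbor see.
    """
    result = 1
    for bit in bin(exp)[2:]:              # most significant bit first
        result = (result * result) % mod
        trace.append("S")
        if bit == "1":
            result = (result * base) % mod
            trace.append("M")
    return result


def recover_exponent(trace):
    """Read the exponent back out of an S/M trace, one bit at a time.

    An S immediately followed by an M is a 1 bit; an S followed by another S
    (or by the end of the trace) is a 0 bit.
    """
    bits = []
    i = 0
    while i < len(trace):
        if trace[i] != "S":
            raise ValueError("malformed trace at position %d" % i)
        if i + 1 < len(trace) and trace[i + 1] == "M":
            bits.append("1")
            i += 2
        else:
            bits.append("0")
            i += 1
    return int("".join(bits), 2)


def montgomery_ladder(base, exp, mod, trace, nbits):
    """Exponentiation whose operation sequence does not depend on the key.

    Each of the `nbits` steps does exactly one multiply and one square
    whatever the bit is, so the trace is identical for every exponent of that
    length.  Invariant before every step: r1 == r0 * base (mod mod).
    """
    r0, r1 = 1, base % mod
    for bit in bin(exp)[2:].zfill(nbits):
        if bit == "0":
            r1 = (r0 * r1) % mod
            r0 = (r0 * r0) % mod
        else:
            r0 = (r0 * r1) % mod
            r1 = (r1 * r1) % mod
        trace.append("M")
        trace.append("S")
    return r0


def naive_trace(exp):
    """Operation trace of the naive routine for one exponent, as a string."""
    trace = []
    square_and_multiply(MESSAGE, exp, N, trace)
    return "".join(trace)


def ladder_trace(exp, nbits=12):
    """Operation trace of the ladder for one exponent (12 bits fits D)."""
    trace = []
    montgomery_ladder(MESSAGE, exp, N, trace, nbits)
    return "".join(trace)


def demo():
    """Encrypt, let a 'neighbor' watch the decryption, and recover D from it."""
    ciphertext = square_and_multiply(MESSAGE, E, N, [])
    observed = []
    plaintext = square_and_multiply(ciphertext, D, N, observed)
    recovered = recover_exponent(observed)
    return ciphertext, plaintext, recovered


if __name__ == "__main__":
    c, m, d = demo()
    print("ciphertext", c, "plaintext", m, "private exponent recovered:", d == D)
    print("naive traces differ for two 12-bit keys:", naive_trace(D) != naive_trace(2049))
    print("ladder traces identical for the same keys:", ladder_trace(D) == ladder_trace(2049))
```

Two caveats a practitioner would add. First, in the real AWS attack the observable was not an S/M sequence read off a wire but the pattern of cache lines the neighbor’s sliding-window RSA code touched in the shared last-level cache; the trace here is a stand-in for that channel. Second, the ladder only fixes the operation count: it still branches on the secret bit, which a cache or branch-predictor channel can see, so production code must also make its memory access pattern and control flow independent of the key.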

After learning of Vernam Group’s success, Amazon and the maintainers of the affected cryptographic libraries patched the problem. Notes Savage, “They also pointed out that it would be difficult for less sophisticated and less diligent users to duplicate what the WPI team had accomplished.”

However, the fix is effective only if users install the patch. Savage notes, “about half of Amazon AWS users are still running outdated libraries. The door the WPI team walked through is far from closed.”


Many of us sit back confidently saying “I don’t use the Cloud.” However, whether we realize it or not, we do.

Savage observes, “Anyone using Dropbox or Evernote to store files or Netflix to watch movies is putting their data in the Cloud, and it might be stolen if security breaks down.”

In fact, Vernam Group recently received another NSF grant to identify vulnerabilities on mobile platforms such as smartphones. “Malicious apps,” warns Savage, “perhaps in the guise of something benign like a game, can gather information about the processes running on a phone to access information about the user, for example, tracking the user’s location or capturing credit card numbers.”

Professor Sunar concludes saying, “If there’s any opening in any system, sooner or later it will be attacked.”

We’re fortunate when the attackers are on our side. ds

© Dennis Simanaitis, SimanaitisSays.com, 2017
