DOI: 10.1145/3471621.3473500
research-article, Public Access

Stratosphere: Finding Vulnerable Cloud Storage Buckets

Published: 07 October 2021

Abstract

Misconfigured cloud storage buckets have leaked hundreds of millions of medical, voter, and customer records. These breaches are due to a combination of easily guessable bucket names and error-prone security configurations, which, together, allow attackers to easily guess and access sensitive data. In this work, we investigate the security of buckets, finding that prior studies have largely underestimated cloud insecurity by focusing on simple, easy-to-guess names. By leveraging prior work in the password analysis space, we introduce Stratosphere, a system that learns how buckets are named in practice in order to efficiently guess the names of vulnerable buckets. Using Stratosphere, we find widespread exploitation of buckets and vulnerable configurations continuing to increase over the years. We conclude with recommendations for operators, researchers, and cloud providers.


Cited By

  • (2024) This Is Going on Your Permanent Record: A Legal Analysis of Educational Data in the Cloud. ACM Journal on Responsible Computing 1(3), 1–27. https://doi.org/10.1145/3675230. Online publication date: 4 Jul 2024.
  • (2024) Securing Graph Neural Networks in MLaaS: A Comprehensive Realization of Query-based Integrity Verification. 2024 IEEE Symposium on Security and Privacy (SP), 2534–2552. https://doi.org/10.1109/SP54263.2024.00110. Online publication date: 19 May 2024.
  • (2024) Using Honeybuckets to Characterize Cloud Storage Scanning in the Wild. 2024 IEEE 9th European Symposium on Security and Privacy (EuroS&P), 95–113. https://doi.org/10.1109/EuroSP60621.2024.00014. Online publication date: 8 Jul 2024.
  • (2023) Cloud Watching: Understanding Attacks Against Cloud-Hosted Services. Proceedings of the 2023 ACM on Internet Measurement Conference, 313–327. https://doi.org/10.1145/3618257.3624818. Online publication date: 24 Oct 2023.


Published In

RAID '21: Proceedings of the 24th International Symposium on Research in Attacks, Intrusions and Defenses
October 2021
468 pages
ISBN:9781450390583
DOI:10.1145/3471621
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 07 October 2021


Qualifiers

  • Research-article
  • Research
  • Refereed limited

Funding Sources

  • NSF

Conference

RAID '21

Acceptance Rates

Overall Acceptance Rate 43 of 173 submissions, 25%


Article Metrics

  • Downloads (last 12 months): 349
  • Downloads (last 6 weeks): 64

Reflects downloads up to 09 Nov 2024
