Cloud Databases: Another Worrying Attack Vector

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.

Cloud databases are worrying things from a security perspective, warns Tom Brewster

The debate over whether security is better or worse in the cloud rages on. The vendors say they have the security expertise and protections most companies can neither afford nor effectively implement. Others say that’s nonsense: how can a vendor with less knowledge of a customer’s risk profile provide better security than the customer itself?

And, following the Edward Snowden revelations, many CIOs are feeling let down by cloud suppliers who promised them encryption keys would be kept safe from the prying eyes of governments.

More cloud = more vulnerabilities

Whatever you think, the more cloud services come online, the more vulnerabilities are opened up. That’s the double-edged sword users have to accept if they want to enjoy the cost and scalability benefits the cloud brings.

It’s no surprise that even those esoteric cloud services that don’t make the headlines can be exploited. Imperva is now warning that database-as-a-service (DBaaS) is a worrying new attack vector.

“In databases, most of the vulnerabilities discovered are privilege escalation related, meaning that you have to have access to the database first, and then you can exploit a vulnerability,” explains Barry Shteiman, director of security strategy at Imperva.

“While on-premise databases are isolated, with DBaaS, anyone including a hacker can open an account and have a database sitting on the same infrastructure as retailers and any customer that you can imagine. They already have the login/user account to the server solved – which makes the vulnerabilities in the cloud much more viable as an attack vector.

“Once a hacker compromises a DBaaS, the breach may include any customer data that resides on that infrastructure, which makes the problem exponential.”

As proof this form of attack is genuinely concerning, Shteiman points to the breach of MongoHQ, a MongoDB cloud services provider, from October this year. It reported “attackers were able to use the impersonation feature to access the MongoHQ accounts database, and used connection information to access some customer databases directly”.

It appeared the attacker was on the hunt for social media logins and financial data in customer databases. This was serious business. The FBI was brought in to work alongside forensic experts to determine what went wrong. Employee support applications were completely shut down.

How had the attacker breached the cloud database provider? A simple login leak, resulting from “a credential that had been shared with a compromised personal account”. In other words, an employee had reused a work password on a personal account, and that account was compromised. Once the hacker had that credential for the support application, they were able to use an “impersonate” feature to act as if they were a logged-in customer, meaning they could access customer databases. This kind of illicit acquisition of administrative privileges is precisely the threat Shteiman is worried about.
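The chain above has three weak links: a single reusable password, an impersonation feature that any support login could point at any customer, and the feature handing back raw database connection information. The following is an added illustration, not MongoHQ’s or Imperva’s code; nothing is known here about how the real support application was built, and every name, key and record in it is constructed. It puts a model of the weak design beside a hardened one: a second factor at login, an impersonation token that is short-lived, signed and scoped to one staff member and one customer, an audit record for every step, and a server-side access path that never exposes the tenant’s connection string.

```python
"""Toy model of a DBaaS support-console "impersonate" feature.
Added example, not MongoHQ's or Imperva's code. All keys, customers,
staff records and documents below are constructed for illustration."""
import base64
import hashlib
import hmac
import json

SIGNING_KEY = b"constructed-server-side-key"  # assumption: never leaves the server
TOKEN_TTL = 300                                # seconds an impersonation token lives

# Constructed tenant records: the provider stores each customer's connection string.
CUSTOMERS = {
    "acme": {"conn": "mongodb://acme:pw1@db.internal/acme",
             "docs": {"users": ["ann", "bob"]}},
    "shop": {"conn": "mongodb://shop:pw2@db.internal/shop",
             "docs": {"orders": ["o-1", "o-2"]}},
}

# Constructed support staff. A reused password alone is what leaked in the breach.
SUPPORT_USERS = {"alice": {"password": "reused-everywhere", "mfa_secret": "123456"}}

AUDIT_LOG = []


def weak_impersonate(user, password, customer_id):
    """The failure mode: one reusable password unlocks impersonation of any
    customer, and the console returns the raw connection string, which an
    attacker can then use directly from anywhere."""
    if SUPPORT_USERS.get(user, {}).get("password") != password:
        raise PermissionError("bad login")
    return CUSTOMERS[customer_id]["conn"]


def sign_claims(claims):
    """HMAC-sign a claims dict: base64(json) + '.' + hex MAC."""
    body = base64.urlsafe_b64encode(
        json.dumps(claims, sort_keys=True).encode()).decode()
    mac = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"


def verify_token(token):
    """Check the MAC in constant time and return the claims, or refuse."""
    body, mac = token.rsplit(".", 1)
    expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        raise PermissionError("tampered token")
    return json.loads(base64.urlsafe_b64decode(body))


def hardened_impersonate(user, password, mfa_code, customer_id, ticket, now):
    """Hardened shape: password plus second factor, a support ticket to justify
    the access, a short-lived token scoped to one staff member and one customer,
    and an audit record. The connection string is never returned."""
    staff = SUPPORT_USERS.get(user)
    if staff is None or staff["password"] != password:
        raise PermissionError("bad login")
    if not hmac.compare_digest(staff["mfa_secret"], mfa_code):
        raise PermissionError("second factor required")
    if customer_id not in CUSTOMERS or not ticket:
        raise PermissionError("unknown customer or missing ticket")
    token = sign_claims({"staff": user, "customer": customer_id,
                         "ticket": ticket, "exp": now + TOKEN_TTL})
    AUDIT_LOG.append({"at": now, "staff": user, "customer": customer_id,
                      "ticket": ticket, "event": "impersonate"})
    return token


def read_as_customer(token, collection, now):
    """Server-side use of the token: every read re-verifies the token, checks
    expiry, is logged, and returns only application data for the scoped tenant."""
    claims = verify_token(token)
    if now > claims["exp"]:
        raise PermissionError("token expired")
    tenant = CUSTOMERS[claims["customer"]]
    AUDIT_LOG.append({"at": now, "staff": claims["staff"],
                      "customer": claims["customer"], "event": f"read:{collection}"})
    return tenant["docs"].get(collection, [])


def is_denied(fn, *args):
    """Demonstration helper: True when the call is refused with PermissionError."""
    try:
        fn(*args)
    except PermissionError:
        return True
    return False
```

With the weak design, the leaked password is enough to pull every tenant’s connection string. With the hardened one, the same password without the second factor is refused, a forged or expired token is refused, the token’s claims carry no connection details, and both the impersonation and each read leave an entry in the audit log that an investigator can follow.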

“Cloud infrastructure introduces collision. All of a sudden different customers share the same infrastructure, which means that any potential breach to either the service provider or one of its customers, may affect all of the service users,” he adds.

The killer line from MongoHQ in its advisory was this: “We still recommend being paranoid.” That’s good advice for all IT chiefs considering moving databases, or anything else for that matter, to the cloud.
