The San Francisco-based security company CloudPassage recently offered a $5,000 prize to any “hacker” who could successfully gain access to web-based servers – like those used by major companies today – configured with assorted operating systems, programs and applications, according to an article published by the San Francisco Chronicle. The article asked a question that the CloudPassage exercise wished to answer: “How long would it take to hack into an average server – the kind a company might rent from the likes of Amazon Web Services?”
According to the Chronicle’s report, CloudPassage configured “six servers, two running Microsoft operating systems and four running Linux-based operating systems,” and then invited a number of individuals from a range of technical backgrounds to break past the security and get inside. Access was gained in approximately four hours by a novice hacker who, according to the article, “has worked for a technology company for a little over a year and is taking classes toward a bachelor’s degree in computer science.”
The winning hacker, California Polytechnic State University student Gus Gray, was quoted in the article as saying, “I just thought I’d spend two or three hours poking around and see what I could learn, and it would make for an interesting evening.” The article indicates that CloudPassage configured these six systems “without any security beyond the default setting required to get them to run, mimicking the setups they often see among clients.” CloudPassage director Andrew Hay was quoted in the article as saying, “People use cloud because it is fast, it is cheap, and it takes little to no time to get up and running. That’s what’s motivating a lot of people. They’re not thinking of these security ramifications.”
The article stated that, according to Gartner, the technology research firm, the “cloud-based market” grew to an “estimated $9.2 billion” as companies moved from expensive servers managed in their own brick-and-mortar locations to “online” cloud data centers; the exercise suggests that all this money may not be buying the security people assume comes with it. According to the report, after discovering the vulnerability and winning the prize, Gray returned to work and put some measures in place. Gray was quoted in the article as saying, “As soon as I had finished and saw the results, I basically came back to my own company and immediately implemented a couple of changes to prevent something similar happening at my company.”
Read about how Gus Gray found the path into these servers so quickly, and what experts think needs to change as a result of this exercise, in the full article at the San Francisco Chronicle.