Hostwinds Blog


Security Firm Uses Hackers to Test Server Vulnerability

The San Francisco-based security company CloudPassage recently offered a $5,000 prize to any "_hacker_" who could successfully gain access to web-based servers – like those used by major companies today – configured with assorted operating systems, programs, and applications, according to an article published by the San Francisco Chronicle. The article posed the question that the CloudPassage exercise set out to answer: "_How long would it take to hack into an average server – the kind a company might rent from the likes of Amazon Web Services?_"

According to the Chronicle's report, CloudPassage configured "_six servers, two running Microsoft operating systems and four running Linux-based operating systems_", then invited several individuals from numerous technological backgrounds to break past the security and get inside. Unfortunately, access was gained in approximately four hours by a novice hacker who, according to the article, "_has worked for a technology company for a little over a year and is taking classes toward a bachelor's degree in computer science._"

The winning hacker, California Polytechnic State University student Gus Gray, was quoted in the article as saying, "_I just thought I'd spend two or three hours poking around and see what I could learn, and it would make for an interesting evening._" The article indicates that CloudPassage configured these six systems "_without any security beyond the default setting required to get them to run, mimicking the setups they often see among clients._" CloudPassage director Andrew Hay was quoted in the article as saying, "_People use the cloud because it is fast, it is cheap, and it takes little to no time to get up and running. That's what's motivating a lot of people. They're not thinking of these security ramifications._"

The article stated that, according to Gartner – the technology research firm – as companies make a significant change from expensive servers managed within their brick-and-mortar locations to "online" cloud data centers, the "_cloud-based market_" grew to an "_estimated $9.2 billion_", proving that all this money may not be buying the security people think they are getting. According to the report, after discovering the vulnerability and winning the prize, Gray returned to work and put some measures in place. Gray was quoted in the article as saying, "_As soon as I had finished and saw the results, I basically came back to my own company and immediately implemented a couple of changes to prevent something similar happening at my company._"

Read about how Gus Gray found the path into these servers so quickly, and what experts think needs to change as a result of this exercise, in the full article at the San Francisco Chronicle.

Written by Bryon Turcotte  /  December 26, 2013
