Stratosphere: Finding Vulnerable Cloud Storage Buckets
- URL: http://arxiv.org/abs/2309.13496v1
- Date: Sat, 23 Sep 2023 23:27:19 GMT
- Title: Stratosphere: Finding Vulnerable Cloud Storage Buckets
- Authors: Jack Cable, Drew Gregory, Liz Izhikevich, Zakir Durumeric
- Abstract summary: Misconfigured cloud storage buckets have leaked hundreds of millions of medical, voter, and customer records.
These breaches are due to a combination of easily-guessable bucket names and error-prone security configurations.
We introduce Stratosphere, a system that learns how buckets are named in practice in order to efficiently guess the names of vulnerable buckets.
- Score: 3.591117014415182
- License: http://creativecommons.org/licenses/by/4.0/
- Abstract: Misconfigured cloud storage buckets have leaked hundreds of millions of medical, voter, and customer records. These breaches are due to a combination of easily-guessable bucket names and error-prone security configurations, which, together, allow attackers to easily guess and access sensitive data. In this work, we investigate the security of buckets, finding that prior studies have largely underestimated cloud insecurity by focusing on simple, easy-to-guess names. By leveraging prior work in the password analysis space, we introduce Stratosphere, a system that learns how buckets are named in practice in order to efficiently guess the names of vulnerable buckets. Using Stratosphere, we find widespread exploitation of buckets and vulnerable configurations continuing to increase over the years. We conclude with recommendations for operators, researchers, and cloud providers.
Related papers
- Exploiting Leakage in Password Managers via Injection Attacks [16.120271337898235]
This work explores injection attacks against password managers.
In this setting, the adversary controls their own application client, which they use to "inject" chosen payloads to a victim's client via, for example, sharing credentials with them.
arXiv Detail & Related papers (2024-08-13T17:45:12Z)
- EmInspector: Combating Backdoor Attacks in Federated Self-Supervised Learning Through Embedding Inspection [53.25863925815954]
Federated self-supervised learning (FSSL) has emerged as a promising paradigm that enables the exploitation of clients' vast amounts of unlabeled data.
While FSSL offers advantages, its susceptibility to backdoor attacks has not been investigated.
We propose the Embedding Inspector (EmInspector) that detects malicious clients by inspecting the embedding space of local models.
arXiv Detail & Related papers (2024-05-21T06:14:49Z)
- Leveraging AI Planning For Detecting Cloud Security Vulnerabilities [15.503757553097387]
Cloud computing services provide scalable and cost-effective solutions for data storage, processing, and collaboration.
Access control misconfigurations are often the primary driver for cloud attacks.
We develop a PDDL model for detecting security vulnerabilities which can for example lead to widespread attacks such as ransomware.
arXiv Detail & Related papers (2024-02-16T03:28:02Z)
- Protecting Sensitive Tabular Data in Hybrid Clouds [0.0]
Regulated industries, such as Healthcare and Finance, are starting to move parts of their data and workloads to the public cloud.
We address the security and performance challenges of big data analytics using a hybrid cloud in a real-life use case from a hospital.
arXiv Detail & Related papers (2023-12-03T11:20:24Z)
- Using Honeybuckets to Characterize Cloud Storage Scanning in the Wild [3.105093346087614]
In this work, we analyze to what extent actors target poorly-secured cloud storage buckets for attack.
We deployed hundreds of AWS S3 honeybuckets with different names and content to lure and measure different scanning strategies.
arXiv Detail & Related papers (2023-12-01T13:41:41Z)
- Exploring Security Practices in Infrastructure as Code: An Empirical Study [54.669404064111795]
Cloud computing has become popular thanks to the widespread use of Infrastructure as Code (IaC) tools.
The scripting process does not automatically prevent practitioners from introducing misconfigurations, vulnerabilities, or privacy risks.
Ensuring security relies on practitioners' understanding and adoption of explicit policies, guidelines, or best practices.
arXiv Detail & Related papers (2023-08-07T23:43:32Z)
- A Survey of Label-Efficient Deep Learning for 3D Point Clouds [109.07889215814589]
This paper presents the first comprehensive survey of label-efficient learning of point clouds.
We propose a taxonomy that organizes label-efficient learning methods based on the data prerequisites provided by different types of labels.
For each approach, we outline the problem setup and provide an extensive literature review that showcases relevant progress and challenges.
arXiv Detail & Related papers (2023-05-31T12:54:51Z)
- REaaS: Enabling Adversarially Robust Downstream Classifiers via Robust Encoder as a Service [67.0982378001551]
We show how a service provider pre-trains an encoder and then deploys it as a cloud service API.
A client queries the cloud service API to obtain feature vectors for its training/testing inputs.
We show that the cloud service only needs to provide two APIs to enable a client to certify the robustness of its downstream classifier.
arXiv Detail & Related papers (2023-01-07T17:40:11Z)
- Reinforcement Learning on Encrypted Data [58.39270571778521]
We present a preliminary, experimental study of how a DQN agent trained on encrypted states performs in environments with discrete and continuous state spaces.
Our results highlight that the agent is still capable of learning in small state spaces even in the presence of non-deterministic encryption, but performance collapses in more complex environments.
arXiv Detail & Related papers (2021-09-16T21:59:37Z)
- NAS-FAS: Static-Dynamic Central Difference Network Search for Face Anti-Spoofing [94.89405915373857]
Face anti-spoofing (FAS) plays a vital role in securing face recognition systems.
Existing methods rely on expert-designed networks, which may lead to a sub-optimal solution for the FAS task.
Here we propose the first FAS method based on neural architecture search (NAS), called NAS-FAS, to discover well-suited task-aware networks.
arXiv Detail & Related papers (2020-11-03T23:34:40Z)
This list is automatically generated from the titles and abstracts of the papers in this site.