Open Source Exploits In The Clouds Big Data Services Cloud Tradecraft

Join us in the Black Hills InfoSec Discord server here: discord.gg/BHIS to keep the security conversation going!

Reach out to Black Hills Infosec if you need pentesting, threat hunting, ACTIVE SOC, incident response, or blue team services -- blackhillsinfosec.com/

00:00 - Introduction and Problem statement
04:18 - Exploitation timeline
08:28 - MapReduce and Hadoop overview, overview of open source software built on the Hadoop architecture and their vulnerabilities
14:15 - Live demonstration of standing up a stack in EMR, terminology, auto-scaling risks, proper security postures for any new cloud
23:50 - Other security resources available to you including EyeWitness, GoWitness, and Webshot
28:43 - Continuation of the live demo
33:58 - Step by step recreation of the live demonstration with questions answered
43:11 - How to combat vulnerabilities in new technologies and staying ahead of the curve, NCC Group's scout
52:16 - Q&A and Closing Thoughts

Description: Let's move our ops to the cloud, they said. It will be easy, fun, and "secure". Everything is safe, right? The Cloud is certified for every compliance standard ever drafted. It must be safe. So what happens when windows get left open on your cloud? How about doors with old rusty locks?

This webcast covers a disclosure first made to AWS support in December of 2018. The conversation was quiet for a while. BHIS re-submitted the disclosure and worked with AWS Security Operations for the next few months to share a finding/vulnerability/exposure, what have you.

On the webcast, we talk a bit about the nature of open source solutions and the risks they present. We talk a bit about the cloud and the risks it presents. A lot of AWS-specific service language is used and hopefully explained in a meaningful way. And we offer up the Shodan query that identifies the possibly open doors. Oh, and we go ahead and demo the nature of the exposure as well (shells).

Sadly, the nature of the exposure has left many doors open. Those doors lead to virtual private clouds across the globe.

This is one of the scarier webcasts we've been a part of, and for that, we'd like to say we shared everything we could, including a blog write-up that explains in all the gory detail how risky Hue / Hadoop / Spark and the Apache big data clusters can be to an organization.

blackhillsinfosec.com/securing-the-cloud-a-story-of-research-discovery-and-disclosure/

Slides for this webcast can be found here: blackhillsinfosec.com/wp-content/uploads/2020/09/SLIDES_OpenSourceExploitsinCloudsBigDataServices.pdf

Black Hills Infosec Socials
Twitter: twitter.com/BHinfoSecurity
Mastodon: infosec.exchange/@blackhillsinfosec
LinkedIn: linkedin.com/company/antisyphon-training
Discord: discord.gg/ffzdt3WUDe

Black Hills Infosec Shirts & Hoodies
spearphish-general-store.myshopify.com/collections/bhis-shirt-collections

Black Hills Infosec Services
Active SOC: blackhillsinfosec.com/services/active-soc/
Penetration Testing: blackhillsinfosec.com/services/
Incident Response: blackhillsinfosec.com/services/incident-response/

Backdoors & Breaches - Incident Response Card Game
Backdoors & Breaches: backdoorsandbreaches.com/
Play B&B Online: play.backdoorsandbreaches.com/

Antisyphon Training
Pay What You Can: antisyphontraining.com/pay-what-you-can/
Live Training: antisyphontraining.com/course-catalog/
On Demand Training: antisyphontraining.com/on-demand-course-catalog/

Educational Infosec Content
Black Hills Infosec Blogs: blackhillsinfosec.com/blog/
Wild West Hackin' Fest YouTube: youtube.com/wildwesthackinfest
Active Countermeasures YouTube: youtube.com/activecountermeasures
Antisyphon Training YouTube: youtube.com/antisyphontraining

Join us at the annual information security conference in Deadwood, SD (in-person and virtually) — Wild West Hackin' Fest: wildwesthackinfest.com/
