Security

Amazon Cloud Could Be Security Hole

Cloud services are now vulnerable to malicious use, a security company has suggested, after a techie worked out how Amazon's EC2 service could be used as a BitTorrent file harvester and host.

Amazon's Elastic Compute Cloud (EC2) is a web service software developers can use to access computing, compilation and software trialling power on a dynamic basis, without having to install the resources locally.

Now a developer, Brett O'Connor, has come up with a step-by-step method for using the same service to host an open source BitTorrent application called TorrentFlux.

Getting this up and running on Amazon would require some technical know-how, but would be within the reach of a moderately experienced user, right down to following O'Connor's command line low-down on how to install the public TorrentFlux app straight to Amazon's EC2 rather than a user's local machine.

Finding an alternative way of using BitTorrent matters to hardcore file sharers because ISPs and admins alike are increasingly keen to block such bandwidth-eating traffic on home and business links, and O'Connor's EC2 guide was clearly written to that end - using the Amazon service would make such blocking unlikely.

"I created a web-based, open-source Bittorrent 'machine' that liberated my network and leveraged Amazon's instead," says O'Connor. He then quips "I can access it from anywhere, uploading Torrent files from wherever, and manage them from my iPhone."

However, security company GSS claims the guide shows the scope for possible abuse, using EC2 to host or 'seed' non-legitimate BitTorrent file distribution.

"This means, says Hobson, that hackers and other interested parties can simply use a prepaid (and anonymous) debit card to pay the $75 a month fee to Amazon and harvest BitTorrent applications at high speed with little or no chance of detection," said David Hobson of GSS.

"The danger here is that companies may find their staff FTPing files from Amazon EC2 - a completely legitimate domain - to the firm's computers, resulting in an internal computer infection. The consequences of this do not bear thinking about," he continued.

Despite a certain amount of Internet comment on the 'O'Connor method', Amazon has yet to respond publically to the issue. Amazon already supports the BitTorrent protocol through its Simple Storage Service (S3), though a heavy user would likely find this service much more expensive than EC2.

It's not clear that O'Connor's clever work-out represents anything new in principle, but it does raise the issue of how cloud computing providers plan to monitor and manage what their services are being used for. There is no suggestion that O'Connor intended the method to be used improperly.

As well as being notorious way of sharing software, music and video illegally, BitTorrent has also become an occasional channel for malware distribution. The assumption has always been that non-Torrent channels would simply be an easier way to distribute malware to a mass audience, but this week's packing of an Apple Trojan inside a Torrent supposedly distributing pirated copies of Apple's iWork 09 suggests this view might be out of date.

Subscribe to the Security Watch Newsletter

Comments