{"id":429890,"date":"2022-04-11T15:00:01","date_gmt":"2022-04-11T12:00:01","guid":{"rendered":"https:\/\/en.buradabiliyorum.com\/cloud-server-leasing-can-leave-sensitive-data-up-for-grabs\/"},"modified":"2022-04-11T15:00:01","modified_gmt":"2022-04-11T12:00:01","slug":"cloud-server-leasing-can-leave-sensitive-data-up-for-grabs","status":"publish","type":"post","link":"https:\/\/buradabiliyorum.com\/en\/cloud-server-leasing-can-leave-sensitive-data-up-for-grabs\/","title":{"rendered":"#Cloud server leasing can leave sensitive data up for grabs"},"content":{"rendered":"<h1><span class=\"ez-toc-section\" id=\"%E2%80%9CCloud_server_leasing_can_leave_sensitive_data_up_for_grabs%E2%80%9D\"><\/span>&#8220;Cloud server leasing can leave sensitive data up for grabs&#8221;<span class=\"ez-toc-section-end\"><\/span><\/h1>\n<div>\n<div class=\"article-gallery lightGallery\">\n<div data-thumb=\"https:\/\/scx1.b-cdn.net\/csz\/news\/tmb\/2020\/cloudserver.jpg\" data-src=\"https:\/\/scx2.b-cdn.net\/gfx\/news\/hires\/2020\/cloudserver.jpg\" data-sub-html=\"Credit: Pixabay\/CC0 Public Domain\">\n<figure class=\"article-img\">\n            <img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/scx1.b-cdn.net\/csz\/news\/800a\/2020\/cloudserver.jpg\" alt=\"cloud server\" title=\"Credit: Pixabay\/CC0 Public Domain\" width=\"800\" height=\"530\"\/><figcaption class=\"text-darken text-low-up text-truncate-js text-truncate mt-3\">\n                Credit: Pixabay\/CC0 Public Domain<br \/>\n            <\/figcaption><\/figure>\n<\/p><\/div>\n<\/div>\n<p>Renting space and IP addresses on a public server has become standard business practice, but according to a team of Penn State computer scientists, current industry practices can lead to &#8220;cloud squatting,&#8221; which can create a security risk, endangering sensitive customer and organization data intended to remain private.<\/p>\n<p>Cloud squatting occurs when a company, such as your bank, leases space and IP addresses\u2014unique addresses that identify individual computers or computer networks\u2014on a public server, uses them, and then releases the space and 
addresses back to the public server company, a standard pattern seen every day. The public server company, such as Amazon, Google, or Microsoft, then assigns the same addresses to a second company. \u202fIf this second company is a bad actor, it can receive information coming into the address intended for the original company\u2014for example, when you as a customer unknowingly use an outdated link when interacting with your bank\u2014and use it to its advantage. This is cloud squatting.<\/p>\n<p>&#8220;There are two advantages to leasing server space,&#8221; said Eric Pauley, doctoral candidate in computer science and engineering. &#8220;One is a cost advantage, saving on equipment and management.\u202f The other is scalability. Leasing server space offers an unlimited pool of computing resources so, as workload changes, companies can quickly adapt.&#8221; As a result, the use of clouds has grown exponentially, meaning almost every website a user visits takes advantage of cloud computing. <\/p>\n<p>While the Penn State researchers suspected cloud squatting was possible, they designed an experiment to determine if cloud tenants were vulnerable and to quantify the extent of the problem. \u202fThe researchers set up a series of cloud server rentals from Amazon Web Services in its us-east-1 region, the region that serves the East Coast of the U.S. 
They rented server space for 10-minute intervals, received information sent to the address intended for previous tenants and then moved to another server location, repeating the process.\u202f They did not ask for any data, nor did they send out any data.\u202f Whatever unsolicited data they received was potentially intended for previous tenants. <\/p>\n<p>For example, if a mobile banking company rented server space, they would receive an IP address from the public cloud-services company.\u202f After they relinquished that server space and IP address, the next tenant of that space could receive any personal financial data sent by the bank&#8217;s customer to the IP address.  <\/p>\n<figure class=\"mb-4\" itemscope=\"\" itemtype=\"http:\/\/schema.org\/VideoObject\">\n    <meta itemprop=\"name\" content=\"Cloud server leasing can leave sensitive data up for grabs\"\/><br \/>\n    <meta itemprop=\"url\" content=\"https:\/\/scx2.b-cdn.net\/gfx\/video\/2022\/cloud-server-leasing-c.mp4\"\/><br \/>\n    <meta itemprop=\"description\" content=\"Cloud squatting explained. Credit: College of Engineering, Penn State\"\/><br \/>\n    <meta itemprop=\"uploadDate\" content=\"2022-04-11T04:53:59-04:00\"\/><br \/>\n        <meta itemprop=\"thumbnailUrl\" content=\"https:\/\/scx1.b-cdn.net\/gfx\/video_tmb\/2022\/cloud-server-leasing-c.mp4.jpg\"\/><br \/>\n    <meta itemprop=\"contentUrl\" content=\"https:\/\/scx2.b-cdn.net\/gfx\/video\/2022\/cloud-server-leasing-c.mp4\"\/><br \/>\n            <video class=\"embed-responsive embed-responsive-16by9\" id=\"jwVID68983\" controls=\"\" poster=\"https:\/\/scx1.b-cdn.net\/gfx\/video_tmb\/2022\/cloud-server-leasing-c.mp4.jpg\"><source src=\"https:\/\/scx2.b-cdn.net\/gfx\/video\/2022\/cloud-server-leasing-c.mp4\" type=\"video\/mp4\"><\/source><\/video><figcaption class=\"text-darken text-low-up mt-4\" itemprop=\"caption\">Cloud squatting explained. 
Credit: College of Engineering, Penn State<\/figcaption><\/figure>\n<p>The researchers note in the Proceedings of the 43rd IEEE Symposium on Security and Privacy that they &#8220;deployed over 3 million servers receiving 1.5 million unique IP addresses over 101 days.&#8221;\u202f They identified cloud servers, third-party services and Domain Name Servers (DNS) as sources of potentially serious security breaches.<\/p>\n<p>&#8220;The previous perception was that DNS was the sole risk,&#8221; said Pauley. &#8220;So, if DNS was secure, it was fine.\u202f Unfortunately, this was not a panacea.&#8221; <\/p>\n<p>Many of the 5 million pieces of data they received contained sensitive information, including financial transactions, GPS locations and personally identifiable information. <\/p>\n<p>&#8220;We did not knowingly receive health data but did confirm that an adversary could receive that data,&#8221; said Patrick McDaniel, holder of the William L. Weiss Chair in Information and Communications Technology in the School of Electrical Engineering and Computer Science, Penn State.\u202f&#8220;For example, requests received by one of our IP addresses were to the web site for Health and Human Services, HHS.gov. We did not further interact, but others could pretend to be an HHS service and get people to interact.&#8221; In this case, from the user&#8217;s perspective, they would believe they were talking to a legitimate government agency, exposing sensitive personal and health data. 
<\/p>\n<p>If companies use cloud messaging internally or cloud print services, then when those IP addresses are let go, information requests sent to those services by company staff who mistakenly attempt to use the old addresses or who are unaware that the addresses have changed can get into the wrong hands. <\/p>\n<p>&#8220;Our experiment collected, encrypted and sent anything we got off to a secure location for analyses,&#8221; said McDaniel. &#8220;We also took additional steps to ensure that any detected user data was protected.&#8221; <\/p>\n<p>McDaniel notes that the research was performed in compliance with Amazon&#8217;s Vulnerability Reporting program, which allows security researchers who are acting in good faith to conduct their research. <\/p>\n<p>The researchers immediately contacted the three major cloud server companies, AWS, Microsoft and Google, as well as vulnerable US Government agencies, to inform them of the vulnerabilities in their server practices. Amazon, after reviewing the information and an internal audit, is implementing a series of practices to try to contain cloud squatting on their servers. <\/p>\n<p>To resolve cloud squatting concerns, the researchers believe that there are mitigation efforts that should be made by both the cloud server companies and the clients who rent server space. From the cloud server side, one of the ways to thwart cloud squatting is to prevent IP address reuse. However, this is limited by the number of available IP addresses.  <\/p>\n<p>Second, &#8220;server companies can create reserved IP address blocks,&#8221; said McDaniel. 
&#8220;A large client organization could be assigned a fixed range of addresses that are recyclable within the company.&#8221;   <\/p>\n<p>Third, server companies can delay recycling of IP addresses, but the longer IP addresses are idle, the more it will cost the server company. <\/p>\n<p>From the client side, users can avoid producing IP address configurations that linger after cloud server IP addresses are let go. However, the researchers found that this rarely happens because there is often limited central control and oversight of IP address configurations within an organization. During interviews with affected cloud server users, the researchers found that many organizations have little visibility into how the dozens or hundreds of different accounts using cloud computing capabilities are being used and, most importantly, decommissioned, by departments and employees. <\/p>\n<p>&#8220;Generally speaking, the users fail to remove configurations that point to IP addresses on cloud servers,&#8221; said McDaniel. 
&#8220;It could be a decommissioned printer that is still in the menu or a domain name or a sticky note saying connect to a specific address.\u202f Because the problems are very broad and dispersed across many, many users, it can be very difficult to have overall methods to fix them.\u202f However, the common threads are a failure to monitor and decommission outdated configurations.&#8221; <\/p>\n<p>IP addresses used to be long-lived or static, but now they are dynamic, changing in hours or minutes.\u202f This introduces a large class of vulnerability, according to the researchers. <\/p>\n<p>&#8220;I would heed the conclusion that despite the overwhelming attraction of cloud servers, cloud computing is not without risk,&#8221; said Pauley. &#8220;However, by managing and watching their use, we can mitigate a lot of that danger. The free lunch that people thought the clouds were is not free. Companies have to weigh the risk to benefit.&#8221;<\/p>\n<hr class=\"mb-4\"\/>\n<p><strong>More information:<\/strong><br \/>\nMeasuring and Mitigating the Risk of IP Reuse on Public Clouds, Proceedings of the 43rd IEEE Symposium on Security and Privacy, 2022.<\/p>\n<div class=\"d-inline-block text-medium my-4\">\nProvided by<br \/>\n
Pennsylvania State University<br \/>\n<a rel=\"nofollow noopener\" target=\"_blank\" class=\"icon_open\" href=\"http:\/\/www.psu.edu\/\"><br \/>\n<svg>\n<use href=\"https:\/\/techx.b-cdn.net\/tmpl\/v2\/img\/svg\/sprite.svg#icon_open\" x=\"0\" y=\"0\"\/>\n<\/svg><br \/>\n<\/a><\/p><\/div>\n<div class=\"d-none d-print-block\">\n<p><strong>Citation<\/strong>:<br \/>\nCloud server leasing can leave sensitive data up for grabs (2022, April 11)<br \/>\nretrieved 11 April 2022<br \/>\nfrom https:\/\/techxplore.com\/news\/2022-04-cloud-server-leasing-sensitive.html<\/p>\n<p>This document is subject to copyright. Apart from any fair dealing for the purpose of private study or research, no<br \/>\npart may be reproduced without the written permission. The content is provided for information purposes only.<\/p><\/div>\n<\/p><\/div>\n<p><span style=\"color: black;\"><a style=\"color: #ff9900;\" href=\"https:\/\/techxplore.com\/news\/2022-04-cloud-server-leasing-sensitive.html\" target=\"_blank\" rel=\"noopener\">Source<\/a><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>&#8220;Cloud server leasing can leave sensitive data up for grabs&#8221; Credit: Pixabay\/CC0 Public Domain Renting space and IP addresses on a public server has become standard business practice, but according to a team of Penn State computer scientists, current industry practices can lead to &#8220;cloud squatting,&#8221; which can create a security risk, endangering sensitive 
customer&#8230;<\/p>\n","protected":false},"author":1,"featured_media":429891,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/scx2.b-cdn.net\/gfx\/news\/hires\/2020\/cloudserver.jpg","fifu_image_alt":"","footnotes":""},"categories":[16],"tags":[],"class_list":["post-429890","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-sciencee"],"_links":{"self":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/429890","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/comments?post=429890"}],"version-history":[{"count":0,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/429890\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media\/429891"}],"wp:attachment":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media?parent=429890"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/categories?post=429890"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/tags?post=429890"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}