Programmer exploits Windows vulnerability in cloud-based services

Windows data volumes (meaning virtual machine hard-drives) in public clouds such as Amazon Web Services can be copied and have their access credentials modified, allowing a hacker to glean insights into the data, a programmer has reported.

Programming author and consultant Jeff Cogswell identified the security vulnerability and showed how he executed a hack of his own data in a story titled "The Windows flaw that cracks Amazon Web Services" posted on His conclusion: Don't store sensitive information in the cloud, even if it is encrypted.

A caveat is that the would-be hacker needs access to the data volume in order to copy it and change the credentials, but Cogswell says employees at certain cloud providers have that capability. Although industry representatives played down the threat, Cogswell's findings could add to concerns potential users have about the security of public clouds.


The vulnerability exists because of a feature many public cloud providers offer that allows volumes to be copied. Copying volumes is helpful in test and development scenarios, for example, where programmers can tinker with an application and not have the changes impact the production environment. Cogswell says it's also a security vulnerability though.

To demonstrate the hack, Cogswell made a copy of his volumes and used a modified version of the offline password reset tool chntpw to change the credentials on the copied volume. Microsoft has issued patches to ensure chntpw does not allow credential resets, but Cogswell says he was able to modify the password reset tool to expose the vulnerability on new versions of Windows.

Once the Windows volume's password is reset, a hacker can manipulate the contents of the volume and replace the original with the modified copy. Software could be installed to run alongside the volume and track it, for example. The data could be perused by the hacker or changes could be made to the data.

Cloud industry advocates shot down the findings. John Howie, president of the Cloud Security Alliance, which advocates for strong security standards among cloud providers, called it a "non-issue." To exploit the vulnerability, the hacker must already have access to the data volume in order to copy and manipulate it. "The likelihood that someone at a cloud provider would perform this attack, even assuming they had access to the file store and there was no monitoring in place, is so small as to be negligible."

Cogswell points out that employees of public cloud providers have access to these volumes, especially at smaller cloud service providers. If a customer's own credentials are compromised, the data volume could also be exposed that way. Cogswell notes that he was not able to perform the hack on other users' data, only his own.
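As an added illustration, not taken from the article or from Cogswell's write-up, of the tenant-side detection a cloud customer can apply to the copy-then-mount pattern described above: the script below walks constructed EC2 API log lines laid out like CloudTrail records (eventName, userIdentity.arn, requestParameters, responseElements) and flags any volume restored from a snapshot that is attached to a host not approved for the source volume. The allow-list and every identifier are assumptions for the example; provider-side insider access, the case Cogswell is most concerned about, never appears in a customer's API log at all.

```python
import json

# Constructed sample log: five EC2 API events in CloudTrail-like shape. All
# account numbers, ARNs, volume, snapshot and instance IDs are invented.
SAMPLE_LOG = """
{"eventTime": "2013-01-10T09:00:00Z", "eventName": "CreateSnapshot", "userIdentity": {"arn": "arn:aws:iam::111111111111:user/backup-job"}, "requestParameters": {"volumeId": "vol-prod01"}, "responseElements": {"snapshotId": "snap-0001"}}
{"eventTime": "2013-01-10T21:15:00Z", "eventName": "CreateVolume", "userIdentity": {"arn": "arn:aws:iam::111111111111:user/ops-contractor"}, "requestParameters": {"snapshotId": "snap-0001"}, "responseElements": {"volumeId": "vol-copy77"}}
{"eventTime": "2013-01-10T21:20:00Z", "eventName": "AttachVolume", "userIdentity": {"arn": "arn:aws:iam::111111111111:user/ops-contractor"}, "requestParameters": {"volumeId": "vol-copy77", "instanceId": "i-scratch9"}}
{"eventTime": "2013-01-11T02:00:00Z", "eventName": "CreateVolume", "userIdentity": {"arn": "arn:aws:iam::111111111111:user/backup-job"}, "requestParameters": {"snapshotId": "snap-0001"}, "responseElements": {"volumeId": "vol-restore3"}}
{"eventTime": "2013-01-11T02:05:00Z", "eventName": "AttachVolume", "userIdentity": {"arn": "arn:aws:iam::111111111111:user/backup-job"}, "requestParameters": {"volumeId": "vol-restore3", "instanceId": "i-prod01"}}
"""

# Assumed policy input: which instances may mount copies of each production
# volume. CloudTrail does not provide this; the operator maintains it.
APPROVED_HOSTS = {"vol-prod01": {"i-prod01"}}


def find_suspect_restores(log_text, approved_hosts=APPROVED_HOSTS):
    """Correlate CreateSnapshot -> CreateVolume -> AttachVolume and return one
    alert dict per copied volume attached to a host not approved for its
    source volume. A copy that is never mounted produces no alert."""
    snapshot_source = {}  # snapshotId -> (source volumeId, creator ARN)
    volume_origin = {}    # volumeId   -> snapshotId it was restored from
    alerts = []
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        name = ev["eventName"]
        actor = ev["userIdentity"]["arn"]
        req = ev.get("requestParameters", {})
        resp = ev.get("responseElements", {})
        if name == "CreateSnapshot":
            snapshot_source[resp["snapshotId"]] = (req["volumeId"], actor)
        elif name == "CreateVolume" and "snapshotId" in req:
            # Only volumes built from a snapshot are copies worth tracking.
            volume_origin[resp["volumeId"]] = req["snapshotId"]
        elif name == "AttachVolume" and req["volumeId"] in volume_origin:
            snap = volume_origin[req["volumeId"]]
            src_vol, snap_creator = snapshot_source.get(snap, (None, None))
            if req["instanceId"] not in approved_hosts.get(src_vol, set()):
                alerts.append({
                    "time": ev["eventTime"], "actor": actor,
                    "copy_volume": req["volumeId"], "snapshot": snap,
                    "source_volume": src_vol, "snapshot_creator": snap_creator,
                    "attached_to": req["instanceId"],
                })
    return alerts


if __name__ == "__main__":
    for alert in find_suspect_restores(SAMPLE_LOG):
        print(json.dumps(alert))
```

Run against the constructed log this raises exactly one alert, for the copy of vol-prod01 that ops-contractor mounted on i-scratch9; the restore of the same snapshot onto the approved production host is silent.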

The use of chntpw to reset the credentials that control access to the volume is something that could be done on Windows volumes stored with any cloud provider, or on an on-premises volume, he notes. "This tool has in the past been used primarily to reset passwords on a Windows machine where the passwords were forgotten, or by employees trying to gain Administrator access to their work computers; that sort of thing," Cogswell wrote in an e-mail. "As such, it's never really been considered a high security threat. But by having bootable copies of Windows in a cloud, an insider could easily make a copy of your cloud-based hard drive, take the copy home, and spend hours hacking into it using tools such as the one I described."

The vulnerability reinforces Cogswell's belief that sensitive data should not be stored in the cloud, he says. Simple encryption methods would not even protect against this vulnerability, because code can be modified in a similar way to gain access to the keys that are stored in the encrypted file to decrypt the information in some cases. Encryption methods that store the keys to the encrypted information separately from the encrypted data may be more secure, however.

A Microsoft spokesperson said security is a top priority and "a variety of security technologies and procedures (are used) to help protect customer information from unauthorized access, use, or disclosure." The company did not specifically address the ability of employees to access customer files or the use of the chntpw reset tool, though. Amazon officials have not yet responded.

Senior Writer Brandon Butler covers cloud computing for Network World and He can be reached at and found on Twitter at @BButlerNWW. Read his Cloud Chronicles here.
