Another black eye for Amazon? Hackers may have used AWS in crippling Sony attack

Amazon Web Services has been taking some PR knocks in recent weeks. First came the massive outage, which sparked anger and frustration among many core customers. Now word comes that Amazon Web Services was the platform that hackers used to disrupt Sony’s PlayStation Network and Qriocity service late last month.

Bloomberg News reports — citing an anonymous source — that the hackers rented server space from Amazon’s EC2. The story notes:

The hackers didn’t break into the Amazon servers, the person said. Rather, they signed up for the service just as a legitimate company would, using fake information. Even so, the breach at Amazon is likely to call attention to concerns some businesses have voiced over the security of computing services delivered via others’ remote servers, referred to as cloud computing.

According to Bloomberg, Amazon.com likely will receive a subpoena in a case now being investigated by the FBI.

Late last month, Sony issued this statement on the security breach.

Although we are still investigating the details of this incident, we believe that an unauthorized person has obtained the following information that you provided: name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID. It is also possible that your profile data, including purchase history and billing address (city, state, zip), and your PlayStation Network/Qriocity password security answers may have been obtained. If you have authorized a sub-account for your dependent, the same data with respect to your dependent may have been obtained. While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility.

The news that the hackers used Amazon Web Services to launch their attack will likely draw more scrutiny of cloud computing at a time when Amazon is still trying to repair its image after last month’s outage. Furthermore, AWS certainly doesn’t want to gain a reputation as the launching point for crippling cyberattacks, something that The Register pointed out has occurred in the past.

  • http://twitter.com/evanjacobs Evan Jacobs

    Blaming Amazon for the Sony attack is like blaming Ford for a bank robbery because the getaway driver drove a Taurus.

  • http://twitter.com/gamedude007 GamerDude

    While I don’t blame AWS, I think the Ford analogy might be a little off. It’s like me going to rent a tank and then taking out a bank without the tank guys doing some checks. Credit card companies don’t just give you unlimited credit from the get-go – you need to work your way up. Similarly, AWS should be doing more serious verification on accounts as those accounts get access to more powerful resources. Getting access to 5 m1.small machines shouldn’t be gated too much. But getting access to 20 m2.4xlarge machines that are each capable of taking down a site on their own should probably require some more checks. Plus there should be better platform-level checks built into AWS to make sure you’re not launching spam attacks / TCP SYN attacks etc from inside EC2 and quickly catching and investigating offenders.

  • Imperio59

    This is really over-simplification and finger-pointing designed to spread more confusion for the masses and smear the name of cloud computing. How is it different for someone to spin up an EC2 instance and launch my attack from there with a fake name, than to purchase one or several dedicated boxes in any of the thousands of hosting providers that exist and launch an attack from there?

    It’s probably faster and easier to request the hardware on EC2, but when you sign up for an AWS account there ARE several security checks in place. I have had an account with Amazon for over 5 years without a single payment incident and they still spent a day reviewing my application for an AWS account…

    Unless the investigation shows that part of the attack was a DDOS attack using a large number of EC2 instances, then the point is moot. Also I have no doubt Amazon will cooperate fully with any investigation and turn over as much information as it still has about the IPs the attacker(s) used to connect to the EC2 instances etc…

    I agree with Evan, you can’t blame Amazon for this, otherwise why not blame also Microsoft or the Linux foundation for the OS the hacker used to perform the hack, or blame Comcast for carrying the attackers’ packets over their network, or blame the hackers’ parents for conceiving him in the first place? It’s ridiculous!

    It’s not anyone’s fault but the hacker(s)’ (and possibly Sony’s carelessness, although I have no doubt that they did have many security measures in place already before the attack) that this happened. This definitely wasn’t just some “kiddie” requesting 20 large EC2 instances and running some small DDOS script…

  • johnhcook

    Thanks for the comments. Bloomberg News followed up on this very topic in their story:

    “Sony Attack Shows Amazon’s Cloud Service Lures Hackers at Pennies an Hour”

    http://www.bloomberg.com/news/2011-05-15/sony-attack-shows-amazon-s-cloud-service-lures-hackers-at-pennies-an-hour.html

  • http://twitter.com/dierken dierken

    How can “didn’t break into the Amazon servers” and “the breach at Amazon” be in the same paragraph? You’re just going to let Bloomberg say that without pointing out how ludicrous it is? What is it about new technology that old media can’t stand, or at least can’t be objective about?

  • Guest

    Thank you for requesting an EC2 instance. Before we proceed with your request, please answer the following security question.

    Will this EC2 instance be used to attack a corporate network? YES/NO