Black hat software companies are scrambling to address a growing problem: hackers exploiting vulnerabilities in the software they are selling to large corporations.
The black hat community, which encompasses companies such as the CIA, Cisco, IBM and the U.S. Army, has been quietly developing and testing security measures for years to combat this threat, but the industry’s response has been slow.
Now, the black hats are demanding that these companies fix security vulnerabilities.
“Black hat security is the name of the industry we are fighting,” said Paul Kucharski, a security researcher at Cisco.
“The companies who are selling us black hats can’t afford to take the security vulnerabilities seriously.
In other words, these companies are using their own technology to create software that does not actually protect the system from attack, but rather just presents a threat that the user cannot see.”
Black hat security researchers have discovered and patched vulnerabilities in a number of the most popular cloud services including Amazon Web Services, Google Compute Engine and Microsoft Azure, and have found more than a dozen in a database used to store cloud data.
Black hat security researcher Alexey Shorokhov wrote that the vulnerabilities, which are not known publicly, allow attackers to take over control of a vulnerable service, such as AWS, and run commands on it.
Shorokhov told The Guardian that he has developed software to detect and exploit these vulnerabilities and has published details of his work on his blog.
Black Hat said it has not found any vulnerabilities that would allow for attacks on other services.
But many other companies are not as fortunate.
A cybersecurity researcher at Intel who asked to remain anonymous said his company, Cisco Systems, discovered the vulnerabilities in October and fixed them in December.
“The most common flaw is a remote code execution vulnerability that could allow a malicious actor to take control of the system and execute arbitrary code, including code executed from outside the network,” said the researcher.
“There is a way to mitigate this issue in the API, but it requires that the attacker can access credentials, which can be difficult for the attacker to do.”
Intel said it fixed the flaw in September, but declined to comment further on the vulnerability.
The company did not respond to a request for comment on the Black Hat report.
Other companies have also found vulnerabilities and patched them, but they did not release details of their work, nor did they confirm whether they had discovered the Black Hats' vulnerabilities.
Another researcher who did not want to be identified told The Guardian that Black Hat’s approach is different from that of the large corporate cloud providers, who are typically cautious about the impact of the vulnerabilities they discover.
“A large cloud company will look at a bug as an attack,” said this researcher, who did an analysis of the Black hats' findings but did not speak to The Guardian on the condition that he not be named.
“They will look into the vulnerability and then work on patching it.
Black hats are very much focused on finding flaws in the systems they sell to large companies.”
A security researcher said there is a significant market for security vulnerabilities that are not widely publicized and the Black Hats have been quick to exploit them.
“You see a lot of the big companies doing this, and the major cloud providers are not going to take it seriously because they have not seen any impact on their business,” he said.
“It’s a huge market and it is a huge opportunity for the Black hat guys.”
The Black hats have been able to exploit vulnerabilities in Amazon’s AWS cloud storage service because the company uses a proprietary storage engine called Amazon S3.
The Black Hat researchers said the vulnerabilities could allow attackers who have access to a server to steal access to it and then install malicious code that can be used to take complete control of it.
Amazon has denied that its S3 service is vulnerable.
Amazon’s security team has told the BBC that it has a strong track record of keeping customer data safe, and that the software used by Black Hat is widely used by its customers.
Amazon declined to be interviewed for this story.