For three pennies an hour, hackers can rent Amazon.com's servers to wage cyber attacks such as the one that crippled Sony Corp.'s PlayStation Network and led to the second-largest online data breach in U.S. history.

A hacker used Amazon's Elastic Compute Cloud, or EC2, service to attack Sony's online entertainment systems last month, a person with knowledge of the matter said May 13. The intruder, who used a bogus name to set up an account that's now disabled, didn't hack into Amazon's servers, the person said.

The incident helps illustrate the dilemma facing Chief Executive Officer Jeff Bezos: Amazon's cloud-computing service is as cheap and convenient for hackers as it is for customers ranging from Netflix Inc. to Eli Lilly & Co. Last month's attack on Sony compromised more than 100 million customer accounts, the largest data breach in the U.S. since intruders stole credit and debit card numbers from Heartland Payment Systems in 2009.

“Anyone can go get an Amazon account and use it anonymously,” said Pete Malcolm, chief executive officer of Abiquo Inc., a Redwood City, California-based company that helps customers manage data internally and through cloud computing. “If they have computers in their back bedroom they are much easier to trace than if they are on Amazon's Web Services.”

Network Resumption
Sony on May 14 partially restarted its PlayStation Network and Qriocity services, which had been shut since April 20 because of the intrusion. The company has hired three security firms to investigate and is working with law enforcement officials.

Sony has faced a backlash from regulators and customers over the time it took to warn customers that their data may have been stolen.

Drew Herdener, a spokesman for Seattle-based Amazon, the world's largest online retailer, declined to comment. Amazon didn't respond to a request to speak with Bezos. Patrick Seybold, a U.S. spokesman for Tokyo-based Sony, declined to comment beyond public statements made on the matter.

The Federal Bureau of Investigation will likely subpoena Amazon or seek a search warrant to access the history of transactions, trace who had access to the specific Internet address at the time and get details on payment data, said E.J. Hilbert, president of the security company Online Intelligence and a former FBI cyber-crime investigator.

FBI Probe
FBI Special Agent Darrell Foxworth, a spokesman for the agency's San Diego office, said he couldn't comment on whether the bureau served Amazon with a search warrant or subpoena and that investigators are following up “each and every lead.”

Amazon's Herdener declined to say whether his employer had been subpoenaed or served with a search warrant.

Amazon Web Services leases computing space to companies so they don't have to buy their own servers to store data and handle a surge in visitors. Prices for EC2 range from 3 cents to $2.48 an hour for users on the east coast of the U.S., according to its website.

Signing up to the service requires a name, e-mail address, password, phone number, billing address and credit card information. Users get an automated call from Amazon and are asked to dial in a four-digit verification code to complete the registration process.

That's not enough to scare off hackers seeking to conduct attacks anonymously, and Amazon doesn't have the means to detect illegal uses of its servers, Abiquo's Malcolm said.

Good Versus Bad
“Realistically, Amazon can't do anything to prevent it,” Malcolm said. “There is no way of telling who's a good guy and who's a bad guy.”

Web Services generated about $500 million in revenue for Amazon in the past year, according to estimates at Barclays Capital. That's about 1.5 percent of 2010 sales at Amazon, which doesn't disclose sales from the unit.

Amazon fell $10.05, or 5 percent, to $192.51 at 4 p.m. New York time on the Nasdaq Stock Market. Sony was little changed today in Tokyo trading.

As companies from Amazon to Microsoft Corp. build server farms worldwide, the services can help hackers hide their tracks, said Hilbert.

Cloud services are also attractive for hackers because the use of multiple servers can facilitate tasks such as cracking passwords, said Ray Valdes, an analyst at Gartner Inc. Amazon could improve measures to weed out bogus accounts, he said.

Hijacked Servers
The use of hijacked or rented servers to launch attacks is typical for sophisticated hackers, according to Hilbert.

Chinese hackers used the servers of a major U.S. Internet service provider in 2008 to break into a government agency and several defense contractors, according to a secret Nov. 3, 2008, cable exposed by Wikileaks.

The hackers “used at least three separate systems at the unnamed ISP in multiple network intrusions and have exfiltrated data via these systems,” according to the cable.

In some cases, hackers hide their tracks beneath several layers of proxy servers that can span the globe. A recent attack against computers in South Korea was controlled from servers in more than 20 different countries, according to Georg Wicherski, a security analyst at Santa Clara, California-based McAfee Inc. The identity of the offenders is unknown, he said.

Rethinking Cloud
Malicious attacks in the U.S. are on the rise. They made up 31 percent of data breaches in 2010, up from 24 percent a year earlier, with each event costing U.S. businesses an average of $7.2 million, according to a March report by the Ponemon Institute.

The study found that about 85 percent of all U.S. companies have experienced one or more attacks.

Last month's incursion was “very carefully planned, very professional, highly sophisticated criminal cyber attack,” Sony has said.

The episode will cause individuals and companies to rethink what data to put on the cloud and force companies to potentially double what they spend on application security, said Murray Jennex, an associate professor at San Diego State University who specializes in computer systems security. In the long run, it will be cheaper than being hacked, he said.

“This puts cloud computing into proper perspective,” Jennex said. “Everybody's been thinking it's chic and ignoring the security aspect. I think this reminds companies that things that make them great need to stay under their control.”

Bloomberg News


Copyright 2018 Bloomberg. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.
