Cloud404 :: Cloud Computing, Risk Management, Security, Compliance


Archive for the ‘General Concepts’ Category

Marketeering


Written by Craig

May 21, 2010 at 5:02 pm

Posted in FUD, General Concepts

Cloud Investigation – Part Deux


As “the cloud” becomes an architectural option for businesses to leverage, many questions arise that, given what security pros have been through over the last 10 years, seem basic:

  1. How is data protected?
  2. How is data accessed by my applications or those of a business partner?
  3. If there is an incident, how can I investigate and what evidence can I collect?

Questions #1 and #2 will likely get the most attention initially as “the cloud” matures and is embraced. However, once the move to the cloud is made and an incident occurs, question #3 will jump in priority.

I’d like to share some thoughts on the differences between investigations within “the cloud” and those of a more traditional kind (i.e. a server that is on premise and under full control, or a single laptop where you can quickly obtain a hard drive and memory image).

First, there’s an important distinction to be made. In some cases, especially in consumer-focused services, very little investigation can be performed (that is, unless you have subpoena power). Providers simply don’t offer such interfaces because consumers (a) generally don’t perform investigative activities and (b) many privacy issues arise. For example, it’s difficult to determine who has actually browsed photos that are being stored online via a photo management service. This makes sense, because most consumers aren’t very paranoid about who is browsing their photos, and the security controls that the providers offer tend to be straightforward. However, with a service such as e-mail, some consumers would like to know if an outsider is gaining access to their information. For example, within Google’s Gmail, one can see a list of the last few IP addresses (and client types) that have accessed a mailbox. Basically, you are given what the application provider wants you to have. It’s difficult, if not impossible, to peel back the onion and access the data that is often needed to reach technically accurate conclusions. Also, the services are usually low-cost (or free), so the phrase “you get the support that you pay for” usually rings true.

Next, if we look at the enterprise scenario, access to low-level data within the security investigation process is quite important. The enterprise wants to peel back the onion and obtain low-level information about how the application is behaving, even if it is running in “the cloud.” When a security incident occurs, enterprise security teams want to be empowered to perform their own investigation without depending on the provider. From a provider perspective, “self-service” is an important element in achieving product scale. So, we have to figure out how to investigate: (a) what information we can get, and (b) where and how we can obtain it.

Let’s rewind a bit — when a business decides to adopt cloud computing, it’s likely in one of the following deployment options:

  • Software as a service (SaaS): Microsoft Online BPOS, Google Gmail, etc.  High in the stack. You consume the software, and can’t programmatically alter how it behaves (however, it’s likely there are a few knobs to change configuration).
  • Platform as a service (PaaS): Microsoft Azure, Google Apps, etc. You consume a platform, and upload applications that run within the provider’s “hosted sandbox.”   In this model, there’s little access to the underlying OS, but you can upload code that runs at the provider’s site.
  • Infrastructure as a service (IaaS): Amazon AWS, GoGrid, etc.  Full access to virtual machines running on the provider’s site.

In each of these scenarios, data has different states:

  • Data is at rest, written on the disk within an application-specific or OS-specific file format.  This state may contain de-allocated data (i.e. deleted files) that may not be used by the application or operating system, but is still accessible since it has not been reallocated and overwritten.
  • Data is in motion, being transmitted from a source to a destination over a network via numerous protocols, all encapsulated within each other, and each with different types of security (or, frequently within old protocols and applications, none at all).
  • Data is in execution, loaded into memory as a process, which contains a series of executable steps that the processor is going to execute (threads). A process may need to reference data (such as a file), so it loads it into memory. Therefore, if you look at a snapshot of the memory of a server at any given time, you’d find process information, machine instructions, and allocated/de-allocated data. In this state, data may be de-allocated (i.e. memory that has been released by a process and not yet reallocated/overwritten), but is still accessible.

Within each deployment option, the accessibility of data within each state differs. In addition, so do the primary and collateral investigative sources of data.
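To make the “de-allocated but still accessible” point concrete, here is a small added example (mine, not part of the post): a toy disk image in Python where a delete only clears the allocation map, so a carver scanning free blocks still finds the record, until a later write reuses those blocks. The block layout, the `LOG1` record header and the file contents are constructed; it is not a real filesystem, and the same principle applies to freed process memory.

```python
"""
Toy disk image showing why "deleted" data stays recoverable until its blocks are
reallocated and overwritten. Added example: the block layout, record format
(a LOG1 header plus a 2-byte length) and all file contents are constructed;
this is not a real filesystem.
"""
import struct
from dataclasses import dataclass, field

BLOCK = 16       # bytes per block (assumed)
NBLOCKS = 8      # image size: 128 bytes
MAGIC = b"LOG1"  # constructed record header a carver can look for


@dataclass
class Image:
    data: bytearray = field(default_factory=lambda: bytearray(BLOCK * NBLOCKS))
    allocated: list = field(default_factory=lambda: [False] * NBLOCKS)
    files: dict = field(default_factory=dict)  # name -> list of block indexes


def make_record(content: bytes) -> bytes:
    """Application-specific on-disk format: header, big-endian length, body."""
    return MAGIC + struct.pack(">H", len(content)) + content


def write_file(img: Image, name: str, payload: bytes) -> list:
    """Allocate the lowest free blocks and copy the payload in (NUL padded)."""
    need = -(-len(payload) // BLOCK)  # ceiling division
    free = [i for i, used in enumerate(img.allocated) if not used]
    if len(free) < need:
        raise OSError("disk full")
    blocks = free[:need]
    for n, b in enumerate(blocks):
        chunk = payload[n * BLOCK:(n + 1) * BLOCK].ljust(BLOCK, b"\0")
        img.data[b * BLOCK:(b + 1) * BLOCK] = chunk
        img.allocated[b] = True
    img.files[name] = blocks
    return blocks


def delete_file(img: Image, name: str) -> None:
    """An ordinary delete: only the allocation map changes, the bytes stay put."""
    for b in img.files.pop(name):
        img.allocated[b] = False


def carve_unallocated(img: Image) -> list:
    """Scan free blocks for records and return the bodies that are still intact.
    A record whose later blocks were handed to a new file is treated as lost."""
    found = []
    for b, used in enumerate(img.allocated):
        off = b * BLOCK
        if used or bytes(img.data[off:off + 4]) != MAGIC:
            continue
        (length,) = struct.unpack(">H", img.data[off + 4:off + 6])
        end = off + 6 + length
        if end > len(img.data):
            continue
        spanned = range(b, (end - 1) // BLOCK + 1)
        if any(img.allocated[i] for i in spanned):
            continue
        found.append(bytes(img.data[off + 6:end]))
    return found


def demo():
    """Returns (records carved after delete, records carved after block reuse)."""
    img = Image()
    write_file(img, "audit.log", make_record(b"user=alice action=export rows=5000"))
    write_file(img, "notes.txt", make_record(b"short"))
    delete_file(img, "audit.log")
    after_delete = carve_unallocated(img)      # deleted log is still on "disk"
    write_file(img, "big.bin", b"\xff" * 40)   # new file reuses the freed blocks
    after_reuse = carve_unallocated(img)       # now it is gone
    return after_delete, after_reuse


if __name__ == "__main__":
    print(demo())
```

The forensic takeaway for the matrices: at the IaaS layer you can image the virtual disk and carve it yourself; at the PaaS and SaaS layers the provider owns the blocks, so whatever was de-allocated is only recoverable if the provider exposes it, and the window closes as soon as the storage is reused.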

I’ve tried to build out a few matrices to further understand the intersections, and how to focus investigative & evidence collection activities.

Certainly a work in progress, but you may find them helpful.

Infrastructure-as-a-Service matrix (image)

Platform-as-a-Service matrix (image)

Software-as-a-Service matrix (image)

Written by Craig

January 22, 2010 at 11:30 pm

Cracking in the Cloud


Looks like password cracking is moving to the cloud. In this case, it’s cracking WPA wireless encryption from a simple protocol sniff: the attacker only needs about $17 and the ability to intercept some network packets. Not difficult.

A cloud-based password “auditing” service clearly makes sense (of course, only for auditors and testers), since modern password cracking is based upon the attacker having (a) access to hashes, encrypted values, or handshake data, (b) knowledge of the algorithm, (c) enough CPU to do something with it, and/or, if needed, (d) large enough datastores to use precomputed tables (rainbow tables).

quote:

WPA Cracker is a cloud cracking service for penetration testers and network auditors who need to check the security of WPA-PSK protected wireless networks.

WPA-PSK networks are vulnerable to dictionary attacks, but running a respectable-sized dictionary over a WPA network handshake can take days or weeks. WPA Cracker gives you access to a 400CPU cluster that will run your network capture against a 135 million word dictionary created specifically for WPA passwords. While this job would take over 5 days on a contemporary dual-core PC, on our cluster it takes an average of 20 minutes, for only $17.

That said, we’ll likely see the magic of the cloud challenge many of the past security assumptions and tasks which have been infeasible due to resources or lack of ability to execute.
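The quoted figures make a nice cost model, and that model is what a defender should use to set passphrase policy. The example below is mine (added here, not the WPA Cracker service’s code): it derives a WPA2 Pairwise Master Key the way an access point does, PBKDF2-HMAC-SHA1 with 4096 rounds salted by the SSID, which is the step that has to be repeated once per guess, and then turns the post’s numbers (135 million words, 20 minutes, 400 CPUs) into a guess rate and the time needed to exhaust different passphrase populations. The SSID, the passphrase scenarios and the local timing loop are constructed; the “password”/“IEEE” vector is the published IEEE 802.11i test case.

```python
"""
Cost model behind a WPA2-PSK dictionary attack, from the defender's side.
Added example, not the WPA Cracker service's code. The SSID, rates and
passphrase scenarios are constructed; "password"/"IEEE" is the published
IEEE 802.11i PMK test vector.
"""
import hashlib
import time

PBKDF2_ROUNDS = 4096  # fixed by IEEE 802.11i
PMK_LEN = 32          # bytes


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the Pairwise Master Key the way an AP or client does:
    PBKDF2-HMAC-SHA1 over the passphrase, salted with the SSID.
    This is the work an attacker must repeat for every candidate."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), PBKDF2_ROUNDS, PMK_LEN)


def local_guess_rate(ssid: str = "constructed-ssid", samples: int = 50) -> float:
    """Measure PMK derivations per second on this machine (single core)."""
    start = time.perf_counter()
    for i in range(samples):
        wpa2_pmk(f"candidate{i}", ssid)
    return samples / (time.perf_counter() - start)


def guess_rate(words: int, seconds: float) -> float:
    """Rate implied by a quoted figure, e.g. 135 million words in 20 minutes."""
    return words / seconds


def seconds_to_exhaust(keyspace: int, rate: float) -> float:
    """Worst case: every candidate is tried."""
    return keyspace / rate


def years(seconds: float) -> float:
    return seconds / (365.25 * 24 * 3600)


def exposure_report(rate: float) -> dict:
    """Seconds to exhaust several passphrase populations at one guess rate
    (constructed scenarios alongside the post's 135M-word dictionary)."""
    return {
        "135M-word WPA dictionary": seconds_to_exhaust(135_000_000, rate),
        "8 random lowercase letters": seconds_to_exhaust(26 ** 8, rate),
        "12 random letters+digits": seconds_to_exhaust(36 ** 12, rate),
    }


if __name__ == "__main__":
    cluster = guess_rate(135_000_000, 20 * 60)   # figures from the quoted post
    print(f"cluster rate ~{cluster:,.0f} guesses/s, "
          f"this core ~{local_guess_rate():,.0f} guesses/s")
    for name, secs in exposure_report(cluster).items():
        print(f"{name:30s} {secs:14,.0f} s  ({years(secs):,.1f} years)")
```

Run it and two things stand out. A single core manages a few hundred derivations per second, which is exactly why the post’s “over 5 days on a dual-core PC” figure is plausible (135 million in five days is about 300 per second), and the 400-CPU cluster is simply that rate multiplied out. Against that cluster the whole 135-million-word dictionary falls in 20 minutes and eight random lowercase letters in about three weeks, while twelve random letters and digits need over a million years at the same rate. The fix is not a better cipher; it is a passphrase that is not in anyone’s dictionary, plus enough length that the keyspace, not the CPU budget, decides.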

On this note, another interesting article arose this week.  It involves wireless, but not our home networks.  Instead, it’s about cracking GSM and telephone conversations.

quote:

The problem was highlighted in August when German hackers announced a project to create a code table that cracked the standard GSM cell phone A5/1 encryption. Then, Cellcrypt CEO Simon Bransfield-Garth claimed that the development was worrying, as it marks a massive lowering of the bar for criminal organisations to illegally tap mobile phone conversations.

Here he claimed that the ‘lack of security is particularly worrying’. He said: “Businesses must plan now for the eventuality that their mobile voice calls will come under increasing attack within the next six months. A ‘policy of hope’ towards mobile phone security is not adequate, voice is another data service and should be afforded the same security considerations as email and other corporate communications.”

Will we see an analogous service that focuses on GSM conversations rather than wireless networks?

For my home network, I have the ability to use encryption that’s higher in the stack (TLS/SSL) to help ensure security (well, perhaps with TLS v1.3 that addresses the recent vulnerabilities to session protocol renegotiation).

For my GSM phone, I don’t have this luxury (well, not without making the phone unstable and dependent on various VOIP apps/availability of wireless networks).  So, cell phone interception may be soon available to the masses.

Companies fail to secure their mobile calls as challenges of interception predicted to rise in the next six months

Written by Craig

December 11, 2009 at 8:29 pm

Windows Azure PDC 2009 Videos Posted


Just in time for the long drive home from your Thanksgiving retreat, the Microsoft PDC team has posted videos and presentations related to Windows Azure (available in WMV and MP4 formats for your iPod or Zune). Although these are more focused on general developer concepts, I find plenty of material relevant to our quest to learn about the security/compliance/risk implications of cloud-based computing.

Starting with the intro videos is always a nice step — I’d then recommend the logging, single-sign-on, and storage sessions.

- Craig

Introduction

Learn to Develop for Windows Azure

Windows Azure Storage

Windows Azure as an Open Platform

SQL Azure Sessions

Showcases

Written by Craig

November 29, 2009 at 4:27 pm

Posted in General Concepts, Technical
