nullcon 2011 - Security and Forensic Discovery in Cloud Environments

Page 1: CLOUD 9: UNCOVERING SECURITY & FORENSICS DISCOVERY IN CLOUD

"Aut viam inveniam aut faciam" (I shall either find a way or make one) - Hannibal Barca

by Manu Zacharia
MVP (Enterprise Security), C|EH, ISLA-2010 (ISC)², C|HFI, CCNA, MCP
Certified ISO 27001:2005 Lead Auditor
HackIT – Technology & Advisory Services

Page 2: # whoami

• I am an Information Security Evangelist
• For paying my bills I do consulting: HackIT – Technology & Advisory Services, a startup.
• Awards
  • Information Security Leadership Achievement Award from (ISC)² - 2010
  • Microsoft Most Valuable Professional (Enterprise Security) – 2009 and 2010
• Co-Author of a Book
• President – Information Security Research Association (NPO)

Page 3: # whoami

• Chief Architect - Matriux (www.matriux.com) - OS for Hacking, Forensics and Security testing – Open Source & Free
• Founder, c0c0n – International Security & Hacking Conference
• Extend services to various state and central investigation agencies as Cyber Forensics Consultant

Page 4: # whoami

• Speaker at various national and international security, technology and hacking conferences:
  • Microsoft Tech-Ed 2010 (& 2011 upcoming)
  • IQPC - Enterprise Security 2010 - Singapore
  • Information Security Conference - Bangalore
  • ClubHack, etc
  • DevCon

Page 5: # whoami

• Training associations:
  • Indian Navy - Signal School, Centre for Defense Communication and Electronic and Information / Cyber Warfare, and INS Valsura
  • Centre for Police Research, Pune and Kerala Police
  • SCIT - Symbiosis Centre for Information Technology, Pune
  • Institute of Management Technology (IMT) – Ghaziabad
  • IGNOU M-Tech (Information Systems Security) – Expert Member, Curriculum Review Committee
  • C-DAC, ACTS (DISCS & DSSD)

Page 6: DISCLAIMER(S)

• The opinions represented here are my personal ones and do not necessarily reflect my employer's views.
• Registered brands belong to their legitimate owners.
• The information contained in this presentation does not break any intellectual property, nor does it provide detailed information that may be in conflict with any laws (hopefully...) :)

Page 7: REFERENCES

• Information and resources from the Internet (including publications from the Cloud Security Alliance) were extensively used for the creation of this presentation.

Page 8: AGENDA

• INTRO & CLOUD ARCHITECTURE
• CLOUD SECURITY & RISK ASSESSMENT FRAMEWORK
• EXPLOITING CLOUD & FORENSICS
• CONCLUSION

Page 9: INTRODUCTION

Page 10: QUESTION

• So what is Cloud Computing?
• Do you know what EC2 and S3 are?
• What is the SPI Model?

Page 11: WHY THIS TALK?

• Cloud is loud
• Headline stealer
• Everybody is concerned about Cloud Security

Page 12: WHY IS CLOUD DIFFERENT?

• Why handle cloud differently?
• Simple – the power of cloud

Page 13: TIGR

• Barack Obama's Technology Innovation and Government Reform Team (TIGR) describes the use of cloud computing as "one of the most important transformations the federal government will go through in the next decade."

Page 14: CLOUD POWER

• A 64 node Linux cluster can be online in just five minutes
• Forget about those sleepless nights in your data centers

Page 15: EC2

• Amazon Elastic Compute Cloud (Amazon EC2)
• A web service that provides resizable compute capacity in the cloud

Page 16: EC2 - WIKIPEDIA

• Allows users to rent computers on which to run their own computer applications.
• A user can boot an Amazon Machine Image (AMI) to create a virtual machine, which Amazon calls an "instance", containing any software desired.

Page 17: EC2 - WIKIPEDIA

• A user can create, launch, and terminate server instances as needed, paying by the hour for active servers, hence the term "elastic".

Page 18: S3

• Amazon S3 (Simple Storage Service) is an online storage web service offered by Amazon Web Services.
• Provides unlimited storage through a simple web services interface

Page 19: S3

• $0.15 per gigabyte-month
• 102 billion objects stored as of March 2010

Page 20: POWER OF CLOUD

• The New York Times used Amazon EC2 and S3 to produce PDFs of 15M scanned news articles.
• NASDAQ uses Amazon S3 to deliver historical stock information.

Page 21: CLOUD

• Cloud separates:
  • application and information resources from the underlying infrastructure, and
  • the mechanisms used to deliver them.

Page 22: CLOUD

Use of a collection of
• services,
• applications,
• information, and
• infrastructure
comprised of pools of compute, network, information, and storage resources.

Page 23: CLOUD

• Components can be
  • rapidly orchestrated,
  • provisioned,
  • implemented & decommissioned, and
  • scaled up or down
• Providing an on-demand, utility-like model.

Page 24: CLOUD CONFUSION

• From an architectural perspective there is much confusion
• How is cloud both similar to and different from existing models of computing?

Page 25: CLOUD CONFUSION

• How do these similarities and differences impact the
  • organizational,
  • operational, and
  • technological approaches
  to network and information security practices?

Page 26: CLOUD SECURITY – DIFFERENT?

• Marcus Ranum - "Same old, same old"

Page 27: CLOUD SECURITY – DIFFERENT?

• Same client/server paradigm from mainframe days – Bruce Schneier

Page 28: So what is this cloud?

Page 29: CLOUD ARCHITECTURE

Page 30: CLOUD

• NIST (U.S. National Institute of Standards and Technology) defines cloud computing by describing:
  • five essential characteristics,
  • three cloud service models, and
  • four cloud deployment models.

Page 31: CLOUD CHARACTERISTICS

• Five essential characteristics
  • On-demand self-service
  • Broad network access
  • Resource pooling
  • Rapid elasticity
  • Measured service

Page 32: CLOUD CHARACTERISTICS

• On-demand self-service
  • Unilaterally provision computing capabilities as needed, automatically, without requiring human interaction with a service provider.
  • Computing capabilities include server time and network storage

Page 33: CLOUD CHARACTERISTICS

• Broad network access
  • Available over the network and accessed through standard mechanisms

Page 34: CLOUD CHARACTERISTICS

• Can be accessed through heterogeneous thin or thick client platforms (e.g., mobile phones, laptops, and PDAs) as well as other traditional or cloud based software services.

Page 35: CLOUD CHARACTERISTICS

• Resource pooling
  • The provider's computing resources are pooled to serve multiple consumers using a multi-tenant model,
  • Different physical and virtual resources dynamically assigned and reassigned according to consumer demand.

Page 36: CLOUD CHARACTERISTICS

• Degree of location independence - the customer has no control or knowledge over the exact location of the provided resources
• The customer may be able to specify location at a higher level of abstraction (e.g., country, state, or datacenter).

Page 37: CLOUD CHARACTERISTICS

• Examples of resources include:
  • storage,
  • processing,
  • memory,
  • network bandwidth, and
  • virtual machines.

Page 38: CLOUD CHARACTERISTICS

• Rapid elasticity
  • Capabilities can be
    • rapidly and elastically provisioned to quickly scale out; and
    • rapidly released to quickly scale in.
  • In some cases this is done automatically.

Page 39: CLOUD CHARACTERISTICS

• Measured service
  • Metering capability at some level of abstraction appropriate to the type of service
  • Resource usage can be monitored, controlled, and reported, providing transparency for both the provider and consumer of the service.

Page 40: CLOUD CHARACTERISTICS

• Examples:
  • storage,
  • processing,
  • bandwidth,
  • active user accounts

Page 41: MYTHS - CLOUD CHARACTERISTICS

• Myths about Cloud Computing essential characteristics
• "Virtualization is mandatory"
  • Answer: No
  • Cloud services are often, but not always, utilized in conjunction with, and enabled by, virtualization technologies

Page 42: MYTHS - CLOUD CHARACTERISTICS

• There is no requirement that ties the abstraction of resources to virtualization technologies
• In many offerings virtualization by hypervisor or operating system container is not utilized.

Page 43: MYTHS - CLOUD CHARACTERISTICS

• "Multi-tenancy is an essential cloud characteristic"
  • Multi-tenancy is not called out as an essential cloud characteristic by NIST, but is often discussed as such.

Page 44: CLOUD SERVICE MODELS

• Divided into three archetypal models.
• The three fundamental classifications are known as the SPI Model (SaaS, PaaS, IaaS).
• Various other derivative combinations are also available.

Page 45: CLOUD SERVICE MODELS

• Cloud Service Models
  • Cloud Software as a Service (SaaS)
  • Cloud Platform as a Service (PaaS)
  • Cloud Infrastructure as a Service (IaaS)

Page 46: CLOUD SERVICE MODELS - SaaS

• The client uses the software / applications running on a cloud infrastructure.
• Accessed through a thin client interface such as a browser.

Page 47: CLOUD SERVICE MODELS - SaaS

• The user does not manage or control the underlying cloud infrastructure, including:
  • network,
  • servers,
  • operating systems,
  • storage, or
  • even individual application capabilities

Page 48: CLOUD SERVICE MODELS - SaaS

• Possible exception - limited user-specific application configuration settings.

Page 49: CLOUD SERVICE MODELS - PaaS

• The user can deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages and tools supported by the provider.

Page 50: CLOUD SERVICE MODELS - PaaS

• The consumer does not manage or control the underlying cloud infrastructure, including
  • network,
  • servers,
  • operating systems, or
  • storage

Page 51: CLOUD SERVICE MODELS - PaaS

• Has control over the deployed applications and possibly application hosting environment configurations.

Page 52: CLOUD SERVICE MODELS - IaaS

• The user can provision
  • processing,
  • storage,
  • networks, and
  • other fundamental computing resources

Page 53: CLOUD SERVICE MODELS - IaaS

• The consumer is able to deploy and run arbitrary software, which can include operating systems and applications.
• The consumer does not manage or control the underlying cloud infrastructure

Page 54: CLOUD SERVICE MODELS - IaaS

• Has control over
  • operating systems,
  • storage,
  • deployed applications, and
  • possibly limited control of select networking components (e.g., host firewalls).

Page 55: CLOUD DEPLOYMENT MODELS

• Regardless of the service model, there are four cloud deployment models:
  • Public Cloud
  • Private Cloud
  • Community Cloud
  • Hybrid Cloud

Page 56: CLOUD DEPLOYMENT MODELS

• There are derivative variations that address specific requirements.

Page 57: CLOUD DEPLOYMENT MODELS

• Public Cloud
  • The cloud infrastructure is made available to the general public or a large industry group
  • Owned by an organization providing cloud services.

Page 58: CLOUD DEPLOYMENT MODELS

• Private Cloud
  • The cloud infrastructure is operated solely for a single organization.
  • It may be managed by the organization or a third party, and may exist on-premises or off-premises.

Page 59: CLOUD DEPLOYMENT MODELS

• Community Cloud
  • The cloud infrastructure is shared by several organizations
  • Supports a specific community that has shared concerns

Page 60: CLOUD DEPLOYMENT MODELS

• Examples of shared concerns:
  • mission,
  • security requirements,
  • policy, or
  • compliance considerations

Page 61: CLOUD DEPLOYMENT MODELS

• It may be managed by the organizations or a third party, and may exist on-premises or off-premises.

Page 62: CLOUD DEPLOYMENT MODELS

• Hybrid Cloud
  • Composition of two or more clouds (private, community, or public)
  • They remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability

Page 63: CLOUD DEPLOYMENT MODELS

• Example - Hybrid Cloud
  • Cloud bursting for load-balancing between clouds.

Page 64: CLOUD BURSTING

• New twist on an old concept :)
• Bursting into the cloud when necessary, or
• using the cloud when additional compute resources are required temporarily

Page 65: CLOUD BURSTING

• Example - used to shoulder the burden of some of the application's processing requirements.
• How is it done?
  • Basic application functionality could be provided from within the cloud

Page 66: CLOUD BURSTING

• More critical (e.g. revenue-generating or mission critical) applications continue to be served from within the controlled enterprise data center.

Page 67: CLOUD BURSTING

• How is it different from traditional bursting?
  • Traditionally applied to resource allocation and automated provisioning / de-provisioning of resources
  • Historically focused on bandwidth.

Page 68: CLOUD BURSTING

• In the cloud, it is being applied to resources such as:
  • servers,
  • application servers,
  • application delivery systems, and
  • other infrastructure…

Page 69: CLOUD BURSTING

• …required to provide on-demand computing environments that expand and contract as necessary, without manual intervention.

Page 70: CLOUD BURSTING

• "Without manual intervention" means?
• We generally call it automation
• But is automation sufficient for cloud? Or is it the right thing for cloud?

Page 71: CLOUD ORCHESTRATION

• Orchestration describes the automated arrangement, coordination, and management of complex computer systems, middleware, and services.

Page 72: CLOUD ORCHESTRATION

• Generally used in the context of:
  • Service Oriented Architecture,
  • virtualization,
  • provisioning, and
  • dynamic datacenter topics.
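The bursting and orchestration slides above describe a policy in words: spill non-critical load to rented cloud nodes when the data center is full, release them when the load passes, and never let the revenue-generating or mission-critical applications leave the controlled data center. The controller below is an added illustration written for this page, not code from the talk or from any product; its capacity units, thresholds, and the sample demand trace are constructed for the example, and a real controller would read demand from the monitoring system and provision through the provider's API. It shows the two points automation alone misses: hysteresis so a one-tick spike does not rent capacity, and a policy gate that turns critical overload into an alert instead of a burst.

```python
import math
from dataclasses import dataclass


@dataclass
class Workload:
    name: str
    demand: int       # capacity units this workload needs in the current tick
    burstable: bool   # False for revenue-generating / mission-critical apps


class BurstController:
    """Decides once per monitoring tick whether to rent or release cloud nodes.

    onprem_capacity: units the enterprise data centre can serve
    node_units:      units one rented cloud node adds
    burst_after:     consecutive over-capacity ticks before bursting (damps spikes)
    release_after:   consecutive ticks with no overflow before scaling in
    """

    def __init__(self, onprem_capacity, node_units, burst_after=2, release_after=2):
        self.onprem_capacity = onprem_capacity
        self.node_units = node_units
        self.burst_after = burst_after
        self.release_after = release_after
        self.cloud_nodes = 0
        self._over_ticks = 0
        self._idle_ticks = 0

    def tick(self, workloads):
        """Return the action taken this tick:
        'none', 'burst:<nodes added>', 'release' or 'alert:<critical workloads>'."""
        critical = sum(w.demand for w in workloads if not w.burstable)
        burstable = sum(w.demand for w in workloads if w.burstable)

        # Policy gate: critical work never leaves the controlled data centre.
        # If it alone exceeds on-prem capacity that is an incident, not a burst.
        if critical > self.onprem_capacity:
            names = ",".join(w.name for w in workloads if not w.burstable)
            return f"alert:{names}"

        # Only demand that does not fit on-prem may spill to the cloud.
        overflow = max(0, critical + burstable - self.onprem_capacity)
        cloud_capacity = self.cloud_nodes * self.node_units

        if overflow > cloud_capacity:
            self._idle_ticks = 0
            self._over_ticks += 1
            if self._over_ticks < self.burst_after:
                return "none"              # wait: could be a one-tick spike
            needed = math.ceil((overflow - cloud_capacity) / self.node_units)
            self.cloud_nodes += needed
            self._over_ticks = 0
            return f"burst:{needed}"

        self._over_ticks = 0
        if overflow == 0 and self.cloud_nodes > 0:
            self._idle_ticks += 1
            if self._idle_ticks >= self.release_after:
                self.cloud_nodes = 0       # de-provision: stop paying by the hour
                self._idle_ticks = 0
                return "release"
        else:
            self._idle_ticks = 0
        return "none"


def run(controller, ticks):
    """Feed a list of per-tick workload lists through the controller."""
    return [controller.tick(ws) for ws in ticks]


if __name__ == "__main__":
    # Constructed demand trace: one spike, then sustained load, then quiet.
    web = lambda d: Workload("web-frontend", d, burstable=True)
    billing = Workload("billing", 40, burstable=False)
    trace = [[web(90), billing], [web(40), billing], [web(90), billing],
             [web(120), billing], [web(120), billing], [web(40), billing],
             [web(40), billing]]
    print(run(BurstController(onprem_capacity=100, node_units=50), trace))
```

With the trace in the block, the first spike is absorbed, the second sustained overload rents two nodes, and two quiet ticks release them; a billing demand above on-prem capacity returns an alert and rents nothing, because the slides' rule is that such work stays in the data center regardless of load.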

Page 73: DERIVATIVE - DEPLOYMENT MODELS

• Derivative cloud deployment models are emerging due to the maturation of market offerings and customer demand.
• Example
  • Virtual Private Clouds

Page 74: VIRTUAL PRIVATE CLOUDS

• Public cloud infrastructure used in a private or semi-private manner
• By interconnecting these resources to the internal resources of a consumer's datacenter, usually via virtual private network (VPN) connectivity.

Page 75: CLOUD SERVICE BROKERS

• Providers that offer intermediation, monitoring, transformation/portability, governance, provisioning, and integration services.
• They also negotiate relationships between various cloud providers and consumers.

Page 76: CLOUD SERVICE BROKERS

• They take advantage of the prevailing incompatibility issues and provide a single interface for customers.
• Act as a proxy (middle man)

Page 77: OPEN AND PROPRIETARY API

• Open and proprietary APIs are evolving which seek to enable things such as management, security and interoperability for cloud.

Page 78: OPEN AND PROPRIETARY API

• Open Cloud Computing Interface Working Group,
• Amazon EC2 API,
• VMware's DMTF-submitted vCloud API,
• Sun's Open Cloud API,
• Rackspace API, and
• GoGrid's API

Page 79: OPEN AND PROPRIETARY API

• These play a key role in cloud portability and interoperability, as do common container formats such as the DMTF's Open Virtualization Format (OVF).
• DMTF - Distributed Management Task Force

Page 80: MULTI-TENANCY IN CLOUD

• Not an essential characteristic of Cloud Computing in NIST's model.
• Generally identified as an important element of cloud.

Page 81: MULTI-TENANCY IN CLOUD

• Implies a need for
  • policy-driven enforcement,
  • segmentation,
  • isolation,
  • governance,
  • service levels, and
  • chargeback/billing models for different consumers.

Page 82: CLOUD

Page 83: CLOUD CUBE

Page 84: CLOUD REFERENCE MODEL

• Understanding the relationships and dependencies between Cloud Computing models is critical to understanding Cloud Computing security risks.

Page 85: CLOUD REF MODEL

• IaaS is the foundation of all cloud services, with PaaS building upon IaaS, and SaaS in turn building upon PaaS
• As the capabilities are inherited, so are information security issues and risk.

Page 86: CLOUD REF MODEL

Page 87: CLOUD SECURITY

Page 88: CLOUD – WHAT COULD BE TARGETED?

• From an attacker's point of view:
  • The boxes,
  • Storage,
  • Applications

Page 89: WHY IS CLOUD SECURITY DIFFERENT?

• With any new technology come new risks
• New vectors that we need to be aware of
• Confusion exists about how cloud is both similar to and different from existing models of computing

Page 90: SECURITY ISSUES

• Cloud based security issues, also known as Cloud Based Risk – CRISK

Page 91: SECURITY ISSUES

Lock-in
• When a cloud user decides to migrate (for various reasons, including a poor SLA) to another cloud service provider or to in-house IT
• Different cloud service providers use different APIs, which are not compatible with each other for migrating the data

Page 92: SECURITY ISSUES

Lack of:
• tools,
• procedures,
• standard data formats, and
• interfaces
can considerably delay or prevent a successful migration.

Page 93: SECURITY ISSUES

Shared Service Consequences
• Any kind of intentional or unintentional malicious activity carried out or executed on a shared platform may affect the other tenants and associated stakeholders.

Page 94: SECURITY ISSUES

Examples - Shared Service Consequences:
• Blocking of IP ranges shared with an abusive tenant
• Confiscation of resources as part of an investigation - availability is in question.

Page 95: SECURITY ISSUES

Examples - Shared Service Consequences:
• Diverse applications run on the cloud platform; a sudden increase in resource usage by one application can drastically affect the performance and availability of other applications sharing the same cloud infrastructure.

Page 96: SECURITY ISSUES

Sudden Acquisitions and Take-overs
• Cloud is an upcoming and promising domain for organizations to venture into and expand.
• A sudden take-over can result in a deviation from the agreed Terms of Use & SLA, which may also lead to a Lock-in situation.

Page 97: SECURITY ISSUES

Run-on-the-cloud
• Similar to the conventional run-on-the-bank concept.
• Bankruptcy and catastrophes do not come with an early warning.

Page 98: SECURITY ISSUES

• What happens if the majority of clients withdraw their services from a cloud infrastructure?

Page 99: SECURITY ISSUES

• The cloud service providers may try to prevent that move through direct and indirect methods, which may include a lock-in also.

Page 100: SECURITY ISSUES

Maintaining Certifications & Compliance
• Organizations need to ensure that they can maintain the same when moving to cloud.
• ToU (Terms of Use) prohibits VA/PT (vulnerability assessment / penetration testing)
• This may introduce security vulnerabilities and gaps
• Result – lose your certification.

Page 101: SECURITY ISSUES

Example - Maintaining Certifications:
• In the general scenario, PCI DSS compliance cannot be achieved with the Amazon EC2/S3 cloud service.
• Note that a provider's own PCI DSS validation covers only the provider's scope; the cardholder-data environment you build on EC2/S3 still has to be assessed separately, and ToU restrictions on scanning make that harder.
• A major downfall in performance and quality metrics may affect your certifications.

Page 102: SECURITY ISSUES

Technical and Procedural Vulnerability
• Vulnerabilities applicable to conventional systems & networks are also applicable to cloud infrastructure.
• Lack of cloud based security standards and non-adherence to procedures may affect the CIA (confidentiality, integrity, availability) of customer data.

Page 103: SECURITY ISSUES

Confidentiality is @ Risk
• Information deleted by the customer may still be available to the cloud solution provider as part of their regular backups.
• Insecure and inefficient deletion of data (no true data wiping) can expose the sensitive information to other cloud users.

Page 104: SECURITY ISSUES

Lack of transparency in cloud
• The service provider may be following good security procedures, but it is not visible to the customers and end users.
• Maybe for security reasons.
• But the end user is finally in the dark.

Page 105: SECURITY ISSUES

Lack of transparency in cloud
• End user questions remain unanswered:
  • how the data is backed up,
  • who backs up the data,
  • whether the cloud service provider does it or has outsourced it to some third party,

Page 106: SECURITY ISSUES

  • how the backup is transferred to a remote site as part of the backup policy,
  • is it encrypted before it is sent,
  • is the backup properly destroyed after the specified retention period, or

Page 107: SECURITY ISSUES

  • is it lying somewhere on a disk,
  • what kind of data wiping technologies are used.
• The list of questions is long and the cloud users are in the dark
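The "Confidentiality is @ Risk" and "lack of transparency" slides above make one mechanical point: a customer's delete only returns storage to the provider's pool, and whether the bytes are wiped before the next tenant gets them is invisible to the customer. The example below is an added illustration for this page, not code from the talk or from any provider; the block store, its allocator and the two tenants are constructed in-memory stand-ins for a provider's storage back end, and the stream cipher is HMAC-SHA256 in counter mode, chosen only so the example runs on the standard library (use AES-GCM from a vetted library in real systems). It shows the leak, the provider-side fix (wipe on free), the customer-side fix that works without trusting the provider (encrypt under your own key and destroy the key, i.e. crypto-shredding), and a read-before-use check a tenant can run on a freshly attached volume.

```python
import hashlib
import hmac
import secrets

BLOCK = 16  # bytes per block; tiny so the example stays readable


class BlockStore:
    """A pool of blocks shared by several tenants, standing in for the
    provider's storage back end. wipe_on_free models a provider that zeroes
    blocks on release; the default does not, which is the case the slides warn about."""

    def __init__(self, nblocks, wipe_on_free=False):
        self.disk = bytearray(nblocks * BLOCK)
        self.free = list(range(nblocks))
        self.wipe_on_free = wipe_on_free

    def alloc(self):
        return self.free.pop()          # most recently freed block is reused first

    def release(self, blk):
        if self.wipe_on_free:
            self.disk[blk * BLOCK:(blk + 1) * BLOCK] = bytes(BLOCK)
        self.free.append(blk)

    def write(self, blk, data):
        assert len(data) == BLOCK
        self.disk[blk * BLOCK:(blk + 1) * BLOCK] = data

    def read(self, blk):
        return bytes(self.disk[blk * BLOCK:(blk + 1) * BLOCK])


def keystream_xor(key, data):
    """XOR data with an HMAC-SHA256 counter-mode keystream. Illustrative only:
    it exists so the example needs no third-party library. The same call
    encrypts and decrypts."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hmac.new(key, (off // 32).to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


def delete_then_neighbour_reads(store, secret):
    """Tenant A writes a secret and 'deletes' it; tenant B then allocates a
    block and reads it before writing anything. Returns what B sees."""
    blk = store.alloc()
    store.write(blk, secret)
    store.release(blk)                  # A's delete just returns the block to the pool
    return store.read(store.alloc())    # B is handed the same physical block


def crypto_shred(store, secret):
    """Tenant A encrypts under its own key before writing and discards the key
    on delete. Whatever remains on the provider's disk is ciphertext."""
    key = secrets.token_bytes(32)
    blk = store.alloc()
    store.write(blk, keystream_xor(key, secret))
    store.release(blk)
    del key                             # destroying the key is the real deletion
    return store.read(store.alloc())


def scan_fresh_blocks(store, nblocks):
    """Check a tenant can run on a newly attached volume: read blocks before
    trusting them as empty and report any that are not zero-filled."""
    blks = [store.alloc() for _ in range(nblocks)]
    dirty = [b for b in blks if any(store.read(b))]
    for b in blks:
        store.release(b)
    return dirty


if __name__ == "__main__":
    secret = b"ACCT-0001 pin=42"        # constructed 16-byte record
    print(delete_then_neighbour_reads(BlockStore(4), secret))                     # leaks
    print(delete_then_neighbour_reads(BlockStore(4, wipe_on_free=True), secret))  # zeros
    print(crypto_shred(BlockStore(4), secret))                                    # ciphertext
```

The customer cannot answer the slides' questions about the provider's backups and wiping, but crypto-shredding makes the answer irrelevant: a backup copy or an unwiped block holds only ciphertext for which no key exists any more. The scan is the cheap complement: it detects prior-tenant residue on a volume you were handed, which is the one side of the problem you can observe directly.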

Page 108: SECURITY TESTING

• Problems testing the cloud?
• Permission
  • How do you get permission to test your application running on Amazon EC2 when the results of your testing could show you data from another client completely?

Page 109: SECURITY TESTING

• Getting black-holed or getting kicked off
  • "In networking, black holes refer to places in the network where incoming traffic is silently discarded (or "dropped"), without informing the source that the data did not reach its intended recipient." - From Wikipedia

Page 110: SECURITY TESTING

• How do you track versions?
• How do you do regression testing?
• How do you know what version of the search engine Google is currently running?

Page 111: SECURITY TESTING

• If you test an application today and find it vulnerable or not vulnerable, how do you know that the app you are testing tomorrow is the same one that you tested yesterday? - You don't.
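The version-tracking slides above leave the tester with "you don't". The practical answer is to record a fingerprint of the deployment at the start of every test run and diff it against the previous run before reusing old findings. The example below is an added illustration written for this page, not code from the talk; the two captured responses are constructed samples, and the header names and asset-reference pattern it keys on are assumptions about what a target might expose rather than any vendor's actual output. It deliberately ignores volatile headers such as Date and does not hash whole page bodies, since session tokens and timestamps would make every run look like a new version.

```python
import hashlib
import json
import re

# Headers that identify a build; volatile ones (Date, request ids) are ignored.
# These names are assumptions about what a target might expose.
BUILD_HEADERS = ("server", "x-powered-by", "x-app-version", "etag")
# Static asset references whose names change when the front end is rebuilt.
ASSET_RE = re.compile(r'(?:src|href)="([^"]+\.(?:js|css))"')


def fingerprint(responses):
    """responses: {path: (status, headers_dict, body_bytes)} captured at the
    start of a test run. Returns the per-path observations plus one digest
    over all of them, so two runs can be compared cheaply."""
    obs = {}
    for path, (status, headers, body) in sorted(responses.items()):
        h = {k.lower(): v for k, v in headers.items()}
        obs[path] = {
            "status": status,
            "headers": {k: h[k] for k in BUILD_HEADERS if k in h},
            "assets": sorted(set(ASSET_RE.findall(body.decode("utf-8", "replace")))),
        }
    canon = json.dumps(obs, sort_keys=True).encode()
    return {"digest": hashlib.sha256(canon).hexdigest(), "observations": obs}


def drift(baseline, current):
    """List (path, field) pairs that differ between two fingerprints, so the
    tester knows which earlier findings need re-testing."""
    changed = []
    paths = set(baseline["observations"]) | set(current["observations"])
    for path in sorted(paths):
        b = baseline["observations"].get(path)
        c = current["observations"].get(path)
        if b is None or c is None:
            changed.append((path, "presence"))
            continue
        for field in ("status", "headers", "assets"):
            if b[field] != c[field]:
                changed.append((path, field))
    return changed


def same_target(baseline, current):
    """True when yesterday's findings still describe today's deployment."""
    return baseline["digest"] == current["digest"]


# Constructed captures standing in for two days of testing the same URL.
# Day 2 differs only in the version header and the rebuilt JS bundle name.
DAY_1 = {
    "/login": (200, {"Server": "nginx", "X-App-Version": "2.4.1",
                     "Date": "Mon, 21 Feb 2011 10:00:00 GMT"},
               b'<html><script src="/static/app.3f9c2a.js"></script></html>'),
    "/api/health": (200, {"Server": "nginx"}, b'{"ok":true}'),
}
DAY_2 = {
    "/login": (200, {"Server": "nginx", "X-App-Version": "2.4.2",
                     "Date": "Tue, 22 Feb 2011 10:00:00 GMT"},
               b'<html><script src="/static/app.9b01e7.js"></script></html>'),
    "/api/health": (200, {"Server": "nginx"}, b'{"ok":true}'),
}

if __name__ == "__main__":
    fp1, fp2 = fingerprint(DAY_1), fingerprint(DAY_2)
    print(same_target(fp1, fp2), drift(fp1, fp2))
```

Store the fingerprint with the report; when the digest changes, the drift list tells you which paths moved, and only findings on those paths need a re-test. A provider or SaaS vendor that exposes no build identifiers at all is itself a finding worth recording, because it means regression testing against that target cannot be scoped.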

Page 112: THEN WHY DO WE MOVE?

• If it's not good, not safe, or not even new, then why is cloud adoption happening?

Page 113: FEW TOP REASONS

• Management by in-flight magazines
• Management version – something new and promising – let's try it out
• Geek version – it's really cool
• There is nobody to put on the brakes when these two join together.

Page 114: OTHER REASONS

• Poor uptime and service delivery experience from the IT department.
• Economic factors
• Multi-tenancy means cost sharing

Page 115: OTHER REASONS

• Cost saving makes it attractive during a recession.
• Cloud computing allows you to move from CAPEX to OPEX.
• Claimed savings of around 30% of IT operational cost

Page 116: OTHER REASONS

• Variable cost subscription model – rapidly scale up and scale down.
• Go Green or Green IT also influenced many.
• Powerful - a 64 node Linux cluster can be online in just five minutes - forget about those sleepless nights in your data centers

Page 117: ADDRESSING SECURITY ISSUES IN CLOUD – RISK ASSESSMENT FRAMEWORK FOR CLOUD

Page 118: ADDRESSING CLOUD SECURITY

• Adopt a risk based approach
• Evaluate your tolerance for moving an asset to cloud
• Have a framework to evaluate cloud risks.

Page 119: RA FRAMEWORK FOR CLOUD

• Identify the asset for cloud.
• Evaluate the asset
• Map the asset to cloud deployment models
• Evaluate cloud service models & providers
• Sketch the potential data flow

Pages 120-126: 1 - IDENTIFY THE ASSET

• Two types of asset are supported by the cloud:
  • Data
  • Applications / functions / processes, either partial functions or full applications
• In the cloud, data and application need not reside at the same location; parts of a function can be shifted to the cloud.
• Example: host the main application and its data in your own data centre and outsource a portion of the functionality to the cloud through Platform as a Service (PaaS).
• First step in evaluating risk for the cloud: determine exactly what data or function is being considered for the cloud.
• Include the potential use of the asset once it has moved to the cloud. This accounts for scope creep: data and transaction volumes are often higher than expected.
• Scope creep (also called focus creep, requirement creep, feature creep or function creep) refers to uncontrolled changes in a project's scope. It occurs when the scope of a project is not properly defined, documented or controlled.

Pages 127-133: 2 - EVALUATE THE ASSET

• Determine how important the data or function is to the organization.
• A detailed valuation is recommended only if the organization already has a process for it. If not, make a rough assessment of how sensitive the asset is and how important the application / function / process is.
• How do we do it? For each asset, ask the following questions:
  • How would we be harmed if the asset became widely public and widely distributed?
  • How would we be harmed if an employee of our cloud provider accessed the asset?
  • How would we be harmed if the process or function were manipulated by an outsider?
  • How would we be harmed if the process or function failed to provide the expected results?
  • How would we be harmed if the information / data were unexpectedly changed?
  • How would we be harmed if the asset were unavailable for a period of time?
• What are we basically doing with this process? Assessing the confidentiality, integrity and availability requirements of the asset, and how those are affected if all or part of the asset is handled in the cloud.

Pages 134-137: 3 – MAP THE ASSETS

• Map the asset to the potential cloud deployment models and determine which deployment model suits the organizational requirement.
• Decide whether the organization can accept the risks implicit in the various deployment models (private, public, community or hybrid) and hosting scenarios (internal, external or combined).
• For the asset, determine whether you are willing to accept each of the following options:
  • Public
  • Private, internal / on-premises
  • Private, external (including dedicated or shared infrastructure)
  • Community
  • Hybrid
• At the end of this phase you should be able to answer: which deployment models and locations fit your security and risk requirements?

Page 138: 4 – EVALUATE MODELS & PROVIDERS

• Focus on the degree of control you will have at each SPI tier (SaaS, PaaS, IaaS) to implement any required risk management.

Pages 139-140: 5 – SKETCH DATA FLOW

• Map out the data flow between your organization, the cloud service, and any customers or other nodes.
• A high-level design is enough for this.
• It is absolutely essential to understand whether, and how, data can move in and out of the cloud before finalizing the decision.

Pages 141-143: RA - CONCLUSION

• You should now have a clear understanding of:
  • the importance of what you are considering moving to the cloud,
  • your risk tolerance,
  • which combinations of deployment and service models are acceptable, and
  • the potential exposure points for sensitive information and operations.
• Low-value assets do not need the same level of security controls; most of the recommendations, such as on-site inspections, discoverability and complex encryption schemes, can be skipped.
• A high-value regulated asset might entail audit and data retention requirements.
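The harm questions of step 2 and the deployment-model mapping of step 3, carried through as an added worked example in Python. This is not code from the deck; the 0-3 harm ratings, the per-model tolerance table, the control names and the sample asset are assumptions chosen for illustration, to be replaced with your own values.

```python
"""Step 2 (evaluate the asset) feeding step 3 (map to deployment models).

Added example. The six harm questions from the slides are rated 0 (no harm)
to 3 (severe) and reduced to a C/I/A requirement, which is then compared with
an assumed tolerance per deployment option. Tolerances and control names are
illustrative assumptions, not figures from the deck.
"""

# The six questions from the slides, each tied to the CIA property it probes.
QUESTIONS = {
    "public_disclosure":     "C",  # asset became widely public / distributed
    "provider_employee":     "C",  # a cloud provider employee accessed the asset
    "outsider_manipulation": "I",  # process / function manipulated by an outsider
    "wrong_results":         "I",  # process / function failed to give expected results
    "unexpected_change":     "I",  # information / data unexpectedly changed
    "unavailable":           "A",  # asset unavailable for a period of time
}

# Assumed: the highest harm rating each option may carry per property (illustrative).
MODEL_TOLERANCE = {
    "public":           {"C": 1, "I": 1, "A": 2},
    "community":        {"C": 2, "I": 2, "A": 2},
    "hybrid":           {"C": 2, "I": 2, "A": 2},
    "private-external": {"C": 2, "I": 3, "A": 3},
    "private-internal": {"C": 3, "I": 3, "A": 3},
}


def cia_requirements(harm):
    """Reduce per-question harm ratings to the asset's C/I/A requirement.
    Each property takes the worst rating among the questions mapped to it."""
    req = {"C": 0, "I": 0, "A": 0}
    for question, prop in QUESTIONS.items():
        rating = harm.get(question, 0)
        if not 0 <= rating <= 3:
            raise ValueError(f"{question}: rating {rating} outside 0..3")
        req[prop] = max(req[prop], rating)
    return req


def acceptable_models(req, tolerance=MODEL_TOLERANCE):
    """Deployment options whose tolerance covers every property of the requirement."""
    return [model for model, tol in tolerance.items()
            if all(req[p] <= tol[p] for p in ("C", "I", "A"))]


def required_controls(req, regulated):
    """Controls the RA conclusion calls out: skipped for low-value assets,
    added for high-value or regulated ones (names are assumptions)."""
    if max(req.values()) <= 1:
        return []  # low-value asset: the heavier recommendations can be skipped
    controls = []
    if req["C"] >= 2:
        controls.append("encryption at rest and in transit with customer-held keys")
    if req["I"] >= 2:
        controls.append("integrity verification and change auditing")
    if req["A"] >= 2:
        controls.append("measurable uptime SLA and a tested restore path")
    if regulated:
        controls += ["audit trail with log retention",
                     "discoverability / e-discovery support",
                     "right to on-site inspection"]
    return controls


def assess(harm, regulated=False):
    """Full step-2/step-3 pass for one asset."""
    req = cia_requirements(harm)
    return {"cia": req,
            "models": acceptable_models(req),
            "controls": required_controls(req, regulated)}


if __name__ == "__main__":
    # Constructed sample: regulated billing records considered for a PaaS function.
    print(assess({"public_disclosure": 3, "provider_employee": 2,
                  "unexpected_change": 2, "unavailable": 1}, regulated=True))
```

assess() returns the requirement, the options whose assumed tolerance covers it, and the controls that apply only to higher-value or regulated assets; an asset rated at most 1 on every question gets every option and no extra controls, which is the "low-value asset" case of the conclusion.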

Page 144: EXPLOITING CLOUD FOR IW / ATTACKS

Page 145: DO YOU KNOW THIS?

Pages 146-150: INFORMATION WARFARE

• Clue: Kendo (kumdo in Korean)

風 - Swift as the wind
林 - Quiet as the forest
火 - Conquer like the fire
山 - Steady as the mountain

• Battle strategy and motto of the Japanese feudal lord Takeda Shingen (武田信玄, 1521–1573 A.D.).
• His Twenty-Four Generals (Takeda Nijūshi-shō, 武田二十四将) are a famous grouping of battle commanders.
• The motto comes from The Art of War by the Chinese strategist and tactician Sun Tzu (Sunzi): a sort of abbreviation to remind officers and troops how to conduct battle.
• This is what we need in information warfare, or when launching an attack.

Pages 151-153: EXPLOITING CLOUD

• Sample task: break PGP passphrases.
• Solution: brute-force the PGP passphrases.
• Try ElcomSoft Distributed Password Recovery (EDPR), with some patches to handle PGP Zip.
• Two elements: EDPR Manager and EDPR Agents.
• Dual-core Windows 7 box: 2100 days for a complex passphrase.
• Not acceptable, far too long. Let's exploit the cloud.

Pages 154-159: EXPLOITING CLOUD

• First things first: create an account on Amazon. A credit card is required.
• Install the Amazon EC2 API Tools on your Linux box:

sudo apt-get install ec2-api-tools

• Select an AMI. Example: a 32-bit Windows AMI, ami-df20c3b6.
• Start an instance from the Linux shell (-k names the keypair, -g the security group):

ec2-run-instances -k ssh-keypair ami-df20c3b6 -g default

• Enumerate the instance ID and public address:

ec2-describe-instances

• Wait for the instance status to change from "pending" to "running", then extract the Administrator password for the instance. It is decrypted with the private key of the keypair used at launch:

ec2-get-password -k ssh-keypair.pem $instanceID

• Configure the EC2 firewall (the security group) to permit inbound RDP to the instance from one trusted address only:

ec2-authorize default -p 3389 -s $trusted_ip_address/32

Pages 160-167: EXPLOITING CLOUD

• Configure the firewall in front of the EDPR Manager system to permit inbound TCP/12121 from the agents. Opening it from anywhere, as in the original setup, exposes the Manager port to the whole Internet; restrict it to the public addresses of your agent instances where you can.
• RDP into the instance and configure EDPR. Log in using the password obtained from the ec2-get-password command.
• Install the EDPR Agent and configure it to connect to the Manager. Three settings matter:
  • The public IP address or hostname of the EDPR Manager you configured.
  • Interface tab: set the Start-up Mode to "At Windows Start-up".
  • Registry hack: EDPR creates a pair of registry values that uniquely identify the agent when it connects to the Manager. We need to scrub these values before imaging. If we don't, every instance we launch from the image will appear to the Manager as the same agent, and job handling will be totally corrupted.

HKEY_LOCAL_MACHINE\Software\ElcomSoft\Distributed Agent\UID

• Set the UID value to empty, but DO NOT DELETE THE VALUE itself.

Pages 168-173: EXPLOITING CLOUD

• Let's bundle the EC2 instance. In cloud terms, a bundle is similar to creating a "template" in VMware terminology.
• Install and configure the EC2 AMI Tools, then run:

ec2-bundle-instance $instance_id -b $bucket_name -p $bundle_name -o $access_key_id -w $secret_access_key

• The bundling process runs sysprep on the Windows instance, then compresses the instance and copies it to S3.
• Check the progress of the bundle task:

ec2-describe-bundle-tasks

• Register the bundled AMI:

ec2-register $bucket_name/$bundle_name.manifest.xml

• The register command returns the AMI ID, which is used to spawn instances of the EDPR Agent. Example:

IMAGE ami-54f3103d
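The launch, wait, RDP-authorise and password steps above, wrapped in a script as an added example in Python. This is not code from the deck, from ElcomSoft or from Amazon. It assumes the documented tab-separated record format of the legacy ec2-api-tools the deck uses (RESERVATION / INSTANCE / IMAGE lines; AWS has since replaced these tools with the AWS CLI). The sample outputs, instance and AMI identifiers, addresses and password in it are constructed, and the command runner is injectable so the flow can be exercised without an AWS account.

```python
"""Scripting the ec2-api-tools steps: run, wait for 'running', open RDP, get password.

Added example, not from the deck. Parsers follow the documented column order of
ec2-describe-instances (INSTANCE, id, ami, public DNS, private DNS, state, key,
...) and ec2-register (IMAGE, ami-id). SAMPLE_* outputs are constructed.
"""
import subprocess
import time

# Constructed sample output: the same instance while pending, then running.
SAMPLE_PENDING = (
    "RESERVATION\tr-1a2b3c4d\t123456789012\tdefault\n"
    "INSTANCE\ti-10a64379\tami-54f3103d\t\t\tpending\tssh-keypair\t0\tc1.medium\n"
)
SAMPLE_RUNNING = (
    "RESERVATION\tr-1a2b3c4d\t123456789012\tdefault\n"
    "INSTANCE\ti-10a64379\tami-54f3103d\tec2-67-202-51-223.compute-1.amazonaws.com\t"
    "ip-10-251-50-35.ec2.internal\trunning\tssh-keypair\t0\tc1.medium\n"
)


def run_cmd(args):
    """Run one ec2-* tool and return its stdout; a non-zero exit raises."""
    return subprocess.run(args, check=True, capture_output=True, text=True).stdout


def parse_instances(output):
    """INSTANCE records -> {instance_id: {"ami", "public_dns", "state"}}."""
    found = {}
    for line in output.splitlines():
        cols = line.split("\t")
        if cols[0] == "INSTANCE" and len(cols) >= 6:
            found[cols[1]] = {"ami": cols[2], "public_dns": cols[3], "state": cols[5]}
    return found


def parse_image_id(output):
    """'IMAGE<tab>ami-xxxx' from ec2-register -> 'ami-xxxx'."""
    for line in output.splitlines():
        cols = line.split("\t")
        if cols[0] == "IMAGE" and len(cols) >= 2:
            return cols[1]
    raise ValueError("no IMAGE record in output")


def run_instances_cmd(ami, keypair="ssh-keypair", group="default", count=1, itype=None):
    """Argument list for ec2-run-instances; -n and -t only when they differ from defaults."""
    args = ["ec2-run-instances", ami, "-k", keypair, "-g", group]
    if count > 1:
        args += ["-n", str(count)]
    if itype:
        args += ["-t", itype]
    return args


def authorize_rdp_cmd(trusted_ip, group="default"):
    """Open TCP/3389 to a single trusted address, never to 0.0.0.0/0."""
    return ["ec2-authorize", group, "-p", "3389", "-s", f"{trusted_ip}/32"]


def wait_for_running(instance_ids, run=run_cmd, poll=15, timeout=600, sleep=time.sleep):
    """Poll ec2-describe-instances until every id reports 'running'; return their records."""
    deadline = time.monotonic() + timeout
    while True:
        seen = parse_instances(run(["ec2-describe-instances", *instance_ids]))
        pending = [i for i in instance_ids if seen.get(i, {}).get("state") != "running"]
        if not pending:
            return {i: seen[i] for i in instance_ids}
        if time.monotonic() > deadline:
            raise TimeoutError(f"instances not running after {timeout}s: {pending}")
        sleep(poll)


def launch_template(ami, trusted_ip, keypair="ssh-keypair", run=run_cmd, **wait_kw):
    """Run one instance, wait for it, open RDP from trusted_ip, fetch the admin password."""
    launched = parse_instances(run(run_instances_cmd(ami, keypair)))
    (instance_id,) = launched                      # exactly one instance was requested
    record = wait_for_running([instance_id], run=run, **wait_kw)[instance_id]
    run(authorize_rdp_cmd(trusted_ip))
    password = run(["ec2-get-password", instance_id, "-k", f"{keypair}.pem"]).strip()
    return instance_id, record["public_dns"], password


if __name__ == "__main__":
    # Offline demo with a fake runner that replays the constructed outputs in order.
    outputs = iter([SAMPLE_PENDING, SAMPLE_PENDING, SAMPLE_RUNNING, "", "S3cret!\n"])
    print(launch_template("ami-df20c3b6", "203.0.113.7",
                          run=lambda args: next(outputs), sleep=lambda s: None))
```

With the real runner the same call launches the template instance, blocks until EC2 reports it running, opens RDP from your address only, and returns the address and password to connect to; parse_image_id() reads the AMI ID back from ec2-register once the bundled image is registered.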

Pages 174-179: ACTION TIME

• Start the EDPR Manager and configure the task: brute-force a password composed of uppercase letters, lowercase letters and the digits 0-9, between 1 and 8 characters long, against a PGP Zip file.
• Start a single instance of our EDPR Agent:

ec2-run-instances -k ssh-keypair ami-54f3103d -g default

• The agent checks in with the EDPR Manager.
• We started it with default parameters: an EC2 "small" instance, trying 500K keys per second.
• How long will it take? What???? 3600 days, about 10 years!!!!!

Pages 180-184: ACTION TIME

• Let's scale up: deploy 10 additional instances.

ec2-run-instances -n 10 -k ssh-keypair ami-54f3103d -g default -t c1.medium

• The -n 10 parameter tells EC2 to launch 10 instances; c1.medium is the "High-CPU" instance type.
• Now we have more cracking agents in the party: 2M+ keys per second.
• So what is the time required now? Down to 122 days.

Pages 185-190: ACTION TIME

• Kick off another 89 to hit a century:

ec2-run-instances -n 89 -k ssh-keypair ami-54f3103d -g default -t c1.medium

Note: check your EDPR licence, which is sold by agent count.

• Error:

Client.InstanceLimitExceeded: Your quota allows for 9 more instance(s). You requested at least 89

• Option 1: request an EC2 instance limit increase: http://aws.amazon.com/contact-us/ec2-request/
• Option 2: Amazon spot instances, which let us bid on unused EC2 capacity and run those instances.
• Option 3: write a custom Python script to get around the limitation.
• With a couple more instances we can reduce it to hours: a successful cloud-based distributed cracking system.
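Capacity planning for the run above, as an added example in Python that is not from the deck: the exhaustive keyspace for the task's policy (upper- and lower-case letters and digits, 1 to 8 characters), the time that takes at an aggregate rate, the agent count a target time needs, and how a launch splits against the remaining quota parsed from the Client.InstanceLimitExceeded message. Per-agent rates and the target are inputs you supply, not measurements; the figures the slides quote are EDPR's own on-screen estimates for its run and need not equal the exhaustive worst case computed here.

```python
"""Sizing a distributed brute-force run and fitting it under the EC2 instance quota.

Added example, not from the deck. All rates passed in are assumptions.
"""
import math
import re

CHARSET_UPPER_LOWER_DIGIT = 26 + 26 + 10   # the policy configured in the EDPR task
DAY = 86400


def keyspace_size(charset_len, min_len, max_len):
    """Number of candidates of every length from min_len to max_len inclusive."""
    if charset_len < 1 or min_len < 1 or max_len < min_len:
        raise ValueError("bad charset size or length range")
    return sum(charset_len ** n for n in range(min_len, max_len + 1))


def time_to_exhaust(keyspace, keys_per_second):
    """Worst-case seconds to try every candidate at the given aggregate rate."""
    if keys_per_second <= 0:
        raise ValueError("rate must be positive")
    return keyspace / keys_per_second


def agents_needed(keyspace, per_agent_rate, target_seconds):
    """Smallest agent count whose combined rate exhausts the keyspace within target_seconds."""
    return math.ceil(keyspace / (per_agent_rate * target_seconds))


QUOTA_RE = re.compile(r"Your quota allows for (\d+) more instance\(s\)")


def remaining_from_error(stderr):
    """Remaining quota parsed from a Client.InstanceLimitExceeded message, or None."""
    m = QUOTA_RE.search(stderr or "")
    return int(m.group(1)) if m else None


def launch_plan(wanted, remaining_quota):
    """How many of `wanted` can be started now versus deferred to a limit increase
    or to spot capacity."""
    now = max(0, min(wanted, remaining_quota))
    return {"launch_now": now, "deferred": wanted - now}


def plan(per_agent_rate, target_hours, error_text=None, running=1):
    """End-to-end sizing for the slide's policy: agents needed for the target,
    and what the quota (from a previous error, if any) lets us launch now."""
    ks = keyspace_size(CHARSET_UPPER_LOWER_DIGIT, 1, 8)
    need = agents_needed(ks, per_agent_rate, target_hours * 3600)
    extra = max(0, need - running)
    quota = remaining_from_error(error_text) if error_text else extra
    return {"keyspace": ks,
            "worst_case_days_now": time_to_exhaust(ks, per_agent_rate * running) / DAY,
            "agents_total": need,
            "launch": launch_plan(extra, quota)}


if __name__ == "__main__":
    ks = keyspace_size(CHARSET_UPPER_LOWER_DIGIT, 1, 8)
    print(f"keyspace {ks:,}; at 500K keys/s worst case {time_to_exhaust(ks, 500_000) / DAY:,.0f} days")
    err = "Client.InstanceLimitExceeded: Your quota allows for 9 more instance(s). You requested at least 89"
    print(plan(per_agent_rate=200_000, target_hours=24, error_text=err, running=1))
```

The numbers are the useful part: for this policy the exhaustive keyspace is about 2.2 x 10^14, which at 500K keys per second is over 5,000 days worst case, and bringing that to a day at an assumed 200K keys per second per agent needs thousands of agents, not "a couple more instances". Any job that finishes in hours is relying on the passphrase sitting early in the search order, on a smaller policy, or on much faster agents.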

Page 191: CLOUD FORENSICS

Pages 192-196: CLOUD FORENSICS

• Mixed responses:
  • Bad guys have started using cloud-based services and infrastructure for launching attacks.
  • The cloud also provides a good platform for incident response and forensic investigations.
• By using the inherent features of cloud computing, computer forensics can become an on-demand service under certain circumstances.
• Regular business and operations are not affected when a cloud environment needs to be forensically examined. That is not the case with traditional infrastructure, where the equipment is seized.
• Cloud example: Amazon EBS.
• Cloud-based forensics took a new turn when Amazon introduced Elastic Block Store (EBS) volumes, which let the user launch an instance with an EBS volume as its root device.
• When a cloud environment has to be preserved, an EBS snapshot gives an exact replica of the instance's volume, which can be attached to another instance in the same cloud for forensic evaluation and examination.
• Since the investigators work on a separate copy of the environment, regular operations are not affected in any way.

Pages 197-200: CLOUD FORENSICS

• The replication process takes only a few minutes.
• Forensic evidence is invalid if it is not cryptographically hashed, and hashing is easily done with the on-demand capacity of the cloud.
• Cloud-based hashing takes less time than the traditional hashing process: the work can be spread over as many on-demand instances as needed instead of a single forensic workstation.
• Amazon Web Services already provides a useful forensic feature: S3 returns the MD5 hash of an object as its ETag. Caveat: that holds only for objects uploaded in a single PUT; the ETag of a multipart upload is not the MD5 of the object.
• What this practically means is that when a bit-by-bit copy is initiated (forensic duplication), you have systems in place which can ensure that you made an exact replica and that not even a bit changed during the replication and copying process.
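The hash-verified duplication described above, as an added example in Python that is not code from the deck or from Amazon. It hashes an image in fixed chunks (MD5 to compare with an S3 ETag or an older tool's report, SHA-256 for the custody record) in one pass, makes the bit-for-bit copy while hashing what it reads, re-hashes the written copy independently and reports success only when the two digests agree, and encodes the S3 ETag caveat. SAMPLE_IMAGE is a constructed byte string standing in for a volume; the record fields and the "corrupt" switch are illustrative assumptions.

```python
"""Hash-verified forensic copy, with the S3 ETag caveat made explicit.

Added example, not from the deck. Streams are read in fixed chunks so a
multi-gigabyte image never has to sit in memory.
"""
import hashlib
import io
import json
import time

CHUNK = 64 * 1024
# Constructed stand-in for a volume: 256 KiB of patterned bytes plus an odd-sized tail.
SAMPLE_IMAGE = bytes(range(256)) * 1024 + b"end-of-constructed-image"


def hash_stream(stream, chunk=CHUNK):
    """MD5 and SHA-256 of a stream in one pass, plus the byte count seen."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    size = 0
    for block in iter(lambda: stream.read(chunk), b""):
        md5.update(block)
        sha.update(block)
        size += len(block)
    return {"md5": md5.hexdigest(), "sha256": sha.hexdigest(), "bytes": size}


def image_hashes(data):
    """Convenience wrapper for in-memory data."""
    return hash_stream(io.BytesIO(data))


def copy_stream(src, dst, chunk=CHUNK):
    """Bit-for-bit copy; returns the SHA-256 of exactly what was read from the source."""
    sha = hashlib.sha256()
    for block in iter(lambda: src.read(chunk), b""):
        sha.update(block)
        dst.write(block)
    dst.flush()
    return sha.hexdigest()


def copy_and_verify_bytes(data, corrupt=False):
    """Copy data into a fresh buffer, hash the written copy independently, compare.
    corrupt=True flips one byte of the copy to show that the check catches it."""
    src, dst = io.BytesIO(data), io.BytesIO()
    source_sha = copy_stream(src, dst)
    if corrupt and data:
        dst.seek(0)
        dst.write(bytes([data[0] ^ 0xFF]))   # simulated bit flip in the copy
    dst.seek(0)
    written = hash_stream(dst)
    return written["sha256"] == source_sha, written


def etag_matches_md5(etag, md5_hex):
    """True/False for single-part S3 objects; None for a multipart ETag ('<hex>-<parts>'),
    which is not the MD5 of the object and cannot be used for this comparison."""
    e = etag.strip('"')
    if "-" in e:
        return None
    return e.lower() == md5_hex.lower()


def custody_record(item, hashes, acquired_by, note=""):
    """One JSON line to keep beside the image and in the case file."""
    rec = {"item": item, "acquired_by": acquired_by,
           "acquired_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
           "note": note, **hashes}
    return json.dumps(rec, sort_keys=True)


if __name__ == "__main__":
    ok, h = copy_and_verify_bytes(SAMPLE_IMAGE)
    print(ok, custody_record("root volume snapshot (constructed)", h, "analyst"))
    print("corrupted copy verifies:", copy_and_verify_bytes(SAMPLE_IMAGE, corrupt=True)[0])
```

The point of hashing the destination from its own side, rather than trusting the digest of the bytes you wrote, is that it also covers faults in the copy path; the multipart ETag case returns None instead of False so that a missing comparison is never logged as a mismatch or, worse, as a match.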

Pages 201-203: CLOUD FORENSICS

• Even with all the above services available, cloud forensics is still challenging.
• Entities such as applications and host systems that once used to be in-house are now virtualized and scattered across the cloud, which makes evidence gathering a challenging task.
• Since data is acquired from a virtual environment, the forensic investigator must have a clear and precise understanding of how these environments work and which files are interesting and need to be acquired.
• It is near impossible to acquire the complete hard disk, for reasons including but not limited to:
  • multiple data owners on the same disk,
  • remote geographical location,
  • jurisdictional difficulties,
  • RAID configurations, etc.

Page 204: AND FINALLY

• Questions also arise about the compatibility and reliability of the tools used for cloud forensics investigations, because most of them were built for physical systems and not for virtualized environments.
• A collaborative and collective effort is required to address what we have discussed.

Page 205: CONCLUSION

Pages 206-207: CONCLUSION

• The architectural mindset used when designing solutions has clear implications for the future flexibility, security, collaborative capabilities and mobility of the resulting solution.
• With so many different cloud deployment and service models, and their hybrid permutations, no single list of security controls can cover all circumstances.

Page 208: GOOD SECURITY PROFESSIONAL

A good security professional is someone who always looks both ways before crossing a one-way street.

Page 209: QUESTIONS??

Manu Zacharia
[email protected] or [email protected]

Page 210: THANK YOU!