Security and Forensic Discovery in Cloud Environments by Manu Zacharia
CLOUD 9: UNCOVERING SECURITY & FORENSICS DISCOVERY IN CLOUD
“Aut viam inveniam aut faciam” (I shall either find a way or make one) – Hannibal Barca
by Manu Zacharia
MVP (Enterprise Security), C|EH, ISLA-2010 (ISC)², C|HFI, CCNA, MCP, Certified ISO 27001:2005 Lead Auditor
HackIT – Technology & Advisory Services
• I am an Information Security Evangelist
• For paying my bills – I do consulting - HackIT – Technology & Advisory Services – A startup.
• Awards
• Information Security Leadership Achievement Award from (ISC)² - 2010
• Microsoft Most Valuable Professional (Enterprise Security) – 2009 and 2010
• Co-Author of a Book
• President – Information Security Research Association - NPO
# whoami
• Chief Architect - Matriux – (www.matriux.com) - OS for
Hacking, Forensics and Security testing – Open Source &
Free
• Founder c0c0n – International Security & Hacking
Conference
• Extend service to various state and central investigations
agencies as Cyber Forensics Consultant
# whoami
• Speaker at various national and international security,
technology and hacking conferences:
• Microsoft Tech-Ed 2010 (& 2011 upcoming)
• IQPC - Enterprise Security 2010 - Singapore
• Information Security Conference - Bangalore
• ClubHack, etc
• DevCon
• Training associations:
• Indian Navy - Signal School, Centre for Defense Communication and Electronic and Information / Cyber Warfare and INS Valsura.
• Centre for Police Research, Pune and Kerala Police
• SCIT - Symbiosis Centre for Information Technology, Pune
• Institute of Management Technology (IMT) – Ghaziabad
• IGNOU M-Tech (Information Systems Security) – Expert Member – Curriculum Review Committee
• C-DAC, ACTS (DISCS & DSSD)
# whoami
• The opinions represented here are my personal ones and do not necessarily reflect my employer's views.
• Registered brands belong to their legitimate owners.
• The information contained in this presentation does not break any intellectual property, nor does it provide detailed information that may be in conflict with any laws (hopefully...) :)
DISCLAIMER(S)
6
• Information and resources from Internet (including
publications from Cloud Security Alliance) were
extensively used for the creation of this presentation.
REFERENCES
7
INTRO & CLOUD ARCHITECTURE
CLOUD SECURITY & RISK ASSESSMENT FRAMEWORK
EXPLOITING CLOUD & FORENSICS
CONCLUSION
AGENDA
8
INTRODUCTION
9
• So what is Cloud Computing?
• Do you know what EC2 and S3 are?
• What is the SPI Model?
QUESTION
10
• cloud is loud
• Headline stealer
• Everybody is concerned about Cloud
Security
WHY THIS TALK?
11
• Why handle cloud differently?
• Simple – power of cloud
WHY IS CLOUD DIFFERENT?
12
TIGR - ??????
• Barack Obama's Technology Innovation and Government Reform Team (TIGR) describe the use of cloud computing as "one of the most important transformations the federal government will go through in the next decade."
13
• A 64 node Linux cluster can be online in
just five minutes
• Forget about those sleepless nights in
your data centers
CLOUD POWER
14
• Amazon Elastic Compute Cloud
(Amazon EC2)
• A web service that provides resizable
compute capacity in the cloud
EC2
15
• Allows users to rent computers on which
to run their own computer applications.
• A user can boot an Amazon Machine
Image (AMI) to create a virtual machine,
which Amazon calls an "instance",
containing any software desired.
EC2 - WIKIPEDIA
16
• A user can create, launch, and terminate
server instances as needed, paying by the
hour for active servers, hence the term
"elastic".
EC2 - WIKIPEDIA
17
• Amazon S3 (Simple Storage Service) is
an online storage web service offered by
Amazon Web Services.
• Provides unlimited storage through a
simple web services interface
S3
18
• $0.15 per gigabyte-month
• 102 billion objects as of March 2010
S3
19
• The New York Times - Amazon EC2 and
S3 - PDF's of 15M scanned news articles.
• NASDAQ uses Amazon S3 to deliver
historical stock information.
POWER OF CLOUD
20
• Cloud separates:
• application and information resources
from the underlying infrastructure, and
• the mechanisms used to deliver them.
CLOUD
21
Use of a collection of
• services,
• applications,
• information, and
• infrastructure
comprised of pools of compute, network,
information, and storage resources.
CLOUD
22
• Components can be
• rapidly orchestrated,
• provisioned,
• implemented & decommissioned, and
• scaled up or down
• Provide an on-demand utility-like model.
CLOUD
23
• From an architectural perspective; there
is much confusion
• How cloud is both similar to and
different from existing models of
computing?
CLOUD CONFUSION
24
• How these similarities and differences impact the
• organizational,
• operational, and
• technological approaches
to network and information security practices.
CLOUD CONFUSION
25
Marcus Ranum - Same old,
Same old
CLOUD SECURITY – DIFFERENT?
26
Same Client / Server paradigm from Mainframe days – Bruce Schneier
CLOUD SECURITY – DIFFERENT?
27
So what is this cloud?
28
CLOUD ARCHITECTURE
29
• NIST (U.S. National Institute of Standards
and Technology) defines cloud computing
by describing:
• five essential characteristics,
• three cloud service models, and
• four cloud deployment models.
CLOUD
30
• Five essential characteristics
• On-demand self-service
• Broad network access
• Resource pooling
• Rapid elasticity
• Measured service
CLOUD CHARACTERISTICS
31
• On-demand self-service
• Unilaterally provision computing
capabilities as needed automatically,
without requiring human interaction with
a service provider.
• Computing capabilities include server time
and network storage
CLOUD CHARACTERISTICS
32
• Broad network access
• Available over the network and
accessed through standard mechanisms
CLOUD CHARACTERISTICS
33
• Can be accessed through
heterogeneous thin or thick client
platforms (e.g., mobile phones, laptops,
and PDAs) as well as other traditional or
cloud based software services.
CLOUD CHARACTERISTICS
34
• Resource pooling
• The provider’s computing resources are
pooled to serve multiple consumers
using a multi-tenant model,
• Different physical and virtual resources
dynamically assigned and reassigned
according to consumer demand.
CLOUD CHARACTERISTICS
35
• Degree of location independence -
customer has no control or knowledge over
the exact location of the provided resources
• Customer may be able to specify location
at a higher level of abstraction (e.g.,
country, state, or datacenter).
CLOUD CHARACTERISTICS
36
• Examples of resources include:
• storage,
• processing,
• memory,
• network bandwidth, and
• virtual machines.
CLOUD CHARACTERISTICS
37
• Rapid elasticity
• Capabilities can be
• rapidly and elastically provisioned to
quickly scale out; and
• rapidly released to quickly scale in.
• In some cases this is done automatically.
CLOUD CHARACTERISTICS
38
• Measured service.
• Metering capability at some level of
abstraction appropriate to the type of service
• Resource usage can be monitored,
controlled, and reported — providing
transparency for both the provider and
consumer of the service.
CLOUD CHARACTERISTICS
39
• Example:
• storage,
• processing,
• bandwidth,
• active user accounts
CLOUD CHARACTERISTICS
40
• Myths about Cloud Computing Essential
Characteristics
• Virtualization is mandatory
• Answer is No
• Cloud services are often but not always
utilized in conjunction with, and enabled by,
virtualization technologies
MYTHS - CLOUD CHARACTERISTICS
41
• There is no requirement that ties the
abstraction of resources to
virtualization technologies
• In many offerings virtualization by
hypervisor or operating system
container is not utilized.
MYTHS - CLOUD CHARACTERISTICS
42
• Multi-tenancy as an essential cloud
characteristic
• Multi-tenancy is not called out as an
essential cloud characteristic by NIST
but is often discussed as such.
MYTHS - CLOUD CHARACTERISTICS
43
• Divided into three archetypal models.
• The three fundamental classifications are
known as the SPI Model.
• Various other derivative combinations are
also available.
CLOUD SERVICE MODELS
44
• Cloud Service Models
• Cloud Software as a Service (SaaS).
• Cloud Platform as a Service (PaaS).
• Cloud Infrastructure as a Service (IaaS).
CLOUD SERVICE MODELS
45
• The client uses the software / applications
running on a cloud infrastructure.
• Accessed through a thin client interface
such as a browser.
CLOUD SERVICE MODELS - SaaS
46
• User does not manage or control the
underlying cloud infrastructure including:
• network,
• servers,
• operating systems,
• storage, or
• even individual application capabilities
CLOUD SERVICE MODELS - SaaS
47
• Possible exception - limited user specific
application configuration settings.
CLOUD SERVICE MODELS - SaaS
48
• User can deploy onto the cloud
infrastructure consumer-created or
acquired applications created using
programming languages and tools
supported by the provider.
CLOUD SERVICE MODELS - PaaS
49
• The consumer does not manage or control
the underlying cloud infrastructure including
• network,
• servers,
• operating systems, or
• storage.
CLOUD SERVICE MODELS - PaaS
50
• Has control over the deployed
applications and possibly application
hosting environment configurations.
CLOUD SERVICE MODELS - PaaS
51
• The user can provision
• processing,
• storage,
• networks, and
• other fundamental computing resources
CLOUD SERVICE MODELS - IaaS
52
• The consumer is able to deploy and run
arbitrary software, which can include
operating systems and applications.
• The consumer does not manage or
control the underlying cloud infrastructure
CLOUD SERVICE MODELS - IaaS
53
• Has control over
• operating systems,
• storage,
• deployed applications, and
• possibly limited control of select networking
components (e.g., host firewalls).
CLOUD SERVICE MODELS - IaaS
54
• Regardless of the service model, there
are four cloud deployment models:
• Public Cloud
• Private Cloud
• Community Cloud
• Hybrid Cloud
CLOUD DEPLOYMENT MODELS
55
• There are derivative variations that
address specific requirements.
CLOUD DEPLOYMENT MODELS
56
• Public Cloud
• The cloud infrastructure is made
available to the general public or a large
industry group
• Owned by an organization providing
cloud services.
CLOUD DEPLOYMENT MODELS
57
• Private Cloud
• The cloud infrastructure is operated
solely for a single organization.
• It may be managed by the organization
or a third party, and may exist on-
premises or off-premises.
CLOUD DEPLOYMENT MODELS
58
• Community Cloud
• The cloud infrastructure is shared by
several organizations
• Supports a specific community that has
shared concerns
CLOUD DEPLOYMENT MODELS
59
• Examples:
• mission,
• security requirements,
• policy, or
• compliance considerations
CLOUD DEPLOYMENT MODELS
60
It may be managed by:
• the organizations or
• a third party
and may exist
• on-premises or
• off-premises.
CLOUD DEPLOYMENT MODELS
61
• Hybrid Cloud
• Composition of two or more clouds (private,
community, or public)
• They remain unique entities but are bound
together by standardized or proprietary
technology that enables data and
application portability
CLOUD DEPLOYMENT MODELS
62
• Example - Hybrid Cloud
• Cloud bursting for load-balancing
between clouds.
CLOUD DEPLOYMENT MODELS
63
• New twist on an old concept :)
• Bursting into the cloud when necessary,
or
• using the cloud when additional compute
resources are required temporarily
CLOUD BURSTING
64
• Example - used to shoulder the burden of
some of the application's processing
requirements.
• How is it done?
• Basic application functionality could be
provided from within the cloud
CLOUD BURSTING
65
• More critical (e.g. revenue-generating or
mission critical) applications continue to
be served from within the controlled
enterprise data center.
CLOUD BURSTING
66
• How is it different from traditional
bursting?
• Traditionally been applied to resource
allocation and automated provisioning /
de-provisioning of resources
• Historically focused on bandwidth.
CLOUD BURSTING
67
• In the cloud, it is being applied to
resources such as:
• servers,
• application servers,
• application delivery systems, and
• other infrastructure…
CLOUD BURSTING
68
• …required to provide on-demand
computing environments that expand and
contract as necessary, without manual
intervention.
CLOUD BURSTING
69
• Without manual intervention means?
• We generally call it - automation
• But is automation sufficient for cloud? Or
is it the right thing for cloud?
CLOUD BURSTING
70
Orchestration describes the automated
• arrangement,
• coordination, and
• management of
complex computer systems, middleware,
and services.
CLOUD ORCHESTRATION
71
• Generally used in the context of:
• Service Oriented Architecture,
• virtualization,
• provisioning, and
• dynamic datacenter topics.
CLOUD ORCHESTRATION
72
• Derivative cloud deployment models are
emerging due to the maturation of market
offerings and customer demand.
• Example
• Virtual Private Clouds
DERIVATIVE - DEPLOYMENT MODELS
73
• Public cloud infrastructure in a private or
semi-private manner
• By interconnecting these resources to the
internal resources of a consumer’s
datacenter, usually via virtual private
network (VPN) connectivity.
VIRTUAL PRIVATE CLOUDS
74
• Providers that offer intermediation,
monitoring, transformation/portability,
governance, provisioning, and integration
services.
• They also negotiate relationships between
various cloud providers and consumers.
CLOUD SERVICE BROKERS
75
• They take advantage of the
incompatibility issues prevailing and
provide an interface for customers.
• Acts as proxy (middle man)
CLOUD SERVICE BROKERS
76
• Open and proprietary APIs are evolving
which seek to enable things such as
• management,
• security and
• interoperability
for cloud.
OPEN AND PROPRIETARY API
77
• Open Cloud Computing Interface Working
Group,
• Amazon EC2 API,
• VMware’s DMTF-submitted vCloud API,
• Sun’s Open Cloud API,
• Rackspace API, and
• GoGrid’s API.
OPEN AND PROPRIETARY API
78
• Play a key role in cloud portability and
interoperability as well as common
container formats such as the DMTF’s
Open Virtualization Format (OVF).
• DMTF - Distributed Management Task
Force
OPEN AND PROPRIETARY API
79
• Not an essential characteristic of Cloud
Computing in NIST’s model.
• Generally identified as an important
element of cloud.
MULTI-TENANCY IN CLOUD
80
• Implies a need for
• policy-driven enforcement,
• segmentation,
• isolation,
• governance,
• service levels, and
• chargeback/billing models for different consumers.
MULTI-TENANCY IN CLOUD
81
CLOUD
82
CLOUD CUBE
83
CLOUD REFERENCE MODEL
84
• Understanding the relationships and
dependencies between Cloud Computing
models is critical to understanding Cloud
Computing security risks.
CLOUD REF MODEL
85
• IaaS is the foundation of all
cloud services, with PaaS
building upon IaaS, and
SaaS in turn building upon
PaaS
• As the capabilities are
inherited, so are information
security issues and risk.
CLOUD REF MODEL
86
CLOUD SECURITY
87
• From an attackers point of view:
• The boxes,
• Storage,
• Applications
CLOUD – WHAT COULD BE TARGETED?
88
• With any new technology comes new risks
• New vectors - that we need to be aware of
• Confusion exists - how cloud is both similar
to and different from existing models of
computing
WHY IS CLOUD SECURITY DIFFERENT?
89
• Cloud based security issues, also
commonly known as Cloud Based Risk –
CRISK
SECURITY ISSUES
90
Lock-in
• When a cloud user decides to migrate (due to various reasons including poor SLA) to another cloud service provider or to in-house IT
• Different cloud service providers use different APIs – not compatible with each other for migrating the data
SECURITY ISSUES
91
Lack of:
• Tools,
• Procedures,
• Standard data formats, and
• Interfaces,
can considerably delay or prevent a successful migration.
SECURITY ISSUES
92
Shared Service Consequences
• Any kind of intentional or unintentional
malicious activity carried out or executed
on a shared platform may affect the other
tenants and associated stakeholders.
SECURITY ISSUES
93
Examples - Shared Service Consequences:
• Blocking of IP ranges
• Confiscation of resources as part of an
investigation - the availability is in question.
SECURITY ISSUES
94
Examples - Shared Service Consequences:
• The diversity of applications running on the
cloud platform and a sudden increase in
the resource usage by one application
can drastically affect the performance and
availability of other applications shared in
the same cloud infrastructure.
SECURITY ISSUES
95
Sudden Acquisitions and Take-overs
• Cloud is an upcoming and promising domain
for organizations to venture into and expand.
• A sudden takeover can result in a deviation
from the agreed Terms of Use & SLA which
may also lead to a Lock-In situation.
SECURITY ISSUES
96
Run-on-the-cloud
• Similar to the conventional run on the bank
concept.
• Bankruptcy and catastrophes do not
come with an early warning.
SECURITY ISSUES
97
• What happens if the majority of clients
withdraw the associated services from a
cloud infrastructure?
SECURITY ISSUES
98
• The cloud service providers may try to
prevent that move through direct and
indirect methods – which may include a
lock-in also.
SECURITY ISSUES
99
Maintaining Certifications & Compliance
• Organizations need to ensure that they can
maintain the same when moving to cloud.
• Terms of Use (ToU) prohibit VA/PT (vulnerability
assessment / penetration testing)
• This may introduce security vulnerabilities
and gaps
• Result – Lose your certification.
SECURITY ISSUES
100
Example - Maintaining Certifications:
• In the general scenario, PCI DSS
compliance cannot be achieved with the
Amazon EC2/S3 cloud service.
• Major downfall in performance and quality
metrics may affect your certifications.
SECURITY ISSUES
101
Technical and Procedural Vulnerability
• Vulnerabilities applicable to the
conventional systems & networks are also
applicable to cloud infrastructure.
• Lack of cloud-based security standards and
non-adherence to procedures may affect the
CIA of customer data.
SECURITY ISSUES
102
Confidentiality is @ Risk
• The information deleted by the customer
may be available to the cloud solution
provider as part of their regular backups.
• Insecure and inefficient deletion of data,
true data wiping not happening, exposing
the sensitive information to other cloud
users.
SECURITY ISSUES
103
Lack of transparency in cloud
• The service provider may be following good
security procedures, but it is not visible to
the customers and end users.
• May be due to security reasons.
• But end user is finally in the dark.
SECURITY ISSUES
104
Lack of transparency in cloud
• End user questions remain unanswered:
• how the data is backed up,
• who backs up the data,
• whether the cloud service provider does it
or has outsourced it to some third party,
SECURITY ISSUES
105
• how the backup is transferred to a remote
site as part of the backup policy,
• is it encrypted when sent,
• is the backup properly destroyed after the
specified retention period or
SECURITY ISSUES
106
• is it lying somewhere in the disk,
• what kind of data wiping technologies are
used.
• The list of questions is long and the cloud
users are in the dark
SECURITY ISSUES
107
• Problems testing the cloud?
• Permission
• How do you get permission to test your
application running on Amazon EC2 when
the results of your testing could show you
data from another client completely?
SECURITY TESTING
108
• Getting black-holed or getting kicked off
• "In networking, black holes refer to places in the network where incoming traffic is silently discarded (or "dropped"), without informing the source that
the data did not reach its intended recipient." - From Wikipedia
SECURITY TESTING
109
• How do you track version?
• How do you do regression testing?
• How do you know what version of the
search engine Google is currently running
on?
SECURITY TESTING
110
• If you test an application today and find it
vulnerable or not vulnerable, how do you
know that the app you are testing tomorrow is
the same one that you tested yesterday? -
You don't
SECURITY TESTING
111
If it's not good, safe or even new, then why is cloud adoption happening?
THEN WHY WE MOVE?
112
FEW TOP REASONS
• Management by in-flight magazines
• Management version – something new and promising – let’s try it out
• Geek version – It’s really cool
• There is nobody to put a brake on it when these two people join together.
113
• Poor uptime and service delivery
experience from IT department.
• Economical factors
• Multi-tenancy means cost sharing
OTHER REASONS
114
• Cost saving makes it attractive during
recession.
• Cloud computing allows you to move from
CAPEX to OPEX.
• Save 30% of IT Operational Cost
OTHER REASONS
115
• Variable cost subscription model – rapidly
scale up and scale down.
• Go Green or Green IT also influenced
many.
• Powerful - A 64 node Linux cluster can be
online in just five minutes - forget about
those sleepless nights in your data centers
OTHER REASONS
116
ADDRESSING SECURITY ISSUES IN CLOUD – RISK
ASSESSMENT FRAMEWORK FOR CLOUD
117
• Adopt a risk based approach
• Evaluate your tolerance for moving an
asset to cloud
• Have a framework to evaluate cloud risks.
ADDRESSING CLOUD SECURITY
118
• Identify the asset for cloud.
• Evaluate the asset
• Map the asset to cloud deployment
models
• Evaluate cloud service models & providers
• Sketch the potential data flow
RA FRAMEWORK FOR CLOUD
119
• Two types of assets are supported by
cloud:
• Data
• Applications/Functions/Processes
• Either partial functions or full
applications
1 - IDENTIFY THE ASSET
120
• In cloud, we do not need data and
application to reside at the same location.
• We can shift parts of functions to the
cloud.
1 - IDENTIFY THE ASSET
121
• Example:
• Host the main application and data in our
own data-centre.
• Outsource a portion of its functionality to
the cloud through Platform as a Service
(PaaS).
1 - IDENTIFY THE ASSET
122
• First step in evaluating risk for the cloud -
determine exactly what data or function is
being considered for the cloud.
• Include potential use of the asset once it
moves to the cloud
1 - IDENTIFY THE ASSET
123
• This will help you account for scope creep
• Data and transaction volumes are often
higher than expected.
1 - IDENTIFY THE ASSET
124
• What is scope creep?
• Also known as
• focus creep,
• requirement creep,
• feature creep,
• function creep
1 - IDENTIFY THE ASSET
125
• Refers to uncontrolled changes in a
project's scope.
• Can occur when the scope of a project is
not properly defined, documented, or
controlled.
1 - IDENTIFY THE ASSET
126
• Determine how important the data or
function is to the organization.
• A detailed valuation is recommended only
if the organization has an existing process
for that.
2 - EVALUATE THE ASSET
127
• If not, a rough assessment of the following
is recommended:
• how sensitive an asset is, and
• how important an application / function /
process is.
2 - EVALUATE THE ASSET
128
• How do we do it?
• For each asset, ask the following
questions:
• How would we be harmed if the asset
became widely public and widely
distributed?
2 - EVALUATE THE ASSET
129
• How would we be harmed if an employee
of our cloud provider accessed the asset?
• How would we be harmed if the process
or function were manipulated by an
outsider?
2 - EVALUATE THE ASSET
130
• How would we be harmed if the process
or function failed to provide expected
results?
• How would we be harmed if the
information/data were unexpectedly
changed?
2 - EVALUATE THE ASSET
131
• How would we be harmed if the asset
were unavailable for a period of time?
2 - EVALUATE THE ASSET
132
• What are we doing basically with the
above process?
• Assessing confidentiality, integrity, and
availability requirements for the asset;
and
• how those are affected if all or part of the
asset is handled in the cloud.
2 - EVALUATE THE ASSET
133
• Step 3 - Map the asset to potential cloud
deployment models
• Determine which deployment model is
good for the organizational requirement.
3 – MAP THE ASSETS
134
• Decide whether the organization can
accept the risks implicit to the various
deployment models (private, public,
community, or hybrid); and hosting
scenarios (internal, external, or combined).
3 – MAP THE ASSETS
135
• For the asset, determine if you are willing
to accept the following options:
• Public.
• Private, internal/on-premises.
• Private, external (including dedicated or shared infrastructure).
• Community.
• Hybrid.
3 – MAP THE ASSETS
136
• By the end of this phase you should have an
answer to the following:
• Deployment models and locations that fit
your security and risk requirements.
3 – MAP THE ASSETS
137
• Focus on the degree of control you’ll have
at each SPI tier to implement any required
risk management.
4 – EVALUATE MODELS & PROVIDERS
138
• Map out the data flow between:
• your organization,
• the cloud service, and
• any customers/other nodes.
5 – SKETCH DATA FLOW
139
• High-level design can be adopted for the
same.
• Absolutely essential to understand
whether, and how, data can move in and
out of the cloud before finalizing.
5 – SKETCH DATA FLOW
140
• You should have a clear understanding of
the following:
• the importance of what you are
considering moving to the cloud,
• risk tolerance,
RA - CONCLUSION
141
• which combinations of deployment and
service models are acceptable, and
• potential exposure points for sensitive
information and operations.
RA - CONCLUSION
142
• For low-value assets you don’t need the
same level of security controls
• Can skip most of the recommendations —
such as on-site inspections, discoverability,
and complex encryption schemes.
• A high-value regulated asset might entail
audit and data retention requirements.
RA - CONCLUSION
143
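A worked instance of the five-step framework above, added here as an illustration and not part of the original talk: it scores the six step-2 harm questions, derives the CIA requirements, filters the step-3 deployment options and picks a control level as in the conclusion. The 0–4 harm scale, the per-model implicit risk values, the MAX_COMBINED acceptance rule and the sample assets are assumptions of this example.

```python
"""Worked example of the cloud risk-assessment framework (added illustration).
Scoring scale, per-model risk values and the acceptance rule are assumptions."""
from dataclasses import dataclass
from typing import Dict, List

# Step 2: the six harm questions, each mapped to the CIA property it probes.
# Answers are scored 0 (no harm) .. 4 (severe harm); the scale is an assumption.
HARM_QUESTIONS: Dict[str, str] = {
    "widely_public": "C",             # asset became widely public and distributed
    "provider_employee_access": "C",  # a cloud-provider employee accessed the asset
    "outsider_manipulation": "I",     # process/function manipulated by an outsider
    "wrong_results": "I",             # process/function failed to give expected results
    "unexpected_change": "I",         # information/data unexpectedly changed
    "unavailable": "A",               # asset unavailable for a period of time
}

# Step 3: deployment options and the risk a consumer implicitly accepts for
# each CIA property when using them (0 low .. 4 high). Illustrative values.
DEPLOYMENT_RISK: Dict[str, Dict[str, int]] = {
    "public":                        {"C": 4, "I": 3, "A": 3},
    "private, internal/on-premises": {"C": 1, "I": 1, "A": 1},
    "private, external (dedicated)": {"C": 2, "I": 2, "A": 2},
    "private, external (shared)":    {"C": 3, "I": 2, "A": 2},
    "community":                     {"C": 3, "I": 2, "A": 2},
    "hybrid":                        {"C": 3, "I": 2, "A": 2},
}

MAX_COMBINED = 5  # assumption: requirement + implicit risk above this is unacceptable


@dataclass
class Asset:
    """Step 1: the data or function being considered for the cloud."""
    name: str
    kind: str                 # "data" or "function"
    harm: Dict[str, int]      # answers to HARM_QUESTIONS; missing answers count as 0
    regulated: bool = False


def cia_requirements(asset: Asset) -> Dict[str, int]:
    """Step 2: a property's requirement is the worst harm reported for it."""
    req = {"C": 0, "I": 0, "A": 0}
    for question, prop in HARM_QUESTIONS.items():
        score = asset.harm.get(question, 0)
        if not 0 <= score <= 4:
            raise ValueError(f"{question}: score {score} outside 0..4")
        req[prop] = max(req[prop], score)
    return req


def acceptable_deployments(asset: Asset) -> List[str]:
    """Step 3: keep the models whose implicit risk the asset can tolerate."""
    req = cia_requirements(asset)
    return [
        model for model, risk in DEPLOYMENT_RISK.items()
        if all(req[p] + risk[p] <= MAX_COMBINED for p in ("C", "I", "A"))
    ]


def control_level(asset: Asset) -> str:
    """Conclusion: low-value assets skip heavyweight controls; high-value
    regulated assets carry audit and retention requirements."""
    worst = max(cia_requirements(asset).values())
    if worst <= 1:
        return "low"       # skip on-site inspections, discoverability, complex encryption
    if asset.regulated and worst >= 3:
        return "high"      # audit trail and data-retention requirements apply
    return "standard"


def assess(asset: Asset) -> Dict[str, object]:
    """Full pass through steps 1-3 plus the control decision for one asset."""
    return {
        "asset": asset.name,
        "kind": asset.kind,
        "cia": cia_requirements(asset),
        "deployments": acceptable_deployments(asset),
        "controls": control_level(asset),
    }


if __name__ == "__main__":
    # Constructed sample assets for illustration.
    brochure = Asset("public product brochure", "data",
                     {"widely_public": 0, "unavailable": 1})
    customer_pii = Asset("customer PII store", "data",
                         {"widely_public": 4, "provider_employee_access": 3,
                          "outsider_manipulation": 2, "unexpected_change": 3,
                          "unavailable": 2}, regulated=True)
    for a in (brochure, customer_pii):
        print(assess(a))
```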
EXPLOITING CLOUD FOR IW /
ATTACKS
144
DO YOU KNOW THIS?
145
• Clue:
• Kendo (kumdo in Korean)
INFORMATION WARFARE
146
風 - Swift as the wind
林 - Quiet as the forest
火 - Conquer like the fire
山 - Steady as the mountain
INFORMATION WARFARE
147
• Battle strategy and motto of Japanese feudal lord Takeda Shingen (武田信玄) (1521–1573 A.D.).
• Twenty-Four Generals - famous grouping of battle commanders
• (Takeda Nijūshi-shō) 武田二十四将
INFORMATION WARFARE
148
• Came from the Art of War by Chinese
strategist and tactician Sun Tzu (Sunzi)
• A sort of abbreviation to remind officers
and troops how to conduct battle
INFORMATION WARFARE
149
• This is what we need in information
warfare or when launching an attack
INFORMATION WARFARE
150
• Sample Task
• Break PGP passphrases
• Solution
• Brute forcing PGP passphrases
EXPLOITING CLOUD
151
• Try – ElcomSoft Distributed Password
Recovery (with some patches to handle
PGP ZIP)
• Two elements - EDPR Managers & EDPR
Agents
EXPLOITING CLOUD
152
• Dual core Win7 box - 2100 days for a
complex passphrase.
• Not acceptable – too long
• Lets exploit the cloud.
EXPLOITING CLOUD
153
• First things first – Create an Account on
Amazon. Credit Card Required
• Install Amazon EC2 API Tools on your
linux box.
sudo apt-get install ec2-api-tools
EXPLOITING CLOUD
154
• Select an AMI
• Example - use a 32 bit Windows AMI -
ami-df20c3b6
EXPLOITING CLOUD
155
• Start an instance from the Linux shell as
follows:
ec2-run-instances -k ssh-keypair ami-df20c3b6 -g default
EXPLOITING CLOUD
156
• Enumerate the instance ID & public IP:
ec2-describe-instances
EXPLOITING CLOUD
157
• Instance status change from “pending” to “running”
• Extract the admin password for the instance
ec2-get-password -k ssh-keypair.pem $instanceID
EXPLOITING CLOUD
158
• Configure EC2 firewall to permit inbound RDP traffic to the instance.
ec2-authorize default -p 3389 -s $trusted_ip_address/32
EXPLOITING CLOUD
159
• Configure the firewall in front of the EDPR
manager system to permit TCP/12121 from
anywhere.
• RDP into the instance & configure EDPR
EXPLOITING CLOUD
160
• Login using the password obtained from the
ec2-get-password command
EXPLOITING CLOUD
161
• Install EDPR Agent,
• Configure the Agent to connect to the
Manager.
• 3 points to configure mainly
EXPLOITING CLOUD
162
• Configure the public IP address or hostname of the EDPR manager you have configured.
EXPLOITING CLOUD
163
• Interface tab - Set the Start-up Mode to "At Windows Start-up".
EXPLOITING CLOUD
164
• Registry hack
• EDPR creates a pair of registry values
which are used to uniquely identify the
agent when connecting to the manager.
• We need to scrub these values – why?
EXPLOITING CLOUD
165
• If we don’t, every single instance we
initiate will appear to be the same agent to
the manager.
• Output = The job handling will be totally
corrupted.
EXPLOITING CLOUD
166
HKEY_LOCAL_MACHINE\Software\ElcomSoft\Distributed Agent\UID
• Set the value of the UID key to null, but
DO NOT DELETE THE KEY.
EXPLOITING CLOUD
167
• Let’s bundle the EC2 instance.
• Remember in cloud, bundle is similar to
creating a ‘template’ in VMware
terminology.
EXPLOITING CLOUD
168
• Install and configure EC2 AMI Tools
• Command:
ec2-bundle-instance $instance_id -b $bucket_name -p $bundle_name -o $access_key_id -w $secret_access_key
EXPLOITING CLOUD
169
• The bundling process runs sysprep on the
Windows instance, compresses and copies
the instance to S3.
EXPLOITING CLOUD
170
• Check the progress of the bundle task:
ec2-describe-bundle-tasks
EXPLOITING CLOUD
171
• Register the bundled AMI:
ec2-register $bucket_name/$bundle_name.manifest.xml
EXPLOITING CLOUD
172
• The register command returns the AMI ID
• Used to spawn instances of the EDPR
agent. Example:
IMAGE ami-54f3103d
EXPLOITING CLOUD
173
• Start EDPR manager & configure task
• to brute-force a password composed of
uppercase letters, lowercase letters, and
the numbers 0-9, with a length of between
1 and 8 characters against a PGP ZIP file.
ACTION TIME
174
ACTION TIME
175
• Start a single instance of our EDPR agent:
ec2-run-instances -k ssh-keypair ami-54f3103d -g default
ACTION TIME
176
• The agent checks in with the EDPR manager.
ACTION TIME
177
• We started it with default parameters
• EC2 “small” instance
• Trying 500K keys per second
• How long will it take?
ACTION TIME
178
• What???? 3600 days? = 10 years!!!!!
ACTION TIME
179
• Let’s scale up – deploy 10 additional
instances:
ec2-run-instances -n 10 -k ssh-keypair ami-54f3103d -g default -t c1.medium
ACTION TIME
180
• The -n 10 parameter tells EC2 to launch
10 instances.
• c1.medium instance = “High CPU"
instance
ACTION TIME
181
ACTION TIME
182
• Now we have more cracking agents in the
party!!!
• 2+M keys/second
• So what's the time required now???
ACTION TIME
183
• Down to 122 days
ACTION TIME
184
• Kickoff another 89 to hit a century.
ec2-run-instances -n 89 -k ssh-keypair ami-54f3103d -g default -t c1.medium
Note: Check your EDPR License.
ACTION TIME
185
• Error:
Client.InstanceLimitExceeded: Your quota allows for 9 more instance(s). You requested at least 89
ACTION TIME
186
• Option 1
• Request an Amazon EC2 instance limit
increase -
http://aws.amazon.com/contact-us/ec2-request/
ACTION TIME
187
• Option 2
• Amazon spot instances - allows us to bid
on unused Amazon EC2 capacity and run
those instances.
ACTION TIME
188
• Option 3
• Create custom python script to bypass this
limitation
ACTION TIME
189
• With a couple more instances, we can
reduce it to hours
• A successful cloud based distributed
cracking system.
ACTION TIME
190
CLOUD FORENSICS
191
• Mixed Responses
• Bad guys have started using cloud based
services and infrastructure for launching
attacks
• Cloud does provide a good platform for
incident response and forensics
investigations
CLOUD FORENSICS
192
• By utilizing the inherent features of cloud
computing, computer forensics can become
an on-demand service under certain
circumstances.
CLOUD FORENSICS
193
• Regular business and operations are not
affected when a cloud environment needs to
be forensically examined.
• Not the case with traditional
infrastructure, where the equipment is
seized.
• Cloud Example – Amazon EBS
CLOUD FORENSICS
194
• Cloud based forensics took a new turn
when Amazon introduced Elastic Block
Store (EBS) volumes
• Enables the user to launch an instance with
an Amazon EBS volume that will serve as
the root device.
CLOUD FORENSICS
195
• When there is a need to preserve a cloud environment, EBS can create an exact replica of the cloud instance & put it on the same cloud for forensics evaluation and examination.
• Since the forensic investigators will be working with another instance of the environment, regular operations are not affected in any way.
CLOUD FORENSICS
196
• Replication process achieved in few
minutes.
• Forensic evidence is invalid if it is
not cryptographically hashed.
• This can be easily achieved using the on-
demand feature of cloud.
CLOUD FORENSICS
197
• Replication process achieved in few
minutes.
• Forensic evidences are invalid if they are
not cryptographically hashed.
• This can be easily achieved using the on-
demand feature of cloud.
CLOUD FORENSICS
198
• The cloud based hashing takes less time
and is much faster when you compare it with
the traditional cryptographic hashing
process.
• Amazon Web Services already provides
a useful forensic feature: it can provide
an MD5 hash of every file that is on the cloud
system.
CLOUD FORENSICS
199
• What this practically means is that when a
bit by bit copy is initiated (forensic
duplication), you have systems in place
which can ensure that you made the exact
replica and not even a bit has changed
during the replication and copying process.
CLOUD FORENSICS
200
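As an added illustration (not from the talk), the check an examiner would run on a copy downloaded from S3 before relying on the provider's hash: the ETag S3 reports is the object's plain MD5 only for single-part uploads, while multipart uploads carry an ETag of the form md5(concatenated part digests)-N, so verification needs the part size used at upload. The sample bytes, part size and labels are constructed; a SHA-256 is recorded alongside because the S3 value rests on MD5 alone.

```python
"""Verify a forensic copy against the hash S3 reports (added illustration).
Sample data and part size are constructed; no AWS access is needed."""
import hashlib
from typing import Dict, Optional


def single_part_etag(data: bytes) -> str:
    """ETag of an object uploaded in one part: plain hex MD5 of the bytes."""
    return hashlib.md5(data).hexdigest()


def multipart_etag(data: bytes, part_size: int) -> str:
    """ETag of a multipart upload: hex MD5 over the raw MD5 digests of every
    part, followed by '-<number of parts>'. Needs the part size used at upload."""
    if part_size <= 0:
        raise ValueError("part_size must be positive")
    if not data:
        raise ValueError("empty object cannot be a multipart upload")
    part_digests = b"".join(
        hashlib.md5(data[offset:offset + part_size]).digest()
        for offset in range(0, len(data), part_size)
    )
    parts = (len(data) + part_size - 1) // part_size
    return f"{hashlib.md5(part_digests).hexdigest()}-{parts}"


def etag_matches(data: bytes, etag: str, part_size: Optional[int] = None) -> bool:
    """Compare local bytes with the ETag S3 returned (quotes are stripped).
    A multipart ETag cannot be checked without the part size: report False
    rather than guessing, so the examiner knows the copy is unverified."""
    etag = etag.strip('"').lower()
    if "-" in etag:
        if part_size is None:
            return False
        return multipart_etag(data, part_size) == etag
    return single_part_etag(data) == etag


def evidence_record(label: str, data: bytes, etag: str,
                    part_size: Optional[int] = None) -> Dict[str, object]:
    """Hashes to write into the chain-of-custody log for an acquired copy.
    SHA-256 is recorded alongside MD5 because the S3 ETag alone rests on MD5."""
    return {
        "label": label,
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "etag_verified": etag_matches(data, etag, part_size),
    }


if __name__ == "__main__":
    # Constructed stand-in for a downloaded disk image; real images are GBs.
    image = bytes(range(256)) * 10          # 2560 bytes
    # What S3 would report for a 3-part upload with 1000-byte parts.
    reported = '"' + multipart_etag(image, 1000) + '"'
    print(evidence_record("instance-root-copy", image, reported, part_size=1000))
    # A copy that differs by a single byte must fail verification.
    tampered = image[:-1] + bytes([image[-1] ^ 0x01])
    print(etag_matches(tampered, reported, part_size=1000))   # False
```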
• Even though you have all the above
services available, cloud forensics is still
challenging.
• Applications and host systems that once
used to be in-house are now virtualized and
scattered across the cloud.
CLOUD FORENSICS
201
• Makes evidence gathering a challenging
task
• Since we are acquiring data from a virtual
environment, the forensic investigator should
have a clear and precise understanding of
how they work and what files are interesting
and required to acquire.
CLOUD FORENSICS
202
• Near to impossible to acquire the complete
hard disk due to various reasons including
but not limited to:
• multiple data owners on the same disk,
• remote geographical location,
• jurisdictional difficulties,
• RAID configurations etc
CLOUD FORENSICS
203
• Questions also arise on the compatibility
and reliability of the tools used for
investigating cloud forensics - because most
of the tools are meant for real time systems
and not for virtualized environments.
• A collaborative and collective effort is
required to address what we discussed.
AND FINALLY
204
CONCLUSION
205
• The architectural mindset used when designing solutions has clear implications on the:
• future flexibility,
• security,
• collaborative capabilities, and
• mobility
of the resultant solution.
CONCLUSION
206
• With so many different cloud deployment
and service models, and their hybrid
permutations — no list of security controls
can cover all these circumstances.
CONCLUSION
207
A good security professional is someone who always looks both ways before crossing a one-way street.
GOOD SECURITY PROFESSIONAL
208
THANK YOU !