TRANSCRIPT
Top Cloud Threats v2.0, Cloud Security Alliance
Michael Sutton, VP Research, Zscaler; Dan Hubbard, CTO, Websense
Project
Contributing Organizations
Top Threats for Cloud Computing v1
Shared Technology Vulnerabilities
Cloudburst
Kostya Kortchinsky, Immunity (Black Hat 2009)
#define SVGA_CMD_RECT_COPY 3 /* FIFO layout: Source X, Source Y, Dest X, Dest Y, Width, Height */
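Cloudburst abused a guest-to-host SVGA FIFO command; whatever the exact handler flaw, the defensive requirement on the host is to validate every rectangle it is asked to copy before touching memory. This is an added example, not code from the talk or from VMware: it parses the six-word layout named in the comment above and accepts only rectangles that lie fully inside a constructed 1024x768 framebuffer, with the comparison written so that a direct C port in 32-bit arithmetic cannot wrap past the buffer.

```python
import struct

FB_WIDTH, FB_HEIGHT = 1024, 768  # constructed framebuffer geometry for the example
U32 = 0xFFFFFFFF


def parse_rect_copy(fifo: bytes):
    """Unpack the six u32 words that follow SVGA_CMD_RECT_COPY in the FIFO:
    Source X, Source Y, Dest X, Dest Y, Width, Height (little-endian)."""
    if len(fifo) < 24:
        raise ValueError("truncated RECT_COPY command")
    return struct.unpack("<6I", fifo[:24])


def rect_in_bounds(x, y, w, h, fb_w=FB_WIDTH, fb_h=FB_HEIGHT):
    """True only if the rectangle lies entirely inside the framebuffer.
    Written as x <= fb_w - w rather than x + w <= fb_w, so a C version
    using u32 arithmetic cannot wrap around and pass the check."""
    if w == 0 or h == 0:
        return False
    if w > fb_w or h > fb_h:
        return False
    return x <= fb_w - w and y <= fb_h - h


def naive_in_bounds(x, y, w, h, fb_w=FB_WIDTH, fb_h=FB_HEIGHT):
    """The check a host must NOT use: emulates u32 wrap-around of x + w."""
    return ((x + w) & U32) <= fb_w and ((y + h) & U32) <= fb_h


def validate_rect_copy(fifo: bytes, fb_w=FB_WIDTH, fb_h=FB_HEIGHT):
    """Host-side gate: both source and destination rectangles must be in bounds."""
    sx, sy, dx, dy, w, h = parse_rect_copy(fifo)
    return rect_in_bounds(sx, sy, w, h, fb_w, fb_h) and rect_in_bounds(dx, dy, w, h, fb_w, fb_h)


def encode_rect_copy(sx, sy, dx, dy, w, h) -> bytes:
    """Build a command in the FIFO layout (used here only to construct samples)."""
    return struct.pack("<6I", sx, sy, dx, dy, w, h)


# Constructed sample commands.
GOOD = encode_rect_copy(0, 0, 100, 100, 64, 64)
OUTSIDE = encode_rect_copy(0, 0, 1000, 700, 64, 64)       # dest spills past the right edge
WRAPPED = encode_rect_copy(0, 0, 0xFFFFFFF0, 0, 0x20, 1)  # dest x + w wraps to 0x10 in u32
```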
Account / Service Hijacking
MobileMe – Enumerating Accounts (chart)
             Exists   Does not exist   Exists (password protected)
Girl Names   48%      44%              8%
Boy Names    56%      18%              26%
69% of accounts verified
MobileMe – Password Reset
Data Loss / Data Leakage
MediaMax – Inactive Accounts
MediaMax / The Linkup: When the cloud fails
By Michael Krigsman | August 27, 2008, 9:55am PDT
Online storage service MediaMax, also called The Linkup, went out of business following a system administration error that deleted active customer data. The defunct company leaves behind unhappy users and raises questions about the reliability of cloud computing.
…
As with most failures, this story is fraught with complications and contradictions. Besides finger pointing and back-biting, which I suppose is to be expected, confusing corporate relationships coupled with a seemingly bizarre level of process and technical carelessness lend a weird flavor to the whole mess.
MediaMax Failures
Microsoft – Lost Sidekick Data
Microsoft Recovers Lost Sidekick Data
October 15, 2009, 5:07 p.m. ET, by Roger Cheng
Microsoft Corp. said Thursday that it has been able to recover the personal customer data lost from many of T-Mobile USA's Sidekick devices.
The Redmond, Wash., software giant said that most, if not all, customer data was recovered, and that the company would begin restoring data as soon as it has validated it. The company said it will start with personal contacts, and move on to the lost calendar, notes, tasks and pictures as quickly as possible.
Malicious Insiders
Google Fires Email Snooper
Google fires employee for snooping on users
September 16, 2010 | By Jessica Guynn, Los Angeles Times
The Internet search giant says the software engineer broke its 'strict internal privacy policies.' He allegedly accessed information about four teenagers.
Reporting from San Francisco — Google Inc. fired a software engineer for snooping on its users' private information, the Internet search giant confirmed Wednesday.
The 27-year-old employee, David Barksdale, allegedly accessed information about four teenagers he met through a Seattle technology group, according to gossip website Gawker, which reported the incident Tuesday.
Google Response
“We dismissed David Barksdale for breaking Google’s strict internal privacy policies. We carefully control the number of employees who have access to our systems, and we regularly upgrade our security controls – for example, we are significantly increasing the amount of time we spend auditing our logs to ensure those controls are effective. That said, a limited number of people will always need to access these systems if we are to operate them properly – which is why we take any breach so seriously.”
Bill Coughran, Senior VP of Engineering
Facebook Master Password
Purported Interview With Facebook Employee Details Use Of 'Master Password'
Jason Kincaid, Jan 11, 2010
Earlier today, The Rumpus published a very revealing interview with someone claiming to be a Facebook employee. The interview covers a variety of subjects, including privacy restrictions at the world’s largest social network and some of the technological hurdles the site has to deal with. The biggest revelations? That Facebook collects more data about your habits than you may realize, and that there was once a ‘master password’ that would grant employees access to anyone’s Facebook profile — a password that some employees abused.
Interception or Hijacking of Traffic
Twitter DNS Redirection
Internal Twitter Credentials Used in DNS Hack, Redirect
By David Kravets December 18, 2009 | 1:04 pm
Twitter’s website went offline for about an hour Thursday, with many tweeters redirected to a defacement page boasting “This site has been hacked by Iranian Cyber Army.”
Twitter acknowledged the 10 p.m. takeover, one in a series of security lapses to hit the popular microblogging service. Twitter said its DNS records “were temporarily compromised.”
Tom Daly, chief technology officer at Dyn, a New Hampshire-based DNS company that services Twitter, said somebody using a “set of valid Twitter credentials” redirected the site.
Insecure APIs
The programmable web is run in the cloud &
The cloud is programmed by the web
We analyzed a dozen popular Twitter apps, gadgets, Facebook apps, and mashups:
more than 80% are not using the authentication and encryption the platforms provide!
• The programmable web is…
– straightforward to develop solutions for
– often anonymous or “frictionless”
– usable from anywhere
– usually usable by anyone
– usable on anything (it’s the web, after all)
• Threats to the programmable web:
– Man-in-the-middle (MITM) attacks
– Message replay attacks
– Identity spoofing
– Message alteration
– Confidentiality and privacy leaks
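The replay, spoofing and alteration threats listed above are exactly what request signing addresses. This is an added example, not code from the talk or from any platform it mentions: the client signs each request with HMAC-SHA256 over method, path, body hash, timestamp and nonce (constructed key and secret), and the server rejects unknown keys, altered messages, stale timestamps and repeated nonces. The signature covers integrity and origin only; transport encryption is still needed against MITM eavesdropping.

```python
import hashlib
import hmac
import secrets
import time

# Constructed credentials for the example; a real provider issues these per client.
API_KEY = "demo-client"
API_SECRET = b"constructed-demo-secret"
MAX_SKEW = 300  # seconds a signed request stays acceptable


def canonical(method, path, body, ts, nonce):
    # Everything the signature covers: altering any field invalidates it.
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, body_hash, str(ts), nonce]).encode()


def sign_request(method, path, body, secret=API_SECRET, ts=None, nonce=None):
    """Client side: attach key id, timestamp, fresh nonce and HMAC-SHA256 signature."""
    ts = int(time.time()) if ts is None else ts
    nonce = secrets.token_hex(16) if nonce is None else nonce
    sig = hmac.new(secret, canonical(method, path, body, ts, nonce), hashlib.sha256).hexdigest()
    return {"X-Api-Key": API_KEY, "X-Timestamp": str(ts), "X-Nonce": nonce, "X-Signature": sig}


class Verifier:
    """Server side: checks identity, integrity and freshness of each request."""

    def __init__(self, secrets_by_key, max_skew=MAX_SKEW):
        self.secrets_by_key = secrets_by_key
        self.max_skew = max_skew
        self.seen = {}  # nonce -> timestamp, the replay cache

    def verify(self, method, path, body, headers, now=None):
        now = int(time.time()) if now is None else now
        secret = self.secrets_by_key.get(headers.get("X-Api-Key"))
        if secret is None:
            return "unknown key"  # identity spoofing: no shared secret, no valid signature
        try:
            ts, nonce = int(headers["X-Timestamp"]), headers["X-Nonce"]
        except (KeyError, ValueError):
            return "missing auth headers"
        if abs(now - ts) > self.max_skew:
            return "stale timestamp"  # bounds how long a captured request is replayable
        expected = hmac.new(secret, canonical(method, path, body, ts, nonce), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
            return "bad signature"  # message alteration, or wrong secret
        # Drop nonces older than the window, then reject any nonce already seen within it.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.max_skew}
        if nonce in self.seen:
            return "replay"
        self.seen[nonce] = ts
        return "ok"
```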
• Example of Open Graph being compromised and redirecting users
Abuse and Nefarious Use
Hosting attacker toolkits for infecting users, pushing code updates, and the command-and-control and statistics portal
Twitter and other web services have been used for command and control of bots
• Using Google’s search platform to poison search results
~15% of searches for hot trends end up at malicious websites
Attackers use web APIs such as hot trends, topics, tweets, and mining
Keep in mind that this is essentially a DoS attack. Launch it against a site that isn’t yours and very bad things will happen to you. But for testing your own site’s performance, Bees with Machine Guns is awesome — all you need is an EC2 account and the script.
• Other examples of potential abuse:
– Password and encryption cracking
– Data warehousing of large amounts of data and identities
– DDoS (discussed later)
– Hosting malicious files and phishing pages
– Hiding behind services for data mining
– Breaking CAPTCHAs or other security checks
Top Threats for Cloud Computing v2
Distributed Denial of Service
• Attacks could be launched from different zones, regions, and services to help thwart takedowns
• The attacker could be shut down, but the damage is already done and the IP space is now blacklisted
Another variant is a financial DDoS against an IaaS customer who pays per use; it is much harder to detect and stop.
Future Candidates to Think About
• All things cloudy: mobile / tablets
– Application hacking
– Location-based service hacking
– Eavesdropping
• Social hacking
– Location-based service hijacking
– “Meatspace” attacks
– Hacking the social graph
– Hacking social trust
– Vendor misuse or abuse
Co-operation is the new control
CSA Top Threats Survey
Feedback from the masses
Survey Overview
• Solicited feedback from cloud providers and consumers
• Survey promoted through technical blogs and on CSA website and at RSA CSA Cloud Security Summit
• Received more than 300 responses to the survey
• Survey was open from January to March 2010
Survey Highlights: Demographics
Respondent role (Cloud Response Usage chart):
Cloud Vendor    24.12%
Cloud Consumer  44.84%
Other           31.03%
Organization Breakdown* (chart):
Small Business     22.90%
Medium Enterprise  33.50%
Large Enterprise   21.00%
Government          4.40%
Other              18.20%
* number of employees: Small Business < 100, Medium 100–10,000, Large > 10,000
Top Survey Statistics: Data Leakage
82% of respondents believe that the likelihood of Data Leakage in the cloud is possible, likely, or frequent.
Likelihood of Data Leakage Occurring (chart):
Very Unlikely   6.15%
Unlikely       12.31%
Possible       34.56%
Likely         31.49%
Frequently     15.49%
Top Survey Statistics: Malicious Insiders
76% of respondents believe that the likelihood of Malicious Insiders in the cloud is possible, likely, or frequent.
Likelihood of Malicious Insider (chart):
Very Unlikely   6.11%
Unlikely       19.04%
Possible       44.20%
Likely         25.15%
Frequently      5.50%
Survey Results
Rank  Threat                                        Percentage
1     Data Loss/Leakage                             26.5%
2     Abuse and Nefarious Use of Cloud Computing    19.4%
3     Insecure APIs                                 14.2%
4     Malicious Insiders                            12.9%
5     Account/Service and Traffic Hijacking         12.3%
6     Unknown Risk Profile                           8.4%
7     Shared Technology Vulnerabilities              6.5%
Status
Participation
http://cloudsecurityalliance.org/topthreats_form.html