[Full-disclosure] Cloud Questions
I’ve been lurking here for some months now and have seen plenty of vulnerabilities go by for applications, and the occasional OS level exploit. I don’t think I’ve seen a single post about cloud security. Is ‘the cloud’, AWS in particular, believed to be secure? Is it simply not targeted? Or would it be covered by some other list? Inquiring minds are, uh, inquiring. TIA, — David ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Cloud Questions
On Fri, Nov 8, 2013 at 9:08 AM, David Miller dmil...@metheus.org wrote: ... I don’t think I’ve seen a single post about cloud security. Is ‘the cloud’, AWS in particular, believed to be secure? Is it simply not targeted? Stallman has a term for it: Careless Computing. http://techcrunch.com/2010/12/14/stallman-cloud-computing-careless-computing/. Or would it be covered by some other list? Inquiring minds are, uh, inquiring. The only list I've seen so far is OpenStack's security list. http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security. From what I've seen, cloud security seems to have three broad tracks (in addition to all the secure coding and HTML app stuff). First is low-level security that acts on block devices, like Amazon's CloudHSM and other who focus on VM security. Second is high level security that attempts to secure databases (table fields) and object stores (Amazon S3 and OpenStack Swift), like CipherClod and Armor-Cloud. And third is identity management, like the federated and single sign-on integrations. Jeff ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Cloud Questions
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Hello, I will split my answer in two parts, as they represent both views I regularly experience. They aren't all related to security. The first problem is TCO. Cloud services are easy to set up (both as a vendor and as a user), and have little to no hard start-up costs. (costs that initially are billed as startup costs, before the service payments start). This results in decisions which aren't really thinked throughly about in a lot of cases, resulting in poor setups both by the vendor and by the end-user/customer. Being able to ship fast also means that you can make mistakes fast - several providers have been caught in the past while I was using them on blatant mistakes. Another problem is that you trust a service to a third party provider, which has full access to the data. I know, there are ways to prevent this/make this difficult, but in the end it will not be feasible on the long term to employ such techniques. Targeted attacks will always succeed, but are easier on cloud services to my opinion. Support services are useful sources for social engineering (check some of the last cases of DNS hijacking), since they are used to handle requests for all customers, and not only internal employees. The other problem is that you share a physical computer with someone you don't know and cannot trust. Information leakage techniques have been discovered [1] and it wouldn't be the first time that someone finds a clever way to break out of the VM. [2] It is also more feasible to DoS your application if the physical hardware is shared with others if they aren't trustworthy. Most providers monitor extensive resource usage, but try a cheap one, put a VM on full RAM capacity, disk I/O requests and CPU usage and see how long it takes to get a notice to ask you to inspect the machine. There is also a huge thing to tell about stuff which used to be conspiracy theories about surveillance, but this is out of scope for this response to avoid indulging trolling. To my opinion cloud services are good for a temporarily burst of CPU resources, not to store data, and not to be used permanently nor as a SPOF. I sometimes use cloud services to launch a build of a large source tree, and then dispose the machine, but I would never put ownCloud on it to store PGP private keys without a password or my credit card numbers and bank PINs. ~/y [1] http://www.cs.cornell.edu/courses/cs6460/2011sp/papers/cloudsec-ccs09.pdf [2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0923 On 08/11/13 15:08, David Miller wrote: I’ve been lurking here for some months now and have seen plenty of vulnerabilities go by for applications, and the occasional OS level exploit. I don’t think I’ve seen a single post about cloud security. Is ‘the cloud’, AWS in particular, believed to be secure? Is it simply not targeted? Or would it be covered by some other list? Inquiring minds are, uh, inquiring. TIA, — David ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ -BEGIN PGP SIGNATURE- Version: GnuPG/MacGPG2 v2.0.20 (Darwin) Comment: GPGTools - https://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQEcBAEBCgAGBQJSfku5AAoJEElyT3Tqk/Mc21sIAK2gyHpoWd/ggCSNiPgQ+9jW ACjqaJ7NEgGAmxYj+2yphWRHK507As2VjL5CwbyvX26XHE/PkmF2cY+6Np30ar6O FTv3BR+F5kmR/0JNvJWGogr1H1SJb9pcL03biQr8X8pNsLstKbPQ8s2IzMtHWkOF y9HVdeMriaAaCz3wWSS4K4TV+2ePgAm0tAsACHfXqt9OnoY8oplUUpjv52qfv/ZC dplZCtC8yv3M1eehDmjhJgYtcc7oQJnhy2TwWpOtMmDNCAlJ+xUqAP8Sb9FboPDI Dx+PmiF5ed9hopPWi8gpGoIFadwpy/4NDK0ztFB12uG36vYbS+5vIgQTR5KjzJE= =P4pu -END PGP SIGNATURE- ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Cloud Questions
On 11/09/2013 at 7:32 AM, David Miller wrote:I’ve been lurking here for some months now and have seen plenty of vulnerabilities go by for applications, and the occasional OS level exploit. I don’t think I’ve seen a single post about cloud security. Is ‘the cloud’, AWS in particular, believed to be secure? Is it simply not targeted? Or would it be covered by some other list? Inquiring minds are, uh, inquiring. TIA, — David There is no such thing as cloud security (to me at least). Companies may transfer/store encrypted, but if the NSA/law enforcement ask for it, they give it up. That's not secure to me..that's moredata held hostage (iCloud anyone?). ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Cloud Questions
The first problem is TCO. Cloud services are easy to set up (both as a vendor and as a user), and have little to no hard start-up costs. (costs that initially are billed as startup costs, before the service payments start). Also see http://www.gossamer-threads.com/lists/openstack/dev/32772, where some are considering charging you for the I/O to securely delete a VM! Jeff On Sat, Nov 9, 2013 at 9:50 AM, Yvan Janssens i...@yvanj.me wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Hello, I will split my answer in two parts, as they represent both views I regularly experience. They aren't all related to security. The first problem is TCO. Cloud services are easy to set up (both as a vendor and as a user), and have little to no hard start-up costs. (costs that initially are billed as startup costs, before the service payments start). This results in decisions which aren't really thinked throughly about in a lot of cases, resulting in poor setups both by the vendor and by the end-user/customer. Being able to ship fast also means that you can make mistakes fast - several providers have been caught in the past while I was using them on blatant mistakes. Another problem is that you trust a service to a third party provider, which has full access to the data. I know, there are ways to prevent this/make this difficult, but in the end it will not be feasible on the long term to employ such techniques. Targeted attacks will always succeed, but are easier on cloud services to my opinion. Support services are useful sources for social engineering (check some of the last cases of DNS hijacking), since they are used to handle requests for all customers, and not only internal employees. The other problem is that you share a physical computer with someone you don't know and cannot trust. Information leakage techniques have been discovered [1] and it wouldn't be the first time that someone finds a clever way to break out of the VM. [2] It is also more feasible to DoS your application if the physical hardware is shared with others if they aren't trustworthy. Most providers monitor extensive resource usage, but try a cheap one, put a VM on full RAM capacity, disk I/O requests and CPU usage and see how long it takes to get a notice to ask you to inspect the machine. There is also a huge thing to tell about stuff which used to be conspiracy theories about surveillance, but this is out of scope for this response to avoid indulging trolling. To my opinion cloud services are good for a temporarily burst of CPU resources, not to store data, and not to be used permanently nor as a SPOF. I sometimes use cloud services to launch a build of a large source tree, and then dispose the machine, but I would never put ownCloud on it to store PGP private keys without a password or my credit card numbers and bank PINs. ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Cloud Questions
On Sat, Nov 9, 2013 at 9:51 AM, silence_is_b...@hushmail.com wrote: On 11/09/2013 at 7:32 AM, David Miller dmil...@metheus.org wrote: I’ve been lurking here for some months now and have seen plenty of vulnerabilities go by for applications, and the occasional OS level exploit. I don’t think I’ve seen a single post about cloud security. Is ‘the cloud’, AWS in particular, believed to be secure? Is it simply not targeted? Or would it be covered by some other list? Inquiring minds are, uh, inquiring. TIA, — David There is no such thing as cloud security (to me at least). Companies may transfer/store encrypted, but if the NSA/law enforcement ask for it, they give it up. That's not secure to me..that's moredata held hostage (iCloud anyone?). I think you are right in that good bad guys (law enforcement) bad bad guys (cyber-criminals) attack the node. In this case, the node is the cloud provider. But it also depends on what the data is. I have no faith in CloudHSM, HighCloud or other low level machinery. That's the unattended key storage problem, and its a problem without a solution. Plus, the data becomes available as soon as the VM is powered on. Objects in storage (Amazon S3 or OpenStack Swift) can be encrypted using standard crypto methods with minimal risk. The encryption function will act like a PRP, and the cipher text will be indistinguishable from random. Minimal risk would include leaking the origin (LE probably has that through the account) and leaking file size (unless specific measures are taken). If the owner of the document wants anonymity, they should probably use a Tor hidden service. Other higher level services, like SaaS and DaaS, probably won't fair so well. Those tokenization schemes used for database field encryption by CipherCloud do not live up to expectations. It probably wanders near false/misleading and fraud, and the FTC should investigate some of their claims (unless CipherCloud have a homomorphic encryption system that no one knows about). As a matter of fact, when an informal security analysis was performed and posted to StackExchange, CipherCloud issued a DRM takedown! https://www.google.com/search?q=ciphercloud+drm+takedown. Jeff ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
