Archive for August, 2009

Clouds in BlackHat’s conference

Being the other side of the pond I wasn’t able to attend Black Hat, but I have been keeping a keen eye on the posted conference materials and talk recordings being released after the conference’ close. As I’ve recently been researching the latest buzz of Cloud Computing, naturally I was initially drawn to the talks with Cloud computing as a topic.

First up is Kostya Kortchinsky’s Cloudburst: Hacking 3D (and Breaking Out of VMware. This presentation details an exploit vector for breaking out of the guest environment and allowing arbitrary code execution on the underlying host. Kortchinsky clearly knows his stuff, but I’ll admit most of his talk goes well above my head. For reasons touched on below I think this is a virtualisation issue not a Cloud issue, which was likely added to title to cash in on the current buzz, but either way the bottom line is guest escape is rapidly moving from theoretical threat to practical attack vector and something that should be considered when designing any system, network or architecture.

Secondly, the Sensepost team do a great job of explaining security issues new or prevelant to Cloud architecture with Clobbering the Cloud! and include some great (read humorous) images to help illustrate they points. I especially like the idea of building and sharing trojaned/backdoored machine images and waiting for the unsuspecting to take advantage of your generousity 🙂 The videos used within the actual presentation are available direct from the Sensepost site, here.

Taking away the award for longest talk title related to Cloud Computing is: Cloud Computing Models and Vulnerabilities: Raining on the Trendy New Parade. This talk discusses the three components of the cloud ‘stack’; Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (Iaas).

I love the definition used for cloud computing or more accurately the statement that Cloud Computing is NOT:

  • Virtualisation
  • Remote Backup
  • Most of the stuff called cloud computing
  • And: ‘If you’re not re-writing your software, it’s not Cloud Computing’

From my previous research into Cloud Computing I feel that a lot of the security concerns often raised are not new or unique to the Cloud, and that well established and basic best practice will defend against the issues. The speakers of this presentation seem to be of a similar mind, but suggest that the early big players in this market are not necessarily doing all in their power, the example is that something as basic as logging and audit trails aren’t fully available within the current on market solutions.

Likewise depending on Cloud providers contracts and EULA clients of cloud services may not be able to fully control the security testing of ‘their’ environment as some providers forbid ‘malicious’ traffic being targetted at their architecture and platforms, which could limit and/or remove the ability to perform fully comprehensive penetration testing, which depending on location, market and data may be a legal or regulatory requirement.

Whilst not related to the Black Hat conference I read an article from from RackSpace, claiming that the Cloud is going spell the end of shared hosting as we know it. In my view this can only be a PR fluff piece, as anyone that understands hosted services, even those selling Cloud services themselves, agree that regardless of how you rate the benefits of Cloud architecture it is not, and cannot be, a silver bullet to solve all the world’s IT problems, leaving a market for traditional architectures.

If the Cloud is here to stay, so is everything else. Regardless of an individual IT professional’s personal opinion of Cloud computing it must be fully understood and measured on technical merits alongside existing solutions to be able to provide best value and ROI, implementing any solution based on ‘religious’ arguements is not in the best interests of any business.

Andrew Waite

Categories: Uncategorized

Screen Capture and Editing

2009/08/17 Comments off

As part of an upcoming project I’ve been playing with some screen capture and editing software. As I’ve never been one for for the graphical/fluffy side of IT it’s a new area for me, and I was shocked with how simple it can be.

For screen capture I used the free CamStudio application, at first try it seems small, lightweight and most importantly simple and intuitive to use.

Finding decent editing software for free was difficult, @usedtire suggested Cinelerra for Linux. From the site it looks to be an impressive application, but I’ll admit I found no easy way to get this running under Debian/Ubuntu and ended up in dependency hell, so I installed Windows Movie Maker thanks to the links/instructions I found here.

Whilst experimenting with my new found tools I’ve created the somewhat obligitory Metasploit tutorials:

Andrew Waite

Links from my inbox (2009-08-17)

2009/08/17 Comments off

Going through my inbox, today seems to be a good day for sharing links. So I thought I pass some of these on, may be of use to others too.

IronGeek’s Security and Forensic podcasts:

Links to the latest episodes of the podcasts that are regularly listened to by IronGeek, in chronological order. Shouldn’t be too many surprises; PaulDotCom, Exotic Liability, etc. Could be a good way to keep upto date and/or check the content for anything interesting of those podcasts you don’t listen to religiously.

Tools for extracting files from pcaps:

SANS ISC diary has a list and discussion of tools for gathering different files and executables from a PCAP file. Often useful for incident response, forensic or malware analysis work. Looks like a nice compilation of tools to have handy for when the need arises.

40 Tools for your sysadmin bag:

Sunbelt provides a list of 40 tools useful for SysAdmin and security work. Some good tools listed, but as it’s compiled by Sunbelt some of the entries should be taken with a pinch of salt. For instance Sunbelt’s own sandbox is listed as being ‘similar to VirusTotal’, without the more ubiquitous VirusTotal itself making the list.

Andrew Waite

Categories: Uncategorized

BCS Exit Survey

Sorry for the non-security related rant. I recently recieved my renewal reminder for the BCS, I’ve been increasingly disappointed with the ‘advantages’ of being a member. Whilst I don’t like not being a member of a professional body for my craft, I simply cannot justify the cost any longer. I don’t like being negative but my response to a question on the exit survey says it all:

What, if anything, do you feel BCS could be doing to better serve it’s members?

Primarily: Better regional events. Most (all?) events are located in London, making events infeasible for members in other regions of the country. When I joined as a member there were several good events, covering a wide range of topics, held by my local groups. My local branch (Newcastle) has not ran a decent event in excess of 12months and currently do not have ANY events organised for the future (using as a source and point of contact).

Alternative groups in the area (SuperMondays, CloudCamp NE, among others) are free of charge and provide significantly better events, networking opportunites and information than BCS alternatives. Taking the geographical location out of the equation, the quality of discussion on the BCS’s online forums is limited, infrequent and in most cases superfical. It seems most members do not view the forums as a good source for information or discussion.

The last event I attended was finished off with a presentation and Q&A session by Rachael Burnett, at the time president of the BCS. For the head of the organisation Rachael appeared out of touch with the real-world industry, this is a situation that I’ve seen mirrored in the organisation as a whole in my experience.

When starting my career, the information provided by the newsletters, email announcements, etc. from the BCS were valuable. Lately however, the articles have been dated, with me already recieving the information from another source in some cases weeks before the BCS version. As a result the BCS emails now recieve little more than a cursory glance before being deleted.

I’m aware that there is work in progress to provide a local branch of the YPG in my region. Whilst I sincerely hope this is successful I do not have high hopes for it’s success and after several years paying membership with seeing any real benefit this move is too little too late for me.

There is a hugely active and skilled computing profession in the North East of England, but the BCS seems to completely ignore the region and fails (from my experience) to provide any benefit to the region or the region’s members; either that or the BCS is equally out of touch and poorly serving the UK’s IT community as a whole.

Andrew Waite

Categories: Uncategorized

CloudCamp Lightening talks

2009/08/01 Comments off

Last week’s CloudCamp in Newcastle started of with a series of lightning talks, five minutes on a topic of the speakers choice.

Simon @ Amazon

Simon focused on security issues arising from implementing service provision based on Cloud architecture, starting of suggesting that most cloud implementations don’t consider security issues until after the initial implementation. It was also proposed that a lot of the security concerns were physcological, people feel less confidence in the security of their systems if they don’t control the physical hardware, but that sufficient security can be achieved by following best practice at other layers of the system architecture. To assist, Amazon’s cloud provision denies access to all network ports by default.

Gehan Munasighe @ Flexiscale

Gehan discussed provisioning cloud systems in more general terms. Cloud services are not virtualisation, but virtualisation is an integral component to a functional cloud offering. The goal of a cloud provider, and the benefit to a client hosting within the cloud, is that a client should not notice or be aware of any system failure within the cloud.

Stewart Townsend @ Sun

This presentation contained nearly every buzzword related to the Cloud, but trying to prove that the buzzwords aren’t important. The benefits provided by a Cloud environment are low-cost, increased agility and greater efficiency. Stewart claims the the technology required for Cloud systems is simple, the roadblocks to Cloud implementation are often developers and deployers, and in some case out-dated corporate policy.

Matt Deacon @ Microsoft

Cloud computing is required for progressive enterprises. The computing industry is currently an industry in transistion, but this transistion will likely not be realised for another 20 years.

Steve Caughey @ Arjuna

Steve started out by detailing some universal laws of computing. In addition to the well known Moores Law which states that processor power doubles every 18months, the law of storage states that disk capacity doubles every 12 months and Gilder’s law doubles every 6 months. These increases mean that geography and phyical location of resources become less important over time, allowing businesses to take advantage of economies of scale, but this must be tempered by consideration of local legal requirements.

Ross Cooney @  EmailCloud

Ross discussed a use for Cloud services that he calls ‘Boot strap & Transistion’. The theory is that by utilising Cloud services in the short term, start-ups and new services can be instantiated without the initial capital expenditure commonly associated with new IT environments. Once business is stable, and return on investiment can be proven the service can be transistioned back to in house hardware to increase control of the service and to increase potential client base as some businesses currently do not trust the cloud model. Alternatively if the venture proves unsuccessful the stakeholders can walk away with penalty or outstanding debt.

Andrew Waite

Categories: Cloud