Clouds in BlackHat's conference

Being on the other side of the pond I wasn’t able to attend Black Hat, but I have been keeping a keen eye on the conference materials and talk recordings being released after the conference’s close. As I’ve recently been researching the latest buzz of Cloud Computing, naturally I was initially drawn to the talks with Cloud computing as a topic.

First up is Kostya Kortchinsky’s Cloudburst: Hacking 3D (and Breaking Out of) VMware. This presentation details an exploit vector for breaking out of the guest environment and allowing arbitrary code execution on the underlying host. Kortchinsky clearly knows his stuff, but I’ll admit most of his talk goes well above my head. For reasons touched on below I think this is a virtualisation issue rather than a Cloud issue, with ‘Cloud’ likely added to the title to cash in on the current buzz. Either way the bottom line is that guest escape is rapidly moving from theoretical threat to practical attack vector, and is something that should be considered when designing any system, network or architecture.

Secondly, the Sensepost team do a great job of explaining security issues new or prevalent to Cloud architecture with Clobbering the Cloud!, and include some great (read humorous) images to help illustrate their points. I especially like the idea of building and sharing trojaned/backdoored machine images and waiting for the unsuspecting to take advantage of your generosity 🙂 The videos used within the actual presentation are available direct from the Sensepost site, here.

Taking away the award for longest talk title related to Cloud Computing is: Cloud Computing Models and Vulnerabilities: Raining on the Trendy New Parade. This talk discusses the three components of the cloud ‘stack’: Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS).

I love the definition used for cloud computing or more accurately the statement that Cloud Computing is NOT:

  • Virtualisation
  • Remote Backup
  • Most of the stuff called cloud computing
  • And: ‘If you’re not re-writing your software, it’s not Cloud Computing’

From my previous research into Cloud Computing I feel that a lot of the security concerns often raised are not new or unique to the Cloud, and that well established, basic best practice will defend against the issues. The speakers of this presentation seem to be of a similar mind, but suggest that the early big players in this market are not necessarily doing all in their power; the example given is that something as basic as logging and audit trails isn’t fully available within the solutions currently on the market.

Likewise, depending on the Cloud provider’s contracts and EULA, clients of cloud services may not be able to fully control the security testing of ‘their’ environment, as some providers forbid ‘malicious’ traffic being targeted at their architecture and platforms. This could limit or remove the ability to perform fully comprehensive penetration testing, which depending on location, market and data may be a legal or regulatory requirement.

Whilst not related to the Black Hat conference, I read an article on datacentreknowledge.com from RackSpace claiming that the Cloud is going to spell the end of shared hosting as we know it. In my view this can only be a PR fluff piece, as anyone that understands hosted services, even those selling Cloud services themselves, agrees that regardless of how you rate the benefits of Cloud architecture it is not, and cannot be, a silver bullet to solve all the world’s IT problems, leaving a market for traditional architectures.

If the Cloud is here to stay, so is everything else. Regardless of an individual IT professional’s personal opinion of Cloud computing, it must be fully understood and measured on technical merits alongside existing solutions to be able to provide best value and ROI; implementing any solution based on ‘religious’ arguments is not in the best interests of any business.

Andrew Waite

Screen Capture and Editing

As part of an upcoming project I’ve been playing with some screen capture and editing software. As I’ve never been one for the graphical/fluffy side of IT it’s a new area for me, and I was shocked by how simple it can be.
For screen capture I used the free CamStudio application; on first try it seems small, lightweight and, most importantly, simple and intuitive to use.
Finding decent editing software for free was difficult. @usedtire suggested Cinelerra for Linux. From the site it looks to be an impressive application, but I’ll admit I found no easy way to get this running under Debian/Ubuntu and ended up in dependency hell, so I installed Windows Movie Maker thanks to the links/instructions I found here.
Whilst experimenting with my new-found tools I’ve created the somewhat obligatory Metasploit tutorials:

Andrew Waite

Links from my inbox (2009-08-17)

Going through my inbox, today seems to be a good day for sharing links. So I thought I’d pass some of these on, as they may be of use to others too.

IronGeek’s Security and Forensic podcasts:

Links to the latest episodes of the podcasts that are regularly listened to by IronGeek, in chronological order. Shouldn’t be too many surprises; PaulDotCom, Exotic Liability, etc. Could be a good way to keep up to date and/or check the content of those podcasts you don’t listen to religiously for anything interesting.

Tools for extracting files from pcaps:

The SANS ISC diary has a list and discussion of tools for gathering different files and executables from a PCAP file. Often useful for incident response, forensics or malware analysis work. Looks like a nice compilation of tools to have handy for when the need arises.

40 Tools for your sysadmin bag:

Sunbelt provides a list of 40 tools useful for SysAdmin and security work. Some good tools listed, but as it’s compiled by Sunbelt some of the entries should be taken with a pinch of salt. For instance Sunbelt’s own sandbox is listed as being ‘similar to VirusTotal’, without the more ubiquitous VirusTotal itself making the list.

Andrew Waite

BCS Exit Survey

Sorry for the non-security related rant. I recently received my renewal reminder for the BCS, and I’ve been increasingly disappointed with the ‘advantages’ of being a member. Whilst I don’t like not being a member of a professional body for my craft, I simply cannot justify the cost any longer. I don’t like being negative but my response to a question on the exit survey says it all:

What, if anything, do you feel BCS could be doing to better serve its members?

Primarily: Better regional events. Most (all?) events are located in London, making events infeasible for members in other regions of the country. When I joined as a member there were several good events, covering a wide range of topics, held by my local groups. My local branch (Newcastle) has not run a decent event in excess of 12 months and currently does not have ANY events organised for the future (using newcastle.bcs.org as a source and point of contact).
Alternative groups in the area (SuperMondays, CloudCamp NE, among others) are free of charge and provide significantly better events, networking opportunities and information than BCS alternatives. Taking the geographical location out of the equation, the quality of discussion on the BCS’s online forums is limited, infrequent and in most cases superficial. It seems most members do not view the forums as a good source for information or discussion.
The last event I attended was finished off with a presentation and Q&A session by Rachael Burnett, at the time president of the BCS. For the head of the organisation Rachael appeared out of touch with the real-world industry; this is a situation that I’ve seen mirrored in the organisation as a whole in my experience.
When starting my career, the information provided by the newsletters, email announcements, etc. from the BCS was valuable. Lately however, the articles have been dated, with me already receiving the information from another source in some cases weeks before the BCS version. As a result the BCS emails now receive little more than a cursory glance before being deleted.
I’m aware that there is work in progress to provide a local branch of the YPG in my region. Whilst I sincerely hope this is successful I do not have high hopes for its success, and after several years paying membership without seeing any real benefit this move is too little too late for me.
There is a hugely active and skilled computing profession in the North East of England, but the BCS seems to completely ignore the region and fails (from my experience) to provide any benefit to the region or the region’s members; either that or the BCS is equally out of touch and poorly serving the UK’s IT community as a whole.
Andrew Waite

CloudCamp Lightening talks

Last week’s CloudCamp in Newcastle started off with a series of lightning talks, five minutes on a topic of the speaker’s choice.
Simon @ Amazon
Simon focused on security issues arising from implementing service provision based on Cloud architecture, starting off by suggesting that most cloud implementations don’t consider security issues until after the initial implementation. It was also proposed that a lot of the security concerns were psychological: people feel less confident in the security of their systems if they don’t control the physical hardware, but sufficient security can be achieved by following best practice at other layers of the system architecture. To assist, Amazon’s cloud provision denies access to all network ports by default.
Gehan Munasighe @ Flexiscale
Gehan discussed provisioning cloud systems in more general terms. Cloud services are not virtualisation, but virtualisation is an integral component of a functional cloud offering. The goal of a cloud provider, and the benefit to a client hosting within the cloud, is that a client should not notice or be aware of any system failure within the cloud.
Stewart Townsend @ Sun
This presentation contained nearly every buzzword related to the Cloud, whilst trying to prove that the buzzwords aren’t important. The benefits provided by a Cloud environment are low cost, increased agility and greater efficiency. Stewart claims the technology required for Cloud systems is simple; the roadblocks to Cloud implementation are often developers and deployers, and in some cases out-dated corporate policy.
Matt Deacon @ Microsoft
Cloud computing is required for progressive enterprises. The computing industry is currently an industry in transition, but this transition will likely not be realised for another 20 years.
Steve Caughey @ Arjuna
Steve started out by detailing some universal laws of computing. In addition to the well known Moore’s Law, which states that processor power doubles every 18 months, the law of storage states that disk capacity doubles every 12 months and Gilder’s law states that bandwidth doubles every 6 months. These increases mean that the geography and physical location of resources become less important over time, allowing businesses to take advantage of economies of scale, but this must be tempered by consideration of local legal requirements.
Ross Cooney @ EmailCloud
Ross discussed a use for Cloud services that he calls ‘Boot strap & Transition’. The theory is that by utilising Cloud services in the short term, start-ups and new services can be instantiated without the initial capital expenditure commonly associated with new IT environments. Once the business is stable, and return on investment can be proven, the service can be transitioned back to in-house hardware to increase control of the service and to increase the potential client base, as some businesses currently do not trust the cloud model. Alternatively, if the venture proves unsuccessful the stakeholders can walk away without penalty or outstanding debt.
Andrew Waite


BlackHat 2009 resources on-line

For those of us that are unable to attend BlackHat in person, the talk resources are now available online. Currently the video/recordings of the talks themselves aren’t uploaded but there are slideshows, whitepapers etc. available for each talk.
It’s a long list of good looking information, to the point that I’m still struggling to decide what to look through first, and unlike looking through the line-ups of previous years there is very little that doesn’t spark my interest.
Get your fill of BlackHat material here
Andrew Waite

CloudCamp sound bites

Same story as my previous post on the event; I’m still trying to fully digest all of the information and ideas presented. Whilst I research further I thought I’d share some of the comments and soundbites (mostly paraphrased) I took note of during the event, which are currently bouncing around my head.
(If any of the speakers feel these are mis-quoted or out of context, please let me know)
Reading back through my notes, I find it interesting that most of these could relate equally well to any form of IT-based service, feeding back into my original feeling that cloud computing isn’t especially new but is simply the evolution of other shared IT frameworks (main-frames, multi-user systems, etc.). Which brings me nicely to my first quote:

The ideas and technologies behind cloud computing aren’t new; it is the billing model that is innovative and creating opportunities.

Use multiple cloud providers to ensure tolerance to failure

Balance the cost of a failure against the cost of mitigating the risk

Run a business/service expecting failures to happen, and plan accordingly

Contractual SLAs are not insurance against failure

Security issues related to Cloud computing aren’t new or worse than security issues within traditional architectures, they’re just more visible

Traditional systems don’t scale well within a cloud architecture

Today’s architecture and system components will evolve to be more efficient within a cloud based environment

The cost of failure is often the biggest cost of IT systems

Traditional licensing models for OS and applications need to evolve to match the requirements of cloud based services

And finally, which was said with a wry smile:

Cloud computing is good news for consultants

Andrew Waite

Initial thoughts from CloudCamp

Tonight was the second CloudCamp event in the North East of England, and my first serious look at cloud computing. I really enjoyed the event and believe I received excellent value from attendance, so thanks to all those who helped run the event, presented and discussed aspects of the field with me during the breakout sessions.
My head is still spinning with new ideas and understanding as a result of the event, so I’ll try to keep this brief and let it act as a semi-disclaimer for future postings regarding cloud computing.
Before the event my understanding of cloud computing was very cursory and I was very dubious of both its implementation and actual value to an organisation. As such I attended the event in an effort to gain a greater insight into this new buzz word in service provisioning, either to join the bandwagon and take advantage of the Cloud’s potential, or to be able to better argue against adoption with a more reasoned argument than ‘I don’t like it’.
For this goal the event was perfect for my needs, as I now have a better understanding of what Cloud computing is (and isn’t) and have been able to answer some of my fundamental questions.
Short and sweet was the intention of this post, so I’ll finish with a quote (paraphrased) from the event which has in some ways changed my outlook on Cloud computing, and more specifically the ability to secure a Cloud:

Security issues related to Cloud computing aren’t new or worse than security issues within traditional architectures, they’re just more visible.

Andrew Waite

July SuperMondays Review

This month’s SuperMondays started off with the usual round of pre-event geek talk and networking. As a result I now definitely want to get myself down to Bletchley Park, and I’m somewhat gutted that I wasn’t aware of the Big Geek Day Out before it happened; sounds like those involved had a blast.
The event proper started off with an announcement from Mike at Orange Bus stating that they are currently hiring. If graphical work and web design is your thing give them a look.
The presentation proper was provided by John Colqulon. John introduced his project with Newcastle University aiming to provide aid to GPs and other medical practitioners in determining a patient’s risk of cardiovascular problems. There are other applications that provide this level of support available, but this project goes one step further by visualising the impact a mitigation and/or lifestyle change could have on that patient’s risk, using several underlying research models (whose names I can’t remember, sorry).
I’ll admit that this wasn’t exactly my favourite of topics, but both John’s presentation and the debate raised in the questions section provided a good insight into the many different aspects that need to be considered to complete a complex IT system, from interface design to data protection issues. Although I personally struggle to understand the importance of using smiley faces to represent discrete mathematical figures, that’s just not my field of expertise…
The second part to this month’s event was a first in SuperMondays history: no presentation, just a group-wide discussion of a selected topic, in this case encryption and ‘sharding’. Despite most people’s initial reading, that isn’t a typo: sharding with a ‘d’. The concept is to break up meaningful files into smaller component parts (each encrypted if the information warrants it) and scatter the shards across multiple locations. The theory is that if one location or server is compromised, the data it holds is useless without the other shards, or the blueprint information to rebuild the original file.
It certainly generated a lively discussion, with various weaknesses, trade-offs and mitigations being proposed and countered by differing group members. The wide array of fields of expertise among the attendees was evident, as different issues and factors were introduced from angles I had never considered. I enjoyed the format of the discussion and thought it worked well, although how well it would be received if the topic was outside your zone of interest and/or speciality I’m not sure. To counteract this it was proposed that it may be beneficial to move to a bar-camp type structure for similar setups to allow for multiple topics of discussion, allowing attendees to get involved in the topic that most interests them.
Rounding off the event was the announcement that Gavurin are also hiring (what credit crunch?); again, if this is within your field and you are looking for a new challenge give them a look.
As usual, the event ended in the local pub for more highly geeky conversation over a drink. This time round I ended up in some interesting discussions on the legalities of accessing or operating an insecure wireless access point, support contracts for companies with (seriously) legacy systems and everyone’s ‘love’ of telco providers.
As I usually state, if you’re in the area and industry, and haven’t been to a SuperMondays gathering: Why Not? It’s looking like this may get easier to attend; as SuperMondays is growing there are developments afoot to create an official not-for-profit organisation to take the group forward and to widen the location of events to across the North East, rather than just Newcastle itself.
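To make the sharding idea concrete, here is an added example (my own illustration, not code from the SuperMondays discussion or anyone at the event). A plain split leaks whatever text falls into each chunk, which is the weakness that drove the ‘encrypt each shard’ caveat; the `shard` function instead makes every shard a random block, with the last shard the XOR of the file against all the others, so that fewer than all n shards reveal nothing and a manifest (the ‘blueprint’) records the count, length and per-shard digests needed to rebuild. All function and field names are this example’s own.

```python
# Added example: n-of-n file sharding where no single location is useful.
# Names below are the example's own, not from the event or the original post.
import hashlib
import os


def naive_split(data: bytes, n: int) -> list:
    """The weak version: contiguous chunks, each readable on its own."""
    size = max(1, -(-len(data) // n))  # ceiling division
    return [data[i:i + size] for i in range(0, len(data), size)]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def shard(data: bytes, n: int):
    """Split data into n shards; every one of them is needed to rebuild."""
    if n < 2:
        raise ValueError("need at least two shards")
    # n-1 shards are pure randomness from the OS CSPRNG ...
    shards = [os.urandom(len(data)) for _ in range(n - 1)]
    # ... and the last one is the data XORed with all of them.
    last = data
    for s in shards:
        last = _xor(last, s)
    shards.append(last)
    # The 'blueprint': how many shards, how long the file is, and a digest
    # of each shard so a tampered or swapped shard is caught before use.
    manifest = {
        "count": n,
        "length": len(data),
        "digests": sorted(hashlib.sha256(s).hexdigest() for s in shards),
    }
    return shards, manifest


def rebuild(shards, manifest) -> bytes:
    """XOR the shards back together after checking them against the blueprint."""
    if len(shards) != manifest["count"]:
        raise ValueError("shards missing: nothing can be recovered")
    digests = sorted(hashlib.sha256(s).hexdigest() for s in shards)
    if digests != manifest["digests"]:
        raise ValueError("a shard failed its integrity check")
    out = bytes(manifest["length"])  # all zeros; XOR order is irrelevant
    for s in shards:
        out = _xor(out, s)
    return out
```

Note the trade-off the discussion raised: the blueprint and the random shards must all survive, so availability now depends on every location, not just one.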
See you all at the next event,
Andrew Waite
P.S. thanks to David Coxon who beat me to a review of the event, and made it easier to find some of the links I wanted.

War-walking case

I’ve just completed work on a project I’ve had in mind for a while now, a warwalking case. As you can probably guess it involves fitting a war-drive rig (car excluded) inside a carryable case.
As I had one going spare I started off with a fairly standard CD carry case:

Case before modification - closed

A bit of fun with a hacksaw and foam later and there’s an alcove for my external Alfa wireless card:
War Drive case with Alfa card

The grooves cut into the central partition create a secure compartment for my Acer AA1, both in transit and whilst running (not sure about cooling ventilation yet, still a work in progress):
War Drive case with AA1 running Kismet

Finally, a groove in the edge of the case allows external access for the omni antenna and GPS receiver. Complete kit below:
Complete War Walk rig

Now it’s complete I’m not sure whether this kit will actually get used though. It looks a bit suspicious and is now commonly referred to as ‘the bomb’. Not sure I’m looking forward to explaining to an armed response unit that I’ve got nothing more dangerous in the case than an up to date Metasploit install.
Andrew Waite