Security Concerns Cloud “Cloud Computing”

Dark security clouds are gathering above what has been termed “cloud computing”– the resourceful Software as a Service (SaaS) model that provides applications, memory space and other services to companies who need them. The introduction of cloud computing saw rave reviews for this storage and administration model, with pundits calling it the next paradigm shift in the world of computing. The silver lining that shone so bright a year or so ago has now dimmed to invisible levels, and people are wising up to the security issues that go hand in hand with cloud computing.

Protecting your information on your own systems is a task that’s hard to manage even with the best of resources, and so, it makes sense to turn to the big guns like IBM, Google, Amazon, Dell and others when you’re a fledgling in the security department. You believe that they have the wherewithal to provide adequate protection for your data and applications. But the attack on Amazon’s cloud servers sometime during the middle of 2008 has turned the tide, and security has become a huge concern again.

Research firm Gartner lists these factors among the top security concerns in cloud computing –

  • user access to data and information
  • compliance with regulations
  • location of the data
  • the encryption used at every level
  • recovery measures in the event of a security breach
  • investigative support
  • long-term viability of the agreement between the provider and the user.

The biggest security concern with cloud computing is the issue of trust:
  1. How do you know for certain that the key people who manage your data and applications on the cloud are completely trustworthy?
  2. Who else besides you has access to sensitive information?

If an MP3 player bought at a thrift store for a mere $9 is found to hold secret military information, it means that the Pentagon’s security system itself is a serious cause for concern. If a question mark hangs over something as important as national security, how safe is the information belonging to the rest of us?

Another issue that looms large when we consider cloud computing is the fact that we’re putting all our eggs in one basket. Hackers know that if they’re able to render one cloud vulnerable, they can have a field day – they can bring down a host of sites and steal a ton of information. It’s like bringing down an entire world with just one humongous weapon.

Besides this, there’s also the fact that data storage is not standardized – each provider of cloud computing services has its own formats and standards, and this makes it more difficult to switch to a different host when you feel that your current provider has been compromised.

These are the early days of cloud computing, and I’m sure many more security concerns will emerge out of the woodwork as the days go by and hackers try new tricks to gain entry into these networks. The only silver lining in these dark clouds is that there is always some brainstorming going on as to how to keep one step ahead of the bad guys and protect sensitive data and applications.

Contributed by guest blogger - Holly McCarthy, who writes on the subject of Criminal Justice careers. She invites your feedback at hollymccarthy12 at gmail dot com

ShortInfosec thanks for the contribution.

Talkback and comments are most welcome

Related posts
Cloud Computing - Premature murder of the datacenter

Whisperbot analysis - Revisited

I got a response from Matt at Whisperbot regarding my post Whisperbot - No thanks, I'll use e-mail.
You can read the reply here, it's the third reply on the post

Regarding the previous post, I would like to clarify that I have no interest to attack the Whisperbot service, and I hope that their team will use my analysis to improve on the service.

Here is a deeper analysis of my points with references from the Whisperbot reply


1. Message transport in cleartext
Actually, there is an https secure version at https://www.whisperbot.com
  • Although there is a https site, the default service is on a cleartext http site. And most users will always use the default service without even bothering to look for the https variant. Whisperbot is offering confidentiality, so a default encrypted channel is a must.

2. Message is stored on Whisperbot servers with unspecified and not very reliable security measures
Yes, its in a database, of course. But, I rebut that its not secure - I'll happily share with you the database content and I'll let you see if you can decrypt it. Everything - from message to email address is encrypted - and we're not talking md5 here ;-)
  • First, MD5 is a hashing, not an encryption algorithm. And since it's nearly non-reversible for long messages (the rainbow tables will be enormous) you can't use it. The whisperbot service obviously uses reversible encryption, and I have no intention on disputing the strength of the encryption (although they won't publish the algorithm). What I am disputing is the fact that the whisperbot servers also hold the encryption/decryption keys, since the servers present the message in cleartext to the recipient. So, the first risk are disgruntled administrators who can leak or steal the key database. Also, as an attacker, I would direct my efforts at tapping/stealing the key database. Just publishing the key database without any actual stolen message will be annihilating to the whisperbot service, since it is based on trust of the users.

3. Security is based on obscurity
There is an option to use a passphrase - so, even if someone else gets the link, they can't read the message without the passphrase.
  • I stand corrected as long as Whisperbot MANDATES a passphrase on every message. As long as the service maintains the current solution, it's still just using security by obscurity.

4. Message retention cannot be controlled
Agreed with the need for a delete button of sorts - right now, we just trim the message after it's been read and stored for a period of time.
  • Instead of a delete button, i would suggest an automatic erase after the presentation of the message - this will reduce the database capacity requirement but will increase the I/O load on the database. Whisperbot will probably be going with the 'pruning' option first at times when the servers are at minimum load. While this option is good for the servers, it's not as secure as an auto-destruct method.

Talkback and comments are most welcome

Related posts
Whisperbot - No thanks, I'll use e-mail.

Whisperbot - No thanks, I'll use e-mail

Whisperbot is a new free service that claims it delivers confidential messages to your friends without e-mail.
According to their own site, they say: Stop using e-mail for your confidential messages!

While this is a nice slogan to have on a site, we say, stick to e-mail and add encryption.
Here is why Whisperbot should be avoided for any confidential messages:

  1. Message transport in cleartext - the submitter and the reader are accessing the 'confidential' messages via HTTP protocol by default - thus any typed and read content is open to sniffing and archiving via proxies
  2. Message is stored on Whisperbot servers with unspecified and not very reliable security measures - supposedly, Whisperbot stores the messages in encrypted format. This cannot be confirmed, but even if it can, since the message is presented to the recipient in the original form, the message is stored in reversible encryption. Thus, the security of the message is the same as a safe full of money with the key left in the lock.
  3. Security is based on obscurity - the main point of the security measures of Whisperbot is that the path to the message is unique and not known to anyone except the recipient. But the path to the message is sent to the recipient via cleartext e-mail, which can be captured and read at any number of places on the path of the e-mail message.
  4. Message retention cannot be controlled - the message is kept on the Whisperbot servers for an undisclosed amount of time, thus opening it up to the possibility of a later access by someone else.
With the above deficiencies in full swing, i would trust Whisperbot with confidential messages as much as i would a IRC chat room.

Instead, for confidential messages you should rely on e-mail, with the added security of GNU Privacy Guard (GPG)

Talkback and comments are most welcome

Related posts
3 Controls to Secure Corporate Off Computers
Example - SMTP message spoofing
No Privacy - Saw You Cheating on Image Search
Creating secure CD/DVD media for transport usingTruecrypt

Paying for Software Support - When to do it?

For a long while, the MySQL Database Server is the choice of start up developers. Since it can be used under the GPL model, it seems free to use it. But is there a point where one would pay for MySQL.

Here is an analysis of the conditions under which it would be wise to invest in software support, through the example of MySQL
.

The popularity of MySql is mainly due to it's seamless use with web applications, which is closely tied to the popularity of PHP, which is often combined with MySQL. Also, it is quite often deemed a cheap solution since it can be freely downloaded and installed, since it can be used under the GNU General Public License (GPL) license.

So do you need to pay anything with MySQL? While the first answer is no, since you can use it under the GPL license, any serious user will soon have a wealth of information stored in a MySQL Database.

Here is an analysis based purely on costs of licenses vs value of information


A common misconception based on simple logic is that the point in which the value of the stored information is higher then the value of the MySQL server, it makes a sense to invest in support and services for MySQL.

However the following diagram presents the flaw in the previous logic:


  1. Up until the time the value of stored information reaches the cost of licensing, the company was generating revenue, but with risk to the data.
  2. Should the company decide to license the server software at the time the value of stored data matches the costs, it will cease to be profitable. Even if the growth of the company continues as planned, it will take time to reach the level of profitability it had prior to licensing.
  3. As the value of stored information continues to grow, it reaches a point where the the costs of licensing become stable over time. This is a good point to invest in licensing and services, since the licensing costs can be factored into the price of the information as a fixed item and will not increase the price of information significantly
Of course, this is not the only approach. The diagram may be quite different if the licensing increases the value of the stored information (For example, adding some enterprise features of availability or integrity)

Such changes will merit licensing at a much earlier point in time.

Talkback and comments are most welcome

Related posts
Software vendor relationship - can you make it better?
High Availability - Clusters have Issues
Know the Difference - Backup vs. Archive
Strategic Choice - Proper Selection of Web Hosting

SANS Announced Top 25 Programming Errors

Today in Washington, DC, experts from more than 30 US and international cyber security organizations jointly released the consensus list of the 25 most dangerous programming errors that lead to security bugs and that enable cyber espionage and cyber crime.

The errors are categorized into 3 general categories

  • Insecure Interaction Between Components (9 errors)
  • Risky Resource Management (9 errors)
  • Porous Defenses (7 errors)
There are very interesting examples, like Race Conditions, some very well known but overlooked like Download of Code Without Integrity Check and some that were already discussed on Shortinfosec, like .

SANS also includes recommendation for risk mitigation for each error.
The full list of errors is published here


Talkback and comments are most welcome

Scalpel - File Carving from Partially Wiped Evidence Disk

On the previous article on proper information disposal, a visitor suggested that Darik's Boot and Nuke (DBAN) can be used for emergency evidence destruction. While it is quite correct, DBAN takes time to finish. So, what evidence can be recovered from a disk on which someone interrupted the DBAN process?

Example Scenario
We created a simulation of an interrupted information destruction. Here is the scenario:
An employee has been collecting illegal material on his corporate computer.

  • The employee is accidentally notified that internal audit investigators will review his computer in several minutes
  • The employee boots to a Darik's Boot and Nuke to destroy the disk contents
  • The investigators intercepts and disconnect the power to the computer before DBAN finishes

Analysis
Since DBAN will overwrite information, it can be assumed that the File Allocation Tables are destroyed, as well as some of the data.
  1. The investigator creates a DD image of the disk drive, as presented in the Tutorial - Computer Forensics Evidence Collection
  2. The DD image is loaded into the Helix investigator computer
  3. All strings are extracted from the image using the 'strings' command - this activity creates a huge file that needs to be analyzed manually
  4. All possible files are extracted using the 'scalpel' file carving tool - this is an automated tool which can search for a lot of known file types and tries to extract them by matching the beginning and end of the file
  5. The carved files and strings are analyzed one by one. Most of the carved files are useless, since there is fragmentation on every drive so part of the files are lost, or the carving tool cannot match the other parts of the file.




Conclusions
  • While evidence recovery from a partially wiped drive is possible, it is both difficult and time consuming to achieve. At any rate, no investigator can guarantee successful results.
  • Also, it must be noted that after the first pass of the DBAN write, a very large percentage of information is already destroyed, so one has to be very lucky to walk in on the person while he/she is wiping the hard drive and interrupt the process on time.

Talkback and comments are most welcome

Related posts
New Helix3 Forensic CD - Welcome
Competition - Computer Forensic Investigation
Tutorial - Computer Forensics Evidence Collection
Tutorial - Computer Forensics Process for Beginners

Information Disposal Procedure

Your organization bought computers, used them and now it's time to discard them. Most old hardware is donated to schools or is simply auctioned off. However, all that data contains a lot of confidential information, and it is essential that such data is properly erased so it cannot be recovered.

Any organization should have a simple and brief procedure that will treat information carriers of systems that are to be discarded. Here is a brief summary of the Information disposal procedure elements.

1. Functional systems that are to be donated
These are realistically functional computers, from which data should be properly erased.

  1. Empty all CD-ROM drives - you'll be surprised how many CD's are forgotten in discarded systems
  2. Use Darik's Boot and Nuke to destroy the information on the system.
  3. For medium security systems (standard employee system with limited access to information) use the DoD short method - 3 passes
  4. For high security systems (systems used by managers, auditors and similar which have access to significant amounts of information) use the Gutmann method - minimum of 25 passes

2. Non-functional systems whose hard drive is functional
While such systems are not directly useable, the users can attach the disks to other computers and attempt information recovery.
  1. Empty all CD-ROM drives - you'll be surprised how many CD's are forgotten in discarded systems
  2. Attach the disk drive from the discarded system to another system
  3. Use Darik's Boot and Nuke to destroy the information on the attached disk.
  4. For medium security systems (standard employee system with limited access to information) use the DoD short method - 3 passes
  5. For high security systems (systems used by managers, auditors and similar which have access to significant amounts of information) use the Gutmann method - minimum of 25 passes

3. Non-functional systems whose hard drive is not functional
In case of non-functioning drives, it shouldn't be assumed that all data on it is lost. A lot of disk drives can be revived with a replaced logic board, and there are companies which perform data recovery by direct magnetic analysis of the disk plates
  1. Empty all CD-ROM drives - you'll be surprised how many CD's are forgotten in discarded systems
  2. Remove the disk drive from the system
  3. Use a degausser to physically destroy any possible information on the disk - this will in effect also destroy the disk geometry rendering the disk unuseable
  4. In case a degausser in not available, dismantle the magnetic plates of the disk, and use a large hammer on them


Talkback and comments are most welcome

Related posts
6 steps to securing your backup media
Be Aware of Security Risks of USB Flash Drives
Tutorial - A Poor Man's Secure USB

Custom Encryption - No Thank You!

A lot of companies think that they can make the full solution from scratch, including all technical mechanisms for security and encryption - including the hardware and the encryption algorithms and implement them in their solutions.

While the company strategists can have a field day of developing their own special market differentiation product, the enterprise customer should tread very lightly when evaluating solutions with custom encryption

The sales pitch
Naturally, when a salesperson gives his "latest and greatest solution" pitch, he'll be sure to include the possible benefits of having a custom encryption solution

  1. It's much stronger encryption then any on the open market.
  2. You get the best (insert technology buzz name) for keeping the encryption keys at a very affordable price.
  3. Nobody knows our algorithm, so it's impossible to hack it.

The risks of choosing a custom solution
While the sales pitch may sound great, let's analyze the actual risks of having a custom encryption solution in your enterprise:
  1. The custom encryption algorithm is not proven - the sales pitch of nobody knowing the algorithm is stupid. Security by obscurity does not work and that has been proven a lot of times. On the other hand, since nobody knows the algorithm, no independent test of the algorithm has been performed. For all that you know, the algorithm can have enough mathematical flaws to make breaking it a child's play.
  2. The custom hardware for the encryption keys (if offered) is not tested according to well known standards - the latest and greatest in hardware means very little if not properly implemented. When talking about hardware for storing of encryption keys, there is a well known standard - FIPS 140-2. You should choose only hardware certified at FIPS 140-2 level 3 or 4
  3. There is a high possibility of backdoors into the encryption - custom solutions can mean that the programmers have left in some backdoor. Having such backdoors is actually quite common, since it makes the programmer's life much easier in supporting the customer. Closed solutions mean that there is no open test to weed out these backdoors - and not too many vendors test their own solutions through independent contractors. Therefore, there is a risk of a disgruntled programmer using this back door to gain personal benefits, or simply to harm his former employer


So when someone offers you a solution with theirs own superstrong encryption - Just walk away

Talkback and comments are most welcome

Related posts
Hardware Security Module for Dummies

Information Risks when Branching Software Versions

3 rules to keep attention to detail in Software Development

8 Golden Rules of Change Management

Application security - too much function brings problems

Security risks and measures in software development

Security challenges in software development


System Hardening Process Checklist

Most administrators and security officers are well aware of the necessity of system hardening for corporate systems.

Hardening is the process of securing a system by reducing its surface of vulnerability. By the nature of operation, the more functions a system performs, the larger the vulnerability surface.

Since most systems are dedicated to one or two functions, reduction of possible vectors of attack is done by the removal of any software, user accounts or services that are not related and required by the planned system functions. System hardening is vendor specific process, since different system vendors install different elements in the default install process.


However, all system hardening efforts follow a generic process. So here is a checklist and diagram by which you can perform your hardening activities.

  1. Perform initial System Install - stick the DVD in and go through the motions.
  2. Remove unnecessary software - all systems come with a predefined set of software packages that are assumed to be useful to most users. Depending on your target use of the system, you should remove all software that is not to be used like graphics and office packages on a web server.
  3. Disable or remove unnecessary usernames and passwords - most systems come with a lot of predefined user accounts for all kinds of purposes - from remote support to dedicated user accounts for specific services. Remove all remote and support accounts, and all accounts related to services which are not to be used. For all used accounts, ALWAYS change the default passwords.
  4. Disable or remove unnecessary services - just as the two previous points, remove all services which are not to be used in production. You can always just disable them, but if you have the choice remove them altogether. This will prevent the possible errors of someone activating the disabled service further down the line.
  5. Apply patches - after clearing the 'mess' of the default install, apply security and functionality patches for everything that is left in the system - especially the target services.
  6. Run Nessus Scan - update your Nessus scanner and let her rip. Perform a full scan including dangerous scans. Do the scan without any firewalls on the path of the scan. Read through the results, there will always be some discoveries, so you need to analyze them.
  7. If no Vulnerabilities are discovered, use system - after the analysis of the results, if there is noting significant discovered, congratulations! You have a hardened system ready for use.

Here is the described checklist as a process diagram


Talkback and comments are most welcome

Related posts

Checking web site security - the quick approach
Protecting from Meddling Web Applications
Strategic Choice - Proper Selection of Web Hosting
Web Site that is not that easy to hack - Part 1 HOWTO - the bare necessities
Web Site that is not Easy to hack - Part 2 HOWTO - the web site attacks
Rules for good Corporate Web Presence

Hiding Information in Plain Sight - Steganography

A very common theme in action movies is walking away with the stolen goods in plain sight. Although popular in movies, the subject of hiding information is often overlooked in information security. Here is an analysis of how easy it is to hide valuable information in harmless files.

The art and science of writing hidden messages in such a way that no-one apart from the sender and intended recipient even realizes there is a hidden message is known as Steganography
Generally, a steganographic message will appear to be something else: a picture, an article, a shopping list, or some other message. This apparent message is the covertext.

There are many ways to use steganography in electronic communications: A hidden text can be transported in an image, a music file, another text file, executable file or even in the TCP/IP stream.

Here is an example

The following text file is hidden within the image.
Below is the original image used for hiding the file - a standard test image also known as Lenna (a cropped image from a Playboy magazine centerfold picture of Lena Söderberg)



Below is the image of Lenna with the hidden file inside it. The only user-detectable difference is the file size. But to most users, this difference means nothing and you'll need to find the untampered image to make a comparison.


The tool
The above hiding process is completed with StegoShare. The tool is simple, straightforward and very efficient. Ofcourse, it is limited to hiding data in lossless compression images and cannot hide data in other types of files (audio, documents).


Risk Analysis
Although steganography is not widely discussed on security forums, it can be used to efficiently bypass security measures, and here is why

  • There is no straightforward detection method for finding hidden information in files unless you know exactly what you are looking for.
  • There are multitude of open source tools for steganography that run in user space - no need for installation on the computer
  • There are numerous channels by which a hidden file is able to transit (web, e-mail, usb, printout...)

Talkback and comments are most welcome

Designed by Posicionamiento Web