CLOUD 9:
UNCOVERING SECURITY & FORENSICS DISCOVERY IN CLOUD
by Manu
Zacharia
MVP (Enterprise Security), C|EH,
ISLA-2010 (ISC)², C|HFI, CCNA, MCP
Certified ISO 27001:2005 Lead Auditor
HackIT – Technology & Advisory Services
“Aut viam inveniam aut faciam ”
Hannibal Barca
# whoami
• I am an Information Security Evangelist 
• For paying my bills – I do consulting - HackIT –
Technology & Advisory Services – A startup.
• Awards
• Information Security Leadership Achievement Award
from (ISC)² - 2010
• Microsoft Most Valuable Professional (Enterprise
Security) – 2009 and 2010
• Co-Author of a Book
• President – Information Security Research Association NPO
# whoami
• Chief Architect - Matriux – (www.matriux.com) - OS for
Hacking, Forensics and Security testing – Open Source &
Free 
• Founder c0c0n – International Security & Hacking
Conference
• Extend service to various state and central investigations
agencies as Cyber Forensics Consultant
# whoami
• Speaker at various national and international security,
technology and hacking conferences:
• Microsoft Tech-Ed 2010 (& 2011 upcoming)
• IQPC - Enterprise Security 2010 - Singapore
• Information Security Conference - Bangalore
• ClubHack, etc
•DevCon
# whoami
• Training associations:
• Indian Navy - Signal School , Centre for Defense
Communication and Electronic and Information / Cyber
Warfare and INS Valsura.
• Centre for Police Research, Pune and Kerala Police
• SCIT Symbiosis Centre for Information
Technology,Pune
• Institute of Management Technology (IMT) –
Ghaziabad
• IGNOU M-Tech (Information Systems Security) – Expert
Member – Curriculum Review Committee
• C-DAC, ACTS (DISCS & DSSD)
DISCLAIMER(S)
• The opinion here represented are my personal ones
and do not necessary reflect my employers views.
• Registered brands belong to their legitimate owners.
• The information contained in this
presentation does not break any
intellectual property, nor does it
provide detailed information that may
be in conflict with any laws
(hopefully...) :)
6
REFERENCES
• Information and resources from Internet (including
publications from Cloud Security Alliance) were
extensively used for the creation of this presentation.
7
AGENDA
INTRO & CLOUD ARCHITECTURE
CLOUD SECURITY & RISK ASSESSMENT FRAMEWORK
EXPLOITING CLOUD & FORENSICS
CONCLUSION
8
9
QUESTION
• So what is Cloud Computing?
• Do you know what is EC2 and S3?
• What is SPI Model?
10
WHY THIS TALK?
• cloud is loud
• Headline stealer
• Everybody is concerned about Cloud
Security
11
WHY CLOUD IS DIFFERENT?
• Why handle cloud differently?
• Simple – power of cloud
12
TIGR - ??????
•Barack
Obama's
Technology
Innovation
and
Government
Reform Team (TIGR) describe the
use of cloud computing as "one of
the most important transformations
the federal government will go
through in the next decade."
13
CLOUD POWER
• A 64 node Linux cluster can be online in
just five minutes
• Forget about those sleepless nights in
your data centers
14
EC2
• Amazon Elastic Compute Cloud (Amazon
EC2)
• A web service that provides resizable
compute capacity in the cloud
15
EC2 - WIKIPEDIA
• Allows users to rent computers on which to
run their own computer applications.
• A user can boot an Amazon Machine
Image (AMI) to create a virtual machine,
which
Amazon
calls
an
containing any software desired.
16
"instance",
EC2 - WIKIPEDIA
• A user can create, launch, and terminate
server instances as needed, paying by the
hour for active servers, hence the term
"elastic".
17
S3
• Amazon S3 (Simple Storage Service) is
an online storage web service offered by
Amazon Web Services.
• Provides unlimited storage through a
simple web services interface
18
S3
• $0.15 per gigabyte-month
• 102 billion objects as of March 2010
19
POWER OF CLOUD
• The New York Times - Amazon EC2 and
S3 - PDF's of 15M scanned news articles.
• NASDAQ
uses Amazon S3 to deliver
historical stock information.
20
CLOUD
• Cloud separates:
• application and information resources
from the underlying infrastructure, and
• the mechanisms used to deliver them.
21
CLOUD
Use of a collection of
• services,
• applications,
• information, and
• infrastructure
comprised of pools of compute, network,
information, and storage resources.
22
CLOUD
• Components can be
• rapidly orchestrated,
• provisioned,
• implemented & decommissioned, and
• scaled up or down
• Provide an on-demand utility-like model.
23
CLOUD CONFUSION
• From an architectural perspective; there is
much confusion
• How cloud is both similar to and
different
from
existing
computing?
24
models
of
CLOUD CONFUSION
• How these similarities and differences
impact the
• organizational,
• operational, and
• technological approaches
to
network
and
information
practices.
25
security
CLOUD SECURITY – DIFFERENT?
Marcus Ranum -
Same old,
Same old
26
CLOUD SECURITY – DIFFERENT?
Same Client / Server paradigm from
Mainframe days – Bruce Schneier
27
So what is this
cloud?
28
29
CLOUD
• NIST (U.S. National Institute of Standards
and Technology) defines cloud computing
by describing:
• five essential characteristics,
• three cloud service models, and
• four cloud deployment models.
30
CLOUD CHARACTERISTICS
• Five essential characteristics
• On-demand self-service
• Broad network access
• Resource pooling
• Rapid elasticity
• Measured service
31
CLOUD CHARACTERISTICS
• On-demand self-service
• Unilaterally
capabilities
provision
as
needed
computing
automatically,
without requiring human interaction with
a service provider.
• Computing capabilities include server time
and network storage
32
CLOUD CHARACTERISTICS
• Broad network access
• Available
over
the
network
and
accessed through standard mechanisms
33
CLOUD CHARACTERISTICS
• Can
be
heterogeneous
accessed
thin
or
through
thick
client
platforms (e.g., mobile phones, laptops,
and PDAs) as well as other traditional or
cloud based software services.
34
CLOUD CHARACTERISTICS
• Resource pooling
• The provider’s computing resources are
pooled to serve multiple consumers
using a multi-tenant model,
• Different physical and virtual resources
dynamically
assigned
and
according to consumer demand.
35
reassigned
CLOUD CHARACTERISTICS
• Degree of location independence customer has no control or knowledge over
the exact location of the provided resources
• Customer may be able to specify location
at a higher level of abstraction (e.g.,
country, state, or datacenter).
36
CLOUD CHARACTERISTICS
• Examples of resources include:
• storage,
• processing,
• memory,
• network bandwidth, and
• virtual machines.
37
CLOUD CHARACTERISTICS
• Rapid elasticity
• Capabilities can be
• rapidly and elastically provisioned to
quickly scale out ; and
• rapidly released to quickly scale in.
• In some cases this is done automatically.
38
CLOUD CHARACTERISTICS
• Measured service.
• Metering capability at some level of
abstraction appropriate to the type of
service
• Resource
usage
controlled,
and
can
reported
be
—
monitored,
providing
transparency for both the provider and
consumer of the service.
39
CLOUD CHARACTERISTICS
• Example:
• storage,
• processing,
• bandwidth,
• active user accounts
40
MYTHS - CLOUD CHARACTERISTICS
• Myths about Cloud Computing Essential
Characteristics
• Virtualization is mandatory
• Answer is No
• Cloud services are often but not always
utilized in conjunction with, and enabled
by, virtualization technologies
41
MYTHS - CLOUD CHARACTERISTICS
• There is no requirement that ties the
abstraction
of
resources
to
virtualization technologies
• In many offerings virtualization by
hypervisor
or
operating
container is not utilized.
42
system
MYTHS - CLOUD CHARACTERISTICS
• Multi-tenancy as an essential cloud
characteristic
• Multi-tenancy is not called out as an
essential cloud characteristic by NIST
but is often discussed as such.
43
CLOUD SERVICE MODELS
• Divided into three archetypal models.
• The three fundamental classifications are
known as the SPI Model.
• Various other derivative combinations are
also available.
44
CLOUD SERVICE MODELS
• Cloud Service Models
• Cloud Software as a Service (SaaS).
• Cloud Platform as a Service (PaaS).
• Cloud
Infrastructure
(IaaS).
45
as
a
Service
CLOUD SERVICE MODELS - SaaS
• The client use the software / applications
running on a cloud infrastructure.
• Accessed through thin client interface
such as a browser.
46
CLOUD SERVICE MODELS - SaaS
• User does not manage or control the
underlying cloud infrastructure including:
• network,
• servers,
• operating systems,
• storage, or
• even individual application capabilities
47
CLOUD SERVICE MODELS - SaaS
• Possible exception - limited user specific
application configuration settings.
48
CLOUD SERVICE MODELS - PaaS
• User
can
deploy
onto
the
cloud
infrastructure consumer-created or acquired
applications created using programming
languages and tools supported by the
provider.
49
CLOUD SERVICE MODELS - PaaS
• The consumer does not manage or control
the underlying cloud infrastructure including
• network,
• servers,
• operating systems, or
• storage,
50
CLOUD SERVICE MODELS - PaaS
• Has
control
applications
and
over
the
possibly
deployed
application
hosting environment configurations.
51
CLOUD SERVICE MODELS - IaaS
• The user can provision
• processing,
• storage,
• networks, and
• other fundamental computing resources
52
CLOUD SERVICE MODELS - IaaS
• The consumer is able to deploy and run
arbitrary
software,
which
can
include
operating systems and applications.
• The consumer does not manage or control
the underlying cloud infrastructure
53
CLOUD SERVICE MODELS - IaaS
• Has control over
• operating systems,
• storage,
• deployed applications, and
• possibly
networking
limited
control
components
firewalls).
54
of
(e.g.,
select
host
CLOUD DEPLOYMENT MODELS
• Regardless of the service model, there
are four cloud deployment models:
• Public Cloud
• Private Cloud
• Community Cloud
• Hybrid Cloud
55
CLOUD DEPLOYMENT MODELS
• There
are
derivative
variations
address specific requirements.
56
that
CLOUD DEPLOYMENT MODELS
• Public Cloud
• The
cloud
infrastructure
is
made
available to the general public or a large
industry group
• Owned by an organization providing
cloud services.
57
CLOUD DEPLOYMENT MODELS
• Private Cloud
• The cloud infrastructure is operated
solely for a single organization.
• It may be managed by the organization
or a third party, and may exist onpremises or off-premises.
58
CLOUD DEPLOYMENT MODELS
• Community Cloud
• The cloud infrastructure is shared by
several organizations
• Supports a specific community that has
shared concerns
59
CLOUD DEPLOYMENT MODELS
• Examples:
• mission,
• security requirements,
• policy, or
• compliance considerations
60
CLOUD DEPLOYMENT MODELS
It may be managed by the:
• organizations or
• a third party
and may exist
• on-premises or
• off-premises.
61
CLOUD DEPLOYMENT MODELS
• Hybrid Cloud
• Composition of two or more clouds
(private, community, or public)
• They remain unique entities but are bound
together by standardized or proprietary
technology
that
enables
application portability
62
data
and
CLOUD DEPLOYMENT MODELS
• Example - Hybrid Cloud
• Cloud
bursting
for
between clouds.
63
load-balancing
CLOUD BURSTING
• New twist on an old concept :)
• Bursting into the cloud when necessary, or
• using the cloud when additional compute
resources are required temporarily
64
CLOUD BURSTING
• Example - used to shoulder the burden of
some
of
the
application's
processing
requirements.
• How it is done?
• Basic application functionality could be
provided from within the cloud
65
CLOUD BURSTING
• More critical (e.g. revenue-generating or
mission critical) applications continue to be
served from within the controlled enterprise
data center.
66
CLOUD BURSTING
• How it is different from the traditional
bursting?
• Traditionally been applied to resource
allocation and automated provisioning / deprovisioning of resources
• Historically focused on bandwidth.
67
CLOUD BURSTING
• In the cloud, it is being applied to
resources such as:
• servers,
• application servers,
• application delivery systems, and
• other infrastructure…
68
CLOUD BURSTING
• …required
to
provide
on-demand
computing environments that expand and
contract as necessary, without manual
intervention.
69
CLOUD BURSTING
• Without manual intervention means?
• We generally call it - automation
• But is automation sufficient for cloud? or is
it the right thing for cloud?
70
CLOUD ORCHESTRATION
Orchestration describes the automated
• arrangement,
• coordination, and
• management of
complex computer systems, middleware,
and services.
71
CLOUD ORCHESTRATION
• Generally used in the context of:
• Service Oriented Architecture,
• virtualization,
• provisioning, and
• dynamic datacenter topics.
72
DERIVATIVE - DEPLOYMENT MODELS
• Derivative cloud deployment models are
emerging due to the maturation of market
offerings and customer demand.
• Example
• Virtual Private Clouds
73
VIRTUAL PRIVATE CLOUDS
• Public cloud infrastructure in a private or
semi-private manner
• By interconnecting these resources to the
internal
resources
datacenter,
usually
a
via
virtual
network (VPN) connectivity.
74
consumers’
of
private
CLOUD SERVICE BROKERS
• Providers
monitoring,
that
offer
intermediation,
transformation/portability,
governance, provisioning, and integration
services.
• They also negotiate relationships between
various cloud providers and consumers.
75
CLOUD SERVICE BROKERS
• They take advantage of the incompatibility
issues prevailing and provide an interface
for customers.
• Acts as proxy (middle man)
76
OPEN AND PROPRIETARY API
• Open and proprietary APIs are evolving
which seek to enable things such as
• management,
• security and
• inter-operatibility
for cloud.
77
OPEN AND PROPRIETARY API
• Open Cloud Computing Interface Working
Group,
• Amazon EC2 API,
• VMware’s DMTF-submitted vCloud API,
• Sun’s Open Cloud API,
• Rackspace API, and
• GoGrid’s API,
78
OPEN AND PROPRIETARY API
• Play a key role in cloud portability and
interoperability
as
well
as
common
container formats such as the DMTF’s
Open Virtualization Format (OVF).
• DMTF - Distributed Management Task
Force
79
MULTI-TENANCY IN CLOUD
• Not an essential characteristic of Cloud
Computing in NIST’s model.
• Generally
identified
element of cloud.
80
as
an
important
MULTI-TENANCY IN CLOUD
• Implies a need for
• policy-driven enforcement,
• segmentation,
• isolation,
• governance,
• service levels, and
• chargeback/billing models for different
consumers.
81
CLOUD
82
CLOUD CUBE
83
CLOUD REFERENCE MODEL
• Understanding
the
relationships
and
dependencies between Cloud Computing
models is critical to understanding Cloud
Computing security risks.
84
CLOUD REF MODEL
• IaaS is the foundation of all
cloud services, with PaaS
building
upon
IaaS,
and
SaaS in turn building upon
PaaS
• As
the
capabilities
are
inherited, so are information
security issues and risk.
85
CLOUD REF MODEL
86
87
CLOUD – WHAT COULD BE TARGETTED?
• From an attackers point of view:
• The boxes,
• Storage,
• Applications
88
WHY CLOUD SECURITY IS DIFFERENT?
• With any new technology comes new risks
• New vectors - that we need to be aware of
• Confusion exists - how cloud is both
similar to and different from existing models
of computing
89
SECURITY ISSUES
• Cloud based security issues, also commonly
know as Cloud Based Risk – CRISK
90
SECURITY ISSUES
Lock-in
• When a cloud user decides to migrate (due
to various reasons including poor SLA) to
another cloud service provider or to in-house
IT
• Different cloud service providers use
different API – not compatible with each other
for migrating the data 
91
SECURITY ISSUES
Lack of:
• Tools,
• Procedures,
• Standard data formats, and
• Interfaces,
can considerably delay or
successful migration.
92
prevent
a
SECURITY ISSUES
Shared Service Consequences
• Any kind of intentional and un-intentional
malicious activity carried out or executed on
a shared platform may affect the other
tenants and associated stake holders.
93
SECURITY ISSUES
Examples - Shared Service Consequences:
• Blocking of IP ranges
• Confiscation of resources as part of an
investigation - the availability is in question.
94
SECURITY ISSUES
Examples - Shared Service Consequences:
• The diversity of application running on the
cloud platform and a sudden increase in the
resource usage by one application can
drastically
affect
the
performance
and
availability of other applications shared in the
same cloud infrastructure.
95
SECURITY ISSUES
Sudden Acquisitions and Take-overs
• Cloud is upcoming and promising domain
for organizations to venture and expand.
• Sudden take over can result in a deviation
from the agreed Terms of Use & SLA which
may also lead to a Lock-In situation.
96
SECURITY ISSUES
Run-on-the-cloud
• Similar to the conventional run on the bank
concept.
• Bankruptcy and catastrophes does not
come with an early warning.
97
SECURITY ISSUES
• What happens if the majority clients
withdraw the associated services from a
cloud infrastructure?
98
SECURITY ISSUES
• The cloud service providers may try to
prevent that move through direct and
indirect methods – which may include a
lock-in also.
99
SECURITY ISSUES
Maintaining Certifications & Compliance
• Organizations need to ensure that they can
maintain the same when moving to cloud.
• ToU prohibits VA/PT
• This may introduce security vulnerabilities
and gaps
• Result – Loose your certification.
100
SECURITY ISSUES
Example - Maintaining Certifications:
• In
general
scenario,
the
PCI
DSS
compliance cannot be achieved with the
Amazon EC2/S3 cloud service.
• Major downfall in performance and quality
metrics may affect your certifications.
101
SECURITY ISSUES
Technical and Procedural Vulnerability
• Vulnerabilities applicable to the conventional
systems & networks are also applicable to
cloud infrastructure.
• Lack of could based security standards and
non-adherence to procedures may affect the
CIA of customer data.
102
SECURITY ISSUES
Confidentiality is @ Risk
• The information deleted by the customer
may be available to the cloud solution
provider as part of their regular backups.
• Insecure and inefficient deletion of data, true
data wiping not happening, exposing the
sensitive information to other cloud users.
103
SECURITY ISSUES
Lack of transparency in cloud
•The service provider may be following good
security procedures, but it is not visible to the
customers and end users.
• May be due to security reasons.
• But end user is finally in the dark.
104
SECURITY ISSUES
Lack of transparency in cloud
• End user questions remains un-answered:
• how the data is backed up,
•who back up the data,
•whether the cloud service provider does it
or has they outsourced to some third party,
105
SECURITY ISSUES
• how the backup is transferred to a remote
site as part of the backup policy,
• is it encrypted and send,
• is the backup properly destroyed after the
specified retention period or
106
SECURITY ISSUES
• is it lying somewhere in the disk,
• what kind of data wiping technologies are
used.
• The lists of questions are big and the cloud
users are in dark
107
SECURITY TESTING
• Problems testing the cloud?
• Permission
• How do you get permission to test your
application running on Amazon EC2 when
the results of your testing could show you
data from another client completely?
108
SECURITY TESTING
• Getting black hole or getting kicked-off
• "In
networking, black holes refer to places in the
network where incoming traffic is silently discarded
(or "dropped"), without informing the source that the
data did not reach its intended recipient." - From
Wikipedia
109
SECURITY TESTING
• How do you track version?
• How do you do regression testing?
• How do you know what version of the
search engine google is currently running on?
110
SECURITY TESTING
• If you test an application today and find it
vulnerable or not vulnerable, how do you
know that the app you testing tomorrow is the
same one that you tested yesterday? - You
don't
111
THEN WHY WE MOVE?
If its not good, safe or not even new, then
why cloud adoption happening?
112
FEW TOP REASONS
• Management by in-flight magazines
• Management version – something new
and promising – let’s try it out
• Geek version – It’s really cool
• There is nobody to put a break when these
two people join together.
113
OTHER REASONS
• Poor uptime and service delivery experience
from IT department.
• Economical factors
• Multi-tenancy means cost sharing
114
OTHER REASONS
• Cost saving makes it attractive during
recession.
• Cloud computing allows you to move from
CAPEX to OPEX.
• Save 30% of IT Operational Cost
115
OTHER REASONS
• Variable cost subscription model – rapidly
scale up and scale down.
• Go Green or Green IT also influenced many.
• Powerful - A 64 node Linux cluster can be
online in just five minutes - forget about those
sleepless nights in your data centers
116
117
ADDRESSING CLOUD SECURITY
•Adopt a risk based approach
• Evaluate your tolerance for moving an
asset to cloud
• Have a framework to evaluate cloud risks.
118
RA FRAMEWORK FOR CLOUD
• Identify the asset for cloud.
• Evaluate the asset
• Map the asset to cloud deployment models
• Evaluate cloud service models & providers
• Sketch the potential data flow
119
1 - IDENTIFY THE ASSET
• Two types of assets are supported by
cloud:
• Data
• Applications/Functions/Processes
•Either
partial
functions
applications
120
or
full
1 - IDENTIFY THE ASSET
• In cloud, we do not need data and
application to reside at the same location.
• We can shift parts of functions to the cloud.
121
1 - IDENTIFY THE ASSET
• Example:
• Host the main application and data in our
own data-centre.
• Outsource a portion of its functionality to
the cloud through Platform as a Service
(PaaS).
122
1 - IDENTIFY THE ASSET
•First step in evaluating risk for the cloud determine exactly what data or function is
being considered for the cloud.
•Include potential use of the asset once it
moves to the cloud
123
1 - IDENTIFY THE ASSET
• This will help you account for scope creep
• Data and transaction volumes are often
higher than expected.
124
1 - IDENTIFY THE ASSET
• What is scope creep?
• Also known as
• focus creep,
• requirement creep,
• feature creep,
• function creep
125
1 - IDENTIFY THE ASSET
• Refers to uncontrolled changes in a
project's scope.
• Can occur when the scope of a project is
not
properly
defined,
controlled.
126
documented,
or
2 - EVALUATE THE ASSET
• Determine how important the data or
function is to the organization.
• A detailed valuation is recommended only if
the organization has an existing process for
that.
127
2 - EVALUATE THE ASSET
• If not, a rough assessment of the following
is recommended:
• how sensitive an asset is, and
• how important an application / function /
process is.
128
2 - EVALUATE THE ASSET
• How do we do it?
• For
each
asset,
ask
the
following
questions:
• How would we be harmed if the asset
became
widely
public
distributed?
129
and
widely
2 - EVALUATE THE ASSET
• How
would
we
be
harmed
if
an
employee of our cloud provider accessed
the asset?
• How would we be harmed if the process
or function were manipulated by an
outsider?
130
2 - EVALUATE THE ASSET
• How would we be harmed if the process
or function failed to provide expected
results?
• How would we be harmed if the
information/data
were
changed?
131
unexpectedly
2 - EVALUATE THE ASSET
• How would we be harmed if the asset
were unavailable for a period of time?
132
2 - EVALUATE THE ASSET
• What are we doing basically with the above
process?
• Assessing confidentiality, integrity, and
availability requirements for the asset;
and
• how those are affected if all or part of
the asset is handled in the cloud.
133
3 – MAP THE ASSETS
• Step 3 - Map the asset to potential cloud
deployment models
• Determine which deployment model is
good for the organizational requirement.
134
3 – MAP THE ASSETS
• Decide
whether
the
organization
can
accept the risks implicit to the various
deployment
models
(private,
public,
community, or hybrid); and hosting scenarios
(internal, external, or combined).
135
3 – MAP THE ASSETS
• For the asset, determine if you are willing
to accept the following options:
• Public.
• Private, internal/on-premises.
• Private, external (including dedicated or
shared infrastructure).
• Community
• Hybrid
136
3 – MAP THE ASSETS
• End of this phase you should have answer
to the following:
• Deployment models and locations that fits
your security and risk requirements.
137
4 – EVALUATE MODELS & PROVIDERS
• Focus on the degree of control you’ll have
at each SPI tier to implement any required
risk management.
138
5 – SKETCH DATA FLOW
• Map out the data flow between:
• your organization,
• the cloud service, and
• any customers/other nodes.
139
5 – SKETCH DATA FLOW
• High-level design can be adopted for the
same.
• Absolutely
essential
to
understand
whether, and how, data can move in and out
of the cloud before finalizing.
140
RA - CONCLUSION
• You should have a clear understanding of
the following:
• the
importance
of
what
considering moving to the cloud,
• risk tolerance,
141
you
are
RA - CONCLUSION
• which combinations of deployment and
service models are acceptable, and
• potential exposure points for sensitive
information and operations.
142
RA - CONCLUSION
• For low-value assets you don’t need the
same level of security controls
• Can skip most of the recommendations —
such as on-site inspections, discoverability,
and complex encryption schemes.
• A high-value regulated asset might entail
audit and data retention requirements.
143
144
DO YOU KNOW THIS?
145
INFORMATION WARFARE
• Clue:
• Kendo (kumdo in korean)
146
INFORMATION WARFARE
風 - Swift as the wind
林 - Quiet as the forest
火 - Conquer like the fire
山 - Steady as the mountain
147
INFORMATION WARFARE
• Battle strategy and motto of Japanese
feudal lord Takeda Shingen ( 武 田 信 玄 )
(1521–1573 A.D.).
• Twenty-Four Generals - famous groupings
of battle commanders
• (Takeda Nijūshi-shō ) 武田二十四将
148
INFORMATION WARFARE
• Came from the Art of War by Chinese
strategist and tactician Sun Tzu (Sunzi)
• A sort of abbreviation to remind officers
and troops how to conduct battle
149
INFORMATION WARFARE
• This is what we need in information
warfare or when launching an attack
150
EXPLOITING CLOUD
• Sample Task
• Break PGP passphrases
• Solution
• Brute forcing PGP passphrases
151
EXPLOITING CLOUD
•Try – ElcomSoft Distributed Password
Recovery (with some patches to handle
PGP ZIP)
•Two elements - EDPR Managers & EDPR
Agents
152
EXPLOITING CLOUD
• Dual core Win7 box - 2100 days for a
complex passphrase.
• Not acceptable – too long
• Lets exploit the cloud.
153
EXPLOITING CLOUD
• First things first – Create an Account on
Amazon. Credit Card Required 
• Install Amazon EC2 API Tools on your linux
box.
sudo
apt-get
install
tools
154
ec2-api-
EXPLOITING CLOUD
• Select an AMI
• Example - use a 32 bit Windows AMI - ami-
df20c3b6-g
155
EXPLOITING CLOUD
• Start an instance from the Linux shell as
follows:
ec2-run-instances
-k
ami-df20c3b6-g default
156
ssh-keypair
EXPLOITING CLOUD
• Enumerate the instance ID & public IP:
ec2-describe-instances
157
EXPLOITING CLOUD
• Instance status change from “pending” to
“running”
• Extract the admin password for the
instance
ec2-get-password
-k
keypair.pem $instanceID
158
ssh-
EXPLOITING CLOUD
• Configure EC2 firewall to permit inbound
RDP traffic to the instance.
ec2-authorize default -p 3389 -s
$trusted_ip_address/32
159
EXPLOITING CLOUD
• Configure the firewall in front of the EDPR
manager system to permit TCP/12121 from
anywhere.
• RDP into the instance & configure EDPR
160
EXPLOITING CLOUD
• Login using the password obtained from
ec2-get-password command
161
EXPLOITING CLOUD
• Install EDPR Agent,
• Configure the Agent to connect to the
Manager.
• 3 points to configure mainly
162
EXPLOITING CLOUD
• Configure the public IP address or
hostname of the EDPR manager you have
configured.
163
EXPLOITING CLOUD
•Interface tab - Set the Start-up Mode to "At
Windows Start-up".
164
EXPLOITING CLOUD
• Registry hack
• EDPR creates a pair of registry values
which are used to uniquely identify the agent
when connecting to the manager.
• We need to scrub these values – why?
165
EXPLOITING CLOUD
• If we don’t, every single instance we initiate
will appear to be the same agent to the
manager.
•Output = The job handling will be totally
corrupted.
166
EXPLOITING CLOUD
HKEY_LOCAL_MACHINE\Software\ElcomS
oft\Distributed Agent\UID
• Set the value of the UID key to null, but
DO NOT DELETE THE KEY.
167
EXPLOITING CLOUD
• Let’s bundle the EC2 instance.
• Remember in cloud, bundle is similar to
creating a ‘template’ in VMware terminology.
168
EXPLOITING CLOUD
• Install and configure EC2 AMI Tools
• Command:
ec2-bundle-instance $instance_id b $bucket_name -p $bundle_name
-o
$access_key_id
-w
$secret_access_key
169
EXPLOITING CLOUD
• Bundling process runs sysprep on the
Windows instance, compress and copies the
instance to S3.
170
EXPLOITING CLOUD
• Check the progress of the bundle task:
ec2-describe-bundle-tasks
171
EXPLOITING CLOUD
• Register the bundled AMI:
ec2-register
$bucket_name/$bundle_name.manifest.
xml
172
EXPLOITING CLOUD
• The register command returns AMI ID
• Used to spawn instances of the EDPR
agent. Example:
IMAGE
ami-54f3103d
173
ACTION TIME 
•Start EDPR manager & configure task.
• to
brute
an
password
composed
of
uppercase letters, lowercase letters, and the
numbers 0-9, with a length of between 1 to 8
characters against a PGP ZIP file.
174
ACTION TIME 
175
ACTION TIME 
• Start a single instance of our EDPR agent:
ec2-run-instances -k $ssh-keypair
ami-54f3103d -g default
176
ACTION TIME 
• Agent check in with the EDPR manager.
177
ACTION TIME 
• We started it with default parameters
• EC2 “small” instance
• Trying 500K keys per second
• How long will it take?
178
ACTION TIME 
•What???? 3600 days? = 10 years!!!!!
179
ACTION TIME 
• Let’s scale up – deploy 10 additional
instances:
ec2-run-instances
-n
10
-k
ssh-
keypair ami-54f3103d -g default -t
c1.medium
180
ACTION TIME 
• The -n 10 parameter tells EC2 to launch 10
instances.
• c1.medium instance = “High CPU" instance
181
ACTION TIME 
182
ACTION TIME 
• Now we have more cracking agents in the
party!!!
• 2+M keys/second
• So what's the time required now???
183
ACTION TIME 
• Down to 122 days
184
ACTION TIME 
• Kickoff another 89 to hit a century.
ec2-run-instances
-n
89
-k
ssh-
keypair ami-54f3103d -g default -t
c1.medium
Note: Check your EDPR License.
185
ACTION TIME 
• Error:
Client.InstanceLimitExceeded:
Your
quota
more
allows
for
9
instance(s). You requested at least
89
186
ACTION TIME 
• Option 1
• Request to instance amazon EC2 Instance
Limit
-
http://aws.amazon.com/contact-
us/ec2-request/
187
ACTION TIME 
• Option 2
• Amazon spot instances - allows us to bid
on unused Amazon EC2 capacity and run
those instances.
188
ACTION TIME 
• Option 3
• Create custom python script to bypass this
limitation
189
ACTION TIME 
• With a couple more of instances, we can
reduce it to hours
• A successful
cloud
cracking system.
190
based
distributed
191
CLOUD FORENSICS
• Mixed Responses
• Bad guys have started using cloud based
services and infrastructure for launching
attacks
• Cloud do provide a good platform for
incidence
response
investigations
192
and
forensics
CLOUD FORENSICS
• By utilizing the inherent features of cloud
computing, computer forensic can become an
on-demand
service
circumstances.
193
under
certain
CLOUD FORENSICS
• Regular business and operations are not
affected when a cloud environment needs to
be forensically examined.
• Not
the
case
with
the
traditional
infrastructure where the equipments are
seized.
• Cloud Example – Amazon EBS
194
CLOUD FORENSICS
• Cloud based forensics took a new turn when
Amazon introduced Elastic Block Store (EBS)
volumes
• Enables the user to launch an instance with
an Amazon EBS volume that will serve as the
root device.
195
CLOUD FORENSICS
• When there is a need to preserve a cloud
environment, EBS can create an exact replica
of the cloud instance & put it on the same
cloud
for
forensics
evaluation
and
examination.
• Since the forensic investigators will be
working with another instance of the
environment, the regular operations is not
affected in any way.
196
CLOUD FORENSICS
• Replication
process
achieved
in
few
minutes.
• Forensic evidences are invalid if they are
not cryptographically hashed.
• This can be easily achieved using the ondemand feature of cloud.
197
CLOUD FORENSICS
• Replication
process
achieved
in
few
minutes.
• Forensic evidences are invalid if they are
not cryptographically hashed.
• This can be easily achieved using the ondemand feature of cloud.
198
CLOUD FORENSICS
•The cloud based hashing takes less time and
is much faster when you compare it with the
traditional cryptographic hashing process.
• Amazon Web Services is already providing
a good forensic feature where it can provide a
MD5 hash of every file that is on the cloud
system.
199
CLOUD FORENSICS
• What this practically means is that when a
bit
by
bit
copy
is
initiated
(forensic
duplication), you have systems in place which
can ensure that you made the exact replica
and not even a bit has changed during the
replication and copying process.
200
CLOUD FORENSICS
• Even though you have all the above
services available, cloud forensics is still
challenging.
• Virtualization of various entities like the
applications and host systems, which once
used to be in-house is now scattered on the
cloud.
201
CLOUD FORENSICS
• Makes evidence gathering a challenging
task
• Since we are acquiring data from a virtual
environment, the forensic investigator should
have a clear and precise understanding of
how they work and what files are interesting
and required to acquire.
202
CLOUD FORENSICS
• Near to impossible to acquire the complete
hard disk due to various reasons including but
not limited to:
• multiple data owners on the same disk,
• remote geographical location,
• jurisdictional difficulties,
• RAID configurations etc
203
AND FINALLY
• Questions also arise on the compatibility
and
reliability
of
the
tools
used
for
investigating cloud forensics - because most
of the tools are meant for real time systems
and not for virtualized environments.
• A collaborative and collective effort is
required to address what we discussed.
204
205
CONCLUSION
• The architectural mindset used when
designing solutions has clear implications on
the:
• future flexibility,
• security,
• collaborative capabilities, and
• mobility
of the resultant solution.
206
CONCLUSION
• With so many different cloud deployment
and
service
models,
and
their
hybrid
permutations — no list of security controls
can cover all these circumstances.
207
GOOD SECURITY PROFESSIONAL
A good security professional is someone who
always looks both ways before crossing a oneway street.
208
QUESTIONS??
Manu Zacharia
m@matriux.com
or
m@HackIT.co
or
209