Client access is the Achilles' heel of the cloud
Date posted: 19-Oct-2014
Category: Technology
Transcript of "Client access is the Achilles' heel of the cloud"
Bryce Galbraith ©2013, All Rights Reserved 1
Client Access: The Achilles’ Heel of the Cloud
The SANS Institute
Bryce Galbraith, Layered Security
https://www.linkedin.com/in/bgalbraith
This presentation is available at: http://www.slideshare.net/brycegalbraith/
Who am I?
• A professional (ethical) hacker
• Contributing author of Hacking Exposed
• Co-author of Foundstone’s Ultimate Hacking course series
• The founder of Layered Security
• Certified instructor and course author with the SANS Institute
• Frequent speaker, blogger, Tweeter
https://www.linkedin.com/in/bgalbraith
Great quote (1)
"There's a war out there, old friend. A world war. And it's not about who's got the most bullets. It's about who controls the information. What we see and hear, how we work, what we think… it's all about the information!"
Great quote (2)
"The world isn't run by weapons anymore, or energy, or money. It's run by little ones and zeroes, little bits of data. It's all just electrons."
-- Cosmo, from “Sneakers” (1992)
Front page moments
• Everywhere you look, major incidents
  – National secrets, intellectual property, PII, lost revenue, expensive cleanups, embarrassment, shame and numerous other negative effects…
  – Even bankruptcy (e.g. DigiNotar)
  – Continuous stream of announcements
  – No one seems to be immune
  – Many don’t even realize they are compromised
  – People are losing their zeros and ones, en masse
The Actors
• There are many actors
  – Nation states (APT)
  – Organized crime
  – Hacktivists
  – Terrorists
  – Cyber punks
  – Insiders…
So, what do we do about it?
• Clearly there’s a problem
  – Advanced adversaries
  – Limited budgets and staff
  – Limited management support
  – Infinite complexities
  – Effective security is hard (and expensive)
• The solution?
  – Move it to the cloud! (a.k.a. outsourcing ;-)
Industry Focus
Meanwhile…
Attackers choose the path of least resistance…
Unfortunately, endpoint security is “terrifically weak”
The Attacks (1)
• Man-in-the-middle
  – ARP cache poisoning (LAN)
    • Ettercap, Cain & Abel, Subterfuge, arpspoof, etc.
  – LAN, WLAN, cellular networks, etc.
• Nation-in-the-middle
  – Governments, ISPs, etc.
• One of the most powerful positions
  – “All your bits are belong to us!”
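The ARP cache poisoning named above leaves a visible trace on the LAN: one IP answered by more than one MAC. The following detection routine is an added example, not part of the presentation; the log format and the sample replies are constructed.

```python
"""Spot ARP cache poisoning from ARP replies observed on the LAN.

Constructed input (one reply per line): "<time> <ip> is-at <mac>".
Rule: an IP answered by more than one MAC is being contested, which is the
signature left by arpspoof/Ettercap-style poisoning; a MAC that turns up as a
late claimant on several contested IPs (gateway plus victims) is the suspect.
"""
import re
from collections import defaultdict

ARP_REPLY = re.compile(
    r"^(?P<ts>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+is-at\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})$", re.IGNORECASE)

# Constructed sample: gateway 192.168.1.1 is really at ...:01; the host at
# ...:99 then starts answering for the gateway and for the victim .20.
SAMPLE_ARP_LOG = """\
10:00:01 192.168.1.1 is-at aa:bb:cc:dd:ee:01
10:00:01 192.168.1.20 is-at aa:bb:cc:dd:ee:20
10:00:02 192.168.1.30 is-at aa:bb:cc:dd:ee:99
not an arp line
10:00:05 192.168.1.1 is-at AA:BB:CC:DD:EE:99
10:00:06 192.168.1.20 is-at aa:bb:cc:dd:ee:99
"""

def parse_arp_log(text):
    """Yield (timestamp, ip, mac) for each well-formed reply; skip other lines."""
    for line in text.splitlines():
        m = ARP_REPLY.match(line.strip())
        if m:
            yield m["ts"], m["ip"], m["mac"].lower()

def find_arp_conflicts(text):
    """Return {ip: [mac, ...]} for every IP claimed by more than one MAC,
    MACs listed in the order first seen (the first is the original owner)."""
    claims = defaultdict(list)
    for _ts, ip, mac in parse_arp_log(text):
        if mac not in claims[ip]:
            claims[ip].append(mac)
    return {ip: macs for ip, macs in claims.items() if len(macs) > 1}

def suspect_macs(conflicts, min_ips=2):
    """MACs that are a late claimant on at least min_ips contested IPs."""
    late = defaultdict(int)
    for macs in conflicts.values():
        for mac in macs[1:]:
            late[mac] += 1
    return sorted(mac for mac, n in late.items() if n >= min_ips)
```

On the sample, `find_arp_conflicts` flags both the gateway and 192.168.1.20, and `suspect_macs` names aa:bb:cc:dd:ee:99 as the host answering for both.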
The Attacks (2)
• Redirection
  – DNS spoofing
  – HTTP request hijacking
• Attack vectors
  – Send to spoofed sites and trick users into giving up credentials
  – Exploit victims with Metasploit or SET
    • auxiliary/spoof/wifi/airpwn (and dnspwn)
    • auxiliary/server/browser_autopwn
    • Social Engineering Toolkit (can clone sites)
The Attacks (3)
• What about SSL/TLS to the cloud?
  – Authenticates site (via a certificate)
  – Encrypts the HTTP transactions
  – Fundamentally important to protecting most cloud-based services
• Can be completely stripped away…
  – sslstrip by Moxie Marlinspike
    • http://www.thoughtcrime.org/software/sslstrip/
    • It only strips HTTPS to/from the client, not the cloud.
The Attacks (4)
• Code injection
  – Once SSL/TLS has been stripped away, arbitrary code can be injected
  – In either direction
  – Ettercap, BeEF, xssf, etc.
• Keyloggers, Metasploit exploits, steal cookies, modify page content, redirect the victim’s browser and many other nasty things…
• http://bellard.org/jslinux/ (JavaScript Linux distro!)
The Attacks (5)
• Session side-jacking
  – With SSL/TLS removed, the session token representing the user is exposed
  – Once side-jacked, the attacker can simply submit an HTTP request using the token value and they are in!
  – Bypasses many authentication methods
  – Cookie Cadger
    • https://www.cookiecadger.com/
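Slides (3) and (5) describe the two halves of this problem: sslstrip removing HTTPS between the client and the cloud, and the exposed session token then being replayed. The audit below is an added example, not from the presentation; it checks a service's HTTPS response for the two server-side controls that blunt both, HSTS and Secure/HttpOnly on the session cookie (the cookie name list, the six-month floor and the sample responses are assumptions).

```python
"""Audit an HTTPS response for the two controls that blunt sslstrip and
session side-jacking: HSTS (a browser that has seen it refuses the plain-HTTP
downgrade sslstrip relies on) and Secure/HttpOnly on the session cookie (a
Secure cookie is never sent over plain HTTP, so a stripped connection carries
no token to side-jack; HttpOnly keeps injected script from reading it)."""
import email  # stdlib header parser; copes with duplicate Set-Cookie lines

MIN_HSTS_AGE = 60 * 60 * 24 * 180  # six months, an assumed floor
SESSION_COOKIES = ("sessionid", "jsessionid", "phpsessid")  # assumed names

def response_headers(raw):
    """Parse the header block of a raw HTTP/1.x response into an email.Message."""
    head = raw.split("\r\n\r\n", 1)[0]
    return email.message_from_string(head.partition("\r\n")[2])

def hsts_max_age(headers):
    """max-age from Strict-Transport-Security, or None if the header is absent."""
    value = headers.get("Strict-Transport-Security") or ""
    for directive in value.split(";"):
        name, _, num = directive.strip().partition("=")
        if name.lower() == "max-age" and num.strip().isdigit():
            return int(num)
    return None

def weak_cookies(headers):
    """Names of session cookies set without both the Secure and HttpOnly flags."""
    weak = []
    for sc in headers.get_all("Set-Cookie", []):
        parts = [p.strip() for p in sc.split(";")]
        name, flags = parts[0].split("=", 1)[0], {p.lower() for p in parts[1:]}
        if name.lower() in SESSION_COOKIES and not {"secure", "httponly"} <= flags:
            weak.append(name)
    return weak

def audit(raw):
    """Return findings for a raw response; an empty list means both controls hold."""
    headers = response_headers(raw)
    findings = []
    age = hsts_max_age(headers)
    if age is None:
        findings.append("no HSTS header: first plain-HTTP request can be sslstripped")
    elif age < MIN_HSTS_AGE:
        findings.append("HSTS max-age below %d seconds" % MIN_HSTS_AGE)
    for name in weak_cookies(headers):
        findings.append("session cookie %s lacks Secure/HttpOnly" % name)
    return findings

# Constructed sample responses (not captured from any real service).
WEAK = "HTTP/1.1 200 OK\r\nSet-Cookie: sessionid=abc123; Path=/\r\n\r\n"
HARDENED = ("HTTP/1.1 200 OK\r\n"
            "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
            "Set-Cookie: sessionid=abc123; Path=/; Secure; HttpOnly\r\n\r\n")
```

HSTS only protects clients that have already visited the site over HTTPS, so a first visit over plain HTTP is still exposed; that is why the Secure flag on the cookie matters independently.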
The Attacks (6)
• Cellular man-in-the-middle
  – Numerous demonstrations at various hacker conferences over the past few years – it works
  – At DEFCON they dropped rootkits on Android cell phones all weekend
• Client-side malware is still prevalent
  – Can easily log credentials or session tokens to the cloud resources
    • http://www.flexispy.com/
    • http://www.technologyreview.com/view/429394/placeraider-the-military-smartphone-malware-designed-to-steal-your-life/
Extending the Attacks
• Imagine what an attacker could do if they were in the middle of the Internet
  – Nation states, ISPs, etc.
• Certificate Authority (CA) trust issues
• Government officials can demand access to data and providers may have very little recourse, if any
• Spear-phishing attacks to steal user/admin credentials to the cloud
  – “One click is all it takes…” - http://goo.gl/e5tfA2
• The HB Gary incident (blended attack)
Industry Focus
Summary
• The cloud is here to stay…
• Assuming we can actually secure it (big assumption), our data is relatively secure, in the cloud.
• The problem is, it doesn’t stay there…
• We have to acknowledge this and work diligently to protect our zeros and ones wherever they end up.