Stratsec critical of cloud security
Potential haven for botnets, study finds
A study conducted by BAE security subsidiary Stratsec claims that cloud services aren’t doing enough to secure their instances against being used to host attacks.
The company has described a series of experiments. Stratsec says it was able to set up botnets – it refers to them as botClouds – on all five of the cloud services it tested, and that none either raised alerts or placed restrictions on the accounts that were originating malicious traffic.
While the study doesn’t name the cloud services it tested, El Reg would assume that all five have been privately notified by Stratsec.
The experiments were conducted by setting up accounts with various cloud providers, setting up ten cloud instances on each account, and using those instances to send malicious traffic at “victim” systems on controlled networks. Common services like HTTP, FTP and SMTP were enabled on the victims.
The cloud services were then used to fire a variety of attacks against the victims: malformed traffic, malware attacks, DoS attacks, brute-force attacks against the FTP passwords, shellcode attacks on the victims’ services, and Web application attacks (such as SQL injection, cross-site scripting, and path traversal).
With this setup in place, four experimental setups were tested, with the victim (a) in a corporate-style environment behind an IDS and firewall; (b) on the same cloud service that hosted the attacks; (c) on one cloud service, suffering an attack launched from another. In the last experiment, the attack on the private network victim was extended to 48 hours to try to elicit a response from the cloud providers.
Stratsec reports that “although we were expecting responses from cloud providers”, very little happened. There were no connection resets or terminations on the traffic, nor was the malicious traffic throttled or rate limited. The attacks failed to draw a response in the form of an alert or an account suspension, and although one provider blocked FTP, SMTP and HTTP traffic by default, the experimenters only needed to use a non-standard port to continue the attacks.
Without a stronger security posture from cloud providers, the report states, their services offer a cheap, scalable, reliable, and user-friendly platform – for anyone wanting to set up a botCloud. Moreover, they note, a corporate with its own relatively mature in-house security could find itself degrading its protection by moving to the cloud.
COMMENTS
Re: Re: Live Operational Virtual Environments Rule. Fact and/or Fiction
Hi, AC,
Moving to the cloud is catastrophic for systems/organisations/defence and security operations which hold secrets, for there are no hiding places there for them…. no locks and no doors or windows to close. The fortunate/unfortunate thing though is, that such systems with secrets are invariably those which are tasked/task themselves to provide security and protection for peace and prosperity, growth and stability, although that has been lacking in any measure for some considerable time. And that is because of a lack of intelligence and intelligence sharing in Man.
Virtual machines, however, are ESPecially designed and immaculately created to circumvent that basic flaw and have no need of slow, as in intellectually challenged and arrogantly ignorant of the fact, operator input/output.
And yes, BYOD is sound advice.
Live Operational Virtual Environments Rule. Fact and/or Fiction
Moreover, they note, a corporate with its own relatively mature in-house security could find itself degrading its protection by moving to the cloud.
And yet such a move to the cloud environment is absolutely essential for any intelligence system/service should they wish to be considered for inclusion and employment as an active leading player in the Greater Games there, rather than having to settle for playing second fiddle to the shenanigans in a reactive spectator passenger role which is always too little, too late and too revealing of all of one's abiding vulnerabilities for leading player exploitation.
That is just the way that it is in these novel IT Command and Control of Computers and Communications in Creative CyberSpace fields. Deny it is so and be eternally disadvantaged in the lifetime of such a non-realisation of the changes that are reshaping the future for the present to leave the past and embrace what can be rather than what is and was, and would be thought to be managed by corporate heads who would think only/mainly/predominantly of maintaining rapidly failing powers in a current, easily perverted and corruptible status quo.
Live Operational Virtual Environments Rule. Fact and/or Fiction, DARPA?
And there are shedloads of flash cash to splash around for those into making and breaking cyber security protection systems ........ for one cannot defend a system or organisation or algorithm or whatever if one doesn't know where to stealthily attack it to see it destroyed/brought to its knees with no hope or chance of vital recovery to a failed position of ponzi strength/pseudo control ........ http://www.nytimes.com/2012/10/30/science/rethinking-the-computer-at-80.html?_r=0
