2010JohnStrandKeynote pdf

What is Cloud Computing?

- I had to look it up
- I hear about it a lot, but I don’t have a clear concept of what it is
- Straight to the Wiki!

“Cloud computing is Internet-based computing, whereby shared resources, software and information are provided to computers and other devices on-demand, like a public utility.”

- I get it… It is like a Bot-Net!

But What is it?

“It is a paradigm shift..” Uh oh… This is going to be good.

It is a paradigm shift following the mainframe and client-server shifts that preceded it. Details are abstracted from the users who no longer have need of, expertise in, or control over the technology infrastructure "in the cloud" that supports them.[1] Cloud computing describes a new supplement, consumption and delivery model for IT services based on the Internet, and it typically involves the provision of dynamically scalable and often virtualized resources as a service over the Internet.[2][3] It is a byproduct and consequence of the ease-of-access to remote computing sites provided by the Internet.[4]

The term cloud is used as a metaphor for the Internet, based on the cloud drawing used in the past to represent the telephone network [5], and later to depict the Internet in computer network diagrams as an abstraction of the underlying infrastructure it represents.[6] Typical cloud

I Am Letting Wikipedia Write All of My Presentations!

Security could improve due to centralization of data[35], increased security-focused resources, etc., but concerns can persist about loss of control over certain sensitive data, and the lack of security for stored kernels[36]. Security is often as good as or better than under traditional systems, in part because providers are able to devote resources to solving security issues that many customers cannot afford.[37] Providers typically log

But Wait!!!

Did they say “Internet”?

“The term cloud is used as a metaphor for the Internet.”

But the Internet is Evil!!

Let’s set the stage…

- We have to know who it is we are working with
- Who are the people we are defending?
- Who is attacking?
- What are their capabilities?
- What are their means?
- What are the tools we have to defend ourselves?

Your Users

- They are trying to go places they shouldn’t
- Security is not a major concern
- They never get into trouble
  - “It was just a pop-up!”
- They “think” they know what it would look like if they were attacked.
  - No skull and crossbones? Good to go!
- You “think” they are “stupid”

Granny Max

- Loves to gamble
- Likes Polka Dots
- Likes anything with “Polka” in it
- Thinks the CD tray is a coaster
- Collects Gnomes

Phil… From Accounting

- Works with numbers…
  - ... and Terabytes of Porn!
- Has a “slight” problem
- Does not get along with Granny Max
- Hates cats

The “Average” Users

- Does not gamble…
  - … at work
- Does not surf porn…
  - … at work
- Likes: Facebook, YouTube, Politics, eBay, Googling, Fantasy football, Fark, Drudge Report, the Huffington Post, CNN, Amazon
- Dislikes: Web filters

The Bad Guys

- Motivated
  - Can you imagine their HR department?
- Wicked skilled (more on this later)
- They either own or infect many of the sites your more “interesting” users are going to

The Cloud

- The Internet is big…
  - … really big
  - You just won't believe how vastly hugely mind-bogglingly big it is...
- Most of it is worthless.. and Evil!
- Many of your users will

Back to the Ninjas…

- Those “defenses” you have?
  - Yea, about those
- Antivirus
  - Can be bypassed easily
- SSL can be used against you
  - and can be stripped off
- IDS/IPS can be bypassed

Ninja Evil #1: AV

- Last time I was out we bypassed AV with Metasploit
- One of you ratted me out
  - Either that, or I could blame my father..
  - Let’s blame my father
- Now 6 out of about 40 AV Vendors consistently catch Metasploit Virus payloads
  - In .exe form… They still don’t catch the word docs, Java, Javascript, C, Raw, or “other” encodings
  - Uppercase
- In fact… They don’t “catch” the malware… They catch the .exe template

Polypack is a Ninja’s friend

Polypack will automagically pack your executable with 10 packers and check them against 10 major AV vendors.

You can then download the one that bypasses the AV of your choice!!!

The angry calls to AV vendors will continue!!

Ninja Evil #2: SSLStrip

- Another great tool from Moxie Marlinspike
- This tool strips away SSL from the end user
  - Hence the name
- The HTTPS will become HTTP
- No negative feedback to the user
- The vast number of users will not notice
  - Even the very paranoid ones

SSLStrip Walkthrough

SSLStrip: Got one!

SSLStrip: Checking the logs

SSL Strip: /hackme

“But if the attacker is not on my network…?”

- Stop. Right. There.
- They don’t have to be
  - Starbucks
  - Hotels
  - Airports
- Remember Phil and Granny Max?
  - They were using TOR proxies…
  - SSL Strip works great in TOR proxies
  - How much you want to bet they have the synchronized passwords?
- BGP Prefix attacks

BGP Prefix attack

- Announce someone else's Autonomous System Number
  - Just be more specific
- Pakistan Vs. Youtube
  - Pakistan 1, YouTube 0
  - http://news.cnet.com/8301-10784_3-9878655-7.html
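As an added illustration (not part of the original deck), the following models why “just be more specific” works: routers forward on the longest matching prefix, so a /24 carved out of someone else’s /22 wins no matter who announced first. It also shows the RPKI-style origin and max-length check that flags such an announcement, whether it carries a wrong origin AS or a forged one. All prefixes and AS numbers are constructed sample values, not those from the 2008 incident.

```python
"""Added example, not from the original deck: why a more-specific BGP announcement
wins (longest-prefix match) and a ROA-style origin/length check that flags it.
All prefixes and AS numbers are constructed sample values."""
import ipaddress

# Constructed "expected origin" records, in the spirit of RPKI ROAs:
# prefix -> (authorised origin ASN, longest prefix length that origin may announce)
EXPECTED = {"203.0.112.0/22": (64500, 22)}


def best_route(routes, dest):
    """Return the (prefix, origin ASN) a router would forward `dest` to.
    Longest matching prefix wins, regardless of who announced first or how
    big the legitimate block is; that is the whole trick behind the slide."""
    dest = ipaddress.ip_address(dest)
    matches = [(p, asn) for p, asn in routes if dest in ipaddress.ip_network(p)]
    if not matches:
        return None
    return max(matches, key=lambda r: ipaddress.ip_network(r[0]).prefixlen)


def classify(prefix, origin_asn, expected=EXPECTED):
    """Mirror RPKI route-origin validation: 'valid', 'invalid-origin',
    'invalid-length' or 'unknown' (no record covers the prefix)."""
    net = ipaddress.ip_network(prefix)
    covering = [p for p in expected if net.subnet_of(ipaddress.ip_network(p))]
    if not covering:
        return "unknown"
    for p in covering:
        asn, max_len = expected[p]
        if asn == origin_asn and net.prefixlen <= max_len:
            return "valid"
    # A record covers the space but nothing matches: either a wrong origin AS,
    # or the right origin (possibly forged) announcing an unauthorised more-specific.
    if any(expected[p][0] == origin_asn for p in covering):
        return "invalid-length"
    return "invalid-origin"


def audit(announcements, expected=EXPECTED):
    """Flag every announcement in a (prefix, origin ASN) feed that is not valid."""
    flagged = []
    for p, asn in announcements:
        state = classify(p, asn, expected)
        if state != "valid":
            flagged.append((p, asn, state))
    return flagged
```

Origin validation alone does nothing for a hijacker who prepends the victim’s ASN; it is the max-length rule on the more-specific prefix that catches that case, which is why monitoring for unexpected more-specifics of your own space matters even with RPKI deployed.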

But if we fire Phil and Granny Max we are cool… Right?

- Not so fast…
- In 2009 77% of sites that were hosting Malware were “legitimate” sites

Some offenders

- Newsweek
- MLB.com
- Facebook
- MySpace
- CNN
- Every blog site you can think of

The Point…

- If anything touches the Internet assume that it is going to be compromised eventually
- We covered just a few Ninja tricks, but there are many more
  - Obfuscated Javascript and Flash attacks are scary
- If we start with this concept in mind we can adequately model the threats we are facing
- You cannot be too paranoid
- Cloud Computing does not help

Step #1

- Filter and monitor outgoing traffic
  - I know I ripped on this earlier… But stay with me
- Restrict outbound ports
  - Do your users need SSH, FTP, RDP, Telnet?
- Implement Web filters
  - They are at least a start
- Look into Highly Predictive Blacklists
  - For Traffic in and Traffic out

Step #2: Your Users’ Systems

- If they have a firewall…. Turn it on
  - But we are behind our corporate firewall?
  - You are protecting your users from each other
  - If one system gets compromised it does not necessarily mean all of your systems get compromised
- Have a different Local Admin Account password for every workstation
  - Sounds hard?
  - It is not so bad

Step #3: Dealing with the Cloud

- Be careful with what you outsource. Yea.. I said outsource. That is what it is.
- Some things are great!
  - Email, Ping Power Pipe hosting, DNS
- Some things are “less-great”
  - Database processing, Document Management, HR
- Look at the contract

Your Administrators

- Should never, ever go to the Internet with Admin Privileges
- Need to be trained in systems/applications base-lining and hardening and incident identification
  - SANS 564 Security for Systems Administrators
  - This means the security team too!!
- Start talking about what an Internet white-list approach would look like

Conclusions

- The Internet is evil
- You will get compromised

Upcoming SANS Classes

- SANS Security for Systems Administrators
  - http://www.sans.org/security-training/security-architecture-systems-administrators-1312-mid
- PaulDotCom

FIN

- http://pauldotcom.com
- [email protected]
- Twitter: strandjs
- Youtube Videos: strandjsgmail and pauldotcom
