Top Cloud Threats v2.0 Cloud Security Alliance Michael Sutton, VP Research, Zscaler Dan Hubbard, CTO, Websense
Project Purpose
– Engage experts and the broader community to identify the top security threats for cloud computing
– Educate cloud providers and consumers on mitigating risk when deploying or adopting cloud computing
Participants
Leaders: Michael Sutton & Dan Hubbard
Team: Amer Deeba, Andy Dancer, Brian Shea, Craig Balding, Dennis Hurst, Glenn Brunette, Jake Lee, Jason Witty, Jim Reavis, John Howie, Josh Zachry, Ken Biery, Martin Roesler, Matthew Becker, Mike Geide, Scott Matsumoto, Scott Morrison, William Thornhill, Wolfgang Kandek, Archie Reed, Daniele Cattedu, Dave Cullinane, Giles Hogben, Gunter Ollmann, Jens Jensen, Joshua Pennell, Nils Puhlmann, Rick Howard
Top Threats for Cloud Computing v1
Goal: Identify malicious use and abuse of cloud computing technologies
7 Deadly Sins of Cloud Security:
– Shared Technology Vulnerabilities
– Account/Service Hijacking
– Data Loss/Data Leakage
– Malicious Insiders
– Interception or Hijacking of Traffic
– Nefarious Use of Service
– Insecure APIs
– DDoS
Shared Technology Vulnerabilities
Description: Exposed hardware, operating systems, middleware, application stacks and network components may possess known vulnerabilities
Impact: Successful exploitation could affect multiple customers at once
Example: Cloudburst, Kostya Kortchinsky (Black Hat 2009): arbitrary code execution vulnerability identified in the VMware SVGA II device, a virtualized PCI display adapter
Cloudburst
Research: Kostya Kortchinsky, Immunity (Black Hat 2009)
Goal: Execute code on the host environment from a guest VM
“VMware isn’t an additional security layer. It’s just another layer to find bugs in.” – Kostya Kortchinsky
Vulnerability: VMware SVGA II, a virtualized PCI display adapter
– Present in VMware Workstation, Player, Server and ESX
– Runs on the host, accessible by the guest
– Memory is shared between host and guest
Cloudburst
Kostya Kortchinsky, Immunity (Black Hat 2009)
#define SVGA_CMD_RECT_COPY
/* FIFO layout: Source X, Source Y, Dest X, Dest Y, Width, Height */
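To make the bug class on this slide concrete, here is an added example in Python; it is a toy model written for this page, not Kortchinsky's exploit and not VMware's device code. A host-side handler executes a guest's RECT_COPY command against a framebuffer that lives in host memory and is immediately followed by other host data. The FIFO field order follows the slide; the command id value, the framebuffer dimensions, the one-byte-per-pixel layout and the "HOSTDATA" bytes that follow the framebuffer are assumptions of the model.

```python
import struct

# Assumed values for this model; they are not taken from VMware's headers.
SVGA_CMD_RECT_COPY = 3
FB_WIDTH, FB_HEIGHT = 16, 8                 # framebuffer in pixels, one byte per pixel here
FB_SIZE = FB_WIDTH * FB_HEIGHT
HOST_TAIL = b"HOSTDATA" * 4                 # stand-in for host memory that follows the framebuffer

# One FIFO command: command id, then the six fields in the order given on the slide.
FIFO_CMD = struct.Struct("<7I")


def new_host_memory() -> bytearray:
    """Host address space as the device emulator sees it: framebuffer, then other host data."""
    return bytearray(FB_SIZE) + bytearray(HOST_TAIL)


def encode_rect_copy(src_x, src_y, dst_x, dst_y, width, height) -> bytes:
    """What the guest writes into the FIFO. Every field is guest-controlled."""
    return FIFO_CMD.pack(SVGA_CMD_RECT_COPY, src_x, src_y, dst_x, dst_y, width, height)


def _do_copy(mem: bytearray, src_x, src_y, dst_x, dst_y, width, height) -> None:
    """Row-by-row copy that trusts the offsets it is given, like a memcpy loop in C."""
    for row in range(height):
        src = (src_y + row) * FB_WIDTH + src_x
        dst = (dst_y + row) * FB_WIDTH + dst_x
        mem[dst:dst + width] = mem[src:src + width]


def handle_fifo_vulnerable(mem: bytearray, fifo: bytes) -> str:
    """Vulnerable handler: guest coordinates are used as host memory offsets unchecked."""
    cmd, *rect = FIFO_CMD.unpack_from(fifo)
    if cmd != SVGA_CMD_RECT_COPY:
        return "ignored"
    _do_copy(mem, *rect)
    return "copied"


def handle_fifo_hardened(mem: bytearray, fifo: bytes) -> str:
    """Hardened handler: validate the whole rectangle before touching memory.

    The extent test is written as `width > FB_WIDTH - x` rather than
    `x + width > FB_WIDTH`; in C the latter can be defeated by making the
    32-bit addition wrap around, the former cannot.
    """
    cmd, src_x, src_y, dst_x, dst_y, width, height = FIFO_CMD.unpack_from(fifo)
    if cmd != SVGA_CMD_RECT_COPY:
        return "ignored"
    for x, y in ((src_x, src_y), (dst_x, dst_y)):
        if x >= FB_WIDTH or y >= FB_HEIGHT:
            return "rejected: origin outside framebuffer"
        if width > FB_WIDTH - x or height > FB_HEIGHT - y:
            return "rejected: rectangle extends past framebuffer"
    _do_copy(mem, src_x, src_y, dst_x, dst_y, width, height)
    return "copied"


def guest_attack(handler) -> bytes:
    """Guest fills row 0 with 'A', then asks for that row to be copied one row past the end.

    Returns the first bytes of the host data that follows the framebuffer.
    """
    mem = new_host_memory()
    mem[0:8] = b"A" * 8                                    # the guest can write its own framebuffer
    fifo = encode_rect_copy(0, 0, 0, FB_HEIGHT, 8, 1)      # dst_y == FB_HEIGHT: one row too far
    handler(mem, fifo)
    return bytes(mem[FB_SIZE:FB_SIZE + 8])


if __name__ == "__main__":
    print("vulnerable:", guest_attack(handle_fifo_vulnerable))   # b'AAAAAAAA': host data overwritten
    print("hardened:  ", guest_attack(handle_fifo_hardened))     # b'HOSTDATA': untouched
```

The point of the model is the trust boundary, not the arithmetic: everything in the FIFO is written by the guest, so every field must be validated against the host-side buffer before it is used as an offset, and the validation must be written so that it cannot itself be wrapped around in C.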
Account / Service Hijacking
Description: Attacker gains access to account credentials in order to eavesdrop on transactions, manipulate data, return falsified information and/or redirect requests
Impact: Access to confidential data, reputational damage and potential legal consequences due to malicious use of resources
Example: Hackers find a home in Amazon's EC2 cloud (InfoWorld): Zeus botnet C&C servers found running on compromised accounts
MobileMe – Enumerating Accounts
Background: Apple’s MobileMe, by default, exposes a public web directory for every new user, named after the username. The directory can be password protected, but this requires a user-initiated change, and the URL remains exposed either way
Risk: Exposing usernames provides a simple mechanism for enumerating accounts; enumerated accounts could then be brute forced or have their passwords reset
Experiment: Enumerate accounts using the most popular baby names of 2009
MobileMe – Enumerating Accounts
69% of accounts verified
MobileMe – Password Reset
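The experiment above, and the log-side check a provider would want for it, as an added example in Python (not the presenters' tooling). The `leaky_probe` stand-in plays the role of requesting a per-user public directory; the set of existing accounts, the candidate name list and the web-server log lines are constructed for the example, and the 69% hit rate on the slide is not modelled.

```python
from __future__ import annotations

import re
from collections import defaultdict
from typing import Callable, Iterable

# Constructed stand-in for the service: the accounts that exist.
EXISTING_ACCOUNTS = {"jacob", "emma", "ethan", "olivia"}


def leaky_probe(username: str) -> int:
    """Stand-in for requesting http://host/<username>/ on a service that publishes
    one public directory per user: 200 if the account exists, 404 if it does not."""
    return 200 if username in EXISTING_ACCOUNTS else 404


def uniform_probe(username: str) -> int:
    """Same request against a service that answers identically whether or not the
    account exists (for example a generic landing page for every name)."""
    return 200


def enumerate_accounts(candidates: Iterable[str], probe: Callable[[str], int]) -> tuple[list[str], float]:
    """Try each candidate name and return (names that answered 200, fraction verified).

    Any observable difference between existing and non-existing names works as
    the oracle: status code, a redirect, response size or timing. Against a
    service that answers uniformly the fraction is 1.0 and carries no information.
    """
    names = list(candidates)
    found = [name for name in names if probe(name) == 200]
    return found, (len(found) / len(names) if names else 0.0)


# Constructed Common Log Format lines: one client walks a name list, another just visits a friend.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2010:12:00:01 +0000] "GET /jacob/ HTTP/1.1" 200 512
203.0.113.7 - - [10/Mar/2010:12:00:01 +0000] "GET /liam/ HTTP/1.1" 404 0
203.0.113.7 - - [10/Mar/2010:12:00:02 +0000] "GET /emma/ HTTP/1.1" 200 512
203.0.113.7 - - [10/Mar/2010:12:00:02 +0000] "GET /noah/ HTTP/1.1" 404 0
203.0.113.7 - - [10/Mar/2010:12:00:03 +0000] "GET /ava/ HTTP/1.1" 404 0
203.0.113.7 - - [10/Mar/2010:12:00:03 +0000] "GET /ethan/ HTTP/1.1" 200 512
203.0.113.7 - - [10/Mar/2010:12:00:04 +0000] "GET /sophia/ HTTP/1.1" 404 0
203.0.113.7 - - [10/Mar/2010:12:00:04 +0000] "GET /mason/ HTTP/1.1" 404 0
198.51.100.2 - - [10/Mar/2010:12:00:05 +0000] "GET /emma/ HTTP/1.1" 200 512
198.51.100.2 - - [10/Mar/2010:12:00:09 +0000] "GET /emma/photos/ HTTP/1.1" 200 2048
"""

# Client IP, first path segment of a GET/HEAD under a per-user directory, and the status code.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) /([^/\s]+)/\S* HTTP/[\d.]+" (\d{3})')


def find_enumerators(log_text: str, min_users: int = 5, min_miss_ratio: float = 0.5) -> dict[str, dict]:
    """Flag client IPs that touch many distinct user directories with mostly 404s.

    Legitimate visitors hit a few existing directories; an enumerator hits many
    names and most of them do not exist.
    """
    per_ip = defaultdict(lambda: {"users": set(), "requests": 0, "misses": 0})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, user, status = m.group(1), m.group(2), int(m.group(3))
        stats = per_ip[ip]
        stats["users"].add(user)
        stats["requests"] += 1
        stats["misses"] += status == 404
    return {
        ip: {"distinct_users": len(s["users"]), "miss_ratio": s["misses"] / s["requests"]}
        for ip, s in per_ip.items()
        if len(s["users"]) >= min_users and s["misses"] / s["requests"] >= min_miss_ratio
    }
```

Run `enumerate_accounts(wordlist, leaky_probe)` to reproduce the attacker's view and `find_enumerators(SAMPLE_LOG)` for the defender's; the detector is deliberately coarse (distinct names per source plus miss ratio) because the real fix is removing the oracle, which `uniform_probe` illustrates: once every name answers the same way the "verification rate" becomes 1.0 and tells the attacker nothing.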
Data Loss / Data Leakage
Description: Data compromise due to improper access controls or weak encryption; poorly secured data is at greater risk in a multi-tenant architecture
Impact: Data integrity and confidentiality
Example: Hey, You, Get Off of My Cloud: Exploring Information Leakage in Third-Party Compute Clouds (UCSD/MIT): research detailing techniques for getting an attacker’s VM placed on the same physical hardware as a victim’s, then leveraging cross-VM attacks to leak data
MediaMax – Inactive Accounts
“MediaMax / The Linkup: When the cloud fails”, by Michael Krigsman, August 27, 2008, 9:55am PDT:
Online storage service MediaMax, also called The Linkup, went out of business following a system administration error that deleted active customer data. The defunct company leaves behind unhappy users and raises questions about the reliability of cloud computing. … As with most failures, this story is fraught with complications and contradictions. Besides finger pointing and back-biting, which I suppose is to be expected, confusing corporate relationships coupled with a seemingly bizarre level of process and technical carelessness lend a weird flavor to the whole mess.
MediaMax Failures
Situation:
– MediaMax was shutting down and migrating data to the successor company The Linkup
– During the migration process, account cleanup wiped out legitimate accounts that were not recovered
– Data was permanently lost and paying customers were not reimbursed
MediaMax statement: "It was not possible to satisfactorily complete the move of files from MediaMax to The Linkup as we had expected…"
Failures:
– A single admin had the ability to permanently delete data
– Inadequate testing prior to migration
– No backup!!!
Microsoft – Lost Sidekick Data
“Microsoft Recovers Lost Sidekick Data”, October 15, 2009, 5:07 p.m. ET, by Roger Cheng:
Microsoft Corp. said Thursday that it has been able to recover the personal customer data lost from many of T-Mobile USA's Sidekick devices. The Redmond, Wash., software giant said that most, if not all, customer data was recovered, and that the company would begin restoring data as soon as it has validated it. The company said it will start with personal contacts, and move on to the lost calendar, notes, tasks and pictures as quickly as possible.
Malicious Insiders
Description: Employees of the cloud vendor may abuse privileges to access customer data or functionality; reduced visibility into the vendor’s internal processes may inhibit detection of the breach
Impact: Data confidentiality and integrity; reputational damage; legal repercussions
Example: Google Investigates Insider Threat After China Hack (eWeek): “Google is investigating whether some of its own staff are behind the repeated attempts to hack into the Gmail accounts of Chinese human rights activists”
Google Fires Snooper
“Google fires employee for snooping on users”, September 16, 2010, by Jessica Guynn, Los Angeles Times:
The Internet search giant says the software engineer broke its 'strict internal privacy policies.' He allegedly accessed information about four teenagers.
Reporting from San Francisco — Google Inc. fired a software engineer for snooping on its users' private information, the Internet search giant confirmed Wednesday. The 27-year-old employee, David Barksdale, allegedly accessed information about four teenagers he met through a Seattle technology group, according to gossip website Gawker, which reported the incident Tuesday.
Google Response
“We dismissed David Barksdale for breaking Google’s strict internal privacy policies. We carefully control the number of employees who have access to our systems, and we regularly upgrade our security controls–for example, we are significantly increasing the amount of time we spend auditing our logs to ensure those controls are effective. That said, a limited number of people will always need to access these systems if we are to operate them properly–which is why we take any breach so seriously.”
– Bill Coughran, Senior VP of Engineering
Facebook Master Password
“Purported Interview With Facebook Employee Details Use Of 'Master Password'”, Jason Kincaid, Jan 11, 2010:
Earlier today, The Rumpus published a very revealing interview with someone claiming to be a Facebook employee. The interview covers a variety of subjects, including privacy restrictions at the world’s largest social network and some of the technological hurdles the site has to deal with. The biggest revelations? That Facebook collects more data about your habits than you may realize, and that there was once a ‘master password’ that would grant employees access to anyone’s Facebook profile — a password that some employees abused.
Interception or Hijacking of Traffic
Description:
– Internal: compromising a host to sniff or redirect traffic for multiple clients
– External: redirecting traffic destined for the cloud, thereby impacting multiple clients
Impact: Data confidentiality and integrity; reputational damage; denial of service; financial loss
Example: Internal Twitter Credentials Used in DNS Hack, Redirect (Wired): Twitter’s website…redirected to a defacement page. Twitter acknowledged...its DNS records “were temporarily compromised.”
Twitter DNS Redirection
“Internal Twitter Credentials Used in DNS Hack, Redirect”, by David Kravets, December 18, 2009, 1:04 pm:
Twitter’s website went offline for about an hour Thursday, with many tweeters redirected to a defacement page boasting “This site has been hacked by Iranian Cyber Army.” Twitter acknowledged the 10 p.m. takeover, one in a series of security lapses to hit the popular microblogging service. Twitter said its DNS records “were temporarily compromised.” Tom Daly, chief technology officer at Dyn, a New Hampshire-based DNS company that services Twitter, said somebody using a “set of valid Twitter credentials” redirected the site.
Insecure APIs
Description: APIs designed to permit access to functionality and data may be vulnerable or improperly used, exposing applications to attack; Web 2.0 is the platform for the cloud
Impact: Data confidentiality and integrity; denial of service
Example: P0wning the Programmable Web (Websense, AusCERT 2009): 80% of tested applications were not using the security available in the APIs (e.g. unencrypted traffic, basic authentication); demonstrated CSRF, MITM and data leakage attacks
The programmable web is run in the cloud & The cloud is programmed by the web
Insecure APIs
We analyzed a dozen popular Twitter apps, gadgets, Facebook apps and mashups, and more than 80% are NOT utilizing the security provided via authentication and encryption!!!
Insecure APIs
The programmable web is…
– Straightforward to develop solutions for
– Often anonymous or “frictionless”
– Accessible from anywhere
– Usable by almost anyone
– Usable on anything (it’s the web, after all)
Insecure APIs
Threats to the programmable web:
– Man-in-the-middle attacks (MITM)
– Message replay attacks
– Identity spoofing
– Message alteration
– Confidentiality and privacy leaks
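The "auth" half of the security these apps were not using, as an added example in Python that is not code from the talk or from any of the APIs it mentions: a signed-request scheme in which the client HMACs a canonical form of the request together with a timestamp and a nonce, and the server checks freshness, signature and replay in that order. The header names, the key id, the shared secret, the endpoint path and the clock values are all assumptions of the example.

```python
import hashlib
import hmac
import json

MAX_SKEW_SECONDS = 300          # how far a request's timestamp may drift from server time


def canonical_request(method: str, path: str, query: dict, body: bytes, timestamp: int, nonce: str) -> bytes:
    """One unambiguous byte string covering everything the signature must protect."""
    body_hash = hashlib.sha256(body).hexdigest()
    query_string = "&".join(f"{k}={v}" for k, v in sorted(query.items()))
    return "\n".join([method.upper(), path, query_string, body_hash, str(timestamp), nonce]).encode()


def sign_request(key_id: str, secret: bytes, method: str, path: str, query: dict, body: bytes,
                 *, now: int, nonce: str) -> dict:
    """Client side: produce the auth headers for one request."""
    mac = hmac.new(secret, canonical_request(method, path, query, body, now, nonce), hashlib.sha256)
    return {"X-Key-Id": key_id, "X-Timestamp": str(now), "X-Nonce": nonce, "X-Signature": mac.hexdigest()}


class ApiServer:
    """Server side: key lookup, freshness window, signature check, then replay check."""

    def __init__(self, keys: dict):
        self.keys = keys                      # key_id -> shared secret
        self.seen = {}                        # (key_id, nonce) -> time after which it may be forgotten

    def verify(self, method, path, query, body, headers, *, now: int) -> str:
        key_id = headers.get("X-Key-Id")
        secret = self.keys.get(key_id)
        if secret is None:
            return "reject: unknown key id"
        try:
            ts = int(headers["X-Timestamp"])
            nonce, sig = headers["X-Nonce"], headers["X-Signature"]
        except (KeyError, ValueError):
            return "reject: missing auth headers"
        if abs(now - ts) > MAX_SKEW_SECONDS:
            return "reject: stale timestamp"
        expected = hmac.new(secret, canonical_request(method, path, query, body, ts, nonce),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return "reject: bad signature"         # altered message or spoofed sender
        # Only signed, fresh requests reach the replay cache, so an attacker cannot fill it.
        self.seen = {k: exp for k, exp in self.seen.items() if exp > now}
        if (key_id, nonce) in self.seen:
            return "reject: replayed nonce"
        self.seen[(key_id, nonce)] = ts + MAX_SKEW_SECONDS
        return "accept"


def run_scenarios() -> dict:
    """Legitimate call, tampered body, replay, stale request and wrong key, in that order."""
    server = ApiServer({"app-42": b"s3cret-shared-key"})          # assumed credentials
    now = 1_268_000_000                                            # fixed clock for the demo
    path, query = "/statuses/update", {"format": "json"}
    body = json.dumps({"status": "hello from my mashup"}).encode()
    headers = sign_request("app-42", b"s3cret-shared-key", "POST", path, query, body, now=now, nonce="nonce-1")
    results = {}
    results["legit"] = server.verify("POST", path, query, body, headers, now=now + 2)
    tampered = json.dumps({"status": "follow evil.example"}).encode()      # MITM edits the body
    results["altered_body"] = server.verify("POST", path, query, tampered, headers, now=now + 3)
    results["replay"] = server.verify("POST", path, query, body, headers, now=now + 4)   # same headers again
    old = sign_request("app-42", b"s3cret-shared-key", "POST", path, query, body, now=now - 3600, nonce="nonce-2")
    results["stale"] = server.verify("POST", path, query, body, old, now=now)
    forged = sign_request("app-42", b"guessed-key", "POST", path, query, body, now=now, nonce="nonce-3")
    results["spoofed"] = server.verify("POST", path, query, body, forged, now=now)
    return results
```

`run_scenarios()` walks the four threats from the list above: alteration and spoofing fail the signature, replay fails the nonce check, and a captured request cannot be reused later because the timestamp is signed. Note what this does not do: the signature covers integrity and origin only, so the body is still readable on the wire; the "encryption" half of the slide is TLS, and the two are needed together.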
Insecure APIs
Example of Open Graph being compromised and redirecting users
Abuse and Nefarious Use
Description: The cloud offers virtually unlimited computing power; what can be used for good can also be used for bad
Impact: Attackers can use the cloud for their own purposes
Examples: DDoS, password cracking, crypto breaking, hosting malicious code, controlling bots, updating code
Abuse and Nefarious Use Hosting attacker toolkits for user infections, updating code, and control and statistics portal
Abuse and Nefarious Use
Twitter and other web services have been used for command and control of bots
Abuse and Nefarious Use
Using Google’s search platform to poison search results: ~15% of searches for hot trends end up at malicious websites. Attackers use web APIs (hot trends, topics, tweets) and data mining to pick their targets
Abuse and Nefarious Use
Bees with Machine Guns: “Keep in mind that this is essentially a DoS attack. Launch it against a site that isn’t yours and very bad things will happen to you. But for testing your own site’s performance, Bees with Machine Guns is awesome — all you need is an EC2 account and the script.”
Abuse and Nefarious Use: malicious hosts found on cloud providers (out of 2,208 IPs)
Amazon: 1 of 2,208 IPs (fake AV)
Rackspace: 13 of 2,208 IPs
– generatorservices.in (exploits)
– fabvid.com (exploits)
– soundcomputers.net (directs to exploits)
– down-south.com (directs to exploits)
– pics.imagephun.com (CRiMEPACK)
– ashtartours.com (directs to exploits)
– admincareers.com, alkarmel.com.jo, allwebjobs.com, an-inconvenient-truth.com, crowncraftsinc.com, espdesign.com.au, expojordan.com.jo, infoportsolutions.com (direct to exploits)
– white.be (RFI)
– lasvegasusacasino.com (Casino.Adware)
– adware-2009.com (fake antivirus)
– (fake antivirus)
– (directs to exploits)
– antiadwarepro.com (rogue)
Abuse and Nefarious Use
Other examples of potential abuse:
– Password and encryption cracking
– Data warehousing of large amounts of data and identities
– DDoS (discussed later)
– Hosting malicious files and phishing pages
– Hiding behind services for data mining
– Breaking CAPTCHAs or other security checks
Top Threats for Cloud Computing v2
Goal: Identify malicious use and abuse of cloud computing technologies
8 Deadly Sins of Cloud Security?
– Shared Technology Vulnerabilities
– Account/Service Hijacking
– Data Loss/Data Leakage
– Insecure APIs
– Malicious Insiders
– Interception or Hijacking of Traffic
– Nefarious Use of Service
– Distributed Denial of Service Attacks (DDoS)
Distributed Denial of Service
Description: DDoS was the threat most often suggested by survey respondents that was not on our top list; it is a subset of abuse and nefarious use
Impact: Attackers can use the cloud for their own purposes
Examples: Taking down web sites, services, etc.
Distributed Denial of Service
Process:
– Used Twill for automated account generation
– Instances limited to 20 per user
– Each instance created new user accounts, each of which generated 20 more instances
– No CAPTCHA required
– A single credit card was used for all instances
Outcome:
– A cycle to generate 20 accounts took 3 minutes
– In 10 minutes, thousands of instances were running
– Distributed clouds mean more power
Distributed Denial of Service
– Attacks could be launched from different zones, geographies and services to help thwart takedowns
– The attacker could be shut down, but the damage would already be done and the IP space would now be blacklisted
– Another variant is a financial DDoS against an IaaS customer who pays per use; this is much harder to stop and to detect
Future Candidates to Think About
All things cloudy:
Mobile / Tablets
– Application hacking
– Location-based service hacking
– Eavesdropping
Social hacking
– Location-based service hijacking
– “Meatspace” attacks
– Hacking the social graph
– Hacking social trust
– Vendor misuse or abuse
Co-operation is the new control
CSA TOP THREATS SURVEY Feedback from the masses
Survey Overview
– Solicited feedback from cloud providers and consumers
– Survey promoted through technical blogs, on the CSA website and at the RSA CSA Cloud Security Summit
– Received more than 300 responses to the survey
– Survey open from January to March 2010
Survey Highlights: Demographics (chart of respondents by number of employees, from Small Business to 10,000; not reproduced)
Top Survey Statistics: Data Leakage
82% of respondents believe that the likelihood of data leakage in the cloud is possible, likely or frequent.
Top Survey Statistics: Malicious Insiders
76% of respondents believe that the likelihood of malicious insiders in the cloud is possible, likely or frequent.
Survey Results
Rank  Threat                                        Percentage
1     Data Loss/Leakage                             26.5%
2     Abuse and Nefarious Use of Cloud Computing    19.4%
3     Insecure APIs                                 14.2%
4     Malicious Insiders                            12.9%
5     Account/Service and Traffic Hijacking         12.3%
6     Unknown Risk Profile                           8.4%
7     Shared Technology Vulnerabilities              6.5%
Status
Revisions: The top threats list will be updated twice per year
Process:
– Recommended changes will be solicited from CSA participants
– Recommendations will be summarized and submitted to judges for review
– Judges will vote on any recommended changes
Participate! Improve the Top Threats!
Participation
Propose new ‘threat templates’:
– Description of threat
– Pertinent examples
– Impact
– Remediation
Comment on existing threats; recommend additions/deletions
Questions
Michael Sutton, VP, Security Research, Zscaler
Dan Hubbard, CTO, Websense