TRISC starts today. Only one of the Agile Admins is up in Dallas today, and there are some pretty good speakers lined up today with some really interesting talks.
I am looking forward to talks on DNSSEC, Pen Testing, and a talk from Robert Hansen.
Stay tuned for more TRISC coverage and in the interim, feel free to follow the coverage on my twitter account.
Filed under Conferences, General, Security
Protecting “Cloud” Secrets With Grendel by Sam Quigley (Square, Inc) and Coda Hale (Yammer, Inc.)
Everyone stores private data. Passwords, credit cards, documents, etc. But also personal conversations, personal histories, usage patternns – that’s all private too. So you store private info – yes you – so how do you protect it? Firewalls and VPNs? Passwords? Bah. They are useful against last decade’s attacks.
Application level attacks are the new hotness – see the OWASP Top 10. What you want to do is encryption. But that’s complex. Veracode has analyzed a lot of apps and crypto problems are the #1 problem.
What do we do? Here’s some ideas.
It is a secure document storage system. Open and does minimal/simple. It does data storage, authentication, and access control using the OpenPGP message format and a RESTful interface, it’s in Java, and uses a normal DB backend.
OpenPGP – mature, flexible. It’s for confidentiality and integrity. It uses asymmetric keys. The keys are stored encrypted with passphrases. The keys are used to encrypt documents to one or more recipients.
REST API – http native. Why REST? For all the reasons everyone uses REST. Ubiquitous, well understood, simple, easily debugged (charles), free features.
Java 1.6 + RDBMS. Java because it’s fast and stable and well understood. Uses hibernate. RDBMS because you already have one.
Grendel is simple. One config file. DB location and password and some c3p0 stuff.
java -jar grendel.jar schema -c database.properties
generates a schema. Three tables; users, documents, and links.
java -jar grendel.jar server -c database.properties -p 8080
starts it.
The API has users, docs, links, and linked docs. JSON based.
You can create a user, which makes a new key set behind the scenes.
You can store a document. PUT /users/name/documents/docname with a basic auth header. It decrypts the user’s keys, signs and encrypts the doc, and stores it.
GET /users/name/documents gets you a JSON list. Or get the document and you get the document (duh).
Then you can link the document to another user to share it with them.
So what’s the big deal?
Self defending data. The data itself enforces the access control rules. And business logic is enforced with math.
He didn’t even mention the brilliance of this related to scenarios like things like subpoenas causing Amazon to give up your S3 data to people…
Authentication done right. It’s hard to do it right. Adaptive hashing. A centralized service model. Resistant to modern attacks.
It makes it “sudo for the Web.” You can grant long lived session coolies, and re-auth for privileged access. Yeah, we do that in general not with encryption… Like Amazon.com remembers you but when it’s purchase time you have to reauth securely.
It also mitigates XSS/CSRF attacks, kinda.
This creates a privacy wall. You the admin are locked out of the data. Insider threat defeated.
In the future…
Support for sessions. OAuth 2.0. And spreading the idea in general!
How is this better than symmetric encryption with the user’s password? Since you’re proxying it anywhere. Because you can’t share then.
I guess one downside is that you can’t see inside the docs to search index, etc.
You could use client side certs instead of passwords right? No.
Does it have support for password change? Yes.
I personally am psyched about this – I think we have a product underway that could really benefit from using it.
Filed under Cloud, Conferences, DevOps, Security
Cloud security, bugbear of the masses. For my last workshop of Velocity Day 1 I went to a talk on that topic. I read some good stuff on it in Cloud Application Architectures on the plane in and could stand some more. I “minor” in security, being involved in OWASP and all, and if there’s one area full of more FUD right now than cloud computing, it is cloud security. Let’s see if they can dispel confusion! (I hope it’s not a fluffy presentation that’s nothing but cloud pictures and puns; so many of these devolve into that.)
Anyway, Ward Spangenberg us Directory of Security operations for Zynga Game Networks, which does Farmville and Mafia Wars. He gets to handle things like death threats. He is a founding member of the Cloud Security Alliance ™.
Gratuitous Definition of Cloud Computing time! If you don’t know it, then you don’t need to worry about it, and should not be reading this right now.
Cloud security is “a nightmare,” says a Cisco guy who wants to sell you network gear. Why? Well, it’s so complicated. Security, performance, and availability are the top 3 rated challenges (read: fears) about the cloud model.
In general the main security fuss is because it’s something new. Whenever there is anything new and uncharted all the risk averse types flip out.
With the lower level stuff (like IaaS), you can build in security, but with SaaS you have to “RFP” it in because you don’t have direct control.
Top threats to cloud computing:
The “process next door” may be acting badly, and with IPs being passed around and reused you can get blacklisted ones or get DoSsed from traffic headed to one. No one likes to share. You could get germs. Anyway, they have to manage 13,000 IPs and whitelisting them is arduous.
You don’t have insight into locations and other “data center level” stuff. Even if they have something good, like a SAS 70 certification, you still don’t have insight into who exactly is touching your stuff. Azure is nice, but have you tried to get your logs? You can’t see them. Sad.
Management tools and development frameworks don’t have all the security features they should. Toolsets are immature and stuff like forensics are nonexistent. And PaaS environments that don’t upgrade quickly end up being a large attack surface for “known vulnerabilities.” You can reprovision “quickly” but it’s not instantaneous.
Stuff like DDoS and botnets are classic abuse. He says there’s “always something behind it” – people don’t just DoS you for no profit! And only IaaS and PaaS should be concerned about it! I think that’s quite an overstatement, especially for those of us who don’t run 13,000 servers – people do DoS for kicks and for someone with 100 or fewer servers, they can be effective at it.
Note “Clobbering the Cloud” from DefCon 17.
XSS, injection, CSRF, all the usual… Use the tools. Validate input. Review code. And insecure crypto, because doing real crypto is hard.
Devs, consultants, and the cloud company. You need redundant checks. Need transparent review.
With a virtualized level, you can always potentially attack through it. Check out Cloudburst and Red Pill/Blue Pill.
Can happen. Do what you would normally do to control it. Encrypt some stuff.
Users aren’t getting brighter. Phishing etc. works great. There’s companies like Damballa that work against this. Malware is very smart in lots of cases, using metrics, self-improving.
Advantages – anonymizing effect, large security investments, pre-certification, multisite redundancy, fault tolerance.
Disadvantages – collateral damage, data & AAA security requirements, regulatory, multi-jurisdictional data stores, known vulnerabilities are global.
Going hybrid public/private helps some but increases complexity and adds data and credential exchange issues.
Advantages: Control of encryption, minimized privileged user attacks, familiar AAA mechanisms, standardized and cross-vendor deployment, full control at VM level.
Disadvantages: Account hijacking, credential management, API security risks, lack of role based auth, full responsibility for ops, and dependence on the security of the virtualization layer.
Advantages: Less operational responsibility, multi-site business continuity, massive scale and resiliency, simpler compliance analysis, framework security features.
Disadvantages: Less operational control, vendor lockin, lack of security tools, increased likelihood of privileged user attack, cloud provider viability.
Advantages: Clearly defined access controls, vendor’s responsible for data center and app security, predictable scope of account compromise, integrationwith directory services, simplified user ACD.
Disadvantages: Inflexible reporting and features, lack of version control, inability to layer security controls, increased vulnerability to privileged user attacks, no control over legal discovery.
If you are using something like Flash that goes in the client, how do you protect your IP? You don’t. Can’t. It’ll get reverse engineered. You can do some mitigations. Try to detect it. Sic lawyers on them. Fingerprint code.
Yes, he plays all their games.
In the end, it’s about risk management. You can encrypt all the data you put in the cloud, but what if they compromise your boxes you do the encryption on, or what if they try to crack your encryption with a whole wad of cloud boxes? Yep. It brings the real nature of security into clearer relief – it’s a continuum of stopping attacks by goons and being vulnerable to attacks by Chinese government and organized crime funded ninja Illuminati.
Can you make a cloud PCI compliant? Sure. Especially if you know how to “work” your QSA, because in the end there’s a lot of judgment calls in the audit process. Lots of encryption even on top of SSL; public key crypt it from browser up using JS or something, then recrypt with an internal only key. Use your payment provider’s facilities for hashing or 30-day authorizations and re-auth. Throw the card number away ASAP and you’re good! Protecting your keys is the main problem in the all-public cloud. (Could you ssh-agent it, inject it right into memory of the cloud boxes from on premise?)
Private cloud vs public cloud? Well, with private you own the infrastructure.
This session was OK; I suspect most Velocity people expect something a little more technical. There weren’t a lot of takeaways for an ops person – it was more of an ISSA or OWASP “technology decisionmaker” focused presentation. If he had just put in a couple hardcore techie things it would have helped. As it was, it was a long list of security threats that are all existing system security threats too. How’s this different? What are some specific mitigations; many of these were offered as “be careful!” Towards the end with the specific IaaS/PaaS/SaaS implications it got better though.
Filed under Cloud, Conferences, DevOps, Security
Recently I was able to give a talk at Austin OWASP about DNS Rebinding. I will be uploading slides and example code on this blog soon, but first an overview of the topic.
The most important portion of this topic is the same origin policy of the browsers. It disallows a user from visiting a site, and then executing JavaScript against their local network. Or, at least that is the idea.
In computing, the same origin policy is an important security concept for a number of browser-side programming languages, such as JavaScript. The policy permits scripts running on pages originating from the same site to access each other’s methods and properties with no specific restrictions, but prevents access to most methods and properties across pages on different sites.
This mechanism bears a particular significance for modern web applications that extensively depend on HTTP cookies to maintain authenticated user sessions, as servers act based on the HTTP cookie information to reveal sensitive information or take state-changing actions. A strict separation between content provided by unrelated sites must be maintained on client side to prevent the loss of data confidentiality or integrity. Excerpt from Wikipedia
DNS Rebinding overrides same origin policy so that the client believes it is talking to the same host when it really isn’t. The browser accesses sortabadsite.com and at first is getting legitimate responses from it. Shortly after the first requests (initial page load) are made, all communication is dropped and the browser will make a call back to DNS. At this point the IP address for the domain is swapped (maybe with 127.0.0.1) and the client is now running XHR (XML HTTP Requests) against the localhost. There are some interesting vectors that this can go and will be explored in future posts.
Check back at this blog for a video demo, slide deck and future plans for new code. Right now I am working on writing a DNS Rebinder application in Ruby that includes DNS, a firewall and a web server (or hooks into them). If you are interested, let me know. Gmail: wickett
I would be amiss if I didnt mention RSnake’s work on DNS Rebinding over ha.ckers.org. Check it out!
Filed under Security
the agile admin 