A cloud based and conventional approach
Download
1 / 94

A CLOUD BASED AND CONVENTIONAL APPROACH - PowerPoint PPT Presentation


  • 132 Views
  • Updated On :

A CLOUD BASED AND CONVENTIONAL APPROACH. IW -. by Manu Zacharia MVP (Enterprise Security), ISLA-2010 (ISC)² C | HFI , C | EH, CCNA, MCP, AFCEH, Certified ISO 27001:2005 Lead Auditor Director – Information Security Millennium Consultants. “ Aut viam inveniam aut faciam ” Hannibal Barca.

Related searches for A CLOUD BASED AND CONVENTIONAL APPROACH

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'A CLOUD BASED AND CONVENTIONAL APPROACH' - leighanna


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
A cloud based and conventional approach l.jpg

A CLOUD BASED AND CONVENTIONAL APPROACH

IW -

byManu Zacharia

MVP (Enterprise Security), ISLA-2010 (ISC)²

C|HFI , C|EH, CCNA, MCP, AFCEH,

Certified ISO 27001:2005 Lead Auditor

Director – Information Security

Millennium Consultants

“Aut viam inveniam aut faciam ”

Hannibal Barca


Whoami l.jpg
#whoami

  • I am an Information Security Evangelist

  • For paying my bills – I work as Director – Information Security – US Based Consultants.

  • Awards

    • Information Security Leadership Achievement Award from International Information Systems Security Certification Consortium - (ISC)²

    • Microsoft Most Valuable Professional (Enterprise Security)

  • Author of a Book – Intrusion Alert – An Ethical Hacker’s Guide to Intrusion Detection Systems


Whoami3 l.jpg
#whoami

  • Developed an Operating System from Linux kernel – Matriux – (www.matriux.com) - Asia’s First OS for Hacking, Forensics and Security testing – Open Source & Free 

  • Some certifications:

    • Certified Ethical Hacker (C|EH)

    • Certified Hacking Forensics Investigator (C|HFI)

    • Cisco Certified Network Associate

    • Microsoft Certified Professional

    • Certified ISO 27001:2005 Information Security Management Systems Lead Auditor

  • Extend service to police force as Cyber Forensics Consultant


Whoami4 l.jpg
#whoami

  • Teaching?? – no!!!!! – I don’t teach, I just train and preach:

    • Indian Navy - Signal School , Centre for Defense Communication and Electronic and Information / Cyber Warfare

    • Centre for Police Research, Pune

    • Institute of Management Technology (IMT) – Ghaziabad

    • IGNOU M-Tech (Information Systems Security) – and also an Expert Member – Curriculum Review Committee

    • C-DAC, ACTS (DISCS (the tiger team) & DSSD (hard core guys))

    • Other International Assignments & Hacking Conferences


Disclaimer s l.jpg
Disclaimer(s)

  • The opinion here represented are my personal ones and do not necessary reflect my employers views.

  • Registered brands belong to their legitimate owners.

    • The information contained in this presentation does not break any intellectual property, nor does it provide detailed information that may be in conflict with actual Indian laws (hopefully...) :)


Question l.jpg
Question

  • So what is Cloud Computing?

  • Do you know what is EC2 and S3?

  • How these services could be exploited?


Contents l.jpg
contents

INTRODUCTION

UNDERSTANDING IW

EXPLOITING THE CLOUD

CLOUD FORENSICS

CONCLUSION



Information warfare l.jpg
INFORMATION WARFARE

  • Clue:

    • Kendo (kumdo in korean)


Information warfare10 l.jpg
INFORMATION WARFARE

  • 風- Swift as the wind

  • 林- Quiet as the forest

  • 火- Conquer like the fire

  • 山- Steady as the mountain


Information warfare11 l.jpg
INFORMATION WARFARE

  • Battle strategy and motto of Japanese feudal lord Takeda Shingen( 武田信玄 )(1521–1573 A.D.).

  • Twenty-Four Generals - famous groupings of battle commanders

    • (Takeda Nijūshi-shō )武田二十四将


Information warfare12 l.jpg
INFORMATION WARFARE

  • Came from the Art of War by Chinese strategist and tactician Sun Tzu (Sunzi)

  • A sort of abbreviation to remind officers and troops how to conduct battle


Information warfare13 l.jpg
INFORMATION WARFARE

  • This is what we need in information warfare


Information warfare14 l.jpg
INFORMATION WARFARE

  • “actions taken to achieve information superiority by affecting adversary information, information-based processes, information systems, and computer based networks while defending one's own”

  • The U.S. Joint Chiefs of Staff


Information warfare15 l.jpg
INFORMATION WARFARE

  • “ Information warfare is the use and management of information in pursuit of a competitive advantage over an opponent. ”

  • WIKIPEDIA


Two schools l.jpg
TWO SCHOOLS

  • Two schools of thoughts exists:

    • Military business

    • By some other agencies with the involvement of military


Forms of iw l.jpg
FORMS OF IW

  • Bringing down of financial infrastructure like banks and stock exchange

  • Enemy communication network spoofing and disabling

  • Jamming of TV / Radio

  • Hijacking of TV / radio for disinformation campaign


Types of players l.jpg
TYPES OF PLAYERS

  • State

  • State sponsored agencies / groups

  • Terrorists

  • Underground war-lords and groups

  • Individuals ‘n’ script kiddies


What s the latest happening l.jpg
What’s the latest happening?

  • What’s happening in the Indian Web Space – last 45 days?

  • 14 Aug–Independence day of Pakistan

  • Underground cracking groups

  • http://www.pakcyberarmy.net/

  • http://www.pakhaxors.com/forum.php


What s the latest happening20 l.jpg
What’s the latest happening?

  • The Two Pakistani Cracker Groups reportedly attacked & defaced a dozen of Indian Websites including:

  • http://mallyainparliament.in/ and

  • http://malegaonkahero.com/




What s the latest happening23 l.jpg
What’s the latest happening?

  • On 15 Aug – In return an Indian underground group called as Indian Cyber Army (http://indishell.in) attacked & defaced around 1226 websites of Pakistan.


Mission statement l.jpg
MISSION STATEMENT

  • Mission Statement - IN

  • “Naval orientation and training of recruits to enable accomplishment of their immediate task with self-assurance”.


Mission statement25 l.jpg
MISSION STATEMENT

  • Mission statement – IAF

  • “The mission of the Flight Safety organization of the IAF is to ensure operational capability by conserving human and material resources through prevention of aircraft accidents.”



Look around l.jpg
LOOK AROUND?

  • UK CyberSafe Command

  • PLA – Chinese PLA

  • What happened last December – Jan?



What is cloud computing l.jpg
what is cloud computing?

  • Cloud computing is Internet-based computing, whereby shared resources, software and information are provided to computers and other devices on-demand, like a public utility.


Cloud in simple terms l.jpg
cloud in simple terms

  • Uses the internet and central remote servers to maintain data and applications.

  • Allows consumers and businesses to use applications without installation and access their personal files at any computer with internet access.


3 types of cloud services l.jpg
3 types of cloud services

  • IaaS - Infrastructure-as-a-Service

  • PaaS - Platform-as-a-Service

  • SaaS - Software-as-a-Service


The cloud l.jpg
THE CLOUD

  • Five essential characteristics:

    • on-demand self-service,

    • broad network access,

    • resource pooling,

    • rapid elasticity, and

    • measured service


Slide33 l.jpg
EC2

  • Amazon Elastic Compute Cloud (Amazon EC2)

  • A web service that provides resizable compute capacity in the cloud


Ec2 wikipedia l.jpg
EC2 - wikipedia

  • Allows users to rent computers on which to run their own computer applications.

  • A user can boot an Amazon Machine Image (AMI) to create a virtual machine, which Amazon calls an "instance", containing any software desired.


Ec2 wikipedia35 l.jpg
EC2 - wikipedia

  • A user can create, launch, and terminate server instances as needed, paying by the hour for active servers, hence the term "elastic".


Slide36 l.jpg
S3

  • Amazon S3 (Simple Storage Service) is an online storage web service offered by Amazon Web Services.

  • Provides unlimited storage through a simple web services interface


Slide37 l.jpg
S3

  • $0.15 per gigabyte-month

  • 102 billion objects as of March 2010


Power of cloud l.jpg
POWER OF CLOUD

  • The New York Times used Amazon EC2 and S3 to create PDF's of 15M scanned news articles.

  • NASDAQ uses Amazon S3 to deliver historical stock information.


Exploiting cloud l.jpg
EXPLOITING CLOUD

  • Sample Task

    • Break PGP passphrases

  • Solution

    • Brute forcing PGP passphrases


Exploiting cloud40 l.jpg
EXPLOITING CLOUD

  • Try – ElcomSoft Distributed Password Recovery (with some patches to handle PGP ZIP)

  • Two elements - EDPR Managers & EDPR Agents


Exploiting cloud41 l.jpg
EXPLOITING CLOUD

  • On a fast dual core Win7 box - 2100 days for a complex passphrase.

  • Not acceptable – too long

  • Lets exploit the cloud.


Exploiting cloud42 l.jpg
EXPLOITING CLOUD

  • First things first – Create an Account on Amazon. Credit Card Required 

  • Install Amazon EC2 API Tools on your linux box.

    • sudo apt-get install ec2-api-tools


Exploiting cloud43 l.jpg
EXPLOITING CLOUD

  • Select an AMI (Amazon Machine Image)

  • Example - use a 32 bit Windows AMI - ami-df20c3b6-g


Exploiting cloud44 l.jpg
EXPLOITING CLOUD

  • Start an instance from the Linux shell as follows:

    • ec2-run-instances -k ssh-keypair ami-df20c3b6-g default


Exploiting cloud45 l.jpg
EXPLOITING CLOUD

  • Once the instance is up and running, we enumeratedthe instance ID and public IP address of the running instance with the command

    • ec2-describe-instances


Exploiting cloud46 l.jpg
EXPLOITING CLOUD

  • Wait for the instance status has to change from “pending” to “running”

  • Extract the admin password for the instance

    • ec2-get-password -k ssh-keypair.pem $instanceID


Exploiting cloud47 l.jpg
EXPLOITING CLOUD

  • Configure EC2 firewall to permit inbound RDP traffic to the instance.

    • ec2-authorize default -p 3389 -s $trusted_ip_address/32


Exploiting cloud48 l.jpg
EXPLOITING CLOUD

  • Configure the firewall in front of the EDPR manager system to permit TCP/12121 from anywhere.

  • RDP into the instance & configure EDPR


Exploiting cloud49 l.jpg
EXPLOITING CLOUD

  • Use the administrator password obtained from the ec2-get-password command to login to the instance.


Exploiting cloud50 l.jpg
EXPLOITING CLOUD

  • Install EDPR Agent,

  • Configure the Agent to connect to the Manager.

    • 3 points to configure mainly


Exploiting cloud51 l.jpg
EXPLOITING CLOUD

  • Configure the public IP address or hostname of the EDPR manager you have configured.


Exploiting cloud52 l.jpg
EXPLOITING CLOUD

  • Interface tab - Set the Start-up Mode to "At Windows Start-up".


Exploiting cloud53 l.jpg
EXPLOITING CLOUD

  • Registry hack

  • EDPR creates a pair of registry values which are used to uniquely identify the agent when connecting to the manager.

  • We need to scrub these values – why?


Exploiting cloud54 l.jpg
EXPLOITING CLOUD

  • If we do not edit, every single instance we spawn / initiate will appear to be the same agent to the manager, and the job handling will be totally corrupted.


Exploiting cloud55 l.jpg
EXPLOITING CLOUD

  • HKEY_LOCAL_MACHINE\Software\ElcomSoft\Distributed Agent\UID

    • Set the value of the UID key to null, but DO NOT DELETE THE KEY.


Exploiting cloud56 l.jpg
EXPLOITING CLOUD

  • Let’s bundle the EC2 instance.

  • Remember in cloud, bundle is similar to creating a ‘template’ in VMware terminology.


Exploiting cloud57 l.jpg
EXPLOITING CLOUD

  • Install and configure EC2 AMI Tools

  • Command:

  • ec2-bundle-instance $instance_id -b $bucket_name -p $bundle_name -o $access_key_id -w $secret_access_key


Exploiting cloud58 l.jpg
EXPLOITING CLOUD

  • Remember the values - we need it later to register the bundled AMI.

  • Bundling process runs sysprep on the Windows instance, compress and copies the instance to S3.


Exploiting cloud59 l.jpg
EXPLOITING CLOUD

  • To check the progress of the bundle task, use the command:

    • ec2-describe-bundle-tasks


Exploiting cloud60 l.jpg
EXPLOITING CLOUD

  • Register the bundled AMI, which allows it to be used to run instances:

  • ec2-register $bucket_name/$bundle_name.manifest.xml


Exploiting cloud61 l.jpg
EXPLOITING CLOUD

  • The register command will return an AMI ID, which we will use to spawn instances of the EDPR agent. Example:

    • IMAGE ami-54f3103d


Action time l.jpg
ACTION TIME

  • Start the EDPR manager, and configure the task.

  • to brute an password composed of uppercase letters, lowercase letters, and the numbers 0-9, with a length of between 1 to 8 characters against a PGP ZIP file.



Action time64 l.jpg
ACTION TIME

  • Start a single instance of our EDPR agent with the following command:

  • ec2-run-instances -k $ssh-keypair ami-54f3103d -g default


Action time65 l.jpg
ACTION TIME

  • After the instance status changes from ‘pending’ to ‘running’, the agent will check in with the EDPR manager.


Action time66 l.jpg
ACTION TIME

  • We started it with default parameters

  • EC2 “small” instance

  • Trying 500K keys per second

  • How long will it take?


Action time67 l.jpg
ACTION TIME

  • Whattt???? 3600 days? = 10 years!!!!!


Action time68 l.jpg
ACTION TIME

  • Let’s scale up – deploy 10 additional instances:

  • ec2-run-instances -n 10 -k ssh-keypair ami-54f3103d -g default -t c1.medium


Action time69 l.jpg
ACTION TIME

  • The -n 10 parameter tells EC2 to launch 10 instances.

  • c1.medium instance = “High CPU" instance



Action time71 l.jpg
ACTION TIME

  • Now we have more cracking agents in the party!!!

  • 2+M keys/second

  • So what's the time required now???


Action time72 l.jpg
ACTION TIME

  • Down to 122 days


Action time73 l.jpg
ACTION TIME

  • Kickoff another 89 to hit a century.

  • ec2-run-instances -n 89 -k ssh-keypair ami-54f3103d -g default -t c1.medium

  • Note: Check your EDPR License.


Action time74 l.jpg
ACTION TIME

  • Error:

  • Client.InstanceLimitExceeded: Your quota allows for 9 more instance(s). You requested at least 89


Action time75 l.jpg
ACTION TIME

  • Option 1

  • Request to instance amazon EC2 Instance Limit - http://aws.amazon.com/contact-us/ec2-request/


Action time76 l.jpg
ACTION TIME

  • Option 2

  • Amazon spot instances - allows us to bid on unused Amazon EC2 capacity and run those instances.


Action time77 l.jpg
ACTION TIME

  • Option 3

  • Create custom python script to bypass this limitation


Action time78 l.jpg
ACTION TIME

  • With a couple more of instances, we can reduce it to hours

  • A successful cloud based distributed cracking system.


Cloud forensics l.jpg
CLOUD FORENSICS

  • Mixed Responses

  • Bad guys have started using cloud based services and infrastructure for launching attacks

  • Cloud do provide a good platform for incidence response and forensics investigations


Cloud forensics80 l.jpg
CLOUD FORENSICS

  • By utilizing the inherent features of cloud computing, computer forensic can become an on-demand service under certain circumstances.


Cloud forensics81 l.jpg
CLOUD FORENSICS

  • Regular business and operations are not affected when a cloud environment needs to be forensically examined.

  • Not the case with the traditional infrastructure where the equipments are seized.

  • Cloud Example – Amazon EBS


Cloud forensics82 l.jpg
CLOUD FORENSICS

  • Cloud based forensics took a new turn when Amazon introduced Elastic Block Store (EBS) volumes

  • Enables the user to launch an instance with an Amazon EBS volume that will serve as the root device.


Cloud forensics83 l.jpg
CLOUD FORENSICS

  • When there is a need to preserve a cloud environment, EBS can create an exact replica of the cloud instance & put it on the same cloud for forensics evaluation and examination.

  • Since the forensic investigators will be working with another instance of the environment, the regular operations is not affected in any way.


Cloud forensics84 l.jpg
CLOUD FORENSICS

  • Replication process achieved in few minutes.

  • Forensic evidences are invalid if they are not cryptographically hashed.

  • This can be easily achieved using the on-demand feature of cloud.


Cloud forensics85 l.jpg
CLOUD FORENSICS

  • Replication process achieved in few minutes.

  • Forensic evidences are invalid if they are not cryptographically hashed.

  • This can be easily achieved using the on-demand feature of cloud.


Cloud forensics86 l.jpg
CLOUD FORENSICS

  • The cloud based hashing takes less time and is much faster when you compare it with the traditional cryptographic hashing process.

  • Amazon Web Services is already providing a good forensic feature where it can provide a MD5 hash of every file that is on the cloud system.


Cloud forensics87 l.jpg
CLOUD FORENSICS

  • What this practically means is that when a bit by bit copy is initiated (forensic duplication), you have systems in place which can ensure that you made the exact replica and not even a bit has changed during the replication and copying process.


Cloud forensics88 l.jpg
CLOUD FORENSICS

  • Even though you have all the above services available, cloud forensics is still challenging.

  • Virtualization of various entities like the applications and host systems, which once used to be in-house is now scattered on the cloud.


Cloud forensics89 l.jpg
CLOUD FORENSICS

  • Makes evidence gathering a challenging task

  • Since we are acquiring data from a virtual environment, the forensic investigator should have a clear and precise understanding of how they work and what files are interesting and required to acquire.


Cloud forensics90 l.jpg
CLOUD FORENSICS

  • Near to impossible to acquire the complete hard disk due to various reasons including but not limited to:

    • multiple data owners on the same disk,

    • remote geographical location,

    • jurisdictional difficulties,

    • RAID configurations etc


And finally l.jpg
And finally

  • Questions also arise on the compatibility and reliability of the tools used for investigating cloud forensics - because most of the tools are meant for real time systems and not for virtualized environments.

  • A collaborative and collective effort is required to address what we discussed.


Forum l.jpg
# forum

  • http://chat.theadmins.info

  • or

  • irc://irc.chat4all.org/#theadmis


Contact me l.jpg
# contact me

thank you!



ad