www. S D Linux.com » security

Cloudy with a Chance of Pain: IT Security in the Cloud

pacneil — Tue, 12 Oct 2010 18:01:45 +0000

The promise of cloud computing is very compelling. Just listen to the pitch for hybrid clouds: “If your organization needs more computing resources, why purchase extra hardware? Just set up a connection to a public cloud, use the extra machines to your heart’s content, and stop using them when your needs are satisfied.”

Sounds nice, doesn’t it? To be sure, the advantages of any type of cloud computing, be it completely private and internal, public and external, or something in-between, are very real. But there’s potentially a big difference between the promise of instantly expanding your company’s infrastructure and the reality of getting your systems and the cloud’s completely and securely talking to each other.

Thinking about this on the network level alone brings up some daunting questions: if your organization is a public company, you can’t just trustingly connect to a public cloud infrastructure. Your company may have procedural and even regulatory security requirements to meet that would prevent such connections.

SCAP: computer security for the rest of us.

pacneil — Tue, 12 Oct 2010 17:33:47 +0000

by Gunnar Hellekson

I’m setting up a new computer. I get through the registration screens, install my software, change my wallpaper, and everything’s working fine. I’m left, though, with a lingering, uneasy feeling: I don’t know if this machine is secure. I’m a computer guy, so I know how to set up strong passwords and firewalls, but I’m still not sure if I’ve done everything right. I turn to my vendor, who has hopefully published a hardening guide. If I’m very enthusiastic, I might even follow the NSA’s Security and Network Analysis Center Guides. If I do any of these things, I’m already being more diligent that 95% of users out there. And that’s a problem.

Personal responsibility and its sworn enemy, “I have something better to do.”

E-voting machines compromised

pacneil — Fri, 14 Aug 2009 23:11:57 +0000

Researchers at University of California San Diego, Princeton University and University of Michigan have demonstrated a method to compromise and alter the tallies of Sequoia AVC Advantage voting machines. They presented their results at the Usenix 2009 Electronic Voting Workshop, held in Montreal this week. They used a method called return-oriented programming to modify voting tallies on the machines. The did this without access to the source code or the hardware designs.

Quoting from an article in The Register:

Sequoia and manufacturers of other brands of e-voting machines frequently discount vulnerability research into their products by pointing out that the underlying source code is closely guarded. Researchers in many studies, they argue, have unrealistic access to the devices’ inner workings.

“What we have shown or what I hope we have shown in this paper is that that criticism in untrue,” Hovav Shacham a professor at UC San Diego, told The Register. “It might take a little more work if we don’t have the source, but nevertheless we’re able to find vulnerabilities and exploit them in useful ways in machines where the only access we have is the physical artifacts themselves.”

The same method has demonstrated to defeat security measures in Linux, OpenBSD and Solaris. In return-oriented programming snippets of benign code are combined to produce malicious behaviour. The researchers were even able to demonstrate that they could alter the outcome of elections, using this method.

The development, certification and procurement cycle for voting machines is slow. The design of the Sequia AVC Advantage dates back to the early 80′s and many are still used in New Jersey, Louisiana, and elsewhere. The machines used to develop and test the exploit were bought at a Buncombe County North Carolina government surplus auction web site.

Using bright lights, magnifying glasses, a low voltage continuity tester and data sheets for the components, team members were able to develop a circuit diagram of the hardware of the voting machine. From that they were able to deduce how the unit worked. Then they used a disassembler to fill in the remaining details.

Joshua Herback used the hardware functional specifications to develop a simulator, which other team members then improved upon. The exploit was completely developed on the simulator, returning to the actual hardware only to verify the exploit. The exploit worked the first time they tried it.

The researchers have demonstrated that newly developed methods for exploiting systems put otherwise secure systems at risk.

XML Flaws disclosed

pacneil — Fri, 07 Aug 2009 20:04:39 +0000

One of the core components of interactive web services was found to have serious programming flaws. An exploit of these flaws has the potential for anything from denial of service to sending of malicious documents to seize control of users computers. XML is used in all types of web services, including banking, desktop programs and cloud computing applications. Extensible Markup Language is the markup system that allows applications to exchange data.

Researchers at Codenomicon Ltd., a security testing company from Oulu, Finland, say they found multiple critical flaws in XML libraries, code that is used and re-used to process XML data. They used CROSS, or Codenomicon Robust Open Source Software, to test libraries failure modes. By inputting manipulated data into XML libraries Codnomicon tested their ability to contend with corrupted data. The results were disconcerting.

The Codenomicon researches said:

Early this year (2009) we released some of our first XML-based tools to the market and used XML fuzzing technology against a set of open source XML implementations. The result was that once again, everything broke.

These XML libraries are used in cloud computing services, 3-dimensional programs, and a wide range of business software. RSS feeds, openoffice documents and all types of programs that exchange data, use these libraries. XML libraries are linked both statically and dynamically. XML is coded directly into applications and parsers are implemented directly in application software. Parsers and applications coded in the C language are especially vulnerable, since stack overflow errors in C are not uncommon. There may be millions of applications using XML and XML parsers.

The XML flaws can be attacked both locally and remotely. Malformed network requests could cause application to go into loop and become unavailable. When remote communication is involved remote exploits are possible. Social networking sites and nearly all interactive web sites use some type of XML. Malicious code can be embedded inside documents, web sites or even data streams.

Nearly every sector of the economy is effected by this flaw. Banking, Manufacturing, Retail, Health Care, Government, Electric/Gas/Water Network Companies all use XML for data interchange and communication.

Sun Microsystems, Apache Software Foundation and Python Software Foundation have all announced patches and fixes for found vulnerabilities in their software.

Codenomicon said:

We cannot discuss the security of commercial XML products or library versions within the CROSS project, as the project is intended to benefit the open source community only.

Linux Security Updates

pacneil — Wed, 05 Aug 2009 22:42:24 +0000

Redhat announced kernel security and bug fix update multiple vulnerabilities (Also applies to CentOS). Also Fedora 10 & 11 have kernel updates for multiple vulnerabilities.

Updates to Firefox products have also cascaded into Fedora updates: blam (F10, F11), chmsee (F11), epiphany (F11), epiphany-extensions (F11), evolution-rss (F10, F11), firefox (F10, F11), galeon (F10, F11), gecko-sharp2 (F10), gnome-python2-extras (F10, F11), gnome-web-photo (F10, F11), google-gadgets (F10, F11), hulahop (F11), kazehakase (F10, F11), Miro (F10, F11), mozvoikko (F10, F11), mugshot (F10), pcmanx-gtk2 (F10), perl-Gtk2-MozEmbed (F10, F11), ruby-gnome2 (F10, F11), seahorse-plugins (F11), xulrunner (F10, F11), and yelp (F10, F11).

Mandriva is providing security advisories for phpmyadmin and ruby.

OpenSuSE announced a security update of flash-player

Ubuntu announced security updates for firefox and xulrunner, nspr, nss, and bind 9 in the last week.

Debian anounced security updates for libmodplug, xml-security-c — design flaw, znc — directory traversal and a similar patch for bind9.

Wasn’t Twitter was Google Apps that was hacked

pacneil — Sat, 18 Jul 2009 21:25:58 +0000

I’ll not rewrite what Gary Barnett has to say, except to reprint his abstract. I think it’s a thoughtful criticism of what’s been written about the Twitter fiasco, as well as cloud computing and security.

If you’re busy, here’s the abstract:

It wasn’t twitter that was hacked – it was Google Apps
Please don’t confuse “network” with “cloud” – it’s embarrassing to read and makes you look stupid
This is not a story about cloud computing, it’s a story about security
The moment you make a computer accessible via the internet you have a security challenge
Security is an important issue for cloud computing – So instead of hyping it, or denying it, we need to deal with it
The good the bad and the ugly – Some of the articles/blog posts I’ve seen on this topic

Gary Barnett’s blog post ……