Tag Archives: denial of service

Botclouds: A Cyberattacker’s Dream

Offloading your software and data to a cloud computing service has never been easier.

Apple last week became the latest tech company – after Google and Amazon – to offer cheap online storage, with its new iCloud service allowing users to access music, documents and other files from any Apple device. But cloud services could also be used to launch attacks, send spam and commit fraud.

“Right now it’s just a few attacks, most aren’t well publicised and a lot can go undetected,” says Kassidy Clark of the Delft University of Technology in the Netherlands. “As long as cloud service providers are not taking proactive steps to prevent these things, I think this trend will increase.”

As well as basic online storage, firms such as Amazon, which provides the largest cloud service, also offer virtual computing. This allows people to rent as many “virtual computers” as they need.

Now Clark and colleagues have investigated how the cloud could be used to build a botnet, a network of infected computers under an attacker’s control. Traditional botnets are built over time by taking control of ordinary people’s computers without their knowledge, but a cloud botnet – or botcloud – can be put together in a couple of minutes just by purchasing space in the cloud with stolen credit card details. “It makes deployment much faster,” says Clark, who presented his findings at the CLOSER cloud computing conference in Noordwijkerhout, the Netherlands, last month. “You don’t have to wait months for millions of machines around the world to get infected.”

To find out just how easy it is to construct a botcloud, Clark and colleagues hired 20 virtual computers from a leading cloud service provider for around €100 and used them to carry out attacks on their own web server. They first attempted a distributed denial of service (DDoS) attack, which floods a target with massive amounts of traffic. The botcloud pumped out 20,000 page requests per second and brought the server down in just 10 seconds.

Clark also built a larger botcloud and used it to simulate “click fraud” – clicking links in pay-per-click adverts in order to generate fraudulent revenue. Advertising companies normally stop this by tracking the internet protocol (IP) address of each individual computer and blocking one if it clicks a link too many times. The researchers circumvented this defence by setting up a botcloud of 1000 virtual computers, each with its own address. Neither botcloud attack was detected or shut down by the cloud provider.

So are botclouds being used? There were certainly rumours that the recent attack on Sony’s PlayStation Network was carried out via Amazon servers rented using stolen credit cards, but these have not been substantiated. “We have seen spam coming from some of these environments, but not on a massive scale,” says Paul Wood, a senior analyst at Symantec.cloud, which provides cloud-based security services. He says that it is even possible for a virtual computer in the cloud to become infected by an ordinary botnet, because cloud users don’t normally run anti-virus software.

Thomas Roth, a security researcher in Cologne, Germany, who recently showed how to use Amazon’s servers to crack Wi-Fi passwords, agrees the lack of anti-virus protection in the cloud is a problem. “I think that Amazon should provide infrastructure for doing vulnerability assessments and virus scans,” he says.

“Amazon Web Services employs a number of mitigation techniques, both manual and automated, to prevent the misuse of the services,” Amazon told New Scientist. “We have automatic systems in place that detect and block many attacks before they leave our infrastructure.”

But Wood warns that attacks from the cloud could easily take off in countries with more lax web policing. “It’s only a matter of time before a Russian or Chinese equivalent of Amazon offers similar services,” agrees Clark. “You put malicious or illegal software there, it doesn’t matter, they will never take you offline.”

Source

Four Steps To Secured VoIP

Securing Voice over IP (VoIP) doesn’t have to be a challenge for small and medium-sized businesses (SMBs).

VoIP is basically a phone call over the Internet. It offers the same promises – and pitfalls – as the Internet. The promises are cheap and easy communication over a readily available and easy-to-use public network – the Internet. The pitfalls are the same security weaknesses of that network, which wasn’t originally designed for security – or phone calls, for that matter.

But it’s not as scary as it seems for cash-strapped SMBs with limited IT staffs. Most of the tuning required to secure VoIP involves the same efforts as hardening Internet and Web connections your company probably already has in place. And most of that work can be handled by your existing network staff, even without a dedicated information security department.

Even if your SMB doesn’t host its own Web site or Internet service like a larger enterprise does, it still connects to the Internet through conventional routers. Extending that setup to handle VoIP should be a snap.

Security comes first

Before delving into the four best practices for securing VoIP and how to apply them to SMBs, be aware of the overall security issues around VoIP.

There are three major security concerns around VoIP, and they’re the same security issues as those for IP traffic, in general.

The three issues are:

1. Lack of authentication, which makes spoofing possible.
2. Exposure of unencrypted data.
3. Unwanted traffic similar to email spam, which in the VoIP world is called SPIT, or spam over Internet telephony.

VoIP can also serve as an entry point into your company, just like any other Internet connection, for viruses, spyware and malware. But this isn’t a specific problem of VoIP. Denial-of-service (DoS) attacks are also possible via VoIP but, again, this is a general IP protocol issue and not just a VoIP concern.

IP traffic isn’t authenticated. It moves freely over the Internet and can come from anywhere. This is a problem inherent in the TCP/IP protocol. For VoIP, it means a malicious user could fake, or spoof, your company’s IP address and appear on the caller ID of an unsuspecting customer. This tactic is known as VoIP phishing, which, like its email counterpart, is meant to entice customers to give up confidential account information over the phone to thieves posing as your company employees.

IP traffic moves in the clear by default. It can be easily picked up by conventional packet sniffers like Wireshark (formerly Ethereal), dsniff, Ettercap and their ilk. Any conversations on your new shiny VoIP phones can be eavesdropped by sniffing unencrypted traffic traveling over the Internet. Unlike regular phone lines, which require some effort to tap through the phone company, VoIP can potentially expose your SMB to the whole world just by being on the Internet.

And, just as spam is delivered via email, junk voicemail messages can be pumped into your company through VoIP, clogging your SMB’s phones with SPIT. This is in addition to a DoS attack against your company, just like any other from the Internet, through your VoIP connection.

So, what’s an SMB to do to protect itself from the dangers of VoIP? Here are four suggestions:

1. First, run all your VoIP traffic through a separate Internet connection and separate voice and data traffic into their own network segments. Use a VLAN to separate voice and data. This prevents an attack arriving over the data network from leaking into your voice system, and prevents a compromised VoIP network from being used to attack your primary network. Set up separate servers dedicated just to VoIP traffic and firewall them apart from the rest of your network. For VoIP connections between different buildings, use a virtual private network (VPN) to authenticate users and prevent spoofing.

2. Second, avoid cheap VoIP systems that can be installed on an ordinary desktop or workstation. As tempting as it might be to a cost-conscious SMB, these systems are highly insecure since they can be easily compromised and used as a back door into your network. Go for a real VoIP system from a major provider like Vonage Holdings Corp. or Avaya Inc., which integrates with your existing routers and can be handled by your existing network staff.

3. Third, encrypt any VoIP traffic to keep it confidential and prevent eavesdropping by network sniffers. VoIP encryption is getting better but it can just as easily be set at the router or gateway level and then tunneled through IPSec. This should put less of a strain on your SMB staff members, who may already be setting up these types of connections for your VPN.

4. Lastly, put VoIP servers in a secure physical location, as you would for your other networking equipment. Ideally, if space permits, the equipment should be in its own equipment room separate from that other networking equipment.

Like the rest of your network servers, baseline security controls should be in place for your VoIP system.

Here’s how:

* Make sure all routers and servers hosting your VoIP system have been hardened and all unnecessary services turned off and ports closed.
* Restrict access to VoIP servers to only system administrators and log and monitor all access.
* Use intrusion detection systems to monitor malicious attempts to access your VoIP network.
* Employ a defense-in-depth strategy with multiple layers of security, including dedicated VoIP-ready firewalls.
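One way to automate the first of these checks, as an added example that is not part of the original article: the script below parses a constructed socket listing in the style of `ss -ltnup` and reports listeners that fall outside an assumed profile for a dedicated VoIP server (SIP on 5060/5061, an RTP/UDP media range, SSH for administrators). The allowlist, the RTP range and the sample lines are assumptions, not data from a real host.

```python
"""Audit a VoIP server's listening sockets against an allowlist.

Added example, not from the original article. It implements the checklist
item "all unnecessary services turned off and ports closed" by parsing
socket-listing text (in the style of `ss -ltnup`) and flagging listeners a
dedicated VoIP server has no reason to expose. Allowlist and sample output
are constructed assumptions, not a real host's data.
"""
import re
from dataclasses import dataclass

# Assumed profile of a dedicated VoIP server: SIP on 5060 (UDP/TCP) and
# 5061 (TLS), media on a fixed RTP/UDP range, SSH for the administrators.
ALLOWED_TCP = {22, 5060, 5061}
ALLOWED_UDP = {5060}
RTP_UDP_RANGE = range(10000, 20001)

# Constructed sample listener table (not captured from a real system).
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      0.0.0.0:5060       0.0.0.0:*         users:(("asterisk",pid=812,fd=10))
udp   UNCONN 0      0      0.0.0.0:10024      0.0.0.0:*         users:(("asterisk",pid=812,fd=22))
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=433,fd=3))
tcp   LISTEN 0      128    [::]:5061          [::]:*            users:(("asterisk",pid=812,fd=11))
tcp   LISTEN 0      128    0.0.0.0:23         0.0.0.0:*         users:(("telnetd",pid=901,fd=4))
tcp   LISTEN 0      511    *:80               *:*               users:(("nginx",pid=1202,fd=6))
"""


@dataclass(frozen=True)
class Listener:
    proto: str      # "tcp" or "udp"
    port: int
    process: str    # process name, or "?" when the column is missing


# Netid, State, Recv-Q, Send-Q, Local:Port, Peer:Port, optional users:(("name",...))
LINE_RE = re.compile(
    r'^(?P<proto>tcp|udp)\s+\S+\s+\d+\s+\d+\s+\S+:(?P<port>\d+)\s+\S+'
    r'(?:\s+users:\(\("(?P<proc>[^"]+)")?'
)


def parse_listeners(text):
    """Turn socket-listing text into Listener records; header lines are skipped."""
    found = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            found.append(Listener(m["proto"], int(m["port"]), m["proc"] or "?"))
    return found


def is_expected(listener):
    """True when the listener belongs to the assumed VoIP server profile."""
    if listener.proto == "tcp":
        return listener.port in ALLOWED_TCP
    return listener.port in ALLOWED_UDP or listener.port in RTP_UDP_RANGE


def audit(text):
    """Return the listeners that should be shut down or firewalled off."""
    return [l for l in parse_listeners(text) if not is_expected(l)]


if __name__ == "__main__":
    for l in audit(SAMPLE_SS_OUTPUT):
        print(f"unexpected {l.proto}/{l.port} ({l.process})")
```

On the sample above the audit reports the telnet and HTTP listeners; on a real host, feed it the output of the socket-listing tool and adjust the allowlist to the ports your PBX actually uses.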

Implementing VoIP is not as scary, or as much of a burden, as it seems. Most of the tasks for securing VoIP can be handled by your existing IT staff, since it is already integrated into your network.

2010 Saw the Dawn of Nation-State Cyber Wars: Citrix CTO

Citrix CTO Simon Crosby looks back at 2010 in the cloud computing sector–and ahead at what 2011 may bring–and isn’t very comfortable with a number of things emerging on the security side of that very hot business.

Crosby has become a go-to resource for knowledge in virtualization, cloud computing and data security. He was founder and CTO of XenSource prior to its acquisition by Citrix for $500 million in 2007. Previously, Simon was a principal engineer at Intel, where he led strategic research in distributed autonomic computing, platform security and trust.

It’s Crosby’s job as the CTO of an international enterprise IT provider to maintain a big-picture view of what the trends are, where they’re going and how they will affect companies making strategic IT plans.

It’s not necessarily cloud infrastructure issues that worry Crosby. It’s protection of stored data and access to servers that keeps him up at night.

“This was the year when nation-state attacks started to happen,” Crosby said. “You’ve got Stuxnet, you’ve got the Chinese government attack on Google, and you’ve got WikiLeaks. My take is that every CIO should be shivering in a state of panic.”

Everybody’s long been aware of denial of service attacks and their potential, but Crosby thinks many people have become indifferent to these events, believing such an attack won’t happen to them.

“All of these have profound lessons for us,” Crosby told eWEEK. “We’re in a space of hyper-innovation, and that’s fueled by Moore’s Law on the client and the server, and Moore’s Law helping the network, so we get the network effect of that. And the network effect of that innovation is unbelievable.

World’s largest cloud: Conficker

“If you look at the world’s largest cloud, it’s probably something called Conficker. It has probably 30 million CPUs. It requires something like 20 terabits of bandwidth, and it’s for hire. You can hire it today, and point it at anything you want,” Crosby said.

“Think cloud now. Every single one of those hosts up there that are infected with Conficker–and there are still millions and millions of them–are all out there, and they can be remotely controlled and instructed to do something. It’s similar to the way the anonymous guys at WikiLeaks have been getting people to download and attack payload, and then they can remotely point that attack payload at any site they want to attack.”

For example, anonymous hackers have been able to put together an attack of 10GB per second and point it at Visa, PayPal, Amazon and a couple of other places to shut them down for various times, Crosby said.

“Conficker is still out there, and that’s 28 terabits/second. If that thing was pointed at any U.S. national interest or any national interest, it would go down in a heartbeat,” Crosby said.

So why hasn’t this happened yet, if there are people in the world devious and knowledgeable enough to activate this dangerous weapon?

“Well, it hasn’t yet for the same reason that nobody has launched an atomic bomb–it’s that big, right?” Crosby said. “It turns out that most of the Conficker stuff is relatively straightforward–denial of service and blackmail stuff in the hands of organized crime.

“But the scary thing is that this was the year [2010] that nation-states started to engage in cyber war actively–and everybody saw it for the first time.”

The Stuxnet worm, which appeared in July 2010, was a prime example, “wreaking havoc on the Iranian nuclear facilities,” Crosby said.

Stuxnet exploited four zero-day vulnerabilities in Windows and a vulnerability in Windows’ Print Spooler service to do its dirty work. Early versions of the virus abused Windows’ AutoRun feature in an effort to infect industrial control systems, Symantec revealed in September.

“The interesting departure [this year] is that we have started to see nation-states play an active role in these attacks,” Crosby said. “That is more threatening than the traditional bad guys who spam you with email or blackmail the gambling sites to say, ‘Your site’s going to be down until you pay me some money.’ ”

Crosby said that all these concerns point to the cloud as the best place to maintain a “survivable” application.

“Here’s a good example: Visa was nailed by the anonymous crew on WikiLeaks. But Amazon didn’t even blink when Anonymous pointed 10 gigabits of traffic at it. Amazon has this massive cloud that’s redundant, has multiple availability zones spread around geographical regions, and so on. So if you want to make your application survive a big attack, the place to run it is called the cloud.”

This is probably counter to what most people think in response to these attacks, Crosby said.

“Most people are going to want to close all the boundaries, run a private cloud, and get my head down in my bunker and hope that I’m secure,” he said. “But in that situation, you are more vulnerable than if you are automated. People are running around your infrastructure with USB sticks and everything else. That’s how WikiLeaks happened.”

When nation-states start pouring defense budget-sized amounts of money into cyber war, then we will see “very interesting attacks,” Crosby said. It has been estimated that it cost somebody “on the order of $10 million” to build Stuxnet, for example, Crosby said.

“We don’t know where it [Stuxnet] came from, but it’s pretty clear that it was organized by a nation-state because of the sophistication of the attack,” Crosby said. “Most attacks use a single vulnerability; Stuxnet used four–four that were previously unknown to anyone, including Microsoft. So that basically suggests that somebody had the Windows source code and used it [for that attack].”

Access to source code a major problem

Many governments have access to this source code, he said. Stuxnet also targeted very specific enterprise devices, Crosby said, and was not aimed at the average consumer.

“It was clearly targeted for political reasons, it cost a lot of money to do, and it was very robust,” Crosby said. “It still has not been cleared; it’s out there causing havoc.”

This trend is going to make IT managers sit up and take notice, he said.

“You may say, well, I have good people and procedures in place, but the more people you have involved, the more vulnerable you are–either through mistakes or deliberate sabotage,” Crosby said.

“That basically says you need to get on the cloud.”

Bradley Manning, the U.S. military IT assistant implicated in the WikiLeaks controversy, used a USB stick on a PC to access most of the information that ended up being published on the site.

“Now, if that organization had been using desktop virtualization, that would never have been allowed to happen. Every single device on every client is policy controlled for access, and you can shut these off. Any properly automated cloud would have prevented WikiLeaks from happening,” Crosby said.

Prior to founding XenSource, Crosby was the founder of CPlane Inc., a network-optimization software vendor, where he held a variety of executive roles. Before CPlane, Simon was a tenured faculty member at the University of Cambridge, UK, where he led research on network performance and control, and multimedia operating systems.

He is author of more than 35 research papers and has patents on a number of data center and networking topics, including security, network and server virtualization, resource optimization and performance. In 2007, Simon was named one of InfoWorld’s Top 25 CTOs.

Source

3 Legal Issues to Consider When Going to the Cloud

Cloud computing can help your business reduce costs: you don’t have to invest in hardware and other physical infrastructure, your data is stored in a secure location, and you only pay for what you use, with no licensing fees associated with cloud computing.

Legal Issues associated with Cloud Computing

That said, there are some important legal issues that must be taken care of before you sign-up with any of the cloud vendors for your business.

These issues, discussed below, are more relevant for business owners who are planning to shift to the cloud and may not really matter if you are a consumer who merely uses the cloud for storing emails or office documents.

1. The Physical Location of your Data

1a. Where is your data stored physically?
Your data could be stored in any country and you may not even know where the data centre is situated. The ‘physical location’ raises the question of legal governance over the data. The customer must be clear about the provisions of the prevailing law in that particular nation.

1b. If a dispute arises, what will be the place of jurisdiction?
In case a conflict arises between the cloud vendor and the customer (you), which country’s court system will settle the dispute?

Say you are a business owner in China and your cloud service provider is based in the US. The vendor will definitely prefer settling the case in an American court, but as a customer, do you have the financial means and resources to get the dispute settled in the jurisdiction of another nation?

2. Responsibility of your Data

2a. What if the data centre is hit by a disaster?
It might happen that the vendor’s premises are severely affected by a disaster. Even the 10-Q filings of Google Inc. with the U.S. Securities and Exchange Commission mention such a risk:

Our systems are vulnerable to damage or interruption from earthquakes, terrorist attacks, floods, fires, power loss, telecommunications failures, computer viruses, computer denial of service attacks, or other attempts to harm our systems.

The question is whether you are indemnified by an insurance company for the resulting loss to your business.

2b. Is there any liability coverage for breach of privacy?
If a privacy breach occurs due to a fault of the cloud vendor, has the vendor taken out any liability coverage policy? The scope of breach-of-privacy coverage has widened considerably over the years in the field of cyber insurance. Some insurance carriers offer coverage even for breach of minor information, and the customer is compensated on behalf of the cloud vendor.

2c. What can be done if the data center gets hacked?
Though all cloud vendors try their best to fend off hackers, no security setup can be assumed to be foolproof. If the data center gets hacked, can you move against the vendor to claim lost profits?

3. Intellectual Property Rights

3a. Is your data protected under intellectual property rights?

If it happens that the data is your own creation (like photographs, literature, etc), then is it protected under the intellectual property rights of that country? What means do you have if they get infringed?

3b. How secure are trade secrets?
Your data stored in the ‘cloud’ may include trade secrets or privileged information which must be protected under the attorney-client relationship. How secure will such information be in the hands of the cloud vendor?

Or consider the reverse situation. If you leak a trade secret of another business entity, how far will your cloud storage provider go to protect your data when they have been summoned to court with all your stored data, access logs, etc.?

3c. Third party access?
The vendor may grant some privileged third parties access to your stored data. The identity of such parties, if any, must be disclosed to the customer. Here, the third party could be a legal authority or even an internal employee. The customer should always be informed before the vendor allows third parties to access the stored data.

To protect the interests of your business, it is therefore essential that you read the terms and conditions meticulously before signing up for a cloud-based service.

If the vendor provides a standard form of contract (which is general practice), then you must be fully aware of all the terms and conditions. It will save you from nasty surprises, and you will be financially, mentally and legally prepared to protect your business from the unfavorable consequences of cloud computing.

Source