DEFCON 18 Bryan Anderson Cloud Computing
Cloud Computing
A Weapon of Mass Destruction?
David M. N. Bryan - CISSP
• Technology Enthusiast (aka “Hacker” or VideoMan)
• Security Consultant (Other Company)
• PGP Key on key servers
Michael Anderson - Newb
• Security Consultant (NetSPI)
• michael.anderson@netspi.com
NetSPI
• Founded in 2001
• Exclusive Focus: Information Security Consulting
– Security & compliance assessments, security program development
– Vendor neutral – services only
• PCI QSA, ASV, and PA-QSA Certifications
• Government Clearances
• Industry Focus:
– Retail / payment apps
– Financial services
– Healthcare
– Energy & Power
What is the “Cloud”
What can I do in the cloud?
What’s required to start?
Cloud Computing?
• Is it a useful tool?
• Or a WMD?
Cloud Computing WMD
• Outline
• Threat Agents
– Who and why?
• Attacks
– Command and Control
– Attack Types
– Results
• Defenses
– Incident Response
Threat Agents
• Who are they?
– Business Rivals
– Organized Crime
– Foreign Powers
Motives
• What do they want?
– Bragging Rights
– Money
– Power
Power
Terms
• DDoS
– Distributed Denial of Service Attack
• Fragmentation Attack
• TCP Syn Flood
– Sending packets with only the Syn bit set, and not listening for a response
Typical Command And Control
• Who is your herder?
– Typical CNC
– Herder
• Controller or Scripts
– Bots
• Infected Clients
• Lots of Hosts (Millions?)
• Requires lots of time
• Most systems are Windows
Command And Control
Thunder Clap
• It's a proof of concept
• Run DDoS attacks from the cloud
• Can use social media as herder
• Rapid deployment and ramp up of systems
New Command And Control
• Who is your herder?
– Cloud is Herder and Botnet
– Bandwidth is plentiful
• Less dispersed
• Little prep time
– Control of attack
• Social Media
• Anonymous
• Hard to track
Command And Control
Attack Types
• TCP Full Connection
– Could be less effective; not stealthy
• Packet Fragmentation
– Not implemented in proof-of-concept
• TCP Syn Flood
– Dangerous, but requires some serious bandwidth
What can we do with this?
• Target a website, server, or service
• Target multiple components or sites
• Potentially target distributed systems
• Run a lowlife blackmail scheme (we won’t, but organized crime might)
• Sell DDoS services to your competitors
• Ensure your website is down, for good.
Outcome
• Threat agents can hold your environment hostage
– Easily
– Cheaply
– Who's watching again?
ThunderClap
Create Environment
• Get credit card
• Create machine image
– Include dependencies
• Deploy zombies
Development
• Create tools
– Scapy
– Hping
– Libdnet
• Develop attacks
– TCP Full
– Syn No Data
– Random Source IP?
Boom – pwnt!
D00D, we is 1337
Outcome?
• Profit
• A series of tubes…
Inner workings of TC
Attack!
Work to be done?
Defense?
• How can you protect yourself?
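One detection check for the TCP Syn Flood defined under Terms, as an added example that is not from the talk or from ThunderClap: count SYNs per destination and time window and compare them with completed handshakes. It counts per destination rather than per source because the deck raises random source IPs. The record format, thresholds and addresses (documentation ranges) are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample: (time_s, src_ip, src_port, dst_ip, dst_port, flags).
# "S" = SYN only; "A" = the client ACK that completes the three-way handshake.
def make_sample():
    events = []
    # 200 SYNs to 203.0.113.10:80 within one second, none completed
    for i in range(200):
        src = f"198.51.100.{i % 250 + 1}"
        events.append((10.0 + i * 0.005, src, 40000 + i, "203.0.113.10", 80, "S"))
    # 20 normal clients to 203.0.113.20:443, each completing the handshake
    for i in range(20):
        src = f"192.0.2.{i + 1}"
        events.append((10.0 + i * 0.05, src, 50000 + i, "203.0.113.20", 443, "S"))
        events.append((10.02 + i * 0.05, src, 50000 + i, "203.0.113.20", 443, "A"))
    return sorted(events)

def half_open_report(events, window_s=1.0, min_syns=100, max_completion=0.2):
    """Flag (dst, port, window) buckets with many SYNs and few completed handshakes."""
    syns = defaultdict(set)        # bucket -> {(src, sport)} that sent a SYN
    completed = defaultdict(set)   # bucket -> {(src, sport)} that later ACKed
    syn_bucket = {}                # connection 4-tuple -> bucket of its SYN
    for ts, src, sport, dst, dport, flags in events:
        conn = (src, sport, dst, dport)
        if flags == "S":
            bucket = (dst, dport, int(ts // window_s))
            syns[bucket].add((src, sport))
            syn_bucket[conn] = bucket
        elif flags == "A" and conn in syn_bucket:
            completed[syn_bucket[conn]].add((src, sport))
    alerts = []
    for bucket, senders in sorted(syns.items()):
        ratio = len(completed[bucket]) / len(senders)
        # Volume alone is not enough: a busy site also sees many SYNs,
        # but its clients finish the handshake.
        if len(senders) >= min_syns and ratio <= max_completion:
            alerts.append({"dst": bucket[0], "port": bucket[1], "window": bucket[2],
                           "syns": len(senders), "completion_ratio": ratio})
    return alerts

if __name__ == "__main__":
    for alert in half_open_report(make_sample()):
        print(alert)
```
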
Incident Response
• CSIRT Teams?
• NIST 800-61 Incident Response
Cloud Computing Pros
• Cloud computing is nimble
– Provides agility to startups
– Easy to deploy large numbers of servers
– Cost effective for small company
– Only requires a credit card
– Storage, CloudFront, Queues, etc.
Cloud Computing Cons
• "Storing data yourself, on your own computers—without relying on the cloud—is the most legally secure way to handle your private information, generally requiring a warrant and prior notice. The government asserts that it can subpoena your data from cloud computing providers, with no prior notice to you." - Granick and Opsahl, EFF
• No monitoring or response
• Quick and nimble server deployment
• Low cost to run effective DDoS
• Use stolen credit card for environment
Unmonitored…
• We could end up with the next large scale attack in the clouds.
Conclusion
• Unmonitored – IDS/IPS?
• Cloud allows for quick and nimble deployments
• Reduce your server costs
• Your data can be subpoenaed without your consent or knowledge
• What about logging?
Q and A
Thank You
NetSPI
800 Washington Avenue North
Minneapolis, MN 55401
612-465-8880
References
• http://zvis.com/nuclear/detonation/ctyankee/ctyankee.shtml
• http://www.indelibleinc.com/kubrick/films/strangelove/images/kingkong.jpg
• http://commons.wikimedia.org/wiki/File:Tcp_synflood.png
• http://csrc.nist.gov/publications/nistpubs/800-61-rev1/SP800-61rev1.pdf
• http://upload.wikimedia.org/wikipedia/commons/7/71/AirForceMuseum_FatManReplica.jpg
• http://www.strangeloveforcongress.com/o/30070/images/warroom.jpg
• http://www.eff.org