Client access is the Achilles' heel of the cloud

Date posted: 19-Oct-2014
Category: Technology


Description

As everyone moves their sensitive zeros and ones to the cloud, it seems that many organizations have forgotten about the terrific vulnerabilities facing the clients accessing the cloud. This presentation illustrates some of these risks.

Transcript of Client access is the Achilles' heel of the cloud

Page 1: Client access is the Achilles' heel of the cloud

Bryce Galbraith ©2013, All Rights Reserved 1

Client Access: The Achilles’ Heel of the Cloud

The SANS Institute

Bryce Galbraith, Layered Security
https://www.linkedin.com/in/bgalbraith

[email protected]

This presentation is available at: http://www.slideshare.net/brycegalbraith/

Page 2: Client access is the Achilles' heel of the cloud

Who am I?

• A professional (ethical) hacker
• Contributing author of Hacking Exposed
• Co-author of Foundstone’s Ultimate Hacking course series
• The founder of Layered Security
• Certified instructor and course author with the SANS Institute
• Frequent speaker, blogger, Tweeter

https://www.linkedin.com/in/bgalbraith

Page 3: Client access is the Achilles' heel of the cloud

Great quote (1)

"There's a war out there, old friend. A world war. And it's not about who's got the most bullets. It's about who controls the information. What we see and hear, how we work, what we think…it's all about the information!”

Page 4: Client access is the Achilles' heel of the cloud

Great quote (2)

"The world isn't run by weapons anymore, or energy, or money. It's run by little ones and zeroes, little bits of data. It's all just electrons.”

-- Cosmo, from “Sneakers” (1992)

Page 5: Client access is the Achilles' heel of the cloud

Front page moments

• Everywhere you look, major incidents
  – National secrets, intellectual property, PII, lost revenue, expensive cleanups, embarrassment, shame and numerous other negative effects…
  – Even bankruptcy (e.g. DigiNotar)
  – Continuous stream of announcements
  – No one seems to be immune
  – Many don’t even realize they are compromised
  – People are losing their zeros and ones, en masse

Page 6: Client access is the Achilles' heel of the cloud

The Actors

• There are many actors
  – Nation states (APT)
  – Organized crime
  – Hacktivists
  – Terrorists
  – Cyber punks
  – Insiders…

Page 7: Client access is the Achilles' heel of the cloud

So, what do we do about it?

• Clearly there’s a problem
  – Advanced adversaries
  – Limited budgets and staff
  – Limited management support
  – Infinite complexities
  – Effective security is hard (and expensive)
• The solution?
  – Move it to the cloud! (a.k.a. outsourcing ;-)

Page 8: Client access is the Achilles' heel of the cloud

Industry Focus

Page 9: Client access is the Achilles' heel of the cloud

Page 10: Client access is the Achilles' heel of the cloud

Meanwhile…

Page 11: Client access is the Achilles' heel of the cloud

Attackers choose the path of least resistance…

Page 12: Client access is the Achilles' heel of the cloud

Unfortunately, endpoint security is “terrifically weak”

Page 13: Client access is the Achilles' heel of the cloud

The Attacks (1)

• Man-in-the-middle
  – ARP cache poisoning (LAN)
    • Ettercap, Cain & Abel, Subterfuge, arpspoof, etc.
  – LAN, WLAN, cellular networks, etc.
• Nation-in-the-middle
  – Governments, ISPs, etc.
• One of the most powerful positions
  – “All your bits are belong to us!”
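The ARP cache poisoning the slide lists is noisy on the wire, and a passive monitor can catch it. The following is an added example (not from the slides or any of the tools named) that replays a constructed log of ARP replies and raises the two classic alerts: an IP whose MAC changes, and one MAC answering both as the gateway and as a host. The gateway address and all MACs are made-up sample values.

```python
from collections import defaultdict

# Constructed sample: (time, sender IP, sender MAC) of ARP replies seen on a
# LAN segment. 192.0.2.1 plays the default gateway; all values are made up.
SAMPLE_REPLIES = [
    (1, "192.0.2.1", "aa:aa:aa:aa:aa:01"),
    (2, "192.0.2.10", "bb:bb:bb:bb:bb:10"),
    (3, "192.0.2.11", "bb:bb:bb:bb:bb:11"),
    (4, "192.0.2.1", "aa:aa:aa:aa:aa:01"),
    (5, "192.0.2.1", "cc:cc:cc:cc:cc:ff"),   # unknown MAC now answers as the gateway
    (6, "192.0.2.10", "cc:cc:cc:cc:cc:ff"),  # ...and as one of the hosts
    (7, "192.0.2.1", "aa:aa:aa:aa:aa:01"),   # real gateway answers again (flapping)
]

def detect_arp_poisoning(replies, gateway_ip):
    """Return alert strings for suspicious ARP reply patterns (empty = clean).

    Two signals, in the spirit of arpwatch:
      1. an IP whose MAC differs from the one first learned for it;
      2. a single MAC answering for the gateway *and* for other hosts, the
         two-sided pattern that LAN poisoning tools produce.
    A legitimate proxy-ARP router would trip signal 2; allowlist it by
    making sure its MAC is learned first.
    """
    first_seen = {}                  # ip -> MAC learned first
    seen_pairs = set()               # (ip, mac) already reported
    mac_to_ips = defaultdict(set)
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        mac_to_ips[mac].add(ip)
        if ip not in first_seen:
            first_seen[ip] = mac
        elif mac != first_seen[ip] and (ip, mac) not in seen_pairs:
            seen_pairs.add((ip, mac))
            alerts.append(f"t={ts}: {ip} moved from {first_seen[ip]} to {mac}")
    for mac, ips in mac_to_ips.items():
        if gateway_ip in ips and len(ips) > 1 and mac != first_seen.get(gateway_ip):
            others = sorted(ips - {gateway_ip})
            alerts.append(f"{mac} claims gateway {gateway_ip} and {others}")
    return alerts

if __name__ == "__main__":
    for line in detect_arp_poisoning(SAMPLE_REPLIES, "192.0.2.1"):
        print(line)
```

Static ARP entries for the gateway on managed endpoints, or dynamic ARP inspection on the switch, stop the attack rather than just observing it; the monitor is the cheap first step.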

Page 14: Client access is the Achilles' heel of the cloud

Page 15: Client access is the Achilles' heel of the cloud

The Attacks (2)

• Redirection
  – DNS spoofing
  – HTTP request hijacking
• Attack vectors
  – Send to spoofed sites and trick users into giving up credentials
  – Exploit victims with Metasploit or SET
    • auxiliary/spoof/wifi/airpwn (and dnspwn)
    • auxiliary/server/browser_autopwn
    • Social Engineering Toolkit (can clone sites)

Page 16: Client access is the Achilles' heel of the cloud

The Attacks (3)

• What about SSL/TLS to the cloud?
  – Authenticates the site (via a certificate)
  – Encrypts the HTTP transactions
  – Fundamentally important to protecting most cloud-based services
• Can be completely stripped away…
  – sslstrip by Moxie Marlinspike
    • http://www.thoughtcrime.org/software/sslstrip/
    • It only strips HTTPS to/from the client, not the cloud.

Page 17: Client access is the Achilles' heel of the cloud

The Attacks (4)

• Code injection
  – Once SSL/TLS has been stripped away, arbitrary code can be injected
  – In either direction
  – Ettercap, BeEF, xssf, etc.
• Keyloggers, Metasploit exploits, steal cookies, modify page content, redirect the victim’s browser and many other nasty things…
• http://bellard.org/jslinux/ (JavaScript Linux distro!)

Page 18: Client access is the Achilles' heel of the cloud

The Attacks (5)

• Session side-jacking
  – With SSL/TLS removed, the session token representing the user is exposed
  – Once side-jacked, the attacker can simply submit an HTTP request using the token value and they are in!
  – Bypasses many authentication methods
  – Cookie Cadger
    • https://www.cookiecadger.com/
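Both the sslstrip slide (Page 16) and the side-jacking slide above hinge on the same thing: the client being talked into plain HTTP. The server can refuse to play along with Strict-Transport-Security and the Secure cookie attribute. The following added example (not from the slides, Cookie Cadger or sslstrip) audits constructed HTTPS response headers for those two controls; the response samples, the session-name heuristic and the six-month minimum max-age are assumptions for the demo.

```python
import re

# Constructed sample responses (header name -> list of values); not captured
# from any real service.
WEAK_RESPONSE = {
    "Set-Cookie": ["JSESSIONID=abc123; Path=/; HttpOnly"],
}
HARDENED_RESPONSE = {
    "Strict-Transport-Security": ["max-age=31536000; includeSubDomains"],
    "Set-Cookie": [
        "JSESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
        "theme=dark; Path=/",            # not a session cookie, Secure optional
    ],
}
MIN_HSTS_AGE = 180 * 24 * 3600          # six months, assumed policy minimum
SESSION_NAME_HINT = re.compile(r"sess|sid|token|auth", re.IGNORECASE)

def parse_hsts(value):
    """Return (max_age, include_subdomains) from an HSTS header value."""
    max_age, subdomains = None, False
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        val = val.strip().strip('"')
        if name.lower() == "max-age" and val.isdigit():
            max_age = int(val)
        elif name.lower() == "includesubdomains":
            subdomains = True
    return max_age, subdomains

def audit_headers(headers):
    """Return findings; empty means the response resists both downgrade tricks.
    HSTS only binds a browser that has already seen it (or has the domain
    preloaded), so the very first plain-HTTP visit is still exposed."""
    findings = []
    hsts = headers.get("Strict-Transport-Security", [])
    if not hsts:
        findings.append("no HSTS: returning browsers will still accept plain HTTP")
    else:
        max_age, _ = parse_hsts(hsts[0])
        if max_age is None or max_age < MIN_HSTS_AGE:
            findings.append(f"HSTS max-age too short: {max_age}")
    for cookie in headers.get("Set-Cookie", []):
        name, _, rest = cookie.partition("=")
        attrs = {a.strip().split("=")[0].lower() for a in rest.split(";")[1:]}
        if SESSION_NAME_HINT.search(name) and "secure" not in attrs:
            findings.append(f"cookie {name.strip()} lacks Secure: side-jackable over HTTP")
    return findings
```

A cookie with Secure is never sent over plain HTTP, so stripping TLS on the client side no longer exposes the token; HSTS closes the redirect window sslstrip relies on for returning visitors.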

Page 19: Client access is the Achilles' heel of the cloud

The Attacks (6)

• Cellular man-in-the-middle
  – Numerous demonstrations at various hacker conferences over the past few years – it works
  – At DEFCON they dropped rootkits on Android cell phones all weekend
• Client-side malware is still prevalent
  – Can easily log credentials or session tokens to the cloud resources
    • http://www.flexispy.com/
    • http://www.technologyreview.com/view/429394/placeraider-the-military-smartphone-malware-designed-to-steal-your-life/

Page 20: Client access is the Achilles' heel of the cloud

Extending the Attacks

• Imagine what an attacker could do if they were in the middle of the Internet
  – Nation states, ISPs, etc.
• Certificate Authority (CA) trust issues
• Government officials can demand access to data, and providers may have very little recourse, if any
• Spear-phishing attacks to steal user/admin credentials to the cloud
  – “One click is all it takes…” - http://goo.gl/e5tfA2
• The HB Gary incident (blended attack)

Page 21: Client access is the Achilles' heel of the cloud

Industry Focus

Page 22: Client access is the Achilles' heel of the cloud

Page 23: Client access is the Achilles' heel of the cloud

Summary

• The cloud is here to stay…
• Assuming we can actually secure it (big assumption), our data is relatively secure in the cloud.
• The problem is, it doesn’t stay there…
• We have to acknowledge this and work diligently to protect our zeros and ones wherever they end up.

Page 24: Client access is the Achilles' heel of the cloud

(Closing slide: repeats the title slide and contact details from Page 1.)