A CLOUD BASED AND CONVENTIONAL APPROACH IW - by Manu Zacharia MVP (Enterprise Security), ISLA-2010 (ISC)² C|HFI , C|EH, CCNA, MCP, AFCEH, Certified ISO 27001:2005 Lead Auditor Director – Information Security Millennium Consultants “Aut viam inveniam aut faciam” (I shall either find a way or make one) Hannibal Barca
#whoami • I am an Information Security Evangelist • For paying my bills – I work as Director – Information Security – US Based Consultants. • Awards • Information Security Leadership Achievement Award from International Information Systems Security Certification Consortium - (ISC)² • Microsoft Most Valuable Professional (Enterprise Security) • Author of a Book – Intrusion Alert – An Ethical Hacker’s Guide to Intrusion Detection Systems
#whoami • Developed an Operating System from the Linux kernel – Matriux – (www.matriux.com) - Asia’s First OS for Hacking, Forensics and Security testing – Open Source & Free • Some certifications: • Certified Ethical Hacker (C|EH) • Computer Hacking Forensic Investigator (C|HFI) • Cisco Certified Network Associate • Microsoft Certified Professional • Certified ISO 27001:2005 Information Security Management Systems Lead Auditor • Also serves the police force as a Cyber Forensics Consultant
#whoami • Teaching?? – no!!!!! – I don’t teach, I just train and preach: • Indian Navy - Signal School , Centre for Defense Communication and Electronic and Information / Cyber Warfare • Centre for Police Research, Pune • Institute of Management Technology (IMT) – Ghaziabad • IGNOU M-Tech (Information Systems Security) – and also an Expert Member – Curriculum Review Committee • C-DAC, ACTS (DISCS (the tiger team) & DSSD (hard core guys)) • Other International Assignments & Hacking Conferences
Disclaimer(s) • The opinions represented here are my personal ones and do not necessarily reflect my employer’s views. • Registered brands belong to their legitimate owners. • The information contained in this presentation does not infringe any intellectual property, nor does it provide detailed information that may be in conflict with actual Indian laws (hopefully...) :)
Question • So what is Cloud Computing? • Do you know what EC2 and S3 are? • How could these services be exploited?
contents INTRODUCTION UNDERSTANDING IW EXPLOITING THE CLOUD CLOUD FORENSICS CONCLUSION
INFORMATION WARFARE • Clue: • Kendo (kumdo in korean)
INFORMATION WARFARE • 風林火山 (Fūrinkazan) • 風- Swift as the wind • 林- Quiet as the forest • 火- Conquer like the fire • 山- Steady as the mountain
INFORMATION WARFARE • Battle strategy and motto of Japanese feudal lord Takeda Shingen( 武田信玄 )(1521–1573 A.D.). • Twenty-Four Generals - famous groupings of battle commanders • (Takeda Nijūshi-shō )武田二十四将
INFORMATION WARFARE • Taken from The Art of War by Chinese strategist and tactician Sun Tzu (Sunzi) • A sort of abbreviation to remind officers and troops how to conduct battle
INFORMATION WARFARE • This is what we need in information warfare
INFORMATION WARFARE • “actions taken to achieve information superiority by affecting adversary information, information-based processes, information systems, and computer based networks while defending one's own” • The U.S. Joint Chiefs of Staff
INFORMATION WARFARE • “ Information warfare is the use and management of information in pursuit of a competitive advantage over an opponent. ” • WIKIPEDIA
TWO SCHOOLS • Two schools of thought exist: • Military business • Some other agencies, with the involvement of the military
FORMS OF IW • Bringing down of financial infrastructure like banks and stock exchange • Enemy communication network spoofing and disabling • Jamming of TV / Radio • Hijacking of TV / radio for disinformation campaign
TYPES OF PLAYERS • State • State sponsored agencies / groups • Terrorists • Underground war-lords and groups • Individuals ‘n’ script kiddies
What’s the latest happening? • What’s happening in the Indian Web Space – last 45 days? • 14 Aug–Independence day of Pakistan • Underground cracking groups • http://www.pakcyberarmy.net/ • http://www.pakhaxors.com/forum.php
What’s the latest happening? • The two Pakistani cracker groups reportedly attacked & defaced a dozen Indian websites, including: • http://mallyainparliament.in/ and • http://malegaonkahero.com/
What’s the latest happening? • On 15 Aug – in return, an Indian underground group called Indian Cyber Army (http://indishell.in) attacked & defaced around 1226 Pakistani websites.
MISSION STATEMENT • Mission Statement - IN • “Naval orientation and training of recruits to enable accomplishment of their immediate task with self-assurance”.
MISSION STATEMENT • Mission statement – IAF • “The mission of the Flight Safety organization of the IAF is to ensure operational capability by conserving human and material resources through prevention of aircraft accidents.”
LOOK AROUND? • UK CyberSafe Command • PLA – Chinese PLA • What happened last December – Jan?
what is cloud computing? • Cloud computing is Internet-based computing, whereby shared resources, software and information are provided to computers and other devices on-demand, like a public utility.
cloud in simple terms • Uses the internet and central remote servers to maintain data and applications. • Allows consumers and businesses to use applications without installation and access their personal files at any computer with internet access.
3 types of cloud services • IaaS - Infrastructure-as-a-Service • PaaS - Platform-as-a-Service • SaaS - Software-as-a-Service
THE CLOUD • Five essential characteristics (the NIST definition): • on-demand self-service, • broad network access, • resource pooling, • rapid elasticity, and • measured service
EC2 • Amazon Elastic Compute Cloud (Amazon EC2) • A web service that provides resizable compute capacity in the cloud
EC2 - wikipedia • Allows users to rent computers on which to run their own applications. • A user boots an Amazon Machine Image (AMI) to create a virtual machine, which Amazon calls an "instance", containing any software desired.
EC2 - wikipedia • A user can create, launch, and terminate server instances as needed, paying by the hour for active servers – hence the term "elastic".
S3 • Amazon S3 (Simple Storage Service) is an online storage web service offered by Amazon Web Services. • Provides unlimited storage through a simple web services interface
S3 • $0.15 per gigabyte-month • 102 billion objects as of March 2010
POWER OF CLOUD • The New York Times used Amazon EC2 and S3 to create PDF's of 15M scanned news articles. • NASDAQ uses Amazon S3 to deliver historical stock information.
EXPLOITING CLOUD • Sample Task • Break PGP passphrases • Solution • Brute forcing PGP passphrases
EXPLOITING CLOUD • Try – ElcomSoft Distributed Password Recovery (with some patches to handle PGP ZIP) • Two elements - EDPR Managers & EDPR Agents
EXPLOITING CLOUD • On a fast dual-core Win7 box EDPR estimates about 2100 days for a complex passphrase. • Not acceptable – too long • Let’s exploit the cloud: the job parallelises across as many agents as we are willing to pay for.
EXPLOITING CLOUD • First things first – create an account on Amazon. Credit card required. • Install the Amazon EC2 API tools on your Linux box (they also need your X.509 key/cert in EC2_PRIVATE_KEY / EC2_CERT): • sudo apt-get install ec2-api-tools
EXPLOITING CLOUD • Select an AMI (Amazon Machine Image) • Example - use a 32-bit Windows AMI - ami-df20c3b6
EXPLOITING CLOUD • Start an instance from the Linux shell as follows (-k names the key pair, -g the security group): • ec2-run-instances ami-df20c3b6 -k ssh-keypair -g default
EXPLOITING CLOUD • Once the instance is up and running, enumerate the instance ID and public address of the running instance with the command • ec2-describe-instances
EXPLOITING CLOUD • Wait for the instance status to change from “pending” to “running” • Extract the Administrator password for the instance (decrypted with the key pair’s private key; on Windows AMIs it may take a few minutes after “running” before it is available) • ec2-get-password $instanceID -k ssh-keypair.pem
EXPLOITING CLOUD • Configure the EC2 firewall (security group) to permit inbound RDP to the instance from your own address only: • ec2-authorize default -P tcp -p 3389 -s $trusted_ip_address/32
EXPLOITING CLOUD • Configure the firewall in front of the EDPR Manager system to permit inbound TCP/12121 (the agent-to-manager port) from the agents. The deck opens it from anywhere; restricting it to the instances’ public IPs is safer. • RDP into the instance & configure EDPR
EXPLOITING CLOUD • Use the administrator password obtained from the ec2-get-password command to login to the instance.
EXPLOITING CLOUD • Install the EDPR Agent. • Configure the Agent to connect to the Manager. • Mainly 3 points to configure
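The slides above walk through the EC2 steps one at a time for a single instance. The script below is an added example (not code from the deck or from ElcomSoft) that chains the same ec2-api-tools commands for a whole fleet of agent instances: authorize RDP from one trusted address, launch N copies of the AMI, poll ec2-describe-instances until every instance is running, then print the instance ID, public DNS name and Administrator password per node so each can be RDP’d into and pointed at the EDPR Manager. Assumptions: the ec2-api-tools are installed and EC2_PRIVATE_KEY/EC2_CERT are set, the key pair is named ssh-keypair with ssh-keypair.pem in the working directory and the security group is default (both as in the deck), the instance type c1.medium is my choice, the -n count flag of ec2-run-instances is used for the fleet, and the tab-separated INSTANCE record layout (id, AMI, public DNS, private DNS, state) is that of the classic command-line tools. The sample describe-instances output used for the stand-alone run is constructed.

```shell
#!/bin/sh
# Added example: launch N EC2 agents for an EDPR job and collect their RDP
# credentials. Run with "launch <ami-id> <count> <trusted-ip>" for real;
# with no arguments it only parses constructed sample output (no AWS calls).
set -e

# Print "<id> <state> <public-dns>" for every INSTANCE record in ec2 tool
# output (ec2-run-instances and ec2-describe-instances share the layout:
# INSTANCE, id, ami, public-dns, private-dns, state, key-name, ...).
instance_records() {
  printf '%s\n' "$1" | awk -F'\t' '$1=="INSTANCE"{print $2, $6, $4}'
}

instance_ids() { instance_records "$1" | awk '{print $1}'; }

# Exit 0 when every instance is running, 1 while any is still pending,
# 2 when any instance is in another state (terminated, shutting-down ...)
# or when no INSTANCE record was found at all.
fleet_state() {
  instance_records "$1" | awk '
    $2=="running" {n++; next}
    $2=="pending" {n++; pend=1; next}
    {bad=1}
    END { if (bad || n==0) exit 2; if (pend) exit 1; exit 0 }'
}

# Validate a dotted-quad IPv4 address and print it as a /32 CIDR, so the
# RDP rule can never accidentally become 0.0.0.0/0.
slash32() {
  printf '%s\n' "$1" | awk -F. '
    NF==4 { for (i=1;i<=4;i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1
            print $0 "/32"; exit 0 }
    { exit 1 }'
}

# usage: launch_cracking_fleet <ami-id> <count> <trusted-ip>
launch_cracking_fleet() {
  ami=$1; count=$2
  cidr=$(slash32 "$3")
  # Inbound RDP to the default group from the operator's address only.
  ec2-authorize default -P tcp -p 3389 -s "$cidr"
  # c1.medium is an assumption (32-bit capable, CPU-heavy); adjust as needed.
  out=$(ec2-run-instances "$ami" -n "$count" -k ssh-keypair -g default -t c1.medium)
  ids=$(instance_ids "$out")
  while :; do
    out=$(ec2-describe-instances $ids)   # unquoted: one instance id per word
    rc=0; fleet_state "$out" || rc=$?
    case $rc in
      0) break ;;
      1) sleep 15 ;;
      *) echo "fleet left the pending/running states, aborting" >&2; return 1 ;;
    esac
  done
  # One Administrator password per agent; the RDP target is the public DNS
  # name. ec2-get-password needs the key pair's private key to decrypt it and
  # may return nothing for a few minutes after boot: rerun this loop if so.
  instance_records "$out" | while read -r id state dns; do
    printf '%s\t%s\t%s\n' "$id" "$dns" "$(ec2-get-password "$id" -k ssh-keypair.pem)"
  done
}

# Constructed sample of ec2-describe-instances output for the stand-alone run.
SAMPLE_DESCRIBE=$(printf 'RESERVATION\tr-0a1b2c3d\t123456789012\tdefault\nINSTANCE\ti-1111aaaa\tami-df20c3b6\tec2-203-0-113-10.compute-1.amazonaws.com\tip-10-0-0-1.ec2.internal\trunning\tssh-keypair\t0\t\tc1.medium\nINSTANCE\ti-2222bbbb\tami-df20c3b6\tec2-203-0-113-11.compute-1.amazonaws.com\tip-10-0-0-2.ec2.internal\trunning\tssh-keypair\t1\t\tc1.medium\n')

case "${1:-}" in
  launch) launch_cracking_fleet "${2:?ami-id}" "${3:?count}" "${4:?trusted ip}" ;;
  *)      instance_records "$SAMPLE_DESCRIBE" ;;
esac
```

The poll loop is what the slides do by hand with repeated ec2-describe-instances calls; treating any state other than pending/running as fatal keeps a half-terminated fleet from being billed while the script spins. Remember that every instance launched is charged by the hour, so terminate the fleet with ec2-terminate-instances once the EDPR job finishes.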