RSA Conference Europe 2012 – Hacking the Virtual World

Jason Hart, SafeNet

This talk demonstrates some live tools and hacking demos, so starts with the standard disclaimer;

ALWAYS GET PERMISSION IN WRITING!

Performing scans, password cracking etc. against systems without permission is illegal.

Use any mentioned tools and URLs at your own peril!

CIA – Confidentiality, Integrity, Availability / Accountability / Auditability, while still important has gone out of the window in terms of being the core mantra for many security professionals and managers.

Evolution of the environment and hacking;

1st Age: Servers  – FTP, Telnet, Mail, Web – the hack left a footprint

2nd Age: Browsers – Javascript, ActiveX, Java etc.  These are getting locked down, slowly and incompletely

3rd Age: Virtual Hacking – Gaining someone’s password is the skeleton key to their life and your business.  Accessing data from the virtual world can be simple – Simplest and getting easier!

Virtual World – with virtual back doors.  This is the same for cloud computing and local virtual environments.  What do you do to prevent your virtual environment administrators copying VMs and even taking these copies home?  You need to prove both ownership and control of your data.

The question is posed – how much have we really learnt over the last 15 years or so?  We need to go back to basics and re-visit the CIA model.  Think of the concept of a ‘secure breach’, if our important data is protected and secure, being breached will still not gain access to this.

Demo against VMWare 4.1 update 1.  Using a simple scan, you can find multiple VMware serers and consoles directly to the internet, remember though these attacks can easily be launched from within your environment.

Outside of this talk, this raises the question – how segregated are your networks.  Do you have separate management, server, and database etc. networks with strong ACL policies between them?  If not I’d recommend re-visiting your network architecture.  Now.

Once you find a vCentre server, the admin / password file is easily accessible and only hashed in in MD5.  This can be broken with rainbow tables very quickly.  You can then easily gain access to the console and thus control of the whole environment.

To make things even easier tools like metasploit make this sort of attack as simple as a series of mouse clicks.  I’d recommend checking out metasploit, it’s a great tool.

Look at www.cvedetails.com for details on just how many vulnerabilities there are, this site also classifies the vulnerabilities in terms of criticality and whether they impact CIA.  This is a great input into any risk assessment process.

Discussion around the pineapple wireless tool;

http://hakshop.myshopify.com/products/wifi-pineapple

In brief this tool can do things like;

–          Stealth Access Point for Man-in-the-Middle attacks

–          Mobile Broadband (3G USB) and Android Tethering

–          Manage from afar with persistent SSH tunnels

–          Relay or Deauth attack with auxiliary WiFi adapter

–          Web-based management simplify MITM attacks

–          Expandable with community modules

–          And much more – look it up if you are interested, it has huge capabilities!

This tool is only $99 for anyone who thought the barrier to entry for this type of functionality would be high.

Then try linking tool like this with the capabilities of software such a Cain and Abel;

http://www.oxid.it/cain.html

This is described as a password recovery tool, but can do so much more.  A prime example of the abilities of this tool is Arp poisoning such that you can see all the traffic on a given subnet / vlan.  I have personally used this to record (with approval of course!) VOIP calls in order to demonstrate the need to encrypt VOIP traffic.  Cain even nicely reconstructs individual call conversations for you!

This is another personal favourite of mine – if your VOIP is not encrypted, why not?  Does your board know if is trivially easy to record their calls or those of finance and HR etc. on your network?

Talk went on to cover some further easy attacks such as those using the power of Google search syntax to gain information such as from Dropbox, Skydrive, Google Docs etc.  An example was finding Cisco passwords in Google docs files.  This leads onto another question, are you aware of just how much data your organisation has exposed in the wild to people who merely know how to search intelligently and leverage the powerful searching capabilities of engines such as Google?

To make things even easier, Stach and Liu have a project called ‘Google Hacking Diggity Project’ that has created a feely downloadable tool for creating complex Google / Bing searches with specific tasks in mind such as hacking cloud storage etc.

This and various other attack and defence tools can be downloaded here;

http://www.stachliu.com/resources/tools/google-hacking-diggity-project/

I’d recommend you work with your organisation to use these constructively in order to understand your exposure and then plan to remediate any unacceptable risks you discover.  The live demonstration actually found files online with company usernames and passwords in, so this exposure is demonstrably real for many organisations.

Talk ended with a brief comment on social networking and how the data available here such as where you are from, which schools you went to etc. can give hackers easy access to the answers to all your ‘secret’ questions.

Remember the term ‘secure breach’ – are important data is all encrypted with strong, robust processes.  We were hacked, but it doesn’t matter.  The CI part of CIA is critical!

I loved this talk, some great demos and reminders of useful tools!

As mentioned at the start, please be sensible with the use of any of these tools and gain permission before using them against any systems.

K

What is your current Desktop strategy? part 1 – VDI options compared

If you are currently evaluating or planning to evaluate VDI (Virtual Desktop Infrastructure) solutions for your businesses it can be hard to know where to start, with various vendors currently offering mature solutions that will all meet the majority of businesses VDI requirements.  These include;

– Citrix Xendesktop

– Citrix VDI in a box

– VMware View

– Microsoft VDI

– Quest vWorkspace

When tasked with looking for a VDI solution for your company the first thing you should do, indeed the first thing you should do for most if not all projects, is understand the requirements from the solution.  For something like this that may be adding quite a lot of new functionality and future options to the business, this is likely to incorporate some of the usual solid requirements such as;

–         Number of users

–         Performance and scalability

–         Ease of management

–         Interoperability with existing user and management applications

–         Integration with existing infrastructure

–         …

In addition to the ‘solid’ requirements there will likely be a lot of potential ‘requirements’ that are effectively potential benefits the solution could bring to the business such as;

–         Improved data security

–         Improved resilience of the workstation environment

–         Improved agility of the workstation environment

–         Enabling BYOD

–         Improved productivity

–         Enabling ‘work from anywhere’

–         …

The next thing to do is to assess the various VDI products on the market in order to choose the best one for your environment.  Given the variety of solutions available, some Hypervisor independent, some dependant, some easier to manage and deploy, some with lower costs it can be a daunting and more importantly resource intensive task to assess and test all of the viable options.

This is where the very helpful and impartial ‘VDI smackdown’ from the guys at PQR comes in.  This document is kept reasonably up to date with version 1.3 released earlier this year.  This can be found here;

http://www.pqr.com/images/stories/Downloads/whitepapers/vdi%20smackdown.pdf

Note – free registration may be required to download the PDF.

The white paper covers topics including;

–         Desktop virtualisation concepts

–         Pros and cons of VDI (virtual desktop infrastructure)

–         Comparison of the different VDI vendors solutions and their features.

Overall this document is well worth a read if you are planning to embark on a new or upgrade VDI project or indeed if you just wish to learn more about VDI and the features currently available.

An upcoming post will cover some of the areas I think need to be considered when creating you virtual desktop strategy.

K

VMmark – VMWare performance and capacity planning

Need to test the potential scalability or performance of your VMWare virtual environment?  Then this tool from VMWare will possibly fit the bill;

http://www.vmware.com/products/vmmark/overview.html

VMmark is a free tool VMWare provides that enables you to assess the performance of a physical host when running a variety of workloads.  These different workloads are referred to as ’tiles’ as is demonstrated by this diagram;

This method can be used for testing the scalability of a single workload, multiples of a single type of workload, or a variety of workloads.  All of which may be the use case you need to understand prior to deployment or changes in requirements.

If you are looking to specify new hardware or understand the harware requirements of upcoming projects there are VMmark results for many server types and configurations already uploaded here;

http://www.vmware.com/a/vmmark/

This is a great reference for understanding real world server performance from actual users and companies other than VMWare.

K

VMWare Crib Sheets

I stumbled across this excellent VMWare blog called vReference that I wanted to share;

http://www.vreference.com/

This is overall an excellent blog written by a guy called Forbes Guthrie who has in depth VMWare knowledge and has even written (in conjunction with others) books on the topic.  This blog covers many VMWare / vSphere related topics from SAN booting to Windows clustering.

Of particular note are the reference cards he creates that are incredibly useful and cover a surprising amount of detail from maximum guest sizes to maximum numbers of hosts in a cluster through many useful command line installation options, storage management, and using vCentre..

vSphere 5 reference card can be found here;

http://www.vreference.com/vsphere-5-card/

vSphere 4.1 reference card can be found here;

http://www.vreference.com/vsphere4-card/

He even still has the 4.0 card for anyone yet to upgrade from this version.  I very much recommend move to a more current version in the near future if you are still on 4.0 as you’ll get many benefits in all areas from performance to BCP/DR to scalability and management!  4.0 card can be found here;

http://www.vreference.com/public/vReference-vSphere4card2.2.pdf

K

 

Some 2012 projects / plans

Following on from my brief overview of progress during 2011 I thought I would share some of the projects I’ll be undertaking during 2012.  This will give anuone reading this blog an idea of some of the likely content that will appear during this year on top of general thoughts and some book reviews.

1. Complete my masters, which assuming I have passed my most recent module means choosing and completing my project.  Based on the university schedule the bulk of this will be completed between April and September.  Now to decide on a topic!

2. Lead (co-chair) the Cloud Security Alliance – Security as a Service working group through the delivery of the planned implementation guides covering each of the categories detailed in the white paper we published in 2011.

3. Become a lot more familiar with the Xen hypervisor, in addition to the VMWare products in order to better assess virtualisation options for both desktops and servers.  This is for a combination of reasons around expanding my knowledge and better understanding the options around Xen (open source and Citrix variants) and VMWare and the various virtual desktop solutions.  Also with people like Amazon and Rackspace using Xen it must be worth a closer look..

4. Having recently done some study around secure coding I’ve been prompted that I should probably brush up my scripting skills, so I plan to put a little time into Perl this year.

…  Likely a few other things will be added around architecture, potentially some further study / research, databases and security, but these have yet to be finalised and I need to be realistic about what I’ll achieve this year.  I’d rather do less well than try to do too much and not be satisfied with the results!

Expect to see blog posts on the above topics throughout this year, feel free to email or comment if there are any specific areas you would like detailed blog posts on.

K