Archive for the ‘Uncategorized’ Category


Security, Data Protection and Surveillance of Cloud Data, BT-Drucksache 17/12259

21/04/2013

Over the weekend I found time to browse through this very interesting document:

“Minor interpellation (Kleine Anfrage) by Member of Parliament Andrej Hunko et al. and the parliamentary group DIE LINKE: Security, Data Protection and Surveillance of Cloud Data, BT-Drucksache 17/12259”

The document is available for download here.

A very interesting piece of information can be found in relation to question 22:

22. How many requests for mutual legal assistance for the preservation or disclosure of cloud data have which federal authorities submitted in the last two years to which institutions in which countries?

a) How many requests for mutual legal assistance for the preservation or disclosure of cloud data have which authorities of which countries submitted in the last two years to which federal authorities?
b) How was each of these requests answered?

The following statement was then given as the answer:

Re 22, a) and b)
Neither the number of incoming nor of outgoing requests for mutual legal assistance, nor the manner in which they were answered, is recorded statistically.

Very interesting. I now wonder why that might be? All sorts of things are recorded in our rather complex bureaucratic structures, so why not such interesting requests? ;)


Hiking the Nibelungensteig / 120 KM, 4000 m Elevation Gains in 40 Hours

13/04/2013

Over Easter, it was time again to reach out for the limits of my physical capabilities after the awesome trip in 2011 (200 KM in 3 days). This time, we focussed on the “Nibelungensteig” located near Frankfurt am Main, Germany.

From a cultural perspective, this trail has a lot of interesting locations to offer. Most of the tiny towns along the trail are worth visiting and exploring on foot. Unfortunately, we did not spend much time on this due to time constraints, so this is a compromise you have to make.

According to the website of the Nibelungensteig, the trail is quite challenging with about 124 KM in total and about 4000 meters of altitude that have to be climbed. I highly recommend downloading the GPS coordinates of the complete trail – an overview of the trail can be found here. But please be aware that in some parts the trail management has changed the route, so the GPS coordinates are not totally accurate.

Some of the pics we made along the trail:

One of the interesting things to see on the trail

Camping the night before we kicked off the trail

80 Km really kicked in

Not the best weather – rain, snow

Church

No hairdresser around ;)

Watch Out!

One of these very nice castles on the trail.


Roadtrip Turkey 2013

01/04/2013

Some while ago, I spent 10 days with old friends doing a roadtrip in the west of Turkey. Here is some basic information I’d like to share – perhaps it is helpful for some of you:

  • We started in Istanbul and rented a car beforehand via Internet – it’s highly recommended to pick up the car at the Airport on the Asian side (Sabiha Gokcen) in order to prevent getting crazy in the Istanbul downtown traffic jams.
  • We headed around the Sea of Marmara and drove down until Bergama – Bergama is nice for a 1-day trip.
  • From there, we headed to the north to visit the ancient ruins of Troia – 1/2 visit is sufficient except for people who love ruins ;)
  • Afterwards, continue north to Canakkale to visit the battlefields of the 1st WW and return back to Istanbul afterwards.
  • Turkish highways can drive Middle European drivers crazy – be aware!
  • We went there in March which is out of season and hotels, restaurants etc. welcome you with lower prices ;) However, you have to expect lower temperatures and bad weather as well.
  • Istanbul is awesome – if you have never been there before, stay at least for 3 days.

Some impressions of the trip:

 

One of the Mosques in Istanbul

One of the Mosques in Istanbul

One of the Mosques in Istanbul

Turn the Lights on in Istanbul!

Ship @ Night

Ship near Canakkale

Ruins in Bergama

Ruins in Bergama

Ruins in Bergama

Turkish Fruits

Istanbul

Istanbul

Contrasts of Istanbul

Istanbul

On a Ship over the Bosporus

Fresh Fish in Istanbul

Fresh Vegetables in Istanbul

No need to Hurry!

One of the Mosques in Istanbul


Paper: Cloud Forensics: A Meta-Study of Challenges, Approaches, and Open Problems

01/04/2013

Cloud Forensics: A Meta-Study of Challenges, Approaches, and Open Problems

Abstract:

In recent years, cloud computing has become popular as a cost-effective and efficient computing paradigm. Unfortunately, today’s cloud computing architectures are not designed for security and forensics. To date, very little research has been done to develop the theory and practice of cloud forensics. Many factors complicate forensic investigations in a cloud environment. First, the storage system is no longer local. Therefore, even with a subpoena, law enforcement agents cannot confiscate the suspect’s computer and get access to the suspect’s files. Second, each cloud server contains files from many users. Hence, it is not feasible to seize servers from a data center without violating the privacy of many other users. Third, even if the data belonging to a particular suspect is identified, separating it from other users’ data is difficult. Moreover, other than the cloud provider’s word, there is usually no evidence that links a given data file to a particular suspect. For such challenges, clouds cannot be used to store healthcare, business, or national security related data, which require audit and regulatory compliance. In this paper, we systematically examine the cloud forensics problem and explore the challenges and issues in cloud forensics. We then discuss existing research projects and finally, we highlight the open problems and future directions in cloud forensics research area. We posit that our systematic approach towards understanding the nature and challenges of cloud forensics will allow us to examine possible secure solution approaches, leading to increased trust on and adoption of cloud computing, especially in business, healthcare, and national security. This in turn will lead to lower cost and long-term benefit to our society as a whole.

Information:

Paper by Shams Zawoad, Ragib Hasan - PDF Download

Brief Discussion:

This paper does not completely bring up a new solution to an already existing problem but discusses work that has been done so far in this sector. Hence, this paper can be seen as an overview which is a good read in case you want to get an overview of the issues in this area. Overall, it strongly reminds me of our paper “Technical Issues of Forensic Investigations in Cloud Computing Environments” published 2 years ago.


Packrafting River Glatt / Switzerland – Part 2

25/03/2013

As promised in this blog post, we continued our mission to packraft the Glatt River from the Greifensee lake to the Rhine. This time, fortunately, it didn’t snow, but it was still bloody cold and the river was getting more challenging, as can be seen in the video. Due to the fact that we didn’t wear helmets and are still in the “learning phase”, we circumvented some white water rapids, which turned out to be the right decision in most cases ;)

However, again, it was an awesome trip we both totally enjoyed – watch out for some more stuff to come! Our Packrafting-TODO List for Switzerland is growing each and every day almost ;)

Packrafting the Glatt River – Switzerland – March 2013 – Part 2 from Domber42 on Vimeo.


Winter Hiking in Maloja, Engadin, Switzerland

19/02/2013

We spent only one weekend in Engadin, Switzerland, and did some walking on the frozen lake as well as a minor hike in the nearby mountains. St. Moritz is not a place normal people have to visit – not much special to see there except for rich and wannabe-rich people. ;)

Engadin

Highway to Hell

Winter Eyes

Engadin

Two Men in the Mirror

Frozen Water


Packrafting River Glatt / Switzerland

10/02/2013

Snow, degrees hardly above zero and from time to time some sun – what do you do then in Switzerland? Exactly – Skiing! Packrafting! ;)

This time we focussed on the river Glatt – starting at the Greifensee lake, we had to get out of the river several times due to some dams. After various hours, we finished this trip near the town of Rümlang. However, we will continue from here the next time and follow the Glatt river until it meets the Rhein.

Packrafting the Glatt River – Switzerland – February 2013 from Domber42 on Vimeo.


Winter Hiking the “Schwäbische Alb”

13/12/2012

Although it was around -10 degrees last weekend in Germany, it is always fun to go out into nature with good old friends and do some hiking. This time, the “Schwäbische Alb” was our main target. We started Friday evening around 7pm in Owen (Teck), slept in an old ruin and went on to Bad Urach on Saturday. Simple, straight and awesome!


Packrafting Vierwaldstättersee / Switzerland

13/11/2012

Lefix and I “wasted” last Saturday hiking and packrafting the area around the Vierwaldstättersee near Luzern. Unfortunately, I had forgotten my GPS watch, but we were able to draw an estimate of the trail we did on foot and by raft.


Finland 2012, Inari – Hiking, Packrafting, Trailrunning, Hitch-Hiking the Northern Hemisphere

11/11/2012

Well, this trip is already some weeks old, however I still need to find time to sort out all pictures and write down a brief report about it – let’s start with this one:

In the end of September, I went off to Inari, Finland, with two old friends in order to do a canoe trip combined with some hiking. In total, we spent 2 weeks there and experienced the end of summer and the early beginning of the winter – amazing. The nights were fresh with almost 0 degrees and some days quite cloudy. However, it didn’t rain a lot during the days.

At this time, the huts are abandoned and you have the lake of Inari for you alone. The same counts for the trails around Inari, Ivalo and upper north.

Here are some tips I want to share:

  • Inari and Ivalo are small towns, don’t expect something extraordinary here but there are at least places to get some food and basic gear.
  • Near the airport of Ivalo (3 km), on the way downtown, there is a place called “Riverside Camping”. You get a hut for 4 persons for about 35 Euros / night. They have also a small shop and a bar where on the weekends some locals drop by. Can recommend that place. ;)
  • Obviously there is no direct bus to Ivalo downtown from the airport – try hitch-hiking instead or walk (1 – 1.5 hours)
  • End of September/beginning of October: There are only a few busses / day which you can take to get from Ivalo to Inari –> try hitch-hiking instead. Cross the bridge in Ivalo towards Inari and start hitch-hiking at the bus stop 100 meters behind the bridge.
  • If you want to do a canoe trip out of season, book your canoe in advance.
  • The museum in Inari is worth visiting – spend 2-3 hours there. The people there are also very helpful in terms of trip preparation.
  • Renting a car: Do it via the Internet instead of booking it locally – it’s much cheaper. You can even go to the North Cape as we did – buy all food / beverages in Finland since Norway is much more expensive.
  • The trail to the wooden church near Inari is awesome – ask in the museum for the trail and further information.
  • The North Cape is just a place you have to go in order to tick the checkbox: “Have been there” – nothing special there.

Some pics from the trip:


Paper: Web-based Attacks on Host-Proof Encrypted Storage

04/11/2012

Web-based Attacks on Host-Proof Encrypted Storage

Abstract:

Cloud-based storage services, such as Wuala, and password managers, such as LastPass, are examples of so called host-proof web applications that aim to protect users from attacks on the servers that host their data. To this end, user data is encrypted on the client and the server is used only as a backup data store. Authorized users may access their data through client-side software, but for ease of use, many commercial applications also offer browser-based interfaces that enable features such as remote access, form-filling, and secure sharing.
We describe a series of web-based attacks on popular host-proof applications that completely circumvent their cryptographic protections. Our attacks exploit standard web application vulnerabilities to expose flaws in the encryption mechanisms, authorization policies, and key management implemented by these applications. Our analysis suggests that host-proofing by itself is not enough to protect users from web attackers, who will simply shift their focus to flaws in client-side interfaces.

Information:

Paper by K. Bhargavan, A. Delignat-Lavaud – 6th USENIX Workshop on Offensive Technologies (WOOT’12) - PDF Download

Brief Discussion:

This interesting paper describes a series of attacks against web-based, storage-only services. In principle, all data can be stored in a totally encrypted manner since server-based computation is not needed. The first issues come up when the browser is involved – how should the browser treat the encrypted data received from the server?

The paper describes several attacks, which have generally been known for years (CSRF etc.), and how the architecture can be tricked into disclosing e.g. the username/password for the service. Although the attacks are not brand-new, the authors make use of them to introduce real-world attacks on well-known services. Therefore, papers like this are needed to show the other side of the coin – Dropbox & Co bring along their own security issues.


Paper: Using the Cloud to Determine Key Strengths

09/10/2012

Using the Cloud to Determine Key Strengths

Abstract:

We develop a new methodology to assess cryptographic key strength using cloud computing, by calculating the true economic cost of (symmetric- or private-) key retrieval for the most common cryptographic primitives. Although the present paper gives both the current (2012) and last years (2011) costs, more importantly it provides the tools and infrastructure to derive new data points at any time in the future, while allowing for improvements such as of new algorithmic approaches. Over time the resulting data points will provide valuable insight in the selection of cryptographic key sizes.

Information:

Paper by T. Kleinjung, A.K. Lenstra, D. Page, N.P. Smart - PDF Download

Brief Discussion:

Recently on the airplane I read this paper and totally enjoyed it. It’s not a real “cloud” paper but focuses more on cryptographic key strengths and the potential power of highly scalable environments such as clouds. So basically, two main approaches dominate when it comes to assessing cryptographic primitives: software-oriented computations and special-purpose hardware that comes with substantial upfront costs. I should also mention that this is ongoing research – so check out this webpage where annual updates can be found: http://www.cs.bris.ac.uk/~nigel/Cloud-Keys/

Within the paper, the following algorithms are assessed: DES, AES, SHA-2 family, RSA and ECC. The cloud platform that is used is AWS EC2. The following techniques are used to attack the algorithms:

  • DES: bit-sliced implementation method of Biham
  • AES: traditional AES implementation due to keeping the general approach (it’s also interesting to mention that according to the authors, there is only little research in terms of AES specific hardware attacks due to the key space of 2^128)
  • SHA-2: parallel “distinguished points” method of van Oorschot and Wiener
  • RSA: Coppersmith’s variant of the Number Field Sieve (NFS) method
  • ECC: Pollard’s rho method

Finally, the results are interesting and can, due to the general approach, be repeated frequently. Interesting stuff – so keep in mind that even the cloud cannot solve all issues, fortunately. ;)


Paper: Calm before the Storm: The Emerging Challenges of Cloud Computing in Digital Forensics

14/09/2012

Calm before the Storm: The Emerging Challenges of Cloud Computing in Digital Forensics

Abstract:

Cloud computing is a rapidly evolving technological phenomenon. Rather than procure, deploy and manage a physical IT infrastructure to host its software applications, organizations are increasingly deploying the same into remote, virtualized environments, which can be hosted and managed by third party providers. This development in the IT landscape has significant implications for digital forensic investigators, toolkit developers and corporate compliance and audit departments. Much of digital forensic practice assumes careful control and management of IT assets (particularly data storage) during the conduct of an investigation. This paper summarises the key aspects of cloud computing and analyses how established digital forensic procedures will be invalidated in this new environment. Several immediate research agendas are proposed to begin addressing these new challenges.

Information:

Paper by G. Grispos, T. Storer, and W. B. Glisson - PDF Download

Brief Discussion:

During the review of this paper it turned out that the authors pretty much focused on the applicability of different existing digital forensic frameworks in cloud environments. So the paper can more or less be seen as an overview paper discussing the different aspects of cloud forensics. Detailed analysis of different aspects cannot be found – but the future work section lists some interesting items that should be in scope of future research activities. For me personally it’s sometimes hard to understand why people a) use references without numbers and b) huge line shifting ;) .


Hell Yeah! 33km Trailrun on a Monday Afternoon

12/09/2012

Knabenschiessen means in Zurich half a day off! Perfect time to run 33 km out of the box with the sun in your face. ;)

One friend who joined me is in a much better shape than I am when it comes to running such distances. So this time I was pushed hard instead of pushing others which made the whole concept kind of interesting for me. ;)  Anyway, we took the train to Siggenthal and tried to find the way back to Zurich. It took us about 4.5 hours to finish 33 km and approx. 1300 meters up and down. However, in the end we reached Zurich and really enjoyed this trip – the countryside is simply beautiful even in this area.

Map of the trail:

Some further pics I made during the trip:


Approaching the Rheinwaldhorn via Olivone – Tessin

02/09/2012

The weather forecast was pretty bad but it was still an awesome trail, although it wasn’t possible to put our original plans into reality. We took the bus until Olivone and camped on the way to the Lago di Luzzone. On Saturday, we hiked via the Lago Di Luzzone towards Passo del Laghetto. From 2000m altitude onwards, heavy snowfall cloaked the trails so we decided not to pass the Laghetto pass. I still share the opinion that this was the right decision. ;)

At the Capanna Adula UTOE about 40 persons had made a reservation and none of them showed up due to the bad weather forecast, according to the cottage owners. We were the only visitors this Saturday.

Conclusion: Another awesome trip – beautiful nature and views – weather was better than expected!

Contrasts

Lago di Luzzone

Ri di Carassino

Be careful

Lead me the way

Nice View

Snowman in August

Dark Mountains

Light at the end of the tunnel


New Website: cloud-investigation.com

24/08/2012

A few days ago, I put one of my new, tiny projects online: www.cloud-investigation.com

The intention of that website is quite clear: It will act as a web repository focusing solely on Cloud Forensics and Cloud Investigations. You can find research ideas, documents, statements etc. on this website which will be collected by myself. Also have a look at the Cloud Investigation Heat Map that will be updated regularly.


Paper: Secure Logging and Auditing in Electronic Health Records Systems: What Can We Learn from the Payment Card Industry

24/08/2012

Secure Logging and Auditing in Electronic Health Records Systems: What Can We Learn from the Payment Card Industry

Abstract:

not available

Information:

Position paper by Jason King, Laurie Williams – HealthSec’12 – PDF Download

Brief Discussion:

I read this article because I wanted to see the differences between PCI (Payment Card Industry) and HIT (Health Information Technology)  in terms of logging requirements from an academic security perspective. The authors are quite right with their statement: “If cardholder data is breached in the PCI, payment card companies may then remove fraudulent charges from the customer’s account and/or issue the customer a new payment card. However, once a person’s PHI has been breached, the PHI has been breached forever.”

In the short paper, you can find a brief comparison of logging requirements between PCI and HIT and also find the outcome that HIT needs to catch up with the PCI and hopefully surpass the PCI in terms of securing and protecting personal health information. Interesting …


Paper: From Real-Time Intercepts to Stored Records: Why Encryption Drives the Government to Seek Access to the Cloud

15/08/2012

From Real-Time Intercepts to Stored Records: Why Encryption Drives the Government to Seek Access to the Cloud

Abstract:

This paper explains how changing technology, especially the rising adoption of encryption, is shifting law enforcement and national security lawful access to far greater emphasis on stored records, notably records stored in the cloud. The major and growing reliance on surveillance access to stored records results from the following changes:

(1) Encryption. Adoption of strong encryption is becoming much more common for data and voice communications, via virtual private networks, encrypted webmail, SSL web sessions, and encrypted Voice over IP voice communications.

(2) Declining effectiveness of traditional wiretaps. Traditional wiretap techniques at the ISP or local telephone network increasingly encounter these encrypted communications, blocking the effectiveness of the traditional techniques.

(3) New importance of the cloud. Government access to communications thus increasingly relies on a new and limited set of methods, notably featuring access to stored records in the cloud.

(4) The “haves” and “have-nots.” The first three changes create a new division between the “haves” and “have-nots” when it comes to government access to communications. The “have-nots” become increasingly dependent, for access to communications, on cooperation from the “have” jurisdictions.

Part 1 of the paper describes the changing technology of wiretaps and government access. Part 2 documents the growing adoption of strong encryption in a wide and growing range of settings of interest to government agencies. Part 3 explains how these technological trends create a major shift from real-time intercepts to stored records, especially in the cloud.

Information:

Paper by Pete Swire – access online

Brief Discussion:

This paper discusses the effect of technical changes on likely paths for lawful access to communications information. Although none of the discussed topics are new, it is interesting to see how they are related to each other when it comes to lawful access to communications information.

The author discusses the traditional CALEA approach, stating that telecommunications carriers and manufacturers of telecommunications equipment design their products and services with the intention to ensure that they could carry out a lawful order to provide government access to communications. Secondly, the impact of strong encryption mechanisms on wiretapping capabilities is discussed.

In the third chapter, the four ways for agencies to access communications information are discussed:

  1. Break encryption in transit: Check out the implementation flaws of SSL/TLS implementations, basic PKI issues such as establishing trust relationships in the first instance etc.
  2. Intercept before or after encryption: Very important – so basically we have two entities that come into play here: a) the client and b) the server. The connection between a) and b) is encrypted but not the endpoints, leading to item 4.
  3. Assure access in unencrypted form
  4. Access after the fact, in stored form, often in the Cloud: The following statement given by the author is probably not known to the broad public but seems to be straightforward: “Similarly, because Skype interconnects with the traditional telephone network, it is required to be wiretap-ready under the 2005 FCC CALEA order, and agencies have reason to come to that company for access.”

    This whole section four is providing very good reasons why the key should never be stored at the CSP and therefore cloud-based solutions storing the encryption key right beside the ciphertext are somehow useless from a security perspective. However, the author also shares the opinion that proper encryption concepts will not be a big barrier for lawful access since a) there are still significant technical challenges for efficient search and retrieval of encrypted data and b) it is extremely risky for users to store data in the cloud without having a backup of the keys.


Eventual Consistency – High Impact on Cloud Forensics Capabilities?

04/08/2012

Recently, I stumbled upon a paper on “Eventual Consistency: How soon is eventual? - An Evaluation of Amazon S3’s Consistency Behavior” written by David Bermbach and Stefan Tai (both KIT). Although this paper has not been directly written for security but more for economic purposes, I consider it to have a high impact on the forensic capabilities in cloud environments. This is actually pretty interesting stuff.

Eventual Consistency describes a state in which a data object has not been fully replicated throughout the whole cloud storage environment. This means, it will be replicated in the future, however this requires a) time and b) no further errors in the replication process.

The authors proposed the following basic steps in order to measure the consistency:

  1. Create a timestamp.
  2. Write a version number to the storage system.
  3. Continuously read until the old version number is no longer returned, then create a new timestamp.
  4. Calculate the difference between the write timestamp and the second timestamp (time of the last read of the previous version).
  5. Repeat these steps to achieve statistical significance.

The results for S3 of AWS have been quite interesting and I can highly recommend having a look at the paper. But what’s the impact on forensics now?

Well, first of all, the approach mentioned above is quite interesting in terms of putting more light into the cloud blackbox. In general, I can see some basic similarities to the paper published by Ristenpart et al. The intention is somehow the same – isn’t it?

Secondly, this consistency issue is interesting in terms of data remnants that could be used in potential forensic investigations.

Example: 
Let’s assume that a customer uploads a data object into the cloud storage environment and of course, due to load balancing features, the data object is only uploaded to one specific storage server based in Europe first. After a given time frame n this object will be replicated to k different storage servers around the globe. However, due to the nature of the storage environment, only one data object with a specific name can be stored (see S3) at a time.

Furthermore, we now assume that this customer is in scope of a forensic investigation because it is assumed that the uploaded data objects contain information about potential terrorist attacks (bad example, I know ;) ). He knows that the law enforcement agencies will come after him and therefore tries to get rid of all data objects in his cloud storage account. He knows that simple deletion is not enough and hence he decides to upload random data objects with the same name in order to overwrite the existing sensitive data objects (versioning is not provided by the CSP). In terms of cloud forensics, the following two cases could be interesting for the forensic examiners:

Huge replication time window:
Given the case that the time n needed to replicate the random data objects to all storage servers is high, the forensic examiners could still be able to extract the sensitive data from other servers. On these servers the old data object is still available.

Error in Replication Process:
The forensic examiners should consider and investigate the case that the replication to all k storage servers hasn’t been successful. There is still a chance that only e.g. k-3 storage servers have received the new data object and the old data object is still available on 3 servers globally.

Finally, I guess this topic could be worth to be investigated further from a forensics perspective. ;)
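The measurement steps and the two forensic cases above, as an added example (not code from the paper or from this blog): a simulated store with k replicas in which the replication delays, the round-robin read routing and the object names are assumptions constructed for illustration.

```python
"""Simulated eventually consistent store (constructed; not S3 and not the paper's code)."""


class SimulatedStore:
    """k replicas; a write reaches replica i after delays_ms[i] (None = never)."""

    def __init__(self, k):
        self.now = 0                          # simulated clock in milliseconds
        self.replicas = [{} for _ in range(k)]
        self.pending = []                     # (due_ms, replica_index, key, value)
        self._next = 0                        # round-robin read pointer (assumption)

    def tick(self, ms):
        """Advance the clock and apply every replication that has become due."""
        self.now += ms
        still_pending = []
        for due, idx, key, value in sorted(self.pending, key=lambda p: p[0]):
            if due <= self.now:
                self.replicas[idx][key] = value
            else:
                still_pending.append((due, idx, key, value))
        self.pending = still_pending

    def write(self, key, value, delays_ms):
        for idx, delay in enumerate(delays_ms):
            if delay is not None:             # None models a failed replication
                self.pending.append((self.now + delay, idx, key, value))
        self.tick(0)                          # zero-delay copies land immediately

    def read(self, key):
        idx = self._next % len(self.replicas)
        self._next += 1
        return self.replicas[idx].get(key)


def measure_window(store, key, version, delays_ms, poll_ms=10, timeout_ms=60_000):
    """Steps 1-4: time between the write and the last read that was not `version`."""
    t_write = store.now                       # step 1: timestamp
    store.write(key, version, delays_ms)      # step 2: write the version number
    last_stale, fresh_streak = t_write, 0
    while fresh_streak < len(store.replicas): # step 3: poll until a full fresh round
        if store.now - t_write > timeout_ms:
            return None                       # some replica never converged
        if store.read(key) == version:
            fresh_streak += 1
        else:
            last_stale, fresh_streak = store.now, 0
        store.tick(poll_ms)
    return last_stale - t_write               # step 4: inconsistency window in ms


def repeat_measurement(k, delay_profiles):
    """Step 5: repeat on fresh stores and collect the observed windows."""
    return [measure_window(SimulatedStore(k), "obj", 1, d) for d in delay_profiles]


def remnants(store, key, current):
    """Replica indices that still hold a copy of `key` other than `current`."""
    return [i for i, r in enumerate(store.replicas) if key in r and r[key] != current]


def overwrite_scenario(k, delays_ms, examine_after_ms):
    """Original object fully replicated, then overwritten under the same name."""
    store = SimulatedStore(k)
    store.write("report.doc", "SENSITIVE", [0] * k)
    store.write("report.doc", "random-bytes", delays_ms)
    store.tick(examine_after_ms)              # moment the examiner looks
    return remnants(store, "report.doc", "random-bytes")


if __name__ == "__main__":
    print("windows (ms):", repeat_measurement(3, [[0, 120, 450], [0, 30, 60]]))
    # Huge replication window: two replicas are an hour behind the overwrite.
    print("slow:", overwrite_scenario(5, [0, 500, 500, 3_600_000, 3_600_000], 60_000))
    # Replication error: only k-3 replicas ever receive the overwrite.
    print("failed:", overwrite_scenario(5, [0, 500, None, None, None], 10**9))
```

The replica indices returned by `remnants` are the servers on which the old object would still be recoverable at the moment of examination.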


Trail: Züri Oberland-Höhenweg

29/07/2012

I was totally aware of the fact that today’s weather forecast was bad – rain, rain, rain – however after weeks with heavy business as well as private workload I felt the need of going out there and check whether my old and wasted body is still working when I want him to do so. ;)

On wanderland.ch (very helpful site btw.) I came across the following trail: Züri Oberland-Höhenweg
So my intention was clear – jump in fast and finish faster – at least a part since the complete trail is about 72Km ;)

Unfortunately, I started pretty late in Turbenthal where my train arrived. Then I had some issues with my GPS – hence, the recording omitted the first few kilometers.

Here is some data I extracted from my GPS-enabled watch:

Complete time for the trail: 4:34 hours (including only short stops)
Distance: 32,2 KM
Wasted Calories: 4265 Cal
Climb-up: 1209m
Climb-down: 1114m

Map of the trail:

Scale of Meters in Altitude:

Some further pics I made during the trip (sorry for the bad quality – mobile cam only):
