Posts Tagged ‘cloud security’


Security, Data Protection and Surveillance of Cloud Data – BT-Drucksache 17/12259

21/04/2013

Over the weekend I found some time to leaf through this really quite interesting document:

“Minor interpellation (Kleine Anfrage) by Member of Parliament Andrej Hunko et al. and the parliamentary group DIE LINKE. Security, Data Protection and Surveillance of Cloud Data, BT-Drucksache 17/12259”


The document is available for download here.

A very interesting piece of information can be found in relation to question 22:

22. How many requests for mutual legal assistance for the preservation or disclosure of cloud data have which federal authorities submitted to which institutions in which countries over the past two years?

a) How many requests for mutual legal assistance for the preservation or disclosure of cloud data have which authorities of which countries submitted to which federal authorities over the past two years?
b) How was each of these requests answered?

The following statement was then given as the answer:

Re 22, a) and b)
Neither the number of incoming or outgoing requests for mutual legal assistance nor the manner in which they were answered is recorded statistically.

Very interesting – I now wonder why that might be? All sorts of things are recorded in our thoroughly complex bureaucratic structures – so why not such interesting requests? ;)


Paper: Cloud Forensics: A Meta-Study of Challenges, Approaches, and Open Problems

01/04/2013

Cloud Forensics: A Meta-Study of Challenges, Approaches, and Open Problems

Abstract:

In recent years, cloud computing has become popular as a cost-effective and efficient computing paradigm. Unfortunately, today’s cloud computing architectures are not designed for security and forensics. To date, very little research has been done to develop the theory and practice of cloud forensics. Many factors complicate forensic investigations in a cloud environment. First, the storage system is no longer local. Therefore, even with a subpoena, law enforcement agents cannot confiscate the suspect’s computer and get access to the suspect’s files. Second, each cloud server contains files from many users. Hence, it is not feasible to seize servers from a data center without violating the privacy of many other users. Third, even if the data belonging to a particular suspect is identified, separating it from other users’ data is difficult. Moreover, other than the cloud provider’s word, there is usually no evidence that links a given data file to a particular suspect. For such challenges, clouds cannot be used to store healthcare, business, or national security related data, which require audit and regulatory compliance. In this paper, we systematically examine the cloud forensics problem and explore the challenges and issues in cloud forensics. We then discuss existing research projects and finally, we highlight the open problems and future directions in cloud forensics research area. We posit that our systematic approach towards understanding the nature and challenges of cloud forensics will allow us to examine possible secure solution approaches, leading to increased trust on and adoption of cloud computing, especially in business, healthcare, and national security. This in turn will lead to lower cost and long-term benefit to our society as a whole.

Information:

Paper by Shams Zawoad, Ragib Hasan - PDF Download

Brief Discussion:

This paper does not propose a new solution to an existing problem; instead it discusses the work that has been done so far in this area. It is therefore an overview paper and a good read if you want to survey the issues in this field. Overall, it strongly reminds me of our paper “Technical Issues of Forensic Investigations in Cloud Computing Environments” published 2 years ago.


Paper: Web-based Attacks on Host-Proof Encrypted Storage

04/11/2012

Web-based Attacks on Host-Proof Encrypted Storage

Abstract:

Cloud-based storage services, such as Wuala, and password managers, such as LastPass, are examples of so called host-proof web applications that aim to protect users from attacks on the servers that host their data. To this end, user data is encrypted on the client and the server is used only as a backup data store. Authorized users may access their data through client-side software, but for ease of use, many commercial applications also offer browser-based interfaces that enable features such as remote access, form-filling, and secure sharing.
We describe a series of web-based attacks on popular host-proof applications that completely circumvent their cryptographic protections. Our attacks exploit standard web application vulnerabilities to expose flaws in the encryption mechanisms, authorization policies, and key management implemented by these applications. Our analysis suggests that host-proofing by itself is not enough to protect users from web attackers, who will simply shift their focus to flaws in client-side interfaces.

Information:

Paper by K. Bhargavan, A. Delignat-Lavaud – 6th USENIX Workshop on Offensive Technologies (WOOT’12) - PDF Download

Brief Discussion:

This interesting paper describes a series of attacks on web-based, storage-only services. In principle, all data can be stored fully encrypted, since no server-side computation is needed. The first issues come up when the browser is involved – how should the browser treat the encrypted data received from the server?

The paper describes several attacks that have, in general, been known for years (CSRF etc.) and shows how the architecture can be tricked into disclosing, for example, the username/password for the service. Although the attacks are not brand new, the authors use them to build real-world attacks on well-known services. Papers like this are therefore needed to show the other side of the coin: Dropbox & Co bring along their own security issues.


Paper: Using the Cloud to Determine Key Strengths

09/10/2012

Using the Cloud to Determine Key Strengths

Abstract:

We develop a new methodology to assess cryptographic key strength using cloud computing, by calculating the true economic cost of (symmetric- or private-) key retrieval for the most common cryptographic primitives. Although the present paper gives both the current (2012) and last years (2011) costs, more importantly it provides the tools and infrastructure to derive new data points at any time in the future, while allowing for improvements such as of new algorithmic approaches. Over time the resulting data points will provide valuable insight in the selection of cryptographic key sizes.

Information:

Paper by T. Kleinjung, A.K. Lenstra, D. Page, N.P. Smart - PDF Download

Brief Discussion:

Recently on the airplane I read this paper and totally enjoyed it. It’s not a real “cloud” paper; it focuses more on cryptographic key strengths and the potential power of highly scalable environments such as clouds. Basically, two main approaches dominate when assessing cryptographic primitives: software-oriented computations and special-purpose hardware, which comes with substantial upfront costs. I should also mention that this is ongoing research, so check out this webpage, where annual updates can be found: http://www.cs.bris.ac.uk/~nigel/Cloud-Keys/

Within the paper, the following algorithms are assessed: DES, AES, SHA-2 family, RSA and ECC. The cloud platform that is used is AWS EC2. The following techniques are used to attack the algorithms:

DES: bit-sliced implementation method of Biham
AES: a traditional AES implementation, in keeping with the general approach (interestingly, according to the authors there is only little research on AES-specific hardware attacks, owing to the key space of 2^128)
SHA-2: parallel “distinguished points” method of van Oorschot and Wiener
RSA: Coppersmith’s variant of the Number Field Sieve (NFS) method
ECC: Pollard’s rho method

Finally, the results are interesting and, thanks to the general approach, the measurements can be repeated frequently. Interesting stuff – so keep in mind that even the cloud cannot solve all issues, fortunately. ;)


Paper: Calm before the Storm: The Emerging Challenges of Cloud Computing in Digital Forensics

14/09/2012

Calm before the Storm: The Emerging Challenges of Cloud Computing in Digital Forensics

Abstract:

Cloud computing is a rapidly evolving technological phenomenon. Rather than procure, deploy and manage a physical IT infrastructure to host its software applications, organizations are increasingly deploying the same into remote, virtualized environments, which can be hosted and managed by third party providers. This development in the IT landscape has significant implications for digital forensic investigators, toolkit developers and corporate compliance and audit departments. Much of digital forensic practice assumes careful control and management of IT assets (particularly data storage) during the conduct of an investigation. This paper summarises the key aspects of cloud computing and analyses how established digital forensic procedures will be invalidated in this new environment. Several immediate research agendas are proposed to begin addressing these new challenges.

Information:

Paper by G. Grispos, T. Storer, and W. B. Glisson - PDF Download

Brief Discussion:

During the review of this paper it turned out that the authors pretty much focused on the applicability of different existing digital forensic frameworks in cloud environments. So the paper can more or less be seen as an overview paper discussing the different aspects of cloud forensics. A detailed analysis of individual aspects cannot be found – but the future work section lists some interesting items that should be in scope of future research activities. For me personally it’s sometimes hard to understand why people a) use references without numbers and b) use huge line shifting ;) .


New Website: cloud-investigation.com

24/08/2012

A few days ago, I put one of my new, tiny projects online: www.cloud-investigation.com

The intention of that website is quite clear: It will act as a web repository focusing solely on Cloud Forensics and Cloud Investigations. You can find research ideas, documents, statements etc. on this website which will be collected by myself. Also have a look at the Cloud Investigation Heat Map that will be updated regularly.


Paper: From Real-Time Intercepts to Stored Records: Why Encryption Drives the Government to Seek Access to the Cloud

15/08/2012

From Real-Time Intercepts to Stored Records: Why Encryption Drives the Government to Seek Access to the Cloud

Abstract:

This paper explains how changing technology, especially the rising adoption of encryption, is shifting law enforcement and national security lawful access to far greater emphasis on stored records, notably records stored in the cloud. The major and growing reliance on surveillance access to stored records results from the following changes:

(1) Encryption. Adoption of strong encryption is becoming much more common for data and voice communications, via virtual private networks, encrypted webmail, SSL web sessions, and encrypted Voice over IP voice communications.

(2) Declining effectiveness of traditional wiretaps. Traditional wiretap techniques at the ISP or local telephone network increasingly encounter these encrypted communications, blocking the effectiveness of the traditional techniques.

(3) New importance of the cloud. Government access to communications thus increasingly relies on a new and limited set of methods, notably featuring access to stored records in the cloud.

(4) The “haves” and “have-nots.” The first three changes create a new division between the “haves” and “have-nots” when it comes to government access to communications. The “have-nots” become increasingly dependent, for access to communications, on cooperation from the “have” jurisdictions.

Part 1 of the paper describes the changing technology of wiretaps and government access. Part 2 documents the growing adoption of strong encryption in a wide and growing range of settings of interest to government agencies. Part 3 explains how these technological trends create a major shift from real-time intercepts to stored records, especially in the cloud.

Information:

Paper by Pete Swire – access online

Brief Discussion:

This paper discusses the effect of technical changes on likely paths for lawful access to communications information. Although none of the discussed topics are new, it is interesting to see how they are related to each other when it comes to lawful access to communications information.

The author discusses the traditional CALEA approach, under which telecommunications carriers and manufacturers of telecommunications equipment design their products and services so that they can carry out a lawful order to provide government access to communications. Secondly, the impact of strong encryption mechanisms on wiretapping capabilities is discussed.

In the third chapter, the four ways for agencies to access communications information are discussed:

  1. Break encryption in transit: Check out the implementation flaws of SSL/TLS implementations, basic PKI issues such as establishing trust relationships in the first instance etc.
  2. Intercept before or after encryption: Very important – basically, two entities come into play here: a) the client and b) the server. The connection between a) and b) is encrypted, but the endpoints are not, which leads to item 4.
  3. Assure access in unencrypted form
  4. Access after the fact, in stored form, often in the Cloud: The following statement given by the author is probably not known to the broad public but seems to be straightforward: “Similarly, because Skype interconnects with the traditional telephone network, it is required to be wiretap-ready under the 2005 FCC CALEA order, and agencies have reason to come to that company for access.”

    This whole section four provides very good reasons why the key should never be stored at the CSP; cloud-based solutions that store the encryption key right beside the ciphertext are therefore somehow useless from a security perspective. However, the author also shares the opinion that proper encryption concepts will not be a big barrier for lawful access since a) there are still significant technical challenges for efficient search and retrieval of encrypted data and b) it is extremely risky for users to store data in the cloud without having a backup of the keys.


Eventual Consistency – High Impact on Cloud Forensics Capabilities?

04/08/2012

Recently, I stumbled upon a paper on “Eventual Consistency: How soon is eventual? - An Evaluation of Amazon S3’s Consistency Behavior” written by David Bermbach and Stefan Tai (both KIT). Although this paper has not been directly written for security but more for economic purposes, I consider it to have a high impact on the forensic capabilities in cloud environments. This is actually pretty interesting stuff.

Eventual Consistency describes a state in which a data object has not been fully replicated throughout the whole cloud storage environment. This means, it will be replicated in the future, however this requires a) time and b) no further errors in the replication process.

The authors proposed the following basic steps in order to measure the consistency:

  1. Create a timestamp.
  2. Write a version number to the storage system.
  3. Continuously read until the old version number is no longer returned, then create a new timestamp.
  4. Calculate the difference between the write timestamp and the second timestamp (time of the last read of the previous version).
  5. Repeat these steps to achieve statistical significance.

The results for S3 of AWS have been quite interesting and I can highly recommend to have a look at the paper. But what’s the impact on forensics now?

Well, first of all, the approach mentioned above is quite interesting in terms of putting more light into the cloud blackbox. In general, I can see some basic similarities to the paper published by Ristenpart et al. The intention is somehow the same – isn’t it?

Secondly, this consistency issue is interesting in terms of data remnants that could be used in potential forensic investigations.

Example: 
Let’s assume that a customer uploads a data object into the cloud storage environment and of course, due to load balancing features, the data object is only uploaded to one specific storage server based in Europe first. After a given time frame n this object will be replicated to k different storage servers around the globe. However, due to the nature of the storage environment, only one data object with a specific name can be stored (see S3) at a time.

Furthermore, we assume that this customer is now in scope of a forensic investigation because it is assumed that the uploaded data objects contain information about potential terrorist attacks (bad example, I know ;) ). He knows that the law enforcement agencies will come after him and therefore tries to get rid of all data objects in his cloud storage account. He knows that simple deletion is not enough and hence he decides to upload random data objects with the same name in order to overwrite the existing sensitive data objects (versioning is not provided by the CSP). In terms of cloud forensics, the following two cases could be interesting for the forensic examiners:

Huge replication time window:
If the time n needed to replicate the random data objects to all storage servers is high, the forensic examiners could still be able to extract the sensitive data from other servers. On these servers the old data object is still available.

Error in Replication Process:
The forensic examiners should consider and investigate the case that the replication to all k storage servers hasn’t been successful. There is still a chance, that only e.g. k-3 storage servers have received the new data object and the old data object is still available on 3 servers globally.

Finally, I guess this topic could be worth investigating further from a forensics perspective. ;)
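The five measurement steps and the two forensic cases above, run against a simulated store, as an added example that is not taken from the paper or from the original post. The store model (5 replicas, random replication lag, an optional replica that never receives updates), the polling interval and the stopping rule of 200 consecutive fresh reads are assumptions; no real S3 API is called.

```python
import random
import statistics


class EventuallyConsistentStore:
    """Constructed toy model: one object, several copies, lazy replication."""

    def __init__(self, replicas, max_lag, rng, broken=()):
        self.rng = rng
        self.max_lag = max_lag      # upper bound on replication delay (seconds)
        self.broken = set(broken)   # replica indices that never receive updates
        self.clock = 0.0            # simulated time, advanced by the measuring client
        # Every replica holds (visible_from, version) pairs; version 0 is everywhere.
        self.copies = [[(0.0, 0)] for _ in range(replicas)]

    def write(self, version):
        healthy = [i for i in range(len(self.copies)) if i not in self.broken]
        first = self.rng.choice(healthy)    # the write lands on one replica first
        for i in healthy:
            lag = 0.0 if i == first else self.rng.uniform(0.0, self.max_lag)
            self.copies[i].append((self.clock + lag, version))

    def version_on(self, replica):
        return max(v for t, v in self.copies[replica] if t <= self.clock)

    def read(self):
        # The client cannot choose a replica; the load balancer picks one.
        return self.version_on(self.rng.randrange(len(self.copies)))

    def stale_replicas(self, version):
        """Provider-side view: replicas still holding an older version."""
        return [i for i in range(len(self.copies)) if self.version_on(i) < version]


def measure_window(store, version, poll=0.01, settle=200, timeout=30.0):
    """Steps 1-4: returns the inconsistency window, or None if stale reads persist."""
    t_write = store.clock                   # step 1: timestamp
    store.write(version)                    # step 2: write the new version number
    last_stale, fresh_run = t_write, 0
    while fresh_run < settle:               # step 3: read continuously
        if store.clock - t_write > timeout:
            return None                     # the old version is still being served
        if store.read() < version:
            last_stale, fresh_run = store.clock, 0
        else:
            fresh_run += 1
        store.clock += poll
    return last_stale - t_write             # step 4: last stale read minus write time


def run_experiment(runs=20, seed=1, broken=()):
    """Step 5: repeat the measurement and summarise the windows."""
    rng = random.Random(seed)
    store = EventuallyConsistentStore(replicas=5, max_lag=2.0, rng=rng, broken=broken)
    windows = []
    for version in range(1, runs + 1):
        window = measure_window(store, version)
        if window is None:
            # "Error in replication process": report where the old object survives.
            return {"converged": False,
                    "stale_replicas": store.stale_replicas(version)}
        windows.append(window)
    return {"converged": True,
            "median": statistics.median(windows),
            "max": max(windows)}


if __name__ == "__main__":
    print("healthy store:      ", run_experiment())
    print("replica 3 is broken:", run_experiment(broken=(3,)))
```

In the healthy run the maximum window bounds how long an overwritten object can still be read from some replica; in the broken run the measurement never settles and the old object remains on the replica that missed the update.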


Paper: Challenges for Provenance in Cloud Computing

13/04/2012

Challenges for Provenance in Cloud Computing

Abstract:

Many applications which require provenance are now moving to cloud infrastructures. However, it is not widely realised that clouds have their own need for provenance due to their dynamic nature and the burden this places on their administrators. We analyse the structure of cloud computing to identify the unique challenges facing provenance collection and the scenarios in which additional provenance data could be useful.

Information:

Paper by Imad M. Abbadi and John Lyle - Proceedings of the Third USENIX Workshop on the Theory and Practice of Provenance (TaPP 2011) - PDF Download

Brief Discussion:

Within this paper, the authors try to identify the unique challenges facing provenance information in cloud environments. This is a very important topic which will definitely receive more attention during the next years since incidents/forensics in such environments will also become more important.

Though the paper is short, it discusses the specific challenges of provenance data in the cloud very well. The authors propose that all layers, sub-layers and groups of a cloud system should incorporate a mechanism to support the collection of linkable data providing the provenance of events related to a specific activity. This sounds good – however it is not discussed how this shall be achieved.


Paper: Cloud Forensics

29/03/2012

Cloud Forensics

Abstract:

Cloud computing may well become one of the most transformative technologies in the history of computing. Cloud service providers and customers have yet to establish adequate forensic capabilities that could support investigations of criminal activities in the cloud. This paper discusses the emerging area of cloud forensics, and highlights its challenges and opportunities.

Information:

Paper by Keyun Ruan, Joe Carthy, Tahar Kechadi and Mark Crosbie – PDF Download (paywall)

Brief Discussion:

This paper discusses the emerging area of cloud forensics and highlights its challenges and opportunities.

So for me the most interesting part of the paper is what the authors expect of the notion “cloud forensics”. What exactly does it mean to them?

The first phrase considering this point is stated in section 2: “Cloud forensics is a subset of network forensics.”

Well, I totally disagree. Network forensics is an important part of cloud forensics because the network is a huge part of today’s cloud environments. However, afaik it is not a good idea to reduce cloud forensics to network forensics. What about the client? What about the VM? What about the application? These components are not covered by simple network forensics.

Later on in section 2.1, the authors state that “forensic data includes client-side artifacts that reside on client premises and provider-side artifacts that are located in the provider infrastructure.” There we go – so how can we address these artifacts with simple network forensics?


Paper: Leveraging Forensic Tools for Virtual Machine Introspection

06/03/2012

Leveraging Forensic Tools for Virtual Machine Introspection 

Abstract:

Virtual machine introspection (VMI) has formed the basis of a number of novel approaches to security in recent years. Although the isolation provided by a virtualized environment provides improved security, software that makes use of VMI must overcome the semantic gap, reconstructing high-level state information from low-level data sources such as physical memory. The digital forensics community has likewise grappled with semantic gap problems in the field of forensic memory analysis (FMA), which seeks to extract forensically relevant information from dumps of physical memory. In this paper, we will show that work done by the forensic community is directly applicable to the VMI problem, and that by providing an interface between the two worlds, the difficulty of developing new virtualization security solutions can be significantly reduced.

Information:

Paper by B. Dolan-Gavitt, B. Payne, W. Lee - Technical Report - PDF Download

Brief Discussion:

Within this technical report, the authors want to show that the efforts and progress made by the forensic community are directly applicable to the virtual machine introspection (VMI) problem. Normally, this is not an easy task since high-level semantic knowledge about the guest operating system must be reconstructed based on low-level sources such as physical memory and CPU registers. The authors refer to this problem as the semantic gap.

In the paper, the authors differentiate between VMI and forensic memory analysis (FMA) – the main difference is that VMI operates at runtime whereas FMA is static and already known to the research community. However, both techniques also have something in common: They rely on physical memory in order to reconstruct states of the OS. Hence, VMI as well as FMA applications must be able to translate virtual addresses to their physical location in memory. Since VMI is a live forensic investigation, one huge difficulty comes up: The CPU and the memory state will change as analysis is performed.

The authors also discuss how forensic tools could be used for VMI – they need to access the memory of the guest VM and this can be done in two ways: attach existing forensic software to the VM or present the memory of the VM to the forensic application in a way it understands. The authors implemented both ways: filesystem interface and extension API.


Paper: Cloud Computing and Data Jurisdiction: A New Challenge for Digital Forensics

14/02/2012

Cloud Computing and Data Jurisdiction: A New Challenge for Digital Forensics

Abstract:

Although it has become clear that digital forensics – the practical analysis of digital data following the acquisition of a bit-stream image of a suspect’s hard disk – suffered a setback with the wide adoption of mobile devices and the increasing use of flash memory and encryption systems, it is undoubtedly also the case that it experienced a fundamental change due to the incredible expansion of cloud computing systems. In this article, the aim is to study the jurisdictional problems that cloud computing systems cause and the possible solutions at an EU level that have been adopted by legislators and the courts of the European Union in relation to the gathering of digital evidence that may be concealed in the ‘clouds’. Particular attention must be paid to German and Italian case law experience as Courts in these countries have addressed the problem, providing different solutions to resolve the same problem.

Information:

Paper by G. Vaciago – published at CYBERLAWS 2012 - PDF Download

Brief Discussion:

Disclaimer first – this is primarily a legal paper and hardly touches any technical aspects. However, I was directed to this paper by a lawyer and since it consists only of 6 pages, I had a quick read. ;)

The author tried to focus on the jurisdictional problems that cloud systems cause and discussed the possible solutions at an EU level that have been adopted by legislators and the courts of the European Union. He paid particular attention to the German and the Italian case law experience.

Since I’m not a lawyer, I can’t discuss the complete paper due to missing skills of mine within this field. However, the comparison of the different approaches to the “loss of location” issue could be quite interesting for engineers as well. Loss of location is another way of saying: Cloud environments come along with the possibility to put digital data onto a set of servers whose location is not totally clear to the customer. This means the customer could be based in one jurisdiction while his/her data, which is processed e.g. on a daily basis, is located in another jurisdiction.

Within this paper, four principles are explained:

  1. Territorial Principle by Virtue: The court in the place where the data is located obtains the jurisdiction.
  2. Nationality Principle by Virtue: The nationality of an adversary is used to establish criminal jurisdiction.
  3. Flag Principle: Crimes committed on ships, aircraft etc. are subject to the jurisdiction of the flag state.
  4. Power of Disposal Approach: More information can be found here.

UPDATE: I discussed the content of this paper with a lawyer and he asked what this paper has to do with cloud computing except for the discussion of the principles? The rest of the cases that are discussed have little or nothing to do with cloud computing at all. Interesting … ;)


Paper: Investigating the Implications of Virtual Machine Introspection for Digital Forensics

06/02/2012

Investigating the Implications of Virtual Machine Introspection for Digital Forensics

Abstract:

Researchers and practitioners in computer forensics currently must base their analysis on information that is either incomplete or produced by tools that may themselves be compromised as a result of the intrusion. Complicating these issues are the techniques employed by the investigators themselves. If the system is quiescent when examined, most of the information in memory has been lost. If the system is active, the kernel and programs used by the forensic investigators are likely to influence the results and as such are themselves suspect. Using virtual machines and a technique called virtual machine introspection can help overcome these limits, but it introduces its own research challenges. Recent developments in virtual machine introspection have led to the identification of four initial priority research areas in virtual machine introspection including virtual machine introspection tool development, applications of virtual machine introspection to non-quiescent virtual machines, virtual machine introspection covert operations, and virtual machine introspection detection.

Information:

Paper by K. Nance, B. Hay and M. Bishop - paper in Proceedings of the 2009 International Conference on Availability, Reliability and Security - PDF Download

Brief Discussion:

The paper begins with an interesting statement: Researchers and forensic practitioners base their analysis typically on information that is either incomplete or produced by tools that may themselves be compromised as a result of the intrusion. I can totally agree – logfiles, for instance, that are stored on the compromised system, cannot be viewed as a reliable source of information. The adversary could have modified or deleted them.

The authors argue that non-quiescent (e.g. live) analysis is becoming more common but also suffers from effects such as the observer effect: Any action performed during the live analysis process modifies the state of the system that is investigated. Virtual machine introspection tries to mitigate this issue by “investigating from remote”.

Within the paper, the authors introduce four research issues within this field: the development of forensic tools, the monitoring of active virtual machines, active monitoring and the detection of virtual machine introspection techniques from within the VM.

Btw. – I guess some parts of the LaTeX template have been forgotten to be deleted ;) – page 2, second column:

Wherever Times is specified, Times Roman or Times New Roman may be used. If neither is available on your word processor, please use the font closest in appearance to Times. Avoid using bitmapped fonts if possible. True-Type 1 or Open Type fonts are preferred. Please embed symbol fonts, as well, for math, etc.

 


Baseline crypto information on Bitcasa – the shining star on the secure storage horizon?

27/01/2012

Data deduplication techniques in cloud-based storage environments come along with several issues discussed already by Pinkas et al and Mulazzani et al - so this is an old problem. However, I never heard of a service fixing this issue properly and in a way it still leverages practicality – until recently when the advent of BITCASA went through the press.

Bitcasa claims to solve the issue of security and privacy of data but still makes use of data deduplication. The usage of server-side deduplication has been confirmed here and is obviously a “must-have” for smaller cloud storage providers like Dropbox and others. The crux for deduplicated systems is that a plaintext encrypted on the client with two different keys normally ends up in two different ciphertexts which can hardly be deduplicated since the content is different. Bitcasa claims to solve this issue by making use of convergent encryption which has been proposed already in a paper by Microsoft Research and later again by Storer et al.

According to the Microsoft paper, convergent encryption is “… a cryptosystem, … that produces identical ciphertext files from identical plaintext files, irrespective of their encryption keys.”.

You will probably ask yourself how this is done – well, the whole magic lies in using the hash of the plaintext as the encryption key. Two equal plaintexts therefore produce the same hash and hence the same key. Afterwards you encrypt the hash (which is in fact the key) with the public key of the readers, who can then decrypt it, recover the hash and with it decrypt the ciphertext. All this information is described in a pretty clear manner in this paper in chapter 3. So, unfortunately even this pretty good information does not provide details of how they set up their security architecture but it’s fun to listen. ;) Further brief information can also be found here and here. Finally, this article also seems to provide a pretty good discussion.
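The scheme described above, together with server-side deduplication, as an added example; it is not Bitcasa's code, whose architecture is not documented here. A SHA-256 counter keystream stands in for a real cipher such as AES, and a per-user secret stands in for the readers' public keys; all class and function names are hypothetical.

```python
import hashlib
import hmac


def _keystream_xor(key, data):
    """Deterministic SHA-256 counter keystream (stand-in for a real cipher, demo only)."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)


def convergent_encrypt(plaintext):
    """The key is the hash of the plaintext, so equal files give equal ciphertexts."""
    key = hashlib.sha256(plaintext).digest()
    ciphertext = _keystream_xor(key, plaintext)
    blob_id = hashlib.sha256(ciphertext).hexdigest()
    return key, blob_id, ciphertext


def wrap_key(user_secret, blob_id, content_key):
    """Protect the content key for one reader. Assumption: a symmetric per-user
    secret replaces the public-key encryption named in the text. XOR with a
    per-blob pad is its own inverse, so the same function unwraps."""
    pad_key = hmac.new(user_secret, blob_id.encode(), hashlib.sha256).digest()
    return _keystream_xor(pad_key, content_key)


class DedupStore:
    """Constructed server model: it only ever sees ciphertext and wrapped keys."""

    def __init__(self):
        self.blobs = {}       # blob_id -> ciphertext, stored once per distinct file
        self.key_slots = {}   # (user, blob_id) -> content key wrapped for that user

    def upload(self, user, blob_id, ciphertext, wrapped_key):
        is_new = blob_id not in self.blobs
        if is_new:
            self.blobs[blob_id] = ciphertext
        self.key_slots[(user, blob_id)] = wrapped_key
        return is_new         # False means the upload was deduplicated


def client_upload(store, user, user_secret, plaintext):
    key, blob_id, ciphertext = convergent_encrypt(plaintext)
    wrapped = wrap_key(user_secret, blob_id, key)
    return blob_id, store.upload(user, blob_id, ciphertext, wrapped)


def client_download(store, user, user_secret, blob_id):
    key = wrap_key(user_secret, blob_id, store.key_slots[(user, blob_id)])
    plaintext = _keystream_xor(key, store.blobs[blob_id])
    # Built-in integrity check: the key must equal the hash of what was decrypted.
    if not hmac.compare_digest(hashlib.sha256(plaintext).digest(), key):
        raise ValueError("ciphertext or key slot was modified")
    return plaintext


if __name__ == "__main__":
    store = DedupStore()
    doc = b"quarterly report (constructed sample)\n" * 4
    print(client_upload(store, "alice", b"alice-secret", doc))  # stored as new blob
    print(client_upload(store, "bob", b"bob-secret", doc))      # same id, deduplicated
    print(len(store.blobs), "blob stored for two users")
```

Because the key and the blob ID depend on the plaintext alone, anyone who already holds a given file can compute its ID and learn whether the store contains it; that is the price of deduplicating encrypted data.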


Using Cloud Services in Financial Environments

25/01/2012

As you may have noticed, Google obviously “persuaded” a Spanish bank recently to move their internal communication to the “google cloud” ;) . For sure, this is an interesting topic to discuss since using the Cloud comes along with various issues especially for financial services.

According to the article on BBC.co.uk …

BBVA … stressed that all customer data and other key banking systems would “stay in our own data centres” and be completely separate from the cloud solution.

Ok, fair enough, however I cannot imagine how BBVA is going to do this – how can they distinguish in such a strict manner between “internal communication” and “customer data”? They plan to use email, calendar, docs, chat, video conferencing without customer data? Financial business is primarily about customers and data related to these since the customers are the ones who bring the money in. What else does BBVA want to communicate about?

Of course, Google is pretty happy about that deal:

But the deal with BBVA, argues Mr Marotte, is important not only “because it is the largest ever agreement we have signed with an organisation, it is important because it is a very large financial company, it shows that now even banks are moving to the cloud”.

You know, I’m pretty much interested in the risk assessment made by BBVA before the deal was done. ;) Furthermore, I guess that BBVA has some internal security standard that their projects and infrastructure need to be compliant with. How did they manage to get this done?

Here you can find the official press release by the BBVA bank:

Because they will be able to access the information they need at any time from any internet connected device, anywhere in the world, BBVA’s workers will be able to be more flexible and mobile. 

So they took care of people/employees losing their devices? Is proper encryption for all of these devices in place? How does commissioning/decommissioning work? How do they prevent employees using malware infected systems in internet cafes around the planet?

Generally, I consider the issue of moving to the cloud similar to the one coming up in case large parts of internal business processes are getting outsourced – just add some more additional security, legal and compliance issues coming along. ;)

Finally, here you can find the German news on heise saying that BBVA trusts in the Safe Harbor agreement which has been signed by Google. ;)

h1

Paper: A Virtual Machine Introspection Based Architecture for Intrusion Detection

08/01/2012

A Virtual Machine Introspection Based Architecture for Intrusion Detection

Abstract:

Today’s architectures for intrusion detection force the IDS designer to make a difficult choice. If the IDS resides on the host, it has an excellent view of what is happening in that host’s software, but is highly susceptible to attack. On the other hand, if the IDS resides in the network, it is more resistant to attack, but has a poor view of what is happening inside the host, making it more susceptible to evasion. In this paper we present an architecture that retains the visibility of a host-based IDS, but pulls the IDS outside of the host for greater attack resistance. We achieve this through the use of a virtual machine monitor. Using this approach allows us to isolate the IDS from the monitored host but still retain excellent visibility into the host’s state. The VMM also offers us the unique ability to completely mediate interactions between the host software and the underlying hardware. We present a detailed study of our architecture, including Livewire, a prototype implementation. We demonstrate Livewire by implementing a suite of simple intrusion detection policies and using them to detect real attacks.

Information:

Paper by Tal Garfinkel and Mendel Rosenblum (Stanford) – accepted paper at NDSS‘03 - PDF Download

Brief Discussion:

The authors propose the idea of virtual machine introspection for intrusion detection (IDS) purposes. In a virtual environment, the activity of the VM is analyzed by directly observing hardware state and inferring software state based on a priori knowledge of its structure. Although the idea is almost 10 years old, it is probably getting even more important nowadays with the advent of IaaS cloud environments.

Since the IDS running outside of a VM normally has access only to the hardware-level state (e.g. interrupts and memory accesses) and events, the authors solve this issue by using the knowledge of the OS structures inside the VM. Within this context, the authors state that commercial anti-virus tools make use of “esoteric” methods – so true ;)

According to the paper, the VMM has to obtain three essential capabilities: isolation, inspection and interposition. The inspection principle is substantial to VM forensics. Furthermore, for the IDS capability, a policy engine has been defined that forms the heart of the IDS. The complete idea has been implemented and experimental results have been provided – nice read!

h1

On the Definition of “Cloudwashing” and Cloud Definitions in general

27/12/2011

I totally appreciate the notion of “Cloudwashing” provided by James Staten of Forrester Research. Although this seems to be a non-security issue at the first view, it is in fact of greater importance for “cloud security” in general. We all have to learn that sticking to one definition for cloud computing is much more efficient than creating X different definitions for one huge buzzword.

So what’s the impact on cloud security?

In case we have X different definitions, nobody knows exactly what the other person refers to. This means that potential security issues/solutions are applicable to a specific service model in one definition but not to the same service model in another definition. You see, this makes things worse. Why don’t we all stick to one definition, e.g. provided by the NIST? If everybody refers to the NIST definition, everybody knows what the other person refers to.

So what is Cloudwashing?

According to Forrester Research, Cloudwashing is to “delineate what is a new type of technology and what is simply last year’s technology in new clothing (what I call “cloud-washing”).”. Unfortunately, I observed a lot of Cloudwashing within the German IT industry. Obviously, some vendors put “cloud” and “security” into their old-school product in order to push their sales figures. In most of the cases, these “cloud security products” have nothing to do with what is considered to be the “cloud”. I don’t want to provide some specific brands here but you should ask yourself the following questions:

  1. Does my product obtain at least one of the 5 essential cloud characteristics defined by the NIST?
  2. Can I put my product/service into one of the 3 service models provided by the NIST?
  3. Can I use one of the 4 deployment models provided by the NIST definition?

Results:

3 YES – Your product/service fits into the NIST definition for cloud computing.
2 YES – Especially in case you answered the first two questions with YES, your product/service will be considered to be cloud-related.
1 YES – Highly depends on which question your answer relates to. However, I recommend leaving the notion of “cloud” out of your marketing strategy.
0 YES – You probably relate your product/service to “Cloud Computing” due to marketing reasons. I hope your customers will be clever enough to realize your buzzword bingo and move on to another vendor.

Recently, in San Francisco the annual “Washies” award was given to the worst offenders of painting over traditional IT technology with the word “cloud”. Please check out the results here - we should definitely create something like this for the German cloud market and perhaps the security market. ;) However, in contrast to the “Washies” award, it should be supervised by an independent organization and not by Cloud Company itself which makes this whole award a little bit awkward. Finally, this article also provides some interesting aspects of cloudwashing companies. ;)

h1

Paper: Dark Clouds on the Horizon: Using Cloud Storage as Attack Vector and Online Slack Space

18/09/2011

Dark Clouds on the Horizon: Using Cloud Storage as Attack Vector and Online Slack Space

Abstract:

During the past few years, a vast number of online file storage services have been introduced. While several of these services provide basic functionality such as uploading and retrieving files by a specific user, more advanced services offer features such as shared folders, real-time collaboration, minimization of data transfers or unlimited storage space. Within this paper we give an overview of existing file storage services and examine Dropbox, an advanced file storage solution, in depth. We analyze the Dropbox client software as well as its transmission protocol, show weaknesses and outline possible attack vectors against users. Based on our results we show that Dropbox is used to store copyright-protected files from a popular filesharing network. Furthermore Dropbox can be exploited to hide files in the cloud with unlimited storage capacity. We define this as online slack space. We conclude by discussing security improvements for modern online storage services in general, and Dropbox in particular. To prevent our attacks cloud storage operators should employ data possession proofs on clients, a technique which has been recently discussed only in the context of assessing trust in cloud storage operators.

Information:

Paper by Martin Mulazzani, Sebastian Schrittwieser, Manuel Leithner, Markus Huber, and Edgar Weippl - accepted paper at USENIX Security’11 - PDF Download

Brief Discussion:

The authors provide some information about weaknesses in cloud storage services such as Dropbox and outline possible attack vectors against users. This was primarily done by analyzing the transmission protocol and the client. Besides the fact that the idea of abusing the deduplication feature of cloud services is not new, the paper is well structured and interesting to read. It takes old ideas and accumulates them with fresh results in a pretty interesting way.

However, at first I missed a little bit the main difference to the paper by Pinkas et al. In March 2011, I had the pleasure to talk to Benny Pinkas in Zurich at IBM by myself after his talk about the deduplication design flaws in cloud storage services. The attack is quite simple – unfortunately, mitigations are not. Further information can be found in the paper by Pinkas.
Furthermore, for the section “Stolen Host ID Attack” I miss proper references. This issue has obviously been discovered by Derek Newton half a year ago, or am I wrong? A referencing link would be nice in this case.

Obviously, SBA Research followed the responsible disclosure process according to comment #134 on the blog of Derek. Thx to Tobi for this information.

h1

Cyber Forensics in the Cloud – Magazine Article

20/08/2011

Cyber Forensics in the Cloud

In volume 14 of the IAnewsletter, an article about forensics in the cloud was published. Although this magazine focuses more on industry-related readers and most of the topics in the article are already known, the article by Scott Zimmermann and Dominick Glavach was quite interesting to read.

Especially the aspect of time synchronization is important, imho. All involved entities during and before an investigation have to have time synchronization. Otherwise, evidence matching will be difficult, especially in front of a court.

Another interesting topic was “tools for performing”: If you ask me, it is not possible to create ONE specific tool for cloud forensics due to the current lack of standards. In most of the cases, you have to combine several other tools in order to get your results. In the future, in case there will be ONE standard for all cloud implementations ;) , one tool could solve a lot of forensic issues – but this will hardly be realistic.

The authors talk in the article about signature based analysis for forensic collections – I do not think that this method will be applicable in real world scenarios. The past has shown that the AV industry pretty much fails when it comes to reaching the 100% detection rate. 90% reliable evidence within digital forensic investigations is not enough.

Information:

Magazine paper by Dominick Glavach and Scott Zimmermann – PDF Download

h1

Paper: Cloud Architectures

18/07/2011

Cloud Architectures

Abstract:

It’s obviously missing ;)

Information:

Paper by Jinesh Varia – published in 9th IEEE Annual Conference, IEEE Stanford and IEEE Silicon Valley Chapter, July 2008 – PDF Download

Brief Discussion:

First of all, I consider without any doubt this paper as one of the best papers I have ever read regarding the basics of cloud architectures. It describes in a clear, understandable language an example application that relies on the AWS infrastructure and does pattern-matching across millions of web documents – so this is a typical cloud scenario in which infrastructures such as AWS make sense. Jinesh uses within his example application the Hadoop framework, an open source distributed processing framework.

I pretty much like the simple structure of the paper – you get anything you need and it is fun to read! Especially for people who want to know what exactly AWS can be used for and who don’t know the difference between S3, SQS, SimpleDB, EC2 etc. this paper is highly recommended.
