"Shaped like a Blogg! or a Garden hose!"

It is awesome to see that Ian Latter’s work on bypassing all security measures to exfiltrate data via the screen is starting to be received by the InfoSec community. Today an article written by Richard Stiennon on Ian’s presentation at COSAC has been syndicated through to Forbes. Well done Ian!! this follows up on a post I did in July when I was allowed to start talking about TGXf.

As part of Ian’s presentation preparation (and in response to a number of CFP reviewers NOT READING HIS SUBMISSIONS) he also prepared a number of videos demonstrating the capability of ThruGlassXfr along with his ThruKeyboardXfr.

ThruGlassXfer Open Letter (PDF) – TGXf VER8 FPS5 GD
http://youtu.be/IXlYDYjqFLU

Android smart-phone in flight mode, downloading a PDF from Youtube via a Laptop screen
http://youtu.be/2_8GlFdlb0Y

TGXf Demo – Open Letter PDF, ANSI (Terminal) Version 1 at 8 FPS
http://youtu.be/ZrMN54Rooec
(i.e. you don’t need graphical access to steal data)

TKXf Demo – Keyboard upload of virus to hardened Windows platform
http://youtu.be/2Szza7dQZsY
(i.e. I can type a virus into Windows .. stop me)

TKXf Demo – Keyboard upload of payload via Windows to Linux
http://youtu.be/QmROf-Tx92E
(i.e. I can type any payload into anything via anything .. stop me)

TCXf Demo – Attacker exfiltration from Linux via socket over PuTTY/XPe/HP Thin Client
http://youtu.be/sMHx5VDpFjQ
(i.e. I can route anything via anything over screen and keyboard)

And my personal favourite!!!!!
TCXf Demo – IP networking over Screen and Keyboard!
http://youtu.be/PdjhevoBKbs

Yes that last one is a functional network over TGXf and TKXf…

As a Security Enthusiast I love seeing this, though I have to say as a Security Technology Vendor and IT Outsourcing and Management Supplier it causes me pause. Now I finally have that enthusiasm back to write that paper on the risks of BYOD.

I noticed that I started too get a few emails from Wordfence about invalid login attempts. Now as I have both wordfence and Google two factor authentication happening I wasn’t worried, though I thought I’d do a large IP range block just to cut down on the noise.

 

 

It seems to be an almost biannual occurrence, people arc up and talk about cloud security, specifically data security/protection. It even got attention at this year’s Cisco Live in Melbourne. The last time I had a rant about this in “Cloud computing protection – Is this the place for Law?” I looked at malpractice laws for misuse or mishandling of data but not the bigger picture:

• Data sovereignty;
• Government mandate on export of data (EU as an example);
• Compliance and regulatory;
• housing in politically unstable regions;
• Data Destruction; and
• Damage and/or destruction.

The above are by no means exhaustive, these are just the ones that I’ve got kicking about in my head at present. 12-18 month ago I had a great chat with a lawyer who was taking a keen interest in this area and at the time was as confused as I on some of the ramifications (he put out a paper as well, when I can find it I’ll link to it here). For getting it out of my head sake I thought I’d put it here for good measure; as it has been sitting in my drafts for about that long.

Data Sovereignty – In a nutshell, this is the issue where what laws come into play based on the location of the data. This is a nebulous area and one that I think most in the law profession are still coming to grips with. Even here in Australia we have a crazy scary amount of laws, depending upon the information type (personal, financial, health, etc) not to mention international laws. This need to be taken into account when looking at what it is you place in the cloud.

Government mandate on export of data – I was thinking of the EU’s law specifically here, where the personal information (combined & interpreted data) cannot be exchanged with non-EU countries unless they have equivalent or better security standards (adequate level of data protection). What does this mean for a providers infrastructure residing in the EU destruction, or for someone in the EU trying to use a cloud service. There is a good blog article it including some examples and explanations. here. Another issue could be that the local/federal government may dictate that data is not to be off-shored. Are you sure that the provider is going to provide you with the ability to ensure that? Including backups?

Compliance and regulatory – This is the same old piece that every monkey trots out. Most of the control requirements are subjective, as in it is up to the auditor’s discretion on whether or not the control is adequate or not (unless it is extremely specific). Most of these are box ticking exercises. If there is a smart control mechanism that will meet your businesses security requirements, and you have clearly documented your rationale so you can call it a compensating measure.

Housing in politically unstable regions – Comes back to knowing what country your data resides in. If by chance it happens in a country where the local government has no qualms in walking in and taking ownership of the entire facility (or a subset there of), including your data, what happens then? What happens if that can be used to replicate your business model, take your customers, etc? Similarly, what about when government or law enforcement requests that data be disclosed, does the provider comply with the request or resist?

Data Destruction – When you decide to move platforms, services, providers, etc, will the provider destroy your data sufficiently so that it isn’t recoverable?

Damage and/or Destruction – What happens to you/your business when data is accidentally or maliciously damaged or destroyed. What happens to your reputation? What are your liabilities? This I covered off briefly in the above mentioned post, “Cloud computing protection – Is this the place for Law?“.

Depending on he size of your business and the service you are going for your ability to negotiate the SLAs will vary greatly. At the end of it, you will still have to look at all of these generic risks as well as the specific risks associated with your business and decide accordingly (through risk assessment). As with most of these, there are compensating measures that can be put in place to mitigate or reduce the affects.

At the end of the day, like any traditional outsourced relationship you don’t want to rely on a service credit against a breached SLA when your business is impacted. I’m not trying to take an alarmist approach, I prefer to see this as a more pragmatic one.

Just my $0.02 worth.

It’s official, after an eight (8) month stint in the back of house looking after new business for the delivery arm of the big T I’m moving back into a technical role.

Whilst I’ve learnt many things and worked with some great people, I really am looking forward to getting back into the thick of it, rather than watching from the sidelines. So this time next month I’ll have taken over the reigns of the Lead Security Architect for Telstra Enterprise and Government.

I have some pretty HUGE shoes to fill but I’m really looking forward to the challenge.

There have been several debates on the twittersphere of late, OK these have been raging over several months, discussing how secure or insecure cloud computing is. Generally this is focused on Public clouds and comments have ranged from the surreal, or down right ridiculous , to the sublime. so I decided to pause a little and gather my thoughts.

What I find amusing is that a lot of these comments I’ve seen are from providers, some vendors. I don’t understand painting everyone with the same brush because cloud computing is still a relatively new[1] industry offering and providers are still defining and re-defining their niche. Everyone sets up their product a little differently and aims to please certain markets.

The question:

How secure is the Cloud, or Cloud computing? Well that depends,  you need to know what your requirements are. I wrote about this some time ago talking about collaboration tools, and I even alluded to the same considerations being applicable to the cloud model at the time. Essentially: Know what you are after (requirements), understand the risks of going down a certain path, and mitigate those risks.

The counter argument:

“How do I know that the IaaS/PaaS/SaaS provider is doing what they say they are in order to confirm to my requirements?”. That, in itself, has been another heavily debated discussion. Current practice is to bombard the service provide with documentation requests. This is great if it is a contractually obliged deliverable. Providers are overwhelmed with request from customers, or potential customers, asking about SAS70 audits,  ISO27001 compliance, PCI DSS compliance, and the list goes on.

Read more…