Welcome to the eleventh edition of the JW Secure Informer, our bi-monthly newsletter. This is an opportunity to share what’s on our radar, specifically with respect to enterprise network security, but also regarding IT and business more generally.
The Informer is intended to be useful content and good for a quick read. So if it’s just clutter in your inbox, we’ve failed, and I hope you’ll let us know.
Cloudy with a Chance of Crime
By now everyone has heard about the incredible benefits available from cloud computing: the ability to scale up or scale down capacity as needs demand, the replacement of capital expenditures with operational expenditures, and the broad reach across oceans and continents.
With any new technology, however, it is natural for organizations to worry about the new problems they might encounter by adopting it. So far the industry has focused mostly on manageability and reliability, with security concerns aimed mostly at authenticating the user to the cloud ecosystem. However, whenever a function is moved to a remote server, criminals will try to subvert either the remote server or the client's connection to it.
Putting enterprise assets into the cloud exposes them to new attacks from the Internet. Some of these attacks have already been addressed by cloud providers. For example, the Technology Review article linked below describes an attack made possible by the co-location of virtual machines (VMs) on shared hardware in a cloud environment; it was discovered by researchers and fixed before it was exploited. Security researchers and attackers will find similar vulnerabilities over the coming years, and those too will be fixed. Threat analyses already exist for the virtualization schemes most cloud providers use, including private clouds; however, the particular problems of moving services from an internal network onto the Internet have yet to be adequately examined.
IT organizations are gearing up for security that does not depend on an impregnable perimeter between the Internet and the enterprise network (de-perimeterization). The public cloud is the ultimate realization of de-perimeterization, but criminals have yet to perfect their techniques for exploiting enterprise data there. That will soon change. Attackers have already carried out simple attacks with fraudulent websites: registering a domain that customers reach by mistyping a company's URL (typosquatting), or sending a legitimate-looking phishing email whose link spells the company's domain with look-alike non-Latin characters (a homograph attack). Unfortunately, the ecosystem's current attempts to counter these attacks with Extended Validation SSL certificates and DNSSEC have had little impact. An EV certificate tells the user which legal entity operates a site, and DNSSEC protects the integrity of DNS answers, but neither stops a user from arriving at a look-alike domain the attacker registered legitimately. Even where these approaches give consumers the information needed to make a correct decision, only a fraction of users understand and act on it, in part because so few sites today present this verification to the user.
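The typo and look-alike domains described above are straightforward to flag automatically once you have a list of candidate domains (from DNS logs, newly registered domain feeds, certificate transparency or mail headers). The following Python is an added example written for this newsletter, not a JW Secure tool or anything from the original article. The brand domain contoso.com, the candidate domains and the small confusable-character table are constructed for the illustration; the authoritative table is Unicode's confusables.txt, and real code should consult the Public Suffix List instead of the two-label rule assumed here.

```python
"""Flag candidate domains that look like a brand's domain by typo or homograph.

Added example for this newsletter; not a JW Secure tool. Brand, candidates and
the confusable table below are constructed for illustration.
"""
import unicodedata

# Constructed subset of Unicode confusables: look-alike character -> ASCII target.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic a e o p
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",  # Cyrillic c y x i
    "\u03bf": "o", "\u03b1": "a", "\u0131": "i",                 # Greek o a, dotless i
    "0": "o", "1": "l", "rn": "m", "vv": "w",                   # ASCII look-alikes
}


def skeleton(label: str) -> str:
    """Reduce a label to the ASCII string a human reader would perceive."""
    s = unicodedata.normalize("NFKD", label.lower())
    s = "".join(ch for ch in s if not unicodedata.combining(ch))  # drop accents
    for src, dst in CONFUSABLES.items():
        s = s.replace(src, dst)
    return s


def scripts(label: str) -> set:
    """Unicode scripts used by the letters of a label, e.g. {'LATIN', 'CYRILLIC'}."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def levenshtein(a: str, b: str) -> int:
    """Edit distance: how many keystrokes separate two labels."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """Label just below the public suffix. Assumes a two-label suffix rule
    (example.com); production code should use the Public Suffix List."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def punycode(domain: str) -> str:
    """How an internationalized domain appears on the wire (xn-- form)."""
    try:
        return domain.encode("idna").decode("ascii")
    except UnicodeError:
        return "<invalid IDN label>"


def classify(candidate: str, brand: str) -> str:
    """Return 'legitimate', 'lookalike', 'typosquat', 'embedded' or 'unrelated'."""
    cand, real = registrable_label(candidate), registrable_label(brand)
    if cand == real:
        return "legitimate"
    sk = skeleton(cand)
    if sk == real or len(scripts(cand)) > 1:
        return "lookalike"   # same appearance, different code points or mixed script
    if levenshtein(sk, real) <= 2:
        return "typosquat"   # one or two keystrokes away from the real name
    if real in sk:
        return "embedded"    # brand wrapped in extra words (contoso-login)
    return "unrelated"


if __name__ == "__main__":
    BRAND = "contoso.com"                     # constructed placeholder brand
    CANDIDATES = [                            # constructed sample feed
        "contoso.com", "c\u043entoso.com", "c0ntoso.com",
        "comtoso.com", "contoso-login.com", "fabrikam.com",
    ]
    for d in CANDIDATES:
        print(f"{d:20} {punycode(d):26} {classify(d, BRAND)}")
```

Run against a feed of newly observed domains, the "lookalike" and "typosquat" results are the ones to send for takedown or to block at the mail gateway; "embedded" hits need a human look, since legitimate partners also register brand-containing names.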
Attacks against servers are not new. For example, the original release of Microsoft Terminal Server did not authenticate the server to the client with TLS; clients relied on a signing key that was later disclosed (see the Microsoft advisory linked below). An attacker on the path could therefore mount a man-in-the-middle attack and read RDP traffic between the client and the server. Once the vulnerability was discovered, Microsoft quickly added TLS support. We are now in a similar situation with the cloud: if enterprise resources live in the cloud, attackers can use social engineering to lure enterprise users to bogus sites that appear legitimate. Because detailed threat analyses have not been created for the entire cloud infrastructure, these vulnerabilities are not being mitigated in most deployments. Before a cloud infrastructure is trusted with enterprise data, it should be methodically analyzed for potential vulnerabilities. JW Secure has been creating detailed threat analyses for security implementations at all levels of integration since the concept was first introduced. Let us build one for you.
To learn more about the concepts discussed in this article, see the following pages:
- Security Researchers Rain on Amazon’s Cloud (Technology Review)
MIT’s Technology Review on the threats of co-location.
- Extended Validation SSL (VeriSign)
VeriSign provides details about a newer certificate type intended to give consumers more confidence in a site's identity.
- Configure authentication and encryption on terminal server (Microsoft)
Details how to enable encryption and server authentication (this is not the default setting for Terminal Services).
- Microsoft RDP Server Private Key Disclosure (Microsoft)
Details the Terminal Server vulnerability discussed in this article (this issue was patched soon after it was disclosed).