Monday, September 29, 2008

Trusting the Cloud

“Trust is like a vase... once it's broken, though you can fix it, the vase will never be the same again.”
- anonymous

I was reading Holden Karau's blog this morning, where he describes discovering that Yahoo!'s Zimbra Desktop exposes plain-text authentication credentials when authenticating to a Yahoo! IMAP server. Holden stumbled across this while working on a spam mail filter project during the Yahoo! sponsored HackU project at Waterloo University. He needed an IMAP server, which Yahoo! didn't appear to have, or at least didn't allow access to via the standard Yahoo! Mail service. However, he later discovered that Yahoo! did indeed expose IMAP servers to certain clients, as that's exactly what Zimbra Desktop was using. Yahoo! acquired Zimbra, a messaging and collaboration company, in September 2007. While sniffing traffic to determine how Zimbra Desktop was authenticating to the server, he was surprised to see that the connection did not use SSL. Credentials were passed in plain text, available to anyone with access to the traffic.

Curiosity got the best of me and I decided to see if the issue had been addressed. After all, the post was picked up by Slashdot, which means that it was seen by a fairly broad audience. This morning I installed the latest iteration of Zimbra Desktop 0.90 (build 1278) and sure enough, as can be seen in the Wireshark screenshot, the username (zscaler2008) and password (cloudsecurity) of my test account were sent unencrypted.
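What the Wireshark capture shows is an IMAP LOGIN command on an unencrypted connection. The following detector, added here as an illustration and not part of the original post or of Zimbra, scans the client side of a captured IMAP session and flags credentials sent before TLS was negotiated; the session lines are constructed, reusing the throwaway test account from the post, and the helper names are my own.

```python
"""Flag IMAP credentials sent in the clear (added example, not from the post)."""
import base64
import re

# Constructed sample: client commands as they would appear on port 143.
SAMPLE_SESSION = [
    "a001 CAPABILITY",
    "a002 LOGIN zscaler2008 cloudsecurity",   # the post's throwaway test account
    "a003 SELECT INBOX",
]
# Constructed sample: SASL PLAIN sent as a continuation line ("\0bob\0hunter2", base64).
SAMPLE_SASL_SESSION = ["a001 AUTHENTICATE PLAIN", "AGJvYgBodW50ZXIy"]

LOGIN_RE = re.compile(r'^(?P<tag>\S+)\s+LOGIN\s+"?(?P<user>[^"\s]+)"?\s+"?\S+"?', re.I)
AUTH_RE = re.compile(r'^(?P<tag>\S+)\s+AUTHENTICATE\s+PLAIN(?:\s+(?P<blob>\S+))?\s*$', re.I)
STARTTLS_RE = re.compile(r'^\S+\s+STARTTLS\s*$', re.I)


def _plain_user(blob):
    """Decode a SASL PLAIN response; base64 is encoding, not encryption."""
    try:
        parts = base64.b64decode(blob, validate=True).split(b"\0")
    except ValueError:
        return "?"
    return parts[1].decode("utf-8", "replace") if len(parts) == 3 else "?"


def find_cleartext_logins(client_lines, implicit_tls=False):
    """Return (line_no, username) for every credential exposed on the wire.

    implicit_tls=True models a port-993 session: everything is inside TLS,
    so there is nothing readable to flag. Assumes a STARTTLS is accepted by
    the server, after which the remaining lines are ciphertext.
    """
    findings = []
    if implicit_tls:
        return findings
    awaiting_plain = False  # AUTHENTICATE PLAIN issued, base64 comes on the next line
    for n, line in enumerate(client_lines, 1):
        line = line.rstrip("\r\n")
        if awaiting_plain:
            findings.append((n, _plain_user(line)))
            awaiting_plain = False
            continue
        if STARTTLS_RE.match(line):
            break
        m = LOGIN_RE.match(line)
        if m:
            findings.append((n, m.group("user")))
            continue
        m = AUTH_RE.match(line)
        if m:
            if m.group("blob"):
                findings.append((n, _plain_user(m.group("blob"))))
            else:
                awaiting_plain = True
    return findings
```

The same check run against a port-993 capture returns nothing, which is the behaviour a correctly configured client should produce.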

Passing plain-text authentication credentials is hardly a new or even interesting threat, but it got me thinking. A significant challenge for cloud computing is building trust. We're moving from a world where everything related to IT is controlled by the enterprise, to one where we rely heavily on outside entities. Whether enterprises adequately leverage their control to properly mitigate risk or not, at least they know they have it. After all, I may not know how to manage a server, but if it's in my data center, at least I can always reboot it. Webmail is perhaps the most mature cloud computing application, and we see here that adequate security, even for a player the size of Yahoo!, is still not a given.

Cloud-based applications allow us to defer the pain and headache of maintenance and security to others, but in doing so, we place trust in third parties. If SaaS players fail to build an adequate level of trust, or squander it once it has been achieved, they will be destined to fail.

Lessons Learned
  1. Guilty Until Proven Innocent - Place the burden of proof on your SaaS vendor. It's up to them to gain your trust and prove that they have adequate security in place. Insist that they provide details of their architecture, internal security procedures and perhaps third-party audit reports such as a SAS 70.
  2. Is the Whole the Sum of Its Parts? - When the solution is cobbled together from multiple partners, it increases the likelihood that security will slip through the cracks. In the case of the Zimbra Desktop example above, Zimbra came in through an acquisition and it's clear that security was not adequately reviewed or integrated.
  3. A Chain Is Only as Strong as Its Weakest Link - In this case, the vulnerability does not exist in the Yahoo! webmail cloud, but rather in the Yahoo! provided client used to connect to the cloud. Cloud computing extends your network, connecting it to third-party resources. Security is required at all nodes - in the third-party data centers, in your local LAN and in the connections between the two. One weak link breaks security in the system as a whole.
- michael

Friday, September 26, 2008

2008 OWASP USA Roundup

On Wednesday, I had the pleasure of attending the 2008 OWASP USA Conference in NYC. While I could only attend day one (start-up life, what can I say), it was well worth the visit. As with any conference, it wasn't possible to hit all of the talks that I was hoping to see but there were a few highlights.

Clickjacking - yea, this is bad... (Jeremiah Grossman and Robert 'RSnake' Hansen)
This is one of the talks that I was particularly looking forward to, given that it was to reveal a new client-side exploitation technique. Unfortunately, ahead of the conference, Jeremiah and Robert decided to pull the talk as Adobe had requested additional time to address the vulnerabilities before details were made publicly available. In the end they proceeded with the talk but were limited to discussing why they had chosen not to proceed, so very little was disclosed that wasn't already known. I was pleased to see Adobe acknowledge the choice made by Jeremiah and Robert. Adobe has come a long way from the arrest of Dmitry Sklyarov at Black Hat in 2001. While I'm sure that I would have made the same decision as Jeremiah and Robert, it always makes me nervous when knowledge of the existence of a vulnerability is public but the timeline for details is in the hands of vendors. If Dan Kaminsky's DNS vulnerability taught us one thing, it's that you can't 'kind of' disclose a vulnerability without piquing the interest of smart and motivated researchers who are likely to beat the vendor to the punch.

HTTP Bot Research (Steven Adair)
André DiMino was unable to present due to a work conflict, but Steven did a great job flying solo. I'm particularly intrigued by the growth of HTTP as the protocol of choice for bot herders. It's a logical progression from IRC and P2P based botnets, given the ubiquity of HTTP traffic. Ports 80 and 443 are always open on corporate networks and it's easy for C&C traffic to hide like a needle in a haystack among the sea of requests/responses traversing a typical network. Steven even went so far as to state his belief that HTTP is now the dominant protocol for C&C traffic. I discussed this with him afterward, given that the C&C blacklists I've seen to date typically contain minimal port 80/443 addresses. He felt that this is more a reflection of our comfort with detecting IRC based botnets, which has been largely automated, and not a reflection of the real distribution. When it comes to analyzing HTTP based C&C traffic, we still have plenty to learn.

Industry Outlook Panel
Being a New York based conference, we were treated to a panel filled with true industry heavyweights. CISOs and SVPs from a half dozen major financial institutions discussed their thoughts on where web security needs to go in the financial sector. It was certainly an interesting time for such a panel given the current financial crisis. Half of the panel had inherited new employers in the past week, while the other half were coping with new regulations thanks to becoming commercial banks literally overnight.

All in all, the conference was another great OWASP initiative. My hat is off to Jeff Williams, Dave Wichers, Tom Brennan, Dinis Cruz and the rest of the crew for all of their hard work.

- michael

Cloud Cover

The term 'cloud computing' is quickly becoming a standard part of our vernacular but do security services have a place in the cloud? We have seen a handful of fundamental shifts in computing over the decades and I firmly believe that cloud computing represents a major evolution in information technology and that the evolution has only just begun. For proof of this, Google the term 'cloud computing' and see just how many news hits result. As I write this, the number is north of 4,000 and a quick scan of the headlines is like a drive through Silicon Valley - the usual suspects are everywhere. Sounds like a quick, steep climb up the hype cycle to me. The question for me is not will cloud computing stick around, but rather how quickly will it be adopted and more specifically, how must security services adapt to accommodate this paradigm shift?

Some industries have quickly adopted cloud computing while others have moved more cautiously. Google is of course a pioneer in the space, having invested heavily in the belief that the day will come when storing data in the cloud will be the de facto standard. So far their gamble seems to be paying off. Gmail (despite eternal beta status) has gone from being an interesting Hotmail competitor, to the email infrastructure leveraged by enterprises, big and small. Even Google Docs shows promise. I've gone from being a skeptic to appreciating the collaborative power of hosting apps online, especially in a world where employees are commonly separated by geography.

Privacy concerns present a challenge that must be overcome for cloud computing to enjoy broad adoption and rapid growth. That barrier is however coming down quickly. There was a time when companies wouldn't have considered housing sensitive sales data anywhere other than on the corporate LAN and today Salesforce is one of the true success stories of the cloud computing era. Reliability is the second critical challenge which must be tackled and when major players such as Google or Amazon have outages, no matter how brief, it makes headlines. This challenge however, will be solved too. When customers demand reliability and money is on the line, there is no shortage of incentive to solve such problems and solve them quickly.

So where does this leave security services? My bias is obvious and I won't hide it. I believe that security is destined to shift from products to services. Security is a necessary evil. Banks don't hire hordes of security experts because they want to; they do so because they have to. If a reliable service were in place which could provide an equivalent or better level of security at a lower TCO, would enterprises adopt it? I think so. While to date few such services have existed, the acceptance and adoption of cloud computing in other industries will continue to facilitate the adoption of security services in the cloud as well. The challenges will be similar for the security industry - privacy and reliability, with special emphasis on the former. The challenge is real and it has arrived. It's now up to us to solve it.

- michael