Wednesday, October 9, 2013

Cloud & Hosted Security



So it’s a blast watching patch 61 of 98 install at 2AM…

Something my troubled brain has pondered is why companies seem to be migrating services to cloud servers in droves.  How can you trust anything if you don’t manage the physical hardware?

Whoever manages that physical hardware is holding all the keys.  No matter how “secure” you make the VM against network attacks, how strong your pass phrases are, how current the system patches are, or even whether you install HIPS, the provider can easily bypass all of it.

This article, about how a collection of three-letter agencies were able to take down "The Silk Road", a website that operated on the Tor network (just to be clear, I am not upset that they took the website down, but this is not a post about morality), restarted my brain pondering the security of cloud VMs and hosted servers.

The interesting part in the article was “the government asked for an image of the server's hard drives”.  This was accomplished without turning off or shutting down the VM.  It happened without the owner ever knowing anything had happened.

It’s a security issue that’s been raised before.

So what can we do to mitigate this type of security issue?
Nothing.  Seriously, nothing.

For example, how about installing PGP WDE/TrueCrypt on the VM and encrypting the entire VM contents?  Sounds like that would fix everything, right?  I mean, the virtual drive is encrypted, so if they capture that it’s still encrypted.  Great!  Oh well, the problem is that "they" have physical access to the host, so the operator can simply snapshot the entire VM and dump the VM memory to a file.  Now can you guess where the encryption keys are stored while the VM is running?  Yep, in memory.  So now they just search the memory for where PGP WDE/TrueCrypt stores the keys.  Well shoot, we didn’t even have to hack into the console redirection code of the host operating system to log the console when the VM owner manually entered the PGP WDE/TrueCrypt key to get the VM to boot.

So not even the coveted whole disk encryption can save your VM from curious eyes that might be working for a cloud provider. 

Now this could also have been done on any physical server with RAID 1 drives.  They would just have to pull a drive out, claiming it had failed and needed to be replaced.  Once pulled, they could simply pop that drive into another system and capture the image.  For physical servers there is some additional security: adding some type of whole disk encryption to the physical server would prevent a pulled drive from being used to capture the system image.  It would still be possible to extract the encryption keys from the physical server's memory, but the process is much more involved and would require some noticeable downtime while the system memory was dumped.

There is also the TPM (Trusted Platform Module) chip on some motherboards that provides a secure location to store the encryption keys between reboots.  This eliminates the requirement to enter any pass phrase to begin booting the system.  The problem here is that the manufacturer creates the RSA keys used by the TPM chip and they cannot be re-generated (to my knowledge).  So every TPM chip produced is intentionally compromised.  Yeah, very “trusted”.  This is similar to the issue with centralized Certification Authorities.  So even [insert trusted root CA here] SSL certificates are intentionally compromised, but that’s another rant of mine.
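To make the "store the keys between reboots" part concrete, here is an added toy model of how a TPM releases a disk key: the key is sealed to a set of boot measurements (PCR values, built by the chip's extend operation), and the chip only unwraps it when the current measurements match the ones it was sealed to.  This is illustration code written for this post, not anything from the post itself or from a real TPM stack; the `ToyTPM` class, its `tpm_secret` (standing in for the chip's internal root key), and the boot component strings are all constructed for the example.

```python
"""Toy model of TPM-style key sealing (added illustration, not from the post).

A real chip keeps its root key inside the silicon; here `tpm_secret` is just a
constructed byte string so the whole thing runs offline.
"""
import hashlib
import hmac
import os
from typing import List, Optional


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM PCR extend: new_pcr = SHA-256(old_pcr || SHA-256(measurement))."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()


def measure_boot(components: List[bytes]) -> bytes:
    """Fold each boot stage (firmware, bootloader, kernel ...) into one PCR,
    starting from the all-zero reset value. Order matters, as on a real TPM."""
    pcr = bytes(32)
    for component in components:
        pcr = pcr_extend(pcr, component)
    return pcr


class ToyTPM:
    """Wraps a 32-byte key so it can only be unwrapped under a given PCR value."""

    def __init__(self, tpm_secret: bytes) -> None:
        self._secret = tpm_secret  # constructed stand-in for the chip's root key

    def seal(self, key: bytes, pcr: bytes) -> bytes:
        # Keystream and integrity tag are both bound to the expected PCR value.
        pad = hmac.new(self._secret, b"seal" + pcr, hashlib.sha256).digest()
        wrapped = bytes(a ^ b for a, b in zip(key, pad))
        tag = hmac.new(self._secret, b"tag" + pcr + wrapped, hashlib.sha256).digest()
        return wrapped + tag

    def unseal(self, blob: bytes, pcr: bytes) -> Optional[bytes]:
        """Return the key if the current PCR matches the sealing PCR, else None."""
        wrapped, tag = blob[:32], blob[32:]
        expected = hmac.new(self._secret, b"tag" + pcr + wrapped, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None  # boot chain differs from the one the key was sealed to
        pad = hmac.new(self._secret, b"seal" + pcr, hashlib.sha256).digest()
        return bytes(a ^ b for a, b in zip(wrapped, pad))


def demo():
    """Seal a disk key to a known-good boot chain, then try two boots.
    Returns (unsealed_on_good_boot, refused_on_tampered_boot)."""
    tpm = ToyTPM(os.urandom(32))
    good_boot = [b"firmware v1", b"bootloader v1", b"kernel v1"]  # constructed
    disk_key = os.urandom(32)
    blob = tpm.seal(disk_key, measure_boot(good_boot))

    # Same components, same order: the chip hands the key back, no pass phrase.
    normal = tpm.unseal(blob, measure_boot(good_boot)) == disk_key
    # One stage swapped: the PCR differs, the tag fails, no key is released.
    tampered_boot = [b"firmware v1", b"bootloader v2", b"kernel v1"]
    refused = tpm.unseal(blob, measure_boot(tampered_boot)) is None
    return normal, refused


if __name__ == "__main__":
    print(demo())
```

The point of the model is what it does not cover: once `unseal` succeeds the disk key is handed to the running operating system and lives in RAM from then on, which is exactly the memory the host operator can snapshot in the VM case above.  Sealing stops a pulled drive or a modified bootloader from getting the key; it does nothing about whoever controls the machine the key is released into.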

If you cannot trust the physical network, the physical security, and the host the VM is being executed on, there is no amount of “security” you can patch on to make it secure.

So where does that leave us?  Lock up your servers in a dark, cold tower of a room and do not let anyone in.

Ok back to watching servers patch.

J