Archive for category Cloud Computing Security

Quick Tips on Secure Shell

SSH is the secure alternative to Telnet and is used by system administrators and IT managers to configure and manage servers and network devices. Here I wanted to put together a short manual on Secure Shell usage.

First, let us start by choosing an SSH client. Here there is no real problem, because there are two generally accepted solutions, PuTTY and SecureCRT, and both are really good. But since SecureCRT is not free, many IT technicians prefer to use PuTTY.

With PuTTY you can connect to your server via Raw, Telnet, Rlogin, FTP (SFTP), SSH1 and SSH2. In addition to supporting all these protocols, the package comes with more tools:

- PuTTYgen: generates the RSA/DSA keys used for authentication.
- Pageant: authentication agent that keeps the keys in memory.
- Plink: command-line interface.
- PSCP: utility for secure file copying.
- PSFTP: secure FTP client for copying, viewing and renaming files.

Despite all this functionality, working with SecureCRT is more comfortable because of one useful option: tabs for different sessions. If you are working on five servers or more with PuTTY, you will find switching between them difficult. To handle this, a French group released PuTTY Connection Manager, a free PuTTY add-on for Windows whose goal is to provide a solution for managing multiple PuTTY instances. PuTTY Connection Manager combines the open windows in a user-friendly interface and also provides an advanced interface for the connection settings.

To implement the server side of SSH you can use the standard OpenSSH, which is installed by default on any UNIX distribution. For other systems you can set up Dropbear, an open-source SSH server intended for embedded Linux (or other Unix) systems such as wireless routers. For Windows 2000, XP, 2003, Vista, 2008 and 7 you can use WinSSHD or MobaSSH; all you need to do is press the install button and the system immediately adds the new service.

MobaSSH is basically OpenSSH compiled with Cygwin, and it gives you a number of useful commands:

- MobaHwInfo: provides information about the OS and hardware.
- MobaSwInfo: lists the software installed on the system.
- MobaTaskList, MobaKillTask: list the processes running on the system and kill the desired processes.
- TCPCapture: monitors the network.
- scp, sftp: transmit data in encrypted form over the SSH connection.
- rsync, wget: synchronize local folders with network resources.

If we are talking about SSH we cannot miss secure file transfer. When you connect to the server via an SSH client you can perform all the basic operations: upload files to the server, rename files and folders, change file properties, and create links and shortcuts. One of the most popular utilities for this on Windows is WinSCP.

Now, it is very important to keep your system up to date to mitigate risk, but another very important thing to do is to protect your system against brute-force attacks. Authentication using login and password is considered insecure, so in most cases it is recommended to disable it on the server. If we really need it, we should implement an intrusion prevention system, for example Sshguard. Sshguard monitors logs, detects attacks and blocks the attacker with a firewall rule. Logs are collected from syslog, syslog-ng, metalog, multilog or raw files; it scores suspicious activity such as password-guessing attempts and blocks IP addresses using the local packet filter (pf, ipfw, netfilter/iptables, or the hosts.allow file). There are also similar projects such as Fail2ban and Sshdfilter 1.5.5.
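As an added example (not from the original post and not Sshguard's own code), here is the detection step such a tool automates, run over a constructed sshd log excerpt; it assumes the OpenSSH "Failed password ... from <ip> port ..." syslog format, a netfilter/iptables backend, and a threshold chosen here for illustration.

```shell
#!/bin/sh
# Added example: count failed SSH logins per source address and derive the
# block candidates a tool like Sshguard would hand to the packet filter.
# Assumes OpenSSH's syslog line format; the threshold is a placeholder.

# Constructed auth.log excerpt: one typo from a legitimate user and a run of
# guesses from a single source against several account names.
AUTH_LOG='Jan 10 09:12:01 host sshd[2101]: Failed password for admin from 198.51.100.23 port 40122 ssh2
Jan 10 09:12:03 host sshd[2101]: Failed password for invalid user oracle from 198.51.100.23 port 40130 ssh2
Jan 10 09:12:05 host sshd[2102]: Failed password for root from 198.51.100.23 port 40141 ssh2
Jan 10 09:12:06 host sshd[2103]: Failed password for invalid user test from 198.51.100.23 port 40150 ssh2
Jan 10 09:12:08 host sshd[2104]: Failed password for root from 198.51.100.23 port 40163 ssh2
Jan 10 09:12:09 host sshd[2105]: Failed password for invalid user guest from 198.51.100.23 port 40170 ssh2
Jan 10 09:13:40 host sshd[2110]: Failed password for alice from 203.0.113.8 port 51002 ssh2
Jan 10 09:13:47 host sshd[2110]: Accepted publickey for alice from 203.0.113.8 port 51002 ssh2'

# Failed password attempts per source address (stdin), most frequent first.
# Output lines look like "      6 198.51.100.23".
failed_by_source() {
    grep 'sshd\[[0-9]*\]: Failed password' \
        | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
        | sort | uniq -c | sort -nr
}

# Sources whose failure count reaches the threshold, one address per line.
offenders() {
    threshold="$1"
    failed_by_source | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# Render the corresponding block rules for review; they are printed, not
# applied, since the firewall backend and syntax vary between systems.
block_rules() {
    offenders "$1" | while read -r ip; do
        echo "iptables -I INPUT -s $ip -p tcp --dport 22 -j DROP"
    done
}

# Demo against the constructed excerpt with a threshold of 5 failures.
printf '%s\n' "$AUTH_LOG" | block_rules 5
```

The single failure from 203.0.113.8 stays below the threshold, so only the guessing source is proposed for blocking.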

Finally, for mobile devices you can use the following SSH clients:

- Symbian: PuTTY for Symbian OS
- Windows Mobile: PocketPuTTY
- Java: MidpSSH
- iPhone: iSSH

And for SSH Brute force you can use the following:

- SSH Brute Forcer
- SSHatter
- SSH BruteForcer
- THC Hydra

As you can see, using Secure Shell it is possible to do your tasks in a fast and secure way regardless of the environment.


Malware is Hiding in Amazon Cloud

Cybercriminals have made this week unforgettable for the Amazon team, after security researchers reported the existence of a Zeus botnet control center on the cloud-based EC2 (Elastic Compute Cloud).

The incident was detected after a password-stealing Zeus banking Trojan had infected client computers; the hackers had compromised a site on EC2 and were using it for their own command-and-control operation.

Methusela Cebrian Ferrer, senior researcher at CA, said the following in a blog post:

“The group behind this criminal activity is obviously doing it for financial gain – stealing both your identity and your money,” Ferrer stated. “In this variant, we have learned how cloud on-demand pay-as-you-use — offerings could be used to fuel such online cybercrimes.”

After this incident Amazon should review their entire environment to make sure they provide a minimum level of security for their customers.

We are also seeing a big concentration on cloud-based solutions lately. Moxie Marlinspike has started a new WiFi (WPA) password cracking service hosted in the cloud. The cracking system works by comparing the hash captured from a WiFi AP against 135 million possibilities in 40 minutes.


Attack Hitting Virtual Private Networks & How to Protect Yourself

Virtual private network (VPN) software from Cisco, Juniper and multiple other vendors is affected by a new vulnerability that puts a big number of customers at risk, according to a report issued Monday by US-CERT.

Clientless SSL VPNs are used to provide access over a web browser to internal network resources such as corporate email servers or application servers. The bug allows an attacker to obtain VPN session tokens, read or modify content (including cookies, script, or HTML content) and monitor keystrokes; it affects products from more than 90 companies, including Cisco, Juniper, SafeNet and SonicWall.

Currently there is no solution to this problem, but to mitigate the risk we can do the following:

1- Limit URL rewriting to trusted domains. If supported by the VPN server, URLs should only be rewritten for trusted internal sites. All other sites and domains should not be accessible through the VPN server. Since an attacker only needs to convince a user to visit a web page that is viewed through the VPN to exploit this vulnerability, this workaround is likely to be less effective if there are a large number of hosts or domains that can be accessed through the VPN server. When deciding which sites can be visited through the VPN server, it is important to remember that all allowed sites will operate within the same security context in the web browser.

2- Limit VPN server network connectivity to trusted domains. It may be possible to configure the VPN device to only access specific network domains. This restriction may also be possible using firewall rules.

3- Disable URL hiding features. Obfuscating URLs hides the destination page from the end user. This feature can be used by an attacker to hide the destination page of any links they send, for example https:///attack-site.com vs https:///778928801.

On the other hand, it is very important to contact the vendor to ask whether your product is affected and whether there is a patch to apply for this bug.

US-CERT report can be found here.


Quick Tips to Fight DDoS Attack

In a previous post we shared how to prepare our systems for a DDoS attack and how to mitigate the risk. Now it is important to react at the right moment and take effective action during the attack. Monitoring connections on the routers can help the victim detect the beginning of the attack.

First we should monitor the open SYN connections:

# netstat -na | grep ":80 " | grep SYN_RCVD

In a normal situation the number should not exceed three connections. If there are more open connections than that, you are under attack and you should start by dropping these connections.
This is for the SYN-flood case, but an HTTP flood is more complicated to detect. First you need to count the number of Apache processes and the number of port 80 connections:

# ps aux | grep httpd | wc -l

# netstat -na | grep ":80 " | wc -l

Next you need to check the list of IP addresses, counted per address:

# netstat -na | grep ":80 " | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr | less

It is impossible to be certain that there is an HTTP-flood attack, but you can assume you are under attack if one address in the list is repeated too many times. Additional evidence can be gathered using tcpdump:

# tcpdump -n -i <interface> -c 100

tcpdump will help you track the source of the attack if a big number of packets is targeting a single port or service (a CGI script or web directory).

Finally, we have to start working around the situation by dropping the malicious IP addresses. You can block the IPs directly on the router.
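The detection pipelines above, wrapped into reusable shell functions as an added example that is not part of the original post; it assumes Linux-style netstat output (ip:port columns) and runs against a constructed sample, with a per-address threshold chosen here for illustration.

```shell
#!/bin/sh
# Added example: SYN-flood and HTTP-flood indicators from `netstat -na`
# output read on stdin. Assumes the Linux column layout
# (Proto Recv-Q Send-Q Local-Address Foreign-Address State) with ip:port.

# Constructed `netstat -na` excerpt: one well-behaved client and one address
# holding several half-open (SYN_RCVD) connections to port 80.
SAMPLE='Proto Recv-Q Send-Q Local Address          Foreign Address        State
tcp        0      0 10.0.0.5:80            203.0.113.7:51000      ESTABLISHED
tcp        0      0 10.0.0.5:80            198.51.100.9:40001     SYN_RCVD
tcp        0      0 10.0.0.5:80            198.51.100.9:40002     SYN_RCVD
tcp        0      0 10.0.0.5:80            198.51.100.9:40003     SYN_RCVD
tcp        0      0 10.0.0.5:80            198.51.100.9:40004     SYN_RCVD
tcp        0      0 10.0.0.5:22            203.0.113.7:51001      ESTABLISHED
tcp        0      0 10.0.0.5:443           198.51.100.9:40005     ESTABLISHED'

# Number of half-open port 80 connections (the SYN-flood indicator).
count_syn_rcvd() {
    grep ':80 ' | grep -c SYN_RCVD
}

# Port 80 connections per foreign address, most frequent first
# (the HTTP-flood indicator). Output lines look like "      4 198.51.100.9".
per_ip_counts() {
    grep ':80 ' | awk '{ split($5, a, ":"); print a[1] }' \
        | sort | uniq -c | sort -nr
}

# Addresses whose port 80 connection count exceeds the threshold, printed
# as "ip count"; the threshold is a placeholder to tune for your traffic.
flag_suspects() {
    threshold="$1"
    per_ip_counts | awk -v t="$threshold" '$1 > t { print $2, $1 }'
}

# Demo against the constructed sample.
printf '%s\n' "$SAMPLE" | count_syn_rcvd
printf '%s\n' "$SAMPLE" | flag_suspects 3
```

On a live system replace the sample with `netstat -na | count_syn_rcvd` and `netstat -na | flag_suspects 3`; on FreeBSD the local/foreign columns use ip.port, so the split character would need to change.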


On FreeBSD we can take some steps to mitigate DDoS:

1 - Reduce the TCP maximum segment lifetime (protection against SYN flood):

# sysctl net.inet.tcp.msl=7500

If an ACK is not received in this time, the segment is considered lost and the network connection is freed.

Move your server into a blackhole when a TCP packet is received on a closed port. When set to 1, SYN packets arriving on a closed port are dropped without an RST packet being sent back; when set to 2, all segments arriving on a closed port are dropped:

# sysctl net.inet.tcp.blackhole=2
# sysctl net.inet.udp.blackhole=1

Limit ICMP replies to 50 per second (protection against ICMP flood):

# sysctl net.inet.icmp.icmplim=50

Increase the maximum number of connections the server can hold open (protection against all types of DDoS):

# sysctl kern.ipc.somaxconn=32768

Finally, enable the kernel feature called DEVICE_POLLING (it significantly reduces the load on the system during a DDoS attack):

1. Compile the kernel with "options DEVICE_POLLING";
2. Activate the polling mechanism: "sysctl kern.polling.enable=1";
3. Add the entry "kern.polling.enable=1" to /etc/sysctl.conf.

These are well-balanced steps to mitigate exposure to Distributed Denial of Service attacks.


Universal Tips to Avoid DDoS Attack

There are some points that can help to carefully prepare our systems against Distributed Denial of Service:

1- Prepare a simple and fast way to remotely reboot servers exposed to the external network (web servers, mail servers, application servers, ...). This can be done using SSH; we can also add a second network interface to reach the server while the main channel is down.

2- Keep all software packages up to date, to protect our systems from DoS attacks that exploit bugs in the available services.

3- Restrict access to all admin services to authorized users only, for example using IP restrictions for accessing devices like firewalls, routers and other network devices, so an attacker will not be able to launch a DoS or brute-force attack against them.

4- Monitor the traffic by installing network analysis tools (NetFlow) on the routers to help identify an attack at an early stage and react as soon as it is detected.

5- Add the following lines to /etc/sysctl.conf:
# vi /etc/sysctl.conf
# Protection against spoofing
net.ipv4.conf.default.rp_filter = 1
# Check idle TCP connections every minute
net.ipv4.tcp_keepalive_time = 60
# Repeat the probe after ten seconds
net.ipv4.tcp_keepalive_intvl = 10
# Number of attempts before closing the connection
net.ipv4.tcp_keepalive_probes = 5

It is very important to note that the listed methods aim only to reduce the risk of a DDoS attack; they can protect against small botnets, and you can consider your server about 90% protected against these attacks. There are more sophisticated ways, like load balancing, which is extremely expensive: if a server fails, all new clients are redirected to another server in the cluster, which provides very high availability.


Cisco Intended to purchase ScanSafe, Leading SaaS Web Security Provider

Cisco is about to purchase ScanSafe, a web security company, for 183 million dollars. This step will allow Cisco to compete more strongly with other big companies in this industry such as Symantec and McAfee.

ScanSafe provides web filtering security services that protect corporate workstations and networks from hackers. On its home page you will already notice a message saying "Cisco to acquire ScanSafe".

Symantec and McAfee are the leaders in the computer security software field and already offer a bunch of advanced cloud-based security software, with sales growth that exceeds that of traditional antivirus products.

This step will help Cisco expand its security services to include web security, alongside the email security services already provided by IronPort, so we expect a total security offering from Cisco.


DDoS Attack Hits Amazon Cloud!

Bitbucket, a web service designed to host programming projects, faced an outage last weekend; the failure period was more than 19 hours, which is relatively long. According to Amazon the incident was due to a DDoS attack on their computing infrastructure.

This attack can only raise doubts about the IT services provided by Amazon (Amazon Elastic Compute Cloud, EC2). We had previously posted on several cases of DDoS attacks; Jesper posted some details about the incident on the company blog, which is not usual.

The story started when they noticed a high load on the server, even after turning off anything that took up CPU. They submitted an "urgent" ticket to the Amazon support system, and within 5 minutes support responded by phone to help with the issue.

Later, support identified the problem: a massive flood of UDP packets targeting the Bitbucket website and consuming the whole bandwidth to the box. This is what we call a distributed denial of service.

The source of the attack was not identified, but the developers assumed that the attack targeted one of their projects.


Protecting the Cloud with MSK Security Solution

Many people go wrong by relying completely on the data protection provided by default in the database server, like password settings and an up-to-date DB version; nowadays this is not enough.

One of the most important requirements, part of the CIA triad, is ensuring data integrity. There are situations in which, even with strong system protection, data security is a big concern. Daily examples of incidents show how an insider employee cracked a database server using a simple brute-force tool over a terminal connection and sold sensitive customer information to a third party.

Physical security measures for the local area network will not solve this threat, because an insider can simply mount a man-in-the-middle attack to gain access to the database. At this level he can read the entries, modify them or simply remove them without anyone discovering who was responsible for the attack; such a gap in the corporate environment can lead to serious breaches.

MSK Security Company has made a solution for all these threats by providing an effective way to allow secure login, payment processing and digital signatures. MSK Security uses a multi-factor authentication system: something you know (password, image and patterns), something you have (OTP tokens, smart cards and unique client programs), and something you are (fingerprint, retina, DNA and picture ID from a trusted source).

These methods of authentication can build a strong layer in defending information systems, especially for banking sites. However, the bad guys do not stop here: the next attack scenario will be phishing, an email scam that can be sent by an insider or by an internet user, asking you to confirm your account information via a URL that leads to an identical banking website owned by the attacker. The site asks for your user name and password, as well as the token-generated key.

MSK Security Company has also solved this type of attack by inventing "Non-Linear authentication"; with this technology users can never give away their credentials even if they wanted to. The technology is based on three parties: the end user, the service (which can also be a website) and the authentication service (auth server). First the end user and the service have to authenticate themselves to the authentication service; next the end user picks a service to log in to, and the service authenticates itself; then the end user authenticates to the authentication service, and finally the end user logs in. All these mechanisms help customers eliminate many attacks such as SQL injection, key loggers, phishing, pharming and man-in-the-middle.

MSK Security Company makes customers feel more secure and safe: all access rights are set and all reporting is done with full customization to the type of reporting the customer requires. You can find more details about MSK Security services on the official website.


Panda introduces cloud antivirus

Cloud computing is becoming the top concern and attracted a lot of interest at the RSA 2009 conference. Since the biggest issue in the cloud is security, many security software companies are working these days to adapt their security solutions to cloud computing.

Panda Security has announced their free cloud antivirus solution today. They have added what they call Collective Intelligence to detect viruses, malware and rootkits, using heuristics; according to Panda this technique classifies new malware in under six minutes and handles more than 50,000 new samples per day.

The Cloud Antivirus works by classifying threats into executables that must be scanned immediately and non-executables that are checked at a lower priority, usually when the machine is idle; this helps in treating a great amount of data.

You can try Panda Cloud Antivirus and use it for free.


Cloud computing a 'security nightmare,' says Cisco CEO

If anyone has the right to be excited about cloud computing, it’s John Chambers. But on Wednesday Cisco Systems’ Chairman and CEO conceded that the computing industry’s move to sell pay-as-you-go computing cycles available as a service on the Internet was also “a security nightmare.”

Speaking during a keynote address at the annual security confab, Chambers said that cloud computing was inevitable, but that it would shake up the way that networks are secured. “You’ll have no idea what’s in the corporate data center,” he said. “That is exciting to me as a network player. Boy am I going to sell a lot of stuff to tie that together.”

However, he added, “It is a security nightmare and it can’t be handled in traditional ways.”

Cloud computing is a hot topic here at the RSA security conference in San Francisco this week. Big computing companies like Cisco and IBM are eager to talk about it, but security experts see a lot of work ahead.

“I think it’s really going to be a focal point of a lot of our work in the cyber security area,” said Ronald Rivest, an MIT computer science professor and noted cryptographer, speaking during a conference panel Tuesday. “Cloud computing sounds so sweet and wonderful and safe… we should just be aware of the terminology, if we go around for a week calling it swamp computing I think you might have the right mindset.”

[Source: Computerworld]

