[lug] Why is it SO easy to destroy cloud environments?

Bear Giles bgiles at coyotesong.com
Thu Oct 18 15:41:03 MDT 2012


Yes, that was the point I was trying to make. It's easy to do things that
will provide a little better security, the equivalent of using better
windows, but those things also tend to give people a false sense of
security because they still think in terms of what the ecosystem was a
decade ago. It's like saying "I'm safe because I have steel doors" and not
knowing that 1) you can make the master keys for the locks on any decent 3D
printer and 2) well-equipped attackers have portable plasma torches anyway.
They then cut corners elsewhere.

That doesn't mean that the extra efforts are wasted - there are still a lot
of tired sysadmins and script kiddies out there. But if you want real
security you'll have to be able to guarantee results even if the bad guys have
full control of your systems.

Related - did you know it's trivial to crack many/most home routers? They
have an 'easy configuration' button on them that's tied to an 8 digit(?)
code that will give full access to the router regardless of how you've
configured it... and it can't be disabled. This isn't a problem with the
guy war-driving but the guy who's parked a few doors down for the day or so
can get in by brute force. This is another situation where you don't have
to worry about script kiddies but if you're targeted it's a huge
vulnerability unless everyone is religious about using VPNs.



On Thu, Oct 18, 2012 at 2:45 PM, Davide Del Vento <davide.del.vento at gmail.com> wrote:

> > It's great that Linode provides an IP whitelist to the management
> > console.
>
> I thought the same (for a service we provide). The security expert
> coworkers explained that's not effective protection. A skilled
> attacker can use http://en.wikipedia.org/wiki/Ip_spoofing as described
> in the quote below. I argued that it's like using sturdier windows in
> your house, to make them impossible to break with a light hammer.
> They said that will not stop a burglar (either "professional" or
> "rogue kid") from using a larger hammer, or breaking the weak lock on
> the door. They concluded that to get real additional security, the
> windows need to be bulletproof, and only when the doors and their
> lockers are too: protections that just require a heavy vs a light
> hammer do not stop anybody (not even the script kiddies), it just
> creates a small nuisance to the attacker.
>
> I am not sure this example applies exactly to this discussion, but I
> see the "two camps" in this case arguing in the same way we did for our
> service.
> Cheers,
> Davide
>
> PS: Quote from http://en.wikipedia.org/wiki/Ip_spoofing
> IP spoofing can also be a method of attack used by network intruders
> to defeat network security measures, such as authentication based on
> IP addresses. This method of attack on a remote system can be
> extremely difficult, as it involves modifying thousands of packets at
> a time. This type of attack is most effective where trust
> relationships exist between machines. For example, it is common on
> some corporate networks to have internal systems trust each other, so
> that users can log in without a username or password provided they are
> connecting from another machine on the internal network (and so must
> already be logged in). By spoofing a connection from a trusted
> machine, an attacker may be able to access the target machine without
> an authentication.
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> Join us on IRC: irc.hackingsociety.org port=6667 channel=#hackingsociety
>