
Flip Bits Not Burgers: Computer forensics & cloud computing

  • krishnan · 1 year ago
    Andrew, this is not the case. EC2 has now released EBS, which is the persistent storage for EC2 instances. Also, you can back up snapshots to S3 from EBS with ease. Even if the instance shuts down, you can still keep all the logs and any trace left by crackers (along with several snapshot backups). In fact, this makes forensics much easier than traditional web hosting, because backup snapshots will help you identify the timeline better than traditional servers.
  • andrewbadera · 1 year ago
    But that presumes that you're a responsible image owner. You have to opt in to using EBS rather than transient AMI storage. Say someone with malicious intent is running the image -- it's easily toasted.
  • krishnan · 1 year ago
    Sure. That's the case with traditional servers too. We have to be responsible about the security of the server, right from keeping the software up to date to following safer security procedures like checking the MD5SUM of the software we download. I will soon be posting about these kinds of memes floating around in the tech blogosphere (in a new blog on cloud computing which will be launched soon). I will send the link your way then. I can assure you that all the vulnerability issues pointed out in the cloud computing realm are true in the traditional hosting realm too. Adding EBS to the server is as easy as mounting a backup drive we have in traditional servers. With services like Rightscale, this will happen with a few clicks in your browser.
  • andrewbadera · 1 year ago
    Difference being, with a traditional server, there's a physical server, there's the physical connection to a service provider; it's not easy to blow everything away and then, 12 hours later, boom, have a completely new server built and in place and connected to or admin'd from a new location. Yes, you can find vulnerable machines and root them, but the cloud makes a server more ephemeral, and the entire process much more convenient. You're eliminating the logistics of a physical server. Which is, of course, a lot of the cloud's business value to begin with.
  • krishnan · 1 year ago
    From a purely security POV, it doesn't matter whether it's a physical server sitting in a data center or a virtual server in the cloud. Can you show me how the cloud makes it easy to compromise?
  • dacort · 1 year ago
    I think what he's saying is that the cloud doesn't make it easier to compromise, it makes it easier to clean up your tracks _after_ a compromise if you're an attacker.

    If you break into a system, one of the things you're going to try to do is erase your tracks. There are several interesting attack vectors here, namely:
    1: You can wipe your tracks by simply bringing the system down. No system logs. No hard drives to wipe. Just pop the instance and you're done. Forensics is significantly more difficult if there's no physical system to analyze.
    2: I'm personally a little concerned with all the pre-built images out there. How many of them have old SSH versions on them that make them vulnerable on bootup? What procedures do people have in place to update the AMIs? Yes, this needs to be addressed on physical servers as well, but are people forgetting about security with the set-and-forget nature of EC2?
    3: Let's say I find a box is vulnerable to something, but the admin bounces it every x hours for whatever reason. Then I have a reliable host that my tracks will be wiped from every x hours.

    Definitely some interesting points here.
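    The practical check behind both krishnan's point (EBS snapshots give you a timeline) and dacort's first point (popping the instance takes the evidence with it) is whether an instance's storage actually survives a stop or terminate, and snapshotting it before that can happen. The script below is an added example for this thread, not code from the original post or from AWS. It assumes boto3 is installed and AWS credentials are configured for the real calls; the instance and snapshot descriptions in the `__main__` block are constructed sample data shaped like `describe_instances` / `describe_snapshots` responses, and the volume, instance and snapshot IDs in them are made up.

```python
"""Preserve EBS evidence before an EC2 instance disappears.

Added example; not code from the original post or from AWS. Assumes boto3 is
installed and credentials are configured for preserve_evidence(). The sample
instance and snapshot dicts in __main__ are constructed data with made-up IDs.
"""
from datetime import datetime, timezone


def volumes_at_risk(instance):
    """Classify the storage of one describe_instances Instance dict.

    Returns a list of (device_name, volume_id, reason) for storage whose
    contents do not survive a stop/terminate, which is exactly what an
    attacker who "pops the instance" relies on.
    """
    at_risk = []
    # An instance-store root never appears in BlockDeviceMappings; the whole
    # root filesystem is gone the moment the instance stops.
    if instance.get("RootDeviceType") == "instance-store":
        at_risk.append((instance.get("RootDeviceName", "/"), None,
                        "instance-store root: lost on stop/terminate"))
    for mapping in instance.get("BlockDeviceMappings", []):
        ebs = mapping.get("Ebs")
        if not ebs:
            continue  # ephemeral devices carry no Ebs block
        if ebs.get("DeleteOnTermination", False):
            at_risk.append((mapping["DeviceName"], ebs["VolumeId"],
                            "EBS volume with DeleteOnTermination=true"))
    return at_risk


def bracketing_snapshots(snapshots, event_time):
    """Return (last snapshot at or before event_time, first snapshot after).

    Either element is None when no snapshot lies on that side. The pair
    bounds the volume's state around the event, which is the timeline
    advantage krishnan describes.
    """
    ordered = sorted(snapshots, key=lambda s: s["StartTime"])
    before, after = None, None
    for snap in ordered:
        if snap["StartTime"] <= event_time:
            before = snap
        elif after is None:
            after = snap
    return before, after


def preserve_evidence(instance_id, region_name="us-east-1", dry_run=True):
    """Snapshot every at-risk EBS volume and clear DeleteOnTermination.

    boto3 is imported here so the pure helpers above can run without AWS
    access. Returns the snapshot IDs created (empty when dry_run is True).
    """
    import boto3  # assumption: boto3 available and credentials configured
    ec2 = boto3.client("ec2", region_name=region_name)
    resp = ec2.describe_instances(InstanceIds=[instance_id])
    instance = resp["Reservations"][0]["Instances"][0]
    created = []
    for device, volume_id, reason in volumes_at_risk(instance):
        if volume_id is None:
            print(f"{device}: {reason}; image the live system before it stops")
            continue
        print(f"{device} ({volume_id}): {reason}")
        if dry_run:
            continue
        # Keep the volume around even if someone terminates the instance.
        ec2.modify_instance_attribute(
            InstanceId=instance_id,
            BlockDeviceMappings=[{"DeviceName": device,
                                  "Ebs": {"DeleteOnTermination": False}}])
        snap = ec2.create_snapshot(
            VolumeId=volume_id,
            Description=f"forensic preservation of {instance_id}",
            TagSpecifications=[{"ResourceType": "snapshot",
                                "Tags": [{"Key": "Purpose", "Value": "forensics"},
                                         {"Key": "SourceInstance", "Value": instance_id}]}])
        created.append(snap["SnapshotId"])
    return created


if __name__ == "__main__":
    # Constructed sample: an EBS root that dies with the instance plus a
    # data volume that survives it.
    sample_instance = {
        "RootDeviceType": "ebs", "RootDeviceName": "/dev/sda1",
        "BlockDeviceMappings": [
            {"DeviceName": "/dev/sda1",
             "Ebs": {"VolumeId": "vol-0root", "DeleteOnTermination": True}},
            {"DeviceName": "/dev/sdf",
             "Ebs": {"VolumeId": "vol-0data", "DeleteOnTermination": False}}]}
    for row in volumes_at_risk(sample_instance):
        print(row)
    # Constructed snapshot history around a suspected intrusion at 12:00 UTC.
    utc = timezone.utc
    sample_snaps = [
        {"SnapshotId": "snap-0a", "StartTime": datetime(2009, 6, 1, 10, 0, tzinfo=utc)},
        {"SnapshotId": "snap-0b", "StartTime": datetime(2009, 6, 1, 11, 0, tzinfo=utc)},
        {"SnapshotId": "snap-0c", "StartTime": datetime(2009, 6, 1, 13, 0, tzinfo=utc)}]
    before, after = bracketing_snapshots(sample_snaps, datetime(2009, 6, 1, 12, 0, tzinfo=utc))
    print("bracketed by", before["SnapshotId"], "and", after["SnapshotId"])
```

    Run `preserve_evidence("i-...")` with the default `dry_run=True` first: it only prints which devices would vanish. Flipping `DeleteOnTermination` before snapshotting is deliberate, since the snapshot call can take minutes and an attacker (or an auto-scaler) may terminate the instance in between. Note that an instance-store root has no snapshot to take at all; the only option there is to image the running system over the network before it stops.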
  • andrewbadera · 1 year ago
    The maintenance points you make are certainly good ones. EC2 makes it just that much easier for someone -- practically anyone, with Elasticfox instead of cmdline tools -- to deploy an unpatched or unmaintained host, creating a swathe of new targets for script kiddies.
  • andrewbadera · 1 year ago
    As dacort notes, that's not the point, though cleanup is only half the reason. You can now create a host for malicious purposes, essentially out of thin air, and have no _need_ to compromise it -- it's there, available for your use, and darn close to untraceable.
  • Compurer Forensics · 1 year ago
    Read your article and found it very informative. Thanks a lot. I am so glad people like you are coming forward to educate others about computer forensics and make them realize how serious the art of computer forensics is.