“Are you Secure?”… · • Performing “scans” against networked systems without permission is illegal. Password cracking too • You are responsible for your own actions!

Hacking the Cloud Jason Hart CISSP CISM VP, Cloud Solutions “Are you Secure?”

Post on 27-Jul-2020


TRANSCRIPT

Page 1: “Are you Secure?”… · • Performing “scans” against networked systems without permission is illegal. Password cracking too • You are responsible for your own actions!

Hacking the Cloud

Jason Hart CISSP CISM

VP, Cloud Solutions

“Are you Secure?”

Page 2:

About Me

Page 3:

Legal Disclaimer

ALWAYS GET PERMISSION IN WRITING.

• Performing “scans” against networked systems without permission is illegal. Password cracking too

• You are responsible for your own actions!

• If you go to jail because of this material it’s not my fault, although I would appreciate it if you dropped me a postcard.

• This presentation references tools and URLs - use them at your own risk!

Page 4:

What a great world

Page 5:

Today's World

Users and their workspaces: Remote Users, Internal people, 3rd Party Access, Branch Offices, PDA Users

Cloud Applications / SaaS Apps

Page 6:

Virtual World – With Virtual Back Doors

Welcome to the Future

Cloud Computing

Virtual Environment

With Virtual Security holes

During the past 15 years we've learnt nothing

Page 7:

We have forgotten

Confidentiality

Integrity

Availability

Accountability

Auditability

We have not learnt a thing?

Page 8:

Welcome to the 3rd Age of Hacking

• 1st Age: Servers

  • FTP, Telnet, Mail, Web.

  • These were the things that consumed bytes from a bad guy

  • The hack left a footprint

• 2nd Age: Browsers

  • Javascript, ActiveX, Java, Image Formats, DOMs

  • These are the things that are getting locked down

    – Slowly

    – Incompletely

• 3rd Age: Mobile devices: Simplest & getting easier

  • Targeting a mobile device to obtain someone's password is the skeleton key to their life and your business

  • Totally invisible – no trace

Page 9:

Password Attack

Welcome to the Future of Hacking

Attack channels: web, mail, open services

Targeted attacks against users, business and/or premium resources

Password attack is totally invisible to you

Mobile devices are becoming an easy target for advanced persistent threats (APT)

Page 10:

During the Past 7 Days


Page 11:

Page 12:

Quoted from the report:

“… So, it really comes as no surprise that authentication based attacks (guessing, cracking, or reusing valid credentials) factored into about four of every five breaches involving hacking in our 2012 dataset. …”

“... 66% of the breaches in our 2013 report took months or even years to discover (62% months, 4% years).”

Verizon’s annual Data Breach

Page 13:

Next Generation Hacking

Page 14:

Live Attack Against your Virtual World.... ARP Attack

Diagram labels: www, Probe requests

Page 15:

Page 17:


Page 19:

Page 21:

Facing challenges you can’t address?

SaaS applications, VPNs, Web-based portals, Virtual Environments

More users to protect: employees, partners, contractors

More data and applications to protect

More end points being used

Page 22:

Thank you

Jason Hart CISSP CISM

VP Cloud Solutions

[email protected]