Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Cloud Questions

From: Jeffrey Walton <noloader () gmail com>
Date: Sat, 9 Nov 2013 16:22:11 -0500
On Sat, Nov 9, 2013 at 9:51 AM,  <silence_is_best () hushmail com> wrote:

On 11/09/2013 at 7:32 AM, "David Miller" <dmiller () metheus org> wrote:

I’ve been lurking here for some months now and have seen plenty of
vulnerabilities go by for applications, and the occasional OS level exploit.

I don’t think I’ve seen a single post about cloud security.

Is ‘the cloud’, AWS in particular, believed to be secure? Is it simply not
targeted? Or would it be covered by some other list? Inquiring minds are,
uh, inquiring.


TIA,

— David

There is no such thing as "cloud security" (to me at least).  Companies may
transfer/store encrypted, but if the NSA/law enforcement ask for it, they
give it up.  That's not secure to me..that's more...."data held hostage
(iCloud anyone?)".

I think you are right in that "good" bad guys (law enforcement) "bad"
bad guys (cyber-criminals) attack the node. In this case, the node is
the cloud provider.

But it also depends on what the data is. I have no faith in CloudHSM,
HighCloud or other low level machinery. That's the unattended key
storage problem, and its a problem without a solution. Plus, the data
becomes available as soon as the VM is powered on.

Objects in storage (Amazon S3 or OpenStack Swift) can be encrypted
using standard crypto methods with minimal risk. The encryption
function will act like a PRP, and the cipher text will be
indistinguishable from random.

Minimal risk would include leaking the origin (LE probably has that
through the account) and leaking file size (unless specific measures
are taken). If the owner of the document wants anonymity, they should
probably use a Tor hidden service.

Other higher level services, like SaaS and DaaS, probably won't fair
so well. Those tokenization schemes used for database field encryption
by CipherCloud do not live up to expectations. It probably wanders
near false/misleading and fraud, and the FTC should investigate some
of their claims (unless CipherCloud have a homomorphic encryption
system that no one knows about). As a matter of fact, when an informal
security analysis was performed and posted to StackExchange,
CipherCloud issued a DRM takedown!
https://www.google.com/search?q=ciphercloud+drm+takedown.

Jeff

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: