Re: Hosted Solutions -- Hackers Haven

["Adriel T. Desautels" <ad_lists () netragard com>]

Hi Roman,
        My comments are embedded below.


On Oct 15, 2009, at 7:11 AM, Roman Medina-Heigl Hernandez wrote:

> Shared hosting will always be far more insecure than a dedicated  
> one, as
> you are suggesting (tons of websites in the same server multiply the  
> risk
> of security compromise).

Dedicated hosts are at risk too.

> But you're mixing concepts: "hosted" usually means "outsourced" but  
> not
> necessarily "shared" (for instance, you could also hire a dedicated  
> server,
> managed or not, and "host" your application there). You're refering to
> shared environments, I guess.

Hosted to me means anything that is hosted by a third party.  Dedicated,
shared, or even virtual doesn't matter.  The only thing that changes  
is the
penetration methodology.

Our team has tested a wide range of hosting providers.  In all cases  
we were
able perform distributed metastasis and slip from client, to provider,  
to
other clients.

The primary issue is the fact that most of these providers have some  
form
of centralized client control.  Take that control center, you take the  
clients.

In many cases clients can give you access to the control center, in some
cases they don't.  When that happens you need to go for the throat and
take the provider.

Another way to think about it is like this.  If I'm a black hat why  
would I
bother taking one company at a time when I could just take a hosting
provider and pwn 1000 at  a time?





> Outsourcing has other risks/problems.
>
> Cheers,
> -Román
>
>
> Adriel T. Desautels escribió:
> > Hi List.  This is a subject that seems to come up a lot when we  
> > deliver
> > penetration testing services to our customers.  I decided that a  
> > quick
> > blog entry on the subject of hosting might be a good idea.  I'm not
> > adverse to hosting, but I'd like people to think twice before  
> > deciding
> > to outsource their technology to a third party.  Specifically, I'd  
> > like
> > to see people consider the real risks that they might be  
> > introducing to
> > their business.
> >
> > As usual, if there are any comments I'd love to hear them.
> >
> > http://snosoft.blogspot.com/2009/10/hosted-solutions-hackers-haven.html
> > Human beings are lazy by nature.  If there is a choice to be made
> > between a complicated technology solution and an easy technology
> > solution, then nine times out of ten people will choose the easy
> > solution.  The problem is that the easy solutions are often riddled  
> > with
> > hidden risks and those risks can end up costing the consumer more  
> > money
> > in damages then what might be saved by using the easy solution.
> >
> > The advantages of using a managed hosting provider to host your  
> > email,
> > website, telephone systems, etc, are clear.  When you outsource  
> > critical
> > infrastructure components you save money.  The savings are quickly
> > realized because you no longer need to spend money running a full  
> > scale
> > IT operation.   In many cases, you don’t even need to worry about
> > purchasing hardware, software, or even hiring IT staff to support the
> > infrastructure.
> >
> > What isn’t clear to most people is the serious risk that  
> > outsourcing can
> > introduce to their business.  In nearly all cases a business will  
> > have a
> > radically lower risk and exposure profile if they keep everything
> > in-house.  This is true because of the substantial attack surface  
> > that
> > hosting providers have when compared to in-house IT environments.
> >
> > For example, a web-hosting provider might host 1,000 websites  
> > across 50
> > physical servers.  If one of those websites contains a single
> > vulnerability and that vulnerability is exploited by a hacker then  
> > the
> > hacker will likely take control of the entire server.  At that  
> > point the
> > hacker will have successfully compromised and taken control of all 50
> > websites with a single attack.
> >
> > In non-hosted environments there might be only one Internet facing
> > website as opposed to the 1000 that exist in a hosted environment.   
> > As
> > such the attack surface for this example would be 1000 times  
> > greater in
> > a hosted environment than it is in a non-hosted environment.  In a
> > hosted environment the risks that other customers introduce to the
> > infrastructure also become your risk.  In a non-hosted environment  
> > you
> > are only impacted by your own risks.
> >
> > To make matters worse, many people assume that such a risk isn’t
> > significant because they do not use their hosted systems for any
> > critical transactions.  They fail to consider the fact that the  
> > hacker
> > can modify the contents of the compromised system.  These  
> > modifications
> > can involve redirecting online banking portal links, credit card form
> > posting links, or even to spread infectious malware.  While this is  
> > true
> > for any compromised system, the chances of suffering a compromise  
> > in a
> > hosted environment are much greater than in a non-hosted environment.
> >
> >
> >
> >    Adriel T. Desautels
> >    ad_lists () netragard com
> >        --------------------------------------
> >
> >    Subscribe to our blog
> >        http://snosoft.blogspot.com
> >
> >
> > ------------------------------------------------------------------------
> > This list is sponsored by: Information Assurance Certification  
> > Review Board
> >
> > Prove to peers and potential employers without a doubt that you can
> > actually do a proper penetration test. IACRB CPT and CEPT certs  
> > require
> > a full practical examination in order to become certified.
> > http://www.iacertification.org
> > ------------------------------------------------------------------------



        Adriel T. Desautels
        ad_lists () netragard com
        --------------------------------------

        Subscribe to our blog
        http://snosoft.blogspot.com


------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------