lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Sat, 9 Nov 2013 16:22:11 -0500
From: Jeffrey Walton <noloader@...il.com>
To: silence_is_best@...hmail.com
Cc: Full Disclosure <full-disclosure@...ts.grok.org.uk>
Subject: Re: Cloud Questions

On Sat, Nov 9, 2013 at 9:51 AM,  <silence_is_best@...hmail.com> wrote:
> On 11/09/2013 at 7:32 AM, "David Miller" <dmiller@...heus.org> wrote:
>
> I’ve been lurking here for some months now and have seen plenty of
> vulnerabilities go by for applications, and the occasional OS level exploit.
>
> I don’t think I’ve seen a single post about cloud security.
>
> Is ‘the cloud’, AWS in particular, believed to be secure? Is it simply not
> targeted? Or would it be covered by some other list? Inquiring minds are,
> uh, inquiring.
>
>
> TIA,
>
> — David
>
> There is no such thing as "cloud security" (to me at least).  Companies may
> transfer/store encrypted, but if the NSA/law enforcement ask for it, they
> give it up.  That's not secure to me..that's more...."data held hostage
> (iCloud anyone?)".
I think you are right in that "good" bad guys (law enforcement) "bad"
bad guys (cyber-criminals) attack the node. In this case, the node is
the cloud provider.

But it also depends on what the data is. I have no faith in CloudHSM,
HighCloud or other low level machinery. That's the unattended key
storage problem, and its a problem without a solution. Plus, the data
becomes available as soon as the VM is powered on.

Objects in storage (Amazon S3 or OpenStack Swift) can be encrypted
using standard crypto methods with minimal risk. The encryption
function will act like a PRP, and the cipher text will be
indistinguishable from random.

Minimal risk would include leaking the origin (LE probably has that
through the account) and leaking file size (unless specific measures
are taken). If the owner of the document wants anonymity, they should
probably use a Tor hidden service.

Other higher level services, like SaaS and DaaS, probably won't fair
so well. Those tokenization schemes used for database field encryption
by CipherCloud do not live up to expectations. It probably wanders
near false/misleading and fraud, and the FTC should investigate some
of their claims (unless CipherCloud have a homomorphic encryption
system that no one knows about). As a matter of fact, when an informal
security analysis was performed and posted to StackExchange,
CipherCloud issued a DRM takedown!
https://www.google.com/search?q=ciphercloud+drm+takedown.

Jeff

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists