In the course of a current virtualization research project, I was reviewing a lot of documentation on hypervisor security. While “hypervisor security” is a very wide field, hypervisor breakouts are usually one of the most (intensely) discussed topics. I don’t want to go down the road of rating the risk of hypervisor breakouts and giving appropriate recommendations (even though we do this on a regular base which, surprisingly often, leads to almost religious debates. I know I say this way too often:I’ll cover this topic in a future post ;)), but share a few observations of analyzing well-known examples of vulnerabilities that led to guest-to-host-escape scenarios. The following table provides an overview of the vulnerabilities in question:
Continue reading “Analysis of Hypervisor Breakouts”
Category: Breaking
Microsoft Surface RT, a quick insight
After being on the market for a few months now, Microsoft started quite a large advertising campaign in Germany for its new Surface RT . We had a comprehensive look at the new tablet PC and here are a few thoughts and impressions:
Running a slightly reduced ARM version of Windows 8, I heard somebody calling it “Windows 8 Home”, which in comparison to older versions hits the spot, Microsoft offers an easily usable interface. Software is reduced to market apps (the minimal run level on a plain Windows is 0, any, and 8, Microsoft, on Windows RT), so you can’t just install your favourite app, or can you?
Continue reading “Microsoft Surface RT, a quick insight”
BPDU Guard in Virtualized Environments (2)
Just a quick update here: Ivan (who gave the magnificent Virtual Firewalls talk at Troopers recently) blogged about this and some guy added some feedback from an environment with Cisco FEX and “one of the server guys start[ing] a Citrix Netscaler” ;-). See the second comment to his post.
This shows, once more, that the dependencies of various technologies (and what they are used for) must be well understood in cloud/virtualized environments. Complexity … but who do we tell. Y’ all know that, right?
best
Enno
Continue reading3 Ways for 3-Letter-Agencies to get your Government Proof, Indecipherable Cloud Text Messages
The gritsforbreakfast blog post making the rounds on the Liberation Tech mailing list about security of Apple’s iMessaging service is gaining quite some attention. The post refers to a CNET article on how the iMessage service “stymied attempts by federal drug enforcement agents to eavesdrop” conversations due its end-to-end encryption and commends Apple for protecting the user’s privacy while pointing out that Gmail and Facebook Messaging don’t. However, I disagree on some points of the blog post and therefore want to discuss them here.
Continue readingThoughts on Cloud Governance, Part 1
Last week Rapid7 posted an interesting analysis of the Amazon S3 storage system: Apparently roughly one out of six S3 buckets (a bucket is, simply said, a kind of folder) is accessible without any authentication mechanism. Accessing those files, the Rapid7 guys were able to download a wide range of data, also comprising confidential information such as source code or employee information, comparable to past research for other platforms (see also this presentation I gave on some of the biggest Cloud #Fails)
Continue reading “Thoughts on Cloud Governance, Part 1”
BPDU Guard: Bringing Down Infrastructures
As you may already be familiar with some of our previous work which was mainly focused on isolation issues of hypervisors, we also want to present you an issue concerning availability in Cloud environments. This issue was already covered in some of our presentations, but will be explained in greater detail in this blog post.
Continue reading “BPDU Guard: Bringing Down Infrastructures”
A Word on Cisco Jabber
Recently we took a look on Ciscos XMPP client, called Cisco Jabber. The Client is used in combination with Ciscos Unified Communication Server (CUCM) and Ciscos Unified Presence Server (CUPS). Only the latter one is used for XMPP communication.
We built a small lab setup with this components (CUCM, CUPS and the Win7 Client) and watched the client working. Continue reading “A Word on Cisco Jabber”
Continue readingVMDK Has Left the Building — Newsletter
We are pleased to announce that we summarized the results from our VMDK research in our latest newsletter.
We hope you enjoy the reading and will get some “food for thought”!
The newsletter can be found at:
ERNW_Newsletter_41_ExploitingVirtualFileFormats.pd
A digitally signed version can be found at:
ERNW_Newsletter_41_ExploitingVirtualFileFormats_signed.pdf
Enjoy your weekend,
Matthias
Corporate Espionage via Mobile Compromise: A technical deep dive
This is a guest post from David Weinstein
Mobile devices play an important role in the business world. Yet with increased emphasis on the Bring Your Own Device (BYOD) model, defenses are not where they need to be to slow the loss of valuable intellectual property.
Corporate defenses have traditionally focused on the network, the endpoints, and not necessarily on the ecosystem of how these devices interact outside of network sockets. Smartphones bring unique network connectivity, an array of sensors, and can be overlooked by resources invested on IDS/IPS not being effectively leveraged.
Getting to the core of an exemplar attack, a Mobile Remote Administration Tool (RAT) is devastating. With access to the microphone, GPS/network location, camera, and an accelerometer, having control of a mobile device in a corporate setting is a dream for an attacker. We’ve improved an open source RAT and introduced a new feature, the ability to turn the mobile device into a virtual person sitting at the computer, able to type commands into the console.
Using a USB device to gain access to a computer is not new and the dangers of an unprotected port are extraordinary (see upcoming troopers talk, You wouldn’t share a syringe. Would you share a USB port? Bratus & Goodspeed). The takeaway from this particular talk is that the attack need not be performed from a specialized device (Teensy, Facedancer), like a thumb drive. The attack can be mounted from a common device that is routinely plugged into computers for charging or data transfer purposes… the Android mobile phone in your employee’s pocket!
Continue reading “Corporate Espionage via Mobile Compromise: A technical deep dive”
Continue readingApple iOS and the history of a workin’ lockscreen… NOT
Once again a vulnerability in Apples mobile operating system iOS was found by some guys of the Jailbreak Nation. The newest version of this operating system suffers from a weakness that makes it possible to unlock the lockscreen of all iPhones that use iOS version 6.1. In this case it does not matter whether a PIN or a password is used to unlock the phone. After successful exploitation an attacker is able to see and edit contact-information, to add new contacts to the phonebook, to view all pictures, to call the inbox or any of the contacts and to see and delete the list of recent calls or parts of it.
Continue reading “Apple iOS and the history of a workin’ lockscreen… NOT”