Jason Hart had a brilliant talk on different techniques to hack virtual worlds. His key message was, as virtualization had taken off, the CIA principles for security have been completely ignored and many of the old vulnerabilities have not only resurfaced; they are even easier to exploit.
Not all of the talk was specifically focused on cloud. Using a Pineapple he showed how easy it is to intercept and decode passwords (even when they are encrypted). After that, accessing systems, virtual or not, is not a big issue.
But his attack techniques on virtualization platforms were the most illuminating - from accessing VMWare's vCenter via cracking the MD5 password; to exploiting the fact that robot.txt files aren't respected in public cloud services (and thus susceptible to google hacking).
It was not a failure of technology (although the Pineapple did exploit protocol weaknesses), but failure to follow basic principles.
No comments:
Post a Comment