<h2>Cloudy with a chance of zero day</h2>
<p>Cracking Drupal, cloud computing: <a href="http://crackingdrupal.com/blog/greggles/cloudy-chance-zero-day">http://crackingdrupal.com/blog/greggles/cloudy-chance-zero-day</a></p>
<p>This was a presentation by Jon Rose and Tom Leavey of Trustwave. They started off with about 15 minutes of cloud background. The problems (and potential problems) they identified were:</p>
<ul>
<li>Vendor lock-in may come up, since writing for the Amazon cloud is somewhat different from writing for Google's App Engine, which is different from...</li>
<li>Enterprise-ready vs. experimental: most uses of the cloud right now are non-mission-critical.</li>
<li>Forensics in the cloud is somewhat harder to perform, since you can't necessarily get the log files.</li>
<li>Compliance is more difficult because you can't make physical visits to the data center.</li>
<li>Misuse is possible: the cloud can be used for good, but anyone can also fire up a malicious virtual machine.</li>
</ul>
<h3>They reviewed Google App Engine</h3>
<p>After some discussion of how GAE works, they got into some possible attacks.</p>
<ul>
<li>Posted data counts against an application's incoming bandwidth quota, even if the application doesn't accept POST requests at that URL. So, using XSS to make many browsers send a POST to an application can easily blow past the site's incoming bandwidth quota and take it offline.</li>
<li>The task queue has a limit of 5 requests/second, which can be exhausted by an attack.</li>
<li>Dozens of proxies can be created on GAE as a way to hide who you are when doing an attack.</li>
<li>You can create new versions of your application and switch between them, but using this feature means any visitor can choose which version of your application they want to run.</li>
<li>GQL injection: injection may be possible, but they couldn't achieve it. It seems like it's probably not possible.</li>
</ul>
<p><a href="http://crackingdrupal.com/blog/greggles/cloudy-chance-zero-day#comments">Comments</a> | Tags: cloud computing, security | Thu, 12 Nov 2009 20:57:12 +0000 | greggles</p>