Thursday, August 28

Computer forensics & cloud computing

By now, if you're an active enough online user to be reading this blog, you've surely heard of "cloud computing." You may even have heard of Amazon Web Services (AWS) and their Elastic Compute Cloud, more commonly referred to as EC2.

Cloud computing offers a lot of possibilities and potential. Let's not forget, it "levels the playing field," and all that other corporate jargon that hopefully translates into delivering Fortune 100 computing capabilities to those of us technical sorts who don't, or no longer, work for the 800-pound gorillas of the industry.

Clouds also, unfortunately, seem to offer a lot of surface area for abuse and crime. Email spammers have been loving EC2 -- it didn't take long for most of AWS' IP range to get blacklisted by all the major spam watchlists.

What about something a little more sinister? What if an evil foreign spy or terrorist or hacker needs a place to host a bot command & control server, or a temporary shell account for accessing a more meaningful target, or needs a private place to host a "sensitive" IRC conversation or dead drop some blueprints?

When you shut down an AMI instance on EC2, that image resets to its stored state -- all session data is lost. All the typical system and service logs, gone. Sure, I know you still have logging at the boundary of the cloud, but with the huge amount of data flowing in and out of a cloud, how do you identify individual users of individual services provided by a transient host image, particularly when they make expert efforts to cover their tracks? And what if the owner of the image decides to engage in malicious behavior, through the host server image, from a third IP address, and then claims someone must have stolen their password or keypair to the image?

Now, I'm no security expert; perhaps this isn't as big a potential issue as I make it out to be. I'd love to be contradicted here!

Of course, none of that is as scary as the thought of this guy as our Commander in Chief.

Edit: It was noted on #freehackersunion that Tor, and for that matter other such services, already offer you the ability to put an anonymous host on the Internet. Sure, but Tor's bandwidth typically sucks, and the guy sitting on the exit owns you. EC2 basically commoditizes anonymous hosts; all you need is a stolen ID and credit card number.