vCloud Air Attack: Back to Basics

VMware recently released vSphere 5.5 Update 2d, which addresses a weakness in transparent page sharing (TPS). Researchers had shown that a VM could recover AES keys from a neighbouring VM on the same host through a cache-timing side channel on memory pages that TPS had deduplicated between them, even if the two were co-resident only briefly; the fix disables page sharing between VMs by default. This is not a trivial problem, but it brings me to a simple point. We tend to think encryption will solve everything in security. But encryption is only one part of the solution, and neither the most important part nor the most powerful.

The most important part of any security solution is the people involved. I am not talking just about IT and its myriad security components, but about all the people who make up the company. Let us be honest here: if you do not work in IT security, do you even care about security? Is it foremost in your thoughts? Generally, I would say that unless you work in a highly regulated industry or organization, this is just not the case. Security is way down on the list of things that are important to you.

But what if I asked you the following:

Are you concerned about the well being and safety of your family?

I imagine that everyone would put this at the top of their “most important” list. Family always comes first, and rightly so. However, your actions and those of your family members and children could be jeopardizing your family’s safety. Just as touching a live electrical wire is unsafe, telling people personal information, your location, and excerpts from your day is unsafe. “But this is where we may differ,” you may be thinking. “No duh on the electrical wire, but using my iPhone to post on Facebook that I am enjoying Cancun is not dangerous.” Yet the potential for harm is real, and it is far less visible than a bare wire. We do things with our devices that are just not wise. We do them without thinking sometimes. We need to be more aware of our impact and the impact of others on us.

I call this “situational awareness.” You need to be aware that what you do online, via email, or even with your TV is traced, tracked, and used. When bad actors get hold of this data, and they will, bad things can happen. Let us look at a few examples:

Back to Basics #1

Who do you tell you are out of town?

In the past, you told close friends and relatives. You rarely mentioned it to anyone else, except perhaps the police. In most cases, though, you stopped the mail and newspaper deliveries.

Now, we tell everyone. When? When we go on Facebook, Twitter, Google+, Foursquare, or Swarm and announce that we are at an airport, in another city, or somewhere else exciting. Before, we only had to worry about the few people who might notice that the mail and newspapers had stopped, and about not telling a complete stranger face to face. Now, we tell complete strangers electronically that we are not at home. One friend of mine announces via one of these services whether he is at work or at home.

Outcome: Thieves monitor these channels to pick the best time to rob your home, your car, or anything else you have left unattended. Because this information is posted publicly on the Internet, it is there for thieves to use without any effort on their part.

Solution: Only publicly tell people that you have traveled after you have returned from your trip. Do not give thieves any more help than they already have. Make them really work to track you down. If it is too much effort, they will not proceed. They go for the lowest-hanging fruit.

Back to Basics #2

To whom do you send photos of your children?

In the past, we sent photos to friends and relatives and not many others. We may have shown new friends our photo albums to become better acquainted and share past experiences.

Now, we show everyone our photos of our children. We do so using Facebook, Twitter, Google+, Instagram, Tumblr, and many other services. These photos often still carry embedded metadata (EXIF) from the phone or camera, including the GPS coordinates and time at which they were taken, which can be used to track down your family and children. Some services strip this metadata on upload, others do not, and a photo sent by email keeps all of it. On top of that, we tell complete strangers the names of our children, where they have been, and many other details about them.

Outcome: Child kidnappers, molesters, and others can stalk your children and, armed with the details you publicly provided, approach them convincingly and cause harm. There have even been court cases in which kidnappers presented your photos to judges as their very own, with the original parents Photoshopped out. Some of these fakes have been so good that experts could not tell them from the originals. This is where film cameras and negatives could come in very handy.

Solution: Do not post photos of your children. Foster families are generally prohibited from posting photos of foster children for this very reason.
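The location metadata that #2 warns about can be checked for and removed before a photo leaves your hands. The script below is an added example written for this page, not code from the original post or from VMware: it parses a JPEG's APP1/Exif segment by hand (no image library), reads the GPS latitude and longitude out of the GPS IFD, and returns a copy of the file with every metadata segment stripped. The sample JPEG is constructed inline (metadata only, no picture data) so the example runs offline; the coordinates are made up and the function names are this example's own.

```python
"""Find and strip GPS metadata in a JPEG's EXIF block. Added example written for
this page (not the post's code); layout follows the public EXIF/TIFF spec. The
sample file from build_sample_jpeg() is constructed: metadata only, no pixels."""
import struct

TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1}  # BYTE ASCII SHORT LONG RATIONAL UNDEFINED
GPS_INFO_TAG = 0x8825                              # IFD0 entry pointing at the GPS IFD
LAT_REF, LAT, LON_REF, LON = 1, 2, 3, 4            # GPS IFD tags (N/S, d-m-s, E/W, d-m-s)


def parse_segments(jpeg):
    """Return ([(marker, payload)], tail): marker segments before the scan data (SOS)
    or EOI, then the bytes from that point on. Segment lengths include their own 2 bytes."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    segments, pos = [], 2
    while pos + 2 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("corrupt marker at offset %d" % pos)
        if jpeg[pos + 1] in (0xDA, 0xD9):          # SOS or EOI: no more metadata
            break
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        segments.append((jpeg[pos + 1], jpeg[pos + 4:pos + 2 + length]))
        pos += 2 + length
    return segments, jpeg[pos:]


def _read_ifd(tiff, offset, e):
    """{tag: (type, count, raw)} for the IFD at `offset`; values <= 4 bytes sit inline."""
    count = struct.unpack(e + "H", tiff[offset:offset + 2])[0]
    entries = {}
    for pos in range(offset + 2, offset + 2 + 12 * count, 12):
        tag, typ, n = struct.unpack(e + "HHI", tiff[pos:pos + 8])
        size = TYPE_SIZES.get(typ, 1) * n
        start = pos + 8 if size <= 4 else struct.unpack(e + "I", tiff[pos + 8:pos + 12])[0]
        entries[tag] = (typ, n, tiff[start:start + size])
    return entries


def _dms_to_decimal(raw, e):
    """Three RATIONALs (degrees, minutes, seconds) -> decimal degrees."""
    v = struct.unpack(e + "IIIIII", raw)
    deg, mins, secs = (v[i] / v[i + 1] if v[i + 1] else 0.0 for i in (0, 2, 4))
    return deg + mins / 60 + secs / 3600


def extract_gps(jpeg):
    """(lat, lon) in signed decimal degrees, or None if the file carries no GPS fix."""
    for marker, payload in parse_segments(jpeg)[0]:
        if marker != 0xE1 or not payload.startswith(b"Exif\x00\x00"):
            continue                               # APP1 also carries XMP; check the header
        tiff = payload[6:]
        e = {b"II": "<", b"MM": ">"}.get(tiff[:2])  # TIFF byte-order mark
        if e is None:
            raise ValueError("bad TIFF byte-order mark")
        ifd0 = _read_ifd(tiff, struct.unpack(e + "I", tiff[4:8])[0], e)
        if GPS_INFO_TAG not in ifd0:
            return None
        gps = _read_ifd(tiff, struct.unpack(e + "I", ifd0[GPS_INFO_TAG][2])[0], e)
        if not all(t in gps for t in (LAT_REF, LAT, LON_REF, LON)):
            return None
        lat = _dms_to_decimal(gps[LAT][2], e) * (-1 if gps[LAT_REF][2][:1] == b"S" else 1)
        lon = _dms_to_decimal(gps[LON][2], e) * (-1 if gps[LON_REF][2][:1] == b"W" else 1)
        return lat, lon
    return None


def strip_metadata(jpeg):
    """Copy of `jpeg` without APP1..APP15 (EXIF, XMP, IPTC, ICC) and COM segments."""
    segments, tail = parse_segments(jpeg)
    out = bytearray(b"\xff\xd8")
    for marker, payload in segments:
        if 0xE1 <= marker <= 0xEF or marker == 0xFE:
            continue                               # drop metadata; keep APP0, DQT, SOF, DHT
        out += bytes((0xFF, marker)) + struct.pack(">H", len(payload) + 2) + payload
    return bytes(out + tail)


def _dms_rationals(value):
    """abs(decimal degrees) -> six ints: deg/1, min/1, (sec*10000)/10000."""
    deg = int(value)
    mins = int((value - deg) * 60)
    secs = round(((value - deg) * 60 - mins) * 60 * 10000)
    return deg, 1, mins, 1, secs, 10000


def build_sample_jpeg(lat, lon):
    """Constructed sample: SOI, APP0/JFIF, APP1/Exif (big-endian TIFF: IFD0 -> GPS IFD), EOI."""
    e, gps_off = ">", 8 + 18                       # TIFF header (8) + IFD0 (2 + 12 + 4)
    data_off = gps_off + 2 + 4 * 12 + 4            # GPS IFD with 4 entries ends at 80
    refs = (b"N" if lat >= 0 else b"S") + b"\0\0\0", (b"E" if lon >= 0 else b"W") + b"\0\0\0"
    tiff = b"MM\x00\x2a" + struct.pack(e + "IH", 8, 1)                       # header, 1 entry
    tiff += struct.pack(e + "HHIII", GPS_INFO_TAG, 4, 1, gps_off, 0)          # LONG -> GPS IFD
    tiff += struct.pack(e + "H", 4)
    tiff += struct.pack(e + "HHI", LAT_REF, 2, 2) + refs[0]                   # ASCII, inline
    tiff += struct.pack(e + "HHII", LAT, 5, 3, data_off)                      # 3 RATIONALs
    tiff += struct.pack(e + "HHI", LON_REF, 2, 2) + refs[1]
    tiff += struct.pack(e + "HHIII", LON, 5, 3, data_off + 24, 0)             # ..., no next IFD
    tiff += struct.pack(e + "IIIIII", *_dms_rationals(abs(lat)))
    tiff += struct.pack(e + "IIIIII", *_dms_rationals(abs(lon)))
    app0 = b"JFIF\x00\x01\x02\x00\x00\x01\x00\x01\x00\x00"
    app1 = b"Exif\x00\x00" + tiff
    return (b"\xff\xd8\xff\xe0" + struct.pack(">H", len(app0) + 2) + app0 +
            b"\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9")


if __name__ == "__main__":
    img = build_sample_jpeg(21.1619, -86.8515)     # constructed coordinates
    print("before:", extract_gps(img), "after:", extract_gps(strip_metadata(img)))
```

The parser follows the TIFF layout inside the Exif segment: byte-order mark, IFD0, the GPSInfo pointer (tag 0x8825), then the GPS IFD, where latitude and longitude are each three RATIONALs (degrees, minutes, seconds) paired with an N/S or E/W reference tag. strip_metadata() removes APP1 through APP15 and COM, which also discards XMP, IPTC and the ICC colour profile; that is the right trade-off for a photo you are about to publish. Do not rely on a social network to do this for you: run it on the file before it leaves your machine.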

Back to Basics #3

With whom do you discuss your misadventures and relationships?

In the past, we only discussed our misadventures and relationships of all types within the confines of our home and with very close friends and family members: people we trusted implicitly.

Now, we tell everything to everyone, on Facebook, Twitter, and Google+, not to mention chat rooms and other electronic media. We share things about ourselves that we would be embarrassed to tell our own mothers.

Outcome: Social engineers use this information to steal your identity, to answer the password-reset security questions on your banking and other accounts, and to guess your passwords. They become you. We post so much about ourselves that it is very easy for others to learn the names of our children, our pets, our schools, and the like. The things that are easy for us to remember for security questions and passwords are exactly the things that are easy for others to look up. All someone needs is a sense of the type of person you are, where you have been, and whatever else they can glean from electronic media.

Solution: Share only information that all people should know about you: information that is already public knowledge. Perhaps share only the type of information that used to be in phone books and high school yearbooks, which were our public face. But leave the rest off of electronic media.

Back to Basics #4

To whom do you normally complain about your job?

In the past, we voiced job complaints only to close friends and loved ones: people we trusted implicitly.

Now, we tell everyone our feelings and, worse, what happens in the office, by various means that are public: email, Facebook, Twitter, and more. It is all public, and therefore it is recorded somewhere for later retrieval.

Outcome: You could lose your job or not be able to obtain the job you desire.

Solution: Do not put anything in writing you would not tell your mother or want three feet high in bright red letters in a court of law.

Back to Basics #5

To whom do you tell your innermost secrets, desires, and wishes?

In the past, we would voice these to our spouses, lovers, partners: those with whom we had a relationship or to whom we were committed.

Now, thanks to voice-controlled televisions with always-on microphones (and sometimes cameras), we may be telling our deepest secrets not only to those who share our relationships but also to unknown people somewhere else in the world. What these televisions record is sent off to be processed, stored, and retrieved later for business use.

Outcome: Our secrets become known, and could then be used against us.

Solution: Do not buy a voice-activated television; or speak in another room (but these things have long ears); or cover the camera and microphones with something (at one conference, Cylance gave out a nifty sliding blackout cover for laptop cameras); or disable the functionality in the television itself by declining the voice-control terms, even though that severely hampers some televisions.

Final Thoughts

This is where IT security and even the general security of a company fall down. If we, in our personal lives, do not have the situational awareness to protect ourselves and our families from bad things, how can a company expect its workforce to care about protecting the organization? The result is draconian security measures that employees dismiss as an imposition and work around, when in reality the company is trying to protect itself against bad actors.

The TPS attack mentioned above is also an issue of situational awareness. We need to know what happens within a cloud in order to protect the workloads, and therefore the organization, from attack; in this case, that deduplicating memory across tenants creates a shared channel between workloads that were supposed to be isolated. But protection really does hinge on a mindset that begins with the employee, and it is something we must instill at a basic level.

Be aware of your surroundings, both physical and cyber. Family safety can translate into business security, but only if we are aware of what is happening around us. In essence, IT security needs to concentrate on the people and train them to keep their families safe. That will translate into keeping the organization safer.

Posted in SDDC & Hybrid Cloud, Security