

Forensics with VMware VDDK

The Crucial Security Forensics Blog lists reasons why the VMware Virtual Disk Development Kit (VDDK) might be useful for a forensics investigation that needs to mount and manipulate VMDK files.

Some scenarios might include master boot record infection such as the Stoned bootkit. The Stoned bootkit is a Windows bootkit, which attacks all Windows versions from 2000 up to 7. It is loaded before Windows starts and is memory resident.

Another scenario involves the malware inserting itself into all VMDK files on the system.

Thirdly, having offline access to the VMDK would be essential if the malware was able to steal essential files such as the system and software hives, SAM and/or private keys.

Fourth, if the virtualized disk were using full disk encryption, the analyst would be able to access the files via the VDDK API without decryption taking place.

Lastly, if the machine had other controls in place such as AV or host-based firewall protection on certain files, an analyst would have access to them and not require booting up the virtual disk.
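As an added example (not code from the post, the Crucial Security blog, or VMware's VDDK), the following Python reads the two things an analyst would look at first in the bootkit scenario above: the VMDK text descriptor, to learn which extent files hold the data, and sector 0 of a FLAT extent, to check the boot signature, decode the partition table and hash the 446-byte boot code against a known-good baseline. It reads a raw FLAT extent directly instead of going through the VDDK API; the descriptor, the extent file name "evidence-flat.vmdk" and the sample MBR are constructed for the example.

```python
import hashlib
import re
import struct

SECTOR = 512

# Constructed VMDK descriptor (not from the post); the extent name is a placeholder.
SAMPLE_DESCRIPTOR = """\
# Disk DescriptorFile
version=1
CID=fffffffe
parentCID=ffffffff
createType="monolithicFlat"

# Extent description
RW 4194304 FLAT "evidence-flat.vmdk" 0

# The Disk Data Base
#DDB
ddb.adapterType = "lsilogic"
ddb.geometry.cylinders = "261"
ddb.geometry.heads = "255"
ddb.geometry.sectors = "63"
"""

# Extent line: ACCESS SIZE_IN_SECTORS TYPE "FILENAME" [OFFSET]
EXTENT_RE = re.compile(
    r'^(RW|RDONLY|NOACCESS)\s+(\d+)\s+(FLAT|SPARSE|ZERO|VMFS|VMFSSPARSE)\s+"([^"]*)"(?:\s+(\d+))?'
)


def parse_descriptor(text):
    """Return (header fields, extent list) from a VMDK text descriptor."""
    header, extents = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = EXTENT_RE.match(line)
        if m:
            access, sectors, kind, name, offset = m.groups()
            extents.append({"access": access, "sectors": int(sectors), "type": kind,
                            "file": name, "offset": int(offset or 0)})
        elif "=" in line:
            key, value = line.split("=", 1)
            header[key.strip()] = value.strip().strip('"')
    return header, extents


def parse_mbr(sector):
    """Validate the 0x55AA signature, hash the boot code, decode the partition table."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        entry = sector[446 + 16 * i: 446 + 16 * (i + 1)]
        ptype = entry[4]
        if ptype == 0:          # empty slot
            continue
        lba_start, lba_len = struct.unpack_from("<II", entry, 8)
        partitions.append({"bootable": entry[0] == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": lba_len})
    return {"boot_code_sha256": hashlib.sha256(sector[:446]).hexdigest(),
            "partitions": partitions}


def boot_code_changed(sector, baseline_sha256):
    """True when the boot code no longer matches a known-good hash (bootkit indicator)."""
    return parse_mbr(sector)["boot_code_sha256"] != baseline_sha256


def read_mbr_from_flat_extent(path):
    """Read sector 0 of a FLAT extent, which is a raw disk image, straight from disk."""
    with open(path, "rb") as f:
        return f.read(SECTOR)


def build_sample_mbr():
    """Constructed MBR: filler boot code and one NTFS-type partition starting at LBA 2048."""
    boot_code = b"\xfa\x33\xc0\x8e\xd0" + b"\x90" * (446 - 5)   # not real boot code
    entry = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 2048, 4194304 - 2048)
    return boot_code + entry + b"\x00" * 48 + b"\x55\xaa"


if __name__ == "__main__":
    header, extents = parse_descriptor(SAMPLE_DESCRIPTOR)
    print(header["createType"], extents)
    mbr = build_sample_mbr()
    info = parse_mbr(mbr)
    print(info)
    tampered = bytearray(mbr)
    tampered[0] = 0xEB
    print("tampered boot code detected:", boot_code_changed(bytes(tampered), info["boot_code_sha256"]))
```

The baseline hash has to come from a trusted image of the same boot loader; the check only tells you that sector 0 differs from what you expect, which is exactly the offline comparison the post is after. Sparse extents are not raw, so for those an analyst would still need VDDK or another sparse-format reader to get at sector 0.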

Posted in Security.


New EU Data Protection Rules Proposed

Differences in interpretation of the EU's 1995 data protection rules may soon be resolved, according to a proposal by Viviane Reding, Vice-President of the EC in charge of Justice, Fundamental Rights and Citizenship.

A single set of European rules on data protection valid everywhere across the European Union, so one rule for the 27 Member States and for the 500 million people. One data protection authority for one company: a one stop shop and one authorisation for the whole European Union. This will reduce administrative burden and will save businesses around 2.3 billion euros a year.

The new rules carry some interesting concepts, such as a new burden of proof for companies that retain personal information. Reding advocates for the ability of a person to request that their data be deleted ("right to be forgotten") unless a company can prove a "legitimate reason" for retention. She also has said companies will have to report a breach "as soon as possible," which has been suggested to mean 24 hours. Compliance is expected to be managed by a data-protection officer, who will be required at all companies with more than 250 employees.

Posted in Security.


Video Cameras in Boardrooms

Seems like connecting to video cameras on the Internet has been a thing to do for about a decade now. The classic example was to use a search engine to identify the cameras by their URL:

The next phase was to fingerprint the more network-aware cameras with FTP and web servers to take them over with exploits, stolen credentials or different forms of management software.

The basic story was so common that by 2006 even FOX news ran a story on "hacking" cameras (700K views):

The word hacking is usually a stretch, since you are just connecting to something without any security, but eventually some interesting reverse attacks on cameras appeared: fooling the camera controller with a bogus stream or device to steal credentials.

Now I see a story from the New York Times that confirms video conference systems still are being set up without authentication.

Strangely, however, the NYT mentions nothing of the long history and background to the problem. The NYT story then gets echoed as if this issue was only just discovered. Is anyone really surprised that cameras are still exposed in 2012?

Simply put, customers do not demand that vendors ship the product in a safe-mode. Vendors do not change because they say customers want easy, not secure. Some might see this as yet another "hot coffee" moment waiting to happen.

Perhaps we can hope a NYT version of the story will have some effect on market tolerance for silent yet weak defaults. The story probably will have more effect than years of warnings in forum discussions and local news videos. But until then, more cameras will be connected to the network while the ability to find, index and connect to them will stay trivial.

Posted in Security.


NIST SP800-144: Guidelines on Security and Privacy in Public Cloud Computing

NIST has released the final version of Special Publication 800-144 (SP800-144). Perhaps the single biggest takeaway from the guide is that risk management has not changed fundamentally from non-cloud environments, but the devil may be in the details.

It offers the following list of benefits from the transition to public cloud.

Benefits

  • Staff specialization
  • Platform strength
  • Resource availability
  • Backup and Recovery
  • Mobile endpoints
  • Data Concentration

You might read that list and want to ask "yes, but what about all the Amazon outages or the high-profile breaches like Dreamhost…," which is why they also wrote a "Security and Privacy Downside".

Risks

  • System complexity
  • Shared multi-tenant environment
  • Internet-facing services
  • Loss of control

Posted in Security.


CVE-2011-3923: Apache Struts2

o0o security research has posted a review of the SEC Consult Vulnerability Lab Security Advisory on Apache Struts2 along with a remote code execution exploit.

The problem, in brief, is that Struts2 fails to properly handle user input. A malicious user can elevate privileges by manipulating a design flaw in how HTTP parameter names are handled by Object-Graph Navigation Language (OGNL).

CVE-2011-3923 is the result of ParametersInterceptor allowing parentheses and thus allowing expression evaluation, which can be exploited as follows:

/myaction?foo=&(foo)('meh')=

and here's what happens:

  1. Action attribute foo is set to the value of the foo HTTP parameter and will hold the attacker's OGNL statement.
  2. The second HTTP parameter, named (foo)('meh'), will be evaluated as an expression evaluation OGNL statement: the foo action attribute will be retrieved from the action (remember we control its value via the HTTP parameter) and its value will be evaluated as another OGNL statement.
  3. Since the attacker's OGNL statement is in the HTTP parameter value, we bypass the regular expression and are allowed to use special symbols to modify OGNL context properties to allow method execution.
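As an added example from the defensive side (not code from the advisory, the o0o write-up or the Struts project), the Python below shows the two checks a practitioner would want after reading the explanation above: an allowlist for parameter names that rejects parentheses, so a name can never be handed to OGNL as an expression, and a scan of access-log lines that flags requests whose parameter names fail that allowlist. The allowlist regex is illustrative, not the one shipped in any Struts release; the log lines and IP addresses are constructed, with the second one carrying the request shape quoted in the post.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Illustrative allowlist: letters, digits, underscore, dot, square brackets and
# single quotes cover bean.property and map['key'] names. Parentheses are left
# out on purpose, since a name containing them is what OGNL evaluates as an
# expression. Example allowlist, not the regex from any Struts release.
ACCEPTED_PARAM_NAME = re.compile(r"^[A-Za-z0-9_.\[\]']+$")


def is_acceptable_param_name(name):
    """True only when the whole parameter name is on the allowlist."""
    return bool(ACCEPTED_PARAM_NAME.match(name))


def filter_params(query):
    """Split a query string; keep allowlisted names, report the rejected ones."""
    accepted, rejected = {}, []
    # parse_qsl percent-decodes names, so an encoded '(' is judged after decoding.
    for name, value in parse_qsl(query, keep_blank_values=True):
        if is_acceptable_param_name(name):
            accepted[name] = value
        else:
            rejected.append(name)
    return accepted, rejected


# Constructed access-log lines in combined format (hosts and times made up).
SAMPLE_LOG = """\
10.0.0.5 - - [26/Jan/2012:10:01:02 +0000] "GET /myaction?foo=bar&page=2 HTTP/1.1" 200 512
10.0.0.9 - - [26/Jan/2012:10:01:07 +0000] "GET /myaction?foo=&(foo)('meh')= HTTP/1.1" 200 512
10.0.0.7 - - [26/Jan/2012:10:01:09 +0000] "GET /myaction?user.name=alice HTTP/1.1" 200 512
10.0.0.11 - - [26/Jan/2012:10:02:13 +0000] "GET /myaction?foo=&%28foo%29%28%27meh%27%29= HTTP/1.1" 200 512
"""

REQUEST_RE = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/')


def suspicious_requests(log_text):
    """Return (client, rejected_names) for each request with a non-allowlisted name."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        query = urlsplit(m.group(1)).query
        _, rejected = filter_params(query)
        if rejected:
            hits.append((line.split()[0], rejected))
    return hits


if __name__ == "__main__":
    for client, names in suspicious_requests(SAMPLE_LOG):
        print(client, "sent parameter names outside the allowlist:", names)
```

Decoding before matching matters: the fourth log line percent-encodes the parentheses and quotes, and a scanner that matched the raw query string would miss it. POST bodies are not in the access log, so the allowlist at the application boundary is the control that actually closes the hole; the log scan only tells you who tried it against the GET path.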

Posted in Security.


Why the NYPD hates bicyclists

There is ample evidence that the NYPD harshly and regularly discriminates against bicyclists. In a city that would benefit immensely from alternative transportation one might conclude that the police would be spearheading a campaign to promote and protect cycling. They do the opposite instead.

A recent case adds a new twist to what is really happening on the streets; the police spent more resources on surveillance of those who suffered a loss than on the attacker who caused it.

Incredibly, there are no photos of the scene of the incident in the NYPD's file because "the investigators' camera was broken." However, the file does contain "numerous" photos of the Lefevre family and their attorney, prompting Erika Lefevre to write, "Apparently, NYPD cares more about investigating our family's efforts to get information from it, than about properly investigating Mathieu's death."

[...]

A description of surveillance video of the crash, as provided to Streetsblog, describes Mathieu being struck by the passenger side of the truck before being hit again by the driver's side wheel. The footage makes the NYPD's decision to not file criminal charges against Degianni all the more puzzling.

Camera broken? The police in New York City could not find a functioning camera?

The necessary change, if you agree with the risk thermostat theory I've written about before, is to get the police out of their tax-guzzling gasoline cars (you thought I would say doughnut shops, didn't you) and onto bicycles. It would help if city officials also would ride, like Mayor Villaraigosa in Los Angeles.

The mayor was riding in the bicycle lane on Venice Boulevard in Mid-City at about 6:50 p.m. when a taxi abruptly pulled in front of him. The mayor hit his brakes and fell off the bike.

[...]

The mayor's accident comes as bicyclists in the city have increasingly been complaining about safety issues and pressing city officials to do more to make cycling safe.

It is a sad fact that one incident in Los Angeles has a very different outcome than all the combined accidents in New York, yet that is just further evidence of how empathy plays a major factor in our risk thermostat.

Just one month after he was injured in a bicycle accident, Los Angeles Mayor Antonio Villaraigosa spearheaded a special bike summit on Monday morning, aimed at improving bicycle safety across the city.

Even if there are brush-ups between cyclists and the police, and a lack of training about why cyclists are safer and easier to deal with, the economical and logical fix is more police and officials riding cycles. That would generate empathy and dramatically shift their view of how incidents should be investigated.

Posted in Energy, Security.


VMware Cloud Prediction Talk

Chris Colotti and Massimo Re Ferre’ are hosting a #cloudtalk next week on cloud predictions for 2012. Please join to help flood them with questions about compliance and security:

In a recent Fortune article, Mathew Lodge predicted the hybrid cloud will continue to grow and that Platform-as-a-Service will win the hearts of developers. Do you agree or disagree? We want to hear your thoughts during our first #cloudtalk of 2012 on January 31st at 11am PT.

Posted in Security.


Judge rules decryption can be forced

The U.S. Constitution's Fifth Amendment states no one can be "compelled in any criminal case to be a witness against himself". Yet Judge Robert Blackburn has ruled in Colorado that courts can force Americans to disclose information that will incriminate them. The EFF filed a brief last year with a nice explanation of the two sides to this key issue (pun not intended).

Forcing an individual to supply a password necessary to decrypt data is more like revealing the combination to a wall safe than to surrender a key: the witness is being compelled to disclose information that exists in her mind, not to hand over a physical item.

Those who believe that a defendant who knows a password is withholding the equivalent of a physical key argue that they are not protected by the Constitution. Those who believe a password is information argue that it is protected. It might be helpful to the debate if the judge would reference how their decision affects the three factors of authentication — something you know, something you have, something you are.

Something you have has not been protected under the Fifth Amendment. Blackburn is stating that something you know should also lose protection. CNet quotes the reason offered by prosecutors for the change.

Failing to compel Ms. Fricosu amounts to a concession to her and potential criminals…that encrypting all inculpatory digital evidence will serve to defeat the efforts of law enforcement officers to obtain such evidence through judicially authorized search warrants, and thus make their prosecution impossible.

That has a strange tone for many reasons. Here are just a few that jump to mind:

First, it would only be impossible to prosecute if a number of particular and narrow conditions exist. That is hardly a concession to criminals in a broad sense; they already know that if they perform a perfect crime they won't be caught. There are a number of ways encryption will fail and/or fail protection under the Fifth Amendment.

Second, "make their prosecution impossible" does not seem like a valid argument on its own since the Fifth Amendment clearly carves out situations that are protected. A prosecution already has to work within a limited framework even if it makes prosecution impossible.

Third, refusing to produce something physical seems very different than refusing to reveal something you are believed to know. Forgetting, in my mind, (pun not intended) is very different than the reasons that could lead to the inability to give physical access. This case begs the question of how and why information security differs from physical security; why is logical integrity of a password so different from physical integrity of a metal key?

Perhaps it helps to consider the case like this: Contempt of court for refusal to hand over something that you have should be distinct from refusal to hand over something that you know. Blackburn does not seem to see the difference but I suspect he might change his view if he had to defend it in all cases of authentication.

Posted in Security.


vCenter Events and Alarms

Veeam Software, a business continuity product company for virtualization, has a complete list of vCenter Events sorted by ID. Here's the first event in the list:

ID                   Severity  Group  Message Catalog Text                        Since  Reference
AccountCreatedEvent  info      Host   An account was created on host {host.name}  2.0    Reference

Clicking on the ID opens a JavaScript popup with event details:

Event: AccountCreatedEvent

Cid: '200'
ManagedObject: 'VC'
MessageGroup: 'MsgGroupHost'
OptionVar: 'EventId="${eventid}" Timestamp="${timestamp}" ComputeResource="${computeresource}" Datacenter="${datacenter}" HostName="${hostname}" Server="${server}" Username="${username}" DisplayName="${vm.name}" UUID="${vm.uuid}"'

This event records that an account was created on a host.

Here's the event when the new ESXi 5.0 syslogd service is unable to communicate with syslog (KB 2003127):

ID                                    Severity  Group  Message Catalog Text                                                                                                          Since  Reference
esx.problem.vmsyslogd.remote.failure  error     VC     esx.problem.vmsyslogd.remote.failure|The host "{1}" has become unreachable. Remote logging to this host has stopped.  5.0    Reference

This is an important change from prior versions of ESXi, which would not stop logs on an error (note the "Since 5.0" field). An alarm for this event can easily be created by using "esx.problem.vmsyslogd.remote.failure" as the trigger.
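As an added example (not code from the post, Veeam or VMware), the Python below works with the two catalog entries quoted above: it expands the `${name}` and `{name}` placeholders from the Message Catalog Text and the OptionVar template, picks out the events that match an alarm trigger such as esx.problem.vmsyslogd.remote.failure, and adds the check that matters once remote logging stops silently: which hosts have gone quiet for longer than an allowed window. The sample events, host names and timestamps are constructed, not exported from a real vCenter.

```python
import re
from datetime import datetime, timedelta

# Message Catalog Text for the two events quoted in the post.
EVENT_CATALOG = {
    "AccountCreatedEvent": "An account was created on host {host.name}",
    "esx.problem.vmsyslogd.remote.failure":
        'The host "{1}" has become unreachable. Remote logging to this host has stopped.',
}

# The OptionVar template quoted in the AccountCreatedEvent popup.
OPTION_VAR = ('EventId="${eventid}" Timestamp="${timestamp}" ComputeResource="${computeresource}" '
              'Datacenter="${datacenter}" HostName="${hostname}" Server="${server}" '
              'Username="${username}" DisplayName="${vm.name}" UUID="${vm.uuid}"')

# Constructed sample events keyed by the OptionVar field names (hosts and times are made up).
SAMPLE_EVENTS = [
    {"eventid": "AccountCreatedEvent", "timestamp": "2012-01-26T10:00:00",
     "hostname": "esx01.lab.example", "host.name": "esx01.lab.example", "username": "root"},
    {"eventid": "esx.problem.vmsyslogd.remote.failure", "timestamp": "2012-01-26T10:05:00",
     "hostname": "esx02.lab.example", "1": "syslog.lab.example"},
]

# Matches ${name} (OptionVar style) or {name} (Message Catalog style).
PLACEHOLDER = re.compile(r"\$\{([^}]+)\}|\{([^}]+)\}")


def render(template, fields):
    """Expand placeholders from fields; names without a value stay visible as-is."""
    def substitute(m):
        key = m.group(1) or m.group(2)
        return str(fields.get(key, m.group(0)))
    return PLACEHOLDER.sub(substitute, template)


def render_event(event):
    """Human-readable text for an event, falling back to the bare event ID."""
    return render(EVENT_CATALOG.get(event["eventid"], event["eventid"]), event)


def alarm_hits(events, trigger_ids):
    """Events whose ID is one of the configured alarm triggers."""
    return [e for e in events if e["eventid"] in trigger_ids]


def stale_hosts(events, now_iso, max_silence_minutes):
    """Hosts whose most recent event is older than the allowed silence window."""
    now = datetime.fromisoformat(now_iso)
    window = timedelta(minutes=max_silence_minutes)
    last_seen = {}
    for e in events:
        ts = datetime.fromisoformat(e["timestamp"])
        if e["hostname"] not in last_seen or ts > last_seen[e["hostname"]]:
            last_seen[e["hostname"]] = ts
    return sorted(host for host, ts in last_seen.items() if now - ts > window)


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(render_event(e))
    for e in alarm_hits(SAMPLE_EVENTS, {"esx.problem.vmsyslogd.remote.failure"}):
        print("ALARM:", render(OPTION_VAR, e))
    print("quiet hosts:", stale_hosts(SAMPLE_EVENTS, "2012-01-26T11:00:00", 30))
```

The alarm on the event ID catches the moment the host gives up on remote logging; the stale-host check is the backstop for the case where that event itself never reached the collector, which is the point of the "Since 5.0" behaviour change.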

Posted in Security.


American Military Suicide Rates

News seems to continue building about the rate of U.S. soldier suicide versus combat deaths in Iraq and Afghanistan.

[Rep. Rush D. Holt, a New Jersey Democrat] said a fuller reckoning of the number of suicides among military personnel and veterans is needed not so much to tell lawmakers and the public that there is a problem — that, he says, they know. Rather, it is needed to more accurately gauge the extent to which programs to help troubled troops are having an effect.

[Image: US Soldier Suicide Rate; 'american kills' by Chilean-born, New York based artist Sebastian Errazuriz]

Posted in Poetry, Security.