AWS Splits Up Cloud to Achieve Compliance

A recent interview I gave has turned up in a SearchCloudComputing.com column:

…GovCloud is an admission by Amazon that it cannot modify its entire cloud so it will isolate data and applications completely. Instead, it has to carve it up.

History shows us that most breaches come from out of scope, “isolated” systems that are not truly separate. The attackers enter through a back door, a system that’s connected to the backplane for emergency use only but gets them into the rest of the network. Could a contractor who is not a U.S. citizen get in under ITAR? Is Amazon hiring separate administrators to run GovCloud?

AWS itself admitted that the major outage of its Elastic Block Storage service in April happened because it did not have good separation of systems. Has it just created a false sense of separation between the GovCloud secure zone and the rest of AWS? It’s certainly given potential attackers something to look for.

I actually said Amazon chose not to modify its entire cloud. They probably had the option to make AWS secure enough to comply with ITAR but apparently it was not worth the expense, so they chose to reduce exposure to the compliance requirements through segmentation. The first thing that jumped into my mind is whether they will charge a premium to be in GovCloud — charge more money to guarantee that employees are U.S. citizens. Otherwise, who in the U.S. wouldn’t want to move all their workloads into GovCloud?

Meal Worm Tacos

The fresh tacos served by Don Bugito in San Francisco are delicious:

Monica Martinez plans to start an insect food cart in San Francisco through an incubator that helps mainly women and immigrant food entrepreneurs start up businesses. Ms. Martinez wants to feature insect dishes based on Hispanic foods but grown locally, such as a ceviche-like cricket dish and soft tortilla tacos with meal worms and green salsa.

Don Bugito's Incubator

I am told worms are a far more sustainable source of nutrition, with “protein content as much as twice that of beef”, and that they are a “centuries-old” traditional meal. Beyond all that context I was hungry, so I didn’t mind buying them for lunch.

As I munched down my second worm taco on the street a cameraman walked up and said he needed a quote from my mealy mouth for an AP story.

I stared into the camera and said “…much better than meat!”

I wonder if the footage will pop up somewhere.

Later I realized I should have said something more like “feels great to be the early bird” or “I guess now I know what it’s like to have baited breath” or “it doesn’t bug me at all” or “tastes like butter…fly” or “finally, here’s some global worming we can feel good about”.

Anyway, they really are delicious without needing much more thought.

Update: Insect cuisine puts a whole new spin on agricultural risk management.

Farmers on the outskirts of Mexico City were spending large amounts of money on pesticides to kill grasshoppers, Garcia Oviedo said, until they found they could get more money for the edible bugs than for their crops.

“Now, these farmers are planting a cheap kind of corn, just to serve as a trap to catch grasshoppers,” he noted. “They’ve seen that it’s better to have a crop with pests.”

Better to have pests? Now that’s a twist.

Shionogi vSphere Breach

The US DoJ released a press announcement two days ago that says a virtualized environment administrator has admitted to a serious breach.

In the early morning hours of February 3, 2011, Cornish gained unauthorized access to Shionogi’s computer network. Cornish used a Shionogi user account to access a Shionogi server, then took control of a piece of software that he had secretly installed on the server several weeks earlier.

Cornish then used the secretly installed software program to delete the contents of each of 15 “virtual hosts” on Shionogi’s computer network. These 15 virtual hosts (subdivisions on a computer designed to make it function like several computers) housed the equivalent of 88 different computer servers.

That “secretly installed software program” they are talking about sounds really nefarious, but it is actually just VMware vSphere. It is explained better in the formal complaint.

…on or about January 13, 2011, defendant Cornish accessed the CVAULT account and used that to install vSphere — the software program believed to have been used to delete Shionogi’s virtual hosts…officials advised that there was no legitimate business reason for vSphere to be installed or running on the SPVC01 Server.

The press release says Cornish did not attempt a sophisticated attack. He accessed his ex-employer’s network and installed vSphere from his home connection. When he connected again to cause harm (two weeks later) he went to a McDonald’s and used his credit card to buy breakfast before using the free wifi.

The investigation by the FBI’s Cyber Crimes Task Force revealed that the attack originated from a computer connected to the wireless network of a Smyrna McDonald’s where Cornish had used his credit card to make a purchase minutes before the attack. Cornish also gained unauthorized access to Shionogi’s network from his home Internet connection using administrative passwords to which he had access as an employee.

The formal complaint again gives more detail.

According to McDonald’s business records, a Visa credit card number ending in 8291 (“the 8291 Visa”) was used at the Smyrna McDonald’s to make an approximately $4.96 purchase…approximately 5 minutes before the attack…

Approximately $4.96? I’d like to see a more exact purchase record.

It seems like he either wanted to be caught or didn’t care much about the risk. Google confirmed that the same credit card number that bought breakfast was linked to an email account used by Cornish. And the credit card issuer, BofA, confirmed that Cornish is the account holder.

Given the timeline and the software and network details this case really boils down to termination procedures and risk management. It’s not about secret software. It’s about a bad actor who abused trust. Cornish worked for Shionogi from 2009 to 2010. The complaint suggests his attack was successful because he could authenticate and use systems many months after his departure without being noticed.

So, on the one hand the DoJ press release is a success story. Logs were available from multiple sources for at least six months of activity and were used to quickly apprehend the attacker and get him to admit the crime. On the other hand the details of the attack raise a question of precautions and operational awareness.

It is unfortunate that Shionogi was a victim of this crime but will someone say they should have taken better care, like changing passwords after staff were terminated or left? In other words should a company be externally required to take precautions against an availability loss if there is no impact outside the company (e.g. no regulated data risk)?
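One defender-side check the two paragraphs above imply, written here as an added example and not drawn from the complaint or from Shionogi’s own tooling: correlate successful logins against a roster of departed staff and flag any that land after the departure date, noting whether the source address sits outside the corporate range. The log lines, the roster, and the 10.0.0.0/8 internal range are constructed for illustration; the dates echo the ones quoted from the complaint.

```python
import re
from datetime import datetime, timedelta

# Constructed roster of departed staff: account -> last day (hypothetical).
TERMINATED = {
    "cvault": datetime(2010, 12, 15),
    "jdoe": datetime(2010, 11, 1),
}

# Constructed sample authentication log, not taken from the complaint.
SAMPLE_LOG = """\
2011-01-13T02:14:07 host=SPVC01 user=cvault src=203.0.113.45 result=success
2011-01-13T02:20:51 host=SPVC01 user=backup_svc src=10.0.0.7 result=success
2011-02-03T05:41:10 host=SPVC01 user=cvault src=198.51.100.9 result=success
2011-02-03T09:02:33 host=SPVC01 user=alice src=10.0.0.21 result=success
2011-02-03T09:05:12 host=SPVC01 user=jdoe src=10.0.0.33 result=failure
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>\S+)$"
)
INTERNAL_PREFIX = "10."  # assumption: the corporate LAN is 10.0.0.0/8


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%S")
    return ev


def find_stale_logins(log_text, terminated, grace_days=0):
    """Return (user, timestamp, src, days_after_departure, external) for each
    successful login by an account whose owner had already left; failures are
    ignored because the point is credentials that still work."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["result"] != "success":
            continue
        left = terminated.get(ev["user"])
        if left is None or ev["ts"] <= left + timedelta(days=grace_days):
            continue
        days = (ev["ts"] - left).days
        external = not ev["src"].startswith(INTERNAL_PREFIX)
        hits.append((ev["user"], ev["ts"], ev["src"], days, external))
    return hits
```

Run against a real auth source the same report would surface the gap the complaint describes: a departed account still succeeding weeks later, from outside the building.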

It’s a classic case of attack economics. Should a business invest in thicker glass, replace their glass altogether, or improve the chances of catching someone who throws bricks? A related question would be whether and when a victim should realize the level of risk. Did Shionogi make a conscious decision to leave themselves exposed, or were they somehow led to believe they were safe from easy but devastating harm ($300,000) by former employees?

It’s a good case study of security and compliance, as well as of the double-edged nature of remote administration tools in virtual environments.