I will be presenting at RSA 2011 in San Francisco:

Session ID: CLD-204

Title: Cloud Investigations and Forensics

Scheduled Session Times: Wednesday, Feb 16, 1:00 PM

Room: Orange Room 305

Abstract: Cloud computing’s growth in popularity has been due to the lure of inexpensive and redundant storage, computation and services. This presentation provides an analysis of what happens when things go wrong, by looking at real-world cloud computing investigations and digital forensics. It proposes a set of technical and legal recommendations to reduce risk.

Session Classification: Advanced

This is becoming a point of curiosity for me. A 0-day attack is one that no one is ready for because they have not seen it before. No countermeasures are prepared, no detection is known. This begs the question, what do you really know about your environment?

I know it’s uber sexy to talk 0-day, but is that really what makes Stuxnet dangerous? It looks like a symptom to me, but not the problem.

First, the Windows Print Spooler exploit was from 2009. Stuxnet spread using this known flaw that had not been patched. That makes it three 0-day at best, not the reported four. Microsoft claimed it only heard about it in late 2010 and fixed it 13 days later. I’ll spare you the rant, but guess who really argues the case to call things a 0-day?

See “Print Your Shell” in the September 2009 edition of hakin9 magazine.

Second, not all the Stuxnet vulnerabilities were 0-day. It made use of more than just four infamous vulnerabilities; the RPC vulnerability, for example, was from 2008.

Third, even on a perfect day we expect malware detection to get less than 80%. What does a 0-day really represent (assuming you still believe the three are truly 0-day)? We have messed around with the 0-day attacks for ages (depending on your definition, of course), and yet the known vulnerabilities (non-0-day) also have a very high probability of working. A 0-day may not be as serious as other vulnerabilities. I believe they play a secondary, or even a supporting role.

What I mean is the Stuxnet authors knew an awful lot about their target environment. We can talk all day about the probability of a 0-day relative to known vulnerabilities, but what really defines this Stuxnet attack vector as dangerous is knowledge specific to operations. The danger is that the attack is able to get insider knowledge…trusted access and detailed information. The ability of an attacker to conceal themselves after the breach thus is also a symptom, rather than a primary characteristic of the threat.

A good defensive posture will focus on this as a development of insider-based risk, which requires security information at least as good as an attacker’s, as I tried to explain in my presentation at RSA 2010 in London. Know your environment.

Here is a classic targeted attack example from this past weekend in Australia

The University of Sydney (USyd)…website was last defaced Friday night with a message claiming that Jie Gao, the university’s UNIX systems administrator, is incapable of securing the web server.

That message obviously is not meant to say it is theoretically impossible to secure a web server — the inevitability of 0-day flaws. It is to accuse an administrator of not knowing their environment. Major differences from Stuxnet can be found in this attackers means, motive and opportunity, but probably not methods.

It might seem like a tangent, but the TED presentations by Hans Rosling make an insightful and powerful observation on this topic. He went to fix the equivalent of 0-day health risks in Africa using modern medicine, but realized that the greatest threat was not an unknown virus or from lack of sophisticated technology. Once he began to study the environment he found that the prevention of common malnutrition is more effective to improve child survival rates.

What risks are you running in your environment?

The BBC says the terms “Cyberwar” and “Cyberattack” are used without reasonable definition. More importantly, in the big scheme of disasters, they say not to worry about a high impact severity event.

The Organisation for Economic Cooperation and Development [OECD] study is part of a series considering incidents that could cause global disruption.

While pandemics and financial instability could cause problems, cyber attacks are unlikely to, it says.

Instead, trouble caused by cyber attacks is likely to be localised and short-lived.

Unlike many of those who warn of Cyberwar, the authors of this study (Peter Sommer, LSE and Ian Brown, Oxford) do not seem to have a related book for sale.

You may be wondering whether the OECD has made predictions before, and whether they have been accurate. Twice a year, they publish projections for the world economy. A study in 2007 by the Economics Department, which they call a post-mortem for growth predictions, vaguely suggests an answer:

Regression analysis suggests that both OECD projections and Consensus Economics forecasts add value to naive forecasts

To sum it all up, cyberwar (properly defined) is unlikely but countries will still get value from the careful study of cyberattacks. A cynic might say: The authors are not selling a book to the public; they are selling research to state leaders.