Hosted Solutions -- Hackers Haven
|
View:
New views
6 Messages
—
Rating Filter:
Alert me
|
 |
Hosted Solutions -- Hackers Haven
by Adriel T. Desautels
::
Rate this Message:
Hi List. This is a subject that seems to come up a lot when we
deliver penetration testing services to our customers. I decided that a quick blog entry on the subject of hosting might be a good idea. I'm not adverse to hosting, but I'd like people to think twice before deciding to outsource their technology to a third party. Specifically, I'd like to see people consider the real risks that they might be introducing to their business. As usual, if there are any comments I'd love to hear them. http://snosoft.blogspot.com/2009/10/hosted-solutions-hackers-haven.html Human beings are lazy by nature. If there is a choice to be made between a complicated technology solution and an easy technology solution, then nine times out of ten people will choose the easy solution. The problem is that the easy solutions are often riddled with hidden risks and those risks can end up costing the consumer more money in damages then what might be saved by using the easy solution. The advantages of using a managed hosting provider to host your email, website, telephone systems, etc, are clear. When you outsource critical infrastructure components you save money. The savings are quickly realized because you no longer need to spend money running a full scale IT operation. In many cases, you don’t even need to worry about purchasing hardware, software, or even hiring IT staff to support the infrastructure. What isn’t clear to most people is the serious risk that outsourcing can introduce to their business. In nearly all cases a business will have a radically lower risk and exposure profile if they keep everything in-house. This is true because of the substantial attack surface that hosting providers have when compared to in-house IT environments. For example, a web-hosting provider might host 1,000 websites across 50 physical servers. If one of those websites contains a single vulnerability and that vulnerability is exploited by a hacker then the hacker will likely take control of the entire server. At that point the hacker will have successfully compromised and taken control of all 50 websites with a single attack. In non-hosted environments there might be only one Internet facing website as opposed to the 1000 that exist in a hosted environment. As such the attack surface for this example would be 1000 times greater in a hosted environment than it is in a non-hosted environment. In a hosted environment the risks that other customers introduce to the infrastructure also become your risk. In a non-hosted environment you are only impacted by your own risks. To make matters worse, many people assume that such a risk isn’t significant because they do not use their hosted systems for any critical transactions. They fail to consider the fact that the hacker can modify the contents of the compromised system. These modifications can involve redirecting online banking portal links, credit card form posting links, or even to spread infectious malware. While this is true for any compromised system, the chances of suffering a compromise in a hosted environment are much greater than in a non-hosted environment. Adriel T. Desautels ad_lists@... -------------------------------------- Subscribe to our blog http://snosoft.blogspot.com ------------------------------------------------------------------------ This list is sponsored by: Information Assurance Certification Review Board Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified. http://www.iacertification.org ------------------------------------------------------------------------ |
|
|
Re: Hosted Solutions -- Hackers Haven
by yaroslav-8
::
Rate this Message:
allow me to disagree a bit. generally, this is true for a large
organizations with dedicated IT department. but in a case of small, let's say less than 100 employees, company, which want to go online, the method will be like this:"step 1: go to bookstore and buy 'linux for dummies", step 2: setup a server, step 3: profit!". 'virtual suicide' in other words. generally, hosting providers knows much more about security and threats than average company. do not forget that owning one account from 1000 doesn't mean that you own all the system. it is very close, yes, but not completely. On Tue, Oct 13, 2009 at 3:17 AM, Adriel T. Desautels <ad_lists@...> wrote: > Hi List. This is a subject that seems to come up a lot when we deliver > penetration testing services to our customers. I decided that a quick blog > entry on the subject of hosting might be a good idea. I'm not adverse to > hosting, but I'd like people to think twice before deciding to outsource > their technology to a third party. Specifically, I'd like to see people > consider the real risks that they might be introducing to their business. > > As usual, if there are any comments I'd love to hear them. > > http://snosoft.blogspot.com/2009/10/hosted-solutions-hackers-haven.html > Human beings are lazy by nature. If there is a choice to be made between a > complicated technology solution and an easy technology solution, then nine > times out of ten people will choose the easy solution. The problem is that > the easy solutions are often riddled with hidden risks and those risks can > end up costing the consumer more money in damages then what might be saved > by using the easy solution. > > The advantages of using a managed hosting provider to host your email, > website, telephone systems, etc, are clear. When you outsource critical > infrastructure components you save money. The savings are quickly realized > because you no longer need to spend money running a full scale IT operation. > In many cases, you don’t even need to worry about purchasing hardware, > software, or even hiring IT staff to support the infrastructure. > > What isn’t clear to most people is the serious risk that outsourcing can > introduce to their business. In nearly all cases a business will have a > radically lower risk and exposure profile if they keep everything in-house. > This is true because of the substantial attack surface that hosting > providers have when compared to in-house IT environments. > > For example, a web-hosting provider might host 1,000 websites across 50 > physical servers. If one of those websites contains a single vulnerability > and that vulnerability is exploited by a hacker then the hacker will likely > take control of the entire server. At that point the hacker will have > successfully compromised and taken control of all 50 websites with a single > attack. > > In non-hosted environments there might be only one Internet facing website > as opposed to the 1000 that exist in a hosted environment. As such the > attack surface for this example would be 1000 times greater in a hosted > environment than it is in a non-hosted environment. In a hosted environment > the risks that other customers introduce to the infrastructure also become > your risk. In a non-hosted environment you are only impacted by your own > risks. > > To make matters worse, many people assume that such a risk isn’t significant > because they do not use their hosted systems for any critical transactions. > They fail to consider the fact that the hacker can modify the contents of > the compromised system. These modifications can involve redirecting online > banking portal links, credit card form posting links, or even to spread > infectious malware. While this is true for any compromised system, the > chances of suffering a compromise in a hosted environment are much greater > than in a non-hosted environment. > > > > Adriel T. Desautels > ad_lists@... > -------------------------------------- > > Subscribe to our blog > http://snosoft.blogspot.com > > > ------------------------------------------------------------------------ > This list is sponsored by: Information Assurance Certification Review Board > > Prove to peers and potential employers without a doubt that you can actually > do a proper penetration test. IACRB CPT and CEPT certs require a full > practical examination in order to become certified. > http://www.iacertification.org > ------------------------------------------------------------------------ > > ------------------------------------------------------------------------ This list is sponsored by: Information Assurance Certification Review Board Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified. http://www.iacertification.org ------------------------------------------------------------------------ |
|
|
Re: Hosted Solutions -- Hackers Haven
by Roman Medina-Heigl Hernandez
::
Rate this Message:
Shared hosting will always be far more insecure than a dedicated one, as
you are suggesting (tons of websites in the same server multiply the risk of security compromise). But you're mixing concepts: "hosted" usually means "outsourced" but not necessarily "shared" (for instance, you could also hire a dedicated server, managed or not, and "host" your application there). You're refering to shared environments, I guess. Outsourcing has other risks/problems. Cheers, -Román Adriel T. Desautels escribió: > Hi List. This is a subject that seems to come up a lot when we deliver > penetration testing services to our customers. I decided that a quick > blog entry on the subject of hosting might be a good idea. I'm not > adverse to hosting, but I'd like people to think twice before deciding > to outsource their technology to a third party. Specifically, I'd like > to see people consider the real risks that they might be introducing to > their business. > > As usual, if there are any comments I'd love to hear them. > > http://snosoft.blogspot.com/2009/10/hosted-solutions-hackers-haven.html > Human beings are lazy by nature. If there is a choice to be made > between a complicated technology solution and an easy technology > solution, then nine times out of ten people will choose the easy > solution. The problem is that the easy solutions are often riddled with > hidden risks and those risks can end up costing the consumer more money > in damages then what might be saved by using the easy solution. > > The advantages of using a managed hosting provider to host your email, > website, telephone systems, etc, are clear. When you outsource critical > infrastructure components you save money. The savings are quickly > realized because you no longer need to spend money running a full scale > IT operation. In many cases, you don’t even need to worry about > purchasing hardware, software, or even hiring IT staff to support the > infrastructure. > > What isn’t clear to most people is the serious risk that outsourcing can > introduce to their business. In nearly all cases a business will have a > radically lower risk and exposure profile if they keep everything > in-house. This is true because of the substantial attack surface that > hosting providers have when compared to in-house IT environments. > > For example, a web-hosting provider might host 1,000 websites across 50 > physical servers. If one of those websites contains a single > vulnerability and that vulnerability is exploited by a hacker then the > hacker will likely take control of the entire server. At that point the > hacker will have successfully compromised and taken control of all 50 > websites with a single attack. > > In non-hosted environments there might be only one Internet facing > website as opposed to the 1000 that exist in a hosted environment. As > such the attack surface for this example would be 1000 times greater in > a hosted environment than it is in a non-hosted environment. In a > hosted environment the risks that other customers introduce to the > infrastructure also become your risk. In a non-hosted environment you > are only impacted by your own risks. > > To make matters worse, many people assume that such a risk isn’t > significant because they do not use their hosted systems for any > critical transactions. They fail to consider the fact that the hacker > can modify the contents of the compromised system. These modifications > can involve redirecting online banking portal links, credit card form > posting links, or even to spread infectious malware. While this is true > for any compromised system, the chances of suffering a compromise in a > hosted environment are much greater than in a non-hosted environment. > > > > Adriel T. Desautels > ad_lists@... > -------------------------------------- > > Subscribe to our blog > http://snosoft.blogspot.com > > > ------------------------------------------------------------------------ > This list is sponsored by: Information Assurance Certification Review Board > > Prove to peers and potential employers without a doubt that you can > actually do a proper penetration test. IACRB CPT and CEPT certs require > a full practical examination in order to become certified. > http://www.iacertification.org > ------------------------------------------------------------------------ > ------------------------------------------------------------------------ This list is sponsored by: Information Assurance Certification Review Board Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified. http://www.iacertification.org ------------------------------------------------------------------------ |
|
|
Re: Hosted Solutions -- Hackers Haven
by Adriel T. Desautels
::
Rate this Message:
Hi Roman,
My comments are embedded below. On Oct 15, 2009, at 7:11 AM, Roman Medina-Heigl Hernandez wrote: > Shared hosting will always be far more insecure than a dedicated > one, as > you are suggesting (tons of websites in the same server multiply the > risk > of security compromise). Dedicated hosts are at risk too. > > But you're mixing concepts: "hosted" usually means "outsourced" but > not > necessarily "shared" (for instance, you could also hire a dedicated > server, > managed or not, and "host" your application there). You're refering to > shared environments, I guess. Hosted to me means anything that is hosted by a third party. Dedicated, shared, or even virtual doesn't matter. The only thing that changes is the penetration methodology. Our team has tested a wide range of hosting providers. In all cases we were able perform distributed metastasis and slip from client, to provider, to other clients. The primary issue is the fact that most of these providers have some form of centralized client control. Take that control center, you take the clients. In many cases clients can give you access to the control center, in some cases they don't. When that happens you need to go for the throat and take the provider. Another way to think about it is like this. If I'm a black hat why would I bother taking one company at a time when I could just take a hosting provider and pwn 1000 at a time? > > Outsourcing has other risks/problems. > > Cheers, > -Román > > > Adriel T. Desautels escribió: >> Hi List. This is a subject that seems to come up a lot when we >> deliver >> penetration testing services to our customers. I decided that a >> quick >> blog entry on the subject of hosting might be a good idea. I'm not >> adverse to hosting, but I'd like people to think twice before >> deciding >> to outsource their technology to a third party. Specifically, I'd >> like >> to see people consider the real risks that they might be >> introducing to >> their business. >> >> As usual, if there are any comments I'd love to hear them. >> >> http://snosoft.blogspot.com/2009/10/hosted-solutions-hackers-haven.html >> Human beings are lazy by nature. If there is a choice to be made >> between a complicated technology solution and an easy technology >> solution, then nine times out of ten people will choose the easy >> solution. The problem is that the easy solutions are often riddled >> with >> hidden risks and those risks can end up costing the consumer more >> money >> in damages then what might be saved by using the easy solution. >> >> The advantages of using a managed hosting provider to host your >> email, >> website, telephone systems, etc, are clear. When you outsource >> critical >> infrastructure components you save money. The savings are quickly >> realized because you no longer need to spend money running a full >> scale >> IT operation. In many cases, you don’t even need to worry about >> purchasing hardware, software, or even hiring IT staff to support the >> infrastructure. >> >> What isn’t clear to most people is the serious risk that >> outsourcing can >> introduce to their business. In nearly all cases a business will >> have a >> radically lower risk and exposure profile if they keep everything >> in-house. This is true because of the substantial attack surface >> that >> hosting providers have when compared to in-house IT environments. >> >> For example, a web-hosting provider might host 1,000 websites >> across 50 >> physical servers. If one of those websites contains a single >> vulnerability and that vulnerability is exploited by a hacker then >> the >> hacker will likely take control of the entire server. At that >> point the >> hacker will have successfully compromised and taken control of all 50 >> websites with a single attack. >> >> In non-hosted environments there might be only one Internet facing >> website as opposed to the 1000 that exist in a hosted environment. >> As >> such the attack surface for this example would be 1000 times >> greater in >> a hosted environment than it is in a non-hosted environment. In a >> hosted environment the risks that other customers introduce to the >> infrastructure also become your risk. In a non-hosted environment >> you >> are only impacted by your own risks. >> >> To make matters worse, many people assume that such a risk isn’t >> significant because they do not use their hosted systems for any >> critical transactions. They fail to consider the fact that the >> hacker >> can modify the contents of the compromised system. These >> modifications >> can involve redirecting online banking portal links, credit card form >> posting links, or even to spread infectious malware. While this is >> true >> for any compromised system, the chances of suffering a compromise >> in a >> hosted environment are much greater than in a non-hosted environment. >> >> >> >> Adriel T. Desautels >> ad_lists@... >> -------------------------------------- >> >> Subscribe to our blog >> http://snosoft.blogspot.com >> >> >> ------------------------------------------------------------------------ >> This list is sponsored by: Information Assurance Certification >> Review Board >> >> Prove to peers and potential employers without a doubt that you can >> actually do a proper penetration test. IACRB CPT and CEPT certs >> require >> a full practical examination in order to become certified. >> http://www.iacertification.org >> ------------------------------------------------------------------------ >> > Adriel T. Desautels ad_lists@... -------------------------------------- Subscribe to our blog http://snosoft.blogspot.com ------------------------------------------------------------------------ This list is sponsored by: Information Assurance Certification Review Board Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified. http://www.iacertification.org ------------------------------------------------------------------------ |
|
|
Re: Hosted Solutions -- Hackers Haven
by Adriel T. Desautels
::
Rate this Message:
Yaroslav, your argument holds no water.
The risk that hosting providers introduce to businesses does not have any relation to the size of the company using the hosting service. More comments embedded below: On Oct 14, 2009, at 4:37 AM, yaroslav wrote: > allow me to disagree a bit. Go ahead. > generally, this is true for a large > organizations with dedicated IT department. How do you propose that the size of the company using a hosting provider has anything to do with the security of the provider? There is absolutely no correlation there. > but in a case of small, > let's say less than 100 employees, company, which want to go online, > the method will be like this:"step 1: go to bookstore and buy 'linux > for dummies", step 2: setup a server, step 3: profit!". Your generalization isn't based on reality. There are many 100 person companies that have full time IT Staff. There are also many 3 person companies that use third party IT Service Providers to manage their networks (outsourced IT staff). In all cases (unless you pull a stupid) then the risk is less if you keep your network in-house. > 'virtual > suicide' in other words. generally, hosting providers knows much more > about security and threats than average company. Are you kidding me? What you just said is laughable! "Generally speaking" these providers are more vulnerable than raw meat left with a pack of hungry wolves. They market themselves as being secure, but most of the time they aren't. I can say that with absolute certainty because we test those providers on a regular basis for our customers. When our customers get the results they tend to have a change of heart and move back to in-house hosting. Sure, there are a "few" good hosting providers, but most of them are not security pro's. Even the ones that are can't control what their customers are doing. > do not forget that > owning one account from 1000 doesn't mean that you own all the > system. it is very close, yes, but not completely. Have you ever penetrated a network? When you take a system that is connected to a network then the network is in fact compromised. In simple terms, at that point you can sniff the data on the network and capture credentials, perform MITM attacks, poison sessions, etc. If you can't figure out how to take the rest of the systems at that point then you shouldn't be hacking in the first place. So yes, you pwn one system on a network then the others are pretty much done (with a few exceptions of course). > > On Tue, Oct 13, 2009 at 3:17 AM, Adriel T. Desautels > <ad_lists@...> wrote: >> Hi List. This is a subject that seems to come up a lot when we >> deliver >> penetration testing services to our customers. I decided that a >> quick blog >> entry on the subject of hosting might be a good idea. I'm not >> adverse to >> hosting, but I'd like people to think twice before deciding to >> outsource >> their technology to a third party. Specifically, I'd like to see >> people >> consider the real risks that they might be introducing to their >> business. >> >> As usual, if there are any comments I'd love to hear them. >> >> http://snosoft.blogspot.com/2009/10/hosted-solutions-hackers-haven.html >> Human beings are lazy by nature. If there is a choice to be made >> between a >> complicated technology solution and an easy technology solution, >> then nine >> times out of ten people will choose the easy solution. The problem >> is that >> the easy solutions are often riddled with hidden risks and those >> risks can >> end up costing the consumer more money in damages then what might >> be saved >> by using the easy solution. >> >> The advantages of using a managed hosting provider to host your >> email, >> website, telephone systems, etc, are clear. When you outsource >> critical >> infrastructure components you save money. The savings are quickly >> realized >> because you no longer need to spend money running a full scale IT >> operation. >> In many cases, you don’t even need to worry about purchasing >> hardware, >> software, or even hiring IT staff to support the infrastructure. >> >> What isn’t clear to most people is the serious risk that >> outsourcing can >> introduce to their business. In nearly all cases a business will >> have a >> radically lower risk and exposure profile if they keep everything >> in-house. >> This is true because of the substantial attack surface that hosting >> providers have when compared to in-house IT environments. >> >> For example, a web-hosting provider might host 1,000 websites >> across 50 >> physical servers. If one of those websites contains a single >> vulnerability >> and that vulnerability is exploited by a hacker then the hacker >> will likely >> take control of the entire server. At that point the hacker will >> have >> successfully compromised and taken control of all 50 websites with >> a single >> attack. >> >> In non-hosted environments there might be only one Internet facing >> website >> as opposed to the 1000 that exist in a hosted environment. As such >> the >> attack surface for this example would be 1000 times greater in a >> hosted >> environment than it is in a non-hosted environment. In a hosted >> environment >> the risks that other customers introduce to the infrastructure also >> become >> your risk. In a non-hosted environment you are only impacted by >> your own >> risks. >> >> To make matters worse, many people assume that such a risk isn’t >> significant >> because they do not use their hosted systems for any critical >> transactions. >> They fail to consider the fact that the hacker can modify the >> contents of >> the compromised system. These modifications can involve >> redirecting online >> banking portal links, credit card form posting links, or even to >> spread >> infectious malware. While this is true for any compromised system, >> the >> chances of suffering a compromise in a hosted environment are much >> greater >> than in a non-hosted environment. >> >> >> >> Adriel T. Desautels >> ad_lists@... >> -------------------------------------- >> >> Subscribe to our blog >> http://snosoft.blogspot.com >> >> >> ------------------------------------------------------------------------ >> This list is sponsored by: Information Assurance Certification >> Review Board >> >> Prove to peers and potential employers without a doubt that you can >> actually >> do a proper penetration test. IACRB CPT and CEPT certs require a full >> practical examination in order to become certified. >> http://www.iacertification.org >> ------------------------------------------------------------------------ >> >> > > ------------------------------------------------------------------------ > This list is sponsored by: Information Assurance Certification > Review Board > > Prove to peers and potential employers without a doubt that you can > actually do a proper penetration test. IACRB CPT and CEPT certs > require a full practical examination in order to become certified. > > http://www.iacertification.org > ------------------------------------------------------------------------ > Adriel T. Desautels ad_lists@... -------------------------------------- Subscribe to our blog http://snosoft.blogspot.com ------------------------------------------------------------------------ This list is sponsored by: Information Assurance Certification Review Board Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified. http://www.iacertification.org ------------------------------------------------------------------------ |
|
|
Re: Hosted Solutions -- Hackers Haven
by Gleb Paharenko-3
::
Rate this Message:
Adriel, hi!
I agree with that point that shared environments increases the attack surface. But in case decision for outsourcing environment is done in a right manner, first risks/profits should be assessed and analysed if shared hosting acceptable. It is good to have a threats check-lists for different hosting types as a guidelines for risk assessment. There might even operational issues (cpu/memory quotas), not only pure security! 2009/10/13 Adriel T. Desautels <ad_lists@...>: > Hi List. This is a subject that seems to come up a lot when we deliver > penetration testing services to our customers. I decided that a quick blog > entry on the subject of hosting might be a good idea. I'm not adverse to > hosting, but I'd like people to think twice before deciding to outsource > their technology to a third party. Specifically, I'd like to see people > consider the real risks that they might be introducing to their business. > > As usual, if there are any comments I'd love to hear them. > > http://snosoft.blogspot.com/2009/10/hosted-solutions-hackers-haven.html > Human beings are lazy by nature. If there is a choice to be made between a > complicated technology solution and an easy technology solution, then nine > times out of ten people will choose the easy solution. The problem is that > the easy solutions are often riddled with hidden risks and those risks can > end up costing the consumer more money in damages then what might be saved > by using the easy solution. > > The advantages of using a managed hosting provider to host your email, > website, telephone systems, etc, are clear. When you outsource critical > infrastructure components you save money. The savings are quickly realized > because you no longer need to spend money running a full scale IT operation. > In many cases, you don’t even need to worry about purchasing hardware, > software, or even hiring IT staff to support the infrastructure. > > What isn’t clear to most people is the serious risk that outsourcing can > introduce to their business. In nearly all cases a business will have a > radically lower risk and exposure profile if they keep everything in-house. > This is true because of the substantial attack surface that hosting > providers have when compared to in-house IT environments. > > For example, a web-hosting provider might host 1,000 websites across 50 > physical servers. If one of those websites contains a single vulnerability > and that vulnerability is exploited by a hacker then the hacker will likely > take control of the entire server. At that point the hacker will have > successfully compromised and taken control of all 50 websites with a single > attack. > > In non-hosted environments there might be only one Internet facing website > as opposed to the 1000 that exist in a hosted environment. As such the > attack surface for this example would be 1000 times greater in a hosted > environment than it is in a non-hosted environment. In a hosted environment > the risks that other customers introduce to the infrastructure also become > your risk. In a non-hosted environment you are only impacted by your own > risks. > > To make matters worse, many people assume that such a risk isn’t significant > because they do not use their hosted systems for any critical transactions. > They fail to consider the fact that the hacker can modify the contents of > the compromised system. These modifications can involve redirecting online > banking portal links, credit card form posting links, or even to spread > infectious malware. While this is true for any compromised system, the > chances of suffering a compromise in a hosted environment are much greater > than in a non-hosted environment. > > > > Adriel T. Desautels > ad_lists@... > -------------------------------------- > > Subscribe to our blog > http://snosoft.blogspot.com > > > ------------------------------------------------------------------------ > This list is sponsored by: Information Assurance Certification Review Board > > Prove to peers and potential employers without a doubt that you can actually > do a proper penetration test. IACRB CPT and CEPT certs require a full > practical examination in order to become certified. > http://www.iacertification.org > ------------------------------------------------------------------------ > > -- Best regards. Gleb Pakharenko. http://gpaharenko.livejournal.com http://www.linkedin.com/in/gpaharenko +380503116172 ------------------------------------------------------------------------ This list is sponsored by: Information Assurance Certification Review Board Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified. http://www.iacertification.org ------------------------------------------------------------------------ |
| Free embeddable forum powered by Nabble | Forum Help |
