Security Basics mailing list archives

Re: Cloud Forensics continued [Was - Re: Bruce Schneier on Google Apps...]


From: "J. Oquendo" <sil () infiltrated net>
Date: Wed, 29 Jul 2009 17:29:05 -0400

Ali, Saqib wrote:
Fed on stand: "No we weren't allowed to check states or make bit copies..."
    

Firstly, Google or any other SaaS provider operate under exactly the
same laws that you do.

You make valid arguments. But I suppose the same arguments were made
when the world moved from paper based memos to email for official use.
The memos were filed in a locked filing cabinet. And any type of
tampering was fairly evident. But once we moved to electronic mail, there
was no locked metal filing cabinet. Everything resided on a user's PC,
which could be infested with malware and rootkits. How do you know
that some rootkit was not modifying or deleting the user's emails? The
rules of investigation and evidence collection changed with the
introduction of email, and the same will happen when we move to cloud for
email. Things change.

Just my $0.02

Saqib
  
One of the things many aren't even factoring in when it comes to Google
is... Google throws out machines when they go bad. It's not
cost-effective to repair machines so let's think about that for a
moment... Imagine a company you've tasked with keeping your data "in the
cloud". That company has some insane RAID scheme going on where your
data is mirrored across X amount of stripes, drives, etc. Hardware goes
bad, you don't notice because it's immediately replaced with new
hardware... How and what is Google or any other company - not singling
Google out here - what is being done prior to chucking machines? Are
they degaussing, wiping, what exactly are they doing? 'Cause guess what -
they're not telling you up-front, are they?

As for your other commentary (malware, etc.), I suggest you take a quick
read of "I Didn't Write This Document And I Can Prove It!"
http://www.infiltrated.net/WasntMe.pdf as there are little factoids
you're making known to me or other forensics
"staff/newbies/experts/hobbyists/etc". Clouds make things *that* much
more complicated in the end than they help. Again - cloud companies can
market to you the opinions of why they're better - but in the end
reality sinks in and they're worse off for you than keeping things in
house from a forensics point of view and an incident response point of
view. If you need to act real-time, how do you know that your cloud
provider didn't outsource to a rogue country which is attacking you?

Not singling out a country so I'll make one up - Animonia. Company_X
located in the United States outsourced to Animonia to save money. They
placed the systems administration and systems engineering tasks abroad
to cut costs and make beaucoup profits. The government of Animonia is in
cahoots with the Impression Business Network (IBN) and the IBN has
launched massive fraud against the virtualized clientele on Company_X.
Company_X gets a call from a client "oh noez, we was pwnd!" Do you
sincerely expect the country of Animonia to perform diligently? What
about... What about someone from Animonia flat out selling access to the
IBN?

Bottom lines... These things happen more often than some care to
believe; you don't hear about them because, quite frankly, it's not in the
best interest of companies to let the cat out of the bag. Their views
are distorted: "It wasn't us! It was Animonia, therefore we don't have to
report". Government will step in, slap on regulatory controls. NIST will
write a framework. The framework will take years to become some form of
standard; by the time NIST publishes it, attackers have moved on and
companies are implementing outdated standards and guidelines. Welcome to
the wonderful world of the herding instinct ad nauseam.

You keep thinking the rules will change for cloud providers; the only
thing that will change is lobbying by them.

CREAM (wu) ;)

-- 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP

"It takes 20 years to build a reputation and five minutes to
ruin it. If you think about that, you'll do things
differently." - Warren Buffett

227C 5D35 7DCB 0893 95AA  4771 1DCE 1FD1 5CCD 6B5E
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E

