Theft-as-a-Service: Blocking the Cybercrime Market
Nerval's Lobster writes "The same layers of virtualization that have made networked business computing so much more convenient and useful have also given bad guys much easier access to both physical and virtual servers within previously-secure datacenters. A group of engineering researchers from MIT has demonstrated one approach to making secure servers harder to access using a physical system that prevents attackers from reading a server's memory-access patterns to figure out where and how data are stored. Ascend, which the group demonstrated at a meeting of the International Symposium on Computer Architecture in Tel Aviv in June (PDF), is designed to obscure both memory-access patterns and the length of time specific computations take to keep attackers from learning enough to compromise the server. The approach goes beyond simply encrypting everything on the whole server to try to shut off one of the most direct ways attackers can address the server directly — whether the server is an air-gapped high-security machine sitting in an alarmed and guarded room at the NSA or a departmental server whose security settings are a little too loose. Other ways to try to obscure memory-access patterns were built as applications to run on the server. Ascend is the first time a hardware-only approach has been proposed, and the first to approach an acceptable level of performance, according to Srini Devadas, Edwin Sibley Webster Professor of Electrical Engineering and Computer Science, the MIT researcher who oversaw the team developing the hardware."
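The leak the summary describes, an observer on the memory bus recovering a secret from which addresses get touched, is easy to model. The following is an added toy example, not code from the MIT Ascend project or from the submitter; it assumes the attacker sees only addresses (contents encrypted) and compares an ordinary indexed read with the simplest oblivious alternative, a fixed-order scan of the whole table. The table contents and the secret index are constructed sample values.

```python
from typing import Callable, List, Optional, Tuple

# Constructed sample data: a four-entry table; the index being looked up is
# the secret the bus observer wants to learn.
SAMPLE_TABLE = [17, 23, 42, 99]


class TracedMemory:
    """A memory whose *addresses* are visible to an observer on the bus.

    Contents are assumed encrypted, so the only thing recorded is the
    sequence of addresses read. (This models the access pattern only, not
    wall-clock timing.)
    """

    def __init__(self, data: List[int]) -> None:
        self._data = list(data)
        self.trace: List[int] = []

    def __len__(self) -> int:
        return len(self._data)

    def read(self, addr: int) -> int:
        self.trace.append(addr)
        return self._data[addr]


def lookup_leaky(mem: TracedMemory, secret_index: int) -> int:
    """Ordinary indexed read: one access, whose address *is* the secret."""
    return mem.read(secret_index)


def lookup_oblivious(mem: TracedMemory, secret_index: int) -> int:
    """Read every cell in fixed order and select the wanted one arithmetically.

    The address sequence (and the number of reads) is identical for every
    secret_index, so an address-only observer learns nothing. This is the
    simplest oblivious scheme (linear scan, O(n) per lookup); hardware ORAM
    designs exist precisely to avoid that cost.
    """
    result = 0
    for addr in range(len(mem)):
        value = mem.read(addr)
        mask = -int(addr == secret_index)  # -1 (all ones) when selected, else 0
        result |= value & mask
    return result


Lookup = Callable[[TracedMemory, int], int]


def run_with_trace(lookup: Lookup, table: List[int],
                   secret_index: int) -> Tuple[int, List[int]]:
    """Perform one lookup and return (value, address trace the observer saw)."""
    mem = TracedMemory(table)
    value = lookup(mem, secret_index)
    return value, mem.trace


def observer_guess(trace: List[int]) -> Optional[int]:
    """What a bus observer can infer from one trace.

    A single distinct address reveals the index outright; a scan over many
    addresses gives nothing to go on (None).
    """
    if len(set(trace)) == 1:
        return trace[0]
    return None


def leaks_secret(lookup: Lookup, table: List[int]) -> bool:
    """True if the address trace differs between at least two secret indices,
    i.e. the access pattern is a function of the secret."""
    traces = {tuple(run_with_trace(lookup, table, i)[1]) for i in range(len(table))}
    return len(traces) > 1


if __name__ == "__main__":
    for name, fn in (("leaky", lookup_leaky), ("oblivious", lookup_oblivious)):
        value, trace = run_with_trace(fn, SAMPLE_TABLE, 2)
        print(f"{name:9s} value={value} trace={trace} "
              f"observer_guess={observer_guess(trace)} "
              f"leaks={leaks_secret(fn, SAMPLE_TABLE)}")
```

Running it shows the leaky lookup producing the trace `[2]`, from which the observer reads the secret directly, while the oblivious lookup produces `[0, 1, 2, 3]` for every index and returns the same value. The price is that every lookup touches the whole table, which is why the summary stresses that getting acceptable performance, not the obscuring itself, is the hard part.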
The overwhelming majority of breaches are not exotic. It's been shown that 85% of recent breaches would have been stopped by four fundamental security processes: patching, proper antimalware (both signature-based and whitelisting) and restriction of user access rights. Exotic hardware-based solutions to protect data in RAM do not help you when the application server itself has been compromised and the attacker has the same rights to the Oracle DB that your SAP instance has. I think it's great that people are working on defenses against these kinds of attacks, but the fact of the matter is that the way most organizations manage security, this is like getting vaccinated against Anthrax when you're a guy who rides a motorcycle drunk without a helmet every day. It's dealing with the wrong risk.
For your security, this post has been encrypted with ROT-13, twice.
Kind of like this collapsible bike helmet made by a guy who rides a brakeless fixie in slip-on shoes. But what you say is really right. Most of the breaches are from just that, people getting remote desktop or SSH access to the servers. Weak passwords, services accessible directly from the internet, and other easily solvable problems mean that this kind of stuff just shouldn't happen. But it still does on quite a regular basis.
Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
You are correct. The reason why you are correct is key though. You can keep everything up-to-date, and lock down systems as tight as you want. But as long as any user has legitimate access to the system, there are weak links in the chain. If a user has access to the internet or a phone, they're susceptible to social engineering attacks. Email or the web, in particular, exposes the company to spear phishing attacks. Access to I/O ports or removable media devices creates a potential attack vector. Heck, even without users who aren't highly security conscious, any hardware is a potential trojan assuming you haven't fully examined the code in every ROM of every motherboard, peripheral, router, etc. Every piece of software is also susceptible to 0-day exploits.
So despite all best practices, there'll almost always be low-hanging fruit for attacks. Conversely, any system sufficiently locked down to make it impenetrable not just by script kiddies, but by organized criminal enterprises or by foreign or domestic surveillance, would also make it pretty much impossible to get any work done. So while doing your best to enforce basic security measures is a good first step, delving into the arcane and esoteric to further secure systems is still necessary if you wish to stay afloat in the arms race of cybercrime.
Javascript, cookies, flash, and ActiveX must be enabled in order to view this sig.