This week, during the CanSecWest 2017 Conference in Vancouver, British Columbia, is held the PWN2OWN™ CONTEST organized by Zero-Day Initiative (http://zerodayinitiative.com/). A team carried on an attack on Microsoft’s Edge browser allowing them to escape a VMware Workstation virtual machine in which it ran. This exploit fetched them 105 000$ of reward. On the same day, another team successfully exploited 3 vulnerabilities and succeed to perform a virtual machine escape.
I will state what is obvious to me since the rising of the hardware virtualization technologies: Virtual Machines aren’t as safe as Physical one. I feel stupid writing it as it is just a matter of fact but it seems it has not yet been accepted by a lot of system admins who are still in denial.
And VMware is not the only to blame, all the Virtualization solutions have already been breached (Xen, KVM,…) one way or another. And those ares just the known exploits. So, whoever you’re talking too, there is no way (s)he can pretend the risks are the same between a physical and a virtual machine.
Of course, there is economics upsides using virtualization and that’s why it is a matter of risk management. But when it comes to crown jewels, we might have to think twice or at least strongly insist on a physical segregation between more sensitive systems and internet facing one.
I don’t say we shouldn’t use virtual machine, I just say we must stop pretending they are as safe as physical one. It is just not true. Risk are different and we must take that into account. The wolfs can pass the fences…
This past few years, interest and budgets for ethical hackers and pentesters has grown rapidly. They gain more and more visibility (see the Belgian Cyber Security Challenge or the European Cyber Security Challenge). More important, consulting companies are recruiting young and talented hackers by the dozen those last years.
During the last decade, lot of (nor to say most) TV shows and even novels have included or even starred a hacker:
Lisbeth Salander in Millenium,
Harold Finch in Person of Interest,
Felicity Smoak in Arrow,
Elliot Alderson in Mr Robot,
Skye in Marvell’s Agent of Shields,
Christopher Pelant in Bones,
Penelope Garcia in Criminal Minds,
Luther Stickell in Mission Impossible,
and the list goes on.
Nowadays, being an (ethical) hacker is sexy, trendy and well paid. It’s no surprise that a lot of young graduates want to embrace this professional career. As such, it is a good thing as we need more skilled and talented professionals in cyber Security.
However, it might be a bit short sighted as Artificial Intelligence’s powered automated hacking systems are on our doorstep (see DARPA’s Cyber Grand Challenge and other AI powered systems in the links at the bottom of this post).
Nevertheless, that’s not really my point here. With all these young genius at work uncovering our weaknesses, we still don’t have enough talented people to fix the issues.
WE NEED MORE FIXERS!
When I talk about fixers, I don’t only mean people skilled enough to fix the vulnerabilities discovered by our code breakers but also people able to fix governance, processes, organization and people. We need professional who can make effective security awareness (meaning that will make people change their behaviour), people who can implement a flawless IT & security governance. People able to define processes preventing attacks by design. People able to define new strategies and able to implement them (or at least to make people implement them). Person who can understand in which detail the devil is hidden. Hackers just need to find one vulnerability, we have to fix them all. It is less sexy, even more complicated and there is not enough people who wants to fix the problems… but we clearly need more. So, young geniuses, when you’ll be bored of breaking things, please come to the light side and help us fix this mess.
You may have heard that the US federal Judge Thomas Rueter has ruled against Google in their refusal to seize personal emails of one of their customer to the FBI based on the fact that these data were stored in an European Data Center.
While in 2016, in a case against Microsoft, a federal judge ruled that US investigators could not force the company to hand over emails stored on a server in Europe (Dublin in that specific case).
Of course, there is much more at stake here than just access to one customer’s email. There is billions of dollars at stake here. Most companies and individuals in Europe are moving their data to the cloud. The biggest cloud services suppliers in the world are American based companies (Amazon, IBM, Google and Microsoft representing together around 50% of the market) and a large number of European companies are outsourcing their services to these vendors. However, the GDPR (the European General Data Protection Regulation, see also Wikipedia for an overview) requires a strong protection of our personal data (including our emails). As US and EU aren’t totally aligned on this matter, most European companies requires their cloud providers to store and process their data in European Data Centers in order to guarantee the European regulation will be enforced.
And now, this new ruling might jeopardize all that (or at least be the start of it). If the sole fact of having an American based company as a supplier can allow US to bypass the GDPR, would European companies still be allowed to use them to store personal data? Would we see European companies and individuals leaving Gmail, Google apps, AWS, Outlook and other related US based services for European based and owned companies? It would be a big mess… and maybe a huge opportunity for some European challengers.