PDC VM Guest Escape Podcast and some Ramifications
Paul Asadoorian and Larry Pesce’s recent interview with InGuardians’ Ed Skoudis, Tom Liston, and Matt Carpenter is another must listen. It gives a great background on how the InGuardians team approached escaping from a virtual guest to obtain control of the host operating system. If you don’t have time to listen, Ed gave some similar but less detailed information in a comment to my original post on their release of this information.
Security professionals who are responsible for maintaining a security posture within their organization should, however, listen to the podcast whether they employ virtual environments or not. There are two reasons for this. First, if you don’t deploy virtual hosts, then it is very likely that somebody will either ask you to investigate the technology or tell you to deploy it. Second, this interview gives great insight into the methodologies used by people who are trying to find attack vectors.
Let me elaborate on the second topic a little more. The days of hacking for fun are over. I think it is safe to say that nearly everybody has come to that realization (there may be a few holdouts in upper management, but they will not last long). This means that the stakes are higher for the good guys and the bad guys. The interview with InGuardians shows us how a group of skilled and seasoned professionals attack a problem. If you think that the bad guys cannot get this organized, then you are kidding yourself. Certainly there is always going to be the individual rogue element which, because of the focus a single person can apply, is dangerous. But when you get people operating together they become more efficient and effective. Sure, it took InGuardians two years to get a piece of software to function in a way that it was not intended and, now that their funding is over, they will not be focusing on this area. This is how the good guys act. They find and validate a threat vector, disclose it responsibly, and either keep working on the issue or move on to the next issue depending on funding. Do you think the bad guys would stop here? Do you think they would be satisfied with a proof of concept? Do you think their funding would dry up at this point? I do not. There is a reason the term “weaponized exploit” has been coined. If you still feel that the bad guys cannot get this organized, just ask Germany how they feel about their recent encounter with the Chinese. If you think one or two people were capable of this type of penetration, then you are sadly mistaken. This was an organized, focused, and methodical attack. Does it matter whether it was a criminal organization or a government-funded group? In the case of this point, no. In the case of broader ramifications, yes. But that is another topic for another day.
This brings us back around to the concerns about virtual machine escape. I very much like how Ed and crew have kept their message on target. The proof of concept exploit that they demoed at SANS Fire 2007 is important precisely because it is just that, a Proof Of Concept. Is it possible that they have a “weaponized exploit” that goes above and beyond what they demoed? Yes. But the fact remains, and they repeat this at the end of the podcast, that the protections are merely taking the possibility of this threat into consideration during your design, deployment, monitoring, and maintenance of your virtual environments. They have established a new threat vector, and if organizations, especially the vendors of virtual environments, do not take it into consideration then, sometime in the future, you or somebody like you will get p0wned.
If you do get p0wned, don’t forget to call InGuardians to handle the incident response. I hear they have a lot of experience in this area and, since they are professionals, I doubt they will say they told you so.
Go forth and do good things,
Cutaway
P.S. All of this reminds me. Don’t forget Paul and Larry’s book on Linksys WRT54G Ultimate Hacking.
Help support my training and travel to security conferences. Get your SANS Training and GIAC Certifications through the Security Ripcord.
August 29th, 2007 at 12:44 pm
Wow! Cutaway, that was a VERY well written article. NICE! (I’m not surprised, it’s just that that was better than usual)
August 30th, 2007 at 2:10 am
[...] a recent post at Security Ripcord, Cutaway says: Let me elaborate on the second topic a little more. The days of hacking for fun are [...]
August 30th, 2007 at 2:51 am
s/hacking/cracking/||s/hacking/malicious hacking/
“50 lashes” > cutaway
Cutaway