<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Cupfighter.net &#187; Google</title>
	<atom:link href="http://www.cupfighter.net/index.php/tag/google/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.cupfighter.net</link>
	<description>A blog by Schuberg Philis colleagues</description>
	<lastBuildDate>Thu, 09 Feb 2012 14:27:59 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=</generator>
		<item>
		<title>Blackhat talk: Fuzzing the Phone in your Phone &#8211; Charlie Miller and Collin Mulliner</title>
		<link>http://www.cupfighter.net/index.php/2009/07/blackhat-fuzzing-the-phone-in-you-phone/</link>
		<comments>http://www.cupfighter.net/index.php/2009/07/blackhat-fuzzing-the-phone-in-you-phone/#comments</comments>
		<pubDate>Fri, 31 Jul 2009 02:00:19 +0000</pubDate>
		<dc:creator>Frank Breedijk</dc:creator>
				<category><![CDATA[Blackhat]]></category>
		<category><![CDATA[Conferences]]></category>
		<category><![CDATA[Android]]></category>
		<category><![CDATA[Google]]></category>
		<category><![CDATA[iphone]]></category>
		<category><![CDATA[iPhone Virus]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[SMS]]></category>
		<category><![CDATA[Windows Mobile]]></category>

		<guid isPermaLink="false">http://www.cupfighter.net/?p=410</guid>
		<description><![CDATA[This is the talk that I blogged about earlier about owning the iPhone through SMS. The work Charlie and Collin did was actually amazing. In their presentation they first looked at SMS.  SMS is a building block of the phone system and essential to the working of the modern network because it is used for [...]]]></description>
			<content:encoded><![CDATA[<p>This is the talk that <a href="http://www.cupfighter.net/index.php/2009/07/blackhat-newsflash-researchers-showed-that-an-iphone-sms-virus-infection-is-possible-at-blackhat/" target="_self">I blogged about earlier</a> about owning the iPhone through SMS. The work Charlie and Collin did was actually amazing.</p>
<p>In their presentation they first looked at SMS.  SMS is a building block of the phone system and essential to the working of the modern network because it is used for all kinds of stuff. Why is it good to attack? No firewall, processed by all phones, no user interaction and you only need a phone number to send an SMS.</p>
<p><span id="more-410"></span>So how is an SMS processed? Phones have two processors: CPU and Modem which talk via an (often simulated) serial line. The modem is controlled by a specific set of AT commands. If an SMS is received by the modem, the modem sends an unsolicited AT result to the CPU. This is what can be fuzzed.</p>
<p>For practical reasons they did not want to send all the SMS messages coming out of their fuzzer over the network. First of all, it would cost too much money: during the tests they sent over 500,000 messages. Secondly, if the messages were sent over the air, the fuzzing could be watched as it went on. Last but not least, they might get into trouble because the tests might actually crash the telcos’ equipment. So for various phones (iPhone, Android and Windows Mobile) they developed a MitM SMS injection application which sits in the middle of the virtual serial line. This gave them a fast way to send messages and free SMS sniffing capabilities.</p>
<p>The testing results had to be tested in real life because not all messages could be sent through all mobile networks.</p>
<p>It turns out that it is very easy to perform a DoS attack on various phones. While DoS may be a lame attack, it is still a very useful attack.</p>
<p>On the iPhone the bugs are in the section of code that handles concatenated text messages. If a single message gets too big, it is split up into multiple messages. It turns out that these routines act funny when they are presented with the number -1.</p>
<p>If you tell the iPhone to expect -1 messages, parts of it crash and prevent the phone from working normally. They demoed this attack against a guy from Vodafone who volunteered.</p>
<p>It turns out that if you tell the iPhone to expect a reasonable amount of messages and you then send it message number -1 you get, under the right conditions, the ability to overwrite memory. But, is it possible to exploit the heap via SMS?</p>
<p>Via subtle SMS manipulation the heap can be controlled via &#8220;mini heap feng shui&#8221;. Actual exploitation is possible, even though it takes about 519 SMS&#8217;s (@ 1/sec).</p>
<p>There is also a DoS against Android powered phones. Google was notified June 19 and fixed the vulnerability last week.</p>
<p>Windows Mobile Phone: Any text message with %n crashes an HTC Windows Mobile phone.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cupfighter.net/index.php/2009/07/blackhat-fuzzing-the-phone-in-you-phone/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Blackhat talk: Cloud Computing Models and Vulnerabilities &#8211; Raining on the Trendy New Paradise by Alex Stamos, Andrew Becherer &amp; Nathan Wilcox</title>
		<link>http://www.cupfighter.net/index.php/2009/07/blackhat-talk-cloud-computing-models-and-vulnerabilities-raining-on-the-trendy-new-paradise-by-alex-stamos-andrew-becherer-nathan-wilcox/</link>
		<comments>http://www.cupfighter.net/index.php/2009/07/blackhat-talk-cloud-computing-models-and-vulnerabilities-raining-on-the-trendy-new-paradise-by-alex-stamos-andrew-becherer-nathan-wilcox/#comments</comments>
		<pubDate>Fri, 31 Jul 2009 01:36:56 +0000</pubDate>
		<dc:creator>Frank Breedijk</dc:creator>
				<category><![CDATA[Blackhat]]></category>
		<category><![CDATA[Conferences]]></category>
		<category><![CDATA[Cloud]]></category>
		<category><![CDATA[Google]]></category>
		<category><![CDATA[IaaS]]></category>
		<category><![CDATA[PaaS]]></category>
		<category><![CDATA[SaaS]]></category>
		<category><![CDATA[Salesforce.com]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Windows Azure]]></category>

		<guid isPermaLink="false">http://www.cupfighter.net/?p=406</guid>
		<description><![CDATA[Soundbite of the day: Alex Stamos about the Twitter hack: &#8220;No matter how low opinion you have of your user, they will always prove you wrong&#8221; Cloud computing is actually defined as three types of services: Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS). A large VMware [...]]]></description>
			<content:encoded><![CDATA[<p>Soundbite of the day: Alex Stamos about the Twitter hack: &#8220;No matter how low opinion you have of your user, they will always prove you wrong&#8221;</p>
<p>Cloud computing is actually defined as three types of services: Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS). A large VMware farm for one company is not cloud computing.</p>
<p>Each of the models has its pros and cons.</p>
<p><span style="text-decoration: underline;"><strong><span id="more-406"></span>Model 1: Software as a Service (SaaS) &#8211; Alex Stamos</strong></span></p>
<p>With SaaS, instead of building and running your own applications, you use web applications provided to you by the SaaS provider. This might actually be a good idea because SaaS companies generally know about application security.</p>
<p>Unfortunately, using SaaS means that your data will actually reside at the vendor&#8217;s location. Also, some SaaS vendors use a password recovery mechanism that will make your datacenter admin password as secure as his email account.</p>
<p>Most SaaS vendors do not provide the audit logs needed for an enterprise. That is why it is probably a bad idea to put regulated data into SaaS.</p>
<p>Some vendors let you address the password and auditing issues by allowing you to use SAML authentication. It takes away some of the benefits of SaaS, but you can do things like dual factor authentication, have control over password policies, provide an internal password reset, do auditing and anomaly detection or even restrict the login page behind a VPN.</p>
<p>SaaS does bring large legal concerns because the contracts exclude all the important stuff, e.g. liability and support in case of compromise. Most vendors prevent you from executing penetration tests on their services in their EULAs. Exceptions: Amazon, Google, Salesforce.com</p>
<p>SaaS provides far less protection against search and seizure. In the US a hard drive in your house is protected by the US constitution; a hard drive in a service provider&#8217;s datacenter isn&#8217;t.</p>
<p><span style="text-decoration: underline;"><strong>Model 2: Platform as a Service (PaaS) &#8211; Nathan Wilcox</strong></span></p>
<p>With PaaS you are provided with a development framework that you can use to develop your own service. Examples are:</p>
<ul>
<li>Google AppEngine</li>
<li>Salesforce.com Platform as a Service, Force.com</li>
<li>Windows Azure</li>
</ul>
<p>In order to see if applications developed in this way are more or less secure, Nathan did a simple investigation to see how easy or hard it was for a developer to introduce or avoid common issues like CSRF, XSS and SQL Injection.</p>
<p>CSRF can be mitigated transparently by all three platforms, but it requires some action by the developer that is easy to forget. Force.com is an exception: all controls are enabled by default.</p>
<p>Cross Site Scripting prevention requires more developer awareness than CSRF prevention. In cloud computing this is no different from traditional methodologies.</p>
<p>SQL Injection is easier to prevent in PaaS than it is in classic frameworks.</p>
<p><span style="text-decoration: underline;"><strong>Model 3: Infrastructure as a Service (IaaS) &#8211; Andrew Becherer</strong></span></p>
<p>With IaaS you get control over everything above the hypervisor. Because hundreds of machines get cloned, there are issues here with the Pseudo Random Number Generator (PRNG). This can lead to SSH key compromises.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.cupfighter.net/index.php/2009/07/blackhat-talk-cloud-computing-models-and-vulnerabilities-raining-on-the-trendy-new-paradise-by-alex-stamos-andrew-becherer-nathan-wilcox/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

