For Cloud Workloads: The Right to Ban Uncertainty and Revolt against Taxation

Cloud workloads are similar to their traditional datacenter counterparts in that they are created to serve. Best practices dictate that you should protect your systems in the cloud as you would protect conventional infrastructure. The intentions are good, but the speed at which instances can be created, supporting businesses that need elasticity and essential performance, can cause problems when traditional security solutions are used.

Many organizations have not yet experienced this burden as they go down their path toward cloud citizenship. In RightScale’s 2014 State of the Cloud Report the majority of respondents are classified as Cloud Beginners or Cloud Explorers. However, 94% of organizations surveyed are running applications or experimenting with infrastructure-as-a-service.


OpenSSL Heartbleed Security Update

On Monday, the OpenSSL Project released an update to address the CVE-2014-0160 vulnerability, also known as “Heartbleed”. This serious vulnerability affects a substantial number of applications and services running on the Internet, including the CloudPassage Halo™ service. As of Tuesday, April 8th at 2:30pm PDT, all CloudPassage production systems have been updated and are no longer vulnerable. All communication between the Halo agents and the Halo analytics engine uses message-level encryption, encrypting each payload, in order to mitigate SSL vulnerabilities at the transport layer.

Vulnerability Details

This vulnerability can be remotely exploited to leak encryption secrets from OpenSSL-encrypted sessions, allowing an attacker to retrieve private key material. The vulnerability stems from the way that OpenSSL handles the heartbeat extension in the TLS protocol. The OpenSSL Project has already provided a version that patches this bug and many of the major Linux distributions have already provided updated versions via their regular package management services.


What a beautiful cryptocurrency mining operation you’re funding…


Lately there has been a lot of buzz around public and private cloud machines being compromised and used to mine digital currency, and every day we’re presented with new opportunities to learn from the misfortunes of others.

Because of the expense associated with mining digital currency[1] and the sometimes wide-open security posture of public cloud servers, these machines lend themselves to becoming targets of opportunity for illicit cryptocurrency mining operations. In this post I’ll outline some preventative measures, using CloudPassage Halo, that keep your cloud servers from being used to mine digital currency.

Bitcoin is arguably the most widely-recognized cryptocurrency in the world. For a quick run-down on Bitcoin and the mining process, look here[2]. As a result of its proliferation it can be very expensive to mine… if you have to pay the power and computing utility bill. Fortunately for those who don’t like to pay for such things, many public cloud operating systems are left in a near-default state: wide open and unsecured.

We’re going to have a look at some basic best practices that will make your systems a hard target, and we’ll discuss some policies for Indicators of Compromise (IOC) that will alert you before your hosting bill goes off the charts.

First, let’s take a high-level look at a real-life scenario:

In his blog post[3] on January 7th, Rich Mogull details how his Amazon AWS credentials were obtained by a bad actor and used to spin up a number of virtual machines for mining bitcoin. In addition to the methods he has taken to further reduce the potential for easy compromise, there are a few more things that Halo customers can do that can offer a generally tighter grip on your virtual infrastructure:

GhostPorts: Since local console access (virtual or otherwise) isn’t always available for cloud servers, SSH is a common method of access… use GhostPorts to make sure it’s only available where, when, and to whom it’s absolutely necessary.

Firewall Orchestration: You should use Halo to manage your host firewalls, not just for inbound communication but for egress as well. Since mining pools often run on uncommon ports (tcp:3333, tcp:8332, etc.), having a default deny for outbound connections is a no-brainer. Some mining pools offer fallback to the HTTP and HTTPS ports, so this isn’t a perfect approach unless you can also limit your egress traffic by destination IP as well as destination port.

File Integrity Monitoring: A great spot to monitor to make sure that nothing unauthorized kicks off at boot is your startup configuration.  On most distributions, your services are managed by init, so do file integrity monitoring on /etc/init.d/*, /etc/inittab, /etc/rc.local (and anything it references), and all your /etc/rc{1-6}.d directories.

Auditing your cloud servers: If you have CloudPassage Halo installed on all of your cloud servers, seeing one appear which does not have the Halo daemon installed may indicate that your cloud hosting service account has been compromised. The script in the CloudPassage Toolbox[4] lets you determine which machines in your accounts do not have the Halo Agent installed.

Sometimes business requirements prevent us from being as tight with firewall communication as we would like, and compromises can happen in spite of our best efforts to secure our cloud infrastructure.  When preventative measures fail it is imperative to have a strategy for detection and remediation.

Some Bitcoin miners can be used to mine other bitcoin-based currencies like Litecoin, Peercoin, and Dogecoin. We’re going to take a look at a couple of *coin miners and how to catch them before they blow up your bill. For CPUMiner[5] and CudaMiner[6] we’ll look at three aspects: Benefits, Deployment, and Detection. Remediation will depend on your internal policies. If you have the time it would be interesting to forensically investigate the method of compromise, and if you don’t you can just destroy the cloud server and move on.

To download the policy that detects these two programs, go here[7].

CPUMiner:

  • Benefits: It’s pretty easy to install (precompiled binaries are available) and only depends on curl and jansson to run.
  • Deployment: You can grab a precompiled binary from SourceForge (http://sourceforge.net/projects/cpuminer/) for a number of different platforms, or you can build it on your own. With so few runtime requirements, you just need to make sure that your dependencies are met and drop the binary in place, then add a line to /etc/rc.local to kick it off on boot.
  • Detection: Since the binary can be dropped in a number of different places, a more accurate way of detecting it is checking your process table. The process name is ‘minerd’. Create a policy in Server Configuration Policies in the CloudPassage Portal to trigger if this process name is detected.

CudaMiner:

  • Benefits: This miner makes use of Nvidia’s CUDA, which lets you leverage GPUs to get a faster rate of production, orders of magnitude faster than CPUMiner.
  • Deployment: Since this relies on specific hardware and drivers, the process is a little more involved. You must install Nvidia’s CUDA as well as a number of other packages to get CudaMiner running on a server.
  • Detection: If you follow the build instructions, the binary will land at /usr/local/bin/cudaminer. Setting a system configuration policy to look for this file is a great place to start. As with the CPUMiner detection section above, this is set in the Configuration Policies in the CloudPassage Portal.
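The three detection signals above (the ‘minerd’ process name, the /usr/local/bin/cudaminer path, and established connections to the pool ports listed in the firewall section) can also be checked by a plain host script, for servers where a portal policy is not yet in place. The script below is an added example and is not CloudPassage or Halo code; the ps and ss output it parses is constructed sample data, and the port list is only the two ports the post names.

```python
from pathlib import Path

# Indicators taken from the post: CPUMiner runs as 'minerd', CudaMiner's
# default install path, and two common mining-pool ports.
MINER_PROCESS_NAMES = {"minerd", "cudaminer"}
MINER_BINARY_PATHS = ["/usr/local/bin/cudaminer"]
MINING_POOL_PORTS = {3333, 8332}

# Constructed sample output (not captured from a real host) in the shape of
# 'ps -eo pid,comm' and 'ss -tn', so the script runs offline.
SAMPLE_PS = ["  PID COMMAND", "    1 systemd", " 1337 minerd", " 2048 sshd"]
SAMPLE_SS = [
    "State Recv-Q Send-Q Local Address:Port Peer Address:Port",
    "ESTAB 0 0 10.0.0.5:51234 203.0.113.7:3333",
    "ESTAB 0 0 10.0.0.5:22 198.51.100.2:41022",
]

def suspicious_processes(ps_lines):
    """Return (pid, comm) pairs whose command basename is a known miner."""
    hits = []
    for line in ps_lines:
        parts = line.split(None, 1)
        if len(parts) != 2 or not parts[0].isdigit():
            continue  # header or malformed line
        pid, comm = int(parts[0]), parts[1].strip()
        if Path(comm).name in MINER_PROCESS_NAMES:  # works for full paths too
            hits.append((pid, comm))
    return hits

def pool_port_connections(ss_lines):
    """Return (peer_host, port) for ESTAB connections to a pool port."""
    hits = []
    for line in ss_lines:
        fields = line.split()
        if len(fields) < 5 or fields[0] != "ESTAB":
            continue
        peer_host, _, peer_port = fields[4].rpartition(":")
        if peer_port.isdigit() and int(peer_port) in MINING_POOL_PORTS:
            hits.append((peer_host, int(peer_port)))
    return hits

def present_miner_binaries(path_exists=lambda p: Path(p).exists()):
    """Return known miner install paths that exist on this host."""
    return [p for p in MINER_BINARY_PATHS if path_exists(p)]

if __name__ == "__main__":
    print("processes:", suspicious_processes(SAMPLE_PS))
    print("pool connections:", pool_port_connections(SAMPLE_SS))
    print("binaries:", present_miner_binaries())
```

On a live host, feed the functions the output of `ps -eo pid,comm` and `ss -tn` instead of the sample lists; a renamed binary defeats the process-name check, which is why the post pairs it with file integrity monitoring and egress filtering.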

To summarize, cloud computing requires a shift in mindset, away from the old datacenter model where the perimeter is tightly controlled. When the public attack surface is every host, a weak security posture can lead to not only data exfiltration or denial of service, but an enormous increase in your utility computing bill, especially when a compromised server can be utilized at maximum capacity to create monetary instruments like Bitcoin.

When each cloud server is a public target, you must harden and audit every single one.

[1]: http://www.bitcoinx.com/profit/
[2]: https://en.bitcoin.it/wiki/Introduction#Creation_of_coins
[3]: https://securosis.com/blog/my-500-cloud-security-screwup
[4]: https://github.com/cloudpassage/audit_servers_without_halo
[5]: http://sourceforge.net/projects/cpuminer/
[6]: https://github.com/cbuchner1/CudaMiner
[7]: https://github.com/cloudpassage/cloudpassage_halo_policy_bitcoin_miner


CloudPassage Announces Series C: Establishing Leadership in Securing Cloud Environments

At CloudPassage, we have created a security solution designed for the cloud. And while we already have 400 production cloud application deployments, including a number of Fortune 1000 enterprises, and automate security for more than 10,000 new cloud workload instances each month, we can do more. Every organization using the cloud needs a security solution purpose built for the cloud.

With the announcement of our Series C, we are aggressively accelerating our go-to-market strategy and cementing ourselves as the leader in securing cloud environments.

Gartner predicts that cloud computing will become the bulk of new IT spend by 2016, but security remains the top inhibitor to cloud adoption. Our investors Benchmark Capital, Meritech Capital Partners, Musea Ventures, Shasta Ventures, Stephen Luczo, CEO of Seagate, and Tenaya Capital understand that securing the cloud is a need that must be met and recognize that CloudPassage has built the best solution for the job.

For the last three years, we have been focused on perfecting a solution that overcomes the challenges of securing the cloud. The benefits the cloud offers for scalability and flexibility are well understood, but security has been a puzzle. Traditional solutions, designed for well-defined, static environments and fixed perimeters, are square pegs trying to fit round holes. CloudPassage’s Halo™ is built like the cloud — flexible, lightweight and fast to deploy and scale, regardless of the environment.

We have integrations with leading cloud and security technologies, including VMware, Rackspace, Amazon Web Services, RightScale, Splunk and HP ArcSight. We have laid the groundwork for an ecosystem that caters to the tools large enterprises rely on. Our goal is to be the de facto solution for securing enterprise cloud environments, synonymous with allowing organizations to seamlessly move to the cloud, automate security and compliance, and enjoy the full breadth of benefits that cloud computing offers. Software Defined Security (SDSec), we are here.

5 Cloud Predictions for 2014

As we begin 2014, we have the opportunity to review the past and look to the future. Here at CloudPassage we talk to organizations implementing cloud computing every day, and we have designed our security solutions to address these cloud environments. So what do we predict for the new year? Here are our 5 cloud predictions for 2014:

1. Cloud First for New Applications: We’ll see a significant increase in the number of companies that will rely on the cloud for new applications. As we talk with our customers, we are seeing more companies relying on Infrastructure-as-a-Service (IaaS) for new application development and hosting. Also, in our 2013 survey, almost 40% of companies using the public cloud are deploying all of their new applications in the cloud. (View the blog post on these survey results.) This will continue to grow as cloud platforms include more enterprise features and businesses become more aware of purpose-built cloud security options.
