
Friday, March 26, 2010

Side Channel Attacks against SaaS

The Register highlights a paper from Microsoft Research and Indiana University on information leakage from popular SaaS applications. Interestingly, the attacks work even when all traffic is protected by HTTPS, and they are most effective when the application is relatively sophisticated and uses modern development techniques.

The attack is based on observing the size of packets between a user and an application and subsequently deducing the content. Although this initially sounds rather far-fetched, AJAX technology means data transfer has “low entropy”, making it far easier to guess the content than for a more basic application. “AJAX (shorthand for asynchronous JavaScript and XML) is a group of interrelated web development techniques used on the client-side to create interactive web applications. With AJAX, web applications can retrieve data from the server asynchronously in the background without interfering with the display and behaviour of the existing page.” * To put this in layman’s terms, AJAX allows the user and application to efficiently transfer data without the overhead of display and formatting information. It is subsequently much easier to determine the packet content by observing its length, as there is less “noise” in the transmission.

The paper gives an example of determining a victim’s gross income by observing packets from an online tax preparation site.

What risk does this pose to everyday users of SaaS-type applications? In the main, the risk is probably very low, as an attacker first needs to invest considerable time in profiling an application. They then need to be able to capture the traffic of the target at the right time. Information leakage, although highly dependent on the application, is unlikely to include specific data such as passwords or other fields that are not selected from a list. In the real world, an attack would need to be targeted against a specific user or group to have a chance of being effective.

In the list of things you need to worry about for internet security, this kind of attack is fairly low down. Of course this may change as exploit techniques develop, so it is well worth keeping an eye on.

*Wikipedia
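As an added illustration (not code from the paper or from this post), the following Python simulates a hypothetical AJAX endpoint that echoes a value picked from a drop-down list, shows how the reply’s byte length alone identifies the chosen option, and then shows how padding replies to a fixed bucket size removes that signal. The option list and response format are constructed for the example.

```python
import json
import math
from collections import defaultdict

# Constructed sample: a hypothetical list-selection field of the kind the post
# says is at risk (values chosen from a list, not free text).
OPTIONS = [
    "Single",
    "Married filing jointly",
    "Married filing separately",
    "Head of household",
]

def ajax_response(option):
    """Hypothetical unpadded JSON reply; only the chosen option varies."""
    return json.dumps({"status": "ok", "filing_status": option}).encode()

def padded_response(option, bucket=64):
    """Same reply padded with spaces to the next multiple of `bucket` bytes.
    JSON parsers ignore trailing whitespace, so the client is unaffected."""
    body = ajax_response(option)
    target = math.ceil(len(body) / bucket) * bucket
    return body + b" " * (target - len(body))

def size_classes(responder):
    """Group options by the on-the-wire length a passive observer would see.
    TLS hides the bytes but not (without padding) their count."""
    classes = defaultdict(list)
    for opt in OPTIONS:
        classes[len(responder(opt))].append(opt)
    return dict(classes)

def leaked_options(responder):
    """Options that a length class of size 1 uniquely identifies."""
    return [opts[0] for opts in size_classes(responder).values() if len(opts) == 1]

if __name__ == "__main__":
    print("unpadded, identified by length:", leaked_options(ajax_response))
    print("padded to 64-byte buckets:     ", leaked_options(padded_response))
```

Padding must be applied to the final bytes sent: if HTTP compression runs after it, the run of spaces is squeezed back out and the lengths become distinguishable again.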

Monday, September 14, 2009

What the Hell is Cloud Computing?

The following link from PrudentCloud leads to a collection of You Tube videos on the definition of Cloud Computing as seen by various industry leaders. I particularly like the one from Larry Ellison of Oracle fame. If you watch all the videos, you will see that Cloud Computing means different things to different people.

My own take on Cloud Computing is based on my experience of working in the ‘Cloud’ space for over ten years. Back in 2000, I was Operations Director for an Application Service Provider (ASP) which, towards the middle of the decade, rebranded its product range as Software as a Service (SaaS). Although the same company is not yet publicly marketing itself as a cloud provider, its competitors are, so I am sure it will only be a matter of time. Not surprisingly, the part of its solution that could be called ‘Cloud’, i.e. the delivery method to the client, is exactly the same as it was when the company was an ASP or SaaS provider.

The same seems to be true for ISP/hosting providers. In 1998 I was able to rent web space that would run Perl scripts and interface with a MySQL database (I think it was MySQL), also hosted by the ISP. The pricing model was based on resource utilisation: disk space and bandwidth. Such a service certainly seems to fit the Cloud Computing definition. The offerings on today’s market are somewhat more advanced, but the underlying architecture and pricing model are more or less the same.

Hence, from my perspective, Cloud Computing is more marketing than innovation but as it opens up a whole range of possible Cloud Computing security consultancy opportunities, I probably shouldn’t complain too much.