Distributed computing is a alive and well in 2010. The Hadoop project is carrying the banner for open source distributed computing with its Hadoop Distributed File System and MapReduce engine. Hadoop is in use at many of the world's largest online media companies including Facebook, Fox Interactive Media, LinkedIn, Powerset (now part of Microsoft) and Twitter. Hadoop is entering the enterprise as evidenced by Hadoop World 2009 presentations from Booz Allen Hamilton and JP Morgan Chase. Hadoop has also been elevated to the "cloud" and made available as a service by Amazon and Sun. What the heck is it? Can it be secure? What do I do if I discover it on a network I am testing?
When Hadoop development began in 2004 no effort was expended on creating a secure distributed computing environment. In 2009 discussion about Hadoop security reached a boiling point. The developers behind Hadoop decided they needed to get some of that "security" stuff. After a thorough application of kerberos pixie dust Hadoop is now secure, or is it?
This talk will describe the types of attacks the Hadoop team attempted to prevent as well as the types of attacks the Hadoop team decided to ignore. We will determine whether Hadoop was made any more secure through the application of copious amounts of kerberos. We will complete the talk with a short discussion of how to approach a Hadoop deployment from the perspective of an penetration tester.
iSEC Partners, Inc. Andrew Becherer is a Senior Security Consultant with iSEC Partners, a strategic digital security organization. His focus is web application and mobile application security. Prior to joining iSEC Partners, he was a Senior Consultant with Booz Allen Hamilton. Mr. Becherer spent several years as a Risk and Credit Analyst in the financial services industry. His experience in the software security field -consulting financial, non-profit and defense sectors -has provided him experience with a wide range of technologies. Mr. Becherer has lectured on a number of topics including emerging cloud computing threat models, virtualization, network security tools and embedded Linux development. At the Black Hat Briefings USA 2009, Andrew, along with researchers Alex Stamos and Nathan Wilcox, presented on the topic "Cloud Computing Models and Vulnerabilities:Raining on the Trendy New Parade." Andrew's research on this topic focused on the effect of elasticity and virtualization on the Linux pseudorandom number generator (PRNG). At Black Hat USA 2008, he was a Microsoft Defend the Flag (DTF) instructor and, he is a recurring speaker at the Linuxfest Northwest conference. In addition to his educational outreach work with user groups, he is a member of several nationally recognized organizations. These organizations include the Association of Computing Machinery (ACM), FBI InfraGard and Open Web Application Security Project (OWASP). Mr. Becherer received a B.S. in Computing and Software Systems from the University of Washington, Tacoma, and holds a B.A. in Sociology from the University of Kentucky.