Dropbox Drops Their Pants

June 21st, 2011 by Dave Lewis

So, someone at Dropbox screwed the pooch on June 19th, and as a result every user's data was open to the world for roughly four hours: any password would open any account.

You know, I constantly come back to a simple premise. If you leave all of your data with a third-party service that you don’t control, there could be repercussions. That’s not to say that you should squirrel away all of your data in a mattress. Not at all. Rather it’s to point out that if you’re going to rely on a service like Dropbox you should be sure to cover your flank. Encrypt your files before they leave your machine, with keys the provider never sees.

From C|Net:

Web-based storage firm Dropbox confirmed this afternoon that a programmer’s error caused a temporary security breach that allowed any password to be used to access any user account.

The San Francisco-based start-up attributed the security breach to a “code update” that “introduced a bug affecting our authentication mechanism.” Access without passwords was possible between 1:54pm PT and 5:46pm PT yesterday, the company said.

“This should never have happened,” Dropbox co-founder and CTO Arash Ferdowsi said in a blog post. “We are scrutinizing our controls and we will be implementing additional safeguards to prevent this from happening again.”

Should “never have happened”…indeed. But it did. And this comes on the heels of their recent difficulties, when it became apparent that there was some snake oil in the “security” of their service offering.

Some ways to protect yourself: encrypt your files with PGP or something similar before they are synced, or create an encrypted container on Dropbox using TrueCrypt, for example. Either way the key stays with you, so a broken login on their end exposes only ciphertext. The long and the short of it is: trust, but verify.
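The Dropbox failure was a code update that left the password check accepting anything. As an added illustration of that failure class (this is not Dropbox's code, and the real bug is not public), here is a hypothetical verifier that computes the hash but never compares it, beside a correct constant-time check, and the negative test a deploy gate should run so that "any password works" cannot ship. All names, the PBKDF2 iteration count and the sample password are assumptions for the example.

```python
"""Added example, not from the original post: a broken password check
beside a fixed one, plus the regression gate that catches the broken one.
Identifiers and parameters are hypothetical."""
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor; assumed value for the example


def make_record(password: str) -> dict:
    """Create a stored credential: random salt + PBKDF2-HMAC-SHA256 hash."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}


def verify_broken(record: dict, password: str) -> bool:
    """Hypothetical regression of the kind the post describes: a refactor
    still derives the candidate hash but drops the comparison, so every
    password (including an empty one) is accepted."""
    _candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), record["salt"], ITERATIONS
    )
    return True


def verify_fixed(record: dict, password: str) -> bool:
    """Correct check: recompute with the stored salt and compare in
    constant time so the comparison itself leaks nothing."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), record["salt"], ITERATIONS
    )
    return hmac.compare_digest(candidate, record["hash"])


def negative_auth_test(verify) -> bool:
    """Deploy gate: a verifier must accept the right password and reject a
    wrong one and an empty one. Returns True only if all three hold."""
    rec = make_record("correct horse battery staple")  # constructed sample
    return (
        verify(rec, "correct horse battery staple")
        and not verify(rec, "wrong")
        and not verify(rec, "")
    )


if __name__ == "__main__":
    print("broken verifier passes gate:", negative_auth_test(verify_broken))  # False
    print("fixed verifier passes gate:", negative_auth_test(verify_fixed))    # True
```

The point of `negative_auth_test` is that a positive test alone ("the right password logs in") passes on both verifiers; only the negative cases distinguish them, which is exactly the case a "controls and safeguards" review should insist on.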

Article Link

(Image used under CC from Mikey Jon Holm)

Originally posted on Liquidmatrix.org

Cracking Passwords In The Cloud

November 21st, 2010 by Dave Lewis

The days of struggling to crack passwords quickly for lack of horsepower are firmly in the rear view mirror. Now you just rent what you need.

From Stack Smashing:

As of today, Amazon EC2 is providing what they call “Cluster GPU Instances”: An instance in the Amazon cloud that provides you with the power of two NVIDIA Tesla “Fermi” M2050 GPUs. The exact specifications look like this:

22 GB of memory
33.5 EC2 Compute Units (2 x Intel Xeon X5570, quad-core “Nehalem” architecture)
2 x NVIDIA Tesla “Fermi” M2050 GPUs
1690 GB of instance storage
64-bit platform
I/O Performance: Very High (10 Gigabit Ethernet)
API name: cg1.4xlarge

GPUs are known to be the best hardware accelerator for cracking passwords, so I decided to give it a try: How fast can this instance type be used to crack SHA1 hashes?

Crazy to think what you could accomplish these days. So what did Roth manage to accomplish, exactly?

From The Register:

What used to be the stuff of distributed computing projects with worldwide participants that took many months to bear fruit can now be done by a lone individual in minutes and using rentable resources that cost the same price as a morning coffee to carry out the trick. Roth’s proof-of-concept exercise cost just $2. This was the amount needed to hire a bank of powerful graphics processing units to carry out the required number-crunching using the Cuda-Multiforcer.

Two dollars? Geez.
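To make the arithmetic behind that $2 concrete, here is an added example (not from the post or from Roth's write-up): a minimal SHA-1 brute-forcer that recovers a constructed short password, and a helper that turns keyspace size, a hash rate and an hourly rental price into worst-case time and cost. The hash rate and price passed in are hypothetical parameters, not figures from the page.

```python
"""Added example, not from the original post: exhaustive SHA-1 search over
a small constructed keyspace, plus a time/cost estimator for renting
hashing capacity. Rates and prices are caller-supplied assumptions."""
import hashlib
import itertools
import string


def sha1_hex(s: str) -> str:
    """Unsalted SHA-1 of a string, the kind of hash a leak often exposes."""
    return hashlib.sha1(s.encode()).hexdigest()


def brute_force_sha1(target_hex: str, charset: str, max_len: int):
    """Try every string over charset of length 1..max_len until one hashes
    to target_hex. Returns the preimage, or None if the keyspace is
    exhausted. A GPU does the same thing, only at a far higher rate."""
    for length in range(1, max_len + 1):
        for cand in itertools.product(charset, repeat=length):
            s = "".join(cand)
            if hashlib.sha1(s.encode()).hexdigest() == target_hex:
                return s
    return None


def keyspace(charset_size: int, max_len: int) -> int:
    """Number of candidates of length 1..max_len over a charset."""
    return sum(charset_size ** n for n in range(1, max_len + 1))


def crack_estimate(charset_size: int, max_len: int,
                   hashes_per_second: float, usd_per_hour: float) -> dict:
    """Worst-case wall time and rental cost to exhaust the keyspace at the
    given (assumed) hash rate and instance price."""
    candidates = keyspace(charset_size, max_len)
    seconds = candidates / hashes_per_second
    return {
        "candidates": candidates,
        "seconds": seconds,
        "usd": seconds / 3600 * usd_per_hour,
    }


if __name__ == "__main__":
    charset = string.ascii_lowercase + string.digits   # 36 symbols
    leaked = sha1_hex("ab1")                           # constructed sample hash
    print("recovered:", brute_force_sha1(leaked, charset, 3))   # ab1
    # Hypothetical numbers: 1e9 SHA-1/s and $2.10/hour for the rented box.
    est = crack_estimate(95, 8, 1e9, 2.10)
    print(f"{est['candidates']:.3e} candidates, "
          f"{est['seconds'] / 3600:.1f} h, ${est['usd']:.2f}")
```

The defence the estimator makes obvious is to change the denominator: a salted, deliberately slow hash (PBKDF2, bcrypt or scrypt, not bare SHA-1) cuts the attacker's rate by orders of magnitude, and a per-user salt means the rented hours buy one account, not the whole dump.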

Article Link

(Image used under CC from Simon Lieschke)

Amazon Downsizes…Well Sort Of

September 9th, 2010 by Dave Lewis

Today Amazon announced the release of the “micro” instances.

From Amazon:

We are excited to announce the immediate availability of Micro instances for Amazon EC2, a new, low cost instance type designed for lower throughput applications and web sites.

Micro instances provide 613 MB of memory and support 32-bit and 64-bit platforms on both Linux and Windows. Micro instance pricing for On-Demand instances starts at $0.02 per hour for Linux and $0.03 per hour for Windows.

A very interesting attempt by Amazon to lower the bar for access to smaller companies and organizations. Not much of a security angle here, beyond the minor observation that instances this cheap and disposable would be great for building a DDoS botnet.

Just saying.

Article Link

(Image used under CC from Art of Precision)

Back From The Dead

August 6th, 2010 by Dave Lewis

So, after a four month hiatus, due to illness and life in general, we’re back and ready to roll. I hope to keep a consistent pace going forward.

Fingers crossed and stapled. OW!


(Image used under CC from Seth W)

Intel Launches Security Focused Data Center Processors

March 19th, 2010 by Dave Lewis

Intel raised the bar in the processing game when, this Tuesday, they announced the release of their first 32nm server processors, the Xeon 5600 series. The big selling point here, according to the vendor, is the security features.

From The Taiwan Economic Times:

According to the world's No.1 chipmaker, the new processors are the industry's first 32nm enterprise-grade devices integrating security capabilities that enhance data integrity and server virtualization as well as first six-core embedded computing processors. New structures enable the processors to deliver up to 60% greater performance than the 45nm Intel Xeon 5500 cousins, allowing data centers to replace 15 single-core servers with only one Xeon 5600-driven server and achieve a return on their investment in as little as five months.

The big selling points here are cloud computing and the financial sector. The real rub will be how the new silicon stands up against Joanna Rutkowska this time. Last time, this is what happened (.pdf).

Article Link

(Image used under CC from Josh Bancroft)

Originally posted on Liquidmatrix Security Digest

Cloud Security Alliance Summit Failure

March 8th, 2010 by Dave Lewis

Made the trip to RSA 2010 in San Francisco last week. I went a day early with the hopes of attending the Cloud Security Alliance meeting.

From Cloud Security Alliance:

If you are attending the RSA Conference 2010 in San Francisco with either a delegate or expo pass, please consider attending the Cloud Security Alliance Summit. The next generation of computing is being delivered as a utility. Cloud Computing is a fundamental shift in information technology utilization, creating a host of security, trust and compliance issues. The Cloud Security Alliance is the world’s leading organization focused on the cloud, and has assembled top experts and industry stakeholders to provide authoritative information about the state of cloud security in the Cloud Security Alliance Summit.

I registered.

Silly me. I figured that would mean that I was going to be permitted entry.


When I arrived I discovered that not only were they way over capacity, but the staffers working the door weren’t checking to see if people had registered. So to them I say, bite me.

I had planned a long write up on the summit.

No love.

(Image used under CC from noone)

When The Cloud Comes Under Attack

February 23rd, 2010 by Dave Lewis

With the growing move to cloud computing, so too grows the interest of ne’er-do-well hackers. Nothing like a juicy target that can spin up resources as required and bill them to someone else.

Here is an account of an attack on a cloud instance, which took place over the past weekend.

From Cloud Ave:

Over the weekend, my cloud computing infrastructure survived a major hacking attack. Here is what happened and what it took to recover it.

This weekend my servers out in the cloud space fended off a major hacking attack across two of the systems that I have given the public access to use. The attack started simply on Friday night as a simple series of scans to see if there was anything in the IP space that I am using. This is the fairly standard attack pattern that many information security people see every day. Thinking that this was normal I closed up shop on Friday and went home.

Very interesting article. Read on.

Article Link

(Image used under CC from Dan Barak)

Cloud Security Alliance Threat Survey

February 23rd, 2010 by Dave Lewis

What is the threat landscape for cloud computing? A survey is being conducted by the Cloud Security Alliance.

Want to participate? Join in.

Link: http://www.surveymonkey.com/s/VRPMBRM


February 19th, 2010 by Dave Lewis

There are times where I am amazed at what people will put forward to an unsuspecting (or in this case suspecting) public.

This company, Private Planet, headed by Dr Janko Mrsic-Flagel aspires to lead us down the primrose path.

From UK Technology Live:

“Well both are paramount,” explains Dr. Mrsic-Flagel. “One of the great differences between us and the likes of Amazon and Google is that in our model you actually OWN your own cloud computer. This is a big difference. The telecom operator will host it for you. You will be the telecom operator’s customer, but you will own that computer. The privacy issue goes away, because you own the equipment that holds your data and it is not shared with any others. Unless you want it to be.”

In a datacenter that you have no control over and…and…

I have no words.

Read on.

Article Link

(Image used under CC from purplemattfish)

WordPress Outage Traced To Router Failure

February 19th, 2010 by Dave Lewis

There are times when cloud computing must seem like a pretty sweet option. I would imagine that the folks at WordPress were pondering something to that effect today. Earlier today they had an outage that lasted 110 minutes, apparently their worst outage in four years.

From WordPress.com:

What Happened: We are still gathering details, but it appears an unscheduled change to a core router by one of our datacenter providers messed up our network in a way we haven’t experienced before, and broke the site. It also broke all the mechanisms for failover between our locations in San Antonio and Chicago. All of your data was safe and secure, we just couldn’t serve it.

I imagine that a LOT of coffee was downed while they scrambled to fix the outage. Change control is there for a reason, which can only mean that as soon as the dust settles someone will be looking for a new job. And that single point of failure, one router change taking out both the site and the failover between San Antonio and Chicago, will surely haunt them.

Article Link

(Image used under CC from bitzcelt)
