So, someone at Dropbox screwed the pooch yesterday and as a result data was open to the world for roughly four hours on June 19th.

You know, I constantly come back to a simple premise. If you leave all of your data with a third party service that you don’t control, there could be repercussions. That’s not to say that you should squirrel away all of your data in a mattress. Not at all. Rather it’s to point out that if you’re going to rely on a service like Dropbox you should be sure to cover your flank. Encrypt your files.

From C|Net:

Web-based storage firm Dropbox confirmed this afternoon that a programmer’s error caused a temporary security breach that allowed any password to be used to access any user account.

The San Francisco-based start-up attributed the security breach to a “code update” that “introduced a bug affecting our authentication mechanism.” Access without passwords was possible between 1:54pm PT and 5:46pm PT yesterday, the company said.

“This should never have happened,” Dropbox co-founder and CTO Arash Ferdowsi said in a blog post. “We are scrutinizing our controls and we will be implementing additional safeguards to prevent this from happening again.”

Should “never have happened”…indeed. But, it did. And this on the heels of their recent difficulties when it became apparent that there was some snake oil in the “security” of their service offering.

Some ways to protect yourself would be to encrypt your files using PGP or something similar. You could even create some secure storage on DropBox using TruCrypt for example. The long and the short of it is to trust but, verify.

Article Link

(Image used under CC from Mikey Jon Holm)

Originally posted on Liquidmatrix.org

The days of having difficulty cracking passwords quickly due to a lack of horse power are firmly in the rear view mirror. Now, just rent what you need.

From Stack Smashing:

As of today, Amazon EC2 is providing what they call “Cluster GPU Instances”: An instance in the Amazon cloud that provides you with the power of two NVIDIA Tesla “Fermi” M2050 GPUs. The exact specifications look like this:

22 GB of memory
33.5 EC2 Compute Units (2 x Intel Xeon X5570, quad-core “Nehalem” architecture)
2 x NVIDIA Tesla “Fermi” M2050 GPUs
1690 GB of instance storage
64-bit platform
I/O Performance: Very High (10 Gigabit Ethernet)
API name: cg1.4xlarge

GPUs are known to be the best hardware accelerator for cracking passwords, so I decided to give it a try: How fast can this instance type be used to crack SHA1 hashes?

Crazy to think what you could accomplish these days. So, what did he manage to accomplish exactly?

From The Register:

What used to be the stuff of distributed computing projects with worldwide participants that took many months to bear fruit can now be done by a lone individuals in minutes and using rentable resources that cost the same price as a morning coffee to carry out the trick. Roth’s proof-of-concept exercise cost just $2. This was the amount needed to hire a bank of powerful graphics processing units to carry out the required number-crunching using the Cuda-Multiforcer.

Two dollars? Geez.

Article Link

(Image used under CC from Simon Lieschke)

With the growing move to cloud computing so to grows the interest of the ne’er do well hackers. Nothing like a juicy target that spin up resources as required and be billed to someone else.

Here is an account of an attack on a cloud instance. This attack took place over the past weekend.

From Cloud Ave:

Over the weekend, my cloud computing infrastructure survived a major hacking attack. Here is what happened and what it took to recover it.

This weekend my servers out in the cloud space fended off a major hacking attack across two of the systems that I have given the public access to use them. The attack started simply on Friday night as a simple series of scans to see if there was anything in the IP space that I am using. This is the fairly standard attack pattern that many information security people see every day. Thinking that this was normal I closed up shop on Friday and went home.

Very interesting article. Read on.

Article Link

(Image used under CC from Dan Barak)

What is the threat landscape for cloud computing? A survey is being conducted by the Cloud Security Alliance.

Want to participate? Join in.

Link: http://www.surveymonkey.com/s/VRPMBRM

About a year ago, I put down my thoughts on cloud security from the CISO’s standpoint in a blog post. In it, I said that for the CISO, the transition to the cloud was the act of gracefully losing control. By that I meant that when computing assets (regardless of OSI layer) are moved – the CISO no longer has control over that aspect of the platform while maintaining the responsibility for it’s security.

I also believe that in the transition to the cloud, the CISO will begin to lose their religion. And that’s a good thing.

METRICS CREATING TRANSPARENCY

I had the pleasure of asking the Security Architect of a really big company with lots of security and cloud computing pressures how much transparency he needed from a cloud provider. His answer was, “I have no idea”.

So last week there was some noise about groups developing sets of security metrics for cloud computing, I was pretty happy because I think this is a good thing. We need a commonality between vendors and customers about what security information should be shared, when it should be shared, and how it should be shared. An attempt to create the first round of “transparency” intersubjectivity.

CLOUD SECURITY METRICS CAN BE REASONABLE, BUT NEED TO BE INFORMATIVE

That said, I think we need to acknowledge that cloud metrics are going to carry significant uncertainty in them. When you hear phrases in press releases like, “completely objective metrics” any knowledgeable metrician should be raising scores of red flags. Why that is, is another blog post for another blog, but it’s my opinion that it is more accurate to wish for “reasonable” metrics with uncertainty and subjectivity in them – as long as the collection methods and limitations are well understood.

Unfortunately, the “reasonableness” of metrics requires their ability to create good information for security or impact models, and this is where all these metrics efforts tend to break down. We don’t realize it, but I’ll offer that when you go to conferences and meetings and such and you hear somebody whining about not getting “good” metrics, a good portion of the time what they’re really saying is that they don’t have a good model within which to understand how they can begin to create measurements. Metrics are only as informative as their ability to be understood in the context of a model. Note that for the cloud, your model must not just require which metrics give you a reasonable notion or security or impact, but the must require what I’ll (incorrectly) call “entropy” requirements – how often these metrics must be gathered in order to be informative.

AT THE END OF THE DAY, THE CISO WILL HAVE TO HAVE FAITH IN THEIR PROVIDER

The ability to have good state of wisdom (what I should do) requires a good state of knowledge (what does this mean) which requires a good understanding of the state of nature (that is, the development and communication of reasonable metrics). Unfortunately, the CISO isn’t going to get a full or maybe even reasonable state of nature from their XaaS vendor. So what can we do?

With all apologies to thousands of years of theologians, I’ll simply describe the act of faith as operating in the face of significant uncertainty. When we have to act (have wisdom) with a less then reasonable understanding of state of nature, we’re operating by faith. I’ll offer that with this definition, faith can be optimistic in nature, trusting that the individual will fulfill their promises, or pessimistic in nature, trusting that the individual will fail.

What will be the important outcome of any metrics sharing between vendor and customer for cloud computing is how those “readings” of state of nature move us towards an optimism or pessimism. That optimism or pessimism is generated in the context of a model. Thus, what we can do is have a good model, and create reasonable metrics that feed the model.

GAINING FAITH BUT LOSING RELIGION?

If you’ll let me continue to carry the analogy, if faith is operating based on acknowledged uncertainties in evidence, then religion we might define (with a slight negative connotation) as the performance of actions that attempt to increase faith but have no known real correlation to reducing the uncertainty. In other words, the Shaman attempts to reduce uncertainty about the weather, volcano, outcome of battle, what have you, by performing rituals that have no real ability to, or even logical linkage to, reducing uncertainty about those things.

In this sense, it is my sincere hope that moving assets to the cloud will drive a reduction in the religion we build for ourselves (if I buy this technology, I might get hacked less, I guess) by driving us towards a more certain faith (I have more or less security due to changes in the metrics I’m getting from my provider.

In my little opinion, this would be a very good thing for our industry.

About time. There was a great deal of resistance to cloud computing from federal government hinged largely on security and privacy concerns. Now, faced with escalating costs and and ageing IT staff the move into the cloud seem inevitable. We’ve already seen this sort of behaviour in different parts of the world. A couple of easy examples are the cities of Los Angeles and Orlando.

From Network World :

There are 325,000 employees in federal government, 140 departments (all with their own CIO), 124 networks and 144 data centres across the country that he knows of. And 120,000 Wintel and Unix servers use less than 10 per cent of their capacity. “To make matters worse, 40 per cent of IT professionals are eligible for retirement in next five years,” he said. “So we have to leverage the private sector a lot more.”

The Treasury Board of Canada has obtained agreement across departments on the language and definitions for cloud computing and received endorsement for the Government of Canada’s cloud computing roadmap — one that can be validated with countries such as the U.S., the U.K., Australia and New Zealand.

Great news to see them move forward. My only hope being that they do not crash forward without proper due care.

Article Link

(Image used under CC from dani-santana)

So what, might you ask, is Cloud Audit? Chris Hoff has a write up on the launch of the new site CloudAudit.org.

From Rational Survivability:

I’m happy to announce that the Automated Audit, Assertion, Assessment, and Assurance API (A6) working group is organizing under the brand of “CloudAudit.” We’re doing so to enable reaching a broader audience, ensure it is easier to find us in searches and generally better reflect the mission of the group. A6 remains our byline.

We’ve refined how we are describing and approaching solving the problems of compliance, audit, and assurance in the cloud space and part of that is reflected in our re-branding.

Here is the preamble from the new site.

From Cloudaudit.org:

The goal of CloudAudit (codename: A6) is to provide a common interface that allows cloud computing providers to automate the Audit, Assertion, Assessment, and Assurance (A6) of their infrastructure (IaaS), platform (PaaS), and application (SaaS) environments and allow authorized consumers of their services to do likewise via an open, extensible and secure interface and methodology.

CloudAudit is a volunteer cross-industry effort from the best minds and talent in Cloud, networking, security, audit, assurance and architecture backgrounds.

For more read the entire posting over on Hoff’s blog Rational Survivability.

Article Link

(Image used under CC from Florin Mogos)

The vendor gold rush is underway.

From eWeek:

As security vendors have added cloud-based services to their portfolios, there have been ongoing discussions about how best to combine these services with on-premises security products.

While many vendors offer both delivery models, Websense took it a step further Feb. 9 with a new platform that integrates data loss prevention, secure Web gateway and e-mail security while allowing users to manage the company’s on-premises and cloud security offerings through a single console.

Trend Micro announced something similar back in November. Now, this is an offering that is currently only available to early adopters. It would be interesting to see more information on this offering.

Article Link

(Image used under CC from US Army Korea – IMCOM)

The calendar may show a different date but, the argument remains the same. Back in ’99 I had a protracted/heated exchange with my corporate ISP regarding DDoS attacks. Their logic was simple. Not our problem. They used the analogy of a cab. We get you there but, that’s it.

Ugh.

From ZDNet:

At a Cloud Law Summit in London on Wednesday, Microsoft’s head of legal, Dervish Tayyip, said the company would not provide financial guarantees against data-protection issues on cloud contracts.

“We’re not an insurance company,” Tayyip told ZDNet UK. “What is important is that customers understand the [cloud] offerings are standardised — they are what they are. If the offering does not meet customer needs, maybe the cloud is not a realistic offering.”

Wow. How not to win the hearts and minds of potential customers.

Article Link

(Image used under CC from Philipp Klinger)