Cloud applications are very vulnerable
Posted 11 September 2009 - 12:55 PM
But many cloud applications are very vulnerable. Web applications: Easy prey for hackers
How camest thou in this pickle? -- William Shakespeare:(1564-1616)
The various helper groups here
Alliance of Security Analysis Professionals
Posted 11 September 2009 - 09:14 PM
Sept. 8, 2009 - "Users of cloud computing infrastructures should be aware that their sensitive data could be potentially leaked, a group of university researchers say... several computer scientists from the University of California at San Diego (UCSD) and the Massachusetts Institute of Technology (MIT) say they have discovered soft spots in the cloud computing concept that could leave data vulnerable to attack. "Overall, our results indicate that there exist tangible dangers when deploying sensitive tasks to third-party compute clouds"..."
17 Sep 2009 - "... The prospect of having such information stored offsite on a third-party server and accessible remotely via a cloud computing interface is an idea that worries even the most hardened of security experts, and many within the community remain unsure* about the overall effectiveness of cloud security..."
"... companies should not rush into cloud computing, especially with critical corporate data. The model is still new and needs to be carefully checked out in advance, explained Bob Lentz, CSO at the US Department of Defence..."
September 24, 2009 - "... One of the big problems with using “the cloud” is that at times the product may actually upload a file from your computer to the internet. This has very serious privacy implications. Virus scanners make mistakes at times. In this case a file that is proprietary or contains sensitive information may be uploaded and the customer may not want that file to leave their network..."
Edited by apluswebmaster, 25 September 2009 - 09:45 AM.
Posted 23 September 2010 - 06:14 PM
September 23, 2010 - "... it feels quite unpleasant when something like yesterday's attacks happen*. Suddenly a service we've started to rely on is out of order - because of some stupid worm? One moment you're catching up with the latest Tweets, and suddenly you've somehow resent a viral message to all of your followers. And the antivirus program you've bought won't help you. No matter how hard you scan your system, there's nothing there. The worm isn't on your computer: it's on some Twitter server farm in some data center somewhere. This is part of what we call the cloud. Once we start to use cloud services more and more, we also give up the control of our data. If you have your documents on your computer, you can encrypt and secure them. If you store them on a cloud service, you have to hope that someone else does it for you..."
Posted 21 October 2010 - 07:55 AM
Cloud "security challenges"...
21 October 2010 - "IBM unveiled a new security initiative focused on making cloud computing safer. IBM aims to help both users and providers of cloud computing more easily navigate security challenges* through new cloud security planning and assessment services, managed services to help clients secure their clouds, and the introduction of several technology innovations. According to an IBM study, cloud computing raised serious concerns among respondents about the use, access and control of data: 77 percent of respondents believe that adopting cloud computing makes protecting privacy more difficult; 50 percent are concerned about a data breach or loss; and 23 percent indicate that weakening of corporate network security is a concern. As the study illustrates, businesses see the promise of the cloud model, but security remains an inhibitor to adoption..."
Nov. 3/4, 2010 - "... make sure the SLAs from your cloud or software as a service provider do -not- have DDoS loopholes. Cloud-based services need to be able to mitigate DDoS attacks the same way that they have to have back up power to handle power outages..."
October 2010 - "... attackers have been creating their own cloud “services” via botnets for some time now..."
Cloud computing underwhelms...
November 02, 2010
Edited by AplusWebMaster, 06 November 2010 - 06:50 AM.
Posted 19 November 2010 - 03:58 PM
Password cracking in the cloud
November 17, 2010 - "On-demand cloud computing is a wonderful tool for companies that need some computing capacity for a short time, but don't want to invest in fixed capital for long term. For the same reasons, cloud computing can be very useful to hackers - a lot of hacking activities involve cracking passwords, keys or other forms of brute force that are computationally expensive but highly parallelizable. For a hacker, there are two great sources for on-demand computing: botnets made of consumer PCs and infrastructure-as-a-service (IaaS) from a service provider. Either one can deliver computing-on-demand for the purpose of brute-force computation. Botnets are unreliable, heterogeneous and will take longer to "provision." But they cost nothing to use and can scale to enormous size; researchers have found botnets composed of hundreds of thousands of PCs. A commercial cloud-computing offering will be faster to provision, have predictable performance and can be billed to a stolen credit card... With the advent of cloud computing, like with any other technology, the bad guys have also found a new tool. When we consider the balance of risk and reward, the cost/benefit evaluation of a security control we have to consider the significantly lower cost of computing for everyone - attackers included. Passwords, wireless encryption keys, at-rest encryption and even old SSL algorithms must be reevaluated in this light. What you thought was "infeasible" may be well within the means of "average" hackers."
Posted 23 November 2010 - 08:45 AM
Cloud security... -where- is your data?
November 22, 2010 - "... regardless of the technical and organizational realities, there is one element that is completely out of the control of both the customer and cloud provider that makes public cloud an increased risk: the law. Ignoring this means you are not completely evaluating the "security" of potential deployment environments. There are two main forms of "risk" associated with the law and the cloud. The first is explicit legal language that dictates how or where data should be stored, and penalties if those conditions aren't met. The EU's data privacy laws are one such example. The U.K.'s Data Protection Act of 1998 is another. U.S. export control laws... The "risk" here is that the cloud provider may not be able to guarantee that where your data resides, or how it is transported across the network, won't be in violation of one of these laws. In IaaS, the end user typically has most of the responsibility in this respect, but PaaS and SaaS options hide much more of the detail about how data is handled and where it resides. Ultimately, it's up to you to make sure your data usage remains within the bounds of the law; to the extent you don't have control of key factors in public clouds, that adds risk..."
Posted 17 December 2010 - 01:09 PM
Recent Email Breaches Demonstrate Cloud Breach Ripple Effect
Dec 15, 2010 - "The recent breach exposing McDonald's customer information was the result of a widespread series of spear-phishing attacks against email service providers that have been under way for about a year and are under investigation by the FBI... The ripple effect on McDonald's and Walgreens' customer data emerged only during the past week. The hacks underline the potential peril and headache to an enterprise when its cloud provider gets hacked... The hack against Gawker that exposed passwords of more than 1 million users also led other cloud providers, like LinkedIn, to reset any passwords associated with the attack as a precaution... Expect more of these cloud attacks that affect multiple organizations and victims..."
December 15, 2010 - "The recent theft of customer information belonging to McDonald's is thought to be part of a larger security breach that may affect more than 105 companies that contract with Atlanta-based email marketing services firm Silverpop Systems... The incidents underscore the importance of ensuring all sensitive data — whether stored internally or with a third-party — is secure... fewer than 10 percent of databases contain security controls."
Edited by AplusWebMaster, 18 December 2010 - 01:16 PM.
Posted 24 December 2010 - 03:19 AM
MS BPOS cloud service hit with data breach
December 22, 2010 - "Company data belonging to customers of Microsoft's hosted business suite BPOS has been accessed and downloaded by other users of the software. The issue affected the Offline Address Book of customers of the Business Productivity Online Suite (BPOS) Standard suite... "We recently became aware that, due to a configuration issue, Offline Address Book information for Business Productivity Online Suite (BPOS) Standard customers could be inadvertently downloaded by other customers of the service, in a very specific circumstance," said Clint Patterson, director of BPOS Communications at Microsoft. The data breach occurred in Microsoft data centers in North America, Europe and Asia. The issue was resolved within two hours of being discovered, Microsoft said in a statement. However, during this time "a very small number" of illegitimate downloads occurred. "We are working with those few customers to remove the files," Patterson said. This Offline Address Book contains an organization's business contact information for employees. It is stored on a server hosted by Microsoft as part of Exchange Online but can be downloaded for offline access. It does not contain Outlook personal contacts, e-mail, documents or other types of information, Microsoft stressed... BPOS includes Exchange Online, SharePoint Online, Office Communications Online and Office Live Meeting. In October, Microsoft outlined the next version of BPOS, called Office 365, intended to be a full-fledged option to Google Apps and other cloud-based suites. Office 365 combines the collaboration and communication elements of BPOS with Office Web Apps and, alternatively, even with Office 2010."
Posted 28 December 2010 - 06:03 PM
Top 10 Cloud Stories Of 2010
12/24/2010 - "Everybody's head was in the cloud, or so it seemed in 2010. Both well established and startup vendors developed solutions and strategies designed to extend their reach or provide entry into this booming market. After all, IDC estimated the cloud market will be worth $55 billion by 2014; Gartner predicted the cloud world could be valued at $148 billion at that time*..."
Windows 8 will be cloud-based...
Posted 31 December 2010 - 06:12 AM
Criminals host trojans on Cloud Storage Service Rapidshare
2010-12-30 - "Spammers are using cloud-based storage services to store malware, allowing them to circumvent e-mail spam filters, according to security experts at Kaspersky Lab and MX Lab. Kaspersky Lab detected the click-fraud Trojan, a variant of the Trojan-Dropper.Win32.Drooptroop family, which has been in circulation since the beginning of December, said Vicente Diaz, a Kaspersky Lab expert. There are over 7,000 variants of this particular family, according to Kaspersky. As with other types of malware that took advantage of the holiday season, the executable file for this Trojan was named gift.exe, Diaz said. The security firm detected more than 1,000 infections using this technique to distribute this variant, according to Diaz. The Trojan is stored on Rapidshare, a cloud-based file-sharing and storage service. The spam messages that users receive in their Inbox have no text, just a single link pointing to a valid Rapidshare URL. These messages get past spam filters because there are no malicious files attached, the domain name is not considered a “bad” one, and executables hosted on Rapidshare aren’t automatically classified as a threat, said Diaz. There was also a recent fake antivirus spam campaign that included a Rapidshare link pointing to surprise.exe, according to security firm MX Lab. The executable file downloads and installs the fake AV Security Shield on the user’s computer, which runs after the computer is rebooted. Once downloaded, there’s no guarantee that authentic antivirus products will detect these Trojans. According to MX Lab, only 16 of the 43 major antivirus products detected surprise.exe as a Trojan or as fake AV..."
The year of the cloud ...
December 30, 2010
Edited by AplusWebMaster, 31 December 2010 - 06:51 AM.
Posted 09 January 2011 - 12:44 PM
Top 5 Cloud Computing Predictions For 2011
Jan. 8, 2011 - "In the coming year, the cloud will reach milestones that critics said it never would: it will be certifiably secure for credit card transactions; able to host multiple virtual machine types in the same infrastructure; and easier to manage..."
Posted 10 January 2011 - 01:50 AM
interesting read thanks!
Posted 12 January 2011 - 09:44 AM
Has Big Brother gone Global?
Last Updated: 2011-01-12 13:45:46 UTC - "... the Tunisian Government may be harvesting or hacking information from Gmail accounts and/or Facebook accounts. This goes to show the moment it is in the “cloud” it is no longer private. If you want something private, encrypt it. Most of us at the ISC follow the “front page” rule. If you write it, treat it like the information is on the front page of your national newspaper.
Going back to last year, the US National Security Agency considers their network untrustworthy.
Edited by AplusWebMaster, 16 January 2011 - 01:36 PM.
Posted 16 January 2011 - 01:38 PM
Dilbert, Dogbert, and "Cloud Computing"...
"... You say "Cloud Computing" to an executive and their eyes glaze and they sign whatever PO you put in front of them. They have no idea what it is, but they have been told that they want it..."
Posted 19 January 2011 - 07:26 PM
Trojan built to disable cloud AV...
Jan 20, 2011 - "Microsoft has discovered a Trojan that aims to sever the connection between a device and the cloud antivirus (AV) service that is meant to protect it. The Bohu Trojan, which targets Windows machines, contains three main functions: evade detection, install a filter that blocks traffic between the device and service provider, and prevent the local installation from uploading data to the server. The attack appears to aim to knock out the additional layer of security that many antivirus companies have added to bolster defences and reduce the processing burden of ever-expanding signature databases. "Cloud-based virus detection generally works by client sending important threat data to the server for backend analysis, and subsequently acquiring further detection and removal instruction," Jingli Li and Zhitao Zhou of Microsoft Malware Protection Center wrote on the company's blog..."
Edited by AplusWebMaster, 21 January 2011 - 07:23 AM.
Posted 28 February 2011 - 12:02 PM
Google wipes out Gmail settings and msgs...
Feb 28 2011 - "COMPLAINTS ARE FLOODING IN to Google after some Gmail users woke up to find that their inboxes had been wiped clean of messages. A number of Gmail forum posters report that their messages, labels and settings have all been set back to default. The consensus is that it is a problem on Google's end, with many people deeply concerned because many of them use Gmail as their main email account... Google confirmed that there is a problem on the Google Apps dashboard. Engineers are busy working on the issue, with the affected accounts disabled... Already a major glitch for Google's cloud technology, this will be a horrendous public relations disaster if there is no backup system in place. The company is trying to sort this out quickly."
Posted 01 March 2011 - 08:09 AM
Google: "software update" triggered loss...
Mar 01 2011 - "... Google has confirmed that a storage software update was responsible for causing some Gmail users to lose access to their e-mail. Some Gmail users complained of losing e-mails, contacts, and folders. Google claimed that 0.29 per cent of the user base was affected by the problem but has since revised that figure to less than 0.02 per cent, or about 40,000 of the service's 200 million accounts. Ben Treynor, Google VP of engineering and site reliability czar, said sorry for the mess and said he expects to have the lost data restored soon. He said that the data was not completely lost and Google had restored most of it already... Users might be wondering how safe all this cloud computing lark really is if, as Google promises, all the data was backed up in different locations with the keys owned by people who have never met each other. Treynor said this is because in some rare instances software bugs can affect several copies of the data..."
Posted 30 April 2011 - 11:04 AM
Some Customer Data Permanently Destroyed in Amazon Cloud Crash
April 29, 2011 - "... You can put your data in the cloud - it's getting it back that's the hard part..."
... Lessons to other cloud-based businesses.
April 28, 2011 - "... A note posted to the Amazon Services Health Dashboard April 24 said the three-day service outage will be fully explained in "a detailed post mortem." On April 27, AWS CTO Werner Vogels posted to his blog a 2010 letter that Amazon CEO Jeff Bezos wrote to shareholders, extolling AWS' technology innovation and commitment to customers..."
Amazon Web Services » Service Health Dashboard
Current Status: http://status.aws.amazon.com/
(Scroll down for 'Status History')
April 29, 2011 - "... Amazon posted updates, short and bulletin-like, throughout the outage, but what it offered in its postmortem* is entirely different. This nearly 5,700-word document includes a detailed look at what happened, an apology, a credit to affected customers, as well as a commitment to improve its customer communications. Amazon didn't say explicitly whether it was human error that touched off the event, but hints at that possibility when it wrote that "we will audit our change process and increase the automation to prevent this mistake from happening in the future." The initial mistake, followed by the subsequent increase in network load, exposed a cascading series of issues, including a "re-mirroring storm" with systems continuously searching for a storage space..."
Edited by AplusWebMaster, 30 April 2011 - 11:28 PM.
Posted 03 May 2011 - 07:01 AM
VMware - Cloud Foundry service outages
May 02, 2011 - "VMware's new Cloud Foundry service was online for just two weeks when it suffered its first outage, caused by a power failure. Things got really interesting the next day, when a VMware employee accidentally caused a second, more serious outage while a VMware team was writing up a plan of action to recover from future power loss incidents. An inadvertent press of a key on a keyboard led to 'a full outage of the network infrastructure [that] took out all load balancers, routers, and firewalls... and resulted in a complete external loss of connectivity to Cloud Foundry.' Clearly, human error is still a major factor in cloud networks."
May 02, 2011 - "... 69% of cloud providers think that cloud users are most responsible for security, and only 16% think it's a shared responsibility. But according to a Ponemon study conducted last year, 33% of users see cloud security as a shared responsibility, and 32% think that the provider alone is most responsible. Only 35% of cloud users, meanwhile, think that users should be most responsible for cloud security... Legally speaking, however, cloud providers really aren't responsible for data security, as long as they make some effort, according to their end user license agreements (EULAs)..."
Edited by AplusWebMaster, 03 May 2011 - 07:11 AM.
Posted 09 May 2011 - 08:08 AM
Cloud Over cloud computing...
May 9, 2011 - "It isn’t just Sony that has suffered from the hacker breach of their network, the whole cloud computing movement has taken a bit of a knock, or perhaps has had a wake-up call.
We reported the findings of a survey by the Ponemon Institute which, surprisingly, found that cloud service providers do not see security as their main concern. Perhaps Sony’s experience will make them think again. International news agency Reuters reckons it might*... One of the issues with cloud is liability. If there is a breach and data is lost, whose liability is it? At the moment the industry is trying to establish guidelines and working practices; but until that issue is resolved — if it ever is — expect public cloud adoption to be slow and cautious."
"Shares of companies that specialize in cloud computing have been some of the top-performing stocks over the past year. But the attack on Sony, as well as a massive outage at Amazon.com Inc’s cloud computing center, have caused some businesses to put the brakes on plans to move their operations into the cloud. “Nobody is secure. Sony is just the tip of this thing,” said Eric Johnson, a professor at Dartmouth University who advises large corporations on computer technology strategies. Since news of the Sony breach broke on April 26, shares of companies involved in cloud computing have underperformed the broader market. Salesforce.com Inc, a maker of web-delivered software, has dropped 3 percent. VMware Inc, which sells software for building clouds, has declined 2 percent. The Standard & Poor’s 500 Index has climbed 3.3 percent... the first round of contracts for early adopters are coming to an end after three-year deals and companies are seeking better performance and terms for disasters."
Posted 14 May 2011 - 04:37 PM
Microsoft BPOS cloud outage...
13 May 2011 - "... Customers on BPOS in the US and worldwide were kicked off their hosted Exchange email systems, being unable to read, write, or access their messages. All users were affected – from down in the cubicle farm all the way up to the CEO's corner office. The outages started Tuesday and came after weeks of the service slowly degrading. The cause of the problem, Thomson said*, was "malformed email traffic" in BPOS's Exchange Servers... "obscure cases" and "related issues"..."
Posted 14 May 2011 - 04:55 PM
I feel really sorry for Corporate Vice-President, Microsoft Online Services.
And for the state of Minnesota and Hyatt hotels; I assume they were affected. http://blogs.technet...customer story/
Posted 15 May 2011 - 07:01 AM
Amazon cloud used by hacks...
2011-05-13 - "Amazon’s Web Services cloud-computing unit was used by hackers in last month’s attack against Sony's online entertainment systems, according to a person with knowledge of the matter. Hackers using an alias signed up to rent a server through Amazon’s EC2 service and launched the attack from there, said the person, who requested anonymity because the information is confidential. The account has been shut down, the person said. The development sheds light on how hackers used the so-called cloud to carry out the second-biggest online theft of personal information to date... The hackers didn’t break into the Amazon servers, the person said. Rather, they signed up for the service just as a legitimate company would, using fake information... The Federal Bureau of Investigation will likely subpoena Amazon as part of its investigation process..."
Posted 31 May 2011 - 07:38 AM
Eucalyptus cloud - critical vuln...
30 May 2011 - "... critical vulnerability in Eucalyptus, an open source implementation of the Amazon EC2 cloud APIs. An attacker can, with access to the network traffic, intercept Eucalyptus SOAP commands and either modify them or issue their own arbitrary commands. To achieve this, the attacker needs only to copy the signature from one of the XML packets sent by Eucalyptus to the user. As Eucalyptus did not properly validate SOAP requests, the attacker could use the copy in their own commands sent to the SOAP interface and have them executed as the authenticated user. All versions up to and including 2.0.2 are vulnerable; a fixed version, 2.0.3*, is available to download. Ubuntu's Eucalyptus-based Ubuntu Enterprise Cloud (UEC) is also vulnerable; updates for Ubuntu 10.04 LTS, 10.10 and 11.04 are already available in Canonical's repositories. Eucalyptus does note** that the changes made to close the holes may lead to some existing tools failing to work as the system will interpret them as a replay attack if they issue commands too rapidly."
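The weakness described in the post above is a signature that is accepted without being tied to the command it arrives with, and the fix's side effect is replay detection. The following is an added example, not Eucalyptus code and not part of the original post: it uses an HMAC over a canonical string rather than the WS-Security XML signatures Eucalyptus uses, and the field names, key, clock value and 300-second window are all assumptions. It shows a verifier that binds the signature to every field of the request and rejects stale or repeated requests.

```python
import hashlib
import hmac
import time

MAX_SKEW_SECONDS = 300  # assumed freshness window, not a Eucalyptus setting


def canonical(action, params, timestamp, nonce):
    """Serialise every field the signature must cover, unambiguously."""
    parts = [action, str(timestamp), nonce]
    parts += [f"{name}={params[name]}" for name in sorted(params)]
    # Length-prefix each part so bytes cannot slide between fields.
    return b"".join(
        str(len(p.encode())).encode() + b":" + p.encode() for p in parts
    )


def sign(key, action, params, timestamp, nonce):
    msg = canonical(action, params, timestamp, nonce)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def make_request(key, action, params, timestamp, nonce):
    """Client side: build a request whose signature covers all fields."""
    return {
        "action": action,
        "params": dict(params),
        "timestamp": timestamp,
        "nonce": nonce,
        "signature": sign(key, action, params, timestamp, nonce),
    }


class RequestVerifier:
    """Server side: returns "ok" or the reason the request was rejected."""

    def __init__(self, key, clock=time.time):
        self._key = key
        self._clock = clock
        self._seen = {}  # nonce -> time after which it may be forgotten

    def verify(self, request):
        try:
            action, params = request["action"], request["params"]
            timestamp, nonce = request["timestamp"], request["nonce"]
            signature = request["signature"]
        except (KeyError, TypeError):
            return "malformed"
        if not (isinstance(action, str) and isinstance(nonce, str)
                and isinstance(signature, str) and isinstance(timestamp, int)
                and isinstance(params, dict)
                and all(isinstance(k, str) for k in params)):
            return "malformed"

        # 1. The signature must match THIS action and THESE parameters.
        expected = sign(self._key, action, params, timestamp, nonce)
        if not hmac.compare_digest(expected.encode(), signature.encode()):
            return "bad-signature"

        # 2. Freshness: a captured request stops being usable after the window.
        now = self._clock()
        if abs(now - timestamp) > MAX_SKEW_SECONDS:
            return "stale"

        # 3. Replay: inside the window, each nonce is accepted once. Nonces are
        #    recorded only after the signature check, so forged requests
        #    cannot fill the cache or burn a legitimate nonce.
        self._seen = {n: exp for n, exp in self._seen.items() if exp >= now}
        if nonce in self._seen:
            return "replay"
        self._seen[nonce] = timestamp + MAX_SKEW_SECONDS
        return "ok"


def demo():
    """Run constructed requests through the verifier and return the verdicts."""
    key = b"constructed-demo-key"
    now = 1306750000  # constructed fixed clock value
    verifier = RequestVerifier(key, clock=lambda: now)

    original = make_request(key, "DescribeInstances",
                            {"InstanceId": "i-constructed"}, now, "n-1")
    # Same signature copied onto a different command.
    reused = dict(original, action="TerminateInstances")
    old = make_request(key, "DescribeInstances", {},
                       now - MAX_SKEW_SECONDS - 1, "n-2")
    return [verifier.verify(original), verifier.verify(reused),
            verifier.verify(original), verifier.verify(old)]


if __name__ == "__main__":
    print(demo())
```

The replay cache is also why a client that reuses a nonce or sends identical requests in quick succession gets rejected, which matches the compatibility note in the advisory.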
Posted 07 June 2011 - 10:40 PM
Attackers use Amazon Cloud to host malware
June 6, 2011 - "Attackers are beginning to host their malicious domains and drive-by download sites, and most recently researchers have discovered a number of domains on Amazon's cloud platform that are being used to install malware as part of a spam and phishing campaign designed to steal banking credentials and other sensitive data... attack sites are installing a variety of malicious files on victims' machines, including a component that acts as a rootkit and attempts to disable installed anti-malware applications. Other components that are downloaded during the attack include one that tries to steal login information from a list of nine banks in Brazil and two other international banks, another that steals digital certificates from eTokens stored on the machine and one that collects unique data about the PC itself, which is used by some banks as part of an authentication routine. Researchers say that the attacks likely originated in Brazil and are targeting users in Brazil, specifically. The domains that are being used in this attack have now been removed by Amazon, according to Kaspersky Lab researcher Dmitry Bestuzhev, who discovered the malicious domains*... The advent of commodity cloud computing platforms gives attackers one more venue in which to host their attack domains, but the attacks themselves are quite similar to what users have been seeing for years."
Edited by AplusWebMaster, 09 June 2011 - 03:52 AM.
Posted 20 June 2011 - 08:32 AM
Amazon cloud users reveal confidential data...
20 June 2011 - "Sharing Amazon Machine Images (AMIs) to run on Amazon's Web Services (AWS) can open the door to attackers when users do not follow appropriate safety advice. The AMIs may contain private cryptographic keys, certificates and passwords, as researchers at the Darmstadt Research Center's CASED (Center for Advanced Security Research Darmstadt) found. In a report** [German language], they say that they examined 1100 public AMIs for cloud services and found that 30 per cent were vulnerable to manipulation that could allow attackers to partially or completely take over virtual web service infrastructure or other resources... Amazon Web Services have also been informed which customers are affected."
20 June 2011 - "... As many people use the same password in multiple places, criminals can use the passwords to obtain unauthorised access to further services... Cloud, CUDA and multi-core computer technologies are both a blessing and a curse: they can greatly accelerate the processing of data and make even complex simulations available to end users. Unfortunately, crackers use the same high-speed computing power to reconstruct plain-text data from an encrypted password, and then they use the password to log into a system as administrators. In this context, password crackers can take advantage of the fact that the harvested hashes were probably created using the MD5 algorithm, which is optimised for fast processing..."
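For the shared-AMI finding in the post above, a publisher can check an image's filesystem for leftover credentials before making it public. The following is an added example, not taken from the CASED report or from AWS tooling; the rule set is a small constructed sample rather than a complete list, `root` is assumed to be wherever the image is mounted, and the sample tree is constructed.

```python
import os
import re
import tempfile

# Content rules: patterns that indicate credential material inside a file.
PEM_PRIVATE_KEY = re.compile(rb"-----BEGIN (?:[A-Z0-9]+ )*PRIVATE KEY-----")
AWS_SECRET = re.compile(rb"(?im)^\s*aws_secret_access_key\s*[=:]\s*\S+")
CONTENT_RULES = [
    (PEM_PRIVATE_KEY, "PEM private key"),
    (AWS_SECRET, "AWS secret access key"),
]

# Name rules: files that should not ship in a shared image whatever they hold.
NAME_RULES = {
    "authorized_keys": "SSH authorized_keys left in image",
    ".bash_history": "shell history left in image",
}


def audit_image(root, max_bytes=1 << 20):
    """Walk a mounted image and return sorted (relative_path, finding) pairs."""
    findings = []
    for dirpath, _dirs, files in os.walk(root, followlinks=False):
        for name in files:
            path = os.path.join(dirpath, name)
            # Skip symlinks and special files; only regular files are read.
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if name in NAME_RULES:
                findings.append((rel, NAME_RULES[name]))
            try:
                with open(path, "rb") as handle:
                    head = handle.read(max_bytes)
            except OSError:
                findings.append((rel, "unreadable, inspect manually"))
                continue
            for pattern, label in CONTENT_RULES:
                if pattern.search(head):
                    findings.append((rel, label))
    return sorted(findings)


# Constructed sample tree standing in for a mounted image (no real secrets).
SAMPLE_TREE = {
    "etc/hostname": b"build-host\n",
    "etc/boto.cfg": (b"[Credentials]\n"
                     b"aws_access_key_id = CONSTRUCTED\n"
                     b"aws_secret_access_key = CONSTRUCTED-NOT-A-SECRET\n"),
    "home/ubuntu/.ssh/authorized_keys": b"ssh-rsa CONSTRUCTED publisher@example\n",
    "home/ubuntu/.ssh/id_rsa": (b"-----BEGIN RSA PRIVATE KEY-----\n"
                                b"CONSTRUCTED\n"
                                b"-----END RSA PRIVATE KEY-----\n"),
    "root/.bash_history": b"mysql -u root -pCONSTRUCTED\n",
}


def demo():
    """Materialise the sample tree in a temp directory and audit it."""
    with tempfile.TemporaryDirectory() as root:
        for rel, data in SAMPLE_TREE.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as handle:
                handle.write(data)
        return audit_image(root)


if __name__ == "__main__":
    for rel, finding in demo():
        print(f"{rel}: {finding}")
```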
Posted 23 June 2011 - 04:26 PM
'We can hand over Office 365 data without your permission'...
June 23, 2011 - "... Hidden within a whitepaper*, detailing the security features in the upcoming Office 365 suite, it reveals links to the Trust Center; a treasure trove of data protection policies and legalities of how Microsoft will handle your data in its cloud datacenters. Next week, Microsoft will announce the launch of Office 365 in both New York and London... In light of the Patriot Act furore, customers of cloud services are naturally becoming more aware of the limitations to cloud security and privacy; with legalities and powerful acts of law taking precedent. In short, Microsoft states:
“In a limited number of circumstances, Microsoft may need to disclose data without your prior consent, including as needed to satisfy legal requirements, or to protect the rights or property of Microsoft or others (including the enforcement of agreements or policies governing the use of the service).”
This covers all users and data of Microsoft Online Services, including the current offering of BPOS (Business Productivity Online Suite), currently in migration to Office 365. Current Live@edu users are also affected by this — mostly schools and colleges — which are also upgrading to Office 365... a personal and heartfelt congratulations to Microsoft — in full sincerity — for being as open, honest and transparent in their documentation..."
(More detail at the URL above.)
Security in Office 365 Whitepaper.docx 5.0 MB
Data Use Limits
"... FAQ: ... Question: Can Microsoft Online Services use or disclose my data without my permission? In a limited number of circumstances, Microsoft may need to disclose data without your prior consent..."
Edited by AplusWebMaster, 23 June 2011 - 08:56 PM.
Posted 01 July 2011 - 07:50 AM
When consumers go to the Cloud...
June 30, 2011 - "For four hours last week, a flawed authentication update allowed anyone the ability to access the data of any user of the cloud storage service Dropbox. The error could have caused a massive privacy breach. As it turned out, the company was notified and fixed the error before widespread knowledge allowed the vulnerability to be exploited by malicious actors. "According to our records, there were fewer than a hundred affected users, and neither account settings nor files were modified in any of these accounts," the company wrote in a blog post last Friday*... Dropbox encrypts data on the servers, but not to individual accounts, notes Sorin Mustaca, a product manager with security firm Avira. Anyone with admin access to the server can read all of its data. In addition, data on the servers of external services have lesser legal protections, Mustaca says. "I always advise our users to be very, very careful what they put online because if they put anything online, then the data does not belong to them anymore - it belongs to the cloud," Mustaca says. "This is the most important lesson that needs to be learned by anybody. If you put it online, you lose control of the data"... Dropbox is not the only consumer cloud service that has been the focus of security concerns. Evernote, Apple's MobileMe, iCloud, and cloud offerings from Google and Amazon all have generated security concerns in recent months. Barring employees from using cloud services usually does not work, Chaudhry says. Companies attempted to bar the use of social networks, but employees found ways of using the services anyway..."
Posted 27 July 2011 - 09:53 AM
Lawyers in the Cloud ...
2011-07-27 - "Even state bar associations, the entities that regulate lawyers, are struggling with the cloud. Specifically, the “big” question is “if a lawyer stores attorney-client privileged information in the cloud, will that result in a waiver of that privilege.” Remarkably, only a very few bar associations have directly addressed this issue. Arizona, New Jersey, and New York bar associations have all issued guidances for lawyers regarding cloud storage of sensitive attorney-client information. In general, they find the practice is permissible if reasonable care is used to vet and monitor the cloud provider’s security measures. For example, the New York bar stated, “[A] lawyer may use an online ‘cloud’ computer data backup system to store client files provided that the lawyer takes reasonable care to ensure that the system is secure and that client confidentiality will be maintained.” New York State Ethics Op. 842. The question, of course, is “what constitutes reasonable care?” For example, if a cloud provider has a good record of security and has a great SAS 70 Type II audit report, but specifically disclaims any liability for security breaches and offers only minimal confidentiality protection, is this good enough to satisfy the “reasonable care” requirement? No one knows. What is clear is that, just like all other businesses, lawyers must be cautious in this area and thoroughly vet their cloud providers."
Posted 30 July 2011 - 10:16 AM
SpyEye in the Amazon cloud ...
July 28, 2011 - "... According to our research, cybercriminals have been running SpyEye activities and from Amazon for the past couple of weeks... One hurdle for these cybercriminals to abusing Amazon S3 is the creation of an Amazon Web Services (AWS) account. These accounts require a legitimate identity and method of payment, so it is evident that criminals are using stolen data to overcome this challenge. Data shows that Amazon cloud services were abused heavily this month to spread malware. The following graph shows the domains used for this campaign from the second half of July 2011...
... there are isolated cases, but the tendency to exploit services like cloud storage is in full expansion. This trend clearly represents a critical point for online storage services and requires special treatment. We have reported these domains to the appropriate security teams..."
Aug 1, 2011 - "... collected approximately 22Mb of malware for analysis & detection that was hosted on AWS... advice is to avoid clicking on any suspicious link either in an unsolicited e-mail, or an apparently benign link embedded in a webpage hosted on AWS (e.g. zx1uporn.s3.amazon .com, et al.) until this problem is resolved. We have recently seen about 30-50 various subdomains and specific URLs created on AWS which appear to harbor malicious content. We have reported this to Amazon Security..."
"... quick statistics about the SpyEye Trojan:
SpyEye C&C servers tracked: 381
SpyEye C&C servers online: 184
SpyEye C&C server with files online: 38
Average SpyEye binary Antivirus detection: 26.14% ..."
"... quick statistics about the ZeuS crimeware:
ZeuS C&C servers tracked: 659
ZeuS C&C servers online: 223
ZeuS C&C servers with files online: 53
ZeuS FakeURLs tracked: 19
ZeuS FakeURLs online: 6
Average ZeuS binary Antivirus detection rate: 38.67% ..."
(... as of 2011.08.04)
Edited by AplusWebMaster, 04 August 2011 - 06:11 AM.
Posted 18 August 2011 - 12:44 PM
MS CRM Online, Office365 outage ...
August 17, 2011 - "Microsoft CRM Online and Office 365 users were hit with outages to their cloud services on August 17. Microsoft has yet to respond as to what’s going on. A number of customers using the Microsoft-hosted Dynamics CRM Online and its Office 365 cloud service were reporting performance problems on August 17... On the CRM Online front, “performance is slow for most users, to the point that some can’t use CRM at all,” one Microsoft CRM user said. His company is based in the U.S., he said, but international users of the system were affected, as well..."
August 17, 2011 - "... UPDATE: Microsoft said as of late Wednesday afternoon, all systems are back up. The company is still investigating the root cause of the network failure."
17 August 2011
Edited by AplusWebMaster, 19 August 2011 - 12:09 PM.
Posted 09 September 2011 - 07:51 AM
Hotmail, Skydrive and Office365 knocked offline...
Sep 09 2011
Sep. 08, 2011 - UPDATE 9:45 PM PT, UPDATE 11:02 PM PT, UPDATE 11:49 PM PT...
Posted 14 September 2011 - 06:38 AM
AWS C&C malware...
13 Sep 2011 - "The family selected for addition to MSRT this month is Win32/Bamital*. Win32/Bamital was first discovered in September 2009 and was able to intercept and modify queries performed by search engines such as AltaVista, Bing, Google and Yahoo... authors of Win32/Bamital are employing the use of Amazon Web Services as part of their command and control infrastructure. We notified Amazon of the abuse and received confirmation that it is being investigated."
Edited by AplusWebMaster, 03 October 2011 - 08:04 AM.
Posted 20 October 2011 - 11:51 AM
Bulletproof cybercrime hosting & the Cloud
20 October 2011 - "... In Q3 2011, there were several changes in the top positions in the Top Bad Hosts table:
• The title of #1 Bad Host (Overall Category) now goes to AS33626 Oversee.net*, a monetizer of domain names, for high levels of hosting malicious URLs, badware, Zeus botnet servers and infected sites.
• The US share of the Top 50 has dropped from 23 in Q2 to 16 in Q3 although 5 of the Top 10 are still hosting from the United States including the #1 spot.
• #1 in the most important category, Exploit Servers, in the analysis of malware, phishing or badness as a whole, is AS47583 Hosting-Media**, hosted in Lithuania....
Discussed in this quarter report, also, is the rise of GHOSTing, or 'Bulletproof Cybercrime Hosting and the Cloud', which is increasingly being used as a way of serving malicious material and yet remaining under the radar. It gives, by all intents and purposes, the impression of clean and responsible hosting as no obvious sign of criminal activity is detected on the providers’ servers. This is achieved through the legitimate offering of VPN or VPS services to those clients who wish to host illicit or objectionable badness e.g. malware, botnet C&Cs, phishing, spam operations or even images of child sexual abuses. In this way hosts can feign ignorance or turn a blind eye to their customers’ real intentions. Further information on this practice can be found in the Q3 report..."
"... over the past 90 days, 3 site(s)... served content that resulted in malicious software being downloaded and installed without user consent... the last time suspicious content was found was on 2011-10-20... we found 3 site(s) on this network... that appeared to function as intermediaries for the infection of 4 other site(s)... We found 443 site(s)... that infected 8141 other site(s)..."
"... over the past 90 days, 973 site(s)... served content that resulted in malicious software being downloaded and installed without user consent... the last time suspicious content was found was on 2011-10-20... we found 99 site(s) on this network... that appeared to function as intermediaries for the infection of 467 other site(s)... We found 99 site(s)... that infected 685 other site(s)..."
Posted 10 November 2011 - 08:27 AM
Amazon cloud 'pre-configured images' risk...
10 November 2011 - "Amazon cloud customers have access to more than 8,000 pre-configured Amazon Machine Images (AMIs) worldwide... many of these AMIs contain a variety of security holes... more than half of the images that are available worldwide and identified the same vulnerabilities, as well as additional problems. The Windows AMIs, which represented a small proportion of the 5,300 images that were examined, were particularly badly affected. Security issues were found in 246 out of 253 Windows appliances. A bug that allows arbitrary code to be executed when a certain web site is accessed in Internet Explorer was especially common... researchers found authentication data in about one-fifth of the examined AMIs and were able to reconstruct deleted files in 98 per cent of images. Amazon has informed its customers of these problems and has released guidelines* on how to avoid AMI security issues. A tutorial** is provided to help developers create secure AMIs."
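A pre-publication check for the leftover authentication data described in the post above, as an added example that is not Amazon's guideline or the researchers' tooling. It assumes the image's filesystem is mounted read-only at a directory; the finding categories, function names and sample files are constructed for illustration.

```python
import os
import re
import tempfile

# PEM header shared by RSA, EC, OPENSSH and PKCS#8 private keys.
PRIVATE_KEY_RE = re.compile(rb"-----BEGIN (?:[A-Z0-9]+ )*PRIVATE KEY-----")
HISTORY_FILES = {".bash_history", ".zsh_history", ".mysql_history"}


def _live_lines(data):
    """Non-empty, non-comment lines of a text file given as bytes."""
    text = data.decode("utf-8", "replace")
    return [l for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]


def audit_image(root):
    """Return sorted (finding, relative_path) pairs for leftover auth data."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            try:
                with open(path, "rb") as fh:
                    data = fh.read(1 << 20)  # first 1 MiB is enough here
            except OSError:
                continue
            if PRIVATE_KEY_RE.search(data):
                findings.append(("private_key", rel))
            # A publisher key left behind lets the publisher log in to
            # every instance launched from the image.
            if name == "authorized_keys" and _live_lines(data):
                findings.append(("authorized_keys_entry", rel))
            if name in HISTORY_FILES and data.strip():
                findings.append(("shell_history", rel))
            if rel == "etc/shadow":
                for line in _live_lines(data):
                    fields = line.split(":")
                    # "!" or "*" marks a locked account; anything else
                    # (a hash, or an empty field) permits password login.
                    if len(fields) > 1 and fields[1][:1] not in ("!", "*"):
                        findings.append(("login_password:" + fields[0], rel))
    return sorted(findings)


# Constructed sample image contents (no real keys or hashes).
SAMPLE_FILES = {
    "etc/shadow": "root:$6$constructed$notarealhash:15000:0:99999:7:::\n"
                  "daemon:*:15000:0:99999:7:::\n"
                  "ec2-user:!!:15000:0:99999:7:::\n",
    "root/.ssh/authorized_keys": "ssh-rsa AAAAconstructed publisher@build\n",
    "home/dev/.ssh/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nconstructed\n"
                            "-----END RSA PRIVATE KEY-----\n",
    "home/dev/.bash_history": "mysql -u root -pconstructed\n",
    "home/clean/.ssh/authorized_keys": "# keys are injected at first boot\n",
    "home/clean/.bash_history": "",
}


def build_sample_image(root):
    """Write the constructed sample tree under root."""
    for rel, text in SAMPLE_FILES.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(text)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_image(tmp)
        for finding, rel in audit_image(tmp):
            print(f"{finding:28} {rel}")
```

A file-level scan does not cover the recoverable deleted files the post mentions: deleting a file leaves its blocks in free space, so the image has to be built on a fresh filesystem or have its free space overwritten before it is published.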
Posted 15 November 2011 - 04:56 PM
Legal Issues in the Cloud
14 November 2011 - "... Because cloud providers store large volumes of data from various parties, they present an attractive target for hackers. Google, Amazon and Salesforce.com have all reported major data breaches, and a survey this summer found that nearly half of IT executives reported a security lapse or security issue with their cloud services provider within the last 12 months. A cloud customer could be liable for security breaches by the cloud provider it uses...
- Sarbanes-Oxley Act of 2002 (SOX) applies to publicly traded companies and contains requirements related to, among other things, email retention, data security and integrity, as well as oversight requirements which encompass cloud providers.
- Health Insurance Portability and Accountability Act of 1996 (HIPAA) and Health Information Technology for Economic and Clinical Health (HITECH) Act regulate the use and protection of health information. Companies in the healthcare field may need to have their cloud service providers sign a Business Associate agreement. HIPAA also requires that individuals have access to their health information, so cloud vendors may need to adjust their policies and procedures to allow for such access.
- Gramm-Leach-Bliley Act (GLB) governs the collection, disclosure and protection by financial institutions of consumers’ nonpublic personal information.
- Payment Card Industry Data Security Standard (PCI DSS) is a set of industry standards providing requirements for security and storage of credit card information; in June, it was clarified that the PCI DSS apply to cloud providers.
- State laws. Almost all states have laws covering notification in the case of a data breach. Also, some states, such as Massachusetts and Nevada, have enacted laws providing requirements for data security..."
Posted 19 November 2011 - 09:03 AM
Cloud network abused by trojan...
November 17, 2011 - "... we discovered a malicious program called Trojan-Downloader.Win32.MQL5Miner.a which also uses the resources of infected computers, but this time to make money in MQL5 Cloud Network, a distributed computing network... MetaQuotes is a developer of software for financial markets. Several weeks ago, information appeared on the net that the company was offering to pay users to participate in distributed computing. Apparently, this is what attracted malicious users to the new cloud service... There are grounds to believe that the malicious program spreads via email. Having infected a computer, the malicious program first determines if the operating system is 32-bit or 64-bit. It then downloads the appropriate version of the official software from MetaQuotes SoftWare. MQL5Miner then launches the service to participate in the cloud computing network. But the cybercriminals specify their own account data and receive the payments for any distributed computing operations that are performed on an infected machine... When it comes to making money, cybercriminals don’t miss a trick. That includes exploiting the resources of infected computers without their owners’ knowledge or consent. We have notified MetaQuotes about the account being used by cybercriminals."
Posted 15 December 2011 - 07:22 AM
Cybercriminal attack strategy shifting to corporate networks
Dec. 13, 2011 - "... Cisco... made predictions* on the weapons cyber-criminals are most likely to use in 2012, based on the return on investment from cyber-crimes. The weaponry expected to reap the most money included data theft Trojans, spyware, click fraud and web exploits. Targets expected to get lots of attention from criminals based on the potential ROI include mobile devices and cloud infrastructure. Cloud service providers have been growing so fast that they have not had the time or inclination to make security a top priority... three in five of the respondents working for companies believed their employers, not themselves, were responsible for protecting information and devices. In addition, more than half allowed others to use their computers without supervision, including family, friends, coworkers and strangers."
13 Dec 2011 - 5.3MB PDF file
Posted 22 December 2011 - 09:01 AM
Migration plans to Cloud apps dropped...
December 22, 2011 - "After more than two years of trying, the City of Los Angeles has abandoned plans to migrate its police department to Google's hosted email and office application platform saying the service cannot meet certain FBI security requirements. As a result, close to 13,000 law-enforcement employees will remain indefinitely on the LAPD's existing Novell GroupWise applications, while other city departments will use the Google Apps for Government cloud platform. Council members last week amended a November 2009 contract the city has with systems integrator Computer Science Corp. (CSC) under which CSC was supposed to have replaced LA's GroupWise e-mail system with Google's email and collaboration system. Under the amended contract, the LAPD will no longer move its email applications to Google... Google maintains that the LAPD's security requirements were never part of the original contract..."
Posted 23 December 2011 - 07:22 AM
Cloud patch management issues...
22 December 2011 - "... Cloud-based application vendors update their software regularly without customer input. As an enterprise user, you may be able to stay on an earlier revision for a while by negotiating with the vendor... Other challenges include the consumerisation of IT, which encourages employees and contractors to bring in devices such as tablets and smartphones. Making sure these are adequately patched creates a whole new set of problems, landing us in the sticky area of network access control, network quarantine and policy servers to manage... every so often, a patch appears that takes down a piece of software. For example, Microsoft's recent gaffe, in which it accidentally decided that Google Chrome was a piece of malware*, caused problems for many users."
Posted 04 January 2012 - 10:26 AM
New Cloud - New Security - New Year ...
Jan. 3, 2012 - "... If I am going to keep gigabytes upon gigabytes of sensitive data stored online, I need some assurances that it is safe. The data needs to be secured, preferably encrypted, so that it is protected even in the event that the storage that contains it is compromised. But, even encrypting data can be tricky when it comes to third party cloud storage providers... They may share my data if compelled by law enforcement, or employees might access and view the files themselves. It is strictly forbidden as a matter of policy, but anyone who would surreptitiously view my data probably also lacks the moral compass to care about the policy... customers can still encrypt their data through other means with their own keys if they prefer. That really seems to be the only viable solution. If I encrypt the data myself, I know that I hold the keys and theoretically only those people I authorize will be able to access my files. But that complicates things, and adds some administrative and processing overhead. For businesses considering a move to the cloud, there are also compliance mandates to consider. Putting data online comes with some risks, and businesses need to take extra precautions to make sure that data is not exposed or compromised..."
Posted 27 January 2012 - 06:40 AM
Spammers in the cloud
January 26, 2012 - "Facebook is recently doing a decent job at keeping survey spam posts at bay (all things considered). So, what's an entrepreneurial Facebook spammer to do? Well, some have tweaked their master plan, and have expanded their use of "cloud" services. Using Amazon's S3 file hosting service solves quite a few problems for these perpetrators. Number 1, Amazon's S3 web service is pretty inexpensive to set up, therefore they can still earn from the surveys. Number 2, because Facebook has been pretty successful at blocking suspicious URLs linked to spam, hosting their scam's code in a safe and popular domain such as amazonaws.com gives them a better chance to sneak through Facebook's protections... All browsers other than Chrome and Firefox are served with a survey page, thereby ending in actual monetization if the spammer's surveys are filled out and submitted. This monetization happens within the Cost Per Action (CPA) marketing model, which is behind most social media spam. Geo-location techniques are used in an attempt to broaden the spammer's survey completion rate. Depending on the location, the fake Facebook page issues a survey that -redirects- to a specific affiliate marketer... Firefox and Chrome are used as avenues to further spread the scam via Facebook by use of a fraudulent YouTube browser plugin. A fake Facebook page displays a plugin installation if visited from either of those two browsers. Spammers recently began using plugins as part of their cat and mouse battle with Facebook... Upon installing the plugin, a redirector URL is generated by randomly selecting from the usernames, mo1tor to mo15tor, in the Amazon web service. Then, the link generated is shortened through bitly.com via the use of any of the 5 hardcoded userID and API key-pairs. These key-pairs give a spammer the ability to auto-generate bit.ly URLs for the Amazon web service link. This ultimately leads to a redirection to the fake Facebook page.
Perhaps, in an attempt to confuse defenses, it also produces a random non-existent domain using the format wowvideo [random number] .com. However, only the Amazon S3 web service and bit.ly URLs are working links..."
Posted 29 February 2012 - 04:08 PM
MS Azure cloud outages ...
Feb 29, 2012 - "Microsoft's cloud platform, Windows Azure, is experiencing a major outage: at the time of writing, its service management system had been down for about seven hours worldwide... Microsoft has been keeping them updated via the platform's online service page* at least every hour... The service management system first began to have problems at 1.45am GMT (5.45pm PST), according to the page... Microsoft tested the hotfix, before starting the rollout at 9am GMT this morning..."
Feb 29, 2012 - "... Microsoft later said in a statement the service management problems were caused by "a cert issue triggered on 2/29/2012," or a security certificate issue activated once every four years. It said access to services and management functions were "restored for the majority of customers" by 1:30 p.m. GMT in Northern Europe or 7:30 a.m. in the U.S..."
29 Feb 2012 - "... final root cause analysis is in progress, this issue appears to be due to a time calculation that was incorrect for the leap year... The fix was successfully deployed to most of the Windows Azure sub-regions and we restored Windows Azure service availability to the majority of our customers and services by 2:57AM PST, Feb 29th. However, some sub-regions and customers are still experiencing issues and as a result of these issues they may be experiencing a loss of application functionality... Customers should refer to the Windows Azure Service Dashboard* for latest status..."
1 Mar 2012 - "... resolved and all regions and related services are now healthy..."
Edited by AplusWebMaster, 02 March 2012 - 05:05 PM.
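The Azure posts above attribute the outage to "a time calculation that was incorrect for the leap year" tied to a certificate. This added example is not Microsoft's code: it assumes one common form of that bug, a validity end date built by adding one to the year, and shows a clamped calculation plus a date sweep that surfaces the failure in testing. All function names are hypothetical.

```python
import calendar
from datetime import date, timedelta


def naive_not_after(issued):
    """Assumed faulty pattern: same month and day, year + 1.

    For an issue date of 29 February this asks for a day that does not
    exist in the following year, and date.replace raises ValueError.
    """
    return issued.replace(year=issued.year + 1)


def safe_not_after(issued, years=1):
    """Same intent, but clamp the day to the target month's length."""
    target_year = issued.year + years
    last_day = calendar.monthrange(target_year, issued.month)[1]
    return date(target_year, issued.month, min(issued.day, last_day))


def failing_issue_dates(first_year, last_year, not_after_fn):
    """Try every calendar day in the range; return the days that raise.

    Sweeping a span that contains a leap year is the cheap regression
    test that catches this class of bug before 29 February does.
    """
    failures = []
    day = date(first_year, 1, 1)
    while day.year <= last_year:
        try:
            end = not_after_fn(day)
            # A validity window must also be non-empty and forward-going.
            if end <= day:
                failures.append(day)
        except ValueError:
            failures.append(day)
        day += timedelta(days=1)
    return failures


if __name__ == "__main__":
    print("naive failures:", failing_issue_dates(2011, 2013, naive_not_after))
    print("safe failures: ", failing_issue_dates(2011, 2013, safe_not_after))
    print("safe expiry for 2012-02-29:", safe_not_after(date(2012, 2, 29)))
```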
Posted 02 March 2012 - 08:40 PM
Cloud svc Linode hacked - Bitcoin accounts emptied
Mar 2, 2012 - "A security compromise at Linode, the New Jersey-based Linux cloud provider, has warned customers that hackers breached a Web-based customer service portal used by the company and emptied the Bitcoin accounts of eight Linode customers. One Linode customer reports the theft of Bitcoins totalling around $14,000. In a post on the company blog* Friday, Linode acknowledged the incident, which occurred early Wednesday, and said it had isolated the compromised support account, and that no customer credit card information or credentials were taken. However, the attackers appeared to have targeted a handful of Linode customers who used the service to host Bitcoin wallets, allowing them to pilfer thousands in virtual currency..."
Mar 2, 2012 - "... Here are the facts:
This morning, an intruder accessed a web-based Linode customer service portal. Suspicious events prompted an immediate investigation and the compromised credentials used by this intruder were then restricted. All activity via the web portal is logged, and an exhaustive audit has provided the following:
All activity by the intruder was limited to a total of eight customers, all of which had references to "bitcoin". The intruder proceeded to compromise those Linode Manager accounts, with the apparent goal of finding and transferring any bitcoins. Those customers affected have been notified. If you have not received a notification then your account is unaffected. Again, only eight accounts were affected.
The portal does not have access to credit card information or Linode Manager user passwords. Only those eight accounts were viewed or manipulated - no other accounts were viewed or accessed..."
Posted 22 March 2012 - 11:38 AM
Dropbox - malware distribution
March 21, 2012 - "... a collection of files masquerading as RealNetworks updater executables. These files were all located in a user’s %AppData%\real\update_ob\ directory, and the sizes were all quite consistent... the software is in fact malicious, and that it is actually downloading malicious files from the popular web-based file hosting service Dropbox. These files came in two varieties: some files were randomly-named; other files were named for legitimate software. For example: utorrent.exe, Picasa3.exe, Skype.exe, and Qttask.exe... While some of the potential payloads were not present, some malicious URLs were still active... these target files on Dropbox are not legitimate, and they are definitely malicious. When executed they would write -many- files with legitimate names in generally legitimate locations. In some cases, file icons for the malicious files are not identical to the legitimate software that they are masquerading as.
... the malware obtains instructions from an XML script accessed via a dynamic DNS service that directs it to download additional malware and utilities from Dropbox and to disable certain antivirus programs which may be running on the infected PC... Another objective of this spy is to collect VERY specific system information, including hardware ID serials, computer and user names, OS version info, AV info, firewall info, UAC status, video device info, and many other pieces of information that no one would want falling into the hands of a stranger... this Dropbox-utilizing spy runs as a chain of downloaders for additional malware; the non-Dropbox-hosted C&C servers can determine what malware is grabbed by the downloaders so ultimately the end result of the infection is almost limitless. Once installed, malicious actions can vary from serving up rogue AVs, installing keyloggers, rootkits, or whatever the cybercriminal fancies. While it’s unfortunate malware writers have exploited this free service to serve their malware, Dropbox users don’t need to fret. There is no indication that legitimate Dropbox accounts were harvested to serve this malware and it is much more likely the writers simply opened their own accounts within Dropbox to carry this action out."
08 Mar 2012 - "... Dropbox is being abused by malware authors, as well as spammers. We recently saw a Brazilian Portuguese malware message claiming to contain photos and asking if they can be put onto a popular social networking site. The links in the email point to a Trojan hosted on Dropbox... This abuse is a good reminder that -any- site which makes user-supplied content publicly available must continue to be vigilant about dealing with abuse. Although Dropbox is a high-profile site, spammers target all sorts of sites, big and small. There are many things that sites do to deal with such abuse, but in some cases this crucial work is often seen as low priority, despite the damage that such abuse can cause..."
13 April 2012 - "... the use of Dropbox as a delivery mechanism is something that the industry is going to have to take into account and protect against, as it is an emerging trend."
Edited by AplusWebMaster, 13 April 2012 - 09:17 AM.
Posted 10 April 2012 - 05:18 AM
Zeus targets Cloud Payroll Service ...
April 10, 2012 - "... we have discovered a Zeus attack that focuses on cloud payroll service providers. These attacks are designed to route funds to criminals, and bypass industrial strength security controls maintained by larger businesses. Our researchers have captured a Zeus configuration that targets Ceridian, a Canadian human resources and payroll solutions provider. In this attack, Zeus captures a screenshot of a Ceridian payroll services web page... when a corporate user whose machine is infected with the Trojan visits this website. This allows Zeus to steal the user id, password, company number and the icon selected by the user for the image-based authentication system... The financial losses associated with this type of attack can be significant. In August of last year, Cyberthieves reportedly funneled $217,000 from the Metropolitan Entertainment & Convention Authority (MECA). According to published reports an employee at MECA was victimized by a phishing e-mail and infected with malware that stole access credentials to the organization’s payroll system. With valid credentials, the cyberthieves were able to add fictitious employees to the MECA payroll. These money mules, who were hired through work-at-home scams, then received payment transfers from MECA's bank account which they sent to the fraudsters. We expect to see increased cybercriminal activity using this type of fraud scheme for the following reasons:
First, targeting enterprise payroll systems enables attackers to siphon much larger amounts of money than by targeting individual consumers.
Second, by stealing the login credentials belonging to enterprise users of these payroll services, fraudsters have everything they need to route payments to money mules before raising any red flags. Using these valid credentials fraudsters can also access personal, corporate and financial data without the need to hack into systems, while leaving very little evidence that malicious access is occurring.
Third, by targeting a cloud service provider, the criminals are bypassing tight security mechanisms that are typically employed by medium to large enterprises. In a cloud service provider environment, the enterprise customers who use the service have no control over the vendor’s IT systems and thus little ability to protect their backend financial assets.
Fourth, cloud services can be accessed using unmanaged devices that are typically less secure and more vulnerable to infection by financial malware (e.g. Zeus)..."
Posted 25 April 2012 - 09:56 AM
What Google Analytics -doesn't- show you...
"... 31% of your website visitors are likely to be damaging intruders. Google Analytics doesn’t show you 51% of website traffic including hackers, spammers & other non-human stalkers. Most website owners don’t know that a startling 31% of any site’s traffic can harm its business. And although most website owners rely on Google analytics to track who’s visiting their site, Google simply doesn’t show you 51% of your site’s traffic including some seriously shady non-human visitors including hackers, scrapers, spammers and spies of all sorts who are easily thwarted, but only if they’re seen and blocked...
> http://www.incapsula...lking_ Pie.jpeg
As website owners work hard to attract good human traffic, it’s just as important to see and block the bad guys & bots that can hack your site, steal your customer’s data, share your proprietary business information, and a whole lot more. It’s time to see who’s visiting your site, and make sure the good guys get through fast while the bad guys are kept out. So who's stalking your site?...
> http://www.incapsula...king table.jpeg
... Information was anonymously compiled from a sample of one thousand websites of Incapsula customers, with an average of 50,000 to 100,000 monthly visitors."
Posted 10 May 2012 - 03:01 PM
Is Cloud Security in the Clouds?
May 10, 2012 - "... Before jumping onto a cloud, you might want to get the legal team or hire a lawyer to help parse through the Service Level Agreements (SLA) and other contracts that binds the vendor to a responsibility for the company or individual’s interests, assets and IT functions to better understand where the buck will stop so as not to fall through in a security worst case scenario... That could be worded a million different ways in legalese but there is more likely verbiage about up time and setting the expectations of the quality of services provided versus an offer to shoulder the burden of security. Shoot right to the disclaimers and the fine print that absolves the basic model of the confidentiality, integrity and availability of data and services of the provider... The threats can come from the -lack- of designed and implemented security by the provider. This may be intentional or not but the lack of oversight or negligence in this area can potentially cause disputes over the difference of control versus accountability..."
Posted 25 May 2012 - 06:25 AM
Security in the Clouds - Part 1 ...
May 24, 2012 - "... Securing a cloud environment involves doing everything we do for traditional IT security plus more. In other words, the fundamental issues of ensuring the CIAs of security – Confidentiality, Integrity and Availability – are still in play. In fact, it’s even more complicated since now we are dealing with the additional complexity of someone else’s infrastructure. That means we have to begin with a comprehensive risk assessment and from there proceed to develop relevant policies, a solution architecture, a solid implementation that enforces those policies and finish up with a process to analyze results and feedback improvements into the previous steps of the cycle. Nothing new here but sometimes in the cloud rush some people think the laws of gravity have somehow been suspended... What the public cloud adds to the equation is a heightened need to get all this right since it will be in a shared infrastructure at a remote location. In addition, things like federated single sign-on (to connect across disparate authentication systems), federated account provisioning/deprovisioning (to create and delete the correct access privileges on the system you no longer have direct access to) and securing the hypervisor layer of the virtualization system used by the service provider become key issues. That last part is often overlooked but it shouldn’t be because each new layer of infrastructure represents a potential attack vector. We know OS’s and apps aren’t perfect so we harden them, patch them and stand up intrusion prevention layers to protect them from the bad guys. The hypervisor in a virtualized computing environment needs the same protections but doesn’t always get the same scrutiny... what happens if the SLA is not met? 
Many assume that the provider has the capability to guarantee this commitment but in some cases this may be nothing more than a best effort statement with no penalties if violated and no actual ability to deliver this level of service...
Some questions to consider:
• Is the data sufficiently isolated from other users of the shared cloud?
• Are access controls up to the task of keeping the prying eyes of unauthorized users at bay?
• Are you protected against data leakage by administrators working for the cloud provider who are not authorized to view the data but may, by virtue of their privileged status, be able to subvert protections in place?
• Can you get easy access to an audit trail showing who, when, from where, etc., has accessed the data?
• Is it being backed up in case a hard drive crashes?
• Is the environment sufficiently provisioned to handle the demand placed upon it not only by legitimate users but also by attackers launching a denial of service attack?
• What about disaster recovery?
• Is there a mechanism to failover to hot or warm standby at a substantially different geographical location so as to not disrupt operations during an outage?
• Will auditors and regulators be satisfied with your answers to all of these questions?
... so it may not be all that simple to let someone else handle it as you might have first thought as you clearly have some due diligence to perform before turning over the keys to the kingdom..."
Posted 30 June 2012 - 09:58 AM
AWS power outages...
Amazon CloudSearch (N. Virginia) - Elevated error rates
10:16 PM PDT We are investigating elevated error rates impacting a limited number of customers. The high error rates appear related to a recent loss of power in a single US-EAST-1 Availability Zone...
Jun 30, 2:18 AM PDT CloudSearch control plane APIs are operating normally. We are continuing to recover impacted CloudSearch domains that are still experiencing high error rates.
Amazon Elastic Compute Cloud (N. Virginia) - Power issues
Jun 30, 12:37 AM PDT ELB is currently experiencing delayed provisioning and propagation of changes made in API requests. As a result, when you make a call to the ELB API to register instances, the registration request may take some time to process....
Jun 30, 7:14 AM PDT We are continuing to make progress towards recovery of the remaining EC2 instances, EBS volumes and ELBs...
Amazon Relational Database Service (N. Virginia) - Power Issues
8:33 PM PDT We are investigating connectivity issues for a number of RDS Database Instances in the US-EAST-1 region.
9:24 PM PDT We can confirm that a large number of RDS instances are impaired. We are actively working on recovering them...
Jun 30, 7:38 AM PDT We are continuing to make progress in recovering the impacted RDS database instances...
AWS Elastic Beanstalk (N. Virginia) - Power Issues...
3 million without power - 13 killed
June 30, 2012
June 30, 2012 - "An Amazon Web Services data center in northern Virginia lost power Friday night during an electrical storm, causing downtime for numerous customers — including Netflix, which uses an architecture designed to route around problems at a single availability zone. The same data center suffered a power outage two weeks ago and had connectivity problems earlier on Friday."
June 15, 2012
Edited by AplusWebMaster, 01 July 2012 - 11:06 PM.