CounterMeasures - A Security Blog � cloud

You can’t fight the power, but the power has shifted.

Rik Ferguson — Fri, 20 Jan 2012 11:04:35 +0000

One of the largest file sharing services on the Internet was shut down yesterday in US legal action. The site is charged with violation of copyright laws. The indictment (now available on scribd) charges seven individuals with online piracy, four of whom have already been arrested in New Zealand. This 72 page document also details the estimated cost to copyright holders at more than $500 million USD, while themselves allegedly earning $175 million in advertising revenue. The maximum penalty for the offenders could total 50 years of jail time.

Search warrants were executed in nine countries and 18 domain names, including mega-upload.com, were seized along with associated servers.

This indictment, unsealed right in the middle of impassioned debate over SOPA and PIPA quickly aroused the wrath of the Internet community, particularly Anonymous who have been exhorting their supporters to participate in Distributed Denial of Service attacks against US government web sites including the Dept of Justice, the FBI, the Copy right Office and the RIAA and MPAA, who were successfully taken offline as a result.

Anonymous supporters have been using the Low Orbit Ion Cannon (previously detailed here) as well as a new technique of embedded JavaScript. Several web pages have been loaded with JavaScript and the simple act of rendering that page in a web browser will in most cases recruit the browsing computer to the DDoS attack. The attacks have attracted a high level of participation and public sympathy and quickly became a trending topic on Twitter under the #OpMegaupload hashtag.

Akamai’s Real-time Web Monitor is currently showing attack traffic online at more than 24% above normal, giving some idea of the scope and geographic spread of public sympathy.

Whatever your views on online file sharing, there is no denying that this is an issue urgently in need of a solution. Consumers, artists and corporations seem to have devised workable methods in the music industry. A return to the generation of income through live performance has reinvigorated the music scene in many countries and cites. Artists have harnessed the power of the Internet for a direct sales model that bypasses the increasingly archaic music industry and online music stores have evolved to facilitate this, with the participation of the corporations, providing music at reasonable cost. It could even be argued that the new iTunes Match service represents the capitulation of the music industry to the new reality of illegal downloads. This model is beginning to be repeated in the printed world too.

In the early 1900′s music publishers decried the arrival of the “player piano” as a threat to their way of life, when I was a kid, every record bore the legend “Home taping is killing music“, Hollywood was scared to death at the advent of the VCR…

The simple truth is, technology ever advances and with it come new opportunities. Many consumers are taking advantage of those opportunities to access copyrighted material quickly, easily and cheaply (or for free). It is only by facilitating that behaviour backed by a forward-looking business model that the traditional industry can hope to survive into the future.

It’s true that you can’t fight the power, but the power has shifted.

LinkedIn? OptOut!

Rik Ferguson — Thu, 11 Aug 2011 10:40:49 +0000

UPDATE: It seems the Dutch government are already asking questions about whether this new behaviour breaches their data protection legislation.

Having seen this blog post, the first “victim” of social advertising has come forward and he’s one of my own colleagues he tweeted a few days ago:

Click to enlarge

Original Article
_________________________________________________

In my periodic trawl through the account options and settings of the social networks I entrust with my data, I discovered a few new “features” on LinkedIn that really made me angry.In a move reminiscent of some other social network providers *cough*Facebook*cough*, LinkedIn have decided to introduce targeted advertising and “social advertising”.

“Yeah, big deal, I expect advertisements on web sites” might be your initial reaction. Well, do you expect your own name, face and personal information to be used in those advertisements? If you don’t and you’re a LinkedIn user, you might want to log in today and have a look at your new default settings.

Once logged into LinkedIn, look to the top right corner where you will see your name in a drop-down menu, hold the mouse over your name and choose “Settings” in the menu that appears. This is where you can opt out of these new “features”.

Click for a larger image

Once you select the Privacy Controls you will be able to untick the boxes that have allowed your personal information to be used without your consent.

Click for larger image

While you’re in there, I hope you’ll be inspired to have a look around the other account settings, I’m sure you’ll find a few more that you will want to disable, like this little gem (in the Groups, Companies & Applications section)…

Click for larger image

LinkedIn have added these new features and opted all their 120 million users in without any form of notification, even though in my profile at least the option to get feature update mails was ticked (another default). I called the Information Commissioner’s Office in the UK and they confirned that this would be a breach of the Data Protection Act if the data were stored or processed in the UK.

At the risk of repeating advice from yesterday be very careful what information you are sharing online, not only can you not trust strangers, but it appears you also can’t trust your social netowrk provider of choice to keep your details confidential, or even to notify you that they have statred sharing them, don’t forget, it’s not just LinkedIn…

5 Security Questions for your SaaS provider

Rik Ferguson — Thu, 04 Aug 2011 12:49:51 +0000

used by permission from ky_olsen's Flickr stream

Software as a Service is seeing sustained growth and sustained adoption in both enterprise and in the home. According to a Gartner release in July 2011, Software as a Service revenue reached $10 billion in 2010 and is still growing. In fact Gartner estimate growth of over 20% 10 $12.1 billion on 2011.

The Gartner definition of Software as a Service is software that is “owned, delivered and managed remotely by one or more providers. The provider delivers an application based on a single set of common code and data definitions, which is consumed in a one-to-many model by all contracted customers anytime on a pay-for-use basis, or as a subscription based on use metrics”. The example that is cited in almost every article and presentation on the subject is Salesforce.com, and while they are a major provider in the SaaS arena it is important to recognise that SaaS comes in many different flavours. Customer Relationship Management, Human Resource Management, Cloud backup, Collaboration platforms, accounting platforms, helpdesk management, managed services and web or email filtering to name but a few.

The economic benefits, to providers and customers alike are relatively obvious to spot, the cost of user provisioning (the SaaS model) when compared to the cost of application acquisition, licensing and rollout (the on-premise model) is extremely attractive. The SaaS provider is able to more quickly and easily update and manage the software and service due to its centralised nature, application improvements are easier to make as a result of the visibility the provider has of customer usage patterns and the scalability and pay-per-use is attractive for both customer and provider. In addition the possibilities for integration and open interfaces are greater, with many SaaS providers already offering social media-like collaboration functions or open interfaces (APIs).

While SaaS may offer a flexible and cost-effective alternative to a traditional application environment, it is not without risk. By moving to a hosted platform, as opposed to in-house, enterprises must necessarily sacrifice a large element of control over parts of their operating environment. With SaaS in particular, almost the only choice you have is whether you upload certain data or not, the rest is largely out of your hands. You do of course retain the legal and regulatory accountability for the security of your data.

The risks in a SaaS environment are many, and largely related to the benefits offered. As I mentioned previously, your provider has access to your usage habits of the platform, normally through some kind of web analytics, they also have the capability of accessing all of your data and this in itself presents the risk of unauthorised access or monitoring by an insider.

The centralised nature of the system and the “one configuration fits many” model of the multi-tenanted environment means that, should a vulnerability affect one customer, there is a strong possibility that other customers will be equally affected. The Epsilon breach is one of the more recent examples and it affected many Fortune 500 companies using the same SaaS provider. The scope for exploits of vulnerabilities is wide. Common protocols and the software stack are used by most SaaS providers (HTTP, XML/SOAP, JSON, CSS and JavaScript) and these are readily and regularly exploited if not correctly engineered, implemented or configured. Additionally, the more scope a platform offers for customisation and external integration (a key selling point for SaaS vendors), the more chance there is that some other customer will introduce a vulnerability from which another may suffer the consequences. Such is the nature of a multi-tenanted environment.

5 Key security questions to ask your SaaS provider:

1 – Penetration testing – How is the environment pen tested, how often and do you have the ability to independently pen test your own part of the environment? Without regular, in-depth pen testing you have no visibility of your current security posture.

2 – Data Security – How is data encrypted in storage and in transit across the shared resources of the SaaS provider data centre? Who has access to the keys? Is separation of duties and separation of keys and data maintained? Can the provider offer you a SAS 70 report?

3 – Multi-tenancy – Is there an option that provides for single tenant hosting? Also explore whether this single tenancy comprises simply the application or also the data storage?

4 –Disaster Recovery – In the event of catastrophic failure, or external intrusion and data loss what backup and recovery procedures are in place? Where is backed up data stored (and encrypted again) and how is it effectively restored?

5 – User Authentication – What is the sign on procedure for the SaaS application? Are multiple factors in use? Is it possible to integrate sign-on with authentication structures already in use by the customer?

Russian Security Service proposes ban on Gmail, Skype, Hotmail

Rik Ferguson — Sat, 09 Apr 2011 12:02:51 +0000

In an echo of the move by governments including India, Saudi Arabia and the United Arab Emirates to ban the use of certain encrypted Blackberry services last year, the Russian Federal Security Service have cited Skype, Gmail and Hotmail as a “threat to national security” and has suggested a ban.

According to a release from ITAR-TASS, head of the FSB Information and Special Communication Centre, Alexander Andreyechkin stated:

“Uncontrollable use of such services can create a major threat to Russia’s security“

Andreyechkin reportedly went on to argue that, because the servers and encryption technology used all reside outside Russia it creates difficulty in carrying out investigations, asserting that these services are often used by “foreign extremists”.

The remarks, made before a government Communication & Technology committee meeting, which subsequently continued without press presence, appear to have cause a certain amount of confusion in the Kremlin. Dimitry Peskov, press secretary to Vladimir Putin confirmed that this opinion represented the official position of the FSB, saying “FSB representatives don’t express personal points of view. Naturally, that was the position of the agency“. Whereas Russian Communications minister Igor Shchegolev stated “We have no plans to cancel or close Skype, gmail, hotmail or any other foreign internet services in Russia“, adding perhaps a little more worryingly, “We are now discussing how to regulate such technologies, including economically.“

The main cause of concern for the FSB seems to be in the encryption employed by these services and the aim appears to be either to deny access to services such as these, or to use the threat of such a ban in order to open negotiations to improve the access of Russian security services to encrypted information. The countries that threatened a ban on Blackberry use reached an agreement with RIM, the Blackberry manufacturer, that allowed usage to continue uninterrupted, details of this compromise have never been revealed.

Vladimir Putin is currently heading a committee, set up by the Communication & Technology commission, charged with setting out a plan to regulate the mass use of internet encryption technology within Russia. The committee is due to report on October the 1st of this year. Watch this space…

Finding the G-Cloud.

Rik Ferguson — Wed, 19 Jan 2011 13:22:16 +0000

A report released this month by the
European Network and Information Security Agency (ENISA) has investigated the utility and applicability of cloud services for governments across Europe.

The report, entitled “Security and Resilience in Governmental Clouds” aims to provide a decision making model that can be used by governments and other public bodies, to assess the information security challenges posed by cloud computing and to guide them in the definition of their requirements when planning such a migration.

All in all it is a thorough piece of work and should absolutely be on the recommended reading for anyone; private enterprises included, considering the commercial benefits of cloud.

One conclusion of the report though did seem at best premature, if not a little under researched. The report recommends:

“its [public cloud] adoption should be limited to non-sensitive or non critical applications and in the context of a defined strategy for cloud adoption which should include a clear exit strategy.”

On the face of it this is sensible advice but unfortunately the report does not go on to address the strategies and technologies that exist to mitigate these risks, making public cloud a viable and secure platform for enterprises and public bodies alike.

Some of the risks identified in the report are: improper access to confidential data (either at the service provider or by intrusion), service provider lock-in due to proprietary technologies, lack of audit and monitoring capabilities, concerns over application and OS patching strategies and access to encryption keys among others. Unfortunately the recommendations while sound do not offer any concrete detail on architectural strategies that overcome these issues even though this is already a technical possibility, at least in the Infrastructure as a Service model.

The multi-tenanted nature of public cloud means that organisations need to be able to reduce their effective perimeter to the edge of their virtual machine, effectively segmenting their systems away from other customers. The service provider’s network should be treated as public. In the IaaS environment the customer retains ownership of and responsibility for the patch levels of their virtual machines, host level firewalling and vulnerability shielding offer the opportunity to neutralise the threat of exploitation of vulnerability, even in the absence of a patch. Log and file integrity monitoring offer a means of audit and control and in the IaaS environment are simple to implement at host level.

The challenge of data security in public clouds has typically been more complex to answer, as encryption services are usually managed by the cloud provider. Organisations need the ability to segment their data away from other customers but also away from the service provider. Service providers need that too, otherwise they risk inheriting some serious liability. Data should be provisioned to the cloud in an encrypted format, the data owner should retain ownership and control of the keys and only the customer’s own machines should be able to get access to those keys ensuring that the data is only ever in-the-clear inside the secure perimeter of their own virtual machines.

Properly architected data encryption that operates transparently and is engineered for the cloud, encryption that is managed by the customer and not the service provider is a business enabler. It accelerates adoption of cloud services, drives down costs, and allows regulatory and legislative compliance. It means you no longer have to worry about how you’re going to delete the cloud when you decide to change service provider.

Psst!… Want some free security software?

Rik Ferguson — Thu, 09 Sep 2010 16:20:42 +0000

Used under creative commons from elliottbledsloe's photostream

UPDATE: This promotion has now closed

Hopefully regular readers of the blog will have noticed that I try to avoid using Countermeasures to push product. However, this afternoon I have been offered 100 licence keys for our new Windows security software to give away to readers of the blog and I thought giving you free stuff was definitely something I should be doing!

Trend Micro Titanium was released this week and is already getting great reviews from journalists and testing houses alike. In all honesty, I love the product too, I know I sound like a shill but it has to be tried to be believed. Titanium is security software that has been designed not to get in your way, it won’t slow down your PC and at the same time it doesn’t compromise on the quality of protection. Anyway don’t take my word for it, give it a test drive and I’ll give you a free serial number.

You knew there was going to be a catch though, like Alice Cooper said “Nothing’s Free”… I only have 100 serial numbers to give away, so here’s what you have to do. Go here. Click the blue button to download a trial copy and install it. There’s an option to log in with your Facebook account rather than your email address if you prefer. The first 100 people to post a review of their experience with Titanium, either here as a comment to this blog post or on the Titanium page on Facebook will each get a 12 month subscription free of charge and obligation.

So there you have it, end of shameless promo!

Head in the Clouds, Feet on the Ground.

Rik Ferguson — Thu, 15 Jul 2010 13:28:01 +0000

If there’s one topic that’s apt to get security professionals uptight – and provoke stand-up rows in the office – then it’s cloud computing. Tony Lock from FreeformDynamics recently conducted a poll on the subject in a workshop for The Register.

The big issue is, of course, loss of control. If you trust your information to someone else’s servers, then you have to trust their security procedures and technical measures to look after it. That makes a lot of IT professionals uneasy, for very understandable reasons. But just like outsourcing anything, there is good and bad. All businesses outsource some things – things like cleaning, deliveries and physical security (burglar alarms, etc.) – for three reasons:

It’s not their speciality. They make widgets. And they have the staff they need to make, deliver, develop and support those widgets. Other people can do non-widget related activities better than they can;
They don’t need the overhead, time commitment and complexity that employing all these extra people demands. Yes, they could hire their own cleaner, but it’s a lot simpler to get on the phone and let a cleaning agency take care of that;
It’s a lot more cost-effective that way. Our widget company could invest in a worldwide fleet of planes, vans and delivery-people but that would be ludicrously expensive when they can phone a courier company and have them delivered for a few pounds a day.

So three very good reasons for outsourcing: better service, simplicity and cost. These lines of reasoning can easily be applied to IT. Outsourced IT can be better, simpler and cheaper. Yay, let’s go for it, say those hotheads in accounting.

Where this sort of analogy starts to fall down, however is in the risk assessment. If the cleaner doesn’t turn up, then it’s no big deal. If they don’t turn up on a regular basis, you fire the agency and get a new one. There might be a few more biscuit crumbs and sandwich remnants for the new cleaner to deal with, but no harm done, by and large.

If your outsourced IT services turn out to be useless, on the other hand, then the consequences could be pretty brutal. Your information could be exposed; you could lose access at a crucial moment or they could manage to lose the lot. You don’t want that to happen, because it could make you bankrupt or put you in prison.

But people don’t like risk-assessment, of course. It’s boring. It puts paid to a lot of exciting new things. It reminds you of your mum when you were five.

I hate to say it, though, but your mum was probably right.

Cloud Control

Rik Ferguson — Thu, 11 Feb 2010 19:13:58 +0000

Three quarters of UK CIOs see security as being the major barrier to cloud adoption and yet if you take a look at the Wikipedia (I know, I know) entry on cloud computing, “Security” is listed as one of the Key Characteristics of cloud-based services, how can this be?

One of the reasons for this apparent contradiction must surely lie with the language itself, and not the technology. We already know that the term “cloud” when applied to technology has a different meaning to everyone who uses it and everyone who hears it. Hell, the term “cloud” when applied to clouds has a multitude of possibilities! The truth is though the same is true of the term “security”.

If you talk to a sysadmin, a network admin, a coder, a hacker, a security guard, a facilities manager or a three star general about security then once again they will each have their own understanding of the definition, the aims and the means of achieving that elusive “security”. If you ask a C-level executive what security means, especially in the context of cloud, then they will have a different understanding again.

To an executive, security is all about control and accountability. Data and the management of data are the asset and the task that are currently mostly considered for delegation to cloud providers. Today’s legislation places a burden and corresponding sanctions on corporate executives to ensure that the data which they hold is stored and processed in a secure manner. Future legislation promises to extend this burden of accountability and the penalties for non-compliance can be severe, stretching, if you’ll pardon the pun, to even to jail-time.

When your most precious assets are tucked up tight in your own data centre, handled by your own employees on physical systems that you can secure discretely then creating an audit trail and accountability is far simpler. The control remains with the data owner. In the cloud environment as it currently stands, much of this control is outsourced, but none of the accountability.

Virtualisation, multi-tenancy and storage area-networks are the technological engines powering cloud services. The rapid provisioning of virtual machines across highly-scalable, highly available infrastructure gives cloud providers the economic advantage that is their business promise. Cloud customers need to be secure in the knowledge that they retain control over the secure perimeter of their virtual machine and that it is not dependent on any configuration at the provider end. Cloud customers need to know that their data is sufficiently encrypted in the SAN that it cannot be accessed or used by anyone other than those who hold the keys and that the keys are not held by the cloud provider.

In order to increase the acceptability of cloud to the enterprise executive, we need to design tools that ensure control over the security of key underlying technologies. It is only when a CIO has control that they can reasonably be expected to accept accountability.