Archive for December 2009

Web sites in their thousands selling on customer data

Over 4,000 so-called legitimate sites worldwide could be selling on subscriber or user data without the knowledge of their users, according to identity theft prevention firm SentryBay.

In an exclusive conversation with V3.co.uk, chief operating officer at the vendor, Marcus Whittington, explained that the figures come from a comprehensive database run by partner organisation, Lucid Intelligence.

The Lucid database offers a unique snapshot into the activity of identity fraudsters by comprising a list of user data which is being bought and sold on the black market.

Posted by gorrie 

Swamp Computing

Tired of reading yet another cloud security article? This is really the only one you need to read. If you don't have the attention span to read it all, read my excerpts.

Computer security researchers had previously shown that when two programs are running simultaneously on the same operating system, an attacker can steal data by using an eavesdropping program to analyze the way those programs share memory space. They posited that the same kinds of attacks might also work in clouds when different virtual machines run on the same server.

In the immensity of a cloud setting, the possibility that a hacker could even find the intended prey on a specific server seemed remote. This year, however, three computer scientists at the University of California, San Diego, and one at MIT went ahead and did it. They hired some virtual machines to serve as targets and others to serve as attackers--and tried to get both groups hosted on the same servers at Amazon's data centers. In the end, they succeeded in placing malicious virtual machines on the same servers as targets 40 percent of the time, all for a few dollars.


[...]

Gmail, Twitter, and Facebook are all cloud applications, for example. Web-based infrastructure services like Amazon's--as well as versions from vendors such as Rackspace--have attracted legions of corporate and institutional customers drawn by their efficiency and low cost.

[...]

"Today you have these huge, mammoth cloud providers with thousands and thousands of companies cohosted in them," says Radu Sion, a computer scientist at the State University of New York at Stony Brook. "If you don't have everybody using the cloud, you can't have a cheap service. But when you have everybody using the clouds, you have all these security issues that you have to solve suddenly."

[...]

Cloud computing actually poses several separate but related security risks. Not only could stored data be stolen by hackers or lost to breakdowns, but a cloud provider might mishandle data--or be forced to give it up in response to a subpoena. And it's clear enough that such security breaches are not just the stuff of academic experiments. In 2008, a single corrupted bit in messages between servers used by Amazon's Simple Storage Service (S3), which provides online data storage by the gigabyte, forced the system to shut down for several hours. In early 2009, a hacker who correctly guessed the answer to a Twitter employee's personal e-mail security question was able to grab all the documents in the Google Apps account the employee used. (The hacker gleefully sent some to the news media.) Then a bug compromised the sharing restrictions placed on some users' documents in Google Docs. Distinctions were erased; anyone with whom you shared document access could also see documents you shared with anyone else.

And in October, a million T-Mobile Sidekick smart phones lost data after a server failure at Danger, a subsidiary of Microsoft that provided the storage. (Much of the data was later recovered.) Especially with applications delivered through public clouds, "the surface area of attack is very, very high," says Peter Mell, leader of the cloud security team at the National Institute of Standards and Technology (NIST) in Gaithersburg, MD. "Every customer has access to every knob and widget in that application. If they have a single weakness, [an attacker may] have access to all the data."

To all this, the general response of the cloud industry is: clouds are more secure than whatever you're using now. Eran Feigenbaum, director of security for Google Apps, says cloud providers can keep ahead of security threats much more effectively than millions of individuals and thousands of companies running their own computers and server rooms. For all the hype over the Google Docs glitch, he points out, it affected less than .05 percent of documents that Google hosted. "One of the benefits of the cloud was the ability to react in a rapid, uniform manner to these people that were affected," he says. "It was all corrected without users having to install any software, without any server maintenance."

Think about the ways security can be compromised in traditional settings, he adds: two-thirds of respondents to one survey admitted to having mislaid USB keys, many of them holding private company data; at least two million laptops were stolen in the United States in 2008; companies can take three to six months to install urgent security patches, often because of concern that the patches will trigger new glitches. "You can't get 100 percent security and still manage usability," he says. "If you want a perfectly secure system, take a computer, disconnect it from any external sources, don't put it on a network, keep it away from windows. Lock it up in a safe."

But not everyone is so sanguine. At a computer security conference last spring, John Chambers, the chairman of Cisco Systems, called cloud computing a "security nightmare" that "can't be handled in traditional ways." At the same event, Ron Rivest, the MIT computer scientist who coinvented the RSA public-key cryptography algorithm widely used in e-commerce, said that the very term cloud computing might better be replaced by swamp computing. He later explained that he meant consumers should scrutinize the cloud industry's breezy security claims: "My remark was not intended to say that cloud computing really is 'swamp computing' but, rather, that terminology has a way of affecting our perceptions and expectations. Thus, if we stop using the phrase cloud computing and started using swamp computing instead, we might find ourselves being much more inquisitive about the services and security guarantees that 'swamp computing providers' give us."


[...]

Amazon announced plans to offer a "private cloud" service that ensures more secure passage of data from a corporate network to Amazon's servers. (The company said this move was not a response to the research by the San Diego and MIT group. According to Adam Selipsky, vice president of Amazon Web Services, the issue was simply that "there is a set of customers and class of applications asking for even more enhanced levels of security than our existing services provided.")


[...]

The problem of how to manipulate encrypted data without decrypting it, meanwhile, stumped researchers for decades until Gentry made a breakthrough early in 2009. While the underlying math is a bit thick, Gentry's technique involves performing calculations on the encrypted data with the aid of a mathematical object called an "ideal lattice." In his scheme, any type of calculation can be performed on data that's securely encrypted inside the cloud. The cloud then releases the computed answers--in encrypted form, of course--for users to decode outside the cloud. The downside: the process eats up huge amounts of computational power, making it impractical for clouds right now. "I think one has to recognize it for what it is," says Josyula Rao, senior manager for security at IBM Research. "It's like the first flight that the Wright Brothers demonstrated." But, Rao says, groups at IBM and elsewhere are working to make Gentry's new algorithms more efficient.


[...]

"Clouds are systems," says NIST's Peter Mell. "And with systems, you have to think hard and know how to deal with issues in that environment. The scale is so much bigger, and you don't have the physical control. But we think people should be optimistic about what we can do here. If we are clever about deploying cloud computing with a clear-eyed notion of what the risk models are, maybe we can actually save the economy through technology."

Copyright Technology Review 2009.

The full article also covers the computational expense of constantly encrypting and decrypting data, interoperability concerns between competing providers that resemble those of the 1990s, and other anticipated challenges along the way.

Not a bad attempt at a future-and-failures-in-a-nutshell article.

As with current thinking on carbon-based fuels, the added costs of risk exposure and additional governance need to be baked into so-called cloud and virtualized offerings.

The threat landscape for internet applications has expanded enormously in only a few years, driven by virtualization, the massively increased distribution of assets, the explosion of wireless access, and quick-to-market applications carrying unprecedented numbers of software flaws that risk disclosing private data.

I say this not to criticize innovation or aggressive, fast-paced development, but to make clear, to those who do not yet realize it, that access must be reined in and controlled from the inception of these services if they are to be controlled at all.

Without the foresight to build infrastructure securely, intractable systemic problems create the space for an unintended market in leaked or stolen information. Nature abhors a vacuum, and in highly complicated systems there will invariably be backwaters where this occurs.

The trick is to build modular systems that guard against inappropriate disclosure at each step, following the defense-in-depth model. Once real costs are assigned to risk, by way of open data and published metrics, market forces should make this a reality.
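Gentry's scheme, quoted above, is far too heavy to show here, but the principle it extends, that an untrusted host can compute on ciphertexts it cannot read, can be demonstrated with the older, additively homomorphic Paillier cryptosystem. The following is an added example written for this post, not code from the Technology Review article, from Gentry or from IBM: a client encrypts a handful of values, a function standing in for the cloud provider combines the ciphertexts using only the public key, and the client decrypts the result. The toy-sized default primes and the constructed salary figures are assumptions for the demonstration; Paillier supports only addition of ciphertexts and multiplication by a known constant, not the arbitrary computation Gentry's scheme allows.

```python
import math
import secrets

# Added example: the Paillier cryptosystem, which is additively homomorphic.
# It is NOT Gentry's fully homomorphic ideal-lattice scheme; it only supports
# adding ciphertexts and multiplying a ciphertext by a known constant.


def keygen(p=104729, q=1299709):
    """Return (public_key, private_key).

    The default primes are toy-sized and are an assumption for this demo
    (the 10,000th and 100,000th primes); real keys need ~1024-bit primes each.
    """
    if p == q or math.gcd(p * q, (p - 1) * (q - 1)) != 1:
        raise ValueError("p and q must be distinct primes with gcd(pq, (p-1)(q-1)) == 1")
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)  # lcm(p - 1, q - 1)
    g = n + 1                                           # standard simple generator
    mu = pow(lam, -1, n)                                # lam^-1 mod n (Python >= 3.8)
    return (n, g), (lam, mu, n)


def encrypt(pub, m):
    """E(m) = g^m * r^n mod n^2 with a fresh random r in Z_n^*."""
    n, g = pub
    if not 0 <= m < n:
        raise ValueError("message must satisfy 0 <= m < n")
    n2 = n * n
    while True:
        r = secrets.randbelow(n)
        if r > 0 and math.gcd(r, n) == 1:
            break
    return (pow(g, m, n2) * pow(r, n, n2)) % n2


def decrypt(priv, c):
    """D(c) = L(c^lam mod n^2) * mu mod n, where L(u) = (u - 1) / n."""
    lam, mu, n = priv
    u = pow(c, lam, n * n)
    return (((u - 1) // n) * mu) % n


def add_encrypted(pub, c1, c2):
    """Ciphertext of m1 + m2 (mod n), computed without the private key."""
    n, _ = pub
    return (c1 * c2) % (n * n)


def scale_encrypted(pub, c, k):
    """Ciphertext of k * m (mod n) for a known integer constant k."""
    n, _ = pub
    return pow(c, k, n * n)


def cloud_weighted_total(pub, ciphertexts, weights):
    """What the untrusted host runs: it holds only the public key, the
    ciphertexts and the (public) weights, never a plaintext."""
    acc = encrypt(pub, 0)  # fresh encryption of zero as the accumulator
    for c, w in zip(ciphertexts, weights):
        acc = add_encrypted(pub, acc, scale_encrypted(pub, c, w))
    return acc


def demo():
    """Client side: encrypt constructed sample salaries, ask the 'cloud' for
    their total, decrypt the answer locally. Returns the decrypted total."""
    pub, priv = keygen()
    salaries = [52000, 61000, 47000]   # constructed sample data
    ciphertexts = [encrypt(pub, s) for s in salaries]
    result = cloud_weighted_total(pub, ciphertexts, weights=[1, 1, 1])
    return decrypt(priv, result)


if __name__ == "__main__":
    print("decrypted total:", demo())
```

Running `demo()` the host never sees 52000, 61000 or 47000, only three large ciphertexts, yet the client decrypts the returned value to the total of 160000. Because every encryption draws a fresh `r`, encrypting the same value twice yields different ciphertexts, so the host cannot even tell whether two inputs are equal. Real deployments need primes of at least 1024 bits each, generated with a proper primality test, and the `pow(lam, -1, n)` modular inverse requires Python 3.8 or later.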

Filed under  //  amazon   cloud   google   malware   security   t-mobile  
Posted by gorrie 

Federal Data Breach Bill (H.R. 2221) Passes House

H.R. 2221 defines personal information as "an individual's first name or initial and last name, or address, or phone number, in combination with any 1 or more of the following data elements for that individual:

  • (i) Social Security number
  • (ii) Driver's license number or other State identification number
  • (iii) Financial account number, or credit or debit card number, and any required security code, access code, or password that is necessary to permit access to an individual's financial account."

Some more details include:

  • The Federal Trade Commission would be the responsible agency.
  • The FTC would ultimately define the proper technical procedures for protecting data.
  • Organizations that have data need to establish a data security policy.
  • Organizations must identify an information security officer.
  • Organizations must have a process for identifying vulnerabilities, and monitoring for breaches.
  • Organizations need a process for securely destroying data that is no longer required.
  • Breaches need to be reported to the consumers affected, and the FTC, unless:
    • "there is no reasonable risk of identity theft, fraud, or other unlawful conduct.", which will be defined by the FTC should the bill pass.
    • The organization experiencing the breach does not fall under the jurisdiction of the FTC.

Finally, a federal law is coming that defines a breach and sets a baseline for governance.

OpenCongress link

Filed under  //  breach   law  
Posted by gorrie 

Attackers Buying Own Data Centers

The malware writers and criminals who run botnets for years have been using shared hosting platforms and so-called bulletproof hosting providers as bases of operations for their online crimes. But, as law enforcement agencies and security experts have moved to take these providers offline, the criminals have taken the next step and begun setting up their own virtual data centers.

IP address space allocation is handled by five regional Internet registries (RIR), each of which is responsible for a particular group of countries. The RIRs work with large enterprises, ISPs, telecoms and other organizations that need large blocks of IP space. These organizations typically have to go through an application and screening process in order to get these allocations, including providing legal documentation listing the officers of the company, its business and why the address space is needed.

And that's the way it's supposed to work everywhere. Applicants who can't show a need for the IP space are told politely to take a walk. But in some cases, criminals have found a way around this by going through local Internet registries (LIR) or by taking advantage of RIRs that don't have the resources to investigate every application as fully as they'd like.

Technical adversaries are increasingly non-national entities: a fluid force that moves to wherever enforcement is not.

Posted by gorrie 

Militants Can Snoop on Most U.S. Warplanes, Drones

Tapping into drones’ video feeds was just the start. The U.S. military’s primary system for bringing overhead surveillance down to soldiers and Marines on the ground is also vulnerable to electronic interception, multiple military sources tell Danger Room. That means militants have the ability to see through the eyes of all kinds of combat aircraft — from traditional fighters and bombers to unmanned spy planes. The problem is in the process of being addressed. But for now, an enormous security breach is even larger than previously thought.

The military initially developed the Remotely Operated Video Enhanced Receiver, or ROVER, in 2002. The idea was let troops on the ground download footage from Predator drones and AC-130 gunships as it was being taken. Since then, nearly every airplane in the American fleet — from F-16 and F/A-18 fighters to A-10 attack planes to Harrier jump jets to B-1B bombers has been outfitted with equipment that lets them transmit to ROVERs. Thousands of ROVER terminals have been distributed to troops in Afghanistan and Iraq.

But those early units were “fielded so fast that it was done with an unencrypted signal. It could be both intercepted (e.g. hacked into) and jammed,” e-mails an Air Force officer with knowledge of the program. In a presentation last month before a conference of the Army Aviation Association of America, a military official noted that the current ROVER terminal “receives only unencrypted L, C, S, Ku [satellite] bands.”

So the same security breach that allowed insurgents to use satellite dishes and $26 software to intercept drone feeds can be used to tap into the video transmissions of any plane.

[Photo: USAF]

Once again, the WSJ uses "hack" wrongly. Insurgents, well funded and highly motivated, spent a handful of dollars on software and are eavesdropping on unencrypted satellite and downlink signals. This isn't a feat; it is basic functionality.

As usual, it isn't as bad as the media makes it out to be. There is no hack, only signals intelligence gathered by eavesdropping on unencrypted communications. No one is taking control of drones. The sloppy deployment and management of some of these capabilities, specifically the ROVER terminals and downlinks, is shameful.

Look at the wide variety of reporting: some of it is inaccurate, and an earlier dismissal of the problem was wrong as well.

This is pathetic. If the United States armed forces' technology game is this out to lunch, they clearly need some oversight to make sure they're not making basic mistakes in their technology infrastructure.

Filed under  //  eavesdropping   infowar  
Posted by gorrie 

Akamai service to stop data center attacks

Akamai Technologies is introducing a cloud-based managed service called Web Application Firewall it claims will head off the bulk of Web applications attacks before they get inside corporate data centers.

Application firewalls within Akamai's network of more than 55,000 servers worldwide weed out the most common application exploits, including SQL injection and cross-site scripting, among others listed by the Open Web Application Security Project as the most prevalent.

Definitely a step in the right direction: blocking the OWASP hit list within widely used hosted services. I hope they will post metrics on their successes and failures in the coming months.
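A signature-based filter of the kind Akamai describes works only if it canonicalizes a request before matching, since the same SQL injection or cross-site scripting payload can arrive URL-encoded, double-encoded or entity-encoded. The following added example, written for this post and not Akamai's product or ruleset, is a minimal filter of that kind run over a few constructed request lines. The patterns are illustrative assumptions, far smaller than the OWASP/ModSecurity Core Rule Set, and the `canonicalize_input` flag exists only to show how a double-encoded payload slips past a filter that matches without normalizing.

```python
import html
import re
import urllib.parse

# Added example (not Akamai's product or ruleset): a minimal signature-based
# request filter of the kind an edge WAF applies, plus the canonicalization
# step that makes signatures meaningful. Patterns are illustrative assumptions.

SIGNATURES = {
    "sqli": [
        re.compile(r"(?i)\bunion\b[\s/*]+(all[\s/*]+)?\bselect\b"),  # UNION SELECT
        re.compile(r"(?i)\bor\b\s+['\"]?\d+['\"]?\s*=\s*['\"]?\d+"),  # OR 1=1
        re.compile(r"(?i)(^|;|\s)drop\s+table\b"),
        re.compile(r"'\s*(--|#)"),                                    # quote + comment
    ],
    "xss": [
        re.compile(r"(?i)<\s*script\b"),
        re.compile(r"(?i)\bon(load|error|click|mouseover)\s*="),
        re.compile(r"(?i)javascript\s*:"),
    ],
}


def canonicalize(value, max_rounds=3):
    """Percent-decode until stable (defeats double encoding), unescape HTML
    entities, collapse whitespace. unquote_plus also turns '+' into a space,
    which is right for query strings but would be wrong for a raw body."""
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    value = html.unescape(value)
    return re.sub(r"\s+", " ", value)


def inspect_request(request_line, canonicalize_input=True):
    """Classify one 'METHOD /path?query' request line.

    Returns ("block", category) on the first signature hit, else ("allow", None).
    canonicalize_input=False matches the once-decoded value as-is, to show
    why a filter without normalization misses double-encoded payloads."""
    _method, _, target = request_line.partition(" ")
    path, _, query = target.partition("?")
    # parse_qsl percent-decodes each value once; a double-encoded payload
    # comes out still encoded once, which canonicalize() then unwraps.
    fields = [path] + [v for _, v in urllib.parse.parse_qsl(query, keep_blank_values=True)]
    for raw in fields:
        text = canonicalize(raw) if canonicalize_input else raw
        for category, patterns in SIGNATURES.items():
            if any(p.search(text) for p in patterns):
                return "block", category
    return "allow", None


# Constructed sample request lines (not real traffic).
SAMPLE_REQUESTS = [
    "GET /products?id=42",
    "GET /products?id=42%27%20OR%201%3D1--",                         # ' OR 1=1--
    "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E",               # <script>
    "GET /search?q=%253Cscript%253Ealert(1)",                        # double-encoded
    "GET /login?user=admin%27%20UNION%20SELECT%20password%20FROM%20users--",
    "GET /faq?q=how+do+I+select+a+union+plan",                       # benign words
]


def run_samples(requests=SAMPLE_REQUESTS, canonicalize_input=True):
    """Return [(request_line, verdict, category), ...] for the samples."""
    return [(r, *inspect_request(r, canonicalize_input)) for r in requests]


if __name__ == "__main__":
    for line, verdict, category in run_samples():
        print(f"{verdict:5s} {category or '-':5s} {line}")
```

`run_samples()` returns one `(request, verdict, category)` tuple per sample; only the double-encoded `<script>` request changes verdict when `canonicalize_input=False`. This is also why the metrics the post asks for matter: every such ruleset trades false negatives (encodings or syntax it has no pattern for) against false positives (the benign "select a union plan" query is allowed here only because the `union ... select` pattern is order-sensitive), and neither rate is visible without measurement.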

Filed under  //  WAF   owasp  
Posted by gorrie 

Hackers Brew Self-Destruct Code to Counter Police Forensics

Wired hits on the whole COFEE/DECAF escalation.

Filed under  //  anti-forensics   coffee   decaf   wired  
Posted by gorrie 

Amazon EC2 cloud service hit by botnet, outage

The folks who run Amazon's EC2 cloud service must be happy the week is nearly over.

The cloud-based EC2 (Elastic Compute Cloud) was kept jumping this past week by two incidents: a compromised internal service that triggered a botnet, and a data center power failure in Virginia.


[...]

Responding to a request for comment, an Amazon representative said Friday: "We take all claims of misuse of the services very seriously and investigate each one. When we find misuse, we take action quickly and shut it down...which we did in this case. Our terms of usage are clear and we continually monitor and work to make sure the services aren't used for illegal activity. We also take the privacy of our customers very seriously, and don't inspect their instances. This is part of the reason why legitimate customers of all types are comfortable running production applications on Amazon EC2."

The representative also added: "It's also important for developers who leverage cloud services to use the same security best practices that they would if they were operating in their own data center or a colocation facility. We provide security best practices to help customers protect themselves from malicious users inside or outside of the cloud."


[...]

At least one other site hosted on EC2 has also been the victim of cyberattacks. In October, hosting service Bitbucket was knocked offline for a long stretch of time by a distributed denial of service (DDoS), an incident described in detail by The Register.

Updated at 2:25 p.m. PST with a response from Amazon.

It's an interesting line to walk between customer privacy and malware hosted in the cloud.

It is also worth mentioning that in most situations, once an instance is no longer running and its data has been deleted in a cloud environment, there is no viable forensic recovery.

Filed under  //  amazon   cloud   malware  
Posted by gorrie 

US spooks storing our pupils' prints

Vericool, which supplied the software to Kingsbridge Community College in Devon, is owned by US company Anteon, used by many US government departments including security and counter terrorism.

The system used at the school copies the unique contour of each youngster’s fingerprint, but head teacher Roger Pope insists it is impossible for the digital record to be used to recreate a complete fingerprint.

One pupil said: “This is the sort of biometric information banks of the future could use to access accounts.”

A good example of responsible people considering future risks of biometric data.

Filed under  //  biometric   data promiscuity   outsourcing  
Posted by gorrie