Archive for the 'Cloud' Category

Mar 05 2014

DDoS becoming a bigger pain in the …

Published by under Cloud,General,Hacking,Risk

I’m in the middle of writing the DDoS section of the 2013 State of the Internet Report, which is something that makes me spend a lot of time thinking about how DDoS is affecting the Internet (Wouldn’t be all that valuable if I didn’t put some thought into it, now would it?).  Plus I just got back from RSA where I intereviewed DOSarrest’s Jag Bains and talked to our competitors at the show. Akamai finally closed the deal on Prolexic about three weeks ago, so my new co-workers are starting to get more involved and being more available.  All of which means that there’s a ton of DDoS information available at my fingertips right now and the story it tells doesn’t look good.  From what I’m seeing, things are only going to get worse as 2014 progresses.

This Reuters story captures the majority of my concerns with DDoS.  As a tool, it’s becoming cheaper and easier to use almost daily.  The recent NTP reflection attacks show that the sheer volume of traffic is becoming a major issue.  And even if volumetric attacks weren’t growing, the attack surface for application layer attacks grows daily, since more applications come on line every day and there’s no evidence anywhere I’ve ever looked that developers are becoming at securing them (yes, a small subset of developers are, but they’re the exception).  Meetup.com is only the latest victim of a DDoS extortion scam, and while they didn’t pay, I’m sure there are plenty of other companies who’ve paid simply to make the problem go away without a fuss.  After all, $300 is almost nothing compared to the cost of a sustained DDoS on your infrastructure, not to mention the reputational cost when you’re offline.

I’d hate to say anything like “2014 is the Year of DDoS!”  I’ll leave that sort of hyperbole to the marketing departments, whether it’s mine or someone else’s.  But we’ve seen a definite trend that the number of attacks are growing year over year at an alarming rate.  And it’s not only the number of attacks that are growing, it’s the size of the volumetric attacks and the complexity of the application layer attacks.  Sure, the majority of them are still relatively small and simple, but the outliers are getting better and better at attacking, Those of us building out infrastructure to defend against these attacks are also getting better, but the majority of companies still have little or no defense against such attacks and they’re not the sort of defenses you can put in quickly or easily without a lot of help.

I need to get back to other writing, but I am concerned about this trend.  My data agrees with most of my competitors; DDoS is going to continue to be a growing problem.  Yes, that’s good for business, but as a security professional, I don’t like to see trends like this.  I think the biggest reason this will continue to grow is that it’s an incredibly difficult crime to track back to the source; law enforcement generally doesn’t have the time or skills needed to find the attackers and no business I know of has the authority or inclination to do the same.  Which means the attackers can continue to DDoS with impunity.  At least the one’s who’re smart enough to not attack directly from their own home network, that is.

No responses yet

Nov 25 2013

Two more years of Snowden leaks

Published by under Cloud,Government,Privacy,Risk

I’ve been trying to avoid NSA stories since this summer, really I have.  I get so worked up when I start reading and writing about these stories and I assume no one wants to read my realistic/paranoid ranting when I get like that.  Or at least that’s what my cohosts on the podcast have told me.  But one of the things I’ve been pointing out to people since this started is that there were reportedly at least 2000 documents contained in the systems Edward Snowden took to Hong Kong with him.  There could easily be many, many more, but the important point is that we’ve only seen stories concerning a very small number of these documents so far.

One of the points I’ve been making to friends and coworkers is that given how many documents we’ve seen release, we have at least a year more of revelations ahead of us, more likely two or more.  And apparently people who know agree with me: “Some Obama Administration officials have said privately that Snowden downloaded enought material to fuel two more years of news stories.”  This probably isn’t what many businesses in the US who are trying to sell overseas, whether they’re Cloud-based or not.  

These revelations have done enormous damage to the reputation of the US and American companies; according to Forrester, the damage could be as much as $35 billion over the next three years in lost revenue.  You can blame Mr. Snowden and Mr. Greenwald for releasing the documents, but I prefer to blame our government (not just the current administration) for letting their need to provide safety to the populace no matter what the cost.  I don’t expect everyone to agree with me on this and don’t care if they do.  It was a cost calculation that numerous people in power made, and I think they chose poorly.

Don’t expect this whole issue to blow over any time soon.  Greenwald has a cache of data that any reporter would love to make a career out of.  He’s doing what reporters are supposed to do and researching each piece of data and then exposing it to the world.  Don’t blame him for doing the sort of investigative reporting that he was educated and trained to do.  This is part of what makes a great democracy, the ability of reporters (and bloggers) to expose secrets to the world.  Democracy thrives on transparency.

As always, these are my opinions and don’t reflect upon my employer.  So, if you don’t like them, come to me directly.

No responses yet

Nov 17 2013

Using the Secret Weapon

Published by under Cloud,Personal,Simple Security

I’m not the most organized person in the world; I never have been and I never will be.  But I’ve usually been able to keep a modicum of organization in my life by using pen and paper and a notebook.  Sometimes things would fall through the cracks, as happens to everyone, but I can normally keep up.  Lately though, that hasn’t been true.  Since moving to the UK and expanding my role there, I have so much on my plate that just keeping up with tasks has been a major issue.  So I did what any good security geek does, I asked on Twitter about the tools others are using and how they use it to track their todo list.  By some margin, the biggest response I got was Evernote and The Secret Weapon.

Evernote is a free, with upgrade to premium, note taking/scrapbooking/catch-all program that’s been around for a few years.  I’d signed up when it first came out, but never really understood how to use it for myself.  The Secret Weapon isn’t a piece of software, but instead a way to use Evernote with your email and the Getting Things Done (GTD) system.  Basically, there are a set of tutorials on the Secret Weapon site that walk you through how to set up Evernote and your email and how to use the system going forward.  In all, you can watch the videos in about an hour, though I’d suggest you watch the first few, let it percolate for a little while, watch one or two more, etc. until you’ve watched them all over a few days.  It gives you a very good point to start from for using this system.

Like many people, I’ve had to modify the GTD/TSW methodology to meet my own needs and work style.  I’ve been using a number of the GTD principals for some time without realizing it.  I’m using Mail.app on OSX which allows me to use Smart Mailboxes to tag and flag emails, but I leave them in my inbox, which acts as my archive folder.  And since I’m using Mail, I don’t have the easy integration that would be available if I was using Outlook.  But then I’d have to use Outlook, so I consider manually cutting and pasting into tasks in Evernote to be the lesser of two evils.

Once you’ve set up the system, getting hooked on the organization it gives you is incredibly quick.  I love that I can tag my todo list by priority, project, people involved and any number of other aspects.  I love being able to tell at a glance exactly which projects I should be working on today and knowing that I haven’t forgotten anything major (unless I’ve forgotten to enter it into Evernote). And I’ve started to take more and more of my meeting notes in Evernote as well, though using a keyboard instead of pen and paper can be a bit distracting for me as well as those around me.

And then there’s the downsides.  The biggest concern I have by far is the security of Evernote; you can’t encrypt your notes except individually, which is unrealistic if you have dozens or hundreds of notes, which is bound to be the case once you’ve been using it for a while.  Evernote does have a two-factor authentication capability, but I have yet to try it and I’m not sure I can use it given the amount of travel I do; I never know how much connectivity I’m going to have on any given day.  Evernote has both iOS and Android applications available and I’m starting to dip my toes into them, but quite frankly they both seem to be pretty hard to use, other than for checking the status of your projects.  I’m not very satisfied with the user interface with either operating system and don’t know if I have the patience to deal with them.

The other piece of software that several people suggested I try is Omnifocus.  It also offers integration with iOS devices, but both the desktop and phone/tablet versions are pay for.  And there’s no Android support for the program, which is a pain for me as I have an Android phone and I’m shifting to using my Nexus 7 more than my iPad as time goes by.  

The bottom line for me is that TSW and Evernote works well, but I’m very concerned about having my organizational matrix on the Internet in a way that is much less secure than it could be.  I’d upgrade to a premium account if that’s what it took me to get that encryption and I may end up upgrading since I’m using it so much anyway.  I’m not sending my email to Evernote wholesale as is suggested by TSW tactics, so I feel less uncomfortable than I could be, but I’m still not happy with this security lapse.  

Let me know what your experience has been using Evernote and The Secret Weapon.

 

2 responses so far

Nov 04 2013

Attacking the weakest link

Published by under Cloud,Government,Hacking,Privacy,Risk

I spend far too much time reading about governmental spying on citizens, both US and abroad.  It’s a job hazard, since it impacts my role at work, but it’s also what I would be researching and reading about even if it wasn’t.  The natural paranoia that makes me a good security professional also feeds the desire to know as much as possible about the people who really are spying on us.  You could almost say it’s a healthy paranoia, since even things I never would have guessed have come to pass.  

But every time I hear about someone who’s come up with a ‘solution’ that protects businesses and consumers from spying, I have to take it with a grain of salt.  A really big grain of salt.  The latest scheme is by Swisscom, a telecommunications company in Switzerland that wants to build a datacenter in that country to offer up cloud services in an environment that would be safe from the US and other countries’ spying.  The theory is that Swiss law offers many more protections than other countries in the EU and the rest of the world and that these legal protections would be enough to stop the data at rest (ie. while stored on a hard drive in the cloud) from being captured by spies.  The only problem is that even the Swisscom representatives admit that it’s only the data at rest that would be protected, not the data in transit.  In other words, the data would be safe while sitting still, but when it enters or leaves Swiss space, it would be open to interception.  

It was recently revealed that the NSA doesn’t need to get to the data at rest, since they simply tap into the major fiber optic cables and capture the information as it traverses the Internet.  Their counterparts here in the UK do the same thing and the two organizations are constantly sharing information in order to ‘protect us from terrorists’.  Both spy organizations have been very careful to state that they don’t get information from cloud providers without court orders, but they haven’t addressed the issue of data in motion. 

So while the idea of a Swiss datacenter built to protect your data is a bit appealing, the reality is that it wouldn’t do much to help anyone keep their data safe, unless you’re willing to move to Switzerland.  And even then, this solution wouldn’t help much; this is the Internet and you never know exactly where your data is going to route through to get to your target.  If it left Swiss ‘airspace’ for even one hop, that might be enough for spy agencies to grab it.  And history has proven that at least GCHQ is willing to compromise the data centers of their allies if it’ll help them get the data they believe they need.  

No responses yet

Oct 24 2013

LinkedIn Outro

“I know!  Let’s build a man in the middle (MITM) attack into our iPhone app so that we can inject small bits of information into their email that show how useful our site and service are.  At the same time we’ll now have access to every piece of email our users send, and even if we only have the metadata, well, that’s good enough for the NSA and other national spying agencies, isn’t it?  Let’s do it!”

I have to imagine the thinking was nothing like that when LinkedIn decided to create Intro, but that’s basically what the decided to do anyway.  If you read the LinkedIn blog post, you can see that they knew that what they were doing is a MITM attack against your email, even if they are calling it a proxy.  They’ve broken the trusted, or semi-trusted, link between you and your IMAP provider in order to get access to your email so they could insert a piece of HTML code into each and every email you receive.  Additionally, they’ve figured out how to make it so that this code is executable directly in you’re email.

Basically, what LinkedIn is asking you to do is create a new profile that makes them the proxy for all your email.  This is similar to what you do for your corporate email when setting it up on a new phone, but rather than having something that’s finely tuned for that corporation, LinkedIn makes the new profile on the fly by probing your phone’s configuration and basing it on the settings it finds.  

I have a hard time believing that someone at LinkedIn didn’t wave a red flag when this was brought up.  You’re asking users to install a new profile making you their new trusted source for all email, you’re asking that they trust you with their configuration and you’re capturing, or at least having access to the stream of all authentication data for their email.  Didn’t anyone at LinkedIn see a problem with that?  I have to imagine there are plenty of corporate email administrators who’ll have a problem with it.

Given recent history and the revelations that metadata about a person’s communications, LinkedIn is  audacious to say the least.  They know what they have, or at least want to have: information similar to what Google and Facebook have about your daily contacts and habits.  This is a huge data mining operation for them, aimed at learning everything they can about their users and applying that to advertising.  But I think they have overreached in their their desire to have this information and are going to get shut down hard by Apple.  And this doesn’t even take into account the fact that they’ve already had data breaches and are being sued for reaching into consumers’ calendars and contact information.

I don’t think LinkedIn has been a good steward of the information they’ve had before, and there’s no way I’d install Intro onto one of my iDevices if I was a heavy user.  The fact is, I have an account that I mostly keep open out of habit and this is nearly enough to make me shut it down for good.  If I wanted my every move tracked, I’d just keep open a Facebook tab in my browser. And while they may not be much of an example when it comes to privacy, I guess Facebook is a great example when it comes to profitability.  Way to go LI.

 

No responses yet

Oct 20 2013

Yandex selling Cocaine?

Published by under Cloud,Humor

Talk about subtle marketing, Russian search engine Yandex has started a new cloud offering called Cocaine.  “Grab some cocaine in containers” is one of their taglines.  I’m sure someone is buying, but I wonder how they expect to get this delivered for their late night parties.

I want to say something about hosting your app engine in Russia, but right now I’m not certain that having it based there is any worse to many people than having it based in the US.  I would strongly suggest anyone considering building a new application to review the laws in Russia as well as the contract they’re signing.  Of course I’d suggest the same to anyone building upon a service based in the US as well.  In any case, encrypt your storage as securely as you can, no matter where you’re storing the application data!

I wonder how developers are going to explian that their applications are built using Cocaine?  This isn’t the 80′s and such things aren’t as acceptable as they once were.  

No responses yet

Oct 14 2013

Your email won’t be any safer over here

I’m not sure why anyone has the illusion that their data would be safer in Europe than it might be in the US.  While some of the countries in Europe seem to have better laws for protecting email, it’s not a clear cut thing and there are always trade-offs.  While they might have better protections for data at rest, while in transit it might be fair game, or vice versa.  Plus, if you’re an American, you’re the foreigner to those nations, so many of the protections you might think you’re getting are null and void for you.

Rather than simply speculate, as many of us do, Cyrus Farivar at Ars Technica has written an article, Europe Won’t Save You: Why Email is Probably Safer in the US.  If you examine the laws closely, you’ll find that while countries like Germany appear to have stronger privacy laws, some of the caveats and edge cases make a lie of that appearance.  In this particular example, German law puts a  gag order in place by default that prevents your service provider from notifying you in case they’re served with a subpoena or similar device.  Think on that for a moment: if your service provider is served, you’ll never hear about it by default, rather than only when the large intelligence agencies take an interest in you.

Since I moved to the UK I’ve been hip deep in similar arguments with regards to cloud service providers.  Many folks in and around Europe seem to think that their own laws will somehow protect them from the threat of having their data raided by the NSA or some other, even more shadowy US organization.  But the reality is that in many countries they have less protection from their own governments than they do from the US.  Which barely scratches the fact that the core internet routers in many, if not all, countries are compromised by multiple governments, who are getting feeds of every packet that flows across their infrastructure.

The other concern that I hear quite often is about US businesses and information leaving the European Union.  I find this concern interesting, and believe it is likely to be a much more legitimate issue.  In the EU, the data protection laws appear to be much stronger than they are in the US, especially the Safe Harbor Principles.  But the reality is that businesses see the value of having as much personal information as they can get their hands on, so Safe Harbor is given lip service, while the businesses find ways to get around these requirements.  Or in many cases, ask users to opt out of some of the protections to get additional functionality out of a site.

Don’t think that hosting your email or other service is going to protect you if a government wants to get its digital fingers into your email.  As Farivar points out, the closest thing you’ll have to privacy is if you store your email on your own devices and encrypt it with your own encryption keys.  Storing it anywhere else leaves you open to all sorts of questionable privacy laws between you and your hosting provider.  You can’t just consider the jurisdiction you’re in, you have to consider every route your data might take between point A and point Z.  Being the Internet, you’ll never know exactly what route that is going to be.

Personally, I’m not pulling the plug on my Gmail account any time soon.  No government is worse than Google when it comes to intrusive monitoring of your email, lets be honest.

No responses yet

Oct 13 2013

Time to change DNS methods

I’m going to ignore the whole question of whether or not social engineering is ‘hacking’ for now.  The difference between the two is mostly academic, since the effect of having your site hacked due to a weakness in the code and having all your traffic redirected to a site that the bad guys own is immaterial.  Either way, your company is effectively serving up something other than the page you intended, which is what really matters.

There have been a number of high profile sites that have recently been attacked through their DNS registrar.  Registrars are the companies who are responsible for keeping track of who owns which domains and providing the base DNS information for where to find the systems associated with a domain.  In theory, they’re supposed to be some of the most heavily defended type of enterprise on the Internet.  But the practice is different from theory, and even registrars have their weaknesses.  In the case of Register.com, this appears to be social engineering attacks.

The latest victims of social engineering attacks were Rapid7 and the Metasploit project, as were AVG Antivirus, Avira and WhatsApp.  What’s almost funny about the latest attack is that the attackers had to send a fax in as part of the change request to make the changes.  To think that a technology that had it’s heyday in the 80′s would be the method used to attack companies in the second decade of the 21st century is amusing.  Hopefully Register.com has already begun reviewing their processes to prevent a similar event from happening again in the future.  And, again hopefully, other registrars are learning from the mistakes of Register.com and reevaluating their own processes.

There is something companies can do to lessen the chance of a similar attack happening to them, called a registrar lock. This isn’t a step a lot of companies have taken yet, since it slows down the change process by requiring the administrator to first unlock the domain before making any changes, a step that has varying complexity depending on the registrar.  Also, not all registrars support locking, so this isn’t always an available option.  If your registrar doesn’t support registrar locking, it’s time to push for it or consider a new registrar.  That last part usually gets their attention.

I do understand the pressure the registrars are under; on one hand they have to secure their clients’ DNS records, but on the other they have to be flexible for clients who have a hard time understanding the basics of DNS.  It’s not an enviable position to be in.  Which is why registrars have to work harder to prepare for social engineering attacks than most other businesses out there.  But understanding the pressure doesn’t mean I cut them any slack for failing in their duty.

Update: Add two more to the compromised list, Bitdefender and ESET.  And again Register.com is the common point of weakness.

No responses yet

Oct 02 2013

Malicious compliance from Lavabit

This was a brilliant move from Ladar Levison, the owner of the now shuttered private email service, Lavabit.  When the FBI compelled him to give up the encryption keys to his service for Edward Snowden, Levison complied, though quite a bit maliciously; the keys were given to the FBI in printed form on 11 pages of 4 point font.  I’m not sure why 5 512-bit encryption keys would require 11 pages at that size, but I have to approve of his method of delivery.

The disturbing part of this story isn’t how Levison delivered the keys to the FBI, but rather the overreach of the FBI to try to read the email of one person.  Apparently, the FBI agents weren’t satisfied with having the keys required to decrypt their target’s email, they actually wanted the master encryption keys to Lavabit’s entire archive.  This would have given them access to the email of 400,000 people who had subscribed to the Lavabit service, the equivalent of the city of Milwaukee.  It’s still not clear why this level of access is needed in order to investigate the crimes of one person, which the judge apparently agreed with, since he quashed the motion as well as the motion to put a gag order on Levison.

I’ve never had the opportunity to meet Levison, so I can’t make any comments on his personality or ethics, but I have to applaud his efforts to protect the privacy of his clients, to the point of having to close his business.  If Microsoft, Google and other tech giants had shown even a fraction of his willpower to push back on a law enforcement regime that has been pushing it’s power to the edge of abuse and past it, we’d be having a very different discussion in public right now.  Except most citizens of the US have already forgotten that this conversation is even going on.  Europe, on the other hand, is very aware.

No responses yet

Mar 04 2012

RSAC 2012 Microcast: AlertLogic

Published by under Cloud,Podcast

My first interview this year at the 2012 RSA Conference was with Urvish Vashi from AlertLogic.  We talked briefly about the recent acquisition of ArmorLogic, but my real interest was the State of Cloud Security Report issued by AlertLogic.  It’s an interesting report and gives us some fuel for the debate about which is more secure, cloud or on-premise.  But it’s a first effort and raises more questions than it answers and definitely doesn’t answer the ‘which is more secure’ question.  It’s hard when you’re comparing apples to cucumbers, which is what AlertLogic has done, unless they’ve normalized the data to take into account that desktops are included in the statistics.  Which they fully acknowledge, by the way.

RSAC 2012 Microcast:  AlertLogic

No responses yet

Next »