Cloud Threat : Malicious Insiders

1.   A lesser known fact but a serious threat comes in form of a malicious insider ie the people who work for the organisation delivering the cloud services.In a typical organisation,one malicious insider can put the company in serious trouble and embarassment unless all are monitored by placing strict access controls and policies.Thus the threat multifolds in capacity of doing damage in case of companies who offer cloud models as service since all services and customers under a single management domain, combined with a general lack of transparency into provider process and procedure. For example, a provider may not reveal how it grants employees access to physical and virtual assets, how it monitors these employees, or how it analyzes and reports on policy compliance.To complicate matters, there is often little or no visibility into the hiring standards and practices for cloud employees. This kind of situation clearly creates an attractive opportunity for an adversary — ranging from the hobbyist hacker, to organized crime, to corporate espionage, or even nation-state sponsored intrusion. The level of access granted could enable such an adversary to harvest confidential data or gain complete control over the cloud services with little or no risk of detection. 

2.   Recommendations by CSA are put up below :

-  Enforce strict supply chain management and conduct a comprehensive supplier assessment.

-  Specify human resource requirements as part of legal contracts.

-  Require transparency into overall information security and management practices, as well as compliance reporting.

-   Determine security breach notification processes.

3.   Thanks CSA

Cloud Threat : Unknown risk profile

1.    The best thing all of us like and promote about cloud is that we have very little and reduced investment in software and hardware and also that the cloud user is able to focus on his core business.Like for a bank he should not be worried about what server should he buy or what storage should he provision...the bank should be able to focus on how to improve the banking procedures and profits.So this way the distraction is less for the prime user.But at the same time these benefits must be weighed carefully against the contradictory security concerns which are complicated by the fact that cloud deployments are driven by anticipated benefits, by groups who may lose track of the security requirements and musts.Would ever the Bank,in an case example,bother to know the Versions of software, code updates, security practices, vulnerability profiles, intrusion attempts, and security design ?I am sure no bank would do that once they have outsourced their worries to the Cloud.Details and Information with whom the same infrastructure is being shared becomes critical.One loose hole and u get compromised.Although this is not so easy....but we should know that the cyber criminals and hackers work more then us to keep all of us on toes and if successful then on Knees:-)

2. An old, 2009, real case example exploiting this specific threat is available at http://www.pcworld.com/article/158038/heartland_has_no_heart_for_violated_customers.html

3.  Recommendations by CSA :

-  Disclosure of applicable logs and data.

-  Partial/full disclosure of infrastructure details (e.g., patch levels, firewalls, etc.).

-  Monitoring and alerting on necessary information.

4.  Thanks https://cloudsecurityalliance.org

Cloud Threat : Insecure Interfaces and APIs

1.    How does a typical cloud user interacts,manages and configures his cloud ? This interaction is achieved with Cloud Computing providers exposing the user to a set of software interfaces or APIs.Thus the overall demand,settings,managing and all configuration is achieved using this interface and APIs only.Thus comes the aspect of security of handling and designing these interfaces and APIs.The security and availability of ANY cloud service is dependent upon the security of these basic APIs. From authentication and access control to encryption and activity monitoring, these interfaces must be designed to protect against both accidental and malicious attempts to circumvent policy.Not only this,but all the third parties often build upon these interfaces to offer value-added services to their customers. This introduces the complexity of the new layered API.The recommended remediation's vide CSA are mentioned below :

- Analyze the security model of cloud provider interfaces.

- Ensure strong authentication and access controls are implemented in concert with encrypted transmission.

- Understand the dependency chain associated with the API

2.   Thanks CSA : CLOUD SECURITY ALLIANCE

Cloud Threat : Shared Technology Issues

1.   When a computer processor is designed/manufactured...viz core 2 Duo or quad-core processor or for this purpose any processor,the processor doesn't know what will it be finally used for....I mean it may be used as a standalone machine or a server machine!!!Here's the issue..ie this processor was not meant to be used for cloud....but how does this matter?This matter because from the security point of view this processor was meant to support strong ISOLATION properties which is not the case in routine manufacturing.Only dependent on the hypervisors for the regular interface as discussed at an earlier post here.In cases of cloud we have to handle two platforms ..one is the OS running like windows or any other OS which comes along with inbuilt and already exploited vulnerabilities that keep getting patched(what about Zero day???) and the other is hypervisor vulnerabilities(just google on hypersvisor vulnerabilities and u see what's in store to get surprised).Both of these combined together would be deadly if not taken care of...because in the cloud world, reacting to a damage would be like taking some one to hospital after an accident or a bomb blast whereas it should be the other way round....remove all possibilities of the accident and ensure 100% secure Areas....latter being too tough to imagine in current environment.

2.   I read about this few years back when I was not very much clear on Cloud Computing concepts(though still naive but better then past!!! :-),there was an incident involving a hypervisor breach that was not widely publicized.Now if u know about XBox 360(is a video game console developed by Microsoft that competes with Sony's PlayStation 3 and Nintendo's Wii),it has an embedded hypervisor (surprisingly not Hyper-V),so it was some time in 2007, that there was a documented buffer overflow vulnerability in this hypervisor which could be exploited to gain access to the hypervisor mode and thus, to the entire system. Microsoft immediately released a patch for this.Now unlike regular Windows OS Option, patches are not optional for Xbox users. Thus,the patch was applied the next time a user connected to Xbox Live or installed a new game. Proof of concepts quickly appeared that exploited the hypervisor vulnerability as well as online documentation on how people have used the Xbox “hypervisor exploit” to crack their systems.(...got this info from http://blogs.gartner.com/neil_macdonald/2009/02/20/hypervisor-attacks-in-the-real-world/)

3.   Thus arises a need for strong secured compartments to ensure that the individual cloud users are not compromised in a manner that would ensure unmanageable losses in monitory terms as well as brand devaluation.The CSA gives the following point wise remidiation format for designing the policy boundaries to counter Shared Technology Issues : 

-  Promote strong authentication and access control for administrative access and operations.

-  Monitor environment for unauthorized changes/activity.

-  Enforce service level agreements for patching and vulnerability remediation.

-  Implement security best practices for installation/configuration.

-  Conduct vulnerability scanning and configuration audits.

Cloud Computing : The Darker Side

1.            Cloud computing…the word has generated enough buzz already across the corporate…the techies…the possibilities in future but all this comes at a backend question on security. If there is one thing that stops 80% of possible users using this powerful technology,it is only one aspect of it and that’s SECURITY….The question that comes in an auto mode to any possible cloud service enthusiast like how safe will be my data stored with them…even if its private who controls the key generation algorithms code…who is the single point of contact and so many…but perhaps evry question on this comes under one umbrella by the name of SECURITY…..

2.            So …are they right in thinking so?…when a technology that’s coming up so strong and so globally accepted  is it possible that the giant rise comes without an inbuilt security module? Actually it goes like right they are…the users…their fears stand right when they think about their data ownership.Released by https://cloudsecurityalliance.org,  in Dec 2010,they have identified few imminent threats in the sphere of cloud computing which they have meticulously covered under few major heads as identified below.These are not in the sequence of severity of threat as no seniority levels in this have been identified by the CSA.The original version of this paper by the Cloud Security Aalliance is at https://cloudsecurityalliance.org/topthreats/csathreats.v1.0.pdf

Threat  1: Shared Technology Issues

Threat  2: Insecure Interfaces and APIs

Threat  3: Unknown Risk Profile

Threat  4: Malicious Insiders

Threat  5: Data Loss or Leakage

Threat  6: Abuse and Nefarious Use of Cloud Computing

Threat  7: Account or Service Hijacking

3.            Each of these security threats, I plan to discuss further in other posts within the week or as I am able to spare time….read some from CSA and put it in the manner I understand that.Thanks https://cloudsecurityalliance.org

Bulk SMS Ban : Carry on India

1.    The government has recently banned bulk SMS and MMS messages for 15 days in view of the exodus of people from the northeast from cities like Bangalore, Pune and Hyderabad, following rumours that they would be attacked.

2.    Now how do u feel about this ban?...do u think it is going to be effective?.....certainly not if it were actually the bulk sms that did the damage.Does'nt the govt know about various sites offering these services of bulk sms for free on a simple registration? or do they not know about various smart phones applications that can still send bulk sms via a different mode.Is it not known to them that this ban is going to be effective for pre paid owners only?....and not for post paid owners.

3.    These orders come like axing the problem instead of putting in efforts to manage it. Read the following paragraph@http://www.hindustantimes.com

"The five-SMS-per-day cap is adversely affecting a group of unsuspecting victims, the hearing impaired.A deaf individual sends up to 250 messages per day on an average as it is their only mode of conversation. "The five SMS cap is a real pain for us. It is the only way I can stay in touch with my family or friends when I go to college. If I want to have a proper conversation with someone, I have to send at least 50 messages. It is easy for people who can call and stay in touch. For us, this is the only mode that boosts our mobility. It is insensitive of the government to discount the deaf community when they take these decisions," said Mahesh P, a hearing impaired Delhi University student."

4.   Everi one knows that it is wrong...it is not effective...but hey come on ...carry on INDIA....it is just another passe...

Anti Keylogger : KeyScrambler

1.   How would u ever know that all your key logs on the PC are not being logged by a key logger working incognito in the background?...if u r not the SMARTEST....m sure u will never know....so what can u do to avoid that when u know u r equally prone like anyone across the web space?...stop typing...or use OSK(on screen keyboard) or use KEY SCRAMBLER....which would encrypt every key stroke that u type on your pc immediately as you type....available in three versions....at this site at http://www.qfxsoftware.com/index.html.The good news is that one version is free that will take care of most of you.....

2.   Something about KeyScrambler.....is an anti-keylogging program that encrypts user keystrokes at the keyboard driver level, deep in the operating system. The scrambled keys are indecipherable while they travel to the destination app so that no keylogger can steal your passwords or other crucial information. Thus it defeats known and unknown keyloggers.The unobtrusive overlay window lets realtime encryption in process so you know how and when KeyScrambler is working. 

Image Courtesy : http://www.qfxsoftware.com/index.html (Click to enlarge)

HOW IT WORKS ?

-   As u type, this simultaneously encrypting your keystrokes at the keyboard driver level. Because KeyScrambler is located in the kernel, deep in the operating system, it is difficult for key loggers to bypass the encryption.

-   While the encrypted keystrokes travel along the crucial path, it doesn't matter if they get logged, or whether the keylogging malware is known or brand new, because your keystrokes remain completely indecipherable the whole time.

-   When the encrypted keystrokes finally arrive at the destination app, the decryption component of KeyScrambler goes to work, and you see exactly the keys you've typed.

3.   Thanks http://www.qfxsoftware.com/

Excellent posts on 3D Printing

Would like to share link to this wonderful site at              http://www.3dprinter.net/author/mark for the best info on 3D Printers.....

Unbelievable world of 3D Printers!!!

1.   I read about 3D Printers few years back and then just forgot to follow the developments...and now when I googled about these printers it was completely a happy shocking event for me.....what I saw was printing actual toys....printing real life machine components...just watch these videos below to see it with your own eyes of what could be in offering in the very near future now on but first see these videos :

(This one is original from BBC)

2.   Might as well have shocked you..but these are just few from the thousands stored on the internet already......now read further....shocking is yet to come....that allows eatable food to be printed

3.   Will not be a big thing if some one tells or u come to know from somewhere that Google  offers free meals to their employees in their onsite cafeteria...so whats the big deal about this...a billionaire company can afford that!!!!!now if I tell you that Google’s cafeteria has a 3D printer in the kitchen that prints out pasta.... With customized-everything all the rage, why not pasta? And of all places, of course it would be at Google. Chef Bernard Faucher says that since everyone has their own favorite style of pasta, he can program their 3D printer to create any conceivable, printable shape..........(I read this from http://www.3dprinter.net/mama-mia-google-cooks-up-some-3d-printed-pasta)

4.   3D printers in food applications have recently been in news,but this is a first of any kind...i know reading till this much would have let you believe all this to be a bogus....but its a fact...and it is just tip of the iceberg of whats in store for future....

5.  For more on 3D Printing...please google and shock your self!!!!!!!!!

BARE METAL ENVIRONMENT & HYPERVISORS

1.   I had till now been playing around with Virtual Machines for quiet some time . I started with loading xp on Vista around 2006-7 and then tried networking,played around with basic linux OS....but what I did everi time was that I loaded the host OS first and then allocated the desired resources in form of some RAM and HDD and then booting the new OS....but then I was wasting the host OS Resource that actually is running the various virtual machines on it.....so how to use that, is where Bare Metal Environment comes in to rescue.

2.    Simply told,a bare metal environment is a system in which a virtual machine is installed directly on hardware rather than within the host operating system (OS). The term "bare metal" refers to a hard disk, the usual medium on which a computer's OS is installed.But then how come it is called virtual when the machine is directly running on the hardware? So actually a kind of  a pseudonym since a virtual machine running directly on bare metal would technically not be a virtual machine. In such cases VMs run within a hypervisor which creates the abstraction layer between physical and virtual hardware. So whats Hypervisor?? :-)

3.    A hypervisor is actually the virtual machine manager (VMM), or a virtualization technique allowing multiple operating systems to run concurrently on a host computer. Multiple instances of a variety of operating systems may share the virtualized hardware resources.The hypervisors are classified into basically two types as follows :

Type 1 refers to bare metal hypervisors that run directly on the host's hardware to control the hardware and to manage guest operating systems. 

Type 2 refers to hypervisors that run within a conventional operating system environment. With the hypervisor layer as a distinct second software level, guest operating systems run at the third level above the hardware.This classification can be made more clear with the help of figures below :

TYPE 1 : THE NATIVE BARE METAL TYPE

(click to enlarge)

TYPE 2 : HOSTED TYPE

(click to enlarge)

4.    Thanks Wiki and http://forums.hornfans.com

Cloud Computing & Virtualisation

 1.    Recently got an opportunity to give a presentation to a school/college audience about whats all the fuzz of Cloud Computing and Virtualization about?I tried building up the presentation from scratch to handling some secuity issues in the cloud.The copy is for you to see for reference : 

Cloud computing and Virtualisation

Power Searching with GOOGLE :Get Certified

1.   Few weeks back I came across a link in some blog that said the following :

"Google is offering a new free, 13 days, certification program on 'Google Power Searching' .The course is totally free and registration ends on July 16th. The course will sharpen your internet searching skill and help you learn advanced tricks to make internet searches. There are several short activities as a part of the course. Once the course is completed, a printable Google certificate will be emailed to you."

So the next thing I looked for was registering for the same....and yes it happened exactly the same way as was expected....the course started on time....i attended on line classes with wonderful simple videos to understand by google itself...became more crued up with the serch engine tools and tricks...appeared for the exams and i got the certificate as shown below.

2.  Would like to recommend this to everi one who googles....it really makes you a stronger searcher....for more details what else...u GOOGLE....

FinFisher : THE LAWFUL INTERCEPTOR

1.  Some thing to read here about one security software named FINFISHER thats making some news...a sequence wise time line of events related to this is produced below : 

-  FinFisher is security software. 

-  Marketed by Gamma International to various government security officials assuring that it could be covertly installed on suspect's computers through exploiting security lapses.

-  In the name of Lawful Interception (LI), FinFisher was found in the Egyptian Secret Police Spy headquarters used to track people down during the revolution when Egyptian dissidents ransacked the office's of Egypt's secret police during the overthrow of President Hosni Mubarak 

-  Egyptian dissidents who ransacked the office discovered a contract with Gamma International for £287,000 for a license to run the FinFisher software.

-  A security flaw in so called "designed secure" applications like Apple's iTunes allowed unauthorized third parties to use iTunes online update procedures to install unauthorized programs.Gamma International offered presentations to government security officials at security software trade shows where they described to security officials how to covertly install the FinFisher spy software on suspect's computers using iTunes' update procedures.

FEATURES OF FINFISHER : 

-  FinFisher is able to record Skype and other voice over IP communications.

-  Logs keystrokes and turn on a computer's webcam and microphone. 

-  Can also steal files from a hard disk

-  Built to bypass dozens of antivirus systems.

-  Presently found across 12 C&C servers in 10 countries: the US, Indonesia, Australia, Qatar, Ethiopia, Czech Republic, Estonia, Mongolia, Latvia and Dubai.

-  Not confirmed by any govt agencies as being used officially but then who else would at such a large scale???

-  Expected to be particularly difficult to detect. 

-  Used to access target Systems to give full access to stored information with the ability to take control of target systems' functions to the point of capturing encrypted data and communications. 

"When used in combination with enhanced remote deployment methods, the Government Agencies will have the capability to remotely deploy software on target systems".............................extract from official finfisher site at http://www.finfisher.com/FinFisher/en/portfolio.php

2.    Thanks http://thehackernews.com and http://www.bloomberg.com

Bitter Truth : If NOT on FB,u r INSANE!!!

1.   Read this article today vide a TOI post that says that if you are not on FB ur insane.Facebook revolution has become so important aspect in people's lives, that increasing number of employers, and psychologists, believe people who aren't on social networking sites, could be insane....does that bring a exclamation mark on ur face...it did to me.....the post is available here

2.   It is strange that such things come as a analysis/study reports from psychologists......it lets us know how psycho are these psychologists who r deeply gripped by the FB revol...