HAKIN9 05/2012: CLOUD COMPUTING

RIEF

By Armando Romeo, eLearnSecurity and ID Theft Protect

As usual specialists from companies eLearn Security and ID Theft protect will share with us latest news from IT security world. Read it to up-date yourself.

Cloud Security

by Gurav Shah

There are a number of security issues/concerns associated with cloud computing but these issues fall into two broad categories: Security issues faced by cloud providers and security issues faced by their customers. In most cases, the provider must ensure that their
infrastructure is secure and that their clients’ data and applications are protected while the customer must ensure that the provider has taken the proper security measures to protect their information. The extensive use of virtualization in implementing cloud infrastructure brings unique security concerns for customers or tenants of a public cloud service. Virtualization alters the relationship between the OS and underlying hardware – be it computing, storage or even networking. This introduces an additional layer – virtualization – that itself must be properly configured, managed and secured. Specific concerns include the potential to compromise the virtualization software, or “hypervisor”. While these concerns are largely theoretical, they do exist.

Hacking the Cloud. Did someone say Swiss Cheese?

by Gary S. Milefsky

What is the cloud? Is it the glorified internet? Is it an ISP who likes to run virtualized servers? Once we truly understand what Cloud Computing is, then let us look at the holes in the Cloud…I argue that yes, the cloud is like Swiss Cheese, loaded with holes and ripe for exploitation. By the way, who is responsible for compliance when it comes to ‘moving’ everything to the cloud – is it the Cloud Service provider or is it you, the company providing a service to end-customers/consumers? When it comes to regulatory compliance, if your cloud provider is not SAS-70 audited regularly (most are NOT) then don’t expect them to be responsible for your compliance posture. If there is a breach in the cloud, the bottom line is that it’s your responsibility, if you are using Cloud Computing to host servers or services used for your outward facing business or if you store confidential customer records ‘in the cloud.’

A Secure Cloud?

by David Prokop

As IT professionals we can’t look into our inboxes without seeing a new whitepaper or webcast related to the cloud. While usually helpful, rarely does the information address our favorite topic, security. In reality can a cloud based system protect your data? In short, yes. Security threats to a system based on cloud services are similar to a traditional data center the threats just manifest in a different way. The two primary differences are that your organization will share infrastructure resources with other organizations. Second, your organization trusts the strength of the selected cloud vendor’s security infrastructure, policies, and procedures. During the selection of your organizations cloud computing services look in depth at the following areas and ensure that your selected vendor has addressed each topic and meets your organizations security policies and regulatory requirements.

Do You Have The Correct Cloud? Cloud Privacy

by Christopher Pedersen

In both personal and business settings, clouding can be a great tool. But how do you know that when you upload your information into the cloud it is private? Can anyone just connect to your data-store and start perusing through your information? These are a few questions that we will discuss. If you don’t know what the correct type of cloud is that you need, you may fail. The reason for this failure could primarily be a privacy issue. Yes, Privacy.The first question is, why are you using the cloud – business or personal? Most people don’t use the right type of cloud. Are you launching applications, servers, or developing? Are you using the correct cloud type that also delivers the correct amount of privacy?

Secure commerce in the Mist

by Craig S. Wright

We are starting to move to IPv6 and the cloud. Right now, the uptake is minimal at best with very few early adopters for all of the hype. The climate is changing. Soon, IP addresses will be on everything and even the concept of non-disclosure agreements and contracts designed to protect intellectual property will require that we consider the nature of the cloud and the Internet as a platform for contractual negotiation.

Understanding Cyber Warfare and its Strategic Applications

by Skyler Onken

Simplicity is very important in every aspect of warfare. It is very difficult to coordinate such a large group of people to do a variety of tasks perfectly synchronized with each other. Every level of complexity adds an exponential amount of time that is needed to train and rehearse the coordinated effort. Because of this cyber assets should keep their tasks relatively straight forward when working within a combined arms mission. When follow on units will be relying upon the efforts of a non-kinetic cyber force, it creates a large amount of “what-if” scenarios for that unit. Cyber assets should be given specific tasks as a form of fire support, not to be seen as a maneuvers element itself when in a combined arms environment.

Understanding the Crime Revolution

by Ivan Venclova

Our Internet Earth is currently too small to host all of our ideas because our space is defined by IPv4 address limitation. Asian companies, for example, can’t park anywhere or build anything new because they are officially out of IP addresses. We have a sound solution, IPv6, and it is scheduled to take affect soon. Once it is in place our mega-technology-churches will create new neighborhoods full of buildings and parking lots and aggressively recruit members away from already existing networks by implementing seeker-friendly approach based on intensive market
research and targeted advertising. This will be accomplished in order to re-pay their business loans, in the name of our personal desires and this will change our neighborhood crime ratings again.

Using Social Engineering to reconnaissance your victim.

by Mohsen Mostafa Jokar

Social Engineering is a phase of hacking, That including the External reconnaissance. It is nontechnical approach to breaking a system of network. It is deceiving users of a system. with social engineering hacker convincing user to perform acts useful. Hacker cab be earn information about victim. Social engineering is a important phase because hacker can use it to attack the human element. Hacker use social engineering before or during an attack, if you look at Wikipedia about it, you can see ‘The practice of obtaining confidential information by manipulation of legitimate
users.’

Secure deletion

by Mervyn Heng

The Internethas empowered us to do more with our electronic devices. We do everything from our taxes to shopping and sending private messages. Our devices become a hotbed of personal data that is of interest to malicious parties. Deletion of files and caching is insufficient in preventing harvesting of your information that resides on your devices. The solution is secure deletion or wiping to overwrite those files with random data to eliminate the chances of data recovery.
There are readily available tools out there that facilitates wiping of files. Free tools that can be downloaded and installed include popular tools like Eraser, CCleaner as well as BleachBit.
This column will explore wiping of files and caching with the use of a tool called Secure-delete.

Zombies and Economics – Why the Law Inhibits Good Security Business Cases

by Drake

Considering information security as a standalone good or service that is demanded specifically by business leadership is incredibly misleading. A while ago, I was doing some academic research into cost models for information security. As part of this, I developed a panel of experts to bounce some ideas off, drawing on individuals with extensive bodies of security experience in banking, government, telecoms, and a number of other areas. One of the ideas that was discussed was that organisations don’t, in fact “buy security”. On of the panel members, a respected security manager with especial expertise in rooting out vulnerabilities in regulated environments ( e.g. banking) went a little further.