[SecurityRatty] Lattest Articles

Interview on IMI Tech Talk / KFNX: Cloud Computing and Security

Sun, 06 Jul 2008 17:59:05 +0000

A quick post to say a very warm welcome to IMI Tech Talk / KFNX listeners!

I was recently approached to take part in an interview about Cloud Computing and Security on IMI Tech Talk, broadcast on KFNX News Talk Radio. KFNX is a US based radio station based out of Phoenix, Arizona. More in-depth than the previous opportunity, a range of Cloud Computing technologies were discussed in the 30 minute segment:

Who am I?
What is cloud computing? (*that* question!).
Introduction to virtualization.
Examples of cloud computing services that exist today.
Barriers to entry.
Security issues of processing or storing data in the cloud
cloudsecurity.org

I will update this post when the audio archive of the show is posted.

I did mention I would provide links to useful Cloud Computing resources (as my mind went totally blank during the interview!) - watch for a post next week covering the blogs I read regularly.

Cloudsecurity.org was born as I couldn’t find any dedicated web resource discussing Cloud Computing and Security. If there are subjects you want to see covered, feel free to leave a suggestion in the Skribit sidebar to the right.

I do welcome comments in response to blog posts on the blog itself - don’t be shy :-).

For private communications I can be reached at craig.balding@gmail.com.

My thanks to the IMI Tech Talk team, particularly Tom and Eric.

Enjoy the blog,

Craig

Dont become a statistic in the lost laptop legacy.

Sun, 06 Jul 2008 11:50:19 +0000

The article also has a video showing how easy it is for thieves to steal your lappie.

clipped from consumerist.com

Travelers Leave 12,000 Laptops In Airports Every Week

Absentminded travelers flummoxed by airport security leave 12,000 laptops in airports every single week. Only 30% are ever recovered.

Changhai Ke of ILOG: The More Part of CEP over ESP is Far from Mature

Sun, 06 Jul 2008 07:58:30 +0000

This post was originally a comment On CEP Maturity and the Gartner Hype Cycle by Changhai Ke of ILOG. Changhai Ke’s comment was so well written, I have reposted it as a blog entry.

The “More” Part of CEP over ESP is Far from Mature

By Changhai Ke, ILOG

An EDA and CEP must be understood as 2 different areas. EDA is an architecture pattern for enterprise applications. The components are loosely coupled by the use of events. In its strict sense, this is more an architecture pattern than an algorithm.

CEP, on the other hand, targets at the event processing and pattern recognition level. For me, it’s the research for the right algorithm to use to recognize the situations. Pattern recognition, event correlation are all good characterizations for CEP. Back 15 years ago, the alarm correlation in the telecom area was done using production rules (it is still the case), and this perfectly falls into the CEP area.

In fact, EDA comes after CEP, but the CEP at that period was not explicitly called CEP. The nature of their respective study is not the same, one is at the architecture and middleware level, the other is at the algorithm side. As both are concerned by events, it seems that people more or less implicitly include CEP in EDA, mix the two and introduce confusion. Why not. But it’s important to understand that CEP (on its algorithm side) could mature on its way without being worried about the event transportation layer.

As a system, CEP needs input events for processing. If EDA is considered as the only way to bring and transport events to the CEP systems, then of course CEP won’t become successful without the prior success of EDA. But in my understanding, CEP targets some real-time or close to real-time applications, and the event transport layer in those applications are the most often ad-hoc and over-optimized. I fear that EDA has the same kind of performance goal.

Another distinction needs to be made. CEP is more general than ESP (event stream processing), characterized by an EPL for data aggregation with notifications. Even on the market most of the CEP vendors provide EPL languages, CEP has the vocation to cover more than that. The “more” part is not well defined, at least it should include the event correlation, and correlation is not just data aggregation.

The ESP part of CEP could be considered as quite mature. There are so many EPL languages, and tuning has been made on the runtime side. It seems also that some applications based on ESP have proved to work. But the “more” part of CEP over ESP is far from mature. It is often described that CEP could use several technologies, such as statistical models, Bayesian network, time series, rules, etc. I agree that there are a few systems using rules. But where are the others?

Sincerely,

Changhai Ke

Firewalls On Your Windows Servers

Sun, 06 Jul 2008 04:37:16 +0000

A survey last year by David Litchfield of NGS Software showed "...there are approximately 368,000 Microsoft SQL Servers directly accessible on the Internet and around 124,000 Oracle database servers directly accessible on the Internet." Egad! That's almost certainly not a good thing. Many of them are accessible by accident and many of them are run by just plain incompetent people; 4% of the SQL servers were so old they were still vulnerable to the Slammer worm from many years ago. One point it raises, even if you don't in intend for your server to be accessible directly on the Internet, is defense in-depth. There should be a firewall on the server so that at least the attack surface is somewhat restricted. Out of this philosophy, starting with Windows Server 2008, the Windows Firewall is turned on by default. Many users will notice this change in the form of connectivity failures, but that's a good thing because it forces you to think about what's open and closed on your server and make a decision about it. An entry on the SQL Server Security Blog discusses these changes and how you can approach them to make your Windows Server 2008-hosted SQL Servers secure. First you have to locate your servers; it's a good bet that quite a few owners of those Internet-facing servers that Litchfield found don't even know the servers are up. You need to review the host security implementations on those servers to make sure that they conform to your policy. You also need to review your network firewall policies to make sure that the two are compatible. Verify that it's all working as expected; in other words, test the configuration. Then remedy the problems. Read the blog for more details. On your Windows Server 2003 servers you might even want to turn the firewall on as a defensive measure. Or you might want to turn it off on 2008. But it should be you making a conscious decision.

WTF?Internet addressing agency (ICANN) loses its addressess

Sun, 06 Jul 2008 00:46:40 +0000

The nonprofit agency (ICANN) in charge of the Internet's addresses recently lost track of its own.

The Microwave Scream Inside Your Skull

Sun, 06 Jul 2008 00:30:00 +0000

The U.S. military bankrolls early development of a non-lethal microwave weapon that creates sound inside your head. But in the end, the gadget may be just as likely to wind up in shopping malls as on battlefields.

Life Is A Technology Museum

Sat, 05 Jul 2008 16:13:08 +0000

I went this morning with my family to the Museum of Natural History on Manhattan's Upper West Side. In the subway I noticed one of the machines that sells MetroCards (the fare cards for the NYC transit) rebooting;. I wasn't able to get my cell phone camera going until it was in the boot-time banner. Turns out the machine was a bit of a museum piece itself. Before that I watched it in blue-screen mode and observed that it was running Windows NT 4.0 Workstation Service Pack 3. Wow, that's pretty old. There hasn't been any support at all for NT 4 since January 2005, and that was for Service Pack 6 I believe. To date the software, SP3 was released 8 years ago. Back to the MetroCard machine itself, there's some more detail on the screen: The banner is customized with "Metropolitan Transportation Authority" and it says, I think, "with CTS AVM". I did a little Googling and struck out on what that means. If any of you can help me out I'm curious. The moral of this story is an old one, how technology users can be incredibly conservative, or perhaps "thrifty" is the right word. I ought to follow up with the MTA to see if they plan to leave these systems as-is. Yeah, maybe "if it ain't broke don't fix it," but why did it reboot?

Russian Hackers To Lithuania: All Your Base Are Belong To Us

Sat, 05 Jul 2008 14:36:26 +0000

Hundreds of Lithuanian government and corporate Web sites were hacked and plastered with Soviet-era symbols and other digital graffiti this week in what appears to be a coordinated cyber attack launched by Russian hacker groups.

Storm botnet stages Fourth of July attacks

Sat, 05 Jul 2008 09:00:00 +0000

Hackers tried to entice users into downloading the Storm bot Trojan on July 4 with a flood of Fourth of July spam containing links to malicious sites, several security companies reported.

Daily Mail publisher admits to stolen laptop

Sat, 05 Jul 2008 08:55:49 +0000

Technorati Tag: Security Breach

Date Reported:
7/4/08

Organization:
Daily Mail and General Trust plc

Contractor/Consultant/Branch:
Northcliffe Media
Associated Newspapers Ltd

Victims:
Staff, suppliers and contributors

Number Affected:
"thousands"

Types of Data:
"name, address, bank account number and bank sort code"

Breach Description:
"Daily Mail publisher Associated Newspapers has admitted that a laptop containing financial and personal details of thousands of staff, suppliers and contributors has been stolen."

Reference URL:
ComputerWorldUK
Guardian News (UK)
Guardian News (UK) additional info

Report Credit:
Guardian Newspaper

Response:
From the online sources cited above:

Daily Mail publisher Associated Newspapers has admitted that a laptop containing financial and personal details of thousands of staff, suppliers and contributors has been stolen.

A Daily Mail & General Trust spokeswoman said: "DMGT confirms that a laptop company computer containing certain confidential information was stolen last week.

After months of criticising "criminally careless" government departments for losing confidential records, the company has been forced to send out an embarrassing letter telling journalists they may now be at risk of identity theft
[Evan] This is the same Daily Mail managed by Associated Newspapers that according to The Guardian "has been at the forefront of coverage of the recent bank and government department missing data scandals". It would be very difficult for Associated Newspapers to claim that they didn't know any better than to store confidential information on a poorly protected laptop.

Details such as names, addresses, bank account numbers and sort codes were on the laptop

the laptop was "password protected" but tell recipients to contact their banks and also "consult the government website ... for advice on avoiding or dealing with identity theft"
[Evan] The mention of password protection is nothing more than an effort to minimize the effect of the breach. It does very little (if anything) to protect the personal information.

In a letter to those who details were affected, Simon Dyson, finance director at Daily Mail publisher Associated Newspapers, and Martyn Hindley, his counterpart at sister company Northcliffe, said it was likely that the details had been erased by the thief.
[Evan] How is the conclusion drawn? I don't see how there could be enough information to determine what the thief was likely to do.

From the letter to affected persons from the Associated Newspapers group finance director, Simon Dyson, and his Northcliffe counterpart, Martyn Hindley:

"Unfortunately one of the company's laptops has been stolen."

"The contents included personal data, some of which related to you."

"The laptop was password-protected. "
[Evan] So what? This won't adequately protect the information on the laptop, so why mention it?

"We are writing to you as quickly as possible to alert you to the fact that the theft has happened and to inform you of the data types lost, so that you can take appropriate action."
[Evan] I guess we should give some credit for the quick notification, if nothing else.

"In your case, your name, address, bank account number and bank sort code were the sensitive information lost."

"The likelihood is that this theft was carried out in an opportunistic manner by a thief who will not realise that there is any personal data on the laptop and who may just erase what is on the hard disk in order to disguise the fact that the laptop is stolen."
[Evan] This is nothing more than speculation. I can't imagine that there are any specific facts for which this conclusion is based on.

"We have, of course, notified the police of the theft of the laptop and are talking to the Office of the Information Commissioner about what has happened."

"On behalf of the company, I would like to offer my sincere apologies for any annoyance and inconvenience to you that this breach of security may cause."

"I can assure you that we take security of personal data very seriously and have, since this incident, which was inadvertently caused by a technical issue, already further strengthened procedures."
[Evan] This breach was caused by a "technical issue"? Like what? I presume that the technical aspects surrounding this breach were working exactly as they were designed to in the manner of which that they were implemented. Without further elaboration, "strengthened procedures" is subjective and means little. Organizations should offer details, instead of general statements in order to bolster some sense of confidence.

Commentary:
This breach must be embarrassing for Associated Newspapers. A breach like this should be embarrassing for any organizations. Unencrypted lost of stolen laptops storing personal (or other confidential) information is a pretty well-known risk nowadays. An unacceptable risk for most.

Past Breaches:
Unknown