[SecurityRatty] tag: collects

Free tool collects logs, manages security and compliance

Mon, 10 Nov 2008 21:00:00 +0000

QI Labs develops a free version of its enterprise log and compliance management appliance to help potential customers get started collecting security event information and monitoring appropriate network systems.

How to turn a software pirate into a paying customer

Wed, 20 Aug 2008 09:00:00 +0000

V.i. Laboratories' CodeArmor Intelligence product collects data on how and where pirated software is used, and then stealthily sends it back to the software's maker

Links for 2008-07-30 [del.icio.us]

Wed, 30 Jul 2008 20:00:00 +0000

InternetNews Realtime IT News - LogLogic Joins VMware Tech Alliance
LogLogic collects log data from physical and virtual environments and analyzes it, runs searches and creates reports, Anton Chuvakin, chief logging evangelist at LogLogic, told InternetNews.com.

Coding Spyware and Malware for Hire

Mon, 21 Jul 2008 23:52:14 +0000

What type of antivirus evasion do you want today? For the past several years, we have been witnessing the emerging customerization applied in malware and spyware for hire services. What used to be a situation where the malware authors would code and then start promoting a piece of malware including features that he thinks his potential customers would want by generalizing a cybercriminal's needs, is today's "listening to the customer" win-win situation that they've reached already.

The whole maturity from a product concept to customerization is in fact so prevalent these days, that malware authors wanting to preserve their intellectual property are forbidding their customers from reverse engineering their malware modules, presumably fearing that remotely exploitable flaws like this one in one of the most popular Ebanker malwares for the last two yers Zeus, could be discovered due to the malware author's insecure coding practices. Moreover, limiting the distribution of a single license they are given to more than three people will result in the malware author ignoring any future business relationships with the party that ruined the exclusiveness of the malware, thereby leaking it to the public, something that's been happening and will continue happening with web malware exploitation kits.

What would be the price of a custom malware module coded on demand? How much does it cost to have a built in email harvester that would sniff all the incoming and outgoing email addresses from the infected host to later on include them in upcoming spam and malware campaigns? Would the malware author also provide a managed hosting service for the command and control and the actual binaries on a revenue sharing

Here's an automatically translated, and fairly easy to understand random proposition for coding spyware and malware for hire, aiming to answer many of these questions, clearly demonstrating that today's malware is coded in exactly the same way the customer wants it to :

"As you can see in the history of its development turned directly into the combine, while almost no raspuh in weight, full-size pack аж 18 kb and minialno 5 kb, for all nampomnyu again, all descriptions below can be done as otdelnym bot, and any combination of cross except for a few restrictions. This product is targeted at mass-user and will not be all prodavatsya row. So, you can choose from:

Actually loader - is able to load a file from adminki, by country and other characteristics, such as the number of animals on board with a specific bot, a country group of countries, the availability of certain authors or Fire, sredenemu time online, etc. etc.. You can adjust the speed of shipping limits for each file, can load 1 as well as how files simultaneously
300 €

FTP and not only Graber
Analyzes user traffic and collects from the ftp acclamation, that is ftp acclamation would you regardless of how the customer uses ftp user, thus can be obtained most valuable ftp aka (even those to which the password is not saved), you can also grab other in a way not only acclamation acclamation and other tasty things more)
150 €

Assembler spam bases
Analyzes user traffic and collects from all email, snifit http pop3 smtp protocols, keeps records unikallnosti locally on each boat to reduce the burden on the server as well as globally on a server has 2 mode of operation - ie passive with only collects user to please and active - the very beginning to download the entire inet) in search of soap
220 €

Socks 4 / 5
Normal soks with competently implemented multithreading, is activated only if the user real Ip, otherwise not. And also optional, depending on the connection type and speed ineta.
70 €

Indicates
The primitive method, contamination fleshek avtoranom gives 2-3% increase in the first week and up to 7% in the next, a pleasant trifle)
35 €

Scripts
Loader supports internal scripting language - jscript, to carry out arbitrary actions on the victim machine, whether recording data in the register, setting authentic hon-Pago, opening URL in your browser (it was done so to please with 90% punching)), apload arbitrary files on a server, even theoretically possible to form and grabing inzhekty in IE) has only to write the script zaebetes, vobschem lyuboye actions soul who wish)
70 € basic functionality

Assembler passwords
Collects data such as passwords pstorage IE, MSN, etc., will be added at the request of other sources of passwords
70 €

Mini-AV
When installing loadera wheelbarrows to remove BHO shaped three, zevso-shaped, the majority of shit from all avtoranov, render most keylogerov until all) forward proposals to improve
70 €

File-default
In exe loadera program URL (in adminke) to the file which once progruzit 1 and run at first start loadera on wheelbarrows, while simultaneously helping progruzke Trojan for example, in its entire botnet that does not paired with challenges in adminke, the module operates in 20 seconds after the mini - av which excludes the removal of your Trojan bot, after progruza this exe bot continues to normal activities.
35 €

Form Graber
While in beta version, robbed IE. Sends logs in adminku, folding country. Logs are like logs agent. It consists of:

Graber certificats
On the idea is part formgrabera but could work and of itself, actually there is nothing to describe)

Injections
Literacy sold inzhekty, did not begin work after full progruza pages (as in bolshistve three) and immediately supported injection yavaskript code, which allows avtozalivy and DC inzhekty for data collection. For example not to yuzat acclamation at all is not yet introduce the necessary number of Britain, after which inzhekt ceases to operate. Вобщем mdelat can be anything and in any form) rather than the meager request field pin) And also inzhektov subspecies - a substitute for the issuance of search enginee.

Graber balances
Makes loot aka balances at the entrance to the user acclamation, detail added to the logs.

Screen
Universal method to grab information from absolutely any species and varieties klaiviatur screens, in particular html, flash, in one picture, with a drop-down fields after choosing your encrypted, as well as information such as "enter 3 yu secret letter word" etc. as well as any information which is visible a user but not seen in the logs. Screen settings of adminki, set URL where do screen as well as the type of screen: for virtual keyboard (done several small images of areas around the clique) or to "enter 3 yu secret letter words" (makes 1 full shot). With the withdrawal screen recorded in the log entry with the name of the file to the screen this position.

Antiabuznost for botneta
Feachem adminki, keep botnet enables fast, normal, bezglyuchnyh NEabuzoustoychivyh hosting, with features that you forget what abuzy, nohistory week saporta "abuzoustoychivogo" hosting inaccessibility host to half ineta etc., etc., also with the help of the supplement will be able to keep huge botnety (over SL) at 1 dedike with 512 Lake) and well on the price of hosting a savings, not $ 500 a month and 150. It may use this feature to stroronnim development, Trojans, bots, etc., actually is a separate product. And incidentally, if you do not understand the theory that nenado ask "and how does it work?" imagine that it works and point and neubivaemo in pritsnipe.
600 € +

All prices are in euros, the calculation is made at the rate of CB on the day of purchase. ps I will not disappear as most authors after months of sales, I DONT how to please you get to the assembly ftp, I DONT how many soap collects soap-graber, I DONT what otstuk from loadera, I DONT soksov how many will be from 1 to downloads, and how best To work load a file is not dead quickly, if you are confused my ignorance - that my loader so you do not need more tries)

Rules / Licence
-- Customer has no right to transfer any of his three 3 persons except options for harmonizing with me
-- Customer does not have the right to make any decompile, research, malicious modification of any three parts
-- Customer has no right where either rasprostanyat information about three and a public discussion with the exception of three entries.
-- For violating the rules - without any license denial manibekov and further conversations"

This malware coder seems to be participating in an affiliate program with a malicious ISP that is offering hosting services for the entire campaign, not just the malware binaries, so you have a rather good example that incentives and revenue-sharing models result in value-added services, a all-in-one shop for a customer to take advantage of without bothering to approach a third-party.

Cybercrime is getting even more easier to outsource these days, and with the malicious parties improving their communication and incentives model, the resulting transparency in the underground market

Related posts:
The Underground Economy's Supply of Goods and Services
The Dynamics of the Malware Industry - Proprietary Malware Tools
Using Market Forces to Disrupt Botnets
Multiple Firewalls Bypassing Verification on Demand
Managed Spamming Appliances - The Future of Spam
Localizing Cybercrime - Cultural Diversity on Demand
E-crime and Socioeconomic Factors
Russia's FSB vs Cybercrime
Malware as a Web Service
Localizing Open Source Malware
Quality and Assurance in Malware Attacks
Benchmarking and Optimising Malware

When security staffers fail up

Mon, 21 Jul 2008 00:31:18 +0000

Remember the "Peter Principle" -- the idea that sooner or later people rise to the level of their incompetence? It's alive and well in the security sector. Lisa Vaas collects some stories that'll make you shudder, and gives you some tips for coping if it's a shudder of recognition.

Senators question NebuAd, targeted ad privacy

Thu, 10 Jul 2008 09:00:00 +0000

Senators question NebuAd on its information collection practices at a hearing in which the company's CEO said it does not collect personally identifiable information or keep the information it collects for an extended time.

Montgomery Ward breached, no notification obligation?

Fri, 27 Jun 2008 19:45:03 +0000

Technorati Tag: Security Breach

Date Reported:
6/27/08

Organization:
Direct Marketing Services Inc.

Contractor/Consultant/Branch:
Montgomery Ward
HomeVisions.com
SearsHomeCenter.com
SearsShowPlace.com
SearsRoomForKids.com

Victims:
Customers

Number Affected:
"at least 51,000 records"

Types of Data:
Names, addresses, phone numbers, card numbers, "security codes", and expiration dates

Breach Description:
"NEW YORK (AP) -- The parent company of Montgomery Ward is admitting that it was hit with a credit card hack, but it didn't inform the customers affected."

Reference URL:
The Associated Press
The Associated Press via WZTV Channel 17 News

Report Credit:
The Associated Press

Response:
From the online sources cited above:

At least 51,000 records were exposed in the breach at the parent company of Montgomery Ward.

The venerable Wards chain that began in 1872 went out of business in 2001, but in 2004 a catalog company, Direct Marketing Services Inc., bought the brand name out of bankruptcy.

Direct Marketing Services' CEO, David Milgrom, said the financial company Citigroup detected the computer invasion in December.

By going through HomeVisions.com, another Direct Marketing Services site, hackers had plundered the database that holds account information for all the company's retail properties.
[Evan] The AP story names five of the six Direct Marketing Services retail properties (See Above). I don't know what the sixth is.

It now runs a Wards.com Web site along with six other sites, including three with Sears brands it has acquired: SearsHomeCenter.com, SearsShowplace.com and SearsRoomforKids.com

Milgrom said Direct Marketing Services immediately informed its payment processor and Visa and MasterCard.

Direct Marketing Services closely followed a set of guidelines, issued by Visa, on how to respond to a security breach.
[Evan] This is sad. The Visa documentation regarding breach response is way too narrowly focused to be used as an organizational incident response. Every organization that creates, collects, uses, stores, and/or transfers confidential information should have an incident response policy and accompanying procedures. Take a look at the Visa "What To Do if Compromised" procedures, and judge for yourself.

That included a report to the U.S. Secret Service.

He said he believed by the end of December that Direct Marketing Services had met its obligations.
[Evan] Mr. Milgrom is the president of the company. He really thought that his company had met all of its obligations with respect to this breach? It never occurred to him that he should notify customers, even if he weren't required to by law? Not only was the lack of notification illegal, but I think it is also unethical.

However, those guidelines from Visa are largely technical, and they do not cover a key additional step: that notification laws in nearly every state generally require organizations that have been hacked to come clean to the affected consumers, not just to the financial industry.

Companies that fail to comply can be hit with fines or be sued by affected customers, depending on the state

After being asked about those laws by The Associated Press, Milgrom said Direct Marketing Services now plans to contact consumers.

This hack might have stayed quiet except for online chatter detected in June by Affinion Group Inc.'s CardCops, a group of investigators who track payment-card theft for financial institutions.

In Internet chat rooms frequented by card thieves, CardCops spotted hackers touting the sale of 200,000 payment cards belonging to one merchant.

CardCops then intercepted several hundred of the records, along with the online handles belonging to hackers whose real names remain unknown.

Along with the card numbers, their three-digit "security codes" and expiration dates, the thieves had the cardholders' names, addresses and phone numbers.

The data had been organized in the same way, indicating the numbers likely came from the same database.

CardCops' president, Dan Clements, also noticed that the vast majority of the cardholders were women, a clue that the records came from a merchant catering to a certain demographic.

When he began calling them, the first eight said they had bought things online or through mail order from Montgomery Ward. At that point, Clements realized, "there's a high probability the entire database of Montgomery Ward was breached."
[Evan] This is some good investigative work.

It is not clear to Clements, though, whether the hackers were inflating their claim when they offered 200,000 records or whether Milgrom's number of 51,000 is accurate.
[Evan] According to the article, the "hackers" were able to compromise the information from all six Direct Marketing Services, Inc. properties. 51,000 may be Montgomery Wards customer accounts, and the remainder could be from the other five properties (just speculating).

A spokeswoman for Discover Financial Services LLC, Mai Lee Ua, said her company had addressed the problem by sending new cards to its cardholders who appeared in the compromised records.

Ua said they weren't told which merchant had been breached

Visa declined to comment.
[Evan] Visa always declines to comment. No sense in even seeking one.

MasterCard issued a statement Friday acknowledging it was aware of the breach at Direct Marketing Services, and had notified the banks that issue MasterCards, telling them to monitor the accounts for suspicious charges.
[Evan] Three different card companies, three entirely different responses. Of the three, I think I like the Discover one the best.

Such silence was the norm in the industry for years. But in response to fears of identity theft, 44 states have passed laws that generally require organizations holding consumer data to tell people when their information has leaked

Clements and other security analysts say that despite those laws, many breaches still are kept quiet, judging by the data being hawked in online black markets.

Avivah Litan, an analyst at Gartner Inc., believes unreported data breaches might still outnumber the ones that do get publicized.
[Evan] I absolutely agree. You would be naïve to think that victim notifications go out in all breaches. Too many corporate leaders would rather not notify and hope that nobody notices.

Litan says it especially is the case with online merchants. She believes it happens because of a lack of pressure from credit card companies, which are not responsible for fraudulent charges in "card not present" transactions over the Web and mail order.

Until fraud actually appears on the card, they'd rather avoid the cost of voiding compromised cards and giving consumers new ones, she said.

"What it reveals is the convoluted banking system," she said. "If this had taken place at a grocery store, we all would have heard about it."

In fact, because of the silence that still sometimes follows data breaches, even people who have never been informed one of their records has leaked should assume their information is floating online, Litan said.

"Probably every one of our cards is up there somewhere now," she said.
[Evan] I agree with all of the statements made by Avivah Litan except this one. This is a stretch.

On the Net:
Links to the 44 state notification laws

Commentary:
Is this a case of a company that was caught trying to cover up a breach, or was this a company that didn't know any better? I lean towards the former. Either way, is ignorance of the law any kind of valid excuse?

Let's assume for a second that company really didn't know that they were required to notify victims. If this were true, then this leads me to believe that the company doesn't govern information security well (due care?), probably has no formal information security program, lacks incident response policy and procedures, and doesn't manage risk well.

I could only guess how the "hack" took place. What vulnerability was exploited? Even in this, the company appears to have not detected the attack. Direct Marketing Services, Inc. had to be told of it by Citibank. Does this mean that the company did not use intrusion detection/prevention?

I could go on and on, but in the end I don't have much confidence here.

Past Breaches:
Unknown

"many of Colt's clients" affected by breach, CNET included

Wed, 25 Jun 2008 07:25:20 +0000

Technorati Tag: Security Breach

Date Reported:
6/13/08

Organization:
CNET Networks, Inc. ("CNET")

Contractor/Consultant/Branch:
Colt Express Outsourcing Services, Inc. ("Colt")

Victims:
"current and former employees and their dependants"

Number Affected:
"around 6,500"

Types of Data:
"first names, last names, date of birth, Social Security numbers, address, employer, hire date, benefits group numbers, and relationship to the policy holder"

Breach Description:
"Colt informed our client by this letter that on Memorial Day, Monday, May 26, 2008, Colt's offices in Walnut Creek, California were burglarized. Certain computer equipment was taken which contains the human resources data of several of their clients, including CNET. The theft of this equipment may have compromised the personal information of our client's current and former employees and their dependants, and our client is working to understand the extent of any exposure for its employees."

Reference URL:
Maryland State Attorney General breach notification
PCWorld
WebProNews
PogoWasRight

Report Credit:
The Maryland State Attorney General

Response:
From the online sources cited above:

On June 6, 2008, CNET received the attached letter from Colt Express Outsourcing Services, Inc., ("Colt") who has provided our client with employee benefit plan administrative services for the past 8 years.

Colt informed our client by this letter that on Memorial Day, Monday, May 26, 2008, Colt's offices in Walnut Creek, California were burglarized.
[Evan] Uh Oh!, this is starting to read like and smell like the ASI breach reported in February.

The breach occurred on Memorial Day, Monday, May 26, 2008, between approximately 4:30 p.m. and 5:00 p.m. PST, when someone broke into Colt Express's office at 2125 Oak Grove Road, Suite 210, Walnut Creek, California, 94598

Certain computer equipment was taken which contains the human resources data of several of their clients, including CNET.
[Evan] According to a CNET spokesperson, via PogoWasRight.org, the "computer equipment" did not employ encryption to protect the information. Encryption could have been a prudent control in a defense-in-depth approach, a mitigating control to protect information against a physical break-in and theft.

The theft of this equipment may have compromised the personal information of our client's current and former employees and their dependants, and our client is working to understand the extent of any exposure for its employees.
[Evan] Not "may have", but did. Information security and control can no longer be reasonably assured, which in my book constitutes a compromise.

Colt has also informed us that they reported the break-in to Walnut Creek police and to REACT High Tech Crimes Task Force in Silicon Valley when they discovered the burglary and that there is an ongoing criminal investigation.

report number 08-12367

In speaking directly with the Walnut Creek Police on June 12, 2008, Officer Greg Leonard, the primary investigator for the incident informed us that they are not aware of any misuse of personal information as a result of this theft at this time.

The information included first names, last names, Social Security numbers, address, employer, hire date, benefits group numbers, and relationship to the policy holder for around 6,500 of our client's current and former employees, and their dependants.

some of your current and former employees and their dependants during the time period of 01-Aug-00 to present.
[Evan] August 1st, 2000 through May 26th, 2008 is almost eight years of information! I wonder what the data retention policy states at Colt, supposing one exists.

We do not have any understanding that the computers stored personal health information.

Our client is providing written notification to all affected individuals at the last home address we have on record

Although there is no evidence of misuse of the data to date, our client's notification will also inform affected individuals that it has contracted with Equifax to provide Equifax Credit Watch Gold with 3 in 1 Monitoring service, including identity theft insurance, for one full year at no cost.
[Evan] I have said it before, and I will say it again. One year of semi-effective protection should not be considered adequate for information that has a usable life that far exceeds this time frame. It should be pointed out howevere that it is better than nothing and the company is not required to offer it.

Although we are not aware of the exact number of individuals affected by the Colt breach, we do know that we were among many of Colt's clients whose data were stored on the stolen computers.
[Evan] The word that catches my attention almost immediately is "many". How many clients will be affected in the end? PogoWasRight is already following up on another company that may be affected.

Colt Express takes the protection of its customer and personal information very seriously.
[Evan] Making a statement like this and the demonstration by action are two entirely different matters. An organization such as Colt Express creates, collects, stores and transfers very sensitive information as an integral part of their business. This being said, I wonder why this information was not protected better.

Colt Express is taking steps to ensure that a potential data security breach does not occur in the future.

We installed an alarm system on Friday, May 30th.
[Evan] Are we to assume that there was none prior to May 30th? I hope not!

Colt Express is looking into what additional steps may be taken to provide enhanced security.

By this letter and enclosures, we are providing you with all the information we believe you need, and that we are able to give you. We do not have the resources, financial and otherwise, to assist you further.
[Evan] Say huh?

Towards the end of last year, our customer base was reduced to an unsustainable level.

Colt has been in the process of going out of business, while at the same time providing time for remaining customers to find alternative solutions.
[Evan] This is a twist. How long has the company been in the process of going out of business and was CNET (and the "many" other clients) aware of it? If so, this could have been a sign that could have spurred some action. Then again, maybe not.

http://www.colthr.com/

Those decisions are now final.

We are firmly committed to protecting all of the information that is entrusted to us both before and after we close down.

We sincerely apologize for the inconvenience and concern this incident will cause.

Commentary:
As I stated earlier in the post, I am a little fearful that this breach could end up as significant or more significant (in terms of number of people and organizations affected) than the ASI breach reported in February. The ASI breach was the 2nd most popular posting in The Breach Blog's history at the time, based on number of online page reads and comments posted.

This breach has got me thinking. Some of the key risks that we address with the organizations we work with are those involving the management of vendor and third-party relationships. Ideally, information security personnel are involved throughout the relationship, including the initial vendor feasibility assessment. Vendors and "trusted" third-parties need to be held to the same high security standards that we set for the organization. The methods in which this can be accomplished vary from organization to organization, but typically include risk assessments (initial and ongoing), information security requirements built into contractual language, and enforcement actions if necessary. If a vendor is not encrypting confidential information or employing burglar alarms, it is known (and hopefully addressed).

Past Breaches:
Unknown

Security Between Virtual Machines?

Sun, 22 Jun 2008 11:30:57 +0000

Is there security needed between virtual machines? Some say no, some say yes. I've been out talking to a number of virtualization users and non users on this topic and I'm finding that some say no and some say yes. The users of virtualization technology tend to say yes while others looking at virtualization from the outside tend to say no. Why is this?

Well, I thought I'd blog on my thoughts on this!

You see, in the physical datacenter there is no firewalling between servers plugged into the same switch and because of this some people think, well if its not done in the physical world why should it be done in the virtual world. I believe that its not done in the physical world today because there are no solutions today that embed security into datacenter switches. Should it be done in the physical world? I think so! It never hurts to get security as close as possible to the things you are trying to protect and what better place than the switch port in which the critical asset are connected to. This is why people have HOST BASED FW/IPS ON SERVERS! To get security as close as possible! Is that needed?

So my first response to those that say, security between virtual machines is not needed because its not done in the physical world is: Well, just because people have done things one way for many years doesn't mean there isn't a better way.

Would environments be more secure if there was security between servers? I tend to think so. You see, many of the attacks that are taking place these days are not attacks for fame but attacks for fortune and gone are the days where people just hacked to spread nasty viruses. Its all about the data these days (ie. credit cards, social security numbers, etc). We've all heard about the TJ Max security breach where customer data was compromised and many others like banks that have had credit cards compromised.

How and the heck do you think most of these things happened? Attackers are targeting the datacenter these days. Physical or Virtual. Their gateway into these environments are the Web Front End Servers. Let me say that again. The Web Front End Servers! Hackers get to the data from the web front end server that talks to the database backend server. This useually occurs by something called "Cross-Site Scripting" or "SQL Injection" breaches.

Here is a trival way of how this happens:

A hacker finds a vulnerable web site. He sometimes does this by something called Google Hacking. He uses Google to search for sites that has vulnerabilities on it. Say a web site has some content on one of the pages that says "Powered by Drupal 4.1". If a hacker knows that Drupal 4.1 software has a vulnerability in it, he can now target all the search results related to this. Click Here for more detail.

Now lets say Drupal 4.1 on a web site has a SQL-Injection vulnerability because the developer of the Drupal software didn't do Form Field Validation properly. A Form field is something you fill out on a web page like a form that asks for the user name and password. User names and passwords to log into the web site are stored on whats called a Database Server. Hmmm... So this means the web server needs to talk to the database server right? Yes! Keep this in the back of our head for now. The hacker enters in "Admin" for the user ID and "password doesn't matter 'or 1=1--" for the password. And presto! He is logged in to the server as Admin.

The reason he was able to log in is because the web site sends a SQL Database command to the Database server and because the developer of the Drupal software didn't do "Form Field Validation" properly (method of checking for invalid characters like the ' (single quote) symbol), the user was able to bypass the password. Notice the 'OR 1=1 command appended to the password. One does equal one so therefore it will return a TRUE result to the password checker and the OR says use the password typed in (password doesnt matter) OR check to see if one is equal to one. If its true then the password is valid for this user which is Admin.

Now that the user is on the web server, he probably has the ability to connect to the database server or other servers in the network. Why? Because there is connectivity from the web front end to all of the backend servers. He essently can backdoor his way throughout the network.

Another method is for him to append some SQL statement to another SQL statement. Lets say their is a FORM FIELD on the website that collects some information from the database to display it to web site users. It could be entering in the Zip code to find store locations in your area. Instead of putting in the zip code you could put in "95123 'UNION SELECT * FROM credit_card_table--". The hacker is injecting via the UNION command (which means join one SQL statement with another one) a command that says grab all (via the asterisk) information out the credit card table.

Lastly, the hacker can use the UNION command to write text of his desire to a text file on the database server. He may write some nasty code, tell the database to write the code to a file and then tell the server to execute that file. The code could be used to do a denial of service attack to the other virtual machines or whatever. The possibilities are endless!!

Anyway, these are high level examples. I think you get the point.

The Web Front End Virtual Machine has a need to talk to the Web Back End Virtual Machine and security such as Firewalling, Intrusion Prevention definately needs to be in place to have a higher level of security.

Another reason to have security between virtual machines is because servers are now mobile in the virtual world. They move between trust domains to take advantage of computing resources that may be available on a given piece of hardware. Lets say one PHYSICAL server was hosting database VM's and another PHYSICAL server was hosting file server VM's. The file server VM could VMOTION to the same environment as the database VM's. Now where is your isolation between trust domains or unlike resources?

People should think about this problem in greater detail. I'd love to hear everyones comments as to whether or not they think security between VM's is needed.

John Peterson
Montego Networks