Category: Cloud Computing


This has been a long-standing procedure. If you are online and want to have an online identity certificate that identifies you, you have been required to go to various third parties (Verisign and GoDaddy, just to name two) and pay them to issue you a digital certificate that other folks then accept as being genuinely unique to you. The problem is…now you have placed the security and authenticity of your online identity in the hands of a third party. What happens when, not if, that third party gets hacked? Your online identity has been compromised, and now these digital certificates aren’t worth much, are they? This philosophy is very counter-intuitive because in banking we tell clients…you must be careful not to allow your identity to be stolen, and we rail against allowing third parties access to your information. Yet for online security we are doing just that. One of the basics is to NOT trust third parties with your information. We spend enormous amounts of time and money trying to prevent this very thing as much as possible. Why are we then spending the same amount of time and money doing just the opposite to verify we are who we say we are when we are talking about the Internet? If you just look at these two side by side…one is best practice and one is backwards. If we are going to tell folks self-protection and self-generation is the way to go, why do the opposite online? The RSA company was compromised, and now two-factor authentication tokens are all worthless until RSA generates a new algorithm. Comodo was just compromised by a third party of theirs, which then compromised Comodo’s own certificate database for some very high-profile sites. If you have not updated your browsers (yes, all of them) you could now be receiving bad certificates that say they are genuine but aren’t. Frankly this makes no sense to me. All a third party has to do is screw up once…and ALL of their clients can be affected.
You then have to do something like update all of your software or redo all of your dongles once that occurs. I use only self-generated certificates. That way I know they are genuine and aren’t compromised. If I get compromised, it’s only me. I don’t see how this reliance on third parties for online security is progress.
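The post’s position (trust the certificate you generated yourself, not whoever signed it) is what certificate pinning implements in code. The example below is added here and is not the author’s code: the client computes the SHA-256 fingerprint of the certificate the server presents and accepts the connection only if that fingerprint is on an operator-maintained pin list, so a fraudulently issued certificate for the same name (the Comodo scenario) fails even though a CA-chain check would pass it. The host name, port and pin list are assumptions, and the sample certificate bytes are constructed.

```python
"""Trust your own certificate: pin its SHA-256 fingerprint instead of a CA.

Added example, not code from the original post.  Host, port and the pin list
are assumptions; SAMPLE_CERT_DER is constructed and is not a real certificate.
"""
import hashlib
import hmac
import socket
import ssl


def fingerprint(der_cert: bytes) -> str:
    """Colon-separated SHA-256 fingerprint of a DER-encoded certificate, the
    same form that `openssl x509 -noout -fingerprint -sha256` prints."""
    hexdigest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def _normalise(pin: str) -> str:
    """Accept pins with or without colons, in either case."""
    return pin.replace(":", "").strip().upper()


def pin_matches(der_cert: bytes, pins) -> bool:
    """True if the certificate's fingerprint is in the operator's pin list.
    hmac.compare_digest keeps the comparison constant-time."""
    got = _normalise(fingerprint(der_cert))
    return any(hmac.compare_digest(got, _normalise(p)) for p in pins)


def connect_pinned(host: str, port: int, pins, timeout: float = 5.0) -> ssl.SSLSocket:
    """Open a TLS connection that is trusted only if the peer cert is pinned.

    CA validation is switched off on purpose: a certificate from a compromised
    CA would pass the chain check but fail the pin, while a self-generated
    certificate fails the chain check but passes the pin.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be set before verify_mode = CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    der = tls.getpeercert(binary_form=True)
    if der is None or not pin_matches(der, pins):
        tls.close()
        raise ssl.SSLError(
            f"{host}:{port} presented an unpinned certificate "
            f"({fingerprint(der or b'')}); refusing to talk to it")
    return tls


# Constructed stand-in for a DER certificate.  A real pin list would hold the
# fingerprint of the certificate you generated yourself.
SAMPLE_CERT_DER = b"constructed DER bytes standing in for a self-signed certificate"
PINS = [fingerprint(SAMPLE_CERT_DER)]


def check_sample() -> bool:
    """Offline check: the pinned sample passes and a tampered copy does not."""
    return pin_matches(SAMPLE_CERT_DER, PINS) and not pin_matches(SAMPLE_CERT_DER + b"x", PINS)


if __name__ == "__main__":
    print("sample pin check:", check_sample())
    # connect_pinned("example.internal", 443, PINS)  # assumed host; needs network
```

The trade-off the post accepts applies here too: with no CA in the loop, rotating the server certificate means pushing a new fingerprint to every client before the old one expires, so keep the pin list under the same change control as the key itself.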

 

Brian Krebs tweet: as w/ this Comodo cert issue and the RSA mess, I’m struck by how many big security threats r beyond user’s ability to do squat about them

Comodo incident listing http://www.comodo.com/Comodo-Fraud-Incident-2011-03-23.html

MS advisory on the issue http://www.microsoft.com/technet/security/advisory/2524375.mspx

Steve Gibson on RSA hack http://steve.grc.com/2011/03/19/reverse-engineering-rsas-statement/ follow embedded links too.

Folks…a firewall isn’t enough. You should not even leave the ports open for these devices. The only way to have a remote chance of doing this safely is to use a VPN so your connection is encrypted; then you can get to it. Honestly, for systems that are deemed critical it is simply foolish to have them on the Internet at all…they will get taken over even with firewalls and VPNs in place. Unless folks really want to use proper security (which most don’t) these incidents are not only going to continue but will grow in size and damage potential…or damage actually caused. Small businesses are also very lax in their security postures these days. Many of the compromises could be avoided with some simple behavioral changes…technology can’t solve the issue if the issue is the lack of good security habits by their human operators or caretakers.
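One way to find out whether a control box is reachable “with no interposing firewall” is to look at what the gateway actually accepted. The example below is added here and is not the author’s code or any vendor’s tooling: it parses gateway connection logs and reports every accepted connection to the control system’s management port that did not arrive over the VPN interface, grouped by source address. The log line format, the control box address, the management port and the tunnel interface name are all assumptions, and the sample log lines are constructed.

```python
"""Detect a control system exposed directly to the Internet from gateway logs.

Added example, not the author's code.  The log format, addresses, port and
interface names are assumptions; SAMPLE_LOG is constructed.
"""
import re
from collections import defaultdict

# Constructed log format: one inbound connection decision per line, as a
# gateway might record it.  Addresses are from documentation ranges.
SAMPLE_LOG = """\
2012-02-10T03:12:41Z iface=eth0 src=198.51.100.23 dst=192.0.2.10 dport=443 action=accept
2012-02-10T03:12:59Z iface=eth0 src=203.0.113.77 dst=192.0.2.10 dport=443 action=accept
2012-02-10T03:15:02Z iface=wg0 src=10.8.0.5 dst=192.0.2.10 dport=443 action=accept
2012-02-10T03:20:17Z iface=eth0 src=198.51.100.23 dst=192.0.2.10 dport=22 action=drop
2012-02-10T04:01:33Z iface=eth0 src=192.0.2.77 dst=192.0.2.10 dport=443 action=accept
"""

HMI_HOST = "192.0.2.10"     # assumed address of the control box
HMI_PORTS = {443}           # assumed management port(s) of its web GUI
VPN_IFACES = {"wg0"}        # assumed tunnel interface on the gateway

LINE_RE = re.compile(
    r"^(?P<ts>\S+) iface=(?P<iface>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\S+)$"
)


def parse(text: str) -> list:
    """Turn log text into a list of dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            event = m.groupdict()
            event["dport"] = int(event["dport"])
            events.append(event)
    return events


def direct_exposure(events, hmi_host=HMI_HOST, hmi_ports=HMI_PORTS, vpn_ifaces=VPN_IFACES) -> dict:
    """Map source address -> count of accepted connections to the HMI that did
    not come through the VPN.  Any entry means the box is reachable without
    the tunnel, which is the configuration the post says should never exist."""
    hits = defaultdict(int)
    for e in events:
        if (e["action"] == "accept" and e["dst"] == hmi_host
                and e["dport"] in hmi_ports and e["iface"] not in vpn_ifaces):
            hits[e["src"]] += 1
    return dict(hits)


if __name__ == "__main__":
    for src, n in sorted(direct_exposure(parse(SAMPLE_LOG)).items()):
        print(f"non-VPN access to {HMI_HOST}: {src} ({n} accepted)")
```

On the constructed sample the VPN-sourced session and the dropped attempt are ignored, and the three accepted sessions from non-tunnel addresses are reported; in a real deployment an empty result is the state you want to see after moving the device behind the VPN.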

 

Hackers illegally accessed the Internet-connected controls of a New Jersey-based company’s internal heating and air-conditioning system by exploiting a backdoor in a widely used piece of software, according to a recently published memo issued by the FBI.

The backdoor was contained in older versions of the Niagara AX Framework, which is used to remotely control boiler, heating, fire detection, and surveillance systems for the Pentagon, the FBI, the US Attorney’s Office, and the Internal Revenue Service, among many others. The exploit gave hackers using multiple unauthorized US and international IP addresses access to a “Graphical User Interface (GUI), which provided a floor plan layout of the office, with control fields and feedback for each office and shop area,” according to the memo, which was issued in July. “All areas of the office were clearly labeled with employee names or area names.”

An IT contractor for the unnamed business told FBI agents the “Niagara control box was directly connected to the Internet with no interposing firewall,” according to the memo, which was published Saturday by Public Intelligence. The website has an established track record of posting authentic government documents. Barbara Woodruff, a spokeswoman in the Newark, New Jersey division of the FBI, where the memo originated, said the document appeared to be authentic.

The unauthorized access began in February, a few weeks after someone using the Twitter handle @ntisec posted comments indicating hackers were targeting SCADA—or supervisory control and data acquisition—systems. One tweet included a list of Internet addresses, including one that was assigned to the heating system belonging to the New Jersey business. The hack came five months before security researchers Billy Rios and Terry McCorkle blew the whistle on serious vulnerabilities in the Niagara system, which is marketed by Tridium, a company with US offices located in Richmond, Virginia.

Only getting worse

The revelation that Niagara vulnerabilities have been actively exploited in the wild is significant because the system is widely used to control critical equipment used around the world. Further, the number of Internet-facing Niagara systems appears to be growing. A search using the Shodan computer search engine late last year found about 16,000 systems, with more than 12,000 of those based in the US, according to Billy Rios, one of the security researchers who documented the vulnerabilities in the industrial control system. This year, the same search returned more than 20,000 systems, with about 16,000 of them in the US. While patches released earlier this year apply only to versions 3.5 and 3.6 of Niagara, Shodan continues to show “tons” of systems running earlier versions, including 1.1, Rios said.

“These things keep popping up,” he told Ars. “It’s not going away. It’s getting worse.”

Perhaps the only other documented case of an industrial control system being breached in the US came in 2009, when a security guard abused his physical access to breach computers that controlled air-conditioning systems at a Texas hospital. The intrusion came to light after he posted screenshots and other evidence showing he had control of the systems that cool operating rooms and other critical areas of the Texas facility, where temperatures regularly hit the triple digits. He has spent most of his time since in federal prison.

via Intruders hack industrial heating system using backdoor posted online | Ars Technica.

Many folks cringe at IT having tight control…but then when users in organizations start tossing things into the cloud they expect IT to bail them out. That’s an impossible position, and I’ve seen more and more IT folks going, “you threw it up there without consulting us…it’s your baby now.” The results are usually disastrous, and things get put back from the cloud once that inevitable disaster begins. The cloud can be leveraged in a good way, but I wouldn’t put anything critical or private into it. The cloud is ripe for a major data harvesting attack to explode…I’m sure it has already occurred…we just don’t know about it yet.

 

In many cases, IT organizations are not fully aware of which cloud applications are in use across the enterprise, which makes it more difficult than ever for enterprises to monitor and control user access to mission-critical applications and data. In fact, only 34% of companies bring IT staff into the vendor selection and planning process when a cloud application is procured without using IT’s budget, making it very difficult to proactively address security and compliance requirements for those applications.

SailPoint’s survey found that business users have gained more autonomy to deploy cloud applications without IT involvement, yet they do not feel responsible for managing access control. In fact, 70% of business leaders believe that IT is ultimately responsible for managing user access to cloud applications. Adding to IT’s challenge, more than 14% of business leaders admit they have no way of knowing if sensitive data is stored in the cloud at all. This lack of visibility and control greatly increases an organization’s risk of security breaches, exposure to insider threats and failed audits.

“As organizations adopt cloud applications, they are very likely to increase their risk exposure by putting sensitive data in the cloud without adequate controls or security processes in place,” said Jackie Gilbert, VP and GM of SailPoint’s Cloud Business Unit. “And this year’s survey illustrates how ‘at risk’ companies already are. Many companies lack visibility not only to what data is in the cloud, but also to who can access that data. It’s imperative that companies put in place the right monitoring and controls to mitigate these growing risks.”

via Increasing cloud adoption puts enterprises at risk.

I have a Facebook page I help admin, and I’ve noticed the stats in all areas cratering. I never could figure it out until I saw the “promote” “feature”. I then knew what this was…yet another backdoor sneak attempt by Facebook to extract money from folks. If Facebook wasn’t so sneaky and shady in its operations folks might actually pay. I can tell you right now spending money to get a presence on Facebook is now a fool’s game. Facebook will now continue to break the site to get you to pay for “better reach”…that’s not going to go far. Be prepared for your Facebook investments to crater.

 

This has been brewing since around May. At least that’s when we first started noticing it here at Dangerous Minds and we certainly weren’t the only ones.

Spring of 2012 was when bloggers, non-profits, indie bands, George Takei, community theaters, photographers, caterers, artists, mega-churches, high schools, tee-shirt vendors, campus coffee shops, art galleries, museums, charities, food trucks, and a near infinite variety of organizations; individuals from all walks of life; and businesses, both large and small, began to detect—for it was almost imperceptible at first—that the volume was getting turned down on their Facebook reach. Each post was now being seen only by a fraction of their total “fans” who would previously have seen them.

But it wasn’t just the so-called “fan pages,” individual Facebook users were also starting to notice that they weren’t seeing much in their newsfeeds anymore from the various entities they “liked”—or even updates from their closest friends and family members. Something was amiss, but unless you had a larger “data set” to look at—or a formerly thriving online business that was now getting creamed—it probably wasn’t something that you noticed or paid that much attention to.

When we first noticed the problem, our blog had about 29,000 Facebook “likes.” Our traffic was growing 20% month over month, but our Facebook fans grew at a far faster pace. We were getting hundreds of new “likes” every day. Still do. As I write this, our Facebook fans now number over 53,000, not quite double what it was then, but give it another month or so and it will be.

53,000 is a more than respectable number of Facebook fans for a blog that’s only been around for a little over three years. So why is it that our pageviews—our actual inventory, what we sell to advertisers—coming from Facebook shares are off by half to two thirds when the number of new “likes” has risen so dramatically during this same time period?!?!

In a widely read—and widely shared on Facebook—NY Observer article titled “Broken on Purpose: Why Getting It Wrong Pays More Than Getting It Right,” (emailed to me by a friend, a prominent blogger, with the subject line: “Why putting a lot of energy into building a Facebook presence is a sucker’s game”) PR strategist and social media expert Ryan Holiday succinctly laid out the case against the damage Facebook had inflicted upon its most active users with its recently rolled out Promote “option”:

It’s no conspiracy. Facebook acknowledged it as recently as last week: messages now reach, on average, just 15 percent of an account’s fans. In a wonderful coincidence, Facebook has rolled out a solution for this problem: Pay them for better access.

As their advertising head, Gokul Rajaram, explained, if you want to speak to the other 80 to 85 percent of people who signed up to hear from you, “sponsoring posts is important.”

In other words, through “Sponsored Stories,” brands, agencies and artists are now charged to reach their own fans—the whole reason for having a page—because those pages have suddenly stopped working.

This is a clear conflict of interest. The worse the platform performs, the more advertisers need to use Sponsored Stories. In a way, it means that Facebook is broken, on purpose, in order to extract more money from users. In the case of Sponsored Stories, it has meant raking in nearly $1M a day.

I love how Rajaram phrases that so delicately: “Sponsoring posts is important.”

It’s perhaps the most understated stick-up line in history, worthy of a James Bond villain calmly demanding that a $365 million dollar ransom gets collected from all the Mom & Pop businesses who use Facebook. How many focus groups do you reckon it took until Facebook’s highly paid marketing and PR consultants finally arrived at such an innocuous phrase for describing information superhighway robbery?

via Dangerous Minds | FACEBOOK: I WANT MY FRIENDS BACK.

Microsoft Surface can not compete against real tablet | SemiAccurate.

If Microsoft really plans to get into the mobile space (and Win8 is all about tablets) this is not the way to do it. $600 for a tablet isn’t going to fly when Android and iPads are already established with superior feature sets.

 

For a while there it seemed that Microsoft was going to do something spectacular which was going to give Android and Apple a real kicking and establish itself as a leader in the tablet market.

The rumour had been that Vole was going to release a subsidised Windows RT tablet for about $300 which was practically a giveaway. While this would anger hardware makers, it would establish Microsoft’s new operating system and lead to the company becoming a leader in the mobile market.

Unfortunately the rumour was based on the assumption that Microsoft would use common sense and its piles of money to make itself relevant again.

According to Extreme Tech, the rumour mongers had forgotten that Microsoft is a huge elephant of a corporation ruled by competing factions and overseen by Steve Ballmer. So far it has yet to come up with anything that is responsive or innovative to push itself into the mobile market.

Now, a leak has confirmed that Microsoft’s inability to come up with a decent business plan to deal with mobile is about to snatch another defeat from the jaws of victory.

A leaked slide from Asus says that its Vivo Tab RT, due to be released alongside Windows RT at the end of October, will start at $600.

This is more expensive than the iPad 3, and a full $200 more than the iPad 2 or Galaxy Tab 2 10.1. So to be competitive it should have some insane hardware specs – right?

Er, no. The Vivo Tab RT has a low-res 10.1-inch 1366×768 IPS display, quad-core Tegra 3 SoC, 2GB of RAM, NFC, 8-megapixel camera… and that’s about it.

Basically it is the Android Transformer which can be plugged into a keyboard/battery dock for an extra $200 and a docking station only costs $150.

Microsoft is assuming that people will buy the tablet because it has Windows RT on it. This attitude is rather arrogant because it forgets that people are doing rather nicely thank-you-very-much with their Android machines and do not really need Windows.

Vole is basically charging what it always does with its licences, and has no plans to relax the “Windows Tax” to push itself into the mobile market.

via Microsoft prepares to stuff up tablet plans – Asus leak shows Vole’s own goal | TechEye.

So the iPhone is still behind the competition in many ways. Plus you get locked into doing it Apple’s way or no way. No thanks. Pricing is OK, but I can get my Nexus for $99 and an S3 for less than $200, both with features not found in ithingies. Apple is no longer innovating…they are following Samsung and HTC. No wonder they are becoming more like Microsoft and trying to sue their competition instead of innovating. iPhone 5 + refreshed iPhone 4…etc etc etc. When Apple comes out with something new I’ll see about it again.

 

iPhone 5 Brings Size and Speed – Ina Fried – Mobile – AllThingsD.

Discussing the high-profile compromise of an online journalist and how to protect yourself. However, it doesn’t address the underlying insecurity of the public cloud. One thing that still holds true…if you are going to use the cloud, make sure you have a local copy of your data for when the cloud fails.

 

This Week in Enterprise Tech 8 | TWiT.TV.

How To Install VMWare Tools v4 on Ubuntu 12.04 LTS Server – Ghost Tx.

What was interesting is that the CEO who announced this horrid pricing was a former Microsoftie, so I can’t say the announcement was surprising in that regard. To borrow from another blogger…VMware thought they had more leverage over their client base than they did…they were wrong. Now that a former Intel guy is there, that insanity is gone and sane pricing models are back. The question is…have enough folks been driven to Hyper-V (Microsoft) and Linux alternatives to hurt VMware for only the short term?

 

No more VRAM: VMware abandons controversial pricing model | Ars Technica.