Category: News

Other foundational members of the Cloud Commons initiative include: Carnegie Mellon University, TM Forum, Red Hat and Insight Investments, which is hosting the site.

“Demand for cloud services holds significant potential for the technology and communications industries, but many barriers still exist to widespread adoption at an enterprise level,” said Martin Creaner, president, TM Forum.

This marketplace is expected to include vendor service ratings to enable participants to compare service options.

“Today, there is no comprehensive, unbiased source that solicits and aggregates the most current and relevant knowledge about cloud computing and the accumulated, actual experiences that organizations are having with the cloud,” said David Hodgson, senior vice president of the Cloud Products & Solutions business line at CA Technologies.

New products:

* CA Cloud Insight, which gives customers a way of assessing their cloud for what applications are in use, as well as any rogue applications that are in use.

* CA Cloud Optimize, which will help customers make use of the SMI and information from the Cloud Commons Web site.

* CA Cloud Orchestrate, which will provide workflow control based on information from Cloud Insight, Cloud Compose, Cloud Optimize and Cloud Commons.

Both CA Cloud Insight and CA Cloud Compose will go on sale at the end of the year; CA Cloud Optimize and CA Cloud Orchestrate will go on sale next year.

http://it.tmcnet.com/topics/it/articles/85530-new-cloud-commons-community-helps-it-pros-learn.htm
http://news.google.com/news/url?sa=t&ct2=us%2F0_0_s_0_3_aa&ct3=MAA4AEgAUANqAnVz&usg=AFQjCNEuRD_GU4miOEtyqGCNhvIc3H7QMg&cid=8797540854095&ei=8RrzS_jSAc6clQfAt6_nAQ&rt=SEARCH&vm=STANDARD&url=http%3A%2F%2Fgcn.com%2Farticles%2F2010%2F05%2F18%2Fca-unveils-new-name-and-cloud-products.aspx

The report — by the University of Toronto’s Citizen Lab, the Ottawa-based think-tank SecDev Group and U.S. researchers from the Shadowserver Foundation — stressed that the federal government needs to take urgent action or risk being targeted by hackers who use social media, such as Twitter, to steal secret government or corporate information.

“In addition to being virtually unattributable, these remotely operated attacks offer a productive, secure and low-risk means to conduct espionage,” the CSIS briefing says.

Government officials have said they are working to develop a framework to deal with cyber-attacks — the federal government’s throne speech in March promised a cyber-security strategy. However, Canada still has no official plan for responding to a co-ordinated cyber-attack. “Canada is without a plan and we have a government that has given us little more than words.

Canada dependent Ron Deibert, director of the Citizen Lab at the University of Toronto’s Munk Centre, said Canada needs a “coherent, comprehensive strategy” on cyberspace, given how dependent Canadians are on telecommunications. “We’re a large landmass with a population spread across the country,” he said.

http://www.cbc.ca/canada/story/2010/05/17/cyber-security-hack-csis.html

“As a victim, you have to identify the IP address that is attacking you. For Tarpitting (a defence against HTTP-based DDOS attacks), set your TCP/IP window size to zero [which] means the attacker will keep resending un-acknowledged packets and will be stuck in a loop. The overall effect is that traffic reduces more using tarpits than if you drop it and don’t respond. “When we drop packets, the CPU load of the bot is constant and the bot can handle it.

He poured cold water on hype surrounding the use of peer-to-peer networks to control botnets, and said they are too difficult to control and fully decentralise. He said the infamous Storm botnet used peer-to-peer networks to connect nodes, as an “overlay”, but the coommand and control servers connected normally and were taken down. He said Google Groups and Twitter are often used to obfuscate botnets.

http://www.networkworld.com/news/2010/051810-auscert-2010-australia-protected-by.html?source=nww_rss

The addition of Multi-AZ provides better database availability by automatically configuring a standby copy of the database, which is stored in a different physical location from the original in Amazon’s cloud.

From start to finish, the failover between the two databases typically completes within five minutes, according to Amazon.

Amazon RDS is based on MySQL 5.1 and is still in beta.

Amazon is also working on a second feature that will replicate data to improve scalability by using multiple database instances at the same time.

http://www.infoworld.com/d/cloud-computing/amazon-cloud-based-database-gains-high-availability-feature-213?source=rss_infoworld_news

“Over the years, you can spend millions of dollars protecting your network, but [many organizations] are leaving the front door wide open. They are missing huge gaping holes” in their physical security of the data center, says Jones, who will discuss his findings at the conference today in Sao Paulo, Brazil.

“These are the top ways we get in.”

One of the flaws in the physical design of most data centers is their drop ceilings and raised floors, Jones says. “The walls don’t go all the way up [to the ceiling] or down [to the floor],” he says. The drop ceiling leaves a void for an intruder to remove a ceiling tile from a nearby area and then crawl to the data center from above it. “You can crawl down carefully to where you need to drop down,” Jones says.

And raised floors — built for cabling and cooling purposes — can also be physically exploited, he says. “With a raised floor, there’s a gap between the installed floor and the concrete bottom of the building,” he says. Jones says crawling in via ceiling tiles or through raised floor gaps are easy ways to get inside without getting noticed or doing any damage to the structure. “I’ve seen employees take advantages of these weaknesses” for things like going back to get keys they left in the office, he says.

The best fix is to fill those gaps with sheet rock, he says. Some organizations opt to lay metal fencing or chicken wire there as well, but Jones acknowledges that a determined intruder could merely cut the wire and gain entry into the data center.

Social engineering expert and penetration tester Steve Stasiukonis, founder and vice president of Secure Network Inc., says these gaps are “brilliant” ways to get inside the data center. If there’s sheetrock in the way, he says, it’s easy to cut a hole in it and squeeze inside. “A lot of government facilities have a ‘code of silence room’ [where] they have to make sure the sheetrock goes to the roof and there’s a barrier so no one can climb over the ceiling tiles,” says Stasiukonis, who doesn’t perform any carpentry-type breaches on behalf of his clients because it’s too destructive to the data center environment.

Another common physical weakness in the data center is the door lock: Jones says he sees many weak locks and unprotected door latches at the data center threshold. “Most data centers have cheap, regular key locks on their doors,” he says. He says his team sometimes installs small wireless cameras you can purchase from a spy shop that snoops on keyed-entry doors to learn the code when someone enters the data center. Proximity access keys are best, according to Stasiukonis, because they also authenticate the user who enters the data center and provides an audit trail of the person’s comings and goings.

Jones and Stasiukonis both swear by “tailgating” as a foolproof way to get into the building — or even the data center — via legitimate employees. The only ways to mitigate this type of unauthorized entry is to have either turnstile-based badge entry, where only one person can get in at a time and with a badge, or with some sort of rotating door, he says.

If the company loses a lot of money [due to an intrusion], they might not have a job anymore,” Jones says.

Then there’s the classic social engineering ploy of posing as a technician, salesperson, cleaning crew, or contractor as a way to gain entry into the building without raising suspicion or being questioned. “It shouldn’t cost any extra money for the contractor to fix it.

http://www.darkreading.com/database_security/security/management/showArticle.jhtml?articleID=224900081&cid=RSSfeed

Shadows in the Cloud documents a complex ecosystem of cyber espionage that systematically compromised government, business, academic, and other computer network systems in India, the Offices of the Dalai Lama, the United Nations, and several other countries. The report also contains an analysis of data which were stolen from politically sensitive targets and recovered during the course of the investigation.

Recovery and analysis of exfiltrated data, including one document that appears to be encrypted diplomatic correspondence, two documents marked “SECRET”, six as “RESTRICTED”, and five as “CONFIDENTIAL”. These documents are identified as belonging to the Indian government. However, we do not have direct evidence that they were stolen from Indian government computers and they may have been compromised as a result of being copied onto personal computers.

Just like the majority of targeted malware attacks, this one was also relying on client-side exploits (Report: Malicious PDF files comprised 80 percent of all exploits for 2009) served through different file types (PDF, PPT, DOC) using a relevant topic of interest to Indian and Tibetan communities, which were then spamvertised to the victims of interest.

What’s particularly interesting about the cyber espionage facilitating network in question, is the mix of legitimate and purely malicious infrastructure in an attempt to not only increase the life cycle of the campaign, but also, to make it harder for network administrators to detect the malicious use of popular free email service providers, as well as social networks. In fact, in 2009 cybercriminals continued demonstrating their interest in abusing legitimate services such as Twitter, Google Groups, Facebook as command and control servers, as well as Amazon’s EC2 as a backend.

Moreover, although the report is logically emphasizing on the actual attack vectors used in this particular cyber espionage network, there’s another attack vector that’s been trending over the past few years, having an identical cyber espionage potential to the targeted attacks in general.

http://blogs.zdnet.com/security/?p=6042