<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:iweb="http://www.apple.com/iweb" version="2.0">
  <channel>
    <title>Dimitri McKay’s Nerd News</title>
    <link>http://www.dimitrimckay.com/blog/index/index.html</link>
    <description>I’m a Network and Systems Security Engineer by day and a blogger by night. This blog outlines compliance, technology, IT and a bit about me. &lt;br/&gt;&lt;br/&gt;Follow me on Twitter</description>
    <generator>iWeb 3.0.1</generator>
    <image>
      <url>http://www.dimitrimckay.com/blog/index/index_files/IMG_0411.jpg</url>
      <title>Dimitri McKay’s Nerd News</title>
      <link>http://www.dimitrimckay.com/blog/index/index.html</link>
    </image>
    <item>
      <title>Pro’s and Con’s of Cloud Security:</title>
      <link>http://www.dimitrimckay.com/blog/index/Entries/2010/7/19_Pro%E2%80%99s_and_Con%E2%80%99s_of_Cloud_Security_.html</link>
      <guid isPermaLink="false">8b33407a-426e-46bf-8a15-a94090a584c5</guid>
      <pubDate>Mon, 19 Jul 2010 13:12:21 -0400</pubDate>
      <description>&lt;a href=&quot;http://www.dimitrimckay.com/blog/index/Entries/2010/7/19_Pro%E2%80%99s_and_Con%E2%80%99s_of_Cloud_Security__files/494749811_7f338637c0.jpg&quot;&gt;&lt;img src=&quot;http://www.dimitrimckay.com/blog/index/Media/object002_1.jpg&quot; style=&quot;float:left; padding-right:10px; padding-bottom:10px; width:216px; height:123px;&quot;/&gt;&lt;/a&gt;Several years ago a new buzzword was formed: “The Cloud”. It was a familiar concept to anyone using web mail, whether they knew it or not. Email was being offered as a service on the internet, so if you’ve used Hotmail, Gmail or Yahoo Mail, you’ve used cloud technology. But it goes further than that.&lt;br/&gt;Software as a Service (SaaS) is a cloud-based application that does not live in your local datacenter but on servers owned and maintained by some other organization, which runs a very tightly controlled datacenter and offers the service over the internet.&lt;br/&gt;&lt;br/&gt;The processing, the storage and the data are all part of large grids and datacenters where distributed computing takes place. We’re talking about hundreds of thousands of servers, which can manage the processing power of a service, application or company far more effectively than a single server or cluster of servers. In fact, economically, cloud computing is far cheaper than traditional computing paradigms.&lt;br/&gt;&lt;br/&gt;But there’s trouble in paradise.&lt;br/&gt;&lt;br/&gt;In a recent survey 60% of respondents expressed some reservations about moving to cloud computing, and, for all the talk of how fantastic Cloud Computing is, it didn’t appear to be on the roadmap of most companies. In fact, 34% of respondents said that cloud was not even a strategic move for their companies. Why? According to 26% of those surveyed, it was fear over the risks: security, control and transparency in particular. Many felt that the lack of controls created massive security risks.&lt;br/&gt;&lt;br/&gt;The biggest question so far has been how to get data security and transparency in the cloud, when frankly it’s the job of the cloud providers to offer visibility into those practices. Even the early technology adopters surveyed said that they wouldn’t be adopting the cloud just yet. So here are the pros and cons of Cloud Computing.&lt;br/&gt;&lt;br/&gt;First up, the benefits. Cost. To start, the local IT people who take care of local application servers, the local infrastructure that provides access to those servers, and the security folks who tie it all down are no longer necessary. Your critical applications move out to the internet, along with the cost of maintaining the infrastructure and the server hardware, software and operating systems. The Cloud vendor has its own gear, infrastructure and employees, so you can immediately cut back on employee costs.&lt;br/&gt;In addition, cloud computing is super cheap. If you’re growing an application and have an active growth projection model, adding bandwidth, processing or storage can be dirt cheap. Cloud vendors offer computing power at cents on the dollar.&lt;br/&gt;&lt;br/&gt;Lastly, the cloud is hugely scalable. No longer do you have to wonder whether you have the horsepower, the bandwidth or the staff to support your growth. Instead, you build out capacity as you need it, at very low cost.&lt;br/&gt;&lt;br/&gt;Now, the bad news in the Cloud.&lt;br/&gt;&lt;br/&gt;Regulatory compliance is an issue. At the end of the day, customers are responsible for their data, even if it is hosted elsewhere. Although service providers have to deal with their own internal and external audits and various certifications, Cloud providers are not responsible for your SOX or PCI audits, they don’t maintain your audit trail, and they will not open their doors so that each customer can bring its own auditors in. So what functions can a Cloud provider offer an organization if those functions fall outside the scope of compliance? Very little.&lt;br/&gt;&lt;br/&gt;With that comes the location of data. If you are an enterprise and your data is located in another country, you are bound by the local law where the data is, not where YOU are. Most Cloud providers are global entities with datacenters around the globe. With some Cloud providers you can define, in the service level agreement, which countries your data will be hosted in.&lt;br/&gt;&lt;br/&gt;Cloud = shared environment. So how do you keep your data segregated from everyone else’s? This is a concern that makes many organizations wary of moving to the cloud. What happens to data at rest? Is it stored in the clear, or is it encrypted? Encryption can be wonderful or a complete disaster. Beware of the encryption fumble.&lt;br/&gt;&lt;br/&gt;User access in the cloud is as much a concern as it is in a local datacenter, except that you don’t know what process the Cloud vendor has followed to secure your data. The people in the remote datacenter: were background checks done on them? How fast are user accounts shut down when an admin leaves the company? How much access do they have to your data? How secure are the datacenters? Is there any political strife taking place in the hosting country which could disrupt the service?&lt;br/&gt;&lt;br/&gt;Although you’ve outsourced your workload, you still have to understand what the cloud provider offers with regard to disaster recovery. Your data should be distributed across multiple datacenters so that if an asteroid hits the current primary datacenter somewhere on the other side of the world, your business is not affected in ways that could have been avoided. But understand the Cloud provider’s policy and how they handle disasters: what can they do, and how much time will a full restore take?&lt;br/&gt;&lt;br/&gt;Here’s another concern. What if I want to change Cloud service providers? How will you get your data back? Is it possible to import that data into another cloud? What happens if the Cloud vendor you use gets acquired or shut down?&lt;br/&gt;&lt;br/&gt;Lastly, what will you do if something DOES take place? Data theft, illegal or inappropriate activity... what recourse do you have? Because customer data can be spread across multiple countries, who do you call for an investigation? How do you get access to the evidence? These things are basically impossible to do. There is no global governance police force that would handle these matters, and local and federal police in each country do not have jurisdiction across multiple countries.&lt;br/&gt;&lt;br/&gt;You can outsource reliability but you cannot outsource responsibility. Although the cloud offers inexpensive computing power, reduced IT costs across the board, uptime guarantees and SLAs... the fact of the matter is that Cloud is not ready for mainstream until these security, compliance and operational issues are put to pasture.&lt;br/&gt;</description>
      <enclosure url="http://www.dimitrimckay.com/blog/index/Entries/2010/7/19_Pro%E2%80%99s_and_Con%E2%80%99s_of_Cloud_Security__files/494749811_7f338637c0.jpg" length="54297" type="image/jpeg"/>
    </item>
    <item>
      <title>Emergency Internet Power Switch for President: yikes!</title>
      <link>http://www.dimitrimckay.com/blog/index/Entries/2010/7/6_Emergency_Internet_Power_Switch_for_President__yikes%21.html</link>
      <guid isPermaLink="false">8cf6ba2e-cb9a-45da-a921-3b197edecf35</guid>
      <pubDate>Tue, 6 Jul 2010 12:22:53 -0400</pubDate>
      <description>&lt;a href=&quot;http://www.dimitrimckay.com/blog/index/Entries/2010/7/6_Emergency_Internet_Power_Switch_for_President__yikes%21_files/Internet_Cut_Off_Switch.jpg&quot;&gt;&lt;img src=&quot;http://www.dimitrimckay.com/blog/index/Media/object001_1.jpg&quot; style=&quot;float:left; padding-right:10px; padding-bottom:10px; width:216px; height:123px;&quot;/&gt;&lt;/a&gt;I received a DM on Twitter from @ChrisColoma asking for my opinion on the Emergency Internet Power switch (&lt;a href=&quot;http://news.cnet.com/8301-13578_3-20007418-38.html&quot;&gt;http://news.cnet.com/8301-13578_3-20007418-38.html&lt;/a&gt;) that allows the federal government, and the president specifically, to... “immediately comply with an emergency measure or action developed”. So what that means is that the US Government can flip a switch (figuratively) and turn off the internet.&lt;br/&gt;&lt;br/&gt;So here are my thoughts.&lt;br/&gt;&lt;br/&gt;If this is a “kill all internet if we are under attack” thing... then okay. I get it if they are attempting to protect SPECIFIC ASSETS... but it’s misguided. We can’t take down our primary means of communication with the flip of a switch. Imagine if all of a sudden everyone’s phones went dark? Same thing. How would VoIP phones work in an emergency? How about hospitals getting information on patients from other hospitals or doctors? That no longer works. How about keeping citizens abreast of what’s going on during this time? State of emergency? Local news? That’s scary to me. That’s cutting off your nose to spite your face.&lt;br/&gt;&lt;br/&gt;But if it is a “turn off some sites or assets for the sake of US internet security” thing... well... that’s pretty scary too. What if the government tomorrow decides that you and your website are a threat to the population, and begins to use this law as a way of censoring, swaying the public, manipulating the population? Only let people read state-sponsored news? Hi. 1930s Germany called. They want their propaganda back.&lt;br/&gt;&lt;br/&gt;So, my official opinion is that this isn’t our best route. If the kill switch just took down power plants, government networks specifically and strategic government-based networks, then fine, okay... I get it... but leaving all of the US population out of the loop, or using a law designed to protect us as a way of hurting us, is a big issue with me.&lt;br/&gt;&lt;br/&gt;We should look at this thing one more time.&lt;br/&gt;</description>
      <enclosure url="http://www.dimitrimckay.com/blog/index/Entries/2010/7/6_Emergency_Internet_Power_Switch_for_President__yikes%21_files/Internet_Cut_Off_Switch.jpg" length="25272" type="image/jpeg"/>
    </item>
    <item>
      <title>Apple iPhone 4: Our new love affair - my initial thoughts.</title>
      <link>http://www.dimitrimckay.com/blog/index/Entries/2010/6/24_Apple_iPhone_4__Our_new_love_affair_-_my_initial_thoughts..html</link>
      <guid isPermaLink="false">362e9b36-26f5-416e-b440-85ad8eb36975</guid>
      <pubDate>Thu, 24 Jun 2010 15:30:02 -0400</pubDate>
      <description>&lt;a href=&quot;http://www.dimitrimckay.com/blog/index/Entries/2010/6/24_Apple_iPhone_4__Our_new_love_affair_-_my_initial_thoughts._files/iphone-3g-s-camera_big06.jpg&quot;&gt;&lt;img src=&quot;http://www.dimitrimckay.com/blog/index/Media/object006_2.jpg&quot; style=&quot;float:left; padding-right:10px; padding-bottom:10px; width:216px; height:123px;&quot;/&gt;&lt;/a&gt;Hell yes I’m a fanboy. HELL yes. Make no mistake about it. I’m an Apple bigot. I love all things Apple. But don’t think for a second that I don’t know about the world outside Apple. I’ve spent time on Windows 7 and Ubuntu. I’ve had several iterations of Palm, Motorola, Nokia, Samsung, Sanyo and HTC phones. I’ve played with Android, fiddled with WebOS, and gone hog wild on Chrome.&lt;br/&gt;&lt;br/&gt;But I’m a firm believer in having the very best equipment out there. It just happens that Apple makes the best gear out there. Period.&lt;br/&gt;&lt;br/&gt;So, let’s talk about the iPhone 4. My first impressions when I pulled it out of the box were these.&lt;br/&gt;&lt;br/&gt;	1.	The buttons don’t feel familiar. They’re foreign. They stick way out. They feel strange.&lt;br/&gt;	2.	It’s sharper than the 3Gs. Less warm. Less soft. It feels like a cold, sharp ice cube.&lt;br/&gt;	3.	Fast. Boots fast. Loads fast. Switches apps fast. Fast. Fast. Fast. Until today I thought the iPhone 3Gs and iPad were fast. This feels faster.&lt;br/&gt;	4.	The front-facing camera should have always been there. It’s glorious. And the photos are too, even if the subject of those photos (me) isn’t exactly George Clooney handsome.&lt;br/&gt;	5.	Why the frig won’t the verification finish so I can actually make calls on this thing?&lt;br/&gt;&lt;br/&gt;So that’s the conversation that went on in my head. She’s been syncing for the last 6 hours. 6 hours. Straight. Syncing. And I’m about halfway. 32 gigs is still a pretty hefty amount of storage, but loading onto it is slloooowwww.... I’m sure it’s my Western Digital NAS. But still. Waiting on verification to happen. I get the feeling that AT&amp;amp;T has once again shit the bed. And that’s just great.&lt;br/&gt;&lt;br/&gt;I’ll post more, and update this once I actually get the new unit on the AT&amp;amp;T network.&lt;br/&gt;</description>
      <enclosure url="http://www.dimitrimckay.com/blog/index/Entries/2010/6/24_Apple_iPhone_4__Our_new_love_affair_-_my_initial_thoughts._files/iphone-3g-s-camera_big06.jpg" length="195885" type="image/jpeg"/>
    </item>
    <item>
      <title>Feel like getting robbed at Starbucks? How bout not knowing it?</title>
      <link>http://www.dimitrimckay.com/blog/index/Entries/2010/6/24_Feel_like_getting_robbed_at_Starbucks_How_bout_not_knowing_it.html</link>
      <guid isPermaLink="false">432675b2-4fbd-4866-8c45-374f5acc4483</guid>
      <pubDate>Thu, 24 Jun 2010 00:27:01 -0400</pubDate>
      <description>&lt;a href=&quot;http://www.dimitrimckay.com/blog/index/Entries/2010/6/24_Feel_like_getting_robbed_at_Starbucks_How_bout_not_knowing_it_files/lock.jpg&quot;&gt;&lt;img src=&quot;http://www.dimitrimckay.com/blog/index/Media/object006_1.jpg&quot; style=&quot;float:left; padding-right:10px; padding-bottom:10px; width:216px; height:123px;&quot;/&gt;&lt;/a&gt;I often see folks at Starbucks online, working, browsing or surfing the web. Some are shopping, some are chatting, some are emailing. But there’s a false sense of security there. Secure online communications to your local bank, to your credit report, to your favorite online retailers and even to your mail server are all vulnerable to attack while you sit on a public wireless hotspot like Starbucks or McDonalds. Although security has improved, wireless hotspots are still vulnerable to attacks that were demonstrated a year ago when I was at Black Hat Vegas. And that scares me.&lt;br/&gt;&lt;br/&gt;The vulnerability involves a man-in-the-middle attack: the attacker lurks while victims think their connections are secure because they are SSL connections to banks, retailers, or even the office via something like an SSL VPN. The attacker sits patiently picking off passwords, credit card data, banking logons and social security numbers, data that can be used to empty your bank accounts, attack your employer, or steal your identity.&lt;br/&gt;&lt;br/&gt;EV SSL Certificates (Extended Validation) are an improved method of qualifying businesses: they turn the address bar green in most modern browsers (such as Firefox or Internet Explorer). The green bar is meant to tell users that they are connecting to a legitimate business, verified by a trusted Certificate Authority, and not to a hacker pretending to be that business. Purchasing this green bar technology involves a much more expensive, much more paperwork-intensive and much longer verification process, so the purchaser of an EV certificate has been scrutinized quite a bit more than the purchaser of the average SSL Certificate.&lt;br/&gt;&lt;br/&gt;And that leads me to my mortal enemy, the DV SSL Certificate, or “Domain Validated SSL Certificate”. Most stores, banks and other secure websites on the internet are running with the lowest form of SSL Certificate available, and there is a simple reason for that: hosting companies throw in these $5.00 SSL Certificates with any hosting package as an up-sell. If you have an email address at the domain, you too can have a valid SSL Certificate for it. There’s no guarantee that you are who you say you are. There’s been no paperwork, no scrutiny, no actual checking of anything beyond control of the domain name. Which means the security involved isn’t all that secure at all, and those Domain Validated SSL Certificates and their connections can be abused by attackers. The point to keep in mind is that the browser treats a DV certificate and an EV certificate as equally valid for authenticating a server; the only difference the user ever sees is the green bar.&lt;br/&gt;&lt;br/&gt;How do they do it? Simple. The evil-doers set up a laptop on a public Wi-Fi network, such as the one at Starbucks, and use well known methods for taking over the traffic on the access point: ARP spoofing, DNS spoofing, or hacking the access point’s management platform. Once in control of DNS for the hotspot, the crooks can steer whatever the victims on that network are doing through their laptop.&lt;br/&gt;&lt;br/&gt;They can redirect users to sites designed to install malware that steals passwords later, or to phishing sites that look exactly like the user’s banking website. Or worse yet, they can let victims connect to the real EV SSL certified site, let the address bar turn green, and then insert themselves into the traffic that passes between the victim’s laptop and the server. The trick is that the browser only checks for an EV certificate on the connection that fetched the page itself; if the attacker holds a DV certificate, obtained illicitly, that is valid for the bank’s domain, and serves a script or other page element over a connection authenticated by that certificate, the browser accepts it and the address bar stays green. It’s a false sense of security for the user who looks for the lock icon, the green bar, or even the S for security in HTTPS. Most people won’t see a difference. The only way they would notice that something happened is when their bank accounts are emptied, but that’s post-sale. That’s when the job is done. The hacker is long gone when that happens.&lt;br/&gt;&lt;br/&gt;The fix for this requires a change in the way the modern web browser deals with EV Certificates. Refusing to load pieces of a website secured only by DV SSL certificates into an EV page is one option. Of course, the page the user is looking for could then look broken due to the missing pieces. The other option is for websites to be completely locked down with EV SSL Certificates, including any additional web modules from 3rd parties that are displayed on the site. They should secure the whole lot.&lt;br/&gt;&lt;br/&gt;Most sites that use an Extended Validation EV SSL certificate require users to log in, but the entire site might not be locked down with EV. There might be DV SSL certificates protecting elements of the website, and those elements are susceptible to attack.&lt;br/&gt;&lt;br/&gt;Also, web browser makers need to let users know not only when something is “secured” with an EV SSL Certificate, but also when DV SSL Certificate content has been mixed into the page. The browser should bark to let users know that they could be a victim of identity or information theft.&lt;br/&gt;&lt;br/&gt;So, although the fix for these Domain Validated SSL Certificates isn’t inexpensive, nor is it fixed overnight, there are options. In the meantime I would recommend just avoiding any situation where you could be cyber-mugged by a crook lurking in the area, stealing your packets and your data with them, and then sneaking off into the night. Like a rat.&lt;br/&gt;</description>
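The post mentions ARP spoofing as the way the attacker gets between a victim and the hotspot's gateway. Here is the check a practitioner on public Wi-Fi would run before logging in anywhere: an added example, not code from the original post, that reads the output of the stock arp -a command and flags the two symptoms of a poisoned cache. The arp -a line format, the gateway address and the sample dumps are constructed for illustration.

```python
"""Spot ARP-cache poisoning on a hotspot from `arp -a` output.

Added example (not from the original post). It assumes the Linux/macOS
`arp -a` line format shown in the constructed samples below; adjust the
regex for other platforms.
"""
import re
from collections import defaultdict

# Matches "? (192.168.1.1) at aa:bb:cc:dd:ee:ff ..." as printed by `arp -a`
# on Linux and macOS.  Incomplete entries ("at (incomplete)") do not match
# and are skipped.
ARP_LINE = re.compile(
    r"\((\d{1,3}(?:\.\d{1,3}){3})\) at ([0-9a-f]{2}(?::[0-9a-f]{2}){5})",
    re.IGNORECASE,
)

def parse_arp_table(text):
    """Return {ip: mac} from raw `arp -a` output (MACs lower-cased)."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table

def check_arp_table(text, gateway_ip, known_gateway_mac=None):
    """Return a list of human-readable findings; an empty list means nothing odd.

    Two signs of a poisoned cache on shared Wi-Fi:
      1. the gateway's MAC differs from the one recorded when the session
         started (known_gateway_mac), or
      2. one MAC answers for several IPs, i.e. a host is claiming to be the
         gateway while keeping its own address.
    """
    findings = []
    table = parse_arp_table(text)
    gw_mac = table.get(gateway_ip)
    if gw_mac is None:
        findings.append("gateway %s missing from ARP cache" % gateway_ip)
    elif known_gateway_mac and gw_mac != known_gateway_mac.lower():
        findings.append(
            "gateway %s moved from %s to %s" % (gateway_ip, known_gateway_mac, gw_mac)
        )
    by_mac = defaultdict(set)
    for ip, mac in table.items():
        by_mac[mac].add(ip)
    for mac, ips in sorted(by_mac.items()):
        if len(ips) != 1:
            findings.append(
                "MAC %s claims %d addresses: %s" % (mac, len(ips), ", ".join(sorted(ips)))
            )
    return findings

# Constructed samples: a clean cache, then the same hotspot after the laptop
# at .23 has poisoned the gateway entry with its own MAC.
CLEAN = """\
? (10.0.0.1) at 00:11:22:33:44:55 [ether] on wlan0
? (10.0.0.23) at de:ad:be:ef:00:23 [ether] on wlan0
? (10.0.0.40) at (incomplete) on wlan0
"""
POISONED = """\
? (10.0.0.1) at de:ad:be:ef:00:23 [ether] on wlan0
? (10.0.0.23) at de:ad:be:ef:00:23 [ether] on wlan0
"""

if __name__ == "__main__":
    for name, dump in (("clean", CLEAN), ("poisoned", POISONED)):
        result = check_arp_table(dump, "10.0.0.1", known_gateway_mac="00:11:22:33:44:55")
        print(name, result or ["ok"])
```

Record the gateway's MAC the moment you join the network (or read it off the access point's label) and pass it as known_gateway_mac; a MAC that changes mid-session is the classic sign that someone is answering ARP requests on the gateway's behalf.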
      <enclosure url="http://www.dimitrimckay.com/blog/index/Entries/2010/6/24_Feel_like_getting_robbed_at_Starbucks_How_bout_not_knowing_it_files/lock.jpg" length="15612" type="image/jpeg"/>
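The browser-side check the post asks for, as an added example (not the post's own code, nor any browser's): it computes the EV indicator over every TLS connection that built the page instead of the top-level connection alone, which is exactly the gap the hotspot attacker exploits. The policy OIDs are the CA/Browser Forum EV and DV values; the bank host name and the fetch lists are constructed for illustration.

```python
"""Decide what the address bar should say for a page, given the certificate
policy of every TLS connection that contributed to it.

Added example (not from the original post).  It models the gap described in
the post: a green EV bar computed from the top-level connection alone stays
green while a page element is fetched over a connection authenticated by a
DV certificate for the same host.  The OIDs below are the CA/Browser Forum
EV (2.23.140.1.1) and DV (2.23.140.1.2.1) policy identifiers; browsers of
the day also carried per-CA EV OIDs, which would be added to EV_POLICY_OIDS.
"""
from collections import namedtuple

# Policy OIDs a browser would treat as Extended Validation.
EV_POLICY_OIDS = {"2.23.140.1.1"}
DV_POLICY_OID = "2.23.140.1.2.1"

# One connection that delivered part of the page: the host the URL named,
# the resource type, and the certificatePolicies OIDs of the leaf
# certificate (None means the resource came over plain HTTP).
Fetch = namedtuple("Fetch", "host kind policy_oids")

def is_ev(policy_oids):
    return bool(policy_oids) and not EV_POLICY_OIDS.isdisjoint(policy_oids)

def indicator_top_level_only(fetches):
    """The weak rule: look only at the document's own connection."""
    doc = fetches[0]
    if doc.policy_oids is None:
        return "insecure"
    return "ev" if is_ev(doc.policy_oids) else "dv"

def indicator_whole_page(fetches):
    """The strict rule: every connection that contributed to the page must be
    EV for the bar to stay green, and any plain-HTTP element downgrades the
    page to insecure."""
    states = []
    for f in fetches:
        if f.policy_oids is None:
            return "insecure"
        states.append("ev" if is_ev(f.policy_oids) else "dv")
    return "ev" if all(s == "ev" for s in states) else "dv"

def explain(fetches):
    """List the fetches that hold the page back from a clean EV indicator."""
    return [
        "%s %s served with %s" % (
            f.kind, f.host, "no TLS" if f.policy_oids is None else "DV certificate")
        for f in fetches
        if f.policy_oids is None or not is_ev(f.policy_oids)
    ]

# Constructed scenario from the post: the bank's login page arrives over EV,
# then the attacker on the hotspot answers the fetch of the bank's own login
# script with a DV certificate he holds for the same host.
HONEST_PAGE = [
    Fetch("www.examplebank.test", "document", ["2.23.140.1.1"]),
    Fetch("www.examplebank.test", "script", ["2.23.140.1.1"]),
]
MITM_PAGE = [
    Fetch("www.examplebank.test", "document", ["2.23.140.1.1"]),
    Fetch("www.examplebank.test", "script", [DV_POLICY_OID]),
]

if __name__ == "__main__":
    for name, page in (("honest", HONEST_PAGE), ("mitm", MITM_PAGE)):
        print(name, indicator_top_level_only(page), indicator_whole_page(page), explain(page))
```

With the weak rule both pages show "ev"; with the strict rule the tampered page drops to "dv" and explain() names the script fetch that caused it, which is the warning the post says the browser should raise.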
    </item>
    <item>
      <title>Open letter to AT&amp;T and to Apple: You have a responsibility</title>
      <link>http://www.dimitrimckay.com/blog/index/Entries/2010/6/10_Open_letter_to_AT%26T_and_to_Apple__You_have_a_responsibility.html</link>
      <guid isPermaLink="false">a96958a9-bf25-4e46-881d-a68f488c0543</guid>
      <pubDate>Thu, 10 Jun 2010 16:13:37 -0400</pubDate>
      <description>&lt;img src=&quot;http://www.dimitrimckay.com/blog/index/Media/widget-snapshot_1.jpg&quot; style=&quot;float:left; padding-right:10px; padding-bottom:10px; width:217px; height:181px;&quot;/&gt;&lt;br/&gt;I'm an early adopter. I'm the guy watching the clock with his finger on the buy button for the moment that new toy is available.&lt;br/&gt;Powerbook? That was me. iPod? Me too (for all of them). Macbook Pro with Intel? Hi. Me again.&lt;br/&gt;iPhone? Slept in my car to get one. 3Gs? Me. AppleTV? Uh. Hi. iPad 3G? Crap. Hi. Yeah. You guessed it.&lt;br/&gt;And after standing in line to get it, I was one of the first iPad 3G owners. And now I'm questioning my decision.&lt;br/&gt;It's not the iPad that I'm concerned about. The iPad is &amp;quot;magical&amp;quot;. It's light, it's fast, it's sexy, it's sleek, it's smooth, and it's powerful.&lt;br/&gt;It's the network it's on... a network which has failed me since the iPhone v1. Then again with the promises of the iPhone 3G and then the iPhone 3Gs.&lt;br/&gt;And it's continuing to fail me with the iPad.&lt;br/&gt; &lt;br/&gt;AT&amp;amp;T's network is spotty and unreliable, and now, not only has the network failed me continuously over the last two weeks, but I've fallen victim to a bait and switch tactic by AT&amp;amp;T, and I'm also the victim of AT&amp;amp;T's poor security.&lt;br/&gt;Fantastic. That pit in my stomach? That's regret. I'm feeling regret.&lt;br/&gt; &lt;br/&gt;So here's my open message to both AT&amp;amp;T and Apple:&lt;br/&gt; &lt;br/&gt;AT&amp;amp;T, you have a responsibility.&lt;br/&gt;Your responsibility is not only to provide a service, but to do so in a way that is safe for your customers.&lt;br/&gt;Your job is to manage expectations for your customers.&lt;br/&gt; &lt;br/&gt;You've failed to deliver on your promises of service.&lt;br/&gt;You've failed to deliver on your promises of stability.&lt;br/&gt;You've failed to deliver on your promises of growth.&lt;br/&gt;But most importantly, you've failed to deliver on the security of your customer data. And that's the worst crime of all.&lt;br/&gt; &lt;br/&gt;Instead of spending a ton of money on advertising, perhaps you should spend your money on growing, stabilizing and SECURING your network.&lt;br/&gt;That last part? More important than all of the others combined.&lt;br/&gt;That feeling of regret I have is because I know that in 2 weeks I'll be re-signing a contract with you, knowing full well that I shouldn't, just to have that new toy.&lt;br/&gt; &lt;br/&gt; &lt;br/&gt; &lt;br/&gt;Apple, you have a responsibility.&lt;br/&gt;Your responsibility isn't just to provide high quality (and very sexy) products, but to partner with those who will help bring your products to market.&lt;br/&gt;You have a responsibility to hold your partners to a standard, and if they cannot attain that standard, you should have the backbone to find someone who will.&lt;br/&gt; &lt;br/&gt;Foxconn is your partner. There is a failure taking place there.&lt;br/&gt;AT&amp;amp;T is your partner. There are lots of failures taking place there.&lt;br/&gt;And so in turn, Apple... you're failing.&lt;br/&gt; &lt;br/&gt;I realize the business is all about the dollar, but if you won't protect your customers, someone else will.&lt;br/&gt;Frankly, Apple, you've outgrown AT&amp;amp;T. They're holding you back, and it's time to sever the ties.&lt;br/&gt;You need to be responsible and you'll grow as we all do. But part of that growth is protection.&lt;br/&gt; &lt;br/&gt;You need to protect yourself. Protect your manufacturers. Protect your customers.&lt;br/&gt; &lt;br/&gt;Apple, you have a responsibility.&lt;br/&gt; &lt;br/&gt;</description>
    </item>
  </channel>
</rss>
