Category Archives: Cloud

Some notes on Content Protection Summit 2014

Posted on by
Reply

The conference was held on 9th December at Los Angeles. The audience was rather large for such event (more than 120 attendees) with representatives of content owners, service and technology providers and a few distributors.

The big trend and message is that cyber threats are more and more severe.  Traditional Content Protection is not anymore sufficient.  It has to be extended to IT cyber threats.  The SPE issue was cited very often.

The conference did not disclose surprisingly new information and technology.  Nevertheless, the event is a good occasion to share knowledge and basic best practices.  The following part will highlight interesting points or figures I collected during the event.

Welcome Remarks (by ROSE M., Ease)

He highlighted that the cyberwar is a reality.  It is performed by government funded teams or hacktivists,  It has serious implications such as wild censorship…

The Global State of Information Security (by BANTHANAVASI S., PcW)

The cyber world becomes more dangerous.  The state seems to degrade.  Some interesting figures from PcW’s annual report:

  • In 2014, the U.S. government notified 3,000 U..S. companies that they had been attacked
  • There was 48% more reported incidents in 2014.  Furthermore, the average cost of a breach increased.
  • Investment in security diminished
  • More and more incidents are attributed to third parties with trusted access

What to do (and who to call) (panel)

The usual stuff.  The most interesting advices were:

  • Log must be switched on.   This is essential in a cloud environment where low-cost plans may not have the logging feature available.  It is worthwhile to pay for it.  It is mandatory to learn and analyze when an incident occurs.
  • Have a response team available beforehand.  You will not have to time to look for and organize it when the incident will occur or will be detected.

The focus of the discussion was always on script kiddies, and never on Advanced Persistent Attack (APT)

This script will self destruct in 2 hours (panel)

The script is of high value, especially when the actual shooting was not started, or that the decision was not yet taken.  Nevertheless, it needs to be convenient.   Typical challenge for a confidential sensitive document that needs controlled distribution.  Warner announced that sometimes they even used 3-factor authentication.  Creative people may have hard feeling about privacy and traceability.

Protecting content: where creativity and security meet (panel)

Key message:  embed security within the existing ecosystem

According to Fox, TV is more forgiven than feature movie in case of leakage (excepted perhaps for the opening and closing episodes).  The biggest coming challenge is the request of international day+1 release of TV shows.

How to Secure Workflows in the age of digital services (panel)

Key message:  be aware of third parties (and their own third parties) and freelancers

The creative process behind great storytelling (panel)

Refreshing session with creative people.  The end of the session was a playdoyer for copyright.  The arguments were similar to the ones in the book Free Ride.

It’s about the money: strategies to disrupt funding piracy (LAWRENCE E., ABS-CBN and SUNDERLAND J., Lionsgate)

According to me, the most interesting session.  They presented real use cases.

Elisha explained how she drastically reduced the online piracy against ABS-CBN (the Philippines Netflix).   She performed different steps:

  1. Analyze the pirate landscape
  2. With SEO, increase the RANK to get the official sites as the first links in Google and bring pirate sites back to farther pages.
  3. Use investigators to collect proofs to enable shutdown sites
  4. Lawsuits with high fines.  The arrested webmaster are interviewed to learn all their techniques and tricks,

Jane explored the methods to have good brands advertising on pirate sites.   80% of the revenues of streaming cyberlockers are coming from advertisement.  Among them, 22% are coming from institutional brands. Tools exist to filter out placement on malicious sites, but brands have to opt-in. Brands should be worried to place their advertisement in such sites as they are sometimes also hosting malwares.

The culture of piracy: A European perspective (VERSTEEG G., Rights Alliance)

He explained the historical rationales why much piracy went from Sweden (Kazaa, The Pirate Bay…)  He asked that there should be a transactional VOD release window concurrent with Theatrical and Home windows.   The price could be dynamic, starting high and decreasing with time.

Being European, I did not see what was specifically European.   It was more his opinion.

What’s the forecast for securing the cloud? (panel)

According to me, the worst session.   No serious discussion on actual security of the cloud.   No discussion of hybrid clouds.  No precise definition of cloud (even no mention of NIST definition).  It seemed even to me that there was a consensus that implementations in cloud would be more secure than today’s implementations.

The topic is far more complex than the simplified vision drawn during the panel.

Cloud services as Command and Control

Posted on by
Reply

Cloud services are increasing the surface of attack of corporate networks.   For instance, we  associate usually to file sharing services the risk of leak of confidential information.  This is a real threat.  These services may also present another more lethal threat: become Command and Control channels (C&C).   C&C is used by botnets or Trojans to communicate with the infected machines.

At Black Hat 2013, Jake Williams presented DropSmack: a C&C tool dedicated to dropbox.  In his paper, he explains the genesis of this tool.  It is a well documented story of an advanced penetration test (worthwhile to read, if you’re not familiar with these tests).  The interesting part of the story is that he succeeded to infect an employee’s home computer.   The employee used this home computer to work on corporate documents using his dropbox account.  Thus, any modification or new file in the dropbox folder was synchronized to the cloud based folder and then synchronized to the company’s computer.   If the attacker succeeds to implement a malware on the home network folder, it will appear and infect the corporate computer.

Thus, using DropSmack, he was able to implement a C&C using dropbox as channel.  What is interesting is that it flies below the radar of firewall, IDS or DLP because the synchronized files are encrypted!  Furthermore, the likelihood that Dropbox is whitelisted is high.  Furthermore, following the statictics presented in my last post, the likelihood that one of your employees is already using Dropbox, even without the blessing of IT department, is extremely high.

Last month, Trendmicro detected a Remote Access Tool using Dropbox as C&C!  It was used to target Taiwanese government agency.

 

A few lessons:

  • When a researcher presents an attack, it does not take long to appear in the wild.  Never downplay a disclosed attack.
  • Cloud brings new threats and we are just seeing the tip of the iceberg.  Worst to come.

 

PS: the same attack may be used on any file sharing service.  Dropbox as used due to its popularity and not because it is vulnerable.   The vulnerability resides in the concept of (uncontrolled) file sharing.

BYOLC: Bring Your Own Loss of Control

Posted on by
Reply

In a recent post, I highlighted my belief that one of the most worrying new threats of the cloud was the Bring Your Own Cloud.   A recent study from LogMeIn and Edge Strategies confirms this risk by focusing on the use of cloud-based services.  They coined it as Bring Your Own App (BYOA)

Following is their infographics that summarizes the major outcomes.

’The

In a nutshell, the problem is more worrying than expected.   Currently, a huge amount of applications (> 85%), and thus data, are under the radar of the IT team!    One of the answers that we proposed is that IT should provide company blessed solutions.   I am a strong proponent of this solution.   This study seems to show that it is not sufficient: 64% bring their own apps when a similar solution is already in place.  I must confess that during the era before cloud, I was doing the same, for instance, using Firefox when IE was blessed, or my preferred software editor…

Even if you ban BYOD, BYOA will be here.   This unavoidable BYOA means that we are losing more and more control on sensitive data.  What is the proper answer: DLP (dubito ergo sum), more control of what is executing on the user’s computer (not compatible with BYOD)…

BYOD + BYOC + BYOA = BRYLC 

Unfortunately, cloud is here and we cannot escape it.   THus ranting is useless.  We have to find new solutions and methods to protect our assets.  What answer do you suggest?

 

Thanks to Gomor for the pointer

Bring Your Own Cloud

Posted on by
Reply

In 2013, the cloud security alliance released “The Notorious Nine” threats for cloud. A few months later, I have the feeling that the most important threat is missing: “Bring Your Own Cloud (BYOC)”.

BYOC is when an employee uses a cloud based service without the blessing of his company for business purpose. The employee clearly puts the company at risk. The employee may bypass all the security policies of the company, as well as the fences the company put to protect its IP or infrastructure.

BYOC is so easy to do and unfortunately it is awfully convenient.

  • You just need to enroll on a free SaaS service to launch it immediately. It is sometimes faster than asking the same service from the IT team. How many of your employees have opened an account at DropBox, Box, GitHub, or whatever other cloud sharing service. How many of your sensitive information are already widely in the cloud? The employee will most probably not check whether the system is secure. The default settings are not necessarily the ones that you would use. Of course, the employee will not have read the SLA.
  • You just need to use the company credit card to open an account at IaaS or PaaS providers. This is clearly faster than asking the IT team to install a bunch of servers in the DMZ. But how secure will they be?

The fast and free/cheap enrollment of cloud services make it extremely attractive for employees. And they do not make it maliciously. They will always have strong rationales for their action.

But, it can become easily a nightmare for the company when the things are going wrong. Especially, if the employee used his/her personal mail to register rather than the company’s email. In that case, the company will have hard time to handle these accounts.

What can we do? Cloud is inevitable, thus we must anticipate the movement. A few actions:

  • Provide a company blessed solution in the cloud for the type of services will need. This solution can be fine tuned to have the security requirements you expect. The account will be in the name of the company, thus manageable. Premium services offer often better security services such as authentication using your Active Directory, logging, metering…
  • Update your security policy to make it mandatory to use only the company blessed solution
  • Educate your employees so that they are aware of the risks of BYOC
  • Listen to their needs and offer an attractive list of company blessed services
  • Make it convenient to enroll the company blessed services.

 

Do you share this concern? What would you recommend?

Top threats for cloud computing

Posted on by
Reply

The Cloud Security Alliance released a document listing the nine top threats of cloud computing: “The Notorious Nine”.  The top nine threats are:

  1. Data breaches; an attacker may access your data
  2. Data loss; the loss may result either from an attack, a technical problem or a catastrophe.   The document wisely highlights the issue raised by encryption (to protect against threat 1)
  3. Account hijacking
  4. Insecure APIs;  this one is extremely important, especially for system designers.  It is not necessarily unique to the cloud, but it is clearly exacerbated with a cloud infrastructure.
  5. Denial of service
  6. Malicious insiders
  7. Abuse of cloud services;  using the cloud for nefarious actions such as password cracking. Well, every coin has two sides.
  8. Insufficient due diligence; jumping in the cloud wagon without enough preparation may be an issue.  This is not proper to the cloud. It is true for any new paradigm.  BYOD (Bring your own device) is a perfect illustration of such problem.
  9. Shared technology vulnerability; As you share components, pieces of software with not necessarily enough isolation, a single vulnerability may impact many players.

Each threat is described and illustrated by a real world example of an attack.  A risk matrix allows to compare them.

This list has been established by conducting a survey of industry experts.  Unfortunately, the document does not give details about the number of surveyed experts, their locations, and their qualifications.

Good document to read.

Insuring clouds

Posted on by
2

Every body is running, very enthusiastically, towards cloud computing.  Sometimes, it reminds me lemmings.  I hope that I am wrong.  Let’s be positive.  Obviously, cloud computing will bring advantages.  Nevertheless, according to me, cloud security is only in its early infancy.

 

Thus, any cloud deployment should make a serious risk analysis (even if we have only a vague idea of the real threats).  When risks appear, insurance should also appear.

 

A company Cloud Insure seems to explore this new opportunity.

CloudInsure is a Cloud Insurance platform designed to specifically address emerging liabilities within the Cloud environment. In partnership with global insurance and reinsurance carriers, we’ve engineered privacy & security liability coverage to meet the needs of the Cloud Computing space for enterprise customers. Through our innovative underwriting models and proprietary analytics, we bring insurance solutions that move at the pace of Cloud technology.

Are you aware of other such companies?

Linksys and the cloud snafu

Posted on by
Reply

A new trend in management of gateways and routers is to use the cloud. Currently, gateways and routers are locally managed by the user, and often remotely managed by the operator through protocols such as TR69.    The new trend delocalizes the device management to the cloud.   In other words, to modify the router/gateway, you have to use a remote service.  Most manufacturers, if not all, are following this path.

Last month, Cisco launched its Cisco cloud connect service that offers this capability.  For that purpose, Cisco has to install new firmware into deployed Linksys routers.  Cisco launched such update. Thus, many customers who had opt-in the automatic firmware upgrade (which, by the way, is usually a smart decision) where automatically upgraded loosing the local ability to manage their device.   This automatic upgrade started a huge rumpus on the forums; many people having the feeling that loosing the local management was equivalent to lose the ownership of their router.  This was the first issue.  Many people believed that this upgrade would be systematic for every Linksys router.

Unfortunately, inside the Terms Of Services (TOS) of Cisco Cloud Connect, it was mentioned that Cisco might keep track of a variety of information including Internet history and might share “aggregated and anonymous user experience information” with service providers and other third parties.  This second issue was even more devastating for Cisco.

Cisco quickly reacted and took a set of appropriate actions:

  • Explaining that the upgrade was done only if the customer requests it or if he opted-in of automatically upgrading.  Cisco provided a method to revert to local management,
  • Modifying the TOS to remove the section related to collection of data such as Internet history,
  • And highlighting that Cisco does not use the routers to collect information about Internet usage.

Lessons:

  • Full remote management of a user owned device may be adversely perceived.   Hardware ownership is strongly connoted of control.
  • Privacy is important for some people and not necessarily rationale.   Privacy’s perception is complex.  How many of the people who complained regularly use Google (or whatever search engine) and click on the proposed link leaving a trace of their Internet usage to Google?    An interesting sociological study to do;  Privacy is a touchy complex topic.
  • There are some people who carefully read TOS!!!

 

Thanks to RG for the initial pointer.