Guidelines on Security and Privacy in Public Cloud Computing

NIST provides some recommendations for using a public cloud.  This excellent document gives very practical guidelines.  Every IT manager who plans to use a public cloud infrastructure, and who cares about reliability, security and liability, should read it before making any decision and before selecting a service provider.

Faced with the economic benefits of public cloud, it is extremely difficult to resist the sirens' song.  This document raises some serious issues and may help to keep things under control.  For instance:

  • Even if you are using a public cloud, your company remains accountable for the overall security of your service, including the outsourced part.
  • As a cloud computing infrastructure is highly uniform, it should in theory be easier to harden the platforms and manage their security (a positive point for IaaS).  Unfortunately, the use of hypervisors (virtual machines) increases the attack surface (although many people believe that virtual machines are more secure).
  • Sharing an infrastructure with unknown parties is a potential issue.  Strong assurance should be provided for the mechanism enforcing the logical separation.
  • Be ready to audit your service provider if security matters to you.

A must-read paper if you are about to board the cloud boat.  The paper is about public cloud.  Nevertheless, some parts are also useful in the context of private cloud.

Reference

W. Jansen and T. Grance, Guidelines on Security and Privacy in Public Cloud Computing, NIST, 2011, available at http://csrc.nist.gov/publications/drafts/800-144/Draft-SP-800-144_cloud-computing.pdf.

Migrating

The blog of content protection is moving to both a new web host and a new blogging engine.  I will now use WordPress.  I will try to transfer the old posts to the new blogging engine.  Thus, there may be some slight hiccups.

I hope that the new web host will be more reliable than my previous one.  My site was too often down.

Password re-use

We often suppose that some users re-use the same password on many Internet sites. Most probably, the same password will also be used to log on to their company network. This is an extremely valuable path for hackers, as some Internet sites do not protect the stored passwords correctly (if they protect them at all). Thus, an attacker who gets access to such a list of accounts and passwords may, with a little social engineering, try to log on to companies' accounts.

Gaw and Felten (Princeton, 2006) and Florencio and Herley (Microsoft, 2007) published empirical studies which estimated re-use at less than 20%.

Some password databases have been hacked since the beginning of this year. Joseph Bonneau from Cambridge used this opportunity to make a new empirical study. His conclusion is that the ratio of re-use is higher. With a conservative approach, he estimates that 30% of people may re-use passwords.

This is worrying but understandable. For every user, the number of sites requiring a login is exploding. I just checked how many passwords my Firefox password manager handles (not far from 200 :( and with several different identities!). How can we reasonably expect users to use a different password for each site?

Nevertheless, it may be mitigated by some observations. One important factor is the source of the comparison, i.e. which sites leaked. I suppose (or hope) that many people have a multi-level approach to passwords: using a weak, re-used password for unimportant sites, and more robust and diversified ones for more important sites.

For the sites where I do not care about being impersonated, I use the same very simple password. For sites where I must not be impersonated, I use diversified, robust passwords. And of course, for Technicolor accounts, I use passwords radically different from the ones I use on the Internet.

What policy do you use?

In any case, Bonneau’s post is interesting to read.
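As an added illustration (not code from this post or from Bonneau's study), the script below reproduces the two ideas the post describes on constructed sample data: the cross-site re-use ratio that an empirical study measures from two leaked lists, and a defender's check of whether a corporate account still uses a password that leaked for the same e-mail, so that it can be reset. All e-mail addresses, passwords, salts and the toy hashing scheme are constructed assumptions.

```python
import hashlib
import hmac

# Constructed sample dumps (e-mail -> leaked password); not real data.
SITE_A = {
    "alice@example.org": "Sunshine1",
    "bob@example.org": "hunter2",
    "carol@example.org": "Tr0ub4dor&3",
    "dave@example.org": "letmein",
    "erin@example.org": "correct horse",
}
SITE_B = {
    "alice@example.org": "Sunshine1",        # exact re-use
    "bob@example.org": "hunter2!",           # near re-use: not counted
    "carol@example.org": "zebra-89-Quartz",  # distinct
    "dave@example.org": "letmein",           # exact re-use
    "frank@example.org": "qwerty",           # only on site B
}

def reuse_ratio(site_a, site_b):
    """Share of users present on both sites whose passwords are identical.
    Returns (reused, overlap, ratio). This is a conservative count, since
    near re-use such as appending '!' is not counted."""
    common = set(site_a) & set(site_b)
    reused = {u for u in common if site_a[u] == site_b[u]}
    return len(reused), len(common), (len(reused) / len(common) if common else 0.0)

def salted_hash(salt: bytes, password: str) -> str:
    """Toy salted hash for the illustration only; a real directory would
    use a slow password hash such as bcrypt, scrypt or Argon2."""
    return hashlib.sha256(salt + password.encode()).hexdigest()

# Constructed corporate directory: e-mail -> (salt, salted hash).
CORP = {
    "alice@example.org": (b"s1", salted_hash(b"s1", "Sunshine1")),     # re-used
    "bob@example.org": (b"s2", salted_hash(b"s2", "Cz9!vq-Lantern")),  # distinct
    "dave@example.org": (b"s3", salted_hash(b"s3", "letmein")),        # re-used
}

def exposed_accounts(corp, *dumps):
    """Corporate accounts whose password equals one leaked for the same e-mail.
    Only the leaked value for that user is hashed, so this is a lookup, not
    a guessing loop; flagged accounts should get a forced reset."""
    hits = set()
    for user, (salt, stored) in corp.items():
        for dump in dumps:
            if user in dump and hmac.compare_digest(salted_hash(salt, dump[user]), stored):
                hits.add(user)
    return sorted(hits)
```

On the constructed data, `reuse_ratio(SITE_A, SITE_B)` gives 2 re-users out of 4 overlapping accounts, and `exposed_accounts(CORP, SITE_A, SITE_B)` flags alice and dave.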

The S.978 bill

On May 12, 2011, senators KLOBUCHAR, CORNYN, and COONS introduced the S.978 bill to amend the criminal penalty provision for criminal infringement of a copyright, with text such as:

‘‘(2) shall be imprisoned not more than 5 years, fined in the amount set forth in this title, or both, if—
‘‘(A) the offense consists of 10 or more public performances by electronic means, during any 180-day period, of 1 or more copyrighted works; and
‘‘(B)(i) the total retail value of the performances, or the total economic value of such public performances to the infringer or to the copyright owner, would exceed $2,500; or
‘‘(ii) the total fair market value of licenses to offer performances of those works would exceed $5,000;’’

which means that this type of act is clearly a felony. In the United States, a felony is for serious crimes whereas a misdemeanor is for lesser crimes. A felony carries a risk of more than one year in jail. (It is similar to the French distinction between crime and délit.) It also provides some minimal thresholds…

The second set of changes is the systematic addition of public performance to the litigious conditions. Currently, streaming illegal content is not a felony because it often falls under public performance rather than reproduction or distribution, which are already covered by the law.

In other words, using DDL sites, such as RapidShare or MegaUpload, to illegally stream copyrighted content may become a felony.

The obvious targets are the streaming sites. Nevertheless, the modification may also apply to people who post illegal content on YouTube, or to people who would put a link to illegal YouTube content on their web site/page. Terry HART makes an interesting, well-documented analysis of this “side channel” consequence on the copyhype site.

The bill is currently under the scrutiny of the Committee on the Judiciary.

PC game piracy examined

Koroush Ghazi maintains the site TweakGuides, whose purpose is to help optimize your PC. One of his biggest focuses seems to be PC games.

He published a long article, “PC game piracy examined”. This paper is excellent. He presents a very balanced, realistic view on piracy, game piracy and especially PC game piracy. His vision encompasses the economic aspects, which makes it realistic. For instance, he explains the lack of games on Mac: initially the platform was too pirated and the market was too small to have a ROI.

According to him, piracy harms PC games, because developers may first go to consoles, which are less pirated. Clearly, using a hacked game on a console requires either a modchip or flashing the firmware. All that makes it more difficult for Joe SixPack, and brings some risks (see “Ban under Xray” in security newsletter #18). Therefore, the PC became the preferred platform for pirated games.

He also debunks some myths, such as “DRM generates piracy” or “PC games are dead”…

If you are interested in game piracy, read it. It is really worthwhile.

Thanks to Yves for the pointer.

North Dakota Security Awareness Training

On the site of North Dakota, you may find a security awareness training. It is reasonably good and informative. The targeted audience was North Dakota administration employees. Nevertheless, it can be used by everybody.

You may say: “OK, one more”. And you would be right. What I found interesting is the date of this training: 2001. It is a jump into the past. And ten years later, it is still valid!!! Of course, some newer threats are missing, such as removable storage media (USB memory sticks, for instance) and the new Internet threats such as phishing, social networks… But the threats that were already present in 2001 are still present in 2011. We have solved none of them, and many new ones have appeared.

We rely more and more on IT, and the environment is becoming more and more dangerous. More and more people handle tools that they neither master nor understand. We have to provide better training to increase security awareness. At school, it should be mandatory training, starting at an early age, so that it becomes a pure reflex.

If in 2021 we look at a security awareness training from 2011, will there be at least some old threats that have disappeared? Medicine succeeded in eradicating some illnesses; why could we not achieve the same in security?