Cloud Computing: More Java holes found in Google App Engine

Grazed from ITNews. Author: Juha Saarinen.

A Polish security firm has discovered more vulnerabilities in the Java coding platform used on Google's App Engine (GAE) cloud computing service, which could allow users to get access beyond their own virtual machines. The Security Explorations team, which has made a name for itself by unearthing large numbers of security holes in Oracle's Java framework over the past few years, said it had reported seven vulnerabilities to Google, along with proof of concept code.

Three of the flaws allow complete bypass of the GAE Java security sandbox. Such a bypass could be used by attackers to glean information about the Java Runtime Environment as well as Google's internal services and protocols to spawn further attacks on the GAE platform itself...

Tor Cloud Project killed off by failure to fix software bugs

Grazed from ComputerWeekly. Author: Caroline Donnelly.

The closure of the Tor Cloud Project should be seized by users as an opportunity to find an alternative way to access the internet anonymously using the cloud, its operators have claimed. The Tor Cloud Project was set up in November 2011 so users could deploy Tor bridges using Amazon EC2 instances and – in doing so – donate bandwidth for other members of the Tor network to use.

However, since hitting peak usage in mid-2013, the number of Tor Cloud bridges being deployed has steadily dropped off and now the operators of the pro-privacy internet network have called time on it completely...

EU cloud fragmentation impacting trust

Grazed from CBROnline. Author: Editorial Staff.

The European cloud market, from a legal standpoint, is still a fragmented one which leads to a complexity which may impact trust in cloud adoption for companies. Across 28 European countries, no specific cloud contract laws were found to exist and no 'cloud cases' were seen to be reported.

This has resulted in general laws being applied to a cloud environment, which leads to fragmented solutions internationally on various topics, with one key example relating to the debate on the return of data stored in the cloud after a contract's termination. There is also confusion on an EU level on how to deal with protected information that is stored in the cloud...

Cloud Computing: New Browser Hack Can Spy On Eight Out Of Ten PCs

Grazed from Forbes. Author: Bruce Upbin.

A group of Columbia University security researchers have uncovered a new and insidious way for a hacker to spy on a computer, Web app or virtual machine running in the cloud without being detected. Any computer running a late-model Intel microprocessor and a Web browser using HTML5 (i.e., 80% of all PCs in the world) is vulnerable to this attack.

The exploit, which the researchers are calling “the spy in the sandbox,” requires little in the way of cost or time on the part of the attacker; there’s nothing to install and no need to break into hardened systems. All a hacker has to do is lure a victim to an untrusted web page with content controlled by the attacker...

NSA's Grand Plan to Snowden-Proof Its Data Using the Cloud

Grazed from NextGov. Author: Frank Konkel.

Almost two years ago, the National Security Agency forever lost its “No Such Agency” nickname at the hands of one of its contractors -- a once-trusted insider by the name of Edward Snowden.

Snowden’s stream of leaked NSA secrets about classified surveillance programs shined the public spotlight on the clandestine government organization. Though the stream has now dissipated to a trickle, the impact to the intelligence community continues...

The Privacy Challenges of Cloud Computing

Grazed from InfoSecurity. Author: Andy Kimble.

As technology advances, companies are increasingly turning to cloud-based solutions to solve the challenges posed by the increasing costs of traditional infrastructure. However, cloud-based solutions pose their own challenges, particularly where personal data is being stored or accessed from the cloud.

The Data Protection Act 1998 (DPA) governs the processing of personal data in the United Kingdom by data controllers. A data controller is an organization that (either alone, jointly or in common with other persons) determines the way in which personal data is, or will be, processed. A data processor is an organization that processes personal data on behalf of a data controller...

Cloud Computing: 3 Reasons Apple Is Pushing for NSA Spying Reforms

Grazed from TechCheatSheet. Author: Nathanael Arnold.

Earlier this week, Apple and several other major U.S. tech companies renewed their calls for the U.S. government to reform its controversial electronic surveillance programs. In an open letter addressed to President Barack Obama, NSA Director Admiral Rogers, Attorney General Eric Holder, and several prominent members of Congress, Apple and dozens of other signatories urged the government to end the bulk data collection practices that were authorized under Section 215 of the USA Patriot Act.

As noted in the letter, Section 215 of the USA Patriot Act is used as the legal basis for the NSA’s bulk collection of electronic communications metadata. The letter also asked the government to institute “transparency and accountability mechanisms for both government and company reporting” for decisions made by the secret Foreign Intelligence Surveillance Court...

Cloud Computing: Amazon doesn't want you to know how many data demands it gets

Grazed from ZDNet. Author: Zack Whittaker.

Amazon remains the only US internet giant in the Fortune 500 that has not yet released a report detailing how many demands for data it receives from the US government. Although people are starting to notice, the retail and cloud giant has no public plans to address these concerns. Word first spread last week when the ACLU's Christopher Soghoian, who's spent years publicly denouncing companies for poor privacy practices, told attendees at a Seattle town hall event that he's "hit a wall with Amazon," adding that it's "just really difficult to reach people there."

Almost every major internet company issues on a bi-annual basis a report of how many demands for data it receives from the US government (and others). In the wake of the PRISM surveillance scandal, where nine tech companies were accused of being complicit in NSA surveillance, the tech industry wanted more transparency...

'Security, privacy' main barrier to 'government cloud' rollout in EU

Grazed from TheRegister. Author: Editorial Staff.

Security and privacy issues are holding back "the cloudification of governmental services" in the EU, according to a new report. The European Union Agency for Network and Information Security (ENISA) said concerns about how sensitive data is protected in a cloud computing environment have not been resolved. It said data security and privacy issues were the main reasons that "deployment of governmental cloud computing is in general at a very early stage" in the EU.

"Security and privacy issues are considered as key factors to take into account for migration, and at the same time are the main barriers for adoption," ENISA said. "Protection of sensitive data is still an issue seeking solution, spanning from the SLA provisions to the actual technological mechanisms, i.e. encryption etc...

Is cloud computing secure enough for spies? CIA bets on Amazon

Grazed from ZDNet. Author: Steven J. Vaughan-Nichols.

When you think spy agencies and the cloud, you probably think about the National Security Agency (NSA) snooping on the cloud. Well, guess what? Intelligence agencies use the cloud for their own IT as well. Or, at least the Central Intelligence Agency (CIA), aka the Company, does with its own private Amazon cloud.

Why would the CIA do this? Well, as Michael McConnell, former director of the National Security Agency, said in 2012, "The economics of the cloud are so compelling they can't be denied. [But,] we have to get the security aspects right." So while I'm sure the CIA's cloud takes the notion of a private cloud to new levels, it's not going to share its cloud security secrets...