Grazed from InformationWeek. Author: Matthew J. Schwartz.
Want to succeed at security? Then lose the perfectionism, stay skeptical, and treat new technologies, including the cloud, with caution.
Those were three common themes that emerged during last week’s Black Hat Europe conference in Amsterdam. Of course, the annual gathering also featured plenty of hardware hacking, details of new bugs in everything from SAP to Cisco VoIP systems, all-day technical training sessions, and loving tear-downs of Apple iOS and Google Android mobile operating systems…
But throughout many of the sessions these three themes–along with corresponding admonishments and warnings–were consistently voiced:
1. Forget Perfectionism. Cryptographer Whitfield Diffie, in his keynote speech opening the conference, highlighted a persistent challenge faced by information security practitioners: they get no credit for all of the attacks they successfully repel. "Even when defense has done its job well, it is blamed for doing anything other than doing it perfectly," he said. But who has the time–or money–for perfection? Instead, businesses must emphasize getting something in place that’s good enough to do the job.
One case in point involves Bradley Manning, who allegedly leaked confidential government memos to WikiLeaks. "In one sense, very clearly, for the [Department of Defense] it is a security failure," he said. But what really happened? Foreign adversaries didn’t break the Pentagon’s high-grade cryptography, crypto equipment, or key management setup. Instead, the attack hinged on a single insider who already had access to the materials in question.
"A variety of people who designed the system should say, we did a pretty good job of that. We had an awful thing happen, but it’s something that the opponents can’t mass produce," Diffie said. In other words, almost any security can be defeated. But just how gracefully does it fail, and how difficult or expensive would it be for an attacker or attackers to successfully repeat the effort?
2. Keep Cloud Security In Perspective. Avoid the cloud? Hardly. As long as it offers lower costs and better ease of use than traditional on-premises systems, that’s never going to happen. From a security standpoint, however, cloud architecture isn’t always ideal, and thus it demands strong doses of security skepticism for anyone who’s called on to secure business data that’s stored there.
"What I find interesting is that Web security bugs are existing with companies that we’re pretty sure know what they’re doing," said Felix "FX" Lindner, head of Recurity Labs in Berlin, in an interview at Black Hat. "Even Google has issues doing that," he said.
In other words, it’s tough to get security right in the cloud, not least because clouds aren’t static. Developers keep pushing new code, as do business partners, plug-in providers, and everyone else who’s tied into the cloud ecosystem. "The inherent problem with cloud is it’s a moving target," he said. Furthermore, just one coding error in any of that code might be exploited by an attacker to gain access to a cloud-based target.
That constantly evolving code base may also not be protected with extra layers of security. In fact, the opposite is most often true. "We worked on privilege separation in the operating systems for years and years–don’t work as root, and stuff like that," said Lindner. "But the cloud does it, and sometimes there’s just one account, or password." In such scenarios, attackers may need to compromise only one credential to gain the keys to a business’s cloud kingdom.
Some cloud providers, however, are better than others. "Ridiculous as it might sound, I think Microsoft is doing it right with Live.com–‘We’re using the secure development lifecycle, and we don’t do anything without SSL,’" said Lindner. "I don’t understand why any Google functionality is available via HTTP; it’s not like they don’t have the computer power to do it all in HTTPS." Indeed, if the cloud remains hard to secure, why aren’t cloud providers offering as much out-of-the-box security, by default, as possible?
3. Beware Free Lunches. Whether it pertains to cloud security, the challenge of hardening mobile devices, or the speed with which vendors patch, Black Hat presenters urged skepticism: trust nothing, verify as much as possible, and above all, get working security in place quickly.
For a profession that tends to reward paranoia, however, many conference attendees appeared to arrive without their skepticism intact. The well-known first rule of Black Hat, notably, is to never trust the conference’s wireless network, since it’s more than likely that someone will be sniffing your packets or attempting to own your mobile device. Accordingly, deactivate Bluetooth, and beware Wi-Fi–especially hotspots with names such as "LEGITFREEWIFI."
Otherwise, you may end up on the wireless router with that SSID, which happens to be owned by Steve Lord, a director at information security consultancy Mandalorian. Lord brought an extra router with him to Black Hat Europe, then used dsniff to log the credentials that flew across the router. "Weaponizing hotspots is fun," he said in his Black Hat Europe presentation.
Any "should have known better" free hotspot takers? He had more than a few, including one apparent conference attendee who used the hotspot to telnet into his Cisco router–username: "Cisco," password: "Cisco." "But I’ve no way of knowing if someone was just messing with me or they really logged on, as dsniff didn’t log the full session, just what was sent," said Lord in an interview.
Thankfully, Lord also said he would name no names and had deleted all of the collected data, noting that it was lucky he wasn’t running an "evil mobile coffee hotspot."
Of course, it was alarming to see information security professionals fall for what should have been an obvious trick. The moral: "If something at a security conference looks too good to be true … don’t connect to it," Lord said. Those are words to live by–and not just at security conferences.
Today, there are two startups in focus – Vaultive and Eccentex.
Racemi, provider of technology that accelerates migrations to cloud computing, on Wednesday announced it has joined the Cloud Tools Network with Rackspace Hosting, a specialist in the hosting and cloud computing industry.
Dell is looking to position itself as a one-stop provider for cloud computing with the launch of a reference platform based on OpenStack and Ubuntu, running on Dell hardware and backed by its service and support know-how.
EMC Corporation today announced an expanded portfolio of cloud services to help customers accelerate the adoption, consumption, optimization, and management of cloud technologies. The new services help customers accelerate their IT transformation initiatives, enabling IT to more quickly deliver ITaaS to their clients, thereby helping customers to fully realize the benefits of efficiency and agility gained through all phases of their cloud computing. The new EMC services announced today address the transformation of people, process and technology and range from strategy and business case development, to design and deployment, to support, optimization, and education…
The hot IPO this week is — what else — another cloud computing-type company, ExactTarget, looking to price 8.5 million shares from $15-$17 tonight (Wednesday), for trading tomorrow.