Tag: Security

Cloud security


One of the most common reasons people cite for being concerned (or downright afraid) of putting their information into ‘cloud’ services is security. Interestingly, most of their reasoning is based on hearsay and hysteria. Many in fact simply parrot back what they have read or heard somewhere. What I’d like to do here is provide a little bit of balance to the argument and some alternative points of view that I think many naysayers haven’t considered.

1. Security is a journey not a destination. When human beings are involved, nothing will ever be perfect. There will be oversights, errors and mistakes. That is simply a fact. This means that it can happen whether the information is stored locally or whether it is hosted. I will however point out that the chances of error are reduced (you can never eliminate them) when you have multiple people and processes looking at the systems. This is probably more likely going to be the case for hosted environments in large data centres than on a single server at a customers premises.

2. If you are using email you are already sending information insecurely. Emails are generally sent in plain text with no encryption and with no guarantee of delivery. In most cases you have no idea that the person who is reading your email is the one that you sent it to. Some surveys note that up to 20% of legitimate email never gets delivered to the intended inbox. But does this stop people using email? Certainly doesn’t seem to. So, on the one hand people are worried about saving their information on hosted servers yet they freely send that same information in emails, without security to someone they hope is the right person at the other end. If you were so worried about your information being secure you wouldn’t use email now would you? The reality is that the functionality of email far outweighs, for most people, any risk of insecurity.

3. If you are using a device that has access to the Internet, that can browse web pages and receive emails that device is already connected to the ‘cloud’. Further more, if you can get to the ‘cloud’, the ‘cloud’ can get to you. So how worried are you about that server you have on your premises that is connected to the Internet? How secure is the information stored there? How do you know that someone isn’t stealing that information while you are reading this? Generally, you won’t. Sure you have firewalls and other security protection on your equipment but how do you KNOW it is working? Do you employ someone to monitor it constantly? Probably not but large hosting firms do. They can afford to invest a significant amount of money in security and pay the best people to monitor it. Their challenge is no different from yours but chances are they have significantly more resources on tap that someone running a server as part of their business does.

4. The Patriot Act applies everywhere a US company operates. So many people I hear say they want their data stored locally so that it won’t be subject to the US Patriot Act. The reality is that any US based company is subject to the Patriot Act no matter where they operate. That means that if Microsoft or Google had data centres here in Australia (which they don’t currently) they would still be subject to the US Patriot Act. Aside from that, there are far reaching agreements between international law enforcement agencies to provide access to data outside their jurisdiction upon request. And even further to that, local intelligence agencies, like ASIO in Australia, typically already have the right to access your data without your knowledge. Don’t believe me? See:

ASIO Powershttp://www.pcworld.idg.com.au/article/100781/asio_given_power_hack_systems/
“The legislation allows ASIO operatives to hack into PCs and corporate networks to retrieve data, and add, delete, or alter data in the “target” computer, while being immune from prosecution under the Crimes Act hacking provisions.”

and they have had this power since 1999! (Pre 911!).

5. Why worry about hacking our information when they can tap our phones? Many people are paranoid about their information security but give no thought to the fact that their phone conversations could be tapped. Many readily carry on a conversation on their mobile with the person at the other end and the fifteen people in the immediate vicinity. If they were truly paranoid about all their information they would be more judicious about using the phone wouldn’t they? Again, the convenience far outweighs the risk of a breech but that still doesn’t mean it can’t happen, it still doesn’t mean it won’t. How can you maintain information security if you are going to blab it out next time you receive a call in a public place eh?

6. We use the hole in wall (ATMs) to get money when we need it. We use Internet banking as a convenient way of managing our money. If you were truly concerned about security wouldn’t you squirrel you money under your pillow and not trust the banks? You could but most don’t. Why? Because there are far more benefits with trusting your money to bank. They can centralize it and implement better security, they can make it available to you a more convenient places and locations (read ATMs) and so on. Is there a risk that your money will be stolen? Certainly, but again the convenience outweighs the risk. I understand that money is different from information but in a lot of ways the model we understand and use that is modern banking is very similar to ‘cloud’ computing. That seems to work pretty well for most people despite its flaws.

So there you have it. A few of my thoughts on the whole ‘cloud’ security argument. There will of course be people who reject all these and continue to argue that on premises is the only way to be secure. I hope that you can at least see in some little way that such an argument has less and less validity when you do a like versus like comparison without the emotion that seems to litter so many discussions around today on ‘cloud’ security.

I’m sure back in the day, many people questioned how the automobile could replace the trusty horse. Guess what? We don’t see many horses on our roads these days do we?

Staying up to date

One of the most causes of security breeches is out-dated software. However, in a world where you can have hundreds of different applications installed?

 

There is a free solution to keep you informed about the update status of many common applications – Secunai PSI. It is designed to be installed on personal machines and then inform on what applications are installed and how up to date they are.

 

image_2_19C8166F

 

After installing and running a scan you will be able to view a report of the applications installed on your machine. You’ll also see whether any require updating and in most cases you’ll also be given a link to take you to the update page for the software.

 

Once installed the Secunia software will also sit in the background and inform you when new updates become available. This really makes it an easy way to ensure you system is not only up to date but also more secure.

Unfazed

I found the following article via the Sydney Morning Herald app on my iPad but for some reason it doesn’t appear in the online version (or at least that I can find). Which is strange, but here it is with my commentary below:

 

JULY 27, 2011

Customers unfazed by spike in computer glitches, survey reveals

FATIMA KDOUH

THE inconvenience caused to bank customers by meltdowns in information technology does not appear to have had an impact on levels of customer satisfaction with the big four banks.

Figures from the most recent survey of consumer attitudes by Roy Morgan Research continued on an upward trend of 1.2 per cent in June, with 75 per cent of customers saying they were satisfied with their bank despite a recent spike in system glitches across all four banks.

The latest system failure at Westpac, which delayed the processing of payments, was being blamed on a ”corrupt file”.

 

The bank, which has recently embarked on an ambitious, $2 billion computer-system upgrade, insisted yesterday the failure was not a result of any scheduled computer revamp.

The latest headache for Westpac customers is one of a long list of upsets for bank customers in recent times. In April, NAB customers were left unable to access their pay after a processing failure. In May, ANZ customers were unable to access their online accounts and, a month later, a technical error prevented Commonwealth Bank customers from using their online banking accounts.

 

The Commonwealth and NAB are undertaking billion-dollar ”core migration” upgrades of their computer systems, and the Commonwealth is well ahead of its rivals.

 

But ANZ, which has more modern core systems than its rivals, recently said it would not invest in major upgrades of its existing computer technology.

 

The upgrades are complex and involve replacing technology that in some cases is decades old, making teething problems like those experienced of late inevitable.

– My comments –

So why is that relevant? Well, to me it indicates that for all the sensationalism about service level agreements and uptimes with cloud computing it seems, from the above anyway, that most people are willing to put up with glitches.

 

There seems to be this belief that moving to the cloud should guarantee 100% uptime. If it involves technology and if it involves human beings then there is always going to be the chance of downtime. Much the like the banking systems detailed above, such large system are much more reliable in the cloud but they will never be perfect.

 

The key here is:

 

“does not appear to have had an impact on levels of customer satisfaction”

 

Why? Because most customers understand the complexity of these systems and expect issues now and again. Sure, there is a point when enough issues will start impacting their levels of satisfaction but I’d say that if this is the case with banks why won’t it be the same for cloud computing? And why are all these pundits screaming about the unreliability of moving to the cloud? Simple, you get more attention for sensationalism than you do for reality, although reality wins out in the long run. So too will cloud computing. Customers don’t expect it to be perfect but they are happiest when the costs are kept down, which is what moving to the cloud is doing to the cost of technology for most businesses. For that reduction in price most are prepared to tolerate ‘glitches’.

Reality check

I heard a number of people recently say that they wouldn’t store their data in data centres because it is more likely to be hacked and stolen. Ah, …say what…? Rather than get into the technicalities of cloud security let me draw an analogy here.

If you really wanted to you could stick all your money under you mattress at home. Does that make in immune from theft? Nope. Most people elect to trust their money to a bank. You’ll pay a fee for this but you gain a certain amount of increased security and convenience. Given that banks are holding the assets of many people they can spread the cost of improved security across all the customers as well as given them the convenience of accessing their money just about everywhere.

Does this mean you won’t maintain some money at home and in your wallet? Nope. It just means you don’t have to maintain all your savings with you all the time. Does this mean that a bank isn’t subject to theft? Certainly not. But generally you’d have to agree that it is less likely to be subject to theft even though it looks after a lots of people’s money.

Security is never perfect, security is journey not a destination, security is about human beings and human beings are far from perfect and finally it is about risk and return. Sure you could keep all your money under your mattress but is it really more secure? And what price do you pay in convenience over trusting it to a bank? Seems to me that most people see the rewards of being with a bank much greater than the risk. Banks are also commercial entities, which means they need to abide by legislation on how they deal with people’s money. They are also private enterprises whose reputation (and stock price) will suffer if theft occurs. These is just two powerful incentives for banks to ensure they keep people’s money secure.

So how is it that people seem to think their data is more secure if it is saved on a server in their office? Chances are that server is connected to the Internet full time. This makes it its own data centre. Why is it people believe their own little in house data centre is less subject to attack that a large commercial data centre? It really just doesn’t make any sense.

Of course there is the argument that if you money gets stolen while in a bank it will generally get refunded by the bank but what happens in the case of your information being stolen? Once your information has been stolen there is generally not a lot a way to ‘replace’ it. However, let’s look at the fact that people are happy to send emails full of that same information to people they have never met, unencrypted and unsecured across the public Internet without a moments thought. Even given this hugely insecure process it still remain wildly popular doesn’t it? Why? Because the convenience trumps the security issues. Risk and reward at work again.

There are certainly challenges with cloud computing including the storage and security of data. Yes by all means lets have a debate about the issue, but lets have a debate about the reality of the world we live in not some hysterical emotional response to a perception of the truth.

Facebook https

When you do your Internet banking you (hopefully) do so over a secure encrypted connection. Amoungst other things, this ensures that no one else can see what you are doing. Unfortunately, other sites don’t usually do any encryption.

 

Enter Firesheep. This is a free utility anyone can download, install on their wifi enabled machine and basically take over your Facebook connection if you use it an open wifi hotspot like a coffee shop. Have a look at this article for more information on what is possible.

 

One way to thwart such attacks is to use a https (i.e. http with security) when using a service. Problem is most common social networking services don’t support a connection at their end. However, now Facebook does.

 

To enable this go into your Facebook account settings and select Account Security

 

image_2_2A2D3C03

 

Save the setting and then reconnect to Facebook. You should now see that you are connecting via https (i.e. securely).

 

image_4_2A2D3C03

 

Clicking on the security lock (i.e. certificate) shows:

 

image_6_2A2D3C03

 

This means all information sent from your browser to Facebook and back is encrypted and secure.

 

Hopefully it won’t be long before all the other majority sites also go secure. In reality there is no real technical reason why every site can’t be https. However, there are people out there who still really want to see where you browse and they have a fair amount of clout. Don’t forget that you still need to ENABLE this, so do it NOW and you’ll be much safer when you access facebook.

 

Hopefully the first steps to a fully https world!

Backup or be devastated

Here’s a copy of an article I wrote that appears in an e-zine from MyMate (on page 13) which can be found at:

 

http://www.wanttobebigger.com/MyMate-e-zine-June-2010.html

 

In the world of technology your last line of defence is the humble back
up, yet many businesses, especially small ones, remain extremely
caviller about this critical function of a business.

Nearly every business these days depends on IT. So what happens
when IT isn’t available? You have probably experienced a mild disaster
such as the internet being unavailable or a hard disk failing. The
question is, how long did that issue interrupt your business and how
much money did it cost you?

Now imagine a much bigger disaster, say your office being burnt down
or flooded. How long would it take you to get up and running again?
Most small businesses have never invested the time to consider their
disaster recovery planning – and they should – because without it there
is good chance they’ll go out of business after even a minor problem.

Let’s examine one simple aspect of disaster planning, backups. Most
businesses would probably say that they do backups, the problem is that
is only half of the solution. When was the last time that you actually
tested that your backups worked? You certainly don’t want to find out
that your backups don’t work after a disaster. So it is important that you
regularly test that you can restore from your backups. You should also
plan on doing a complete restore of all your data somewhere every 6-12
months to make sure you can get it all back.

Next consider how you would cope in a real disaster like a fire. What
plans do you have in place to keep your business operational? How long
will it take you to get up and going? How are you going to cope having to
get new IT resources like workstations, servers and printers? It really is
much better to plan for these eventualities ahead of time rather than
trying to have to manage them on top of everything else in the event of a
disaster.

Hopefully you will never have to implement your IT disaster plan but it is
important that you not only have one but that you practice its
implementation. This means that at least once a year you should
simulate an IT disaster and see how well your plan works and what may
need adjusting.

Too many businesses see their IT as simply an overhead. They fail to
realise that it is one of the most vulnerable parts of your business –
without which, you may be unable to operate.

If you value your data then you should value your backup and disaster
recovery plan, as they are going to save you. It is no good trying to
develop these in the middle of a disaster. They need to be planned,
implemented and tested beforehand, because as they say failing
to plan only means you’re planning to fail.

Bad guys win again (Part IV)

The Internet is a neutral place. For as much good as it allows it also permits equal amounts of bad. It is simply a medium. Probably the thing that most people have problems comprehending is just how ‘global’ cybercrime is. You can have your bank account details stolen by someone in Russia or you can have your server brought down by someone else in China. Given the growing speeds and pervasiveness of the Internet it is actually getting easier.

A recent program on 4 Corners “Fear in the Fast Lane” gives you some insight into the challenges faced. You can find a complete replay of the episode here:

http://www.abc.net.au/reslib/200908/r419212_1990446.asx

One of the cases it details is how an Alice Springs betting company was sent bankrupt because they failed to pay ‘cyber’ extortion money. Another instance shows how a simple drive through a Sydney suburb revealed about 20% of home wireless networks had no protection. So many people are using computers and networks these days but every few grasp the issues they face and the challenges security brings. If you are interested I created a video a while back that illustrates what can arise from insecure wireless networks after demonstrating the issues to a friend:

http://www.youtube.com/watch?v=mknGP-TOFu8
In an interesting turn of events, it seems that the Australian Federal Police featured in the story, who took over an underground hacking site, had their sting turned against them as “Hackers break into police computer as sting backfires” details. It further illustrates that there are just too many opportunities available for people to exploit vulnerabilities and weaknesses in computer systems. As I always tell people:

Q. How many different types of attacks and attackers do you have to protect yourself against?
A. ALL OF THEM.

now

Q. How many vulnerabilities or weaknesses does need to find to get inside your computer?
A. JUST ONE.

How can you win against these odds? Security is a huge investment that needs to be constantly maintained. Now consider your average computer user. Do they have the knowledge or the skills to even understand the threats they face – nope. As one of the Feds in the show says, it is probably about time that computer security be given same national priority as health but what are the chances of that?

As the show details, the problems are only going to get worse with the roll out of the Australian National Broadband network that will provide huge improvements in access speeds. I’m sure that the criminals can’t wait for that either because it means they can now achieve their ill gotten gains in a much shorter time period. A much better ROI.

Bottom line is that as we base more and more of our lives and society on computers without educating end users we are all losing out. It is typically the non-IT literate user who has their computer compromised without their knowledge. That computer is then added to a fleet of other compromised computers which are used to do the bidding of a cyber crim somewhere.

http://www.youtube.com/watch?v=BRhauoXpNSs
Because we all live on the Internet it is up to everyone to be aware and maintain the security of their own systems. People are just not doing that, which in effect impacts us all and makes the Internet a worse place to be. My contention has always been, imagine the roads if we didn’t have rules, cyber crime can reek just as much havoc yet we happily allow people to buy a computer and connect it directly to the Internet with no training or understanding. Don’t appreciate the problems this can cause? Watch the 4 Corners program and visit the accompanying site to see why the Internet is fast becoming a place that you MAY NOT want to be!

WiFi bounty hunter

After reading “The great WiFi robbery: police to patrol down your street” what I want to know is there some sort of bounty that I can claim if I find an open WiFi hotspot? It is interesting that police are now diverting resources to warn people about the issues of unprotected wireless.

 

“All unsecured WiFi networks out there are open for exploitation by the crooks and the average mum and dad don’t understand the vulnerabilities”

I have no argument with this statement but is it likely that others are going to appreciate the seriousness of the issue? As I mentioned in another recent post, most people still have no idea about the differences a digital world has created. An even earlier post I detailed how, on a recent visit to a friend, I found an unprotected WiFi hot spot in the street. This is not a new issue.

 

The article also says:

 

“He blamed computer equipment sellers for not doing enough to educate customers on the importance of security.”

 

Again no argument there. For my part I have created a YouTube video that highlights the issues with WiFi security. When I teach my Wireless Networking course at community college I ensure that I drum into attendees that wireless is ALWAYS more insecure that wired. It can be made more secure but it can never be made totally invulnerable to attack or compromise. The biggest problem is that generally out of the box most WiFi is totally insecure.

 

So where does the responsibility for WiFi security lie? With the user? With the equipment provider? With the installer? With the police? As the article highlights:

 

“The Queensland operation could attract criticism from those who believe police time would be better spent seeking out drug dealers and robbers, but Detective Superintendent Hay said the issue was just as important as any other.”

 

Which again harks back to my thoughts on how little most people really understand our digital world and the interaction it plays in the real world. The best advice I can give is to take responsibility for your own digital security. If you don’t understand then learn, otherwise sooner or later you’ll become a victim.