Friday, April 17, 2015

Why Amazon's Werner Vogel is wrong about cloud security

Werner Vogel, Amazon Web Services (AWS) CTO, speaking at the AWS Summit in London yesterday, made the rather amazing claim that security in the cloud is "much stronger" than anything you can have on-premises. As someone who has been writing about information security for more than 20 years, and covering the cloud security beat for five, I can understand why he might say that. However, that doesn't mean he is right; not for every customer, not for every implementation. If you are talking about the smaller end of the SME spectrum then, for the most part in my experience, there's a very good chance that the kind of dedicated security know-how and infrastructure investment available from the likes of AWS is beyond the reach of the average business. If you are talking about larger enterprises, which do have dedicated security teams and have already invested heavily in the relevant infrastructure and processes, well, sorry Werner, but that's a totally different ballpark.

PCI gives 14 months to fix high risk SSL problem

The Payment Card Industry Security Standards Council (PCI SSC) has moved to address the weaknesses in the Secure Sockets Layer (SSL) and early Transport Layer Security (TLS) protocols, most visibly exposed by POODLE (Heartbleed, which tends to get lumped in with it, was an OpenSSL implementation bug rather than a flaw in the protocol itself), with an out-of-band release of PCI DSS v3.1 that gives merchants until 30 June 2016 to migrate to TLS 1.1 or later. This latest iteration of the PCI Data Security Standard, however, has split the IT security profession when it comes to just how much protection it is really providing the card holder who shops online.

Saturday, April 11, 2015

Why did Apple take so long to fix Darwin Nuke vulnerability?

According to a SecureList posting dated April 10th, researchers Anton Ivanov, Andrey Khudyakov, Maxim Zhuravlev and Andrey Rubin discovered a vulnerability in the Darwin kernel back in December 2014. Why is this of interest? Well, the Darwin kernel is the open source core of both of Apple's operating systems, OS X and iOS. The vulnerability could allow remote attackers to mount a denial-of-service (DoS) attack against a device running OS X 10.10 or iOS 8. More worryingly, a single, solitary malformed network packet is enough to crash the target system, with whatever knock-on effect that has for any corporate network it may be connected to. Sounds pretty serious, right? Apple obviously thought so, seeing as it took the company, which is so profitable that it ranks in the top three companies on the planet, more than three months to fix it. The updated OS X 10.10.3 and iOS 8.3 software releases patched the holes, but even so, three months plus!!!

Firefox fail: Mozilla reinvents encryption wheel, which promptly falls off

It all started pretty well, with the announcement by Mozilla at the end of last month that the Firefox web browser would make the Internet a safer place by encrypting everything. That's everything, even connections to servers that don't support HTTPS at all. The 'Opportunistic Encryption' (OE) feature essentially acts as a bridge between plaintext HTTP connections and fully compliant HTTPS ones: a server that hasn't bothered with the digital certificate authority process, or which can't fully encrypt everything because of embedded plaintext third-party content such as adverts, advertises a TLS-capable port through the HTTP Alternative Services (Alt-Svc) header, and Firefox carries the http:// traffic over that encrypted connection without requiring a valid certificate. Firefox 37 made OE active by default. All of which was great, and hard to argue with; OE never promised anything against an active attacker, but it does deny passive eavesdroppers the plaintext, and Mozilla had done a good thing in enabling it. And then, a few days later, this happened: Mozilla Foundation Security Advisory 2015-44. Entitled 'Certificate verification bypass through the HTTP/2 Alt-Svc header', it detailed a critical vulnerability in the Firefox implementation of the HTTP Alternative Services specification. Specifically, if an Alt-Svc header is specified in the HTTP/2 response (and since Firefox only speaks HTTP/2 over TLS, that means the origin was an https:// site), TLS certificate verification could be bypassed for the specified alternate server. In other words, any warning of an invalid certificate would never be displayed, so an attacker could impersonate the site through a man-in-the-middle attack: precisely what certificate verification, the one thing HTTPS has that OE does not, exists to prevent. Mozilla's response, in Firefox 37.0.1, was to switch off the Alt-Svc support that OE depends on.
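To make the failure concrete, here is an added example in Python; it is not Mozilla's code, and it is a deliberately simplified model of the browser's decision rather than Firefox's actual Alt-Svc implementation. It parses an Alt-Svc header value in RFC 7838 syntax and then applies the policy that should gate the use of an alternative, with a `fixed=False` switch that reproduces the class of mistake the advisory describes: treating every Alt-Svc connection as an opportunistic one, so that https:// origins silently lose certificate validation. The hostnames and header values are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Set
from urllib.parse import urlsplit

# One alternative: protocol-id="[host]:port" followed by optional ;key=value parameters.
# Simplified from the RFC 7838 grammar; IPv6 literals in the authority are not handled.
_ALT_VALUE = re.compile(r"\s*([A-Za-z0-9!#$%&'*+.^_`|~-]+)=\"([^\"]*)\"((?:\s*;\s*[^;,]+)*)")


@dataclass
class Alternative:
    protocol: str   # e.g. "h2"
    host: str       # "" means "same host as the origin"
    port: int
    max_age: int    # seconds the client may cache this alternative (RFC default 86400)


def parse_alt_svc(header: str) -> List[Alternative]:
    """Parse an Alt-Svc header value into Alternative records."""
    if header.strip() == "clear":
        return []
    out = []
    for m in _ALT_VALUE.finditer(header):
        proto, authority, params = m.groups()
        host, _, port = authority.rpartition(":")
        if not port.isdigit():
            continue                      # malformed authority: ignore this alternative
        max_age = 86400
        for p in params.split(";"):
            key, _, val = p.strip().partition("=")
            if key == "ma" and val.isdigit():
                max_age = int(val)
        out.append(Alternative(proto, host, int(port), max_age))
    return out


def accept_alternative(origin_url: str, alt: Alternative, cert_valid_for: Set[str],
                       chain_trusted: bool, fixed: bool = True) -> bool:
    """
    Decide whether a TLS connection to `alt` may carry requests for `origin_url`.

    cert_valid_for: hostnames covered by the certificate the alternative presented.
    chain_trusted:  whether that certificate chained to a trusted root.
    fixed=False models the bug class of MFSA 2015-44 (an assumption about the
    shape of the bug, not Firefox's code): the alternate is used without
    validating its certificate, whatever scheme the origin had.
    """
    origin = urlsplit(origin_url)
    if origin.scheme == "http":
        # Opportunistic encryption: an unvalidated (even self-signed) certificate
        # is no worse than the plaintext baseline, so the alternative is usable.
        return True
    if origin.scheme != "https":
        return False
    if not fixed:
        return True   # BUG: https:// origin routed to an alternate with no certificate check
    # RFC 7838 section 2.1: the alternative must prove it is authoritative for the
    # origin, i.e. present a trusted certificate valid for the origin's own host.
    return chain_trusted and origin.hostname in cert_valid_for


if __name__ == "__main__":
    alts = parse_alt_svc('h2="alt.example.com:443"; ma=3600, h2=":443"')
    for a in alts:
        print(a)
    # An attacker in the path answers on the alternate with their own certificate.
    mitm_cert = {"attacker.example.net"}
    print("vulnerable:", accept_alternative("https://www.example.com/", alts[0], mitm_cert, True, fixed=False))
    print("fixed:     ", accept_alternative("https://www.example.com/", alts[0], mitm_cert, True, fixed=True))
```

The distinction the policy encodes is the whole point of the advisory: an unvalidated certificate is acceptable as a bridge away from plaintext, but an https:// origin that is redirected by an Alt-Svc header must still see a certificate valid for its own hostname, or the header becomes a downgrade switch any on-path attacker can flip.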

Wednesday, April 08, 2015

Ye Bloody Gods!!! 74 percent of big business yet to fix Heartbleed flaw

According to new research from Venafi, apparently some 74 percent of 'Forbes Global 2000 organizations' (or the big boys of business if you prefer) have yet to properly secure their public facing servers against the Heartbleed OpenSSL threat. That's a year after the thing broke, for goodness sake! Venafi found that at least 580,000 hosts belonging to this elite group of enterprises were still vulnerable because full and proper remediation had not been applied. The servers were patched, yes, but their owners did not bother with the equally important steps of replacing the private keys and revoking the old certificates, which is what actually closes the window opened by a key that may already have leaked. Apparently, looking at the market in general, it would seem that more than half of organizations simply have no idea how many keys or certificates they have, or even where they are being used. If you are in the US you can be happiest, if that's the right word, as your big business boys sit just behind Germany at the top of the remediation tree with a 41 percent total. That's still pretty poor, of course, but way better than Australia on 16 percent.
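As an added example, not part of Venafi's research or of the original post, the Python below implements the check that catches 'patched but never reissued' hosts: it walks the DER structure of an X.509 certificate with a minimal hand-written parser to pull out notBefore, and flags any leaf certificate issued before the 7 April 2014 disclosure. `audit_host` fetches a live certificate with the standard library; the `build_sample_cert` helper fabricates an unsigned certificate skeleton (constructed dates, not a real certificate) so the check can be exercised offline.

```python
import datetime as dt
import ssl
from typing import List, Tuple

# Heartbleed (CVE-2014-0160) was disclosed on 7 April 2014. A leaf certificate issued
# before that date, on a server that ran a vulnerable OpenSSL, may carry a private key
# that was read out of memory, however promptly the library itself was patched.
HEARTBLEED_DISCLOSED = dt.datetime(2014, 4, 7, tzinfo=dt.timezone.utc)


def der_tlv(data: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                      # long form: the next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def der_children(value: bytes) -> List[Tuple[int, bytes]]:
    """Split the value of a constructed DER element into its (tag, value) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos)
        out.append((tag, val))
    return out


def der_time(tag: int, value: bytes) -> dt.datetime:
    """Decode a UTCTime (0x17) or GeneralizedTime (0x18) Zulu timestamp."""
    fmt = {0x17: "%y%m%d%H%M%SZ", 0x18: "%Y%m%d%H%M%SZ"}[tag]
    return dt.datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=dt.timezone.utc)


def cert_validity(der: bytes) -> Tuple[dt.datetime, dt.datetime]:
    """Return (notBefore, notAfter) of a DER-encoded X.509 certificate (RFC 5280 4.1)."""
    _, certificate, _ = der_tlv(der)        # Certificate ::= SEQUENCE { tbsCertificate, sigAlg, sig }
    _, tbs, _ = der_tlv(certificate)        # TBSCertificate ::= SEQUENCE { ... }
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:                # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    not_before, not_after = der_children(fields[3][1])
    return der_time(*not_before), der_time(*not_after)


def needs_reissue(der: bytes, disclosed: dt.datetime = HEARTBLEED_DISCLOSED) -> bool:
    """True when the certificate predates the disclosure, i.e. it was never replaced."""
    not_before, _ = cert_validity(der)
    return not_before < disclosed


def audit_host(host: str, port: int = 443) -> bool:
    """Fetch a live server's leaf certificate and apply the check (needs network access)."""
    pem = ssl.get_server_certificate((host, port))
    return needs_reissue(ssl.PEM_cert_to_DER_cert(pem))


# --- constructed sample for offline use: a minimal, unsigned X.509 skeleton ---

def _der(tag: int, payload: bytes) -> bytes:
    """Encode one DER element (short or long length form)."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def build_sample_cert(not_before: dt.datetime, not_after: dt.datetime) -> bytes:
    """Build just enough Certificate structure for cert_validity(); not a usable cert."""
    utc = lambda d: _der(0x17, d.strftime("%y%m%d%H%M%SZ").encode("ascii"))
    alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")) + _der(0x05, b""))  # sha256WithRSAEncryption
    tbs = _der(0x30, b"".join([
        _der(0xA0, _der(0x02, b"\x02")),                 # version v3
        _der(0x02, b"\x01"),                             # serialNumber
        alg,                                             # signature algorithm
        _der(0x30, b""),                                 # issuer (empty Name; sample only)
        _der(0x30, utc(not_before) + utc(not_after)),    # validity
        _der(0x30, b""),                                 # subject (empty Name; sample only)
        _der(0x30, alg + _der(0x03, b"\x00")),           # subjectPublicKeyInfo placeholder
    ]))
    return _der(0x30, tbs + alg + _der(0x03, b"\x00"))   # no real signature


if __name__ == "__main__":
    stale = build_sample_cert(dt.datetime(2013, 6, 1, tzinfo=dt.timezone.utc),
                              dt.datetime(2016, 6, 1, tzinfo=dt.timezone.utc))
    print("issued", cert_validity(stale)[0].date(), "-> reissue needed:", needs_reissue(stale))
```

One caveat for anyone running this against real estate: a notBefore after the disclosure date proves the certificate was reissued, not that the key was rotated, since a CA will happily sign a new certificate over the same public key. Compare the subjectPublicKeyInfo of the new certificate against the old one as well before marking a host remediated.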

Five questions to ask your cloud security solutions partner

Confidence in security is key to deploying any service that gets hands-on with your data, and that's especially true when the cloud is thrown into the mix. It's a given that you would expect your chosen provider to both be aware of and implement security best practice end to end, across the deployment and ongoing usage lifecycle; but expectation and due diligence are entirely different animals. In order to ensure that you are entering into a relationship with the right cloud solutions partner you need to be asking the right questions about the security of your data. Good security is all about balance in implementation (between usability and functionality, risk and reward) and that includes performing due diligence in your choice of CSP. Here are five questions that you really should be asking of yours...