Michael's blog
This week in Cloud Security Headlines
Court order helps Microsoft tear down Waledac botnet
In this case, Microsoft used a legal takedown order for 277 .com domains. These domains were managing a peculiar form of Application-As-A-Service, or if you prefer, SPAM-As-A-Service. Believe me, I think this is wonderful, but it points out a particular weakness in cloud-based services ...
Bots in the Cloud
With all the recent attention to the Kneber botnet, I am reminded that we must consider how we would detect bot infections in the cloud. Most bot infections are well hidden from local security tools and, like Kneber, reveal themselves only through detection of suspicious network activity. Most cloud providers do not allow tenants to monitor the network. How will cloud tenants detect when their cloud-based systems are compromised?
The Cloud is Attacking You
Collected from US-CERT and other sources:
Microsoft has released out-of-band Security Bulletin MS10-002 (http://www.microsoft.com/technet/security/bulletin/MS10-002.mspx) to resolve seven privately reported vulnerabilities and one publicly disclosed vulnerability. This update includes resolution for a recently reported zero-day vulnerability in Internet Explorer (IE), which is detailed in Microsoft Security Advisory 979352 (http://www.microsoft.com/technet/security/advisory/979352.mspx).
This vulnerability may have been used in the recent attacks on Google and other organizations. This attack is now widely known, and the broader criminal community is now leveraging this exploit.
PCI Configuration Management in the Cloud (Part C)
In my first two posts, here and here, I wrote about PCI-compliant network segmentation or firewalls in the cloud. For the next part, let’s imagine that you are not the only customer in the cloud. In PCI DSS, the cloud falls under their “hosted environment” requirements and each customer is an entity hosted in the cloud. I imagine that a few cloud providers will specialize in offering PCI-compliant hosting. Now, let’s look at PCI Requirement 2 for entities (customers) and providers...
Cloud, PCI, and Virtual Firewalls (Part B)
In Part A, I discussed the functional requirements for a virtual firewall. Now let's take a look at the technologies required to make this work.
Making the cloud PCI-ready one step at a time (Part A)
The new cloud (or, if you prefer, hosted computing services or IaaS) rests on top of virtualization. If we’re going to take the cloud seriously, it will have to be compliant. One of the more stringent compliance frameworks is PCI DSS. Let’s look at requirement one and start building a solution for the cloud.














