This week in Cloud Security Headlines
Court order helps Microsoft tear down Waledac botnet
In this case, Microsoft used a legal takedown order for 277 .com domains. These domains were managing a peculiar form of Application-As-A-Service, or if you prefer, SPAM-As-A-Service. Believe me, I think this is wonderful, but it points out a particular weakness in cloud-based services: they are vulnerable to legal takedown, DNS or domain misconfiguration, hijacking, or “force majeure” (search Google for “Pakistan causes worldwide YouTube outage”).
Mitigation: Get your services from more than one cloud domain, and make sure your cloud provider's service level agreements cover these eventualities. Oh, and avoid providers with one data center located in the hurricane track.
Source: Network World
Phishing campaigns step up with hits on Twitter and Fotolog this week
As demonstrated previously at MySpace, cloud services present an excellent vector for spreading a worm to the cloud user population. The providers are getting better, but the languages and applications constantly change, so we should not expect this threat to go away.
Mitigation: Employ security filtering and inspection tools in the access pipe to your provider. Use whitelisting to allow your provider's services and default-deny everything else coming from the provider. Application services like Twitter and Fotolog will never request that you download files in this manner…
Source: SC Magazine
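The whitelist-plus-default-deny mitigation above can be sketched as a filtering decision function. This is an added example, not code from the original post; the allowed domains, blocked file types, and the `decide` helper are assumptions chosen for illustration.

```python
from urllib.parse import urlsplit

# Assumed allow-list of provider domains (constructed for this example).
ALLOWED_DOMAINS = {"twitter.com", "fotolog.com"}
# Assumed file types a provider's web application has no reason to push to users.
BLOCKED_EXTENSIONS = (".exe", ".scr", ".msi", ".zip", ".bat")
BLOCKED_CONTENT_TYPES = {"application/octet-stream", "application/x-msdownload",
                         "application/zip"}

def host_allowed(host):
    """Exact match or true subdomain only; a plain suffix test would let
    'eviltwitter.com' through, and a prefix test 'twitter.com.evil.example'."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in ALLOWED_DOMAINS)

def decide(url, content_type=""):
    """Return (verdict, reason). Anything not explicitly allowed is denied."""
    parts = urlsplit(url)
    # urlsplit().hostname drops userinfo, so 'twitter.com@evil.example'
    # is judged on 'evil.example', the host actually contacted.
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return ("deny", "unsupported scheme or missing host")
    if not host_allowed(parts.hostname):
        return ("deny", "host not on allow-list")
    if parts.path.lower().endswith(BLOCKED_EXTENSIONS):
        return ("deny", "file download from provider")
    if content_type.split(";")[0].strip().lower() in BLOCKED_CONTENT_TYPES:
        return ("deny", "binary content type from provider")
    return ("allow", "allow-listed provider service")

if __name__ == "__main__":
    # Constructed sample requests: (URL, response Content-Type).
    samples = [
        ("https://twitter.com/home", "text/html"),
        ("https://twitter.com.evil.example/login", "text/html"),
        ("https://twitter.com@evil.example/login", "text/html"),
        ("https://www.fotolog.com/photos/update.exe", ""),
        ("https://twitter.com/media", "application/octet-stream"),
    ]
    for url, ctype in samples:
        print(decide(url, ctype), url)
```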
Baidu: Registrar ‘incredibly’ changed our e-mail for hacker.
I’m still chuckling about this one. I still have a soft spot for social engineering attacks – they are always so much fun to execute. Handing domain admin over to a hacker in a text chat may seem unlikely – but it happened. In previous cases, cloud administration has been compromised by weak passwords, phishing, and vulnerable hoster software.
Mitigation: Two-factor authentication, done. Just try to social engineer my key card or left thumb (insert obvious movie sub-plot here). Weak passwords are a fact of life, like death and taxes. The only solution is adding a second factor, and this should be a law for privileged users. The Baidu hack would have been easily detected if technical support had requested a secret word or PIN code for verification of ID.
Source: Computer World
Michael
www.catbird.com