65 replies to this topic

[AplusWebMaster]

FYI...

Top 5 Cloud Computing Predictions For 2011
- http://www.informati...cleID=228801016
Jan. 8, 2011 - "In the coming year, the cloud will reach milestones that critics said it never would: it will be certifiably secure for credit card transactions; able to host multiple virtual machine types in the same infrastructure; and easier to manage..."

[AplusWebMaster]

FYI...

Has Big Brother gone Global?
- http://isc.sans.edu/...l?storyid=10261
Last Updated: 2011-01-12 13:45:46 UTC - "... the Tunsinian Government may be harvesting or hacking information from Gmail accounts and or Facebook accounts. This goes to show the moment it is in the “cloud” it is no longer private. If you want something private, encrypt it. Most of us at the ISC follow the “front page” rule. If you write it, treat it like the information is on the front page of your national newspaper.
http://www.fastcompa...gmail-anonymous
Going back to last year, the US National Security Agency considers their network untrustworthy.
http://www.net-secur...ld.php?id=10333 ..."

- http://dilbert.com/s...mic/2011-01-07/

Edited by AplusWebMaster, 16 January 2011 - 03:38 AM.

[AplusWebMaster]

FYI...

Dilbert, Dogbert, and "Cloud Computing"...
- http://dilbert.com/s...1-01-07/?Page=2
"... You say "Cloud Computing" to an executive and their eyes glaze and they sign whatever PO you put in front of them. They have no idea what it is, but they have been told that they want it..."

[AplusWebMaster]

FYI...

Trojan built to disable cloud AV...
- http://www.itnews.co...-antivirus.aspx
Jan 20, 2011 - "Microsoft has discovered a Trojan that aims to sever the connection between a device and the cloud antivirus (AV) service that is meant to protect it. The Bohu Trojan, which targets Windows machines, contains three main functions: evade detection, install a filter that blocks traffic between the device and service provider, and prevent the local installation from uploading data to the server. The attack appears to aim to knock out the additional layer of security that many antivirus companies have added to bolster defences and reduce the processing burden of ever-expanding signature databases. "Cloud-based virus detection generally works by client sending important threat data to the server for backend analysis, and subsequently acquiring further detection and removal instruction," Jingli Li and Zhitao Zhou of Microsoft Malware Protection Center wrote on the company's blog..."
* http://blogs.technet...-the-cloud.aspx

- http://www.theregist...busting_trojan/
20 January 2011

Edited by AplusWebMaster, 21 January 2011 - 06:23 AM.

[AplusWebMaster]

FYI...

Google wipes out Gmail settings and msgs...
- http://www.theinquir...counts-messages
Feb 28 2011 - "COMPLAINTS ARE FLOODING IN to Google after some Gmail users woke up to find that their inboxes had been wiped clean of messages. A number of Gmail forum posters report that their messages, labels and settings have all been set back to default. The consensus is that it is a problem on Google's end, with many people deeply concerned because many of them use Gmail as their main email account... Google confirmed that there is a problem on the Google Apps dashboard. Engineers are busy working on the issue, with the affected accounts disabled... Already a major glitch for Google's cloud technology, this will be a horrendous public relations disaster if there is no backup system in place. The company is trying to sort this out quickly."

[Doug]

this will be a horrendous public relations disaster if there is no backup system in place.

Privacy
Security
Ease of Access
Expense
Exploits
Infection

I haven't changed my own mind or usage habits.
Which is to say that I am not going to online or cloud storage nor services any time soon for my own computer needs.

Which is also not to say, that I have any control over what my bank, credit, online client services, and commercial entities will do with my identity, correspondence with them, or account management with them..... They've already gone to the clouds.

I'm not optimistic.

[AplusWebMaster]

FYI...

Google: "software update" triggered loss...
- http://www.theinquir...ered-gmail-loss
Mar 01 2011 - "... Google has confirmed that a storage software update was responsible for causing some Gmail users to lose access to their e-mail. Some Gmail users complained of losing e-mails, contacts, and folders. Google claimed that 0.29 per cent of the user base was affected by the problem but has since revised that figure to less than 0.02 per cent, or about 40,000 of the service's 200 million accounts. Ben Treynor, Google VP of engineering and site reliability czar, said sorry for the mess and said he expects to have the lost data restored soon. He said that the data was not completely lost and Google had restored most of it already... Users might be wondering how safe all this cloud computing lark really is if, as Google promises, all the data was backed up in different locations with the keys owned by people who have never met each other. Treynor said this is because in some rare instances software bugs can affect several copies of the data..."

[AplusWebMaster]

FYI...

Some Customer Data Permanently Destroyed in Amazon Cloud Crash
- https://www.sans.org...issue=34#sID200
April 29, 2011 - "... You can put your data in the cloud - it's getting it back that's the hard part..."

... Lessons to other cloud-based businesses.
- http://www.informati...endly=this-page
April 28, 2011 - "... A note posted to the Amazon Services Health Dashboard April 24 said the three-day service outage will be fully explained in "a detailed post mortem." On April 27, AWS CTO Werner Vogels posted to his blog a 2010 letter that Amazon CEO Jeff Bezos wrote to shareholders, extolling AWS' technology innovation and commitment to customers..."
___

Amazon Web Services » Service Health Dashboard
Current Status: http://status.aws.amazon.com/
(Scroll down for 'Status History')
___

- https://www.computer...iguration_error
April 29, 2011 - "... Amazon posted updates, short and bulletin-like, throughout the outage, but what it offered in its postmortem* is entirely different. This nearly 5,700-word document includes a detailed look at what happened, an apology, a credit to affected customers, as well a commitment to improve its customer communications. Amazon didn't say explicitly whether it was human error that touched off the event, but hints at that possibility when it wrote that "we will audit our change process and increase the automation to prevent this mistake from happening in the future." The initial mistake, followed by the subsequent increase in network load, exposed a cascading series of issues, including a "re-mirroring storm" with systems continuously searching for a storage space..."
* http://aws.amazon.com/message/65648/

Edited by AplusWebMaster, 30 April 2011 - 10:27 PM.

[AplusWebMaster]

FYI...

VMware - Cloud Foundry service outages
- http://tech.slashdot...ring-From-First
May 02,2011 - "VMware's new Cloud Foundry service was online for just two weeks when it suffered its first outage, caused by a power failure. Things got really interesting the next day, when a VMware employee accidentally caused a second, more serious outage while a VMware team was writing up a plan of action to recover from future power loss incidents. An inadvertent press of a key on a keyboard led to 'a full outage of the network infrastructure [that] took out all load balancers, routers, and firewalls... and resulted in a complete external loss of connectivity to Cloud Foundry.' Clearly, human error is still a major factor in cloud networks."
- http://support.cloud...6-2011-downtime

- http://www.informati...endly=this-page
May 02, 2011 - "... 69% of cloud providers think that cloud users are most responsible for security, and only 16% think it's a shared responsibility. But according to a Ponemon study conducted last year, 33% of users see cloud security as a shared responsibility, and 32% think that the provider alone is most responsible. Only 35% of cloud users, meanwhile, think that users should be most responsible for cloud security... Legally speaking, however, cloud providers really aren't responsible for data security, as long as they make some effort, according to their end user license agreements (EULAs)..."

Edited by AplusWebMaster, 03 May 2011 - 06:12 AM.

[AplusWebMaster]

FYI...

Cloud over cloud computing...
- http://blogs.wsj.com...loud-computing/
May 9, 2011 - "It isn’t just Sony that has suffered from the hacker breach of their network, the whole cloud computing movement has taken a bit of a knock, or perhaps has had a wake-up call.
We reported the findings of a survey by the Ponemom Institute which, surprisingly, found that cloud service providers do not see security as their main concern. Perhaps Sony’s experience will make them think again. International news agency Reuters reckons it might*... One of the issues with cloud is liability. If there is a breach and data is lost, whose liability is it? At the moment the industry is trying to establish guidelines and working practices; but until that issue is resolved — if it ever is — expect pubic cloud adoption to be slow and cautious."
* http://www.reuters.c...E7455C020110506
"Shares of companies that specialize in cloud computing have been some of top-performing stocks over the past year. But the attack on Sony, as well as a massive outage at Amazon.com Inc’s cloud computing center, have caused some businesses to put the brakes on plans to move their operations into the cloud. “Nobody is secure. Sony is just the tip of this thing,” said Eric Johnson, a professor at Dartmouth University who advises large corporations on computer technology strategies. Since news of the Sony breach broke on April 26, shares of companies involved in cloud computing have underperformed the broader market. Salesforce.com Inc, a maker of web-delivered software, has dropped 3 percent. VMware Inc, which sells software for building clouds, has declined 2 percent. The Standard & Poor’s 500 Index has climbed 3.3 percent... the first round of contracts for early adopters are coming to an end after three-year deals and companies are seeking better performance and terms for disasters."

[AplusWebMaster]

FYI...

Microsoft BPOS cloud outage...
- http://www.theregist...t_bpos_apology/
13 May 2011 - "... Customers on BPOS in the US and worldwide were kicked off their hosted Exchange email systems, being unable to read, write, or access their messages. All users were affected – from down in the cubicle farm all the way up to the CEO's corner office. The outages started Tuesday and came after weeks of the service slowly degrading. The cause of the problem, Thomson said*, was "malformed email traffic" in BPOS's Exchange Servers... "obscure cases" and "related issues"..."
* http://blogs.technet...ail-issues.aspx

[AplusWebMaster]

FYI...

Amazon cloud used by hacks...
- http://www.bloomberg...com-server.html
2011-05-13 - "Amazon’s Web Services cloud-computing unit was used by hackers in last month’s attack against Sony's online entertainment systems, according to a person with knowledge of the matter. Hackers using an alias signed up to rent a server through Amazon’s EC2 service and launched the attack from there, said the person, who requested anonymity because the information is confidential. The account has been shut down, the person said. The development sheds light on how hackers used the so- called cloud to carry out the second-biggest online theft of personal information to date... The hackers didn’t break into the Amazon servers, the person said. Rather, they signed up for the service just as a legitimate company would, using fake information... The Federal Bureau of Investigation will likely subpoena Amazon as part of its investigation process..."

[AplusWebMaster]

FYI...

Eucalyptus cloud - critical vuln...
- http://www.h-online....ds-1252593.html
30 May 2011 - "... critical vulnerability in Eucalyptus, an open source implementation of the Amazon EC2 cloud APIs. An attacker can, with access to the network traffic, intercept Eucalyptus SOAP commands and either modify them or issue their own arbitrary commands. To achieve this, the attacker needs only to copy the signature from one of the XML packets sent by Eucalyptus to the user. As Eucalyptus did not properly validate SOAP requests, the attacker could use the copy in their own commands sent to the SOAP interface and have them executed as the authenticated user. All versions up to and including 2.0.2 are vulnerable; a fixed version, 2.0.3*, is available to download. Ubuntu's Eucalyptus-based Ubuntu Enterprise Cloud (UEC) is also vulnerable; updates for Ubuntu 10.04 LTS, 10.10 and 11.04 are already available in Canonical's repositories. Eucalyptus does note** that the changes made to close the holes may lead to some existing tools failing to work as the system will interpret them as a replay attack if they issue commands too rapidly."
* http://open.eucalyptus.com/downloads

** http://open.eucalypt...-eucalyptus-203

[AplusWebMaster]

FYI...

Attackers use Amazon Cloud to host malware
- http://threatpost.co...-malware-060611
June 6, 2011 - "Attackers are beginning to host their malicious domains and drive-by download sites, and most recently researchers have discovered a number of domains on Amazon's cloud platform that are being used to install malware as part of a spam and phishing campaign designed to steal banking credentials and other sensitive data... attack sites are installing a variety of malicious files on victims' machines, including a component that acts as a rootkit and attempts to disable installed anti-malware applications. Other components that are downloaded during the attack include one that tries to steal login information from a list of nine banks in Brazil and two other international banks, another that steals digital certificates from eTokens stored on the machine and one that collects unique data about the PC itself, which is used by some banks as part of an authentication routine. Researchers say that the attacks likely originated in Brazil and are targeting users in Brazil, specifically. The domains that are being used in this attack have now been removed by Amazon, according to Kaspersky Lab researcher Dmitry Bestuzhev, who discovered the malicious domains*... The advent of commodity cloud computing platforms gives attackers one more venue in which to host their attack domains, but the attacks themselves are quite similar to what users have been seeing for years."
* http://www.securelis..._Services_Cloud
___

- http://www.informati...kPrintable=true
June 6, 2011

- https://www.computer...age_Gets_the_Ax
June 6, 2011

Edited by AplusWebMaster, 08 June 2011 - 02:45 PM.

[AplusWebMaster]

FYI...

Amazon cloud users reveal confidential data...
- http://www.h-online....ta-1263704.html
20 June 2011 - "Sharing Amazon Machine Images (AMIs) to run on Amazon's Web Services (AWS) can open the door to attackers when users do not follow appropriate safety advice. The AMIs may contain private cryptographic keys, certificates and passwords, as researchers at the Darmstadt Research Center's CASED (Center for Advanced Security Research Darmstadt) found. In a report** [German language], they say that they examined 1100 public AMIs for cloud services and found that 30 per cent were vulnerable to manipulation that could allow attackers to partially or completely take over virtual web service infrastructure or other resources... Amazon Web Services have also been informed which customers are affected."
* http://aws.amazon.com/amis
** http://www.sit.fraun...oud-nutzung.jsp

- http://www.h-online....rm-1255576.html
20 June 2011 - "... As many people use the same password in multiple places, criminals can use the passwords to obtain unauthorised access to further services... Cloud, CUDA and multi-core computer technologies are both a blessing and a curse: they can greatly accelerate the processing of data and make even complex simulations available to end users. Unfortunately, crackers use the same high-speed computing power to reconstruct plain-text data from an encrypted password, and then they use the password to log into a system as administrators. In this context, password crackers can take advantage of the fact that the harvested hashes were probably created using the MD5 algorithm, which is optimised for fast processing..."