
Cloud computing - episodes...



#31 AplusWebMaster

  • Authentic Member
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 23 June 2011 - 03:29 PM

FYI...

'We can hand over Office 365 data without your permission'...
- http://www.zdnet.com...ermission/11041
June 23, 2011 - "... Hidden within a whitepaper*, detailing the security features in the upcoming Office 365 suite, it reveals links to the Trust Center; a treasure trove of data protection policies and legalities of how Microsoft will handle your data in its cloud datacenters. Next week, Microsoft will announce the launch of Office 365 in both New York and London... In light of the Patriot Act furore, customers of cloud services are naturally becoming more aware of the limitations to cloud security and privacy; with legalities and powerful acts of law taking precedent. In short, Microsoft states:
“In a limited number of circumstances, Microsoft may need to disclose data without your prior consent, including as needed to satisfy legal requirements, or to protect the rights or property of Microsoft or others (including the enforcement of agreements or policies governing the use of the service).”
This covers all users and data of Microsoft Online Services, including the current offering of BPOS (Business Productivity Online Suite), currently in migration to Office 365. Current Live@edu users are also affected by this — mostly schools and colleges — which are also upgrading to Office 365... a personal and heartfelt congratulations to Microsoft — in full sincerity — for being as open, honest and transparent in their documentation..."
(More detail at the URL above.)
* http://www.microsoft...s.aspx?id=26552
Security in Office 365 Whitepaper.docx 5.0 MB

Data Use Limits
- http://www.microsoft...al/v2/?docid=23
"... FAQ: ... Question: Can Microsoft Online Services use or disclose my data without my permission? In a limited number of circumstances, Microsoft may need to disclose data without your prior consent..."

:blink:

Edited by AplusWebMaster, 23 June 2011 - 07:57 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.



#32 AplusWebMaster


Posted 01 July 2011 - 06:52 AM

FYI...

When consumers go to the Cloud...
- http://www.darkreadi...le/id/231000837
June 30, 2011 - "For four hours last week, a flawed authentication update allowed anyone the ability to access the data of any user of the cloud storage service Dropbox. The error could have caused a massive privacy breach. As it turned out, the company was notified and fixed the error before widespread knowledge allowed the vulnerability to be exploited by malicious actors. "According to our records, there were fewer than a hundred affected users, and neither account settings nor files were modified in any of these accounts," the company wrote in a blog post last Friday*... Dropbox encrypts data on the servers, but not to individual accounts, notes Sorin Mustaca, a product manager with security firm Avira. Anyone with admin access to the server can read all of its data. In addition, data on the servers of external services have lesser legal protections, Mustaca says. "I always advise our users to be very, very careful what they put online because if they put anything online, then the data does not belong to them anymore - it belongs to the cloud," Mustaca says. "This is the most important lesson that needs to be learned by anybody. If you put it online, you lose control of the data"... Dropbox is not the only consumer cloud service that has been the focus of security concerns. Evernote, Apple's MobileMe, iCloud, and cloud offerings from Google and Amazon all have generated security concerns in recent months. Barring employees from using cloud services usually does not work, Chaudhry says. Companies attempted to bar the use of social networks, but employees found ways of using the services anyway..."
* http://blog.dropbox.com/?p=821

:ph34r: :ph34r:



#33 AplusWebMaster


Posted 27 July 2011 - 08:55 AM

FYI...

Lawyers in the Cloud ...
- http://blogs.csoonli..._and_their_data
2011-07-27 - "Even state bar associations, the entities that regulate lawyers, are struggling with the cloud. Specifically, the “big” question is “if a lawyer stores attorney-client privileged information in the cloud, will that result in a waiver of that privilege.” Remarkably, only a very few bar associations have directly addressed this issue. Arizona, New Jersey, and New York bar associations have all issued guidances for lawyers regarding cloud storage of sensitive attorney-client information. In general, they find the practice is permissible if reasonable care is used to vet and monitor the cloud provider’s security measures. For example, the New York bar stated, “[A] lawyer may use an online ‘cloud’ computer data backup system to store client files provided that the lawyer takes reasonable care to ensure that the system is secure and that client confidentiality will be maintained.” New York State Ethics Op. 842. The question, of course, is “what constitutes reasonable care?” For example, if a cloud provider has a good record of security and has a great SAS 70 Type II audit report, but specifically disclaims any liability for security breaches and offers only minimal confidentiality protection, is this good enough to satisfy the “reasonable care” requirement? No one knows. What is clear is that, just like all other businesses, lawyers must be cautious in this area and thoroughly vet their cloud providers."

:blink: :ph34r: :huh:

Edited by AplusWebMaster, 27 July 2011 - 09:01 AM.



#34 AplusWebMaster


Posted 30 July 2011 - 09:17 AM

FYI...

SpyEye in the Amazon cloud ...
- http://www.securelis..._through_SpyEye
July 28, 2011 - "... According to our research, cybercriminals have been running SpyEye activities and from Amazon for the past couple of weeks... One hurdle for these cybercriminals to abusing Amazon S3 is the creation of an Amazon Web Services (AWS) account. These accounts require a legitimate identity and method of payment, so it is evident that criminals are using stolen data to overcome this challenge. Data shows that Amazon cloud services were abused heavily this month to spread malware. The following graph shows the domains used for this campaign from the second half of July 2011...
> http://www.securelis...g/208193067.png
... there are isolated cases, but the tendency to exploit services like cloud storage is in full expansion. This trend clearly represents a critical point for online storage services and requires special treatment. We have reported these domains to the appropriate security teams..."
___

>> http://google.com/sa...c?site=AS:16509
___

- http://blog.trendmic...o-host-malware/
Aug 1, 2011 - "... collected approximately 22Mb of malware for analysis & detection that was hosted on AWS... advice is to avoid clicking on any suspicious link either in an unsolicited e-mail, or an apparently benign link embedded in a webpage hosted on AWS (e.g. zx1uporn.s3.amazon .com, et al.) until this problem is resolved. We have recently seen about 30-50 various subdomains and specific URLs created on AWS which appear to harbor malicious content. We have reported this to Amazon Security..."
___

SpyEye Tracker
- https://spyeyetracker.abuse.ch/
"... quick statistics about the SpyEye Trojan:
SpyEye C&C servers tracked: 381
SpyEye C&C servers online: 184
SpyEye C&C server with files online: 38
• Average SpyEye binary Antivirus detection: 26.14% ..."

ZeuS Tracker
- https://zeustracker.abuse.ch/
"... quick statistics about the ZeuS crimeware:
ZeuS C&C servers tracked: 659
ZeuS C&C servers online: 223
ZeuS C&C servers with files online: 53
ZeuS FakeURLs tracked: 19
ZeuS FakeURLs online: 6
• Average ZeuS binary Antivirus detection rate: 38.67% ..."

(... as of 2011.08.04)

:ph34r: <_< :ph34r:

Edited by AplusWebMaster, 04 August 2011 - 05:12 AM.



#35 AplusWebMaster


Posted 18 August 2011 - 11:46 AM

FYI...

MS CRM Online, Office365 outage ...
- http://www.zdnet.com...359?tag=nl.e539
August 17, 2011 - "Microsoft CRM Online and Office 365 users were hit with outages to their cloud services on August 17. Microsoft has yet to respond as to what’s going on. A number of customers using the Microsoft-hosted Dynamics CRM Online and its Office 365 cloud service were reporting performance problems on August 17... On the CRM Online front, “performance is slow for most users, to the point that some can’t use CRM at all,” one Microsoft CRM user said. His company is based in the U.S., he said, but international users of the system were affected, as well..."

- http://rcpmag.com/ar...ne-outages.aspx
August 17, 2011 - "... UPDATE: Microsoft said as of late Wednesday afternoon, all systems are back up. The company is still investigating the root cause of the network failure."

- http://www.neowin.ne...ncing-an-outage
17 August 2011

:( :ph34r:

Edited by AplusWebMaster, 19 August 2011 - 11:06 AM.



#36 AplusWebMaster


Posted 09 September 2011 - 06:52 AM

FYI...

Hotmail, Skydrive and Office365 knocked offline...
- http://www.theinquir...knocked-offline
Sep 09 2011

- http://windowsteambl...s.aspx#comments
Sep. 08, 2011 - UPDATE 9:45 PM PT, UPDATE 11:02 PM PT, UPDATE 11:49 PM PT...

:ph34r: :(



#37 AplusWebMaster


Posted 14 September 2011 - 05:39 AM

FYI...

AWS C&C malware...
- https://blogs.techne...amm-rubble.aspx
13 Sep 2011 - "The family selected for addition to MSRT this month is Win32/Bamital*. Win32/Bamital was first discovered in September 2009 and was able to intercept and modify queries performed by search engines such as AltaVista, Bing, Google and Yahoo... authors of Win32/Bamital are employing the use of Amazon Web Services as part of their command and control infrastructure. We notified Amazon of the abuse and received confirmation that it is being investigated."
* http://www.microsoft...e=Win32/Bamital
___

- http://www.infosecur...puting/406.aspx
14/09/2011

:ph34r: <_< :ph34r:

Edited by AplusWebMaster, 03 October 2011 - 07:05 AM.



#38 AplusWebMaster


Posted 20 October 2011 - 10:56 AM

FYI...

Bulletproof cybercrime hosting & the Cloud
- http://hostexploit.c...-the-cloud.html
20 October 2011 - "... In Q3 2011, there were several changes in the top positions in the Top Bad Hosts table:
• The title of #1 Bad Host (Overall Category) now goes to AS33626 Oversee.net*, a monetizer of domain names, for high levels of hosting malicious URLs, badware, Zeus botnet servers and infected sites.
• The US share of the Top 50 has dropped from 23 in Q2 to 16 in Q3 although 5 of the Top 10 are still hosting from the United States including the #1 spot.
• #1 in the most important category, Exploit Servers, in the analysis of malware, phishing or badness as a whole, is AS47583 Hosting-Media**, hosted in Lithuania....

Discussed in this quarter report, also, is the rise of GHOSTing, or 'Bulletproof Cybercrime Hosting and the Cloud', which is increasingly being used as a way of serving malicious material and yet remaining under the radar. It gives, by all intents and purposes, the impression of clean and responsible hosting as no obvious sign of criminal activity is detected on the providers’ servers. This is achieved through the legitimate offering of VPN or VPS services to those clients who wish to host illicit or objectionable badness e.g. malware, botnet C&Cs, phishing, spam operations or even images of child sexual abuses. In this way hosts can feign ignorance or turn a blind eye to their customers’ real intentions. Further information on this practice can be found in the Q3 report..."
> http://hostexploit.c...nload/7/32.html

* http://www.google.co...c?site=AS:33626
"... over the past 90 days, 3 site(s)... served content that resulted in malicious software being downloaded and installed without user consent... the last time suspicious content was found was on 2011-10-20... we found 3 site(s) on this network... that appeared to function as intermediaries for the infection of 4 other site(s)... We found 443 site(s)... that infected 8141 other site(s)..."
** http://www.google.co...c?site=AS:47583
"... over the past 90 days, 973 site(s)... served content that resulted in malicious software being downloaded and installed without user consent... the last time suspicious content was found was on 2011-10-20... we found 99 site(s) on this network... that appeared to function as intermediaries for the infection of 467 other site(s)... We found 99 site(s)... that infected 685 other site(s)..."

:ph34r: <_< :ph34r:



#39 AplusWebMaster


Posted 10 November 2011 - 07:29 AM

FYI...

Amazon cloud 'pre-configured images' risk...
- http://h-online.com/-1376578
10 November 2011 - "Amazon cloud customers have access to more than 8,000 pre-configured Amazon Machine Images (AMIs) worldwide... many of these AMIs contain a variety of security holes... more than half of the images that are available worldwide and identified the same vulnerabilities, as well as additional problems. The Windows AMIs, which represented a small proportion of the 5,300 images that were examined, were particularly badly affected. Security issues were found in 246 out of 253 Windows appliances. A bug that allows arbitrary code to be executed when a certain web site is accessed in Internet Explorer was especially common... researchers found authentication data in about one-fifth of the examined AMIs and were able to reconstruct deleted files in 98 per cent of images. Amazon has informed its customers of these problems and has released guidelines* on how to avoid AMI security issues. A tutorial** is provided to help developers create secure AMIs."
* http://docs.amazonwe...haringamis.html

** http://aws.amazon.co...155828273219400

:blink:



#40 AplusWebMaster


Posted 15 November 2011 - 03:59 PM

FYI...

Legal Issues in the Cloud
- http://www.wwpi.com/...;Itemid=2701734
14 November 2011 - "... Because cloud providers store large volumes of data from various parties, they present an attractive target for hackers. Google, Amazon and Salesforce.com have all reported major data breaches, and a survey this summer found that nearly half of IT executives reported a security lapse or security issue with their cloud services provider within the last 12 months. A cloud customer could be liable for security breaches by the cloud provider it uses...
- Sarbanes-Oxley Act of 2002 (SOX) applies to publicly traded companies and contains requirements related to, among other things, email retention, data security and integrity, as well as oversight requirements which encompass cloud providers.
- Health Insurance Portability and Accountability Act of 1996 (HIPAA) and Health Information Technology for Economic and Clinical Health (HITECH) Act regulate the use and protection of health information. Companies in the healthcare field may need to have their cloud service providers sign a Business Associate agreement. HIPAA also requires that individuals have access to their health information, so cloud vendors may need to adjust their policies and procedures to allow for such access.
- Gramm-Leach-Bliley Act (GLB) governs the collection, disclosure and protection by financial institutions of consumers’ nonpublic personal information.
- Payment Card Industry Data Security Standard (PCI DSS) is a set of industry standards providing requirements for security and storage of credit card information; in June, it was clarified that the PCI DSS apply to cloud providers.
- State laws. Almost all states have laws covering notification in the case of a data breach. Also, some states, such as Massachusetts and Nevada, have enacted laws providing requirements for data security..."

:blink:



#41 AplusWebMaster


Posted 19 November 2011 - 08:05 AM

FYI...

Cloud network abused by trojan...
- http://www.securelis..._from_the_cloud
November 17, 2011 - "... we discovered a malicious program called Trojan-Downloader.Win32.MQL5Miner.a which also uses the resources of infected computers, but this time to make money in MQL5 Cloud Network, a distributed computing network... MetaQuotes is a developer of software for financial markets. Several weeks ago, information appeared on the net that the company was offering to pay users to participate in distributed computing. Apparently, this is what attracted malicious users to the new cloud service... There are grounds to believe that the malicious program spreads via email. Having infected a computer, the malicious program first determines if the operating system is 32-bit or 64-bit. It then downloads the appropriate version of the official software from MetaQuotes SoftWare. MQL5Miner then launches the service to participate in the cloud computing network. But the cybercriminals specify their own account data and receive the payments for any distributed computing operations that are performed on an infected machine... When it comes to making money, cybercriminals don’t miss a trick. That includes exploiting the resources of infected computers without their owners’ knowledge or consent. We have notified MetaQuotes about the account being used by cybercriminals."

:ph34r: <_<



#42 AplusWebMaster


Posted 15 December 2011 - 06:24 AM

FYI...

Cybercriminal attack strategy shifting to corporate networks
- http://www.crn.com/2...ablearticle.htm
Dec. 13, 2011 - "... Cisco... made predictions* on the weapons cyber-criminals are most likely to use in 2012, based on the return on investment from cyber-crimes. The weaponry expected to reap the most money included data theft Trojans, spyware, click fraud and web exploits. Targets expected to get lots of attention from criminals based on the potential ROI include mobile devices and cloud infrastructure. Cloud service providers have been growing so fast that they have not had the time or inclination to make security a top priority... three in five of the respondents working for companies believed their employers, not themselves, were responsible for protecting information and devices. In addition, more than half allowed others to use their computers without supervision, including family, friends, coworkers and strangers."
* http://www.cisco.com...report_2011.pdf
13 Dec 2011 - 5.3MB PDF file

:ph34r: :ph34r:



#43 AplusWebMaster


Posted 22 December 2011 - 08:03 AM

FYI...

Migration plans to Cloud apps dropped...
- https://www.computer...ud_apps_dropped
December 22, 2011 - "After more than two years of trying, the City of Los Angeles has abandoned plans to migrate its police department to Google's hosted email and office application platform saying the service cannot meet certain FBI security requirements. As a result, close to 13,000 law-enforcement employees will remain indefinitely on the LAPD's existing Novell GroupWise applications, while other city departments will use the Google Apps for Government cloud platform. Council members last week amended a November 2009 contract the city has with systems integrator Computer Science Corp. (CSC) under which CSC was supposed to have replaced LA's GroupWise e-mail system with Google's email and collaboration system. Under the amended contract, the LAPD will no longer move its email applications to Google... Google maintains that the LAPD's security requirements were never part of the original contract..."

:blink: <_<



#44 AplusWebMaster


Posted 23 December 2011 - 06:24 AM

FYI...

Cloud patch management issues...
- http://www.theregist...tch_management/
22 December 2011 - "... Cloud-based application vendors update their software regularly without customer input. As an enterprise user, you may be able to stay on an earlier revision for a while by negotiating with the vendor... Other challenges include the consumerisation of IT, which encourages employees and contractors to bring in devices such as tablets and smartphones. Making sure these are adequately patched creates a whole new set of problems, landing us in the sticky area of network access control, network quarantine and policy servers to manage... every so often, a patch appears that takes down a piece of software. For example, Microsoft's recent gaffe, in which it accidentally decided that Google Chrome was a piece of malware*, caused problems for many users."
* http://www.theregist..._google_chrome/

:ph34r: :ph34r:



#45 AplusWebMaster


Posted 04 January 2012 - 09:28 AM

FYI...

New Cloud - New Security - New Year ...
- https://www.computer..._About_Security
Jan. 3, 2012 - "... If I am going to keep gigabytes upon gigabytes of sensitive data stored online, I need some assurances that it is safe. The data needs to be secured, preferably encrypted, so that it is protected even in the event that the storage that contains it is compromised. But, even encrypting data can be tricky when it comes to third party cloud storage providers... They may share my data if compelled by law enforcement, or employees might access and view the files themselves. It is strictly forbidden as a matter of policy, but anyone who would surreptitiously view my data probably also lacks the moral compass to care about the policy... customers can still encrypt their data through other means with their own keys if they prefer. That really seems to be the only viable solution. If I encrypt the data myself, I know that I hold the keys and theoretically only those people I authorize will be able to access my files. But that complicates things, and adds some administrative and processing overhead. For businesses considering a move to the cloud, there are also compliance mandates to consider. Putting data online comes with some risks, and businesses need to take extra precautions to make sure that data is not exposed or compromised..."

:mellow:
