I completed an Internet Forensics training course this past week where the instructor made that statement. Of the twenty students in the class, only the instructor raised his hand. To which he declared ” Anyone who didn’t raise their hand is a liar!!” He was probably right.

I often fault security professionals and educators who speak in absolutes when trying to increase security awareness. Human nature isn’t absolutist. Any security doctrine that doesn’t account for reasonable human behavior is doomed to failure. Never do this! Never do that! Never use the same password with more than one account! And be sure to change them periodically. Naturally they must be complex passwords including upper and lower case letters, numbers and special characters. Really?

It’s not unusual today for an average Internet user to have 10 or more online accounts. That would mean 10 complex, constantly changing passwords. That would also mean the user will write them all down in a place that is readily available. Oh, I forget the never write passwords down mantra. Sigh.

I’ve taught course where as I went through my list of  “never do’s”, I would watch students’ eyes move from the gleam of interest to dull hopelessness. ” I could never do all THAT!”, someone would say.  Another would chime in, :” That’s why I don’t do online banking!”

Is have the same password for your Facebook and Twitter accounts the harbinger of doom??  Probably not. Myspace and your online bank account? That’s an absolute NO NO.

How do we increase security awareness in average computer users thereby strengthening the “weakest link” in our security posture? We certainly can’t continue to do it by burying them in an avalanche of rules.

As more vendors dive into the cloud computing market, every possible claim regarding the supposed benefits of moving to a cloud-based service is being made.  I ran across an article titled ” Why Cloud-based Monitoring is more reliable and secure than Nagios. ” The auth0r, who represented a cloud-based network monitoring company, contended that the Software-as-a-Service (SaaS) model offered by his company was better for companies than Nagios and other open source products.

The question is not  Cloud Computing vs. Open Source.  In fact, there are open source SaaS providers like MindTouch out there.  If considering a product like Nagios, a better comparison would be open source vs. commercial.  In many cases, cost is the determining factor for companies to look  to open source technologies. Other considerations include flexibility and security.

The more relevant  comparison would be hosting and managing a network monitoring system on site vs. moving to a SaaS provider. For many organizations,  IT is considered overhead and not the primary function of the organization. Companies move to the cloud for most of the same reasons companies out-source.  Can someone else do it better for less?  Cost is ually the easier consideration. Companies have to grapple with the ‘better’. Does it mean more security, availability, capacity? Many cloud providers would say ‘yes’ to all and then some.  Organizations have to really consider and make that determination themselves. Make a real comparision between their options and not just follow the typical vendor hype.

Metasploit provides useful information and tools for penetration testers, security researchers, and IDS signature developers. This project was created to provide information on exploit techniques and to create a functional knowledgebase for exploit developers and security professionals.

Update Summary

• Metasploit now has 551 exploit modules and 261 auxiliary modules (from 445 and 216 respectively in v3.3)
• Metasploit is still about twice the size of the nearest Ruby application according to Ohloh.net (400K lines of Ruby)
• Over 100 tickets were closed since the last point release and over 200 since v3.3

The full release notes can be found  here.

If you are in cloud computing security (or part of an organization with infrastructure in a public cloud), this paper is a must read. As more organizations seek to realizes the benefits of the cloud, it’s important that we continue to investigate the risks as well. Granted this research only applies to virtual machines on a shared host. Cloud Computing service provider usually provide “private” cloud offerings with only one client’s virtual machines  per physical server.

Does the remote chance of your virtual server being attacked by another virtual server on the same host server justify the added cost of a private cloud deployment? That’s for each client to decide. Ensure you are doing your due diligence before making a decision one way or the other.

Abstract:

Amazon’s EC2, allow users to instantiate virtual machines (VMs) on demand and thus purchase precisely the capacity they require when they require it.In turn, the use of virtualization allows third-party cloud providers to maximize the utilization of their sunk capital costs by multiplexing many customer VMs across a shared physical infrastructure. However, in this paper, we show that this approach can also introduce new vulnerabilities.Using the Amazon EC2 service as a case study, we show that it is possible to map the internal cloud infrastructure, identify where a particular target VM is likely to reside, and instantiate new VMs until one is placed co-resident with the target. We explore how such placement can then be used to mount cross-VM side-channel attacks to extract information from a target VM on the same machine.

Download paper: http://people.csail.mit.edu/tromer/papers/cloudsec.pdf

Facebook claims to have identified the self-proclaimed Russian hacker calling himself  ” Kirlios” .  Newswire report over the weekend reported that Kirlios had succeed in hacking a large number of Facebook accounts.  On hacker forums, Kirlios has been offering up Facebook accounts for sale in batches of 1000 – up to 1.5 million in total. The going price is between $25 and $45 a batch. Quite reasonable really.

Facebook claims they turned the information about the hacker to law enforcement authorities and that the hacker’s claims are grossly overstated. Even if this guy is caught, extradition to the US is unlikely. Russia’s stance on this sort of thing is ” show us the proof and we will prosecute him ourselves”.

The new federal HIPAA privacy and security rule compliance audits of healthcare organizations and their business associates likely will start later this year once a report on a model for the program is completed, a key federal privacy official says.

In the next few weeks, Booz Allen Hamilton will provide a status report on its compliance audit study for the Office for Civil Rights in the Department of Health and Human Services, the governmental unit that enforces the privacy and security rules, says Susan McAndrew, OCR’s deputy director for privacy.

Read Full Article: http://www.healthcareinfosecurity.com/articles.php?art_id=2517

I recently overheard a comment by a co-worker ( shoutout Ben A.) that we read and listen to news reports and assumed the report knows what they are  talking about until they turn to a topic we are familiar with in some depth and realize that report spouting off to potentially millions of people don’t have a clue what they are talking about.  How true!

I ran into this article today  titled ” Botnet exploits Linux users’ ignorance“. The writer makes the point that ” a lack of knowledge and awareness about how to use Linux mail servers could be contributing to the disproportionately large number of Linux machines being exploited to send spam”.

I wholeheartedly agree with this. Companies see open source technologies as a means of saving money but do not have staff adequately trained to secure these systems.

The second point I noticed was that the report from Symantec’s Hosted Services referenced in the article pointed out that ” Linux based machines are 5 times more likely to send out spam than Windows based computers”.

The writer quotes a Symantec Malware Analyst as saying:

“…..one reason there is so much spam from Linux could be that many companies that have implemented their own mail servers, and are using open-source software to keep costs down, have not realised that leaving port 25 open to the Internet also leaves them open to abuse.”