Archive for the ‘Cloud Security’ Category

Dual warhead stuxnet

December 7, 2010 Leave a comment

German software engineer who in September was the first to report that a computer worm was apparently designed to sabotage targets in Iran said Friday that the program contained two separate “digital warheads.”… malicious program, known as Stuxnet, is designed to disable both Iranian centrifuges used to enrich uranium and steam turbines at the Bushehr nuclear power plant…link between the worm and an Iranian target was first made at an industrial systems cybersecurity conference in the Washington area on Sept. 20 by Mr. Langner…In a statement Friday on his Web site, he described two different attack modules that are designed to run on different industrial controllers made by Siemens, the German industrial equipment maker. “It appears that warhead one and warhead two were deployed in combination as an all-out cyberstrike against the Iranian nuclear program,”… Mr. Langner said, however, that he had found enough evidence within the programs to pinpoint the intended targets. He described his research process as being akin to being at a crime scene and examining a weapon but lacking a body…second code module — aimed at the nuclear power plant — was written with remarkable sophistication, he said. The worm moves from personal computers to Siemens computers that control industrial processes. It then inserts fake data, fooling the computers into thinking that the system is running normally while the sabotage of the frequency converters is taking place. “It is obvious that several years of preparation went into the design of this attack,”… concerned that computer security organizations were not adequately conveying the potential for serious industrial sabotage that Stuxnet foretells…


Google Machine Learning Black Box

August 27, 2010 Leave a comment

Providing developers with machine learning on tap could unleash a flood of smarter apps…smartest Web services around rely on machine learning–algorithms that enable software to learn how to respond with a degree of intelligence to new information or events….Google has launched a service that could bring such smarts to many more apps. Google Prediction API provides a simple way for developers to create software that learns how to handle incoming data. For example, the Google-hosted algorithms could be trained to sort e-mails into categories for “complaints” and “praise” using a dataset that provides many examples of both kinds. Future e-mails could then be screened by software using that API, and handled accordingly…Currently just “hundreds” of developers have access to the service,… Users range from developers of mobile and Web apps to oil companies…”Many want to do product recommendation, and there are also interesting NGO use cases with ideas such as extracting emergency information from Twitter or other sources online.”… Specialized knowledge of machine learning is typically needed to consider using it in a product…Google’s service provides a kind of machine-learning black box– data goes in one end, and predictions come out the other. There are three basic commands: one to upload a collection of data, another telling the service to learn what it can from it, and a third to submit new data for the system to react to based on what it learned….”Developers can deploy it on their site or app within 20 minutes,” says Green. “We’re trying to provide a really easy service that doesn’t require them to spend month after month trying different algorithms.” Google’s black box actually contains a whole suite of different algorithms. 
When data is uploaded, all of the algorithms are automatically applied to find out which works best for a particular job, and the best algorithm is then used to handle any new information submitted…Google’s new service may also be more palatable to businesses wary of handing over their data to cloud providers, says Confino. “The data can be completely obfuscated, and you can still use this service. Google doesn’t have to know if those numbers you are sending it are stock prices or housing prices.”… Google does, however, get some information that it can use to improve its machine-learning algorithms. “We don’t look at users’ data, but we do see the same metrics on prediction quality that they do, to help us improve the service,” says Green. The engineers running Prediction API will know if a particular algorithm is rarely used, or if a new one needs to be added to the mix to better process certain types of data…Prediction API has the potential to be a leveler between established companies and smaller startups…een a competitive advantage for large companies like Amazon, whose product recommendation is built on machine learning,” he explains. “Now you still have to have a decent set of training data, but you don’t have to have the same level of expertise….Google’s black box will enable wider use of machine learning, but he contends that the service needs to mature. “Today it is good at predicting which language text is in and also sentiment analysis, for example to pick out positive and negative reviews,” he says….Ultimately, though, being unable to inspect the inner workings of the algorithms and fine-tune them for a specific use may have its limits. “It’s good for cases that are not mission-critical, where you can afford a few false positives,” Bates says. For example, a spam filter that occasionally lets through the occasional junk message could still be usable, but a credit-card company might be less able to accept any errors…

Web OS backed by IBM

January 2, 2010 Leave a comment

Monday, December 28, 2009

IBM Backs an OS for the ‘Private Cloud’

It hopes the operating system will entice companies to use cloud computing technologies.

By Erica Naone

An open-source Web-based operating system called eyeOS is getting a big boost from IBM. The computer giant has begun selling high-end mainframe servers with eyeOS pre-installed, hoping the operating system will entice customers who are hesitant about using cloud computing.

Managed by a small company based in Barcelona, eyeOS lets users access a virtual desktop through a Web browser. The user can treat that virtual desktop like the desktop of a regular PC, launching and running applications within it.

Though individuals can use the operating system over the Internet through a site hosted by eyeOS, IBM makes it possible for customers to host the service themselves. With the software installed on the mainframe server, a company could offer virtual desktops to its employees, who could then access their “work computers” from any device.

Unlike projects like Google’s ChromeOS, which is designed to let people access the entire world of Web applications through the browser, eyeOS is designed to access a specific set of applications “installed” on the virtual desktop. Using the system, an organization could provide employees with productivity applications, its own custom applications, and access to proprietary data. The ability to access these through a single Web-based operating system, says the project’s founder, Pau Garcia-Mila, saves users from needing passwords to different Web-based services. It also allows the applications to be more compatible with each other.

Cloud computing most often means running data and applications on remote servers hosted by a company such as New technologies allow the hosting company to share its processing and storage resources efficiently among all its customers, enabling it to offer low prices. Customers of cloud providers save money because the rates are low, they don’t have to buy their own equipment, and they can buy just as much computing power as they need, changing the quantity as their demands fluctuate.

IBM’s goal with this product is to help customers build “private clouds,” since some companies hesitate to host data and applications on public clouds, often due to concerns about security and reliability. The idea of a private cloud is to set up–on a company’s own servers–the same sorts of efficiencies used by cloud providers, without having to entrust sensitive data to an outside organization.

“For most well-established, large enterprises, there is in general some distrust with public cloud services,” says IBM’s mainframe cloud initiative leader, Andrea Greggo. “This is driving the focus on wanting to contain these environments behind [a] firewall but still benefit from the value of cloud.”

Customers can use IBM’s new servers for the data processing typically expected of mainframes, but Greggo says the servers also let customers take advantage of products such as eyeOS.

But Frank Gillett, a principal analyst at Forrester Research, calls the term “private cloud” an oxymoron. He compares what IBM offers to virtualization services already offered by companies such as VMware.

Gillett acknowledges that eyeOS is different from other virtual desktop systems because it allows users to access the desktop through a Web browser instead of a special application. Nonetheless, he remains skeptical because eyeOS is not based on a popular operating system such as Microsoft Windows. He believes many businesses will stick with virtualization services that let them use familiar software. Though some companies have tried to build Web-based operating systems, he says, “None of these startups have made it into the mainstream conversations.”

Copyright Technology Review 2009.

Cloud security

November 27, 2009 Leave a comment

How Secure Is Cloud Computing?

Cryptography solutions are far-off, but much can be done in the near term, says Whitfield Diffie.

By David Talbot

Cloud computing services, such as Amazon’s EC2 and Google Apps, are booming. But are they secure enough? Friday’s ACM Cloud Computing Security Workshop in Chicago was the first such event devoted specifically to cloud security.

Cryptography pioneer: Whitfield Diffie, a cryptographer and security researcher, and visiting professor at Royal Holloway, University of London.
Credit: David Talbot

Speakers included Whitfield Diffie, a cryptographer and security researcher who, in 1976, helped solve a fundamental problem of cryptography: how to securely pass along the “keys” that unlock encrypted material for intended recipients.

Diffie, now a visiting professor at Royal Holloway, University of London, was until recently a chief security officer at Sun Microsystems. Prior to that he managed security research at Northern Telecom. He sat down with David Talbot, Technology Review’s chief correspondent.

Technology Review: What are the security implications of the growing move toward cloud computing?

Whitfield Diffie: The effect of the growing dependence on cloud computing is similar to that of our dependence on public transportation, particularly air transportation, which forces us to trust organizations over which we have no control, limits what we can transport, and subjects us to rules and schedules that wouldn’t apply if we were flying our own planes. On the other hand, it is so much more economical that we don’t realistically have any alternative.

TR: The analogy is interesting, but air travel is fairly safe. So how serious are today’s cloud computing security problems, really?

WD: It depends on your viewpoint. From the view of a broad class of potential users it is very much like trusting the telephone company–or Gmail, or even the post office–to keep your communications private. People frequently place confidential information into the hands of common carriers and other commercial enterprises.

There is another class of user who would not use the telephone without taking security precautions beyond trusting the common carrier. If you want to procure storage from the cloud you can do the same thing: never send anything but encrypted data to cloud storage. On the other hand, if you want the cloud to do some actual computing for you, you don’t have that alternative.

TR: What about all of the interesting new research pointing the way to encrypted search and even encrypted computation in the cloud?

WD: The whole point of cloud computing is economy: if someone else can compute it cheaper than you can, it’s more cost effective for you to outsource the computation. It has been shown to be possible in principle for the computation to be done on encrypted data, which would prevent the person doing the computing from using your information to benefit anyone but you. Current techniques would more than undo the economy gained by the outsourcing and show little sign of becoming practical. You can of course encrypt the data between your facility and the elements of the cloud you are using. That will protect you from anyone other than the person doing the computing for you. You will have to choose accountants, for example, whom you trust.

TR: If a full cryptographic solution is far-off, what would a near-term solution look like?

WD: A practical solution will have several properties. It will require an overall improvement in computer security. Much of this would result from care on the part of cloud computing providers–choosing more secure operating systems such as OpenBSD and Solaris–and keeping those systems carefully configured. A security-conscious computing services provider would provision each user with its own processors, caches, and memory at any given moment and would clean house between users, reloading the operating system and zeroing all memory.

An important component of security will be the quality of the personnel operating the data centers: good security training and appropriate security vetting. A secure data center might well be administered externally, allowing a very limited group of employees physical access to the computers. The operators should not be able to access any of the customer data, even as they supervise the scheduling and provisioning of computations.

TR: Would any public-policy moves help or hurt the situation?

WD: A serious potential danger will be any laws intended to guarantee the ability of law enforcement to monitor computations that they suspect of supporting criminal activity. Back doors of this sort complicate security arrangements with two devastating consequences. Complexity is the enemy of security. Once Trojan horses are constructed, one can never be sure by whom they will be used.

Encryption and cloud computing

November 27, 2009 Leave a comment

Encryption Is Cloud Computing Security Savior

Posted by Alexander Wolfe, Nov 16, 2009 03:36 PM

I’m beginning to think that fears about cloud security are overblown. The reason: an intellectual framework is already in place for protecting data, applications, and connections. It’s called encryption. What’s evolving now, and isn’t anywhere near fully baked, is a set of agreed-upon implementations and best practices. Today’s post talks about some relevant and interesting work from Trend Micro and from IBM.


Along with the leadership we’re seeing from Trend Micro and IBM, it’s only fair to add that most of the security vendors and cloud-service providers themselves are researching this stuff. (I’ll cover those efforts in future posts.) One impediment in writing about cloud security is that people tend to be closed-mouth, because of the seriousness of security, as per the old phrase: “If I tell you, then I’d have to kill you.”

From my perspective, as I’ve started blogging about cloud security — see “Cloud Security In Focus Amid Data Theft Fears” — I’ve begun to see up close this reluctance of experts to provide deep data dumps. (A corollary is that those who don’t know tend to be voluble.)

Quite apart from the fact that chatter is antithetical to the security and intelligence-community ethos (not always, though), there’s so much disparate activity it’s hard to get a holistic understanding of where things are headed. Thus, my funneling everything into the encryption bucket is an attempt to summarize and make some sense of where the nexus of activity lies.

So, while I’ve been hoping to pull together comprehensive posts, I can see what I’m going to have to do is offer up incomplete bits and pieces, blogging about this stuff as I get wind of it. Accordingly, here are three interesting, albeit very loosely connected, items:

Encryption is already being used

First, here’s a heads up I got from one reader (as a comment to my earlier post), about his use of encryption to secure his cloud connections:

“I can only speak from experience using Amazon Web Services since early 2006, but all the tools are there if only they are used. For instance you can have rotating keys and my favorite is private VPN’s. If you have a good working security structure in place you can now use a private VPN from within your existing system to scale cloud resources without opening your system to the outside. These are a lot of the same issues we faced when we hooked up those pesky LANs to the transactional mainframe systems via SNA gateways in the early 80’s.”


Improved cloud encryption techniques are being researched

My contacts at Trend Micro have hinted at some conceptual work they’re doing, for future delivery at an unspecified date (i.e., I want to make clear that they’re not yet talking productization) about an encryption scheme for public cloud computing. The work is based on technology acquired from Identum Ltd., a British startup incubated at Bristol University, which Trend Micro acquired in 2008. Identum’s work has formed the basis for the e-mail encryption solutions currently offered by Trend.

Identum’s encryption expertise is now in play in this cloud research. The basic, and very powerful, idea is to apply encryption agents to every virtual computing instance. Thus, every VM would have its own resident manager to ensure the proper application of encryption security resources.

The big win here is you’d have, in essence, automated application of security policies everywhere. Thus, you’d have cryptographic key management built into the process, and also not have to worry about unprotected VM instances amongst your computing resources.

Third time’s a charm

(OK, I couldn’t think of a good subhead.) As a transition between the Trend Micro item and this one on IBM, I should mention that management of cryptographic keys is by no means a trivial thing. When you think about it, all of your cloud security rests on being able to generate and hand out those keys, while keeping them out of the hands of bad guys. (Hackers aren’t going to be able to break your keys; what they’ll do to breach your security is to steal them instead.)

Which leads into the IBM research on homomorphic encryption. (See press release, IBM Researcher Solves Longstanding Cryptographic Challenge, from July.) This is very arcane stuff, but as best as I can reduce it, what this IBM breakthrough would enable is that you could send encrypted data throughout the cloud, manipulate it any way you want, and then at the end of the day, you’d still be able to decrypt it.

Currently, there are severe limitations on the operations you can perform on encrypted data, because some of the manipulations will muck it up so that it’s no longer decryptable.

Why is this a problem? Well, you want to work on encrypted data as long as possible without having to render it back into its plainly visible form. That way, you don’t have to mess around with keys, or, more toxically, provide those keys to users you’re not sure you trust.

The thing with this IBM research is it’s not really clear that they’ve solved the problem. The always authoritative Bruce Schneier says that the work is theoretically impressive but completely impractical. Regardless, IBM gets props for pushing things forward.

In closing, I’d like to point you to a good post from George Reese over at O’Reilly Community: Twenty Rules for Amazon Cloud Security. The basic thrust of his advice is “encrypt everything” and only allow your decrypt key to surface for the very brief instances you’re using it.

A more secure cloud

November 27, 2009 Leave a comment

Thursday, October 01, 2009
A More Secure, Trustworthy Cloud
Virtual private clouds bridge real and virtual computing infrastructure.
By Christopher Mims
After weeks of testing, is preparing to bring out of beta a service that will let customers merge their own computer systems with its cloud-computing services.
Amazon’s Virtual Private Cloud (VPC) service, currently in beta testing, integrates remote, virtual resources with physical computers, giving customers the option to use cloud computing while keeping sensitive information on one of their own machines. Amazon’s service is the latest part of a larger trend in cloud computing: creating secure connections between real and virtual machines. Similar offerings are available from other cloud-computing companies, including CohesiveFT, IBM, and Enomaly.
Cloud computing allows companies to perform feats of computation that would otherwise have been impossible, or at least prohibitively expensive. However, cloud computing has generally lacked the security features typically required by small and medium-sized enterprises.
Amazon’s technology enables cloud-based resources to appear as part of a regular local network of servers. It uses Internet Protocol Security (IPsec) to establish a secure connection with existing data centers. Servers in the cloud can then be assigned specific network addresses and mapped onto an existing network.
Previously, computer network concepts could not easily be realized within the cloud, because the network itself was not virtualized–just the processing and storage. Amazon’s VPC offering goes some way toward allowing the virtualization of this infrastructure. “I can take a machine that’s lived for 10 years at one [address] in my data center and give it that same address on Amazon,” says Patrick Kerpan, CTO of cloud-computing software vendor CohesiveFT.
One of the reasons why there has been so much demand for VPCs, says Kerpan, is that enterprise IT teams are so comfortable with legacy computer networks. “The world of network thinking–the tools, the subnets, et cetera–if you’re a networking team, you’re using skills you’ve mapped to the network in order to solve problems,” says Kerpan. “They build maps in their head and in their tools.”
However, Reuven Cohen, founder and CTO of cloud-computing company Enomaly, argues that no VPC can ever be as secure as a physically isolated network. “It provides an extra level of security from your neighbor seeing your data,” says Cohen, “but it doesn’t address one fundamental problem: the idea of trust. If you’re using Amazon, you inherently have to trust them.”
James Comfort, vice president of integrated delivery platforms at IBM, says that VPCs are only one solution in a spectrum of potential secured cloud offerings. “VPC is a bit of a misnomer,” says Comfort. “In our mind, the difference between the private and the public cloud is a business model.” The difference is that a private cloud is run internally by a company, solely for its own use, while a public cloud consists of leased resources from a cloud service provider.
For large companies, it may be safer, and cheaper, to rely entirely on internal infrastructure. According to a McKinsey & Company report issued in April, moving a large company’s data center architecture to a cloud-computing platform can as much as double costs.
For small and medium enterprises, however, virtual private cloud offerings from Amazon and others may prove more attractive. “You can tell customers–millions of IT people worldwide–you need to relearn everything [so that you can move your infrastructure to the cloud,] or you can make the migration as easy as humanly possible,” says Kerpan. “If people have learned a set of skills, we try to figure out how we can make it natural for them to continue to use those skills.”
Copyright Technology Review 2009.

Self-policing cloud computing

November 27, 2009 Leave a comment

Friday, November 20, 2009
Self-Policing Cloud Computing
IBM security tool searches for and destroys malicious code in the cloud.
By David Talbot
Cloud computing presents inherent privacy dangers, because the cloud provider can see a customer’s data and leased computational apparatus, known as “virtual machines.” New research suggests that as long as the cloud can see things, it might as well check that its customers aren’t running malicious code.
Researchers at IBM’s Watson Research Center in Yorktown, NY, and IBM’s Zurich Research lab have developed a system for cloud computing “introspection monitoring,” in which elements of the cloud would act as a kind of virtual bouncer. They’d frisk virtual machines to check what operating systems they’re using, whether they are running properly, and whether they contain malicious code, such as root-kits.
“It works by looking inside the virtual machine and trying to infer what it does. You don’t want malicious clients to give you all kinds of malware in their virtual machines that you will run in the cloud,” says Radu Sion, a computer scientist at Stony Brook University, who was not involved in the research. “Today the cloud does not offer privacy, so we might as well use the lack of privacy for introspection.”
The work by IBM was one of several papers presented last Friday at the ACM Cloud Computing Security Workshop, a first-of-its-kind event. The paper extends earlier research on introspection to make it more applicable to cloud settings such as Amazon’s EC2 service. “In clouds, the barrier to entry is lower, and the thing customers are most concerned about is their information. We want to make sure their information is handled in a manner consistent with their expectation of security and privacy,” says J.R. Rao, senior manager for secure software and services for IBM.
One specific way that clouds could present hazards is if hackers figure out how to place their malicious virtual machines on the same physical servers as those of their victims, as recent research has shown is possible. Cloud providers use multiple data centers and many thousands of servers, so finding the right one could be a crucial first step to a cloud computing attack. (Earlier research has shown that hackers using a given operating system can steal data from other users of the same operating system, and that similar vulnerabilities can exist when operating systems share the same servers.)
The next step could be data-theft from cache memory on multicore systems within the server. These caches, or temporary memory, are shared between different virtual machines, presenting a theoretical risk. At the conference, Microsoft proposed a system that would create hierarchies within the cache memory. Such a system would serve as a kind of partition and could guard against cache attacks of this kind.
The IBM and Microsoft papers are representative of new research that’s important to the future of cloud computing because it points to ways of making fundamental cloud infrastructure more secure. “They are particularly good at fixing problems in the core, as opposed to just discussing the security of applications in the cloud,” such as e-mail, says Sion of the two companies. The proposed solutions could be ready for commercialization within a year, he added.
Also at the conference, combined research by PARC and Fujitsu pointed out other ways that clouds could help provide security. Specifically, clouds can provide convenient places to cheaply and easily do computing that helps diagnose and solve security threats.
For example, consider a scenario in which mobile devices start acting strangely, possibly because a virus is spreading via text messages or e-mails. A wireless carrier could aggregate data from these mobile phones and, in a cloud setting, analyze the problem and devise the best response. “All of that work is done outside the mobile device. It allows dramatic speed-up in how you can respond to threats,” says Markus Jakobsson, a principal scientist at PARC, in Palo Alto, CA.
“When people use the words ‘cloud’ and ‘security’ together–it is often with a frown. But we are saying it is a huge boon,” in enabling easy processing of security-related tasks, Jakobsson added. “If we don’t use it, we are missing out on something truly amazing.”
Copyright Technology Review 2009.