RSA 2012 has come and gone from the caverns of Moscone, and I’ve had a (short) chance to digest this year’s event, leaving a little more educated and a lot more wary about the risks facing modern IT when it comes to security.
The biggest wake up call? Security expert Bruce Schneier’s timely reminder that outsourcing, whether to India or the Amazon Cloud, has ripple effects on security and privacy, and that right now the trend is to cut costs and complexity – in exchange for control. That’s not necessarily a mistake, particularly for businesses that are rapidly expanding, businesses that were hit hard by the recession, businesses that need to quickly adapt to a mobile landscape, or pretty much any other business that can benefit from the agility the cloud offers. In other words, the cloud offers a little of something to everyone.
But the allure of the Google way, or even the Microsoft Azure or Amazon S3 way, costs something, whether it’s an increased chance a competitor can sneak a peak at your proprietary data, that a government can subpoena your records or simply that you can’t control when and where outages hit home.
The biggest threat to Internet freedom isn’t traditional “bad guys” like cyberterrorists and hacking groups, says Bruce Schneier, security researcher and author, but the slow, creeping advances of Big Data companies like Google and Amazon that are quietly rewriting the fundamentals of how security is managed.
Schneier explained his fears to a packed room at RSA 2012, outlining how he saw individuals, companies and governments effectively outsourcing security to cloud providers, abdicating ultimate control in exchange for convenience and cost savings.
The result is a state of “security serfdom” where fealty is pledged to one of a few centralized data gatekeepers who promise and deliver great benefits – but upon whom the user becomes completely reliant for basic security. Apple’s legion of adoring gadget geeks and people who live the “Google lifestyle” through GMail, Google Voice and more now rely on those companies to make critical security decisions for them.
It’s not an all together negative trend, particularly since “average users” historically do the bare minimum of backup, encryption and other information security hygiene possible, but it does create a more monolithic landscape that is likely to get harder and harder to opt out of.
“There’s a war on general purpose computing, because companies realize they gave up too much control,” said Schneier.
What really sank (or, to be more precise, exploded) the Death Star wasn’t the usual suspects of Rebel scum, engineering incompetence or even the inevitable triumph of good over evil. Instead, explained Kellman Meghu, a series of common infosec missteps made by Darth Vader, then the acting Chief Security Officer, doomed the ultimate battle station: In an age of consistent, ongoing penetration attempts long ago and far, far away, only the eternally vigilant and over-prepared lived to fight another day.
Kellman, speaking at Security BSides San Francsico 2012, admitted that the erstwhile Anakin got a few things right, particularly when it comes to understanding the threat of data leakage.
“He knew what was important to his business, which is really quite impressive,” he said, stating that a lot of major companies he works with have no idea what is in their data inventory, nor what matters if it were to escape.
Kellman also lauded how well Darth Vader monitored, logged and actually responded to threats: When the Death Star blueprints were leaked by Bothans, he immediately assembled a tactical team to deal with the data breach. Compare that to how often data leaks out through thumbdrives or unsecured laptops and the only notification occurs when the data is posted publicly.
Vader also did an admirable job following through on the seriousness of the threat, marshaling resources to help investigate the breach and respond appropriately.
But at the end of the day, the Death Star was destroyed (twice) and Vader rather dramatically resigned, as is often the case with CSOs after a major data breach.
It didn’t have to end that way, though. Kellman offered some straightforward advice every security Padawan could take to heart and that might have helped Vader ensure a long, happy retirement on a pleasure barge instead of a tragic death at what should have been the middle of an illustrious reign.
Google is coming to the cloud storage community as the search giant prepares to launch its new service soon.
Google joins Dropbox and Apple as companies who have launched cloud storage. The Wall Street Journal reports the storage will be called Drive and your data will be saved to their servers and can be accessed by any device with a WI-FI connection.
This storage device would allow users to fully incorporate their other services, Gmail and Google Docs, and store documents, pictures, and other data on Google’s server.
According to a report from the Wall Street Journal, users would be able to store their files and share it with friends and co-workers.
“If a person wants to e-mail a video from a smartphone, for instance, he can upload it to the Web through the Drive mobile app and e-mail people a link to the video rather than a bulky file,” the Journal said.
With Google’s availability to data servers all across the world, Dropbox and Box could see a significant decrease from their users but Box’s CEO Aaron Levie praised Google’s new arrival.
“The long-awaited entry of Google Drive will create awareness and acceptance of consumer cloud storage solutions, just like Apple’s launch of iCloud put the spotlight on this space last year,” Levie said.
We can all understand Levie’s enthusiasm about the idea of cloud storage evolving but he must be aware his company is going up against Google, right?
While Dropbox offers members up to 2 GB free and $9.99 a month for 50 GB, Google could offer storage at a level their competitors won’t be able to match. Along with being able to save up to 1GB for free on Google Docs, they will offer free storage to businesses and consumers, only charging for large file sharing.
Unless competitors can evolve and maintain a storage device which is cost efficient and allows more GB, it looks like Google will reign supreme once again.
Michael Tidmarsh is the Assistant Community Editor for ITKnowledgeExchange.com. He can be reached at Mtidmarsh@techtarget.com.
Once again, the IT Watch Blog is packing up its bags and reading to San Francisco for RSA, one of the security industry’s largest conferences. This year, mobile device threats are front and center: As Rob Westervelt with SearchSecurity reported, one firm hopes to make a big splash by debuting a new Android-based attack. Mobile attacks are a continued focus this year not only because of new attacks but because of continuing trends: Knowledge workers continue to BYOD (Bring Your Own Device) leaving IT with less control and visibility even as more critical data is pushed out into more places.
Other hot topics this year are cloud security best practices and standard compliance issues. I’ll be covering the most interesting sessions and news right here, but SearchSecurity will also be providing special RSA 2012 coverage with the site’s editors out in force during the duration of the show.
Jason D. O’Grady’s post regarding Apple’s frustrating PR practices kept popping up in my inbox today:
Then I got an idea. Since Apple PR never responds to my voicemails or emails, maybe they’d respond to the guys that do have access. So I contacted several prominent Apple pundits (who shall remain nameless) that are known for their access to Apple (some of whom get replies from Apple “every time”) and I asked them to enquire about Apple’s stance on enforcing its policy on address book uploads.
And you know what? None of them would do it.
Why? They’d probably say that Apple wouldn’t comment. But someone’s got to ask if they expect Apple to reply. I mean come on! Apple’s not going to press release its shady developers that steal your contacts.
The fact of the matter is that most journos with access to Apple are afraid of losing it. They’re afraid of asking the tough questions. They’re afraid of getting blacklisted. Like me.
The post is right on one thing: Apple is a pain in the ass to get a hold of, and almost impossible to get a substantive comment out of. A bit paranoid? Possessive? Absolutely. But saying Apple has a blacklist is far from my experience: Dozens of reporters I know have tried over the years to get a comment about this or that, and almost invariably fail, whether or not their Apple coverage is positive, negative or (usually) a bit of both. Instead, Apple has a whitelist: Those reporters it chooses to give access to, while blocking off the rest of the world. It’s not retribution for aggressive reporting. It’s that the universe of people Apple cares about in media is very, very small (though probably expanding if it’s doing one-on-ones as standard practice now). Continued »
The search engine and file-sharing site, BTJunkie, is voluntarily shutting down its website following the recent shut down of MegaUpload.com and the arrest of its founder, Kim Dotcom.
BTJunkie issued a statement on their website saying goodbye to their users and proclaiming the move was voluntary. “This is the end of the line my friends. The decision does not come easy, but we’ve decided to voluntarily shut down. We’ve been fighting for years for your right to communicate, but it’s time to move on. It’s been an experience of a lifetime, we wish you all the best!”
With file-sharing sites already looking over their shoulders, BTJunkie decided enough is enough and needed to make a major change.
After seeing this, the major question becomes: How much longer will file sharing be able to last?
Several other sites have been scared off: QuickSilverScreen has shut down and FileSonic and FileServe has restricted themselves to files members have uploaded themselves.
Even though BTJunkie didn’t host files for download, the website allowed users to download them from others and quickly became one of the top file sharing websites in the world.
In the recent months, we have seen illegal downloading and online piracy become an issue across the world. Leading the charge was SOPA/PIPA followed by Kim Dotcom’s arrest. It seems to me the damage has been done: File sharing sites are now on notices and much more carefully watching where they tread.
Michael Tidmarsh is the Assistant Community Editor at ITKnowledgeExchange.com. He can be reached at email@example.com.
Privacy is the forefront issue once again as Congress is preparing to attack Google over their latest changes to their privacy policies. Several lawmakers are concerned with how Google will collect a user’s data across their services.
Members of the House Subcommittee on Commerce, Manufacturing and Trade, Mary Bono Mack and G.K Butterfield, wrote a letter to the Internet giant expressing their concerns on their privacy changes.
Beginning on March 1st, Google will be able to cross reference data from their users which is collected from their various services including Google Apps, Gmail, and Youtube.
Google fired back to explain the new changes as Google director of public policy Pablo Chavez wrote a blog post accompanying the letter.
“We’re not collecting more data about you. Our new policy simply makes it clear that we use data to refine and improve your experience on Google.”
Last year, the FTC reached a settlement with Google regarding complaints of unfair practices and the company would submit to reviews by an independent auditor.
Michael Tidmarsh is the Assistant Community Editor for ITKnowledgeExchange.com. He can be reached at Mtidmarsh@techtarget.com.
With one simple call, the CSO of Rapid 7, HD Moore, could see into the boardrooms of law firms, pharmaceutical and oil companies, and even Goldman Sachs.
With only exploring 3% of the Internet, Moore and Mike Tuchen, found over 5,000 video conferencing unsecured systems not installed into their firewall. The result: anyone all across the world could watch and listen in to their meetings.
In an interview with the New York Times, Moore explains why video conferencing security is extremely important. “These are literally some of the world’s most important boardrooms-this is where their most critical meetings take place-and there could be silent attendees in all of them,” he said.
Why would companies set up their video conferencing this way? Moore explains it’s easier for other companies to be included in conference calls but it restricts their safety.
Imagine: a multi-national corporation having a board meeting pertaining to their projected revenue or future deals and their competitors are watching without them even noticing.
Moore explains how easy it was to break into several video conferencing systems. “Any machine that accepted a call was set to autoanswer. It was fairly easy to figure out who was vulnerable, because if they weren’t vulnerable, then they would not have picked up the call,” Moore said.
This can become a troubling problem for companies if it’s not settled quickly and quietly. Tuchen believes the safest way to secure calls is to install a ‘gatekeeper’ that connects calls outside the firewall. However, the process takes time and is usually skipped.
One would have to imagine if these two men could successfully hack into thousands of video conferencing systems, what could some of the world’s greatest hackers do?
“Any reasonably computer literate 6-year-old can try this at home,” Tuchen said.
Now companies have to ask themselves: security over access?
Michael Tidmarsh is the Assistant Community Editor at ITKnowledgeExchange.com. He can be reached at firstname.lastname@example.org
What will happen if SOPA passes through Congress? Is the FBI going to come after us? Should I shut down my whole system? If you run one of the various popular file hosting services, these might just be a few of the thoughts running through your head lately.
With Internet protests against SOPA and the arrest of Megaupload founder Kim Dotcom, there is no telling what will come next.
Many web-based storage companies have come out and publicly opposed Internet piracy. Mediafire CEO Derek Labian, for example, has publicly stated his website is legitimate and doesn’t support illegal fire-sharing. “Like many other cloud-based sharing services like Box.net and Dropbox, we’re a legitimate business targeting professionals.”
A quick Google of “Mediafire mp3” plus various song names, however, still found numerous high quality download links for popular songs – all for free and presumably unlicensed.
Other websites have sharply curtailed operations. File-sharing website FileSonic posted a banner on their website explaining it’s partial shutdown. “All sharing functionality on FileSonic is now disabled. Our service can only be used to upload and retrieve files that you have uploaded personally.” In other words, users can still use it to save and retrieve their own files, but sharing publicly is now nixed.
The question for file storage websites comes down to this: Do they continue to look the other way and continue to allow pirated material to be stored on their website or do they take a stand and control the content coming in? And can this currently shady underbelly of the storage world turn legit before its wiped out by legal threats?
At least some companies will continue to run their sites without fear or anxiety for now. A spokesperson for Rapidshare spoke after the Megaupload arrests, “File hosting itself is a legitimate business, so we’re not concerned or scared about the raid.”
Should they be concerned? Only time will tell but if their caught, they will have a lot of explaining to do.