…at least according to this interesting blog post from OpenDNS’ Allison Rhodes. It makes sense to me… in the AM, we are all going through our emails, getting ready for the day to come and in a hurry to get caught up with the latest news. I saw this post as a result of being on OpenDNS’ site from here at the Agahozo Shalom Youth Village, where we are using OpenDNS to provide web filtering to keep the students away from some of the, um, racier sites on the Net. OpenDNS seems to be a really good, easy to use solution for web filtering in the cloud. If you have young web surfers at home, you might want to check it out.
Tomorrow afternoon, a group of my Liquidnet colleagues and I will be boarding a flight for Amsterdam to connect with another flight to Kigali, Rwanda. We’re going to the Agahozo Shalom Youth Village in Rwamagana, Rwanda to help upgrade and extend the village’s wireless networks and servers.
The Agahozo-Shalom Youth Village (ASYV) is a residential community in rural Rwanda. Its 144 acres are home to youth who were orphaned during and after the genocide in 1994. The Village is designed to care for, protect and nurture these young people. It is a place of hope, where “tears are dried” (signified by the Kinyarwanda word agahozo) and where the aim is to live in peace (from Hebrew, shalom). The marrying of these two languages and concepts in the name of the Village is intended as a reminder of the success of similar efforts in Israel, where genocide also changed the face of a nation. — ASYV web site
I’ll be posting pictures, and updates from the trip (which includes a trip to visit with Rwanda’s Mountain Gorillas) on a separate Tumblr blog – alinrwanda.tumblr.com. Please join me over there for a look at how technology is helping change kids’ lives in central Africa.
From the department of things that should be common sense, but are not… it is not safe to put confidential data on cloud based file sharing sites like RapidShare, FileFactory and Easyshare. Some researchers in Belgium did some poking around on these sites and the results are yet another demonstration that security through obscurity just doesn’t cut it.
Spear phishing has been in the news quite a bit lately – it seems like just about all of the recent high profile hacks began with someone clicking on a link or opening a document. Here’s a data point which seems to corroborate the innate sense of trust that leads people to do really stupid things. According to an entry in Bruce Schneier’s blog… in Istanbul, police dressed up as doctors, knocking on doors unannounced, were able to persuade 86% of subjects to take a pill. And this is after a rash of crimes in which people who are not police did the same thing, using powerful sedatives to disable victims and ransack their homes. My belief in knowledge of human psychology as the most powerful hacking tool remains strong. Or maybe there is something in the water in Istanbul…
The National Security Agency isn’t all about listening in on other people’s conversations or being the object of insanely paranoid fantasies. The NSA also has an Information Assurance mission, protecting guvmint computers from hackers, spies, and this guy. Now taxpayers can take advantage of the billions of dollars they have paid in to keep the NSA running… the agency has released a pretty good guide to securing home computers (PDF file) with information for Windows and Mac users. Unfortunately, it is a little bit on the techie side – you can’t just email it grandma and assume she’s good to go, but it does provide a great checklist to help you (and your colleagues) batten down those cyber-hatches. Worth a read.
I love the obituaries in UK newspapers… none of that namby pamby covering up of the dearly departed’s foibles or less than stellar achievements. This past week, the Telegraph ran a (sort of) tribute to Colonel Albert Bachmann who, in the words of the obit writer, “had reduced the Swiss military intelligence agency, in which he had mysteriously managed to rise to a senior role, to a state bordering on chaos, not to mention bankruptcy. So catastrophic was his impact that, when he was finally unmasked, many assumed he must be a double agent. He was not.”
Cloud storage provider DropBox provides a great example of some of the security issues that individuals and companies face when entrusting sensitive data to the cloud. Over the past few weeks, DropBox has made the news twice regarding its security and we all know that making the news is generally not a good thing when it comes to security.
Dropbox’s first issue came up in early April, when a security researcher named Derek Newton discovered a significant weakness in the service’s authentication mechanism. One of the primary benefits of DropBox is that it allows the user to set up synchronized file systems across multiple devices. When files are added to, modified on or deleted from any DropBox enabled computer, iPhone, iPad or other device, the changes are automatically replicated to all of the other devices associated with the user’s account. This is a really useful feature for many people. In order for this file synchronization to work properly, you need to install a piece of software on each device used to access your account. Newton found that the Windows DropBox client stores the information needed to access the DropBox server in a configuration file which contains a “host ID” used to authenticate to DropBox. Simply by copying this file to another computer with the DropBox software installed on it, an attacker would have full read/write access to the files in the DropBox account.
This opens up a whole range of possibilities for attackers. For instance, it would be possible to write malware which specifically looks for the DropBox configuration file and sends it back to the attacker. Once an attacker has the configuration file, they would have continued access to the compromised DropBox account even after the malware was removed from the user’s computer. The user would have to remove their own computer from the list of devices allowed to access their DropBox account and reinstall the software to close the door on the attacker.
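To make the point concrete, here is a small model of the problem and of the two remedies the post touches on: server-side revocation (unlinking the device) and client-side binding of the stored credential to the machine that created it. This is an added example written for this post; it is not Dropbox code, not Derek Newton's proof of concept, and the SyncServer class, the host ID format and the HMAC-based wrapping are assumptions standing in for whatever the real client and service do.

```python
import hashlib
import hmac
import os
import secrets


class SyncServer:
    """Hypothetical sync back end: a table of linked devices keyed by host ID."""

    def __init__(self):
        self.linked = {}  # host_id -> account

    def link_device(self, account):
        # Linking happens once, after the user has logged in with a password.
        # From then on the client presents only the host ID.
        host_id = secrets.token_hex(16)  # 32 hex characters
        self.linked[host_id] = account
        return host_id

    def files_for(self, host_id):
        """The weakness in a nutshell: the host ID is a bearer token.
        Whoever presents it, from whatever machine, gets the account."""
        account = self.linked.get(host_id)
        if account is None:
            raise PermissionError("unknown host id")
        return f"files of {account}"

    def unlink_device(self, host_id):
        """Server-side revocation: the only remedy the user had at the time."""
        self.linked.pop(host_id, None)


# --- vulnerable client storage: the config file holds the host ID in the clear ---

def save_plain(host_id):
    return host_id.encode()  # the bytes that land on disk


def load_plain(blob):
    return blob.decode()


# --- hardened client storage: wrap the host ID under a machine-specific key ---

def _wrap_key(machine_secret):
    return hashlib.sha256(b"host-id-wrap:" + machine_secret).digest()


def save_bound(host_id, machine_secret):
    """Encrypt-then-MAC built from stdlib primitives (HMAC used as a PRF).
    Illustrative stand-in for an OS keystore such as DPAPI, not the vendor's fix."""
    body = host_id.encode()
    assert len(body) <= 32, "one 32-byte keystream block covers a 32-char host id"
    key = _wrap_key(machine_secret)
    nonce = os.urandom(16)
    keystream = hmac.new(key, b"enc" + nonce, hashlib.sha256).digest()
    ct = bytes(a ^ b for a, b in zip(body, keystream))
    tag = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def load_bound(blob, machine_secret):
    """Returns the host ID on the machine that wrote the file, None anywhere else."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    key = _wrap_key(machine_secret)
    expected = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    keystream = hmac.new(key, b"enc" + nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(ct, keystream)).decode()


def demo():
    """Walk through the scenario in the post; returns what each party could read."""
    server = SyncServer()
    # Constructed stand-ins for a per-machine secret (e.g. an OS user key).
    victim_secret, attacker_secret = os.urandom(32), os.urandom(32)
    host_id = server.link_device("alice")
    result = {}

    # 1. Plain config copied off the victim's machine: the attacker is in.
    stolen = save_plain(host_id)
    result["attacker_reads_plain"] = server.files_for(load_plain(stolen))

    # 2. Removing the malware changes nothing; only unlinking the device helps.
    server.unlink_device(host_id)
    try:
        server.files_for(load_plain(stolen))
        result["attacker_after_unlink"] = True
    except PermissionError:
        result["attacker_after_unlink"] = False

    # 3. Machine-bound storage: the same file copied elsewhere is useless.
    host_id = server.link_device("alice")
    bound = save_bound(host_id, victim_secret)
    result["victim_reads_bound"] = load_bound(bound, victim_secret) == host_id
    result["attacker_reads_bound"] = load_bound(bound, attacker_secret)
    return result


if __name__ == "__main__":
    print(demo())
```

Two caveats worth keeping in mind. Binding the file to the machine only defeats the "copy the config somewhere else" attack; malware that is still running on the victim's computer can unwrap the credential there, so revocation on the server side (and a list of linked devices the user can actually see) is the part that matters once a compromise is suspected. And the HMAC-in-counter-mode wrapping above is just to keep the example dependency-free; a real client would use the platform keystore or an authenticated cipher from a vetted library.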
As of today, the vulnerability still exists… DropBox plans to roll out a software update which would make the configuration file useless on a second machine, but has not provided a timeline for remediation. I would recommend not using DropBox until such a fix is made.
DropBox also made the news for a change in their terms of service. The original terms of service assured users that since their files were stored in encrypted form on the DropBox servers, DropBox employees could not peek into their data. Well, it turns out that this is not exactly the case. A “limited number” of DropBox employees do, in fact, have the ability to decrypt user files in order to comply with law enforcement requests for data in connection with an investigation. Now, I understand that DropBox wants to be a good corporate citizen, but there is a significant distinction between “our employees can’t read your data” and “only some of our employees can read your data.” I applaud DropBox for making their terms of service clearer (and more accurate), but this incident (and the reaction from DropBox users) is an example of one of the major problems facing users and organizations when they make the decision to move their data to the cloud.
The problem is twofold… customers don’t know the right questions to ask and vendors just don’t seem to understand that users require security for their cloud data, even if they cannot exactly describe what security measures they are looking for. A recent Ponemon survey on cloud computing providers’ views of the security of their services showed that among survey respondents (who we can assume are amongst the more security aware providers), vendors had the least confidence regarding some important security features of their services, such as
- Their ability to authenticate users before granting access
- Their ability to prevent or curtail external attacks
- Their ability to encrypt sensitive or confidential information assets whenever feasible
- Their ability to determine the root cause of cyber attacks
It is clear to me that many individuals and businesses are rushing in to take advantage of the cost advantages and convenience of cloud computing without knowing how safe or unsafe their information is while it rests in the cloud. The efforts of organizations like the Cloud Security Alliance to develop baseline language, best practices and assessment tools are a step in the right direction, but the road to cloud security is still foggy and treacherous.