Written on February 03, 2010 by Craig Balding

The Cloud Security Challenge: Money and Mentorship for Radical Ideas


Cloudsecurity.org is proud to be supporting the “Cloud Security Challenge”.

If you’ve a bright idea for cloud security or you know someone who has, this is an opportunity to grow it quickly.

The competition is run by the Global Security Challenge (GSC) who aim “to empower entrepreneurs in the security technology space.”

They do this by running challenges that anyone with a clever idea and a decent business plan can enter. A panel of experts selects the most promising security technology start-ups.

The winner of this challenge will receive a 10,000USD grant and mentorship from CapGemini. HP Labs in Bristol UK are sponsoring the event and offering use of their test-bed for up to 3 finalists.

Ultimately it may provide a path to additional funding — top contenders from previous challenges raised 57MM USD.

The competition is free to enter and the deadline is 15th March.

To learn more and submit your idea, visit the Global Security Challenge website.

Let me know if you have any questions and I’ll do my best to get them answered.

Written on January 25, 2010 by Craig Balding

Are You Trying to Pin the Tail on the Cloud Donkey?


Today, when it comes to security due diligence and on-going operational security visibility of cloud services, enterprise security pros are acting out the children's game, Pin the Tail on the Donkey.

With security policy in hand, we’re groping around, blindfolded by a lack of security visibility whilst disoriented by the scale and combination of new (and old) technologies and service models. The Cloud Donkey – known for a strong sense of preservation – looks on.

The problem is that there are many donkeys, and even more tails. Worse, we’re all trying to stick different tails on the same donkeys.

If we don’t like what we’re (not) seeing, we can either moan about our predicament or try to change things. Like collaborating with others that share the same concerns to develop the “Audit, Assertion, Assessment, and Assurance API (A6)” for cloud services.

If you’re a security pro, don’t be an ass, join the A6 security group.

Photo credit: cherrypatter

Written on January 18, 2010 by Craig Balding

Can the Cloud Help Haiti?


If you’ve been looking for a way to extend a hand to the people of Haiti, or you want your cloud venture to spread some goodwill, this post is written for you.

On Wednesday this week, many of us will be attending CloudCamp Haiti – and you can join us.

Here’s what you need to know:

CloudCamp Haiti is a virtual unconference held as a public webinar. CloudCamp Haiti builds upon the popular CloudCamp format by providing a free and open place for the introduction and advancement of cloud computing. For this event, we are raising funds to donate to the aid effort in Haiti. Funds will be donated directly to the Red Cross efforts in Haiti.

Using an online meeting format, attendees can exchange ideas, knowledge and information in a creative and supportive environment, advancing the current state of cloud computing and related technologies.

Date/Time:
- Jan 20th 11:00am – 2:30pm Eastern Standard Time (EST)

Location:
- Online Webinar via GoToMeeting

Get involved:
If you are interested in getting involved as a presenter, contact John Willis (john.willis AT zabovo.com). Interested in sponsoring? Contact Dave Nielsen (dave AT platformd.com).

What You Can Do

Sponsor this event – either as a company or privately, or register to attend for 25USD.

If you’re still reading, what are you waiting for?

Written on December 14, 2009 by Craig Balding

Amazon Spot Pricing Black Hat Style: Manipulating the Market Through DoS

Amazon just announced "Spot Pricing" for their EC2 instances:

"Spot Instances are a new way to purchase and consume Amazon EC2 Instances. They allow customers to bid on unused Amazon EC2 capacity and run those instances for as long as their bid exceeds the current Spot Price. The Spot Price changes periodically based on supply and demand, and customers whose bids meet or exceed it gain access to the available Spot Instances. Spot Instances are complementary to On-Demand Instances and Reserved Instances, providing another option for obtaining compute capacity.

For customers with flexibility in when their applications can run, Spot Instances can significantly lower their Amazon EC2 costs. Additionally, Spot Instances can provide access to large amounts of additional capacity for applications with urgent needs. Just a few examples of categories of applications well-suited to Spot Instances are:

* Image and video processing, conversion and rendering
* Scientific research data processing
* Financial modeling and analysis"

This is innovative and, in a world of "fair play", a smart move by Amazon. But let's consider this from a Black Hat hacker perspective for a moment:

Black Hats have all kinds of reasons for needing massive compute power. The obvious one is password cracking and that can take an awful lot of CPU power...

But bad guys feel the credit crunch too and don't like to pay list price even when it's not their money (think stolen credit cards). Spot prices for EC2 instances are discounts on regular EC2 pricing for all. The downside is, you have to wait until the spot price is equal to, or lower than, your maximum bid. Some people won't wait for "the market" - they want their goodies faster. Since the market is nothing more than the current utilization level of EC2, the spot price goes down when EC2 is less utilized. As a Black Hat, you might want to influence that to drive the spot price down. Suddenly all those DoS attacks that you could only use to either cripple your online enemies or extort gambling sites and the like have a new use case - crashing existing customers' EC2 instances to artificially decrease demand for EC2 instances and thus lower the spot price.

Ouch.

The counterargument is that Black Hats won't bother going to all this effort - they don't need to. They already have access to enough disposable credit lines and/or vulnerable machines. It's hard to disagree today. In Amazon PR terms, this is more a 'theoretical' attack - for now.

Regardless, the downside is that Amazon's introduction of an innovative pricing model leaves existing EC2 customers more exposed to DoS attack than they were before.
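As an added illustration of the supply-and-demand argument above (a constructed toy model, not Amazon's pricing algorithm and not code from the original post), the following Python shows how a uniform-price spot market's clearing price moves when on-demand usage drops; every capacity and bid figure is made up.

```python
"""Toy spot-market model for the argument above (constructed, not Amazon's).

Assumptions (all constructed):
- one instance type with TOTAL_CAPACITY slots,
- on-demand usage has priority; spot bidders compete only for what is left,
- the spot price is set by the lowest bid that still wins a slot
  (uniform-price auction), and falls to the lowest bid when supply exceeds demand.
"""
from typing import List, Tuple

Bid = Tuple[float, int]  # (max USD per instance-hour, instances wanted)

TOTAL_CAPACITY = 1000  # constructed figure, not a real EC2 number

# Constructed bid book: four bidders with different price ceilings.
SAMPLE_BIDS: List[Bid] = [(0.30, 100), (0.20, 150), (0.10, 200), (0.05, 300)]


def spot_capacity(total: int, on_demand_in_use: int) -> int:
    """Unused capacity is what spot bidders compete for."""
    return max(total - on_demand_in_use, 0)


def clearing_price(bids: List[Bid], capacity: int) -> float:
    """Fill capacity from the highest bid down; the price is the last bid that
    receives any slots. Returns 0.0 when there is no spot capacity at all."""
    if capacity <= 0:
        return 0.0
    remaining = capacity
    price = 0.0
    for max_price, wanted in sorted(bids, reverse=True):
        if remaining == 0:
            break
        price = max_price
        remaining -= min(wanted, remaining)
    return price


def price_after_outage(bids: List[Bid], on_demand_in_use: int,
                       instances_lost: int) -> float:
    """Spot price once `instances_lost` on-demand instances drop off the market:
    freed capacity flows to spot, so lower bids start to win and the price falls."""
    cap = spot_capacity(TOTAL_CAPACITY, on_demand_in_use - instances_lost)
    return clearing_price(bids, cap)


def exposure_curve(bids: List[Bid], on_demand_in_use: int,
                   step: int = 50) -> List[Tuple[int, float]]:
    """How far the price depends on other tenants staying up: price per outage size."""
    return [(lost, price_after_outage(bids, on_demand_in_use, lost))
            for lost in range(0, on_demand_in_use + 1, step)]
```

With 800 on-demand instances in use the sample book clears at 0.20; if 150 of those instances disappear the clearing price drops to 0.10, which is the dependency on other tenants' uptime that the post is pointing at.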

Update:

Amazon note in their updated AWS Customer Agreement:

"You may not, directly, indirectly, alone or in cooperation with any third party, attempt to control, influence or manipulate the price for Spot Instances. Without limiting the foregoing, you may not submit requests for Spot Instances through any third party (e.g., “proxy bidding”) or share information with any third party regarding the maximum prices specified in your Spot Instance Requests".

Written on December 04, 2009 by Craig Balding

The Future of Cloud Computing Security: It’s Next Wednesday [Not Tuesday!] (Free Registration)

Next Tuesday Wednesday (!) I'll be part of a virtual panel at an online event organised by InformationWeek’s Dark Reading and Black Hat. I encourage you to virtually attend as it promises to be an excellent Cloud/Virtualization Security discussion. You can register for free here.

The session will be hosted by my good friend and co-host of the Cloud Security Podcast, Chris Hoff.

In addition to the expertise that Chris brings to the table, the other guests are all hardcore in their own right. I promise you'll learn something - I'm pretty sure I will!

Here's the blurb:

Virtualization, Cloud Computing, And Next-Generation Security

The concept of cloud computing creates new challenges for security, because sensitive data may no longer reside on dedicated hardware. How can enterprises protect their most sensitive data in the rapidly-evolving world of shared computing resources? In this panel, Black Hat researchers who have found vulnerabilities in the cloud and software-as-a-service models meet other experts on virtualization and cloud computing to discuss the question of cloud computing’s impact on security and the steps that will be required to protect data in cloud environments.

Panelists: Glenn Brunette, Distinguished Engineer and Chief Security Architect, Sun Microsystems; Edward Haletky, Virtualization Security Expert; Chris Wolf, Virtualization Analyst, Burton Group; Jon Oberheide, Security Researcher; Craig Balding, Cloud Security Expert, cloudsecurity.org

Moderator: Christofer Hoff, Contributing Editor, Black Hat

Register for free here.
