Cloud computing - episodes ...

2011-10-20, 18:48

Bulletproof cybercrime hosting & the Cloud
- http://hostexploit.com/blog/14-reports/3535-bulletproof-cybercrime-hosting-a-the-cloud.html
20 October 2011 - "... In Q3 2011, there were several changes in the top positions in the Top Bad Hosts table:
• The title of #1 Bad Host (Overall Category) now goes to AS33626 Oversee.net*, a monetizer of domain names, for high levels of hosting malicious URLs, badware, Zeus botnet servers and infected sites.
• The US share of the Top 50 has dropped from 23 in Q2 to 16 in Q3, although 5 of the Top 10 are still hosting from the United States, including the #1 spot.
• #1 in the most important category, Exploit Servers, in the analysis of malware, phishing or badness as a whole, is AS47583 Hosting-Media**, hosted in Lithuania....

Discussed in this quarter report, also, is the rise of GHOSTing, or 'Bulletproof Cybercrime Hosting and the Cloud', which is increasingly being used as a way of serving malicious material and yet remaining under the radar. It gives, to all intents and purposes, the impression of clean and responsible hosting as no obvious sign of criminal activity is detected on the providers' servers. This is achieved through the legitimate offering of VPN or VPS services to those clients who wish to host illicit or objectionable badness e.g. malware, botnet C&Cs, phishing, spam operations or even images of child sexual abuse. In this way hosts can feign ignorance or turn a blind eye to their customers' real intentions. Further information on this practice can be found in the Q3 report..."
> http://hostexploit.com/downloads/viewdownload/7/32.html

* http://www.google.com/safebrowsing/diagnostic?site=AS:33626
"... over the past 90 days, 3 site(s)... served content that resulted in malicious software being downloaded and installed without user consent... the last time suspicious content was found was on 2011-10-20... we found 3 site(s) on this network... that appeared to function as intermediaries for the infection of 4 other site(s)... We found 443 site(s)... that infected 8141 other site(s)..."
** http://www.google.com/safebrowsing/diagnostic?site=AS:47583
"... over the past 90 days, 973 site(s)... served content that resulted in malicious software being downloaded and installed without user consent... the last time suspicious content was found was on 2011-10-20... we found 99 site(s) on this network... that appeared to function as intermediaries for the infection of 467 other site(s)... We found 99 site(s)... that infected 685 other site(s)..."


2011-11-10, 14:35

Amazon cloud 'pre-configured images' risk...
- http://h-online.com/-1376578
10 November 2011 - "Amazon cloud customers have access to more than 8,000 pre-configured Amazon Machine Images (AMIs) worldwide... many of these AMIs contain a variety of security holes... more than half of the images that are available worldwide and identified the same vulnerabilities, as well as additional problems. The Windows AMIs, which represented a small proportion of the 5,300 images that were examined, were particularly badly affected. Security issues were found in 246 out of 253 Windows appliances. A bug that allows arbitrary code to be executed when a certain web site is accessed in Internet Explorer was especially common... researchers found authentication data in about one-fifth of the examined AMIs and were able to reconstruct deleted files in 98 per cent of images. Amazon has informed its customers of these problems and has released guidelines* on how to avoid AMI security issues. A tutorial** is provided to help developers create secure AMIs."
* http://docs.amazonwebservices.com/AWSEC2/latest/UserGuide/index.html?AESDG-chapter-sharingamis.html

** http://aws.amazon.com/articles/0155828273219400


2011-11-19, 15:09

Cloud network abused by trojan...
- http://www.securelist.com/en/blog/620/Money_from_the_cloud
November 17, 2011 - "... we discovered a malicious program called Trojan-Downloader.Win32.MQL5Miner.a which also uses the resources of infected computers, but this time to make money in MQL5 Cloud Network, a distributed computing network... MetaQuotes is a developer of software for financial markets. Several weeks ago, information appeared on the net that the company was offering to pay users to participate in distributed computing. Apparently, this is what attracted malicious users to the new cloud service... There are grounds to believe that the malicious program spreads via email. Having infected a computer, the malicious program first determines if the operating system is 32-bit or 64-bit. It then downloads the appropriate version of the official software from MetaQuotes SoftWare. MQL5Miner then launches the service to participate in the cloud computing network. But the cybercriminals specify their own account data and receive the payments for any distributed computing operations that are performed on an infected machine... When it comes to making money, cybercriminals don’t miss a trick. That includes exploiting the resources of infected computers without their owners’ knowledge or consent. We have notified MetaQuotes about the account being used by cybercriminals."


2011-12-15, 13:26

Cybercriminal attack strategy shifting to corporate networks
- http://www.crn.com/232300457/printablearticle.htm
Dec. 13, 2011 - "... Cisco... made predictions* on the weapons cyber-criminals are most likely to use in 2012, based on the return on investment from cyber-crimes. The weaponry expected to reap the most money included data theft Trojans, spyware, click fraud and web exploits. Targets expected to get lots of attention from criminals based on the potential ROI include mobile devices and cloud infrastructure. Cloud service providers have been growing so fast that they have not had the time or inclination to make security a top priority... three in five of the respondents working for companies believed their employers, not themselves, were responsible for protecting information and devices. In addition, more than half allowed others to use their computers without supervision, including family, friends, coworkers and strangers."
* http://www.cisco.com/en/US/prod/collateral/vpndevc/security_annual_report_2011.pdf
13 Dec 2011 - 5.3MB PDF file


2011-12-22, 14:57

Migration plans to Cloud apps dropped...
- https://www.computerworld.com/s/article/9222932/Plans_to_migrate_LAPD_to_Google_s_cloud_apps_dropped
December 22, 2011 - "After more than two years of trying, the City of Los Angeles has abandoned plans to migrate its police department to Google's hosted email and office application platform saying the service cannot meet certain FBI security requirements. As a result, close to 13,000 law-enforcement employees will remain indefinitely on the LAPD's existing Novell GroupWise applications, while other city departments will use the Google Apps for Government cloud platform. Council members last week amended a November 2009 contract the city has with systems integrator Computer Science Corp. (CSC) under which CSC was supposed to have replaced LA's GroupWise e-mail system with Google's email and collaboration system. Under the amended contract, the LAPD will no longer move its email applications to Google... Google maintains that the LAPD's security requirements were never part of the original contract..."

:spider: :blink:

2011-12-23, 13:20

Cloud patch management issues...
- http://www.theregister.co.uk/2011/12/22/patch_management/
22 December 2011 - "... Cloud-based application vendors update their software regularly without customer input. As an enterprise user, you may be able to stay on an earlier revision for a while by negotiating with the vendor... Other challenges include the consumerisation of IT, which encourages employees and contractors to bring in devices such as tablets and smartphones. Making sure these are adequately patched creates a whole new set of problems, landing us in the sticky area of network access control, network quarantine and policy servers to manage... every so often, a patch appears that takes down a piece of software. For example, Microsoft's recent gaffe, in which it accidentally decided that Google Chrome was a piece of malware*, caused problems for many users."
* http://www.theregister.co.uk/2011/09/30/microsoft_nukes_google_chrome/


2012-01-04, 16:31

New Cloud - New Security - New Year ...
- https://www.computerworld.com/s/article/9223123/The_Cloud_Day_20_What_About_Security
Jan. 3, 2012 - "... If I am going to keep gigabytes upon gigabytes of sensitive data stored online, I need some assurances that it is safe. The data needs to be secured, preferably encrypted, so that it is protected even in the event that the storage that contains it is compromised. But, even encrypting data can be tricky when it comes to third party cloud storage providers... They may share my data if compelled by law enforcement, or employees might access and view the files themselves. It is strictly forbidden as a matter of policy, but anyone who would surreptitiously view my data probably also lacks the moral compass to care about the policy... customers can still encrypt their data through other means with their own keys if they prefer. That really seems to be the only viable solution. If I encrypt the data myself, I know that I hold the keys and theoretically only those people I authorize will be able to access my files. But that complicates things, and adds some administrative and processing overhead. For businesses considering a move to the cloud, there are also compliance mandates to consider. Putting data online comes with some risks, and businesses need to take extra precautions to make sure that data is not exposed or compromised..."


2012-01-27, 12:37

Spammers in the cloud
- http://www.f-secure.com/weblog/archives/00002304.html
January 26, 2012 - "Facebook is recently doing a decent job at keeping survey spam posts at bay (all things considered). So, what's an entrepreneurial Facebook spammer to do? Well, some have tweaked their master plan, and have expanded their use of "cloud" services. Using Amazon's S3 file hosting service solves quite a few problems for these perpetrators. Number 1, Amazon's S3 web service is pretty inexpensive to set up, therefore they can still earn from the surveys. Number 2, because Facebook has been pretty successful at blocking suspicious URLs linked to spam, hosting their scam's code in a safe and popular domain such as amazonaws.com gives them a better chance to sneak through Facebook's protections... All browsers other than Chrome and Firefox are served with a survey page, thereby ending in actual monetization if the spammer's surveys are filled out and submitted. This monetization happens within the Cost Per Action (CPA) marketing model, which is behind most social media spam. Geo-location techniques are used in an attempt to broaden the spammer's survey completion rate. Depending on the location, the fake Facebook page issues a survey that -redirects- to a specific affiliate marketer... Firefox and Chrome are used as avenues to further spread the scam via Facebook by use of a fraudulent YouTube browser plugin. A fake Facebook page displays a plugin installation if visited from either of those two browsers. Spammers recently began using plugins as part of their cat and mouse battle with Facebook... Upon installing the plugin, a redirector URL is generated by randomly selecting from the usernames, mo1tor to mo15tor, in the Amazon web service. Then, the link generated is shortened through bitly.com via the use of any of the 5 hardcoded userID and API key-pairs. These key-pairs give a spammer the ability to auto-generate bit.ly URLs for the Amazon web service link. This ultimately leads to a redirection to the fake Facebook page.
Perhaps, in an attempt to confuse defenses, it also produces a random non-existent domain using the format wowvideo [random number] .com. However, only the Amazon S3 web service and bit.ly URLs are working links..."

:sad: :fear:

2012-02-29, 22:12

MS Azure cloud outages ...
- http://www.theregister.co.uk/2012/02/29/windows_azure_outage/
Feb 29, 2012 - "Microsoft's cloud platform, Windows Azure, is experiencing a major outage: at the time of writing, its service management system had been down for about seven hours worldwide... Microsoft has been keeping them updated via the platform's online service page* at least every hour... The service management system first began to have problems at 1.45am GMT (5.45pm PST), according to the page... Microsoft tested the hotfix, before starting the rollout at 9am GMT this morning..."
* http://www.windowsazure.com/en-us/support/service-dashboard/

- http://www.informationweek.com/news/cloud-computing/infrastructure/232601768?printer_friendly=this-page
Feb 29, 2012 - "... Microsoft later said in a statement the service management problems were caused by "a cert issue triggered on 2/29/2012," or a security certificate issue activated once every four years. It said access to services and management functions were "restored for the majority of customers" by 1:30 p.m. GMT in Northern Europe or 7:30 a.m. in the U.S..."

- https://blogs.msdn.com/b/windowsazure/archive/2012/03/01/windows-azure-service-disruption-update.aspx?Redirected=true
29 Feb 2012 - "... final root cause analysis is in progress, this issue appears to be due to a time calculation that was incorrect for the leap year... The fix was successfully deployed to most of the Windows Azure sub-regions and we restored Windows Azure service availability to the majority of our customers and services by 2:57AM PST, Feb 29th. However, some sub-regions and customers are still experiencing issues and as a result of these issues they may be experiencing a loss of application functionality... Customers should refer to the Windows Azure Service Dashboard* for latest status..."

- https://blogs.msdn.com/b/windowsazure/archive/2012/03/01/window-azure-service-disruption-resolved.aspx?Redirected=true
1 Mar 2012 - "... resolved and all regions and related services are now healthy..."

:fear: :sad:
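As an added illustration of the leap-year root cause described above (this is not code from Microsoft or from any of the linked posts), the Python below shows why a "valid for one year" expiry computed from 29 February produces a date that does not exist, and two safe ways to compute it; the function names and sample dates are constructed for the example.

```python
"""Added example: the leap-day hazard behind a "valid for one year" certificate.

Constructed illustration, not Microsoft's code. A certificate issued on
2012-02-29 whose expiry is computed as "same day next year" lands on
2013-02-29, a date that does not exist, so a naive year-bump fails exactly
once every four years. Function names and sample dates are invented here.
"""
from datetime import date, timedelta


def naive_not_after(not_before: date) -> date:
    """Buggy approach: bump the year field and assume the day still exists.
    Works 365 days a year and raises ValueError on 29 February."""
    return not_before.replace(year=not_before.year + 1)


def safe_not_after(not_before: date) -> date:
    """Add one calendar year, clamping to 28 February when the leap day has
    no counterpart in the following year (the only date where this occurs)."""
    try:
        return not_before.replace(year=not_before.year + 1)
    except ValueError:
        return not_before.replace(year=not_before.year + 1, day=28)


def duration_not_after(not_before: date, days: int = 365) -> date:
    """Alternative: define validity as a fixed number of days. timedelta
    arithmetic is calendar-aware and can never yield a non-existent date."""
    return not_before + timedelta(days=days)


def audit_year(year: int) -> list:
    """Scan every day of a year and return (as ISO strings) the issuance dates
    on which the naive computation would fail. A regression check for any code
    that derives one date from another by editing the year component."""
    failures = []
    d = date(year, 1, 1)
    while d.year == year:
        try:
            naive_not_after(d)
        except ValueError:
            failures.append(d.isoformat())
        d += timedelta(days=1)
    return failures


def compute_window(not_before_iso: str) -> dict:
    """Build a validity window from an ISO issuance date using the safe
    computation and report how many days it really covers (a one-year window
    that spans a leap day is 366 days; one issued on the leap day is 365)."""
    not_before = date.fromisoformat(not_before_iso)
    not_after = safe_not_after(not_before)
    return {
        "not_before": not_before.isoformat(),
        "not_after": not_after.isoformat(),
        "days_valid": (not_after - not_before).days,
        "fixed_365": duration_not_after(not_before).isoformat(),
    }


if __name__ == "__main__":
    # Constructed run: which issuance dates in 2011 and 2012 trip the naive code?
    for year in (2011, 2012):
        print(year, "naive failures:", audit_year(year) or "none")
    for iso in ("2012-02-28", "2012-02-29", "2012-03-01"):
        print(compute_window(iso))
```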

2012-03-03, 02:44

Cloud svc Linode hacked - Bitcoin accounts emptied
- https://threatpost.com/en_us/blogs/linux-based-cloud-service-linode-hacked-accounts-emptied-030212
Mar 2, 2012 - "Linode, the New Jersey-based Linux cloud provider, has warned customers that hackers breached a Web-based customer service portal used by the company and emptied the Bitcoin accounts of eight Linode customers. One Linode customer reports the theft of Bitcoins totalling around $14,000. In a post on the company blog* Friday, Linode acknowledged the incident, which occurred early Wednesday, and said it had isolated the compromised support account, and that no customer credit card information or credentials were taken. However, the attackers appeared to have targeted a handful of Linode customers who used the service to host Bitcoin wallets, allowing them to pilfer thousands in virtual currency..."
* http://status.linode.com/2012/03/manager-security-incident.html
Mar 2, 2012 - "... Here are the facts:
This morning, an intruder accessed a web-based Linode customer service portal. Suspicious events prompted an immediate investigation and the compromised credentials used by this intruder were then restricted. All activity via the web portal is logged, and an exhaustive audit has provided the following:
All activity by the intruder was limited to a total of eight customers, all of which had references to "bitcoin". The intruder proceeded to compromise those Linode Manager accounts, with the apparent goal of finding and transferring any bitcoins. Those customers affected have been notified. If you have not received a notification then your account is unaffected. Again, only eight accounts were affected.
The portal does not have access to credit card information or Linode Manager user passwords. Only those eight accounts were viewed or manipulated - no other accounts were viewed or accessed..."

:fear: :sad:

2012-03-22, 17:41

Dropbox - malware distribution
- http://blog.webroot.com/2012/03/21/trojan-downloaders-actively-utilizing-dropbox-for-malware-distribution/
March 21, 2012 - "... a collection of files masquerading as RealNetworks updater executables. These files were all located in a user’s %AppData%\real\update_ob\ directory, and the sizes were all quite consistent... the software is in fact malicious, and that it is actually downloading malicious files from the popular web-based file hosting service Dropbox. These files came in two varieties: some files were randomly-named; other files were named for legitimate software. For example: utorrent.exe, Picasa3.exe, Skype.exe, and Qttask.exe... While some of the potential payloads were not present, some malicious URLs were still active... these target files on Dropbox are not legitimate, and they are definitely malicious. When executed they would write -many- files with legitimate names in generally legitimate locations. In some cases, file icons for the malicious files are not identical to the legitimate software that they are masquerading as.
> https://webrootblog.files.wordpress.com/2012/03/dropbox-spy-3.jpg
... the malware obtains instructions from an XML script accessed via a dynamic DNS service that directs it to download additional malware and utilities from Dropbox and to disable certain antivirus programs which may be running on the infected PC... Another objective of this spy is to collect VERY specific system information, including hardware ID serials, computer and user names, OS version info, AV info, firewall info, UAC status, video device info, and many other pieces of information that no one would want falling into the hands of a stranger... this Dropbox-utilizing spy runs as a chain of downloaders for additional malware; the non-Dropbox-hosted C&C servers can determine what malware is grabbed by the downloaders so ultimately the end result of the infection is almost limitless. Once installed, malicious actions can vary from serving up rogue AVs, installing keyloggers, rootkits, or whatever the cybercriminal fancies. While it's unfortunate malware writers have exploited this free service to serve their malware, Dropbox users don't need to fret. There is no indication that legitimate Dropbox accounts were harvested to serve this malware and it is much more likely the writers simply opened their own accounts within Dropbox to carry this action out."

- http://www.symantec.com/connect/blogs/dropbox-abused-spammers
08 Mar 2012 - "... Dropbox is being abused by malware authors, as well as spammers. We recently saw a Brazilian Portuguese malware message claiming to contain photos and asking if they can be put onto a popular social networking site. The links in the email point to a Trojan hosted on Dropbox... This abuse is a good reminder that -any- site which makes user-supplied content publicly available must continue to be vigilant about dealing with abuse. Although Dropbox is a high-profile site, spammers target all sorts of sites, big and small. There are many things that sites do to deal with such abuse, but in some cases this crucial work is often seen as low priority, despite the damage that such abuse can cause..."

- http://forums.spybot.info/showpost.php?p=424438&postcount=94
13 April 2012 - "... the use of Dropbox as a delivery mechanism is something that the industry is going to have to take into account and protect against, as it is an emerging trend."


2012-04-10, 12:26

Zeus targets Cloud Payroll Service ...
- http://www.trusteer.com/blog/zeus-targets-cloud-payroll-service-siphon-money-enterprises
April 10, 2012 - "... we have discovered a Zeus attack that focuses on cloud payroll service providers. These attacks are designed to route funds to criminals, and bypass industrial strength security controls maintained by larger businesses. Our researchers have captured a Zeus configuration that targets Ceridian, a Canadian human resources and payroll solutions provider. In this attack, Zeus captures a screenshot of a Ceridian payroll services web page ... when a corporate user whose machine is infected with the Trojan visits this website. This allows Zeus to steal the user id, password, company number and the icon selected by the user for the image-based authentication system... The financial losses associated with this type of attack can be significant. In August of last year, cyberthieves reportedly funneled $217,000 from the Metropolitan Entertainment & Convention Authority (MECA). According to published reports an employee at MECA was victimized by a phishing e-mail and infected with malware that stole access credentials to the organization's payroll system. With valid credentials, the cyberthieves were able to add fictitious employees to the MECA payroll. These money mules, who were hired through work-at-home scams, then received payment transfers from MECA's bank account which they sent to the fraudsters. We expect to see increased cybercriminal activity using this type of fraud scheme for the following reasons:
First, targeting enterprise payroll systems enables attackers to siphon much larger amounts of money than by targeting individual consumers.
Second, by stealing the login credentials belonging to enterprise users of these payroll services, fraudsters have everything they need to route payments to money mules before raising any red flags. Using these valid credentials fraudsters can also access personal, corporate and financial data without the need to hack into systems, while leaving very little evidence that malicious access is occurring.
Third, by targeting a cloud service provider, the criminals are bypassing tight security mechanisms that are typically employed by medium to large enterprises. In a cloud service provider environment, the enterprise customers who use the service have no control over the vendor’s IT systems and thus little ability to protect their backend financial assets.
Fourth, cloud services can be accessed using unmanaged devices that are typically less secure and more vulnerable to infection by financial malware (e.g. Zeus)..."


2012-04-25, 17:32

What Google Analytics -doesn't- show you...
- http://www.incapsula.com/the-incapsula-blog/item/225-what-google-doesnt-show-you-31-of-website-traffic-can-harm-your-business
"... 31% of your website visitors are likely to be damaging intruders. Google Analytics doesn’t show you 51% of your site’s traffic including hackers, spammers & other non-human stalkers. Most website owners don’t know that a startling 31% of any site’s traffic can harm its business. And although most website owners rely on Google analytics to track who’s visiting their site, Google simply doesn’t show you 51% of your site’s traffic including some seriously shady non-human visitors including hackers, scrapers, spammers and spies of all sorts who are easily thwarted, but only if they’re seen and blocked...
> http://www.incapsula.com/images/blog-images/stalking_%20Pie.jpeg
As website owners work hard to attract good human traffic, it’s just as important to see and block the bad guys & bots that can hack your site, steal your customer’s data, share your proprietary business information, and a whole lot more. It’s time to see who’s visiting your site, and make sure the good guys get through fast while the bad guys are kept out. So who's stalking your site?...
> http://www.incapsula.com/images/blog-images/stalking%20table.jpeg
... Information was anonymously compiled from a sample of one thousand websites of Incapsula customers, with an average of 50,000 to 100,000 monthly visitors."

:fear: :fear:

2012-05-25, 13:23

Security in the Clouds - Part 1 ...
- http://www.wired.com/cloudline/2012/05/security-in-the-clouds-part-1/
May 24, 2012 - "... Securing a cloud environment involves doing everything we do for traditional IT security plus more. In other words, the fundamental issues of ensuring the CIAs of security – Confidentiality, Integrity and Availability – are still in play. In fact, it’s even more complicated since now we are dealing with the additional complexity of someone else’s infrastructure. That means we have to begin with a comprehensive risk assessment and from there proceed to develop relevant policies, a solution architecture, a solid implementation that enforces those policies and finish up with a process to analyze results and feedback improvements into the previous steps of the cycle. Nothing new here but sometimes in the cloud rush some people think the laws of gravity have somehow been suspended... What the public cloud adds to the equation is a heightened need to get all this right since it will be in a shared infrastructure at a remote location. In addition, things like federated single sign-on (to connect across disparate authentication systems), federated account provisioning/deprovisioning (to create and delete the correct access privileges on the system you no longer have direct access to) and securing the hypervisor layer of the virtualization system used by the service provider become key issues. That last part is often overlooked but it shouldn’t be because each new layer of infrastructure represents a potential attack vector. We know OS’s and apps aren’t perfect so we harden them, patch them and stand up intrusion prevention layers to protect them from the bad guys. The hypervisor in a virtualized computing environment needs the same protections but doesn’t always get the same scrutiny... what happens if the SLA is not met? 
Many assume that the provider has the capability to guarantee this commitment but in some cases this may be nothing more than a best effort statement with no penalties if violated and no actual ability to deliver this level of service...
Some questions to consider:
• Is the data sufficiently isolated from other users of the shared cloud?
• Are access controls up to the task of keeping the prying eyes of unauthorized users at bay?
• Are you protected against data leakage by administrators working for the cloud provider who are not authorized to view the data but may, by virtue of their privileged status, be able to subvert protections in place?
• Can you get easy access to an audit trail showing who, when, from where, etc., has accessed the data?
• Is it being backed up in case a hard drive crashes?
• Is the environment sufficiently provisioned to handle the demand placed upon it not only by legitimate users but also by attackers launching a denial of service attack?
• What about disaster recovery?
• Is there a mechanism to failover to hot or warm standby at a substantially different geographical location so as to not disrupt operations during an outage?
• Will auditors and regulators be satisfied with your answers to all of these questions?
... so it may not be all that simple to let someone else handle it as you might have first thought as you clearly have some due diligence to perform before turning over the keys to the kingdom..."


2012-06-30, 17:03

AWS power outages...
- http://status.aws.amazon.com/?rf
Amazon CloudSearch (N. Virginia) - Elevated error rates
10:16 PM PDT We are investigating elevated error rates impacting a limited number of customers. The high error rates appear related to a recent loss of power in a single US-EAST-1 Availability Zone...
Jun 30, 2:18 AM PDT CloudSearch control plane APIs are operating normally. We are continuing to recover impacted CloudSearch domains that are still experiencing high error rates.
Amazon Elastic Compute Cloud (N. Virginia) - Power issues
Jun 30, 12:37 AM PDT ELB is currently experiencing delayed provisioning and propagation of changes made in API requests. As a result, when you make a call to the ELB API to register instances, the registration request may take some time to process....
Jun 30, 7:14 AM PDT We are continuing to make progress towards recovery of the remaining EC2 instances, EBS volumes and ELBs...
Amazon Relational Database Service (N. Virginia) - Power Issues
8:33 PM PDT We are investigating connectivity issues for a number of RDS Database Instances in the US-EAST-1 region.
9:24 PM PDT We can confirm that a large number of RDS instances are impaired. We are actively working on recovering them...
Jun 30, 7:38 AM PDT We are continuing to make progress in recovering the impacted RDS database instances...
AWS Elastic Beanstalk (N. Virginia) - Power Issues...

> http://status.aws.amazon.com/
Current Status...

3 million without power - 13 killed
> http://www.washingtonpost.com/politics/storms-ravage-mid-atlantic-knocking-out-power-to-nearly-2m-people-after-dc-sets-heat-record/2012/06/30/gJQAMzbuCW_story.html
June 30, 2012

- http://hardware.slashdot.org/story/12/06/30/162250/more-uptime-problems-for-amazon-cloud
June 30, 2012 - "An Amazon Web Services data center in northern Virginia lost power Friday night during an electrical storm, causing downtime for numerous customers — including Netflix, which uses an architecture designed to route around problems at a single availability zone. The same data center suffered a power outage two weeks ago and had connectivity problems earlier on Friday."

- http://www.informationweek.com/news/cloud-computing/infrastructure/240002170?printer_friendly=this-page
June 15, 2012

:sad: :fear::fear::spider:

2012-07-10, 19:14

Salesforce.com hit with second major outage in two weeks
Seven instances were affected at one time or another
- https://www.computerworld.com/s/article/9228967/Salesforce.com_hit_with_second_major_outage_in_two_weeks
July 10, 2012 - "Salesforce.com suffered a significant service outage on Tuesday, less than two weeks after another serious set of system problems. The cloud-based CRM (customer relationship management) vendor's systems are divided into many instances around the world, each serving customers in different geographic regions. Seven instances went down at some time or another on Tuesday, starting with NA1, NA5 and NA6 in North America, according to a notice posted at 12:49 a.m. PDT on Salesforce.com's system status page*. Shortly thereafter, the CS0, CS1, CS3 and CS12 regions... Salesforce.com's Application Store also went down because it shares infrastructure with the NA6 instance, the site said in another update... It wasn't immediately clear what caused the problems... "power problems" had been detected and fixed, but the outages persisted. Some Salesforce.com customers may still be reeling from the last system outage, which occurred in late June. Those problems were caused by a fault in Salesforce.com's storage tier, the company said at the time."
* http://trust.salesforce.com/trust/status/

:fear: :sad:

2012-07-18, 00:06

Dropbox users targeted by spammers
- https://krebsonsecurity.com/2012/07/spammers-target-dropbox-users/
July 17, 2012 - "... trouble began earlier today, when users on the Dropbox support forums began complaining of suddenly receiving spam at email addresses they’d created specifically for use with Dropbox. Various users in Germany, the Netherlands and United Kingdom reported receiving junk email touting online gambling sites... At around 3 p.m. ET, the company’s service went down in a rare outage, blocking users from logging into and accessing their files and displaying an error message on dropbox.com*...
Update, 6:37 p.m. ET: Dropbox just issued the following statement about today's events: 'We're aware that some Dropbox users have been receiving spam to email addresses associated with their Dropbox accounts. Our top priority is investigating this issue thoroughly and updating you as soon as we can...'"
* http://status.dropbox.com/
Dropbox client running normally
Dropbox web running normally
... as of date/time of this post.

> https://krebsonsecurity.com/wp-content/uploads/2012/07/dropboxdropped.png

Email-Address leaked from Dropbox
> http://forums.dropbox.com/topic.php?page=5&id=64367
17 July 2012 - "... junk mail to the email address registered to Dropbox..."

> http://www.geek.com/articles/geek-pick/dropbox-users-reporting-unusual-spam-address-leak-suspected-20120717/
July 17, 2012
> http://techcrunch.com/2012/07/17/dropbox-users-targeted-by-spam-possible-address-leak-to-blame/
July 17, 2012 - "... Update 3, 6 PM ET: Dropbox says the downtime was unrelated..."

- http://h-online.com/-1646660
18 July 2012 - "... On the Dropbox forums, the company announced that it has asked its security team to investigate the incident, and has also called in outside experts*. At present, it has found no evidence of unauthorised access to Dropbox accounts, but this could change as the investigation moves forward..."
* http://forums.dropbox.com/topic.php?id=64367&page=4&replies=110#post-455535


2012-08-07, 14:52

iCloud attack began with Amazon hack
- http://h-online.com/-1661646
7 August 2012 - "... Mat Honan has detailed how attackers broke into his iCloud account and remotely wiped his iPhone, iPad and MacBook. In an article in Wired*, Honan explains how the attackers used flaws in Amazon's and Apple's customer service lines to expose his iCloud password... Once the account had been breached, Honan notes that the password reset email messages from the services were quickly moved to the trash by the attackers and within forty minutes of the call to Apple they had reset his Twitter password, posted a claim to the hack on his Twitter account, deleted his Google account and sent wipe commands to Honan's iPhone, iPad and MacBook. He has since been contacted by the hackers who say they were only attempting to "grab" his three character Twitter id and that the account deletions and device wiping were collateral damage... Apple told the New York Times** that it made a mistake when resetting the password, and protocols were not completely followed in this case..."

* http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/all/

** http://bits.blogs.nytimes.com/2012/08/06/mat-honan-itunes-hack/

- http://www.gfi.com/blog/secure-cloud-computing-101/
August 9, 2012 - "... practical tips for users on how to keep their information safe online and in the cloud:
• Back up information and files onto multiple hard drives and store them somewhere safe.
• Take advantage of two-factor authentication if this feature is available to your service provider.
• Make data security a priority. Secure credentials with authentication devices and never reveal or share them with anyone..."


2012-10-10, 00:23

CloudStack - critical vulnerability
- http://h-online.com/-1726599
09 Oct 2012 - "Citrix and the Apache Software Foundation have alerted* users to a critical vulnerability in the CloudStack open source cloud infrastructure management software. All versions downloaded from the cloudstack.org site will be vulnerable. CloudStack is also an incubating Apache project but there have been no official releases from Apache of that project. If users have taken the source from the Apache project, that software will be vulnerable. Details of the issue were disclosed on Sunday; it appears that the system had a configuration issue which meant that any user could execute arbitrary CloudStack API calls such as deleting all the VMs in the system. A workaround, detailed in the various announcements, involves logging into the MySQL database that backs the system and setting a random password on the cloud.user account. The Apache CloudStack code has been updated with a fix for the issue and it is believed that the issue should not affect any upcoming releases of the incubating Apache CloudStack project; version 4.0 has currently been frozen and a release candidate is expected soon."
* http://cloudstack.org/blog/185-cloudstack-configuration-vulnerability-discovered.html
08 Oct 2012 - "A configuration vulnerability has been discovered in CloudStack that could allow a malicious user to execute arbitrary CloudStack API calls, such as deleting all VMs being managed by CloudStack... The issue does have a workaround that can be applied immediately... This is considered a critical vulnerability. You should take action to mitigate the issue immediately. Note that this can be mitigated with no downtime..."


2012-11-14, 23:44

Data in the Cloud: Safer, but more attractive to Attackers
- http://www.gtcybersecuritysummit.com/pdf/2013ThreatsReport.pdf
Nov 14, 2012 - Georgia Tech Information Security Center report - PDF (Pg.3): "Consider data storage in the cloud. As security expertise is increasingly being located within cloud service providers, companies and their customers typically improve the overall security posture of their data. However, while improved virtualization infrastructure means that mass compromises are unlikely, the growing trove of data concentrated in these cloud storage services will attract attackers... In June, attackers compromised DDoS mitigation service CloudFlare by using flaws in AT&T’s voicemail service for its mobile users and in Google’s account-recovery service for its Gmail users. The attack — which aimed to get control over the site of one of CloudFlare’s customers — failed, but only because the company moved quickly when it discovered the incident... 'We will see more of these types of attacks, because a lot of interesting data is being hosted on [these] sites,' Kirda said. Google’s latest approach to two-factor authentication is a good hybrid method, he said. Using a recognized device and a password, a user logs in and authorizes applications on other devices. By providing a different password for each application-device combination, the service provides stronger, yet usable, security... (Pg.6) Cloud infrastructure is not just about data, however. The ability to stand up virtualized computers, if successfully exploited by attackers, can be used to quickly create botnets. Just as large collections of data in the cloud become a siren call to attackers, the ability to create vast computing resources will continue to convince cybercriminals to look for ways to co-opt the infrastructure to their own ends, said Yousef Khalidi, distinguished engineer with Microsoft’s Windows Azure group. 
“If I’m a bad guy, and I have a zero-day exploit and the cloud provider is not up on their toes in terms of patching, the ability to exploit such a big capacity means I can do all sorts of things,” Khalidi said. The most obvious exploit that could lead to the creation of malicious compute clouds is simple credit-card fraud. Most cybercriminals have access to thousands, if not millions, of stolen credit card numbers. Using the stolen accounts to buy cloud computing resources can be a quick way for attackers to create dangerous clusters of virtual systems..."


2013-07-19, 18:18

Dropbox used by hackers to spread malware
- http://www.nbcnews.com/technology/dropbox-used-chinese-hackers-spread-malware-6C10642402
July 15, 2013 - "... Comment Crew*, the same Chinese cyberespionage team thought to be behind the recent attack on The New York Times, has been using publicly shared Dropbox folders** to spread malware, reports... Cyber Squared. "The attackers have simply registered for a free Dropbox account, uploaded the malicious content and then publicly shared it with their targeted users," a Cyber Squared blog posting*** explained last week. For malicious hackers, Dropbox is an attractive malware distribution platform because it's widely used in the corporate environment and is unlikely to be blocked by IT security teams. In this way, Cyber Squared wrote, "the attackers could mask themselves behind the trusted Dropbox brand, increasing credibility and the likelihood of victim interaction with the malicious file from either personal or corporate Dropbox users"..."
* http://www.technewsdaily.com/17012-fake-chinese-hacker-reports.html

** http://www.technewsdaily.com/4196-2-minute-expert-cloud-file-syncing.html

*** http://www.cybersquared.com/killing-with-a-borrowed-knife-chaining-core-cloud-service-profile-infrastructure-for-cyber-attacks/


2014-01-17, 14:49

Malware in the cloud - 2014
- https://net-security.org/malware_news.php?id=2675
Jan 15, 2014 - "... malware distributors are rapidly and widely adopting cloud computing, either by buying services directly or by compromising legitimate domains. This trend is allowing distributors to quickly and cost-effectively develop sites and bring them online, as well as to avoid geographic blacklisting by hiding behind the reputations of major hosting providers such as Amazon, GoDaddy and Google... The cloud is allowing malware distributors to create, host and remove websites rapidly, and major hosting providers such as Amazon, GoDaddy and Google have made it economical for malicious actors to use their services to infect millions of computers and vast numbers of enterprise systems..."

IBM to spend $1.2 billion to expand cloud services
- http://www.reuters.com/article/2014/01/17/us-ibm-datacenters-idUSBREA0G05P20140117
Jan 16, 2014 - "IBM Corp said it will invest more than $1.2 billion to build up to 15 new data centers across five continents to expand its cloud services and reach new clients and markets. The new cloud centers will be in Washington D.C., Mexico City, Dallas, China, Hong Kong, London, Japan, India and Canada, with plans to expand in the Middle East and Africa in 2015... IBM said the global cloud market is estimated to grow to $200 billion by 2020... it will use web hosting technology from SoftLayer for the delivery of its cloud services..."


2014-05-19, 17:30

Creative Cloud crash - no cloud is too big to fail
Adobe's ID services went down for over 24 hours, leaving Creative Cloud users - and a great many others - locked out of their software and accounts
- http://www.infoworld.com/t/cloud-computing/adobe-creative-cloud-crash-shows-no-cloud-too-big-fail-242674
May 16, 2014 - "A problem with Adobe Creative Cloud locked users of Adobe's software out of their programs - and a good deal else on top of that - for more than 24 hours starting Wednesday night. According to a blog post by Adobe*, the failure "happened during database maintenance activity and affected services that require users to log in with an Adobe ID." This includes Adobe's Creative Cloud service, which provides cloud-hosted and -managed versions of Adobe's flagship software, such as Adobe Photoshop and Adobe Premiere... every other Adobe service that used Adobe's ID system was also affected... This isn't the first cloud-related black eye Adobe's suffered, either. Last year Adobe admitted to having 130 million passwords stolen from a backup system that was to have been decommissioned. Many Facebook accounts were also indirectly affected. Adobe's also received sharp criticism for aggressively shepherding its users into cloud subscription, pay-as-you-go plans for its software; in 2013 Adobe stopped selling standalone editions of the Creative Suite altogether... no cloud infrastructure is too big or too important to fail. Dropbox went down for 16 hours in January of 2013, and Google Drive experienced a similar 17-hour meltdown of its own in March. One estimate has put the cost of major-league cloud outages at some $71 million since 2007, but failures like Adobe's - where a single piece of failing infrastructure brings down multiple systems - have most likely driven that estimate far higher..."
* http://blogs.adobe.com/adobecare/2014/05/15/recent-service-outage/

- http://www.theinquirer.net/inquirer/news/2345560/ibm-openstack-is-the-cloud-as-an-application
May 19 2014 - "IBM HAS LAUNCHED a version of Openstack that can be downloaded directly from its Marketplace like any other application. IBM Cloudmanager with Openstack is based on IBM Cloudentry, and includes full access to Icehouse, the latest version of Openstack. As well as appearing in its own right, it can also be bought as part of a package along with the recently announced IBM Power Systems server range to form the extensively titled IBM Power Systems Solution Edition for Scale Out Cloud..."


2014-07-29, 02:12

Amazon cloud attackers install DDoS bots ...
Attackers are targeting Amazon EC2 instances with Elasticsearch 1.1.x installed
- https://www.computerworld.com/s/article/9249991/Attackers_install_DDoS_bots_on_Amazon_cloud_exploit_Elasticsearch_weakness
July 28, 2014 - "Attackers are exploiting a vulnerability in distributed search engine software Elasticsearch to install DDoS malware on Amazon and possibly other cloud servers. Elasticsearch is an increasingly popular open-source search engine server developed in Java that allows applications to perform full-text search for various types of documents through a REST API (representational state transfer application programming interface). Because it has a distributed architecture that allows for multiple nodes, Elasticsearch is commonly used in cloud environments. It can be deployed on Amazon Elastic Compute Cloud (EC2), Microsoft Azure, Google Compute Engine and other cloud platforms. Versions 1.1.x of Elasticsearch have support for active scripting through API calls in their default configuration. This feature poses a security risk because it doesn't require authentication and the script code is -not- sandboxed. Security researchers reported earlier this year that attackers can exploit Elasticsearch's scripting capability to execute arbitrary code on the underlying server, the issue being tracked as CVE-2014-3120* in the Common Vulnerabilities and Exposures (CVE) database. Elasticsearch's developers haven't released a patch for the 1.1.x branch, but starting with version 1.2.0, released on May 22, dynamic scripting is disabled by default. Last week security researchers from Kaspersky Lab** found new variants of Mayday, a Trojan program for Linux that's used to launch distributed denial-of-service (DDoS) attacks. The malware supports several DDoS techniques, including DNS amplification. One of the new Mayday variants was found running on compromised Amazon EC2 server instances, but this is not the only platform being misused... Users of Elasticsearch 1.1.x should upgrade to a newer version and those who require the scripting functionality should follow the security recommendations made by the software's developers in a blog post*** on July 9."

* https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3120 - 6.8

- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-4326 - 7.5 (HIGH)

- http://www.elasticsearch.org/blog/logstash-1-4-2/
Jun 24
Changelog for 1.4.2
- https://github.com/elasticsearch/logstash/blob/master/CHANGELOG

** https://securelist.com/blog/virus-watch/65192/elasticsearch-vuln-abuse-on-amazon-cloud-and-more-for-ddos-and-profit/

*** http://www.elasticsearch.org/blog/scripting-security/

- https://www.found.no/foundation/elasticsearch-security/#staying-safe-while-developing-with-elasticsearch

Insecure default in Elasticsearch enables remote code execution
- http://bouk.co/blog/elasticsearch-rce/
May 2014 - "... How to secure against this vulnerability..."

>> http://www.rapid7.com/db/modules/exploit/multi/elasticsearch/script_mvel_rce

- http://atlas.arbor.net/briefs/index#-961013762
High Severity
31 Jul 2014

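The practical question for anyone running Elasticsearch 1.x after the report above is whether a given node still accepts dynamic scripts from unauthenticated API callers. The following audit helper is an added example written for this thread; it is not code from the Computerworld article, from Elasticsearch or from Kaspersky. It assumes the node's version string and its elasticsearch.yml are available (both are constructed inline here), that the relevant switch is the `script.disable_dynamic` setting the 1.x line used for this feature, and that the file uses flat dotted keys (nested YAML is not parsed). The check is deliberately conservative: it also catches the 1.2.0+ edge case where someone has explicitly set `script.disable_dynamic: false` and so undone the safer default the article mentions.

```python
"""Audit an Elasticsearch 1.x node for the dynamic-scripting exposure
(CVE-2014-3120 in the thread above).  Added example, not project code.
Assumption: ``script.disable_dynamic`` is the setting that governs the
feature on the 1.x line, and elasticsearch.yml uses flat 'key: value' lines.
"""
from __future__ import annotations

import re

ACTION_UPGRADE = "upgrade"        # 1.1.x or older with scripting enabled
ACTION_REMOVE_OPTIN = "remove-opt-in"  # >=1.2.0 but explicitly re-enabled
ACTION_NONE = "none"


def parse_version(version: str) -> tuple[int, int, int]:
    """Turn '1.1.2' or '1.2.0-beta1' into a comparable (major, minor, patch)."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = (int(p) for p in m.groups())
    return (major, minor, patch)


def parse_simple_yaml(text: str) -> dict[str, str]:
    """Read flat 'key: value' lines, dropping '#' comments and quotes.

    Only the dotted flat form (cluster.name: x) is handled; nested YAML,
    which elasticsearch.yml also permits, is out of scope for this check.
    """
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip('"').strip("'")
    return settings


def dynamic_scripting_enabled(version: str, yaml_text: str) -> bool:
    """True if the node would run inline scripts sent through the REST API.

    1.1.x and earlier: enabled unless the file says script.disable_dynamic: true.
    1.2.0 and later: disabled by default, but an explicit false re-enables it.
    Any value other than the literal 'true' is treated as enabled (conservative).
    """
    explicit = parse_simple_yaml(yaml_text).get("script.disable_dynamic")
    if explicit is not None:
        return explicit.lower() != "true"
    return parse_version(version) < (1, 2, 0)


def audit_node(version: str, yaml_text: str) -> dict[str, object]:
    """Summarise exposure and the defender's next step for one node."""
    enabled = dynamic_scripting_enabled(version, yaml_text)
    if not enabled:
        action = ACTION_NONE
    elif parse_version(version) < (1, 2, 0):
        action = ACTION_UPGRADE   # interim: set script.disable_dynamic: true
    else:
        action = ACTION_REMOVE_OPTIN
    return {"version": version, "dynamic_scripting": enabled, "action": action}


# Constructed sample configurations (not taken from any real deployment).
VULNERABLE_111 = """
cluster.name: search-prod   # 1.1.x node left on the shipped defaults
network.host: 0.0.0.0
"""
HARDENED_111 = """
cluster.name: search-prod
script.disable_dynamic: true   # interim mitigation for the 1.1.x branch
"""
REOPENED_123 = """
cluster.name: search-prod
script.disable_dynamic: false  # explicit opt-in undoes the 1.2.0 default
"""

if __name__ == "__main__":
    for ver, cfg in (("1.1.2", VULNERABLE_111), ("1.1.2", HARDENED_111),
                     ("1.2.3", "cluster.name: search-prod\n"), ("1.2.3", REOPENED_123)):
        print(audit_node(ver, cfg))
```

Run stand-alone it prints one line per sample: the 1.1.2 node on defaults is flagged for upgrade, the hardened 1.1.2 node and the 1.2.3 node on defaults pass, and the 1.2.3 node with the explicit opt-in is flagged to have that line removed. Feeding it real files is a matter of reading elasticsearch.yml and the version reported by the node.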

2014-08-20, 15:15

Azure cloud restored after major outage...
- http://www.theinquirer.net/inquirer/news/2360970/microsofts-azure-cloud-restored-after-suffering-a-major-outage
Aug 19 2014 - "Microsoft's Azure Cloud Service has encountered partial, and in some cases complete, outages around the world. Twitter users have reported Azure being slightly wobbly for the past few days, and then last night a number of outage reports were posted on the Azure service status webpage*..."
* https://azure.microsoft.com/en-us/status/#history

Also see: Sep/Oct 2014 history @ URL above.

- http://www.netskope.com/blog/84-european-security-practitioners-report-dont-believe-cloud-service-providers-notify-immediately-intellectual-property-business-confidential/
Sep 17, 2014 - "84% of European IT and security practitioners report that they don’t believe their cloud service providers would notify them immediately if their intellectual property or business confidential information were breached. This finding is from our most recent report entitled “Data Breach: The Cloud Multiplier Effect in European Countries,” a collaboration with research firm the Ponemon Institute*. It highlights the profound lack of trust that European IT professionals have in the cloud, and the significant hurdle the industry must overcome for those professionals to get comfortable with the massive cloud adoption that is happening in enterprises across the region."
* http://www.ponemon.org/blog/can-a-data-breach-in-the-cloud-result-in-a-larger-and-more-costly-incident

- http://www.netskope.com/reports/ponemon-2014-data-breach-cloud-multiplier-effect/
"... highlights from the report:
• Increasing use of cloud services can increase the probability of a $20 million data breach by as much as 3x
• 36 percent of business-critical applications are housed in the cloud, yet IT isn’t aware of nearly half of them
• 30 percent of business information is stored in the cloud, yet 35 percent of it isn’t visible to IT ..."


2014-10-13, 22:16

Dropbox glitch leaves some users with deleted files
- http://www.theinquirer.net/inquirer/news/2375294/dropbox-glitch-leaves-some-users-with-deleted-files
Oct 13 2014 - "... a 'glitch' in some versions of the Dropbox app resulted in the deletion of files... The bug occurred when certain versions of the desktop sync app were shut down prematurely by a program or system crash, and was limited to users of the selective sync feature where only certain folders are replicated on the desktop..."


2015-05-27, 22:20

• The 'IoT' time bomb ...
- http://www.networkworld.com/article/2921004/internet-of-things/beware-the-ticking-internet-of-things-security-time-bomb.html
May 11, 2015 - "IBM’s Andy Thurai didn’t quite put the words into former RSA CTO Deepak Taneja’s mouth, but did prompt him by asking at the start of a TIE Startup Con panel in Cambridge, Mass., earlier this month whether Internet of Things security is a 'time bomb ready to explode'. Taneja responded that technology is advancing at a rate that’s -outstripping- enterprises’ ability to secure internal and -cloud- resources, and then along comes IoT in the form of all sorts of networked sensors and gadgets. 'Organizations aren’t spending that much on security. It’s increasing, but it’s not enough and IoT only makes it worse,' he said. 'So it is a time bomb. Money will start being spent on IoT security once serious breaches occur...'" (-After- the fact.)

- http://www.theinquirer.net/inquirer/news/2409457/2015-has-gone-denial-of-service-attack-crazy
May 21 2015 - "... Akamai's regular report paints a detailed picture of the threat landscape. The view this year so far was blighted by the DoS attack to an even greater degree than during the previous quarter. The firm said that the number of such attacks increased by around a third during the period and by over 100 percent against the same period last year. The largest distributed DoS (DDoS) attack during the quarter peaked at 170Gbps. Attacks on Simple Service Discovery Protocol systems made up 20 percent of DoS attacks, mainly targeting Internet of Things devices..."

- http://blog.trendmicro.com/trendlabs-security-intelligence/cto-insights-whose-data-is-it-anyway/
May 26, 2015 - "... All of these devices are generating one thing: data. The smartwatch is keeping track of my health data. The thermostat is keeping track of what’s going on inside my home. The cameras are keeping track of what they see and when they are turned on. A lot of this data is passed on to the providers of these services, which frequently say they are “free”... Service providers can – and already, are – using Big Data to provide 'improved services to their customers'. In a way, they already know you better than you know yourself. Who is in control of all this data? Is it us consumers, or is it the service providers? What happens to the data – is it used just to provide services to the customers, or is it also sold off to other third parties? Businesses may say as part of their terms of service that they won’t -sell- your information, but is that really the case? When the American retailer RadioShack went bankrupt, customers may have -thought- that their personal information would simply vanish into thin air, but that wasn’t the case. RadioShack is actually trying to -sell- this information... This includes your name, address (both physical and e-mail), phone number, and what items you bought. You may not feel this information is particularly secret, but few of us would be happy to see this info sold to the highest bidder. It’s a good thing that several states have expressed concern about this, as ordinary consumers deserve to have their information protected. Consider who could be interested in the data that your smart devices collect. Your health insurance would be very interested; imagine if they -charged- people who didn’t meet their daily steps goal higher premiums... What’s important is consent and opt-in. Users need to be in control of their data – who gets it, and what is it used for... The Internet of Things can be a venue for innovation and new possibilities, but it can also be used to break basic notions of privacy and confidentiality. 
Companies should endeavor to keep the interests of users in mind, otherwise... government regulations... used to protect consumers. This may have consequences that we cannot predict..."

>> https://en.wikipedia.org/wiki/Internet_of_Things#Security
11 Aug 2015

> https://en.wikipedia.org/wiki/Web_of_Things#History
11 Aug 2015