Recent Articles
Amazon Responds to Zeus Botnet C&C Incident
Dec 18, 2009 Security News
Lori McVittie at DevCentral writes about a conversation she had with an Amazon EC2 representative concerning the botnet command and control running in EC2:
An e-mail exchange with Kay Kinton, a spokesperson for Amazon, on the subject of Amazon and its recent run-in with the Zeus botnet controller, raised two very interesting and valid points. First, there is a fine balance that must be maintained by providers – cloud or traditional hosting – regarding the privacy of applications and data deployed by customers and monitoring/security. Second, Kay points out that it’s easier in the EC2 environment, at least, to disable botnets once they are discovered.
The second point is one that appears on the surface to be true but I’m not entirely convinced. A cloud provider has complete control over its environment (even if you don’t, making this somewhat of a double-edged sword) and thus they can act immediately to terminate the offending application. True. But in any environment in which you have physical or management network access to an offending application/system it should be easy to terminate an offending application. Perhaps more important about this point is that a cloud computing provider can prevent the launch of another offending application, but again – I’m not sure it’s any easier or more difficult in a cloud computing environment than it would be in a traditional hosting or data center environment.
Now the first point is a bit more subtle and definitely deserves some attention as it potentially pits one customer’s privacy against one (or more) other customers’ security and raises some interesting questions regarding how deeply in the sand such a line should be drawn in a cloud computing environment.
The entire article is here
Virus Authors Use Amazon EC2 for Command & Control
Dec 12, 2009 Security News
Zbot (Zeus bot) is back again in another variation and is now taking advantage of Amazon EC2 for C&C.

Once a hapless attachment-clicker has opened the infected payload (such as the latest “xmas2.exe”) or visited an infected website, code is injected into the victim’s system processes and then connects to the cloud to download its configuration (config.bin).
Read all the gory details here.
Words to the Wise
Nov 13, 2009 Opinion
Recently Dave from the DailyDave security mailing list said something very insightful that I wanted to re-post here:
When you go into security consulting engagements with a new business unit you usually face a few questions from the developers and business owners. “What is it exactly that you’re going to tell us?” We always answer this the same way: “Things that will surprise you.”
Most developers have read a lot about security these days – they understand SQL Injection, Cross Site Scripting, access control, not to use their own cryptographics, and all sorts of other security truisms. What they can’t possibly understand is how a hacker’s mind works, and what they’re likely to find. Even security specialists who have only worked defence often have never really seen a hacker go.
Largely I think this is because there’s a difference between someone playing cards with chips and someone with their house and life on the line. People say penetration testing is a model of an attacker. But how do you model obsession?
-dave
I totally agree. We can use the same tools, adopt the same techniques, but the mind of an intruder may be so completely alien to any defender that the yawning gulf of difference in mindsets that separates us prevents comprehension and hinders our efforts to combat them.
LogChaos – Challenges and Opportunities of Security Log Standardization
Oct 28, 2009 Security Tutorial