
IT security problems shift to the cloud

The internet "cloud" has created a new range of security issues, experts say.

The internet "cloud" is the hottest topic in computing but the trend has created a new range of security issues.

The cloud is associated with things like personal emails and music which can be accessed on computers and a range of mobile devices.

But US military and government agencies from the CIA to the Federal Aviation Administration also use cloud systems to allow data to be accessed anywhere in the world and save money – and, ostensibly, to enhance security.

Microsoft, Google, Amazon and others are major players in the cloud, which seeks to transfer some of the data storage issues to more sophisticated data centres.

Firms like Oracle, SAP and Salesforce.com offer cloud services for business.

Strategy Analytics forecasts US spending on cloud services to grow from $US31 billion in 2011 to $US82 billion by 2016.

But some experts say the security implications of the cloud have not been fully analysed and the cloud may open new vulnerabilities and problems.

"I don’t think any system is absolutely secure," said Stelios Sidiroglou-Douskos, a research scientist at the Massachusetts Institute of Technology’s Computer Science and Artificial Intelligence Laboratory.

"The analogy most people give is having a lock on your door.

"It’s not a guarantee no one will break in but it’s a question of how much time it will take, and if your lock is better than your neighbour’s."

In a cloud environment, "this makes the job of the attacker so much harder, which means the amateur hacker might be obsolete," said the scientist, who is working on a US government-funded research project to develop "self-healing" clouds.

But if a system is breached, analysts say, the amount of information lost could be far greater than what is in a single computer or cluster.

"You can have better defences" in the cloud, "but if an attack happens, it’s highly amplified," says Sidiroglou-Douskos.

The four-year MIT project funded by the US Defense Advanced Research Projects Agency seeks to develop systems that automatically fix data breaches in a manner similar to "human immunology," says the researcher.

A number of cloud security breaches have raised concerns, including attacks on the Sony PlayStation Network, LinkedIn and Google’s Gmail service.

One hacker recently claimed to have stolen credit card numbers from 79 major banks.

"Crimes target sources of value. Large company networks offer more targets to hackers," says Nir Kshetri, a professor of economics who studies cybercrime at the University of North Carolina at Greensboro.

"Information stored in clouds is a potential gold mine for cybercriminals."

Kshetri said in a paper submitted to the journal Telecommunications Policy that when questions come up, "the cloud industry’s response has been: Clouds are more secure than whatever you’re using now. But many users do not agree."

Marcus Sachs, former director of the SANS Technology Institute’s Internet Storm Center, said the cloud may be more secure but it also creates new questions.

"In the cloud, you don’t necessarily know where your data sits," Sachs told AFP.

"That doesn’t make it less vulnerable to attack, but there are questions when it comes to (an) audit, or if you want to take the data back or destroy it, how do you know you’ve erased it?"

Sachs said that analysts have also discovered "fake clouds" which are offered as low-cost alternatives but are in fact operated by "criminal groups which monitor and steal the data."

"We have seen instances of this not in the US, but in the former Soviet Union and in China," he said.

Still, the cloud market is growing rapidly, with companies and government agencies moving to either "public" clouds that are easily accessed or so-called "private clouds" that are segregated from the internet.

Some analysts say other issues need to be resolved about cloud computing, such as who is liable if data is lost, and how data can be accessed for government investigations.

Outages have recently affected Apple’s and Amazon’s cloud services, causing some websites to be affected.

"Privacy, security and ownership issues in the cloud fall into legally grey areas," Kshetri says.

Sidiroglou-Douskos says there is no single answer for people or companies choosing between cloud systems and holding the data themselves.

"If you are trying to protect yourself from the government, then having it in the public cloud makes it easier for them to get it," he said.

"If your main worry is a hacker in Russia, maybe (cloud) infrastructure is better for your own security."

Source:

http://www.sbs.com.au/news/article/1662840/IT-security-problems-shift-to-the-cloud


Cloud security testing strategies

Many companies are hesitant to move applications to the public cloud or use Software as a Service (SaaS) cloud applications, for fear of not being able to implement or test appropriately.

While much of that fear is based on the unknown, there are strategy changes companies should take to ensure their cloud application is properly security tested. In this expert response I will outline a few of those cloud security testing strategy changes.

Before you do anything, review the contract signed with your hosting company. Many hosting contracts require notification prior to security testing. Be clear with your company and your hosting company prior to performing any testing – outline the scope, tools involved, anticipated network load (if any), types of attacks you expect to perform, etc. If your company, or the hosting provider, has IDS or IPS technologies in place, you will need to agree on a window during which those tools will need different monitoring thresholds. Err on the side of over-communicating to avoid the element of surprise.

Remember: you don’t own the infrastructure. Your cloud solution, whether hosted at your company or at a cloud provider, will be hosted in an environment you may not be familiar with. As such, keep in mind that your testing coverage will change. Whereas internal application security testing often stopped at the application boundaries, your cloud application testing will need to probe around the edges of those boundaries. Testing for network, logical and even architectural security risks will be a very important strategy. In a way, it is a benefit to you that you can’t depend on the same networking infrastructure as your intranet. This forces you to think outside the box and test more thoroughly.

Another consideration is the need to decide between whitebox or blackbox testing. In blackbox testing, the penetration tester knows as little about the system as a real-world hacker would know. This is advantageous because, as you discover and exploit vulnerabilities, no one can challenge your report by claiming “an attacker wouldn’t know to do that.” On the other hand, whitebox testing is advantageous in that it is much faster. Not only are reconnaissance and server discovery accelerated, it’s also easier to prioritize test efforts.

A big challenge to cloud security testing can be the lack of application logging to aid in focusing and enhancing your test efforts. Performing security testing in an isolated development environment means you will be able to tail logs and see evidence of your attacks’ outcomes. In a cloud environment, you will rarely be granted this level of access. Therefore, you will only be able to gauge attack success by the application’s behavior. Some tests are such that providing input into control A on screen Z will result in invalid data on page P. Be familiar with the data flow within your app and expect to have to poke all around the app to complete your testing.

In conclusion, security testing in the cloud does change things, but it’s not impossible. It’s important to plan ahead, to communicate the changes in your test strategy, and to set appropriate expectations with your management. Above all, it is critical to communicate before and during your testing—primarily with your cloud provider, but also with your IT and security organizations.

Source:

http://searchcloudapplications.techtarget.com/answer/Cloud-security-testing-strategies


Google Drive: Hybrid of Cloud Storage and Cloud Computing

Google last week announced its long-awaited Google Drive, which lets you store files on its servers, sync them to other PCs or Macs, and open them on Android devices and — soon — on iPhones and iPads.

It’s similar to services such as Dropbox, SugarSync and Trend Micro’s SafeSync, but it’s also integrated into what used to be called Google Docs, which makes Google Drive a hybrid between a cloud storage service and a cloud computing platform.

While other services mostly store your files, Google Drive — with some file types — also allows you to view and edit them because of the Google Docs integration. Google Docs was Google’s Web-based computing platform for creating, editing, storing and sharing documents, spreadsheets, presentations, drawings and forms.

This integration can lead to a bit of confusion. To the extent that Google provides cloud-based software for such tasks as word processing and spreadsheets, it’s actually functioning as a remote computer. But when it’s just storing files you create on your PC, it’s acting as a network storage device.

Just as with Dropbox and most competing products, Google Drive’s installation software creates a folder on your machine’s hard drive called Google Drive, and any files that you store in that folder are synced to Google’s servers. If you have Google Drive on more than one computer, the files are synced to that machine too.

To test it out, I started writing today’s column using Microsoft Word on my Mac. I saved the Word file to Google Drive and then walked over to my Windows PC where the file was already waiting for me in that machine’s Google Drive folder.

I then walked over to my wife’s PC, which doesn’t have Google Drive software installed, and accessed the file by logging into the Google Drive website. I was immediately able to read the file. But to make changes, I needed to either export it into a Google document or download it to her PC to open with Microsoft Word. Either way, I had immediate access to the file, but the process was far from seamless because now I had two files — the original Word file and the Google document that I had just edited.

Read More:

http://www.huffingtonpost.com/larry-magid/google-drive-review_b_1471827.html


McDonald’s to test cloud-based NFC payments in Austria


Austrian mobile network operator A1, a subsidiary of Telekom Austria Group, has announced that fast food giant McDonald’s and supermarket chain Merkur have signed up to take part in the pilot testing of a new mobile payments service called Paybox NFC.

Like many NFC payments services being rolled out in Europe, the new service enables payments of up to €25 to be made without the need to enter a PIN. Unlike most others, however, the service is not based on EMV ‘chip and pin’ technology and doesn’t use either Visa’s PayWave or MasterCard’s PayPass solutions.

Instead, Paybox NFC processes payments ‘in the cloud’ and merchants use a small Paybox NFC unit to handle mobile payments, rather than a contactless EMV point-of-sale terminal.

The service is offered by A1 in conjunction with Paybox Bank, a wholly owned subsidiary of Telekom Austria which holds a full Austrian banking license and already offers a range of non-NFC mobile payments services. The service works with both NFC phones and contactless stickers — A1 currently offers five models of NFC phone: the HTC One X, Sony Xperia S, BlackBerry Curve 9360, BlackBerry Curve 9380 and the BlackBerry Bold 9900.

To use the service, consumers will need an account with Paybox and to designate a bank account from which payments will be deducted. The customer’s Paybox account number and their mobile phone number are then coupled together in the back office and the consumer downloads the Paybox app to their mobile phone — no other identifying data, such as their bank account or mobile phone number, is stored in either the contactless sticker or the secure element on their NFC phone.

Payments made with Paybox NFC are deducted a "few days later" directly from the bank account designated by the consumer when they opened their Paybox account. All data transmitted is encrypted, purchases are limited to an overall daily total of €50 and small purchases can be ‘rolled up’ so that one debit from their bank account is made for multiple transactions. Each payment takes just half a second to process and customers receive a text message after each purchase, to confirm the amount charged.

Read More:

http://www.nfcworld.com/2012/04/24/315260/mcdonalds-to-test-cloud-based-nfc-payments-in-austria/


Cloud Computing Use Case: Development & Test Environments

A recent article “Put Your Test Lab In The Cloud” outlined the pros, cons and considerations you must take into account when talking about hosting test labs in the cloud. Using the cloud for this purpose is not necessarily a new idea, and it’s one that certainly makes a lot of sense: replication of test results depends upon consistency across all variables, and putting a test lab in the cloud allows you to do that from anywhere or for anyone who needs to use it.

Indeed, the use of private or public cloud services, like Amazon Web Services, as a platform for software development and testing, is common practice for some businesses already. The benefits of using the cloud for this include the general positives of cloud, such as cost savings (in terms of the lack of start up cost as well as hardware upgrades, maintenance etc. coming out of the equation), but also extend to specific benefits, like increased control over projects, quick duplication of environments (especially when compared to “tin” set ups), speed of deployment, ease of collaboration, and the ability for testers and developers to access environments on demand, removing a barrier to efficiency. It’s not hard to see why the practice is growing in popularity along with other cloud services.

To best understand the benefits of cloud computing in software development and test environments, it’s useful to see the process in action. We recently hosted a webinar showing the process in detail, from configuring a template for the environment, to launching and connecting remotely to the machine image. In our example, we used Amazon Web Services with a custom management tool, but the process is fairly standard.

Read More:

http://www.sys-con.com/node/2243223


Cloud Performance Testing Tool Launched by Impetus

Impetus Technologies announced the release of SandStorm CE (SandStorm CloudEdition), a cloud-enabled version of its performance testing tool. SandStorm CE helps save license and hardware provisioning costs and offers affordable performance testing with a ‘pay-as-you-go’ model.

With the release of SandStorm CE, Impetus gives its customers, enterprises, start-ups and ISVs an easy way to provision load tests for their software at hugely reduced costs. It also reduces the customers’ CAPEX by automatically provisioning a cluster of servers and machines on the cloud, as and when needed. This helps customers test their applications against a concurrency of 50 – 200,000 users, with the same ease.

SandStorm CE helps test the performance of applications hosted in customers’ DMZ, datacenter or the cloud, seamlessly. The solution offers a ‘ready to use environment,’ and provides realistic test conditions across the application’s entire delivery chain from different parts of the globe.

SandStorm quickly identifies application bottlenecks and helps predict the application’s reliability, scalability and performance issues. SandStorm is the only tool to provide multi-protocol support in a single package with easy parameterization of FLEX, AJAX, Silverlight and Applet based applications. Its integrated resource monitoring and intuitive real time status reporting enable high-end analytics and extract capabilities.

It helps reduce the performance engineering costs by at least 30%, vis-à-vis other popular load testing tools. Impetus offers comprehensive services around performance engineering, including performance testing and sizing, system diagnostics, performance tuning and optimization and capacity planning, among others.

Read More:

http://www.cloudcomputingdevelopment.net/cloud-performance-testing-tool-launched-by-impetus/


Automating embedded software testing with Electric Cloud

The 2012 UBM Survey showed that, for the first time, QA engineers are becoming a significant portion of embedded software teams, and there is less concern about the quality of debugging tools for those teams. However, the size of those teams is, in general, dropping and concern for tool quality is still number one, all of which makes hitting schedules on time the greatest challenge for those teams.

According to Dax Farhang at Electric Cloud, those pressures are even greater in hardware-centric companies who would rather not make a large investment in software QA, especially smaller companies that may be using resources around the world. Farhang stated that “homegrown” approaches are hard to manage, can be very slow, and often lack documentation that a distributed team can access. “Development teams need to address ‘back end’ software production processes to save time, improve product quality and deliver software to market faster.” New Tech Press talked with Farhang about automating embedded test at the 2012 Design West Conference in San Jose.

Read More:

http://www.newtechpress.net/2012/04/10/automating-embedded-software-testing-with-electric-cloud/
