• Real Physical Security

    I saw this this morning – have a great weekend:

    Roger

  • Cybercrime as a Service–Our Future?

It is not really surprising that criminals will leverage the economics of Cloud Computing for their illegal purposes. Activities that consume a lot of processor power in particular will be moved to the Cloud – like in any other business.

Some time back, there were discussions on how to leverage GPUs to crack passwords: Graphics Cards – The Next Big Thing for Password Cracking? – that was back in 2007. Then in 2009 there were discussions on how to misuse Amazon EC2 to crack passwords: Using Cloud Computing To Crack Passwords – Amazon’s EC2. Now, there are announcements that it will become public knowledge how to use Amazon’s EC2 GPU instances to combine both – announced at BlackHat DC: Cloud-Based Crypto-Cracking Tool To Be Unleashed At Black Hat DC.

    This development cannot be surprising. Crime is a business - illegal but following the same rules as any other business. If somebody is conducting illegal activities on a Cloud infrastructure, I expect every cloud provider to do their best to fight that. But it is close to impossible. Let’s assume you are a mathematician at a University doing crypto research. Part of your job is trying to understand how vulnerable the mathematical models for crypto are and how you can improve them. So, cracking crypto is a legitimate part of your job. Putting such work in the Cloud might make sense. How can you distinguish such use of a Cloud infrastructure from an illegal activity? Even worse: In Amazon EC2, you just rent an infrastructure, without Amazon knowing what is going on in the virtual machine. As a customer of Amazon, I would definitely not want them to look into my VMs – that’s my business.

How can we now make sure that criminals are not misusing a Cloud infrastructure while customers still retain confidentiality? This will be a huge challenge.

    Roger

  • Attacks on Application Level

    That the attacks move up the stack is really nothing new. However, it increases the challenge to secure your environment as you have to take Patch Management all the way. I blogged on that several times already e.g.:

It is obvious as well that applications that are widespread are likely targets for the attackers. Adobe is one of these targets and it is getting worse: PDFs are now No. 1 vehicle for web-based attacks – therefore, make sure that you patch all your applications. We are already working closely with Adobe: Microsoft and Adobe: Collaboration Against Threats

    Roger

  • Conclusion on UNODC: Open Ended Expert Group on Cybercrime

    I told you that I will attend the UNODC: Open Ended Expert Group on Cybercrime, which is now slowly coming to an end. Let me draw a few conclusions on the meeting.

    It was not the first UN meeting I attended and – depending on the audience – the discussion can easily result in long political debates, which hardly lead to direct results. I guess that these debates are important and necessary to get people on board, but I am neither a diplomat nor a politician.

    The participants came from all across the different UN countries, academia, a few inter-governmental organizations like the Council of Europe, OSCE and the EU, and the private sector – which leads me to the first real complaint: I know that UNODC invited an extensive list of private sector companies, but it seems that the interest in working with governments and the UN on constructive solutions does not really exist if no direct business is involved. The private sector was represented only by Microsoft.

    My key and high-level conclusions listening to the debates are:

    • There was a great willingness expressed by the delegations to cooperate combating cybercrime
    • This collaboration is needed and is probably one of the most important and most pressing issues
    • The collaboration has to be not only between countries but between the public and the private sector as well
    • Legislation has to be harmonized at least on a level which allows this collaboration
    • Cybercrime has to be criminalized all across the whole chain

    And now my conclusion: We need pragmatic solutions, because if there is really the intent to either redesign the Budapest Convention by the Council of Europe or even develop a new convention, this will simply take way too long (some people were talking of 2020). We cannot wait that long! It will only serve the criminals, and the private sector needs a certain level of stability and safety about how the law will be applied, and that laws in different countries do not contradict each other.

    Roger

  • Moving Blogs

    Quite a while ago, I started a second blog outside our technet site. One of the reasons was that I realized that a lot of people who are interested in the policy, political, process dimension of security do not read a blog on technet as it is the environment for technical people.

    At the moment I am running two blogs with the same content. If you read my blog here and want to continue reading my posts, I would like you to move over to http://www.halbheer.info/security

    Thank you

    Roger