Saturday, December 25, 2010

Sunday, December 19, 2010

17 Dec Security Roundup on the week that was

Symantec, a leading security product vendor, released its Global Intelligence Quarterly for June-Sept 10. There were two findings of special interest. The first was on the brands affected by phishing attacks. Phishing attacks are attempts to spoof company websites to fool consumers into entering their identity and authentication credentials, such as banking and credit card details, which can later be used to make fraudulent purchases or transactions. At the top of the list, 73% of phishing attacks were directed towards financial institutions such as banks. What caught my attention was the number 2 position, which at 11% was taken up by ISPs. This statistic attains great significance because ISP credentials provide access to an email account, which may in turn expose a wide range of other social networking and financial accounts. All a hacker needs to do is click on the “forgot password” option on company websites, which conveniently mails a temporary password to the compromised email account.
The second was the report that 38% of data loss is caused by theft of computers or flash drives (also commonly known as USB drives or pen drives). Around 500 million external and internal hard drives and 300 million flash drives are sold each year.
How many of us actually remember where all our flash drives are and what information is on them?
Flash drives are very susceptible to theft, disposal without or with only simple content deletion, and inadvertent loss through misplacement. Information on these flash drives may find its way to the media, competitors or criminals. An important point to be aware of is that using the “Empty Recycle Bin” function in Windows, or deleting files with the 'Delete' key, doesn't really delete files from your computer, removable disks, USB flash drives, memory sticks or flash memory cards. The operation only removes the reference to the file; the file's contents still exist on the disk and can be recovered with off-the-shelf software.
Besides theft, hard drives, which contain an even greater amount of data, are normally not properly erased before disposal. Disposal normally takes the form of donation or sale, giving easy access to these drives. There is a much publicized BBC news report about NASA selling shuttle PCs without wiping top secret data. An investigation unveiled 10 cases where PCs were sold despite failing data removal procedures, and another four PCs, which were about to be sold, were found to contain data restricted under arms control rules. Many organizations do not have properly implemented hard disk disposal policies. For less than 100 dollars, one can purchase data recovery software which recovers corporate and individual information from inadequately erased hard disks sold on auction sites.

Recommendations


Phishing attacks can be mitigated through self-awareness. After all, it’s the user who loses the money. The simplest method of verifying a website is through its SSL certificate, seen as a lock icon in the browser bar, and additional site authentication certificates like the VeriSign Secured Seal. A user needs to click on the browser lock icon or the VeriSign Secured Seal to verify that the site URL they are authenticating to matches the certificate. This is vital to the verification process.
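What the browser checks behind the lock icon is that the host name in the URL bar is one of the names the certificate was issued for. The following is an added example, not code from the original post, that applies that rule to certificate fields in the layout Python's ssl module returns: names are taken from the subjectAltName DNS entries (commonName only as a legacy fallback), compared case-insensitively, and a "*" may stand for exactly one whole leftmost label, so "*.example.net" covers "shop.example.net" but not "example.net" or "a.b.example.net". The sample certificate fields are constructed.

```python
import socket
import ssl


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate DNS name (possibly a wildcard) against a host."""
    pat = pattern.lower().rstrip(".").split(".")
    host = hostname.lower().rstrip(".").split(".")
    if len(pat) != len(host) or len(pat) < 2:
        return False          # a lookalike such as www.example.com.lookalike.test has extra labels
    if pat[0] == "*":
        # Wildcard covers a single leftmost label only, and never a bare TLD.
        return len(pat) >= 3 and pat[1:] == host[1:]
    return pat == host


def hostname_matches(cert: dict, hostname: str) -> bool:
    """cert uses the dict layout returned by ssl.SSLSocket.getpeercert()."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        # Legacy fallback: certificates without subjectAltName name the host in CN.
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    return any(_dns_name_matches(name, hostname) for name in names)


def fetch_and_check(hostname: str, port: int = 443) -> bool:
    """Live variant for a real host (needs network). The default context already
    verifies the chain and the host name and raises ssl.SSLCertVerificationError
    on a mismatch (the equivalent of the browser's warning page); the explicit
    check afterwards just shows the rule applied to the real certificate."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            return hostname_matches(tls.getpeercert(), hostname)


# Constructed certificate fields, in getpeercert() layout, for offline use.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.example.net")),
}

if __name__ == "__main__":
    for host in ("www.example.com", "shop.example.net", "www.example.com.lookalike.test"):
        print(host, hostname_matches(SAMPLE_CERT, host))
```

The lookalike case is the one phishing sites rely on: a long host name that starts with the bank's name still has different labels, so a valid certificate for the bank never matches it, and a certificate that does match was issued to the lookalike domain, not the bank.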

Handle USB drives carefully, prevent misplacement, and securely erase all files prior to disposal. To securely erase a flash drive you may need to procure special purpose wiping software, or you could exhaust the USB memory by copying non-essential log data or large, commonly available files downloaded from the Internet onto it. This process will make it quite difficult to recover the overwritten data, but will become tedious as flash memory sizes increase.
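The two points above (that deletion only drops the reference to a file, and that overwriting or filling the free space is what actually removes the content) can be seen in a toy block device. This is an added example and not code from the original post: the device, the file name and the card details are constructed, and the "carve" function stands in for what off-the-shelf recovery software does, namely scanning the raw image for known content.

```python
import os

BLOCK_SIZE = 16


class ToyDisk:
    """A minimal FAT-like device: a directory of name -> blocks, plus a free list."""

    def __init__(self, block_count: int):
        self.blocks = [bytearray(BLOCK_SIZE) for _ in range(block_count)]
        self.directory = {}                 # file name -> list of block indexes
        self.free = list(range(block_count))

    def write(self, name: str, data: bytes) -> None:
        needed = max(1, -(-len(data) // BLOCK_SIZE))   # ceiling division
        if needed > len(self.free):
            raise OSError("disk full")
        indexes = [self.free.pop(0) for _ in range(needed)]
        for k, i in enumerate(indexes):
            chunk = data[k * BLOCK_SIZE:(k + 1) * BLOCK_SIZE]
            self.blocks[i][:] = chunk.ljust(BLOCK_SIZE, b"\x00")
        self.directory[name] = indexes

    def delete(self, name: str) -> None:
        # Ordinary delete / "Empty Recycle Bin": the reference goes, the bytes stay.
        self.free.extend(self.directory.pop(name))

    def secure_delete(self, name: str) -> None:
        # Overwrite every block of the file (random, then zeros) before releasing it.
        for i in self.directory[name]:
            self.blocks[i][:] = os.urandom(BLOCK_SIZE)
            self.blocks[i][:] = bytes(BLOCK_SIZE)
        self.delete(name)

    def fill_free_space(self) -> None:
        # The post's workaround: copy throw-away data until no free block remains.
        n = 0
        while self.free:
            self.write(f"junk-{n}", os.urandom(BLOCK_SIZE))
            n += 1

    def raw_image(self) -> bytes:
        return b"".join(self.blocks)


def carve(image: bytes, needle: bytes) -> list:
    """What recovery software does: scan the raw image for known content."""
    hits, start = [], 0
    while (pos := image.find(needle, start)) != -1:
        hits.append(pos)
        start = pos + 1
    return hits


SECRET = b"ACCT 1234-5678 PIN 9911"   # constructed sample content
MARKER = b"PIN 9911"                  # the fragment a recovery scan looks for


def recoverable_after_delete() -> bool:
    disk = ToyDisk(8)
    disk.write("card.txt", SECRET)
    disk.delete("card.txt")
    return carve(disk.raw_image(), MARKER) != []


def recoverable_after_secure_delete() -> bool:
    disk = ToyDisk(8)
    disk.write("card.txt", SECRET)
    disk.secure_delete("card.txt")
    return carve(disk.raw_image(), MARKER) != []


def recoverable_after_fill() -> bool:
    disk = ToyDisk(8)
    disk.write("card.txt", SECRET)
    disk.delete("card.txt")
    disk.fill_free_space()
    return carve(disk.raw_image(), MARKER) != []


if __name__ == "__main__":
    print("after delete:       ", recoverable_after_delete())        # True
    print("after secure delete:", recoverable_after_secure_delete()) # False
    print("after filling disk: ", recoverable_after_fill())          # False
```

One caveat the toy does not model: real flash controllers spread writes across physical cells (wear levelling), so an overwrite of a file's logical blocks is not guaranteed to land on the cells that held the old data. Filling the whole device, as the post suggests, or using the device's own secure-erase command where available, is the more reliable route for flash media.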

Saturday, December 11, 2010

3rd Dec Security Round up the week that was

This week will go down in cyber history as the first cyber war: the attempt to shut down Wikileaks and arrest Julian Assange unleashed angry protests and retaliatory responses against organizations that denied Wikileaks hosting, funds transfer or domain registration.
Retaliatory responses took the form of distributed denial of service (DDoS) attacks, in which hundreds of computers send traffic towards a particular web domain, choking bandwidth, exhausting the site's compute power and preventing access by customers through severely degraded service or site unavailability. For the record, all targeted sites stuttered and eventually went offline for several hours, even though many belonged to organizations with massive, redundant IT infrastructure.
These DDoS attacks were set up using over 30,000 computers in a sustained and coordinated attack. Interestingly, while the modus operandi was the same, the attack came in two flavors: a volunteer attack and an involuntary one. The involuntary attack used a network of malware-infected desktops firing traffic bursts without their owners’ knowledge. Technically called a botnet, this is a group of bots which act in a master-slave fashion: the master initiates an attack sequence and each bot fires a traffic burst. A bot is malware downloaded unknowingly while surfing malicious websites, downloading movies, music and documents, or using seemingly innocuous programs on social networks and mobile application stores.
What fascinated me most was the volunteer-based attack, where over 43,000 volunteers downloaded a modified stress testing program called the Low Orbit Ion Cannon (LOIC) and clicked a button to become part of a network that fired traffic bursts at targeted sites. This activity is reminiscent of mob mentality, wherein normally rational individuals, caught up in crowd-fuelled mania, end up committing acts unimaginable in normal circumstances. What is frightfully evident is the success of the volunteer approach in convincing people to willingly download a malicious program (in this case a modified open-source application) from an unknown underground organization, unmindful of the consequences of punishment under cyber laws or of disguised malware.
In the real world, when rights groups or unions rise up in protest, they block roads, sabotage machinery, and prevent employees from entering factory premises. Today’s cyber protest targeting online properties could become a trend or a new reality. Employees who know of vulnerable spots in an organisation's online infrastructure can be exceedingly destructive in compromising data and infrastructure assets. The impact may be severe as normally reserved employees, their friends and communities may be encouraged to participate, since in this form of protest there are no victims or physical damage and hence few moral repercussions.
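From the operator's side, the first visible sign of the attack described above is the access log. The following added example (not code from the original post) runs a simple flood detector over constructed common-log-format lines: it flags any source that exceeds a per-source request limit inside a sliding window, and it also reports the peak aggregate rate, which is the number that matters when, as in this week's attack, the load is spread across tens of thousands of sources each sending only a little. The addresses, timestamps and thresholds are assumptions for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common log format: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line: str):
    """Return (source_ip, timestamp) or None for a line that does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return m["ip"], datetime.strptime(m["ts"], TS_FMT)


def find_flooders(lines, window_seconds: int = 10, max_per_source: int = 20):
    """Flag sources exceeding max_per_source requests inside any sliding window
    of window_seconds, and report the peak aggregate requests per second.
    Lines are expected in time order, as they are in a log file."""
    recent = defaultdict(deque)      # ip -> timestamps still inside the window
    flagged = set()
    per_second = defaultdict(int)    # aggregate hits per wall-clock second
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                 # malformed line: skip rather than crash mid-incident
        ip, ts = parsed
        per_second[ts] += 1
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) > max_per_source:
            flagged.add(ip)
    peak = max(per_second.values(), default=0)
    return sorted(flagged), peak


def make_sample_log() -> list:
    """Constructed traffic: three sources firing bursts (the bots) and five
    ordinary visitors, all inside the same minute. Addresses are made up."""
    base = datetime(2010, 12, 8, 21, 0, 0, tzinfo=timezone.utc)

    def entry(ip, ts, path="/"):
        return f'{ip} - - [{ts.strftime(TS_FMT)}] "GET {path} HTTP/1.1" 200 512'

    lines = []
    for ip in ("10.0.0.1", "10.0.0.2", "10.0.0.3"):
        for k in range(40):                       # 40 hits in 8 seconds per bot
            lines.append(entry(ip, base + timedelta(seconds=k // 5)))
    for n in range(5):
        for k in range(2):                        # two pages each, spread out
            lines.append(entry(f"192.0.2.{10 + n}", base + timedelta(seconds=7 * n + k), "/news"))
    lines.sort(key=lambda line: parse_line(line)[1])
    return lines


if __name__ == "__main__":
    flagged, peak = find_flooders(make_sample_log())
    print("flooding sources:", flagged)        # the three 10.0.0.x bots
    print("peak requests/second:", peak)
```

With a botnet of the size mentioned above, the per-source threshold may never trip, because each machine can stay below it; the aggregate rate compared against the site's normal baseline is then the only reliable signal, and the response has to move upstream to the network provider rather than to per-address blocking.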
Recommendations: 
Businesses should evaluate the consequence and risk of online cyber reprisal from citizens or employees protesting their actions or policies. I believe this may become a reality in the future. Besides the embarrassing consequences such protests bring about, it would be difficult to prosecute protesting citizens and employees.


Wednesday, December 8, 2010

Arrest of Julian Assange, the Wikileaks founder starts the first war in Cyber Space

The first war of the cyber world is taking place, and it is not between two nations but the angry uprising of hackers, or hacktivists, who believe in free speech on the Internet. Triggered by the arrest of Julian Assange, counter-strikes have been initiated against all sites that refused Wikileaks hosting, DNS and payment services, and against websites of government officials and departments that tried to stop the redistribution of Wikileaks content.

Wikileaks has released an insurance file, probably to protect the life of Julian Assange and other Wikileaks members. The huge file, posted on the Afghan War page of the Wikileaks site, is 1.4 GB and is encrypted with AES-256. No one knows what the file contains.

This event demonstrates that the idealism hackers had in the late 90’s, reinforcing the importance of free speech, adequately priced services and liberty, is alive and much more powerful. The attack power used is a fraction of the immense potential that could be unleashed if malware unknowingly downloaded by millions of users were activated by its controllers. Such power could cripple the online economy of a country, not just a site.

Recommendation:

Popular news events are exploited by hackers to trick people into downloading malware onto their computers. People are lured to fictitious news sites, or may be sent mails with “save Wikileaks” campaigns, or even offered modified copies of the insurance file.

I would recommend reading WikiLeaks news on reputed websites, not opening any Internet campaign attachment (there is no such official campaign yet) and not downloading the Wikileaks file from any site. If you must, get the file from the official site; it may be safer.

Saturday, December 4, 2010

26th Nov 10 Security round up of the week that was

Dangers of Social Networking

A news report blamed Facebook and Twitter for 1 in 5 divorces in the US, as there is a spike in the number of cases that use tweets, posts and pictures from these sites as evidence of cheating. Privacy in social networks has always been a concern given inadequate privacy settings, technical glitches and advertising interests. Increasingly, with over 500 million users, social networking sites are a de facto social meeting place, so much so that dating activity on dating sites has started to drop.

Recommendation: - Limit information on social networks and ensure that privacy settings are set knowingly. Social networks are safe if used carefully.

Speaking of dating, there is always a hidden danger in a face-to-face meeting with a person you met online. The outcome may always be risky, as the anonymity of social networks masks criminals and antisocial elements behind plagiarized images of pretty faces. In two separate instances these turned perilous when boys who went for face-to-face meetings with girls they met online ended up in the clutches of criminals. One boy was drugged, robbed of all valuables and ended up in an intensive care unit; the other was robbed and beaten severely.

Recommendation: - Online chatting, though it may seem harmless, can result in physical danger during face-to-face contact. Teenagers are most susceptible. Such contact may also result in cyber harassment, blackmail and bullying. Social networks are safe if used carefully.

Loose Talk

Talking in the gym has become life threatening. Conversations between groups of builders and jewellers in a Mumbai gym were reportedly picked up by the underworld through a network of gym trainers who listened in. The underworld issued extortion demands which, if not met, resulted in physical threats, intimidation through random firing outside builders’ offices or, in some cases, assassination.

Recommendation: Ensure that confidential matters are discussed in closed rooms and not in open places. One does not know who may be listening. Tone down any tendency to be loud on phones or to discuss confidential issues in public places.

Legal Interception and Privacy

In the Indian 2G Telecom scam, spectrum was allegedly sold to unqualified buyers at a low price, resulting in an enormous loss to the exchequer. Taped conversations between a political lobbyist and industrialists, media and politicians, intercepted by investigators, were released on YouTube and via the media. A newspaper report stated that 104 out of 5,000 recordings were out in public. The recordings damaged the reputation of top industrialists, telecom firms, journalists and politicians, as many of the leaked conversations were unrelated to the scam.
The interception of the lobbyist’s phone calls was legally done by the investigation body under Section 5 of the Indian Telegraph Act. But several questions arise.
• How did these leaks occur?
• Did they occur through the investigation agency or the service provider where the calls were intercepted?
• Were the conversations leaked to fuel media pressure or to damage the reputation of firms and their senior employees?
• Are our procedures for protecting intercepted information adequate or in need of an overhaul?
• Do we have a process for background checks of people doing the interceptions?
• How limited is the role of the telecom service provider given the lack of technical knowhow on the systems used for interception by the investigators?
• Are there third parties other than the investigators and service provider who may have access to these tapes?
A leading industrialist has filed a plea for privacy in the Supreme Court and investigations are on into the source of the leaks. I hope that we have enforcement of laws that punishes such acts in India.

Recommendation: - Phone conversations may not be as secure as one imagines them to be. Increasingly, new technology is becoming available with which hackers can intercept calls over the air. The protocols used by GSM networks are old and proprietary.

WikiLeaks – The Saga continues

Julian Assange is on the run. Equipped with a laptop and a cell connection, he continues to manage his Wikileaks empire even with an Interpol Red Alert on him and a massive denial of service attack on the site by Jester, a so-called political hacker. This has not stopped the distribution of a new round of documents on US policy. Amazon, the cloud-based service provider which hosted WikiLeaks, has taken down the site from its US servers, perhaps under pressure from the government to curb distribution.
A CNN news statement titled “Government Agencies warn employees not to look at WikiLeaks” stated that the White House Office of Management and Budget sent a memo Friday afternoon forbidding federal government employees and contractors from accessing classified documents publicly available on WikiLeaks and other websites using computers or devices like BlackBerrys and smart phones. The memo explains that the publishing by WikiLeaks does "not alter the documents' classified status or automatically result in declassification of the documents."

Speak about closing the coop once the birds have flown.

Recommendation: The US and perhaps other governments are vigorously attempting to curb the leaks. In today’s Internet age, even with vast resources at their disposal, silencing WikiLeaks has not been successful. Governments will need to enhance their information classification policies and back them up with technical security controls to prevent leaks from occurring rather than trying to control them later. I trust this incident does not affect Internet free speech or give added impetus to governments imposing regulations on its use.


A biography from Julian will be a best seller or a sensational movie.

Read my earlier blog post debating the ethical angle of hacktivism

Wednesday, November 24, 2010

A Mole in the Closet! Steps CEOs can take to protect their firms

‘MHA Mole sought Cash, Sex as Bribe’. It did not strike me as unusual when I saw this morning’s headline in the Times of India. The mole in the Ministry of Home Affairs, in a responsible position in the department of internal security, was alleged to have leaked information on the progress and methods of obtaining security clearance in sensitive areas like telecom and mining, (mis)using his position to pass on favourable information to facilitate clearance of such applications. The reward was sex and money. Code words used were 'software' for women, 'hardware' for hotels and venues, and 'laddu' (an Indian sweet) for money.
But, obviously, this is not the only closet. Every corporate organisation has them. In fact, most employees may be tempted to get converted into moles through three primary ways: first, by exploiting their lack of security awareness to download malware onto their computers; second, through sexual blackmail, exploitation of their need for a job or taking advantage of their disgruntlement; and third, by buying them with money or sex. These moles can have a damaging impact on business by leaking out crucial information such as business plans or product designs to competitors, or even through deliberate sabotage. So do not find it unusual if you find out that a tender was lost due to a 5% price difference, or that a competitor launched a similar-looking product a few weeks earlier, or that the organisation lost money because crucial billing records were deleted. Corporate espionage can also take place through the use of professional agencies which deploy spying devices through compromised house-cleaning staff and hackers; this, however, is the subject of another blog post.
Employees who become moles have typically been in service for several years and have built personal equations and trust in the organisation. Moles are also likely to be employees who have access to information of damaging value to the corporate. Less than 10% of employees may fall in these categories, though they may vary in grade from the CEO down to the office boy who handles business proposal documents.
Detecting corporate espionage is extremely difficult. Bear in mind that we all like to work for organisations which trust their employees. However, there are a few key measures that can be put in place, as listed below:
Top Management should keep their eyes open: - Instances such as bids lost by thin margins or leaked product designs are early-warning signals that no top management should ignore. To pick up these signals, it is important that the top management accepts the fact that corporate espionage is a reality.
Know what information is valuable: - Identifying valuable information and employees that have access to it is the first step in executing a proper corporate anti-espionage policy.
Establish a policy and a corporate anti-espionage team: - A formal corporate anti-espionage policy, processes and team should be put in place to develop controls, implement and monitor as mitigation to these types of threats.
Regular background checks and peer surveillance are vital ingredients in preventing corporate espionage: - Team workers are best able to detect early signs of corporate espionage, in the form of an individual’s change in emotional behavior, interest in matters which do not concern the employee, unusual browsing of files, or even out-of-workplace signals such as gambling habits, excessive debt or spending more money than would be expected. Most organisations conduct a background check during the joining process as a formality and do not repeat the process regularly. This compromises its sanctity, since employees can get converted into moles only once they occupy positions of trust.
Technology may not be the solution:- Corporate espionage results in the exposure of unstructured data such as proposals, business plans, product designs and prices. Information of this nature is difficult to monitor electronically. Checks like monitoring emails, restricting access to portable media and technologies like DLP may help but they can all be subverted with the help of a simple mobile phone camera.
People remain our best defense: - Employees should be trained on the role they need to play in the defense against moles.  Obviously the mole will attend your training program too.  Money could be a key factor in motivating moles. Building loyalty and paying key employees well can go a long way in reducing the probability of their conversion.
Set up a Confidential Reporting Channel: - There should be a system for employees to report if they are propositioned or an attempt is made to coerce them, or to report the suspicious behavior of fellow employees, akin to a whistleblower policy. This should be backed up by clear processes to give employees the confidence that their reporting will be treated in the right manner.
Industry Feedback: - What the marketplace says about an employee may provide an early warning signal. Several times rumors float on an employee’s integrity or, as in the case of the MHA mole, a complaint is raised by a customer due to a demand for a bribe. There should be a system to receive, examine and act on this feedback in a prompt and effective manner.

Wednesday, November 17, 2010

Employee welfare must be sacrificed for organizational data protection

An organization has two primary types of data within its premises, structured and unstructured. Structured data is stored in databases and primarily used through applications. Existing security mechanisms are well able to take care of data security threats to structured data, with penal legal provisions and strong enforcement through standards like PCI.

Unstructured data resides on employee desktops, laptops, mobile phones, portable drives and pen drives. Unstructured data comprises documents created by employees, or extracts from structured data repositories in the form of reports or Excel sheets. Securing this data is far from easy, as the only mechanisms that can be applied are endpoint security mechanisms such as antivirus, personal firewalls and new technologies like DLP. DLP is template driven and has its own limitations.

Relying on employees to be security aware is not a sound strategy. 70% of organizations only provide generic security awareness training and only 40% provide updates on new threats. The employee becomes a conduit for bringing bots into the organization, capable of stealing user data and becoming staging points for further attacks.

Bots usually rely on social engineering to draw users to malicious websites, which then install bots on the end users' devices. The problem is quite acute. The McAfee Threat Report: Third Quarter 2010 has uncovered that average daily malware growth has reached its highest levels, with an average of 60,000 new pieces of malware identified per day, almost quadrupling since 2007. McAfee identified 14 million unique pieces of malware. The most dangerous were Zeus, Stuxnet and Cutwail.

Social trends like online shopping for Christmas are used to create fake online shopping sites to steal user identities and install bots (trojans).

The 2010 ISACA Shopping on the Job Survey: Online Holiday Shopping and Workplace Internet Safety—UK released in October clearly showed that organizations failed to consider the three most important tools available to protect against this threat due to concerns on employee welfare. In the report 58% of organizations do not prohibit employees from using a work email for online shopping. 43% allow the use of laptops for online shopping and 9% actually prohibited access to online shopping sites from the workplace.

I am of the opinion that employee welfare must be sacrificed until technology measures have been created to defend against all bots. There are also new technologies for disk encryption, application whitelisting and operating system lockdown from security product companies like McAfee which are useful in mitigating these threats.

Thursday, November 11, 2010

Computer Hackers and We

The movies helped us conjure an image of a computer hacker as a shabbily dressed, nerdy, bespectacled individual surrounded by gizmos, perpetually looking into a computer screen surrounded by half-eaten pizza and bottles of beer. Most hackers are in reality passionate, well dressed, highly informed and delightful to talk to.
I have been fortunate to meet several hackers and found among them a remarkable similarity in their desire to break into things and find out how to exploit them. Let me recount an incident with a hacker colleague of mine who purchased an expensive, newly launched smart phone. Within two months he purchased a new phone, as he broke the earlier one when he tried modifying its operating system and firmware. I did not ask him why!
This thought brought me back to my childhood. I still remember the toys my father brought me and the urge I had to open them up to see how they worked. I always believed I could put them back together which unfortunately, was never the case. It however did not deter me from breaking the next toy that came my way.
I believe this to be a childhood event common to most of us. As we moved on in life we did not pursue this curiosity as a hacker did. In the past hackers were motivated by fun, fame, a form of protest, to save money or simply because they felt firms charged too much for goods and services such as telephone calls. Today, it’s for money, profit, a form of protest, or to become professional security consultants.

Saturday, November 6, 2010

Porn Surfing & Social Networking a Cyber Risk

The front page of the Times of India of Nov 6, 2010, in a sensational headline, boldly proclaimed “Porn Surfing a cyber risk, babus told”. The article went on to allege that several officials used official desktops to surf objectionable sites on the Internet and download material onto their desktops. Downloaded material may include harmful malware which is able to export key data from these desktops to foreign agencies, thereby compromising government policy and national security.
In a similar incident, on 21 Jun 2010 the Washington Times broke the story of the fictitious female nicknamed the Cyber Mata Hari, who created a fictional Facebook page. Robin Sage, according to her profiles on Facebook and other social-networking websites, was an attractive, flirtatious 25-year-old woman working as a "cyber threat analyst" at the U.S. Navy's Network Warfare Command. Within less than a month, she amassed nearly 300 social-network connections among security specialists, military personnel and staff at intelligence agencies and defense contractors. Robin did not exist. Her profile was a ruse set up by security consultant Thomas Ryan as part of an effort to expose weaknesses in the nation's defense and intelligence communities - what Mr. Ryan calls "an independent 'red team' exercise."
Both these examples highlight the susceptibility of senior officials to social engineering techniques due to their lack of security awareness, weak or non-existent corporate security policies, poor enforcement and inadequate investment in technical controls to prevent and monitor access to objectionable internet sites and downloads. Although the focus of the articles was on government and defense, the same holds true in the corporate world.

Sunday, October 31, 2010

I can spy on your mobile and read your SMSes

Yesterday, Oct 29th Google announced that a controversial application called Secret SMS replicator was pulled off the Android Market. The application secretly forwarded a copy of the SMSes received by the phone to another user. The company which developed the application marketed it as a spying tool and even gave the example of how it could be used to spy on a boyfriend. Today, there are over 500,000 applications available to mobile users. In the near future, there will be an increase in local applications providing services in the areas of social networking, sports, health, business, news, games, travel and education. Smart phones today, have become a handy tool to access mail, store contacts & documents and take pictures. They are a repository of corporate and personal data, any compromise of which may adversely affect the reputation of the user or cause financial loss. Today, the major threats are from spyware and viruses. Spyware accounts for 70% of the threat. This is set to increase as most mobile users are not security aware.

I ran a quick search and found that spying applications have been freely available since 2009! I have inserted a copy of the spyware functionality as advertised online into my blog.

INTERCEPT SMS (TEXT) MESSAGES
Read incoming & outgoing SMS messages sent & received from the target's iphone. This gives you the secret ability to spy on the iPhone user's entire SMS activity.

SECRETLY READ CALL LOGS
Spy on the Android phone's call history. You'll know the name (linked to the phone's address book) and number of all incoming & outgoing calls.

LOCATION TRACKING
This will enable you to spy on the Android phone's location by tracking the cell phone's ID location. This is definitely not as accurate as GPS tracking, but it will give you an approximate location.


My advice in bold letters, not rudely though is “THINK OF THE SECURITY RISK WHEN YOU DOWNLOAD. THERE IS A REASON WHY WE CALL THESE APPLICATIONS TROJANS. WHAT THE TROJAN HORSE DID TO TROY, IS WHAT THESE TROJANS DO TO YOUR MOBILE DATA AND REPUTATION”
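The functions advertised above map directly onto permissions an Android app must declare in its manifest, which is where a reviewer, or a corporate team deciding which apps to allow on company phones, can look before installation. The following is an added example, not code from the original post or from any real application: it parses an AndroidManifest.xml and reports when a permission that reads private data (SMS, contacts, location) is combined with a channel that can send it off the phone (INTERNET or SEND_SMS), and when a receiver registers for incoming SMS at high priority, which lets it see a message before the messaging app does. The sample manifest and its package name are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_ACTION = "android.provider.Telephony.SMS_RECEIVED"

# Permissions that expose private data, with a plain-language description.
PRIVATE_DATA = {
    "android.permission.RECEIVE_SMS": "intercept incoming SMS",
    "android.permission.READ_SMS": "read stored SMS",
    "android.permission.READ_CONTACTS": "read the address book",
    "android.permission.ACCESS_COARSE_LOCATION": "track approximate location",
}
# Permissions that give the app a way to send that data somewhere else.
OUTBOUND = {"android.permission.INTERNET", "android.permission.SEND_SMS"}


def audit_manifest(xml_text: str) -> list:
    """Return human-readable findings for an AndroidManifest.xml document."""
    root = ET.fromstring(xml_text)
    name_attr = f"{{{ANDROID_NS}}}name"
    priority_attr = f"{{{ANDROID_NS}}}priority"

    declared = {el.get(name_attr) for el in root.iter("uses-permission")}
    channels = sorted(declared & OUTBOUND)
    findings = []

    # Private data plus an outbound channel is the spyware shape.
    for perm, what in PRIVATE_DATA.items():
        if perm in declared and channels:
            short = perm.rsplit(".", 1)[1]
            findings.append(f"{what} ({short}) combined with outbound channel {channels}")

    # A receiver for SMS_RECEIVED sees every incoming text; high priority means first.
    for receiver in root.iter("receiver"):
        for flt in receiver.iter("intent-filter"):
            actions = {a.get(name_attr) for a in flt.iter("action")}
            if SMS_ACTION in actions:
                prio = flt.get(priority_attr, "0")
                findings.append(
                    f"receiver {receiver.get(name_attr)} listens for SMS_RECEIVED (priority {prio})"
                )
    return findings


# Constructed manifest shaped like an SMS-forwarding "spy" app hiding behind a
# harmless-looking label. The package name is invented.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.smsreplicator">
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Wallpaper Pack">
        <receiver android:name=".SmsListener">
            <intent-filter android:priority="999">
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""

# A manifest for an app that only needs the network, for comparison.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.newsreader">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="News Reader"/>
</manifest>
"""

if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE_MANIFEST):
        print("-", finding)
    print("benign app findings:", audit_manifest(BENIGN_MANIFEST))
```

The permission list alone does not prove malice (a legitimate messaging app needs the same permissions), which is why the check reports combinations and leaves the decision to a person; but a "wallpaper" app that asks to receive SMS and reach the Internet is exactly the mismatch between stated purpose and requested capability that the Secret SMS Replicator case illustrates.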

Friday, October 29, 2010

Twitter, Firesheep and the Unsecured WIFI at Delhi Airport

Yesterday, I had a long wait in the beautiful and comfortable Delhi domestic airport terminal. It was crowded as many fliers like me rued the congestion that delayed several flights. I was surprised at the ratio of laptops per person. A laptop per head almost!

I turned on the laptop WIFI to see what connections were available. There were a few paid and free connections which were either unsecured or secured with WEP. WEP can be broken by a hacker in 10 minutes due to a design weakness in the algorithm, and is therefore considered to be weak from a security point of view. By walking around, I was able to determine that a large number of users were actually working on their web mails. Others may have been working on social networking sites like Twitter and FaceBook to name a few.

None seemed aware of or concerned about the possibility of their unsecured connection being snooped on or sidejacked. Sidejacking is a method of hijacking an active connection to a website on an unsecured network (wired or WIFI) by another user, using a normal Firefox browser with a Firesheep plug-in. This enables a malicious user to take over your account, write as you, and snoop on your private information, emails and so forth.

For most of us, free WIFI is a wonderful productivity tool and a great way to pass time in cafes or airports. Given this risk, safe use is important. We can use these connections for surfing and for connecting to end-to-end SSL-protected websites (you will see the lock symbol in the browser). Logging on to social networking sites, or other sites where users have accounts, that are not secured with SSL should be avoided in public places over unsecured WIFI. Corporate sites which do not provide SSL on their Internet sites should do so. The other way to ensure security is to use a VPN connection, which is an encrypted tunnel to a remote server that then connects to the Internet.
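The advice that sites should provide SSL has a concrete server-side form: sidejacking works because the session cookie is sent in clear text over plain HTTP, so a cookie marked Secure (never sent without TLS), marked HttpOnly (not readable by page script), and a Strict-Transport-Security header (which tells the browser not to try plain HTTP at all) close the gap. The following is an added example, not code from the original post, that audits a server's response headers for those three properties; the two header sets are constructed, one weak and one hardened.

```python
def parse_set_cookie(value: str):
    """Split a Set-Cookie header value into (cookie name, {attribute: value})."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()   # flags like Secure have an empty value
    return name, attrs


def audit_response(headers: list) -> list:
    """headers: list of (name, value) pairs as sent by the server.
    Returns a list of problems; an empty list means the response is hardened."""
    problems = []
    has_hsts = False
    for name, value in headers:
        lname = name.lower()
        if lname == "strict-transport-security":
            has_hsts = True
        elif lname == "set-cookie":
            cookie, attrs = parse_set_cookie(value)
            if "secure" not in attrs:
                problems.append(f"cookie {cookie}: missing Secure (sent over plain HTTP, sidejackable)")
            if "httponly" not in attrs:
                problems.append(f"cookie {cookie}: missing HttpOnly (readable by page script)")
    if not has_hsts:
        problems.append("no Strict-Transport-Security header (browser may still use plain HTTP)")
    return problems


# Constructed responses: the first is what a typical 2010-era site sent after login.
WEAK_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sid=7f3a9c21; Path=/"),
]
HARDENED_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "sid=7f3a9c21; Path=/; Secure; HttpOnly"),
]

if __name__ == "__main__":
    print("weak:", audit_response(WEAK_RESPONSE))
    print("hardened:", audit_response(HARDENED_RESPONSE))   # []
```

The Secure flag is the one that directly defeats Firesheep-style capture: even if a user types the site's address without https, a Secure cookie is never included in the plain-HTTP request, so there is nothing on the air for the attacker's browser to replay.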

WIFI is inherently insecure. When used in corporate offices we need to secure the wireless link through strong authentication and encryption such as the WPA standard. Strong encryption depends on the encryption standard and on the complexity of the encryption key, which is a user/administrator-configurable parameter. Without this the WIFI is vulnerable.

I read a shocking statistic which stated that over 60% of WIFI networks at home or in small offices were unsecured or improperly secured. It is a cause of worry.

Saturday, October 23, 2010

WikiLeaks site under attack? Whistle blowers leaking confidential info?

Yesterday, there was a report of the WikiLeaks site coming under attack from skilled hackers, a few days before the release of tens of thousands of classified Iraq war documents. More can be read at http://blogs.forbes.com/andygreenberg/2010/10/22/wikileaks-hacked-by-very-skilled-attackers/. At the time of writing this blog, the site is experiencing heavy traffic and is unable to respond. Perhaps under sustained attack!

We know for certain that this damages the reputation and military interests of NATO, and may put lives of people at stake. WikiLeaks also claims to sanitise documents to the extent possible. On the other side of the equation, there may be information that people need to know to ensure that atrocities committed are not repeated or kept hidden.

We have a site that is legitimately publishing documents critical to national or business interests which have been provided to it by obviously disgruntled employees or whistleblowers.

We are faced with a situation where a whistleblower is disclosing confidential information to a public forum (via WikiLeaks) as a means to obtain redressal, as the government is the entity against which the charges are leveled.

For a data security practitioner, is it against the law? For a civil rights activist, is it one step towards a better world?

You decide.

Perhaps your decision will be based on whether the contents of the documents reveal a cover up of atrocities or simply are sensational publication of classified war information.

Tuesday, October 19, 2010

CA Summit in Security Risks in the Cloud 19 Oct 2010

I attended the CA Summit on Security Risks of the Cloud today at the Westin Hotel. The focus of the seminar was on Identity and Access Management solutions in the cloud. CA's latest acquisition, Arcot Systems, and its flagship SiteMinder IAM product suite were showcased in a short case study. CA demonstrated that it had, or was working towards, end-to-end solutions TO, FOR and FROM the cloud. Geoff Charron, VP, Software Engineering, CA, spoke at the event.

TO the cloud are solutions for a user to access cloud-based services such as SalesForce.com, as well as to federate between an enterprise and cloud-based applications.

FOR the cloud were solutions for building an identity and authentication framework for the hypervisor layer in cloud architectures.

FROM the cloud were solutions from Arcot Systems for cloud based multifactor authentication using their soft PKI certificates.

The conference was well attended with a large number of delegates, who took a keen interest in the technical aspects of cloud based authentication. There were several questions on the types of threats faced by cloud based authentication, the time taken to deploy such a solution and the contractual agreement for its use.

I was very happy to see that the IT and security teams in Mumbai are evaluating solutions that use the cloud. As businesses realise the immense savings that cloud-based services can bring, the IT and security teams need to be abreast of the technical and security risks behind cloud-based deployment. A secure authentication mechanism, particularly CA's TO the cloud solution, will be most useful for first-stage cloud movers.

The event closed with a lovely dinner.

Sunday, October 17, 2010

Chinese and Pakistani Hackers attack CWG website

Today, competitive politics and envy have reached levels where they mar the game of sport. I read with great disheartenment of the attempts by Pakistani and Chinese youth hackers to bring down the Commonwealth Games website, an event designed to unite a host of countries under a theme of friendship and peace. What is more, the newspapers seem to suggest that these attempts were tacitly supported by the government and military establishments in these countries. Isn't it time that at least governments act responsibly and work to actively suppress this kind of activity?


When individuals are encouraged to develop hacking skills and technology, although it may serve a short-term, narrow purpose, however ill-conceived, the experience gained will eventually turn against the government that supported it. We have seen evidence of this time and time again, when terrorists, once spawned, returned to conquer the very land that created the beast.


One of the achievements of the Indian Government and people that I am proud of is that, despite our considerable expertise and knowledge in Information Technology, we do not retaliate or attempt to interfere with global or other countries' online economies.