Archive for March, 2011


Europe and U.S. converging on Internet privacy

March 30, 2011

Few topics are more sensitive for Web users, or more likely to raise concerns in the corridors of Facebook or Google, than how to regulate privacy.

For years the United States and Europe, with around 700 million Internet users between them, have diverged in their approach to policing the Web.

But the two sides are converging in their Web privacy positions, partly through intensive meetings in recent months between regulators from Washington and Brussels.

There are still many specifics to be worked out — final legislative proposals are not expected from the European Union until later this year and the United States in June or July — but officials are confident about steadily narrowing the gap.




Data Protection Laws In India

March 30, 2011

With issues like cloud computing and m-governance, things have become even more complicated. The real problem is that India does not have any dedicated Privacy Law, Data Protection Law and Legal Enablement of M-Governance, informs Praveen Dalal, a Supreme Court Lawyer and leading Techno Legal expert of India. With the proposed use of Cloud Computing, Software as a Service (SaaS) and M-Governance by the Indian Government, more “Privacy Violations”, “Cyber Security” and many more “Regulatory Issues” would arise in future. These “Initiatives” cannot succeed in India in the absence of adequate and strong Laws in this regard, informs Dalal. With the proposed Draft Electronic Delivery of Services Bill 2011 (EDS Bill 2011), things would become even more complicated. When most public services are delivered through a Mandatory E-Governance Model, a very strong Data Protection Regime and Privacy Protection Regulatory Framework would be required, opines Dalal.



Security: The Biggest Holdup to Cloud Computing

March 28, 2011

A lack of understanding of security risks is hampering cloud computing adoption. Virtual machine launched attacks, multi-tenancy risks and hypervisor vulnerabilities all challenge cloud computing security. Datamation looks at the five biggest overlooked threats to cloud computing.

A lack of understanding about security risks is one of the key factors holding back cloud computing.

Report after report after report harps on security as the main speed bump slowing the pace of cloud adoption. But what tends to be overlooked, even by cloud advocates, is that overall security threats are changing as organizations move from physical environments to virtual ones and on to cloud-based ones.

Viruses, malware and phishing are still concerns, but issues like virtual-machine-launched attacks, multi-tenancy risks and hypervisor vulnerabilities will challenge even the most up-to-date security administrator. Here are 5 overlooked threats that could put your cloud computing efforts at risk.

1. DIY Security

The days of security through obscurity are over. In the past, if you were an anonymous SMB, the threats you worried about were the typical consumer ones: viruses, phishing and, say, Nigerian 419 scams. Hackers didn’t have enough to gain to focus their energy on penetrating your network, and you didn’t have to worry about things like DDoS attacks – those were a service provider problem.

Remember the old New Yorker cartoon: “on the Internet no one knows you’re a dog”? Well, in the cloud, no one knows you’re an SMB.

“Being a small site no longer protects you,” said Marisa S. Viveros, VP of IBM Security Services. “Threats come from everywhere. Being in the U.S. doesn’t mean you’ll only be exposed to U.S.-based attacks. You — and everyone — are threatened from attackers from everywhere, China, Russia, Somalia.”

To a degree, that’s been the case for a while, but even targeted attacks are global now, and if you share an infrastructure with a higher-profile organization, you may also be seen as the beachhead that attackers can use to go after your bigger neighbors.

In other words, the next time China or Russia hacks a major cloud provider, you may end up as collateral damage. What this all adds up to is that in the cloud, DIY security no longer cuts it. Also, having an overworked general IT person coordinating your security efforts is a terrible idea.

As more and more companies move to cloud-based infrastructure, only the biggest companies with the deepest pockets will be able to handle security on their own. Everyone else will need to start thinking of security as a service, and, perhaps, eventually even a utility.

2. Private clouds that aren’t.

One way that security-wary companies get their feet wet in the cloud is by adopting private clouds. It’s not uncommon for enterprises to deploy private clouds to try to have it both ways. They get the cost and efficiency benefits of the cloud but avoid the perceived security risks of public cloud projects.

Plenty of private clouds, though, aren’t all that private. “Many ‘private’ cloud infrastructures are actually hosted by third parties, which still leaves them open to concerns of privileged insider access from the provider and a lack of transparency to security practices and risks,” said Geoff Webb, Director of Product Marketing for CREDANT Technologies, a data protection vendor.

Much of what you read about cloud security still treats it in outdated ways. At the recent RSA conference, I can’t tell you how many times people told me that the key to cloud security was to nail down solid SLAs that cover security in detail. If you delineate responsibilities and hold service providers accountable, you’re good to go.

There is some truth to that, but simply trusting a vendor to live up to SLAs is a sucker’s game. You – not the service provider – will be the one who gets blamed by your board or your customers when sensitive IP is stolen or customer records are exposed.

A service provider touting its security standards may not have paid very close attention to security. This is high-tech, after all, where security is almost always an afterthought.

3. Multi-tenancy risks in private and hybrid clouds.

Many companies, when building out their private or hybrid clouds, are hitting walls. The easy stuff has been virtualized, things like test development and file printing.

“A lot of companies have about 30 percent of their infrastructure virtualized. They’d like to get to 60-70 percent, but the low-hanging fruit has all been picked. They’re trying to hit mission-critical and compliance workloads, but that’s where security becomes a serious roadblock,” said Eric Chiu, President of virtualization and cloud security company HyTrust.

Multi-tenancy isn’t strictly a public cloud issue. Different business units – often with different security practices – may occupy the same infrastructure in private and hybrid clouds.

“The risk to systems owned by one business unit with good security practices may be undermined by the poor security practices of a sister business unit. Such things are extremely difficult to measure and account for, especially in large, multinational organizations,” Webb said.

Another issue is application tiers. In poorly designed private clouds, non-mission-critical apps often share the same resources as mission-critical ones. “How do most companies separate those?” asked Chiu.

“They air-gap it, so the biggest threat for most virtualization and private cloud environments is misconfiguration,” he said. “Eighty percent of downtime is caused by inappropriate administrative changes.”


4. Poorly secured hypervisors and overstressed IPS.

Every new technology brings with it new vulnerabilities, and a gaping cloud/virtualization vulnerability is the hypervisor.

“Many people are doing nothing at all to secure virtualized infrastructures. The hypervisor is essentially a network. You have a whole network running inside these machines, yet most people have no idea what sort of traffic is in there,” Anthony said.

Buffer overflow attacks have been successful against hypervisors, and hypervisors are popping up in all sorts of devices that people wouldn’t think of as having them, including Xbox 360s.

Even when organizations believe that they have a handle on the traffic within their cloud environments, they may be fooling themselves, especially if they are relying on legacy security tools. Everyone knows that they need an IPS solution to protect their cloud deployments, but they have no idea what the actual scale of the problem is.

Moreover, many of these appliances have packet inspection settings that by default fail on. In other words, if the device is overwhelmed with, say, video traffic, the majority of traffic passes through as safe and only small samples are inspected for threats.

The IPS will typically trigger a low-level alarm or record this spike in a log, but how many IT units have time to look at logs unless they know they have a problem? Organizations are also slow to realize that they need an array of different protection in virtualized cloud environments than they had in traditional on-premise settings. Or they do realize this and are choosing to ignore it due to budget and time constraints.

The IBM security executives I talked to at RSA ticked off a number of security solutions they would recommend to better protect cloud environments, including IPS solutions with 20 GBps capabilities, DLP and application security. Much of their advice boiled down to this (see item #1 again): security is becoming too big a problem for most organizations to tackle on their own.


5. Insider threats.

Are insider threats keeping you up at night now? Unfortunately, virtualization and the cloud ramp up the risk of insider threats – at least for the time being.

“A smaller number of administrators are now likely to have access to a greater amount of hosted data and systems than ever before, as the cloud systems are managed by a cloud infrastructure management team. This can leave sensitive data open to access by individuals who previously did not have access to it, eroding separation of duties and practices and raising the risk of insider attacks,” Webb said. The ability to walk off with key assets is also simply much easier to do, rights or not, in a virtualized environment than a physical one.

“When the banking restrictions came out, people were worried about someone walking into the physical data center and grabbing a rack of tapes and walking off with it,” Chiu said. Those fears spurred the much higher frequency of encrypting of data at rest.

How do you steal those same assets in a virtual environment, where data encryption is often still an oversight?

“If you have administrative credentials, you pick the virtual machine you want, right click and copy it,” Chiu said. It’s not that hard to spot someone walking out of the building with a box of tapes. A virtual machine on a USB drive isn’t going to raise a single eyebrow.




Protect Your Privacy: What Happens to Your Data?

March 26, 2011

When criminals obtain your e-mail address, credit card, or Social Security Number, your information enters an underground economy where it’s sold, bought, and (maybe) eventually used in a crime.

As detailed throughout this series, your data can be harvested by a variety of means–malware, phishing, sniffing, and other attacks. The most common method today uses e-mail, Web, and social networking phishing to trick users into installing malware on vulnerable computers; that malware then links infected machines together into a botnet. Those systems are scoured for any potentially valuable information, then used to attack others under the control of the botmaster. (Fortunately, such attacks are almost entirely targeted against Windows machines; attacks on Macs have been few and far between.)

However it has been obtained, stolen information is then aggregated and sold in online criminal marketplaces–called “carders”–which function much like eBay. For example, the ShadowCrew site that was busted in 2004 by the Secret Service had an estimated 4000 members and up to 8000 credit cards. Another,, was itself hacked last spring, but is still in operation.

Different kinds of data have different values: a credit card number may be worth as little as a few cents; that same number with your name, address, and Social Security number could be worth $30. Such data can be used to perpetrate a full-on identity theft, which can enable the miscreants to take out a mortgage in your name. That can happen years after the theft, since–unlike credit card numbers–SSNs don’t expire until you do.



Survey: Only One-Fourth of K-12 Educators Teach Kids About Cyberbullying

March 25, 2011

Despite the media spotlight on cyberbullying, only 26 percent of K-12 teachers say they’ve taught kids how to handle online harassment over the past year, says a survey by the National Cyber Security Alliance (NCSA) and Microsoft.



America’s Perilous Patchwork of Privacy Laws

March 24, 2011

As a concept, the notion of online privacy seems to rank right up there with the Tooth Fairy. Facebook has declared that all posts by members on their walls are public property; Google (Nasdaq: GOOG) keeps getting into trouble with various governments over the data its Street View cars collect; and you can forget about your Tweets being private — the Library of Congress is recording them.

“Consumers can’t expect much privacy in online services like Google, Facebook and Twitter,” Rainey Reitman, activism director at the Electronic Frontier Foundation, told TechNewsWorld. There are few laws protecting consumers on the Web, Reitman pointed out. Meanwhile, law enforcement “continues to seek ways to expand their online surveillance powers.”



India Issues Draft Privacy Rules

March 23, 2011

The Government of India’s Ministry of Communications & Information Technology has published three draft rules that would implement the Information Technology Act, 2000. These include: Reasonable Security Practices and Procedures and Sensitive Personal Information; Due Diligence Observed by Intermediaries Guidelines and Guidelines for Cyber Cafe. The first two of these rules could affect international companies that provide digital services or process data in India. The comment period on the rules ends February 28, 2011.

The Reasonable Security Practices and Procedures and Sensitive Personal Information rules could impact all information processing and business processes outsourced to India. The draft rule covers user information that is processed in India no matter where that information was originally collected. The rule defines sensitive personal information broadly, and it prohibits the collection of sensitive information unless it is to be used for a lawful purpose. The rule requires adherence to traditional fair information practices related to notice, choice and access. The rule further requires that organizations implement reasonable security practices and procedures and that they document a security program to demonstrate that it includes managerial, technical, operational and physical security measures that are appropriate to the nature of the information. In the case of a data breach, the organization could be asked to demonstrate those procedures to the appropriate agency.

The Due Diligence Observed by Intermediaries Guidelines require that an intermediary notify all users of computer resources of unethical and unsafe online activity that must be avoided, and police users that engage in such activity on sites the intermediary hosts. The Guidelines also require that intermediaries themselves refrain from such activity and provide information to government agencies related to prohibited behavior.
