Archive for 'Cloud Security'

Way cool! HTTP session hijacking can't be made simpler than with Firesheep. A couple of days ago a friend of mine suggested I log in to a very popular website, and he demonstrated how he took control of and accessed my user session in less than a minute. At first I thought he had used a network protocol analyser such as Wireshark, or a sniffer, to get at my session information, but I was a bit surprised to see he had used a simple, user-friendly Firefox plugin (Firesheep) to steal and use my session. Believe it or not, on an unsecured network Firesheep can easily capture the active session information exchanged with any website that uses clear-text, unencrypted HTTP and session-ID cookies, regardless of the victim's operating system and browser. Of course, sending and receiving clear text over HTTP has always posed a huge risk, and compromising the session cookie allows impersonation. Interestingly, most of us don't care much until we become the victim of a data loss! Even many popular social-network websites still use clear text over HTTP.



With my first experience, Firesheep worked well on my Mac, capturing my Facebook and WordPress sessions running on a PC, so quick! Not just Facebook sessions: if you are on an unsecured network and accessing any unsecured website (without SSL), a Firesheep user on the same network can passively capture your session cookie and replay it to hijack the currently active HTTP session. This is often called sidejacking; the attacker does not need to sit in the middle of the connection, only to hear it, which is why it works without any visible disruption. Unfortunately, there is no silver bullet to thwart these attacks unless you are aware of the risks of unsecured networks and clear-text communication and avoid them.




Thwarting Firesheep !

If you are concerned about Firesheep attacks on the client side (the user's browser), then make sure to use a secured VPN, an SSH tunnel, IPsec, or encrypted Wi-Fi (e.g. WPA2) when accessing unsecured web applications: the attacker has to be able to read your traffic, so an encrypted hop between your machine and the sniffer defeats the capture. Note that WPA2 only protects the wireless segment, and on a shared pre-shared-key network another user who knows the key can still decrypt your traffic. If you must use an unsecured network, you may use the BlackSheep tool, which helps find out whether a rogue Firesheep user on the network is currently capturing sessions. For Facebook and other sites that support HTTPS, consider HTTPS Everywhere, a Firefox extension that rewrites requests to those sites to use HTTPS.

On the server side, if you want to secure your web application and user sessions from prying eyes, here are some best practices that help thwart such session-hijacking attacks:

  1. Use SSL/TLS for the whole session, not just the login page, so the transport between the user's client and the web server is encrypted. Firesheep works precisely because the session cookie rides along on later clear-text requests after a login that may itself have been over HTTPS.
  2. Mark session cookies Secure (so the browser never sends them over plain HTTP) and HttpOnly (so script cannot read them), and encrypt or sign any data the server stores in the cookie, validating it on every request. Encrypting the cookie's contents alone is not enough: a sniffer replays the captured cookie verbatim, ciphertext and all.
  3. Enable hostname/IP-address verification for all critical requests: record the originating client's address in the server-side session and compare it with the address presenting the cookie. Treat a mismatch as a tripwire rather than a fix, since clients behind NAT or on mobile networks change addresses legitimately, and a sidejacker on the same Wi-Fi usually shares the victim's public address.
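As an added example (my own illustration, not code from the original post, from Firesheep or from BlackSheep), the following Python shows both halves of the story: what a sidejacker harvests from clear-text requests, and the cookie-flag and client-address checks behind items 1 to 3 above. The captured requests, hostnames, cookie names and addresses are constructed for the example.

```python
"""Added example, not code from the original post: what a Firesheep-style
sidejacker harvests from clear-text HTTP, and the server-side checks from the
list above. The captured requests, cookie names and addresses are constructed
for illustration only."""
from ipaddress import ip_address

# Cookie names a sidejacker would treat as a login session (constructed list;
# real tools ship per-site rules naming the cookies each site uses).
SESSION_COOKIE_NAMES = {"c_user", "xs", "PHPSESSID", "JSESSIONID"}
SESSION_COOKIE_PREFIXES = ("wordpress_logged_in_",)

# Constructed sample of what a sniffer on an open WLAN sees: raw clear-text
# requests from other clients, cookies included.
CAPTURED_HTTP = [
    "GET /home.php HTTP/1.1\r\nHost: social.example\r\n"
    "Cookie: datr=xyz; c_user=100001; xs=5%3Aabc123%3A2\r\n\r\n",
    "GET /wp-admin/ HTTP/1.1\r\nHost: blog.example\r\n"
    "Cookie: wordpress_logged_in_9f8e=alice%7C1290000000%7Cdeadbeef\r\n\r\n",
    "GET /index.html HTTP/1.1\r\nHost: static.example\r\n\r\n",  # no session here
]


def parse_cookie_header(value):
    """Split a Cookie request header into {name: raw_value}."""
    jar = {}
    for pair in value.split(";"):
        if "=" in pair:
            name, raw = pair.strip().split("=", 1)
            jar[name.strip()] = raw.strip()
    return jar


def is_session_cookie(name):
    return name in SESSION_COOKIE_NAMES or name.startswith(SESSION_COOKIE_PREFIXES)


def harvest_sessions(raw_requests):
    """Return {host: {cookie: value}} for each clear-text request that carries a
    session cookie. Replaying these cookies is all the hijacker needs; the
    password never appears on the wire and is not required."""
    stolen = {}
    for raw in raw_requests:
        head = raw.split("\r\n\r\n", 1)[0]
        headers = {}
        for line in head.split("\r\n")[1:]:  # skip the request line
            if ":" in line:
                key, val = line.split(":", 1)
                headers[key.strip().lower()] = val.strip()
        if "host" not in headers or "cookie" not in headers:
            continue
        session = {n: v for n, v in parse_cookie_header(headers["cookie"]).items()
                   if is_session_cookie(n)}
        if session:
            stolen[headers["host"]] = session
    return stolen


def audit_set_cookie(set_cookie_value, issued_over_tls):
    """Findings for one Set-Cookie response header (items 1 and 2 of the list).
    Encrypting the cookie's *contents* does not stop replay: the sniffer sends
    the ciphertext back unchanged. What matters is that the cookie never
    travels in the clear (TLS + Secure) and cannot be read by script (HttpOnly)."""
    parts = [p.strip() for p in set_cookie_value.split(";")]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    findings = []
    if not issued_over_tls:
        findings.append("issued over clear-text HTTP: already visible to a sniffer")
    if "secure" not in attrs:
        findings.append("missing Secure: browser will also send it over plain HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable by injected script")
    return findings


def client_matches_session(session_record, request_ip):
    """Item 3 of the list: the address presenting the cookie must match the
    address recorded at login. This is a tripwire, not a fix: a sidejacker on
    the same WLAN usually shares the victim's NAT address, and mobile clients
    legitimately change address mid-session."""
    return ip_address(session_record["client_ip"]) == ip_address(request_ip)


if __name__ == "__main__":
    for host, cookies in harvest_sessions(CAPTURED_HTTP).items():
        print(f"{host}: hijackable with {', '.join(cookies)}")
    weak = "sid=abc123; Path=/"
    print(weak, "->", audit_set_cookie(weak, issued_over_tls=False))
    hardened = "sid=abc123; Path=/; Secure; HttpOnly"
    print(hardened, "->", audit_set_cookie(hardened, issued_over_tls=True) or "ok")
    print(client_matches_session({"client_ip": "10.0.0.5"}, "203.0.113.7"))  # False
```

Running it lists the two hijackable hosts from the constructed capture, reports three findings for the weak Set-Cookie and none for the hardened one, and rejects a cookie presented from a different address. The third request in the sample carries no session cookie and yields nothing, which is the whole point: a cookie that is never sent in the clear cannot be sidejacked.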

If you are concerned about SSL/TLS overhead and are looking for high-performance SSL/TLS acceleration solutions, refer to my previous entries; they should help.



Good luck.


Absolutely. Security cannot be an afterthought when it comes to hosting on the cloud.


Dilbert on Cloud Computing :-)

That is the true reality of real-world cloud adoption.


Jim Seward (@VersionOne) asked me to take a look at this research study (by Version One, UK) about the confusion surrounding cloud computing amongst senior IT professionals. I'm not sure it includes your boss! This high-level study, conducted with a group of 60 senior IT professionals in the UK, has revealed some interesting findings.

  1. 41% of senior IT professionals admit that they "don't know" what cloud computing is!
  2. Of the 59% of IT professionals who profess to know what cloud computing is:
  • 17% understand cloud computing to be internet-based computing
  • 11% believe it is a combination of internet-based computing, software as a service (SaaS), software on demand, an outsourced or managed service and a hosted software service
  • The remaining respondents understand cloud computing to be a mixture of the above.

More interesting to note, only 2% of respondents said that their company is "definitely" going to invest in cloud computing in the next 12 months. I would suggest you read the complete study by visiting VersionOne; their findings are right here.


I just had a chance to read this article at DarkReading. It enumerates the following six common security mistakes businesses make while adopting cloud-infrastructure-based services:

  1. Mistake #1: Assuming the cloud is less secure than your data center.
  2. Mistake #2: Not verifying, testing, or auditing the security of your cloud-based service provider.
  3. Mistake #3: Failing to vet your cloud provider’s viability as a business.
  4. Mistake #4: Assuming you’re no longer responsible for securing data once it’s in the cloud.
  5. Mistake #5: Putting insecure apps in the cloud and expecting that to make them more secure.
  6. Mistake #6: Having no clue that your business units are already using some cloud-based services.

The list is very much focused on the business aspects of security rather than the technological pitfalls. You may take a detailed look at the DarkReading post right here.

 

Coincidentally, let's not ignore the six "Dumbest Ideas in Computer Security"; it is right here.


Lately I've been frantically busy with a couple of my ISVs and an SI, helping them out on a citizen-scale national healthcare identity infrastructure solution pilot for one of the populous countries in the Atlantic region. Sorry, I cannot disclose the country's name, to abide by their privacy laws and to protect my job :-). The solution aims to deliver a unified desktop/voice infrastructure via a Sun Ray environment, fortified by biometrics and smartcard PKI-based authentication to access the exposed services. Using smartcard/PKI and biometrics with Sun Rays has been deployed in production (at a few customers) and in practice for a while now, but in my current project the interesting thing is that the complete Sun Ray solution will be hosted as a SaaS environment (~private cloud); the other complexities relate to legal/privacy issues with performing citizens' biometric enrollment and storing the biometric information with a private organization (especially when the country's privacy laws forbid storing citizens' biometric samples). Keeping those nail-biting legal issues aside, the government folks are still very enthusiastic and excited about adopting biometric authentication for Sun Ray-based desktops to access their SaaS-hosted web-based healthcare applications.

 

Biometric Authentication for Sun Rays

Biometric Authentication on a Sun Ray environment

 

Looks cool, isn't it? If you are curious to know the secret sauce of the Sun Ray biometric authentication solution, here is the bill of materials to put together:

  1. Sun Ray Session Server 4.x or above
  2. Solaris 10 X64 or SPARC
  3. Sun OpenSSO (Biometric SSO for Web applications)
  4. Sun Identity Manager (Provisioning Biometric Samples during enrollment)
  5. Sun Directory Server
  6. Sun Secure Global Desktop (Support accessing Windows, Mac, Linux, Solaris Desktops)
  7. Oracle 11g or MySQL 5.x database
  8. BiObex Authentication Middleware (Advanced Biometric Controls)
  9. Hamster Plus – USB Biometric Scanner (SecuGen) – For supporting Desktop/Web authentication
  10. CrossMatch Verifier E – Biometric Scanner for supporting Biometric enrollment

Shortly, I will update this blog entry with a detailed architecture and deployment cheat sheet, as soon as I wrap up my current project deliverables. If you are a Sun Ray enthusiast, I know you will have some burning questions! Feel free to send them and I will try to answer them quickly; otherwise please stay tuned for my unofficial deployment guide.

 

This stateless infrastructure could be your next generation client for securely accessing your virtual desktops hosted on the cloud :-)


I didn't get a chance to experiment with Microsoft's cloud infrastructure, but it's quite interesting to see Microsoft go "proactive" on security with its cloud infrastructure! While everyone else is still scratching their heads, Microsoft cloud users may breathe a sigh of relief :-)

Recently, the Microsoft cloud infrastructure team (Global Foundation Services division) published a document on their security features, which highlights the Microsoft cloud obtaining ISO/IEC 27001:2005 certification and SAS 70 Type I and Type II attestations. At the outset it is an excellent document, especially for those who don't realize the importance of cloud security (rather than treating it as an afterthought). Read it for yourself; the document is right here.


Important Disclaimer: The information presented in this weblog is provided "AS IS" with no warranties, and confers no rights. It solely represents our opinions. This weblog does not represent the thoughts, intentions, plans or strategies of our employers.