It’s the new frontier. It’s like the “Wild West” meets the “Barbary Coast”, with hostile Indians and pirates all rolled into one. And like those places, lawless entrepreneurialism a major part of the economy. That was the impression I got reading Robert Mullins’ The biggest cloud on the planet is owned by … the crooks. He examines the resources under the control of Conficker-based worms and compares them to the legitimate cloud providers. I liked his post, as considering botnets in terms of their position as cloud computing leaders (by resources under management) is a startling concept. Realizing that botnets offer 18 times the computational power of Google and over 100 times Amazon Web Services is astounding. It’s fascinating to see how the shady and downright criminal have embraced technology – and in many cases drive innovation. I would also be interested in comparing total revenue and profitability between, say, AWS and a botnet. We can’t, naturally, as we don’t really know the amount of revenue spam and bank fraud yield. Plus the business models are different and botnets provide abnormally low overhead – but I am willing to bet criminals are much more efficient than Amazon or Google.
It’s fascinating to see the shady and downright criminal have embraced the model so effectively. I feel like I am watching a Battlestar Galatica rerun, where the humans can’t use networked computers, as the Cylons hack into them as fast as they find them. And the sheer numbers of hacked systems support that image. I thought it was apropos that Andy the IT Guy asked Should small businesses quit using online banking, which is very relevant. Unfortunately the answer is yes. It’s just not safe for most merchants who do not – and who do not want to – have a deep understanding of computer security. Nobody really wants to go back to the old model where they drive to the bank once or twice a week and wait in line for half an hour, just so the new teller can totally screw up your deposit. Nor do they want to buy dedicated computers just to do online banking, but that may be what it comes down to, as Internet banking is just not safe for novices. Yet we keep pushing onward with more and more Internet services, and we are encouraged by so many businesses to do more of our business online (saving their processing costs). Don’t believe me? Go to your bank, and they will ask you to please use their online systems. Fun times.
On to the Summary:
Webcasts, Podcasts, Outside Writing, and Conferences
- On that note, Rich on Protecting your online banking.
- Living with Windows: security. Rich wrote this up for Macworld.
- Insiders Not the Real Database Threat.
- RSA Video: Enterprise Database Security.
Favorite Securosis Posts
- Rich: Help a Reader: PCI Edition. Real world problem from a reader caught between a rock and an assessor.
- Mike Rothman: How Much Is Your Organization Telling Google? Yes, they are the 21st century Borg. But it’s always interesting to see how much the Google is really seeing.
- David Mortman: FireStarter: Nasty or Not, Jericho is Irrelevant.
- Adrian Lane: Hit the Snooze Button on Lancope’s Data Loss Alarms. Freakin’ Unicorns.
Other Securosis Posts
- Endpoint Security Fundamentals: Introduction.
- Database Security Fundamentals: Configuration.
- Incite 3/31/2010: Attitude Is Everything.
- Security Innovation Redux: Missing the Forest for the Trees.
- Hello World. Meet Pwn2Own.
Favorite Outside Posts
- Rich: Is Compliance Stifling Security Innovation? Alex over at Verizon manages to tie metrics to security innovation. Why am I not surprised? 🙂
- Mike Rothman: Is it time for small businesses to quit using online banking? Andy the IT Guy spews some heresy here. But there is definitely logic to at least asking the question.
- David Mortman: Side-Channel Leaks in Web Applications.
- Adrian: A nice salute to April 1 from Amrit: Chinese Government to Ban All US Technology.
Project Quant Posts
Research Reports and Presentations
- The short version of the RSA Video presentation on Enterprise Database Security.
- Report: Database Assessment.
Top News and Posts
- Great interview with security researcher Charlie Miller. Especially the last couple of paragraphs.
- Man fleeing police runs into prison yard.
- Google’s own glitch causes blockage in China.
- Senate Passes Cybersecurity Act. Not a law yet.
- Nick Selby on the recent NJ privacy in the workplace lawsuit.
- Microsoft runs fuzzing botnet, finds 1800 bugs.
- Key Logger Attacks on the Rise.
- Content Spoofing – Not Just an April Fool’s Day Attack.
- JC Penny and Wet Seal named as breached firms.
- Nice discussion: Mozilla Plans Fix for CSS History Hack. Original Mozilla announcement here.
- Microsoft SDL version 5.
Blog Comment of the Week
Remember, for every comment selected, Securosis makes a $25 donation to Hackers for Charity. This week’s best comment goes to Martin McKeay, for offering practical advice in response to Help a Reader: PCI Edition.
Unluckily, there isn’t a third party you can appeal to, at least as far as I know. My suggestion would be to get both your Approved Scanning Vendor and your hosting provider on the same phone call and have the ASV explain in detail to the hosting provider the specifics of vulnerabilities that have been found on the host. Your hosting provider may be scanning your site with a different ASV or not at all and receiving different information than your seeing. Or it may be that they’re in compliance and that your ASV is generating false positives in your report. Either way, it’s going to be far easier for them to communicate directly at a technical level than for you to try and act as an intermediary between the two.
I’d also politely point out to your host that their lack of communication is costing you money and if it continues you may have to take your business elsewhere. If they’re not willing to support you, you should continue to pay them money. Explore your contract, you may have the option of subtracting the amount of the fines from your payment to them. Money always get’s their attention.
There are too many variables involved for there to be a solid answer to this, these are just my suggestions. If you have a relationship with a QSA I’d strongly suggest you get them involved as well.
Comments