Written on March 30, 2011 by Craig Balding

GoGrid Security Breach

Bad news for GoGrid customers as today we received the following breach notification by email…

Dear Valued Customer:

In the normal process of reviewing our system activity, our Security Team discovered that an unauthorized third party may have viewed your account information, including payment card data. We immediately took action to protect our customers, including notifying federal law enforcement authorities, who have since seized the computing equipment and records of the single individual suspected of this misconduct. The criminal investigation is ongoing, and we will continue to assist the authorities in working toward a successful prosecution.

The security and reliability of our platform is fundamental to our business, as is the trust and faith that our customers place in us. We have completed a rigorous audit conducted by a leading security firm. There were three important findings that lead us to believe the situation has been contained:

1. The method utilized by the suspect to gain access has been identified and remediated.
2. It appears that the suspect’s sole motive was to acquire free services from us. We have no evidence suggesting that the suspect was targeting customer infrastructure or payment cards.
3. We have no indication that any customer information was shared with any other unauthorized parties or that there has been unauthorized use of any cardholder’s data.

In addition, we are instituting a series of new measures designed to further enhance security. Any information that you may need in order to comply with these measures will be communicated through the user portal and the support ticketing system. As an added precaution, affected cardholders will receive a letter in the mail offering credit monitoring services at our expense.

Client privacy, confidentiality and security are central to us. We greatly value your business and apologize for any inconvenience this causes. If you have any questions related to any of the above, please contact our Customer Service Team at 1-866-310-8477 or 1-415-963-9955 or via email at gogridteam@gogrid.com.

Sincerely,
John Keagy, Chief Executive Officer, and the GoGrid Team

This email was sent by: GoGrid

360 Spear Street, Suite 200 San Francisco, CA, 94105, USA

Anyone know any details of the case?

Written on December 17, 2010 by Craig Balding

Brucon 2010 - More on Project Skylab

The Brucon multimedia people recently posted the video of all the Brucon 2010 talks.

Here’s a video of my Project Skylab talk [1 hour / 120MB AVI] hosted by the Corelan team (thanks guys!). The first half is mostly a “call to action” for security practitioners, the second half covers Skylab components, architecture and plans.

I plan to post a demo video of Skylab in late January/early February, so if you’re looking for that, hold tight.

For those that want to peruse the slidedeck and speaker notes, here’s the Slideshare powered preso:

Project Skylab: Helping You Get Your Cloud On

Brucon remains one of my favourite infosec conferences – it’s relaxed, friendly and has consistently good talks. As with many non-profit conferences, it relies very much on the goodwill and sweat of a volunteer crew and I’d like to say a special thank you to all those that lent a helping hand.

Posted in presentations, skylab
Written on May 18, 2010 by Craig Balding

How to Kick Ass in Cloud Computing Marketing

Few things inspire a blogger to write blog posts more than appealing to their ego and sense of humour. Despite concerted appearances to the contrary, it appears I too am susceptible.

Here we take a lesson in marketing brilliance from Novell…as they “take the drama out of Cloud Computing”…by bringing a slightly surreal blog post I wrote to the small stage/screen:

If the above doesn’t display for you, click An interpretation from the blog post: Are You Trying to Pin the Tail on the Cloud Donkey? by Craig Balding

Thanks to the actors for giving me a laugh out loud moment – commanding performances gents! :)

Cheers,
Craig

P.S. For more hilarity, check out their Vimeo channel.

Posted in media, funny
Written on March 24, 2010 by Craig Balding

Introducing the Skylab Community Project

Last week I attended SecureCloud 2010 in Barcelona, a conference dedicated to cloud computing and security, organised by the Cloud Security Alliance, ENISA, ISACA and IEEE.

This proved to be an excellent opportunity for deep dive conversations with others heavily involved with cloud security, both providers and users.

The conference was well run – particularly for a first time out. The presentations were a mixed bunch, which I felt reflected:

  • the on-going open interpretation of the term “cloud” (and a few who insisted on muddying the waters by referring to traditional web hosting providers as “cloud providers” – eek!)
  • the different stages that people are at with their understanding of cloud computing and security and
  • the wide diversity of speakers present (a healthy thing in my book).

I’m very glad I attended and was able to present the kick-off to Project Skylab.

A number of readers asked if the presentations would be recorded and made available to non-attendees. Unfortunately, they were not, so I’ve recorded the “home edition” version of my talk and am making it available here.

The Skylab Project is aimed at IT and IT security professionals that are “cloud curious” and want to get their hands dirty in a relatively safe way (i.e. no business data involved). You could say it’s for the hobbyist security geek. This talk sets out the concept, design goals and plans for Project Skylab. Hence, this presentation is not about “cloud security” per se or “securing the cloud”. At most it’s about delivering a security related service (an on-demand security test lab) from the cloud. Check out my other cloud computing and security presentations if you’re looking for coverage of cloud security challenges.

Important notes:

  • this is the “kick-off” of Skylab – not the “solution” stage (!)
  • if you’re an old hand with IaaS services (including cloud overlay networks), I doubt you’ll learn anything new about cloud.

I plan to develop Skylab on an on-going basis. I’m also encouraging others to contribute their ideas (with full credit of course).

Finally, I’ve applied to speak at Brucon 2010 in September. If my application is successful I will present the first tried and tested incarnation of Skylab.

Please let me know if you enjoy this video (or not!) as this is the first time I’ve tried this. I welcome your feedback.

I’d like to thank Jim Reavis and his team for the excellent logistical support throughout the conference, along with the SecureCloud presentation committee for inviting me to speak.

Cheers,
Craig

P.S. cloudsecurity.org now has a forum dedicated to discussions about cloud computing and security. There is also a dedicated board for Project Skylab communication.

Posted in presentations, skylab
Written on March 14, 2010 by Craig Balding

Cloud Computing and Security Conference: SecureCloud 2010


Next Tuesday and Wednesday I’ll be attending SecureCloud 2010 in Barcelona, Spain. This looks to be a very promising conference, totally focused on cloud computing and security. Admission is free, and the event is organised by the Cloud Security Alliance, ENISA, ISACA and IEEE.

On Wednesday, I’ll present “Skylab: How To Create A Simple Security Test Lab With No Hardware”. Here’s the blurb:

This presentation will be technical in nature and focus on how
security practitioners can leverage public IaaS clouds today, to create
an ad-hoc security test lab for both offensive and defensive security
research. We’ll explore prior use cases of cloud by security
researchers, define a simple test lab network architecture and
associated requirements, get an overview of existing IaaS capabilities
and the challenges you’ll face when replicating even relatively simple
network topologies (along with some workarounds). At the end of this
presentation, attendees will know how to build their own virtual skylab.

When I get back, I’ll upload my slides and explain more about Skylab.

If you’re attending, definitely come up and say hello.

Cheers,

Craig
