1/19/2010
11:45 AM
David Berlind
Commentary

Was Novell Too Quick To Use China/Google Incident To Disparage Cloud Computing?

Had Novell's director of public relations Ian Bruce not responded to my blog post about Google's choice to change Gmail's default transmission mode from the less secure HTTP (Web) to the more secure and encrypted HTTPS (Secure Web), I would never have seen his own blog post on Novell's Web site entitled On Google, e-mail security, and cloud. But I'm glad I saw it. It's evidence of how some vendors might be too quick to throw fuel on the fire of misinformation in order to draw positive attention to themselves.

Bruce made his post, which raises "some old questions about the security of Gmail," on January 13th, when very little was known about the nature of the attack. In a phone call today, Bruce told me that, had he known about the actual nature of the attack (that it involved a zero-day vulnerability in Internet Explorer and that humans may have played a role as well), he might have worded his post differently. As a result of my inquiry, Bruce said he plans to revise the post today.

In his original blog post, Bruce wrote:

The fact that Google was hacked by cybercriminals is hardly surprising. The fact that these criminals would go after email in the cloud is not surprising, either. After all, e-mail is the most visible, most popular and to many people, most important application running in the cloud today. The fact that Google would consider pulling its entire business out of China because of these hackers just emphasizes the importance of security in the cloud, while raising some old questions about the security of Gmail - issues we have discussed in the past.

However, today's news also carries a broader message for all IT vendors. As we increasingly move applications to the cloud, we have to focus on security. Until we can guarantee security of all applications in the cloud, adoption of cloud computing will continue to lag. Security is already the leading concern among IT executives considering cloud as part of their IT infrastructure, and the news from Google will only accentuate this concern. Identity and security management needs to be intrinsic to all applications deployed into the cloud. This is the premise behind Novell's approach to the emerging intelligent workload management market.

Novell's collaboration strategy is to ensure that our solutions are secure, regardless of whether they are running in the cloud or on-premise....

By leveraging the China/Google incident into a misguided yet derisive commentary on the state of cloud security, Bruce's post calls the trustworthiness of Novell's other messaging into question.

Yes, the email accounts that the Chinese government was hoping to compromise were hosted by Gmail. But as it turns out, the cloud-based nature of Gmail had nothing to do with the highly sophisticated attack that targeted not just Google but at least 32 other companies as well, many of which were not cloud computing companies. Two of those companies were apparently Adobe and Juniper Networks. Some of the companies were defense contractors (Northrop Grumman and Dow Chemical are rumored to have been hit) and others are rumored to be in the finance sector.

The assault was based on a zero-day vulnerability in Microsoft's Internet Explorer Web browser that, when exploited (and in a fashion that's typical of many such attacks), basically gives the attacker the same access to the target PC's local and networked resources that the actual user of that PC has. The incident has prompted the French and German governments to recommend not using Internet Explorer. Wisely, however, those advisories make no such recommendation when it comes to cloud computing.

In the case of Google, the attack was apparently designed to gain access to another specific system behind Google's firewalls. The intrusion has led to further speculation (and an official Google investigation) that someone inside Google with knowledge of that system was collaborating with the Chinese.

Had the same highly sophisticated attack involving an insider been perpetrated against a company running Lotus Notes, Microsoft Exchange, or Novell's GroupWise (and in those 32 other companies that were attacked, that was probably the case), the Internet Explorer-related nature of the vulnerability would have left those companies equally defenseless.

I mentioned to Bruce that his post and the way in which it connected the China/Google incident to a positive message about Novell left a bad taste in my mouth.

In reply, Bruce said "the leading disadvantage of cloud is perceived to be security and my point is that this incident is just going to reinforce that perception. We as an industry have work around the perception that cloud-based computing is inherently insecure. That was more of the point. There may be some security issues with Gmail."

Which is where I interrupted him and asked "But what security issues with Gmail?" Bruce then asked me what has been reported and I updated him on what is known about the attack.

In response, Bruce said "If people or the browser were involved, then I would revise my post. The main point however, whether real or imaginary, is that there's a perception that the cloud is insecure and as an industry, we have to correct that perception."

In response to our call, Bruce has so far replied in the comments area to my original post. In that reply Bruce wrote:

I agree we're still learning what was at the root of the security breach - when I wrote my 1/13 post the details were very sketchy. The latest news suggests IE and not PDF vulnerabilities, and the WSJ reports Google is investigating its Chinese staff, but the picture is still incomplete.

My intention in my post was to point out that whatever the cause, the news from Google will only exacerbate existing concerns about cloud security overall, and this will slow adoption.

In a follow-up email, Bruce said to expect a revision to his original blog post on Novell's Web site.

David Berlind is the chief content officer of TechWeb and editor-in-chief of TechWeb.com. David likes to write about emerging tech, new and social media, mobile tech, and things that go wrong and welcomes comments, both for and against anything he writes. He can be reached at dberlind@techweb.com and you also can find him on Twitter and other social networks (see the list below). David doesn't own any tech stocks. But, if he did, he'd probably buy some Salesforce.com and Amazon, given his belief in the principles of cloud computing.

Twitter (@dberlind); My Facebook Page; Flickr (davidberlind); YouTube (TechWebTV); FriendFeed (davidberlind); Del.icio.us (dberlind); Me on LinkedIn; Plaxo (davidberlind); Disqus (DavidBerlind); my Google Profile (David.Berlind)
