Risk
1/19/2010
11:45 AM
David Berlind
Commentary

Was Novell Too Quick To Use China/Google Incident To Disparage Cloud Computing?

Had Novell's director of public relations Ian Bruce not responded to my blog post about Google's choice to change Gmail's default transmission mode from the less secure HTTP (Web) to the more secure and encrypted HTTPS (Secure Web), I would never have seen his own blog post on Novell's Web site entitled "On Google, e-mail security, and cloud." But I'm glad I saw it. It's evidence of how some vendors might be too quick to throw fuel on the fire of misinformation in order to draw positive attention to themselves.

Bruce made his post, which raises "some old questions about the security of Gmail," on January 13th, when so very little was known about the nature of the attack. In a phone call today, Bruce told me that, had he known about the actual nature of the attack (that it involved a zero-day vulnerability in Internet Explorer and that humans may have played a role as well), he might have worded his post differently. As a result of my inquiry, Bruce said he plans to revise the post today.

In his original blog post, Bruce wrote:

The fact that Google was hacked by cybercriminals is hardly surprising. The fact that these criminals would go after email in the cloud is not surprising, either. After all, e-mail is the most visible, most popular and to many people, most important application running in the cloud today. The fact that Google would consider pulling its entire business out of China because of these hackers just emphasizes the importance of security in the cloud, while raising some old questions about the security of Gmail - issues we have discussed in the past.

However, today's news also carries a broader message for all IT vendors. As we increasingly move applications to the cloud, we have to focus on security. Until we can guarantee security of all applications in the cloud, adoption of cloud computing will continue to lag. Security is already the leading concern among IT executives considering cloud as part of their IT infrastructure, and the news from Google will only accentuate this concern. Identity and security management needs to be intrinsic to all applications deployed into the cloud. This is the premise behind Novell's approach to the emerging intelligent workload management market.

Novell's collaboration strategy is to ensure that our solutions are secure, regardless of whether they are running in the cloud or on-premise....

By leveraging the China/Google incident into a misguided yet derisive commentary on the state of cloud security, Bruce's post calls the trustworthiness of Novell's other messaging into question.

Yes, the email accounts that the Chinese government was hoping to compromise were hosted by Gmail. But as it turns out, the cloud-based nature of Gmail had nothing to do with the highly sophisticated attack that targeted not just Google but at least 32 other companies as well, many of which were not cloud computing companies. Two of those companies were apparently Adobe and Juniper Networks. Some of the companies were defense contractors (Northrop Grumman and Dow Chemical are rumored to have been hit) and others are rumored to be in the finance sector.

The assault was based on a zero-day vulnerability in Microsoft's Internet Explorer Web browser that, when exploited (and in a fashion that's typical of many such attacks), basically gives the attacker the same access to the target PC's local and networked resources that the actual user of that PC has. The incident has prompted the French and German governments to recommend not using Internet Explorer. Wisely, however, those advisories make no such recommendation when it comes to cloud computing.

In the case of Google, the attack was apparently designed to gain access to another specific system behind Google's firewalls. The intrusion has led to further speculation (and an official Google investigation) that someone inside Google with knowledge of that system was collaborating with the Chinese.

Had the same highly sophisticated attack involving an insider been perpetrated against a company running Lotus Notes, Microsoft Exchange, or Novell's Groupwise (and in those 32 other companies that were attacked, that was probably the case), the Internet Explorer-related nature of the vulnerability would have left those companies equally defenseless.

I mentioned to Bruce that his post and the way in which it connected the China/Google incident to a positive message about Novell left a bad taste in my mouth.

In reply, Bruce said "the leading disadvantage of cloud is perceived to be security and my point is that this incident is just going to reinforce that perception. We as an industry have work around the perception that cloud-based computing is inherently insecure. That was more of the point. There may be some security issues with Gmail."

Which is where I interrupted him and asked "But what security issues with Gmail?" Bruce then asked me what has been reported and I updated him on what is known about the attack.

In response, Bruce said "If people or the browser were involved, then I would revise my post. The main point however, whether real or imaginary, is that there's a perception that the cloud is insecure and as an industry, we have to correct that perception."

In response to our call, Bruce has so far replied in the comments area to my original post. In that reply Bruce wrote:

I agree we're still learning what was at the root of the security breach - when I wrote my 1/13 post the details were very sketchy. The latest news suggests IE and not PDF vulnerabilities, and the WSJ reports Google is investigating its Chinese staff, but the picture is still incomplete.

My intention in my post was to point out that whatever the cause, the news from Google will only exacerbate existing concerns about cloud security overall, and this will slow adoption.

In a follow-up email, Bruce said to expect a revision to his original blog post on Novell's Web site.

Also, I'm attending Black Hat. Maybe I'll see you there....

David Berlind is the chief content officer of TechWeb and editor-in-chief of TechWeb.com. David likes to write about emerging tech, new and social media, mobile tech, and things that go wrong and welcomes comments, both for and against anything he writes. He can be reached at dberlind@techweb.com and you also can find him on Twitter and other social networks (see the list below). David doesn't own any tech stocks. But, if he did, he'd probably buy some Salesforce.com and Amazon, given his belief in the principles of cloud computing.

Twitter (@dberlind), My Facebook Page, Flickr (davidberlind), YouTube (TechWebTV), FriendFeed (davidberlind), Del.icio.us (dberlind), Me on LinkedIn, Plaxo (davidberlind), Disqus (DavidBerlind), my Google Profile (David.Berlind)
