1/19/2010
11:45 AM
David Berlind
Commentary

Was Novell Too Quick To Use China/Google Incident To Disparage Cloud Computing?

Had Novell's director of public relations Ian Bruce not responded to my blog post about Google's choice to change Gmail's default transmission mode from the less secure HTTP (Web) to the more secure and encrypted HTTPS (Secure Web), I would never have seen his own blog post on Novell's Web site entitled On Google, e-mail security, and cloud. But I'm glad I saw it. It's evidence of how some vendors might be too quick to throw fuel on the fire of misinformation in order to draw positive attention to themselves.

Bruce made his post, which raises "some old questions about the security of Gmail," on January 13th, when very little was known about the nature of the attack. In a phone call today, Bruce told me that, had he known about the actual nature of the attack (that it involved a zero-day vulnerability in Internet Explorer and that humans may have played a role as well), he might have worded his post differently. As a result of my inquiry, Bruce said he plans to revise the post today.

In his original blog post, Bruce wrote:

The fact that Google was hacked by cybercriminals is hardly surprising. The fact that these criminals would go after email in the cloud is not surprising, either. After all, e-mail is the most visible, most popular and to many people, most important application running in the cloud today. The fact that Google would consider pulling its entire business out of China because of these hackers just emphasizes the importance of security in the cloud, while raising some old questions about the security of Gmail - issues we have discussed in the past.

However, today's news also carries a broader message for all IT vendors. As we increasingly move applications to the cloud, we have to focus on security. Until we can guarantee security of all applications in the cloud, adoption of cloud computing will continue to lag. Security is already the leading concern among IT executives considering cloud as part of their IT infrastructure, and the news from Google will only accentuate this concern. Identity and security management needs to be intrinsic to all applications deployed into the cloud. This is the premise behind Novell's approach to the emerging intelligent workload management market.

Novell's collaboration strategy is to ensure that our solutions are secure, regardless of whether they are running in the cloud or on-premise....

By leveraging the China/Google incident into a misguided yet derisive commentary on the state of cloud security, Bruce's post calls the trustworthiness of Novell's other messaging into question.

Yes, the email accounts that the Chinese government was hoping to compromise were hosted by Gmail. But as it turns out, the cloud-based nature of Gmail had nothing to do with the highly sophisticated attack that targeted not just Google but at least 32 other companies as well, many of which were not cloud computing companies. Two of those companies were apparently Adobe and Juniper Networks. Some of the companies were defense contractors (Northrop Grumman and Dow Chemical are rumored to have been hit) and others are rumored to be in the finance sector.

The assault was based on a zero-day vulnerability in Microsoft's Internet Explorer Web browser that, when exploited (and in a fashion that's typical of many such attacks), basically gives the attacker the same access to the target PC's local and networked resources that the actual user of that PC has. The incident has prompted the French and German governments to recommend not using Internet Explorer. Wisely, however, those advisories make no such recommendation when it comes to cloud computing.

In the case of Google, the attack was apparently designed to gain access to another specific system behind Google's firewalls. The intrusion has led to further speculation (and an official Google investigation) that someone inside Google with knowledge of that system was collaborating with the Chinese.

Had the same highly sophisticated attack involving an insider been perpetrated against a company running Lotus Notes, Microsoft Exchange, or Novell's GroupWise (and in those 32 other companies that were attacked, that was probably the case), the Internet Explorer-related nature of the vulnerability would have left those companies equally defenseless.

I mentioned to Bruce that his post and the way in which it connected the China/Google incident to a positive message about Novell left a bad taste in my mouth.

In reply, Bruce said "the leading disadvantage of cloud is perceived to be security and my point is that this incident is just going to reinforce that perception. We as an industry have work around the perception that cloud-based computing is inherently insecure. That was more of the point. There may be some security issues with Gmail."

Which is where I interrupted him and asked "But what security issues with Gmail?" Bruce then asked me what has been reported and I updated him on what is known about the attack.

In response, Bruce said "If people or the browser were involved, then I would revise my post. The main point however, whether real or imaginary, is that there's a perception that the cloud is insecure and as an industry, we have to correct that perception."

In response to our call, Bruce has so far replied in the comments area to my original post. In that reply Bruce wrote:

I agree we're still learning what was at the root of the security breach - when I wrote my 1/13 post the details were very sketchy. The latest news suggests IE and not PDF vulnerabilities, and the WSJ reports Google is investigating its Chinese staff, but the picture is still incomplete.

My intention in my post was to point out that whatever the cause, the news from Google will only exacerbate existing concerns about cloud security overall, and this will slow adoption.

In a follow-up email, Bruce said to expect a revision to his original blog post on Novell's Web site.

David Berlind is the chief content officer of TechWeb and editor-in-chief of TechWeb.com. David likes to write about emerging tech, new and social media, mobile tech, and things that go wrong and welcomes comments, both for and against anything he writes. He can be reached at [email protected] and you also can find him on Twitter and other social networks (see the list below). David doesn't own any tech stocks. But, if he did, he'd probably buy some Salesforce.com and Amazon, given his belief in the principles of cloud computing.

Twitter: (@dberlind) My Facebook Page Flickr (davidberlind) YouTube (TechWebTV) FriendFeed (davidberlind) Del.icio.us (dberlind ) Me on LinkedIn Plaxo (davidberlind) Disqus (DavidBerlind) myGoogle Profile (David.Berlind)
