5 Tips from Hackers on Cloud Computing

While many companies are considering moving applications to the cloud, the security of the third-party services still leaves much to be desired, security experts warned attendees at last week's Black Hat Security Conference.

The current economic downturn has made cloud computing a hot issue, with startups and smaller firms rushing to save money using virtual machines on the Internet and larger firms pushing applications such as customer relationship management to the likes of Salesforce.com. Yet, companies need to be more wary of the security pitfalls in moving their infrastructure to the cloud, experts say.

"Guys at the low end are using (cloud infrastructure) to save money, but the danger is that the guys at the top end start to use it without any auditing," says Haroon Meer, technical director at security firm SensePost, who discussed his team's research into some aspects of Amazon's Elastic Compute Cloud (EC2) at the Black Hat security conference.

[ For timely data center news and expert advice on data center strategy, see CIO.com's Data Center Drilldown section. ]

Their experiments showed that companies frequently do not scan the third-party machine instances available from some providers. A malicious instance could easily be created as a Trojan horse to gain access to a company's internal network, Meer said.

5 Lessons of Cloud Computing

With those pitfalls in mind, here are five lessons from the presentations at Black Hat.

1. Cloud offers less legal protection Companies need to realize that data in the cloud is subject to a lower legal standard in terms of search and seizure. The government, or an attorney focused on discovery, may be able to subpoena the data without a search warrant.

Cloud providers are more concerned with protecting themselves and not the client, says Alex Stamos, a principal security consultant at iSec Partners, so don't expect the legalese in service agreements to favor your company.

"All of these (cloud-services) companies have very active and very well-trained legal departments," Stamos said. "And as a result, the agreements you agree to when you sign up for these services, basically promise you absolutely nothing."

If someone breaks in because of the provider's mistake, the client agrees not to hold the firm responsible. If there is a data loss because of a data center failure, the provider are not obligated to do anything for you, Stamos says.

It would be nice, he adds, if there were language that said they will attempt to help you.

"It would be nice if they had language in there that said if there is a security breach, we will try to give you a hand up," he says. "This seems to be where there is a disconnect between the cold heartless world of the lawyers, and the nice warm security (ethics) of the company."

2. You don't own the hardware Companies who want to audit their providers and do their own testing need to remember that they don't own the hardware. Conducting a vulnerability scan or a penetration test requires the explicit permission of the cloud-service provider, Stamos warns. Otherwise, the client is hacking the providers' systems.

While some service agreements, such as Amazon's, specify that the client can conduct testing of their software running on the provider's systems, getting explicit permission is key, he says.

"The recommendation ... is that, if you are asked to pen-test applications in the cloud, they (the legal experts) recommend that you get permission from someone at the company," he said. "Because certainly, by the letter of the law the legal ownership of those machines is very important."

3. Strong policies and user education required While cloud computing offers companies immense benefits, such as allow access to data from anywhere and removing maintenance headaches from the IT staff, the always-on service also means that phishing attacks that hit workers at home could threaten the company.

Thus, educating users about the dangers, not only to themselves but to their company, is key, said iSEC's Stamos.

"It is very difficult to teach all the non-technical users in your company about how to not be phished, but the fact of the matter is, with software-as-a-service, phishing attacks are going to be something that stops being a personal issue and starts becoming a enterprise-wide security issues," he said.

4. Don't trust machine instances When using a virtual machine from a provider, such as the third-party instances created on Amazon's Elastic Cloud Computing (EC2) infrastructure, companies should never trust the system, says SensePost's Meer.

The company's researchers scanned a number of pre-configured instances and found authentication keys in the caches, credit-card data and the potential for malicious code to be hidden within the system. Yet, they found most of their customers did not consider the security implications of using a machine image created by the third-party developer.

"Some customers have based an entire authentication server off of pre-configured images," SensePost's Meer said.

Companies should either create their own images for internal use, or protect themselves technically and legally from potentially malicious third-party developers, Meer says.

5. Rethink your assumptions In all cases, when considering security, corporate information-technology managers need to reconsider their assumptions in the cloud.

For example, when deploying an application to run on a computing instance in a virtualized data center, features that rely on random number generation will not necessarily work as expected. The problem is that virtual systems have much less entropy than physical ones, so random numbers could be guessable, iSEC's Stamos says.

"You need to consider the non-obvious," he says.

Facebook Should Skip Google Challenge, FriendFeed Or Not

Speculation that Facebook is on its way to becoming a full-fledged search engine is, well, odd. Merely buying four former top Google engineers when acquiring FriendFeed does not a new search engine make. And it's a bad idea, besides.

What's more, Facebook has too much work to do on its core social networking platform to also build a next-generation search engine. Better to cut a deal with Bing, I think, if a general-purpose search engine is what Facebook wants.

The new search features on Facebook, allowing you to see in real-time what at least some users are posting on their FB pages, don't much interest me, but succeeds in making the service all the more Twitter-like. That seems to have been an important goal at Facebook and I hope they now will move on.

Purchasing FriendFeed, which seemed to be going nowhere, seems like an enlightened act of charity. The four previously mentioned former Google stars that founded the company get a graceful exit from FriendFeed and an excuse when the service eventually shuts down.

Facebook might benefit from some of Friendfeed's functionality, which was essentially as an aggregator of a user's various social network feeds. I have a FriendFeed account but never used it because I had better things to do than approve the same friends a second time and interact with another service.

Adding FriendFeed to Facebook would solve that problem and make the service easier to use, sitting as it would on many people's primary social network. It demonstrates that just because a company has created something more akin to a product feature than a full-fledged product doesn't means it won't eventually find a good home.

The real value of the new FB search tool will blossom only once the service's 250 million users start using the service's new privacy features to make their status updates viewable (and searchable) by everyone.

Mine is already set that way, because my Facebook page is in some ways an extension of this blog--but be warned it's very political.

Most people, I think, consider Facebook's ability to limit the reach of their postings to be more of a benefit than a hassle. That works against the value of a systemwide Facebook search capability.

Circling back, I think the only value of adding a Google-like total Internet search to Facebook would be its ability to generate revenue in amounts that have eluded FB thus far. But, as I said, this can be done quite effectively though a search partnership that avoids FB having to create an entirely new technology platform.

Top 10 Must-Have iPhone Business Apps

Need to edit an Excel file on the fly? Want to update your Web site via FTP while crammed on a subway car? These 10 essential business apps for your iPhone will help you run your business from your back pocket.

Daniel Ionescu, PC World

Get Work Done With These iPhone Business Apps

After throwing your laptop, charger, and spare battery into your travel bag as you head out the door, suddenly you don’t feel so mobile anymore. One solution is to rely more on your iPhone for basic business tasks, such as grabbing data from your company’s computer systems, managing a Web site, and even viewing, editing, and storing Word and Excel files.

For road warriors, the iPhone isn’t just about games--it can be a powerful business tool. With Apple’s release of the iPhone 3GS, the handset gains better security and improved real-time e-mail delivery, both appealing features for business users and their companies' IT departments.

Need to keep track of invoices, manage your eBay storefront, or log your mileage? "Yep, there's an app for that!" After consulting with mobile business experts, we collected the best business apps that the iPhone has to offer.

Who knows--maybe on your next business trip you’ll be able to leave that hulking ultraportable laptop behind.

Want to take a break from work? Other iPhone apps can keep you challenged, entertained, and dreaming of summer vacation. For more, see the slide shows below. And to read descriptions and reviews of thousands of iPhone apps, be sure to visit PC World's brand-new App Guide.