From: Bernardo Lopez (SAL-LA)
Sent: Monday, August 30, 2010 9:35:25 AM
Subject: Vast Scale of cloud hacking claimed in DEF CON survey
Auto forwarded by a Rule
Vast scale of cloud hacking claimed in DEF CON survey
25 August, 2010
An in-depth survey carried out amongst 100 of the elite IT professionals attending this year's DEF CON 2010 Hacker conference in Las Vegas recently has revealed that hackers view the cloud as having a silver lining for them -- as well as a gold, platinum and diamond one. An overwhelming 96 percent of the respondents to the Fortify Software-sponsored poll said they believed the cloud would open up more hacking opportunities for them.
This is being driven, says Barmak Meftah, chief products officer with Fortify, by the belief from the hackers, that cloud vendors are not doing enough to address the security issues of their services.
"89 percent of respondents said they believed this was the case and, when you analyze this overwhelming response in the light of the fact that 45 percent of hackers said they had already tried to exploit vulnerabilities in the cloud, you begin to see the scale of the problem," Meftah said.
"While 'only' 12 percent said they hacked cloud systems for financial gain, that still means a sizeable headache for any IT manager planning to migrate their IT resources into the cloud," he added.
According to Meftah, when you factor in the prediction from numerous analysts that at the start of 2010 20 percent of businesses would have their IT resources in the cloud within four years, you begin to appreciate the potential scale and complexity of the security issues involved.
In the many predictions, he explained, 20 per cent of organizations would own no appreciable IT assets, but would instead rely on cloud computing resources - the same resources that 45 percent of the DEF CON 2010 attendees in the survey cheerfully admitted to already having tried to hack.
Breaking down the survey responses, 21 percent believe that Software-as-a-Service (SaaS) cloud systems are viewed as being the most vulnerable, with 33 percent of the hackers having discovered public DNS vulnerabilities, followed by log files (16 per cent) and communication profiles (12 per cent) in their cloud travels.
Remember, says Meftah, we are talking about hackers having DISCOVERED these types of vulnerabilities in the cloud, rather than merely making an observation.
DEF CON has evolved considerably since the first event was held way back in 1993, and the hackerfest in the last couple of years has attracted 8,500 of the world's top hackers and IT security researchers. "Anecdotal evidence suggests this year's Las Vegas event was even more successful, meaning that our survey results highlight the very real security challenges that lie ahead for cloud vendors and security defense professionals," he said.
"More than anything, this research confirms our ongoing observations that cloud vendors - as well as the IT software industry as a whole - need to redouble their governance and security assurance strategies when developing solutions, whether cloud-based or not, as all IT systems will eventually have to support a cloud resource," he added.