NIST SP800-144: Guidelines on Security and Privacy in Public Cloud Computing

NIST has released the final version of Special Publication 800-144 (SP 800-144). Perhaps the single biggest takeaway from the guide is that risk management has not changed fundamentally from non-cloud environments, but the devil may be in the details.

It offers the following list of security benefits that can come with a transition to public cloud.

Benefits

  • Staff specialization
  • Platform strength
  • Resource availability
  • Backup and recovery
  • Mobile endpoints
  • Data concentration

You might read that list and want to ask “yes, but what about all the Amazon outages or the high-profile breaches like Dreamhost…,” which is why the guide also spells out a “Security and Privacy Downside” for each area.

Risks

  • System complexity
  • Shared multi-tenant environment
  • Internet-facing services
  • Loss of control

CVE-2011-3923: Apache Struts2

o0o security research has posted a review of the SEC Consult Vulnerability Lab security advisory on Apache Struts2, along with a remote code execution exploit.

The problem, in brief, is that Struts2 fails to properly handle user input. A remote attacker can execute arbitrary code by abusing a design flaw in how HTTP parameter names are handled before being passed to the Object-Graph Navigation Language (OGNL) evaluator.

CVE-2011-3923 is the result of ParametersInterceptor accepting parentheses in parameter names. OGNL treats a parenthesised name followed by a parenthesised argument list as an expression evaluation, so a request such as the following can be used to exploit it:

/myaction?foo=&(foo)('meh')=

and here’s what happens:

  1. The action attribute foo is set to the value of the foo HTTP parameter, which holds the attacker’s OGNL statement.
  2. The second HTTP parameter, named (foo)('meh'), is evaluated as an OGNL expression-evaluation statement: the foo attribute is retrieved from the action (remember, we control its value via the first HTTP parameter) and its value is evaluated as another OGNL statement.
  3. Because the attacker’s OGNL statement is carried in a parameter value rather than a name, it never passes through the parameter-name whitelist regular expression, so it may contain special symbols that modify OGNL context properties and allow method execution.
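The three steps above come down to one weakness: the whitelist is applied to parameter names only. The following added example (not code from the advisory or from the Struts project) models that check in Python and runs it over sample request URLs, including the advisory’s proof-of-concept shape. The two regular expressions are assumptions that approximate the Struts2 ParametersInterceptor acceptedParamNames pattern before and after the fix; the “#x” value in the second sample URL is a constructed stand-in for an attacker-controlled value, not a working payload.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Parameter-name whitelists modelled on Struts2 ParametersInterceptor's
# acceptedParamNames. Assumption: the first approximates the pre-fix pattern
# that allowed parentheses, the second the fix that removed them.
VULNERABLE_NAME_RE = re.compile(r"^[a-zA-Z0-9.\]\[()_'\s]+$")
FIXED_NAME_RE = re.compile(r"^[a-zA-Z0-9.\]\[_'\s]+$")

# (expr)('x') or (expr)(x): OGNL reads a parenthesised left-hand side followed
# by a parenthesised argument list as "evaluate expr, then evaluate its result".
OGNL_EVAL_NAME_RE = re.compile(r"^\(.+\)\(.*\)$")

# Request shape taken from the advisory; the value of foo is left empty there.
POC_URL = "/myaction?foo=&(foo)('meh')="


def parse_params(url):
    """Split a request URL into (name, value) pairs, keeping empty values."""
    return parse_qsl(urlsplit(url).query, keep_blank_values=True)


def accepted_names(params, pattern):
    """Names that a whitelist applied to parameter *names* lets through."""
    return [name for name, _ in params if pattern.match(name)]


def triage(url):
    """Classify one request against the CVE-2011-3923 pattern.

    Reports which names each whitelist accepts, whether an accepted name is an
    OGNL expression evaluation, and which parameter values carry characters the
    name whitelist would have rejected but never inspects (step 3 above).
    """
    params = parse_params(url)
    vuln_ok = accepted_names(params, VULNERABLE_NAME_RE)
    fixed_ok = accepted_names(params, FIXED_NAME_RE)
    eval_names = [n for n in vuln_ok if OGNL_EVAL_NAME_RE.match(n)]
    unchecked_values = {n: v for n, v in params
                        if v and not VULNERABLE_NAME_RE.match(v)}
    return {
        "vulnerable_accepts": vuln_ok,
        "fixed_accepts": fixed_ok,
        "eval_names": eval_names,
        "unchecked_values": unchecked_values,
        # Exploitable only while a name of the (expr)(args) form gets through.
        "exploitable": bool(eval_names),
    }


if __name__ == "__main__":
    # Constructed samples: a benign request, the advisory's PoC shape, and the
    # PoC with a value containing "#" (URL-encoded as %23) to show it is never
    # checked by a name-only whitelist.
    for url in ("/myaction?name=alice&page=2",
                POC_URL,
                "/myaction?foo=%23x&(foo)('meh')="):
        print(url, "->", triage(url))
```

Run against a web server access log, the `eval_names` field is the one worth alerting on: a parameter name containing a parenthesised expression has no legitimate use in a Struts2 form and is the fingerprint of this class of attack, whether or not the payload in the value is recognisable.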

Why the NYPD hates bicyclists

There is ample evidence that the NYPD harshly and regularly discriminates against bicyclists. In a city that would benefit immensely from alternative transportation, one might expect the police to spearhead a campaign to promote and protect cycling. They do the opposite instead.

A recent case adds a new twist to what is really happening on the streets: the police spent more resources on surveillance of the family who suffered a loss than on investigating the driver who caused it.

Incredibly, there are no photos of the scene of the incident in the NYPD’s file because “the investigators’ camera was broken.” However, the file does contain “numerous” photos of the Lefevre family and their attorney, prompting Erika Lefevre to write, “Apparently, NYPD cares more about investigating our family’s efforts to get information from it, than about properly investigating Mathieu’s death.”

[…]

A description of surveillance video of the crash, as provided to Streetsblog, describes Mathieu being struck by the passenger side of the truck before being hit again by the driver’s side wheel. The footage makes the NYPD’s decision to not file criminal charges against Degianni all the more puzzling.

Camera broken? The police in New York City could not find a single functioning camera?

The necessary change, if you agree with the risk thermostat theory I’ve written about before, is to get the police out of their tax-guzzling gasoline cars (you thought I would say doughnut shops, didn’t you) and onto bicycles. It would help if city officials also rode, like Mayor Villaraigosa in Los Angeles.

The mayor was riding in the bicycle lane on Venice Boulevard in Mid-City at about 6:50 p.m. when a taxi abruptly pulled in front of him. The mayor hit his brakes and fell off the bike.

[…]

The mayor’s accident comes as bicyclists in the city have increasingly been complaining about safety issues and pressing city officials to do more to make cycling safe.

It is a sad fact that one incident in Los Angeles has had a very different outcome than all the combined accidents in New York, but that is further evidence of how large a factor empathy plays in our risk thermostat.

Just one month after he was injured in a bicycle accident, Los Angeles Mayor Antonio Villaraigosa spearheaded a special bike summit on Monday morning, aimed at improving bicycle safety across the city.

Even with the run-ins between cyclists and the police, and the lack of training about why cyclists are safer and easier to deal with, the economical and logical fix is more police and officials riding bicycles. That would generate empathy and dramatically shift their view of how incidents should be investigated.

VMware Cloud Prediction Talk

Chris Colotti and Massimo Re Ferre’ are hosting a #cloudtalk next week on cloud predictions for 2012. Please join and help flood them with questions about compliance and security:

In a recent Fortune article, Mathew Lodge predicted the hybrid cloud will continue to grow and that Platform-as-a-Service will win the hearts of developers. Do you agree or disagree? We want to hear your thoughts during our first #cloudtalk of 2012 on January 31st at 11am PT.