Category Archives: Security

Fortify Survey: DefCon attendees more likely to want exploits

Fortify has been running surveys at conferences and reporting each result in isolation. I thought it made more sense to put them together, or at least compare the results. To start with, a survey at the InfoSec Europe conference this past June claimed that IT Professionals Are Hacking Their Own Enterprises To Keep Intruders Out:

Half of the respondents admitted to hacking, with 73% of these respondents doing so to test the strength of their own network’s defences, 13% for fun or out of curiosity, and 3% targeting their efforts at the competition.

This number of 50% was down significantly from a survey at the RSA North America conference in March:

Eighty-eight percent of respondents admitted to doing some hacking themselves — mostly for work purposes, they said.

Thus, while half of the attendees at the first conference admit to hacking, the second conference has almost ninety percent. They just announced a new survey result, based on only 100 attendees at DefCon that pushes the number higher…as you might expect.

an overwhelming 96 percent of the respondents to the Fortify Software-sponsored poll said they believed the cloud would open up more hacking opportunities for them.

This is being driven, says Barmak Meftah, chief products officer with the software assurance specialist, by the belief from the hackers, that cloud vendors are not doing enough to address the security issues of their services.

“89 percent of respondents said they believed this was the case and, when you analyze this overwhelming response in the light of the fact that 45 percent of hackers said they had already tried to exploit vulnerabilities in the cloud, you begin to see the scale of the problem,” he said.

This is a good example of how the term “cloud” gets thrown into something IT related to generate interest. I am confident that if you survey attendees at any security conference anywhere, the vast majority are going to say not enough is being done to address security issues. That is not really a cloud point. The more interesting question would be what is lacking, since this would force a more thoughtful response and give some clues into what needs to be done. Even a multiple choice of what in security is lacking would get a more accurate response than just “is enough being done, yes/no”.

The DefCon survey also seems to ask more about future and potential opportunities rather than present hacking practices, found in the first two surveys. That slight change also pushes the percentage higher and makes results read differently.

That is why I say the headline is not so much about a giant new opportunity for hacking the cloud, given the past two surveys as reference, but instead about attendee attitudes at different conferences. More attendees at DefCon openly admit that they will hack, while attendees at other security conferences often (nearly 25%) refused to comment or refused to admit hacking in the past. The one problem with this theory is that only 45% at DefCon admitted to a past hack, about 5% lower than InfoSec Europe. Perhaps that gives us reason to say DefCon attendees are more hopeful to try and find an exploit in the future (they call them opportunities) but other conference attendees are more likely to be working on finding them now.

My VMworld North America Session

Here is the detail on my session at this year’s VMworld North America conference, in case you are interested in attending. I will join Jian Zhen, VMware Director of Cloud Solutions, to present on Compliance in the Cloud: Managing Risks and Addressing Concerns:

As more and more Enterprises consider Infrastructure as a Service (IaaS) as part of their overall IT strategy, questions around compliance and security in public clouds are often raised. Where does the data actually reside and how is it being protected? Has the service provider gone through specific compliance audit controls for their data center and infrastructure? How about control over access to my environment? How is role-based access managed? How are security and firewall policies managed? Join this session to learn about:

  • The current state of security and compliance within IaaS
  • What Enterprise customers are saying about their requirement needs for security and compliance in the cloud
  • What the industry is doing to address these needs
  • What to look for in a cloud provider to ensure that your compliance requirements are met

Session ID: PC9920

  • Tuesday, August 31, 12:30pm, Moscone West #2006
  • Wednesday, September 1, 9:00am, Moscone West #2006

CONSEGI 2010 – Amãpytuna

The Brazilian Embassy has this description posted on their home page:

III International Congress of Free Software and Government. CONSEGI is an important space to promote the exchange of experiences and information among Government Institutions, Society and representatives of partner countries. Lectures, panels and workshops will take place in the 2010 edition that will be marked by discussion on the topic “Cloud Computing”.

CONSEGI is held in Brasilia, Brazil each year (photo by me):

CONSEGI, Brasilia, Brazil

It would be an understatement to say I am super impressed with the energy, skill and expertise of computing in Brazil that was found at CONSEGI. Another American at the conference, who travels constantly for work, commented to me there that many in the US are unaware of many amazing developments happening outside our country. It is easy to see why he would say this. Surveys show technology adoption rates now skyrocketing in Africa and South America, yet it is Asia and Europe that still dominate the “international” section of tech news at home.

We should avoid thinking of this as a language barrier. Portuguese may be less common but the CONSEGI conference ran smoothly with attendees speaking Spanish, English, French and even Korean. I found myself wondering why real-time multi-lingual translations are not an option at Black Hat or RSA. Have I missed something? CONSEGI offered it as standard and I was very grateful to be able to attend sessions with language options using some cool technology.

Paola Garcia Juarez presents in Portuguese, a mathematical model to estimate trust and security of Cloud Computing services (photo by me):

Cloud Girl presentation at CONSEGI

Actually, I was more than grateful. After I played around with a “translation box” I had a discussion at lunch with a brilliant executive from a major Linux distribution. We covered details of infrared wave technology, security and economics. It was a real change from the RFID focus (kind of like laser focus, but not) I usually find at conferences. Since US Army deployed massive amounts of RFID for military operations in 1992 (Somalia) it seems RFID has dominated the American perspective. That brings me to my second point.

We also should avoid thinking of this as a cultural barrier. Disparity in culture and aims actually is a benefit. The topic of the conference was Cloud Computing. A panel of eGovernment experts representing countries of the Southern Hemisphere (hint: there are five Portuguese-speaking countries in Africa) quickly brought to the table universal technology advantages and challenges, from very different perspectives. Ten minutes into just one of these sessions would probably blow the mind of most IT managers that are used to hearing only one perspective. The resourcefulness and creativity of people with diverse backgrounds working together created a rich source of new information.

The Cloud Camp was another highlight of the conference. Topics such as security of virtualization, best practices in cloud compute memory and storage management, and how to evaluate providers all were discussed in detail by attendees.

Technical labs were organized around the conference and it was cool to see them packed full of students learning their P’s (e.g. Postgres, Python, PHP, Perl).

Meetings and sessions ran smoothly, the weather was superb, live musicians were very talented and attendees represented a very wide range of ages and cultures. CONSEGI is a world-class event that should not be missed by anyone interested in global technology. I was honored to present this year on Digital Forensics and Investigations in the Cloud.

Amãpytuna? It is a word from the Tupi area of Brazil and the title of a book on cloud computing that came in the registration packet. Just one example of the many details not to be overlooked; keys from a wider perspective that could help find solutions in the future of information security.

Windows Remote Execution Flaw – Binary Planting

The Register says at least 40 applications and the Windows operating system are vulnerable to remote-code execution. Here is the bit that caught my attention:

“Since Windows systems by default have the Web Client service running – which makes remote network shares accessible via WebDAV – the malicious DLL can also be deployed from an Internet-based network share as long as the intermediate firewalls allow outbound HTTP traffic to the Internet.”

This immediately reminded me of CVE-2010-2568, the recent and infamous Windows shell exploit that also relied on the WebClient service, based on Web Distributed Authoring and Versioning (WebDAV). Could it be coincidence or was someone researching that exploit — they tried the same attack vector from the network — when they found this one? I know I was asking why a WebDAV exploit was used for the USB-based attack and whether it would work with a network share. That itch is now scratched.

I wrote earlier

WebClient is even disabled by default in server versions of Windows since 2003.

That contradicts The Register but it is true. I just checked again and as far as I can tell not all Windows systems have WebClient enabled. Many more should probably have it disabled by default.
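Since the question of whether WebClient is enabled turns out to vary by Windows edition, here is a small PowerShell audit-and-harden script, added as an example for this post (it is not from The Register article or from the original DLL research). It reports whether the WebClient service is installed, running, and how it is set to start, and can then stop and disable it. The function names `Get-WebClientStatus` and `Disable-WebClient` are my own; the cmdlets, the service name `WebClient` and the `Win32_Service` class are standard Windows ones. Run it from an elevated PowerShell session.

```powershell
# Added example (not code from the post): audit and optionally disable the
# WebClient service (the WebDAV redirector). When it runs, remote WebDAV
# shares look like ordinary network shares, which is what lets a planted
# DLL be loaded from a share that is really on the Internet.

function Get-WebClientStatus {
    # Returns an object describing whether WebClient exists, its current
    # state, and its configured start mode (Auto, Manual, Disabled).
    $svc = Get-Service -Name WebClient -ErrorAction SilentlyContinue
    if (-not $svc) {
        # Edge case: server editions without the Desktop Experience feature
        # have no WebClient service at all, so there is nothing to disable.
        return [pscustomobject]@{
            Installed = $false
            Status    = 'NotInstalled'
            StartType = 'n/a'
        }
    }
    # Win32_Service exposes the start mode, which Get-Service does not on
    # older PowerShell versions.
    $cim = Get-CimInstance -ClassName Win32_Service -Filter "Name='WebClient'"
    [pscustomobject]@{
        Installed = $true
        Status    = $svc.Status.ToString()   # Running, Stopped, ...
        StartType = $cim.StartMode           # Auto, Manual, Disabled
    }
}

function Disable-WebClient {
    # Stops the service and sets its start type to Disabled so it cannot be
    # trigger-started later. -WhatIf only reports what would be changed.
    param([switch]$WhatIf)

    $state = Get-WebClientStatus
    if (-not $state.Installed) {
        Write-Host 'WebClient is not installed on this system; nothing to do.'
        return $state
    }
    if ($state.StartType -eq 'Disabled' -and $state.Status -ne 'Running') {
        Write-Host 'WebClient is already stopped and disabled.'
        return $state
    }
    if ($WhatIf) {
        Write-Host "Would stop WebClient (currently $($state.Status), start type $($state.StartType)) and set it to Disabled."
        return $state
    }

    Stop-Service -Name WebClient -Force -ErrorAction Stop
    Set-Service  -Name WebClient -StartupType Disabled
    Get-WebClientStatus
}

# Usage: show the state first, then harden. Drop -WhatIf to apply the change.
Get-WebClientStatus | Format-List
Disable-WebClient -WhatIf
```

The trade-off worth knowing before rolling this out: with WebClient disabled, users can no longer map WebDAV shares or use "Open in Explorer" style features against WebDAV servers such as SharePoint. On workstations that do not need those, disabling the service is the cheapest way to remove the Internet-share variant of the attack described above, and the audit function alone is a useful inventory check for which machines still have it running.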