by Jake Kouns, 2010-04-29 20:40:33 UTCIntroducing Cloutage

“A wise man changes his mind, a fool never.” - Spanish Proverb

Open Security Foundation is a 501(c)(3) non-profit public organization founded and operated by information security enthusiasts. OSF runs a project called OSVDB that provides accurate and unbiased information about security vulnerabilities in computerized equipment. From the creation of the project there was detailed conversation around what information should be included in the project and a specific topic that was a challenge to address was what we termed "Site Specific" vulnerabilities. Site specific vulnerabilities are those that are not detailing a weakness in a particular piece of software that a customer might download and install, but rather the exact location of an online service where that vulnerability exists. Instead of explaining how to pick a lock if you happened to find one, a site specific vulnerability would in theory direct you to someone's home and give you directions how to break in. OSF officers in January of 2006, explained publicly that the OSVDB project aimed to provide useful information to help improve the level of security for the community, and they believed that a site specific vulnerability did not fall in that category currently. The goal was not to provide the address of a single family home and provide information to help someone break the lock. If the vulnerability was in a company website or an online service which was not able to be downloaded and installed by an individual it was not deemed eligible for inclusion. While we still believe this was the right decision at the time it did not come without some pain as many OSF officers/contributors personally found it extremely interesting and believed that this data was extremely valuable.

We are now at a point where there is a real difference between Site Specific Vulnerabilities and Cloud Services. If we once again look at our real estate example; think of it this way, Site Specific vulnerabilities are those that are in single family homes and a Cloud Service are those that are multi-tenant. When multiple tenants rely on the security of one lock it changes the risk exposure entirely. With the increasing move to the Cloud it is critical to understand the risks and how Cloud Solution Providers are protecting their customers. With its distinct advantages, more and more organizations are relying on the Cloud and online services and will find great value in knowing about an issue with their provider. The fact that many businesses are putting their critical data and production services in the Cloud, suggests that vulnerabilities in the Cloud are just as dangerous as vulnerabilities in the software deployed on their own network.

OSF is now proud to introduce a new project called Cloutage (the site is located at cloutage.org) that will bring enhanced visibility and transparency to Cloud security.

Cloutage's goal is to provide unbiased knowledge and security resources on Cloud Computing so that organizations properly manage information security risks. Cloutage captures data about incidents affecting cloud services in several forms including vulnerabilities that affect the confidentiality and integrity of customer data, automatic update failures, data loss, hacks and outages that impact service availability. Data is acquired from verifiable media resources and is also open for community participation based on anonymous user submissions. Cloud Solution Providers are listed on the website and the community may provide comments and ratings based on their experiences. Cloutage also features an extensive news service, mailing lists and links to organizations focused on the secure advancement of cloud computing.

There are many new features in the works and we are actively looking for people that would like to blog about cloud security. If you are interested in helping the project please contact us at stewards at cloutage.org.

by Jake Kouns, 2010-08-12 06:19:12 UTCCloutage Outage - The Cloud Poked Back...

Our stated intention is that we want to implement the Cloutage project using 100% cloud-based services. Our goal is to document our efforts to migrate to the cloud and resulting service levels that we experience. So far, the project utilizes Amazon EC2 for hosting, Amazon EBS for storage and Intense Debate for comments -- all cloud services. The initial setup took a bit longer than we thought but all and all it was relatively painless and straight forward. However, today we had our first unexpected issue with Amazon EC2......

As you have read, we have been working hard to backfill past events while delivering the most current news on cloud security. Each time that we approve a news post or new incident we update the site, post it to our Twitter feed (@cloutage) and of course send it out to our mailing lists. Well, it appears that EC2 has a limit on the amount of mail sent out and if you exceed the limit, you receive this canned email:

--------------------------------------------------------------------------------------
Dear EC2 Customer,
You recently reached a limit on the volume of email you were able to send out of SMTP port 25 on your instance:

In order to maintain the quality of EC2 addresses for sending email, we enforce default limits on the amount of email that can be sent from EC2 accounts. If you wish to send larger amounts of email from EC2, you can apply to have these limits removed from your account by filling out our online request form.

If you are unaware of your instance having sent emails, we advise checking your instance application(s) to confirm that this activity was intended. It is your responsibility to ensure that your instances and all applications are secured against unauthorized use. For suggestions on securing your instances, reference this whitepaper: Tips for Securing Your EC2 Instance

Regards,
Your Amazon Web Services EC2 team
--------------------------------------------------------------------------------------

Its nice to see that it is our responsibility to secure our instances. It was also nice to see that we apparently sent out too many emails (our mailing lists are certainly growing) and they cut us off without a warning message or indication of what the limit is. Either we overlooked the information that explained this policy, which is entirely possible, or it wasn't posted. Since this is a volunteer run project we were not able to handle it as soon as this email came to us early in the morning. However, after getting home from the day job and spending some time with the family I saw the email and was able to log into our account to address the issue. I provided what I thought was a very simple but valid reason basically explaining that we have several mailing lists on the website and we need to have this limit removed if we are to continue hosting with EC2.

Once I submitted the reason in the online form we were redirected to a page that stated:

--------------------------------------------------------------------------------------
Request to Remove Email Sending Limitations Received

Thank you for submitting your request. It is our intention to meet your needs. We will review your use case and normally respond to requests within 2-3 business days.

--------------------------------------------------------------------------------------

So...... we started to get worried that anyone on our mailing lists wouldn't get our updates for several days and there was nothing we could do about it. Then we thought, hopefully people will continue to check out the website and follow us on Twitter so it wouldn't be that big of an impact. But wait, if we were hosting at EC2 and this was critical to our business could we get this resolved immediately? We started to look around the support pages and couldn't find any number to call and in fact it wasn't very clear how to escalate the issue. The only thing that looked reasonable was to fill out another form for additional inquiries... so that is what we did. Would this help speed up the process?

Just when we started to think it would be another couple days before we heard back we received an email that stated:

--------------------------------------------------------------------------------------

Hello,

We've reviewed and approved your request for the removal of the EC2 e-mail sending limitations on your Amazon Web Services account. There are no longer limitations on your account for any IPs and instances under your account. If you requested removal of e-mail sending limits on Amazon Elastic IPs, they've also been removed.

Thank you for your recent inquiry. Did I solve your problem?

--------------------------------------------------------------------------------------

So here is the bottom line: The bad news was that they shut off our ability to send outbound email without any notice or warning. Our own total "cloutage" was approximately 21 hours but the good news was that once we contacted support via the support form they were responsive. The initial scare of having to wait 2 to 3 business days really amounted to approximately 3 hours before they replied and removed the limitations on the account.

If you are thinking of using EC2 for sending emails please keep this in mind and we would suggest you proactively contact them to get an exception. You should be able to use this link: http://aws.amazon.com/contact-us/ec2-email-limit-request/

As always if you are interested in getting involved with or sponsoring the project please contact us as stewards@cloutage.org.

by Jake Kouns, 2010-09-08 03:58:35 UTCOpen Security Foundation Announces New Advisory Board

As security vulnerabilities and data loss incidents become a regular occurrence, the Open Security Foundation has grown from supporting a single project in 2004 to a leading provider of filtering through security information and providing notifications and aggregation for data for data loss and cloud security incidents.

The Open Security Foundation has evolved into one of the most utilized resources in providing security information, and as a 501c3 non-profit organization relies heavily on public contributions, volunteer effort and corporate sponsorships.

The growing demand for information to provide proper risk management has led to additional projects and now the introduction of an advisory board consisting of industry professionals to lend their expertise in areas to keep OSF moving in a positive direction and to be the first line of access to all that require their service.

Open Security Foundation CEO and founder Jake Kouns stated, “This is a very important step in shaping the future of the Open Security Foundation.” “OSF has reached a point in growth that requires a strategic move to provide longevity and sustainability. It has always been a goal of this organization to provide our work to the broadest audience and the introduction of the advisory board will contribute to that objective. I am extremely proud to be part of such an amazing organization that has built a reputation of excellence and serves a very important function,” adds Kouns. “We put out a call for qualified individuals that could provide guidance and insight to keep OSF a leader in the security information arena. The results of our search far exceeded our highest expectations; it’s not only provides us with confidence in our direction, but the impact OSF has had on the industry.”

The new advisory board members comprises of an array of specific industries that understand the importance of OSF resources. Each member was chosen for a specific contribution to ultimately achieve the objective and mission of this foundation and capable of providing broad based perspective on information security, business management and fundraising.

Tom Srail, Senior VP Willis Group provides 19 years of experience in the insurance industry with an expertise in risk consulting, professional liabilities, network security risks, intellectual property and technology professional risks.

Shawn Andreas, VP Marketing Guard Dog Inc.(GRDO.PK) will contribute his 20 years of experience in marketing and brand awareness to remake OSF to be more consumer and market friendly focusing on fundraising and sponsorships opportunities. His expertise in marketing spans over diverse markets and includes opportunities working with some of the country’s top companies including GM, Apple, Viacom and more.

Jim Hietala VP, Security for a leading IT standards organization, manages all security and risk management programs. Mr. Hietala is a frequent speaker at industry conferences. In addition he has published numerous articles on information security, risk management and compliance topics.

Daniel E. Geer, Jr. Sc.D. Chief Information security officer In-Q-Tel Washington. Mr. Geer has a list of accomplishments including participation in government advisory roles for the Federal Trade Commission, the Departments of Justice and Treasury, the National Academy of Sciences, the National Science Foundation, the US Secret Service, the Department of Homeland Security, and the Commonwealth of Massachusetts.

Andrew Lewman, Executive Director The Tor Project, Inc. Andrew Lewman is the Executive Director of The Tor Project, a non-profit organization. Mr. Lewman worked on projects with the National Science Foundation, Internews Network, Freedom House, Google, Broadcasting Board of Governors, National Network to End Domestic Violence, and the US State Department.

In addition to the advisory board, OSF also announces new leadership positions with the organization. We are pleased to announce that Becky Chickering and Corey Quinn are now curators for the DataLossDB project. We want to thank everyone that contacted OSF to volunteer their time and skills for the advisory board and flexibility as we went through this process. During our conversations with potential members we spoke with several passionate individuals that have a great deal to offer OSF. We plan to continue to expand our leadership team and are always looking for volunteers to help the organization.