Security Advisor
Cloud Security Debate Continues
A strong focus of this year's Black Hat conference will be on the growing adoption of the cloud, and what enterprises can do to stay safe. Plus: Researcher warns that Skype may be a large target for hackers; Symantec reports that mobile hackers are becoming more sophisticated.
As the IT security community prepares for the annual Black Hat confab in Las Vegas, Microsoft prepares to expand its widening reach into cloud security.
Going into the convention, the software giant has already outlined its strategy for resolving cloud integrity challenges in the enterprise space. The overarching message, Windows IT security gadflies say, will be an increasing reliance on channel partners to play a collaborative role in the formulation of tailored approaches to cloud security.
Microsoft is especially interested in identity management in the cloud, which could be streamlined with the use of security parameters being packaged with Intune, Microsoft's cloud-based service for managing Windows clients on PCs, browsers and mobile devices.
In this way, channel partners could consider rolling out BitLocker or BitLocker To Go consultative frameworks for clients depending on the processing environment and overall reliance on the cloud as a central focus. In that vein, data encryption will be key.
That is why Thomas Roth's Black Hat presentation, tentatively titled "Breaking encryption in the cloud," will be a welcome complement to that discussion.
Elsewhere at the event, Cesar Cerrudo will outline quick and easy ways to hunt for vulnerabilities in the Windows environment. That, along with TCP/IP presentations by Dan Kaminsky, rounds out the varied fare at the conference.
It's always interesting to see what products make the grade, and what hackers will have on their minds as a result. All in all, attendees can look forward to healthy debate and discourse on growing Web threats, vulnerable Web components, data integrity and, of course, a forward look on making the cloud safer for computing.
Researcher: Skype Under Attack
As Microsoft integrates Skype into its larger strategy, security will likely be at the forefront of that melding of minds, technology and the corporate culture.
Berlin-based security researcher Levent Kayan seems to think that Skype, the Web-based video conferencing, Web telephony and webcasting service application, is vulnerable to emerging threats.
He said in this blog post that Skype "suffers from a persistent Cross-Site Scripting (XSS) vulnerability due to a lack of input validation and output sanitization of the 'mobile phone' profile entry," and that other input fields may also be affected.
Specifically, the weakness is in the data field where users fill in their phone numbers. The problem could also extend in the future to other fields where personally identifiable information (PII) can trigger an exploit when hackers insert JavaScript into the relevant fields in the user profile.
For his part, Kayan contacted Skype late last week and as of this post, he said he has yet to hear back from the company.
Symantec: Mobile Security Concerns Abound
For a couple of years now, IT security theorists have issued warnings about the rise of mobile malware with little effect or fanfare. But Symantec says the title of the "year of mobile malware" that evaded 2009 and 2011 could fit this year.
The antivirus software and security research giant says that in "just the first half of 2011, the growth of mobile malware and the increasing boldness and strategy behind the threats are startling."
Symantec uses a recent analysis of the security features of Apple's iOS and Google's Android platforms to make its case. To further solidify that notion, Symantec on Monday posted this blog item illustrating the growth of Trojans and other malware configured specifically for mobile devices.
"We are seeing increasing attempts to complicate the infection vectors of mobile malware to the point where a simple uninstall is insufficient," the post's author Irfan Asrar wrote.
Although Symantec has publicly noted areas of strength and weakness in both the Apple and Google mobile platforms, the jury appears to be still out on the Windows Phone 7 platform. This is nonetheless a clue for Redmond to look at the growing trend of mobile malware with inquisitive and serious eyes.
As Symantec points out, hackers have borrowed the staged downloader strategy from their traditional PC cousins in an attempt to "complicate infection to the point where simple uninstalls of the malicious apps are insufficient."
About the Author
Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.