Wednesday, April 7, 2010

Making the Cloud Trustworthy


Yet another Cloud Security initiative, http://www.trusted-cloud.com/, is an initiative by pioneer computer networking company Novell.

"Mission Statement: To Promote Education, Research and Certification of Secure and Interoperable Identity in the Cloud

The Trusted Cloud Initiative will help cloud providers develop industry-recommended, secure and interoperable identity, access and compliance management configurations, and practices. We will develop reference models, education, certification criteria and a cloud provider self-certification toolset in 2010. This will be developed in a vendor-neutral manner, inclusive of all CSA members and affiliates who wish to participate."

Trusted Cloud focuses on the notion that eventually it will be us users, and the industry itself, that will make the Cloud more secure and trustworthy. We need to start trusting the Cloud, we need to start educating users on what to expect and what not to expect when they join the bandwagon of Cloud Computing, we need to reiterate to users that the Cloud is not the solution for the recession, and finally, we need to let them know that Cloud Computing services, be it Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS) or Infrastructure-as-a-Service (IaaS), are now a mature and capable platform that promotes business and IT objectives alignment. Trusting the Cloud is a win-win situation, but of course with a few caveats.

We just don't have the solid security framework yet to manage and implement effective IT controls, which is what the guys at http://www.cloudaudit.org/ and http://cloudsecurityalliance.org/ are working on. It might be early, but I would like to thank these guys for driving the Cloud Computing community to the right path of security with common sense in mind, and not completely reliant on well-known IT controls and "best practices" which do not really scale and apply well to Cloud Computing.

Onwards,
Ron

Sunday, April 4, 2010

Jolicloud OS for pen tests works, at least for me


Yet another lightweight, built-for-the-web OS, Jolicloud OS works well with my pen testing ways, at least for me. Why does it work for me, you ask?

It detects my netbook's native Wi-Fi card out of the box. And I love that feature alone.

After playing around with the standard apps that come with it, the next logical step is for me to install my security apps, and since this is a Gnome-based Linux distro, that is super-easy to accomplish.

Fire up the Terminal app located in the Accessories menu and apt-get install away:

sudo apt-get install wireshark
sudo apt-get install zenmap

And to install Metasploit, you need to do a couple of things, which are beautifully covered step-by-step by this guide:

Why not use BT4 instead? Installing a persistent BT4 is a little bit cumbersome for script kiddies like me. BT4 is awesome, everything is in there, but most of the time I will only use a couple of the tools there. For a sniffer learning the hacker ways like me, that will be Wireshark, NMAP and Metasploit. And I would like to thank Carlos "dark0perator" Perez for this excellent piece of advice he gave on a previous episode of the multi-awarded Podcast Pauldotcom.com Security Weekly. If you want to learn the craft, don't use an all-in-one distro. Download and install Ubuntu, and work your way there. This has been my mantra for the past two years.

If I were to market the hacker ways to the public, I would pre-package these tools on a social-networking-centric, lightweight OS like Jolicloud. My security app icons are right next to my Facebook, Gmail, and Pidgin IM apps, and that adds a little bit of a cool factor and a political statement that we are indeed in the age of point and click hacking.

Play safe kidz.




