July 10, 2009 3:16 PM PDT

Prosecutor: Cloud computing is security's frontier

by Elinor Mills

FORT BAKER, Calif.--As data moves to the cloud, attackers and thieves will follow, a federal prosecutor said on Friday.

Matthew Parrella, assistant U.S. attorney

(Credit: Elinor Mills/CNET News)

The days of tracking down software counterfeiters in other countries who are selling pirated CDs are numbered as companies increasingly distribute software and store data online via hosted computing services, Matthew Parrella, an assistant U.S. attorney based in San Jose, Calif., said at Symantec's Norton Cyber Crime Day.

"That model of importation of software is becoming obsolete because we're seeing on the horizon cloud computing where so many of these operations are pushed from a user's PC or a user's computer onto Google Docs or Salesforce.com," he said.

Looking ahead five years, "I'm thinking the attack is going to be on cloud computing centers," said Parrella, chief of the computer hacking and intellectual property unit at the U.S. Attorney's Office.

The immediate threat will be attacks to steal data from the servers it is stored on, either remotely or by an insider or someone who gains access to the data center, he said. Later on, it's likely that any stolen data could be pirated, he said.

Parrella spends a lot of time prosecuting counterfeit software cases, as well as trade secret theft, he said.

His office also has long been tracking a botnet that has grown to include 100,000 or so compromised computers.

"We don't know what it does," he said. "That's the type of threat we're looking to prosecute...malware that may lead to distributed denial of service attacks."

Parrella declined to comment on the most recent DDoS attacks that have targeted Web sites in the U.S. and South Korea since the July 4 weekend.

FBI agent Donna Peterson said her office had seen a "tremendous uptick in large-scale, fairly devastating data breaches," with the biggest heist being close to $10 million stolen in 24 hours.

Cyberthieves "are getting more organized and their technical sophistication is better," she said. "They do what they need to get the job done...if they can use a 5-year-old exploit in conjunction with an exploit that they paid a programmer in another country $60,000 to (write), they will do it."

Cybercriminals can spend anywhere from two weeks to six weeks taking over a corporate target's computer system so completely that "you won't even know that they're there," she said.

Businesses have opened on a Monday morning only to discover that so much money has been stolen since employees went home on Friday that they are no longer solvent and there is no record on their systems of the activity, Peterson said.

Also on the cybercrime panel was San Jose Police Sergeant Edward Schroder, who talked about how he spends his time investigating fraud related to sites like eBay and Craigslist, Nigerian or lottery scams, and money mule or work-from-home scams.

Schroder also said he gets a fair share of cases involving phishing attempts and e-mail extortion cases in which someone's life is threatened if they don't pay the hired killer money.

Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press.
by cloudunioncn July 11, 2009 1:20 AM PDT
China cloud union is opened,
welcome http://bbs.cloudunion.cn
by Lerianis3 July 11, 2009 2:27 AM PDT
No record of the activity? HELL NO! Frankly, banks have double and even TRIPLE backed up records of activity. I can state that myself, because I thought that something on my bank card was a 'fraudulent charge' one time..... nope, just was something I had bought billed under an obfuscated name, and that's when they informed me that they keep METICULOUS records of where things go to.

Really, for ANY withdrawal or charge over 2000 dollars that isn't for a paycheck given to someone and deposited in a personal account IN THE SAME COUNTRY as the business in question..... the banks should automatically call the person in question to ask them "Did you approve this?" at the number on record.
Sure, businesses would have to keep records and have a few people ON CALL AT ALL TIMES to do this...... but it's better than losing a million dollars.
by WhistlingPig July 13, 2009 9:29 AM PDT
A phone call for every intra-national transaction over 2000 dollars, plus the storage structures needed for their record-keeping, and the salary and benefit packages for the thousands of people needed to be on call at all times...

... it might actually be better to lose a million dollars.
by sparcdr1 July 11, 2009 5:36 AM PDT
This guy is an attorney, what the he*l does he know? Amazon and the lot keep tabs on customer activity like this, and immediately suspend and investigate internal issues... and the public attack vector is quite small because of how services are obscured through their internal NAT with all services except 1 (SSH on UNIX, RDP on Windows) on each instance a default setting.

Real crime organizations would pool a cluster of PS3 units together to perform distributed guessing of plausible credit card and account numbers, which they use a mule to move around the data like drugs. You ever seen Johnny Mnemonic? It's not quite there yet, at least not literally, but you get the point. Get your head out of the cloud, and stay on the ground where all the roaches really are.
by monkeyfun14 July 11, 2009 4:02 PM PDT
Why spend all that money when you can write a program and take over machines for free?