Security threats for virtualisation and cloud are the same, says IDC

This is because the private cloud, rather than a public or hybrid cloud, bears the closest resemblance to the virtualised infrastructure that IT departments have implemented and where they are able to maintain control.

"The decision in the next year or two will only be about the private cloud," Eric Domage, programme manager for EMEA software and service group at IDC, told the analyst's Virtualisation and Cloud Security Conference in London.

"The bigger the company, the more they will consider the private cloud. The enterprise cloud is locked down and totally managed. It is the closest replication of virtualisation."

The lack of privacy in the public, cloud is a significant issue, Domage said, pointing out that most hacking incidents happen in the consumer cloud.

Domage could not say definitively if businesses should leverage virtualisation security for cloud computing, but he said: "We should give it a try."

He described virtualisation as "safe" and "compliant" and said that virtualisation security "should" ensure the adoption of cloud computing. However, IDC believes that there is a still a gap between the security many end-user organisations need and the vendors' ability to provide cloud security. "Today, there is no end-to-end encryption possible in the cloud," Domage said.

He urged delegates to the conference to "please consider more private cloud than public cloud."

According to Domage, businesses should try to apply the security principles they have used in virtualisation for their cloud operations. With cloud adoption often being driven by the business, rather than IT decision makers, and with cloud being used for small business processes or short term projects or workloads, it is important for IT to assert basic management and security principles, he added.

Makers Of Mac Defender Release New Malware

Apple has promised to take care of the Mac Defender malware that has spread across users' computers. But the makers of the original have created a new version that's even more of a threat as it doesn't require a password to install itself.

Intego, the security firm that found the first Mac Defender, identified the new malware, which, like the previous version tries to trick users into giving up their credit card information by presenting false antivirus software.

After a user visits an infected webpage, the computer automatically downloads a file that runs an installer for a program called MacGuard. The install does not require a username and password. Apple's instructions to prevent the Mac Defender attack asks users not to enter administrative passwords--but they are no longer necessary.

At this point, the false anti-virus software installs, and claims to find malware threats on the Mac, asking users to register. Here, the program then instructs users to give their credit card number to buy the program.

Intego gave the following information regarding protection against this malware:

The first thing to do is make sure that when seeing a web page that looks like a Finder window, and purports to be scanning your Mac, you know that this is bogus. Leave the page, and quit your web browser. If anything has downloaded, and the Installer application has opened, quit it right away; look in your Downloads folder for the file, then delete it. Next, users should uncheck the "Open 'safe' files after downloading" option in Safari's General preferences.

Apple has not yet responded to this new malware, though its next OS X update will resolve problems from the previous Mac Defender attack.

Capable of crippling key industrial controls.

Two security researchers, working at home in their spare time, have created a cyberweapon similar to the sophisticated Stuxnet computer worm that was discovered last year to have disrupted computer systems running Iran’s nuclear program.

The private efforts by Dillon Beresford and Brian Meixell are raising concerns among U.S. government officials that hackers will launch copycat cyber-attacks that could cripple computer controls at industrial sites such as refineries, dams and power plants.

Officials at the Department of Homeland Security were so distressed by the researchers’ findings that they asked the two men to cancel a planned presentation at a computer security conference in Dallas last week called TakeDownCon.

“They requested that I not share the data, but it was absolutely my decision to cancel,” Mr. Beresford told The Washington Times. Homeland Security “in no way tried to censor the presentation, and the conference organizers were very supportive. … We did the right thing.”

Initial analysis of the 2009 Stuxnet attack on Iran suggested that replicating it would require the resources of a nation-state or large organization and detailed information on how the target computer system was set up. The origin of Stuxnet has not been discovered.

But Mr. Beresford said he developed the cyberweapon “in my bedroom, on my laptop” in 2 1/2 months. The malicious software, or malware, was tested on equipment made by Siemens, the German-based industrial giant that makes the system that was attacked by the Stuxnet worm.

Siemens products - known as industrial control systems - are used in thousands of power stations, chemical plants and other industrial settings worldwide. Stuxnet was designed to make the machinery controlled by an industrial control system destroy itself.

Once Siemens saw Mr. Beresford’s presentation, the company renewed laboratory work on software patches for controllers that were developed after Stuxnet, Mr. Beresford said. He said he worked last week with officials from a special Homeland Security unit in charge of protecting industrial computer programs but was becoming impatient with Siemens‘ response.

“This is another egregious example of a vendor trying to minimize the impact of multiple security vulnerabilities in their products and being somewhat evasive about the truth,” he said, noting that the company tried to downplay concern in its public statements and had yet to publish a fix for the flaws he had found.

“The clock is ticking, and time is of the essence. I expect more from a company worth $80 billion, and so do [their] customers,” Mr. Beresford said.

Siemens spokesman Robert Bartels told The Times that the company is testing fixes and expects to release them “within the next few weeks.”

Homeland Security Department officials asked the researchers to delay their presentation until special repair measures aimed at patching security holes they identified are fully developed. They praised the researchers for postponing public release of data that hackers could use to attack computers that control critical infrastructure around the world.

“Responsible disclosure … does not encourage the release of sensitive vulnerability information without also validating and releasing a solution,” a Homeland Security official said in an email.

The disclosure that independent researchers could replicate Stuxnet - which security specialists said at the time likely required a large design team to produce and an industrial plant for testing - will increase concerns about the proliferation of advanced cyberweapons that could cause large-scale death and destruction if unleashed by terrorist groups, criminal gangs or foreign governments.

When using a Web browser, the phishing scheme redirects users to fake websites and claims their computer has a virus, according to an update on Apple's support website.

The user is then offered fake anti-virus software -- falling under names such as Mac Defender, MacProtector or MacSecurity -- and eventually prompted to offer credit card information to complete the "purchase."

The support page offers detailed instructions on how to remove the malware if it's installed to a Mac. Users can avoid the attack by force quitting their browsers if these phony notifications pop up.

Apple says in some cases, a browser may automatically download and launch the malware installer. If that happens, Apple says cancel the installation immediately, go to the Downloads folder and delete the installer.

A software update for Mac OS X will arrive soon that will automatically find and remove Mac Defender or any related malware.

The support statement from Apple comes several days after reports of malware attacks targeting Mac computers began surfacing on the Web.

The scams also raise arguments -- including this one from PC World -- about whether Apple computers aren't as secure as some users might believe.