The Cloud. These days it seems all-encompassing and inescapable. Perhaps we should have called it 'fog computing', as it seems to have the ability to bamboozle and confuse non-techie types with promises of milk and honey for little or no effort. While it certainly has its merits, a lack of true definition and standards shows its immaturity at present.
But even in a world of magical clouds there's a dark side, for with a greater availability of cheap computing power comes the opportunity for shady types or, in this case, researchers, to use the 'power of the cloud' to crack WPA encryption. WPACracker allows you to run a 285 million word dictionary-based attack to crack WPA-PSK and ZIP file encryption. Purely for research purposes of course!
Using clouds or 'cloud-like' constructs for crime is nothing new, as shown by the prevalence of botnets such as the massive Conficker botnet (estimated at 10-15 million hosts) or the spam-spewing Cutwail botnet that could blast out 74,000,000,000 spam messages a day (that's 51,000,000 a minute!).
While I'm on Cloud matters, I spotted a recent interesting little tidbit about personal cloud storage provider Evernote. It seems for their customers, security is an add-on extra that is only available to premium subscribers....
Apparently 'excellent security' means encrypting only the authentication information, with the remainder sent in the clear. Are we past the age of better security being basically a good idea, or advertised as a lure for customers, and into it turning into a premium extra charge? I hope not.
(thanks for some of the info in the post above to a Circus contributor who must remain anonymous - you know who you are!)

3:32 PM, Justin. Posted in conficker, virus.
So maybe I was a little harsh in singling out the Waikato District Health in an earlier post about a Conficker outbreak, as it seems a couple of hospitals of the NHS (National Health System) in the UK have since suffered the same problem, as have Manchester Police.
As much as security pros may preach the message to end users about opening attachments from unknown senders or downloading software from dodgy sites, can it be that we haven't been focusing enough on ensuring the IT admins have heard the security message? There may be other circumstances, such as the usual under-resourcing (do more with less!) or management negligence, but surely patching and AV are the very basics that every admin understands?
Even if the worm was introduced via USB, which seems to be the case, other simple precautions such as disabling autorun can greatly limit your exposure. Going further, limiting the use of USB storage (both who has access and what type of drives can be used) provides further protection.
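A read-only check for the two precautions mentioned above, as an added example that is not part of the original post. It assumes the standard `NoDriveTypeAutoRun` policy value and the `USBSTOR` service `Start` value are the controls in use; the function names are made up for illustration.

```powershell
# Added example: read-only audit of the autorun and USB storage settings.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { return $item.$Name }
    return $null
}

function Test-RemovableMediaHardening {
    $policy = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

    # NoDriveTypeAutoRun is a bitmask of drive types with autorun disabled.
    # A value under HKLM takes precedence over the per-user value under HKCU.
    $source = 'HKLM'
    $mask = Get-RegValue "HKLM:\$policy" 'NoDriveTypeAutoRun'
    if ($null -eq $mask) {
        $source = 'HKCU'
        $mask = Get-RegValue "HKCU:\$policy" 'NoDriveTypeAutoRun'
    }
    if ($null -eq $mask) { $source = 'not set' }

    # Bit 0x04 covers removable drives; 0xFF covers every drive type.
    $removableOff = ($null -ne $mask) -and (($mask -band 0x04) -eq 0x04)
    $allOff       = ($null -ne $mask) -and (($mask -band 0xFF) -eq 0xFF)

    # USBSTOR is the USB mass-storage driver: Start = 3 loads on demand, 4 = disabled.
    # A missing value (driver never installed) is reported as not disabled.
    $usbStart = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' 'Start'

    [pscustomobject]@{
        Computer               = $env:COMPUTERNAME
        AutorunPolicySource    = $source
        AutorunMask            = if ($null -ne $mask) { '0x{0:X2}' -f $mask } else { $null }
        AutorunOffForRemovable = $removableOff
        AutorunOffForAllDrives = $allOff
        UsbStorageDriverStart  = $usbStart
        UsbStorageDisabled     = ($usbStart -eq 4)
    }
}

Test-RemovableMediaHardening | Format-List
```

The function only reads the registry, so it can be run across a fleet to find machines where neither control is in place before deciding how to roll the settings out.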
If businesses (and government bodies) haven't taken the basic steps to protect themselves from the most highly publicized virus/worm of recent years, it doesn't bode well for protecting against threats that aren't as highly visible in the mainstream media.

6:48 PM, Justin. Posted in conficker, NZ, virus.
I came across an article recently that had me doing a double-take when I saw the date it was published. It seems the jokes we Aussies like to tell about our neighbours 'over the ditch' being behind the times may be true, as in December the Waikato District Health Board over in Aotearoa was ground to a halt by... Conficker!
You read that right, December 2009. To refresh your memory, Conficker exploited a vulnerability that Microsoft released the MS08-067 patch for back in October 2008.
To put that in perspective, some other events from October 2008 were:
- Sarah Palin and Joe Biden have their only scheduled debate for the vice presidency of the United States
- U.S. President George W. Bush signs the US$ 700,000,000,000 bailout bill after it is passed by the House.
- Head of International Monetary Fund says the US Financial Crisis threatens to send the world into a recession.
All jokes aside, a virus outbreak affecting the information systems of multiple hospitals is a very serious matter. So is the almost criminal incompetence in the IT management/administration that allows 3000 desktops to run without up-to-date anti-virus and with patches that were over a year out of date.
To make matters even worse (if that's possible), the NZ Ministry of Health was hit by Conficker 12 months earlier! Obviously there were no lessons learned from this earlier outbreak...
Good security is hard. It takes planning, organization and hard work. Unfortunately for the patients of the Waikato DHB, bad security is easy. It requires nothing more than apathy and ignorance. In this case it took not doing what even the most computer-illiterate user knows are 'the basics' (patching and AV).
One can only hope that this is a wake-up call for organizations and Government departments, not only in NZ, but everywhere.