In last week's news, Amazon Web Services vulnerabilities were found and fixed, but other cloud service providers are probably susceptible to similar problems discovered by a German research team at Ruhr University Bochum.
The research team used a variety of XML-based signature-wrapped attacks to gain administrative access of customer accounts, then created new instances of the customer's cloud. They also used cross-site scripting attacks against open source private-cloud framework Eucalyptus, and said the Amazon service was susceptible to cross-site scripting attacks, too. To its credit, Amazon is paying close attention to this research and has worked to correct problems.
MORE SECURITY: Got cyberinsurance?
Potential vulnerabilities in Facebook also got attention last week, with Symantec pointing to an attack technique called cross-site request forgery that allows the attacker to piggyback into an active session. Symantec said it's working with browser vendors on solutions to attacks of this style it's uncovered.
Separately, consultancy CDW posted a blog item about an alleged vulnerability in Facebook that would allow a hacker to send a potentially malicious file to anyone on Facebook. Facebook downplayed the risk.
Well, maybe all this interest in Facebook is due to the countdown to Nov. 5, the day celebrated as Guy Fawkes Day in England, which is the day on which the shadowy hacker group Anonymous last August said it would "destroy" Facebook. Yes, completely destroy. And that's next Saturday ...
Security-event management
Last week IBM officially completely its acquisition of Q1 Labs, and the IBM Security Systems Division is making it clear that the Q1 security information and event management (SIEM) technology will be the centerpiece for IBM security products going forward. The goal is to extend SIEM, which traditionally aggregated and correlated real-time data from security devices such as firewalls and intrusion-detection systems, in several ways, such as combining it with identity management data, as well as business intelligence analytics.
