Amazon EC2, distributing malware, legal exposure


ken_...@compuserve.com

Dec 12, 2009, 10:37:08 AM
to cloud-c...@googlegroups.com
Amazon EC2 was recently found to be hosting a site that was the
distributor of a botnet. The Zeus bot is a keylogger that captures
banking information.

The FTC has gone after Internet providers to shut them down for hosting
sites that violated laws (such as child pornography). And recently
several restaurants have filed a lawsuit against an ISV that sold them a
point-of-sale (POS) system that was easily breached by hackers who
installed a keylogger to capture credit card information.

Internet service providers have generally not been held liable for
distribution of copyrighted content, but distributing malware is a
different issue that could be tested in court.

In the restaurant lawsuit, there's been a dispute over whether the POS
system is actually compliant with PCI-DSS. I can see where it would be
in Amazon's best interest to require any of its users who advertise
they are compliant with PCI-DSS to submit to an external audit. But it
seems prudent that Amazon might also require some disclaimer in systems
it's hosting so that users know Amazon EC2 makes no guarantees of
PCI-DSS, FISMA or other compliance with security standards.




Paola Garcia Juarez

Dec 12, 2009, 8:39:18 PM
to cloud-c...@googlegroups.com
Hello Ken,
is there any article or site with more information about this topic?
I would like to read more about it.

thanks,
Paola

--
Eng. Paola Garcia Juarez
(55-21) 83291885
pgarc...@gmail.com
http://www.linkedin.com/in/pgarciaj
Twitter: pgarciaj13

ken_...@compuserve.com

Dec 15, 2009, 4:49:22 PM
to cloud-c...@googlegroups.com
Paola Garcia Juarez wrote
>> is there any article or site with more information about this topic?

Paola,

This blog post over at the Dr. Dobbs' codetalk site has more detail:

"Data thieves exploiting flaws in retail systems and the public cloud"
http://dobbscodetalk.com/index.php?option=com_myblog&blogger=KNorth&Itemid=29

There are links to sources on the Web about PCI-DSS, the Amazon and
Google AppEngine botnet C&C computers and so on.



LeanITmanager

Dec 17, 2009, 5:28:13 AM
to Cloud Computing
If you’re interested in what happened at Amazon with the botnet, here
is a report by the people at CA (Computer Associates) who spotted the
intrusion and informed Amazon.
http://community.ca.com/blogs/securityadvisor/archive/2009/12/09/zeus-in-the-cloud.aspx

A more broad report on recent events at Amazon can be found at
http://news.cnet.com/8301-1009_3-10413951-83.html


PS It is a bit funny that Cloud Computing is often compared to IT as
easy and reliable as electricity out of a socket in the wall.
But the reported outage of Amazon's Cloud IT offering happened
because ..... there was a power failure.
