Network World
- Newsletters
- Videos
- Events
- Resources
- Communities
- The Challenges of OS Migration
- Citrix's Mobile Enterprise 360
- Cloud Powered Work
- The Essential Guide to Managing Power
- Get an Integrated Approach to Data Management
- Oracle Cloud KnowledgeVault
- Virtualization Boosts SMBs
- Your IT Journey — Your Way
- Research
- Aruba Networks Bring Your Own Device
- BlackBerry: Build up your BlackBerry® 10 knowledge
- CA Technologies Transform Your IT Strategy
- HP + Microsoft Data Management Appliances & Architectures
- Network World Data Center Challenge 2012
- Riverbed Accelerate Business Performance Solution Center
- Riverbed Cascade® Solution Center
- View all Solution Centers
- Insider
- More
- Linked In
Blaming the NASDAQ Hack on Open Source
Some are looking to lay the blame at the feet of open source and the cloud
By Alan Shimel on Thu, 02/10/11 - 10:46pm.The news is again alive with reports of hacking and breaches. The latest is operation "Night Dragon", involving the breaching of several large energy companies. Right before that came word that the NASDAQ exchange might have suffered a hacking attack on some of their systems, but on the exchange system itself. Maybe it is because the annual RSA Conference is next week (I will have open source coverage from the show) or not, but security is in the headlines again. But when I see supposedly intelligent people blaming open source for simple SQL injections I see red. Can you spell F-ear U-ncertainty and D-oubt?
That is exactly what the Aite Group appears to be doing. In a report on Wall Streety & Technology on the recent NASDAQ hacking incident, a managing partner of Aite is quoted saying,
"[The use of cloud computing and open source] have been relegated by firms to areas that are not core businesses. But after this incident, all the main businesses may look at whether or not that type of open source environment has made it easier for people to hack into. It may not be the case. As far as I understand it, if hackers put in the hours, they can hack into [any] system. But has open source made it easier? Firms will be looking into that."
Are you kidding me? A simple SQL Injection and you are going to blame open source and the cloud for this? Really? The article says these were similar to the Operation Aurora attacks against Google last year. Wrong again. The Aurora affair was about Advanced Persistent Attacks or APT. What happened in the NASDAQ case is much more garden variety web application security.
But I may be boring some of you with the security details here. The point is that fear mongering like, casting asperstions on both open source and cloud computing, when neither likely bears any blame here does us all a disservice. It also flies in the face of recent reports and surveys.
For instance Gartner recently released a survey that showed that enterprises using open source to gain competitive advantages. Another survey from last August shows that up to 98% of enterprises are using some open source software. Accenture's recent survey showed that two thirds of enterprises were increasing their bet on open source.
So lets be clear. Software is software. Given enough time and resources just about anything can be hacked. Usually the weakest link is the human behind the keyboard. But open source is no more to blame than sunspots are. Spreading FUD in the face of the facts is no way to make friends with this open source blogger!
Recent Blog Posts
- About Open Source Fact and Fiction
As co-founder and Managing Partner at The CISO Group, Alan Shimel is responsible for driving the vision and mission of the company. The CISO Group offers security consulting and PCI compliance management for the payment card industry. Prior to The CISO Group, Alan was the Chief Strategy Officer at StillSecure. Shimel was the public persona of StillSecure as it grew from start up to helping defend some of the largest and most sensitive networks in the world.
Shimel is an often-cited personality in the technology community and is a sought-after speaker at industry and government conferences and events. His commentary about the state of security, open source and life is followed closely by many industry insiders via his blog and podcast, "Ashimmy, After All These Years" (www.ashimmy.com). Alan is now also a regular contributor to The CISO Group’s security.exe blog and podcast.
Alan has helped build several successful technology companies by combining a strong business background with a deep knowledge of technology. His legal background, long experience in the field, and New York street smarts combine to form a unique personality.
Disclosure: The CISO Group sells a software-as-a-service PCI compliance application called SAQPro. The company is independent and does not represent any other vendor's products as a reseller.
Policy on comments: Respectful discussion is welcomed! However comments that use inappropriate language, consist of name calling or personal attacks, or include accusations of wrongdoing are not appropriate. Those comments will be deleted or edited.
-
-
Most Discussed Posts
- Blog Roll
-
Network World, Inc
The Connected Enterprise