I found this great podcast on the network world site today from Andreas Antonopoulos. Things like Web 2.0 and unified communication applications as well as virtualization all make securing an enterprise network more difficult. Nemertes’ Andreas Antonopoulos explains how security policies and systems need to become more flexible to fit the new ways we work.
Yeah, Everyone does these. Top 10 – etc.
I thought about it. Techmeme did a nice job of the biggest stories. Thanks end the end-of-year read. So, I’ll analyze it.
Wasn’t there an Olympics or something? What about LinkedIn? I’ve been on that for maybe 2/3 years now, but it seems to really have blown up now. Facebook anyone? Twitter? Not really news, but their influence and presence has grown..
Microsoft is now shedding a little more light on the zero-day XML vulnerability. It seems some Hong Kong-based pornography sites are dropping the trojans Trojan:Win32/VB.IQ.dr and Trojan:Win32/VB.IQ on unsuspecting PC users. This in addition to exploits discovered on a popular Taiwan search engine. The details are here. A release to patch this vulnerability is to be released today.
(BTW I wonder what that job is like – “Just checking on potential viruses chief”) I digress – really I appreciate all the MS team does to keep us in the dark keep us up to date on this serious security flaw in every instance of that little blue E on all the desktops in the world. I mean if Hong Kong porn is not safe, then who is…?
All kidding aside can we stop the Patch Tuesday nonsense? We now have a second “out of band” update this year. Hackers are now celebrating “Exploit Wednesday” - look it up. Some environments take weeks to approve these type of updates, even emergency ones. I bet there are plenty of steamed folks out there about this little escapade. Reports say this XML exploit started the day after the last regular patch.
I know things get exploited – fine. And don’t start with the Mac and Linux tripe. It’s just a fact that everything can be pwned. I just have issues with the notification and resolution. How you deal with it is what really determines how protected an organization is. Patch Tuesday must die. It’s like putting a sign on your lawn that says, “I am not home from the hours of 8am-530pm”. Let’s put the call out today to put a nail in this thing. Stop Patch Tuesday. We need updates as they happen. 30 days is too long think about it. Think about all the little vulnerabilities that don’t get the press. Hacker releases exploit on Wednesday, if it gets found, it might make the next round of patches. IT gets the update, tests on systems, releases to production – That could be 6 weeks of password-stealing, PC Zombie fun.
NOTE: I know there are crews at MS that have busted to get this thing identified and fixed – Thank you. Again, I just don’t think the announcement strategy is working. I know I will get some flames for this and some people who agree. If someone has a better way, then speak up.
The Zero-day XML vulnerabilities once reported to only be affecting IE7 targets are now prompting warning from Microsoft to its customers across all supported versions of its Internet Explorer Web Browser.
http://www.microsoft.com/technet/security/advisory/961051.mspx
Workaround centers on setting Internet security settings to high and disabling the Ole32db.dll via ACL - not an end user-friendly operation. Apparently the noted attacks have predominantly been noted against IE7 and on Chinese sites. It exploits the way IE handles XML. The exploit could potentially be used to access several types of sensitive data, however thus far it is only reported to be stealing passwords for computer games.
There are reports that Microsoft is considering fixing the flaw through an emergency software patch outside of the standard “Patch Tuesday”.
Now is a good time to give Google Chrome a try.
Yahoo was hit by a massive DNS problem today reported by GigaOm.
Some are saying quietly that there was a DNS cache poisining that effected Yahoo’s main DNS nameservers. Yahoo is not talking to me about this. Of course I’m interested in this because of all the recent DNS security risks which have been well documented by the DNS industry leading company Infoblox.
I will try to dig into this and see if Dan Kaminsky has any insight into this.
DNS problems went mainstream after I started reporting about it here and then John Markoff reported about it on the NYTimes.
Some more info here
Top-line results indicate that despite the fact that most organizations are running recent versions of BIND and no longer using Microsoft DNS Servers for their external DNS servers, many organizations have not taken the necessary precautions to limit access to recursion or secure zone transfers. In addition, many still have not upgraded to the latest DNS software to protect against the recently discovered Kaminsky vulnerability and associated risk of DNS cache poisoning.
“Given the heightened awareness of DNS server vulnerabilities due to the recent Kaminsky discovery, it is surprising to see how many organizations are still leaving their DNS systems as potential victims of attack,” commented Cricket Liu, Vice President of Architecture at Infoblox and author of O’Reilly & Associates’ DNS and BIND, DNS & BIND Cookbook, and DNS on Windows Server 2003. “Even if an enterprise has gone to the trouble of patching against the Kaminsky vulnerability, there are many other aspects of configuration, like recursion and open zone transfers, that should also be secured. If not, organizations are essentially locking their door to their house, but leaving the windows wide open. Organizations clearly need to pay more attention to configurations and deployment architectures that are leaving their DNS infrastructures vulnerable to attacks and outages.”
DNS servers are essential network infrastructure that map domain names (e.g., yahoo.com) to IP addresses (e.g., 66.94.234.13), directing Internet inquiries to the appropriate location. Domain name resolution conducted by these servers is required to perform any Internet-related request, whether for Web browsing, email, ecommerce, or cloud computing. Should an enterprise or organization’s DNS systems become compromised by attacks, the results can be devastating, ranging from loss of a company’s Web presence, inability of employees to access any outside Web services, and perhaps most damaging, redirection of Web and email traffic to bogus sites, resulting in data loss, identity theft, ecommerce fraud and more.
Following are the key 2008 DNS survey results, which are based on a sample that included 5 percent of the IPv4 address space, nearly 80 million addresses.
GOOD NEWS
-- 90% of name servers that run BIND run one of the most recent versions
of BIND 9; a small but significant number of administrators continue to run
older versions of BIND on Internet-facing name servers, putting their
organizations at risk.
-- Only .17% still rely on Microsoft DNS Server, down from 2.7% (2007);
usage of unsecure Microsoft DNS Servers connected to the Internet is
vanishing.
-- Support for Sender Protection Framework (SPF) within DNS for spam
reduction increased from 12.6% of zones sampled to 16.7%; despite the
complexity of SPF configuration, validating email senders is increasing in
importance and organizations are taking email fraud seriously.
BAD NEWS
-- One in four DNS servers does not perform source port randomization --
the "patch" for "the Kaminsky vulnerability"; the effort by vendors and the
Internet's DNS community to encourage administrators to upgrade their name
servers after the announcement of the Kaminsky vulnerability paid off;
however, a surprising number have not been upgraded and are very vulnerable
to cache poisoning.
-- More than 40% of Internet name servers allow recursive queries; there
are still millions of open recursors on the Internet, a danger both to
themselves and others -- they are vulnerable to cache poisoning and
Distributed Denial of Service attacks.
-- 30% of DNS servers surveyed allow zone transfers to arbitrary
requestors; this leaves servers as easy targets for denial-of-service
attacks.
-- Only .002% of DNS zones tested support DNSSEC; administrators have not
been convinced of its importance -- perhaps intimidated by its complexity
-- but new mandates could mean a significant change in the near future.
MISC.
-- Usage of IPv6 name servers continues to increase from .27% to .44%;
while enterprises are investigating IPv6 and concerned about increasingly
scarce IPv4 address space, adoption of IPv6 is still low -- address
scarcity isn't yet considered a serious concern and they feel no urgency to
adopt IPv6.
Call to Action
Based on these statistics, there are some clear calls to action for organizations with external DNS servers. Instead of waiting until they are attacked, all organizations should assess their DNS infrastructure and immediately take the necessary steps to make them more reliable and secure. Infoblox provides a number of free, automated tools that enable organizations to test their DNS infrastructure and identify weaknesses and vulnerabilities.
The CTO of Amazon is blogging the new service from Amazon called CloudFront. I love this approach for obvious reasons but the question remains about reliability and security. In talking to Mendal Rosenblum this past weekend he and I both agreed that many are afraid of pushing information in the cloud. Mendal is the leader in pushing large scale computing and his observations ring true for many corporate enterprises. No doubt Amazon is great for startups but the open question remains for reliability and security.
When those two issues are lock solid then the era of cloud computing will be mainstream.
Here is the information on Amazon CloudFront.
Hello Amazon CloudFront, the new Amazon Web Service for content delivery. It integrates seamlessly with Amazon S3 to provide low-latency distribution of content with high data transfer speeds through a world-wide network of edge locations. It requires no upfront commitments and is a pay-as-you-go service in the same style as the other Amazon Web Services.
Amazon CloudFront has been designed to be fast; the service will cache copies of the content in edge locations close to the end-user’s location, significantly lowering the access latency to the content. High sustainable data transfer rates can be achieved with the service especially when distributing larger objects.
Amazon CloudFront will be useful for many different application scenarios such as giving your customers low-latency access to popular objects and protecting your site from popularity surges; other popular examples are low-cost delivery of rich media and sustainable fast transfer rates for software distributions.
See also the posting on the AWS Developer weblog and at Rightscale.
Amazon has seen success with the scalability, reliability and cost-effectiveness of Amazon S3 and now with the integration with Amazon EC2 it is easy to distribute Amazon S3 content world-wide. The combination of the two services is really powerful: Amazon S3 will give you durable storage of your data, and the network of edge locations on three continents used by the Amazon CloudFront will deliver the content with low latency from the most appropriate location.
The network of edge locations
To ensure low-latency delivery, Amazon CloudFront uses a network of edge locations world-wide:
These edge locations work together to direct customers’ requests to the edge location that can provide the response with the lowest latency.
Simplicity
Because Amazon CloudFront follows the core principles of all Amazon Web Services it is a unique content delivery service. The simplicity in getting started has been described by many of our early customers as a very important feature.
Using Amazon CloudFront is dead simple:
The second Amazon Web Services principle that sets Amazon CloudFront apart is that no upfront commitments are necessary and you only pay for what you have used. There are no upfront fees or high volume requirements and no negotiations are necessary because we have published low prices from the start. This brings content delivery in the hands of all businesses, and you can exploit the benefits of Amazon’s world-wide network of edge locations, regardless of whether you are a highly popular website, a small blog, a complex enterprise application or a developer doing some prototyping.
A core distributed systems component
It is not uncommon to think about a service for content delivery such as Amazon CloudFront only in the context of media distribution for web sites, but it actually plays a more fundamental role.
There are two main technology components to such a service; the first is intelligent request routing, which routes requests to the location that can best serve the user given a series of requirements and the status of the network. The second technology component is that of object caching, which is a fundamental building block in both operating systems and in distributed systems.
Caching is an essential technique that is used to make sure that components can operate at the fastest speed possible, to overcome the performance differences that exist in systems. For example CPU’s have caches that are much faster than memory, memory works as caches for disks, local disks can function as caches for remote disks, etc.
In distributed systems caching is primarily used to provide fast access to popular objects that are located in remote storage servers. These systems of caching servers often cooperate to create massive aggregate world-wide capacity to provide low latency access. And by using globally decentralized cache servers for distribution, very high data transfer speed can be achieved.
Caching technology has long been the center piece of computer systems research and in Amazon CloudFront we use the type of highly advanced algorithms for reliability and scale that you have come to expect from our Amazon services.
While cruising through the feed-reader, I came upon Eric Sieberts recent post regarding the release of the Payment Card Industry’s Data Security Standard (PCI-DSS), version 1.2. Eric notes that “… the specification dictates what must be done to secure a server that may store or process cardholder data, but if that server happened to be a virtual guest the host server would not be considered in the scope of the specification.” He then wonders (out loud) what could be the cause for this lack of attention (see quote below).
This post reminded me of a conversation I had in August with Scott Loftesness of Glenbrook Partners, who arguably knows more about technology and the payment card industry than any five persons on the face of the planet. He pointed me to this article as to why failure of PCI DSS 1.2 to address virtualization won’t matter. The author, David Taylor, is certainly no slacker. He’s the VP Data Security Strategies at Protegrity , as well as the founder of the PCI Knowledge Base, Research Director of the PCI Alliance, and a former E-Commerce & Security analyst with Gartner. He takes a pragmatic approach, urging the reader to not wait for standards, and is pretty clear that he’s a believer in the value of virtualization. But there still seems to be some “buck passing.” He seems to be saying to the merchants who are subject to the PCI DSS standards:
To the first point, it seems to me that best practices, standards and compliance tools or other means by which assessors can address the issue with uniformity are necessary. There are a number of security specifications for virtual hosts (one of which Eric Siebert references in his post), which, if adopted, would be a reasonably objective basis for the standards and best practices.
With these standards in place, there seems little reason why the application vendors could not address the issues of security with respect to the use of virtualized infrastructure (the hosts and networks) as well as the virtualization of the applications themselves.
This same tale is going to be told multiple times. It’s not just about PCI, but also will impact a standards and regulations like Sarbanes-Oxley, as well as (here it comes) the standards for data security and processing security in SaaS and IaaS environments … Yes, I mean “cloud computing.” The PCI industry has a chance to do this right up front, without the buck passing. I think I’m with Eric on this one.
Update:
Seems that while I was heads-down with a product launch, I missed Christofer Hoff’s post on PCI, virtualization and clouds .
Just to be clear — I agree with most of the points that David Taylor has made, but to follow along with this reference to the OSI standards vs the TCP/IP development of standards … what we’re missing today is the moral equivalent of the TCP/IP definitions of best practice and standard. If the PCI DSS folks won’t step up to it, let’s figure out who will.
And, in another interesting addition to the conversation, VMware has joined PCI. We’ll now see whether (and how) they can improve the situation.
VMware makes the case for PCI DSS compliance
…Today, with a nod to millions of merchants worldwide that accept credit card payments, VMware Inc. announced that it has joined the Payment Card Industry Security Standards Council (PCI SSC) to incorporate awareness of virtualization into forthcoming versions of PCI regulations.
The company has also launched the VMware Compliance Center, a website dedicated to educating merchants and auditors about compliance in a virtualized environments, and the resource includes links to relevant white papers and webcasts. …
I am puzzled as to why they would continue to ignore virtualization. After all, isn’t just about every company virtualizing in some fashion these days? Are the people that write the specification parameters just ignorant of what virtualization is, and that it has a direct impact on their regulations? Or are they just trusting that we are all securing our virtual hosts properly and there is no need to address them? If that’s the case then they have misplaced a critical amount of trust as I am sure there are a great many virtual environments that are not properly secured. Likewise, ignoring virtualization completely greatly reduces the effectiveness of their efforts to secure environments that deal with cardholder data. It’s essentially fortifying everything within a castle, but leaving the front gate open.
StorefrontBacktalk - Why PCI 1.2 Ignoring Virtualization Won’t Matter
… The issue is more than just PCI compliance. It’s about reliability, performance and data integrity. The point is that deciding whether to deploy virtualized servers broadly throughout the enterprise should not hinge on PCI compliance. Once the larger application and management issues are addressed to the satisfaction of the head of IT infrastructure, and the controls documentation is put in place, then PCI compliance becomes a minor issue by comparison.
Betsy Frost Webb, General Mgr of the Microsoft Unified Communications group, is giving the keynote here at VoiceCon San Francisco 2008. I am interested in the presentation from Microsoft because there are rumors floating around this morning that later in the week Microsoft will do a “GodFather” deal with IBM to team up on a joint Unified Communications solution. This would be a direct move against Cisco. I’ve also heard rumors that I’ve posted here that Cisco has been in conflict with IBM over their recent moves into the compute sector.
I came in a bit late but she is touting the awards and customers that are using Microsoft’s Unified Communications products. I see a video guy so I’ll keep the blogging short since a video from TechWeb will come out later.
Communication Server will come out in February 2009. She is introducing Eric Swift now. Eric is giving a demo. Demo of UC is showing the collaboration workflow of handling a basic conference call. Authentication is handled by Active Directory. They are adding IM capability into the conference call in context. Now Eric is adding video live as well in addition to the conference call. I really like how you an mute individual participants who are in noisy environments.
Eric is showing Firefox compatibility for non-Microsoft platforms. This is a must have feature for the world that is migrating over to cloud services and other non-Microsoft platforms. More impressive is the capability to mute land lines that integrate into Communicator. This is a pretty big deal to pull off and it makes the offering mainstream not a ’silo’d Microsoft’ offering - traditional telephony coming together with IP based software services.
Betsy is back on touting all the cost efficiencies that UC offers. She is talking about one open infrastructure to work well with existing systems. Betsy is asking for feedback and emails at voicecon@microsoft.com
She is talking about how the experience from the Office group and what they bring to the table in UC. Some have been saying that Office is dead and that cloud computing and things like Google Apps is killing Microsoft Office….(Hmmm this could be the cloud and edge based software model…hmmm more on that later).
Betsy admits there are implementation challenges. She is opening up and asking for input (very sales oriented). The major update is coming in February - Office Communications Serve 2007 R2 on February 3, 2009. (why is it called Office Communicator 2007 we are in 2009???)
I wonder if the all this open discussion will be related to the IBM rumors - I am trying to confirm that Microsoft is going to announce a deal with IBM on a common platform.
End of Microsoft Unified Communications Keynote
UPDATE: I spoke with Microsoft’s Betsy Frost Webb about the rumor that I heard this morning and she neither denied or admitted the ’so called’ deal with IBM which tell me that a pending deal is coming. A source told me that an announcement will come Thursday from Microsoft and IBM here at VoiceCon about a Unified Communication partnership. On Twitter Damien Mulley was saying that there was rumblings about a IBM and Microsoft ‘cloud deal’. I’m not sure this is the same thing.
Gloomy news in a down economy abound. Signs are everywhere in many sectors of the technology spectrum.
The Social Networking site Linkedin is laying off 10% of its workers. Dell has asked personnel to voluntarily take unpaid leave. Apple is supposedly scaling back its Iphone production. John Furrier earlier reported on Cisco’s earnings problems. Many mid-size companies have discovered placing their infrastructures in managed hosting environments has given them cost advantages. Other companies are pre-emptively behind-the-scenes cutting back, canceling planned expenses for the quarter, scaling back hiring goals, postponing projects, etc.
Plenty of the problems are based on uncertainty and faith in the economy in general. On the other hand plenty of companies survived or even thrived during past cycles. The difference is preaching value and advantage. We have before our eyes a number of bleeding-edge technologies that offer advantages to businesses large and small.
And this perspective is not exclusive of conservative budgets. The realization of value, effectiveness, and most importantly optimization is tantamount to those companies that look to tighten the belt in the technology realm.
Take some of the recent Microsoft news. They are now offering a program that allows for free software to start up businesses, and from the observer’s point of view to stave an exodus to open-source software in a capital and credit challenged environment. In the infrastructure realm, Microsoft is leveraging the realization of optimization of existing and breakthrough technologies to cut costs in terms of deployment, maintenance, and security. Part of this optimization path includes integrating layers of technology to satisfy technology initiatives like Unified Communications, Systems Manager and Sharepoint. Their strategy is to draw out an idealized spectrum of basic infrastructure implementation to the idealized dynamic configuration. That state in which return on infrastructure, messaging, and security is maximized.
As a VAR, consultancy, IT manager, whatever, ASK yourself: What do you offer, who do you offer it to and what is the return? What are my customers seeing? What is my customer’s satisfaction? Why would they choose me? Do I have confidence that our service is the best we can do for our customer?
There is plenty of hard data available that support the cost advantages. Sales teams tout these statistics freely. The key is to get the relationship, satisfaction of goals, and the technological foundation presented to the right people. That is where the renewed confidence in technology lies. On the front lines, people like us touting the advantages everyday. Managers pushing through contracts, enterprise aligning with blazing new technology, any company that chooses to advertise, small businesses realizing that technology can be the edge that gets them to profit. The businesses and people that come out on top make bold moves, correct moves in times of economic crisis. CHOOSE TO BE BOLD - and you will reap the benefits.
I definitely have continued thoughts to share on this and will post more on this matter.
One in Four Servers Still Unpatched for the Kaminsky Vulnerability and Many More Open to Recursion
The Measurement Factory, experts in performance testing and protocol compliance, today announced results from the fourth-annual survey of domain name servers on the public Internet.
Top-line results indicate that despite the fact that most organizations are running recent versions of BIND and no longer using Microsoft DNS Servers for their external DNS servers, many organizations have not taken the necessary precautions to limit access to recursion or secure zone transfers. In addition, many still have not upgraded to the latest DNS software to protect against the recently discovered Kaminsky vulnerability and associated risk of DNS cache poisoning.
“Given the heightened awareness of DNS server vulnerabilities due to the recent Kaminsky discovery, it is surprising to see how many organizations are still leaving their DNS systems as potential victims of attack,” commented Cricket Liu, Vice President of Architecture at Infoblox and author of O’Reilly & Associates’ DNS and BIND, DNS & BIND Cookbook, and DNS on Windows Server 2003. “Even if an enterprise has gone to the trouble of patching against the Kaminsky vulnerability, there are many other aspects of configuration, like recursion and open zone transfers, that should also be secured. If not, organizations are essentially locking their door to their house, but leaving the windows wide open. Organizations clearly need to pay more attention to configurations and deployment architectures that are leaving their DNS infrastructures vulnerable to attacks and outages.”
DNS servers are essential network infrastructure that map domain names (e.g., yahoo.com) to IP addresses (e.g., 66.94.234.13), directing Internet inquiries to the appropriate location. Domain name resolution conducted by these servers is required to perform any Internet-related request, whether for Web browsing, email, ecommerce, or cloud computing. Should an enterprise or organization’s DNS systems become compromised by attacks, the results can be devastating, ranging from loss of a company’s Web presence, inability of employees to access any outside Web services, and perhaps most damaging, redirection of Web and email traffic to bogus sites, resulting in data loss, identity theft, ecommerce fraud and more.
Following are the key 2008 DNS survey results, which are based on a sample that included 5 percent of the IPv4 address space, nearly 80 million addresses.
GOOD NEWS
-- 90% of name servers that run BIND run one of the most recent versions
of BIND 9; a small but significant number of administrators continue to run
older versions of BIND on Internet-facing name servers, putting their
organizations at risk.
-- Only .17% still rely on Microsoft DNS Server, down from 2.7% (2007);
usage of unsecure Microsoft DNS Servers connected to the Internet is
vanishing.
-- Support for Sender Protection Framework (SPF) within DNS for spam
reduction increased from 12.6% of zones sampled to 16.7%; despite the
complexity of SPF configuration, validating email senders is increasing in
importance and organizations are taking email fraud seriously.
BAD NEWS
-- One in four DNS servers does not perform source port randomization --
the "patch" for "the Kaminsky vulnerability"; the effort by vendors and the
Internet's DNS community to encourage administrators to upgrade their name
servers after the announcement of the Kaminsky vulnerability paid off;
however, a surprising number have not been upgraded and are very vulnerable
to cache poisoning.
-- More than 40% of Internet name servers allow recursive queries; there
are still millions of open recursors on the Internet, a danger both to
themselves and others -- they are vulnerable to cache poisoning and
Distributed Denial of Service attacks.
-- 30% of DNS servers surveyed allow zone transfers to arbitrary
requestors; this leaves servers as easy targets for denial-of-service
attacks.
-- Only .002% of DNS zones tested support DNSSEC; administrators have not
been convinced of its importance -- perhaps intimidated by its complexity
-- but new mandates could mean a significant change in the near future.
MISC.
-- Usage of IPv6 name servers continues to increase from .27% to .44%;
while enterprises are investigating IPv6 and concerned about increasingly
scarce IPv4 address space, adoption of IPv6 is still low -- address
scarcity isn't yet considered a serious concern and they feel no urgency to
adopt IPv6.
Call to Action
Based on these statistics, there are some clear calls to action for organizations with external DNS servers. Instead of waiting until they are attacked, all organizations should assess their DNS infrastructure and immediately take the necessary steps to make them more reliable and secure. Infoblox provides a number of free, automated tools that enable organizations to test their DNS infrastructure and identify weaknesses and vulnerabilities.
Powered by WordPress