All posts by Danny Bradbury

Cisco patches critical bugs in collaboration products

Danny Bradbury

4 Mar, 2022

Cisco has patched two critical bugs that could allow attackers to write files and run arbitrary code on its video conferencing and collaboration products.

Each bug affects the company’s Cisco Expressway series of collaboration servers and its TelePresence Video Communication Server (VCS).

The first vulnerability, CVE-2022-20754, allows a remote attacker to write files to the system. It lies in the products’ cluster database API, which doesn’t properly validate user input. An attacker authenticated as an administrative user could submit malicious input via a directory traversal attack and write their own files with root privileges, including overwriting existing operating system files.

The second flaw, CVE-2022-20755, allows an attacker to execute arbitrary code by exploiting the products’ web management interface. An attacker could log in as an admin and then craft malicious input that would let them run their own code as root.

These vulnerabilities, each of which has a 9.0 CVSS score, do not depend on each other, Cisco said in its advisory, and customers were told to install both patches to protect their systems.
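The root cause Cisco describes for the first bug, an API that writes files without validating the client-supplied path, is the defect a strict path check on the server side prevents. The following is an added Python example, not Cisco’s code and unrelated to the Expressway or VCS implementation; the base directory, file names and the symlink layout built in `demo()` are constructed for illustration.

```python
import os
from pathlib import Path


class PathTraversalError(ValueError):
    """Raised when a client-supplied path would escape the permitted directory."""


def resolve_within(base_dir: str, user_path: str) -> Path:
    """Resolve a client-supplied relative path strictly inside base_dir.

    Rejects NUL bytes, absolute paths and '..' components up front, then
    resolves symlinks on both sides and requires the final target to remain
    under the base directory, so a symlinked subdirectory cannot escape it.
    """
    if not user_path or "\x00" in user_path:
        raise PathTraversalError("empty path or embedded NUL byte")
    requested = Path(user_path)
    if requested.is_absolute():
        raise PathTraversalError("absolute paths are not allowed")
    if any(part == ".." for part in requested.parts):
        raise PathTraversalError("parent-directory components are not allowed")

    base = Path(base_dir).resolve()
    # Non-strict resolve: the target may not exist yet (we are about to write it),
    # but every existing prefix, including symlinks, is followed and checked.
    candidate = (base / requested).resolve()
    if candidate != base and base not in candidate.parents:
        raise PathTraversalError("path escapes the permitted directory")
    return candidate


def is_safe(base_dir: str, user_path: str) -> bool:
    """Convenience predicate: True only if resolve_within() accepts the path."""
    try:
        resolve_within(base_dir, user_path)
        return True
    except PathTraversalError:
        return False


def safe_write(base_dir: str, user_path: str, data: bytes) -> Path:
    """Write data only after the path has been validated against base_dir."""
    target = resolve_within(base_dir, user_path)
    target.parent.mkdir(parents=True, exist_ok=True)
    with open(target, "wb") as fh:
        fh.write(data)
    return target


def demo() -> dict:
    """Exercise the check against constructed inputs, including a symlink escape."""
    import tempfile

    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        base = os.path.join(tmp, "base")       # the only directory writes may land in
        outside = os.path.join(tmp, "outside")  # stands in for the rest of the filesystem
        os.makedirs(base)
        os.makedirs(outside)

        written = safe_write(base, "config/node1.json", b"{}")
        results["normal_write"] = (
            written.read_bytes() == b"{}" and written.parent.parent == Path(base).resolve()
        )
        results["dotdot_rejected"] = not is_safe(base, "../outside/evil.txt")

        # A symlink inside base pointing outside it: the '..' filter alone would
        # miss this, the post-resolution containment check catches it.
        os.symlink(outside, os.path.join(base, "link"))
        results["symlink_escape_rejected"] = not is_safe(base, "link/evil.txt")
    return results


if __name__ == "__main__":
    print(demo())
```

The containment check after `resolve()` is the part that matters: filtering `..` strings alone is not enough, because a symlink or an alternative encoding can reach the same place, so the decision is made on the fully resolved target rather than on the text of the request.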

Cisco Expressway is a series of devices supporting collaboration with users outside of a company’s firewall. The system, which operates without the need for a VPN client, supports video, voice, and instant messaging. Users can also see each other’s presence information.

The TelePresence VCS is a server for managing video conferencing sessions. It works as an appliance on a customer’s premises or in the cloud, and supports communication between different video conferencing platforms.

TelePresence VCS has not been sold since December 2020. Cisco will stop issuing software maintenance patches for this product on December 29 this year and will stop providing support entirely at the end of 2023.

Google brings Privacy Sandbox initiative to Android

Danny Bradbury

17 Feb, 2022

Google has announced plans to bring its Privacy Sandbox anti-tracking initiative to the Android operating system.

The move, floated in a blog post on Wednesday, will be part of a multi-year effort, which will see Google build measures into the OS that will limit the ability of applications to share user data with third parties.

The privacy sandbox will also force apps to operate without cross-app identifiers, making it harder for developers to track individuals across different applications.

In Android 13, it plans to introduce a separate runtime environment for the advertising software development kits (SDKs) that serve up ads to app users. Currently, these SDKs run inside the host app’s sandbox, which Google says risks covert data collection and sharing.

Google has published its initial design proposals for the Android version of its Privacy Sandbox. It will release developer previews in the coming months and will have a beta release by the end of the year.

The company is inviting developer feedback on proposed solutions including FLEDGE for Android, which Google says uses audience segmentation information stored on the user’s device to deliver relevant ads via an API.

Launched in 2019, the Privacy Sandbox initiative is Google’s attempt to reduce unauthorized third-party tracking while still supporting advertisers. It hopes to eliminate cookies and fingerprinting.

As part of the initiative, Google replaced third-party cookies with its Federated Learning of Cohorts (FLoC) technology, which tracked people in aggregate, classifying them by their interests. This generated controversy in the industry, drawing an antitrust complaint from several states and causing several other browsers and online services to decline support for it.

Google abandoned FLoC last month in favour of its Topics API for interest-based advertising. It has also used the Android Privacy Sandbox initial proposals page to solicit feedback from developers on this approach.

Microsoft Teams is getting a new LinkedIn integration

Danny Bradbury

9 Feb, 2022

Microsoft Teams is getting a new LinkedIn integration that will give users access to colleagues’ profiles on the professional social networking site. 

According to the company’s roadmap for Microsoft 365, users will be able to see their colleagues’ LinkedIn profiles when in a one-on-one chat. 

Microsoft added the feature to the road map last week, and it will enter general availability in March.

This addition follows enhancements to Microsoft Teams in public preview, including a compact chat option that lets users select a view displaying more chat messages and the ability to promote invitees to co-organizers.

Microsoft has been tying Teams more closely to its other products of late. It included tighter Teams integration with Windows 11 by displaying Teams contacts directly on the Windows taskbar for Teams personal users.

LinkedIn isn’t the only online service integrating with Teams. In November Microsoft also announced an integration deal with Meta’s rival Workplace collaboration service. This will enable the two services to exchange content with each other so that Teams video will live stream directly into Workplace groups.

LinkedIn, which Microsoft acquired in 2016, has not always been happy with people accessing its data. hiQ Labs sued the professional social network, forcing it to allow access to its user-generated data. hiQ won on appeal in 2019, but last year the Supreme Court vacated the decision, referring it once again to the Ninth Circuit court.

Microsoft is also planning some other feature enhancements for Office 365, including easy access to Teams files from its OneDrive storage service. This update, which will be available in April, will see the company add a ‘Your Teams’ section to OneDrive’s ‘More Places’ page.

Cisco launches suite of products aimed at improving enterprise campus networks

Danny Bradbury

4 Feb, 2022

Cisco has announced a range of services and products to support hybrid working, including a private 5G service for enterprises and new high-performance Wi-Fi access points tailored for enterprise campus environments.

The announcements focus on bolstering on-site enterprise networks to improve performance and accessibility for hybrid workers when they come to the office.

They target network infrastructures capable of supporting emerging business applications, including higher-resolution video traffic and immersive interfaces, Cisco said.

The private 5G service includes both 5G radio and Wi-Fi capabilities. Offered on a pay-as-you-go subscription model, the service is designed to minimize initial customer investment, and work is being done with third-party service providers to scope out customer environments and create tailored packages, Cisco explained.

Cisco will manage the cellular part of the solution, and customers use a cloud-based management portal to monitor and manage policy and enterprise networking devices, the vendor added. It also includes identity management, with secure access policies that allow users to access only the resources they need.

The company launched Wi-Fi 6E access points targeting hybrid business environments. Wi-Fi 6E extends Wi-Fi 6 into the 6GHz radio spectrum for faster speeds and reduced radio interference from other Wi-Fi devices. Cisco expects this to be useful for applications including augmented and virtual reality, which require high bandwidth and low latency.

The Meraki MR57 is a cloud-managed device featuring gigabit speeds. It offers radio optimization with multi-antenna MU-MIMO support and measures local metrics, including visit lengths and repeat visit rates so that administrators can measure performance across different campus locations over time.

Cisco also expanded its own line of silicon to power its Catalyst switches. Silicon One, its own ASIC architecture launched in December 2019, was its attempt to create a single silicon architecture that could be used in multiple products across the network. It was previously only available in service provider switches and routers, but now it will be available in its enterprise-class products, the company said.

This brings 400 Gbit capabilities into lower form-factor devices for enterprise campus environments with lower power demands, executives said.

The first products to get it are the Catalyst 9500X and 9600X switches, also announced on Thursday.

Cisco has already made forays into more immersive interfaces for hybrid workers. It recently announced plans for augmented reality capabilities in its Webex conferencing platform. Participants could see hologram-like video of each other using augmented reality headsets, it said.

Safari bug lets websites track browsing activity and unique identifiers

Danny Bradbury

18 Jan, 2022

Researchers have found a bug in Apple’s Safari browser that allows websites to track a user’s browsing activities across other sites.

The bug, discovered by browser fingerprinting service FingerprintJS, also exposes a user’s unique ID for some websites to other sites that they visit.

The flaw, found in Apple’s WebKit browser engine, affects Safari 15 on macOS and all browsers on iOS and iPadOS 15. It lies in WebKit’s implementation of the Indexed Database API, commonly called IndexedDB, a JavaScript API through which web pages store and retrieve a database of objects. Web applications frequently use it to store data generated while the user interacts with them, including the user’s unique ID for that application, such as their Google ID.

When properly implemented, IndexedDB follows the same-origin principle. This ensures that information stored by a web page is only available to web pages from the same domain. It stops over-inquisitive web pages from accessing other domains’ stored information, which could include sensitive user or session data.

FingerprintJS found that WebKit’s IndexedDB implementation fails to observe the same-origin principle, instead making stored information available to web sites from other domains.

FingerprintJS called the bug a privacy violation. “It lets arbitrary websites learn what websites the user visits in different tabs or windows,” the company said in its analysis of the bug. “This is possible because database names are typically unique and website-specific.”

The company found some websites using user-specific IndexedDB data such as ID numbers in their IndexedDB database names, making it easy for any other website to find out a user’s ID on other sites. Using this ID to look up the user’s assets (such as profile pictures) could allow identification of the user, the company warned. Google websites store ID numbers in this way, making it possible for other sites to harvest Google IDs using the bug.

The bug affects all browsers on iOS 15 because Apple mandates the use of WebKit on this platform in its developer guidelines. Section 2.5.6 says “Apps that browse the web must use the appropriate WebKit framework and WebKit Javascript.”

FingerprintJS said that it had notified Apple of this bug on November 28 but Apple had not patched it. Apple’s engineers began creating a patch on Sunday February 17, the day that FingerprintJS published details of the bug.

GoDaddy data breach exposes over 1.2 million customer details

Danny Bradbury

23 Nov, 2021

Hosting company GoDaddy has said that around 1.2 million users have been affected by a data breach on its managed WordPress hosting service.

The hack is said to have exposed email addresses, customer numbers, administrative login credentials, and in some cases SSL private keys.

The hosting company discovered that an intruder had gained access to its managed WordPress hosting environment on Nov 17, it said in a filing with the SEC. The intruder used a stolen password to access the provisioning system for the service.

Up to 1.2 million active and former users of the company’s managed service had their email addresses and customer numbers exposed, the company said, raising the possibility of further phishing attacks to come. The original administrative passwords for the managed WordPress accounts were also available to the hacker, putting the accounts themselves at risk if the credentials were still in use.

Also exposed were sFTP and database usernames and passwords, and an undisclosed number of users also had their SSL private keys exposed.

GoDaddy discovered that the intruder had been inside the system since September 6, meaning that the hacker has had access to the data for over two months. It worked with a forensics company upon discovering the incident, and has taken steps to safeguard its systems, including changing original administrative passwords that were still in use, resetting sFTP and database passwords, and installing new digital certificates for affected customers.

“We are sincerely sorry for this incident and the concern it causes for our customers,” the company said in its filing. “We, GoDaddy leadership and employees, take our responsibility to protect our customers’ data very seriously and never want to let them down. We will learn from this incident and are already taking steps to strengthen our provisioning system with additional layers of protection.”

In 2017, the company revoked thousands of SSL certificates after issuing them without proper checks and authorization. In January 2019, an independent researcher found a vulnerability in its process for handling DNS change requests that enabled hackers to hijack domains and create phishing campaigns. It also notified customers of a hack that exposed SSH login details in the same year.

Supreme Court denies Oracle appeal over JEDI contract

Danny Bradbury

5 Oct, 2021

The US Supreme Court has denied Oracle’s petition against the Pentagon’s vendor selection for the Joint Enterprise Defense Infrastructure (JEDI) contract.

The petition, filed in January 2021, followed the failure of Oracle’s legal appeal in federal court. After Microsoft won the JEDI contract, Oracle argued the awarding of the contract to a single source was unlawful according to Congressional restrictions on single-source awards. 

The company also accused federal circuit courts of taking a hands-off approach when evaluating the complaint and said several Pentagon officials had conflicts of interest concerning Amazon, which also bid on the project. 

“Federal contracting is rife with potential corruption, and nowhere is that truer than in defense procurements,” its petition concluded. “Each year, billions of dollars of governmental contracts are tainted by the misconduct of agency personnel.” 

The rejection was a foregone conclusion given the Pentagon scrapped the $10bn project following another protracted legal fight. Amazon challenged the Microsoft win twice, alleging political interference by then-president Donald Trump, who had a long-standing grudge against Amazon’s CEO, Jeff Bezos. The contract was crippled after AWS won its legal battle. 

The Department of Defense decided to divide the work on future cloud computing systems between multiple bidders. Changing technical needs played a large part in the decision to scrap the project, said Pentagon officials in July, citing new initiatives like the Joint All-Domain Command and Control (JADC2), which will be a single network connecting sensors from all the military services. 

JEDI’s successor is the Joint Warfighter Cloud Capability (JWCC), which will involve multiple cloud service providers. The Pentagon will consider both AWS and Microsoft. It said these were the only two providers that could meet its requirements. 

The federal circuit court had said that the original decision to award JEDI to a single vendor had not affected Oracle, which would not have been considered under a multi-vendor award. 

Oracle launches free cloud training

Danny Bradbury

9 Sep, 2021

Oracle is offering free worldwide training and certification in its Oracle Cloud Infrastructure. Learners now have free access to the company’s entire learning curriculum across all skill levels. 

The training catalog includes courses at all levels across a range of IT roles, the company said. It includes preparation courses and practice exams to prepare people for testing and gives learners access to live sessions and personalised feedback. Career resources will also help people to secure jobs with their Oracle Cloud Infrastructure skills. 

The online courses are available on demand in 13 languages. They include hands-on labs so learners can test their skills in a simulated production environment. 

While the cloud training is available at no cost indefinitely, there is a time limit on the free certification. Learners can only get certified from the Oracle University for free until December 31. 

Launched in 2016, Oracle Cloud Infrastructure is the company’s cloud computing service. It offers infrastructure, platform, and software as a service (SaaS) options. It also offers Oracle Data Cloud, which offers analytics services. 

The company’s cloud service hasn’t seen the same traction as its competitors. Gartner placed the company in the “niche players” section of its latest public cloud infrastructure magic quadrant, behind Alibaba Cloud. Google, Microsoft, and Amazon Web Services sat in the “leaders” section. Synergy Research Group placed the company eighth in market share terms based on its Q2 2021 research.

Oracle also lost its bid for the Pentagon’s since-disbanded JEDI cloud computing contract. 

Last year, German company Union Asset Management AG sued the software giant for allegedly misleading the market on its cloud revenues and bullying customers into cloud migrations with a strategy called Audit, Bargain, Close. 

This isn’t the first time Oracle has run free training. It also offered free Oracle cloud courses in spring 2020. 

IBM launches SASE services

Danny Bradbury

26 Aug, 2021

IBM has unveiled a set of secure access service edge (SASE) solutions to help customers secure complex distributed work environments. 

SASE is a concept first articulated by Gartner in a 2019 white paper. It combines security and SD-WAN in a cloud-based approach designed to embed security directly into the network. This enables companies to apply security policies in the cloud that govern users no matter where they are. 

Because the network and security are software-defined, administrators can manage them programmatically, making it easier to update these policies across the organisation. 

IBM Security Services for SASE is an end-to-end offering covering strategic consulting, design and integration, and application onboarding. It also encompasses a set of managed security services in the cloud to protect user sessions and data, such as secure web gateways, cloud-based firewalls, cloud access security broker services and data loss prevention. 

Zero-trust security is another big component of SASE. This part of the solution removes implicit trust for people that access the network and verifies their identity when accessing resources inside the company’s infrastructure. Zscaler, with which IBM partnered in May, will provide the zero-trust functionality for IBM’s SASE portfolio. 

IBM sees potential for its SASE services in areas such as hybrid workforce access, contractor and third-party access, and edge computing scenarios. It can also help to secure businesses undergoing mergers and acquisitions, the company said. 

IBM commissioned a study from Forrester to support its SASE roll-out, and it found 60% of companies lacked a clear security strategy spanning their entire cloud deployment.

Most companies (70%) found it challenging to implement centralised security controls across multi-cloud environments, while almost two-thirds found it difficult to secure their remote and in-office employees across multiple devices and locations. 

Managed edge services market primed for growth

Danny Bradbury

24 Aug, 2021

IDC has predicted a bright future for the managed edge computing services market as multiple drivers compel businesses to rethink their computing architectures. 

The market research company forecasts worldwide revenues of $445.3 million for the managed edge services market this year, up 43.5% compared to 2020. This positive trend will continue until at least 2025, with a compound annual growth rate of 55.1% during that period. 

Managed edge services are low-latency services that process data near the edge of a network, closer to where it is consumed and produced. Services in this emerging market range from content distribution through to edge application hosting and real-time data analytics.

IDC has identified three types of managed edge services environments. On-premises or private deployments located at the customer’s facilities, such as production plants or health care facilities, will be the fastest-growing use case with a five-year CAGR of 74.5%. An example might be augmented reality services or industrial automation.

Service provider deployments in a public cloud service or telco’s premises will enjoy the second-fastest growth. IDC added that this use case will involve fixed and mobile deployments and would be significant for sector-specific applications. It expects a CAGR of 59.2%, making it the largest market segment by next year. 

Finally, IDC singled out content distribution network (CDN) services as a specific use case. CDNs will continue to refine their services with new edge technologies. IDC expects more personalized and interactive media experiences from the CDN managed edge services segment, enjoying a 41.9% CAGR over five years. 

A key driver for the deployment of managed edge services is the need for process efficiencies. Analysts also pointed to new consumer applications, such as augmented and virtual reality.

Data sovereignty and security measures will also be big drivers as companies strive to maintain regulatory compliance while pursuing better customer experiences. 

5G will also play a big part in managed edge services, the company said. Cloud service providers will partner with 5G infrastructure companies — typically telcos. Data center operators will also be eager to participate, as will network equipment vendors and software companies.