All posts by Keumars Afifi-Sabet

Connexin rolls out UK’s first nationwide IoT network


Keumars Afifi-Sabet

16 Dec, 2020

Smart city development firm Connexin has announced plans to expand its Internet of Things (IoT) network across the entirety of the UK, with all local authorities and regions now able to link up with the company’s flagship platform.

Such a universal carrier-grade roaming long range wide area network (LoRaWAN) aims to lower the barriers to entry for regional governments hoping to launch their own smart city projects. This also eases the process for all organisations hoping to adopt IoT products.

This national rollout is the first of its kind in the UK and has started following successful regional deployments in Yorkshire, with organisations such as Yorkshire Water, Hull City Council and Amey among those which are already using the system.

Using the LoRaWAN network can allow any organisation in public service, from councils to utility firms, to deploy IoT products without having to build their own network, as they can tap into Connexin’s universal system.

“With a low-cost wide-area networking solution becoming available to all organisations across the UK, it opens up opportunities for those looking to deploy IoT solutions for a fraction of the cost of existing cellular infrastructure solutions,” said the founder and CEO of Connexin, Furqan Alamgir. 

“Not only does this promote the development of new IoT-based technology but it allows existing solutions to be rolled out nationwide to encourage further adoption and will allow more people to utilise and benefit from affordable, carrier-grade IoT connectivity.”

This news builds on an £80 million fundraising effort in September, with the company aiming to become the UK’s chief smart cities provider following successful regional deployments in Sheffield, Hull, and the South Coast. The expansion of its national IoT network to cover all areas of the UK is now underway.

The presence of a national IoT network may help to kickstart smart city projects across the UK, with only limited implementation and success to date. Many projects are either small in scale, or in the pipeline for future development, such as the government’s £90 million cash injection to build ‘future transport zones’. These will be located in the West of England Combined Authority, Portsmouth and Southampton, and Derby and Nottingham.

Giffgaff migrating IT infrastructure and development to AWS


Keumars Afifi-Sabet

14 Dec, 2020

UK mobile network operator Giffgaff has outlined plans to shift its entire IT infrastructure and operations to Amazon Web Services (AWS), completing its migration from on-premise data centres by the end of the year.

Giffgaff will opt into more than 60 of AWS’ 175 cloud services, the company announced, including compute, analytics, storage, databases, containers and machine learning. In doing so, the firm will become the first European mobile virtual network operator (MVNO) to be powered by AWS in its entirety. 

The company will have shifted its IT infrastructure and application development operations to AWS by 2021, as it aims to become more capable of experimenting at pace, and speeding up a host of internal processes. The company claims to have already transformed its development lifecycle from a complex and monolithic approach to a modern, microservices-based architecture that’s enabled fast-paced development.

 

“We started out with a traditional, on-premises infrastructure, but the need for ongoing maintenance made this model overwhelming for our technical team. For example, it used to take us up to two weeks to provision a new server,” said chief operating and technical officer at Giffgaff, Steve MacDonald. 

“When we began to adopt AWS, we were able to turbocharge our development lifecycle by focusing on innovation rather than wasting time on maintenance. It’s such a powerful capability for a digital-native business like ours.”

While the announcement is still fresh, the firm has been partnering with AWS for some time already, using AWS analytics and machine learning services, for example, to understand members’ network experiences.

Aggregating and analysing data across all cases helped the company create an early warning system for network incidents. Prior to moving to AWS, too, it could take Giffgaff up to two weeks to provision a server, which can now be done within a matter of minutes.

Adopting a continuous delivery approach, and moving containerised workloads to the fully managed Amazon Elastic Kubernetes Service (Amazon EKS), meanwhile, has freed up 3,000 days of engineering and development time, according to Giffgaff.

This is equivalent to refocusing up to 15 people on innovation, and has allowed them to devote more resources to creating new apps for members.

Cisco seeks Webex enhancements with Slido acquisition


Keumars Afifi-Sabet

14 Dec, 2020

Cisco has acquired audience interaction company Slido in efforts to enhance the Webex video conferencing user experience and stay relevant with the likes of Zoom, Teams and Google Meet enjoying a surge in popularity.

The firm is hoping to integrate Slido’s audience interaction and engagement features, such as polls and Q&As, into the Webex platform to improve the quality of the product and make it more appealing for users. 

The acquisition will pave the way for meeting owners to create engaging content such as infographics, get real-time insights as well as obtain feedback. This is in addition to Slido’s inbuilt functionality to support virtual conferences and massive events.

“Slido technology enables higher levels of user engagement – before, during and after meetings and events,” said Abhay Kulkarni, Cisco’s VP and GM for Webex Meetings. “The Slido technology will be part of the Cisco Webex platform and enhance Cisco’s ability to offer new levels of inclusive audience engagement across both in-person and virtual experiences.

“In the massive shift to ‘virtual everything,’ remote meetings and events have become the lifeblood for connecting people in all aspects of their lives – from friends to family to work colleagues.

“Slido has over seven million participants monthly and provides its customers with an inclusive audience engagement platform that enables real-time feedback and insight before, during and after any meeting or event via dynamic polls, Q&A, quizzes, word clouds, surveys and more.”

Bundling such features into the meetings experience is something that Cisco is hoping can keep Webex relevant at a time when industry rivals such as Microsoft Teams and Zoom are enjoying rampant success.

This isn’t to say, however, that Cisco’s enterprise collaboration platform hasn’t enjoyed a surge in popularity itself, recording 590 million meeting participants in September, for example, according to Reuters. Zoom, however, boasted a staggering 300 million daily meeting participants during the height of the pandemic in April. 

The company describes its goal as delivering experiences that are 10x better than in-person interactions, which the integration of Slido’s audience engagement tools will help to contribute to. Cisco will also hope to integrate further insights into the broader Webex platform, with a view to raising productivity while workers are still based remotely.

This isn’t the first recent acquisition that Cisco has made squarely with the view to enhance the Webex experience, having previously acquired BabbleLabs earlier this year. The previous deal saw the firm seek to integrate AI processing technology into meetings in order to suppress background noise and enhance speech clarity. 

AWS CISO urges companies to adopt a zero-trust security approach


Keumars Afifi-Sabet

9 Dec, 2020

Organisations should embrace the philosophy and principles of zero-trust security to keep up to date with modern demands and security threats, AWS’ chief information security officer (CISO) Steve Schmidt has urged.

Adopting the core tenets of a zero-trust philosophy, including accessibility and usability, and ensuring you’re focusing on the core fundamentals of security, will ensure businesses can eliminate needless risks in their IT estates.

Doing so, however, isn’t as straightforward as businesses may hope, according to Schmidt. This is because the term ‘zero-trust’ can mean different things in different contexts, with this ambiguity the product of a diversity of use cases to which it applies.

“Zero-trust is, to me, a set of mechanisms that focus on providing security controls around digital access and assets while not solely depending on traditional network controls or network perimeters,” he explained, speaking at AWS re:Invent 2020. 

“In other words, we aren’t going to trust a user based only on their location within a traditional network. Instead, we want to augment network-centric models with additional techniques, which we would describe as identity-centric controls.”

An example of one such use case that he provided was human-to-application security, which is particularly relevant given the surge in people working from home in 2020. Traditionally, applications sat behind a virtual private network (VPN) front door, but these aren’t compatible with the diversity of devices that workers use to access work-related services. Applying zero-trust principles generates the objective to make the locks on applications effective enough that you can eliminate a VPN-based front door altogether.

Zero-trust principles have become far more popular across the industry of late, with a number of companies quick to adopt and promote this philosophy either as part of their own strategies or in their products. 

BlackBerry, for example, announced Persona Desktop in October, a security platform that uses artificial intelligence (AI) and machine learning to detect user and entity behaviour abnormalities. Persona Desktop works at the endpoint, and eliminates the need to share data back to the cloud before the system acts, and also aims to protect against stolen credentials, insider threats, and physical compromise.

Google, too, launched a zero-trust remote access service known as BeyondCorp Remote Access earlier this year that’s designed to give remote teams access to their internal applications without the need for a VPN.

As part of Schmidt’s outline of AWS’ security strategy, he also proposed a set of questions that businesses and IT administrators should ask about their organisation’s security configuration. Elements such as where the perimeter is, and how large it is, as well as how easy it might be to monitor and audit, should be considered. 

Schmidt also, by way of example, suggested that while VPNs are fine to use for network isolation, it would be best to make the implementation dynamic and hidden from the user experience. This might lead to users not even noticing that network boundaries are being created and torn down as required.

Russian hackers are exploiting critical VMware flaws


Keumars Afifi-Sabet

8 Dec, 2020

State-backed Russian cyber criminals are actively exploiting a recently-patched vulnerability in a series of VMware products in order to access sensitive corporate data.

In late November, VMware had warned its customers about a critical command injection flaw in a number of its products, including Workspace One Access and Identity Manager. Although the bug was considered severe, with a rating of 9.1 on the CVSS threat severity scale, a patch wasn’t available at the time and was only released on 3 December.

Hackers operating on behalf of the Russian state, however, have been actively exploiting the vulnerability to access data on targeted systems, according to an advisory issued by the US National Security Agency (NSA).

“The exploitation via command injection led to installation of a web shell and follow-on malicious activity where credentials in the form of SAML authentication assertions were generated and sent to Microsoft Active Directory Federation Services, which in turn granted the actors access to protected data,” the advisory said.

“It is critical when running products that perform authentication that the server and all the services that depend on it are properly configured for secure operation and integration. Otherwise, SAML assertions could be forged, granting access to numerous resources.”

Beyond the wider business community, the NSA has stressed the need for organisations involved in national defence and security to apply VMware’s patch as soon as possible, or implement workarounds until updates are feasible. The advisory also suggests that organisations review and harden their configurations as well as the monitoring of federated authentication providers.

Beyond Workspace One Access and Identity Manager, the products affected include Access Connector and Identity Manager Connector, with specific product versions outlined in VMware’s original security advisory.

The vulnerability, tagged CVE-2020-4006, essentially allows hackers to seize control of vulnerable machines. They would first need to be armed with network access to the administrative configurator on port 8443, as well as a valid password to the admin account.

As such the NSA has recommended that network administrators limit the accessibility of the management interface on servers to only a small set of known systems, and block it from direct internet access. Critical portions of this activity can also be blocked by disabling the firm’s configurator service.

Zero-click ‘wormable’ RCE flaw uncovered in Microsoft Teams


Keumars Afifi-Sabet

8 Dec, 2020

Hackers were able to exploit a serious vulnerability in Microsoft Teams desktop apps to execute arbitrary code remotely and spread infection across a company network by simply sending a specially-crafted message.

The zero-click flaw, which is wormable, can be triggered by cross-site scripting (XSS) injection in Teams, with hackers able to transmit a malicious message which will execute code without user interaction.

This remote code execution (RCE) flaw was first reported to Microsoft in August, with the company fixing the bugs in October 2020. However, security researcher Oskars Vegaris, who discovered the flaw, has complained that the firm didn’t take his report as seriously as it should have, with Microsoft not even assigning the bug a CVE tag.

Microsoft rated the Teams vulnerability as ‘important’ but described its impact as ‘spoofing’ in its bug bounty programme. As for the CVE element, Microsoft doesn’t issue CVE tags on products that automatically update without user interaction.

“This report contains a new XSS vector and a novel RCE payload which are used together,” Vegaris wrote on GitHub. “It affects the chatting system within Microsoft Teams and can be used in e.g. direct messages, channels.”

In a technical breakdown of the vulnerability, the researcher highlighted how RCE can be achieved by chaining two flaws, including stored XSS in Teams chat functionality and a cross-platform JavaScript exploit for the Teams desktop client. 

The impact is seemingly alarming, with its wormable nature meaning the exploit payload can be spread across other users, channels and companies without any interaction. The execution of malicious code could also happen without any user interaction, given users need to only view the specially-crafted message. 

The consequences of infection range from complete loss of confidentiality and integrity for victims, to access to private communications, internal networks, private keys as well as personal data outside of Microsoft Teams.

Hackers can also gain access to single sign-on (SSO) tokens for other services, including Microsoft services such as Outlook or Microsoft 365. This will expose them to possible phishing attacks too, as well as keylogging with specially-crafted payloads, according to Vegaris.

IT Pro approached Microsoft for comment.

How can the cloud industry adapt to a post-COVID world?


Keumars Afifi-Sabet

3 Dec, 2020

One of the unexpected silver linings to the global coronavirus crisis has been the rapid growth the cloud industry has enjoyed. The shift to remote working during the various lockdowns that have taken place over the course of 2020, was largely, if not entirely, facilitated by cloud services. This has meant that while other sectors have struggled and there has been an overall economic downturn, cloud companies have performed relatively well financially. 

Although they wouldn’t want to characterise the past few months as profiting from the pandemic, the likes of Zoom and Microsoft Teams have surged in usage and revenue, with the latter surpassing 44 million users as early as March. This period has also accelerated many digital transformation projects, with engineers more than capable of carrying out projects at pace and scale, including in the traditionally lethargic public sector. This success, however, has been driven entirely by the effects of the pandemic, forcing the industry to question whether, and how, it can adapt once its services are no longer as highly sought after.

Shifting sands

While we all rejoiced at the news that a potential COVID-19 vaccine may be available for distribution before the end of the year, shares in a handful of companies dropped sharply in response, including a reduction of at least 15% in the valuation of Zoom.

Whether things go back to the way they were, or cloud companies continue to play a more pivotal role than ever, is yet to be determined. For independent cloud consultant Danielle Royston, the goal of going ‘back to normality’ in 2021 is misplaced. “There’s no point wasting time and energy trying to return to the halcyon days of pre-COVID,” she says. “Let’s focus instead on some of the positive ‘disruptions’ we’ve seen this year. In all the companies I’ve been at, I’ve promoted – and in some cases fully converted to – remote working. I saw this as the inevitable direction that work and society was going, as the cloud computing tools were already there. And it makes sense: A better quality of life for employees, ease of collaboration, cutting the costs of business travel.”

This is a trend that Tom Wrenn, cloud investment expert and partner at private equity firm ECI Partners, predicts will continue well into next year, telling Cloud Pro that COVID-19 forced many companies into rapidly adopting cloud-based operations. These, driven by government-enforced lockdowns, allowed them to continue operating remotely. “Now, having done a basic shift to cloud-based systems,” he adds, “2021 will be the year of full cloud adoption, with businesses starting to optimise all its benefits; for example, data analytics and AI. If rapid investment was needed in 2020, next year businesses will want to see a return on that investment and will expect to see more from their cloud computing providers.”

Remoting-in

Although the recent transition to remote working is a trend sparked by COVID-19, the consensus is that it’s the beginning of a wider cultural shift. Former IBM boss Ginni Rometty is among the latest to suggest as much, claiming mass remote working will continue in some form as part of a broader hybrid model in future. This may involve companies keeping some physical presence while establishing the infrastructure and equipment to allow workers to work remotely as and when desired.

Cisco CTO for UK and Ireland, Chintan Patel, agrees, telling Cloud Pro that remote working gained widespread acceptance during COVID-19, even in organisations where it was unthinkable before. This means cloud and software as a service (SaaS) tools will continue to remain a crucial part of many setups, even though businesses will mostly return to a form of ‘hybrid’ model. “For remote working, cloud plays a central role; think secure cloud-based collaboration, accessing cloud-based business applications, and extending the security perimeter to thousands of devices,” he explains. “It’s important to note, though, that cloud-based consumption models are not limited to remote working only. As to those returning to the offices, we see technology can help make the workplace more secure and efficient. As and when companies prepare for a return to office, they also need to optimise their space, address worker concerns about sanitation and social distancing and plan how to communicate policies and information clearly.”

Technology will play a major part in instigating the changes needed in future, with a key role to play for many of the firms that have enjoyed success during the pandemic. While demand for software such as video conferencing platforms may not be as sky-high as it was at the beginning of the pandemic, Wrenn argues the next big step is how cloud companies can eat further into the market share enjoyed by the traditional telephone industry. “More and more businesses are using Microsoft Teams or Zoom to interact,” he explains, “when previously they would have used conference lines or even called a person directly due to it being more convenient. Cloud providers need to think about how they can make the most of this opportunity as the way in which people interact changes.”

To infinity and beyond

To some extent, we should all consider ourselves lucky the global pandemic happened when it did, given that cloud computing has only recently become as advanced as it is now. Thus, rather than ‘profiting from the pandemic’, this period has been the making of the industry. After all, “cloud storage, processing, and compute facilities are already set up, and ready to expand easily and automatically, as and when enterprises need,” according to Royston, who claims this wouldn’t have been the case ten to 15 years ago. “It would’ve been an epic failure and caused even more disruption and long-term damage to global economies. This year, white-collar workers being able to quickly adapt to working from home in their millions is part of what’s helped many sectors stay afloat. And it’s because of the investment and ongoing work of hyperscalers over the past few years that’s meant businesses can support workers in doing this.”

Connectivity, too, will continue to grow as organisations’ reliance on SaaS tools increases, Patel adds, with firms expecting more from these companies beyond provision. With cloud infrastructures becoming increasingly diverse, especially with applications adding more layers of complexity, businesses will be looking to strengthen their infrastructure. This will be achieved by gaining deeper visibility across their IT estates, ensuring workloads have continuous access to required resources and running systems that connect and protect at scale – from on-prem to hybrid cloud configurations. This is in addition to using technologies such as machine learning to give customers tools to manage their ever-growing data lakes. This is where providers can step in to guide customers on their migration journeys.

As such, the greatest challenge facing cloud providers, in light of the above, will largely be customer retention, according to Tom Wrenn. “If we take online meeting services as an example, historically businesses would have had to invest in a service, such as [Cisco] WebEx, which is often costly and comes with a lot of equipment,” he says. “Today, however, businesses are using Zoom and Teams for this and can just turn services on and off with little upfront investment. This means that customers aren’t locked into providers in a way they once were. As a result, cloud computing providers will need to over-deliver for their clients, retaining a high level of customer service as well as ensuring that service levels don’t decline as they undergo a huge period of growth.”

VMware sounds alarm over zero-day flaws in multiple products


Keumars Afifi-Sabet

24 Nov, 2020

VMware has warned its customers about a critical vulnerability present across several of its products, including Workspace One Access and Identity Manager, that could allow cyber criminals to take control of vulnerable machines.

The command injection flaw, tracked as CVE-2020-4006 and rated 9.1 on the CVSS threat severity scale, can be exploited in a host of VMware products, the company has warned. There’s currently no patch available, although the firm has issued a workaround that can be applied in some instances. There’s also no mention as to whether the flaw is being actively exploited in the wild or not.

Hackers armed with network access to the administrative configurator on port 8443 and a valid password to the admin account can exploit the flaw to execute commands with unrestricted privileges on the underlying operating system (OS).

The affected services include VMware Workspace One Access, Workspace One Access Connector, Identity Manager, Identity Manager Connector, Cloud Foundation and vRealize Suite Lifecycle Manager. 

The vulnerability can be exploited in some products hosted on Linux but not on Windows, and either operating system for other products. The full details on which software and OS configurations are affected are outlined on VMware’s security advisory.

Until a patch is released, VMware has outlined a workaround that can be applied to some product lines but not all. Customers using Workspace One Access, VMware Identity Manager, and VMware Identity Manager Connector can follow the detailed steps VMware has outlined, relevant to the configurator hosted on port 8443. This involves running a set of commands for all affected products.

The workaround isn’t compatible with other products beyond those three that may be affected, and customers will have to keep their eyes peeled for any news of a patch as and when one is released. 

News of this command injection vulnerability has arrived only days after VMware confirmed two critical flaws in its ESXi, Workstation, Fusion and Cloud Foundation products.

Microsoft expands Defender capabilities for Linux systems


Keumars Afifi-Sabet

18 Nov, 2020

Microsoft has rolled out the public preview for its Defender for Endpoint software on Linux systems, giving IT administrators outside of the Windows 10 ecosystem a comparable level of protection.

Defender for Endpoint customers can take advantage of endpoint detection and response (EDR) capabilities to detect advanced threats involving Linux servers, use data from endpoints to gain insights, and remediate attacks.

The software supports recent versions of the six most common Linux distributions, including RHEL 7.2+, CentOS Linux 7.2+, Ubuntu 16 LTS or higher, SLES 12+, Debian 9+ and Oracle Linux 7.2. 

This expansion builds on the company’s general release of Microsoft Defender Advanced Threat Protection (ATP) for Linux earlier this year. This is in addition to Microsoft bolstering security for Android and iOS platforms.

With the Defender ATP for Linux, which was made generally available from June 2020, enterprise customers were able to install a similar level of protection on their Linux systems as they could on Microsoft systems within their infrastructures.

Using Defender for Endpoint EDR, users can immediately begin benefiting from three new feature areas including a rich investigative experience, optimised performance, and in-context threat detection. 

Features for the first category comprise a machine timeline, process creation, file creation, network connections, login events and advanced hunting. Optimised performance entails enhancing CPU utilisation in compilation procedures as well as large software deployments. In-context antivirus detections, meanwhile, give users insight as to where a threat came from and how the malicious process or activity was created.

Users can engage in the public preview by configuring some of their Linux servers to Preview mode if they’re already running Microsoft Defender for Endpoint on Linux. Customers are also being encouraged to test out a simulated attack tool, in which Linux EDR can simulate a detection on a server, and trigger an investigation of the case. 

Cisco patch notes ‘left out’ details of RCE flaws


Keumars Afifi-Sabet

17 Nov, 2020

The recently patched Cisco Security Manager (CSM) platform did not initially include details of 12 severe security vulnerabilities that could, if exploited, lead to remote code execution (RCE).

Although these 12 flaws in CSM, an enterprise-class management console that offers insight into the control of Cisco security and network devices, were recently fixed, its developers failed to mention these at all, according to security researcher Florian Hauser.

Hauser claims to have reported these 12 bugs to the networking giant in July this year and was under the impression they were due to be fixed when CSM was updated to version 4.22 earlier this month.

The researcher claims, however, that despite patching the vulnerabilities last week, the company didn’t mention them at all in the release notes for CSM and did not issue security advisories for businesses that may be potentially affected.

As a result, Hauser has published the proof-of-concept for all 12 flaws that he submitted via GitHub, including a host of RCE exploits that cyber criminals could use if targeting an unpatched system. 

“120 days ago, I disclosed 12 vulnerabilities to Cisco affecting the web interface of Cisco Security Manager. All unauthenticated, almost all directly giving RCE,” Hauser posted on Twitter on 11 November, following this up overnight with: “Since Cisco PSIRT became unresponsive and the published release 4.22 still doesn’t mention any of the vulnerabilities, here are 12 PoCs in 1 gist.”

The CSM 4.22 release notes outlined several improvements to security and functionality, including support for AnyConnect Web Security WSO. The company has subsequently released advisories for three vulnerabilities that were reported in July, crediting Florian Hauser for discovery.

The first, a path traversal vulnerability, tagged CVE-2020-27130 and assigned a CVSS score of 9.1, could allow an unauthenticated remote attacker to gain access to sensitive information, upon successful exploitation. This is due to improper validation of traversal character sequences within requests to affected devices.

The second, a Java deserialisation flaw tagged CVE-2020-27131 and assigned a severity score of 8.1, could also allow a remote attacker to execute arbitrary commands on an affected device. The final flaw, a static credential vulnerability tagged CVE-2020-27125 and assigned a severity score of 7.4, could also allow a remote attacker to access sensitive information on a targeted system.

IT Pro approached Cisco to clarify why it had first failed to mention these flaws in the patch notes for CSM version 4.22.