All posts by Nicole Kobie

Google expands no-code tools and automation for “citizen developers”

Nicole Kobie

8 Sep, 2020

Google wants to make it easier to accelerate digital transformation by “citizen developers” with no-code business apps, automation and API management.

The Business Application Platform, announced today, builds on Google Cloud’s acquisition of Apigee API management, as well as its efforts in AppSheet no-code application development, said Amit Zavery, vice president of Business Application Platform at Google Cloud, in a blog post.

“We’ll be adding new features in these areas that leverage Google Cloud’s expertise in hybrid and multi cloud architectures, artificial intelligence and machine learning, lifecycle management, security, and productivity and collaboration,” said Zavery.

The first of three launches is a beta release of API Gateway, a managed service for Google Cloud workloads and serverless backends that includes authentication, key validation, and rate limiting.

“Serverless workloads are becoming more popular with developers, who are increasingly packaging their serverless applications as APIs, both to share them with other teams and to expose them publicly over the web,” said Zavery. “API Gateway lets developers secure and manage their APIs built on Compute Engine, GKE, App Engine, and serverless backends (Cloud Functions and Cloud Run), all without having to write code for different endpoints or worry about any of the infrastructure configuration or scaling.”

The second launch is an early access release for AppSheet Automation, a tool that lets non-technical users pull in data to automate processes, be they human centric, document based, or something else. Security is built in, and AppSheet Automaton uses natural language inputs and an intuitive interface so anyone in a business can automate a process.

“When business processes rely on manual actions, valuable time is often wasted updating systems instead of focusing on work that drives the enterprise forward,” Zavery said. “Moreover, opportunities for mistakes or communication lapses are abundant. Line-of-business workers are closest to these challenges, so empowering them to optimise and automate processes is an important area of enterprise innovation.”

Google also announced general availability of Apigee as a datasource for AppSheet, so users can pull in data from Apigee APIs for no-code apps. Google AppSheet lets businesses build applications without any coding — hence the name “no-code” — pulling in data from sources such as G Suite, mySQL and Salesforce.

That is now being expanded via a system called Data Source for AppSheet, which will let “citizen developers” pull in a wider range of information to automate business tasks, beginning with Apigee.

“By enabling employees to build apps that leverage Apigee APIs and require no coding, enterprises can both empower line-of-business employees without technical experience to create innovative apps and reduce traditional IT backlog,” said Zavery.

Google pointed to recent figures from analyst firm Gartner showing that by 2023 there will be four times as many active citizen developers at large enterprises than professional developers.

Amazon vows to continue JEDI fight after review backs Microsoft

Nicole Kobie

7 Sep, 2020

Microsoft has come out on top after a reevaluation of a US government cloud computing contract following a challenge from rival Amazon.

Following the decision, Amazon said it would “continue to protest this politically corrupted contract award”.

Microsoft was awarded the $10 billion Joint Enterprise Defense Infrastructure (JEDI) contract in October last year, which would see ageing computers at the Department of Defense replaced with cloud computing systems.

Amazon Web Services (AWS) filed a complaint in November saying the process should be reviewed, both due to concerns over how the prices were evaluated and potential political interference following reports of negative comments against Amazon from President Donald Trump.

In February, AWS won an injunction preventing work from starting on the contract, with the DoD saying it would review the contract awarding and consider any necessary corrective action. In April, that investigation concluded the contract was fairly awarded to Microsoft.

The Pentagon has now finished its latest review, finding that the Microsoft deal remains the best deal for the work. “The Department has completed its comprehensive re-evaluation of the JEDI Cloud proposals and determined that Microsoft‘s proposal continues to represent the best value to the Government,” the DoD said in a statement.

However, work on the contract won’t start yet as the injunction remains in place, the DoD said, adding it was “eager to begin delivering this capability to our men and women in uniform”.

Microsoft naturally welcomed the news. “We appreciate that after careful review, the DoD confirmed that we offered the right technology and the best value,” a spokesperson said. “We’re ready to get to work and make sure that those who serve our country have access to this much needed technology.”

In a post on its website, AWS said the review should have given the DoD an opportunity to address the evaluation errors raised by AWS. “Unfortunately, the DoD rejected that opportunity,” the statement says.

While the thrust of Amazon’s legal argument has centred on how the technology operates and the associated costs, AWS has also complained about political interference. “On JEDI, President Trump reportedly ordered former Secretary Mattis to ‘screw’ Amazon, blatantly interfered in an active procurement, directed his subordinate to conduct an unorthodox ‘review’ prior to a contract award announcement and then stonewalled an investigation into his own political interference,” AWS says.

“‘Corrective action’ was used as a way to halt our litigation, delay further investigations and incorrectly give the appearance that only one issue needed to be fixed while giving the impression that the DoD was actually going to fix something.”

The post added: “The question we continue to ask ourselves is whether the President of the United States should be allowed to use the budget of the Department of Defense to pursue his own personal and political ends?”

AWS said that not all the information around the case has yet been made public, saying it would continue with legal action. “Throughout our protest, we’ve been clear that we won’t allow blatant political interference, or inferior technology, to become an acceptable standard,” the statement continues. “Although these are not easy decisions to make, and we do not take them lightly, we will not back down in the face of targeted political cronyism or illusory corrective actions, and we will continue pursuing a fair, objective, and impartial review.”

The massive contract was subject to intense lobbying from IT industry suppliers — including a lawsuit from IBM and Oracle alleging conflicts of interest between Amazon Web Services (AWS) and the Pentagon.

Oracle also filed suit after being removed from the running over its data centre capabilities, though the court last week found “no reversible error”. Google dropped out of the running before the final winner was announced.

Check Point spots two flaws in Microsoft Azure

Nicole Kobie

30 Jan, 2020

Check Point security researchers spotted flaws in Microsoft Azure that could have let hackers take control over the cloud servers.

The work was part of a wider project looking at cloud infrastructure, dubbed “Attack the Cloud”, in which Check Point wants to “break the assumption that cloud infrastructures are secure”.

With Microsoft Azure, the researchers spotted two flaws. The first was in Azure Stack, and could have let criminals take screenshots or see other sensitive information by taking advantage of a vulnerability in the “DataService” function, which didn’t require authentication.

“This security flaw would enable a hacker to get sensitive information of any business that has its machine running on Azure,” the researchers said. “In order to execute the exploitation, a hacker would first gain access to the Azure Stack Portal, enabling that person to send unauthenticated HTTP requests that provide screenshots and information about tenants and infrastructure machines.”

The second flaw was in the Azure App Service, where businesses provision and deploy apps and business processes, and could have allowed hackers to take control of a server.

“The end result would be that a hacker could potentially take control over the entire Azure server, and consequently take control over all your business code,” the researchers said.

The researchers could get into applications, see data and take over accounts by creating a free user in Azure Cloud and running malicious functions.

“Exploiting this vulnerability in all of the plans could allow us to compromise Microsoft’s App Service infrastructure,” the researchers explain. “However, exploiting it specifically on a Free/Shared plan could also allow compromising other tenant apps, data, and account.”

Check Point disclosed the findings to Microsoft in January and June last year, with patches for both issued at the end of 2019. The first flaw was awarded $5,000 from Microsoft’s bug bounty programme; the second earned $40,000.

The researchers emphasised in a report on the second flaw that while the cloud is “considered safe”, it can still have vulnerabilities: “The cloud is not a magical place.”

Google demos real-time speech to text translation

Nicole Kobie

29 Jan, 2020

Google has demonstrated a real time translation and transcription tool powered by AI, that will take lectures and other long-form voice in one language and output it in another. 

Part of Google Translate, the tool will let a smartphone act as interpreter, listening to speech via the microphone and transcribing translated text in real time. So far, the system only supports a few languages, including English, French, German and Spanish. The demo showed English being translated to Spanish. 

“With this, your Android mobile phone will effectively turn into an almost real time translator device for long-form speech,” Google said at the demonstration according to reports, adding it could “unlock continuous speech translations in this world at scale” in the longer term.

However, the transcription and translation won’t happen on your device. Instead, the audio recording will be uploaded to Google’s servers – so you’ll need a decent Wi-Fi connection or solid data package, as well as a willingness to share the audio with Google, to use this tool. 

Google didn’t say when the feature would arrive. 

The Google Translate tool was unveiled as part of a showcase of Google’s AI projects at its San Francisco office, which also included a neural network used to track and monitor whales using underwater microphones, which is now being used in Canada.  

“With this information, marine mammal managers can monitor and treat whales that are injured, sick or distressed,” said Julie Cattiau, product manager for Google AI, in a blog post. “In case of an oil spill, the detection system can allow experts to locate the animals and use specialised equipment to alter the direction of travel of the orcas to prevent exposure.” 

That machine-learning system was trained on 1,800 hours of underwater audio recordings that were labelled and supplied by Fisheries and Oceans Canada. 

The AI demonstrations come a week after Google CEO Sundar Pichai wrote a column urging sensible regulation of artificial intelligence to avoid misuse of the technology. 

Avast expands opt-out after data-sharing investigation

Nicole Kobie

28 Jan, 2020

Avast has been caught up in yet another privacy scandal, with a joint investigation by PC Mag and Motherboard revealing the extent to which the security firm is collecting user browser histories and selling the data on to third parties. 

Last year, Avast browser extensions were spotted collecting browsing data to sell to advertising firms, sparking Chrome, Opera and Firefox to pull the add-ons from their marketplaces, though some have since returned.

Avast said at the time that it removed any identifying information from the browsing history. The PC Mag and Motherboard investigation suggested it’s possible to re-identify that data once it’s in the hands of marketers. 

The investigation revealed that Avast sells the collected data via its Jumpshot division to third parties such as marketing companies. The browsing history being collected includes every click, keyword search, and entered URLs, harvested not only from browser extensions but also from users of Avast’s free antivirus software. 

The collected data is “de-identified” by stripping out personal details, and tagged with an identifying code. However, research casts doubt on whether any large sample of user data can be truly anonymised. Jumpshot’s data does not directly identify any specific individual, but when it is combined with other data, it’s simple to see who is clicking what, the investigation claims. 

For example, if a data harvesting company or marketer bought data from Avast and also from a website you’re logged into (for example Amazon), the information provided would make it possible to link the Avast data to your Amazon account, therefore revealing your identity, and tying it to your entire browsing history. The data seen by the investigators includes searches, GPS coordinates on maps, visits to social media accounts, and even what video was watched on a porn site. 

The investigation showed Jumpshot was selling that data to companies that aggregate such information, with customers buying access to that “all clicks feed” for millions of dollars. 

Avast stopped sharing such data collected via extensions after the revelations last year, and in July 2019 started asking users for permission before sharing their browsing data with Jumpshot. It will now also ask all existing users of its free antivirus to opt-in to data sharing in February. 

An Avast spokesperson said the company stopped sharing browser extension data with Jumpshot in December, only using collected information for core security tasks.

“We ensure that Jumpshot does not acquire personal identification information, including name, email address or contact details,” the spokesperson added.

Avast also noted that users have always had the ability to opt out of such data sharing: “As of July 2019, we had already begun implementing an explicit opt-in choice for all new downloads of our AV, and we are now also prompting our existing free users to make an opt-in or opt-out choice, a process which will be completed in February 2020.”

The spokesperson added: “We have a long track record of protecting users’ devices and data against malware, and we understand and take seriously the responsibility to balance user privacy with the necessary use of data for our core security products.”

This isn’t the first data privacy scandal to hit Avast: in 2018, Avast pulled an update to its CCleaner tool over data collection concerns

NHS shifts two national services to the cloud

Nicole Kobie

28 Jan, 2020

The NHS has migrated two of its national services to the cloud, hoping to cut costs while improving security and efficiency of services.

The NHS e-Referral Service (e-RS) and NHS 111 Directory of Services (DoS) are the first major NHS systems to make the migration under the government’s cloud-first policy, with both using AWS.

The aim is to cut costs at both services, but there are other benefits, says Neil Bennett, director of services at NHS Digital. “Costs are lowered, reducing pressure on the public purse, there is better security and reliability, as well as greater flexibility, performance, scalability and availability, to name a few,” he said.

The e-RS is a booking service that handles 18 million referrals annually, letting patients from more than 1,100 GP practices choose clinics, hospitals and dates and times for appointments. It’s now enabled for booking and managing such appointments via the internet, but that won’t be available until later this year when NHS Identity takes over authentication, the NHS said in a statement.

The DoS helps connect patients to the appropriate service for the health concerns, helping relieve pressure on urgent and emergency care. It handles 16 million searches annually.

Migrating such important services without disrupting patient care was key, explained Bennett: “This was a tremendous collaborative effort across many different teams here and with external partners, to migrate such large systems with a minimum of disruption to users, in a reasonably short timescale.” 

Alongside cutting costs and improving services for patients, the migration to cloud is a key part of the NHS’ sustainability strategy, said Ben Tongue, sustainability manager at NHS Digital.

“Large cloud operators like AWS provide significant energy and carbon savings against enterprise and legacy systems,” he said. “We are working with AWS to achieve full transparency on the energy use and carbon impact of the contract, so that we can continue to focus on ensuring that our storage systems are as energy efficient as possible, reducing carbon emissions and minimising environmental impact.”

Last year, the NHS unveiled a cloud framework to simplify procurement, hoping to help migrate more services as part of the government’s cloud-first policy. Patient records stored by EMIS are already making the shift to AWS, while Barts Health NHS Trust is moving its IT estate to the cloud via Capgemini, but research suggests many NHS trusts remain wary of the cloud.

Twilio powers Be My Eyes app to aid the visually impaired

Nicole Kobie

23 Jan, 2020

Cloud communications platform Twilio has revealed it’s powering Be My Eyes, an app to help visually impaired and blind people make their way in the world.

Be My Eyes pairs cameras and video chat to help 178,000 visually impaired people get help from more than three million volunteers. For example, the camera can be pointed at a sign, document, or even food packaging, letting the remote volunteer read it out.

The chat function can also be used with specific companies that support the app, which include Microsoft, Google and Lloyds Banking, making it easier for visually impaired people to get specialist help using their services, be it for banking, shopping, or booking tickets.

“Relying on friends and family for everyday tasks can be taxing on relationships and prevent people with visual impairments from achieving true independence,” said Alexander Hauerslev Jensen, chief commercial officer of Be My Eyes.

The free app has been in use since 2015 across both iPhone and Android. Upon launch, it gained 10,000 volunteers and 1,000 users overnight, suggesting there could be high demand. And as the user base grew, so too did lags in connection time, making the app less useful for those who needed it most.

At the time, Be My Eyes was using multiple providers for video connectivity. Now, it’s switched to Twilio Programmable Video for more stability and higher quality connections, reducing connection times in half. Now, Be My Eyes aims to help everyone within a minute of a request, with 90% of connections made within 30 seconds.

“Be My Eyes is a Twilio-powered community support platform that solves a visually impaired person’s problem in a fraction of the time that it would take via audio,” said Jensen. “When you’re asking for help, a little bit of time can feel like an eternity. Every second we can shave off wait times means more trust, more engagement, and a stronger bond in our community. A 50% reduction in connection time can mean a world of difference for the user and the Twilio platform enables us to achieve this.”

The partnership comes under the remit of, the cloud company’s social enterprise division. “ was established to help social impact organisations use the power of communications to create positive change on a global scale, and it’s inspiring to see Be My Eyes doing just that,” said Erin Reilly, chief social impact officer of Twilio.

“Be My Eyes is enabling people with visual impairments to live independent lives, no matter where they reside in the world,” Reilly said. “Their innovative use of Twilio enables Be My Eyes to make sure that their users get help when they need it.”

FireEye expands cloud security with Cloudvisory acquisition

Nicole Kobie

22 Jan, 2020

Security firm FireEye has acquired Cloudvisory, aiming to bring cloud visibility tools to its offering.

The buyout was for an undisclosed sum and is FireEye’s seventh acquisition. Last year, the security firm bought Verodin for $250 million (£190.4 million) and in 2014 bought Mandiant for $1 billion.

“Customers need consistent visibility across their public and hybrid cloud environments, as well as containerised workloads,” said Grady Summers, Executive Vice President of Products and Customer Success at FireEye. “Cloudvisory delivers this visibility and allows FireEye to apply controls and best practices based on our frontline knowledge of how attackers operate.”

Cloudvisory’s system was created to provide visibility into network traffic, spot and fix misconfigurations, and keep an eye out for compliance issues. On the security front, it claims to detect, block and quarantine attacks.

Summers notes that’s key, as most companies see security as a leading concern with using the cloud. “Security is top of mind for almost all organisations as they migrate critical workloads to the cloud,” Summers adds. “With the addition of the Cloudvisory technology, FireEye is able to offer a comprehensive, intelligence-led solution to secure today’s hybrid, multi-platform environments.”

The acquisition will see Cloudvisory’s capabilities added to FireEye’s Helix, letting customers see all of their cloud environments from one single dashboard, expanding monitoring and compliance.

“Joining FireEye offers Cloudvisory a unique opportunity to combine our innovative approach to cloud visibility and FireEye’s unrivaled insights into the threat landscape,” said Lisun Kung, Cloudvisory co-founder and Chief Executive Officer prior to the acquisition. “We’re excited by the potential to quickly scale and help more organisations secure their cloud and container workloads.”

Alongside the acquisition, FireEye’s Mandiant division also unveiled a pair of new cloud-focused services.

The first is Cloud Security Assessments, available for Office 365, Azure, AWS and Google Cloud. These will look for common misconfigurations and other issues with cloud that attackers use to slip past security measures. “Through tactical coaching and comprehensive recommendations, organisations achieve increased risk visibility and enhanced functional capabilities,” the company said.

The second new service is Cyber Defense Operations, which offers hands-on support and training to help in-house detection and response take a step up. The process begins with an evaluation to highlight goals and capabilities, such as threat hunting.

Then Mandiant personnel will offer training, analysis and other support within the client’s environment. “Through this process, areas for maturation are identified and pursued, helping to identify and resolve visibility gaps and procedural issues,” the company says.

“Our Cloud Security Assessments and Cyber Defense Operations consulting services are two new offerings to help clients protect their key assets before, during and after an incident,” said Jurgen Kutscher, EVP of Service Delivery at FireEye.

Barts Health NHS Trust shifts to cloud with Capgemini

Nicole Kobie

21 Jan, 2020

Barts Health NHS Trust has turned to Capgemini to help modernise its ICT estate using the cloud.

The three-year agreement will see Capgemini work across all five hospitals in the Trust, rolling out end-to-end cloud services across sites in Central and East London. One of the largest in the country, the Trust manages hospitals in Mile End, Whipps Cross, and Newham, as well as the Royal London and St Bartholomew’s hospitals.

The aim is to modernise the Trust’s existing estate, shifting away from legacy systems in favour of cloud technologies. That includes the assessment and migration of mission-critical workloads to different cloud providers, as well as wider management tools and security systems, Capgemini said.

“As the largest NHS Trust, and one of the pioneers in taking a step towards modernising its IT infrastructure through migrating the services to the cloud, the Trust will benefit from a more secure, scalable and agile operating environment that is more cost effective than current legacy IT infrastructure,” said Matt Howell, head of Public Sector at Capgemini in the UK.

The move is part of wider plans to modernise Barts’ technology to benefit patients and staff, said Sarah Jensen, CIO of Barts Health Trust. “With their existing experience in providing cloud hosting services and digital transformation solutions to the NHS, we are excited about the journey we have started together and are confident our partnership will continue to add value in our ever-challenging environment which ultimately leads to better care for patients.”

The deal follows last year’s efforts to build a Cloud Solutions Framework to make it easier to find suppliers for NHS and other public-sector organisations; Capgemini UK is one of the suppliers listed in the framework. The framework has four different lots — covering everything from consultancy to end-to-end cloud — with a handful of suppliers in each.

“The result is a specialist pool of 24 leading suppliers, which provide the greatest expertise and value-for-money to the public sector,” said Phil Davies, procurement director at NHS Shared Business Services, at the time.

Exploited Internet Explorer flaw won’t be patched until next month

Nicole Kobie

20 Jan, 2020

Microsoft has warned that millions of people still using the Internet Explorer browser could be at risk from a zero-day flaw that is actively being exploited by hackers.

The flaw, which is in a scripting engine of the browser, makes use of memory corruption to execute code. “An attacker who successfully exploited the vulnerability could gain the same user rights as the current user,” Microsoft noted in its security guidance. “If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system.”

That could let attackers install programs, access data, or create new accounts, the company noted.

“One way in which the vulnerability could be exploited is via a web-based attack, where users could be lured into visiting a boobytrapped webpage – perhaps via a malicious link in an email,” security and industry analyst Graham Cluley noted in a blog post.

Cluley added that the flaw appeared to be related to a similar vulnerability in Mozilla Firefox spotted earlier this month. The discovery of both flaws was attributed to Qihoo 360, with the security firm tweeting last week as it reported the Firefox flaw that there was also an IE version.

Microsoft said it was aware of “limited targeted attacks” using the vulnerability. Microsoft said it was working on a fix, and suggested it would come with the next Patch Tuesday, which is due out on 11 February.

While users will have to wait for a patch, Microsoft noted that anyone running IE on various versions of Windows Server may be protected by default settings called Enhanced Security Configuration. Microsoft also suggested a workaround for other users, which involves restricting access to JScript.dll, though that will have to be undone when the update is issued.

“Blocking access to this library can prevent exploitation of this and similar vulnerabilities that may be present in this old technology,” notes guidance by the CERT coordination centre at Carnegie Mellon. “When Internet Explorer is used to browse the modern web, jscript9.dll is used by default.”

The best mitigation is to switch to a modern browser, with Microsoft referring to IE as a “compatibility solution” for older apps rather than a browser to push out widely to staff. However, according to Net Applications’ Market Share figures, 7.4% of web users are still on IE — two percentage points more than Microsoft’s Edge, which was first released in 2015.