All posts by Keumars Afifi-Sabet

VMware sounds alarm over zero-day flaws in multiple products


Keumars Afifi-Sabet

24 Nov, 2020

VMware has warned its customers about a critical vulnerability present across several of its products, including Workspace One Access and Identity Manager, that could allow cyber criminals to take control of vulnerable machines.

The command injection flaw, tracked as CVE-2020-4006 and rated 9.1 on the CVSS threat severity scale, can be exploited in a host of VMware products, the company has warned. There’s currently no patch available, although the firm has issued a workaround that can be applied in some instances. There’s also no mention as to whether the flaw is being actively exploited in the wild or not.

Hackers armed with network access to the administrative configurator on port 8443 and a valid password to the admin account can exploit the flaw to execute commands with unrestricted privileges on the underlying operating system (OS).

The affected services include VMware Workspace One Access, Workspace One Access Connector, Identity Manager, Identity Manager Connector, Cloud Foundation and vRealize Suite Lifecycle Manager. 

The vulnerability can be exploited in some products hosted on Linux but not on Windows, and on either operating system for other products. The full details on which software and OS configurations are affected are outlined on VMware’s security advisory.

Until a patch is released, VMware has outlined a workaround that can be applied to some product lines but not all. Customers using Workspace One Access, VMware Identity Manager, and VMware Identity Manager Connector can follow the detailed steps outlined here, relevant to the configurator hosted on port 8443. This involves running a set of commands for all affected products.  

The workaround isn’t compatible with other products beyond those three that may be affected, and customers will have to keep their eyes peeled for any news of a patch as and when one is released. 

News of this command injection vulnerability has arrived only days after VMware confirmed two critical flaws in its ESXi, Workstation, Fusion and Cloud Foundation products.

Microsoft expands Defender capabilities for Linux systems


Keumars Afifi-Sabet

18 Nov, 2020

Microsoft has rolled out the public preview for its Defender for Endpoint software on Linux systems, giving IT administrators outside of the Windows 10 ecosystem a comparable level of protection.

Defender for Endpoint customers can take advantage of endpoint detection and response (EDR) capabilities to detect advanced threats involving Linux servers, use data from endpoints to gain insights, and remediate attacks.

The software supports recent versions of the six most common Linux distributions, including RHEL 7.2+, CentOS Linux 7.2+, Ubuntu 16 LTS or higher, SLES 12+, Debian 9+ and Oracle Linux 7.2. 

This expansion builds on the company’s general release of Microsoft Defender Advanced Threat Protection (ATP) for Linux earlier this year. This is in addition to Microsoft bolstering security for Android and iOS platforms.

With the Defender ATP for Linux, which was made generally available from June 2020, enterprise customers were able to install a similar level of protection on their Linux systems as they could on Microsoft systems within their infrastructures.

Using Defender for Endpoint EDR, users can immediately begin benefiting from three new feature areas including a rich investigative experience, optimised performance, and in-context threat detection. 

Features for the first category comprise a machine timeline, process creation, file creation, network connections, login events and advanced hunting. Optimised performance entails enhancing CPU utilisation in compilation procedures as well as large software deployments. In-context antivirus detections, meanwhile, give users insight as to where a threat came from and how the malicious process or activity was created.

Users can engage in the public preview by configuring some of their Linux servers to Preview mode if they’re already running Microsoft Defender for Endpoint on Linux. Customers are also being encouraged to test out a simulated attack tool, in which Linux EDR can simulate a detection on a server, and trigger an investigation of the case. 

Cisco patch notes ‘left out’ details of RCE flaws


Keumars Afifi-Sabet

17 Nov, 2020

The recently patched Cisco Security Manager (CSM) platform did not initially include details of 12 severe security vulnerabilities that could, if exploited, lead to remote code execution (RCE).

Although these 12 flaws in CSM, an enterprise-class management console that offers insight into the control of Cisco security and network devices, were recently fixed, its developers failed to mention these at all, according to security researcher Florian Hauser.

Hauser claims to have reported these 12 bugs to the networking giant in July this year and was under the impression they were due to be fixed when CSM was updated to version 4.22 earlier this month.

The researcher claims, however, that despite patching the vulnerabilities last week, the company didn’t mention them at all in the release notes for CSM and did not issue security advisories for businesses that may be potentially affected.

As a result, Hauser has published the proof-of-concept for all 12 flaws that he submitted via GitHub, including a host of RCE exploits that cyber criminals could use if targeting an unpatched system. 

“120 days ago, I disclosed 12 vulnerabilities to Cisco affecting the web interface of Cisco Security Manager. All unauthenticated, almost all directly giving RCE,” Hauser posted on Twitter on 11 November, following this up overnight with: “Since Cisco PSIRT became unresponsive and the published release 4.22 still doesn’t mention any of the vulnerabilities, here are 12 PoCs in 1 gist.”

The CSM 4.22 release notes outlined several improvements to security and functionality, including support for AnyConnect Web Security WSO. The company has subsequently released advisories for three vulnerabilities that were reported in July, crediting Florian Hauser for discovery.

The first, a path traversal vulnerability, tagged CVE-2020-27130 and assigned a CVSS score of 9.1, could allow an unauthenticated remote attacker to gain access to sensitive information, upon successful exploitation. This is due to improper validation of traversal character sequences within requests to affected devices.

The second, a Java deserialisation flaw tagged CVE-2020-27131 and assigned a severity score of 8.1, could also allow a remote attacker to execute arbitrary commands on an affected device. The final flaw, a static credential vulnerability tagged CVE-2020-27125 and assigned a severity score of 7.4, could also allow a remote attacker to access sensitive information on a targeted system.

IT Pro approached Cisco to clarify why it had first failed to mention these flaws in the patch notes for CSM version 4.22.

Google slashes free Drive storage to 15GB


Keumars Afifi-Sabet

12 Nov, 2020

Google will restrict the online cloud storage capacity for high-quality photos and videos to 15GB from next year as the firm looks to capitalise on the millions of users who have come to rely on the service.

From June 2021, new high-quality content uploaded to Google Photos will count towards a free 15GB storage capacity, with the company making several pricing tiers available to those who need to store more data. The limit will also apply to files that users keep on Drive, specifically Google Docs, Sheets, Slides, Drawings, Forms, and Jamboard files.

Google is framing these plans as a way to be able to continue to provide everybody with a great storage experience while keeping pace with the growing demand for its free services.

Currently, files created through Google’s productivity apps, as well as photos smaller than 2,048 x 2,048 pixels, and videos shorter than 15 minutes, don’t count towards the cap. High quality, under the new storage calculations, will include photos larger than 16Mp or videos larger than 1080p, all of which will be optionally compressed.

“For many, this will come as a disappointment. We know. We wrestled with this decision for a long time, but we think it’s the right one to make,” said the firm’s product lead for Google Photos, David Lieb.

“Since so many of you rely on Google Photos as the home of your life’s memories, we believe it’s important that it’s not just a great product, but that it is able to serve you over the long haul. To ensure this is possible not just now, but for the long term, we’ve decided to align the primary cost of providing the service (storage of your content) with the primary value users enjoy (having a universally accessible and useful record of your life).”

More than one billion people rely on Google Photos and Google Drive, Lieb added, uploading more than 28 billion photos and videos every week on top of more than four trillion already uploaded onto the service.

The change will only apply to newly uploaded content starting on 1 June next year, with all existing high-quality content remaining exempt from the storage quota. This includes all content uploaded between now and then.

Users who wish to upgrade to a larger storage plan will have to sign up to the company’s paid-for cloud storage platform Google One, with packages beginning at 100GB, alongside other features including access to Google experts and shared family plans.

Currently, Google One is priced at $1.99 per month for 100GB of storage, $2.99 per month for 200GB, and $9.99 per month for 1TB.

Google is also rolling out a host of new tools, which the firm hopes will go towards justifying the additional cost for those who need to pay for a higher tier.

Among these tools is software that can make it easier to identify and delete unwanted content, such as blurry photos and long videos, though the firm is set to make more announcements in the coming months. Google has in the last few years leant on AI to improve the functionality of its flagship products, including Gmail and Google Docs.

The firm is also introducing new policies for users who are inactive or over their storage limit across Google’s cloud-based services. Those who are inactive in one or more of these services for two years may see their content deleted in those specific products, while users over their storage limit for two years may see their content deleted across the board.

AWS is the latest cloud giant to sign MoU with UK government


Keumars Afifi-Sabet

2 Nov, 2020

Amazon Web Services (AWS) has struck an agreement with the UK government to accelerate the public sector’s digital transformation drive, boost digital skills and raise the level of participation among smaller cloud providers.

The ‘One Government Value Agreement (OGVA)’ is a three-year memorandum of understanding (MoU) between AWS and the Crown Commercial Service (CCS) that spans two tiers for both smaller and larger organisations.

Cloud services will become available to the public sector as a single client, offering more cost savings for deployment against organisation-by-organisation deals. AWS will also establish a digital skills fund, which will train more than 6,000 civil servants in cloud computing free of charge.

The first tier supports organisations at the beginning of their cloud journeys, allowing them to conduct their first cloud projects with support such as bespoke training, workshops, and “cloud credits” for new research projects. The second tier, aimed at larger organisations already well underway in terms of using cloud services, offers various additional services they can take up and advantageous pricing structures. 

“CCS provides commercial agreements which help organisations across the entire public sector save time and money on buying everyday goods and services,” said chief executive of the Crown Commercial Service, Simon Tse. 

“This agreement with AWS demonstrates excellent value for the public sector organisations we serve, and supports them in their drive to improve services for citizens across the UK.”

This is an agreement in the same mould as those struck earlier this year between the government and major cloud providers such as UKCloud, Google Cloud, and Oracle.

IBM, for example, struck an agreement that would allow public sector organisations to benefit from ‘preferential commercial terms’ when moving their workloads to the cloud. HPE, meanwhile, struck a deal with the UK government to provide hybrid cloud services on a pay-per-use model. 

In addition to the skills fund, the AWS agreement specifically contains an element that hopes to encourage the uptake of services by smaller cloud providers and AWS partners. More than 150 members of the AWS Partner Network would be able to pitch their own services to public sector organisations, including many cloud-based small and medium-sized businesses (SMBs).

Microsoft partners with Adobe and c3.ai to launch Salesforce rival


Keumars Afifi-Sabet

27 Oct, 2020

Microsoft has pledged to ‘re-invent’ customer relationship management (CRM) software after partnering with Adobe and enterprise AI company c3.ai to launch a new platform to take on the market dominance of Salesforce. 

C3 AI CRM is powered by the core functionality of Dynamics 365 and is combined with Adobe’s real-time customer profiles and journey management, as well as c3.ai’s industry-specific AI capabilities.

The AI-driven CRM platform is purpose-built for specific industries and uses data from any source to produce meaningful business insights. The collective claims that conventional CRM is not sufficient for the modern age, given that AI can’t be used to analyse much of the data because they weren’t built with the appropriate architectures.

The three-way partnership represents a major challenge to Salesforce, which enjoys dominance in the CRM segment, and follows reports last week that Microsoft was making CRM a “priority”. SAP and Oracle are also big players in the CRM space, with Adobe and Microsoft following the pack with conventionally only a fraction of the market share.

“C3.ai, Microsoft, and Adobe bring together the perfect combination of technology, industry, and domain expertise to address the requirements for a new generation of CRM,” said c3.ai CEO Ed Abbo.

“Importantly, in addition to this combination of leading technologies and expertise, we share a common vision with our partners of an AI-first, industry-specific approach to delivering a new generation of AI CRM solutions.”

The announcement builds on a pre-existing partnership between the enterprise AI firm and Microsoft, with c3.ai also contributing its technology to Microsoft Dynamics 365 and Microsoft Teams earlier this year.

The three companies claim that C3 AI CRM will allow clients to better anticipate their customers’ needs and deliver more satisfying and personalised user journeys. The level of intelligence brought on by AI functionality, for example, could allow for more accurate forecasts. Massive amounts of data can also be analysed to augment human agents or trigger automated processes in the CRM platform.

Microsoft claims that its technology has an expansive and unmatched footprint, combining Dynamics 365 business applications with LinkedIn Sales Navigator and Microsoft Power Platform, powered by Azure. Microsoft hopes that when combined with Adobe’s speciality in the digital customer experience, and the AI capabilities of c3.ai, the combined system will offer customers a powerful alternative to the biggest players. 

Oracle expands cloud availability for UK public sector


Keumars Afifi-Sabet

26 Oct, 2020

Oracle has launched its next-gen dual-region government cloud for use by UK public sector organisations and their partners, including a host of cloud-based services such as Oracle Cloud VMware and Kubernetes.

The dual-region infrastructure, comprising two separate sites in London and Wales connected by Oracle Cloud’s high-speed network backbone, will allow public sector bodies to deploy cloud services in multiple regions with ease. 

Bodies can use Oracle’s infrastructure to deploy not just disaster recovery services, but cloud hosting and storage of data from within the region.

The company’s partnership with the public sector has expanded in recent times to service organisations such as the Home Office and NHS Business Services Authority (NHSBSA), and local government organisations.

The private dual-region cloud will also allow public sector customers to take up additional services, including Oracle Autonomous Database, Kubernetes, Oracle Cloud VMware Solution, and Oracle OCI services, as well as Oracle Fusion Cloud applications. 

“We’ve had a Government Cloud Region in the UK for several years, but today’s announcement really unlocks a completely new potential for all of our customers across the UK to take advantage of Oracle’s second-generation Cloud,” said Richard Petley, senior vice president with Oracle UK and Israel.

“This is a completely unique offering to the UK government – no other cloud provider offers the sovereignty and performance we are announcing today. We’ll be working with all aspects of government – both local and central – to help them understand how they make use of the cloud to deliver better services and value to the UK taxpayer.”

The platform has been designed in collaboration with several UK government and national defence organisations, and adheres to the security requirements set out by the National Cyber Security Centre (NCSC), Oracle claims. This allows various organisations to handle and transmit sensitive information through the private cloud network.

The company’s second-gen cloud is built specifically to help large organisations and enterprises run the most demanding workloads in a secure way and is built to run autonomous services. These include Oracle Autonomous Linux and Oracle Autonomous Database.

Hybrid cloud is fuelling automation demand, says Puppet CTO


Keumars Afifi-Sabet

26 Oct, 2020

The increasing complexity of enterprise cloud environments and the rise of hybrid cloud is rapidly increasing IT workloads and fuelling a rising demand for automation, Puppet’s CTO has claimed.

During a time when many organisations are being asked to do more with less, the shift from mostly on-prem to a mixture of cloud environments in a relatively short space of time has radically complicated the workloads of CIOs. 

Speaking exclusively with CloudPro on the launch of Puppet’s automated Comply platform, Puppet CTO Abby Kearns suggested the increasing complexity of IT infrastructures over as little as the last five years is serving as the main element driving demand for automation.

“The hybrid cloud, and managing across hybrid environments, is the number one driver, honestly, because it’s so complex,” Kearns said. “So many companies started about five years ago to move workloads to the cloud, so we started to see that slow migration, but the cloud wasn’t really set up to mimic the way we were managing on-prem environments.” 

Enterprises now have an on-prem environment, a public cloud deployment or perhaps even multiple clouds, with different tools, different workloads and different approaches all in play. Businesses are also using more cloud-native applications and more microservices, so the landscape for IT standards compliance is becoming far more complex.

Puppet’s Comply automation platform is a system designed to cut out many of the traditionally manual processes IT teams and CIOs would manage when ensuring their hardware meets a range of compliance standards. 

The product, which will be offered in addition to a compliance automation consultancy service the company already markets, would allow customers to manage their own automation programmes across their IT estate.

Alex Hin, Puppet’s principal product manager, told CloudPro the platform will raise IT visibility, identify compliance shortcomings and remediate these issues.

He explained the need for such software comes from small teams of three to five people suddenly being tasked with making configuration changes on hundreds of thousands of nodes, either on-prem or on the public cloud. This becomes a high investment for the company, requiring a lot of spend and a lot of expertise for all environments to move into compliance.

“That’s really where it comes into play,” Kearns continued, “the idea that automation is really the only route to be able to do that. Because this isn’t just something where you can assign more people to the work. You can’t just throw more people at the problem, you’re going to have to figure out how to automate this as you start to get into the hundreds of thousands of workloads. It’s just a different kind of scale.”

Puppet’s Comply platform will launch in the coming weeks with pre-integrated compatibility with the CIS benchmarks, and further plans to integrate a number of other compliance standards in future. These will extend to include many common standards from DISA, FedRAMP, SOX, HIPAA, and PCI DSS.

The drive to automate, Puppet hopes, will begin to free up time for many organisations that are trying to do more with less, particularly as a result of economic pressures due to COVID-19. One example of a process that Comply will automate is the ‘desired state configuration’ feature. This essentially automatically reverts any configuration changes to a ‘desired state’ if the system detects that the change has led the system to deviate from the particular standard to which it’s adhering.

“For us, we’ve spent the last six months really investing in a platform-centric approach and the opportunity to really extend into compliance and really build on those capabilities are really powerful for us and our customers,” Kearns added. 

“And that’s something we’re going to spend the next several years really continuing to expand on, and really continuing to drive innovation from an automation standpoint, but also from a compliance standpoint as we see those things go hand-in-hand for our customers.”

Parallels Desktop brings Windows 10 apps to Chromebooks


Keumars Afifi-Sabet

21 Oct, 2020

Chromebook users are being offered the capacity to run Microsoft’s flagship Windows 10 operating system on their devices using software company Parallels’ newly released platform.

Parallels Desktop for Chromebook Enterprise is the culmination of a partnership between the firm and Google, and allows users to access full-featured Windows apps, including Microsoft Office, on their Chromebooks without necessarily needing a stable internet connection. 

The system is integrated with Chrome OS and the Google Admin console – and doesn’t require virtual desktop infrastructure to run or deploy, meaning IT administrators can set up parallel desktops on devices with relative ease. This builds on a recent partnership struck in June which allowed Windows applications to run natively on budget-friendly Chromebooks.

“Chrome OS is increasingly being chosen by modern enterprises, either for remote work, hybrid, or in the office,” said Google’s vice president of Chrome OS, John Solomon.

“We are thrilled to partner with Parallels to bring legacy and full-featured Windows applications support, through Parallels Desktop for Chromebook Enterprise, to help businesses easily transition to cloud-first devices and workflows.”

The platform will allow enterprise users to run multiple operating systems on their Chromebook devices simultaneously, with the company hoping it allows workers to raise their productivity. 

A number of features allow cross-talk between Windows 10 and Chrome OS, for example, copy-and-pasting text and graphics between the two operating systems, or printing from Windows apps via shared Chrome OS printers. Sharing features also extend to user profiles and custom folders, with documents and data seamlessly accessible by both platforms.

Windows 10 can also be used in full-screen mode on the Chromebook, or the operating system can be put on a separate Chrome OS virtual desktop, with users able to switch between the two with just a swipe.

There are already a number of devices supporting Windows 10 on Chrome OS, including the Google Pixelbook Go, the HP Elite c1030 Chromebook Enterprise, Acer Chromebook Spin 713, and Dell Latitude 5400 Chromebook Enterprise. There are 10 devices in total that support Parallels Desktop for Chromebook Enterprise, including units from Lenovo and ASUS in addition to the aforementioned devices.

The machines themselves require at least an Intel Core i5 or i7 processor, 16GB RAM, and storage capacity of at least 128GB SSD. 

IBM revenues fall for third quarter in a row despite cloud surge


Keumars Afifi-Sabet

20 Oct, 2020

The revenues of computing giant IBM declined by 2.6% year-on-year during the third quarter of 2020, with the company reporting $17.6 billion of income fuelled chiefly by a surge in cloud revenue.

This dip represented the third consecutive quarter of year-on-year revenue decline for the company, with IBM’s systems division, global business services, global technology services and global financing sector suffering over the last three months.

The positive trend in terms of the firm’s cloud business also continued, following a 30% spike in cloud revenue during the previous quarter, and 19% growth in the three months before that.

The company’s cloud computing divisions, particularly its cloud and data platforms division, led by Red Hat, grew by 7% year-on-year, bucking the wider business trend. Within this segment, cloud and data platforms grew 20%, while cognitive applications grew 1%. 

These financial results have emerged only days after the company announced it plans to divide its business in half, spinning its infrastructure services unit into a separate entity while going all-in on the cloud.

“The strong performance of our cloud business, led by Red Hat, underscores the growing client adoption of our open hybrid cloud platform,” said IBM CEO Arvind Krishna. 

“Separating the managed infrastructure services business creates a market-leading standalone company and further sharpens our focus on IBM’s open hybrid cloud platform and AI capabilities. This will accelerate our growth strategy and better position IBM to seize the $1 trillion hybrid cloud opportunity.”

The company’s plans to pour all its efforts into its cloud business will, on paper, be justified based on these most recent financial results, with the general health of cloud computing improving following the COVID-19 pandemic.

The firm’s global technology services division, which includes infrastructure and cloud services as well as technology support services, contracted by 4% year-on-year, with cloud revenue within this segment up 9%. 

The systems division, meanwhile, saw revenues of $1.3 billion, down 15%, driven by declines in IBM Z and Storage Systems. This is reflective of the impact of product cycle demands, the company said.

As part of the spin-off, IBM wants to create two separate companies by the end of 2021, with the to-be-cleaved infrastructure business, dubbed NewCo, making way for IBM to focus on AI capabilities and hybrid cloud.