All posts by Keumars Afifi-Sabet

Mozilla finally shuts down Firefox Send


Keumars Afifi-Sabet

18 Sep, 2020

Mozilla has discontinued its encrypted file-sharing service Firefox Send a couple of months after suspending the service after reports it was being abused to distribute malware and conduct spear-phishing attacks.

Send was initially rolled out in March 2019 as a free encrypted file-sharing platform that allowed individuals to share files from any browser without having to install third-party software and without fear of the files being intercepted.

However, developers were made aware in July of reports that Firefox Send was being used in a number of malware operations, prompting the company to suspended the service a little more than a year after it was first launched.

In practice, when somebody received a link to a file, they would simply need to click on it to start the download, without having to sign up to an account. They were also able to send supported files of up to 1GB without needing to sign up, or 2.5GB for those who had a Firefox account.

Originally, Mozilla said it would take Firefox Send offline on a temporary basis while improvements were made, although it now appears that effort was unsuccessful.

“Unfortunately, some abusive users were beginning to use Send to ship malware and conduct spear-phishing attacks,” Mozilla said in an update. “This summer we took Firefox Send offline to address this challenge.

Mozilla has also decommissioned its Firefox Notes service, which the organisation claims allowed it to experiment with new methods of encrypted data syncing. The Firefox Notes desktop browser will continue to be functional for all existing installs, although this will no longer be maintained from early November – when the service will be decommissioned.

MFA bypass allows hackers to infiltrate Microsoft 365


Keumars Afifi-Sabet

15 Sep, 2020

Critical vulnerabilities in multi-factor authentication (MFA) protocols based on the WS-Trust security standard could allow cyber criminals to access various cloud applications including core Microsoft services.

Microsoft 365 is the most notable cloud service that can be infiltrated in such a way due to the way the platform’s session login is designed, according to Proofpoint, with hackers able to gain full access to a target’s account. Information including emails, files, contacts, among other data points would be vulnerable to such an attack.

This is in addition to the MFA bypass granting access to a host of other cloud services, including production and development environments such as Microsoft Azure as well as Visual Studio.

The flaw lies in the implementation of the WS-Trust specification, an OASIS standard that is used for renewing and validating security tokens and establishing trusted connections. Proofpoint researchers claim that WS-Trust is inherently insecure and that Microsoft’s identity providers implemented the standard with a number of bugs.

These vulnerabilities can be exploited to allow an attacker, for example, to spoof their IP address to bypass MFA through a simple request header manipulation. Changing the user-agent header, in another example, may also cause the system to misidentify the protocol, and believe it to be using ‘modern authentication’. 

“Most likely, these vulnerabilities have existed for years. We have tested several Identity Provider (IDP) solutions, identified those that were susceptible and resolved the security issues,” Proofpoint said.

“Vulnerabilities require research, but once discovered, they can be exploited in an automated fashion. They are hard to detect and may not even appear on event logs, leaving no trace or hint of their activity. Since MFA as a preventative measure can be bypassed, it becomes necessary to layer additional security measures in the form of account compromise detection and remediation.”

With MFA becoming an essential and more widely-adopted additional layer of security to reinforce username-and-password logins, cyber criminals are certainly more attracted to identifying and implementing bypasses.

This is particularly pertinent during the coronavirus crisis, where the mass shift to remote and home working meant critical apps and services were being accessed from insecure locations, with protocols such as MFA in place to bolster cyber security.

Red Hat and IBM launch OpenShift software marketplace


Keumars Afifi-Sabet

10 Sep, 2020

Red Hat and its parent company IBM have together launched a one-stop-shop marketplace for customers seeking to run OpenShift enterprise applications on their hybrid cloud infrastructures.

Red Hat Marketplace offers a broad catalogue of more than 50 open-source software, across a dozen categories, available for enterprises to purchase and deploy, including apps in the areas of AI and machine learning, security, and big data, among others.

The marketplace aims to deliver an ecosystem of software from independent vendors so enterprise customers can easily deploy new tools on their hybrid cloud infrastructures, based on Red Hat OpenShift’s container platform. Some of the vendors whose tools are available include CognitiveScale, MongoDB and StorageOS.

“We believe that removing the operational barriers to deploy and manage new tools and technologies can help organizations become more agile in hybrid multi-cloud environments,” said Red Hat’s senior director for technology partnerships, Lars Herrmann.

“The software available on Red Hat Marketplace is tested, certified and supported on Red Hat OpenShift to enable built-in management logic and streamline implementation processes. This helps customers run faster with automated deployments while enjoying the improved scalability, security, and orchestration capabilities of Kubernetes-native infrastructure.”

The companies have also launched a private form of the marketplace, dubbed Red Hat Marketplace Select, available at additional cost for enterprises that want more control and governance over purchases.

The private marketplace allows clients to provide their teams with easy access to curated, pre-approved software, and also tracks usage and spending by departments of all software deployed across hybrid cloud environments.

The marketplace has been devised especially for companies building cloud-native infrastructure and supports the wider drive to cut down on vendor lock-in. Programmes can essentially be deployed across the open hybrid cloud and operate in any environment.

Deployment is automated, too, and purchases will be readily accessible on Red Hat OpenShift consoles, with customers also being offered 24/7 support.

Enterprise customers can access the collection of open-source tools in a metered, pay-per-hour, fashion, with the platform offering a granular understanding of usage and spending patterns. Red Hat claims this payment model allows customers to experiment with an array of tools in early-stage development projects, given there’s no need to commit to any lengthy subscriptions.

Data centre provider Equinix hit by ransomware


Keumars Afifi-Sabet

10 Sep, 2020

US data centre provider Equinix has been rocked by a major security incident, with some of its internal company systems compromised by ransomware.

The company revealed yesterday that its security teams took immediate action against the threat, notified law enforcement agencies, and are continuing to investigate the nature and scale of the infection.

The severity of the attack at this stage is unclear, with the company pledging to release further details soon. Thankfully for its customers, however, Equinix data centres and services, including its managed services, remained fully operational during the period of the attack, according to a statement released by the company.

“Equinix is currently investigating a security incident we detected that involves ransomware [on] some of our internal systems,” the company said.

“Note that as most customers operate their own equipment within Equinix data centers, this incident has had no impact on their operations or the data on their equipment at Equinix.”

Equinix provides an array of data centre and networking services for businesses, including data centre design, as well as colocation, which is the practice of housing privately-owned equipment in third-party data centres.

With internal systems kept separate from those that run many of the external services and from customers’ equipment housed in its data centres, the risk of the attack spilling over is said to be minimal, according to Equinix. Services are largely operating as normal at the time of writing.

There have been a number of high profile ransomware attacks in recent months, with a swathe of IT services companies similarly on the receiving end, in addition to high profile organisations like Canon and Honda.

Industry giant Cognizant, for example, recently experienced service disruptions for some of its clients. The IT services firm was targeted with Maze ransomware in April, with the incident costing the company around $70 million.

The attack on Equinix has similar hallmarks to one on CyrusOne in December 2019. In that instance, the company did sustain a degree of service disruption, with the attack affecting six customers served from one data centre based in New York.

Hackers abusing legitimate cloud monitoring tool to infiltrate Linux environments


Keumars Afifi-Sabet

9 Sep, 2020

Cyber criminals are abusing a trusted Docker and Kubernetes cloud monitoring tool to map the networks of their victims and execute system commands.

Having previously been known to use malicious Docker images to infect victims’ servers, TeamTNT has now been observed using Weave Scope as an effective backdoor into the cloud networking infrastructure of its targets, according to analysis by Intezer.

Weave Scope is a trusted tool that gives users full access to their cloud environment, and is integrated with Docker, Kubernetes, the Distributed Cloud Operating System (DC/OS) and the AWS Elastic Compute Cloud (ECS). Hackers, however, have illicitly deployed this tool to map out the environments of prospective victims, and execute system commands without the need to deploy malicious code. 

“To our knowledge, this is the first time attackers have been caught using legitimate third party software to target cloud infrastructure,” said Intezer security researcher Nicole Fishbein. “When abused, Weave Scope gives the attacker full visibility and control over all assets in the victim’s cloud environment, essentially functioning as a backdoor.”

“By installing a legitimate tool such as Weave Scope the attackers reap all the benefits as if they had installed a backdoor on the server, with significantly less effort and without needing to use malware,” she adds. 

The open-source tool, developed by Weave Works, providers monitoring and visualisation over Docker and Kubernetes servers, with users gaining full control over the infrastructure through a dashboard accessible through a web browser.

When successfully abused, attackers are granted access to all information about the server environment, in addition to the ability to install applications, establish connections between cloud workloads, and start or stop or open interactive shells in containers. 

This degree of functionality is equivalent to an attacker having installed a backdoor on the server, with significantly less effort and without needing to use malware, Fishbein added.

To install Weave Scope, a hacker would need to use an exposed Docker API port and create a new privileged container with a clean Ubuntu image. This container would then be configured to mount the file system of the container to the file system of the victim server, and therefore grant attackers access to all files on the server. 

The initial command, as observed by Intezer, was to download and execute several cryptominers. The attacker then attempted to gain root access to the server by setting up a local privileged user on the host server, using this to connect back via Secure Shell (SSH). The attackers subsequently downloaded and installed Weave Scope, which, once launched, connected the cyber criminals with the Weave Scope dashboard via HTTP on port 4040.

From this dashboard, the hackers can see a visual map of the Docker runtime cloud environment and give shell commands without deploying any backdoor. This is the first time that an attacker, to Intezer’s knowledge, has downloaded legitimate software to be used as an admin tool on the Linux operating system.

The cyber security firm has recommended that organisations close any exposed Docker API ports to prevent the initial infiltration, given this attack takes advantage of a common misconfiguration of the Docker API. All Docker API ports should, therefore, be either closed or contain restricted access policies in the firewall.

Organisations should also block incoming connections to port 4040 given Weave Scope uses this as a default to make the dashboard accessible. This port should also be closed or restricted by the firewall.

Ex-Cisco engineer charged with wiping WebEx Teams accounts


Keumars Afifi-Sabet

27 Aug, 2020

A former Cisco employee has pleaded guilty to damaging Cisco’s internal network in an incident during 2018, leading to the deletion of 16,000 Webex Teams accounts belonging to company employees.

Sudhish Kasaba Ramesh was charged with intentionally accessing a protected computer without authorisation and recklessly causing damage after he accessed Cisco’s cloud infrastructure and deleted 456 virtual machines (VMs).

Several months after resigning from the company in April 2018, he concsiously deployed a piece of code from his Google Cloud Project that destroyed these VMs in Cisco’s cloud infrastructure, hosted by Amazon Web Services (AWS)

These VMs hosted Cisco’ Webex Teams application, which meant that more than 16,000 employees lost access to video conferencing, video messaging, file sharing and other collaboration tools, as their accounts were wiped.

This shutdown lasted two weeks and caused Cisco to spend around $1.4 million in time to restore the damage, as well as more than $1 million in refunds to consumers. No customer data was compromised as a result of these actions, according to the US Attorney’s Office fo the Northern District of California.

“Cisco addressed the issue in September 2018 as quickly as possible, ensured no customer information was lost or compromised, and implemented additional safeguards,” a Cisco spokesperson told IT Pro

“We brought this issue directly to law enforcement and appreciate their partnership in bringing this person to justice. We are confident processes are in place to prevent a recurrence.”

Ramesh was charged on 13 July and pled guilty to the single count, admitting that he acted recklessly in deploying the code, and consciously disregarded the substantial risk of his actions harming Cisco. His hearing is scheduled for 9 December 2020. 

The maximum penalty for committing such an offence is five years imprisonment and a fine of $250,000, although Ramesh’s guilty plea is likely to mean the final sentence is much softer than this.

Cisco Webex tackles background noise with BabbleLabs acquisition


Keumars Afifi-Sabet

26 Aug, 2020

Cisco is planning to integrate artificial intelligence (AI) technology from BabbleLabs into its collaboration division to improve the audio quality of participants in Cisco Webex meetings and remove background noise.

BabbleLabs specialises in developing AI that can detect speech, distinguish this from background noise, and use speech enhancement tech to improve the quality and clarity of speech.

Microsoft courts foreign government contracts after JEDI win


Keumars Afifi-Sabet

24 Aug, 2020

Microsoft is pursuing major cloud deals with foreign governments in the mould of the highly lucrative Joint Enterprise Defense Infrastructure (JEDI) cloud infrastructure project that it secured last year.

Although elements of the contract in the JEDI cloud infrastructure project, worth $10 billion over ten years, are still not fully settled, the industry giant is increasingly keen to pursue similar deals outside of the US.

The company is indeed in the process of signing deals similar in shape to the cloud infrastructure project assembled for the US Department of Defense, according to people familiar with the matter speaking with CNBC.

This has come after overseas governments have begun to show an interest in replicating the type of relationship that Microsoft has formed with the Pentagon. Microsoft, specifically, has staffed the project with people who hold security clearances and has committed to delivering existing products and services, as opposed to specifically-built technologies at a customised price.

However, the company’s move to focus on more government contracts comes at a time when its JEDI contract work has been put on hold due to a legal challenge from Amazon. The rival cloud company is especially aggrieved as it feels the contract was awarded unfairly.

This conscious evolution in Microsoft’s cloud strategy will likely be formally announced later this year, a source told CNBC, with overseas intelligence agencies and militaries set to be key customers. Another source said the firm had already established JEDI-like cloud contracts with foreign governments, although it’s not clear which countries are the main focus.

“We’ve worked with governments around the world on a longstanding and reliable basis for four decades,” a Microsoft spokesperson told CNBC.

“We have government customers using our products to enhance their services with the latest in commercial innovations, deeply engage and connect with citizens in powerful ways, and empower government employees with the modern tools they need to be more efficient and effective, and to give them time back to focus on their agency mission.”

The JEDI work is currently on hold while the Pentagon re-examines elements of the contract, which Amazon said were ridden with errors and which a judge suggested may not comply with current standards. The Pentagon was due to finish the examination last week, on 17 August, although it requested a 30-day extension earlier in the month, according to Nextgov.

HPE signs landmark cloud deal with UK government


Keumars Afifi-Sabet

19 Aug, 2020

The UK government has established a Memorandum of Understanding (MoU) with HPE that will allow public sector organisations to adopt a pay-per-use model when acquiring hybrid cloud services for digital transformation.

The MoU, agreed between HPE and the government’s Crown Commercial Service (CCS), will allow to public sector bodies to take advantage of preferential rates when seeking a third-party provider for cloud services. 

“Despite the growth of cloud strategies in the public sector, many organizations have struggled to move business-critical applications to the public cloud, due to application entanglement, data gravity, security and compliance, and unpredictable costs,” said vice president and GM UK&A at HPE Pointnext Services, Sue Preston. 

“By leveraging HPE technologies, like HPE GreenLake, public sector organizations can reduce complexity, boost innovation and bring cost efficiency to their digital transformation efforts.”

Qualifying organisations can benefit from minimum agreed discounts on a range of HPE systems and platforms, including HPE GreenLake cloud services, Aruba enterprise networking and security products, as well as HPE’s storage and compute technology. 

The agreement also gives public sector bodies access to HPE’s pay-as-you-use cloud model in their own data centres, at the edge, as well as at facilities such as Crown Hosting Data Centres. Organisations can also use the full extent of GreenLake services, including its pre-integrated configurations of varying sizes.

“CCS provides commercial agreements which help organisations across the entire public sector save time and money on buying everyday goods and services,” said the chief executive of CCS, Simon Tse.

“This Memorandum of Understanding with HPE not only provides great value for public sector organisations, it also allows them to innovate more readily and improve services for the citizens they serve.”

This is the fourth such arrangement that the CCS has struck with cloud service providers over the last few months, as part of the One Government Cloud Strategy. This venture offers public sector bodies comprehensive guidance on pursuing cloud-powered digital transformation projects. 

MoUs have previously been established with Google Cloud, UKCloud, and most recently with IBM to give public sector bodies a number of options when looking for digital transformation services from a third-party provider.

AWS launches Amazon Braket quantum cloud service


Keumars Afifi-Sabet

17 Aug, 2020

Amazon Web Services (AWS) has made its Amazon Braket cloud-based quantum computing service generally available to all customers following a successful trial launch.

Quantum computing power provided by industry leaders including D-Wave, IonQ and Rigetti can be accessed through AWS, with customers able to experiment with quantum algorithms and advanced simulations.

Amazon Braket was first unveiled in December 2019 as the first of three new quantum computing services, with Braket giving scientists, researchers and developers the tools to experiment with quantum computers in a single environment.

Alongside Amazon Braket were the AWS Center for Quantum Computing, which brings together expertise from Amazon and academic institutions to collaborate on research, as well as Amazon Quantum Solutions Lab. This final stream is a programme that connects customers with quantum computing experts and consultants to identify practical uses for the technology.

“Last year I told you about Amazon Braket and explained the basics of quantum computing, starting from qubits and progressing to quantum circuits,” said chief evangelist for AWS, Jeff Barr. “During the preview, AWS customers such as Enel, Fidelity (Exploring Quantum Computing with Amazon Web Services), and Volkswagen have been using Amazon Braket to explore and gain experience with quantum computing.”

“I am happy to announce that Amazon Braket is now generally available and that you can now make use of both the classically-powered circuit simulator and quantum computers from D-Wave, IonQ, and Rigetti.”

Users can access Amazon Braket through a notebook-style user interface (UI), where they can create notebook instances to run processes using quantum hardware. Pricing will be based per-task, with an additional per-shot charge specific to the type of quantum hardware that users take advantage of. Use of the simulator also incurs an hourly charge, billed by the second, with a 15-second minimum. 

Quantum computing, heralded as a major technological breakthrough, is still in its early stages of development and therefore hasn’t yet delivered on its immense promise. The term for when quantum computing overtakes classical computing in terms of power is known as ‘quantum supremacy’, which Google claimed to have achieved earlier in the year.

The significant potential is anchored in the way it relies on qubits to make calculations. These are quantum bits that exist as neither 1 or 0 as in classical computing, but a ‘quantum superposition of 1 and 0’, existing in both states simultaneously. While two bits tied together take the form of 00,01, 10 or 11, two qubits exist in all four states simultaneously. 

Tying several hundreds, thousands, or even tens of thousands of qubits together could therefore offer the potential to perform calculations at lightning speeds, where it may previously have taken a long time.

One of the challenges in reaping the benefits of quantum computing is making it accessible to companies and developers, which is where services like Amazon Braket and IBM Quantum Cloud come in.