All posts by Keumars Afifi-Sabet

AWS CISO urges companies to adopt a zero-trust security approach


Keumars Afifi-Sabet

9 Dec, 2020

Organisations should embrace the philosophy and principles of zero-trust security to keep up to date with modern demands and security threats, AWS’ chief information security officer (CISO) Steve Schmidt has urged.

Adopting the core tenets of a zero-trust philosophy, including accessibility and usability, while keeping the focus on the fundamentals of security, will let businesses eliminate needless risks in their IT estates.

Doing so, however, isn’t as straightforward as businesses may hope, according to Schmidt. This is because the term ‘zero-trust’ can mean different things in different contexts, with this ambiguity the product of a diversity of use cases to which it applies.

“Zero-trust is, to me, a set of mechanisms that focus on providing security controls around digital access and assets while not solely depending on traditional network controls or network perimeters,” he explained, speaking at AWS re:Invent 2020. 

“In other words, we aren’t going to trust a user based only on their location within a traditional network. Instead, we want to augment network-centric models with additional techniques, which we would describe as identity-centric controls.”

One such use case he gave was human-to-application security, which is particularly relevant given the surge in people working from home in 2020. Traditionally, applications sat behind a virtual private network (VPN) front door, but VPNs aren’t compatible with the diversity of devices that workers use to access work-related services. Applying zero-trust principles sets the objective of making the locks on applications effective enough that a VPN-based front door can be eliminated altogether.

Zero-trust principles have become far more popular across the industry of late, with a number of companies quick to adopt and promote this philosophy either as part of their own strategies or in their products. 

BlackBerry, for example, announced Persona Desktop in October, a security platform that uses artificial intelligence (AI) and machine learning to detect user and entity behaviour abnormalities. Persona Desktop works at the endpoint, eliminating the need to share data back to the cloud before the system acts, and also aims to protect against stolen credentials, insider threats, and physical compromise.

Google, too, launched a zero-trust remote access service known as BeyondCorp Remote Access earlier this year that’s designed to give remote teams access to their internal applications without the need for a VPN.

As part of Schmidt’s outline of AWS’ security strategy, he also proposed a set of questions that businesses and IT administrators should ask about their organisation’s security configuration. Elements such as where the perimeter is, and how large it is, as well as how easy it might be to monitor and audit, should be considered. 

Schmidt also, by way of example, suggested that while VPNs are fine to use for network isolation, it would be best to make the implementation dynamic and hidden from the user experience. This might lead to users not even noticing that network boundaries are being created and torn down as required.

Russian hackers are exploiting critical VMware flaws


Keumars Afifi-Sabet

8 Dec, 2020

State-backed Russian cyber criminals are actively exploiting a recently-patched vulnerability in a series of VMware products in order to access sensitive corporate data.

VMware had previously warned its customers, in late November, about a critical command injection flaw in a number of its products, including Workspace One Access and Identity Manager. Although the bug was considered severe, with a rating of 9.1 on the CVSS threat severity scale, a patch wasn’t available at the time and was only released on 3 December.

Hackers operating on behalf of the Russian state, however, have been actively exploiting the vulnerability to access data on targeted systems, according to an advisory issued by the US National Security Agency (NSA).

“The exploitation via command injection led to installation of a web shell and follow-on malicious activity where credentials in the form of SAML authentication assertions were generated and sent to Microsoft Active Directory Federation Services, which in turn granted the actors access to protected data,” the advisory said.

“It is critical when running products that perform authentication that the server and all the services that depend on it are properly configured for secure operation and integration. Otherwise, SAML assertions could be forged, granting access to numerous resources.”

Beyond the wider business community, the NSA has stressed the need for organisations involved in national defence and security to apply VMware’s patch as soon as possible, or implement workarounds until updates are feasible. The advisory also suggests that organisations review and harden their configurations as well as the monitoring of federated authentication providers.

Beyond Workspace One Access and Identity Manager, the products affected include Access Connector and Identity Manager Connector, with specific product versions outlined in VMware’s original security advisory.

The vulnerability, tagged CVE-2020-4006, essentially allows hackers to seize control of vulnerable machines. They would first need to be armed with network access to the administrative configurator on port 8443, as well as a valid password to the admin account.

As such, the NSA has recommended that network administrators limit the accessibility of the management interface on servers to only a small set of known systems, and block it from direct internet access. Critical portions of this activity can also be blocked by disabling the firm’s configurator service.

Zero-click ‘wormable’ RCE flaw uncovered in Microsoft Teams


Keumars Afifi-Sabet

8 Dec, 2020

Hackers were able to exploit a serious vulnerability in Microsoft Teams desktop apps to execute arbitrary code remotely and spread infection across a company network by simply sending a specially-crafted message.

The zero-click flaw, which is wormable, can be triggered by cross-site scripting (XSS) injection in Teams, with hackers able to transmit a malicious message which will execute code without user interaction.

This remote code execution (RCE) flaw was first reported to Microsoft in August, with the company fixing the bugs in October 2020. However, security researcher Oskars Vegaris, who discovered the flaw, has complained that the firm didn’t take his report as seriously as it should have, with Microsoft not even assigning the bug a CVE tag.

Microsoft rated the Teams vulnerability as ‘important’, although it described its impact as ‘spoofing’ in its bug bounty programme. As for the CVE element, Microsoft doesn’t issue CVE tags for products that automatically update without user interaction.

“This report contains a new XSS vector and a novel RCE payload which are used together,” Vegaris wrote on GitHub. “It affects the chatting system within Microsoft Teams and can be used in e.g. direct messages, channels.”

In a technical breakdown of the vulnerability, the researcher highlighted how RCE can be achieved by chaining two flaws: stored XSS in Teams chat functionality and a cross-platform JavaScript exploit for the Teams desktop client.

The impact is seemingly alarming, with its wormable nature meaning the exploit payload can be spread across other users, channels and companies without any interaction. The execution of malicious code could also happen without any user interaction, given users need to only view the specially-crafted message. 

The consequences of infection range from complete loss of confidentiality and integrity for victims, to access to private communications, internal networks, private keys as well as personal data outside of Microsoft Teams.

Hackers can also gain access to single sign-on (SSO) tokens for other services, including Microsoft services such as Outlook or Microsoft 365. According to Vegaris, this could also expose victims to phishing attacks, as well as keylogging with specially-crafted payloads.

IT Pro approached Microsoft for comment.

How can the cloud industry adapt to a post-COVID world?


Keumars Afifi-Sabet

3 Dec, 2020

One of the unexpected silver linings to the global coronavirus crisis has been the rapid growth the cloud industry has enjoyed. The shift to remote working during the various lockdowns that have taken place over the course of 2020, was largely, if not entirely, facilitated by cloud services. This has meant that while other sectors have struggled and there has been an overall economic downturn, cloud companies have performed relatively well financially. 

Although they wouldn’t want to characterise the past few months as profiting from the pandemic, the likes of Zoom and Microsoft Teams have surged in usage and revenue, with the latter surpassing 44 million users as early as March. This period has also accelerated many digital transformation projects, with engineers more than capable of carrying out projects at pace and scale, including in the traditionally lethargic public sector. This success, however, has been driven entirely by the effects of the pandemic, forcing the industry to question whether, and how, it can adapt once its services are no longer as highly sought after.

Shifting sands

While we all rejoiced at the news that a potential COVID-19 vaccine may be available for distribution before the end of the year, shares in a handful of companies dropped sharply in response, including a reduction of at least 15% in the valuation of Zoom.

Whether things go back to the way they were, or cloud companies continue to play a more pivotal role than ever, is yet to be determined. For independent cloud consultant Danielle Royston, the goal of going ‘back to normality’ in 2021 is misplaced. “There’s no point wasting time and energy trying to return to the halcyon days of pre-COVID,” she says. “Let’s focus instead on some of the positive ‘disruptions’ we’ve seen this year. In all the companies I’ve been at, I’ve promoted – and in some cases fully converted to – remote working. I saw this as the inevitable direction that work and society was going, as the cloud computing tools were already there. And it makes sense: A better quality of life for employees, ease of collaboration, cutting the costs of business travel.”

This is a trend that Tom Wrenn, cloud investment expert and partner at private equity firm ECI Partners, predicts will continue well into next year, telling Cloud Pro that COVID-19 forced many companies into rapidly adopting cloud-based operations. These, driven by government-enforced lockdowns, allowed them to continue operating remotely. “Now, having done a basic shift to cloud-based systems,” he adds, “2021 will be the year of full cloud adoption, with businesses starting to optimise all its benefits; for example, data analytics and AI. If rapid investment was needed in 2020, next year businesses will want to see a return on that investment and will expect to see more from their cloud computing providers.”

Remoting-in

Although the recent transition to remote working is a trend sparked by COVID-19, the consensus is that it’s the beginning of a wider cultural shift. Former IBM boss Ginni Rometty is among the latest to suggest as much, claiming mass remote working will continue in some form as part of a broader hybrid model in future. This may involve companies keeping some physical presence while establishing the infrastructure and equipment to allow workers to work remotely as and when desired.

Cisco CTO for UK and Ireland, Chintan Patel, agrees, telling Cloud Pro that remote working gained widespread acceptance during COVID-19, even in organisations where it was unthinkable before. This means cloud and software as a service (SaaS) tools will continue to remain a crucial part of many setups, even though businesses will mostly return to a form of ‘hybrid’ model. “For remote working, cloud plays a central role; think secure cloud-based collaboration, accessing cloud-based business applications, and extending the security perimeter to thousands of devices,” he explains. “It’s important to note, though, that cloud-based consumption models are not limited to remote working only. As to those returning to the offices, we see technology can help make the workplace more secure and efficient. As and when companies prepare for a return to office, they also need to optimise their space, address worker concerns about sanitation and social distancing and plan how to communicate policies and information clearly.”

Technology will play a major part in instigating the changes needed in future, with a key role to play for many of the firms that have enjoyed success during the pandemic. While demand for software such as video conferencing platforms may not be as sky-high as it was at the beginning of the pandemic, Wrenn argues the next big step is how cloud companies can eat further into the market share enjoyed by the traditional telephone industry. “More and more businesses are using Microsoft Teams or Zoom to interact,” he explains, “when previously they would have used conference lines or even called a person directly due to it being more convenient. Cloud providers need to think about how they can make the most of this opportunity as the way in which people interact changes.”

To infinity and beyond

To some extent, we should all consider ourselves lucky the global pandemic happened when it did, given that cloud computing has only recently become as advanced as it is now. Thus, rather than ‘profiting from the pandemic’, this period has been the making of the industry. After all, “cloud storage, processing, and compute facilities are already set up, and ready to expand easily and automatically, as and when enterprises need,” according to Royston, who claims this wouldn’t have been the case ten to 15 years ago. “It would’ve been an epic failure and caused even more disruption and long-term damage to global economies. This year, white-collar workers being able to quickly adapt to working from home in their millions is part of what’s helped many sectors stay afloat. And it’s because of the investment and ongoing work of hyperscalers over the past few years that’s meant businesses can support workers in doing this.”

Connectivity will also continue to grow as organisations’ reliance on SaaS tools increases, Patel adds, with firms expecting more from these companies beyond provision. With cloud infrastructures becoming increasingly diverse, especially as applications add more layers of complexity, businesses will be looking to strengthen their infrastructure. This will be achieved by gaining deeper visibility across their IT estates, ensuring workloads have continuous access to required resources and running systems that connect and protect at scale – from on-prem to hybrid cloud configurations. This is in addition to using technologies such as machine learning to give customers tools to manage their ever-growing data lakes. This is where providers can step in to guide customers on their migration journeys.

As such, the greatest challenge facing cloud providers, in light of the above, will largely be customer retention, according to Tom Wrenn. “If we take online meeting services as an example, historically businesses would have had to invest in a service, such as [Cisco] WebEx, which is often costly and comes with a lot of equipment,” he says. “Today, however, businesses are using Zoom and Teams for this and can just turn services on and off with little upfront investment. This means that customers aren’t locked into providers in a way they once were. As a result, cloud computing providers will need to over-deliver for their clients, retaining a high level of customer service as well as ensuring that service levels don’t decline as they undergo a huge period of growth.”

VMware sounds alarm over zero-day flaws in multiple products


Keumars Afifi-Sabet

24 Nov, 2020

VMware has warned its customers about a critical vulnerability present across several of its products, including Workspace One Access and Identity Manager, that could allow cyber criminals to take control of vulnerable machines.

The command injection flaw, tracked as CVE-2020-4006 and rated 9.1 on the CVSS threat severity scale, can be exploited in a host of VMware products, the company has warned. There’s currently no patch available, although the firm has issued a workaround that can be applied in some instances. There’s also no mention as to whether the flaw is being actively exploited in the wild or not.

Hackers armed with network access to the administrative configurator on port 8443 and a valid password to the admin account can exploit the flaw to execute commands with unrestricted privileges on the underlying operating system (OS).

The affected services include VMware Workspace One Access, Workspace One Access Connector, Identity Manager, Identity Manager Connector, Cloud Foundation and vRealize Suite Lifecycle Manager. 

The vulnerability can be exploited in some products only when hosted on Linux and not on Windows, and on either operating system for other products. The full details on which software and OS configurations are affected are outlined in VMware’s security advisory.

Until a patch is released, VMware has outlined a workaround that can be applied to some product lines but not all. Customers using Workspace One Access, VMware Identity Manager, and VMware Identity Manager Connector can follow the detailed steps outlined here, relevant to the configurator hosted on port 8443. This involves running a set of commands for all affected products.  

The workaround isn’t compatible with other products beyond those three that may be affected, and customers will have to keep their eyes peeled for any news of a patch as and when one is released. 

News of this command injection vulnerability has arrived only days after VMware confirmed two critical flaws in its ESXi, Workstation, Fusion and Cloud Foundation products.

Microsoft expands Defender capabilities for Linux systems


Keumars Afifi-Sabet

18 Nov, 2020

Microsoft has rolled out the public preview of its Defender for Endpoint software on Linux systems, giving IT administrators outside of the Windows 10 ecosystem a comparable level of protection.

Defender for Endpoint customers can take advantage of endpoint detection and response (EDR) capabilities to detect advanced threats involving Linux servers, use data from endpoints to gain insights, and remediate attacks.

The software supports recent versions of the six most common Linux distributions, including RHEL 7.2+, CentOS Linux 7.2+, Ubuntu 16 LTS or higher, SLES 12+, Debian 9+ and Oracle Linux 7.2. 

This expansion builds on the company’s general release of Microsoft Defender Advanced Threat Protection (ATP) for Linux earlier this year. This is in addition to Microsoft bolstering security for Android and iOS platforms.

With the Defender ATP for Linux, which was made generally available from June 2020, enterprise customers were able to install a similar level of protection on their Linux systems as they could on Microsoft systems within their infrastructures.

Using Defender for Endpoint EDR, users can immediately begin benefiting from three new feature areas: a rich investigative experience, optimised performance, and in-context threat detection.

Features in the first category comprise a machine timeline, process creation, file creation, network connections, login events and advanced hunting. Optimised performance entails improved CPU utilisation during compilation procedures as well as large software deployments. In-context antivirus detections, meanwhile, give users insight into where a threat came from and how the malicious process or activity was created.

Users can engage in the public preview by configuring some of their Linux servers to Preview mode if they’re already running Microsoft Defender for Endpoint on Linux. Customers are also being encouraged to test out a simulated attack tool, in which Linux EDR can simulate a detection on a server, and trigger an investigation of the case. 

Cisco patch notes ‘left out’ details of RCE flaws


Keumars Afifi-Sabet

17 Nov, 2020

The release notes for the recently patched Cisco Security Manager (CSM) platform did not initially include details of 12 severe security vulnerabilities that could, if exploited, lead to remote code execution (RCE).

Although these 12 flaws in CSM, an enterprise-class management console that offers insight into and control of Cisco security and network devices, were recently fixed, its developers failed to mention them at all, according to security researcher Florian Hauser.

Hauser claims to have reported these 12 bugs to the networking giant in July this year and was under the impression they were due to be fixed when CSM was updated to version 4.22 earlier this month.

The researcher claims, however, that despite patching the vulnerabilities last week, the company didn’t mention them at all in the release notes for CSM and did not issue security advisories for businesses that may be potentially affected.

As a result, Hauser has published on GitHub the proof-of-concept code for all 12 flaws he submitted, including a host of RCE exploits that cyber criminals could use if targeting an unpatched system.

“120 days ago, I disclosed 12 vulnerabilities to Cisco affecting the web interface of Cisco Security Manager. All unauthenticated, almost all directly giving RCE,” Hauser posted on Twitter on 11 November, following this up overnight with: “Since Cisco PSIRT became unresponsive and the published release 4.22 still doesn’t mention any of the vulnerabilities, here are 12 PoCs in 1 gist.”

The CSM 4.22 release notes outlined several improvements to security and functionality, including support for AnyConnect Web Security WSO. The company has subsequently released advisories for three vulnerabilities that were reported in July, crediting Florian Hauser for discovery.

The first, a path traversal vulnerability, tagged CVE-2020-27130 and assigned a CVSS score of 9.1, could allow an unauthenticated remote attacker to gain access to sensitive information, upon successful exploitation. This is due to improper validation of traversal character sequences within requests to affected devices.

The second, a Java deserialisation flaw tagged CVE-2020-27131 and assigned a severity score of 8.1, could allow a remote attacker to execute arbitrary commands on an affected device. The final flaw, a static credential vulnerability tagged CVE-2020-27125 and assigned a severity score of 7.4, could allow a remote attacker to access sensitive information on a targeted system.
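The path traversal flaw above is attributed to improper validation of traversal character sequences within requests. As an added, constructed example (not Cisco’s code and not taken from the advisory or Hauser’s proof-of-concept), the Python below shows what proper validation looks like for a web interface that maps request paths to files: it decodes the path, rejects literal, percent-encoded and backslash traversal sequences, and confirms the resolved file still sits under the web root. It also scans a few constructed access-log lines for the same sequences, the kind of check a defender would run over logs after such an advisory. The web root and the request paths are assumptions for the example only.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed web root for the example; the real product's paths are not on the page.
WEB_ROOT = "/var/www/webui"

# Traversal sequences as they typically appear in requests: literal "../" or "..\",
# a trailing "..", single-encoded "%2e%2e" and double-encoded "%252e". The same
# pattern is applied after decoding so one encoding layer cannot hide it.
TRAVERSAL_RE = re.compile(r"(\.\.[/\\])|(\.\.$)|(%2e%2e)|(%252e)", re.IGNORECASE)


def decode_path(raw_path: str, rounds: int = 2) -> str:
    """Percent-decode repeatedly (bounded) so double-encoded sequences are exposed."""
    path = raw_path
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def is_safe_request_path(raw_path: str, web_root: str = WEB_ROOT) -> bool:
    """Validate a request path before mapping it to a file on disk.

    Rejects NUL bytes, backslashes, any remaining traversal sequence and any
    '..' segment, then normalises the path and checks that the result still
    lies under the web root.
    """
    path = decode_path(raw_path)
    if "\x00" in path or "\\" in path:
        return False
    if TRAVERSAL_RE.search(path):
        return False
    # Only the path component is mapped to a file; the query string is ignored.
    path = path.split("?", 1)[0]
    if any(seg == ".." for seg in path.split("/")):
        return False
    resolved = posixpath.normpath(posixpath.join(web_root, path.lstrip("/")))
    return resolved == web_root or resolved.startswith(web_root + "/")


def find_traversal_attempts(log_lines):
    """Return (line_number, request_path) for log lines whose request path
    contains a traversal sequence, either as sent or after decoding."""
    hits = []
    for n, line in enumerate(log_lines, start=1):
        m = re.search(r'"(?:GET|POST|PUT|DELETE|HEAD) ([^ "]+)', line)
        if not m:
            continue
        raw = m.group(1)
        if TRAVERSAL_RE.search(raw) or TRAVERSAL_RE.search(decode_path(raw)):
            hits.append((n, raw))
    return hits


# Constructed sample access-log lines in common log format; not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [17/Nov/2020:10:01:02 +0000] "GET /ui/index.html HTTP/1.1" 200 512',
    '10.0.0.7 - - [17/Nov/2020:10:01:09 +0000] "GET /ui/../../../../etc/passwd HTTP/1.1" 200 1204',
    '10.0.0.9 - - [17/Nov/2020:10:02:11 +0000] "GET /ui/%2e%2e/%2e%2e/conf/app.properties HTTP/1.1" 200 3301',
    '10.0.0.9 - - [17/Nov/2020:10:02:15 +0000] "GET /ui/%252e%252e/%252e%252e/conf/app.properties HTTP/1.1" 404 0',
    '10.0.0.5 - - [17/Nov/2020:10:03:00 +0000] "GET /ui/static/app.js?v=1 HTTP/1.1" 200 8800',
]

if __name__ == "__main__":
    for n, raw in find_traversal_attempts(SAMPLE_LOG):
        print(f"line {n}: traversal sequence in {raw!r} -> safe={is_safe_request_path(raw)}")
```

A request that passes `is_safe_request_path` can still be denied by the application's own authorisation checks; the validator only guarantees the resolved file is under the web root.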

IT Pro approached Cisco to clarify why it had first failed to mention these flaws in the patch notes for CSM version 4.22.

Google slashes free Drive storage to 15GB


Keumars Afifi-Sabet

12 Nov, 2020

Google will restrict the online cloud storage capacity for high-quality photos and videos to 15GB from next year as the firm looks to capitalise on the millions of users who have come to rely on the service.

From June 2021, new high-quality content uploaded to Google Photos will count towards a free 15GB storage capacity, with the company making several pricing tiers available to those who need to store more data. The limit will also apply to files that users keep on Drive, specifically Google Docs, Sheets, Slides, Drawings, Forms, and Jamboard files.

Google is framing these plans as a way to be able to continue to provide everybody with a great storage experience while keeping pace with the growing demand for its free services.

Currently, files created through Google’s productivity apps, as well as photos smaller than 2,048 x 2,048 pixels, and videos shorter than 15 minutes, don’t count towards the cap. High quality, under the new storage calculations, will include photos larger than 16Mp or videos larger than 1080p, all of which will be optionally compressed.

“For many, this will come as a disappointment. We know. We wrestled with this decision for a long time, but we think it’s the right one to make,” said the firm’s product lead for Google Photos, David Lieb.

“Since so many of you rely on Google Photos as the home of your life’s memories, we believe it’s important that it’s not just a great product, but that it is able to serve you over the long haul. To ensure this is possible not just now, but for the long term, we’ve decided to align the primary cost of providing the service (storage of your content) with the primary value users enjoy (having a universally accessible and useful record of your life).”

More than one billion people rely on Google Photos and Google Drive, Lieb added, uploading more than 28 billion photos and videos every week on top of more than four trillion already uploaded onto the service.

The change will only apply to newly uploaded content starting on 1 June next year, with all existing high-quality content remaining exempt from the storage quota. This includes all content uploaded between now and then.

Users who wish to upgrade to a larger storage plan will have to sign up to the company’s paid-for cloud storage platform Google One, with packages beginning at 100GB, alongside other features including access to Google experts and shared family plans.

Currently, Google One is priced at $1.99 per month for 100GB of storage, $2.99 per month for 200GB, and $9.99 per month for 1TB.

Google is also rolling out a host of new tools, which the firm hopes will go towards justifying the additional cost for those who need to pay for a higher tier.

Among these tools is software that can make it easier to identify and delete unwanted content, such as blurry photos and long videos, though the firm is set to make more announcements in the coming months. Google has in the last few years leant on AI to improve the functionality of its flagship products, including Gmail and Google Docs.

The firm is also introducing new policies for users who are inactive or over their storage limit across Google’s cloud-based services. Those who are inactive in one or more of these services for two years may see their content deleted in those specific products, while users over their storage limit for two years may see their content deleted across the board.

AWS is the latest cloud giant to sign MoU with UK government


Keumars Afifi-Sabet

2 Nov, 2020

Amazon Web Services (AWS) has struck an agreement with the UK government to accelerate the public sector’s digital transformation drive, boost digital skills and raise the level of participation among smaller cloud providers.

The ‘One Government Value Agreement (OGVA)’ is a three-year memorandum of understanding (MoU) between AWS and the Crown Commercial Service (CCS) that spans two tiers for both smaller and larger organisations.

Cloud services will become available to the public sector as a single client, offering more cost savings for deployment against organisation-by-organisation deals. AWS will also establish a digital skills fund, which will train more than 6,000 civil servants in cloud computing free of charge.

The first tier supports organisations at the beginning of their cloud journeys, allowing them to conduct their first cloud projects with support such as bespoke training, workshops, and “cloud credits” for new research projects. The second tier, aimed at larger organisations already well underway in terms of using cloud services, offers various additional services they can take up and advantageous pricing structures. 

“CCS provides commercial agreements which help organisations across the entire public sector save time and money on buying everyday goods and services,” said chief executive of the Crown Commercial Service, Simon Tse. 

“This agreement with AWS demonstrates excellent value for the public sector organisations we serve, and supports them in their drive to improve services for citizens across the UK.”

This is an agreement in the same mould as those struck earlier this year between the government and major cloud providers such as UKCloud, Google Cloud, and Oracle.

IBM, for example, struck an agreement that would allow public sector organisations to benefit from ‘preferential commercial terms’ when moving their workloads to the cloud. HPE, meanwhile, struck a deal with the UK government to provide hybrid cloud services on a pay-per-use model. 

In addition to the skills fund, the AWS agreement specifically contains an element that aims to encourage the uptake of services from smaller cloud providers and AWS partners. More than 150 members of the AWS Partner Network would be able to pitch their own services to public sector organisations, including many cloud-based small and medium-sized businesses (SMBs).

Microsoft partners with Adobe and c3.ai to launch Salesforce rival


Keumars Afifi-Sabet

27 Oct, 2020

Microsoft has pledged to ‘re-invent’ customer relationship management (CRM) software after partnering with Adobe and enterprise AI company c3.ai to launch a new platform to take on the market dominance of Salesforce. 

C3 AI CRM is powered by the core functionality of Dynamics 365, combined with Adobe’s real-time customer profiles and journey management, as well as c3.ai’s industry-specific AI capabilities.

The AI-driven CRM platform is purpose-built for specific industries and uses data from any source to produce meaningful business insights. The collective claims that conventional CRM is not sufficient for the modern age, given that AI can’t be used to analyse much of the data because those systems weren’t built with the appropriate architectures.

The three-way partnership represents a major challenge to Salesforce, which enjoys dominance in the CRM segment, and follows reports last week that Microsoft was making CRM a “priority”. SAP and Oracle are also big players in the CRM space, with Adobe and Microsoft following the pack, having traditionally held only a fraction of the market share.

“C3.ai, Microsoft, and Adobe bring together the perfect combination of technology, industry, and domain expertise to address the requirements for a new generation of CRM,” said c3.ai CEO Ed Abbo.

“Importantly, in addition to this combination of leading technologies and expertise, we share a common vision with our partners of an AI-first, industry-specific approach to delivering a new generation of AI CRM solutions.”

The announcement builds on a pre-existing partnership between the enterprise AI firm and Microsoft, with c3.ai also contributing its technology to Microsoft Dynamics 365 and Microsoft Teams earlier this year.

The three companies claim that C3 AI CRM will allow clients to better anticipate their customers’ needs and deliver more satisfying and personalised user journeys. The level of intelligence brought on by AI functionality could, for example, allow for more accurate forecasts. Massive amounts of data can also be analysed to augment human agents or trigger automated processes in the CRM platform.

Microsoft claims that its technology has an expansive and unmatched footprint, combining Dynamics 365 business applications with LinkedIn Sales Navigator and Microsoft Power Platform, powered by Azure. Microsoft hopes that when combined with Adobe’s speciality in the digital customer experience, and the AI capabilities of c3.ai, the combined system will offer customers a powerful alternative to the biggest players.