New Internet Explorer Zero-Day Exploited in Watering Hole Attack Campaign

May 7, 2013

Attackers are targeting a zero-day vulnerability in Microsoft Internet Explorer in a campaign that has hit as many as 10 different websites, including the U.S. Department of Labor site.

Originally thought to be exploiting CVE-2012-4792, the attackers are now known to be targeting a previously unknown vulnerability in certain versions of IE. According to Microsoft, the vulnerability affects Internet Explorer 8, and IE 6, 7, 9 and 10 are not impacted.

“This is a remote code execution vulnerability,” Microsoft explained in an advisory. “The vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.”

“On completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs,” according to the advisory.

According to AlienVault, the list of affected sites spans from the Department of Labor site to sites belonging to several non-profit groups and institutes as well as a European company involved in the aerospace, defense and security industries.

Researchers from CrowdStrike said the attack campaign may have begun in mid-March. Their analysis of logs from the malicious infrastructure used in this campaign showed the IP addresses of the visitors to the compromised sites belonged to 37 different countries.

“The legitimate sites compromised to deliver malicious code in this campaign give an indication into targets of interest,” blogged Matt Dahl, senior threat researcher at CrowdStrike. “The specific Department of Labor website that was compromised provides information on a compensation program for energy workers who were exposed to uranium. Likely targets of interest for this site include energy-related US government entities, energy companies, and possibly companies in the extractive sector.”

“Based on the other compromised sites other targeted entities are likely to include those interested in labor, international health and political issues, as well as entities in the defense sector,” he blogged.

Microsoft urged anyone worried about the attack to upgrade to the most current versions of the browser, which are not vulnerable to the attack.

“We also encourage folks to exercise caution when visiting websites and avoid clicking suspicious links, or opening email messages from unfamiliar senders,” blogged Dustin Childs, group manager for response communications for trustworthy computing at Microsoft.


TRUST, Can You Put a Price On It?

April 29, 2013

The Ponemon Institute recently published the first-ever research on the cost of losing control of trust—that is, losing control of the cryptographic keys and digital certificates that underlie trust for all transactions in our digital age. How intertwined are these encryption assets and trust? Consider two major exploits of this year alone: the Bit9 certificate theft and the DigiCert compromise. In both cases, hackers managed to obtain legitimate certificates to sign their malware. Their malware perfectly masqueraded as legitimate software because to users’ systems, which rely on certificates to determine whether to throw up system warnings or automatically install software, the malware was legitimate. The financial impact of such an exploit can hardly be exaggerated.

The cyber-criminals behind these exploits understand that each cryptographic key and certificate deployed in an organization is a valuable asset ripe for exploitation. Yet according to the findings, 51 percent of organizations don’t know the most fundamental facts about their own keys and certificates: they don’t know how many keys and certificates the organization has, where they are deployed, what they are protecting, or who has access to them.

It’s not that IT security professionals are simply falling down on the job. In many organizations, policies quite properly require the deployment of keys and certificates for just about every service. As a result, the average enterprise has more than 17,000 of them. No IT staff can manage such a large volume of keys and certificates manually without errors and oversights that completely undermine the supposed value of the mission-critical security and authentication instruments. Yet more than 60 percent of global 2000 organizations do manage their encryption assets manually; we’re talking about spreadsheets that list whatever keys and certificates application admins happen to report and not much more. IT security professionals know things can’t go on like this. Like coal miners listening to the timbers creak and watching the ceilings bulge, they know disaster looms, but their reports to the surface often go unheeded by management.

Too many business executives, locked in yesterday’s security constructs of armed guards, gates and cameras, think of this issue—if they think of it at all—as an annoying management problem for IT security teams to handle. They think the organization is simply losing track of assets that remain intrinsically valuable. They fail to understand that the assets’ value is trust. Lose track of the certificates and keys, and you can no longer trust them. Their value—and the trust that makes all other IT assets valuable—simply evaporates. Worse, compromised assets become liabilities, weapons to be used against the organization.

McAfee recently learned this lesson the hard way. One of their digital certificates was revoked, trust broke down, and Mac users could no longer determine whether an application could be trusted or not, to the detriment of the McAfee brand.

The average organization can expect to learn the hard way too:

• The threats are likely—One in five organizations expects failures in key and certificate management to lead to exploits and infiltrations.

• The costs will be high—The average global 2000 organization can expect an estimated U.S. $124 million in cost exposure from a server cryptographic theft incident. And such an incident is just one of the many that could occur.

• It’s already happening—In the last 24 months, organizations have experienced at least one of these trust exploits due to their key and certificate management failures:

• IT security will continue to fall behind, especially in the cloud—The risks of manual key and certificate management will only multiply as businesses continue to seek the benefits of cloud computing.

Most cloud systems, including Amazon’s and Microsoft’s solutions, rely on SSH to establish secure channels through untrusted networks. SSH provides managers with remote root access to a server and its shell services. It also provides servers with such access to each other. This level of access lets the cloud solution do powerful things, but the more power you give admins and computer systems, the more you must trust them.

Yet SSH has no equivalent to a CA to tell systems which SSH keys to trust. IT staff must manage these trust relationships on their own. To ensure the integrity of the system, the staff should rotate keys often; Amazon Web Services recommends a 90-day period.

Already overburdened IT staff must rotate thousands of keys every 90 days. Is that going to happen? Not manually.
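As an added example of what managing those SSH trust relationships "on their own" means in practice (this is not code from the post or the Ponemon report): a small Python inventory of an OpenSSH authorized_keys file, the one place a server records which keys it trusts, reporting each key's algorithm and size and flagging entries a rotation review would act on. The sample file and its key blobs are constructed placeholders, and the 2048-bit RSA floor and the `from=` source-restriction check are assumed policy, not anything the report specifies.

```python
import base64
import shlex
import struct

# SSH wire-format helpers (RFC 4251 "string" and "mpint" encodings).
def _ssh_string(b):
    return struct.pack(">I", len(b)) + b

def _ssh_mpint(n):
    # Positive mpint: big-endian bytes, with a leading 0x00 when the high bit is set.
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))

def _read_string(blob, off):
    (n,) = struct.unpack_from(">I", blob, off)
    return blob[off + 4:off + 4 + n], off + 4 + n

def key_bits(blob):
    """Return (algorithm, key size in bits) for a base64-decoded public-key blob."""
    name, off = _read_string(blob, 0)
    algo = name.decode()
    if algo == "ssh-rsa":
        _e, off = _read_string(blob, off)      # public exponent, not needed here
        n, _ = _read_string(blob, off)         # modulus: its length is the key size
        return algo, int.from_bytes(n, "big").bit_length()
    if algo == "ssh-ed25519":
        return algo, 256
    if algo.startswith("ecdsa-sha2-nistp"):
        return algo, int(algo[len("ecdsa-sha2-nistp"):])
    return algo, 0                             # ssh-dss and anything unrecognised

def split_options(line):
    """Split an authorized_keys line into (options, [keytype, blob, comment...])."""
    fields = shlex.split(line)                 # shlex keeps quoted commas in options together
    if fields[0].startswith(("ssh-", "ecdsa-")):
        return "", fields                      # line starts with the key type: no options
    return fields[0], fields[1:]

def inventory(text, min_rsa_bits=2048):
    """One record per key that grants access, with the findings a reviewer would act on."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        options, fields = split_options(line)
        algo, bits = key_bits(base64.b64decode(fields[1]))
        flags = []
        if algo == "ssh-dss":
            flags.append("dsa-deprecated")
        if algo == "ssh-rsa" and bits < min_rsa_bits:
            flags.append("rsa-%d-too-short" % bits)
        if "from=" not in options:
            flags.append("no-source-restriction")  # any host holding the key may connect
        records.append({"comment": " ".join(fields[2:]), "algo": algo, "bits": bits,
                        "options": options, "flags": flags})
    return records

# Constructed sample: placeholder key material (not real keys), for the demo only.
def _fake_rsa_b64(bits):
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(65537) + _ssh_mpint((1 << (bits - 1)) | 1)
    return base64.b64encode(blob).decode()

SAMPLE = "\n".join([
    'from="10.0.0.0/8",no-pty ssh-rsa %s backup@bastion' % _fake_rsa_b64(2048),
    "ssh-rsa %s legacy-deploy" % _fake_rsa_b64(1024),
    "ssh-ed25519 %s admin@laptop" % base64.b64encode(
        _ssh_string(b"ssh-ed25519") + _ssh_string(b"\x11" * 32)).decode(),
])
```

Run `inventory(open("/path/to/authorized_keys").read())` across a fleet and the output is the starting point for the rotation schedule the post says cannot be kept by hand: which keys exist, where, how strong, and which are unrestricted.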

Trust is the foundation of all relationships: trust between admins and servers, between servers and users, between servers and other servers—and between enterprises and the markets they serve. As our world becomes more connected and more dependent on cloud and mobile technologies, CEOs, CIOs, CISOs and IT security managers must make it their top priority to maintain control over trust by managing keys and certificates. When trust is compromised, business stops.

Our hope is that the Ponemon Institute Cost of Failed Trust Report validates the many IT security professionals who already suspect the risks of losing control of trust and that the report better quantifies the costs for them. We also hope that the report motivates business and IT executives to look beyond the problem toward solutions. You can take action to guarantee the hundreds of millions of dollars at risk: make sure your organization has control over trust by implementing a full key and certificate lifecycle management solution.

Via SecurityWeek


Data-as-a-Service (DaaS)

March 19, 2013

by Ravi Kalakota (thanks to practical analytics)

CIO request — “I want to build a data as a service offering for my data” to the rest of the organization.

Underutilization and the complexity of managing growing data sprawl have motivated several trends during the last several years. Data-as-a-Service (DaaS) represents an opportunity to improve IT efficiency and performance through centralization of resources. DaaS strategies have increased dramatically in the last few years with the maturation of technologies such as data virtualization, data integration, SOA, BPM and Platform-as-a-Service.

These questions are accelerating the Data-as-a-Service (DaaS) trend: How to deliver the right data to the right place at the right time? How to “virtualize” the data often trapped inside applications? How to support changing business requirements (analytics, reporting, and performance management) in spite of ever-changing data volumes and complexity?

Enterprise DaaS strategy and infrastructure is a core focus area for business unit and enterprise CIOs.

  • Enterprise Data Warehouse (EDW) strategies are increasingly moving to cross-enterprise Data-as-a-Service (DaaS) strategies.
  • Structured and unstructured data growth forces the evolution to DaaS.
  • As data in application silos moves to a centralized corporate/enterprise asset, DaaS infrastructure becomes critical.
  • To do any form of enterprise analytics you need DaaS in place first.

In the early years of this market, most DaaS was focused primarily on the financial services, telecom, and government sectors. However, in the past 24 months, we have seen a significant increase in adoption in the healthcare, insurance, retail, manufacturing, eCommerce, and media/entertainment sectors.

Data as a Service (DaaS) Use Cases

Data as a Service (DaaS) is based on the concept that transaction, product and customer data can be provided on demand to the user regardless of the geographic or organizational separation of provider and consumer. Additionally, the emergence of PaaS and service-oriented architecture (SOA) has rendered the actual platform on which the data resides irrelevant as well.

Data as a Service (DaaS) has many use cases:

  1. providing a single version of the truth;
  2. enabling real-time business intelligence (BI);
  3. high-performance, scalable transaction processing;
  4. exposing big-data analytics;
  5. federating views across multiple domains;
  6. improving security and access;
  7. integrating with cloud and partner data and social media;
  8. delivering information to mobile apps;
  9. enterprise-wide search.

Organizations are looking to solve tough data and process integration challenges as they once again begin to invest in new business capabilities.

What is Data-as-a-Service (DaaS)?

Data as a Service (DaaS) brings the notion that data-related services can happen in a centralized place (aggregation, quality, cleansing and enrichment of data) and be offered to different systems, applications or mobile users, irrespective of where they are. As such, DaaS solutions provide the following advantages:

  • Agility (and time to market) – Customers can move quickly due to the consolidation of data access and the fact that they don’t need extensive knowledge of the underlying data. If customers require a slightly different data structure or have location-specific requirements, the implementation is easy because the changes are minimal.
  • Cost-effectiveness – Providers can build the base with the data experts and outsource the presentation layer, which makes for very cost-effective report and dashboard user interfaces and makes change requests at the presentation layer much more feasible.
  • Data quality – Access to the data is controlled via data services, which tends to improve data quality, as there is a single point for updates. Once those services are tested thoroughly, they only need to be regression tested if they remain unchanged for the next deployment.
  • Cloud-like efficiency, high availability and elastic capacity – These benefits derive from the virtualization foundation: one gets efficiency from the high utilization of sharing physical servers, availability from clustering across multiple physical servers, and elastic capacity from the ability to dynamically resize clusters and/or migrate live cluster nodes to different physical servers.

Agility (and time to market) is probably the most important driver for DaaS, more so than cost; data quality is a metric needed to show value to the technology team.

Data-as-a-Service (DaaS) Elements

Client need — “I want to build a data as a service offering for my data” to the rest of the organization.

Components to enable this are as follows:

1) Data acquisition – can come from any source: data warehouses, emails, portals, third-party data sources.

2) Data stewardship and standardization – boil it down to a standard, manually or automatically.

3) Data aggregation – a purpose-built (“stick-built”) data warehouse for the acquired data. This has a strong service- and technology-driven quality control mechanism, as opposed to “let’s write 100 ETL programs.”

4) Data servicing – via web services, extracts, reports, etc. Make it easy for the end user to consume, either machine-to-machine or directly via a reporting universe. It’s probably a while before we move up-market to reporting, but machine-to-machine consumption is in our wheelhouse.

All these capabilities come together around the data logistics chain. The last few decades have seen a dramatic shift in how data is handled in companies. Firms are shifting away from a hierarchical, one-dimensional enterprise data warehouse (EDW) initiative (with fixed data sources) to a fragmented network built on strategic partnerships with external data sources. This phenomenon causes ripple effects throughout the old data logistics network. Data-as-a-Service (DaaS) at its core is a way to address this problem of fragmentation.

BigData Use Case - Data Logistics

Summary

Domain Knowledge, Application Knowledge, People/talent, Processes, Technology Platforms are key requirements of DaaS strategy.

Obviously, the market leaders want to position themselves to become the experts in knowing the underlying data so everyone else in the organization does not have to; domain expertise becomes really important here.

Notes

1) Platform as a Service (PaaS) is being applied to Enterprise Data

2) Data virtualization is a precursor to DaaS. Vendors include: Composite Software, Denodo Technologies, IBM, Informatica, Microsoft, Oracle, and Red Hat. Other vendors who fill pieces of the DaaS puzzle include Endeca Technologies, Gigaspaces, Ipedo, Memcached, Pentaho, Quest Software, Talend, and Terracotta.

3) A variety of technologies comprise the DaaS category, including distributed data caching, search engines, elastic caches, information lifecycle management (ILM) solutions, data replication, data quality, data transformation, content management, and data modeling.


Connecting the world a Microsoft documentary

February 14, 2013

This video documentary by Microsoft explores how digital technology, and specifically interaction design, is changing and will change our lives in an ever more connected world. It’s 18 minutes long but well worth a watch. I thought I’d paraphrase a few of the most thought-provoking comments from the documentary below:

“Without humans there’s nothing interesting to talk about.”

“We are in the phase where we are a little confused about what’s important in life.”

“It’s about understanding that ecosystem where the human is at the centre.”

“It’s about getting more of the physical world connected with the digital world.”

“What we design as a man-made object is only complete when there are people using it”


RUSSIAN SEARCH ENGINE YANDEX TAKING THE LEAD OVER BING, GOOGLE STILL ON TOP

February 11, 2013

Yandex, the Russian search engine, is emerging as a leading search engine, taking the lead over counterparts such as Bing. Comscore analysis of statistics recorded for worldwide search engine queries between November and December 2012 reveals that Microsoft websites processed 4.477 billion queries, while Yandex processed 4.844 billion.

Google was still miles ahead with 114.73 billion search queries and 65.2 percent market share. Second place belonged to Chinese search engine Baidu with 14.5 billion and 8.2 percent market share while Yahoo took the third place with 8.63 billion and 4.9 percent.

Although industry giant Microsoft has every resource at its disposal, Yandex, whose marketing budget is not even close to that of Bing, is turning out to be on top for global search queries.

Source: Michael Bonfils, The Inquirer


8 Insights About The Coming Era Of Interactive Design

January 15, 2013

Connecting is a short documentary by Bassett & Partners and Microsoft that explores how our lives (and our gadgets) have changed and will change in a more connected world. It’s 18 minutes long but well worth the time, as it features interviews with designers from Method, Twitter, Arduino, Frog, Stamen, Microsoft, and Nokia. What’s crazy, even with the magic of editing, is that so many of these talented perspectives tend to finish one another’s sentences.

As you watch, you’ll see a general consensus on a few really important points. They’d make a decent poster:

  1. Our phones demand too much attention, detracting from our real experiences.
  2. Analog metaphors are making less sense on digital devices.
  3. We’re waiting for new paradigms in experiencing media like text on screens.
  4. UX is a living, somewhat unpredictable thing. All experiences need to be fluid and flexible now.
  5. You shouldn’t just try to understand a product. You should try to understand its connected network.
  6. An “Internet of things” (countless connected sensors) is coming, and is already here.
  7. All of our information feeds into something larger than ourselves, a “superorganism” or “colony” of digital information.
  8. The hive mind got so big that greater Internet thought is now manifesting locally (think Egypt’s uprising or Occupy Wall Street).

http://www.fastcodesign.com/1671611/8-insights-about-the-coming-era-of-interactive-design


CES 2013: Crazy new technology from Microsoft and Samsung

January 11, 2013

There is some crazy awesome technology coming out of Las Vegas this week as the annual International Consumer Electronics Show takes over the Las Vegas Convention Center. And you thought 3-D was the future. In a partnership between Samsung and Microsoft, a new awesome level of interactive living space is in the works. Microsoft calls it “IllumiRoom” and it works in concert with your Xbox Kinect.


Hello, Hekaton! Microsoft Plans In-Memory OLTP SQL Server

November 28, 2012

In a keynote at SQL PASS Summit, Microsoft announced it is bringing in-memory online transaction processing (OLTP) to the next major release of SQL Server, code-named Hekaton. Twitter lit up with chatter about it, and at our booth at PASS, Hekaton was the topic du jour.

Our quick take on Hekaton is that even in-memory databases have transaction logs that are on persistent storage. By utilizing ioMemory as the persistent storage for transaction logs, we accelerate transaction processing, as the logs are being written to constantly. It’s faster to recover an in-memory database as well, because the transaction logs have to be read quickly to recover a database fast. Finally, the backup speed of in-memory databases gets faster if the backups reside on ioMemory.

Hekaton is all about efficiency and performance, the same ideals that drive innovation at Fusion-io. We think Hekaton sounds promising. Here’s to database acceleration!

Here are a few tidbits about Hekaton from around the web:

“Hekaton is the Greek word for 100 times, and Microsoft says that’s the design goal for the peak performance improvements it’s expecting.” Doug Henschen, InformationWeek

“Hekaton is currently in private technology preview with a small set of customers, which company officials are planning to expand to 100 before the end of this calendar year.” Mary Jo Foley, ZDNet

“The next version of SQL Server will feature the ability to host database tables or even entire databases within a server’s working memory.” Joab Jackson, Computerworld

“Data has emerged as the new currency of business.” Ted Kummert, Corporate Vice President of Microsoft’s Business Platform Division, The Official Microsoft Blog

In a recent article in FX-MM, Steven Graves, CEO of McObject, reports on his experience with ioMemory and in-memory databases. Check out “Databases: Have your in-memory performance, and recoverability too.”



Here’s what early reviews of Microsoft’s new Surface tablet are saying

October 24, 2012

Early reviews for Microsoft’s new Surface tablet have been released this evening, giving us a look at the company’s supposed “saving grace.” According to the pundits who got their hands on it early, things aren’t looking too good for Microsoft. Many are complaining about a lack of apps, awkwardness of the Windows 8 RT operating system, and a buggy platform. It sounds like the iPad will remain unchallenged by Microsoft…for now.


Aiming to head off Apple, Microsoft shows off Xbox SmartGlass mobile app and Xbox dashboard update

October 23, 2012

Hoping to steal a little thunder from Apple’s expected iPad Mini announcement today, Microsoft announced details of its Xbox SmartGlass app, which extends your entertainment experience across the screens of the TV, tablet, phone, and PC.

Yusuf Mehdi, the chief marketing officer at Microsoft’s Interactive Entertainment Division, said in a blog post that the new app is part of why, as Microsoft chief executive Steve Ballmer promised, 2012 will be “the most epic year in Microsoft’s history.” On Friday, Microsoft is introducing its Windows 8 operating system and its Surface tablet.

