Archive for the ‘security’ Category

Hyper-V 3 may give VMware a run for its money this year


VMware has the quality, market share, and price point of a high-end IT industry leader. It also sits between the hardware layer and the OS layer, a position that our friends in Redmond do not like to share with anyone if they can help it. It looks like 2012 may be the year that Microsoft gets serious about competition in this space with Hyper-V 3. Some good technical stuff from Julio Urquidi here. Also see this good piece from Beth Pariseau for some insight into the details below.


Virtualization 2012: Hyper-V 3 vs. vSphere 5 showdown looms

Beth Pariseau, Senior News Writer, SearchServerVirtualization.com

Microsoft’s Hyper-V has been making steady progress catching up to VMware for years, but as IT pros look ahead into 2012, they see the battle between these two virtualization vendors heating up like never before.

In one corner: VMware vSphere 5, made generally available in August, and capable of supporting up to 1 TB of RAM and 32 virtual CPUs per virtual machine (VM). Other new features include Auto Deploy, which can automatically provision hosts according to user-defined rules; overhauled High Availability (rechristened Fault Domain Manager); policy-driven storage provisioning; and Storage Distributed Resource Scheduler.

In the other corner: Microsoft Hyper-V 3.0, still at the developer preview stage. If released as planned before the end of 2012, however, it will contain several key features to bring it into closer competition with vSphere. Those features include a new extensible virtual switch (which has received Cisco’s pledge of support), true live storage migration, shared-nothing live migration, and new scalability with up to 32 virtual CPUs and 512 GB of memory — up from a limit of 4 vCPUs and 64 GB of RAM.

Read the full story here.


Why Implementing End-to-End PCI Security is a Good Idea: The Subway Franchise Caper

Three lessons jump out at me from this story:

  1. If you are dealing with credit card data, actually getting PCI done end-to-end seems like a very good idea. Don’t forget the field offices, Jarad!
  2. No remote access software tools anywhere near servers that house credit card data (part of PCI).
  3. Using easy-to-guess passwords is still the #1 dumb thing to do in data security, and one of the easiest to fix (also in PCI, and see my recent post here as well).

Check out the excerpted story from Gallagher below, and read it in full at: http://arstechnica.com/business/news/2011/12/how-hackers-gave-subway-a-30-million-lesson-in-point-of-sale-security.ars

——————


How hackers gave Subway a $3 million lesson in point-of-sale security

By Sean Gallagher | Ars Technica

… In a scheme dating back at least to 2008, a band of Romanian hackers is alleged to have stolen payment card data from the point-of-sale (POS) systems of hundreds of small businesses, including more than 150 Subway restaurant franchises and at least 50 other small retailers. And those retailers made it possible by practically leaving their cash drawers open to the Internet, letting the hackers ring up over $3 million in fraudulent charges.

The tools used in the crime are widely available on the Internet for anyone willing to take the risks, and small businesses’ generally poor security practices and reliance on common, inexpensive software packages to run their operations make them easy pickings for large-scale scams like this one, Marcus said.

… the systems attacked were discovered through a targeted port scan of blocks of IP addresses to detect systems with a specific type of remote desktop access software running on them. The software provided a ready-made back door for the hackers to gain entry to the POS systems—which is why remote access software is banned from systems that handle payment cards by the PCI Security Standards Council, which governs credit card and debit card payment systems security.

… the hackers gained access to the remote desktop software by guessing or “cracking” the passwords they were configured with. Fellmann isn’t surprised, based on his experience with retailers. Weak passwords, such as “password,” are one of the most common things he discovers during POS penetration testing, he said. “Some people, you tell them what’s required, and they’d rather not do it. They had the tools, and could have easily blocked [the attack]. If they were using a validated POS application, the vendor should provide an implementation plan, which would have included making sure you have a firewall in place.” But, he said, “these people weren’t thinking about point of sale security—they were just thinking about making a sandwich…”

Read the full story here.




Some really poor password choices…

For better or worse, passwords are the basis of much of the security we use in the cloud.

SplashData put out their “worst passwords of 2011” report, based on a blind review of their database of common passwords. If you use any of these on any account you wish to protect, it is clearly a good idea to think about changing them soon.

  • password
  • 123456
  • 12345678
  • qwerty
  • abc123
  • monkey
  • 1234567
  • letmein
  • trustno1
  • dragon
  • baseball
  • 111111
  • iloveyou
  • master
  • sunshine
  • ashley
  • bailey
  • passw0rd
  • shadow
  • 123123
  • 654321
  • superman
  • qazwsx
  • michael
  • football

A few simple guidelines for good passwords, from around the web:

  • Use at least eight characters
  • Use a random mixture of characters, upper and lower case, numbers, punctuation, spaces and symbols.
  • Don’t use a word found in any dictionary, English or foreign.


Stuff that just doesn’t work well, at least not anymore, because common hacker tools know these tricks well:

  • Don’t merely add a single digit or symbol before or after a word, e.g. “password1”.
  • Don’t double a single word, e.g. “kittykitty”.
  • Don’t just reverse a word, e.g. “drowssap”, or just remove the vowels, e.g. “psswrd”.
  • Avoid keyboard sequences that can easily be repeated, e.g. “qwerty”, “zxcvf”, etc.
  • Don’t garble letters into numbers as the only thing between you and the dictionary, e.g. converting e to 3, L or i to 1, o to 0, as in “z3r0-10v3”.
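As an added example (not from this post or from SplashData), here is a small Python policy check that flags each of the weak patterns listed above. The stand-in dictionary, the sample of the worst-passwords list, the digit-for-letter map and the four-key run length are assumptions made for the demo; a real check would load a full wordlist and the full SplashData list.

```python
import re

# Constructed sample of the SplashData list quoted above; a real check loads the full list.
WORST_PASSWORDS = {"password", "123456", "qwerty", "abc123", "letmein", "trustno1", "passw0rd"}
# Tiny stand-in dictionary (assumption: a real check loads a full multi-language wordlist).
DICTIONARY = {"password", "kitty", "zero", "love", "monkey", "dragon", "sunshine"}
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]
# Assumed digit/symbol-for-letter substitutions (e->3, l->1, o->0, ...) to undo before a dictionary lookup.
LEET = str.maketrans({"3": "e", "1": "l", "0": "o", "@": "a", "$": "s", "!": "i"})
STRIP_VOWELS = str.maketrans("", "", "aeiou")

def keyboard_sequence(s, n=4):
    """True if s contains n adjacent keys from one keyboard row, forwards or backwards."""
    for row in KEYBOARD_ROWS:
        for r in (row, row[::-1]):
            if any(r[i:i + n] in s for i in range(len(r) - n + 1)):
                return True
    return False

def weaknesses(pw):
    """Return the guideline violations found in a candidate password (empty list = none found)."""
    low, found = pw.lower(), []
    if len(pw) < 8:
        found.append("shorter than eight characters")
    if low in WORST_PASSWORDS:
        found.append("on the worst-passwords list")
    if low in DICTIONARY:
        found.append("dictionary word")
    # one digit or symbol added before or after a word, e.g. "password1"
    m = re.fullmatch(r"[^a-z]?([a-z]+)[^a-z]?", low)
    if m and m.group(1) != low and m.group(1) in DICTIONARY:
        found.append("dictionary word plus one leading/trailing character")
    # the same word twice, e.g. "kittykitty"
    half = len(low) // 2
    if len(low) % 2 == 0 and low[:half] == low[half:] and low[:half] in DICTIONARY:
        found.append("doubled dictionary word")
    if low[::-1] in DICTIONARY:  # "drowssap"
        found.append("reversed dictionary word")
    if any(w != low and w.translate(STRIP_VOWELS) == low for w in DICTIONARY):  # "psswrd"
        found.append("dictionary word with vowels removed")
    if keyboard_sequence(low):  # "qwerty", "zxcvf"
        found.append("keyboard sequence")
    # digit-for-letter substitutions only, e.g. "z3r0-10v3" -> "zero-love"
    undone = low.translate(LEET)
    parts = [p for p in re.split(r"[^a-z]+", undone) if p]
    if undone != low and parts and all(p in DICTIONARY for p in parts):
        found.append("dictionary words disguised with digit substitutions")
    return found

def password_ok(pw):
    """A candidate passes only when none of the patterns above were found."""
    return not weaknesses(pw)
```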

Read more about the SplashData report in full here: http://splashdata.com/splashid/worst-passwords/index.htm



Cyber Security Gets the DOD Cloud Treatment

eWeek.com did a nice piece, quoting extensively from recent NSA public statements, on how both cloud and data security strategies in general are starting to move into extended pilot modes. Here is a link to the General’s presentation; below is an excerpt from the eWeek summary.


U.S. Counts on the Cloud to Boost Cyber-Security

By: Fahmida Y. Rashid, eWeek.com

Army Gen. Keith Alexander, head of the National Security Agency (NSA), discussed the cloud and how to defend against increasingly sophisticated cyber-threats at a recent Information Systems Security Association conference in Baltimore and in a follow-up interview with eWEEK. As commander of U.S. Cyber Command, he also discussed rules of engagement for the military in cyberspace.

The cloud is a key part of the intelligence community’s IT strategy, Alexander said, because cloud computing gives defense and intelligence agencies more visibility over hackers who are trying to breach government networks.

Within the NSA and Department of Defense (DoD), there are more than 7 million pieces of IT infrastructure and systems and 15,000 different network enclaves, according to numbers provided by the general. With each enclave protected by its own firewall, network administrators have little to no insight into what is happening in isolated and segmented networks, he said.

“Collapsing the enclaves” would provide administrators with a better end-to-end view of their networks and situational awareness, said Alexander. He added that it’s not a perfect solution, but “it is more defensible.”

In a pilot program, the NSA has reduced the number of applications it is running from 5,000 to 250 cloud applications and slashed the number of help desks from 900 to 450, according to Alexander. The agency plans to keep shrinking the infrastructure to just two help desks and 20 data centers, as well as adopt more open-source software, he said, noting that the military is already using Apache Hadoop and OpenStack.

Read the full piece here.



Small Businesses Are a Target for Hackers

Gerry Smith, the digital affairs reporter for HuffPo, wrote a nice piece on a new FCC tool to assist smaller businesses with security audits. Here is a small piece of it:

A growing number of cyberattacks are targeting small businesses, from construction companies to local grocery stores, presenting an emerging threat that government officials are trying to combat.

While attacks against large corporations like Sony and Citigroup have garnered attention this year, experts are increasingly worried about the digital vulnerabilities of small businesses, which often lack the resources to invest in cybersecurity. Forty percent of all targeted cyberattacks are aimed at companies with fewer than 500 employees, according to the security firm Symantec.

“With larger companies increasing their protections, small businesses are now the low hanging fruit for cybercriminals,” FCC Chairman Julius Genachowski said Monday at a cybersecurity forum at the U.S. Chamber of Commerce.

Now, government officials are offering help.

On Monday, the FCC announced a new online tool, the “Small Biz Cyber Planner,” that allows small businesses to create customized cybersecurity strategies by answering questions like whether they handle credit card data or host a public website.

Read the rest of the story here.



Google, Microsoft Suffer Cloud Computing Outages

Even the big guys have not got it down quite right yet at scale:

by Clint Boulton

Cloud Computing News

Google and Microsoft both watched their cloud computing systems choke this past week, with Google Docs going dark for an hour and Microsoft Hotmail, Office 365 and SkyDrive knocked offline for three hours.

Google Sept. 7 saw its Google Docs word collaboration application [act] up for one hour, shutting out millions of users from their document lists, documents, drawings and Apps Scripts. Microsoft, meanwhile, watched its online services, including Hotmail, SkyDrive and Office 365 software, go kaput for three hours Sept. 8.

Google’s outage was caused by a memory management bug software engineers triggered in a change designed to “improve real time collaboration within the document list,” the company explained in a corporate blog post.

Microsoft’s outage was more serious. Beginning around 9:30 PDT Sept. 8, the company’s Hotmail, SkyDrive and Office 365 services went down, owing to a Domain Name System (DNS) issue.

Read the rest at http://www.eweek.com/c/a/Cloud-Computing/Google-Microsoft-Weather-Cloud-Computing-Outages-779302




Fed idea seekers can advance their cloud strategy with FedPlatform.org

The federal government continues to take a leading role in promoting and adopting cloud strategies.
Kevin L. Jackson did a nice blog piece on FedPlatform.org, worth a look here. It’s a commercial site, but it pulls together some useful pieces, like Amazon’s government-specific cloud, the Federal Cloud Computing Strategy, the Federal CIO’s 25-Point Federal IT Reform Plan, and some other cool stuff.

There will be lots more stuff out there as the federal moves to the cloud continue, I suspect.



How Private Clouds Can Ramp to Public Clouds


On-Premise Private Clouds: Effective On-Ramp to Cloud Computing Adoption

An Interview By: Elizabeth White of Cloud Computing Journal with Cloud Expo Conference Chair Jeremy Geelan

Apr. 6, 2011 10:38 AM

“Cloud computing has evolved from a point product solution that addressed a particular pain point (for example, high performance computing grids designed to analyze massive data sets) to an integrated and key component of a whole product solution designed to address a broad array of computing challenges for the enterprise,” noted Thomas Bryant, Director of Advanced Technology & Products for Quest Software, in this exclusive Q&A with Cloud Expo Conference Chair Jeremy Geelan. Bryant concluded that “The best of today’s cloud computing environments enable enterprises to leverage their existing infrastructure investments more efficiently and easily integrate with existing processes and management solutions.”

Read the whole interview here: http://www.sys-con.com/node/1783287





Briefing the CEO About Cloud Computing: Some CIO Guidelines

Getting the upstream message right is a big part of the CIO’s job description.

Jeanne Harris and Allan Alter of the Accenture Institute for High Performance do a nice job in this piece describing some of the key things to focus on, especially when it comes to ROI analysis.

Excerpt below.


What You Should Tell Your CEO About Cloud Computing

By Jeanne G. Harris, Allan E. Alter
2011-03-28

…At a time when companies’ use of clouds is just getting started, the chief information officer’s judgment and store of knowledge are invaluable assets. These are especially important when the CIO sets out to educate that most important stakeholder of all, the chief executive officer.

First Requirement: Master the Facts

One place where you can begin this all-important dialogue is by demonstrating a balanced, clear-minded understanding of the business case for cloud computing. That includes a realistic view of the savings from clouds. Moving to the cloud always means automatic savings. In fact, one study of those who adopt software-as-a-service found that only about half get a positive return on their investment; a quarter end up spending more than they expect.

A discussion like this with the CEO has the advantage of signaling that you are attuned to business issues and of demonstrating a predisposition to facts over hype.

Indeed, if the CIO is to be the IT person who leads the cloud charge at a company, this is really the first requirement: Knowing the facts.

Knowing the facts means developing a dossier about what some leading companies are doing with the cloud. The activities of competitors and business partners should be included as part of that intelligence…

Read the whole piece here: http://www.cioinsight.com/c/a/Expert-Voices/What-You-Should-Tell-Your-CEO-About-Cloud-Computing-795154/


About the authors

Jeanne G. Harris is a senior executive research fellow with the Accenture Institute for High Performance, and is based in Chicago. Allan E. Alter is a research fellow with the Accenture Institute for High Performance and a former executive editor of CIO Insight. He is based in Boston.



IBM making moves towards private cloud with Tivoli Updates

Carl Brooks of searchCloudComputing.com just put out an interesting piece on IBM’s updating of Tivoli as a complement to, and perhaps a replacement for, VMware in the building of private clouds. The industry seems to be taking some notice of IBM’s approach to the cloud, finally.


Did IBM just change the game in private cloud?

By Carl Brooks, Senior Technology Writer

02 Mar 2011 | searchCloudComputing.com

Does IBM have the wherewithal to compete in the commodity hardware cloud?

Say “IBM” and “cloud computing” in the same breath and many IT managers will roll their eyes. The IT leader’s cloud strategy has been seen by many as a mess.

But that may be about to change. IBM recently revealed a beta program of updates to its Tivoli software that may breathe new life into the company’s private cloud ambitions.

The new capabilities include support for VMware’s VIM APIs in a variety of Tivoli tools, including image repositories, automated provisioning, application deployment and Tivoli Storage Manager (integrating TSM and VMware heretofore has not been pretty). Enhancements to Tivoli Provisioning Manager may include booting VMware images directly from block storage instead of having them preloaded into memory. IBM claims that images can be booted in seconds.

Read the rest here.

Carl Brooks is the Senior Technology Writer for SearchCloudComputing.com. Contact him at cbrooks@techtarget.com.

