VMware has the quality, market share, and price-point of a high-end IT industry leader.  It also sits in between the hardware layer and the OS layer, a position that our friends in Redmond do not like to share with anyone if they can help it.   Looks like 2012 may be the year that Microsoft gets serious about competition in this space with HyperV3.  Some good technical stuff from Julio Urquidi  here.  Also see this good piece from Beth Pariseau for some insight into the details below.

Virtualization 2012: Hyper-V 3 vs. vSphere 5 showdown looms

Beth Pariseau, Senior News Writer, SearchServerVirtualization.com

Microsoft’s Hyper-V has been making steady progress catching up to VMware for years, but as IT pros look ahead into 2012, they see the battle between these two virtualization vendors heating up like never before.

In one corner: VMware vSphere 5, made generally available in August, and capable of supporting up to 1 TB of RAM and 32 virtual CPUs per virtual machine (VM). Other new features include Auto Deploy, which can automatically provision hosts according to user-defined rules; overhauled High Availability (rechristened Fault Domain Manager); policy-driven storage provisioning; and Storage Distributed Resource Scheduler.

In the other corner: Microsoft Hyper-V 3.0, still at the developer preview stage. If released as planned before the end of 2012, however, it will contain several key features to bring it into closer competition with vSphere. Those features include a new extensible virtual switch (which has received Cisco’s pledge of support), true live storage migration, shared-nothing live migration, and new scalability with up to 32 virtual CPUs and 512 GB of memory — up from a limit of 4 vCPUs and 64 GB of RAM.

…

Read the full story here.

Three lessons jump out at me from this story:

1. If you are dealing with credit card data, actually getting the PCI done end-to-end seems like a very good idea.  Don’t forget the field offices, Jarad!
2. No remote access software tools anywhere near servers that house credit card data (part of PCI)
3. Using easy-to-guess passwords is still the #1 dumb thing to do in data security, and one of the easiest to fix (also in PCI, and see my recent post here as well).

Check out the excerpted story from Gallagher below, and read it in full at:  http://arstechnica.com/business/news/2011/12/how-hackers-gave-subway-a-30-million-lesson-in-point-of-sale-security.ars

——————

How hackers gave Subway a $3 million lesson in point-of-sale security

By Sean Gallagher | Ars Technica

… In a scheme dating back at least to 2008, a band of Romanian hackers is alleged to have stolen payment card data from the point-of-sale (POS) systems of hundreds of small businesses, including more than 150 Subway restaurant franchises and at least 50 other small retailers. And those retailers made it possible by practically leaving their cash drawers open to the Internet, letting the hackers ring up over $3 million in fraudulent charges.

…

The tools used in the crime are widely available on the Internet for anyone willing to take the risks, and small businesses’ generally poor security practices and reliance on common, inexpensive software packages to run their operations makes them easy pickings for large-scale scams like this one, Marcus said.

… the systems attacked were discovered through a targeted port scan of blocks of IP addresses to detect systems with a specific type of remote desktop access software running on them. The software provided a ready-made back door for the hackers to gain entry to the POS systems—which is why remote access software is banned from systems that handle payment cards by the PCI Security Standards Council, which governs credit card and debit card payment systems security.

“… the hackers gained access to the remote desktop software by guessing or “cracking” the passwords they were configured with. Fellmann isn’t surprised, based on his experience with retailers. Weak passwords, such as “password,” are one of the most common things he discovers during POS penetration testing, he said. “Some people, you tell them what’s required, and they’d rather not do it. They had the tools, and could have easily blocked [the attack]. If they were using a validated POS application, the vendor should provide an implementation plan, which would have included making sure you have a firewall in place. ” But, he said, “these people weren’t thinking about point of sale security—they were just thinking about making a sandwich…”

Read the full story here.

SplashData put out there “worst password of 2011” report, based on a blind review of their database of common passwords.  If you use any of these on any accounts you wish to protect, clearly a good idea to think about changing them soon.

• password
• 123456
• 12345678
• qwerty
• abc123
• monkey
• 1234567
• letmein
• trustno1
• dragon
• baseball
• 111111
• iloveyou
• master
• sunshine
• ashley
• bailey
• passw0rd
• shadow
• 123123
• 654321
• superman
• qazwsx
• michael
• football

A few simple guidelines for good passwords, from around the web:

• Use at least eight characters
• Use a random mixture of characters, upper and lower case, numbers, punctuation, spaces and symbols.
• Don’t use a word found in any dictionary, English or foreign.

Stuff that just doesn’t work well, at least not anymore, because common hacker tools know them well:

• Don’t merely add a single digit or symbol before or after a word. e.g. “password1″
• Don’t double a single word. e.g. “kittykitty”
• Don’t just reverse a word. e.g. “drowssap”, or just remove the vowels. e.g. “psswrd”
• Avoid Keyboard sequences that can easily be repeated. e.g. “qwerty”,”zxcvf” etc.
• Don’t garble letters into numbers as the only thing between you and the dictionary, e.g. converting e to 3, L or i to 1, o to 0. as in “z3r0-10v3″

Read more about the Splashdata report in full here: http://splashdata.com/splashid/worst-passwords/index.htm

eWeek.com did a nice piece, quoting extensively from recent NSA public statements, on how both cloud and data security strategies in general are starting to move into extended pilot modes.  Here is a link to the General’s presentation - below is an except from the eWeek summary.

U.S. Counts on the Cloud to Boost Cyber–Security

 By: Fahmida Y. Rashid, eWeek.com

Army Gen. Keith Alexander, head of the National Security Agency (NSA), discussed the cloud and how to defend against increasingly sophisticated cyber-threats at a recent Information Systems Security Association conference in Baltimore and in a follow-up interview with eWEEK. As commander of U.S. Cyber Command, he also discussed rules of engagement for the military in cyberspace.

The cloud is a key part of the intelligence community’s IT strategy, Alexander said, because cloud computing gives defense and intelligence agencies more visibility over hackers who are trying to breach government networks.

Within the NSA and Department of Defense (DoD), there are more than 7 million pieces of IT infrastructure and systems and 15,000 different network enclaves, according to numbers provided by the general. With each enclave protected by its own firewall, network administrators have little to no insight into what is happening in isolated and segmented networks, he said.

“Collapsing the enclaves” would provide administrators with a better end-to-end view of their networks and situational awareness, said Alexander. He added that it’s not a perfect solution, but “it is more defensible.”

In a pilot program, the NSA has reduced the number of applications it is running from 5,000 to 250 cloud applications and slashed the number of help desks from 900 to 450, according to Alexander. The agency plans to keep shrinking the infrastructure to just two help desks and 20 data centers, as well as adopt more open-source software, he said, noting that the military is already using Apache Hadoop and OpenStack.

Read the full piece here.

Gerry Smith the digital affairs reporter for HuffPo wrote a nice piece on a new FCC tool out there to assist smaller business with security audits.  Here is a small piece of it:

A growing number of cyberattacks are targeting small businesses, from construction companies to local grocery stores, presenting an emerging threat that government officials are trying to combat.

While attacks against large corporations like Sony and Citigroup have garnered attention this year, experts are increasingly worried about the digital vulnerabilities of small businesses, who often lack the resources to invest in cybersecurity. Forty percent of all targeted cyberattacks are aimed at companies with less than 500 employees, according to the security firm Symantec.

“With larger companies increasing their protections, small businesses are now the low hanging fruit for cybercriminals,” FCC Chairman Julius Genachowski said Monday at a cybersecurity forum at the U.S. Chamber of Commerce.

Now, government officials are offering help.

On Monday, the FCC announced a new online tool, the “Small Biz Cyber Planner,” that allows small businesses to create customized cybersecurity strategies by answering questions like whether they handle credit card data or host a public website.

Read the rest of the story here.

by Clint Boulton

Cloud Computing News

Google and Microsoft both watched their cloud computing systems choke this past week, with Google Docs going dark for an hour and Microsoft Hotmail, Office 365 and SkyDrive knocked offline for three hours.

Google Sept. 7 saw its Google Docs word collaboration application [act] up for one hour, shutting out millions of users from their document lists, documents, drawings and Apps Scripts. Microsoft, meanwhile, watched its online services, including Hotmail, SkyDrive and Office 365 software, go kaput for three hours Sept. 8.

Google’s outage was caused by a memory management bug software engineers triggered in a change designed to “improve real time collaboration within the document list,” the company explained in a corporate blog post.

…

Microsoft’s outage was more serious. Beginning around 9:30 PDT Sept. 8, the company’s Hotmail, SkyDrive and Office 365 services went down, owing to a Domain Name System (DNS) issue.

Read the rest at http://www.eweek.com/c/a/Cloud-Computing/Google-Microsoft-Weather-Cloud-Computing-Outages-779302

The federal government continues to take a leading role in promoting and adopting cloud strategies.
Kevin L. Jackson did a nice blog piece of Fedplatform.org, worth a look here.  It’s a commercial site, but pulls together some useful pieces, like Amazon’s government specific cloud, the Federal Cloud Computing Strategy and the Federal CIO’s 25-Point Federal IT Reform Plan, and some other cool stuff

There will be lots more stuff out there, as the federal moves to the cloud continue, I suspect.

One random item that impressed me was progress they’d made on public and private cloud integration with the high performance computing tools (Windows HPC Server 2008 R2).   Four things stood out.  First, was the ability to burst to Azure, now central to the product.  Second, was the ability to leverage unused Windows 7 desktop PC CPU power, which for an Enterprise or a University or some other facility with lots of systems that do little at night could be huge . Third, MSFT has tied HPC fully into Excel 2010, allowing the building of some impressive front ends with even more impressive backends.  Lastly, they had some algorithms to keep up with Mapreduce.

Here is a glimpse of the pieces and how they go together:

Days prior to Microsoft’s Office 365 launch, the first state government to drop its in-house software in favor of Google’s cloud-computing offering announced that all 10,000 employees have made the move.

By Elizabeth Montalbano InformationWeek

June 22, 2011 04:16 PM

Wyoming has completed a migration of 10,000 employees to Google Apps for Government for collaboration and unified communications, the first state government to drop its in-house software in favor of Google’s cloud-computing offering.

“Our entire state government has gone Google,” Wyoming Governor Matt Mead said in a guest appearance on the Google Enterprise Blog. “Wyoming is the first state in the country to make this transition.”

Read the full story here.