Monday 12 October 2009
Microsoft yawns at Google's chillerless data center antidote
"We are at such an enormous scale. Think about this world where many data centers and hundreds of thousands of servers are running search and enterprise services and all sorts of services," Microsoft data center chief Arne Josefsberg tells The Reg.
"These infrastructures that we run - and that Google does too - are so large, you can't really rely on individuals to manually make these decisions on an application failing-over from one [data center] site to another. Essentially, it all has to be built into automation software that makes these types of decisions."
This summer, at a cloud-happy mini-conference in San Francisco, Google architecture guru/quip-meister Vijay Gill hinted that the Mountain View Chocolate Factory had developed some sort of back-end technology that automatically moves live compute loads to other locations when a data center verges on overheating.
"You have to have integration with everything right from the chillers down all the way to the CPU," Gill said. "Sometimes, there's a temperature excursion, and you might want to do a quick load-shedding to prevent a temperature excursion because, hey, you have a data center with no chillers. You want to move some load off. You want to cut some CPUs and some of the processes in RAM."
And, yes, he indicated the company has a way of redistributing these workloads (near-)instantly. "How do you manage the system and optimize it on a global level? That is the interesting part," he continued. "What we've got here [with Google] is massive - like hundreds of thousands of variable linear programming problems that need to run in quasi-real-time. When the temperature starts to excurse in a data center, you don't have the luxury of sitting around for half an hour... You have on the order of seconds."
Apparently, that bit about the "data center with no chillers" was a reference to Google's new facility in Saint-Ghislain, Belgium. According to a report from Data Center Knowledge, the Belgium facility really does operate without chillers, using nothing but the outside Belgium air - aka "free-cooling" - to keep temperatures low in the server room.
And it seems that when the Belgium summer gets too hot, Google uses its mystery software platform to shift loads elsewhere. Though the company won't actually fess up. "I don't believe we have published any papers regarding that," uber-Googler Matt Cutts recently told The Reg.
A typically coy Google remark? Microsoft seems to think so.
Zero-day fixes star in biggest ever Patch Tuesday
Microsoft is preparing its biggest ever Patch Tuesday update for next week.
The bumper batch of 13 bulletins collectively address 34 security flaws across a wide spectrum of Microsoft products. Eight of the baker's dozen bulletins earn the dread classification of critical, Microsoft's highest severity rating.
Two of these upcoming critical updates address flaws already being exploited in the wild: a vulnerability in SMBv2 (Server Message Block, version 2) and a security flaw in the FTP service that ships with Microsoft's IIS web server software.
Other patches cover IE, Office, developer tools, and SQL Server. All supported versions of Windows will need patching for one reason or another, including Windows 7. The operating system doesn't ship until 22 October, but its RTM code needs patching ahead of that to defend against critical IE8-related security bugs.
The 13 bulletins compare with the previous high-water mark of 12, reached by Microsoft in February 2007 and equalled in October 2008.
Microsoft's pre-alert notice omits details of the individual flaws pending the release of the patches.
New H@xFactor 2009: government-style talent show
The UK government has launched plans to find the best young hackers through a talent competition.
Would-be cyberdefenders will be rated on their abilities to thwart attacks and hack into websites. Winners will be offered courses by the respected SANS Institute and assigned mentors.
University course and work placements also form part of the putative programme, due to take its first intake late next year, The Times reports.
Hack Idol may be a catchy concept, and it's easy to see how eccentric security minister Lord West - who famously reckons reformed naughty-boy hackers might play an important role in Britain's cyber-defence - might get sold on the idea.
In addition, there's a precedent from across the Atlantic. The UK scheme resembles the much larger US Cyber Challenge programme which is "looking for 10,000 young Americans with the skills to fill the ranks of cyber security practitioners, researchers, and warriors".
The winner of the first US Cyber Challenge was Michael Coppola, 17, of Connecticut, who gained plaudits for breaking into the scoring system and awarding himself extra points - a move straight out of cult haxploitation flick WarGames.
Sounds like good fun, but the idea of taking the now-ubiquitous TV talent show/glorified karaoke concept and applying it to computer security to find the next Neo sounds more than a little wrong-headed.
Chris Boyd (aka Paperghost), a security researcher at FaceTime, responded to the idea by saying the UK might just as well use a "complex system of water divining, Pagan ritual and astronomy to find the best hackers".
Hotmail's most-used passwords (iRemove.nl)
Data from the Hotmail phishing attack proves that consumer password security remains pants.
The most common single password in the sample of 10,000 purloined Live ID login credentials posted as a text file to developer site PasteBin.com was "123456", something only marginally more secure than the traditional favourite "password".
Neil O'Neil, a digital forensics investigator at secure payments firm The Logic Group, found that "123456" cropped up on the list 64 times. There were 18 uses of the second most popular password, "123456789", in the list.
Although PasteBin's owners had taken down the list, the information was still easily retrievable by security researchers such as O'Neil and, undoubtedly, by any hackers who cared to hunt it down.
O'Neil subsequently analysed the list, with the aim of turning the analysis into a presentation on password security for corporate clients.
The list of Live ID login credentials and associated data was posted as a text file to PasteBin. A large number of spelling mistakes in the secondary data (such as email addresses) available alongside the password data points to the source as a phishing attack.
The information bears all the hallmarks of a raw data dump from Hotmail account holders induced to fill out forms on hacker-controlled websites under the guise of a security check or similar.
O'Neil's analysis of the passwords reveals common themes in their makeup. For example, the security researcher noticed that a significant percentage were dates of birth, an inherently weak password. Other passwords spotted in the sample include "ibelongtogod" (Is Real Madrid's Kaka on Hotmail?) and, perhaps by way of cosmic balance, "666666".
Nearly half (42 per cent) of the passwords used only lowercase letters, 19 per cent were purely numeric and only six per cent mixed alphanumeric and other characters, according to a separate analysis of the data by web application security firm Acunetix. Many of the top 20 most frequent passwords in the list were given names common in Spanish-speaking countries, such as Alejandra and Alberto. This provides circumstantial evidence that the data was harvested at least in part from a Spanish-language phishing message.
iloveyou and (the Spanish equivalent) tequiero both appeared in the top 20 list compiled by Acunetix. O'Neil speculates the list might have been posted as part of an online spat between hackers.
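The kind of triage O'Neil and Acunetix describe is easy to reproduce. The script below is an added illustration for this article, not the analysis either of them ran: it parses a dump of `email:password` lines (the separator is an assumption; the article only says email addresses sat alongside the passwords), tallies the most common values, and reports the share of passwords in each composition class, including the date-of-birth pattern O'Neil flagged. The sample lines are constructed to mimic the patterns reported; they are not the PasteBin data.

```python
"""Triage of a leaked plaintext password list (added example, constructed data)."""
from collections import Counter
import re

# Constructed sample in an assumed "email:password" layout. Includes a blank
# line and a malformed line so the parser's handling of junk is exercised.
SAMPLE_LINES = """\
ana@hotmail.com:123456
luis@hotmail.com:123456
jose@hotmail.com:123456
maria@hotmail.com:123456789
pedro@hotmail.com:password
carla@hotmail.com:alejandra
juan@hotmail.com:iloveyou
rosa@hotmail.com:tequiero
pablo@hotmail.com:alberto
diego@hotmail.com:666666
lucia@hotmail.com:ibelongtogod
sofia@hotmail.com:19851203
marcos@hotmail.com:Pa55w0rd!
elena@hotmail.com:qwerty

this line has no separator
raul@hotmail.com:123456
ines@hotmail.com:alberto
ivan@hotmail.com:ALBERTO
""".splitlines()

# yyyymmdd or ddmmyyyy with a 19xx/20xx year: the "date of birth" pattern.
DATE_RE = re.compile(
    r"^(19|20)\d{2}(0[1-9]|1[0-2])(0[1-9]|[12]\d|3[01])$"
    r"|^(0[1-9]|[12]\d|3[01])(0[1-9]|1[0-2])(19|20)\d{2}$"
)


def parse_dump(lines):
    """Extract the password field from each 'email:password' line, skipping junk."""
    passwords = []
    for line in lines:
        email, sep, password = line.strip().partition(":")
        if sep and "@" in email and password:
            passwords.append(password)
    return passwords


def classify(pw):
    """Bucket a password into one composition class (dates take priority)."""
    if DATE_RE.match(pw):
        return "date"
    if pw.isdigit():
        return "numeric"
    if pw.isalpha():
        if pw.islower():
            return "lowercase"
        if pw.isupper():
            return "uppercase"
        return "mixed-case"
    if pw.isalnum():
        return "alphanumeric"
    return "alnum+symbols"


def top_n(passwords, n=5):
    """Most frequent passwords with their counts, as (password, count) pairs."""
    return Counter(passwords).most_common(n)


def class_shares(passwords):
    """Percentage of the dump falling into each composition class."""
    counts = Counter(classify(p) for p in passwords)
    total = len(passwords)
    return {cls: round(100.0 * n / total, 1) for cls, n in counts.items()}


def is_blocklisted(candidate, passwords, min_count=2):
    """Defensive use of a dump: reject a new password that recurs in it."""
    return Counter(passwords)[candidate] >= min_count


if __name__ == "__main__":
    pws = parse_dump(SAMPLE_LINES)
    print("parsed", len(pws), "passwords")
    for pw, count in top_n(pws):
        print(f"{count:3d}  {pw}")
    for cls, pct in sorted(class_shares(pws).items(), key=lambda kv: -kv[1]):
        print(f"{pct:5.1f}%  {cls}")
```

On a real dump the first step is the same: separate the credential field from the surrounding junk, then count. The blocklist check at the end is the one defensive payoff of such a list: anything that recurs across unrelated victims should be refused at password-change time, whatever its nominal complexity.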
Time to change up
Since an estimated two in five users make use of the same password across multiple accounts, the Hotmail password phishing attack gives hackers a head start in attacking more financially sensitive accounts. "People tend to have the same password across many accounts - so there is a good chance that individuals have also compromised the integrity of their eBay or PayPal accounts too," O'Neil commented.
The security researcher reckons it's time to re-evaluate traditional advice on how to choose passwords. "It used to be that the best security advice was to never write down your password," he said. "Today's advice however is to choose complex passwords, write them down and then put them in your wallet.
"You know when your wallet is lost or stolen and therefore that you need to change your passwords. Three initials from your name and postcode will do the trick and will take a hacker weeks to crack. Using an old postcode adds another layer of protection."
News of a second dump, of at least 30,000 webmail login credentials, also posted to PasteBin broke on Tuesday. This list contained apparent username and password details for accounts with a wider range of webmail providers, including Gmail and Yahoo!.
Security researchers are yet to analyse the list, which early indications suggest may contain a greater proportion of abandoned or fake accounts.
When talking about wired security, enterprise IT administrators talk about multiple layers of defense such as internet firewalls, VPNs, admission control, email filtering, content filtering, web application scanning and many others. A hacker has to peel back multiple layers of an onion before getting to the core. Each layer of security is independent and is preferably sourced from a different vendor, so that each layer compounds the amount of work a hacker has to perform to get in.
When considering the security of a wireless network, the same enterprise IT administrators are content with the basic security mechanisms integrated into the wireless LAN infrastructure by vendors such as Cisco Systems and Aruba Networks. IT departments have a hard time understanding why an inner layer of defense for wireless network security is needed in the form of an advanced wireless intrusion prevention system (WIPS). The wireless network security posture of an organization is the weakest when the security integrated into wireless LAN infrastructure is the only layer protecting the core network. Without an inner WIPS layer, the core network is open to rogue APs, unauthorized client connections, ad-hoc networks, MAC spoofing and many other attacks that the wireless LAN infrastructure security cannot protect against.
The figure below shows how your core network can be exposed to wireless attacks when there is no WIPS layer.
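To make concrete what an "inner layer" adds over the WLAN infrastructure's own security, here is an added illustration (not code from any WIPS or WLAN vendor) of the minimum a WIPS sensor does: it compares every beacon it hears, and every client association it sees, against the inventory of managed access points and sanctioned clients. The authorised inventory, the client list and the observed frames are all constructed for the example; real sensors also correlate unknown APs against the wired side before calling them rogue, and detect BSSID spoofing from sequence numbers and signal characteristics rather than the simple attribute mismatch used here.

```python
"""Rogue-AP, evil-twin, ad-hoc and unauthorised-client triage from observed
802.11 management frames (added example, constructed data)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Beacon:
    bssid: str
    ssid: str
    channel: int
    ibss: bool      # True for an ad-hoc (IBSS) network rather than an AP
    security: str   # "WPA2", "WPA", "WEP" or "OPEN"


@dataclass(frozen=True)
class Assoc:
    client: str     # client MAC
    bssid: str      # BSSID it associated to


# What the WLAN controller says it manages (constructed inventory).
AUTHORISED_APS = {
    "00:1a:2b:00:00:01": Beacon("00:1a:2b:00:00:01", "CORP", 1, False, "WPA2"),
    "00:1a:2b:00:00:02": Beacon("00:1a:2b:00:00:02", "CORP", 6, False, "WPA2"),
}
CORP_SSIDS = {ap.ssid for ap in AUTHORISED_APS.values()}
AUTHORISED_CLIENTS = {"aa:bb:cc:00:00:10", "aa:bb:cc:00:00:11"}

# What a sensor heard over the air (constructed).
SAMPLE_BEACONS = [
    Beacon("00:1a:2b:00:00:01", "CORP", 1, False, "WPA2"),        # managed AP, fine
    Beacon("de:ad:be:ef:00:01", "CORP", 11, False, "OPEN"),       # corp SSID, unknown BSSID
    Beacon("de:ad:be:ef:00:02", "PrinterNet", 3, True, "OPEN"),   # ad-hoc network
    Beacon("00:1a:2b:00:00:02", "CORP", 11, False, "OPEN"),       # managed BSSID, wrong attributes
    Beacon("ca:fe:00:00:00:01", "Neighbour", 6, False, "WPA2"),   # someone else's AP
]
SAMPLE_ASSOCS = [
    Assoc("aa:bb:cc:00:00:10", "00:1a:2b:00:00:01"),   # sanctioned client on managed AP
    Assoc("aa:bb:cc:00:00:10", "de:ad:be:ef:00:01"),   # sanctioned client lured to evil twin
    Assoc("aa:bb:cc:00:00:99", "00:1a:2b:00:00:01"),   # unknown client on managed AP
]


def classify_beacons(beacons):
    """Return (bssid, verdict) for every BSSID that warrants attention."""
    alerts = []
    for b in beacons:
        known = AUTHORISED_APS.get(b.bssid)
        if known is not None:
            # Managed BSSID advertising different SSID/channel/security than the
            # controller configured: someone is spoofing the AP's MAC (heuristic).
            if (b.ssid, b.channel, b.security) != (known.ssid, known.channel, known.security):
                alerts.append((b.bssid, "spoofed-authorised-bssid"))
            continue
        if b.ibss:
            alerts.append((b.bssid, "ad-hoc-network"))
        elif b.ssid in CORP_SSIDS:
            # Corporate SSID from an unmanaged BSSID: evil twin / honeypot AP.
            alerts.append((b.bssid, "evil-twin"))
        else:
            # Unknown AP; rogue only if it turns out to be plugged into the wired LAN.
            alerts.append((b.bssid, "unknown-ap"))
    return alerts


def classify_assocs(assocs, beacon_alerts):
    """Flag clients joining flagged BSSIDs, and unknown clients on managed APs."""
    flagged = dict(beacon_alerts)
    alerts = []
    for a in assocs:
        if a.bssid in flagged:
            alerts.append((a.client, "client-on-" + flagged[a.bssid]))
        elif a.client not in AUTHORISED_CLIENTS:
            alerts.append((a.client, "unauthorised-client-on-corp-ap"))
    return alerts


if __name__ == "__main__":
    beacon_alerts = classify_beacons(SAMPLE_BEACONS)
    for bssid, verdict in beacon_alerts:
        print(f"{bssid}  {verdict}")
    for client, verdict in classify_assocs(SAMPLE_ASSOCS, beacon_alerts):
        print(f"{client}  {verdict}")
```

None of these verdicts depends on the WLAN infrastructure's own authentication or encryption: the evil twin, the ad-hoc network and the neighbour's AP never touch the controller, which is why the infrastructure's security cannot see them.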
There are two paradoxes about wireless security that puzzle me.
- First, while multiple layers of security are built to protect against attacks from the internet over the wired network, the wireless door is left relatively unsecured, relying on the single layer of protection provided by the security integrated into the WLAN infrastructure (access points and controller).
- Second, if a wireless intrusion prevention system (WIPS) is considered at all, it is sourced from the same vendor that provides the WLAN infrastructure. Separating "church" from "state" has been considered prudent practice for centuries and is applied to wired network security, yet somehow it is not applied to wireless network security. A WIPS set up as an inner layer of defense is likely to share the weaknesses of the first line of defense (the WLAN infrastructure) if both are sourced from the same vendor, which renders the WIPS layer of little use against exactly the attacks that get past the first line.
The weakness of the outer layer of defense provided by wireless security integrated into the WLAN infrastructure has become even more glaring due to two recent developments:
- In August 2009, AirMagnet revealed that a hacker could use the Over-the-Air-Provisioning (OTAP) feature built into Cisco access points (APs), which lightweight APs use to discover their controller, to gain control over an AP and hence access to the network. This vulnerability demonstrates that, though WLAN infrastructure vendors have traditionally denied it, the security provided by WLAN infrastructure is basic and has serious holes.
- Also in August 2009, Japanese researchers published their findings on how WPA could be attacked in about one minute. The attack applies to WPA with TKIP and forges short packets rather than recovering the key, and it is relatively hard to exploit in practice, but it still highlights that there are cracks in the security built into the WLAN infrastructure.
It is true that any network infrastructure has security holes, and wireless networks are no different. As vulnerabilities are discovered they will be patched and the holes will be filled; this is the normal evolution of any networking technology. However, IT administrators make two mistakes when dealing with the security of wireless networks.
- IT administrators assume that the security provided by WLAN infrastructure is “good enough”. They do not provision for an inner layer of defense such as a wireless intrusion prevention system (WIPS).
- If a wireless intrusion prevention system is considered, most IT administrators consider it “administratively convenient” to source the WIPS from the same vendor that provides WLAN infrastructure. This creates a second line of defense that has the “same” weaknesses as the outer layer of defense provided by security built into WLAN infrastructure. Hence, some attacks can still pass through the WIPS layer and reach the core network.
The figure below highlights how wireless attacks can reach the core network in spite of a WIPS layer if IT administrators make the mistakes described above.
These mistakes must be corrected to ensure that the wireless "back door" is as well secured as the wired network "front door" facing the internet. There are three things IT administrators should consider.
- Install a wireless intrusion prevention system (WIPS) as an inner layer of defense for your WLAN infrastructure. This enables zero-day protection even if the WLAN infrastructure security shows cracks. It also protects against many wireless attacks that the WLAN infrastructure security does not protect against.
- Consider installing a WIPS before installing the WLAN infrastructure. This provides protection against rogue wireless devices and other wireless attacks even before the WLAN infrastructure is in place.
- Source WIPS and WLAN infrastructure from different vendors. This makes it much less likely that the two lines of defense share the same weaknesses, so that what slips past one is caught by the other.
The figure below shows how building a two-layer defense against wireless attacks, with the WIPS layer and the WLAN security layer being sourced from different vendors can enable a strong wireless security posture for an organization.
Having multiple layers of defense sourced from different vendors has been considered prudent practice in wired network security. Is it not time to consider the same approach for wireless security?