Tag Archives: availability

[ISN] Which cloud providers had the best uptime last year?

http://www.networkworld.com/article/2866950/cloud-computing/which-cloud-providers-had-the-best-uptime-last-year.html
By Brandon Butler
Network World
Jan 12, 2015

Amazon Web Services and Google Cloud Platform recorded impressive statistics for how reliable their public IaaS clouds were in 2014, with both providers approaching what some consider the Holy Grail of availability: five nines.

Flash back just to 2012 and pundits bemoaned the cloud being plagued with outages – from one that brought down Reddit and many other sites to the Christmas eve fiasco that impacted Netflix. It was a different story last year.

Website tracking firm CloudHarmony monitors how often more than four dozen cloud providers experience downtime. The company has a web server running in each of these vendors’ clouds and tracks when the service is unavailable, logging both the number and length of outages. The science is not perfect but it gives a good idea of how providers are doing. And overall, vendors are doing well and getting better. Amazon and Google shone in particular.

Amazon’s Elastic Compute Cloud (EC2) recorded 2.41 hours of downtime across 20 outages in 2014, meaning it was up and running 99.9974% of the time. Given AWS’s scale – Gartner predicted last year that Amazon had a distributed system that’s five times larger than its competitors – those are impressive figures.

[…]


[ISN] Keurig 2.0 Genuine K-Cup Spoofing Vulnerability

http://seclists.org/fulldisclosure/2014/Dec/37
From: Kenneth Buckler

*Overview*

Keurig 2.0 Coffee Maker contains a vulnerability in which the authenticity of coffee pods, known as K-Cups, uses weak verification methods, which are subject to a spoofing attack through re-use of a previously verified K-Cup.

*Impact*

CVSS Base Score: 4.9
Impact Subscore: 6.9
Exploitability Subscore: 3.9
Access Vector: Local
Access Complexity: Low
Authentication: None
Confidentiality Impact: None
Integrity Impact: Complete
Availability Impact: None

*Vulnerable Versions*

Keurig 2.0 Coffee Maker

*Technical Details*

Keurig 2.0 is designed to only use genuine Keurig approved coffee K-Cups. However, a flaw in the verification method allows an attacker to use unauthorized K-Cups. The Keurig 2.0 does verify that the K-Cup foil lid used for verification is not re-used.

Step 1: Attacker uses a genuine K-Cup in the Keurig machine to brew coffee or hot chocolate.

Step 2: After brewing is complete, attacker removes the genuine K-Cup from the Keurig and uses a knife or scissors to carefully remove the full foil lid from the K-Cup, ensuring to keep the full edges intact. Attacker keeps this for use in the attack.

Step 3: Attacker inserts a non-genuine K-Cup in the Keurig, and closes the lid. Attacker should receive an “oops” error message stating that the K-Cup is not genuine.

Step 4: Attacker opens the Keurig, leaving the non-genuine K-Cup in the Keurig, and carefully places the previously saved genuine K-Cup lid on top of the non-genuine K-Cup, lining up the puncture hole to keep the lid in place.

Step 5: Attacker closes the Keurig, and is able to brew coffee using the non-genuine K-Cup.

Since no fix is currently available, owners of Keurig 2.0 systems may wish to take additional steps to secure the device, such as keeping the device in a locked cabinet, or using a cable lock to prevent the device from being plugged in when not being used by an authorized user.

Please note that a proof of concept is already available online.

*Credit:*

Proof of concept at http://www.keurighack.com/
Vulnerability Writeup by Ken Buckler, Caffeine Security
http://caffeinesecurity.blogspot.com

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/


[ISN] Offensive Cyber Operations in US Military Doctrine

http://fas.org/blogs/secrecy/2014/10/offensive-cyber/
By Steven Aftergood
Federation of American Scientists
Oct. 22, 2014

A newly disclosed Department of Defense doctrinal publication acknowledges the reality of offensive cyberspace operations, and provides a military perspective on their utility and their hazards.

Attacks in cyberspace can be used “to degrade, disrupt, or destroy access to, operation of, or availability of a target by a specified level for a specified time.” Or they can be used “to control or change the adversary’s information, information systems, and/or networks in a manner that supports the commander’s objectives.”

However, any offensive cyber operations (OCO) must be predicated on “careful consideration of projected effects” and “appropriate consideration of nonmilitary factors such as foreign policy implications.”

“The growing reliance on cyberspace around the globe requires carefully controlling OCO, requiring national level approval,” according to the newly disclosed Cyberspace Operations, Joint Publication 3-12(R).

[…]


[ISN] Personal information of almost 100,000 people exposed through flaw on site for transcripts

http://www.washingtonpost.com/blogs/the-switch/wp/2014/10/21/personal-information-of-almost-100000-people-exposed-through-flaw-on-site-for-transcripts/
By Ashkan Soltani, Julie Tate and Ellen Nakashima
The Washington Post
October 21, 2014

The personal information of almost 100,000 people seeking their high school transcripts was recently exposed on a Web site that helps students obtain their records.

The site, NeedMyTranscript.com, facilitates requests from all 50 states and covers more than 18,000 high schools around the country, according to its Web site and company chief executive officer. The data included names, addresses, e-mail addresses, phone numbers, dates of birth, mothers’ maiden names and the last four digits of the users’ Social Security numbers.

Although there is no evidence the data were stolen, privacy advocates say the availability of such basic personal information heightens the risk of identity theft.

The availability of the data appears to be the result of a flaw in the way the two-year-old site was designed. It highlights how easily sensitive personal information can be exposed with the proliferation of online businesses and services – many of which do not employ adequate security practices.

[…]


[ISN] Fixing HealthCare.gov security

http://www.csoonline.com/article/2685234/data-protection/fixing-healthcare-gov-security.html
By Antone Gonsalves
CSO
Sep 17, 2014

While the security weaknesses found in HealthCare.gov by a U.S. government watchdog need to be addressed, they are not unusual for sites as complex as the federal insurance exchange, experts say.

In a report released Tuesday, the Government Accountability Office found problems in the “technical controls protecting the confidentiality, integrity and availability” of the federally facilitated marketplace (FFM), which is the area of the site to buy health insurance.

Specifically, the GAO faulted the site’s operator for failing to require and enforce strong passwords, to adequately restrict access to the Internet by systems supporting the FFM, to consistently implement software patches, and to properly configure the administrative network for the FFM.

The Centers for Medicare & Medicaid Services (CMS), an agency of the Department of Health and Human Services (HHS), is responsible for HealthCare.gov.

[…]


[ISN] Things Can Go Kaboom When a Defense Contractor’s 3-D Printer Gets Hacked

http://www.nextgov.com/cybersecurity/2014/09/heres-why-you-dont-want-your-3-d-printer-get-hacked/93923/
By Aliya Sternstein
Nextgov.com
September 11, 2014

Defense companies that manufacture parts with three-dimensional printers using metal powders might want to heed forthcoming government-issued standards for preventing hacks. Not only can attackers steal proprietary designs by breaching the machines’ data files – but they can also cause physical damage to production plants and employees.

“A compromise may affect the confidentiality, integrity or availability of both the device and the information it processes,” state National Institute of Standards and Technology draft guidelines for avoiding 3-D printer breaches.

Military contractors increasingly are using the machines to mass-produce components for weapons systems, vehicles and other hardware to save time and money. 3-D printing, also called additive manufacturing, creates solid objects by layering thin sheets of material following the instructions of a digital computer file.

[…]


[ISN] Hilton Turns Smartphones Into Room Keys

http://www.informationweek.com/mobile/mobile-business/hilton-turns-smartphones-into-room-keys/d/d-id/1297618
By Thomas Claburn
InformationWeek.com
7/29/2014

Hilton Worldwide plans to allow guests to check-in and choose their rooms using mobile devices, and even to unlock their hotel rooms.

By the end of the year, Hilton says it will offer digital check-in and room selection at 11 of its brands, across more than 4,000 properties. The service will be available to Hilton HHonors members in more than 80 countries, the company said.

“We analyzed data and feedback from more than 40 million HHonors members, as well as guest surveys, social media posts, and review sites, and it’s clear that guests want greater choice and control,” said Geraldine Calpin, SVP and global head of digital at Hilton Worldwide, in a statement.

Calpin cited a company-commissioned study conducted by Edelman Berland that indicates some 84% of business travelers want the ability to choose their own room. Calpin said Hilton is enabling guests to select rooms, room types, and room numbers, subject to availability, using mobile devices.

[…]


[ISN] Public or Private Cloud? The Decision Comes Down to Risk, DISA CIO Says

http://www.nextgov.com/cloud-computing/2014/04/public-or-private-cloud-your-agency-decision-comes-down-risk-disa-cio-says/82114/
By Frank Konkel
Nextgov.com
April 8, 2014

For federal agencies, deciding whether information, data or applications belong in a public or private government cloud or a hybrid combination of the two is no easy feat.

Myriad factors play into these decisions – projected cost savings, information sensitivity and availability, to name a few – but according to U.S. Defense Information Systems Agency Chief Information Officer David Bennett, the single most important element continues to be risk.

DISA recently rolled out a government-operated cloud computing services portfolio called milCloud that was designed to attract Defense Department customers who seek the cloud’s promise of cost reductions combined with increased control, flexibility and mission security necessary for classified and controlled unclassified information.

“You have to understand risk and the data you’re dealing with,” said Bennett, speaking at a Nextgov event Tuesday. “As you look at those things, you have to ask questions like, ‘What controls do I have in place?’ We want to leverage commercial opportunities and reap the benefits of doing that, but we also want to verify and make certain what’s out there and that we’re able to understand and monitor that.”

[…]
