Tag Archives: availability

[ISN] How to secure containers and microservices

www.infoworld.com/article/3029772/cloud-computing/how-to-secure-containers-and-microservices.html
By Jim Reno
InfoWorld.com
Feb 4, 2016

A few weeks ago on a Saturday morning I tried to pay a medical bill online and received the following message:

Sorry! In order to serve you better, our website will be down for scheduled maintenance from Friday 6:00 PM to Sunday 6:00 PM.

OK, I get it. Stuff happens. However, the following week I was greeted with the same message. Two weekends in a row means 48 hours of downtime over two weeks. Even if that’s the only downtime for the year, that means an availability of 98.9 percent

[ISN] The Next Wave of Cyberattacks Won’t Steal Data — They’ll Change It

http://www.defenseone.com/threats/2015/09/next-wave-cyberattacks-wont-steal-data-theyll-change-it/120701/
By Patrick Tucker
DefenseOne.com
September 10, 2015

The big attacks that have been disclosed so far in 2015 involved the theft of data, and a lot of it. Some 21 million personnel records were taken from the Office of Personnel Management, likely by China, while 4,000 records, some with “sensitive” information, were stolen from the Joint Chiefs civilian email system, a theft blamed on Russia.

But America’s top spies say the attacks that worry them don’t involve the theft of data, but the direct manipulation of it, changing perceptions of what is real and what is not.

Director of National Intelligence James Clapper spelled out his concerns in written testimony presented to the House Subcommittee on Intelligence today. “Most of the public discussion regarding cyber threats has focused on the confidentiality and availability of information; cyber espionage undermines confidentiality, whereas denial of service operations and data deletion attacks undermine availability,” he wrote. “In the future, however, we might also see more cyber operations that will change or manipulate electronic information in order to compromise its integrity (i.e., accuracy and reliability) instead of deleting it or disrupting access to it.”

[…]

[ISN] Which cloud providers had the best uptime last year?

http://www.networkworld.com/article/2866950/cloud-computing/which-cloud-providers-had-the-best-uptime-last-year.html
By Brandon Butler
Network World
Jan 12, 2015

Amazon Web Services and Google Cloud Platform recorded impressive statistics for how reliable their public IaaS clouds were in 2014, with both providers approaching what some consider the Holy Grail of availability: five nines.

Flash back just to 2012 and pundits bemoaned the cloud being plagued with outages – from one that brought down Reddit and many other sites to the Christmas eve fiasco that impacted Netflix. It was a different story last year.

Website tracking firm CloudHarmony monitors how often more than four dozen cloud providers experience downtime. The company has a web server running in each of these vendors’ clouds and tracks when the service is unavailable, logging both the number and length of outages. The science is not perfect but it gives a good idea of how providers are doing. And overall, vendors are doing well and getting better.

Amazon and Google shone in particular. Amazon’s Elastic Compute Cloud (EC2) recorded 2.41 hours of downtime across 20 outages in 2014, meaning it was up and running 99.9974% of the time. Given AWS’s scale – Gartner predicted last year that Amazon had a distributed system that’s five times larger than its competitors – those are impressive figures.

[…]

[ISN] Keurig 2.0 Genuine K-Cup Spoofing Vulnerability

http://seclists.org/fulldisclosure/2014/Dec/37
From: Kenneth Buckler

*Overview*

Keurig 2.0 Coffee Maker contains a vulnerability in which the authenticity of coffee pods, known as K-Cups, uses weak verification methods, which are subject to a spoofing attack through re-use of a previously verified K-Cup.

*Impact*

CVSS Base Score: 4.9
Impact Subscore: 6.9
Exploitability Subscore: 3.9
Access Vector: Local
Access Complexity: Low
Authentication: None
Confidentiality Impact: None
Integrity Impact: Complete
Availability Impact: None

*Vulnerable Versions*

Keurig 2.0 Coffee Maker

*Technical Details*

Keurig 2.0 is designed to only use genuine Keurig approved coffee K-Cups. However, a flaw in the verification method allows an attacker to use unauthorized K-Cups. The Keurig 2.0 does verify that the K-Cup foil lid used for verification is not re-used.

Step 1: Attacker uses a genuine K-Cup in the Keurig machine to brew coffee or hot chocolate.

Step 2: After brewing is complete, attacker removes the genuine K-Cup from the Keurig and uses a knife or scissors to carefully remove the full foil lid from the K-Cup, ensuring to keep the full edges intact. Attacker keeps this for use in the attack.

Step 3: Attacker inserts a non-genuine K-Cup in the Keurig, and closes the lid. Attacker should receive an “oops” error message stating that the K-Cup is not genuine.

Step 4: Attacker opens the Keurig, leaving the non-genuine K-Cup in the Keurig, and carefully places the previously saved genuine K-Cup lid on top of the non-genuine K-Cup, lining up the puncture hole to keep the lid in place.

Step 5: Attacker closes the Keurig, and is able to brew coffee using the non-genuine K-Cup.

Since no fix is currently available, owners of Keurig 2.0 systems may wish to take additional steps to secure the device, such as keeping the device in a locked cabinet, or using a cable lock to prevent the device from being plugged in when not being used by an authorized user.

Please note that a proof of concept is already available online.

*Credit:*

Proof of concept at http://www.keurighack.com/
Vulnerability Writeup by Ken Buckler, Caffeine Security http://caffeinesecurity.blogspot.com

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

[ISN] Offensive Cyber Operations in US Military Doctrine

http://fas.org/blogs/secrecy/2014/10/offensive-cyber/
By Steven Aftergood
Federation of American Scientists
Oct. 22, 2014

A newly disclosed Department of Defense doctrinal publication acknowledges the reality of offensive cyberspace operations, and provides a military perspective on their utility and their hazards.

Attacks in cyberspace can be used “to degrade, disrupt, or destroy access to, operation of, or availability of a target by a specified level for a specified time.” Or they can be used “to control or change the adversary’s information, information systems, and/or networks in a manner that supports the commander’s objectives.”

However, any offensive cyber operations (OCO) must be predicated on “careful consideration of projected effects” and “appropriate consideration of nonmilitary factors such as foreign policy implications.”

“The growing reliance on cyberspace around the globe requires carefully controlling OCO, requiring national level approval,” according to the newly disclosed Cyberspace Operations, Joint Publication 3-12(R).

[…]

[ISN] Personal information of almost 100,000 people exposed through flaw on site for transcripts

http://www.washingtonpost.com/blogs/the-switch/wp/2014/10/21/personal-information-of-almost-100000-people-exposed-through-flaw-on-site-for-transcripts/
By Ashkan Soltani, Julie Tate and Ellen Nakashima
The Washington Post
October 21, 2014

The personal information of almost 100,000 people seeking their high school transcripts was recently exposed on a Web site that helps students obtain their records.

The site, NeedMyTranscript.com, facilitates requests from all 50 states and covers more than 18,000 high schools around the country, according to its Web site and company chief executive officer. The data included names, addresses, e-mail addresses, phone numbers, dates of birth, mothers’ maiden names and the last four digits of the users’ Social Security numbers.

Although there is no evidence the data were stolen, privacy advocates say the availability of such basic personal information heightens the risk of identity theft.

The availability of the data appears to be the result of a flaw in the way the two-year-old site was designed. It highlights how easily sensitive personal information can be exposed with the proliferation of online businesses and services – many of which do not employ adequate security practices.

[…]

[ISN] Fixing HealthCare.gov security

http://www.csoonline.com/article/2685234/data-protection/fixing-healthcare-gov-security.html
By Antone Gonsalves
CSO
Sep 17, 2014

While the security weaknesses found in HealthCare.gov by a U.S. government watchdog need to be addressed, they are not unusual for sites as complex as the federal insurance exchange, experts say.

In a report released Tuesday, the Government Accountability Office found problems in the “technical controls protecting the confidentiality, integrity and availability” of the federally facilitated marketplace (FFM), which is the area of the site to buy health insurance.

Specifically, the GAO faulted the site’s operator for failing to require and enforce strong passwords, to adequately restrict access to the Internet by systems supporting the FFM, to consistently implement software patches, and to properly configure the administrative network for the FFM.

The Centers for Medicare & Medicaid Services (CMS), an agency of the Department of Health and Human Services (HHS), is responsible for HealthCare.gov.

[…]

[ISN] Things Can Go Kaboom When a Defense Contractor’s 3-D Printer Gets Hacked

http://www.nextgov.com/cybersecurity/2014/09/heres-why-you-dont-want-your-3-d-printer-get-hacked/93923/
By Aliya Sternstein
Nextgov.com
September 11, 2014

Defense companies that manufacture parts with three-dimensional printers using metal powders might want to heed forthcoming government-issued standards for preventing hacks. Not only can attackers steal proprietary designs by breaching the machines’ data files – but they can also cause physical damage to production plants and employees.

“A compromise may affect the confidentiality, integrity or availability of both the device and the information it processes,” state National Institute of Standards and Technology draft guidelines for avoiding 3-D printer breaches.

Military contractors increasingly are using the machines to mass-produce components for weapons systems, vehicles and other hardware to save time and money. 3-D printing, also called additive manufacturing, creates solid objects by layering thin sheets of material following the instructions of a digital computer file.

[…]