OMIGOD: Cloud providers still using secret middleware • The Register

2022-06-15 17:15:51 By : Ms. Peng Sunny

RSA Conference in brief Researchers from Wiz, who previously found a series of four serious flaws in Azure's Open Management Infrastructure (OMI) agent dubbed "OMIGOD," presented some related news at RSA: Pretty much every cloud provider is installing similar software "without customer's awareness or explicit consent."

In a blog post accompanying the presentation, Wiz's Nir Ohfeld and Shir Tamari say that the agents are middleware that bridge customer VMs and the provider's other managed services. The agents are necessary to enable advanced VM features like log collection, automatic updating and configuration syncing, but they also add new potential attack surfaces that customers cannot defend because they do not know the agents are there.

In the case of OMIGOD, that included a bug with a 9.8/10 CVSS score that would let an attacker escalate to root and remotely execute code. Microsoft patched the vulnerabilities, but most of the patches had to be applied manually.

Wiz has published a GitHub page with a list of 12 agents installed secretly, just like OMI, on Azure, AWS, and Google Cloud, and those are probably not all of them. "It is likely, based on our investigation, that there are more agents of which security researchers and cloud customers are unaware," Ohfeld and Tamari said.

Survey results from Trend Micro indicate that, when it comes to organizations understanding their attack surfaces, most don't. 

In all, 73 percent of the 6,297 IT and business decision makers surveyed said they were worried about their growing attack surface, which only 51 percent said they could fully define.

Just over a third of respondents said that their security infrastructure was messy and constantly evolving, while 43 percent admitted their attack surface is "spiraling out of control," Trend Micro said. Cloud environments were cited as the most opaque, and with most providers installing secret middleware it's easy to understand why.

Bharat Mistry, technical director at Trend Micro, said that rapid IT modernization at the beginning of the COVID-19 pandemic is a large reason for current attack surface visibility problems. "In many cases [IT upgrades] unwittingly expanded the digital attack surface, giving threat actors more opportunities to compromise key assets," he said. 

The study also gives a variety of reasons for why visibility hasn't improved, like opaque supply chains, shadow IT services, remote employees and constant technical changes in vendor products, among others. 

Unfortunately, the top piece of advice that Trend Micro gives - "gain visibility" - is easier said than done. Unless you have the right tools, that is, which Trend Micro happens to be selling. 

A laundry list of private sector and cyber advocacy groups released a joint statement Tuesday arguing for "increased public private collaboration to improve the nation's cybersecurity readiness."

The signatories said that, while they think the Biden administration has taken steps to strengthen public-private cooperation, it hasn't done enough. The signatories said they will "actively seek to engage US government partners with ideas and initiatives to strengthen national cyber resilience," and put forward five proposals to that end:

The signatories are in luck: Leaders from CISA, the NSA, and National Cyber Director Chris Inglis spoke at RSA, and made specific mention of the JCDC at their panel discussion this week.

"We can't sustain the highest level of alert for an extensive period of time, which is why we're thinking about … that relationship that government needs to have with the private sector," CISA director Jen Easterly said at the panel. 

Single sign-on provider Xage claims to have made a new distributed, multi-layer multi-factor authentication (MFA) product that's capable of resisting prompt bombs like those that let Lapsus$ break into Okta earlier this year.

MFA bombing isn't so much a sophisticated hacking technique as it is a way to wear someone down by attempting to repeatedly log into one of their accounts that has MFA enabled. As the victim is bombarded with verification requests, the attacker sits back and hopes their flustered mark accidentally taps "Accept." One mistake, and the attacker has free rein to do whatever the victim's account has access to. 

What Xage is offering as a solution is, for all intents and purposes, a hybrid form of MFA and network segmentation: "Users reconfirm their identity as they are granted each layer of access privilege, allowing independent user verification at the level of a whole operation, a site, or even a single asset," Xage said in a press release. The unique selling point Xage is claiming is the use of different MFA methods at each layer of access.

While a different type of MFA at each checkpoint definitely adds an additional layer of security, it's unknown how well users would adapt to the user experience friction created by needing a different form of MFA for each granular access request.
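The MFA-bombing pattern described above has a recognizable server-side signature: a burst of push prompts to one user, typically several denials or timeouts, then a sudden approval. The following Python is an added example, not code from Xage, Okta or The Register, showing the defender's side: a detector run over constructed push-MFA log lines, and a prompt gate that rate-limits prompts per user and locks the push factor after repeated rejections. The log format, event names and threshold values are assumptions made for the example.

```python
"""Push-MFA prompt-fatigue detection and throttling (added example).

Assumptions: log lines look like
  <ISO-8601 UTC timestamp> user=<name> event=<push_sent|push_denied|push_timeout|push_approved> src=<ip>
and the thresholds below are illustrative policy values, not vendor defaults.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample log: alice is bombed and finally taps Accept, carol is bombed
# and never accepts, bob is a normal login. Not real data.
SAMPLE_LOG = """\
2022-06-15T02:00:01Z user=alice event=push_sent src=203.0.113.7
2022-06-15T02:00:09Z user=alice event=push_denied src=203.0.113.7
2022-06-15T02:00:15Z user=alice event=push_sent src=203.0.113.7
2022-06-15T02:00:40Z user=alice event=push_timeout src=203.0.113.7
2022-06-15T02:00:45Z user=alice event=push_sent src=203.0.113.7
2022-06-15T02:00:50Z user=alice event=push_denied src=203.0.113.7
2022-06-15T02:01:05Z user=alice event=push_sent src=203.0.113.7
2022-06-15T02:01:20Z user=alice event=push_approved src=203.0.113.7
2022-06-15T02:03:00Z user=bob event=push_sent src=198.51.100.4
2022-06-15T02:03:05Z user=bob event=push_approved src=198.51.100.4
2022-06-15T02:05:00Z user=carol event=push_sent src=203.0.113.9
2022-06-15T02:05:30Z user=carol event=push_timeout src=203.0.113.9
2022-06-15T02:05:31Z user=carol event=push_sent src=203.0.113.9
2022-06-15T02:06:01Z user=carol event=push_timeout src=203.0.113.9
2022-06-15T02:06:02Z user=carol event=push_sent src=203.0.113.9
2022-06-15T02:06:32Z user=carol event=push_timeout src=203.0.113.9
2022-06-15T02:06:33Z user=carol event=push_sent src=203.0.113.9
2022-06-15T02:07:03Z user=carol event=push_timeout src=203.0.113.9
2022-06-15T02:07:04Z user=carol event=push_sent src=203.0.113.9
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+) src=(?P<src>\S+)$")


def parse_line(line):
    """Parse one assumed-format log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "user": m["user"], "event": m["event"], "src": m["src"]}


def detect_push_fatigue(log_text, window=timedelta(minutes=10), min_prompts=5, min_rejections=3):
    """Return {user: reason} for users whose recent push history looks like bombing.

    Two signatures are checked over a sliding window: too many prompts at all, or an
    approval that arrives after several denied or expired prompts (the "worn down" case).
    """
    alerts = {}
    history = defaultdict(deque)  # user -> deque of (timestamp, event) inside the window
    minutes = int(window.total_seconds() // 60)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        q = history[rec["user"]]
        q.append((rec["ts"], rec["event"]))
        while q and rec["ts"] - q[0][0] > window:  # drop events older than the window
            q.popleft()
        prompts = sum(1 for _, e in q if e == "push_sent")
        rejections = sum(1 for _, e in q if e in ("push_denied", "push_timeout"))
        if prompts >= min_prompts:
            alerts.setdefault(rec["user"], f"{prompts} push prompts in the last {minutes} minutes")
        elif rec["event"] == "push_approved" and rejections >= min_rejections:
            alerts.setdefault(rec["user"], f"approval after {rejections} rejected/expired prompts")
    return alerts


class PushPromptGate:
    """Server-side throttle: at most `max_prompts` prompts per user per `window`, and the
    push factor is locked for `lockout` after `max_consecutive_rejections` in a row.
    Policy values are assumptions for the example."""

    def __init__(self, max_prompts=3, window=timedelta(minutes=5),
                 max_consecutive_rejections=3, lockout=timedelta(minutes=30)):
        self.max_prompts = max_prompts
        self.window = window
        self.max_rej = max_consecutive_rejections
        self.lockout = lockout
        self.sent = defaultdict(deque)      # user -> timestamps of prompts sent
        self.rejections = defaultdict(int)  # user -> consecutive rejections
        self.locked_until = {}              # user -> time the lock expires

    def allow_prompt(self, user, now):
        """True if a new push prompt may be sent to `user` at `now`; records it if so."""
        if self.locked_until.get(user, now) > now:
            return False
        q = self.sent[user]
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) >= self.max_prompts:
            return False
        q.append(now)
        return True

    def record_outcome(self, user, approved, now):
        """Track the user's response; lock the push factor after repeated rejections."""
        if approved:
            self.rejections[user] = 0
            return
        self.rejections[user] += 1
        if self.rejections[user] >= self.max_rej:
            self.locked_until[user] = now + self.lockout
            self.rejections[user] = 0


if __name__ == "__main__":
    for user, reason in detect_push_fatigue(SAMPLE_LOG).items():
        print(f"ALERT {user}: {reason}")
```

The detector flags alice because her approval comes after three rejected or expired prompts, and carol on prompt volume alone; bob's single prompt-and-approve is left alone. The gate is the corresponding control: once a user has rejected a few prompts in a row, an attacker holding the password cannot keep generating new ones, which removes the "wear them down" step the attack depends on.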

A flaw in a widely-used physical security system could let a successful attacker unlock any and all doors the software manages. 

Carrier's LenelS2 access control panels, which manage security door systems in facilities like hospitals, schools, transportation facilities and government offices, were found to have eight zero-day vulnerabilities when investigated by researchers from Trellix Threat Labs. 

The LenelS2 was chosen specifically because it's widely used, and while the team expected to find some flaws, "we did not expect to find common, legacy software vulnerabilities in a relatively recent technology," they said. 

Physical security has been a hot topic recently, and while this vulnerability is frightening, it would be tricky to pull off, as physical access to the controller's debugging ports is required. With access to the ports and "utilizing hardware hacking techniques," the researchers were able to gain root access and pull a full copy of the device's firmware for emulation and vulnerability discovery. 

Armed with knowledge of the software, the team was able to chain a pair of vulnerabilities together to gain root access remotely. An injected program running alongside the controller's software allowed the attackers to unlock doors and subvert monitoring software.

To mitigate the issue, Carrier said it's necessary to disable web login for the LenelS2's web portal; once disabled, a physical switch on the controller has to be flipped to re-enable it. While that may re-secure a previously-compromised controller, an attacker with physical access could simply flip the switch back.

As an additional mitigation method, consider a padlock. ®

DataStax, the database company built around the open-source Cassandra system, has secured $115 million in funding at a $1.6 billion valuation.

Led by the Growth Equity business within Goldman Sachs and backed by RCM Private Markets and EDB Investments, the latest round follows a strong first quarter based on the popularity of DataStax's Cassandra DBaaS Astra DB. Existing investors include Crosslink Capital, Meritech Capital Partners, OnePrime Capital, and others.

Cassandra is a distributed, wide-column store database suited to real-time use cases such as e-commerce and inventory management, personalization and recommendations, Internet of Things-related applications, and fraud detection. It is freely available under the Apache License, Version 2, although DataStax offers its managed service Astra on a subscription model.

First-of-its-kind research on advanced driver assist systems (ADAS) involved in accidents found that one company dominated with nearly 70 percent of reported incidents: Tesla.

The data was presented by the US National Highway Traffic Safety Association (NHTSA) and concludes the first round of data it began gathering last year on vehicle crashes involving level 2 ADAS technology such as Tesla Autopilot. Of the 394 accidents analyzed, 270 involved Teslas with Autopilot engaged.

"New vehicle technologies have the potential to help prevent crashes, reduce crash severity and save lives, and the Department is interested in fostering technologies that are proven to do so," said NHTSA administrator Dr Steven Cliff.

Microsoft has opened its wallet once more to pick up New York-based cyber-threat analyst Miburo.

Founded by Clint Watts in 2011, Miburo is all about the detection of and response to foreign (in the context of the US) information operations. The team is to be folded into Microsoft's Customer Security and Trust organization and the work of its analysts is to be fed into the Windows giant's threat detection and analysis capabilities.

"Miburo," said Microsoft, "has become a leading expert in identification of foreign information operations." Its research teams have hunted out some nasty influence campaigns across 16 languages.

The Floppotron computer hardware orchestra has reached version 3.0. The question is, where do you even find 512 floppy disk drives? Its creator, Paweł Zadrożniak, tells all.

The Floppotron is a marvellous bit of engineering. Its tones frequent many a YouTube video (this writer was rather taken by the rendition of "Take On Me" performed by the device's second iteration) and as a repurposing of obsolete hardware, it would be hard to come up with a more imaginative approach.

The first version made its debut in 2011 and consisted of a pair of floppy drives. The device's performance of the Imperial March has clocked up 6.7 million views at time of writing.

Hewlett Packard Enterprise must pay Oracle $30 million for copyright infringement after a jury found it guilty of providing customers with Solaris software updates without Big Red's permission.

The decision, which HPE may contest, is the culmination of a three-week trial in Oakland, California. However, the case was first raised years back when Oracle claimed HPE had offered illegal updates under a scheme devised by software support provider Terix, which settled its case in 2015 for almost $58 million.

In proceedings at the start of this week, Oracle’s lawyer, Christopher Yeates of Latham & Watkins LLP, pressed the eight-person jury to award his client $72 million for HPE using software not covered by a support contract, and for pinching clients, including Comcast.

Cloud data warehouse specialist Snowflake is broadening its toolset to allow devs to build applications inside its platform, while providing a new row-based storage engine to support analytics on transactional data.

Launched at its annual conference this week, the features are part of a plan to encourage users – and investors – to no longer see it as a mere cloud data warehouse and to view it more as a platform for sharing data and data-analytics applications.

Snowflake is supporting new transactional workloads in something it calls Unistore, which is based on Hybrid Tables supported by a new row-based storage engine to better handle transactional data.

The European Commission's competition enforcer is being handed another defeat, with the EU General Court nullifying a $1.04 billion (€997 million) antitrust fine against Qualcomm.

The decision to reverse the fine is directed at the body's competition team, headed by Danish politico Margrethe Vestager, which the General Court said made "a number of procedural irregularities [which] affected Qualcomm's rights of defense and invalidate the Commission's analysis" of Qualcomm's conduct. 

At issue in the original case was a series of payments Qualcomm made to Apple between 2011 and 2016, which the competition enforcer had claimed were made in order to guarantee the iPhone maker exclusively used Qualcomm chips.

Concern is growing that a World Trade Organization (WTO) moratorium on cross-border tariffs covering data may not be extended, which would hit e-commerce if countries decide to introduce such tariffs.

Representatives of the WTO's 164 members are meeting in Geneva as part of a multi-day ministerial conference. June 15 was to be the final day but the trade organization today confirmed it is being extended until June 16, to facilitate outcomes on the main issues under discussion.

The current moratorium covering e-commerce tariffs was introduced in 1998, and so far the WTO has extended it at such meetings, which typically take place every two years.

A Linux distro for smartphones abandoned by their manufacturers, postmarketOS, has introduced in-place upgrades.

Alpine Linux is a very minimal general-purpose distro that runs well on low-end kit, as The Reg FOSS desk found when we looked at version 3.16 last month. postmarketOS's – pmOS for short – version 22.06 is based on the same version.

This itself is distinctive. Most other third-party smartphone OSes, such as LineageOS or GrapheneOS, or the former CyanogenMod, are based on the core of Android itself.

Lenovo has officially opened its first manufacturing facility in Europe, to locally build servers, storage systems and high-end PC workstations for customers across Europe, Middle East, and Africa.

Why build a cloud datacenter yourself, when you can rent one from Hewlett Packard Enterprise? It may seem unorthodox, but that's exactly the approach Singapore-based private cloud provider Taeknizon is using to extend its private cloud offering to the United Arab Emirates (UAE).

Founded in 2012, Taeknizon offers a menagerie of services ranging from IoT, robotics, and AI to colocation and private cloud services, primarily in the Middle East and Asia. The company’s latest expansion in the UAE will see it lean on HPE GreenLake’s anything-as-a-service (XaaS) platform to meet growing demand from small-to-midsize enterprises for cloud services in the region.

"Today, 94% of companies operating in the UAE are SMEs," Ahmad AlKhallafi, UAE managing director at HPE, said in a statement. "Taeknizon's as-a-service model caters to the requirements of SMEs and aligns with our vision to empower youth and the local startup community."

The Register - Independent news and views for the tech community. Part of Situation Publishing

Biting the hand that feeds IT © 1998–2022