Daily Archives: 05/18/2017

The Virtual World

Lessons From the “Wannacry” Debacle!

The ransomware attack called “Wannacry” has effectively shut down many businesses, and cost tons of money. What can we learn from this attack?

The Fallout and Lessons from WannaCry

Virtualization Review – By Trevor Pott – “On May 12, 2017, a new strain of ransomware called WannaCry began circling the globe. This ransomware attack has proven to be efficient and effective, earning WannaCry worldwide media coverage. Unfortunately, attempts to explain the details of the attack have not always been accurate.

My touchstone for discussing media inaccuracies is The New York Times article ‘Hackers Hit Dozens of Countries Exploiting Stolen N.S.A. Tool.’ In this article, The New York Times tries to convey the complexity of the WannaCry ransomware event to a non-technical audience.

The New York Times is one of the most important publications in the world. What it writes matters, and it helps set the tone for media reporting around the world. I feel that there are nuances missed in the reporting that are important, especially if we are to finally engage in the global discussion about IT security that we’ve needed to have for more than a decade.

WannaCry Basics

The most important thing to understand about the WannaCry ransomware is that little about it is novel. WannaCry is not some technological terror lovingly crafted by a mad genius. Instead, it is an assemblage of parts, each of which are reasonably mundane, simple and well-tested.

The WannaCry ransomware incorporates numerous elements to assist its spread. The fact that it’s largely built of previously tested components has allowed its authors to regularly adapt the ransomware to overcome efforts to eliminate it. This sort of cat-and-mouse game is a normal and everyday part of the IT security world.

For ransomware to work, three basic elements are required. First, there must be a mechanism of initial infection. Second, there must be an encryption mechanism that prevents users from accessing their files. Third, there must be a demand for payment along with a means of making payment. Traditionally, ransomware authors will decrypt files if payment is made; however, in recent months there have been increasing strains of ransomware where payment does not result in decryption of files.

WannaCry adds a fourth element to the traditional ransomware cocktail: It uses a Windows vulnerability to spread beyond the initial infected computer. The result of this is that on improperly designed or improperly secured networks, one infected computer can infect many others.

WannaCry Detection and Prevention

WannaCry’s mechanism of initial infection relies on what’s known as phishing. In essence, these are scam e-mails that either contain a file that can infect your computer or entice you to click on links in the e-mail to take you to a Web site that will infect your computer. The most common versions of WannaCry are reported to use an encrypted file contained in a phishing e-mail.

Some media reports claim that the use of encrypted files makes WannaCry undetectable. This is false. Encrypted files of this nature are detectable, even with freely available e-mail filtering applications such as the eFa project’s Email Filter Appliance (hence, eFa).

These sorts of e-mail filters can be set to block all mail with encrypted files, block it only from likely spam sources or only allow encrypted mail from known trusted sources. These scanners can also be configured to allow end users to access the encrypted files, but only after reading a warning about the potential dangers. They can also be configured to send this type of mail to a systems administrator for assessment before release.
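The attachment policies described above (block all encrypted archives, block them only from likely spam sources, allow them only from trusted senders, or hold them for an administrator) can be expressed as a small filter rule. The following is an added example, not code from the article or from the eFa project; the sender lists, the `decide` modes and the sample messages are all constructed for illustration, and the “encrypted” check reads the ZIP general-purpose flag bit rather than attempting to open the archive.

```python
from email.message import EmailMessage
from email.utils import parseaddr
import io
import zipfile

# Constructed policy inputs (not from the article).
TRUSTED_SENDERS = {"finance@partner.example"}
LIKELY_SPAM_DOMAINS = {"bulkmail.example"}

def zip_has_encrypted_entries(data: bytes) -> bool:
    """True if any ZIP entry has the 'encrypted' flag (bit 0 of ZipInfo.flag_bits)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except zipfile.BadZipFile:
        return False  # not a ZIP at all; other scanners handle it

def decide(msg: EmailMessage, mode: str) -> str:
    """Apply one of the policies the article lists to a parsed message.
    Returns 'deliver', 'warn' (deliver with a warning), 'block' or 'quarantine'."""
    sender = parseaddr(msg.get("From", ""))[1].lower()
    encrypted = any(zip_has_encrypted_entries(p.get_payload(decode=True) or b"")
                    for p in msg.iter_attachments())
    if not encrypted:
        return "deliver"
    if mode == "block_all":
        return "block"
    if mode == "block_spam_sources":
        return "block" if sender.rpartition("@")[2] in LIKELY_SPAM_DOMAINS else "warn"
    if mode == "trusted_only":
        return "deliver" if sender in TRUSTED_SENDERS else "block"
    if mode == "admin_review":
        return "quarantine"  # hold for a sysadmin to release
    raise ValueError(f"unknown mode {mode!r}")

def make_zip(encrypted: bool) -> bytes:
    """Constructed sample archive. zipfile cannot write encrypted entries, so
    for the encrypted case the flag bit is set by hand in the local header
    (offset 6) and in the central directory record (offset 8)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.doc", b"constructed payload")
    data = bytearray(buf.getvalue())
    if encrypted:
        data[6] |= 0x1
        data[data.find(b"PK\x01\x02") + 8] |= 0x1
    return bytes(data)

def build_message(sender: str, attachment: bytes) -> EmailMessage:
    """Constructed sample e-mail carrying one ZIP attachment."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, "user@corp.example", "Invoice"
    msg.set_content("Please see attached.")
    msg.add_attachment(attachment, maintype="application", subtype="zip",
                       filename="invoice.zip")
    return msg

if __name__ == "__main__":  # example run on a constructed spam-source message
    print(decide(build_message("x@bulkmail.example", make_zip(True)), "block_spam_sources"))
```

A real gateway would also unpack nested archives and apply the same flag check to each inner file, since the bit only describes the entries of the archive actually attached.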

While open source solutions like the one made available by the eFa Project are somewhat cumbersome to deploy and use, commercially supported e-mail filters exist that are far more friendly. Many of today’s e-mail filtering solutions are perfectly capable of blocking even unknown threats.

That WannaCry malware even made it into user mailboxes to be opened means that e-mail administrators made a choice to allow these types of files through without adequate protections. Alternately, e-mail administrators were inadequately resourced and relying on e-mail filtering technologies that are years — or even decades — old.

Solutions also exist to ensure that malicious e-mails, once opened, cannot infect vulnerable computers. Bromium is considered the industry leader in this area, and had its technology been deployed on relevant networks, WannaCry wouldn’t have made headlines.

WannaCry Mitigation

Modern IT security procedures and solutions, including network microsegmentation, core resource isolation and automated incident response, could each have been used to prevent the spread of infection. Had networks been properly designed, resourced and secured, any systems that did manage to become infected would only have been able to infect a limited number of others.

The technologies needed to prevent, detect and contain these outbreaks are new, but they’re no longer the bleeding edge. They are well within the capabilities of health care, government and enterprise IT departments.

Media reports typically focus on the patching of OSes and applications. Blame is laid on patching regimens because WannaCry used a previously patched Windows vulnerability to spread once established on a network. This is placing the blame where it doesn’t belong.

Even if an organization were to keep all computers fully patched, this would not make those computers secure. While patching is important, perpetuating the idea that it will somehow save us is dangerous. There are dozens, if not hundreds, of unpatched vulnerabilities in the Windows OS alone. That doesn’t include the various applications that run on top of Windows.

Governments and hackers alike hoard these ‘zero-day’ vulnerabilities for use in espionage and cyber warfare. Zero-day vulnerabilities are considered precious, expensive knowledge and are used sparingly, but every now and again they find their way into some bit of malware and infect everyday systems.

Proper IT security no longer relies solely on patching computers in order to keep networks safe. ‘Eggshell security,’ in which a network has a relatively well-defended perimeter but is undefended inside that barrier, hasn’t been considered adequate for more than a decade.

Systems administrators have been encouraged for years to consider every single computer on a network as unpatched and vulnerable, and design their network accordingly. WannaCry isn’t the first piece of malware to spread from one initial point of infection across a network, and it won’t be the last.

Patching Things Up

Some media outlets have reported that large-scale patching against WannaCry isn’t possible. This is false. Patching computers in an automated fashion isn’t only possible, it’s considered one of the most basic activities a systems administrator engages in.

Windows computers can have their patches managed with Windows Server Update Services, a free feature in modern Windows Server OSes. Paid options made available by Microsoft include System Center Configuration Manager for larger deployments and Intune for smaller deployments.

Patch management isn’t limited to Windows. Linux has numerous patch management options, with Red Hat’s Satellite being the most popular. For those with mixed environments, an entire industry called ‘endpoint management’ has emerged around patching and securing computers. There are hundreds of vendors selling products to patch and manage Windows, Linux and smartphones.

Patching, however, isn’t straightforward. There’s a lot of oversimplification occurring in media reporting regarding the WannaCry ransomware attack. Systems administrators who hadn’t yet patched their systems had not necessarily ignored patches or warnings from Microsoft. Nor were they necessarily running unsupported software, even where Windows XP was still in use.

Patches themselves can — and sometimes do — cause computers to malfunction. A computer may work fine for years, but when a patch is applied some critical component of either the OS or an application ceases to function. Microsoft has had a number of these over the years, with several in the past several months affecting large enough numbers of people to gain media attention.

Systems administrators, especially those guarding life-critical IT, must test patches before deployment to ensure that patches don’t break anything. Unfortunately, Microsoft has jettisoned its traditional Security Bulletins, and has made it increasingly difficult to learn what patches are supposed to do.”

Published by:
The Virtual World

Security Issues in Virtualization

Security is more important than ever today; is a virtual environment more secure?

Security Shortcomings Remain Strong in the World of Virtualization

Serverwatch – By: Paul Rubens – “Virtual machines (VMs) offer better isolation than containers: it’s one of those ‘known facts’ that most people never question, and one that server virtualization fans (and vendors) use as a key point in their arguments in favor of VMs and against containers.

It’s probably a fair point to make, because an application running in a virtual machine is isolated from apps running in other virtual machines on the same host, and indeed from much of the host itself.

It’s also true that applications running in containers are additionally isolated from applications running in other containers on the same container host, and indeed from the container host itself — but to a lesser degree. That’s because, the argument runs, containers share the host’s operating system kernel with each other and with the host. So if there’s a vulnerability in the kernel, this could provide a way into, or out of, the containers that are sharing it.

Of course, if there’s a vulnerability in a virtualization hypervisor the same could be true, but since a hypervisor provides far less functionality than a regular Linux kernel (which typically implements file systems, networking, application process controls and so on), it presents a much smaller attack surface.

But just because virtual machines are (arguably) better isolated from each other than containers, and despite a hypervisor having a smaller attack surface, that doesn’t mean escaping from this isolation can’t happen.

VM Escape Exploit Showcased at Pwn2Own Hacking Conference

This was proved last month at the Pwn2Own hacking conference in Vancouver, when one team showed off a VM escape: the Qihoo 360 security team chained together three exploits to get from Microsoft’s Edge browser running in a VMware virtual machine to pwning the underlying host.

To do it, they used a JavaScript bug in Edge to get code execution powers inside the Edge sandbox. From there they used a Windows 10 kernel error to escape from the Edge sandbox and pwn the whole VM.

And then, finally, the team exploited a hardware simulation bug in the VMware hypervisor to escape from the guest OS to the host OS. And this was all done by simply visiting a maliciously-designed web site where remote JavaScript code was executed.

Now that’s pretty scary: think of the number of applications running on virtual machines on shared hosts in cloud data centers where application owners have no idea who they are sharing the host hardware with.

No Need for Surprise When It Comes to VM Security Shortcomings

On the other hand, we shouldn’t be surprised, according to Dino Dai Zovi, a security expert quoted by Ars Technica. ‘A virtual machine hypervisor is just another software-based isolation layer that can have vulnerabilities in it that permit attacks to break through,’ he told the web site. ‘Isolation layers such as sandboxes, virtualization, and containerization all add more work for an attacker, but none is perfect. Defenders should always assume they can be broken through with enough work by an attacker.’

It seems that the problem in VMware’s software is not an isolated case, either. The company recently issued patches to its software to sort out a number of serious problems. The first two are a heap buffer overflow and an uninitialized stack memory usage in SVGA. ‘These issues may allow a guest to execute code on the host,’ VMware warns. Yikes!

Another is a bug in its XHCI controller, allowing uninitialized memory usage. ‘This issue may allow a guest to execute code on the host,’ says VMware. Double yikes!

Another case of uninitialized memory usage is less serious since it only offers the possibility of information leakage rather than a complete takeover of the host machine. Still, not ideal by any means.

At least one of these problems is linked to Qihoo 360’s Pwn2Own hack, but the others? Who knows?

It just goes to show that virtual machines may be more secure than containers, but only by degree. There’s no room for complacency, and wrapping stuff up in a virtual machine — even a container — doesn’t guarantee security. It just helps a little, but if you end up getting pwned, that’s not really much help at all, is it?”


6600 to be Laid Off at Cisco

Many businesses use Cisco Networking and Servers, with their UCS technology, so this impacts virtualization in the Enterprise.

Cisco Ups Layoffs to 6,600 After Big Forecast Miss

Talkin’ Cloud – By: Aldrin Brown – “Cisco Systems said it would lay off 1,100 more employees than anticipated after reporting on Wednesday it expects to miss its fourth-quarter revenue target by as much as 6 percent, year over year.

The world’s largest network gear manufacturer had already announced 5,500 job cuts in August of 2016.

Cisco now plans to shed a total of 6,600 jobs as the company comes off its sixth straight quarter of declining revenue, amid a pivot from a focus on hardware to software products.

‘I am pleased with the progress we are making on the multi-year transformation of our business,’ Cisco CEO Chuck Robbins said.

‘The Network is becoming even more critical to business success as our customers add billions of new connections to their enterprises,’ the statement continued. ‘We are laser focused on delivering unparalleled value through highly secure, software-defined, automated and intelligent infrastructure.’

Cisco reported revenues of $11.9 billion for their third quarter – ended April 29 – down 1 percent from the same quarter in 2016.

Despite the air of gloom, net income was up 7 percent year over year, at $2.5 billion.

‘We executed well in Q3, delivering $11.9 billion in total revenue, while driving solid profitability and cash generation as we deliver on our strategic priorities,’ Cisco CFO Kelly Kramer said. ‘We will continue to invest in growth areas as we move the business toward more software and recurring revenue and return value to shareholders.’

For the coming quarter, however, Cisco said revenue could fall to just over $12 billion, for Q4, which ends Sept. 30.

Analysts had expected something closer to $12.5 billion.

On an earnings call today, Robbins attributed the revised revenue forecast, in part, to a 4 percent decline in public sector business, which is suffering because of political uncertainty in Washington, D.C.

‘It’s a pretty significant stall right now with the lack of budget visibility,’ the CEO said, according to Reuters.

Revenue for Cisco’s cybersecurity products business continued a positive trend, growing 9 percent to $527 million.

Still, even that business fell short of analysts’ expectations of more than $545 million.

The news sent Cisco shares plunging 1.4 percent today, to $33.83 per share, on a day when the broader Dow Jones Industrial Average fell 372.82 points.

Cisco stock fell another 7.7 percent in after-hours trading, to $31.22 per share.”


VMware Desktop-as-a-Service on Microsoft Azure

VMware will now offer DaaS on Microsoft Azure.

VMware To Offer Desktop-as-a-Service Infrastructure on Microsoft Azure

Virtualization Review – By: Keith Ward – “VMware, which last year announced a deal to integrate its infrastructure with Amazon’s public cloud, has entered into a deal with Amazon’s main competitor, Microsoft. This time it’s for delivery of virtualized desktops and apps on the Azure public cloud.

The announcement, which came as a surprise to many in the industry, means that VMware’s Horizon Cloud Desktop-as-a-Service (DaaS) infrastructure can be delivered via Azure. It will be called ‘VMware Horizon Cloud on Microsoft Azure.’

VMware’s press release announcing the deal quoted IDC’s Robert Young on the biggest potential benefit for VMware: ‘The addition of a major cloud platform such as Microsoft Azure has the potential to accelerate the adoption of VMware Horizon among customers searching for a different way to manage and deliver Windows 10 desktops and applications.’

One reason the partnership comes as a surprise is last October’s announcement of ‘VMware Cloud on AWS,’ which uses VMware’s plumbing technologies such as software-defined networking via NSX and software-defined storage via VSAN to undergird a hybrid cloud environment. At that time, AWS (Amazon Web Services) CEO Andy Jassy said that AWS would be VMware’s primary public cloud infrastructure partner, and VMware would be AWS’s primary private cloud partner.

Jassy didn’t discuss DaaS, virtual desktop infrastructure (VDI) or endpoint management. Whether that was intentional or not, it appears that VMware has decided to significantly broaden its cloud partnerships to include the No. 2 public cloud provider in Microsoft.

As a strategy, it appears to make sense, as Azure is a rapidly-growing platform adding customers at a rapid rate. AWS continues to lead, but is seeing that lead shrinking as Azure catches up, especially in the enterprise. According to one survey, Azure has taken the lead in the enterprise space. Other studies have found Azure to be ahead of AWS — to the point of widening its lead — in the Infrastructure-as-a-Service (IaaS) segment of the market.

The Azure deal further solidifies VMware’s about-face on public cloud in general. At one time, both AWS and Azure were primary competition for VMware in its attempt to build its own public cloud platform, originally called vCloud Hybrid Services. It was eventually renamed vCloud Air.

Launched in August 2014, vCloud Air was an attempt to move VMware’s customers to the public cloud without ever leaving its proprietary infrastructure. But vCloud Air never took off, remaining more of an on-premises and hybrid cloud solution. Because of that failure, last month VMware sold off vCloud Air to the European hosting provider OVH.

VMware said that VMware Horizon Cloud on Microsoft Azure is expected to be available in the second half of 2017. Pricing details weren’t given, but Horizon Cloud now costs customers $16 per user, per month.”
