Cloud Native and Industry News — Week of March 30, 2022
Every Thursday, Nick Chase and Eric Gregory from Mirantis go over the week’s cloud native and industry news.
This week they discussed:
- Log4j and other security news in the cloud native space
- Cybercrime in 2021
- Amazon and the Cloud ecosystem
- Legislation impacting cloud technology
- Developments in Go and Java
You can watch the full replay here.
To join Nick and Eric next Wednesday, April 6, at 1:00pm EST/10:00am PST, go here.
30% of Log4j security holes remain unpatched
Eric Gregory: A thousand years ago we spent several weeks talking about a series of critical vulnerabilities in Log4j and used phrases like “the Internet is on fire.” So…how’s that going?
According to the cloud security firm Qualys, about 70% of Log4j instances have been patched, while another 30% of those holes remain unplugged. Now, crucially, Qualys conducted this study among their own enterprise customer base, so this isn’t necessarily a comprehensive picture or a representative sample. But it does give us a picture of a large set of at least somewhat security-minded enterprises that are still struggling to keep up with Log4j vulnerability mitigation. So if patching Log4j is one of those new year's resolutions you haven’t quite gotten around to yet, maybe now’s a good time.
FCC adds Kaspersky to list of national security threats
According to the FCC, now is also a good time to delete Kaspersky antivirus, if you happen to have it installed. The FCC follows regulators in Germany in discouraging use of Kaspersky Labs products, citing the Russian organization as a national security risk and putting it in the company of Chinese businesses such as Huawei and ZTE.
This designation doesn’t preclude U.S. consumers from buying or using the products, but it does prohibit U.S. agencies from using federal funds to purchase them.
This move comes amid Russia’s ongoing war of aggression against Ukraine, but it’s not the first time Kaspersky has come under the scrutiny of the U.S. federal government. In 2017, reports in the Wall Street Journal and New York Times alleged that Russian spies used Kaspersky antivirus to steal classified NSA documents through installations on the personal computers of NSA contractors.
Hackers gaining power of attorney via fake emergency requests
Of course, not every cybersecurity breach is a matter of state-on-state espionage—sometimes it’s just a bit of good old-fashioned police impersonation. KrebsOnSecurity published a report yesterday on a wave of personal data thefts wherein attackers impersonate law enforcement—often using hacked emails—and then demand that a company provide a piece of sensitive personal information about a user account, citing a “life or death emergency.”
While most such requests in the U.S. require a court-ordered warrant, there are times when companies receive Emergency Data Requests, or EDRs, because hell is empty and all its acronyms are here. These new attacks are exploiting the EDR exemption, on the recognition that companies mostly don’t actually verify that the requests are legitimate. So it’s basically the cybersecurity equivalent of a bank robber dressing up as a cop, going to the bank, and saying, Hey, I need to pull some cash out of the vault, no time for questions, it’s a matter of life and death.
The consequences of these attacks, unfortunately, can be serious, with known cases of this attack taking personal data or internet history for doxxing and blackmail. Like many attack vectors, the fundamental problem here is as much social as technological—or more properly, it’s all about social technology. When a company receives a fraudulent EDR, especially from a seemingly authentic email address, it’s in a tough spot. If the request is real but they delay, they risk putting someone’s life at risk and failing to comply with law enforcement. If the request is fake, they might well do serious harm to someone who entrusted them with information. Indeed, Krebs notes that some of the hackers associated with these attacks have also been connected to swatting attacks that attempt to fraudulently deploy law enforcement with deadly force against unsuspecting victims. So the stakes are very high all around.
Nick Chase: Cybercrime was an extremely profitable business in 2021. According to the FBI's Internet Crime Complaint Center (IC3), 847,376 complaints resulted in losses of more than $6.9b. And by the way, that includes $347m in tech support scams, which target older people, so please train your parents in how to avoid getting taken in. They potty trained you, you owe it to them.
But it seems like this is almost a prestige business at this point. In past weeks we were hearing all about the inner workings of a group of individuals called the Conti ransomware affiliate, but now the new hotness so to speak appears to be the Lapsus$ gang. In the last couple of weeks it seems like they're everywhere. At the end of February the group, which specializes in stealing a company's data and threatening to release it unless a ransom is paid, broke into Nvidia's systems and demanded that Nvidia issue firmware updates to remove safeguards that were meant to keep their series 30 graphics cards from being used for cryptomining so that gamers could get their hands on the cards.
The gang has also hit identity-as-a-service provider Okta, which unfortunately has been a case study in how NOT to handle a situation like this, first saying that there had not been a breach, then that there had but that customer data hadn't been affected, then that a few customers - that is, about 375 - may have been affected, and now that well, they're still investigating. And by the way, those 375 customers potentially include some pretty big companies such as Amazon, Apple, and Microsoft, so there could be tens of thousands of users affected.
And Microsoft was also hit by Lapsus$ directly, with the gang posting screenshots of internal code repositories and claiming to have stolen Microsoft source code. For its part, Microsoft said in a blog that "Microsoft does not rely on the secrecy of code as a security measure and viewing source code does not lead to elevation of risk."
So how does Lapsus$ do all this? I mean, don't all of these companies use Multi-Factor Authentication? Well, yes, but apparently they rely on a number of different tactics. For example, they may steal your phone number. To do that they might call up your carrier and tell them that they're you and that they've lost their phone, and they need the number switched over to a new phone. Or they might call a help desk and talk them into switching a password. Or they might steal your personal email information and use that to change a password. Or if all that fails, they may just pay off someone in the company to give them access.
They've also hit Vodafone, Samsung, and other targets.
So pretty glamorous, right? Well, maybe not. You see, there is, apparently, no honor among thieves, so to speak. Late last year the group's leader apparently had a falling out with his business partners, which led to a doxxing, which is when a private person has their information leaked online.
So why hasn't law enforcement picked him up? Well, allegedly they have. British police have arrested seven people who were allegedly part of this gang, including the alleged leader, who had made about $14m in Bitcoin from his exploits. Allegedly.
His father told the BBC "He's never talked about any hacking, but he is very good on computers and spends a lot of time on the computer. I always thought he was playing games."
In fact, all 7 people arrested were between 16 and 21.
- Cybercriminals made almost $7bn in 2021: FBI | The Register
- Details of Conti ransomware affiliate released | ComputerWeekly
- Okta authentication company’s customer data targeted by the Lapsus$ gang | TechRepublic
- Authentication outfit Okta investigating Lapsus$ breach report | The Register
- Okta now says: Lapsus$ may in fact have accessed customer info | The Register
- Okta acknowledges 'mistake' in handling of Lapsus$ attack | The Register
- Microsoft confirms breach, attributes attack to Lapsus$ | TechTarget
- Microsoft warns of destructive attacks by Lapsus$ cybercrime group | TechRepublic
- British cops arrest seven in Lapsus$ crime gang probe | The Register
Containers are big business at AWS, but the competition is fierce
Eric Gregory: In cloud ecosystem news, Protocol ran a feature on adoption of container services at AWS this week, and while it didn’t include any blockbuster revelations, you can read between the lines to identify some notable trends. Some of the more interesting tidbits came from AWS customers quoted in the piece.
- First, we see that some customers are leaving the proprietary Elastic Container Service (ECS) in favor of open source. Eric Drobisewski, senior enterprise architect at insurance provider Liberty Mutual, says his company is weaning itself from ECS on account of its proprietary model. “The code for [ECS] is kind of closed off to Amazon in terms of how it’s implemented, how it’s developed,” Drobisewski said. “It’s got its own orchestration model that they built — it is not Kubernetes-based. It does support open standards in terms of the artifacts you can push in … but the operations model around it is really unique to it. Things that you might want to plug in — service mesh gets a lot of attention and things nowadays with Istio and Linkerd — a lot of those weren’t necessarily built as well to work in an ECS model.”
- EKS provides open source tooling, but there’s still heavy lifting involved for operations. Drobisewski went on to say, “My opinion with EKS is that there’s this false kind of belief that there’s no operations involved with it, which is absolutely not true.”
- AWS is still reluctant to embrace multi-cloud. Last year, Amazon launched ECS Anywhere and EKS Anywhere, which they position as a way to run ECS or EKS (Elastic Kubernetes Service) on-prem. Theoretically you could run them on another cloud, too, but Amazon doesn’t really want to talk about that, and they haven’t made it the smoothest experience in the world. Jason Gregson, an operations head at DoiT International, told Protocol that ECS Anywhere and EKS Anywhere don’t really allow for true cloud-neutral functionality. “It's more of an enabler than it is really a set of tooling to actually allow you to do vendor-agnostic cloud computing … around containers. The compute element that's running the software — yeah, absolutely that's agnostic. The part that actually allows customers to use it — no. Fundamentally, the architecture around it changes. It will run the application, but you've still got to do the embedding, and you've still got to do the integration. [You] still need to be able to allow customers to come in, talk to that web service and get the data they need to come out. That part changes everywhere.”
So what can we take from all this? The historical dominance of AWS puts it in an awkward position. So much of the movement in the cloud native space is toward multi-cloud architectures, toward interoperability and portability. In a very real sense, this is tooling built with AWS in mind; many users don’t want to be locked in to a single cloud provider, and that’s applying pressure on AWS, dragging them, kind of kicking and screaming, into providing tools like ECS and EKS Anywhere in order to compete with Microsoft and Google, even though those tools are in tension with Amazon’s “always own everything everywhere and make it cheaper” philosophy. A diversified cloud marketplace is a resource they just can’t own, and it’ll be interesting to watch how they continue to position themselves in the container space.
SEC proposes new climate change disaster planning rules
Nick Chase: This week in the US, the Securities and Exchange Commission proposed a new rule that would require companies to bake climate change into their disaster planning. So companies would have to consider severe weather, flooding, wildfires, and so on when putting together their Business Continuity Management plans. The idea is that by requiring all publicly traded companies to do this, they're putting all of these companies on a level playing field. But it can't be bad for the environment, either.
CLOUD Act and law enforcement data
Also on this side of the ocean, the US and Canada are discussing law enforcement data access under the Clarifying Lawful Overseas Use of Data Act, or the CLOUD Act. Don't you just love when they do that? I mean, somebody in Congress has to take the time to try and come up with a suitable acronym for all these things.
Anyway, the CLOUD Act governs how countries can get access to information stored in US servers for law enforcement purposes. According to the US Justice Department, "The Act permits our foreign partners that have robust protections for privacy and civil liberties to enter into executive agreements with the United States to use their own legal authorities to access electronic evidence in order to fight serious crime and terrorism."
And that "robust protections for privacy and civil liberties" is why countries have to be approved on an individual basis. The idea is to not approve authoritarian governments that can then use the CLOUD act to spy on political adversaries. The US currently has agreements with Australia and the UK, but ironically agreements with the EU are being held up because the EU doesn't think the US's privacy protections are strong enough.
Digital Markets Act and competition in tech
But the real EU legislative news is the Digital Markets Act, which has the real potential to change the way a company - or at least its software - is structured. The law, the text of which is currently being finalized, seeks to rein in so-called gatekeepers - that is, the big companies such as Amazon, Apple, Meta, Google, and Microsoft, or any company that has a market capitalisation of at least €75b and at least 45m monthly users, as well as a social network or search engine.
So what does it do? Well, a bunch of stuff. First, it requires that third parties should be able to interoperate with their services, for one thing. So a third party messaging service would be able to exchange messages with Facebook Messenger. Also users should be able to choose what software they want on their platforms, like choosing what browser you want to use on your iPhone. So Europe is really trying to break down these monopolies.
And we're already seeing some movement in that direction. We talked a week or so ago about a report recommending that Google and Apple enable third party payment, well, while Apple seems to be content to pay out fines almost as a cost of doing business, Google is starting an experiment by enabling Spotify to try out third party payment processors in some countries.
Though it should be pointed out that this is partly due to legislation in South Korea requiring it. Man, I would hate to have to figure all of these things out on a global scale.
- EU law threatening 'commercially painful changes' for tech out tonight | The Register
- Microsoft, Cisco, Zoom pledge conference room compatibility | TechTarget
Changes to app store fees
Apple is also doing something slightly similar, in that dating apps, rather than paying the 30% cut that Apple takes when using them as a payment processor, can pay Apple a flat fee in order to use a third party. Of course that flat fee is 27%, so I think we can see where that's going.
Generics added to Go
Eric Gregory: Earlier this month, the official blog for the Go programming language announced that as of version 1.18, Go supports generics. This is a long-awaited update, since generics are a useful and subtly powerful tool for developers to have in their toolbelts.
The name “generics” refers to the classes you can create using this functionality. With generics, you can create a single class and then, for a given instance of the class, specify a datatype for the class to use. So, for a super simple example, maybe this instance uses Booleans and that instance uses strings. This means you haven’t duplicated code by creating multiple different classes, and you’ve made your class reusable and sort of future-proof–if people need to use the class with different datatypes later on, including custom types that might not even exist yet, then hey, no problem.
Better yet, when you specify a type, the compiler is going to be able to verify that a function is indeed using that type and produce an error if not, so this is a nice boon for testability.
One drawback is that constraining the type on a function can also limit the methods you can apply. The implementation of generics in Go leaves a lot of method functionality intact, but this is still a tool devs will want to apply on a case-by-case basis. The big takeaway here, I think, is that this is a big step forward into maturity for Go and should be a real boon for large codebases written in Go. Like, oh, say, Kubernetes.
Source: An Introduction To Generics | Go
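Go expresses the idea above with type parameters on functions and types, constrained by interfaces. The example below is added here and is not code from the Go blog post or from the show; the `Ordered` constraint, the `Set` type and the `UserID` type are all hand-rolled for illustration (the `golang.org/x/exp/constraints` package is deliberately not used so the file builds with only the standard library). It shows the three points from the segment: one definition reused across element types (including a custom type defined later), compile-time checking of the type argument, and a constraint deciding which operators the body may use.

```go
package main

import "fmt"

// Ordered is a hand-rolled constraint for this example. The ~ forms admit
// named types whose underlying type is listed, such as UserID below.
type Ordered interface {
	~int | ~int64 | ~float64 | ~string
}

// MaxOf returns the largest element and false on an empty slice. Because T is
// constrained to Ordered, the compiler permits the < operator in the body;
// with T declared as `any` the same body would not compile.
func MaxOf[T Ordered](xs []T) (T, bool) {
	var zero T
	if len(xs) == 0 {
		return zero, false
	}
	m := xs[0]
	for _, x := range xs[1:] {
		if m < x {
			m = x
		}
	}
	return m, true
}

// Filter keeps the elements for which keep returns true. `any` is enough here
// because the body never compares, adds or hashes elements.
func Filter[T any](xs []T, keep func(T) bool) []T {
	out := make([]T, 0, len(xs))
	for _, x := range xs {
		if keep(x) {
			out = append(out, x)
		}
	}
	return out
}

// Set is a single generic type; each instantiation (Set[string], Set[UserID],
// ...) is a distinct concrete type. comparable is the constraint a map key needs.
type Set[T comparable] struct {
	m map[T]struct{}
}

// NewSet builds a Set from its arguments, deduplicating as it goes.
func NewSet[T comparable](items ...T) Set[T] {
	s := Set[T]{m: make(map[T]struct{}, len(items))}
	for _, it := range items {
		s.m[it] = struct{}{}
	}
	return s
}

// Has reports whether x is a member of the set.
func (s Set[T]) Has(x T) bool {
	_, ok := s.m[x]
	return ok
}

// Len returns the number of distinct members.
func (s Set[T]) Len() int {
	return len(s.m)
}

// UserID is a custom type that "did not exist" when Ordered and Set were
// written; ~string in the constraint means it still satisfies Ordered, and
// being comparable it also works as a Set element.
type UserID string

func main() {
	ids := []UserID{"u-42", "u-07", "u-99"}
	top, _ := MaxOf(ids) // T inferred as UserID
	fmt.Println(top)

	evens := Filter([]int{1, 2, 3, 4, 5, 6}, func(n int) bool { return n%2 == 0 })
	fmt.Println(evens)

	seen := NewSet(ids...)
	fmt.Println(seen.Has("u-07"), seen.Has("u-00"), seen.Len())

	// MaxOf([]bool{true}) would be rejected at compile time: bool is not in
	// Ordered, which is the type-checking benefit the segment describes.
}
```

Type arguments are inferred from the call in every case above, so call sites read like ordinary Go; the constraint only surfaces when a caller passes a type it does not admit, and then the error is a build failure rather than a runtime panic.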
Oracle and Java
Nick Chase: Oracle has started auditing companies for their use of Java. The programming language was developed by James Gosling and his team way back in 1996, when dinosaurs apparently roamed the earth and Gosling worked for Sun Microsystems. The idea was to create a language that would be Write Once, Run Anywhere, remember that?
Well, it was free, and it became pretty pervasive. I mean, it was everywhere, especially after it was incorporated into the Netscape browser. Then eventually, when Oracle bought Sun Microsystems in 2009, they thought, hmm, look at all of those people using our software for free. We can't have that. So they instituted a program where if you're using the Java Runtime Environment, you have to have an annual support subscription so that you can download updates and so on.
So all of this has led to a lot of confusion. The Register quotes Craig Guarente, Palisade Compliance founder and CEO as explaining that Oracle is cross referencing other compliance audits to find undeclared Java installs. For example, “Companies declaring 5,000 database licenses might get a knock on the door from a Java sales rep, saying, ‘We heard your environment is 5,000 CPUs: we don't see Java licenses for that.' You can be giving Oracle information one week in one area that's being used in a completely different area,” he said.
And then, as if this wasn't confusing enough, not only does this requirement apply even to older versions of Java, it actually applies only to the Java Runtime Environment, and not to the Java Software Development Kit.
So what do you do? Well, for many companies, it's hard to say, because often companies don't even know where Java is running, it's that pervasive. Scott Jensen, Oracle practice lead, told The Register “I've seen Fortune 500 organizations who basically uninstall Java overnight and then said, ‘Well, we'll see what breaks and if it breaks, then we'll put Java back’. But many organizations have sort of done a rip and replace taking out Oracle Java and replacing it with OpenJDK or other equivalents."
Which is another option; there are open source versions of Java. But it's a mess. The moral of the story is that if you think you might be using Java, you need to start getting your house in order and figuring out what you've got running where, which isn't a bad thing in the first place.