Radio Cloud Native – Week of May 18, 2022
Every Wednesday, Nick Chase and Eric Gregory from Mirantis go over the week’s cloud native and industry news.
This week they discussed:
…and more. You can watch the full replay below:
To join Nick and Eric next Wednesday, May 18, at 1:00pm EST/10:00am PST, follow Mirantis on LinkedIn to receive our announcement of next week’s topics.
Google Cloud’s Assured Open Source Software and Supply Chain Security
Eric Gregory: At Google Cloud’s annual Security Summit this week, the company announced a new initiative to address software supply chain security.
The Assured Open Source Software service is a program to provide enterprise and government users with scanned and Google-signed open source packages from Google’s secure registry. At first, they’re focusing on Java and Python packages, since those have, quote, “particularly high risk profiles,” as Google Cloud Cloud VP and GM Sunil Potti told The Register. A big part of the effort seems to spinning out Google’s internal processes into a customer-facing service – packages are subject to a compliance standard based on Binary Authorization for Borg, the internal standard used for all production workloads at Google.
In an interview with Protocol, Google Cloud’s chief information security officer, Phil Venables noted that the Assured Open Source Software offering would be available to customers running on other platforms. Quote, “It is a Google Cloud-delivered product. But we’re not just going to do this for things that run on Google Cloud. It could be for any software that enterprises consume into their on-premises systems, or in fact, other clouds.” Elsewhere, he says, “To just focus on Google Cloud, we wouldn’t be serving our customers. Our customers’ reality is a hybrid, multicloud environment.”
Sources: The Register and Protocol
Costa Rican government systems downed by ransomware
Nick Chase: Lots of ransomware news this week, including the closure of Lincoln University after 157 years due to an attack that originated in Iran destroyed its recruiting, retention, and fundraising systems. But the big news is the state of emergency declared by Costa Rica.
On April 17, the Russian-speaking Conti ransomware organization targeted the government of Costa Rica, attacking at least five different agencies and threatening to release information if the government didn’t pay $10 million in ransom. Trouble is that Costa Rica has laws that prohibit paying ransom, so Conti released about a terabyte of data, which it claimed to have gotten off something like 800 servers to which it had gained access. In particular, it released 900 gigabytes of data from the Tax Administration Portal, and claimed that it had implemented a large number of backdoors in various public ministries and private companies. They also said they would continue the attacks until they got paid.
Now, while this seems like a straight-up criminal attack, the outgoing Costa Rican president, Carlos Alvarado Quesada, gave a statement on April 22 that said the attack was aimed at destabilizing the country’s transition to its newly elected president, former World Bank official Rodrigo Chaves. And you can insert your own Presidential transition disruption joke here.
But it wasn’t that crazy a claim, because at that point the government was losing about $200 million a day because customs and other systems were still shut down.
Then on April 25, Conti encrypted all of the administrative systems of the government agency managing the electricity in Cartago, a town of 160,000 people, though power and internet were unaffected.
May 8 the new president took office and the first thing he did was to sign an order creating a state of emergency over the attack in order to give the government more agility in responding.
By this past Monday, the group was calling on the citizens of Costa Rica to overthrow the government and replace it with another more willing to pay them. Supposedly they had already released 97% of the data they had stolen, and some experts point to the call as a sign that the group was running low on incentive for Costa Rica to pay.
But then, they also doubled the ransom to $20 million dollars and threatened to delete the keys if that wasn’t paid by next Monday.
So who are these people?
According to ThreatPost, “Conti acts on a ransomware-as-a-service (RaaS) model, with a vast network of affiliates and access brokers at its disposal to do its dirty work. The group also is known for targeting organizations for which attacks could have life-threatening consequences, such as hospitals, emergency number dispatch carriers, emergency medical services and law-enforcement agencies.”
The FBI says that since they emerged in July of 2020, Conti has hit over 1000 victims, with over $150 million in payouts. The fact that they’re not afraid to go after governments is an interesting wrinkle; on April 27 they hit Peru’s intelligence agency. The United States government is offering a $10 million reward for information about any of the group’s leaders, with another $5 million reward for someone involved in any of their attacks.
But the most chilling thing is that on May 9 a hacker supposedly involved in the attack wrote, among other things, that “in the future I will definitely carry out attacks of a more serious format with a larger team, Costa Rica is a demo version.”
Kubernetes security survey
Eric Gregory: Red Hat released a Kubernetes security survey this week concluding that widespread human error is leading to security incidents with Kubernetes. Humans, man. Can’t live with ‘em, can’t live without ‘em. The sample in this survey is 300 professionals, but the big numbers on some answers are suggestive of some trends. 55 percent reported that they had to delay the debut of an app due to security concerns, and 93 percent reported a security incident in their Kubernetes clusters in the last year.
The report pointedly cites a World Economic Forum report claiming that “95 per cent of cybersecurity issues can be traced to human error.” (I should note here that the World Economic Forum doesn’t actually cite a source for that number at the end of the day, so, you know, be careful taking that to your next incident response meeting.)
Envoy Gateway Makes Using Envoy Proxy Easier for Developers
Nick Chase: Interesting development in the world of service mesh. Now, when you say “service mesh” the first thing that comes to mind is probably istio, but at the heart of Istio is a component called Envoy. Now members of the steering group for Envoy Gateway (EG), including Envoy creator Matt Klein and representatives from Ambassador Labs, Fidelity Investments, Tetrate, and VMware, Inc., have announced their joint commitment to the project, which launched on Monday at Kubecon under the auspices of the Cloud Native Computing Foundation. Envoy Gateway is a new effort within the Envoy proxy open source project to simplify Envoy use in cloud-native application development.
According to the announcement, Envoy Gateway will reduce existing, redundant efforts around Envoy and make it easier for application developers to use Envoy as a basic API gateway “out of the box” and as a Kubernetes Ingress controller. Exposing a simplified set of APIs, and implementing the Kubernetes Gateway API, EG makes it easier to extend Envoy. Developers will now have a cost-free, unfettered way to provide external access to their work in progress. At the same time, Envoy Gateway will not replace API management features currently found in commercial products.
Envoy is already widely used for traffic between separate services in a microservices application—that is, east-west traffic. With Envoy Gateway, Envoy will also be easy to use for north-south traffic—traffic between an application and the outside world, as with consumers of an application’s APIs.
Juniper Contrail goes cloud native
Nick Chase: Juniper has announced the release of Contrail Networking Cloud Native, or CN2. This new version of Contrail has been designed to be compliant with the Container Networking Interface, or CNI, so you can use it with Kubernetes as well as continuing its compatibility with OpenStack. It’s also designed to create a single unified networking environment for a multi-cluster or a hybrid environment.
In a blog post, the company also announced a new Contrail plugin for the Lens Kubernetes platform, as well as integration with all of the other Kubernetes tools we’re used to using to manage Kubernetes resources. Interestingly, that same blog post also casually mentions that “Additionally, CN2 was built privately as closed source. Instead of open sourcing as with previous versions 21.4 and prior, version 22.1 will mark CN2’s introduction – and those that want access can get free trial licenses from Juniper!”
In 2019, Juniper bought Mist Systems for $405 million. The company specializes in AI enabled networking, in other words what we’re now calling AIOps, and this week Juniper CEO Rami Rahim told the company’s Global Summit that he thinks artificial intelligence will be completely automating networks within five years.
