WebProNews

Category: CloudSecurityUpdate

  • AMD and Google Cloud Deliver EPYC-Based Confidential Computing

    AMD and Google Cloud are expanding their partnership, applying the power of EPYC processors to confidential computing.

    Confidential computing is a vital aspect of cloud security, helping to secure data while it’s being used. The technology keeps the data sequestered within a protected enclave of the CPU, with only authorized programs cleared to access it. AMD and Google Cloud have unveiled new confidential computing virtual machines (VMs) powered by AMD’s EPYC processors.

    “AMD has worked collaboratively with Google Cloud and Google’s security experts to provide customers access to advanced security technology while still achieving high performance in their workloads,” said Lynn Comp, corporate vice president, Cloud Business Unit, AMD. “With 3rd Gen AMD EPYC processors powering the new confidential computing offerings from Google Cloud, customers can continue to enjoy the general purpose and compute optimized workload capabilities they’ve had from Google Cloud, all while feeling confident in the security of their data.”

    “By providing our customers with advanced security technology from 3rd Gen AMD EPYC processors, we’re not only delivering more performance, but also optimizing Confidential Computing for more types of workloads,” said Nelly Porter, Group Product Manager, Google Cloud. “At Google Cloud, we believe that continuously investing in emerging technologies like Confidential Computing with partners like AMD will help us address our customers’ most pressing privacy concerns.”

    The news is a big win for AMD as the company continues to eat into Intel’s lead in the server market. After three years of gains, AMD’s share recently came in at 11.6%, driven largely by the success of its EPYC line.

    AMD says the new confidential computing VMs are available in regions around the globe.

  • Oracle Releases Massive April 2022 Critical Patch Update

    Oracle has released a major April 2022 Critical Patch Update, fixing a whopping 520 issues.

    Oracle regularly releases updates to its software and service. This update, however, is a large one, containing hundreds of fixes. The update also slightly changes the quarterly release schedule, making it easier to plan for future updates.

    “With this Critical Patch Update release, Oracle is making a small adjustment to the Critical Patch Update release schedule,” Eric Maurice, Vice President of Security Assurance, wrote in a blog post. “Critical Patch Updates will no longer be released on the Tuesday closest to the 17th of the month of January, April, July, and October, but they will be released on the third Tuesday of January, April, July, and October. This minor adjustment will not affect the frequency of Critical Patch Update releases (still 4 times a year), but essentially, makes it easier to set calendar reminders and determine the date of future Critical Patch Update releases.”

  • Microsoft Says It Will Make Changes Over Anti-Competitive Cloud Concerns

    Microsoft President Brad Smith has acknowledged concerns and vowed changes in response to complaints the tech giant is unfairly using its position to lock out cloud rivals.

    Microsoft has a long history of anti-competitive behavior, ultimately leading to its landmark anti-trust trial in 2001. Much of the company’s anti-competitive behavior came from it using its position in one market to gain an advantage in another. For example, the company used its Windows dominance to push Internet Explorer over Netscape. The company is now being accused of reverting to old habits, charging more for using Windows and Office with rival cloud platforms.

    If the allegations are true, it would be a departure from the company’s playbook in recent years. Under CEO Satya Nadella, the company has become far less concerned over forcing customers to use its platforms, instead focusing on making its software work on almost every major platform. To then turn around and penalize companies that use those other platforms seems antithetical to that philosophy.

    According to Bloomberg, company President Brad Smith has acknowledged the concerns, saying there is at least some cause for them.

    “There definitely are some valid concerns,” he said. “It’s very important for us to learn more and then make some changes.”

    Microsoft has so far managed to avoid the anti-trust scrutiny Amazon, Apple, Google, and Meta are currently under. The company would do well to voluntarily address these concerns before it finds itself in the crosshairs.

  • Experts Warn the EU’s DMA Will Break Encryption

    Another day, another attack on encryption, with security experts warning the EU’s DMA legislation will likely break, or severely weaken, encryption.

    The EU unveiled the Digital Markets Act (DMA) as its latest effort to crack down on Big Tech. In addition to severe fines, and even possible breakups, of companies that fail to abide by the legislation, the DMA calls for “gatekeeper companies” to make their services interoperable with smaller rivals.

    Messaging, in particular, is one of the most obvious areas impacted by this clause, with services like WhatsApp, Facebook Messenger, and Apple’s iMessage likely forced to open up and work with competitors. Unfortunately, since all of these services provide end-to-end encryption (E2EE), experts warn there is no easy way for the services to work with each other and still maintain the level of security and privacy they currently offer.

    In speaking with The Verge, one expert used a very low-tech example to illustrate the issues, especially with compatibility and accountability between various services.

    “If you went into a McDonald’s and said, ‘In the interest of breaking corporate monopolies, I demand that you include a sushi platter from some other restaurant with my order,’ they would rightly just stare at you,” Alec Muffett, former Facebook engineer and internet security expert, said. “What happens when the requested sushi arrives by courier at McDonald’s from the ostensibly requested sushi restaurant? Can and should McDonald’s serve that sushi to the customer? Was the courier legitimate? Was it prepared safely?”

    Similar questions plague potential implementation of the DMA. How will messages be securely sent across various platforms? If two different services use two different types of encryption, which company will modify its service to be compatible with the other? Will services opt to simply drop encryption when sending messages across services? Or will companies adopt some method of decrypting and re-encrypting as the message is passed from one service to another, making the communication vulnerable to interception, and thereby compromising privacy and security?

    Unfortunately, as has been stated time and time again, the encryption protocols people, companies, and governments rely on for privacy and security are not created, managed, or dictated by policies. They are, instead, bound and constrained by basic mathematics.

    Unfortunately for privacy and security, the mathematics of the DMA don’t quite add up.

  • Smaller ISPs the Weak Link in Cybersecurity War

    Everyone uses an internet service provider (ISP) to connect to the internet, but not all ISPs are created equal when it comes to security.

    Cybersecurity has become a major focus, for private companies and government agencies alike. Recent ransomware attacks have illustrated the vulnerabilities of software, services, and cloud options. Supply chain attacks, where bad actors compromise a commonly-used software component, have become a major attack vector.

    Another often-overlooked possible avenue of attack is ISPs. Unfortunately, the playing field isn’t always a fair one, according to Gustavas Davidavicius, Abuse Prevention Team Lead at IPXO. While larger ISPs have the IP and human resources needed to respond swiftly to threats, smaller ISPs often can’t compete.

    Davidavicius used the example of a recent DDoS attack against Vocus NZ, New Zealand’s third-largest ISP.

    “The pressures of having to make swift decisions can have a significant impact when managing security breaches. In this case, it seems that a few unfortunate decisions led to filtering out tons of legitimate traffic for all, leaving users without an Internet connection,” Davidavicius explained.

    “Cyber resilience has always been one of the top priorities, however, there is no single best solution that could address all the issues. As with all internet-related activities, the best way to protect yourself varies based on use cases and scope,” he continued.

    Unfortunately, until smaller ISPs are able to address their limitations, they will continue to be a weak link that hackers can exploit, leading to further internet outages.

  • Microsoft Warns of Phishing Attack ‘Targeting Hundreds of Orgs’

    Microsoft is warning of a new phishing attack that is abusing OAuth request links and “targeting hundreds of orgs.”

    OAuth is an open standard designed to allow services, apps, or websites access to an individual or organization’s information on other services, without the need to provide a password and full access.

    Unfortunately, it appears bad actors are using OAuth request links in a phishing attempt to gain access to users’ email. The bad actors are then able to set up filters to forward emails to another account, with experts warning this may be an attempt to acquire sensitive information.

    Microsoft warned about the issue on the Microsoft Security Intelligence Twitter account:

    Microsoft is tracking a recent consent phishing campaign, reported by @ffforward, that abuses OAuth request links to trick users into granting consent to an app named ‘Upgrade’. The app governance feature in Microsoft Defender for Cloud Apps flagged the app’s unusual behavior.

    The phishing messages mislead users into granting the app permissions that could allow attackers to create inbox rules, read and write emails and calendar items, and read contacts. Microsoft has deactivated the app in Azure AD and has notified affected customers.

    We’re seeing the campaign targeting hundreds of orgs. Microsoft Defender for Cloud Apps, Azure AD, and Defender for Office 365 can help protect against similar attacks by blocking the OAuth consent links or flagging unusual behavior of users or cloud apps.

    — Microsoft Security Intelligence (@MsftSecIntel), January 21, 2022