Will The Drupal Flaw Be Catastrophic?
The Drupal web content management system has been exposed as having backdoor access that could deliver your site to hackers.
The problem is not particularly new. Drupal warned about it earlier this month, but it still needs tackling as millions of websites may be at risk.
Drupal said that sites running version 7 really ought to have upgraded to 7.32 by now, because not doing so leaves them as open as a torn tea bag.
Initially the alert was about the threat, but the firm has updated its earlier advice and is now warning of in-the-wild attacks.
That earlier advice was about a problem in a database API. “A vulnerability in this API allows an attacker to send specially crafted requests resulting in arbitrary SQL execution,” warned Drupal in a security alert.
“Depending on the content of the requests this can lead to privilege escalation, arbitrary PHP execution, or other attacks. This vulnerability can be exploited by anonymous users.”
More recent information from the firm points users toward the released upgrade, and informs them that attacks started not long after the initial announcement.
“You should proceed under the assumption that every Drupal 7 website was compromised unless updated or patched before Oct 15th, 11pm UTC, that is seven hours after the announcement,” it said, adding that, even when updated, sites will have some cleaning up to do.
“If you have not updated or applied this patch, do so immediately, then continue reading this announcement; updating to version 7.32 or applying the patch fixes the vulnerability but does not fix an already compromised website,” it explains.
“If you find that your site is already patched but you didn’t do it, that can be a symptom that the site was compromised – some attacks have applied the patch as a way to guarantee they are the only attacker in control of the site.”
Gavin Millard, EMEA technical director at Tenable Network Security, advised people to follow Drupal’s advice.
“The so-called ‘Drupageddon’ vulnerability could have easily led to exploitation of any systems running the vulnerable code. With such an easy-to-exploit flaw, the chance of exfiltration of data or further exploitation is high,” he said.
“For those who have good security controls, reviewing of logs and traffic directed at the sites following the vulnerability being announced and the patch applied is common sense and highly advisable, with appropriate action taken if indicators of compromise are found.
“For those who don’t have such a good level of security or visibility into the logs, the advice from the Drupal team should be heeded. If you don’t know if you were exploited you should assume that you have been.”
IBM And Tencent Team Up
Tencent Holdings Ltd announced that it would be teaming up with International Business Machines Corp (IBM) on a new cloud software business for corporate customers, a marked departure for one of the dominant forces in China’s consumer Internet industry.
Best known for its popular WeChat messaging app and its online games rather than business software, Tencent said its cloud unit would now target small and medium enterprises in the healthcare and “smart city” industries.
Many technology firms are jockeying for a slice of China’s enterprise software market, which promises to grow sharply in coming years as businesses modernize their IT operations and move data onto the cloud.
Tencent’s alliance with IBM, which has deep experience providing computing and consulting services to corporate clients, provides the Shenzhen company a competitive answer to its Chinese rival Alibaba Group Holding Ltd’s nascent cloud efforts.
An e-commerce giant, Alibaba has been slowly building its cloud unit, which recorded just $38 million in revenue in the three months ended June 30.
Tencent said it would tap IBM for its “industry expertise and enterprise reach” but did not disclose financial terms of the deal.
For IBM, the Tencent deal is just the latest in a recent spate of new software partnerships in China, where its hardware sales have been sliding.
IBM announced a deal earlier this year to install its cutting-edge DB2 database software on Chinese rival Inspur International Ltd’s machines. Big Blue also agreed to license its database and big data technology to Chinese software vendor Yonyou Software Co Ltd.
HP’s Helion Goes Commercial
HP has announced general availability of its Helion OpenStack cloud platform and Helion Development Platform based on Cloud Foundry.
The Helion portfolio was announced by HP earlier this year, when the firm disclosed that it was backing the OpenStack project as the foundation piece for its cloud strategy.
At the time, HP issued the HP Helion OpenStack Community edition for pilot deployments, and promised a full commercial release to follow, along with a developer platform based on the Cloud Foundry code.
HP revealed today that the commercial release of HP Helion OpenStack is now available as a fully supported product for customers looking to build their own on-premise infrastructure-as-a-service cloud, along with the HP Helion Development platform-as-a-service designed to run on top of it.
“We’ve now gone GA [general availability] on our first full commercial OpenStack product and actually started shipping it a couple of weeks ago, so we’re now open for business and we already have a number of customers that are using it for proof of concept,” HP’s CloudSystem director for EMEA, Paul Morgan said.
Like other OpenStack vendors, HP is offering more than just the bare OpenStack code. Its distribution is underpinned by a hardened version of HP Linux, and is integrated with other HP infrastructure and management tools, Morgan said.
“We’ve put in a ton of HP value add, so there’s a common look and feel across the different management layers, and we are supporting other elements of our cloud infrastructure software today, things like HP OneView, things like our Cloud Service Automation in CloudSystem,” he added.
The commercial Helion build has also been updated to include Juno, the latest version of the OpenStack framework released last week.
Likewise, the HP Helion Development Platform takes the open source Cloud Foundry platform and integrates it with HP’s OpenStack release to provide an environment for developers to build and deploy cloud-based applications and services.
HP also announced an optimised reference model for building a scalable object storage platform based on its OpenStack release.
HP Helion Content Depot is essentially a blueprint to allow organisations or service providers to put together a highly available, secure storage solution using HP ProLiant servers and HP Networking hardware, with access to storage provided via the standard OpenStack Swift application programming interfaces.
Morgan said that the most interest in this solution is likely to come from service providers looking to offer a cloud-based storage service, although enterprise customers may also deploy it internally.
“It’s completely customisable, so you might start off with half a petabyte, with the need to scale to maybe 2PB per year, and it is a certified and fully tested solution that takes all of the guesswork out of setting up this type of service,” he said.
Content Depot joins the recently announced HP Helion Continuity Services as one of the growing number of solutions that the firm aims to offer around its Helion platform, he explained. These will include point solutions aimed at solving specific customer needs.
The firm also last month started up its HP Helion OpenStack Professional Services division to help customers with consulting and deployment services to implement an OpenStack-based private cloud.
Pricing for HP Helion OpenStack comes in at $1,200 per server with 9×5 support for one year. Pricing for 24×7 support will be $2,200 per server per year.
“We see that is very competitively priced compared with what else is already out there,” Morgan said.
Twitter To Allow Money Tweets
October 22, 2014 by admin
One of France’s largest banks is partnering with social network Twitter Inc. to allow its customers to transfer money via tweets.
The move by Groupe BPCE, France’s second largest bank by customers, coincides with Twitter’s own foray into the world of online payments as the social network seeks new sources of revenue beyond advertising.
Twitter is racing other tech giants Apple and Facebook to get a foothold in new payment services for mobile phones or apps. They are collaborating and, in some cases, competing with banks and credit card issuers that have run the business for decades.
The bank said last month it was prepared to offer simple person-to-person money transfers via Twitter to French consumers, regardless of which bank they use, and without requiring the sender to know the recipient’s banking details.
“(S-Money) offers Twitter users in France a new way to send each other money, irrespective of their bank and without having to enter the beneficiary’s bank details, with a simple tweet,” Nicolas Chatillon, chief executive of S-Money, BPCE’s mobile payments unit, said in the statement.
Payment by tweets will be managed via the bank’s S-Money service, which allows money transfers via text message and relies on the credit-card industry’s data security standards.
BPCE and Twitter declined to provide further details ahead of a news conference in Paris later today to unveil the service.
Last month, Twitter started trials of its own new service, dubbed “Twitter Buy”, to allow consumers to find and buy products on its social network.
The service embeds a “Twitter Buy” button inside tweets posted by more than two dozen stores, music artists and non-profits. Burberry, Home Depot, and musicians such as Pharrell and Megadeth are among the early vendors.
Twitter’s role to date has been to connect customers rather than processing payments or checking their identities.
Bitcoin Use Growing
September 8, 2014 by admin
Bitcoin is gaining greater acceptance at U.S. online merchants including Overstock.com and Expedia, as customers use a digital currency that just a few years ago was virtually unknown but is now showing some staying power.
Though sales paid for in bitcoin so far at vendors interviewed for this article have been a fraction of one percent, they expect that as acceptance grows, the online currency will one day be as ubiquitous as the internet.
“Bitcoin isn’t going anywhere; it’s here to stay,” said Michael Gulmann, vice president of global products at Expedia Inc. in Seattle, the largest online travel agent. “We want to be there from the beginning.” Expedia started accepting bitcoin payments for hotel bookings on July 11.
Until recently a niche alternative currency touted by a fervent group of followers, bitcoin has evolved into a software-based payment online system. Bitcoins are stored in a wallet with a unique identification number and companies like Coinbase and Blockchain can hold the currency for the user.
When buying an item from a merchant’s website, a customer simply clicks on the bitcoin option and a pop-in window appears where he can type in his wallet ID number.
Still, broad-based adoption of bitcoin is at least five years away because most consumers still prefer to use credit cards, analysts said.
“Bitcoin is a new way of making payments, but it’s not solving a problem that’s broken,” said George Peabody, payments consultant at Glenbrook Partners in Menlo Park, California. “Retail payments aren’t broken.”
There are also worries about bitcoin’s volatility: its price in U.S. dollars changes every day.
That risk is borne by the consumer and the bitcoin payment processor, such as Coinbase or Bitpay, not the retailer. The vendor doesn’t hold the bitcoin and is paid in U.S. dollars. As soon as a customer pays in bitcoin, the digital currency goes to the payment processor and the processor immediately pays the merchant, for a fee of less than 1 percent.
“We don’t have to deal with the actual holding of the bitcoin: it’s the payment processor that takes the currency risk for us,” said Bernie Han, chief operating officer at Dish Network Corp, in Englewood, Colorado. “That’s what makes it appealing for us and I guess for other merchants as well.”
Rackspace Goes OnMetal
Rackspace has launched OnMetal Cloud Servers, a service that combines the on-demand nature and scalability of cloud servers with the performance and total control of bare-metal servers.
The OnMetal Cloud Servers service will be available from July, initially at Rackspace’s Northern Virginia data centre only, but is expected to roll out internationally during 2015.
The service brings all the power and flexibility of cloud computing to applications previously considered unsuitable to run in a virtualised environment, according to the firm. It is an API-driven, single-tenant infrastructure-as-a-service (IaaS) offering that enables customers to provision dedicated servers with whatever operating system and services stack they require.
Rackspace has been looking at bare-metal provisioning since at least last year, when the firm introduced its Performance Cloud Servers tier for customers with more demanding workloads. However, there has been growing interest in the ability to own the entire server, according to the firm, because of the “noisy neighbour” problem in multi-tenant environments, where another workload on the same host may degrade network latency, disk input/output (I/O) and compute processing power.
Rackspace president Taylor Rhodes said, “Virtualisation and sharing a physical machine are fantastic tools for specific workloads at certain scale; however, we’ve learned that the one-size-fits-all approach to multi-tenancy just doesn’t work once you become successful, so we created OnMetal to simplify scaling for customers to stay lean and fast with a laser-sharp focus on building out their product.”
OnMetal Cloud Servers make use of the Ironic Bare Metal Provisioning project in the OpenStack cloud computing framework. Ironic is still in incubation rather than a full core part of OpenStack, but Rackspace has a policy of introducing cutting-edge features in its cloud services.
The physical hardware itself is compliant with Open Compute Project specifications, and available in three different tiers aimed at specific workloads.
These comprise a compute-optimised configuration for application servers, supporting 20 threads and 32GB of memory, and a memory-optimised configuration for tasks such as in-memory analytics, supporting 24 threads and 512GB.
An I/O-optimised configuration supports 40 threads with 128GB of memory and a 3.2TB PCI Express flash drive. The latter is best suited to traditional databases, NoSQL and online transaction-processing applications, Rackspace said.
Pricing has not been disclosed, but Rackspace said customers will be able to pay by the minute, with utility-style billing only for the resources they use.
Oracle Takes A Fall
Oracle posted fiscal fourth-quarter results that were just horrible for investors looking for more progress in web-based services, sending its shares lower.
The company had been expected to report a pickup in its software business and progress in cloud computing, and shares of Oracle had gained 10 percent over the past three months. However, yesterday it was clear that Oracle is getting a kicking from competitors such as Salesforce.com and Workday, which have been offering competitive software and Internet-based products at prices that often undercut Oracle.
Tech spending is likely to fall as more companies move to the cloud. Oracle has been rolling out its own cloud-based products but they remain under five percent of its overall revenue. For the fiscal first quarter, Oracle expects software and cloud revenue to grow between 6 percent and 8 percent. That forecast includes expectations for software- and platform-related cloud services to grow between 25 percent and 35 percent.
Oracle said it expects its hardware system revenue to be in a range of down 1 percent to up 3 percent.
For its latest fourth quarter, Oracle said overall revenue rose 3 percent to $11.3 billion. That was less than the $11.48 billion analysts had expected on average. Net income fell 4 percent to $3.6 billion.
Revenue from Oracle’s hardware systems products grew 2 percent to $870 million.
Is China Hurting U.S. Vendors?
Shipments of servers from Chinese vendors grew at a rapid pace while the top server vendors in the U.S. declined during the first quarter of this year.
Worldwide server shipments were 2.3 million units during the first quarter, growing by just 1.4 percent compared to the same quarter last year, according to Gartner.
Growth was driven by Chinese server vendors Huawei and Inspur Electronics, which were ranked fourth and fifth, respectively, behind the declining Hewlett-Packard, Dell and IBM.
Huawei has been in the top five for server shipments for more than a year, but Inspur Electronics is a new entrant. Inspur builds blade servers, rack servers and supercomputers, and is best known for being involved in the construction of China’s Tianhe-2, which is currently the world’s fastest supercomputer, according to Top500.org.
Chinese servers partly benefitted from the 18 percent shipment growth in the Asia-Pacific region, while shipments in other regions declined, Gartner said in a statement.
Server buying trends have changed in recent years. Companies like Facebook, Google and Amazon, which buy servers by the thousands, are bypassing established server makers and purchasing hardware directly from manufacturers like Quanta and Inventec. That trend in part led to the establishment of the Open Compute Project, a Facebook-led organization that provides server reference designs so companies can design data-center hardware in-house.
Similarly, Chinese cloud providers are building mega data centers and buying servers from local vendors instead of going to the big name brands, said Patrick Moorhead, analyst with Moor Insights and Strategy.
The trend of buying locally is partly due to the security tension between the U.S. and China, but servers from Chinese companies are also cheaper, Moorhead said.
The enterprise infrastructure is also being built out in China, resulting in a big demand for servers. There is also a growing demand for servers from little-known vendors based in Asia — also known as “white box” vendors — in other regions, Moorhead said.
HP’s Z-station Goes Nvidia
HP has added to its Z Workstation family a solution that delivers access, via a virtual desktop route, to workstation applications hosted in the data centre.
Set to be available from next month, the HP DL380z Virtual Workstation enables organisations to provide remote access to workstation-class applications, even those calling for heavy-duty graphics, which allows them to keep data stored securely in the data centre wherever employees might be based.
As its name suggests, the HP DL380z is based on the same hardware as HP’s ProLiant DL380p server, a 2U rack-mount two-socket system based on Intel’s Xeon E5-2600 processors, which allows it to slot right into existing data centre infrastructure.
Where the HP DL380z differs is that it can be configured with up to two Nvidia Grid K2 graphics cards supporting the graphics firm’s Grid GPU virtualisation technology. This enables up to eight users to be hosted on each system, each with access to a virtual machine with GPU acceleration capabilities.
Jeff Groudan, worldwide director for HP Thin Client and Virtual Workstations, said, “For employees who work from A to B and everywhere in between, the HP DL380z allows them to access data that is securely stored in the data centre. Furthermore, the powerful HP DL380z is an always-on workhorse that can be used by businesses when not in use for virtual workstation sessions.”
Remote access is delivered either by operating Citrix’s XenServer with its HDX 3D Pro technology, which the HP DL380z is certified for, or by utilising HP’s own Remote Graphics Software (RGS). The latest HP RGS release 7 adds the ability to have true workstation productivity from a tablet while bringing intuitive touch controls to non-touch applications, according to HP.
Either way, customers can provide engineers or other professional users with access to workstation-class applications from a variety of devices, including thin clients, laptops or tablets.
Pricing for the HP DL380z has yet to be confirmed.
HP & Foxconn Head To The Cloud
May 20, 2014 by admin
HP and Foxconn have announced a joint venture to create a line of cloud-optimised servers for service providers.
The venture involving a non-equity, strategic commercial alliance will see the pair offering a range of products. Particulars and specifications are yet to be announced but the companies are aiming to target low total cost of ownership (TCO), scale and service.
This announcement is separate from the existing HP ProLiant server portfolio, which includes the software-defined server codenamed Moonshot.
HP CEO Meg Whitman said, “With the relentless demands for compute capabilities, customers and partners are rapidly moving to a New Style of IT that requires focused, scalable and high-volume system designs. [The partnership] will enable us to deliver a game-changing offering in infrastructure economics.”
News of the alliance will raise eyebrows at Apple, which reportedly returned an eight million unit shipment of iPhones to Foxconn last year, describing them as “dysfunctional” and “non-compliant”.
HP has had its own troubles recently, after settling two lawsuits this month, one to the former shareholders of Palm over its handling of WebOS, and another that revealed that HP executives were guilty of corruption in negotiations for lucrative contracts. Total payouts across the two settlements totaled $165m.
The HP joint venture with Foxconn will take effect from 1 May, when we hope to find out more details about what it will entail.