Posted on June 6, 2013 at 10:54 am
Researchers have uncovered thousands of misconfigured Amazon S3 storage buckets, making it possible to obtain access to potentially highly sensitive company data.
In the tests, penetration testing firm Rapid7 was able to access personal photos from a social media service, a car dealership’s sales records and account information, firms’ employee records as well as unprotected database backups containing site data and encrypted passwords.
According to Will Vandevanter, senior security consultant at Rapid7, the firm was able to access the information having identified more than a thousand publicly accessible Amazon S3 storage buckets.
Firms typically use Amazon’s S3 system to store static content such as server backups, company documents, web logs, and publicly visible content such as website images. The files in S3 are then organised into so-called buckets.
“Although a file might be listed in a bucket it does not necessarily mean that it can be downloaded. Buckets and objects have their own access control lists,” Vandevanter wrote on a company blog.
Firms that had stored their data insecurely in S3 could be set for a rude awakening, he warned.
“Much of the data could be used to stage a network attack, compromise user accounts, or to sell on the black market.”
Typically, Amazon would make S3 buckets private, so the public ones are likely to be the result of user misconfiguration, said Vandevanter.
Nonetheless, Amazon Web Services makes it easier for would-be hackers by using a URL structure that is easy to guess, making it child’s play to access public buckets.
“Checking if a bucket is public or private is easy. All buckets have a predictable and publicly accessible URL,” he added.
Having identified hundreds of public buckets, Vandevanter and his colleagues took a random sample to check which buckets had accessible content.
They discovered more than five million accessible text documents, many of which were marked ‘private’ or ‘confidential’.
AWS told V3 there were many legitimate reasons users might choose to leave buckets open, but in cases where customers were unsure, it did its utmost to work with them to secure their data.
“AWS Support staff regularly reach out to customers who may have potential configuration issues with AWS, to assist those customers with achieving better efficiency, reduced costs, or in some cases, to remedy their security configuration and posture, for S3 and other services,” a company spokesman told V3.
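For administrators checking their own buckets, the distinction Vandevanter draws between a file being listed and a file being downloadable can be read straight out of the ACL documents. The following is an added example, not code from Rapid7 or AWS: it parses S3 AccessControlPolicy XML and reports what the bucket ACL and each object ACL grant to the two public groups. The sample ACLs, owner ID and object keys are constructed, and bucket policies, which can also grant public access, are outside its scope.

```python
import xml.etree.ElementTree as ET

NS = "{http://s3.amazonaws.com/doc/2006-03-01/}"
XSI = 'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"'
GROUPS = "http://acs.amazonaws.com/groups/global/"
PUBLIC = {GROUPS + "AllUsers": "anyone",
          GROUPS + "AuthenticatedUsers": "any AWS account"}

# The same permission exposes different things on a bucket and on an object.
EXPOSES = {
    "bucket": {"READ": "list object keys", "WRITE": "create/overwrite/delete objects",
               "READ_ACP": "read the bucket ACL", "WRITE_ACP": "rewrite the bucket ACL"},
    "object": {"READ": "download the object",
               "READ_ACP": "read the object ACL", "WRITE_ACP": "rewrite the object ACL"},
}


def public_grants(acl_xml, kind):
    """Return sorted (audience, capability) pairs an ACL gives to public groups."""
    found = set()
    for grant in ET.fromstring(acl_xml).iter(NS + "Grant"):
        uri = grant.findtext(f"{NS}Grantee/{NS}URI")
        perm = grant.findtext(NS + "Permission")
        if uri not in PUBLIC:
            continue  # canonical-user grantees are named accounts, not the public
        # FULL_CONTROL stands for every permission valid on this resource type.
        perms = EXPOSES[kind] if perm == "FULL_CONTROL" else [perm]
        for p in perms:
            found.add((PUBLIC[uri], EXPOSES[kind].get(p, p)))
    return sorted(found)


def audit(bucket_acl, object_acls):
    """For each object: is its key publicly listed, is its content publicly readable?"""
    listable = any(cap == "list object keys"
                   for _, cap in public_grants(bucket_acl, "bucket"))
    report = {}
    for key, acl in object_acls.items():
        readable = any(cap == "download the object"
                       for _, cap in public_grants(acl, "object"))
        report[key] = {"listed_publicly": listable, "downloadable_publicly": readable}
    return report


def sample_acl(*grants):
    """Build a constructed ACL; each grant is (public group name or None, permission)."""
    body = ""
    for group, perm in grants:
        grantee = (f'<Grantee {XSI} xsi:type="Group"><URI>{GROUPS}{group}</URI></Grantee>'
                   if group else
                   f'<Grantee {XSI} xsi:type="CanonicalUser"><ID>EXAMPLE-OWNER-ID</ID></Grantee>')
        body += f"<Grant>{grantee}<Permission>{perm}</Permission></Grant>"
    return (f'<AccessControlPolicy xmlns="{NS[1:-1]}"><Owner><ID>EXAMPLE-OWNER-ID</ID></Owner>'
            f"<AccessControlList>{body}</AccessControlList></AccessControlPolicy>")


# Constructed sample: a publicly listable bucket holding one private and one public object.
BUCKET_ACL = sample_acl((None, "FULL_CONTROL"), ("AllUsers", "READ"))
OBJECT_ACLS = {
    "backups/site-db.sql.gz": sample_acl((None, "FULL_CONTROL")),
    "img/logo.png": sample_acl((None, "FULL_CONTROL"), ("AllUsers", "READ")),
}

if __name__ == "__main__":
    print(public_grants(BUCKET_ACL, "bucket"))
    for key, status in audit(BUCKET_ACL, OBJECT_ACLS).items():
        print(key, status)
```

In a real audit the XML would be the body returned by the S3 GetBucketAcl and GetObjectAcl operations for buckets the auditor owns.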
Posted in Cloud Hosting
Posted on June 4, 2013 at 12:53 pm
Amazon has unveiled a security platform aimed at improving protections for its AWS cloud computing platform.
The company said that the CloudHSM platform would allow users to purchase use of dedicated security modules which can encrypt AWS instances to prevent unauthorised access.
Under the CloudHSM plan, customers can purchase use of the hardware modules which generate and store encryption keys. The keys are then used to encode and decrypt the data stored in AWS instances. The keys themselves will only be available to the users, providing additional protections.
Amazon said that while it works to secure every AWS instance, some customers have sought out additional protections. To provide more security and to comply with certain regulations regarding data storage and security, the company said that it needs to offer the heightened protections of a service such as CloudHSM.
“Until now, organizations’ only options were to maintain data in on-premises datacentres or deploy local HSMs to protect encrypted data in the cloud,” Amazon said in announcing its new service.
“Unfortunately, those options either prevented customers from migrating their most sensitive data to the cloud or significantly slowed application performance.”
Security worries have long plagued the adoption of cloud computing services. While vendors themselves have sought to dismiss such concerns, many organisations have listed fears of data breach and unauthorised access among their chief concerns for cloud migration.
Posted on June 2, 2013 at 6:45 pm
Oracle continues to struggle to sell servers. Earlier this month the firm reported that third quarter revenue for its servers was down 23 percent year-over-year. Overall, the company failed to keep up with competitors, holding only a four percent market share.
The Larry Ellison-led company has failed to find the secret sauce necessary to interest firms in its line of hardware. Oracle’s inability to compete with rivals has really hurt the company’s bottom line over the past few years.
While the company recently launched a new line of Sparc T5 and M5 servers, it is yet to be seen if that will be enough. Even if the servers turn out to be amazing, Oracle’s real problem is its strategy of designing entire systems for only Oracle gear.
The firm runs on the idea that by doing it all themselves they can create the best systems. Not to mention, build out platforms that require all-Oracle software and hardware.
Unfortunately for Oracle, the hardware industry no longer works without some form of cooperation. Take HP for example: its Pathfinder program sees the firm working with other tech firms to create ARM servers for its Project Moonshot program.
The program sees HP co-developing servers with hardware and software vendors. HP’s approach is different from Oracle’s in that it aims to build servers that are not so closed and proprietary.
Oracle still exists on an old way of thinking. The firm believes that a business can get away with offering a proprietary system. But in today’s infrastructure that is not true. Users want choice and the ability to not be bogged down by a single option.
HP will need to focus on open platforms if it wants to turn things around. And under Meg Whitman it looks like it’s going that way. Project Moonshot is a good example of a new paradigm that HP is creating. Over time that paradigm shift could mean big things for the firm’s ability to take some of Oracle’s business.
Things at HP and Oracle are both quite bumpy at the moment. But one firm is making the smart move (at least when it comes to servers). HP sees a future more in line with what smaller firms like Salesforce are doing. Oracle, however, is struggling to adapt.
The idea that Oracle doesn’t “get it” isn’t necessarily anything new. Salesforce chief executive and Larry Ellison’s mortal enemy Marc Benioff said something similar back in 2011. But Ellison and Oracle still don’t get it.
HP is adapting, even IBM is adapting, but Oracle just doesn’t get it.
27 Mar 2013
Posted on May 31, 2013 at 1:52 pm
Microsoft has rolled out a series of updates to its Mail, People and Calendar applications, which will bring new features to its communications and scheduling platforms, allowing users to better manage content through multiple accounts.
The update will include cosmetic changes to the applications and add new features designed to improve organisation and productivity.
“These apps are designed to manage communication seamlessly on Windows PCs and tablets across multiple accounts — Outlook.com, Exchange, and others,” wrote Microsoft communications manager Brandon LeBlanc in a company blog post.
“We know our customers typically have two or more email accounts for personal use and work use, they use these accounts throughout the day, and they have a large volume of email they’re continuously managing.”
Among the features in the Mail update will be new menu and presentation options which can allow users to view messages from multiple accounts and toggle between multiple work and personal email accounts within the application.
The company is also adding new style options for hyperlinks and bulleted lists in the new message composition window.
For Calendar, the update will bring the ability to use the Exchange Scheduling Assistant tool for business users and will change the presentation of the calendar to show events as outlined boxes rather than solid blocks. Microsoft claimed the changes will improve the look and feel of Calendar.
The People application, meanwhile, will be enhanced with a number of new navigation options which can be triggered via a right mouse click or by a swiping gesture on touch-enabled PCs. The social networking tool will also add new filter options to the news feed screen.
Microsoft said that users can obtain the update through the Updates screen within the apps or by downloading the latest version of the applications from the Windows Store service.
Posted on May 29, 2013 at 5:15 pm
Cisco has moved to boost its cloud computing offerings by purchasing Austrian firm SolveDirect, which provides tools to join and manage disparate IT systems in a single system.
The firm announced the deal on Monday and said that it would help it further boost its offering to customers by enabling it to keep pace with the changing face of enterprise IT management.
“The move towards multi-sourcing and cloud services is accelerating the development of large ecosystems of companies – from enterprise IT and manufacturing, to SaaS providers – that need to share data in a secure and scalable way,” wrote Hilton Romanski, vice president of corporate business development.
“SolveDirect’s cloud-based solutions offer enterprises and service providers a flexible way to integrate with service partners, and automate sharing of processes, data, and workflows in real-time by eliminating manual practices and bottlenecks, driving significant operational efficiencies.”
On its website SolveDirect boasts of having over 200 customers using its product to bring all their IT systems into one single cloud-based management portal.
“The SolveDirect acquisition provides customers, vendors and partners an automated – “connect once, connect to all” – way to exchange data and work flows to improve economies of scale as the ecosystem grows,” the firm said on its website confirming the deal.
“Combining Cisco’s existing support ecosystem of customers, partners and resellers with SolveDirect’s real-time cloud-based architecture, will help solve the need for smart and connected IT services.”
Financial details of the deal were not disclosed, but Cisco will acquire all of SolveDirect’s shares and executive leadership, and the deal is expected to close by the fourth quarter of 2013.
Posted on May 27, 2013 at 6:16 pm
Oracle share prices dropped over nine percent following poor third-quarter earnings.
The firm’s total revenue was down one percent in Q3. Oracle missed expectations for the quarter. Company executives blame the poor showing on an influx of new sales staff that led to sales execution issues.
Oracle reported that total revenues for the quarter were down at just under $9bn. The company says it scored third quarter earnings of 65 cents a share. Analysts were expecting slightly higher earnings of 66 cents a share and revenues above $9bn for the quarter, according to Reuters.
Following the results, Oracle took a tumble on Wall Street. As of this writing company shares have dropped over nine percent. Shares are currently trading at $32.29.
During a call with investors, Oracle’s chief financial officer Safra Catz said the lower-than-expected revenues were a result of a slew of recent hiring in Oracle’s sales division. According to Catz, new staff training required some of Oracle’s transactions to be pushed out into the next quarter.
Patrick Moorhead, principal analyst at Moor Insights and Strategy, disagrees with Catz’s assessment. Moorhead told V3 that Oracle’s biggest issue is its inability to compete in key markets.
“I don’t see Oracle’s Q3 issues stemming from sales execution. Oracle has two primary issues. First, they aren’t competitive with industry standard x86 servers,” Moorhead said.
“Secondly, they came late to the cloud party where most of the growth is coming from. They have a lot of ground to cover in the next few years to catch up with HP.”
Oracle chief executive Larry Ellison famously dismissed cloud computing as a fad in the early days of the platform. The firm has been playing catch up in the market ever since Ellison’s statement.
In the server market, Oracle has also lagged behind its competitors over the past few years. According to a recent Gartner study, Oracle fails to match IBM, Dell, and HP in overall revenue from server sales.
Posted on May 25, 2013 at 3:28 pm
Apple has added the option for two-factor authentication to its iCloud web services platform.
The company said in a post to its support site that users will now be able to voluntarily enable the security protections which combine the traditional username and password requirements with an additional four-digit randomly generated access code.
The platform will allow users to configure a trusted third device, such as a mobile phone, which will receive the code. Upon attempting to log in, users will give their username and password, then the code they received via SMS or Find My iPhone Notifications.
Apple is recommending that users enable the two-factor option in order to increase the security of their devices and prevent the loss of accounts due to password theft.
“Your Apple ID is the key to many important things you do with Apple, such as purchasing from the iTunes and App Stores, keeping personal information up-to-date across your devices with iCloud, and locating, locking, or wiping your devices,” Apple said.
“Two-step verification is a feature you can use to keep your Apple ID as secure as possible.”
Upon signing up, Apple said that it will also provide users with a 14-digit recovery code which can be used to reset the options should the user forget their password or lose their designated mobile device. Apple recommends that users print and store the code in a safe place.
The use of two-factor authentication has grown increasingly popular in recent years as cloud services and social networking sites have sought to provide additional protections beyond the username and password combinations which can often be guessed or obtained by hackers through phishing sites.
Companies including Facebook and Dropbox offer two-factor authentication options for users through mobile devices, while companies such as PayPal and Verisign have long-offered mobile and keyfob-based two-factor authentication to protect financial transactions.
Posted on May 23, 2013 at 4:13 pm
About 75 percent of the energy consumed by Apple’s facilities comes from renewable resources, according to a company-issued sustainability report.
In the last two years Apple has increased its use of renewable energy by 50 percent, though the firm’s long-term goal is to run its facilities using 100 percent renewable resources.
Environmental advocates have praised the iPhone maker for its advancements towards green energies.
“Apple’s announcement shows that it has made real progress in its commitment to lead the way to a clean energy future,” said Greenpeace international senior IT analyst Gary Cook.
“Apple’s increased level of disclosure about its energy sources helps customers know that their iCloud will be powered by clean energy sources, not coal.”
Apple has reported that it has implemented a 100 percent renewable energy policy at its datacentres. The company currently has datacentres stationed in North Carolina, Oregon, Nevada, and California.
In April of last year, Greenpeace lambasted Apple for running its cloud storage datacentres in areas which rely heavily on coal power.
Greenpeace says that in order for Apple to reach its goal of 100 percent renewable energy use it will need to work with power providers such as North Carolina’s Duke Energy to change the current dirty energy paradigm.
“As it keeps growing the cloud, Apple still has major roadblocks to meeting its 100 percent clean energy commitment in North Carolina, where renewable energy policies are under siege and electric utility Duke Energy is intent on blocking wind and solar energy from entering the grid,” continued Cook.
“To show how it can help remove those roadblocks, Apple should disclose more details about how it will push utilities and state governments to help it achieve its ambitious goal in all of its data center locations.”
Apple’s use of renewable energy comes following a pledge the firm made last year to increase its use of eco-friendly power. Last May, the firm started pushing to use more on-site power options at its corporate facilities.
Posted on May 21, 2013 at 12:30 pm
Microsoft has released a transparency report which details law enforcement requests for consumer data in 2012.
The report comes following calls for transparency from online privacy advocates. According to the report, Microsoft and Skype received 75,378 requests for data last year. Redmond says the requests potentially affected 137,424 user accounts.
“We are providing information on the criminal law enforcement requests we receive for customer data,” wrote Microsoft in a blog post.
“Like others in the industry, we believe it is important for the public to have access to information about law enforcement access to customer data, particularly as customers are increasingly using technology to communicate and store private information.”
Microsoft’s transparency report comes following similar releases from the likes of Google and Twitter. Google released its report earlier this month, while Twitter launched its data request logs last January.
In January, 44 privacy groups pushed for Microsoft to display information on law enforcement requests for Skype user data.
Skype was acquired by Microsoft in 2011. Up until recently the firm did not disclose law enforcement requests for Skype user data in its transparency report.
According to the report, Microsoft disclosed customer content to law enforcement agencies about two percent of the time. The report also shows that the firm disclosed non-content information about 79 percent of the time.
Microsoft defines non-content information as basic user data such as last used IP address, customer names, and login names. Content information is considered data such as cloud stored documents and email text.
Along with general disclosure data, Microsoft also released information on requests made by National Security Letters (NSLs).
The letters are requests for non-content data that do not require a court order. Redmond is only allowed to share ballpark figures for the NSL disclosures.
The report finds that Microsoft received 0-999 NSL requests in 2012. Until recently no information on NSLs was allowed to be disclosed in transparency reports.
Posted on May 19, 2013 at 1:55 pm
Open-Xchange has launched OX Documents, a web-based productivity suite that will eventually include word processor, spreadsheet and presentations tools that can be accessed via a browser using multiple platforms.
Released as open source, the platform could prove a rival for Google Docs or Microsoft’s Office 365 service, the latter of which provides access to Microsoft’s browser-based Office Web Apps.
Initially, OX Documents comprises just OX Text, an in-browser word processor, but this will be joined later in 2013 by Presentation and Spreadsheet apps to complete the suite.
OX Documents is available separately or as an extension to Open-Xchange’s OX App Suite, a web platform offering email, calendar and contacts capabilities, plus file storage and collaboration.
The suite was developed by former members of the OpenOffice development team and intended as a web-based successor, using HTML5 and JavaScript to deliver a consistent user experience across a range of devices such as Apple’s iPhone and iPad.
Consequently, it natively supports Microsoft Office and OpenOffice / LibreOffice file formats, with what the company calls non-destructive support to preserve document fidelity.
“A crucial factor in the development of OX Text was not to introduce yet another proprietary file format to further add to the productivity compatibility jungle,” said Open-Xchange chief executive Rafael Laguna.
“It always keeps the original document format by not attempting to alter or convert non-compatible native formatting features. This means that when you reopen the document in Word it is formatted as originally intended,” he added.
A major feature of OX Text is that multiple users can view and edit the same document simultaneously, allowing for structured collaboration, according to the firm.
OX Text will be available from early April under the GNU General Public License (GPL) v2, as well as under commercial licenses that enable service providers to provide it to end users as a software-as-a-service (SaaS) cloud-hosted offering.