Information Technology News.

IT monitoring company clashes with a security consultancy

March 12, 2013

The GroundWork Group, an open-source IT monitoring software company, has clashed with a security consultancy over the seriousness of security vulnerabilities in its technology.

GroundWork's technology provides a platform for IT operations management, network monitoring, system control, application authentication and cloud delivery services that is used by enterprise customers including Hitachi Data Systems, the Royal Bank of Canada, NATO, National Australia Bank, Siemens and TiVo, among many others.

Security staff at SEC Consult last week published an advisory warning of "multiple critical security vulnerabilities" in the GroundWork Monitor Enterprise platform.

The security consultancy said that many of the flaws are authentication problems and claimed that they are so serious that customers ought to stop using the technology entirely until the bugs are patched.

The Austrian security firm also published a separate bulletin warning of other "high risk" security flaws. In response, GroundWork said that its users were looking for "ease of use" rather than "maximum security". It didn't release a patch and told its users that tightening up settings was optional. GroundWork's response reads:

"GroundWork uses the JBoss Portal's Single Sign-On technology to restrict access to GroundWork components and improve many of their own security capabilities. Most GroundWork customers have expressed a preference for ease of use rather than maximum security, and the default settings reflect those wishes."

"Those are suggestions and not mandatory for a GroundWork Monitor installation."

Johannes Greil, the security researcher at SEC Consult who discovered the flaws in GroundWork's software, strongly disagreed with this assessment.

"The identified security vulnerabilities have nothing to do with 'maximum security' but rather conforming to web application security standards and guidelines such as OWASP Top 10," he said.

"Furthermore, GroundWork isn't going to repair the security vulnerabilities within the source code, but will only add an authentication layer and implement some changes in authorization roles through an optional technical bulletin," Greil added in an email.

We put Greil's allegations to GroundWork last week but have yet to hear back. Greil added that he is also frustrated by GroundWork's lack of urgency about issues first reported to it two months ago.

"The very slow response and insufficient measures by GroundWork are not a responsible way to react for a vendor who supplies software for government agencies and large data centers," he said.

"An attacker who is easily able to take over this monitoring software is, for example, able to gain access to plaintext passwords of the monitored systems and spread the attack within the internal network," Greil claimed.

"In order to mitigate this security risk, the vulnerabilities have to be fixed within the source code. In secure environments, such as operating data centers where this software is for instance used, it is highly undesirable to use insecure applications. Furthermore, we advise against using this software in the current state of security," he added.

"We have identified multiple different critical vulnerabilities with different impacts. The most severe security issues are that an unauthenticated attacker is able to elevate his privileges (admin access), execute arbitrary operating system commands, take over the whole monitoring system and gain access to sensitive configuration files with clear text passwords of the monitored systems," he added.

"An attacker is therefore easily able to spread the attack within the internal network," Greil added. SEC Consult's previous research includes the discovery of undocumented backdoors in data centre equipment from Barracuda Networks. We will keep you posted on this important development as well as others as they happen.
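Greil's central claim is that a compromised monitoring server hands an attacker the clear-text passwords of every system it monitors. Whether or not a product has a known flaw, that is something a defender can audit for directly: monitoring, backup and orchestration tools routinely keep per-host credentials in flat configuration files. The script below is an added example, not code from GroundWork, SEC Consult or the original article. The key=value file layout, the key names and the sample configuration are constructed for illustration; the page says nothing about GroundWork's actual file format, so none of this should be read as describing it.

```python
"""
Audit key=value style configuration files for credentials stored in clear text.

Added example, not GroundWork's or SEC Consult's code. The file format, the
key names and SAMPLE_CONFIG are constructed assumptions for illustration;
real products use their own layouts.
"""
import re
from typing import List, NamedTuple

# Keys whose values are credentials, in the spellings seen most often in
# monitoring configs (db.password, ssh.passwd, snmp.community, api_token...).
CREDENTIAL_KEY = re.compile(
    r"(pass(word|wd|phrase)?|secret|token|community)$", re.IGNORECASE)

# Values that are already protected: crypt(3)/bcrypt hashes or values wrapped
# by a property encryptor. These are not findings.
PROTECTED_VALUE = re.compile(
    r"^(\$(1|2[aby]?|5|6)\$|\{ENC\}|ENC\(|\{SHA(256)?\}|\{PBKDF2\})")

# Values that are obviously placeholders (empty, masked, templated) rather
# than a real secret.
PLACEHOLDER_VALUE = re.compile(
    r"^(|\*+|<[^>]*>|CHANGE_?ME|\$\{[^}]*\})$", re.IGNORECASE)


class Finding(NamedTuple):
    line_no: int
    key: str
    masked: str   # first and last character only, so the report leaks nothing


def mask(value: str) -> str:
    """Keep enough of the value to recognise it, never enough to reuse it."""
    if len(value) <= 2:
        return "*" * len(value)
    return value[0] + "*" * (len(value) - 2) + value[-1]


def find_plaintext_credentials(text: str) -> List[Finding]:
    """Return one Finding per credential-looking key with an unprotected value."""
    findings = []
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        separators = [i for i in (line.find("="), line.find(":")) if i >= 0]
        if not separators:
            continue
        # Split on whichever of '=' or ':' comes first, so values that
        # themselves contain '=' or ':' (hashes, URLs) stay intact.
        sep = min(separators)
        key = line[:sep].strip()
        value = line[sep + 1:].strip().strip("'\"")
        if not CREDENTIAL_KEY.search(key):
            continue
        if PROTECTED_VALUE.match(value) or PLACEHOLDER_VALUE.match(value):
            continue
        findings.append(Finding(n, key, mask(value)))
    return findings


# Constructed sample configuration; not taken from any real product.
SAMPLE_CONFIG = """\
# constructed sample, not a real product's configuration
[database]
db.host = monitor-db.internal
db.user = monitor
db.password = Winter2013!

[agents]
# per-host credentials used by active checks
host1.ssh.user = root
host1.ssh.password = 'Sup3rS3cret'
host2.snmp.community = public

[auth]
admin.password = $6$rounds=5000$abc$xyz
ldap.bind.password = {ENC}q8f7e2c1a0
service.token = ${SERVICE_TOKEN}
"""

if __name__ == "__main__":
    for f in find_plaintext_credentials(SAMPLE_CONFIG):
        print(f"line {f.line_no}: {f.key} = {f.masked}  (clear-text credential)")
```

Run against the sample, the audit flags the database password, the per-host SSH password and the SNMP community string, and ignores the hashed admin password, the encryptor-wrapped LDAP bind password and the templated token. Pointing it at a real deployment's configuration directory turns Greil's "clear text passwords of the monitored systems" from an allegation into something you can confirm or refute for your own install, without ever writing a full secret to the report.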

In other IT news

An Alcatel-Lucent-funded study suggests that the IT industry needs to work on improving power efficiency to help reduce its unrelenting demand for electricity.

The report says that even if it does, by 2020 it will still be responsible for about four percent of the world's greenhouse gas output.

The assessment, conducted by BIO Intelligence Services, reveals that the four percent outcome is something of a best case scenario. Its sobering disclosure is that without better efficiency measures, the IT and communications sectors would generate nearly 330 gigatonnes of CO2 emissions by 2020.

With improved efficiency measures, output would instead be 1.43 gigatonnes of CO2, a compound annual growth rate of just six per cent, well below the growth rates of IT adoption and of global Internet traffic.

As the study points out, 330 Gt worth of greenhouse gas emissions would have the technology sector generating seven times the global greenhouse emission target for 2020.

It's more than ten times the 2010 emissions from energy consumption as documented by the U.S. Energy Information Administration.

In other words, the IT sector has to find new ways to reduce its carbon footprint, if for no other reason than continuing to follow its current trajectory would make the availability of energy, not just emissions, a growth constraint.

The worst case scenario is based on a high-end network traffic report by Bell Labs, in which 2020's total global telecommunications traffic would reach 400 times its level in 2007, and an absolute growth in power per user to more than 100 watts.

If the study is accurate, achieving these necessary power efficiencies will be a challenge. "The improvements that are possible in current technologies are expected to slow and then stop by the year 2017," the report suggests, which means that new technologies and efficiencies will soon be needed.

But rest assured, it's not all that gloomy: if the technology sector can stay within the “four percent of greenhouse emissions” target, the study's authors believe that IT and communications will ultimately save more emissions than they contribute.

However, not all of the energy efficiencies need new technologies, the paper states. For example, infrastructure sharing – anathema to many mobile carriers, and in fact only common under either financial or regulatory pressure – is an obvious way to save power.

Cloud computing is also treated favourably by the study, which says that it can reduce CO2 emissions by up to 90 percent for small deployments, falling to a best-case scenario of 60 percent for deployments in the 10,000-seat range.

Source: SEC Consult.
