IT monitoring company clashes with a security consultancy
March 12, 2013
The GroundWork Group, an open-source IT monitoring software company, has clashed with a security consultancy over the
seriousness of a security hole in its technology.
GroundWork's technology provides a platform for IT operations management, network monitoring, system control, application
authentication and cloud delivery services that is used by enterprise customers including Hitachi Data Systems, the Royal Bank
of Canada, NATO, National Australia Bank, Siemens and Tivo, among many others.
Security staff at SEC Consult last week published an advisory warning of "multiple critical security vulnerabilities" in
the GroundWork Monitor Enterprise platform.
The security consultancy said that many of the holes cover authentication problems and claimed that they are so serious
that customers ought to avoid using the technology completely until the multiple security bugs are patched.
The Austrian security firm also published a separate bulletin warning of other "high risk" security flaws. In response,
GroundWork said that its users were looking for "ease of use" rather than "maximum security". It didn't release a patch and
told its users that tightening up settings was optional.
GroundWork uses the JBoss Portal’s Single Sign-On technology to restrict access to GroundWork components and improve many
of their own security capabilities. Most GroundWork customers have expressed a preference for ease of use rather than maximum
security, and the default settings reflect those wishes.
Those are suggestions and not mandatory for a GroundWork Monitor installation. Johannes Greil, the security researcher at
SEC Consult who discovered the flaws in GroundWork's software, strongly disagreed with this assessment.
"The identified security vulnerabilities have nothing to do with 'maximum security' but rather conforming to web application
security standards and guidelines such as OWASP Top 10," he said.
"Furthermore, GroundWork isn't going to repair the security vulnerabilities within the source code, but will only add an
authentication layer and implement some changes in authorization roles through an optional technical bulletin," Greil added in
We put Greil's allegations to GroundWork last week but have yet to hear back. Greil added that he is also frustrated by
GroundWork's lack of urgency about issues first reported to it two months ago.
"The very slow response and insufficient measures by GroundWork are not a responsible way to react for a vendor who supplies
software for government agencies and large data centers," he said.
"An attacker who is easily able to take over this monitoring software is, for example, able to gain access to plaintext
passwords of the monitored systems and spread the attack within the internal network," Greil claimed.
"In order to mitigate this security risk, the vulnerabilities have to be fixed within the source code. In secure environments,
such as operating data centers where this software is for instance used, it is highly undesirable to use insecure applications.
Furthermore, we advise against using this software in the current state of security," he added.
"We have identified multiple different critical vulnerabilities with different impacts. The most severe security issues are
that an unauthenticated attacker is able to elevate his privileges (admin access), execute arbitrary operating system commands,
take over the whole monitoring system and gain access to sensitive configuration files with clear text passwords of the monitored
systems," he added.
"An attacker is therefore easily able to spread the attack within the internal network," Greil added. SEC Consult's previous
research includes the discovery of undocumented backdoors in data centre equipment from Barracuda Networks. We will keep you
posted on this important development as well as others as they happen.
In other IT news
An Alcatel-Lucent-funded study suggests that the IT industry needs to work on improving power efficiency to help reduce
its unrelenting demand for electricity.
The report says that even if it does, by 2020 it will still be responsible for about four percent of the world's greenhouse
The assessment, conducted by BIO Intelligence Services, reveals that the four percent outcome is something of a best case
scenario. Its sobering disclosure is that without better efficiency measures, the IT and communications sectors would generate
nearly 330 gigatonnes of CO2 emissions by 2020.
With improved efficiency measures, output would instead be 1.43 gigatonnes of CO2, a compounded annual growth rate of
just six percent, which is well below the rate of IT adoption and the growth of Internet traffic on a global basis.
As the study points out, 330 Gt worth of greenhouse gas emissions would have the technology sector generating seven times
the global greenhouse emission target for 2020.
It is also more than ten times the 2010 emissions from energy consumption as documented by the U.S. Energy Information Administration.
In other words, the IT sector has to find new ways to reduce its carbon footprint, if for no other reason than continuing
to follow its current trajectory would make the availability of energy, not just emissions, a growth constraint.
The worst-case scenario is based on a high-end network traffic forecast by Bell Labs, in which total global telecommunications
traffic in 2020 would reach 400 times its 2007 level, and power consumption per user would grow to more than 100 watts.
If the study is accurate, achieving these necessary power efficiencies will be a challenge: "The improvements that are
possible in current technologies are expected to slow and then stop by the year 2017", the report suggests, which means that
new technologies and efficiencies will soon be needed.
But rest assured, it's not all that gloomy: if the technology sector can stay within the “four percent of greenhouse emissions”
target, the study's authors believe that IT and communications will ultimately save more emissions than they contribute.
However, not all of the energy efficiencies need new technologies, the paper states. For example, infrastructure sharing –
anathema to many mobile carriers, and in fact only common under either financial or regulatory pressure – is an obvious way to
Cloud computing is also treated favourably by the study, which says that it can reduce CO2 emissions by up to 90 percent
for small deployments, falling to a best-case figure of 60 percent for deployments in the 10,000-seat range.
Source: SEC Consult.