Tag Archives: controversial

Microsoft wins $10 billion JEDI contract over AWS

Microsoft has been awarded the U.S. Department of Defense’s controversial JEDI contract over AWS in a surprise development that could be remembered as a watershed moment in the battle for market share among hyperscale cloud computing providers.

AWS had widely been expected to win the Joint Enterprise Defense Infrastructure contract, which was first announced in September 2017 and vigorously pursued by IBM, Oracle, Google and Microsoft. The DoD narrowed the field of candidates to AWS and Microsoft in April, and in July a judge tossed out a federal lawsuit brought by Oracle in protest of the process.

AWS had a perceived leg up on competitors for the JEDI contract, thanks not only to the breadth and depth of its cloud platform, but due to precedent. Several years ago, AWS landed a $600 million contract with the CIA centered on further development of the intelligence agency’s big data analytics capabilities.

Still, in May 2018, Microsoft said it had won a contract worth hundreds of millions of dollars that would see a panoply of U.S. intelligence agencies use its Azure Government service.

The DoD’s JEDI proposal, as laid out in a November 2017 memo, calls for a 10-year contract with a single provider to create a “highly available, exponentially elastic, secure, resilient cloud computing environment that seamlessly extends from the homefront to the tactical edge.”

The JEDI contract is worth up to $10 billion over the life of the agreement, but the base contract period is for just two years with $1 million guaranteed, according to the DoD.  About $210 million is expected to be spent during the initial two years, but the remainder of the contract is subject to rigorous ongoing reviews, the DoD said.

AWS could not immediately be reached for comment, but in published reports, a company spokesperson expressed surprise at the result.

“AWS is the clear leader in cloud computing, and a detailed assessment purely on the comparative offerings clearly lead to a different conclusion,” the company said.

The specter of presidential politics has loomed over the JEDI contract saga, with President Donald Trump – a harsh critic of Amazon CEO Jeff Bezos – saying in July that his administration planned to scrutinize Amazon’s JEDI bid in the wake of complaints about the award process from AWS competitors.

It isn’t immediately clear whether Amazon can or will pursue additional recourse following the JEDI contract award to Microsoft.

“All offerors were treated fairly and evaluated consistently with the solicitation’s stated evaluation criteria,” the DOD said in a statement. “Prior to the award, the department conferred with the DOD Inspector General, which informed the decision to proceed.”

While the Pentagon plans to eventually move 80% of its internal systems to the platform created by JEDI, it maintains many other cloud services. It also “continues to assess and pursue various cloud contracting opportunities,” according to a statement.

The cloud infrastructure market is worth about $100 billion at present, according to new numbers from Synergy Research. AWS has about 33.5% share of that market, with Microsoft at about 16.5%, Synergy reported.

AWS may still have a healthy lead over Microsoft, but the JEDI award gives the latter not only bragging rights but also a high-profile testimony to Azure’s readiness for the world’s most critical and sensitive workloads, which could prove quite valuable in negotiating other large-scale deals.

More details of the DoD’s decision-making process could be learned in coming days. In recent months, there had been some speculation the DoD would add an additional vendor to the JEDI contract after an initial award, both to hedge its strategic bets and mollify critics.

This is a breaking news story. More details to follow.

Go to Original Article

Multiple Intel firmware vulnerabilities in Management Engine

New research has uncovered five Intel firmware vulnerabilities related to the controversial Management Engine, leading one expert to question why the Intel ME cannot be disabled.

The research that led to finding the Intel firmware vulnerabilities was undertaken “in response to issues identified by external researchers,” according to Intel. This likely refers to a flaw in Intel Active Management Technology — part of the Intel ME — found in May 2017 and a supposed Intel ME kill switch found in September. Due to issues like these, Intel “performed an in-depth comprehensive security review of our Intel Management Engine (ME), Intel Server Platform Services (SPS), and Intel Trusted Execution Engine (TXE) with the objective of enhancing firmware resilience.”

In a post detailing the Intel firmware vulnerabilities, Intel said the flaws could allow an attacker to gain unauthorized access to a system, impersonate the ME/SPS/TXE, execute arbitrary code or cause a system crash.

Mark Ermolov and Maxim Goryachy, researchers at Positive Technologies Research, an enterprise security company based in Framingham, Mass., were credited with finding three Intel firmware vulnerabilities, one in each of Intel ME, SPS and TXE.

“Intel ME is at the heart of a vast number of devices worldwide, which is why we felt it important to assess its security status. It sits deep below the OS and has visibility of a range of data, everything from information on the hard drive to the microphone and USB,” Goryachy told SearchSecurity. “Given this privileged level of access, a hacker with malicious intent could also use it to attack a target below the radar of traditional software-based countermeasures such as anti-virus.”

How dangerous are Intel ME vulnerabilities

The Intel ME has been a controversial feature because of the highly-privileged level of access it has and the fact that it can continue to run even when the system is powered off. Some have even suggested it could be used as a backdoor to any systems running on Intel hardware.

Tod Beardsley, research director at Rapid7, said that given Intel ME’s “uniquely sensitive position on the network,” he’s happy the security review was done, but he had reservations.

Controlling privilege isn’t difficult to do, but it is key to securing systems.
James Maudesenior security engineer, Avecto

“It is frustrating that it’s difficult to impossible to completely disable this particular management application, even in sites where it’s entirely unused. The act of disabling it tends to require actually touching a keyboard connected to the affected machine,” Beardsley told SearchSecurity. “This doesn’t lend itself well to automation, which is a bummer for sites that have hundreds of affected devices whirring away in far-flung data centers. It’s also difficult to actually get a hold of firmware to fix these things for many affected IoT devices.”

James Maude, senior security engineer at Avecto Limited, an endpoint security software company based in the U.K., said that the Intel firmware vulnerabilities highlight the importance of controlling user privileges because some of the flaws require higher access to exploit.

“From hardware to software, admin accounts with wide-ranging privilege rights present a large attack surface. The fact that these critical security gaps have appeared in hardware that can be found in almost every organization globally demonstrates that all businesses need to bear this in mind,” Maude told SearchSecurity. “Controlling privilege isn’t difficult to do, but it is key to securing systems. It’s time for both enterprises and individual users to realize that they can’t rely solely on inbuilt security — they must also have robust security procedures in place.”

However, Beardsley noted all of the firmware vulnerabilities across the Intel products require physical access to the machine in order to exploit.

“For the majority of issues that require local access, the best advice is simply not to allow untrusted users physical access to the affected systems,” Beardsley said. “This is pretty easy for server farms, but can get trickier for things like point-of-sale systems, kiosks, and other computing objects where low-level employees or the public are expected to touch the machines. That said, it’s nothing a little epoxy in the USB port can’t solve.”