Episode Transcript
[00:00:02] Speaker A: Hi, everyone, and welcome to another episode of the Cloud Tech TV podcast. This episode was recorded at the end of June 2024.
And how are you, Raz?
[00:00:14] Speaker B: I'm doing well, thank you, Real. How are you?
[00:00:18] Speaker A: I'm great. Excited to record another chapter in the weekly news. In the monthly news.
[00:00:24] Speaker B: Yeah, I'm excited as well. You know, cyber doesn't stop, man. I'm a show for cloud as well.
[00:00:31] Speaker A: As someone who has been working in the industry for more than 20 years, yeah, I know. I read blog posts and news almost on a daily basis.
It's kind of horrifying when you read all the news about the new attacks, new ransomware, but it's something we need to learn how to live with. We need to engage with our customers, with our organizations, to see what we can do better, to make the security posture much better.
So since we're already talking about security, would you like to begin with the security-related news?
[00:01:12] Speaker B: Yeah, let's do that. You know what? I'm ready. Yeah. So let's have it. One more thing I want to say before we're going to just jump into the news.
We always need to manage the risk. Yeah. Because the attacks are going to be there all the time. They're going to wait for us, they're going to be sophisticated, but we need to understand that the risk basically fits the threat that we are facing. So let's jump to the first one.
You're not going to believe it, but today I merge cybersecurity attacks together with cloud services. I'm not going to take your headlines, but the attackers, surprise, surprise, they know how to use the cloud.
So recently what the Fortinet guys found is that they not only know how to use the cloud, they actually leverage it. They created their C2 in the cloud, which is the command and control for DDoS attacks, to leverage bots. They use the cloud mechanism in order to spread the malware's control and be able to do it globally. And this is something that in the back of our mind we say, yeah, they can do that for sure. But now it's very operational and it's in the news. Are you surprised, Real?
[00:02:50] Speaker A: No, it's part of the evolution, the technology evolution, the security evolution, even the cloud security evolution.
[00:02:59] Speaker B: Yeah, yeah. Shift and lift. No, let's move on. So move on to MOVEit.
Surprise, surprise. And I would say it again, MOVEit has another vulnerability. So we thought we were behind that. We thought that they were already resilient to the other vulnerabilities that hit the world, but they are back again. What is different from the previous time? Now we have fixes. We have fixes that can update their software, and all of you that are using MOVEit, especially big companies, global companies, for SFTP, for any other file transfer, do the update. If you didn't do that today, it should have been yesterday.
[00:03:52] Speaker A: Part of the supply chain attack.
[00:03:56] Speaker B: This is exactly the point. Thank you for mentioning that, Ayal. Supply chain attack. Just for the audience that are not aware of what a supply chain attack is, it's actually using and leveraging kind of transport capabilities in order to move a product, a file, an artifact, to make the entire pipeline be executed or delivered to the relevant customers, the relevant company, internal, external.
But yeah, the moment you have a vulnerability inside your supply chain, the attack has higher distribution.
And this is the key element.
[00:04:44] Speaker A: Yeah, it's like any product that has an automatic update capability is basically vulnerable to this. And this is something where, on one side, from a customer point of view, we somehow need to trust the vendors, but on the vendor side, they need to raise the bar in terms of reviewing which packages they're using in their entire software development cycle. So to make sure that when they're developing, when they're pushing code that eventually will impact customers, they need to be aware of it before just clicking update and notifying customers there's a new patch.
[00:05:26] Speaker B: So, yeah, you're absolutely right.
And I like to use a sentence that I used in one of the big enterprises that I was working for: not just trust, but trust and verify. And this is exactly what you are referring to, I think.
And this is what we need to do as practitioners, this is what we need to do as professionals, and this is what we need to do for the people who actually have the accountability to make sure we are secure. So thank you for pointing out that one. So we spoke globally, but you know, Ital, I'm not sure everybody knows it: I'm on the other side of the world. I'm in Southeast Asia. And I wanted to bring news from this part of the world, because we usually speak about the US, China, Russia, but I want to speak about Europe.
Europe, yeah. Ukraine, Indonesia. Yeah. Most of us that are listening say, oh, I know Indonesia because I heard about Bali. Yeah, it's a diving spot. But this time Indonesia got hit by, and they are not different from others, LockBit. It hit again.
Some people will say, hey, it's not, the Americans already blocked these guys. So LockBit, we call it a franchise attack. Actors, tomorrow morning we're gonna have. Today it's LockBit 3.0 that used the ransomware against Indonesia. And this time they had no mercy.
They attacked 200 government services, disrupted airport immigration, and other activity in the country. Imagine how much disruption a ransomware can have on a country, not just a small business or medium business or enterprise, a country.
And for what? They asked for $8 million for a country.
And guess what? Indonesia currently refuses to pay them. So this one was reported two days ago by Reuters. And we will see. We will see what's going on.
I will look very closely. It's in my morning news over here in my side of the world.
[00:08:09] Speaker A: Are there any rumors or assumption about who's behind it?
Countries?
[00:08:18] Speaker B: There are rumors.
I can say that most of the time, God forbid, I don't want them to think that I'm, like, racist or something. But most of the actors on this side of the world are either North Korean or Chinese. Yeah. And they like to attack this region in different ways, sometimes from a business perspective, and sometimes they just want to try new tools, and it's kind of a game for them.
They do.
[00:08:51] Speaker A: They're using Indonesia as a playground.
[00:08:54] Speaker B: As a test bed. Exactly. As a playground, because next time they're going to hit something bigger. Maybe Saudi Arabia. Yeah, maybe Aramco again. Yeah.
But, yeah, it's absolutely a playground.
And unfortunately, the security capabilities and the maturity that we see in Israel or the US or other countries are not always as mature in these locations. So, yeah, I hope for them things are gonna be better.
But yeah.
Let's move to our next one, which is RedJuliett.
One of the funny names that I like to catch while looking at blogs, and I look at this one and say, okay, what now? What's going on right now? And we spoke about the Chinese, and this is an espionage crime group that is targeting Taiwan.
And I'm sure all of us know why it's happening. And if not, Taiwan and China have had macro conflicts for many, many years. And now it's even going in different directions.
And China wants to leverage it. Yeah, they want to exploit vulnerabilities. They want to do a test. They want to be ready for the next cyber, maybe cyber war, maybe yes, maybe no. But they use significant types of tools to exploit firewalls, VPNs, different techniques in SQL.
They try to use some open source vulnerabilities and web shells, and it's working for them.
No serious damage so far, but it's been discovered.
So I hope Taiwan will be stronger. Are you worried about the semiconductors?
[00:11:09] Speaker A: Stay tuned. What's coming next?
[00:11:13] Speaker B: Yeah, I'm most worried about the semiconductor industry over there. You know, it is the main industry for the entire world. Look at, spoiler, we're going to speak about Nvidia today, but without them, Nvidia is gonna have lots of challenges.
So it's not just gonna affect Taiwan, it's gonna be a global impact on lots of technologies and also our iPhones. Yeah, I don't know if you have.
[00:11:50] Speaker A: An iPhone, so if you're looking for your next brand new iPhone or maybe Android phone, stay tuned because you may have a shortage in processors.
[00:12:02] Speaker B: Yeah, yeah.
From Taiwan and Southeast Asia, I'm taking a fast, rapid jump back to New York, where the New York Times got hacked, following other hacks that I have seen since the beginning of 2024. Maybe it's the fourth one. GitHub is becoming the place where you can get tokens if you are an attacker.
This is the place. It used to be other locations, but now GitHub is becoming the king of, hey, I want to have hardcoded tokens in the code, I want to have credentials, I want to have any type of secrets that I can maybe use to exploit other companies, other software. You know where I'm going to go? I'm going to go to GitHub.
So unfortunately the New York Times got hit, and they say, and it's so surprising, they are just throwing the ball at GitHub and saying the stolen data, including the IT documents and the infrastructure and the source code, all of it was stolen because of the repositories in GitHub, because some credentials and tokens were unsecured.
Hey, take responsibility.
It's your company, you have customers, you have employees.
Never put the responsibility on your vendor.
You will never be able to do security as well as you can do as a company, as an enterprise, or any medium or small business.
And don't leave your secrets in the code.
[00:13:58] Speaker A: So after, I don't know how many years of hearing the news about companies making a mistake, leaving an S3, an Amazon S3 bucket, exposed to the public Internet and information being stolen from it, in this case we have GitHub repositories which were, I'm guessing, configured to be public.
Unfortunately, it's a lot of the things we see in modern applications which are using source code repositories such as GitHub.
I don't know, one day we need to record a session about SDLC, but specifically focused on modern applications, so maybe we'll be able to share some insights about it, about the best practices for how to secure your code.
[00:14:50] Speaker B: Yeah, absolutely right. And one of the things that I want to share is that today the challenge is even bigger. So I'm not saying that the New York Times even took their accountability, or I hope they have the SDLC processes and policies and governance in place. But today, because of the surge of AI applications and how many different types of applications speak with another application, workloads with workloads, we have a very complex infrastructure where we need to make sure there is authentication between machine and machine. So the old traditional ways, when you put your secrets or your keys or your tokens in Excel sheets or inside the code or in a key management.
[00:15:44] Speaker A: Or in the same folder where your.
[00:15:46] Speaker B: Application actually runs, it's not operational anymore, it cannot work.
[00:15:54] Speaker A: It's not scalable, it's not secure, it's far away from best practice. Yeah, I totally agree with you.
[00:16:00] Speaker B: Yeah. And thank you, BleepingComputer, for bringing this news to us. And the last one for me today, and I promised to speak about Nvidia. I don't know, y'all. Do you have stocks in Nvidia?
[00:16:19] Speaker A: I refuse to comment.
[00:16:21] Speaker B: Okay.
[00:16:24] Speaker A: But anyone else in the industry or around the globe, I see the stock market go up and down. When you go this high, when you hear about so much revenue, one day you're up, one day you're down. I'm hoping for their sake that the situation in Taiwan won't impact them, but in any case, the demand for their new GPUs, the latest GPUs, is huge across all cloud providers, across many, many companies who are actually trying to consume them to get the best out of generative AI applications. So we still need Nvidia with us for at least a couple more years.
[00:17:13] Speaker B: Yeah. And that's for sure. You know why I asked you? I asked you because you were the one that refused to comment. But if you were Jensen Huang, the CEO of Nvidia, you'd sure have lots of stocks over there.
And one thing both of us can agree on: because they became the most valuable company in the world, right now there is a huge target on them.
Remember how many attacks there have been against Microsoft and Apple, and what's going to come up next because of the popularity.
[00:17:52] Speaker A: Yeah, yeah, I agree.
[00:17:54] Speaker B: Popularity, the valuation, the money stream that they have, they put a target on their back and they need to be ready. That's what I want to say. Do you agree?
[00:18:10] Speaker A: And they have enough resources to recruit the best security experts in the industry just to protect it, because their intellectual property is worth tons of money.
[00:18:25] Speaker B: You just.
[00:18:26] Speaker A: I mean, they can't really live without it. And basically at the moment, there's a perception in the global industry that for anyone who would just like to think about generative AI, the next thing he thinks about is, okay, how do I get Nvidia GPUs? It comes together. It's not that they don't have competitors, but most of the industry belongs to Nvidia's GPUs.
[00:18:56] Speaker B: Yeah. Yeah. So, yeah, that was my last one. I'm bringing it back to you, Yan. Thank you.
[00:19:05] Speaker A: Okay. Thank you so much. For me, I learned a lot. Okay, so let's begin with some cloud-related news from June.
So AWS had their annual security conference, called AWS re:Inforce, and this year it was hosted in Philadelphia. And personally I watched the keynote. It was streamed live a couple of weeks ago, and most of the conversation was from the AWS CSO. He shared from his knowledge, he shared some of the best practices AWS is currently implementing, probably for a couple of years now. And there were a couple of announcements. So the first announcement is called passkeys as a second authentication factor in AWS Identity and Access Management. And in case you don't know, the aim of passkeys is to make sure that all your accounts are more secure, using passwordless login in place of the traditional password, and it's protected using a digital key that can be reused.
Passkeys are based on the FIDO2 authentication standard, which stores credentials based on public key cryptography. And you can see implementations in many of the latest browsers, which already support it, and Apple supports it and Google supports it with their Android phones. So most of the industry is moving on to use passkeys.
And basically what the announcement means is that out of the list of supported multi-factor authentication or second factor authentication methods that AWS IAM supports, it now also supports passkeys. So this is the first announcement. And by the way, this is relevant for both Amazon root accounts and for regular IAM users. So kudos to AWS for raising the bar in terms of security.
The second announcement, also pretty interesting, is called Amazon GuardDuty Malware Protection for Amazon S3.
Many organizations are using cloud services, specifically object storage services such as Amazon S3, Azure Blob Storage, Google Cloud Storage, and one of the issues with object storage, unlike regular storage, is that you can't really use the standard anti-malware protection mechanisms, at least for, let's call it signature-based attacks, as we have had anti-malware for many, many years.
So this specific capability is part of the Amazon GuardDuty service, which is a threat detection service that continuously monitors, analyzes and processes specific AWS data sources and logs inside the AWS environment.
It uses machine learning to identify unexpected and potentially unauthorized activity in the AWS environment. And specifically for this announcement, Malware Protection for S3 helps to detect the potential presence of malware by scanning newly uploaded objects to Amazon S3 buckets. And when an S3 object or a new version of an existing S3 object gets uploaded to a bucket, GuardDuty automatically starts a malware scan.
So far, only a small number of anti-malware vendors had an integration with object storage, but now it's a fully integrated and built-in capability inside the AWS ecosystem.
So these are the announcements from Amazon. Let's move on to Microsoft. So I was trying to look for new announcements or interesting stuff from Microsoft's side, and I found two interesting documents. The first one is a white paper called GDPR and generative AI.
It's a document meant for organizations in the EU that are using generative AI or deploying new applications based on generative AI and need to comply with the GDPR regulation.
Some of the key highlights from this specific white paper, and there are a couple of them, I'm just going to mention three of them. Responsible AI: it mentions tools and resources developed by Microsoft to support responsible AI deployment.
The second thing is the GDPR compliance framework for generative AI, which explains how GDPR principles apply to AI solutions, focusing on data protection in the use of generative AI services.
And lastly, Azure OpenAI Service, which is a collaboration between Azure services and OpenAI, and which is now a fully managed service by Azure. And in the document itself, they offer information about Azure OpenAI Service, what measures it takes to prevent abuse and harmful content, and how it complies with privacy and security standards. So if you're developing new GenAI applications and need to comply with GDPR, I highly recommend that you read this document.
Another announcement, it was really an announcement I found in one of their blog posts, is called controlling data egress in Azure.
As architects, when we design secure architectures in the cloud, we need to consider scenarios such as traffic from private resources that requires access to external resources. An example can be, I don't know, I have a virtual machine that needs to consume an API from the public Internet. Or maybe I have a virtual machine or a container that needs to get the latest security patches, naturally from an external resource.
So when we design the application, we need to understand what are the restrictions?
And why I'm saying restrictions is because in Azure specifically, when we compare to other cloud vendors, by default, when you have an internal resource, like a VM, like a container, like a function, when it needs access to external resources, by default, outbound access is unrestricted. And if you do want to restrict the access, to make sure that all communication happens internally inside your internal subnets, you need to configure what is called a user-defined route.
By default, there is no user-defined route, meaning you're going to the public Internet. If you do want to restrict it, like we used to do on-prem with traditional firewalls, you need to either use Azure Firewall, which is a managed service that allows you to basically redirect all outbound traffic into this traditional firewall, even though it's a fully cloud-managed service.
And then as any other firewall, you can configure what happens to the traffic, does it stay internally, does it go outside? You can control it. Your other option is to use network virtual appliance from any third party vendor that you can implement and on the same architecture fold all traffic into this appliance and then define rules for what would happen to traffic that needs to go outside.
Other than this, there is a lot of information inside this document, which we're going to share later on after this recording.
If you need to go outside, from internal resources to the public Internet, you need to use services like NAT gateways.
Maybe you need to assign public IPs. There's a cost implication for this, but there are a couple of alternatives for designing applications that would either stay internal or, if they need to have access to external resources, we need to understand what our alternatives are for configuring the right architecture.
So this is the news from Microsoft's side. Let's move on to Google. So Google Cloud released a blog post, actually this month it's the second one in a series related to cloud financial operations, or FinOps.
So now it's called five more ways to save on compute costs. And as I said, it's the second part. The previous part was released in May 2024.
Some of the new recommendations in this blog post, specifically for Google Compute Engine, the virtual machines: when you don't use public IPs on virtual machines, release them. You'll be able to save a lot of cost, because there is a cost for assigning public IPs.
Secondly, remember to turn off machines that are not in use. I mean, logically it makes sense, and logically in production you won't be doing this, but if you have a development environment, a QA environment, and you don't use them over the weekends because naturally your teams are not working, use scripts to automatically shut them down and maybe, when the next week begins, automatically power them on, and you'll be able to save cost on the resources that are not being used. Another option, very famous across all cloud vendors, is the use of spot VMs, meaning use the extra capacity that the cloud vendor has in their data centers and temporarily lists at a much less expensive price than the regular price.
So if you have a workload that is able to survive sudden disruption, like batch jobs for example, use spot VMs, and you will be able to save a lot of money on a monthly basis.
The next recommendation from the document talks about comparing the price between regions. Let's say you're a customer, you need to allow access to your resources from the public Internet, and you don't have specific restrictions from a specific regulation that says your data or your customer data needs to stay in a specific region, country, whatever.
If you don't have this kind of limitation, look at their official price list for the same product that you're trying to consume and pick the cheapest one. So very good recommendation. Not something new, but again, a very good recommendation.
Lastly, and this is, I'm guessing, because I never heard about it from other cloud vendors, it's called automated time limits. Basically it allows us to configure when to turn off the VM for workloads with predictable running times.
So again, another nice recommendation for saving cost when running applications in the cloud.
Another announcement that came to the market relates to generative AI because we can't have monthly news without talking about generative AI.
So one of the famous companies that are generating AI models is called Anthropic, and Anthropic released Claude 3.5 Sonnet this month.
If you're not familiar with Claude, it's a generative AI model specially built for text generation, vision analysis, like conversion from image to text, code generation such as HTML, CSS, image to JSON, and more, and multilingual processing for language translation in real time.
Anthropic says that Claude 3.5 Sonnet will be far better at writing and translating code, interpreting charts and graphs, and transcribing text from images. This new and improved version of Claude is also apparently better at understanding humor and can write in a much more human way.
And lastly, following Anthropic's announcement, currently Claude 3.5 Sonnet is available both on Amazon Bedrock and on Google Vertex AI.
So are you excited about having some human humor as part of generative AI models?
[00:32:58] Speaker B: Absolutely. Because finally, engineers can write funny code.
[00:33:06] Speaker A: And not just coded when we're trying to do code review. Good luck at all.
[00:33:13] Speaker B: I love it. I love it. I think, I think. I think I will use it. This was so useful. Yeah. I learned so many new things. Thank you.
[00:33:25] Speaker A: Okay, so this is our recording for today.
As always, you're welcome to follow us on social media. We are Global Tech TV, sometimes with an underscore at the end, depending on the platform itself. Feel free to write to us, ask us questions, and suggest future topics that you want us to discuss. So till next time, bye bye.
[00:33:51] Speaker B: Thank you.