12 sep

Vulnerability found in WordPress 3.6 and lower: Upgrade necessary

One of the most popular CMSes around the world is WordPress, a powerful PHP-based blog platform. This popularity comes at a price, however: WordPress is a popular target for abuse and exploits.

The most recent version, 3.6, was released last August but contains a vulnerability that, in certain circumstances, allows attackers to gain unauthorised access to the system. A couple of weeks ago there was a storm of brute-force attacks on the WordPress login page; now a vulnerability has been discovered that can be exploited through one of its plugins.

The vulnerability itself is not directly exploitable; lax checking of user input in plugins, however, does allow it to be exploited.

At least one popular plugin exists that elevates this vulnerability to Remote Command Execution. The name of the plugin is unknown and will not be disclosed at this time, as there are too many vulnerable WordPress installations online.

However, it is just a matter of time before the vulnerability can be exploited, so upgrading WordPress to version 3.6.1 is highly advisable.

More information and technical details regarding this vulnerability can be found here: http://vagosec.org/2013/09/wordpress-php-object-injection/

If you have any questions regarding this posting or would like additional support from us, please send an e-mail to support@.

23 aug

WordPress sites vulnerable to bruteforce attack

Sites around the world based on WordPress, one of the most successful open source CMSes, are currently experiencing abuse in the form of a brute-force attack on the login page.

The attack consists of an overload of login attempts on the site, which slows down or even disables the site under attack.

To prevent your site from becoming unavailable we strongly advise you to apply good security measures, such as keeping up with WordPress, theme and plugin updates.

Besides keeping up with updates, we advise you to look into additional measures for improving security, such as deploying plugins like Better WordPress Security, which can be found at http://wordpress.org/plugins/better-wp-security/

A temporary measure that reduces the risk straight away is to limit the addresses from which the login page can be reached to your own IP address or addresses only.

For setups using the Apache web server, edit the .htaccess file in the root folder of the WordPress install and add the following lines:

# Restrict the WordPress login page to the listed address(es); Apache 2.2 mod_authz_host syntax
# (on Apache 2.4 without mod_access_compat use "Require all denied" and "Require ip ..." instead)
<Files ~ "^wp-login\.php$">
Order Deny,Allow
Deny from all
Allow from 172.16.12.1
</Files>

The line 'Allow from 172.16.12.1' indicates the address from which the login page can be reached; all other addresses are denied access. Multiple lines are allowed, one for each address you wish to grant access.

Please note: replace the IP address in the above example with your own when copying these lines.

If you're unsure what your current IP address is, please visit http://www.whatismyipaddress.com/. This page will show you your current IP address.
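Restricting the login page is the mitigation; spotting the attack in the first place is the other half. The following detector is an added example, not code from the original post: it scans Apache combined-format access log lines (the sample lines below are constructed) and flags source addresses whose POSTs to wp-login.php within a sliding time window reach a threshold. The threshold, window and the assumption that lines arrive in log order are choices made here, not anything the post specifies.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache "combined" log format, e.g.
# 203.0.113.7 - - [23/Aug/2013:10:15:01 +0200] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],
        "status": int(m.group("status")),
    }


def find_bruteforce(lines, threshold=5, window_s=60):
    """Return {ip: peak_attempts} for every IP whose failed login POSTs to
    wp-login.php within any window of window_s seconds reach threshold.
    Lines are assumed to be in chronological order, as in a real log file."""
    recent = defaultdict(deque)   # ip -> timestamps of recent login POSTs
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        # Match wp-login.php whether WordPress lives at / or in a sub-directory.
        if not rec["path"].endswith("/wp-login.php"):
            continue
        # A successful WordPress login answers with a 302 redirect; a failed one
        # re-renders the form with 200, so skip the 302s and count only failures.
        if rec["status"] == 302:
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while (q[-1] - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= threshold:
            flagged[rec["ip"]] = max(flagged.get(rec["ip"], 0), len(q))
    return flagged


# --- constructed sample log (not real traffic) ---------------------------------
def _line(ip, second, method="POST", path="/wp-login.php", status=200):
    return (f'{ip} - - [23/Aug/2013:10:15:{second:02d} +0200] '
            f'"{method} {path} HTTP/1.1" {status} 3512 "-" "Mozilla/5.0"')


SAMPLE_LOG = (
    [_line("203.0.113.7", s) for s in range(1, 60, 4)]        # 15 failed POSTs in under a minute
    + [_line("198.51.100.4", 10), _line("198.51.100.4", 40)]  # an ordinary user, two tries
    + [_line("198.51.100.4", 41, status=302)]                 # ...then logs in successfully
    + [_line("192.0.2.9", 20, method="GET")]                  # only viewing the login form
)

if __name__ == "__main__":
    for ip, peak in find_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {peak} failed login attempts within 60 s")
```

Feed it `open("/var/log/apache2/access.log")` instead of `SAMPLE_LOG` to run it over a real log; the flagged addresses are candidates for the `Deny from` list above or for a firewall rule.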

If you have any questions regarding this posting or would like additional support from us, please send an e-mail to [email protected].

15 aug

Groupon’s new cloud platform at CloudVPS – Case Study

Groupon, the multinational company that brings potential customers and local businesses together with daily deals, chose CloudVPS to migrate its services to a flexible cloud platform, to the great satisfaction of all the parties involved*.

What does Groupon do?

Since November 2008, Groupon has been offering daily deals on the best things to do, eat or buy. They now do this in 48 countries and the number keeps on growing. Groupon employs around 10,000 people, working at its Headquarters in Chicago, a growing office in Palo Alto (California) plus in local markets in North America and around the world. The company’s philosophy is simple: treat the customer as you would like to be treated yourself. This of course calls for rapid service and response times, as many millions of people look at these offers each day.

The Challenge: A flexible cloud with increased capacity

Partners and customers use a CRM system to manage the Groupon deals they have offered or purchased. In the Benelux this CRM software was designed by Neacon and optimized by SupportDesk. This is an important system, that has already processed more than five million orders by more than a million customers. One of the improvements that Groupon still needed to implement was a migration to a fast and flexible cloud platform. The solution that they had used up to that point did not offer sufficient flexibility or capacity. Groupon also felt that there was significant room for improvement in the levels of service and support that their then current partner was offering.

“We were chosen as their cloud provider for this project because multiple tests had shown that CloudVPS offered good performance and support. Groupon had initially ordered products from various different providers anonymously in order to make a fair assessment of both performance and support. In setting up the required infrastructure we faced a major challenge, as external circumstances meant that the system’s migration had to be carried out in just a few days. We are proud to be able to say that we set up a complex environment in a single day, meaning the migration could be carried out quickly and with minimal downtime,” explained Lennard Zwart, Managing Director of CloudVPS.

Collaboration with SupportDesk and Neacon

The configuration was done in collaboration with SupportDesk. This is a partner that CloudVPS works with regularly to optimize important sites and applications. Many improvements were implemented at this stage. For the web server, Apache was replaced with nginx, an open source, high performance HTTP server. Using PHP-FPM, web server processes were also separated from the application-related processes, which helped to increase performance further. The MySQL configuration on the database servers was also optimized.

Neacon subsequently performed the migration in under three days. CloudVPS made its engineers available at all times throughout the process in order to help with any problems. In the end the total downtime was limited to a single hour on Easter Sunday.

Speed and flexibility

The migration went smoothly and all the parties involved are satisfied with the quick and professional way this complex process was executed. Since Groupon’s CRM cluster moved to CloudVPS, its pages now load 3 to 4 times faster. The daily occurrence of unavailability during peak-times is a thing of the past.

Joris Vanderlinden, Groupon Benelux Project Manager says of the process: “Since the Groupon CRM cluster moved to CloudVPS, the system has become noticeably faster and more flexible, which has directly resulted in an improved service for our customers. CloudVPS is also a very proactive partner for our engineers and the external parties involved to work with.”

The future

The new cluster is now significantly faster and more stable than the previous solution, but the developments don’t stop there. We have now created a stable base on which to build further improvements. Extra redundancy will be built into the system and message queueing will be included in the cluster, probably using Redis. Message queueing allows activities to be processed whenever a specific server or service has time to do so. This makes it harder for servers or services to become overloaded and therefore makes them more stable. Redis is a key-value store, meaning data can be easily stored until it needs to be used.

Parties involved

Groupon

Since November 2008, Groupon has been offering daily deals on the best things to do, eat or buy. They now do this in 48 countries and the number keeps on growing. Groupon employs around 10,000 people, working at its Headquarters in Chicago, a growing office in Palo Alto (California) plus in local markets in North America and regional offices in Europe, Latin America and around the world. The company’s philosophy is simple: treat the customer as you would like to be treated yourself. http://www.groupon.com

CloudVPS

CloudVPS is one of the top cloud providers in the Netherlands. Its network is spread across three Class A data centres and serves a range of demanding, high-profile clients. CloudVPS has a large public cloud providing users with flexible capacity. A large number of private clouds and customized clusters have also been implemented. CloudVPS leads the pack in cloud-related certification and open source cloud technologies such as OpenStack. http://www.cloudvps.com

Neacon

Neacon makes made-to-measure software, guided at all times by the business procedures that the company aims to achieve. Neacon first looks at the existing procedures and formulates a strategy on that basis: the process is mapped out, interdependencies flagged, and whenever possible the return on investment is calculated. Neacon is convinced that automation only makes sense if it benefits the efficiency of operations and makes employees’ work easier. This approach has been seen to work particularly well with companies that have complex processes in logistics and other areas. http://www.neacon.eu (Dutch)

SupportDesk B.V.

SupportDesk BV provides professional support for the Magento and Joomla! platforms. They use standardisation and consolidated workflows to help clients support, maintain, and optimize their Magento webshop or Joomla! website. SupportDesk also offers a lot of Magento and Joomla!-related training. In addition to their specialism in Magento and Joomla!, they can also provide bespoke advice on complex set-ups. SupportDesk is the ideal partner for website owners, system administrators, web hosts, web designers and programmers. http://www.supportdesk.nu (Dutch)

25 jul

Sneak Preview CloudVPS OpenStack Interface

We are working hard on our new OpenStack based cloud platform. OpenStack will allow us to offer you a host of new products and functionalities. In order to allow our customers to control all of this we are currently building an easy web-interface for our OpenStack offering. We believe the standard OpenStack interface, called Horizon, does not yet offer the functionality and ease of use our customers deserve.

In order to give you an impression of this new interface our developers have produced a cool preview. It shows how easy it will be to create and manage servers, snapshots, images and disk volumes.

We will keep you up to date with respect to our OpenStack project. We expect to start beta testing shortly after the summer.


24 jun

CloudVPS – PW Webdevelopment Case Study: Object Store S3 emulation for Django

PW Webdevelopment's first project with the CloudVPS Object Store was a web application for the distribution and modification of price cards for airport shops at various international airports. PW Webdevelopment has been using an object store to store the media files of its applications for a couple of years now.

Peter Wiggers, founder of PW Webdevelopment: “The biggest advantages of using an object store for the media files are scalability and the high level of built-in redundancy. The extra security compared to maintaining a separate file server also plays its part.”

The media files related to this application were placed on Amazon S3 in the past. PW Webdevelopment recently decided to move their data to the CloudVPS Object Store, however.

Peter Wiggers: “Our customers have reported that the fact that the data is stored in the Netherlands is a big advantage. In the first place they have experienced a significant improvement in performance. Secondly, the larger degree of privacy protection is also perceived as very important.”

The Application

Within the application pre-designed price cards are stored in the object store. These can be downloaded, adapted and printed by a large number of airport shops. The price cards are subsequently placed on shelves and display furniture.

The application is written in Python and uses the Django framework. The Django module that takes care of the connection with the object store is django-storages, which supports the S3 API. Because the CloudVPS Object Store emulates the S3 API, almost no code had to be adjusted.

Implementation CloudVPS Object Store S3 Emulation

The instructions below assume that a CloudVPS Object Store is available and that a container has been created in the account. We also assume that an S3 token has been generated in the CloudVPS Interface.

In order to integrate the CloudVPS Object Store in an existing Django web application, the following packages are required:

  • boto
  • python-dateutil (required for collectstatic)
  • django-storages

The first two can be installed from PyPI, but this is not recommended for django-storages: the version on PyPI does not yet allow configuring a custom host. Install the latest version from Bitbucket instead:

pip install -e hg+https://bitbucket.org/david/django-storages#egg=storages

And add 'storages' to the INSTALLED_APPS tuple in the Django settings.

A large advantage of the CloudVPS Object Store is that it is largely S3 compatible. That is why the built-in S3 backends of boto and django-storages can be used and why it is easy to connect existing apps to the object store. Open settings.py (or similar) and add the configuration below:

DEFAULT_FILE_STORAGE = 'storages.backends.s3boto.S3BotoStorage'
STATICFILES_STORAGE = 'storages.backends.s3boto.S3BotoStorage'
AWS_ACCESS_KEY_ID = '{input_objectstore_access_token}'
AWS_SECRET_ACCESS_KEY = '{input_objectstore_secret}'
AWS_STORAGE_BUCKET_NAME = '{input_objectstore_containernaam}'
AWS_S3_HOST = '{input_objectstore_id}.objectstore.eu'
AWS_S3_CUSTOM_DOMAIN = "%s/%s" % (AWS_S3_HOST, AWS_STORAGE_BUCKET_NAME)

All variables between brackets can be found in the CloudVPS Interface under object store > S3 API Tokens.

That's it! Your Django app now works with the CloudVPS Object Store!
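The settings block above places the access token and secret directly in settings.py, where they tend to end up in version control. The helper below is an added example, not part of the original post or of django-storages: it builds the same seven settings from environment variables (the variable names OBJECTSTORE_* are assumed here), refuses to start with a missing value or with one of the post's `{input_objectstore_...}` placeholders left in, and derives AWS_S3_HOST and AWS_S3_CUSTOM_DOMAIN exactly as the post does.

```python
import os

# S3 endpoint suffix as used in the post's settings block.
OBJECTSTORE_DOMAIN = "objectstore.eu"

# Placeholder prefix from the post's template; catching it stops an unedited
# settings file from reaching production with a literal "{input_objectstore_secret}".
_PLACEHOLDER_PREFIX = "{input_objectstore_"

# Environment variable names are an assumption of this example.
_REQUIRED = {
    "OBJECTSTORE_ACCESS_TOKEN": "AWS_ACCESS_KEY_ID",
    "OBJECTSTORE_SECRET": "AWS_SECRET_ACCESS_KEY",
    "OBJECTSTORE_CONTAINER": "AWS_STORAGE_BUCKET_NAME",
    "OBJECTSTORE_ID": None,  # only used to build the host name
}


def objectstore_problems(env):
    """Return a list of human-readable problems with the environment, empty if it is usable."""
    problems = []
    for name in _REQUIRED:
        value = env.get(name, "")
        if not value:
            problems.append(f"{name} is not set")
        elif value.startswith(_PLACEHOLDER_PREFIX):
            problems.append(f"{name} still holds the template placeholder")
    return problems


def objectstore_settings(env):
    """Build the django-storages settings from a mapping such as os.environ,
    so the token and secret never appear in settings.py itself."""
    problems = objectstore_problems(env)
    if problems:
        raise ValueError("object store configuration: " + "; ".join(problems))
    host = f"{env['OBJECTSTORE_ID']}.{OBJECTSTORE_DOMAIN}"
    bucket = env["OBJECTSTORE_CONTAINER"]
    settings = {
        "DEFAULT_FILE_STORAGE": "storages.backends.s3boto.S3BotoStorage",
        "STATICFILES_STORAGE": "storages.backends.s3boto.S3BotoStorage",
        "AWS_S3_HOST": host,
        # Same construction as the post: "<host>/<container>" for public media URLs.
        "AWS_S3_CUSTOM_DOMAIN": f"{host}/{bucket}",
    }
    for name, setting in _REQUIRED.items():
        if setting is not None:
            settings[setting] = env[name]
    return settings


# In settings.py the last line would be:  globals().update(objectstore_settings(os.environ))
if __name__ == "__main__":
    for problem in objectstore_problems(os.environ):
        print("WARNING:", problem)
```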

In case you want to use the Swift backend for new Django apps: this has not yet been incorporated in django-storages. There is a fork of this package available that does support the Swift API however.


OpenStack and CloudVPS Object Store

CloudVPS aims to offer the best possibilities of the cloud to its customers. That is why we have decided to implement OpenStack across our entire infrastructure. OpenStack is a fast-expanding collection of open source cloud infrastructure components that is supported by important players like HP, NASA and VMware. The use of OpenStack will yield our customers a lot of new functionality as well as a popular API that can be used to communicate with our infrastructure.

The first OpenStack-based product has already been launched: in April 2013 we launched the first object store in the Netherlands. The CloudVPS Object Store is a cheap, open and privacy-conscious alternative to first-generation services like Amazon S3.

An object store is a modern way to serve files for an application or website. With an object store files can be stored, managed and requested in the cloud by easy API-calls or a URL. The technology is extremely suitable for larger files like images and other media types. Data is stored three times on three different machines in at least two different datacenters.

When you use an object store you only pay for the actual usage. This usage consists of the following elements: storage, outgoing traffic, heavy requests (like writes) and light requests (like reads). On our site you can find more information about the CloudVPS Object Store.

PW Webdevelopment

PW Webdevelopment is a young, dynamic company that develops web applications in order to help companies work more efficiently and more innovatively. The company exclusively works with motivated Master of Science (MSc.) students of the renowned University of Technology Delft. With 150 completed projects PW Webdevelopment is a reliable partner for every digital improvement. PW Webdevelopment is a one-stop shop for its customers: from the first brainstorm session to the eventual maintenance and hosting of the custom-built web application.

www.pw-webdevelopment.nl (Dutch)

CloudVPS

CloudVPS is one of the top cloud providers in the Netherlands. From a network that is spread out over three tier-one datacenters they provide services to a large number of well-known and demanding customers. CloudVPS has a large public cloud that can be used to acquire flexible capacity. A lot of private cloud and custom solution experience is available as well.

By combining their own software with existing solutions CloudVPS is able to offer High Availability solutions at an attractive price level. CloudVPS has an international orientation and has a prominent position in the areas of cloud certification and cloud-related open source projects.

www.cloudvps.com

14 jun

Privacy Issues for European Data because of NSA – PRISM Disclosures

Since last week a lot of new questions have emerged regarding the protection of personal data by American companies.

It was first announced last Thursday that the American telecom provider Verizon provided the American intelligence agency NSA with enormous amounts of information on national and international phone calls.

Not even a day later whistle-blower Edward Snowden revealed that nine major American Internet companies provide the NSA, the enormous American intelligence agency responsible for IT and communication based espionage, with structural access to tremendous amounts of data.

This involves such familiar names as Google, Microsoft, Facebook, Yahoo, Apple and Skype. Dropbox is expected to be added to the list shortly. This means that, if you store information in Google Apps, Windows 365, Hotmail, Facebook, etc., the NSA would be able to access it. You do not even have to know whether your data can be analysed, as a lot of information is stored in applications running on cloud infrastructure services like Microsoft’s Azure and Google Compute.

The now controversial NSA programme, called PRISM, provides the NSA with access to virtually all information from users of the services the nine companies are offering. This information can then be analysed in order to identify and monitor suspicious individuals and patterns. On Friday news broke that PRISM shares information with the English intelligence agency GCHQ. The Dutch AIVD also appears to be using the system as well.

Legal basis

The NSA’s right to collect and analyse information on non-Americans is based on the FISA Amendments Act (FAA), a 2008 law that enables American government agencies to gather information on foreigners. This law allows for the collection and analysis of all communication and information of which the intelligence services can reasonably assume that one of the involved parties is located abroad. No warrant is needed for this.

For the nine companies involved this was apparently sufficient basis to give the NSA the possibility to directly collect information from their systems. It was not necessary to provide this easy access because the law does not require that companies make it easy to collect this data. Twitter seems to have refused cooperation for example.

Response by the nine companies involved

The American government has confirmed the programme in the meantime. All the same, the companies involved emphatically deny involvement. This is not surprising since, up to now, these companies have defended online privacy. This reputation is an important condition for the storage of increasingly larger amounts of privacy-sensitive information with these companies.

If we consider the statements made, a number of matters are worth noting. Google, Facebook and most of the others only deny that the NSA has ‘direct access’ to their servers. The leaked NSA documents, however, refer to ‘direct access’ to the company servers. So it is probable that the NSA cannot log into the server, but that a portal function enables the NSA access to the desired information.

In general, it is worth noting the extent to which the communication from the American government differs from the claims made by the companies. But the American government has no reason to lie about having a large degree of access. In the time to come, more will probably come out about how exactly the NSA has access.

Damage to trust and image

The revelations made and those that are likely to follow, will probably lead to significant damage to international trust in the American Internet sector. The most important likely consequence is that statements made by these companies regarding privacy will no longer be considered believable.

And this while the American Internet sector has used such publications as the Google Transparency Report and initiatives like Microsoft’s 'Your Privacy is our Priority' to build trust. Google has now publicly asked the US Department of Justice to be allowed to include the true numbers in the Google Transparency Report.

No safe haven for European data

Regarding the storage and processing of personal data in Europe, American companies can conduct business under the Safe Harbor framework. This is an agreement between the EU and U.S. from the year 2000, in which American companies can state to adhere to seven privacy principles. Very little monitoring appears to take place of this self-regulation and the Safe Harbor framework has subsequently been under pressure for some time as a system that offers insufficient guarantees.

In spite of the limitations of the Safe Harbor framework, the revelation of a secret surveillance programme that has been concealed by the companies involved goes directly against three of the seven principles, namely the notice of information gathering (Notice), the choice of whether or not information may be gathered (Choice), and transfers to third parties that are only permitted if these parties also meet the requirements (Transfers to Third Parties).

In other words, the nine parties mentioned most likely no longer comply with the Safe Harbor framework. Europeans need to take this into consideration when deciding whether to store their data with one of these parties.


What’s next?

In Europe, privacy is considered a universal right. Europeans are also less inclined to assume that the government, companies and individuals with access to privacy-sensitive information will always make the right decisions. A totally different approach to privacy is taken in America. Here safety is top priority, certainly after the War on Terror started in 2001. This means that the PRISM programme will probably remain intact.

Moreover, privacy protection in American legislation applies almost exclusively to protecting American citizens, while European legislation offers these rights to all individuals. This is also clear from the current discussion on PRISM taking place in America. The danger to the rights of American citizens is virtually the only concern.

This means that the ball is now primarily in the EU’s court. The EU will have to, at the very least, reconsider storing additional privacy-sensitive information (personal data) with American companies until the privacy situation with regard to this information is clarified. National governments should put pressure on the EU in this matter and, if this is to no avail, implement measures of their own.

Each party storing personal data also has a responsibility here. This applies as much to executives considering the use of Windows 365 as to a minister who wants to store electronic patient files with an American company. From now on, these decision makers need to assume that the American government can analyse this data.

The European Union is currently working on new privacy legislation: the General Data Protection Regulation, to become effective in 2014. These new rules will be more stringent and take such modern developments as social networks and cloud computing into account. American companies are lobbying hard to have the possibility to store and process sensitive information under these new, more stringent, rules. The European Union needs to establish firm requirements in this process that guarantee that Europeans receive the privacy protection they deserve.

The greatest challenge in all of this is that most large Internet companies are American. It is the responsibility of the still-fragmented European Internet sector to come up with alternatives to the services these companies offer. As long as the European parties do not allow themselves to be pressured into cooperating with programmes like PRISM, the European approach to privacy can even become a unique selling point.

06 jun

New Release CloudControls – Dutch Framework Available

CloudVPS believes cloud assurance and certification are very important in order to get serious parties comfortable with cloud-based solutions. This is why we took a leading role in the CloudControls project. The CloudControls are a series of measures that can be implemented by a cloud provider in order to mitigate cloud-specific risks for its customers. The controls are based on a comprehensive list of cloud-related risks that was defined together with KPMG in 2012. The framework also includes a list of questions that a cloud customer should ask their (prospective) provider.


We have implemented version 2.0 of the CloudControls which was released in September of 2012. In January of 2013 we successfully concluded auditing the CloudControls alongside our ISO 27002 audit. Now version 3.0 of the controls is available which we will use from now on. The CloudControls have also been translated into Dutch. You can now download a Dutch version of the cloud risks, questions for providers and the actual controls.

Scope of the CloudControls


The CloudControls aim to cover the cloud-specific risks of outsourcing to an Infrastructure as a Service (IaaS) provider. This means the controls assume that the customer takes responsibility for the software configuration of its cloud environments and for the connection to the cloud. In addition, the internal security policies and availability-enhancing measures of the cloud provider are not considered cloud-specific risks, because these risks also occur within in-house IT organisations. A lack of information about the provider's security policies and the status of its infrastructure is, however, considered a cloud-specific risk.

The controls are based on a comprehensive list of 61 cloud-related risks. The CloudControls are the measures needed to control these risks. They consist of 39 controls for the outsourcing risks and 5 controls for the multi-tenancy risks.

Next Steps


We will continue to improve the CloudControls and invite more parties to use them. We will also use the CloudControls as input for other developments in the field of cloud assurance, for example the work we are doing with the NEN commission for Distributed Application Platforms and Services. This Dutch commission is part of the efforts the International Organization for Standardization (ISO) is currently undertaking to facilitate cloud standardisation. We expect to give you an update on these developments soon.

19 apr

Plesk vulnerabilities found: Upgrade required

Plesk is one of the control panels used to manage a server through a graphical interface.

Recently a number of critical vulnerabilities have been found in it. Because these vulnerabilities are currently being actively exploited, an immediate upgrade is required.

Plesk environments that have not yet been upgraded to the latest version and patch level allow malicious users to take control of the server by obtaining the access privileges of authorised users. The vulnerability is present in at least Plesk 9, Plesk 10 and Plesk 11.

Do you have Plesk installed on your server? Then please install the relevant MicroUpdate for your platform:

* Plesk 11: fixed in MU#46 (shows up as a Security fix in red in all Plesk 11 versions)
* Plesk 10.4.4: fixed in MU#49 (shows up as an Update in Panel)
* Plesk 10.3.1: MicroUpdate MU#20
* Plesk 10.2.0: MicroUpdate MU#19
* Plesk 10.1.1: MicroUpdate MU#24
* Plesk 10.0.1: MicroUpdate MU#18
* Plesk 9.5.4: MicroUpdate MU#28

If you still use Plesk 8 please upgrade to a newer release. No fixes are available for Plesk 8.

Please also check regularly for new releases or updates to install.

For more information on this vulnerability please see here:
http://kb.parallels.com/115942
http://www.kb.cert.org/vuls/id/310500

12 apr

CloudVPS Object Store Available: Scalable Cloud Storage!

As of today the CloudVPS Object Store is available. An object store can be used to store files in the cloud easily and make them available through an API or a URL. This makes an object store ideal for images, movies, backups and many other types of files. The popularity of object stores is growing rapidly, especially among developers and parties that want to store large numbers of files.

Advantages of an object store:

  • You only pay for your usage of storage, traffic and the API.
  • Your data is stored three times, spread over two datacenters.
  • Files are available from multiple locations.
  • Enables API-based programming.

Amazon S3 Alternative

Many object store users currently use Amazon S3. Our solution uses the popular OpenStack API, which leaves you free to choose the provider you do business with. The CloudVPS Object Store is also significantly cheaper than Amazon S3. Another important advantage of our object store is that we are not subject to the US Patriot Act, so US government agencies cannot use it to obtain your data, and our solution can be used for privacy-sensitive data.

For parties that are still using the S3 API exclusively, we have added an S3 emulation so you can use our object store with the S3 API.

Amazon does offer a global Content Delivery Network (CDN) option with its object store. This is relevant if data has to be available quickly in multiple continents. We will soon add CDN functionality ourselves.


Interface

We have added an object store section to the CloudVPS Interface. Here you can track your usage. You can also manage your object stores, containers and files.

OpenStack Swift

Our object store is based on OpenStack Swift. OpenStack is a fast-growing collection of open source cloud infrastructure projects with enormous momentum; parties like VMware, NASA and HP contribute to it. We have decided to build our entire infrastructure on OpenStack, and the CloudVPS Object Store is just our first OpenStack-based product.

We will be very active in adding functionality to OpenStack, and we will contribute as many of our improvements to the object store as possible back to the project. For instance, we have made it possible to use the Cyberduck client as a visual interface for the OpenStack object store. We are currently developing new authentication methods and are documenting and improving various SDKs (Software Development Kits).
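The API side of this, as an added example that is not CloudVPS code or part of the original post: a minimal OpenStack Swift client using only the Python standard library. It authenticates with Swift's v1 auth scheme (credentials in headers, token and storage URL in the reply), uploads an object with an integrity check, and signs a Swift TempURL so that a single private object can be handed out by URL for a limited time without making the container public. All hostnames, account names and keys are constructed; the TempURL part assumes the deployment has Swift's standard tempurl middleware enabled and a key set through X-Account-Meta-Temp-URL-Key; and the fake endpoint exists only so the flow runs offline.

```python
"""Added example (not CloudVPS code): OpenStack Swift v1 auth, integrity-checked
upload and TempURL signing with the standard library only. Hostnames, account
and keys are constructed; the transport is injectable so it runs offline."""
import hashlib
import hmac
import time
import urllib.request
from urllib.parse import parse_qsl, quote, urlsplit


class SwiftClient:
    def __init__(self, auth_url, user, key, opener=urllib.request.urlopen):
        self.auth_url, self.user, self.key = auth_url, user, key
        self._open = opener          # real urlopen, or a fake for offline use
        self.token = self.storage_url = None

    def authenticate(self):
        # Swift v1 auth: credentials go in headers, never in the URL; the reply
        # carries a token and the account's storage URL for later requests.
        req = urllib.request.Request(self.auth_url, headers={
            "X-Auth-User": self.user, "X-Auth-Key": self.key})
        with self._open(req) as resp:
            self.token = resp.headers["X-Auth-Token"]
            self.storage_url = resp.headers["X-Storage-Url"]
        return self.storage_url

    def put_object(self, container, name, data, content_type="application/octet-stream"):
        # Sending the body's MD5 as ETag makes Swift reject a body corrupted in
        # transit (HTTP 422) instead of storing it silently.
        url = f"{self.storage_url}/{quote(container)}/{quote(name)}"
        req = urllib.request.Request(url, data=data, method="PUT", headers={
            "X-Auth-Token": self.token, "Content-Type": content_type,
            "ETag": hashlib.md5(data).hexdigest()})
        with self._open(req) as resp:
            return resp.headers["ETag"]


def temp_url(storage_url, temp_url_key, container, name, seconds, method="GET", now=None):
    """Swift TempURL: HMAC-SHA1 over "METHOD\\nexpires\\npath" keyed with the
    account's Temp-URL-Key (assumes the tempurl middleware is enabled). The
    signature binds method, object path and expiry, so a GET link cannot be
    replayed as a PUT or pointed at another object."""
    parts = urlsplit(storage_url)
    path = f"{parts.path}/{quote(container)}/{quote(name)}"
    expires = int((time.time() if now is None else now) + seconds)
    body = f"{method.upper()}\n{expires}\n{path}".encode()
    sig = hmac.new(temp_url_key.encode(), body, hashlib.sha1).hexdigest()
    return f"{parts.scheme}://{parts.netloc}{path}?temp_url_sig={sig}&temp_url_expires={expires}"


def verify_temp_url(url, temp_url_key, method="GET", now=None):
    """Server-side check: refuse expired links, recompute the HMAC over the
    request actually made, and compare in constant time."""
    parts = urlsplit(url)
    query = dict(parse_qsl(parts.query))
    expires = int(query.get("temp_url_expires", "0"))
    if (time.time() if now is None else now) >= expires:
        return False
    body = f"{method.upper()}\n{expires}\n{parts.path}".encode()
    expected = hmac.new(temp_url_key.encode(), body, hashlib.sha1).hexdigest()
    return hmac.compare_digest(expected, query.get("temp_url_sig", ""))


class _FakeSwift:
    """Constructed stand-in for the auth and storage endpoints (offline only)."""
    TOKEN = "AUTH_tk_constructed"
    STORAGE = "https://objectstore.example.net/v1/AUTH_constructed"

    def __init__(self):
        self.requests = []

    def __call__(self, req):
        self.requests.append(req)
        headers = {k.lower(): v for k, v in req.header_items()}
        if req.get_method() == "GET" and req.full_url.endswith("/auth/v1.0"):
            return _FakeResponse({"X-Auth-Token": self.TOKEN, "X-Storage-Url": self.STORAGE})
        if headers.get("x-auth-token") != self.TOKEN:
            raise PermissionError("401 Unauthorized")
        if headers.get("etag") != hashlib.md5(req.data).hexdigest():
            raise ValueError("422 Unprocessable Entity")
        return _FakeResponse({"ETag": headers["etag"]})


class _FakeResponse:
    def __init__(self, headers):
        self.headers = headers

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False


def offline_demo(temp_url_key="constructed-temp-url-key", now=1365760000):
    """Whole flow against the fake endpoint: log in, upload, sign a 1-hour link."""
    fake = _FakeSwift()
    client = SwiftClient("https://auth.example.net/auth/v1.0", "acct:user", "api-key", opener=fake)
    client.authenticate()
    etag = client.put_object("backups", "db-2013-04-12.sql.gz", b"constructed sample payload")
    link = temp_url(client.storage_url, temp_url_key, "backups", "db-2013-04-12.sql.gz", 3600, now=now)
    return {"token": client.token, "etag": etag, "url": link, "requests": len(fake.requests)}
```

Pass the real auth endpoint and credentials and drop the `opener` argument to talk to an actual Swift deployment. The practical point for a practitioner: a TempURL is the alternative to marking a container public when one file has to be shared, because the link carries its own expiry and is bound to one method and one path; the receiving side must still compare the signature in constant time and reject expired links, as `verify_temp_url` does. The S3 emulation mentioned above uses Amazon's own request-signing scheme, which is different from Swift's auth and TempURL and is not covered here.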

Ordering and Paying

You can order the object store on our website. Your object store is invoiced at the end of the month. If you are a new customer you will have to pre-pay a one-time sum of 10 euros; if a lot of resources are used during the first month, an extra prepayment will be required. Customers with an existing invoicing relationship do not have to pre-pay when ordering an object store.

The cost of the object store depends on the storage used, the outgoing traffic and the API usage. Read more about the costs and invoicing of our object store in our knowledge base.

CloudVPS customers that also purchased a CloudVPS virtual server will be able to use the first 10 GB of object storage for free. For these customers 50,000 heavy API calls and 500,000 light API calls will also be available free of charge.

More Information

Some useful links:
Object store page
Knowledge Base Introduction
Quickstart
GUI Clients
S3 Emulation
Pricing and Invoicing

Please contact sales if you have any questions regarding the possibilities of the CloudVPS Object Store.