top curve
Oracle licensing consultants

Ethical Hackers Find Oracle Vulnerability

Sep 30 2014: Published by under Database security,Risk,Security Assessments,Security Risk

Data security is always an issue, especially as more and more of our lives exist online.

CNN recently interviewed two hackers Bryan Seely and Ben Caudill, who discovered an unsettling security hole, uncovering intimate details like children’s school records, including detailed bus route information; arrest and prosecution information from a major Midwestern city; and the real names and numbers of intelligence agents visiting a major American port.

Seely and Caudill “ethical hackers.” Seely and Caudill – along with Rhino Security Labs’ lead researcher Dana Taylor – found that a weakness software giant Oracle discovered in 2012 – and provided a fix for – remains a huge vulnerability to any customer that missed or ignored the fix.

Oracle issued a response to the issue:
“We identified this issue two years ago. It was not a product coding defect allowing hackers to bypass security mechanisms. Instead, the product included a configuration setting allowing customers to disable security checks. Oracle identified that customers were leaving this setting open and immediately issued a patch that made the default setting for customers secure. This patch was issued as part of our regularly scheduled Critical Patch Update customers know to apply every quarter. Oracle notified all of our customers directly that they should apply patch. This process is commonplace in the industry,” said Oracle spokesperson Deborah Hellinger.

What’s the moral of the story here? You can’t wait for your software provider to contact YOU about these things – you need to be on top of security updates/fixes/patches, etc. so that your organization is not vulnerable. Being proactive versus reactive will allow you to come out on top!

mini technorati logo Bookmark with Technorati
AddThis Social Bookmark Button AddThis Feed Button
Share

Guest Blog: Paul Vallee, Pythian on Bash

Sep 29 2014: Published by under Miro News

A new vulnerability in a utility called “Bash”, a commonly-installed command execution shell, was discovered yesterday. This vulnerability has been termed “SHELLSHOCK” by the media. Pythian’s systems were patched overnight and are no longer vulnerable.

This vulnerability only affects Linux systems, so if you are not running Linux on your data center servers this vulnerability does not apply to you.

What is Bash?
Bash is a “shell”—a basic component that enables interaction between a human and an operating system, in this case Linux. It is responsible for running all common commands such as directory listings, moving, or copying files, etc.
What is the vulnerability in Bash?
The vulnerability allows someone to run any arbitrary code on an affected machine. If this was only due to human interaction, we can assume the user will be logged in and already have permissions to run that code, so what is the big deal? The issue arises because Bash is commonly called by lots of other code as part of their execution that may not necessarily be a human logged in. For instance, certain web servers call bash, so anybody who has access to your web pages could “inject” and run unauthorized code on your servers to take them over, serve malicious code, or even steal confidential data. More information is available here: CVE-2014-6271.
What should you do?
Patches are available from all major Linux vendors such as Redhat, Debian and Oracle for their versions of Linux. Most Web Application Firewalls (WAFs) have been updated to guard against this exploit.

Notice to clients who use Amazon/AWS

Amazon is going to be proactively rebooting ALL AWS instances between September 26, 2014, at 2:00 UTC/GMT (September 25, 2014, at 7:00 PM PDT) and September 30, 2014, at 23:59 UTC/GMT (September 30, 2014, at 4:59 PM PDT). They have not stated what ‘bug’ they are fixing at this point and do not intend to do so until all of the reboots have been completed. This is a very large scale effort, and one Amazon has decided is necessary due to the severity of the bug.

Reports indicate all instances will be affected with the the exception of T1, T2, M2, R3, and HS1 instance types are not affected.

For more information see below, and also notices should be visible within your AWS Console

http://www.zdnet.com/aws-users-fret-over-downtime-ahead-of-amazons-massive-ec2-reboot-7000034041/

http://www.networkworld.com/article/2687974/cloud-computing/amazon-readies-for-major-reboot.html

• If you are a Pythian client, please contact your team lead immediately to co-ordinate patching your systems.
• If you are not a Pythian client: Pythian offers a rapid response team that can rectify these sorts of situations and can help harden your systems to prevent exploits. To engage Pythian, please email info@pythian.com.

Paul Vallee, CEO – Pythian

mini technorati logo Bookmark with Technorati
AddThis Social Bookmark Button AddThis Feed Button
Share
Tags:

Oracle Board Appoints Larry Ellison Executive Chairman and CTO

Sep 20 2014: Published by under Oracle: News You Can Use

Well, its official! The Oracle Board of Directors elected Larry Ellison to Executive Chairman of the Board and appointed him the company’s CTO. Jeff Henley, who has served as Oracle’s Chairman for the last 10 years, was appointed Oracle’s Vice Chairman of the Board.

Both Safra Catz and Mark Hurd were named CEO. So, in a nutshell, Safra and Mark will now report to the Oracle Board rather than to Ellison.

Ellison has made it clear he doesn’t quite want out, but he has no interest in being CEO. This will be interesting to see the routes he takes and where his focus will land as CTO!

mini technorati logo Bookmark with Technorati
AddThis Social Bookmark Button AddThis Feed Button
Share

Microsoft licensing lessons learned – Mobility, BYOD and Desktop Virtualization?

Sep 08 2014: Published by under BYOD,Microsoft Enterprise Agreements,Microsoft Licensing Compliance,Microsoft Licensing Tip,Virtualization

Neither BYOD and/or desktop virtualization are inherently bad. If the funding is there for the correct licensing and the benefits of improved security and device and account management are realized, these approaches can be quite favorable to you.

Server virtualization is the generally accepted standard, the dominant model if you will. Today’s servers are far too massive, far too dense for single applications and perhaps more importantly, far too massive and dense for licensing.

Microsoft has moved towards its Core processor and Core licensing constructs for some of its products and the cost of licensing many of these very large servers is too cost prohibitive. Licensing just a few servers is not only more economical from a licensing perspective but also from a desire to maximally leverage the computing capability.

One of the best ways to do that is through virtualization and we have truly seen some sophisticated workload balancing schemes. In terms of Microsoft licensing on the desktop side especially, there seems to be a lot of confusion. Questions like: Is Software Assurance required? Or do we need other licensing like VDA or RDS? Or can employees use their own devices? The answer to all those questions is maybe. This may be the reason, in addition to cost, that desktop virtualization hasn’t quite hit its stride yet. In fact, some bloggers who have predicted its demise in favor of a migration to cloud and to Software as a Service models.

We know there are significant factors in play involving licensing a virtualized environment. These are based on architecture and license mobility among other things and we see companies struggling with achieving and maintaining the defensible license position as they try and interpret these licensing rules. We’ve also learned that BYOD and desktop virtualization can be more expensive than originally thought. We think that this stems from understanding the myriad rules around CAL licenses, VDA, subscription licenses, and Software Assurance benefits.

 

mini technorati logo Bookmark with Technorati
AddThis Social Bookmark Button AddThis Feed Button
Share

Managing Microsoft Inventory When Enterprise Edition Expires

Aug 18 2014: Published by under Microsoft Enterprise Agreements,Software Renewal

As your Microsoft Enterprise Agreement is set to expire, there’s a great deal to consider with your renewal options.

 

Some considerations when determining the next, best course of action:

  • current entitlements
  • expansion and consolidation
  • dynamics of the environment (e.g. remote users and access devices)
  • the company’s roadmap versus Microsoft’s roadmap
  • current license position
  • spending target

Every organization is unique and there is no clear cut answer to what is best. The products, the quantity, the license programs, the current state, the look forward, is all unique in every situation.

It can be impossibly complex to navigate this renewal process unless you understand a vendor’s specific licensing rules – in this case Microsoft – and can customize approaches that are most favorable to your organization.

mini technorati logo Bookmark with Technorati
AddThis Social Bookmark Button AddThis Feed Button
Share

Microsoft Windows Server 2012 R2 Licensing

Aug 11 2014: Published by under Microsoft,Microsoft Licensing Tip,Microsoft Windows

Microsoft Windows Server 2012 R2 comes with the availability of two primary editions – Standard and Datacenter. The versions are identical from a technical perspective with the only difference being virtualization rules. Both primary editions can only be licensed in the Processor Plus CAL metric . . .unlike the limited functionality editions for Windows Essentials and Window Foundation that are licensed by Server with CALs included.

So, which do you choose?

 

Since the functionality levels are equal, it’s something of an arithmetic issue.  The licensing for Datacenter Edition is about 5½ times that of Standard Edition. Keep that in mind as we walk through the example.

 

Microsoft requires all physical processors on the server be licensed. Let’s assume that we have a four-processor device. Each license covers up to two processors. For this server, for either edition, two licenses are required.  For Datacenter Edition, the number of virtual instances on this server would then be unlimited. It would also cost nearly $10,000 at a Select Plus Level A pricing without Software Assurance for those two licenses. It costs less than $2,000 to license it with Standard Edition, but we only get four virtual instances because with Microsoft’s Standard Edition you only get one physical instance and up to two virtual instances per license.

Now, in this example, we’re not talking about these huge servers so spinning up just four VMs might be all it can handle, but what if there was enough cycles,say, for two more?  The answer is simple. From a Microsoft perspective, you just stack licenses. What Microsoft allows you to do is allocate more licenses on Windows Standard on a device than it would otherwise call for simply for the purpose of adding more virtual instances.

With this third license on that server, two more VMs can be spun up and the cost is just another $900 or so. If you still have some more room, add another for another $900. For an investment of around $3,500, a total of eight virtual instances can be deployed on that server. If that is all you could ever be on that server, you made a really good decision about going with stacking the Standard Edition licenses.

mini technorati logo Bookmark with Technorati
AddThis Social Bookmark Button AddThis Feed Button
Share

The limitations of License Mobility

Aug 07 2014: Published by under Microsoft Licensing Compliance,Microsoft Licensing Tip,Microsoft Software Assurance,SQL

Microsoft’s Product Use Rights state very clearly that you may not reassign licenses on a short-term basis (within 90 days of the last assignment). However, licenses can be reassigned sooner if the licensed device or server is retired due to a permanent hardware failure. That’s a constraining and very strict rule that talks about when the 90-day time frame is set aside and it talks specifically about hardware failure.

Given the strictness of that rule, without License Mobility you could only move the licenses to a server every 90 days. What that means then is that in order to be properly licensed amongst the hosts in a cluster, you would have to have enough licenses assigned to each of those nodes to cover the peak number of virtual instances that could be moved to that server at any given time. While the licenses or environment may call for, say, half a dozen licenses, you might need 20 simply because you’ve moved these instances from physical node to physical node within the cluster.

Now, looking at SQL Server as an example, all of the cores on all the hosts in the cluster must be licensed and covered by Software Assurance. This now expands your rights to allow any number of instances of that software to run in any number of virtual machines within that farm. In the case of SQL Server that is not covered by Soft Assurance, you’re limited to the number of licenses that you’re actually running (core licenses). If you have a total of 16 cores within that cluster, License Mobility rules without Software Assurance state that you can only have 16 instances of support SQL Server.

It’s complex and easily misconstrued but it’s a trend that we’re seeing over and over again. Microsoft is associating Software Assurance to many, many new benefits – License Mobility is just one of them.

 

mini technorati logo Bookmark with Technorati
AddThis Social Bookmark Button AddThis Feed Button
Share

Microsoft Audits – What is worth fighting for?

Aug 04 2014: Published by under Microsoft,Microsoft Audit,Software audit,software license

Most common questions we get during a Microsoft Audit:

  • What are the primary points to negotiate with the supplier or their agent when an audit notice is received?
  • What are the points to fight for?
  • What are the points that are most important?  

There are many, many moving parts involved in a Microsoft audit because of the many and varied products, license metrics, volume license programs, and Software Assurance considerations.

There is a central set of principles in responding to audits that have been blogged about and spoken about and presented about from many software asset management professionals. They involve communication protocols, date of delivery, settlement, negotiation, etc.; and these are well known; but to these, we can add or perhaps maybe just reemphasize some other points.

Ensure that the audit scope is explicit and written. The auditor will prefer to dictate schedules and priorities and it’s important that you, as a representative of the organization, control that process.

Scrutinize the findings. Understand that the findings, especially the initial findings, are going to require some adjustment and warn your teams not to take any action based on the initial findings.

Data from automated tools is only as good as the interpretation. The audit scripts and SAM tools gather the deployment information. The Microsoft license statement details the entitlements and the comparison between them is not simple arithmetic. There is a big chasm that exists between these two data points and it needs to be accurately and very effectively navigated.

Buyer Beware. Another point to mention is that your reseller (now referred to as a License Solutions Provider or “LSP”) may offer this service for free, but be aware that there is an incentive for them to complete a licensing transaction.

mini technorati logo Bookmark with Technorati
AddThis Social Bookmark Button AddThis Feed Button
Share

What is License Mobility – Microsoft’s “reassignment rule”

Aug 04 2014: Published by under Microsoft,Microsoft Licensing Compliance,Microsoft Software Assurance

License Mobility refers to the ability to move virtual instances from host to host and between server farms without the constraints of Microsoft’s license reassignment rule. Microsoft restricts reassigning a license from one server to another or from one device to another more frequently than every 90 days (This is often referred to as Microsoft’s “reassignment rule”). License Mobility is a Software Assurance benefit.

mini technorati logo Bookmark with Technorati
AddThis Social Bookmark Button AddThis Feed Button
Share

ILMT – IBM Licensing Metric Tool

Jul 29 2014: Published by under IBM,software asset management,software license

To license IBM software by subcapacity, the IBM subcapacity licensing terms under Passport Advantage require customers to install and run ILMT (IBM Licensing Metric Tool). A customer may substitute another IBM tool such as TAD4d (Tivoli Asset Discovery for distributed) instead of ILMT.

IBM lists exceptions. Currently ILMT is not required if:
• Less than 1000 PVUs physical capacity in global environment.
• Less than 1000 employees, including contractors and seasonal help.
• Current hardware not supported by ILMT.
• Current virtualization method not support by ILMT.

As soon as something changes – let’s say you had 800 employees and then acquired another company with 250 employees – you need to install ILMT and begin running quarterly reports.

When none of these exceptions apply, if you fail to install ILMT or another IBM tool, run reports at least quarterly, and keep less than 2 years of verified reports on hand, you would need to license to the full physical capacity of the server. IBM’s initial tolerance for lack of ILMT use has faded over the years.

However, other exceptions are possible. The purpose of IBM’s licensing tools is not to grind your production machines to a halt. With your free ILMT license also comes free IBM support. Utilize their resources, and if you can build a case to prove that ILMT is not working, ask for an exception. With the exception request there must be an alternate plan suggested. What will you utilize as a software asset management tool in place of ILMT?

IBM’s tools are the only ones certified by IBM. With the breadth of IBM software available, other software vendors cannot maintain a complete library of software signatures as well as IBM. Although ILMT or other IBM tools need an investment of time and resources to set up, an IBM-heavy environment can make good use of the free ILMT tool from IBM. In a mixed environment or one that favors another vendor’s software, ILMT’s usefulness is limited.

mini technorati logo Bookmark with Technorati
AddThis Social Bookmark Button AddThis Feed Button
Share

Next »

bottom curve