Good Morning,
We had a very interesting week. We all, I think, learned a lot about Google Cloud. I know I really learned a bunch about pros and cons. One large pro for me was the speed of building computers; a con was the ability for me to use the OS of my choice. This week I really would like to change what we talk about and go over two or three pros and cons each person got from using Google Cloud. If you are not able to, we can also find something interesting you have found in security from our normal places.
Here are the condensed slides for week 12: Week_12
Also I have shared the videos for installing Debian on Owl Box.
Frederic D Rohrer says
Here are my personal pros and cons of Google Cloud:
Pros:
– the price is comparable to other Cloud providers and there is no minimum contract length.
– you can actually figure out how much your instance will cost (looking at you AWS…)
– lots of options (hardware, networking, security etc)
– quick provisioning
– Load-balanced instance groups are great
– you can really push the price down by using preemptible instances and all ephemeral settings
Cons:
– the external IP is ephemeral by default, meaning if your instance is migrated you lose it. You can make it static but it's not that way by default.
– External egress traffic costs $0.12/GB for the first 1000, then less and less, but some other providers only charge for total bandwidth available
– there is no alternative to RDP on Windows instances; you can lock yourself out completely (first hand experience)
Brock Donnelly says
Flaw in Emergency Alert Systems Could Allow Hackers to Trigger False Alarms
Look, more legacy systems with vulnerabilities. I don’t know if you remember, back in January Dallas had 156 emergency sirens turned on for about 2 hours. It caused widespread panic. What everyone thought was caused by a computer networking weakness was actually caused by radio frequencies. As it turns out, the Bastille security firm has discovered a similar vulnerability in San Francisco’s emergency alert systems. Dubbed the “SirenJack Attack,” all you need is a $30 handheld radio, a computer and relative proximity. There is no encryption. There is no mitigation. As for San Francisco’s ATI Systems alert system, ATI is creating a patch BUT guess what… patching isn’t as easy as it sounds. Each system has a bit of specific propriety. I guess if your city or college, military facilities, and industrial sites have an Emergency Alert System it is time to contact your manufacturer. This is just another example of systems long forgotten about, systems many people rely upon. A siren is minor… what if this negligence fell upon our water treatment and utility services?
Vince Kelly says
I never had the opportunity to use GCP before, so my opinions on its pros and cons are definitely biased and come completely from the perspective of an uninformed/unfamiliar user. That being said:
Pros:
– Speaking NOT from my own personal experience – GCE apparently is more price competitive than either AWS or Azure.
– Speaking FROM my own personal experience – Kubernetes is the hands down de facto standard for container orchestration, (something that would have been useful if the activity had involved building massive container clusters – maybe next time;)
Cons:
– Personal opinion – I absolutely hated the UI
– The GCE VM import process was a complete mess and, as unbelievable as this may sound, even more convoluted than whatever Temple’s Magazine Pro Community page/Blackboard/Canvas/TUportal tool du jour is! ;););)
– AWS has had a significant head start and as a result seems to be more feature rich (again just my opinion and certainly not relevant for our particular activity last week).
I think AWS offers more features and services, both vertically;
IaaS (compute images, network, storage and database, etc., etc.),
PaaS (Platform Middleware), and
SaaS (Cross Services, Tools),
as well as horizontally;
PaaS (MapReduce for Big Data, Content/CloudForm, Messaging/SQS and SNS, etc., etc.),
and
SaaS (Monitoring/CloudWatch, DevOps Automation/Elastic Beanstalk, Lambda, etc.)
– Again, AWS had a significant head start but the OpenStack open source private cloud architecture API is completely compatible with AWS EC2 API even to the point where it supports the basic cURL command line interface
Vince Kelly says
Tech industry completes its standards for banishing passwords
https://www.engadget.com/2014/12/09/fido-alliance-publishes-specs/
The FIDO Alliance (Google, Microsoft, PayPal, and others) have just published a ‘password free’ standard that works with both single and two-factor authentication and relies on the use of sign-in methods other than passwords (e.g., some fingerprint readers, USB dongles, etc.). It may take some time before it becomes accepted as a practical alternative to using passwords because it doesn’t support existing authentication mechanisms like Apple’s Touch ID fingerprint system or Bluetooth.
Scott Radaszkiewicz says
Very interesting Vince. I read about this before. With backers like Microsoft and Google, I’m curious to see how this is going to play out over the next year. It certainly is an interesting concept of a password free world.
Zirui You says
“Verizon report: Ransomware runs rampant, responsible for 39% of malware-caused breaches”
Ransomware was the most commonly detected malware in data breaches and related security incidents last year, climbing from fourth overall in 2016 and all the way from the 22nd spot five years ago, according to Verizon’s just-released 2018 Data Breach Investigations Report. The malware was involved in a far smaller share of breaches this time around, compared to the previous year – 30 percent versus 51 percent, respectively – but when malware was found, ransomware was determined to be the culprit a leading 39 percent of the time. According to Verizon, in a typical organization, 78 percent of employees subjected to phishing simulations did not fail a phishing test all year, but an average of four percent of the workforce population would fall for any given test. Verizon also registered 2,216 data breaches over the past year’s worth of data collection, compared to 1,935 the previous year.
https://www.scmagazine.com/verizon-report-ransomware-runs-rampant-responsible-for-39-of-malware-caused-breaches/article/757535/
Shi Yu Dong says
“Finland’s 3rd Largest Data Breach Exposes 130,000 Users’ Plaintext Passwords”
Finland’s citizens had their credentials compromised in a large data breach. Hackers attacked a new Business Center in Helsinki, a company that provides business consulting and planning, and stole over 130,000 users’ credentials, which were stored in the website database in plain text without using any cryptographic hash.
Take-away: As part of their Incident Response plan, they reported the incident to Helsinki Police authorities and publicly responded with their comments and steps taken towards investigating this data breach.
Ref. Link:
https://thehackernews.com/2018/04/helsingin-uusyrityskeskus-hack.html
Donald Hoxhaj says
Shi,
Definitely a good article to read and ponder on the safety of passwords. It is bewildering to see the exposure of more than 130,000 passwords. What is not understood is that while companies do take a good amount of measures to inform the customers about the password breach, they fail to communicate the future steps that they are going to take to prevent such mishaps from happening again.
Matt Roberts says
I think Google Cloud can be very convenient for a number of uses. It has very rapid expandability and a myriad of use options on server-class hardware. It’s also extremely economical as you only pay for what you use, when you use it. The Google Cloud makes it incredibly easy to quickly spin up a server of any kind. However, not having physical access to the hardware comes with its own drawbacks. If you are storing your data in the cloud, you are entrusting much of your security to a third party, depending on the level of configuration control your organization has. In the end, you are sacrificing a certain amount of control for scalability and flexibility.
Patrick DeStefano (tuc50677) says
I completely agree. Everyone is looking to go to cloud computing these days for some of these reasons exactly. It’s extremely flexible with expandability and versatility. The third party security is what does open up some risks; however, there are ways to mitigate this, especially if you’re a big enough customer such as a large corporate client. You can more easily gain access to cloud service representatives and have a custom contract and/or service created for your use.
Satwika Balakrishnan says
Here are my pros and cons of Google Cloud Platform:
Pros:
• It took much less time to build the machines and the time taken to reboot was also less compared to physical servers.
• You are billed only for what you use, and you get to see the usage reports which I felt was advantageous, especially if you need to estimate any future costs.
• Several users can collaborate and work together from different locations.
• The overhead of server maintenance is low.
• No hardware costs or maintenance.
Cons:
• Somehow, I found the UI very confusing.
• Security is a huge concern since the server itself is outsourced.
Donald Hoxhaj says
Satwika,
Pretty useful information on the pros and cons of Google Cloud Platform. Certainly one can make use of it before hosting their services. The cons are even more interesting because that is something that we don’t find on the internet very easily, and hundreds of pieces of information only make it more confusing. I feel Google Cloud is definitely more trustworthy than other service providers in the market.
Scott Radaszkiewicz says
So this was my first foray into using Google Cloud Services. It was exciting to get to play with this new technology. In my brief experience with it so far, a few Pros and Cons jump out at me right away.
Some Pros:
-Quickly create a VM; a minute or two for a fully patched operational server.
-Not limited in resources, such as hard drive space, processor speed, network connections, etc. Only limitation is the cost for such a VM.
-Easily accessed and managed from any Internet Connection.
-Easily share management with other users
Some Cons:
-Access to the live VM is through RDP. Our original lockdown removed RDP access. Once the VM was up and running, we couldn’t connect to it. Couldn’t find another way, like a web interface to connect. It might exist.
-Having RDP available to the public could be a security risk.
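Several comments in this thread mention RDP being the only way into the Windows instances and the risk of leaving it open to the public. As an added example (not part of any comment and not Google tooling), this Python sketch audits firewall rules in the JSON shape printed by `gcloud compute firewall-rules list --format=json` and reports enabled ingress rules that open TCP 3389 to the whole internet; the rule names and address ranges are constructed sample data.

```python
import ipaddress

RDP_PORT = 3389

# Constructed sample, shaped like `gcloud compute firewall-rules list --format=json`.
SAMPLE_RULES = [
    {"name": "default-allow-rdp", "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["3389"]}]},
    {"name": "allow-rdp-admin", "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["203.0.113.0/24"],  # documentation range as a stand-in admin network
     "allowed": [{"IPProtocol": "tcp", "ports": ["3389"]}]},
    {"name": "allow-high-ports", "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["3000-4000"]}]},
    {"name": "allow-web", "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["80", "443"]}]},
    {"name": "old-rdp", "direction": "INGRESS", "disabled": True,
     "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["3389"]}]},
    {"name": "allow-all-internal", "direction": "INGRESS", "disabled": False,
     "sourceRanges": ["10.128.0.0/9"],
     "allowed": [{"IPProtocol": "all"}]},
]


def _covers_port(ports, port):
    """True if the rule's port list includes `port`; no list means every port."""
    if not ports:
        return True
    for spec in ports:
        low, _, high = spec.partition("-")  # "3389" or a range like "3000-4000"
        if int(low) <= port <= int(high or low):
            return True
    return False


def _is_public(cidr):
    """True for a source range that matches every address (0.0.0.0/0 or ::/0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def exposed_rdp_rules(rules, port=RDP_PORT):
    """Names of enabled ingress rules that allow TCP `port` from any address."""
    findings = []
    for rule in rules:
        if rule.get("direction", "INGRESS") != "INGRESS" or rule.get("disabled"):
            continue
        if not any(_is_public(c) for c in rule.get("sourceRanges", [])):
            continue
        for allow in rule.get("allowed", []):
            proto = str(allow.get("IPProtocol", "")).lower()
            if proto in ("tcp", "6", "all") and _covers_port(allow.get("ports"), port):
                findings.append(rule["name"])
                break  # one finding per rule is enough
    return findings


if __name__ == "__main__":
    for name in exposed_rdp_rules(SAMPLE_RULES):
        print("RDP reachable from the internet via rule:", name)
```

Note that the port range rule is flagged even though it never names 3389, which is the case a quick visual review of the console tends to miss.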
Brock Donnelly says
Here is something funny, a joke ransomware. It encrypts all your files until you play PlayerUnknown’s Battlegrounds for one hour. As it turns out you don’t even have to play. You just need a process called TslGame.exe for a minimum of 3 seconds. So you could rename any process for a few seconds and all your files will decrypt. Is this the first example of Spam-Ransomware?
https://www.bleepingcomputer.com/news/security/pubg-ransomware-decrypts-your-files-if-you-play-playerunknowns-battlegrounds/
Patrick DeStefano (tuc50677) says
This is the beginning of something truly annoying. I think this might just be the next ‘pop-up’ of the spamming world. Reminds me a bit of the show “Black Mirror”. In one of the episodes, the characters are forced to watch advertisements or pay to skip them. Even if they close their eyes during the ad, the ad pauses and waits for them to keep watching again. That’s almost what this is and can be for phones and other apps. Want to check your email? Go shopping on eBay for 30 minutes before you are able to access Gmail. Welcome to the wave of future advertising, folks.
Fraser G says
I enjoyed our experience over the past week with Google Cloud. Overall my pros and cons list includes:
Pros:
1) Great UI and UE; coming from ESXi experience, it’s got way more functionality and ease of use.
2) Provisioning is super quick and easy. We had to recreate a MS Server as a host and it was up in less than 5 minutes ready to go.
Cons:
1) Had some trouble figuring out RDP solution. After locking ourselves out we had to recreate an instance. Good reminder that this cloud thing will always have a layer of separation from the screen.
2) Project management / deployment could be improved. Obviously everyone ran into trouble; it wasn’t obvious who owned what and some people had trouble getting provisioned in the right groups.
Fred Zajac says
As compared to Azure and AWS, Google is my least favorite and I really couldn’t come up with any pros vs. the other two. Azure is my favorite and AWS is the most popular and almost impossible to get away from, so it is the “standard”.
Google cloud reminds me of the Microsoft Phone. Too little and too late. This was a secondary thing to your mission statement and it may be too late for you to convince the next generation not to use AWS or even Azure, which is gaining popularity but probably won’t touch AWS in cloud services.
I did come up with one pro…
It was free for us to use!!!!
Aside from that NONE.
When we finally got logged in, (CON) the single sign-on was quite simple, and the add-ons for Google Cloud were added to the favorites box in the upper right hand corner. You could quickly log into the console without having to sign back in. But… this would only be the case if I was always using Gmail for email, which is not the case. Exchange is the standard, making Azure much more attractive (CON).
The GUI was also really bad in my opinion. The options on the right were confusing. The help was not very helpful. You were given so many different ways to do something. I guess this is because of “open source” tools??? Not sure, but a better help area would be nice. AWS is the best with the HELP. List step by step what to do and can quickly find what you are looking for, but AWS also offers a lot of different solutions, so both AWS and Google take some time deciding how you want to do it.
The GUI menus were also a bit confusing. This may be because I am used to AWS and Azure, but I like the layout of Azure during configuration and the management options for AWS. Google Cloud is not even close in either area.
Single sign-on was nice, but only because Temple uses Gmail. Most businesses are using Exchange so this wouldn’t make a difference unless it is an option I didn’t notice.
But… It was Free for us so I loved it!! Thanks Alphabet!!!
Jason A Lindsley says
As discussed in class, below is the upcoming event that my company is sponsoring on April 18 in Wilmington, DE. Pre-registration is required at the Survey Monkey link below.
Cyber Security Networking Event
Join us for a powerful business networking event where we’ll spotlight our business leaders who will showcase TD’s exciting technology initiatives, and where we see ourselves future state. You’ll have a chance to connect with our leadership teams one on one from different sectors of cyber security including Threat Intelligence, Red Team Ops, CSOC, Malware and Analytics, among others. Network with other industry professionals about exciting projects and innovative ideas over bites and spirits.
DATE: Wednesday, April 18, 2018
TIME: 5:30 PM to 9:30 PM
COST: None
LOCATION: Hotel DuPont – du Barry Room
42 West 11th Street, Wilmington, DE 19801
Suitable for job seekers
Registration is required
Dress is business/casual
Heavy appetizers and spirits will be served
Pre-Registration is required. Please fill out the form below to RSVP for this exciting event! We welcome you to share this information with other colleagues and associates who would be interested in joining us.
https://www.surveymonkey.com/r/TDCyberEvent
Donald Hoxhaj says
In the news, Facebook on collision course with EU over data protection?
http://www.euronews.com/2018/04/06/facebook-on-collision-course-with-eu-over-data-protection-
Even before the European Union’s data protection regulation lights up, Facebook has gotten into a collision with its terms. Recently the Facebook COO, Sheryl Sandberg, claimed that the company has depended too much on the user’s data in fact before they’re informed that they can have a payment process to opt out of their data being used to target the advertisements. But later the company issued a statement that Sheryl was speaking in hypothetical terms and that it doesn’t offer a payment process to let users opt out of the situation.
“We have been complying with the current EU data protection law and will comply with the GDPR”, said the company, in a page dedicated to the GDPR. There was a late receiving of a letter by Sheryl on Friday which scheduled a telephone call between the Commissioner and the company for next week to further discuss the data leak. Zuckerberg was also called by the European Parliament to face the law on this issue.
Donald Hoxhaj says
Passwords of Some 3.3 Million Dutch on Online Search Engine
https://nltimes.nl/2018/03/30/passwords-33-million-dutch-online-search-engine
In a very bizarre incident, passwords of more than 3.3 million Dutch people have been found to be present on the internet. The victims of this include large corporations, government organizations, and companies. The database AD used basically scanned more than 1.4 billion email addresses and passwords and found this sensitive information to be leaked on the internet. Though many organizations usually inform the customers on password hacks so that they can change the passwords, the database of passwords is a big menace as people reuse them. Herbert Bos, professor of Systems and Network Security at the VU University in Amsterdam, says that people are registered on so many websites that they often have no idea how many, often with the same password.
Since many people use their official email IDs on the internet, it gets stored. Surprisingly, email addresses of many defense employees can also be found there. Even if people periodically change their passwords, it is often a variant of the previous password: for example with a 1 behind it. That means knowing a previous password makes it much easier for attackers to guess the rest of the password.
Donald Hoxhaj says
Under Armour: 150 million MyFitnessPal accounts were hacked
https://www.digitaltrends.com/computing/under-armour-myfitnesspal-accounts-hacked/
Under Armour, a Maryland-based athletic company, announced that one of its apps titled MyFitnessPal was involved in a massive data breach. This breach has potentially led to an information leak of more than 150 million user accounts and includes usernames, email addresses, and hashed passwords. The information about the breach was notified to Under Armour on the 25th of March.
One good thing that the firm did was to immediately take steps to determine the nature and scope of the issue by notifying law enforcement, working with data firms to assist in the investigation, alerting its user base and asking for password changes, and monitoring any suspicious behaviour.
The statement issued by Under Armour says that four days after learning of the issue, the company began notifying the MyFitnessPal community via email and through in-app messaging. The notice contains recommendations for MyFitnessPal users regarding account security steps they can take to help protect their information.