Will The Drupal Flaw Be Catastrophic?

The Drupal web content management system has been exposed as having backdoor access that could deliver your site to hackers.

The problem is not particularly new. Drupal warned about it earlier this month, but it still needs tackling as millions of websites may be at risk.

Drupal said that sites running version 7 really ought to have upgraded to 7.32 by now, because not doing so leaves them as open as a torn tea bag.

Initially the alert was about the threat, but the firm has updated its earlier advice and is now warning of in-the-wild attacks.

That earlier advice was about a problem in a database API. “A vulnerability in this API allows an attacker to send specially crafted requests resulting in arbitrary SQL execution,” warned Drupal in a security alert.

“Depending on the content of the requests this can lead to privilege escalation, arbitrary PHP execution, or other attacks. This vulnerability can be exploited by anonymous users.”

More recent information from the firm points users toward the released upgrade, and informs them that attacks started not long after the initial announcement.

“You should proceed under the assumption that every Drupal 7 website was compromised unless updated or patched before Oct 15th, 11pm UTC, that is seven hours after the announcement,” it said, adding that, even when updated, sites will have some cleaning up to do.

“If you have not updated or applied this patch, do so immediately, then continue reading this announcement; updating to version 7.32 or applying the patch fixes the vulnerability but does not fix an already compromised website,” it explains.

“If you find that your site is already patched but you didn’t do it, that can be a symptom that the site was compromised – some attacks have applied the patch as a way to guarantee they are the only attacker in control of the site.”

Gavin Millard, EMEA technical director at Tenable Network Security, advised people to follow Drupal’s advice.

“The so-called ‘Drupageddon’ vulnerability could have easily led to exploitation of any systems running the vulnerable code. With such an easy to exploit flaw, the chance of exfiltration of data or further exploitation are high,” he said.

“For those who have good security controls, reviewing of logs and traffic directed at the sites following the vulnerability being announced and the patch applied is common sense and highly advisable, with appropriate action taken if indicators of compromise are found.

“For those who don’t have such a good level of security or visibility into the logs, the advice from the Drupal team should be heeded. If you don’t know if you were exploited you should assume that you have been.”

Source

Dell’s Cloud Plans Falls Behind Schedule

Dell announced an aggressive schedule last year to roll out cloud-based application services, but it appears that the schedule was a little too aggressive.

Dell said last August that it planned to launch an online analytics service in the first half of this year for small and midsized businesses, but that service isn’t due now until early next year, a Dell executive said.

“Like a lot of development projects, it can take a bit longer than you think,” Paulette Altmaier, general manager of Dell’s Cloud Business Applications group, said in an interview Thursday.

Dell also said it would launch a platform-as-a-service offering this year based on Microsoft’s Azure platform. On Friday, a Dell spokeswoman said the company no longer has a delivery date for that service.

The delays are a setback for Dell, which is trying to reduce its dependence on PCs and build more profitable businesses in services and software. But a lot of companies are moving slowly to the cloud, so the hold-up isn’t a disaster, said Peter Ffoulkes, an industry analyst with 451 Research Group.

“The move to the cloud is not a fast journey and for most people it is still largely a future. I would not expect a quarter or two to make a big difference in practical terms,” he said.

Dell has also made a string of software acquisitions in the past year that might be causing it to rethink its software-as-a-service strategy. It updated press and analysts on its software plans Thursday.

When it does arrive, the analytics service will offer “cross-app” analytics, meaning customers will be able to import data from one or more applications to a data warehouse that Dell will host for them online, and then perform analysis on that data.

Source…

PayPal Wooing SMB’s With Payments Service

PayPal is focusing on small businesses, service providers, and casual sellers on the move with its new PayPal Here service which allows vendors to process a variety of payments including checks and cards using their mobile phones.

The new service unveiled Thursday includes a free app and encrypted thumb-sized card reader, which allows merchants with an iPhone, and later Android smartphones, to process payments.

Merchants can accept payments by swiping cards in the card reader, scanning cards and checks using their phone cameras, or by entering card information manually into the app, the eBay unit said. They can also send an invoice and set payment terms, and accept PayPal payments from the app. The check facility is however only available in the U.S.

An iPhone version of the card reader and merchant app is available from Thursday to select merchants in the U.S., Canada, Australia and Hong Kong, with general availability in those countries scheduled for April. PayPal also plans to have an Android version of the merchant app by then. It will announce the availability of the service in more countries soon, it said.

Merchants pay a flat rate of 2.7 percent for card swipes and PayPal payments, while checks will be processed free of charge. Scanning of cards or typing the card information will be charged extra. PayPal Here merchants will also receive a business debit card for access to cash and 1 percent cash-back on eligible purchases.

PayPal will be competing with mobile payment systems from other providers such as Square and Intuit.

The key differentiator for PayPal Here in comparison to other small business mobile payment services is that it comes from a trusted brand in the online payments industry, with more than 100 million customers globally, David Marcus, vice president of mobile at PayPal said in a blog post.