Archives for August 9, 2018

Prometheus, Kubernetes and system monitoring, reaches maturity

Prometheus, the open-source systems monitoring toolkit usually used with Kubernetes, has graduated from the Cloud Native Computing Foundation (CNCF). To move from incubation to graduation, projects must demonstrate thriving adoption, a documented, structured governance process, and a strong commitment to community sustainability and inclusivity. Prometheus has made the grade.

First built at SoundCloud in 2012, Prometheus became a standalone open-source project and joined the CNCF in 2016 as the second hosted project, after Kubernetes. This systems and service monitoring system collects metrics from configured targets at given intervals, evaluates rule expressions, displays the results, and can trigger alerts if some condition is observed to be true. When used with Kubernetes, Prometheus supports service discovery and monitoring of dynamically scheduled services. It is licensed under the Apache License 2.0.

Prometheus boasts the following features.

  • A multi-dimensional data model with time series data identified by metric name and key/value pairs
  • A flexible query language to leverage this dimensionality
  • No reliance on distributed storage; single server nodes are autonomous
  • Time series collection happens via a pull model over HTTP
  • Pushing time series is supported via an intermediary gateway
  • Targets are discovered via service discovery or static configuration
  • Multiple modes of graphing and dashboarding support

This sounds complex, but as Frederic Branczyk, a Red Hat Principal Software Engineer, wrote in a blog posting, “Prometheus is easy to set up as a single, statically linked binary that can be downloaded and started with a single command. In tandem with this simplicity, it scales to hundreds of thousands of samples per second ingested on modern commodity hardware. Prometheus’ architecture is well suited for dynamic environments in which containers start and stop frequently, instead of requiring manual re-configuration. We specifically re-implemented the time-series database to accommodate high churn use cases with short lived time-series, while retaining and improving query latency and resource usage.”

In short, Prometheus is a powerful, open-source system for collecting server metrics, which it stores in a searchable database. With a highly dimensional data model, you can run queries to slice and dice a collected series of data to generate ad-hoc graphs, tables, and alerts. Prometheus also integrates with third-party data exporters, such as those for Docker, HAProxy, and StatsD.
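As an added illustration (not code from the article or from the Prometheus project) of the data model and rule evaluation described above, the Python below parses a constructed scrape in Prometheus's text exposition format into time series keyed by metric name plus label pairs, then evaluates two alert-style rule expressions over them. The metric names, labels and thresholds are made up for the example.

```python
import re

# Constructed sample of the Prometheus text exposition format, i.e. what a
# target serves over HTTP when Prometheus pulls from it. Not a real scrape.
SAMPLE_SCRAPE = """\
# HELP http_requests_total Total HTTP requests.
http_requests_total{code="200",handler="/login"} 940
http_requests_total{code="401",handler="/login"} 57
http_requests_total{code="200",handler="/api"} 3120
up{instance="reader-1:9100"} 1
up{instance="reader-2:9100"} 0
"""

SAMPLE_RE = re.compile(r'^([a-zA-Z_:][a-zA-Z0-9_:]*)(\{[^}]*\})?\s+(\S+)')
LABEL_RE = re.compile(r'([a-zA-Z_][a-zA-Z0-9_]*)="([^"]*)"')

def parse_exposition(text):
    """Parse scraped text into {(metric, frozenset(labels)): value}: each key is
    one time series, metric name plus label pairs (the multi-dimensional model)."""
    series = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and HELP/TYPE comments carry no samples
        m = SAMPLE_RE.match(line)
        if m:
            name, label_block, value = m.groups()
            series[(name, frozenset(LABEL_RE.findall(label_block or "")))] = float(value)
    return series

def select(series, name, **matchers):
    """Label matcher in the spirit of PromQL `name{k="v"}`: returns {labels: value}."""
    return {lbls: v for (n, lbls), v in series.items()
            if n == name and all(dict(lbls).get(k) == val for k, val in matchers.items())}

def evaluate_rules(series):
    """Evaluate two alerting-style rule expressions over the scraped series."""
    alerts = []
    # Rule 1: up == 0 -> a scrape target stopped answering.
    for lbls, v in select(series, "up").items():
        if v == 0:
            alerts.append(("TargetDown", dict(lbls)))
    # Rule 2: more than 5% of /login requests rejected with 401. A defender would
    # want to look at this (lockouts, broken clients, password guessing).
    login = select(series, "http_requests_total", handler="/login")
    total = sum(login.values())
    rejected = sum(v for lb, v in login.items() if dict(lb).get("code") == "401")
    if total and rejected / total > 0.05:
        alerts.append(("HighLoginFailureRatio", {"ratio": round(rejected / total, 3)}))
    return alerts
```

Real Prometheus evaluates such rules on a schedule against its own time-series database; this block only shows the parsing and evaluation step on a single scrape.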

Branczyk continued, “Nearly as important as the software itself is Prometheus’ low barrier to entry into monitoring, helping to define a new era of monitoring culture. Multiple books have been written by both users as well as maintainers of Prometheus highlighting this shift towards usability, and even the new Google SRE workbook uses Prometheus in its example queries and alerts.” Chris Aniszczyk, CNCF’s COO added, “Since its inception in 2012, Prometheus has grown to become one of the top open-source monitoring tools of choice for enterprises building modern cloud native applications.”

While it’s best known for its use with Kubernetes to monitor containers and microservices on clouds, that’s far from Prometheus’s only use. For example, Uber uses Prometheus with its newly open-sourced M3 large-scale metrics platform.

Since Prometheus became a CNCF incubation project, its developers have completely rewritten its storage back-end to support high churn and have made it more stable. The Prometheus team has also started a documentation push to make it easier to adopt.

“Since becoming part of CNCF, Prometheus has become an incremental piece in modern infrastructure stacks and helped shape the way organizations monitor critical applications,” said Julius Volz, Co-founder of the Prometheus project. “We are incredibly proud to have Prometheus graduate, and we look forward to working with CNCF to sustain and grow our community.”

Bugs in Mobile Credit Card Readers Could Expose Buyers

The tiny, portable credit card readers you use to pay at farmer’s markets, bake sales, and smoothie shops are convenient for consumers and merchants alike. But while more and more transactions are passing through them, devices from four of the leading companies in the space—Square, SumUp, iZettle, and PayPal—turn out to have a variety of concerning security flaws.

Leigh-Anne Galloway and Tim Yunusov from the security firm Positive Technologies looked at seven mobile point of sale devices in all. What they found wasn’t pretty: bugs that allowed them to manipulate commands using Bluetooth or mobile apps, modify payment amounts in magstripe swipe transactions, and even gain full remote control of a point of sale device.

“The very simple question that we had was how much security can be embedded in a device that costs less than $50?” Galloway says. “With that in mind we started off quite small by looking at two vendors and two card readers, but it quickly grew to become a much bigger project.”

All four manufacturers are addressing the issue, and not all models were vulnerable to all of the bugs. The researchers are presenting their findings Thursday at the Black Hat security conference.

The researchers found that they could exploit bugs in Bluetooth and mobile app connectivity to the devices to intercept transactions or modify commands. The flaws could allow an attacker to disable chip-based transactions, forcing customers to use a less secure magstripe swipe, and making it easier to steal data and clone customer cards.

Alternatively, a rogue merchant could make the mPOS device appear to decline a transaction to get a user to repeat it multiple times, or to change the total of a magstripe transaction up to the $50,000 limit. By intercepting the traffic and clandestinely modifying the value of the payment, an attacker could get a customer to approve a normal-looking transaction that is really worth much more. In these types of frauds, customers rely on their banks and credit card issuers to insure their losses, but magstripe is a deprecated protocol, and businesses who continue to use it now hold the liability.

The researchers also reported issues with firmware validation and downgrading that could allow an attacker to install old or tainted firmware versions, further exposing the devices.

The researchers found that in the Miura M010 Reader, which Square and PayPal formerly sold as a third-party device, they could exploit connectivity flaws to gain full remote code execution and file system access in the reader. Galloway notes that a third-party attacker might particularly want to use this control to change the mode of a PIN pad from encrypted to plaintext, known as “command mode,” to observe and collect customer PIN numbers.

The researchers evaluated accounts and devices used in the US and European regions, since they’re configured differently in each place. And while all of the terminals the researchers tested contained at least some vulnerabilities, the worst of it was limited to just a few of them.

“The Miura M010 Reader is a third-party credit card chip reader that we initially offered as a stopgap and today is used by only a few hundred Square sellers. As soon as we became aware of a vulnerability affecting the Miura Reader, we accelerated existing plans to drop support for the M010 Reader,” a Square spokesperson told WIRED. “Today it is no longer possible to use the Miura Reader on the Square ecosystem.”

“SumUp can confirm that there has never been any fraud attempted through its terminals using the magnetic stripe-based method outlined in this report,” said a SumUp spokesperson. “All the same, as soon as the researchers contacted us, our team successfully removed any possibility of such an attempt at fraud in the future.”

“We recognize the important role that researchers and our user community play in helping to keep PayPal secure,” a spokesperson said in a statement. “PayPal’s systems were not impacted and our teams have remediated the issues.”

iZettle did not return a request from WIRED for comment, but the researchers say that the company is remediating its bugs as well.

Galloway and Yunusov were happy with the proactive response from vendors. They hope, though, that their findings will raise awareness about the broader issue of making security a development priority for low cost embedded devices.

“The kind of issues we see with this market base you can see applying more broadly to IoT,” Galloway says. “With something like a card reader you would have an expectation of a certain level of security as a consumer or a business owner. But many of these companies haven’t been around for that long and the products themselves aren’t very mature. Security isn’t necessarily going to be embedded into the development process.”
