Nextcloud Planet

Welcome to Nextcloud News, our contributor blog roll. Nextcloud contributors should ask to get added!

Opinions are the responsibility of those who express them. See our privacy policy.

If you'd like to stay up to date with Nextcloud news, you can also subscribe to our newsletter! An RSS feed with only release updates can be found here.

Nextcloud
Open ID SSO by Gluu: oxd is now integrated in Nextcloud
March 24, 2017


We are happy to welcome Gluu and their Open ID SSO app in our App store!

What is Gluu?

Gluu provides open source, enterprise-grade Identity and Access Management software. Their software helps reduce password proliferation and delivers a more secure user experience across all your applications. The company recently released an OpenID SSO app which is now available in the Nextcloud App Store.

Gluu’s OpenID Connect Single Sign-On (SSO) Nextcloud app enables you to authenticate users against any standard OpenID Connect Provider (OP). If you don’t already have an OpenID Provider, you can use Google, for example, or deploy the free and open source Gluu Server.

What is it for?

This OpenID SSO app provides secure single sign-on (SSO) for all your web applications using the oxd server. oxd exposes APIs that a web application can call and that are simpler than calling the APIs of an OpenID Connect Provider (OP) or a UMA Authorization Server (AS) directly.

Have a look and let us know what you think about it! You can find a full manual for integrating Gluu SSO in Nextcloud on their website.


Nextcloud
Where should healthcare data be stored?
March 23, 2017

Healthcare data: a special nightmare to deal with

According to the Information Commissioner’s Office in the UK, healthcare data breaches accounted for 40% of late 2016 security incidents. This type of information is a special nightmare to deal with. On the one hand, the data is obviously highly sensitive, on the other hand, accessing up-to-date medical data without delay can be a matter of life and death for patients. Black hat hackers are very conscious of these facts; they know medical organizations are very likely to pay any ransom if their patients’ lives are at risk.

Digitization raises security issues

With medical processes generating a huge amount of paperwork, it is no wonder the healthcare sector is pushing towards digitization. The benefits are manifest: medical information can be transmitted easily from one organization to another, and patients can have better access to their medical records. But it raises questions: where and how should the information be stored properly and securely? Each organization which needs access to the data has different governance, management and rules, and with all these different requirements it is hard to implement consistent data security policies and the training that educates staff on keeping data safe. Cédric Cartau, Chief Information Security Officer at Nantes University Hospital, notes:

In the next 5 to 10 years, we can expect far more security issues, which will require bigger budgets, more staff and teaching best practices.

And what do you do if you are confident in your own security policy but you know that a hospital you have to share data with is not as sophisticated with regard to digital hygiene? Consistent governance is hard: the mix of private and public organizations in most countries, including the UK, France, Germany and the US, makes unified protocols and policies difficult.

Expensive chaos

Today, the situation is chaotic at best with PBS asking if health care hacking has become an epidemic. Healthcare data can leak from everywhere: according to this report from the U.S. Department of Health and Human Services, the health care industry has averaged close to four data breaches per week in 2016. Patients also carry these vulnerabilities with them, in the form of minimally secured smartphone health apps. And this data is worth a lot of money!

Electronic health records are 100 times more valuable than stolen credit cards

said James Scott, co-founder and senior fellow at the Institute for Critical Infrastructure Technology (ICIT) in Washington D.C.

Public clouds: no solution

IT teams do not have a substantial budget dedicated to security concerns. And when you are attacked every seven seconds on average, like the Beth Israel Deaconess Hospital, you have a real problem. Some health care organizations made a surprising move: putting their data into the Public Cloud. In terms of security, it is indeed a better alternative than building your own system on a shoestring budget. Microsoft, Google and Dropbox spend millions on security. Their teams patch security issues in no time and their core business is making data accessible whenever and wherever it’s needed.

But Public Clouds are not set up very well for handling healthcare data. First of all, using Public Clouds raises privacy concerns, which is particularly worrying when it comes to dealing with such sensitive data. Second, Public Clouds don’t really solve the security issues! Due to the typically consumer-focused nature of Public Clouds, IT teams have to rely on third-party tools to ensure that only the right people have access to medical data and to enforce the secure use of those clouds. These tools, for example, provide Identity as a Service (IaaS) and help manage staff-owned devices and sharing. But this only moves the problem. Using several tools layered on top of each other multiplies complexity and increases both the opportunities for costly mistakes and the attack surface. Now a breach at any of several levels, in any of a variety of tools, can leak data!

Delegating security policy also hampers your ability to adapt to changing situations and requirements:

  • Can you track (or limit!) the sharing or downloading of specific files if you need to for compliance requirements?
  • Can you change or adapt the whole process if new laws come into force?
  • Can you at least migrate part or all of your data out of the Cloud to another place if you need to, or is it too costly?

Vendor lock-in and lack of control, the simple fact that your patients’ medical data is intermingled with the data from countless other users in an unknown location, the chance of being part of massive data leaks like this one from Dropbox last year – the risks of the Public Cloud are countless while promised cost benefits usually fail to materialize.

Private cloud: stay in control

The most powerful and elegant solution to the security-vs-accessibility problem faced by the medical sector is implementing a Private Cloud solution. The existing data storage and access technologies, and more importantly, existing governance processes and tools, can be leveraged by software like Nextcloud, making the data caretakers need available easily and quickly while IT can stay in control. The flexible nature of Nextcloud enables deep integration in existing infrastructure.

  • Powerful File Access Control capabilities enable administrators to control, optimize and secure data flows through their cloud technology.
  • Ability to restrict and monitor access to data to a specific group of users and to set an expiration date when sharing files is a real need for medical organizations.
  • Encryption of data on storage allows medical organizations to optimize costs by taking advantage of Public Cloud storage while securing the data with encryption, keeping encryption keys on-premise.

Developed with verified, industry-leading security standards and offering unique tools to verify the security of Private Clouds, Nextcloud offers the most secure and cost-effective Private Cloud solution on the market.


Nextcloud
DASEQ GmbH partners with Nextcloud
March 22, 2017

We’re happy to announce a strategic partnership between DASEQ and Nextcloud, with DASEQ delivering Nextcloud in the framework of their extensive offering of open source technology, services and training as well as security solutions. See our press release and the DASEQ press release here in German.

“We’re proud to partner with the experts from DASEQ in bringing data control back to customers. In these times of constant threats of corporate espionage, ransomware combined with increasing compliance requirements and issues, knowing where your data is has become a key requirement,” said Frank Karlitschek, Managing Director at Nextcloud. “There are also significant opportunities to monetize data directly or through improving processes and services giving rise to competitive advantages so more and more businesses search for self hosted solutions for business-critical data. With over 20 years experience in the Open Source business market, DASEQ is well positioned to assist customers in complicated deployments with high security and scalability requirements.”

“We’re excited about the partnership with Nextcloud. With a future-proof business model and a large development team, Nextcloud is well positioned to deliver business customers a long-term solution with in-depth support,” Joachim Kunze (Manager Sales & Services at DASEQ) noted. “Nextcloud strategically fits in our portfolio. Nextcloud is quick and easy to deploy and integrate in infrastructures, irrespective of the size or environment of an enterprise. It offers our customers scalable and secure data storage integrated with modern collaboration capabilities and mobile functionality which transcends the borders of the organization.”

About DASEQ

DASEQ is a specialized provider of open source technologies, training and services, as well as security solutions. To ensure the efficient use of complex IT technologies, DASEQ supports national and international clients through the whole project period, up to the maintenance of the solution in their customers’ IT environment and staff training. Their project track record in both the Open Source and security areas, as well as the fine tuning of well-chosen components, reduces the risks and expenditures for the implementation of their customers’ solutions.
Being one of the leading Red Hat training partners, DASEQ provides Red Hat Training courses, which are among the most highly regarded worldwide in the fields of Linux and open source. With many years of experience in delivering complex training programs, DASEQ is passionate about helping organisations get the maximum profit from their software investment.
For more information please visit their website or follow @Daseq on twitter.


Nextcloud
Nextcloud partners with Stylez Corporation
March 21, 2017

Today, Nextcloud is proud to announce a new partner in Japan! Our goal is to provide business and individuals with the most secure solution for Enterprise Files Sync and Share. Stylez Corporation provides customers with open-source solutions to host and share their data. We are happy to welcome a new customer and we hope to see new users in Japan very soon!

About Stylez Corporation

Since their founding in 2003, Stylez Corporation has grown focusing on system integration and BPO (business process outsourcing) for the public. Today, they continue to give primary consideration to customer trust and product quality, while further expanding the scale and breadth of their business into areas such as cloud and open source-related services.

Toshihisa Kajiwara, CEO of Stylez Corporation, notes:

We are very excited to be partnering with Nextcloud. Nextcloud is a technology leader in open source file-sharing systems, and it is one of the most open and actively developed applications in the world.

Up until now, we have handled ownCloud as our open source file-sharing system, but after receiving many requests from within Japan for Nextcloud support, we signed an agreement to become a partner of Nextcloud GmbH in Japan. We are very pleased to be able to provide customers with Nextcloud in Japan.

We appreciate the convenience of Nextcloud’s various very powerful features. I hope that the people of Japan will enjoy the various convenient features of Nextcloud.


Lukas Reschke
CSP, 'unsafe-eval' and jQuery
March 18, 2017

At Nextcloud we employ a pretty strict Content-Security-Policy (CSP). In case you need a quick explanation of what CSP is, I’d suggest reading this older blog post of mine.

One of the caveats with the implementation in Nextcloud is that we had to allow 'unsafe-eval' because of our historically grown code base. For example, we use handlebars.js for templating, which requires either pre-compiled templates or 'unsafe-eval'. For us, keeping compatibility with older apps is a high priority, and thus we couldn’t just migrate the core templates and break all the existing apps out there.

So let’s evaluate the risk of 'unsafe-eval' in a Content-Security-Policy. What it effectively means is that your policy won’t be able to protect you against an XSS (Cross-Site Scripting) vulnerability involving JavaScript’s eval() function.
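A small checker, added here as an example and not taken from the post or from Nextcloud, that parses a CSP header the way a browser splits it and reports whether eval() is permitted. It handles the two cases that are easy to get wrong: script-src falling back to default-src when absent, and a duplicated directive, of which browsers honour only the first. The two policy strings are the demo header from this post and the same header with 'unsafe-eval' removed.

```javascript
// Parse "name src1 src2; name2 ..." into a Map of directive name -> source list.
function parseCsp(policy) {
  const directives = new Map();
  for (const raw of policy.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // Browsers ignore a repeated directive; only the first occurrence counts.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// eval() is governed by script-src. When script-src is absent the browser falls
// back to default-src, and when neither exists scripts are not restricted at all.
function effectiveScriptSources(directives) {
  if (directives.has('script-src')) return directives.get('script-src');
  if (directives.has('default-src')) return directives.get('default-src');
  return null; // no restriction on scripts
}

// true when the policy lets eval(), new Function() and friends run.
function allowsEval(policy) {
  const sources = effectiveScriptSources(parseCsp(policy));
  if (sources === null) return true;
  return sources.some((s) => s.toLowerCase() === "'unsafe-eval'");
}

// The header from the post's demo page, and the same header without 'unsafe-eval'.
const DEMO_POLICY =
  "default-src 'none'; script-src 'nonce-totally-insecure-nonce-for-demonstration' 'unsafe-eval' https://code.jquery.com";
const TIGHT_POLICY =
  "default-src 'none'; script-src 'nonce-totally-insecure-nonce-for-demonstration' https://code.jquery.com";
```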

Assuming you have something like the following JavaScript code, CSP with 'unsafe-eval' won’t be able to protect you if an attacker gets the victim to open example.com/?alert(1):

var urlParameter = window.location.search.substr(1);
eval(urlParameter);

[Screenshot: XSS with popup as proof of concept]

Is this a real world issue at all?

Passing user content to eval() is arguably a very rare edge case and is better avoided anyway. So can we just stop here and keep 'unsafe-eval' as an accepted risk?

Sadly, this would be ill-advised. There’s one major JavaScript framework out there that makes such issues more realistic in the real world: jQuery.

Meet jQuery.globalEval

One of the less widely known facts about jQuery is that all DOM manipulations through jQuery are essentially also passed through jQuery.globalEval, which evaluates a script in the global context.

In practice this means that if you do a DOM manipulation using functions such as .html(), the inserted content is passed through eval(), bypassing the CSP you deployed.

Let’s take a look at an actual code sample. To keep the demo short I used a CSP nonce to embed the inline JavaScript; please note that a hard-coded nonce like this is entirely insecure and is only used here for demonstration purposes.

<?php
    header("Content-Security-Policy: default-src 'none'; script-src 'nonce-totally-insecure-nonce-for-demonstration' 'unsafe-eval' https://code.jquery.com")
?>
<html>
<head>
    <script src="https://code.jquery.com/jquery-3.2.0.min.js"></script>
    <script nonce="totally-insecure-nonce-for-demonstration">
        $(document).ready(function() {
            $('#name').html(decodeURIComponent(window.location.search.substr(1)));
        });
    </script>
</head>
<body>
Hello, <span id="name"></span>!
</body>
</html>

Opening that page with ?Lukas would display “Hello, Lukas!” but opening it with ?<script>alert(1)</script> would trigger a popup box:

[Screenshot: XSS with popup as proof of concept]

A small but useful hardening

To prevent that we can override jQuery.globalEval. This is something we have done in the current Nextcloud development branch, and it will be included in our next release. It is actually rather easy to accomplish; note the jQuery.globalEval = function(){}; in the following code block:

<?php
    header("Content-Security-Policy: default-src 'none'; script-src 'nonce-totally-insecure-nonce-for-demonstration' 'unsafe-eval' https://code.jquery.com")
?>
<html>
<head>
    <script src="https://code.jquery.com/jquery-3.2.0.min.js"></script>
    <script nonce="totally-insecure-nonce-for-demonstration">
        jQuery.globalEval = function(){};
        $(document).ready(function() {
            $('#name').html(decodeURIComponent(window.location.search.substr(1)));
        });
    </script>
</head>
<body>
Hello, <span id="name"></span>!
</body>
</html>

Opening that page now with ?<script>alert(1)</script> would trigger the following CSP warning:

[Screenshot: XSS mitigated with CSP]

I think that’s a pretty small and easy change that can largely reduce the risk of using 'unsafe-eval' in jQuery applications, especially since the number of developers intentionally using functions such as .html() to execute JavaScript seems marginal at best.
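The override above silently swallows whatever reaches globalEval. The following is an added example (not Nextcloud's code and not jQuery's source) of a reporting variant: it still never evaluates, but records each blocked attempt so you can find apps that relied on scripts inside inserted markup. Because it has to run under Node without a DOM, makeFakeJQuery is a constructed stand-in for the one piece of jQuery that matters here, modelled on the indirect-eval path older jQuery versions used.

```javascript
// Constructed stand-in: scripts found in inserted markup are handed to
// jq.globalEval, which evaluates them in the global scope via indirect eval.
function makeFakeJQuery() {
  const jq = {
    globalEval(code) {
      return (0, eval)(code); // stand-in for jQuery's own globalEval
    },
    html(container, markup) {
      const scriptRe = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
      let match;
      while ((match = scriptRe.exec(markup)) !== null) {
        jq.globalEval(match[1]);
      }
      container.innerHTML = markup.replace(scriptRe, '');
      return container;
    },
  };
  return jq;
}

// The hardening: replace globalEval with a function that never evaluates,
// but keeps a record (and calls an optional reporter) of what was attempted.
function hardenGlobalEval(jq, report = () => {}) {
  const attempts = [];
  jq.globalEval = function blockedGlobalEval(code) {
    const entry = { snippet: String(code).slice(0, 80), at: Date.now() };
    attempts.push(entry);
    report(entry);
    // Intentionally no evaluation and no return value.
  };
  return attempts;
}

// Walk-through with constructed markup: the same injected <script> before and
// after the override. Expected result: { before: 1, after: 1, blocked: 1 }.
function demo() {
  const jq = makeFakeJQuery();
  globalThis.demoHit = 0;
  jq.html({}, 'Hello, <span>Lukas</span><script>globalThis.demoHit = 1</script>');
  const before = globalThis.demoHit;        // script ran: 1
  const attempts = hardenGlobalEval(jq);
  jq.html({}, '<script>globalThis.demoHit = 2</script>');
  return { before, after: globalThis.demoHit, blocked: attempts.length };
}
```

In a real deployment the reporter would forward the entry to the same place CSP violation reports go, which gives you a migration list instead of silent breakage.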
