For about five years, Microsoft has been encouraging partners to develop their own intellectual property. Reston, Va.-based IOTAP took that advice to heart in a way that's already helping other partners struggling to overcome some of the difficulties inherent in being a Microsoft Cloud Solution Provider (CSP).
As a CSP itself, IOTAP had difficulty tracking licensing for CSP customers. Straightforward orders went fine. Things got complicated when customers wanted to add seats, change Office 365 or other Microsoft cloud product SKUs, or otherwise change orders during the middle of a billing period, to name a few of the many examples. When a customer wanted to know why their charges came in at a certain amount, it could be hard to find an answer.
IOTAP Co-CEO Ismail Nalwala recalls looking around the emerging ecosystem of CSP-related tools vendors for someone who could provide billing and invoicing for cloud and subscription services, customer service and incident management, self-service and automatic provisions, and e-commerce and payments.
"There's about six or seven folks that we looked at. Everybody had a SaaS-based app with some capabilities. You could build a portal, you can build some self-service, you can customize it, you can expose it out," Nalwala explained in describing solutions on the market. None of the products did everything IOTAP wanted, and what's more, IOTAP found a lack of another element that was important to it as a Dynamics partner.
"The reality was that all our data would be in a separate system, all our customer orders would be in separate systems -- cases, service tickets," he said. In other words, none of them were in Dynamics, which IOTAP used internally, leveraging its Internal Use Rights (IUR) as a Microsoft partner. "We didn't want to go outside and build integration back into Dynamics."
With that in mind, IOTAP started working on a system for internal use that would serve as a fully integrated customer experience platform that would be built on Dynamics 365. After all, said the co-CEO, who is a regular attendee at Washington, D.C., chapter meetings of the International Association of Microsoft Channel Partners (IAMCP), and whose company has held gold competencies from Microsoft for years, "Partners should be using Dynamics if they can to run their business."
IOTAP put its system into production internally in July 2017. "Toward the end of last year, we said, 'You know what, this is a pain point,'" Nalwala said. At that point, the company pivoted from maintaining an internal tool to creating a product that other partners could use.
After beta tests with a few partners early this year, IOTAP made its solution, Work 365, generally available last month.
At the time of the launch in early March, Nalwala described Work 365 this way in a statement: "This system was built to overcome the challenges that Microsoft CSP Partners face every day when handling customer billing, subscription, and service management. Our solution is built on Dynamics 365 using the partner's IURs, which allows the partner to keep ownership of all the data. Dynamics 365 is at the core of the digital transformation agenda and partners that use Dynamics 365 to run their business will be able to help their own customers with these initiatives."
One early adopter is Rosalyn Arntzen, president and CEO of Redmond, Wash.-based Amaxra, which has been using Work 365 to manage its business as an indirect CSP partner for a little over a month.
Arntzen, a 15-year Microsoft veteran before starting Amaxra in 2007, said Work 365 is helping her wrangle licensing. That task is complicated enough when it's just Microsoft, but her company has the added challenge of third-party licensing to manage through add-on solutions, such as ClickDimensions, for Amaxra's Dynamics customers.
"All of that needs to be tracked. With licensing, oh my, the spreadsheets you have to be tracking," exclaimed Arntzen, who added that one of her mottos is "anything done twice is once too often."
She previously found herself as the bottleneck, for the good reason that someone needed to make sure the company was profitable overall. "Nobody could really have a handle over the licensing because I had to keep it very close. You very quickly could leak money: $1 here, $5 here. Pretty soon you could be losing money," she said.
In two senses, Work 365 has been a help already for Amaxra. "It absolutely makes a huge difference because I now can have one place in my CRM that's tracking all of these, 'Hey, I need one more license, now I need an E3,' all of that history is there," she said. The second way it's helped is that questions can be better delegated and answered more quickly.
"If we get any questions, 'Hey you just billed me x dollars back to the first of the month, I don't think that's right,' I was about the only person that could answer the question," Arntzen said. "We've only been using Work 365 for about a month, but already [others] can go in, see the quotes, look what the client signed and get a lot further along and answer 80 percent of the questions."
Posted by Scott Bekker on April 20, 2018 at 8:50 AM
Fresh from announcing a plan to invest $5 billion in Internet of Things (IoT) initiatives over the next four years, Microsoft this week took its IoT push even further with the launch of a major new security vision.
Brad Smith, Microsoft president and chief legal officer, unveiled Azure Sphere on Monday during a security news briefing in San Francisco timed to coincide with the start of the 2018 RSA Conference. Azure Sphere aims to secure the billions of IoT devices, from device hardware to software to cloud -- and gives Microsoft a central role.
"It is an end-to-end IoT solution. It goes where...no company has gone before," Smith said.
The Azure Sphere solution has three parts: Azure Sphere MCUs, the Azure Sphere OS and the Azure Sphere Security Service.
Azure Sphere MCUs: The first part is a microcontroller unit (MCU), the chips that power IoT devices. Microsoft has developed a new class of MCUs, which it also calls the Azure Sphere MCU or Azure Sphere chip. Microsoft plans to license the intellectual property of the new MCUs royalty-free for silicon partners interested in developing and manufacturing Azure Sphere chips. A major element of the chips is the Microsoft Pluton Security Subsystem for creating a hardware root of trust, storing private keys and executing cryptographic operations. Other elements of the chips include network connectivity, Microsoft I/O firewalls, an application processor, a real-time processor, flash memory, SRAM and multi-plexed IO, according to a diagram.
Azure Sphere OS: The second part is an operating system for IoT devices built on a Linux kernel, the first time Microsoft has released an OS built on Linux. According to Microsoft, the Azure Sphere OS will offer a trustworthy, defense-in-depth platform via secured application containers and a security monitor.
Azure Sphere Security Service: The cloud component is the Azure Sphere Security Service, which Microsoft describes as a turnkey cloud security service. Elements include certificate-based authentication for all communication, device authenticity checks, device status and health monitoring, automated updates of the Azure Sphere OS, and device software deployment services. The security protections through the service are designed to last for a 10-year device lifetime.
Currently, Azure Sphere is in a private preview, and Microsoft is working with select hardware providers. The first Azure Sphere chip is being developed by MediaTek Inc., which built the MT3620 as a reference architecture for Azure Sphere with Microsoft and is now sampling the chip with some customers. The company expects broad public availability for the MT3620 in the third quarter of this year.
"MediaTek has a long history of working with Microsoft on specific SoC [system on a chip] designs that meet demanding connectivity needs," said Jerry Yu, MediaTek corporate vice president and general manager of the Intelligent Devices Business Group, in a statement Tuesday. "On top of our close ties with Microsoft and design expertise, Microsoft had a vision we also believed in."
According to a blog by Galen Hunt, partner managing director at Microsoft for Azure Sphere, a first wave of Azure Sphere devices will be "on shelves" by the end of 2018. He also promised universally available dev kits by mid-2018.
Arm Ltd. was also another early partner, working closely with Microsoft to incorporate its Cortex-A application processors into Azure Sphere MCUs, according to a Microsoft page detailing the Azure Sphere silicon ecosystem. Other partners represented on that page include Hilscher, LitePoint, LongSys, Nordic, Nuvoton, NXP, Qualcomm, Seeed Studio, Silicon Labs, ST Micro, Toshiba and VeriSilicon.
During the briefing, Smith suggested why Microsoft thinks the time is right to roll out a significant IoT security initiative.
"There are going to be 9 billion of these MCU-based devices shipped this year. Think about that. For every person on the planet, there will be more than one of these MCU devices shipped. They literally will be in the toys of our children, they literally will be in our kitchens and our refrigerators, they will be in every room in our house," Smith said. "Today, fewer than 1 percent of those MCUs are connected to a network or the Internet. But that is changing, and it's going to continue to change. And what it fundamentally means is that our homes and our offices and the infrastructure of the future will literally be only as secure as the weakest link."
Smith also cited the Mirai botnet as a harbinger of the types of security threats that will become more common as IoT expands, and as a reason that a holistic security approach is needed.
"It was in 2016 that the Mirai attack basically enabled hackers to take control of 100,000 devices and use it to launch a DDoS attack by turning those devices into part of a botnet. It was an attack that, on a single day, basically took the East Coast of the United States off of the Internet," he said, reinforcing an idea that he discussed earlier in his talk and in a related blog post. The idea is that Microsoft and others in the tech sector have the first responsibility to address security issues.
"We operate the platform. We unfortunately are the battlefield in many ways," he said.
Posted by Scott Bekker on April 17, 2018 at 10:54 AM
Microsoft's ongoing courtship of Linux reached a new milestone this week when the company unveiled a brand-new operating system product with a Linux kernel.
The product is Azure Sphere OS, and it's part of Microsoft's ambitious effort to place itself at the center of the emerging swarm of Internet of Things (IoT) with Azure Sphere, a combination of a reference architecture for microcontroller units (MCUs), operating systems for the devices themselves, and a cloud-based Azure Sphere Security Service to manage and secure them all. The broader Azure Sphere initiative is expected to result in shipping products by the end of the year.
In announcing Azure Sphere during a security news briefing on Monday, Microsoft President and Chief Legal Officer Brad Smith took a moment to acknowledge the significance of the Linux component.
"For anybody who has been following Microsoft, I'm sure you'll recognize that after 43 years, this is the first day that we're announcing that we'll be distributing a custom Linux kernel," Smith said. "It's an important step for us, it's an important step I think for the industry, and it will enable us to stand behind the technology the way I believe the world needs, because what we will do is ensure that these devices are secured throughout their 10-year lifetime with the continuing improvements and updating to the Azure Sphere operating system."
Microsoft describes the Azure Sphere OS as a trustworthy, defense-in-depth operating system. The OS has five layers, with OS Layer 0 interacting with the hardware, OS Layer 1 running a security monitor, OS Layer 2 hosting the custom Linux kernel, OS Layer 3 covering on-chip connectivity services, and OS Layer 4 sporting app containers for compute and real-time I/O.
This is not Microsoft conceding defeat to Linux, with which Windows has fought for decades. It is more of a tactical cooperation with the open source community, which Microsoft has increasingly worked with over the last several years.
Microsoft is still sprinkling the operating system with Windows features, while recognizing that Linux has a more efficient kernel for the limited devices of IoT.
"This is a new operating system. It's based on a custom Linux kernel -- a custom Linux kernel that has really been optimized for an IoT environment and is reworked with security innovations pioneered in Windows," Smith said. "Of course, we are a Windows company, but what we've recognized is the best solution for a computer of this size in a toy is not a full-blown version of Windows. It is what we are creating here. It is a custom Linux kernel, complemented by the kinds of advances that we have created in Windows itself."
Even with those caveats, this is a significant step for Microsoft. This is a company that always saw Windows as the answer to any operating system question -- from Windows Datacenter Server in the largest use case to the recent Windows IoT Core for the very smallest.
The new days at Microsoft just keep on coming.
Posted by Scott Bekker on April 17, 2018 at 10:52 AM
It's a tale of two PC markets this week, with Gartner and IDC each releasing their latest reports on worldwide PC shipments, but neither story is particularly positive.
The less-negative news comes from IDC, which found evidence of a flat market. That's right, this was the good news.
IDC reported that worldwide there were some 60.4 million PCs sold in the January-to-March period, amounting to 0.0 percent growth over the year-ago quarter. The reason that's good news is that IDC had previously forecast a drop of 1.5 percent, so flat is better than declining.
IDC also found some green shoots related to Windows 10. In its discussion of the quarter, IDC noted that businesses are moving to Windows 10 at a steady clip.
Speaking of the U.S. market, Neha Mahajan, senior research analyst for Devices & Displays at IDC, stated, "The year kicked off with optimism returning to the U.S. PC market, especially on the notebook side. A likely rise in commercial activity amidst a positive economic environment is expected to further strengthen demand."
Overall, Jay Chou, research manager of IDC's Personal Computing Device Tracker, called the path that PCs are on "resilient" and predicted "modest commercial momentum through 2020."
Even that modest optimism was not evident in an assessment released on the same day by Gartner. Gartner, while sizing the market slightly larger at 61.7 million unit shipments for the quarter, reported a 1.4 percent decline in PC shipments for Q1.
Gartner Principal Analyst Mikako Kitagawa affixed the blame primarily to the Chinese market. "The major contributor to the decline came from China, where unit shipments declined 5.7 percent year over year," Kitagawa said in a statement. "This was driven by China's business market, where some state-owned and large enterprises postponed new purchases or upgrades, awaiting new policies and officials' reassignments after the session of the National People's Congress in early March."
Where IDC saw some modest improvements in the U.S. market, Gartner found red ink there, too, reporting a 2.9 percent decline in U.S. PC shipments from Q1 2017 to Q1 2018. In all, Gartner declared Q1 2018 the 14th consecutive quarter of decline going all the way back to the second quarter of 2012.
Posted by Scott Bekker on April 13, 2018 at 1:36 PM
Mimecast on Tuesday unveiled a revamped partner program newly organized to offer a consistent global experience and three new channel executive appointments.
Major updates from the old Mimecast channel programs for the new Mimecast Global Partner Program include:
- restructured discounts and rewards to better align with motions that attract new clients or deepen existing engagements,
- new training programs, especially to cover Mimecast's integrated cloud suite,
- partner access to account resources like partner account managers, sales engineers and marketing managers, and
- a new partner dashboard.
Julian Martin, a 10-year Mimecast veteran, is now the vice president for global channel and operations.
Martin described the old channel structure as having developed differently in different regions of the world over the last 10 years for Mimecast, which specializes in e-mail and data security products and does a substantial portion of its business with Office 365 customers.
"As we have continued to engage with our rapidly expanding ecosystem of resellers globally, we developed a stronger global strategy," Martin said in a statement. "Simplicity is a core value of the new program and we want to ensure our joint engagements with resellers are easy and rewarding for everyone involved as we service our customers together."
Other new channel appointments announced Tuesday include Shawn Pearson, a former Hewlett-Packard vice president of inside sales, who is now vice president of channel sales for North America at Mimecast; and Rema Lolas, who is taking over as channel director in Australia and New Zealand.
The changes come as Mimecast says it is driving toward a primarily channel-focused business. In the company's Q3 earnings call in February, Chairman and CEO Peter Bauer said the range of business coming in from the channel is approaching 75 percent of new sales. At the time, he telegraphed the investments in channel that Mimecast announced Tuesday, and also made clear where Mimecast sees its biggest opportunities geographically.
"North America and continental Europe are two real focus areas for us [in] building out our channel practice even further over the next year," Bauer said on the investment call.
Posted by Scott Bekker on April 10, 2018 at 12:39 PM
Cryptomining leapfrogged almost all other forms of malware detected in the first quarter of 2018, according to a new security report from Malwarebytes Labs.
"Cryptomining has just gone insane," said Adam Kujawa, director of Malwarebytes, in an interview about the report. "It's all over the place. We've never seen a mass migration to the use of one particular type of threat so fast by so much of the cybercrime community as we have seen with cryptominers."
Malwarebytes on Monday released "Cybercrime tactics and techniques: Q1 2018," the latest in its quarterly series of reports based on telemetry from its business and consumer products.
There are legitimate miners that get a user's consent before repurposing all or most of their CPU capacity toward mining for cryptocurrencies. Malwarebytes' report focuses on the other kinds -- malware-based miners that are often delivered via existing malware families and browser-based miners that hijack a victim's processor through drive-by attacks or malicious browser extensions.
The company found that cryptomining detections were way up in the quarter for consumers, with Android miners in particular surging to 40 times more detections this quarter than last. There was also a boom in March in Mac-based detections of malware-based miners, browser extensions and cryptomining apps, the company found.
For now, it's mainly a consumer problem. Business customers saw a 27 percent increase in cryptomining -- a significant jump to be sure, but nowhere near the levels on the consumer side.
This security report is a trailing indicator given that it covers the first three months of the year. Yet the cryptomining spike documented by Malwarebytes is tracking a little behind the price movement on the flagship cryptocurrency, Bitcoin, which had a recent peak in December but has been mostly falling from those highs over the last quarter.
Damages from cryptomining are squishy for businesses to calculate. A drive-by, browser-based attack, for example, can sometimes be stopped by simply shutting down the offending tab. Other types of cryptomining malware can be much more insidious.
How much damage is really done? There's lost productivity for sure, but Kujawa argues the malware delivery vectors that brought the cryptomining malware to systems will represent a lasting problem, even if cryptocurrency values don't rebound quickly and attackers lose interest in the attacks.
"A miner may only cause minimal damage, but any infection that you don't want to be on your system can install different stuff," he said. "The attacker sends a message to the miner: 'Hey install some ransomware for me, worm, go back to the old tricks.' It's like keeping your back door unlocked."
Posted by Scott Bekker on April 09, 2018 at 1:22 PM
Longtime senior Microsoft channel executive Jenni Flinders has landed the channel chief role at VMware Inc.
Flinders' formal title at VMware is vice president, Worldwide Channels, and she reports to Brandon Sweeney, senior vice president, Worldwide Commercial and Channel Sales.
The Palo Alto, Calif.-based enterprise virtualization and cloud giant boasts an ecosystem of 75,000 partners.
Flinders left Microsoft in April 2015 after nearly 15 years with the company. She joined Microsoft in 2000 in marketing and sales roles in South Africa and later ran the midmarket business for Latin America out of Microsoft's Ft. Lauderdale, Fla. office before joining then-Microsoft worldwide channel chief Allison Watson's team in the Worldwide Partner Group as chief of staff.
From 2009 until her departure in 2015, she was channel chief for Microsoft's U.S. partners.
Since 2015, Flinders has been CEO of Daarlandt Partners, a channel strategy consulting practice.
Posted by Scott Bekker on April 05, 2018 at 10:26 AM
In the midst of a pivot from a WAN optimization business to SD-WAN, cloud networking, and application and network performance monitoring, Riverbed Technology is also changing CEOs.
Effective immediately, Paul Mountford, a four-year veteran at Riverbed, is taking over as CEO of the 16-year-old company from co-founder Jerry M. Kennelly, who will retire after he serves in an advisory role for the rest of the month. Mountford's appointment follows an internal and external search by the Riverbed board of directors.
Mountford was previously senior vice president and chief sales officer at Riverbed, which has undergone significant changes to the global sales organization and partner program during his time in the role. He spent 16 years in senior roles at Cisco and was CEO of the Web intelligence company Sentillian.
Riverbed has been both acquiring and organically developing products for software-defined solutions and managing application performance for the last few years. In addition to its business in SteelHead WAN optimization appliances, the company is now emphasizing its SteelCentral performance management platform and control suite and its SteelConnect SD-WAN solution, which includes optimization of Microsoft Azure and Amazon Web Services (AWS).
The company is in the midst of rolling out a new partner program called Riverbed Rise, in which partners earn dividends based on sales or training and that can be converted to rebates, market development funds or training vouchers. Riverbed will fully transition to Rise on Aug. 1.
Posted by Scott Bekker on April 05, 2018 at 9:16 AM
Microsoft got its legal wish.
That wish fulfillment in the form of the CLOUD Act came about in such a surprising fashion that it took Microsoft more than a week to release a full public response.
In a lengthy blog post Tuesday, Microsoft President and Chief Legal Officer Brad Smith admitted that passage of the CLOUD Act on March 23 was a "bit of a shock."
Congress slipped the CLOUD Act into a 2,000-plus-page omnibus bill that President Donald Trump signed after a brief show of protest. Trump had tweeted that he might veto the bill, although his objections to the $1.3 trillion bill that narrowly averted a government shutdown involved other aspects of the legislation, such as the level of border-wall spending and a lack of action on DACA. The CLOUD Act portion did not come up in most news coverage of the omnibus bill.
Microsoft has been lobbying hard for some time for the CLOUD Act, which stands for Clarifying Lawful Overseas Use of Data Act. The company urged the Supreme Court during oral arguments in the Microsoft warrant case in late February to wait for the CLOUD Act.
"This Court's job is to defer, to defer to Congress to take the path that is least likely to create international tensions. And if you try to tinker with this, without the tools that -- that only Congress has, you are as likely to break the cloud as you are to fix it," said Microsoft lawyer E. Joshua Rosenkranz in his closing statement in the case, which involved U.S. law enforcement efforts to obtain customer data stored by Microsoft in a datacenter in Ireland.
For his part, Michael R. Dreeben, deputy solicitor general for the U.S. Department of Justice, was probably shocked by the timing, as well. Dreeben had argued that the high court, which is expected to rule on the case in June, shouldn't wait for Congress. "As to the question about the CLOUD Act, as it's called, it has been introduced. It's not been marked up by any committee. It has not been voted on by any committee. And it certainly has not yet been enacted into law," Dreeben said just a month before the act passed.
While the effect of the new law on the high court's ruling is hard to predict, Microsoft's Smith blogged this week that this update to the legal code, written with the existence of cloud computing in mind, will help U.S. cloud providers like Microsoft balance cooperating with legitimate law enforcement requests against protecting the privacy rights of international customers.
The road forward from the passage of the law until it starts yielding evidence for U.S.-based law enforcement efforts could be somewhat long. The act calls on the executive branch to establish reciprocal international agreements allowing law enforcement in both countries to access data in each other's countries. Yet as a first step, the administration must also establish that each country with which it creates an agreement protects privacy and human rights. Congress also has 180 days to review the agreements.
Smith's interpretation is that the law leaves room for cloud providers to challenge law enforcement requests during the interim period. "The CLOUD Act both creates the foundation for a new generation of international agreements and preserves rights of cloud service providers like Microsoft to protect privacy rights until such agreements are in place," Smith said.
Unstated in Smith's blog entry is the sigh of relief. Right now, U.S.-based technology companies dominate the global cloud computing infrastructure market. But there is no iron law that this state of affairs must continue. The Edward Snowden revelations of 2013 marked a huge challenge to international businesses' and governments' trust in U.S.-based companies' ability and willingness to protect their data from the U.S. government. Microsoft, Google and Amazon have been looking over their shoulders for potential new international competitors and contemplating a potentially fragmented global market where U.S.-based cloud providers could be shut out of some countries over data sovereignty and citizen privacy concerns.
Smith laid out that line of thinking in a February post about the Supreme Court case. "U.S. companies are leaders in cloud computing. This leadership is based on trust. If customers around the world believe that the U.S. Government has the power to unilaterally reach in to datacenters operated by American companies, without reference or notification to their own government, they won't trust this technology," Smith wrote.
The passage of the CLOUD Act gives Microsoft and its channel partners a much stronger privacy story for international customers and an opportunity, along with other U.S.-based cloud providers, to continue leading the global charge for cloud computing.
Posted by Scott Bekker on April 04, 2018 at 3:10 PM
Microsoft launched a new program on Monday to potentially train tens of thousands of people in artificial intelligence skills and concepts.
The Microsoft Professional Program for Artificial Intelligence will consist of 10 parts, each of which is supposed to take eight to 16 hours to complete. Attendees can either audit the courses or pay in order to get a certificate of completion.
In a feature-style article to announce the new track, Microsoft framed the program as a massive online open course (MOOC) that grew out of Microsoft's internal AI training initiatives, including one project-based, semester-style program called AI School 611.
"The program provides job-ready skills and real-world experience to engineers and others who are looking to improve their skills in AI and data science through a series of online courses that feature hands-on labs and expert instructors," Microsoft noted in the description of the new Microsoft Worldwide Learning Group program.
The nine courses include an intro to AI, using Python to work with data, using math and statistics techniques, considering ethics for AI, planning and conducting a data study, building machine learning tools, building reinforcement learning models, and developing applied AI solutions. The applied AI section has three options -- natural-language processing, speech-recognition systems, or computer vision and image analysis.
The track ends with a final project called the Microsoft Professional Capstone: Artificial Intelligence. Details of the capstone project are coming soon, according to Microsoft's Web site explaining the program.
Microsoft first unveiled the idea of broad-based courses in 2016 under the name Microsoft Professional Degree, and later renamed the idea as the Microsoft Professional Program.
The first track under the program was Data Science. Microsoft currently also offers Big Data, Front-End Web Development, Cloud Administration, DevOps, IT Support and Entry Level Software Development.
Posted by Scott Bekker on April 02, 2018 at 2:10 PM
Patches that were released in January to protect Windows 7 from the Meltdown flaw may have opened an even worse can of worms for the OS, according to one security researcher.
Ulf Frisk, a security researcher who specializes in direct memory access (DMA) attacks, described the problem this week in a blog post called "Total Meltdown?"
The January patch was intended to address the Meltdown flaw in Intel, IBM POWER and ARM-based processors that emerged in January and theoretically allows a rogue process to read all memory on a system.
"[The patch] stopped Meltdown but opened up a vulnerability way worse...It allowed any process to read the complete memory contents at gigabytes per second, oh -- it was possible to write to arbitrary memory as well," wrote Frisk, who is the author of the PCILeech memory access attack toolkit, and who described himself in a DEFCON 24 presentation in 2016 as a penetration tester specializing in online banking security and working in Stockholm, Sweden.
"No fancy exploits were needed. Windows 7 already did the hard work of mapping in the required memory into every running process. Exploitation was just a matter of read and write to already mapped in-process virtual memory. No fancy APIs or syscalls required -- just standard read and write," Frisk said.
The flaw does not affect Windows 10 or Windows 8, according to Frisk.
The problem appears to have been introduced by the Windows 7 patches released in January, during the industrywide scramble to address the Meltdown and related Spectre flaws whose existence was revealed slightly ahead of schedule. Some of the first-generation patches caused reboot and slowdown issues, among other problems.
Frisk said the subsequent March patch for Windows 7 fixed the flaw, and he discovered the problem after the March patch was released.
Posted by Scott Bekker on March 28, 2018 at 10:26 AM
Network managers need to be on the lookout for password-spray attacks, according to warnings from the FBI and U.S. Department of Homeland Security.
In a password-spray attack, a hacker tests a single password against multiple user accounts at an organization. The method often involves weak passwords, such as Winter2018 or Password123!, and can be an effective hacking technique against organizations that are using single sign-on (SSO) and federated authentication protocols, but that haven't deployed multifactor authentication.
By hitting multiple accounts, the method can test a lot of user names without triggering account-lockout protections that kick in when a single user account gets hit with multiple password attempts in a row.
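The gap described above can be seen by counting the same sign-in failures two ways, per account and per source. The following is an added example, not code from the US-CERT alert or from Microsoft; the log format, the thresholds and the sample lines are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in log: "<ISO time> <source> <user> <OK|FAIL>"
SAMPLE_LOG = """\
2018-03-27T09:00:01 203.0.113.7 alice FAIL
2018-03-27T09:00:04 203.0.113.7 bob FAIL
2018-03-27T09:00:09 203.0.113.7 carol FAIL
2018-03-27T09:00:13 203.0.113.7 dave FAIL
2018-03-27T09:00:20 203.0.113.7 erin OK
2018-03-27T09:01:00 198.51.100.9 frank FAIL
2018-03-27T09:01:05 198.51.100.9 frank FAIL
2018-03-27T09:01:11 198.51.100.9 frank FAIL
"""

LOCKOUT_THRESHOLD = 3           # assumed: failures on one account before lockout
SPRAY_MIN_ACCOUNTS = 4          # assumed: distinct failing accounts per source
WINDOW = timedelta(minutes=30)  # assumed correlation window

def parse(log):
    for line in log.splitlines():
        ts, src, user, result = line.split()
        yield datetime.fromisoformat(ts), src, user, result

def locked_out_accounts(events):
    """Per-account control: only repeated failures on ONE account trip it."""
    fails = defaultdict(int)
    for _, _, user, result in events:
        if result == "FAIL":
            fails[user] += 1
    return {u for u, n in fails.items() if n >= LOCKOUT_THRESHOLD}

def spray_sources(events):
    """Per-source view: many DISTINCT accounts failing inside WINDOW."""
    by_src = defaultdict(list)
    for ts, src, user, result in events:
        by_src[src].append((ts, user, result))
    findings = {}
    for src, rows in by_src.items():
        rows.sort()
        for i, (start, _, _) in enumerate(rows):
            in_win = [r for r in rows[i:] if r[0] - start <= WINDOW]
            failed = {u for _, u, res in in_win if res == "FAIL"}
            if len(failed) >= SPRAY_MIN_ACCOUNTS:
                hits = sorted({u for _, u, res in in_win if res == "OK"})
                findings[src] = {"failed_accounts": sorted(failed), "succeeded": hits}
                break
    return findings

EVENTS = list(parse(SAMPLE_LOG))
```

On the sample data the lockout counter only ever sees the repeated guesses against one account, while the per-source count surfaces the spray and the account that authenticated during it, which is the one to review first.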
"According to information derived from FBI investigations, malicious cyber actors are increasingly using a style of brute force attack known as password spraying against organizations in the United States and abroad," the agencies declared in a US-CERT technical alert issued Tuesday evening.
Prompting the alert was the disclosure last Friday of a federal indictment against nine Iranian nationals associated with the Mabna Institute, a private Iran-based company accused of hacking on behalf of the Iranian state. The main focus of that indictment was a massive, four-year spear-phishing campaign to steal credentials from thousands of university professors whose publications could allegedly advance Iranian research interests.
Also caught up in the alleged Iranian effort were 36 private companies in the United States, 11 companies in Europe and multiple U.S. government agencies and non-government organizations, and the method of attack for those organizations was password spraying.
According to the indictment:
"In order to compromise accounts of private sector victims, members of the conspiracy used a technique known as 'password spraying,' whereby they first collected lists of names and email accounts associated with the intended victim company through open source Internet searches. Then, they attempted to gain access to those accounts with commonly-used passwords, such as frequently used default passwords, in order to attempt to obtain unauthorized access to as many accounts as possible.
"Once they obtained access to the victim accounts, members of the conspiracy, among other things, exfiltrated entire email mailboxes from the victims. In addition, in many cases, the defendants established automated forwarding rules for compromised accounts that would prospectively forward new outgoing and incoming email messages from the compromised accounts to email accounts controlled by the conspiracy."
The US-CERT technical alert refers to the indictment as having been handed up in February, which could explain Microsoft's detailed guidance for deterring password-spray attacks in a high-profile blog post on March 5. In that post, Alex Simons, director of program management for the Microsoft Identity Division, called password spray "a common attack which has become MUCH more frequent recently," and declared, "Password spray is a serious threat to every service on the Internet that uses passwords." The new government alert linked back to the March 5 Microsoft post as a mitigation resource.
While the Mabna-related password spraying clearly has a lot to do with the new alert, US-CERT warned that others are currently using the attack. "The techniques and activity described herein, while characteristic of Mabna actors, are not limited solely to use by this group," the alert stated.
This is US-CERT's third technical alert this year. Previous alerts warned about the Meltdown and Spectre side-channel vulnerability and Russian government cyberactivity targeting critical U.S. infrastructure.
Posted by Scott Bekker on March 28, 2018 at 12:23 PM