Tag Archives: users

Cloud App Discovery spotlights shadow IT users

Do you know what end users do with a company’s data? Do they use Dropbox to share documents with clients? Discuss trade secrets via Slack? Plan secret projects on Trello? The Cloud App Discovery feature in Office 365 reveals certain shadow IT practices admins need to know to secure the enterprise.

End users often enlist cloud services to perform their jobs, but the practice of introducing unsanctioned apps invites risk. It circumvents security practices, which potentially opens the company to an unexpected compliance issue or a cyberattack. Cloud App Discovery uncovers shadow IT without the need to implement agent-based software on users’ computers and mobile devices.

Here’s how to identify and monitor use of unauthorized cloud services within the organization — and what to do about it.

Find hidden app usage with Cloud App Discovery

Office 365’s E3 subscription includes Cloud App Discovery, a component of Cloud App Security. This service interprets log files from web proxy servers, firewalls and network devices, such as wireless access points and switches, to create a visual picture of the shadow IT services used in the organization.

Cloud App Security dashboard
Figure 1. The Discover tab in Office 365 Cloud App Security presents a visual summary of shadow IT services used in the organization.

The Office 365 version of Cloud App Discovery indicates services that have similar functions to Office 365 apps, especially productivity services. Therefore, the discovered apps section does not include nonproductivity applications. We’ll show how to uncover those later in this article.

Create reports of productivity apps

Cloud App Discovery uses logs taken from a network device that sits between end users and the internet. The Cloud App Discovery service supports common log file formats, such as those generated by Cisco access points, open source web proxy servers or third-party cloud services, such as Symantec Websense.

The admin then accesses the Cloud App Discovery feature from the Security & Compliance Center. Download a log file from the network device in a format that Cloud App Discovery supports, navigate to the main console and choose Discover > Create new snapshot report.

Search for and specify the log format from the list, then upload the log file. Office 365 takes up to 24 hours to process and display the results.

Log file upload
Figure 2. To create a new snapshot report, search for the log format you want to use, and upload the log file.

Navigate to Discover > Manage snapshot reports to see the uploaded file. Office 365 shows processed reports as Ready.

Manage snapshot reports
Figure 3. The snapshot reports section indicates when the admin uploaded the report and its status.

The report shows the productivity apps in use from the Office 365 platform and from other cloud services. Select an app to open an Excel spreadsheet for more details, such as how many users accessed the service, how many times users accessed it and the amount of traffic uploaded to and downloaded from the service.

Discovered apps
Figure 4. View the report to see the productivity apps that are in use and to see detailed information about each app.

Automate the log upload process

Organizations that subscribe to Enterprise Mobility and Security (EMS) E3 can extend Cloud App Discovery’s functionality in several powerful ways.

The continuous reports feature automates log uploads through a customized VM with a syslog server and an HTTPS uploader.

To configure continuous reports, use the Discover > Upload logs automatically option in Cloud App Security. The admin adds a data source, which replaces the uploaded log file. The admin then defines a log collector and links it to the data source, which generates the information to deploy the Hyper-V or VMware VM.

After the VM deploys, configure one or more network devices to send data to the log collector in the format that matches the defined data source. Figure 5 shows an example of a Cisco Meraki device set up to send URL data in syslog format to the log collector’s VM IP address.

Configure URL data
Figure 5. Configure a network device to send data to the VM IP address for the log collector.

After about 24 hours, results from logged data will appear in the Cloud App Discovery section. The admin accesses both real-time and historic information related to app usage.

Cloud App Discovery dashboard
Figure 6. The Cloud App Discovery dashboard shows current app usage statistics and provides access to historical information.

See the threat level of shadow IT services

Aside from productivity services — such as webmail, cloud storage and content sharing — Cloud App Discovery also provides visibility into other areas. The EMS-based version of the tool detects internet of things devices, cloud service use from providers such as Amazon Web Services and visits to websites.

Cloud App Discovery ranks the discovered services on a risk score from one to 10. A lower score indicates a more suspicious application. The Cloud Discovery service determines the rank through assessment of security policies, such as where the data resides, who has access, who has control and whether organizations can prevent unauthorized access.

Apps designed for enterprise use, such as Google’s G Suite, get good scores. Services that provide less organizational control, such as WhatsApp, receive poor grades.

WhatsApp is considered a risky service because no one has administrative control. For example, a financial advisor who communicates with a client over WhatsApp could breach regulations because the business cannot record the conversation for future discovery.

View the detailed report on each service, and decide whether to approve the cloud service.

Figure 7 lists the services with usage statistics and threat level:

Discovered apps tab
Figure 7. The Discovered apps tab lists the services used on the company network with details on the traffic used and the risk score.

Take action against shadow IT

Administrators should take action when armed with data from Cloud App Discovery. If workers use Trello, Slack and Box, then admins should deploy the corresponding Office 365 services — Planner, Teams and OneDrive for Business, respectively.

However, IT should still take action even if the business can’t make these Office 365 apps immediately available. In that case, let end users know that the company plans to roll out Microsoft services to replace shadow IT apps. Explain the benefits of the move, such as service integration across the Office 365 suite.

The EMS-integrated capabilities give admins a way to configure security alerts when workers use these unsanctioned apps. The continuous reports feature also provides some control over app use. For example, an admin creates a rule that identifies when a user downloads a lot of data from Office 365 and then uploads a lot of data to Dropbox. When the rule detects this activity, the admin gets an alert and notifies the security team to block that user’s access to Office 365.
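The per-app figures in the snapshot report (users, hits, traffic up and down) and the download-from-Office-365-then-upload-to-Dropbox rule described above, as an added example that is not Cloud App Discovery’s own code: a constructed proxy-style log is parsed, summarized per service, and checked for users who pull a large volume from Office 365 and push a large volume to Dropbox within one hour. The log format, the host-to-service mapping and the byte thresholds are assumptions made for the example.

```python
"""Constructed example: aggregate per-service cloud usage from proxy-style
log lines and flag the download-from-Office-365-then-upload-to-Dropbox
pattern. Not Cloud App Discovery's own parser or rule language."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed log format (timestamp user destination bytes_up bytes_down).
# Real devices emit their own formats, which Cloud App Discovery parses.
SAMPLE_LOG = """\
2017-08-21T09:02:11Z alice outlook.office365.com 2100 48000000
2017-08-21T09:05:40Z alice contoso.sharepoint.com 900 260000000
2017-08-21T09:11:02Z alice www.dropbox.com 310000000 4200
2017-08-21T09:12:30Z bob app.slack.com 15000 220000
2017-08-21T09:14:05Z bob trello.com 8000 130000
2017-08-21T10:30:00Z carol contoso.sharepoint.com 1200 90000000
2017-08-21T14:45:00Z carol www.dropbox.com 120000000 3000
2017-08-21T15:00:12Z dave web.whatsapp.com 40000 95000
"""

# Hypothetical mapping from destination host suffix to service name.
SERVICE_BY_SUFFIX = {
    "office365.com": "Office 365",
    "sharepoint.com": "Office 365",
    "dropbox.com": "Dropbox",
    "slack.com": "Slack",
    "trello.com": "Trello",
    "whatsapp.com": "WhatsApp",
}


@dataclass
class Event:
    ts: datetime
    user: str
    service: str
    bytes_up: int      # uploaded to the service
    bytes_down: int    # downloaded from the service


def classify(host: str) -> str:
    """Map a destination host to a service name, or 'Other' if unknown."""
    for suffix, name in SERVICE_BY_SUFFIX.items():
        if host == suffix or host.endswith("." + suffix):
            return name
    return "Other"


def parse_log(text: str) -> List[Event]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, host, up, down = line.split()
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                            user, classify(host), int(up), int(down)))
    return events


def summarize(events: List[Event]) -> Dict[str, Dict[str, int]]:
    """Per-service users, transactions and traffic, as in the snapshot report."""
    users = defaultdict(set)
    stats = defaultdict(lambda: {"transactions": 0, "uploaded": 0, "downloaded": 0})
    for e in events:
        users[e.service].add(e.user)
        s = stats[e.service]
        s["transactions"] += 1
        s["uploaded"] += e.bytes_up
        s["downloaded"] += e.bytes_down
    return {svc: {"users": len(users[svc]), **stats[svc]} for svc in stats}


def find_exfil_candidates(events, window=timedelta(hours=1),
                          min_download=100_000_000, min_upload=100_000_000):
    """Flag users whose Office 365 downloads in the `window` ending at a Dropbox
    upload reach min_download, while Dropbox uploads in that window reach
    min_upload. Returns (user, office365_bytes_down, dropbox_bytes_up)."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_user[e.user].append(e)
    flagged = {}
    for user, evs in by_user.items():
        for i, e in enumerate(evs):
            if e.service != "Dropbox" or e.bytes_up == 0:
                continue
            recent = [x for x in evs[:i + 1] if e.ts - x.ts <= window]
            down = sum(x.bytes_down for x in recent if x.service == "Office 365")
            up = sum(x.bytes_up for x in recent if x.service == "Dropbox")
            if down >= min_download and up >= min_upload:
                prev = flagged.get(user, (0, 0))
                flagged[user] = (max(prev[0], down), max(prev[1], up))
    return [(u, d, up) for u, (d, up) in sorted(flagged.items())]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for svc, s in sorted(summarize(evs).items()):
        print(f"{svc:10} users={s['users']} hits={s['transactions']} "
              f"up={s['uploaded']} down={s['downloaded']}")
    for user, down, up in find_exfil_candidates(evs):
        print(f"ALERT {user}: {down} B from Office 365, {up} B to Dropbox within 1h")
```

In the constructed log only alice trips the rule; carol’s Dropbox upload comes hours after her SharePoint download and falls outside the window.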

Box Skills, machine learning technology pique IT interest

SAN FRANCISCO — Box shops will be able to help users gain more intelligent insight into their content with new machine learning technology in the content management tool.

Box Skills, introduced here at the company’s annual BoxWorks conference, makes it easier to search for visual and audio content and view information about it. Box Feed uses machine learning to curate content for specific users. Plus, new features in Box Relay aim to improve employee workflows. These capabilities caught the interest of attendees at the show.

“It was kind of nice to see Box incorporating [AI] to start relaying things to certain people at the right time in the right place,” said Ryan Foltz, business systems engineer at Barnhardt Manufacturing Company in Charlotte, N.C.

How Box Skills works

Box Skills is a framework that serves as a layer of abstraction between the content organizations upload to Box and the machine learning. It focuses on three areas: Image Intelligence, Audio Intelligence and Video Intelligence.

With the Image Intelligence component, based on Google Cloud Platform technology, Box automatically tags aspects of an image such as the subject, colors and logos, as well as uploads any text from it. Users can click the tags to access other images with similar contents.


Video Intelligence uses Microsoft Cognitive Services to provide facial recognition to identify people in a video. It also can show users where repeated phrases come up, and extracts a transcript of the video that users can apply as closed captioning. Audio Intelligence functions similarly, without the visual aspect, and is based on IBM Watson technology.

Using the new Box Skills Kit for developers, organizations can also customize what information within a file the machine learning technology tracks. The tool can track tone of voice in a phone conversation, for example, or pull out specific words a company is interested in and show within the Box content when those words were said. Developers can also customize information in documents such as invoices or contracts, and have Box extract information such as dates, signatures, payment amounts and vendor names. That not only extracts the data, but allows users to fill that information in automatically moving forward.

Image Intelligence is currently in beta, and Video Intelligence and Audio Intelligence will come to beta in 2018, Box said.

Box Feed puts relevant information in front of users

Box Feed, powered by Box Graph machine learning technology, was also previewed at the conference and will be available next year. This feature can help users find the content most relevant to them. It shows users active content — files they have been working on or are mentioned in — as well as other relevant content, which appears in a feed based on who is working on the file and what the content is. If a user generally collaborates with another user who is working on a document, for example, it will likely show up in the relevant section. It also shows trending files, or ones that many users throughout the organization are accessing. 

As interesting as these new features are, some companies might need some time to apply them. Barnhardt Manufacturing Company, for instance, is an old organization, but its leaders are getting more and more interested in business data intelligence, said Pete Chantry, application systems manager at the company.

“We’ve got to allow a little bit of time for them to get accustomed to the basic [enterprise content management] features of Box,” Chantry said.

Updates to Box Relay

Box Relay for workflow automation, announced last year and generally available next month, will get some enhancements as well.

First, the add-on will allow workflows to launch automatically, so if a user uploads a resume of a prospective employee for example, the workflow associated with that kind of document will start automatically. Box also plans to release APIs so IT can integrate Relay with existing third-party applications and automated processes. In addition, users will be able to e-sign documents directly in Box. Finally, a new dashboard will let users manage multiple workflows at the same time by showing every active workflow and what step it is on.   

“I like the way that all ties together,” said Will Sheppard, technical support specialist at The Enthusiast Network based in Los Angeles. “The whole workflow looks really nice.”

Other new features in Box Relay include the ability to invite other users to edit a document and assign them tasks with due dates within the document. There is also a new annotation tool that allows users to write a comment on a specific aspect of a document and tag other users to look at that exact area.

In addition, users no longer have to download previous versions of a document; they can preview them with a single click. Plus, when a user accesses a document, Box will highlight any changes that other users have made since the last time he was in it, and show which user made the edits. Finally, users can thread comments and mark them as resolved.   

Like Box Skills, Relay presents some enticing features for IT, but those at Barnhardt Manufacturing Company are unsure of how to apply Relay immediately.

“I don’t know how often we’d use it, but if we had it, it’d certainly be a nice feature for us,” Foltz said.

Enterprises weigh VMware Cloud on AWS, as vendors pivot cloud strategies

LAS VEGAS — The much anticipated VMware Cloud on AWS is finally available. For potential users, now comes the hard part.

The service that brings the leading private cloud provider’s environments to the leading public cloud provider’s platform has generated a lot of buzz, but the lack of details has kept many potential users on the fence. Important information about pricing and capabilities was disclosed Monday here at VMworld, and now VMware customers must decide if it’s worth it to make the leap.

“I don’t think the customer interest is fully baked,” said David Lucky, director of product management for Datapipe, a managed cloud services provider in Jersey City, N.J. that works closely with AWS and VMware. “But it’s getting a lot of attention from our customers.”

Part of the allure of this deal is the ability to put VMware environments next to AWS services such as DynamoDB and RDS. There are fast, private networks connecting the two services, but there are still functionality limitations.

“It’s separate really,” Lucky said. “It’s got its own portal; its own billing and pricing. You do link your AWS account into it and connect it, but I could see there’s a lot more opportunity to build on that.”

Pricing for the VMware-sold product is complex, and deviates in some important ways from the standard AWS model. Purchases are made on a per-host basis, and can be billed by the hour, or in reserved capacity on one- and three-year contracts.

The three-year contract costs $109,366 per host, which would save about 50% compared to the on-demand hourly billing rate, according to VMware. Another program can cut costs by up to 25% based on a customer’s on-premises VMware product licenses, as long as those on-premises products remain active.

There are separate charges for IP and data transfers, as the standard AWS egress fees still apply. Each host has 2 CPUs, 36 cores, 72 hyper-threads, 512 GiB RAM and local flash storage.

If a company goes with the three-year contract, the estimated total cost of ownership for VMware Cloud on AWS is up to $0.09 per VM per hour, according to VMware. That’s comparable to native cloud instance costs and up to $0.08 per VM per hour cheaper than a traditional on-premises setup.

Stay or go?

Whether the move is worth the cost will depend on an organization’s in-house environments — those that are less efficient or bloated are the best candidates, said Kyle Hilgendorf, a Gartner analyst.

Erik Anderson, a senior network engineer at a Midwest healthcare company, said his team works entirely on-premises, but is looking at the public cloud to localize workloads in other parts of the globe. Where those workloads will land will depend on cost and other factors, but those decisions won’t be made any time soon, he said.

“If it turns out the stuff that VMware and AWS is doing reduces operational expenses and administrative headaches, that would be the ideal choice,” Anderson said.

The service is built on bare metal, and VMware will carve out capacity within AWS data centers to then provide scalable infrastructure to its customers. It’s the first time bare metal has been sold on AWS and VMware’s SSD architecture is different from AWS’, but executives for both companies don’t foresee capacity issues beyond what users typically find when requesting resources on AWS.

For customers, adding VMware Cloud capacity as part of the service will be no different than any of the other instance types they sell, said AWS CEO Andy Jassy.

The service may even accelerate adoption among companies that already have a footprint in both environments, said Peter Scott, COO of DivvyCloud, a multicloud automation and management company in Arlington, Va., that is among the partner ecosystem for VMware Cloud on AWS.

IT shops, however, are wary of moving to the public cloud workloads that are built on a different operating model and aren’t easily or flexibly scalable, he said.

“You’re essentially taking a whole lot of legacy workloads and sticking them in public cloud, which is ephemeral and by its very definition is very different,” Scott said. “If you’re going to take this stuff and put it in the public cloud that runs 24/7, 365 days a year, you’d be better off back in your data center.”

There are limitations to the new capabilities. Customers can bring applications back and forth, but they will still have to pay the standard AWS egress fees. Amazon doesn’t charge customers to bring data into the cloud, but the cost to pull data out is prohibitive for most users, and is a main reason the public cloud is criticized for workload lock in. Also, the VMware Cloud on AWS service is currently limited to the AWS U.S. West (Oregon) region, and won’t be available in other regions until 2018.

About-face, march

AWS and VMware executives said this is just the first step in the partnership, and though they didn’t provide specifics about future services, they listed tighter integration and migration assistance as items to improve.

“I definitely sense Amazon sees a lot of opportunity and investing more of their time going forward,” Datapipe’s Lucky said.

AWS and VMware executives went out of their way to characterize the partnership as more than just marketing, and observers say the product is surprisingly mature, despite the early limitations and the lengthy wait to bring it to market.

And though the deal has been publicly discussed for nine months, the actual product release culminates a shifted cloud strategy for both companies. AWS was once borderline dismissive about the future of hybrid cloud, and VMware initially sought to build its own public cloud to usurp AWS and keep everything within its own ecosystem. Officials for both companies, however, effusively praised each other and cited huge potential to extend these capabilities to thousands of customers in the years ahead.

And now that some of the critical information about the service is public, particularly the pricing, customers will ultimately decide if adoption will meet the hype.

“Without knowing the price, how attractive it is is relative, and we got a lot of questions about that,” Lucky said. “Now at least it’s out there so the conversation can move past that.”

Juniper adding microsegmentation to Contrail cloud

Juniper Networks Inc. has added tools for network microsegmentation in Contrail — an important feature for users of the software-defined networking controller, but a capability that’s unlikely to reverse Juniper’s decline in security revenues.

Juniper introduced the capability this week, along with other security features the company labeled as Juniper Contrail Security. In general, Juniper is focusing its latest stab at strengthening its security portfolio on companies with multiple data center environments in a Contrail cloud.

Microsegmentation tools, which have become a popular way to contain malware in the data center, allow corporate IT staff to build a zero-trust security zone around a set of resources, such as network segments and workloads. In network virtualization within SDN, microsegmentation adds firewall capabilities to east-west traffic.

VMware and Cisco have had microsegmentation capabilities in their SDN products, NSX and Application Centric Infrastructure (ACI), respectively, for several years. NSX has outpaced ACI deployments in the data center, primarily because microsegmentation has become its leading use case for protecting applications that run on top of VMware’s ubiquitous server virtualization products.

Contrail cloud use case

Companies use Juniper Contrail and vRouter — the vendor’s virtualized router software — to create a network overlay that extends across cloud-based environments in multiple data centers. The core users of Contrail and Juniper switches include cloud companies that provide infrastructure, platform or software as a service. Others include large financial institutions.

With the latest release, companies can use the Contrail cloud console to carve up their data center LAN and intradata-center WAN, and then create and distribute policies that establish restrictions on communications between network microsegments. Also, Juniper is providing tools that give companies the option of using third-party firewalls for policy enforcement.

The capability is available for cloud environments using bare-metal servers, Linux containers built and managed through the Kubernetes system, and OpenStack — the modular architecture for creating and managing large groups of virtual private servers. Kubernetes and OpenStack are open source technologies.

Juniper has contributed Contrail’s source code to the open source community through an initiative called OpenContrail. Contrail is a Juniper-supported binary version of OpenContrail, which is available under the Apache 2.0 license.

Juniper has contributed the source code of its latest security features to the OpenContrail community, said Pratik Roychowdhury, the product manager for Contrail. The site GitHub is the online repository for OpenContrail.

“Everything that I’m talking about in Contrail Security is out there [on GitHub],” Roychowdhury said. “Anyone can essentially go and take a look at the source code.”

Other Contrail cloud security features

Besides microsegmentation, Juniper has added other features to the Contrail console. They include a visual depiction of interactions between applications in hybrid cloud environments and analytics that detect anomalies and suggest corrective actions.

The latest features are useful to companies using Juniper switches or its SRX firewalls running alongside other vendors’ switches, said Lee Doyle, an analyst at Doyle Research and a TechTarget contributor. Either scenario would be helpful to Contrail adoption.

“Contrail is one of many SDN controllers that has struggled to break through [a competitive market],” Doyle said. “It’s not contributing a huge amount of revenue.”

What is contributing a growing share of Juniper’s revenue is switching. In the quarter ended June 30, revenue grew nearly 32% year over year to $276 million. However, the company’s overall market share is small at 3.4%, according to stock research firm Trefis.

Security, on the other hand, remains a weak spot in Juniper’s portfolio. Revenue has fallen from $670 million in 2012 to $318 million last year, according to Trefis. In the June quarter, revenue fell 12% to $68.7 million.

“Quite frankly, the focus right now on security has been on achieving stability and returning to growth,” Juniper CEO Rami Rahim said in an online transcript of the July earnings call with financial analysts. The transcript is available on the financial site Seeking Alpha.

Azure Monitor now available in Azure Government

Getting ahead of issues before they impact end users is a key goal of any IT organization. One important tool in this process is the use of monitoring and analytics services, which help ensure that you get up-to-date information on the overall health of your cloud environment. We are happy to announce that we have expanded the portfolio of management services with the general availability of Azure Monitor in Azure Government.

With Azure Monitor, you can now consume monitoring metrics and logs within the portal and via APIs in near real-time and gain more visibility into the state and performance of your resources. Azure Monitor provides you the ability to configure alert rules to get notified or to take automated actions on issues impacting your resources. Azure Monitor enables analytics, troubleshooting, and a unified dashboarding experience within the portal, in addition to enabling a wide range of product integrations via APIs and data export options. All of this has now been enabled for Azure Government.


With this release, we are also providing new alerting and notification options including custom email and webhooks. This allows you to enable notification on specific Azure services and receive service health notifications. 

Azure Monitor is not just useful for the administration of your Azure resources. The centralized logging and alerting helps achieve compliance with many NIST SP 800-53 security controls that support CJIS, FedRAMP, and the DoD compliance requirements. The data from Azure Monitor can be queried, archived, or analyzed to provide an audit trail and meet key monitoring controls.

Learn more about Azure Monitor by visiting the documentation page. For a detailed list of Azure Monitor features available in the different Azure Government datacenter regions, visit the Azure Government Monitoring + Management page.

Hijacked Chrome extensions infect millions of users

New research shows millions of Google Chrome users have been hit with malware through eight hijacked Chrome extensions.

According to threat protection vendor Proofpoint, the eight compromised Chrome browser extensions include two that were hijacked earlier this month — Copyfish and Web Developer. According to the Proofpoint researcher known as Kafeine, the other six compromised extensions are Chrometana, Infinity New Tab, Web Paint, Social Fixer, TouchVPN and Betternet VPN. From downloads of all eight hijacked Chrome extensions, nearly 4.8 million users received malicious code from the attackers.

“At the end of July and beginning of August, several Chrome Extensions were compromised after their author’s Google Account credentials were stolen via a phishing scheme,” Kafeine wrote in a blog post. “This resulted in hijacking of traffic and exposing users to potentially malicious popups and credential theft.”

Targeted users were shown a JavaScript alert that said their PC needed to be repaired and were then directed to pay for the false repairs, enabling the attackers to profit from this scheme.

According to Kafeine, the attackers “are leveraging compromised Chrome extensions to hijack traffic and substitute advertisements on victims’ browsers. Once they obtain developer credentials through emailed phishing campaigns, they can publish malicious versions of legitimate extensions.”

However, Kafeine also noted that, “in addition to hijacking traffic and driving users to questionable affiliate programs, we have also observed them gathering and exfiltrating Cloudflare credentials, providing the actors with new means of potential future attacks.”

There is no proof yet that all of the hijacked Chrome extensions were targeted by the same hacker or hacking group, though the compromises all happened in the same time frame.

Google has dealt with security issues surrounding Chrome browser extensions in the past. In 2015, the company implemented a policy that requires all Windows and Mac users and developers to install extensions only from the Chrome Web Store. This change was spurred by concerns about extensions that enabled the download of malware. The policy update also included a feature called Enhanced Item Validation, which runs additional checks on extensions before they are published in the Chrome Web Store.

In other news

  • DNS provider Cloudflare terminated the account of neo-Nazi website the Daily Stormer. In an official statement, the company’s co-founder and CEO Matthew Prince wrote: “Our terms of service reserve the right for us to terminate users of our network at our sole discretion. The tipping point for us making this decision was that the team behind Daily Stormer made the claim that we were secretly supporters of their ideology.” However, in a candid internal notice to Cloudflare employees, Prince said the decision was personal. “I woke up this morning in a bad mood and decided to kick them off the Internet,” he wrote. While the company has previously maintained content neutrality, Prince said Cloudflare still received requests to terminate its distributed denial-of-service (DDoS) attack protection services for the site. “The initial requests we received to terminate their service came from hackers who literally said: ‘Get out of the way so we can DDoS this site off the Internet,’” wrote Prince. In the official statement, he went on to acknowledge his decision is “dangerous,” but argued it likely won’t set a precedent. The Electronic Frontier Foundation (EFF), however, issued a statement that expressed concern over Cloudflare’s decision, arguing that “because Internet intermediaries, especially those with few competitors, control so much online speech, the consequences of their decisions have far-reaching impacts on speech around the world. And at EFF we see the consequences first hand: every time a company throws a vile neo-Nazi site off the Net, thousands of less visible decisions are made by companies with little oversight or transparency. Precedents being set now can shift the justice of those removals.” While the EFF is clear that it disagrees with the content on the Daily Stormer, the group said it defends “the right of anyone to choose what speech they provide online; platforms have a First Amendment right to decide what speech does and does not appear on their platforms.”
  • A Venafi survey found that 72% of security professionals don’t believe that encryption backdoors would make a nation safer from terrorists. Venafi surveyed over 290 attendees of the Black Hat USA conference in July and found that “the majority of industry professionals believe encryption backdoors are ineffective and potentially dangerous.” In a blog post, Venafi wrote that, “it is widely acknowledged that backdoors into encryption technology create vulnerabilities that can be exploited by a wide range of malicious actors, including hostile or abusive government agencies,” and despite the danger, many government officials advocate for encryption backdoors to “strengthen national security and hinder terrorism.” Respondents of the survey disagree — 91% of them said cybercriminals could take advantage of encryption backdoors that are government mandated. Another notable finding is that 81% of respondents said they believe that governments should not have the ability to force technology companies to give them access to encrypted user data.
  • VMware patched an important denial-of-service vulnerability in its NSX-V Edge products. The vulnerability, according to VMware’s advisory, is that the “VMware NSX-V implementation of the OSPF protocol doesn’t correctly handle the link-state advertisement (LSA). A rogue LSA may exploit this issue resulting in continuous sending of LSAs between two routers eventually going in loop or loss of connectivity.” VMware also noted that the vulnerability, classified as CVE-2017-4920, is tough to exploit because an attacker would need local access to the targeted system in order for an exploit to be possible. Security researchers Adi Sosnovich, Orna Grumberg and Gabi Nakibly first reported the vulnerability to VMware. Patches are now available for all affected products, which could be running on any platform.

LinkedIn is rolling out a free service to pair users with mentors

LinkedIn, the Microsoft-owned social network for the working world with over 500 million users, has put a lot of effort into new areas of business like content, education and bringing on new users in emerging markets; but today it’s embarking on the roll out of a new service that plays squarely into the bread and butter of its business: looking for work.

Today, the company is debuting a new service that identifies potential mentors and people who might be looking for mentorship in a specific area, and then helps match them to each other. The service (which started with a small test last month) is free and will be available first to users in San Francisco and Australia, Hari Srinivasan, Head of Identity Products at LinkedIn, tells me.

Initially, LinkedIn has tapped a hand-selected list of potential mentors, who will come up as a list, Tinder-style, to people who indicate that they are interested in getting some mentoring, so that a match might get made. Mentors are given options about who they would prefer to mentor, be it people in their first- and second-degree networks, in their region or their former school. Over time, Srinivasan said that the option to become a mentor will be open to everyone, which makes sense: we all could stand to learn something from everyone.

On the mentee side, after you indicate that you are interested in getting some advice or feedback on a particular topic, LinkedIn then gives you your own potential parameters to narrow down your search (again, initially these are whether you want people near you, or from your alma mater), or if you potentially want a list of potential mentors that is as wide as LinkedIn’s user base.

Once you match, you can then message each other, and either side can terminate the communication at any point.

LinkedIn is hoping to tap into what appears to be a gap in the market: career mentoring is a simple enough thing to have when you happen to have chanced upon someone in the same field as you are, either by working with that person or knowing him or her through other channels. It’s a lot harder if you haven’t found that person, or if you are thinking of something less linear, like a career change.

There are career coaching services — for example, the venture-backed startups BetterUp and Everwise — but these can be more formal and come at a price. Out of Office Hours, which was created out of a ‘give something back’ effort over a holiday period, currently focuses on tech careers in Silicon Valley. Notably, LinkedIn’s service (for now) is free, and has the potential to cover as many jobs as there are people registered on the platform.

There are some obvious benefits to LinkedIn with a launch of a service like this. It will give the company one more service to spur engagement on its platform, and this time the new engagement effort directly relates to how most people tend to use LinkedIn already.

It’s also a potential segue into using other services on LinkedIn, including additional training (via Lynda.com or LinkedIn Learning); job searches; and potentially paying for a more traditional career coach that you might just find through ProFinder, LinkedIn’s freelancer marketplace, where LinkedIn tells me career coaching is “one of the most sought after categories on the platform.”

That highlights what might be some of the benefits but also potential pitfalls of this new career matching service. It’s free; generally great that there could be people at the other end of a message who are willing to lend you a helping hand; and it is a cool use of LinkedIn’s network effect to offer a route for those who want to contribute some time to mentors to be able to do so. LinkedIn’s Srinivasan said that this idea wasn’t pulled out of thin air.

“We have done research and found that among the senior ranks of our user base, nine out of 10 people have said they want to give back,” he said. “Paying it forward is a powerful force. All of them received help on the way up and now want to find a way to give that help back to others.”

But on the other hand, there are potential snagging points here, too: how much help is too much to be asking of people who are offering their services for free; and how does LinkedIn make sure that it has enough mentors (or for that matter people wanting to reach out to mentors) across different fields? Will LinkedIn have to eventually introduce other elements to the platform to encourage more usage, like payments or credits for premium features? Keeping the service free and limited in its initial roll out as LinkedIn figures more answers out is one way of holding too many demands of it at bay.

Powered by WPeMatico

Continue on PC, Timeline features raise Windows 10 security concerns

New Windows 10 syncing features should be popular among users but could lead to IT security risks.

Microsoft’s upcoming Windows 10 Fall Creators Update will include the Continue on PC feature, which allows users to start web browsing on their Apple iPhones or Google Android smartphones and then continue where they left off on their PCs. A similar feature called Timeline, which will allow users to access some apps and documents across their smartphones and PCs, is also in the works. IT will have to pay close attention to both of these features, because linking PCs to other devices can threaten security.

“It does have the potential to be a real mess,” said Willem Bagchus, messaging and collaboration specialist at United Bank in Parkersburg, W.Va. “To pick up data on another device, you have to do it securely. This has to be properly protected.”

How Continue on PC works

Continue on PC syncs browser sessions through an app for iPhones and Android smartphones. Users must be logged into the same Microsoft account in the app and on their Windows 10 PC.

When on a webpage, smartphone users can select the Share option in the browser and choose Continue on PC, which syncs the browsing session through the app. The feature is currently available as part of a preview build leading up to the Windows 10 Fall Creators Update, and the iOS app is already available in the Apple App Store.


Microsoft did not say if the feature will allow users to continue a browsing session on their smartphone that started on their PC. Apple’s Continuity feature offers this capability, and the Google Chrome browser lets users share tabs and browsing history across multiple devices as well.  

Continue on PC could expose sensitive data when sharing web applications through synced devices, said Jack Gold, founder and principal analyst of J. Gold Associates, a mobile analyst firm in Northborough, Mass.

For example, if a user’s personal laptop is stolen that is synced to a corporate phone, the thief could access business web apps through a synced browsing session, exposing company data. If the feature is expanded to share browsing sessions from a PC to a smartphone, all it would take is someone to steal a user’s smartphone to have access to the web apps the employee used on their PC.

“It could be something to worry about if a user loses their phone,” Gold said. “I can’t lose that device because it can sync to my PC.”

To avoid this problem, IT could use enterprise mobility management (EMM) software to blacklist the Continue on PC app altogether, or simply prevent users from sharing the browser session through the app.   

Timeline shares security issues

Originally, Timeline was supposed to be part of the Windows 10 Fall Creators Update, but now it will come out in a preview build shortly afterward, Microsoft said.

Timeline suggests recent documents and apps a user accessed on a synced smartphone and allows them to pull some of them up on their PC, and vice versa. Microsoft hasn’t disclosed which apps the feature will support.

This feature could also cause a security problem if a user loses their PC or smartphone and it gets in the wrong hands. Timeline is basically a dashboard displaying every app, document and webpage the user was in across multiple devices, so someone could access documents, apps and web apps that contain work data on the stolen device.

“Security is needed across the board,” said Bagchus, whose company plans to move to Windows 10 next year. “It absolutely has to be managed.”

EMM software should also come into play when managing this feature, he said.

IT needs to force users to have passwords on all PCs and mobile devices to protect from these instances, said Jim Davies, IT director at Ongweoweh Corp., a pallet and packing management company in Ithaca, N.Y.

“This is something that will be used by a lot of people in a lot of companies,” Davies said. “People won’t need to email themselves a link because this makes it simpler. That being said, your password is that much more important now.”

Ongweoweh Corp. plans to migrate to Windows 10 in the first quarter of 2018.

It is likely that these Windows 10 syncing features won’t be limited to smartphones, and iPads and Android tablets could gain this ability in the future, Bagchus said.

“This feature … makes productivity easier,” Bagchus said. “This will be huge.” 


How can IT put PowerShell Integrated Scripting Environment to use?

PowerShell Integrated Scripting Environment is a tool that can benefit all levels of users, which is why many developers and administrators use it almost exclusively when working with PowerShell — often skipping the original console altogether.

With PowerShell ISE, which provides a graphical user interface (GUI) for writing and fixing PowerShell scripts, IT administrators and developers can write, edit and run PowerShell scripts and commands. It provides a more user-friendly way to work with the wide range of features available for creating and testing PowerShell code.

For example, PowerShell ISE includes IntelliSense for autocompleting commands and for matching cmdlets, variables, parameters and other language elements. The GUI also provides quick access to a variety of snippets that make it easier to construct command logic, such as looping structures. In addition, admins get multiple execution environments, selective code execution and the ability to run commands from either the PowerShell script or the console pane.

What else can PowerShell ISE do?

PowerShell script development

PowerShell Integrated Scripting Environment provides many other features to support PowerShell script development, such as drag-and-drop editing, tab completion, block selection, syntax coloring, keyboard shortcuts and Unicode support. Plus, admins can open PowerShell script files by dragging them from Windows Explorer to the PowerShell ISE GUI. They can even extend the PowerShell Integrated Scripting Environment object model to customize the deployment and add functionality.

Troubleshooting

Admins can also use PowerShell Integrated Scripting Environment to troubleshoot and debug PowerShell scripts. Although this goes hand in hand with script development, sometimes admins must fix an existing script and want to use PowerShell ISE’s debugging capabilities. Not only do they get features such as selective execution and multiple execution environments, but they can also set up breakpoints, step through code, check variable values and display call stacks. In addition, PowerShell Integrated Scripting Environment displays parsing errors as admins type.


Running complicated commands

Admins might also use PowerShell Integrated Scripting Environment when they want to run complex ad hoc commands and prefer to avoid the inherent clunkiness of the PowerShell console. With PowerShell ISE, they can type all their code in the script pane and then, when they’re ready, run part or all of the code. This also makes it easier to tweak the script if admins need to run it multiple times, incorporating slight modifications with each execution.

Learning

PowerShell Integrated Scripting Environment is also useful as a learning tool. Someone new to PowerShell can benefit a great deal from built-in features, such as IntelliSense, snippet access and parse error displays.
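As an added example that is not part of the article, the script below exercises two of the capabilities described above from inside PowerShell ISE: it extends the $psISE object model with an Add-ons menu entry that parses the current file and lists syntax errors, and it sets a line breakpoint and a variable breakpoint on a constructed demo script so the debugger can be stepped through. It assumes it is run in PowerShell ISE (Windows PowerShell 3.0 or later); the menu label, shortcut and demo file path are arbitrary choices.

```powershell
if (-not $psISE) { throw 'Run this inside PowerShell ISE; $psISE exists only there.' }

# 1. Extend the object model: an Add-ons menu entry (Ctrl+Alt+K) that parses
#    the current file and lists syntax errors without executing anything.
$checkSyntax = {
    $file   = $psISE.CurrentFile
    $tokens = $null; $errors = $null
    [System.Management.Automation.Language.Parser]::ParseInput(
        $file.Editor.Text, [ref]$tokens, [ref]$errors) | Out-Null
    if ($errors.Count -eq 0) {
        Write-Host "No parse errors in $($file.DisplayName)"
        return
    }
    foreach ($e in $errors) {
        Write-Host ('Line {0}, col {1}: {2}' -f
            $e.Extent.StartLineNumber, $e.Extent.StartColumnNumber, $e.Message)
    }
}
$menu = $psISE.CurrentPowerShellTab.AddOnsMenu
$menu.Submenus.Add('Check syntax of current file', $checkSyntax, 'Ctrl+Alt+K') | Out-Null

# 2. Debugging: write a constructed demo script, set a line breakpoint and a
#    variable breakpoint on it, then open it in the editor. Press F5 to run it,
#    F10/F11 to step, and type $total or Get-PSCallStack in the console pane.
$demoPath = Join-Path $env:TEMP 'ise-debug-demo.ps1'
@'
$total = 0
foreach ($n in 1..5) {
    $total += $n           # line 3: the line breakpoint stops here each iteration
}
"Total: $total"
'@ | Set-Content -Path $demoPath

Set-PSBreakpoint -Script $demoPath -Line 3 | Out-Null
Set-PSBreakpoint -Script $demoPath -Variable total -Mode Write | Out-Null
$psISE.CurrentPowerShellTab.Files.Add($demoPath) | Out-Null
Get-PSBreakpoint -Script $demoPath | Format-Table Id, Line, Variable, Script -AutoSize
```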


Stop an Outlook certificate error before serious trouble erupts

torrent of help desk tickets. It starts when the users open Outlook and get a message about a certificate error instead of their inbox. In most cases, users can click through the message and get on with their day, but there are more serious certificate errors that can cause trouble with the out of office assistant and free/busy information.

There are several problems that can cause Outlook to display a certificate error, but the three most common causes are:

Uncover invalid certificate names

An invalid certificate name error can occur if the subject name or SAN does not match the URL that Exchange uses. Most often, this issue happens either if there is a certificate misconfiguration or if there is a setup problem with the domain name system record for the Exchange Autodiscover service.

Outlook has a two-step process to locate the Autodiscover service for an organization’s Exchange Server deployment. First, it looks for the Autodiscover URL within the service connection point. Then, Outlook seeks a Host (A) record that matches the URL specified by the service connection point object.

This process will fail if the user does not use an internal connection. In that case, Outlook looks for an A record that matches the user’s Simple Mail Transfer Protocol (SMTP) domain. If that doesn’t work, Outlook will attach Autodiscover to the user’s SMTP domain name — Autodiscover..com — and then try to locate a matching A record.

If Outlook still can’t find a suitable A record, then it will use a service record (SRV) to locate the Autodiscover service. Outlook may locate the Autodiscover service through either an A record or an SRV. Check these records for proper configuration. There are a few ways to do this, but it is usually best to open a command prompt on the machine that runs the Outlook client. Next, enter these commands:

CD\

CD\Windows\System32

Nslookup

Set type=A

Autodiscover..com

Set type=SRV

_Autodiscover._tcp..com

This sequence will display the name server being queried, the Autodiscover URL and the Autodiscover IP address.

Now, open the Exchange Management Shell and enter the following command:

Get-ExchangeCertificate | Select-Object *

This command lists the certificates on the server and displays the attributes for each certificate, such as the certificate’s friendly name, subject name, enhanced key usage and services. Administrators can use this information to determine which certificate the Autodiscover service uses and whether they need to reissue a certificate to correct a mismatch.

Figure A: The Get-ExchangeCertificate command lists certificate details on the Exchange Server.

Check for expired certificates

An Outlook certificate error can occur if a certificate has expired. Open the server’s certificate store and check the certificate’s expiration date. Certificates usually reside in the Certificates Console at Certificates>Personal>Certificates. Double-click on the certificate to view its expiration date (Figure B). If the certificate has expired, renew it.

Figure B: In the server’s certificate store, double-click on the certificate to check its expiration date.

Alternatively, admins can check for expired certificates with the following command in the Exchange Management Shell:

Get-ExchangeCertificate | Select-Object Subject, NotAfter

Figure C: The Get-ExchangeCertificate cmdlet displays certificate expiration dates.

Correct untrusted certificates

Another potential cause of an Outlook certificate error is that the PC that runs Outlook does not trust the certificate authority. This shouldn’t be an issue if the certificate came from a well-known, commercial certificate authority. However, some organizations use an in-house enterprise certificate authority.

Windows servers configured to act as an enterprise certificate authority usually include a built-in web server to issue certificate requests. This same web server also contains an option to download a Certificate Authority (CA) certificate (Figure D).

Figure D: Windows-based enterprise certificate authorities give the option to download a CA certificate.

Admins can import this CA certificate into the client computer’s Trusted Root Certification Authorities store (Figure E). This allows the computer to trust the certificate authority that issued the certificate.

Figure E: Import the CA certificate into the computer’s Trusted Root Certification Authorities store.

It takes quite a bit of work to correct an Outlook certificate error. In most cases, the error occurs because the certificate’s subject or subject alternative name (SAN) is incorrect. In these cases, replacing the certificate should fix the problem.
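As an added example that is not part of the article, the following PowerShell function runs the same three checks from a client machine for one SMTP domain: it resolves the Autodiscover A record (falling back to the SRV record, as Outlook does), performs a TLS handshake with the resulting host, and reports a subject/SAN mismatch, an expired certificate, or an untrusted chain. It is not Exchange's own tooling; the function name and the 'example.com' domain are placeholders, and it assumes Windows PowerShell 5.1 or later with the DnsClient module (Resolve-DnsName).

```powershell
function Test-AutodiscoverCertificate {
    param([Parameter(Mandatory)][string]$Domain)

    # Step 1: A record for autodiscover.<domain>; if absent, fall back to
    # the _autodiscover._tcp SRV record, mirroring Outlook's lookup order.
    $targetHost = "autodiscover.$Domain"; $port = 443
    $a = Resolve-DnsName -Name $targetHost -Type A -ErrorAction SilentlyContinue |
         Where-Object { $_.Type -eq 'A' }
    if (-not $a) {
        $srv = Resolve-DnsName -Name "_autodiscover._tcp.$Domain" -Type SRV -ErrorAction SilentlyContinue |
               Where-Object { $_.Type -eq 'SRV' } | Sort-Object Priority | Select-Object -First 1
        if (-not $srv) { return [pscustomobject]@{ Host = $targetHost; Problem = 'no A or SRV record' } }
        $targetHost = $srv.NameTarget; $port = [int]$srv.Port
    }

    # Step 2: TLS handshake with validation disabled, so a bad certificate is
    # still captured for inspection instead of aborting the check.
    $tcp = New-Object System.Net.Sockets.TcpClient($targetHost, $port)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
    try {
        $ssl.AuthenticateAsClient($targetHost)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $ssl.Dispose(); $tcp.Dispose() }

    # Step 3: the three causes from the article. DnsNameList is PowerShell's
    # view of the subject CN plus the SAN DNS entries; a wildcard covers one label.
    $names = @($cert.DnsNameList.Unicode)
    $nameOk = $names | Where-Object {
        $_ -eq $targetHost -or
        ($_.StartsWith('*.') -and $targetHost -match ('^[^.]+' + [regex]::Escape($_.Substring(1)) + '$'))
    }
    $expired = $cert.NotAfter -lt (Get-Date)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $trusted = $chain.Build($cert)   # $false when the issuing CA is not trusted locally

    $problems = @()
    if (-not $nameOk) { $problems += "name mismatch: certificate covers $($names -join ', ')" }
    if ($expired)      { $problems += "expired on $($cert.NotAfter)" }
    if (-not $trusted) { $problems += "untrusted chain: $($chain.ChainStatus.StatusInformation -join '; ')" }
    $summary = if ($problems) { $problems -join '; ' } else { 'none' }

    [pscustomobject]@{
        Host    = "${targetHost}:$port"
        Subject = $cert.Subject
        Expires = $cert.NotAfter
        Problem = $summary
    }
}

# Usage: 'example.com' is a placeholder for the user's SMTP domain.
Test-AutodiscoverCertificate -Domain 'example.com' | Format-List
```

Run it on the client that shows the error: a name mismatch points back to the subject/SAN fix, an expiry to renewal, and an untrusted chain to importing the CA certificate into the Trusted Root store.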
