Tag Archives: concept

Clariba partners with SAP clients for intelligent enterprise

At its recent user conference, SAP made a case for its vision of the intelligent enterprise, but the concept still lacks clarity for many customers.

SAP defines the intelligent enterprise as a digital transformation, or the digitizing of existing processes and business models to enable the new processes and systems. The overhaul emphasizes analytics, data-driven decision-making and cloud-based technologies, and it enables companies to develop business models that monetize data in new ways.

For companies to undertake such a transformation, SAP will need help from its partners, said Marc Haberland, founder and managing director at Clariba, an SAP partner. Clariba has engaged in its own digital transformation and now develops applications and methods for SAP customers to do the same.

Clariba, based in Barcelona and Dubai, is a 20-year-old firm that started out as a consultancy for BusinessObjects, business intelligence platform technology that SAP acquired in 2007. In addition, Clariba is focused on SAP’s vision of an intelligent enterprise and is developing data-driven intelligent enterprise applications, including one currently being used by the Italian National Football Federation.

In this Q&A, Haberland discusses how and why SAP customers need to move to the intelligent enterprise.

Why did Clariba begin to undergo its digital transformation?

Marc Haberland: We found about four years ago, when we were developing our solutions with customers, that the customers wanted more. They wanted not only the bread-and-butter analytics and executive dashboards with self-service capabilities, but they also wanted to interact with these dashboards. They wanted the ability to write back into the database and potentially trigger a process in a transactional system, such as creating a ticket in Microsoft Dynamics or an SAP back-end ERP system based on the data they have inside the dashboard.

What was a use case for this approach?

Haberland: The most pronounced project was one we had for the Aspire Academy in Qatar [a youth football and sports academy] after Qatar won the 2022 FIFA World Cup. We won the project to build a repository for data from different data sources on the football pitch — technical, tactical, testing performance — all the data that you would generate in the course of training for football games that then provides data back into one system.

How did this transform into an intelligent enterprise project?

Haberland: At first, this was a traditional project. It was an on-premises SAP HANA enterprise data integrator with SAP BusinessObjects. We built a data repository in SAP HANA, which is what it was meant to do, but we began to push the limits of BusinessObjects. So, we had to get SAP engineers involved to look at the technology that SAP uses to see if the engineers could improve the routines to make the dashboard faster. On the back of that, we won a project for the Italian National Football Federation. The idea was the same for them, but it was a bigger end-to-end solution. We decided we can’t go the traditional route and we have to go cloud with SAP Cloud Platform, leveraging HANA, and we’d build our own mobile application and not use BusinessObjects technology.

The Clariba Act-In Football analysis application provides a variety of data about player performance.

How does the application work?

Haberland: We really jumped into SAP Cloud Platform when we started this project. It’s a massive project, with 12 integrated data sources from the GPS sensors that players wear during the training to the master data to the external data sources that feed data from the matches. The data sources are fed into one centralized sports performance repository, upon which sits an application that provides coaches, players, medical staff and nutritional staff — a 360-degree view of their players. The performance and match analysis data are combined with subjective information about how the players are feeling, so it’s really about combining sensor data with master data with subjective experience data.

Does this typify the new landscape for SAP technology?

Haberland: It’s really a shift to building applications that not only visualize data for better decision-making, but actually create solutions where data is entered and decisions are recorded back into the system, which is what data-driven digital transformation is all about. To help companies become intelligent enterprises, you have to co-innovate with them to digitize their processes. Data is always front and center for that.

Are there tools that you use to help the intelligent enterprise development?

Haberland: The reality now — especially with COVID — is that customers need to build new business processes, they need to be agile, we need to be able to innovate together with customers and come up with solutions relatively fast. We’ve created building blocks that we call Act-In frameworks of what customers require to build mobile applications and digitize processes. For example, one of these frameworks is active connectors that provide the ability to connect to back-end systems, like S/4HANA, SAP SuccessFactors or the GPS systems. There are also mobile frameworks because consumers are used to using mobile devices and that expectation is now there in the business world. Every application today needs to have a single sign-on, it needs to have a menu structure, it might need to be multilingual, it will have some kind of forms, it will have potentially charts and graphs. So, there will be different components, and we basically are packaging that in what we call the Act-In mobile framework.

Why is this flexibility important for SAP and its partners and customers?

Haberland: In this journey, the football application is a good story, but underlying this is a very important shift, especially for SAP. As everything moves to the cloud, as SAP is selling more in the cloud, they need to innovate with partners, and those partners need to have the ability to rapidly engage with customers, to innovate with customers, and then to build those solutions on SAP Cloud Platform. Ultimately, it’s very clear the money is in the intellectual property and in having recurring revenue streams from cloud-based or cloud-enabled applications. The reality is that if you go to any customer, and they want to digitize a process, build a new capability, or build a new business model, they don’t have the answers yet. It hasn’t been done before, so you need to co-create together with these customers. Also, the innovation on top of the SAP Cloud Platform — that’s what SAP is looking to do, which enables its partners to create IP and rapidly bring out data-driven applications.

Empowering employees with disabilities – Microsoft Accessibility Blog

We Are All Advocates

There is a simple concept in the world of accessibility and disability inclusion: ‘if you don’t know, ask’. If you don’t know what resources are available in your workplace, raise the question. If you are unsure of what responsibilities your organization has to help empower employees with disabilities, seek out the information. The more we ask questions and have a willingness to learn and grow, the better off we will all be.

Microsoft President Brad Smith recently spoke at the National Federation of the Blind 2019 National Convention about why we can’t just focus on technology, we need to put people first. He underscored that we need to look beyond the products and features that everyone uses today and fundamentally ask ourselves, “How can we imagine new technology that can fundamentally improve people’s lives in ways they haven’t yet experienced?” Over the summer, Microsoft Chief Marketing Officer Chris Capossela attended the Disability:IN Annual Conference and Expo and represented Microsoft, where he accepted the Marketplace Innovator of the Year Award on behalf of the company. Reflecting on his experience at the conference, he noted that, “including people with disabilities in our organizations pays off in multiple ways. At Microsoft, inclusion is at the core of our mission.” 

This gets to the heart of what we do every day at Microsoft and how we can empower people with disabilities around the world. We are all on a journey together. Building partnerships, listening, asking, and learning can net results for your organization. We don’t have all the answers, but if we work together, we can create positive change for everyone.  

I also think it is incredibly important to try new things and ask ourselves, “what more can we do to empower our employees and the broader disability community?” For example, we have been working with BraunAbility, a leading manufacturer of wheelchair accessible vehicles and other mobility transportation solutions, to test a new 3-D graphic for ADA Parking spaces at the Living Well Health Center on our Redmond Campus. Our goal is to help drivers and passengers get in and out of their vehicle safely and to help deter misuse of the accessible spaces and access aisles. This is part of BraunAbility’s Drive for Inclusion initiative and we are getting great feedback from employees. Creating an inclusive culture is so much more than just adhering to laws (which is important!), but really focusing on everything we can do to build an environment where everyone can thrive. 

Tune in throughout the month as we share more stories, demos, and ways to get involved in the movement.  

Author: Microsoft News Center

RAMpage attack unlikely to pose real-world risk says expert

A group of researchers developed a proof of concept for a variant of the Rowhammer exploit against Android devices and proved that Google’s protections aren’t enough, but one expert said the RAMpage attack is unlikely to pose a real-world threat.

A team of researchers from Vrije Universiteit Amsterdam, the University of California at Santa Barbara, Amrita University of Coimbatore, India and EURECOM — including many of the researchers behind the Drammer PoC attack upon which RAMpage was built — created both the RAMpage attack against ARM-based Android devices and a practical mitigation, called GuardION.

According to the researchers, the most likely method for attacking a Rowhammer vulnerability on a mobile device is through a direct memory access (DMA) based attack.

As such, they developed the RAMpage attack, “a set of DMA-based Rowhammer attacks against the latest Android OS, consisting of (1) a root exploit, and (2) a series of app-to-app exploit scenarios that bypass all defenses,” researchers wrote in their research paper. “To mitigate Rowhammer exploitation on ARM, we propose GuardION, a lightweight defense that prevents DMA-based attacks — the main attack vector on mobile devices — by isolating DMA buffers with guard rows.”

The researchers said a successful RAMpage attack could allow a malicious app to gain unauthorized access to the device and read secret data from other apps, potentially including “passwords stored in a password manager or browser, personal photos, emails, instant messages and even business-critical documents.” However, lead researcher Victor van der Veen was careful to note it is unclear how many devices are at risk because of differences in software.

“With RAMpage, we show that the software defenses that were deployed to stop Drammer attacks are not sufficient. This means that the only remaining requirement is having buggy hardware. Since we have seen bit flips on devices with LPDDR2, LPDDR3, and LPDDR4 memory, we state that all these devices may be affected, although it is uncertain how many,” van der Veen wrote via email. “Local access is required. This means that the attacker must find a way to run code (e.g., an app) on the victim’s device. A second requirement is that the device needs to be vulnerable for the Rowhammer bug: it is unclear what percentage of devices expose this issue.”

In a statement, Google downplayed the dangers of the RAMpage attack: “We have worked closely with the team from Vrije Universiteit and though this vulnerability isn’t a practical concern for the overwhelming majority of users, we appreciate any effort to protect them and advance the field of security research. While we recognize the theoretical proof of concept from the researchers, we are not aware of any exploit against Android devices.”

Google also asserted that newer devices include protections against Rowhammer attacks and “the researcher proof of concept for this issue does not work on any currently supported Google Android devices,” though Google did not specify what qualified as a “currently supported Google Android device.” 

Liviu Arsene, senior e-threat researcher at Romania-based antimalware firm Bitdefender, said this could mean “that ‘currently supported devices’ refers to Android builds to which Google still issues security patches, which means that Android Marshmallow (6.0.) and above may not be susceptible” to the RAMpage attack. According to Google’s latest platform numbers, more than 62% of Android devices in the wild are above this threshold.

However, van der Veen thought Google might be referring to its own handsets.

“I believe they hint at the devices that fall under their Android Reward program, which is basically the Pixel and Pixel 2. We did manage to flip bits on a Pixel, and I think that it is likely that there are Pixel phones out there on which the attack will work,” van der Veen wrote. “I don’t see criminals exploiting the Rowhammer bug in a large-scale fashion. It is more likely to be used in a targeted attack. I do think that Google can do a bit more though.”

Arsene agreed that the RAMpage attack does appear “very difficult and unlikely to happen on a mass scale.”

“Attackers would have to know in advance the type of device the target owns, because some manufacturers and OS builds implement different row sizes (e.g. 32KB, 64KB, 128KB), making the attack significantly more complex and less reliable,” Arsene wrote via email. “Google may be right in saying the attack should not be of concern to average users, but it could be used in highly targeted attacks that involve stealthily compromising the device of a high priority individual. For mass exploitation of Android devices there are likely other, less sophisticated methods, for compromise. Attackers will often go for the path of least resistance that involves maximum efficiency and minimum effort to develop and deploy.”

GuardION defense

Despite the relatively low likelihood of the RAMpage attack being used in the wild, researchers developed a mitigation based on protecting Google’s ION DMA buffer management APIs, which were originally added to Android 4.0.

“The main reason for which defenses fail in practice is because they aim to protect all sensitive information by making sure that they are not affected by Rowhammer bit flips. Hence, they are either impractical or they miss cases,” the researchers wrote in their paper. “Instead of trying to protect all physical memory, we focus on limiting the capabilities of an attacker’s uncached allocations. This enforces a strict containment policy in which bit flips that are triggered by reading from uncached memory cannot occur outside the boundaries of that DMA buffer. In effect, this design defends against Rowhammer by eradicating the ability of the attacker to inject bit flips in sensitive data.”

“I think the main message should be that Rowhammer-based exploits are still possible, despite Google’s efforts.”
Victor van der Veen, PhD candidate in the VUSec group at Vrije Universiteit Amsterdam

Van der Veen added via email, “I think the main message should be that Rowhammer-based exploits are still possible, despite Google’s efforts. I think there is also (scientific) value in our breakdown of other proposed mitigation techniques and how they apply to mobile devices, plus our proposed defense, GuardION.”

GuardION may not be real-world ready either though. The researchers noted that Google said the mitigation technique resulted in too much “performance overhead” in apps, but they continue to work with the Android security team “to figure out what a real-world benchmark looks like so that we can hopefully improve our implementation.”

Arsene said “the existence of security research that exploits hardware vulnerabilities does not necessarily mean that users will be more at risk than before.”

“Some of it is purely academic and the practical applications of weaponizing this type of research may never become a reality for the masses,” Arsene wrote. “However, users should realize that unpatched, outdated, and unsupported devices and operating systems will always involve significant security risks to their privacy and data.”

Under the sea, Microsoft tests a datacenter that’s quick to deploy, could provide internet connectivity for years | Stories

Datacenter and submarine synergy

Phase 1 of Project Natick showed the underwater datacenter concept is feasible; Phase 2 is focused on researching whether the concept is logistically, environmentally and economically practical.

At the outset of Phase 2, the Microsoft team knew that scalable manufacture of submarine-like datacenters would require outside expertise. That’s why Microsoft chose to work with Naval Group, a 400-year old France-based company with global expertise in engineering, manufacturing and maintaining military-grade ships and submarines as well as marine energy technologies.

The Microsoft team presented Naval Group with general specifications for the underwater datacenter and let the company take the lead on the design and manufacture of the vessel deployed in Scotland.

“At the first look, we thought there is a big gap between datacenters and submarines, but in fact they have a lot of synergies,” said Eric Papin, senior vice president, chief technical officer and director of innovation for Naval Group.

Submarines, he noted, are essentially big pressure vessels that house complex data management and processing infrastructure for ship management and other systems integrated according to stringent requirements on electricity, volume, weight, thermal balance and cooling.

Engineers slide racks of Microsoft servers and associated cooling system infrastructure into Project Natick’s Northern Isles datacenter at a Naval Group facility in Brest, France. The datacenter has about the same dimensions as a 40-foot long ISO shipping container seen on ships, trains and trucks. Photo by Frank

Submarine technology

In fact, Naval Group adapted a heat-exchange process commonly used for cooling submarines to the underwater datacenter. The system pipes seawater directly through the radiators on the back of each of the 12 server racks and back out into the ocean. Findings from phase 1 of Project Natick indicate water from the datacenter rapidly mixes and dissipates in the surrounding currents.

Spencer Fowers, a senior member of technical staff for Microsoft’s special projects research group, said one key design specification was for the vessel itself to have roughly the dimensions of a standard cargo container used to move supplies on ships, trains and trucks to optimize the existing logistics supply chain.

Once the datacenter was bolted shut and all systems checked out in France, the team loaded the datacenter onto the back of an 18-wheel truck and drove it to the Orkney Islands, ferry crossings included. In Scotland, the vessel was secured to the ballast-filled triangular base and towed out to sea for deployment from the gantry barge

“Like any new car, we will kick the tires and run the engine in different speeds to make sure everything works well,” Fowers said. “Then, once we are completely ready to go, we will grab one or two of our clients and hand them over the keys and let them start deploying jobs onto our system.”

Spencer Fowers, senior member of technical staff for Microsoft’s special projects research group, prepares Project Natick’s Northern Isles datacenter for deployment off the coast of the Orkney Islands in Scotland. The datacenter is secured to a ballast-filled triangular base that rests on the seafloor. Photo by Scott Eklund/Red Box Pictures

AVGater abuses antivirus software for local system takeover

Security researchers described a proof of concept exploit that affects multiple antivirus products and can lead to a full system takeover.

Florian Bogner, a security researcher based in Vienna, Austria, disclosed the issue and named it AVGater because, as Bogner wrote in his blog post, “every new vulnerability needs its own name and logo.”

Bogner said AVGater works by “manipulating the restore process from the virus quarantine.”

“By abusing NTFS directory junctions, the AV quarantine restore process can be manipulated, so that previously quarantined files can be written to arbitrary file system locations,” Bogner wrote in his blog post. “By restoring the previously quarantined file, the SYSTEM permissions of the AV Windows user mode service are misused, and the malicious library is placed in a folder where the currently signed in user is unable to write to under normal conditions.”
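One way a restore routine can refuse the redirected write described above, shown as an added example that is not taken from Bogner's post or from any vendor's product. The names `safe_restore`, `first_redirect` and `base` are hypothetical, and in the constructed demo a POSIX symlink stands in for an NTFS directory junction.

```python
import os
import shutil
import stat
import tempfile


def is_reparse_point(path):
    """True if path itself is a symlink (POSIX) or a reparse point such as a junction (Windows)."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return True
    attrs = getattr(st, "st_file_attributes", 0)  # only populated on Windows
    return bool(attrs & stat.FILE_ATTRIBUTE_REPARSE_POINT)


def first_redirect(target_dir, base):
    """Walk from base down to target_dir; return the first component that is a link or junction."""
    base = os.path.abspath(base)
    target_dir = os.path.abspath(target_dir)
    if os.path.commonpath([base, target_dir]) != base:
        raise ValueError("target is outside the checked base directory")
    rel = os.path.relpath(target_dir, base)
    cur = base
    for part in ([] if rel == "." else rel.split(os.sep)):
        cur = os.path.join(cur, part)
        if os.path.lexists(cur) and is_reparse_point(cur):
            return cur
    return None


def safe_restore(quarantined, original_path, base):
    """Copy a quarantined file back only if no directory on the way is a link or junction.

    This shows the path validation only: a window remains between the check
    and the write, so it does not replace restricting who may restore files.
    """
    hit = first_redirect(os.path.dirname(original_path), base)
    if hit is not None:
        raise PermissionError(f"refusing restore: {hit} is a link or junction")
    shutil.copyfile(quarantined, original_path)
    return original_path


def demo():
    """Constructed scenario: restore once normally, then after the folder became a link."""
    base = os.path.realpath(tempfile.mkdtemp())
    docs = os.path.join(base, "user", "docs")    # folder the file was quarantined from
    protected = os.path.join(base, "protected")  # stand-in for a folder the user cannot write to
    os.makedirs(docs)
    os.makedirs(protected)
    quarantined = os.path.join(base, "quarantine.bin")
    with open(quarantined, "wb") as fh:
        fh.write(b"constructed sample content")
    target = os.path.join(docs, "sample.dll")

    safe_restore(quarantined, target, base)
    restored_ok = os.path.isfile(target)

    # The original folder is replaced by a link that points at the protected folder.
    shutil.rmtree(docs)
    os.symlink(protected, docs, target_is_directory=True)
    try:
        safe_restore(quarantined, target, base)
        blocked = False
    except PermissionError:
        blocked = True
    written_to_protected = os.listdir(protected)
    shutil.rmtree(base)
    return restored_ok, blocked, written_to_protected


if __name__ == "__main__":
    print(demo())
```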

According to Bogner, he disclosed the AVGater vulnerability to Trend Micro, Emsisoft, Kaspersky Lab, Malwarebytes, Check Point and Ikarus Security Software, and all of those vendors have released patches for affected products.

Bogner did not specifically mention Symantec or McAfee in his post and neither company responded to questions at the time of this article.

Bogner suggested that keeping software up-to-date is a good way to mitigate the risk of AVGater, but also noted there are limitations to the exploit.

“As AVGater can only be exploited if the user is allowed to restore previously quarantined files, I recommend everyone within a corporate environment to block normal users from restoring identified threats,” Bogner wrote. “This is wise in any way.”

“Hackers are relentless and will inevitably find clever ways to bypass perimeter security.”
Satya Gupta, founder and CTO at Virsec

Satya Gupta, founder and CTO at Virsec Systems, an application threat software company based in San Jose, Calif., said AVGater is yet another way an attacker could manipulate “legitimate processes to launch malicious code or scripts.”

“It’s also another nail in the coffin for conventional signature-based antivirus solutions. We’ve known for a while that fileless and memory-based exploits fly under the radar of most AV systems, but now hackers can use AV tools to essentially disable themselves,” Gupta told SearchSecurity. “Hackers are relentless and will inevitably find clever ways to bypass perimeter security. The battle has to move to protecting the integrity of applications for process and memory exploits.”