Tag Archives: feature

What we can learn from the current school closures about how to support remote learning | Microsoft EDU

From time to time, we feature guest blogs from educators who are making a difference in the lives of young people and who are eager to share their success with the Microsoft Education community. These Changemakers, as we call them, offer insights into the effective use of classroom resources, how to prepare today’s youth for the jobs of tomorrow, and ways that technology can personalize instruction and empower students to lead in their learning. Today’s Changemaker blog was written by Meredith Roe, virtual school program manager for Catholic Education Western Australia.

The global COVID-19 outbreak is challenging the continuity of learning for schools and other education institutions. Whether you’re at a school that has experience with remote learning, or one that’s learning how to implement it in the moment, there are resources available to help. I’ve found Microsoft Office 365 tools can be especially useful for remote learning. 

The learning opportunity 

Events that close schools can leave us with a sense of loss, sadness and worry, and going remote can come with negative connotations or be considered a second-rate option. However, if we try to see the current crisis, hard as it might be, as a chance for reflection and staff and student skill development, then remote learning seems like less of a burden. Let’s be clear, though, there are important conditions that must be met for remote learning to succeed. I’ve listed the ones that I believe are critical here. 

Staff professional development  

Developing teacher skills ought to be a top priority for any school or system. We can ensure quality learning continues if we prepare teachers through strategic planning and meaningful professional learning opportunities. 

There are lots of options for delivering high-quality professional learning. Here are some examples, all of which should be possible to try even during a closure.

  • Online courses through the Microsoft Educator Community
  • School- or system-led webinars delivered via Teams
  • Access to existing resources in a OneNote or a SharePoint site or many of the other resources that Microsoft have created specifically for remote learning. 

Remember, Teams and OneNote, along with other Office 365 tools, can provide a platform for easy collaboration and communication and access to resources.  

Spending time to skill up for distance learning during ordinary times is worthwhile. If a school ends up not needing to close in the event of an emergency, it will simply have had an opportunity to engage staff in learning that helps integrate technology into the curriculum. It’s hard to argue against that! 

One great resource is the Network of Microsoft Authorized Global Training Partners, which is available to help schools develop a comprehensive professional development plan and staff training. 

Student skill development  

Experience with remote learning can help students gain the skills needed to transition to post-secondary settings, such as college and the workforce. Among other things, it can build resilience and the ability to collaborate and problem solve.

Students need to be given some independence and taught technical skills to be ready for distance learning. Here are some ideas: 

  • Use the Praise app in Microsoft Teams as a badging system and feedback tool when working on skills development.
  • Involve students in your remote learning planning by using Polly, a way to conduct polls in Teams, to determine structure of the class team. 
  • Through Flipgrid you can gather student voice, such as what they perceive as challenges and opportunities during remote learning days. 
  • Microsoft Forms is terrific for feedback, including after a school-closure event is over. 

During the school year, it’s a good idea to promote remote learning as it will provide parents with a springboard for conversations with their children about the importance of keeping learning going.  

Clear expectations  

Clear expectations are essential to make remote learning work. These should include expectations around: 

  • Educator and staff availability
  • Communication tools and strategies 
  • The completion of student work
  • Staff response time to student questions

Ensuring everyone understands these expectations prior to starting remote learning will avoid rash decisions during an emergency. While these plans can be documented in a text-based tool, consider also recording a message in Flipgrid or Stream so staff can access those during the remote learning period if clarification is needed. Also add them to a OneNote document, as a tab in a staff team, for easy access.  

Communication strategy 

During an event that requires schools to move to distance learning, school and system leaders have to communicate regularly with key stakeholders including parents, students, staff, and the relevant authorities. Teams can be a huge help. 

Creating a staff Team will help school leaders and teaching staff remain connected, enable easy sharing of resources, and contribute to a supportive community.  Asking staff to ‘like’ your posts in Teams is an easy way for administrators to make sure all parties are seeing what you’re communicating. And adding the Insights app as a tab in your team will also give you detailed data on staff activity in Posts.  

Staff support 

Remote learning can feel isolating, but with Teams, educators can remain connected to their department leaders, school leaders, and each other. School leaders also need to be visible during remote learning, which can mean: 

  • Being an active member of the team – liking staff posts (emojis)
  • Posting a daily staff message of encouragement (announcements)
  • Sharing best practices (through a collaboration space in a Class Notebook, embedded in the Team)
  • Showcasing examples of great work by staff (using the praise tool in Teams)
  • And encouraging the usual banter that would occur in the school corridors and staffroom (gifs, memes).  

Don’t miss the opportunity to also connect and share via Teams calls, which you can record for staff unable to attend the live call, or a Flipgrid video. 

Backup plan 

As educators we know, there will always be a need for a backup plan. It’s true when physically in the classroom, and it’s true with remote learning. A staff member or student might be without internet, for example. Keep in mind that if students sync their OneNote/Class Notebook before leaving school at the point of closure, they can continue to work offline.

The more opportunities students and staff are given to use the tools needed to make distance learning a success, the smoother the transition to this type of learning will be. In an ideal world, such a transition would be seamless and the disruption to learning limited. I think that’s achievable with Teams, OneNote, and other Office 365 tools but, going forward, planning and preparation are the key to making this possible! 

Author: Microsoft News Center

January Patch Tuesday fixes cryptography bug found by NSA

Microsoft closed a flaw in a key cryptographic feature it discovered with help from the National Security Agency as part of the January Patch Tuesday security updates.

Microsoft issued fixes for Windows, Internet Explorer, Office, several .NET technologies, OneDrive for Android and Microsoft Dynamics for January Patch Tuesday to close 49 unique vulnerabilities, with eight rated as critical. Microsoft said there were no exploited or publicly disclosed vulnerabilities. This month’s updates were the last free security fixes for Windows 7 and Windows Server 2008/2008 R2 as those operating systems left extended support.

Windows cryptographic library flaw fixed

The bug that drew the most attention from various security researchers on January Patch Tuesday is a spoofing vulnerability (CVE-2020-0601), rated important, that affects Windows 10 and Windows Server 2016 and 2019 systems. The NSA uncovered a flaw in the crypt32.dll file that handles certificate and cryptographic messaging functions in the Windows CryptoAPI. The bug would allow an attacker to produce a malicious program that appears to have an authenticated signature from a trusted source.

A successful exploit using a spoofed certificate could be used to launch several types of attacks, such as deliver a malicious file that appears trustworthy, perform man-in-the-middle campaigns and decode sensitive data. An unpatched system could be particularly susceptible because the malicious file could appear legitimate and even skirt Microsoft’s AppLocker protection.

“The guidance from us would be, regardless of Microsoft’s ‘important’ classification, to treat this as a priority one and get the patch pushed out,” said Chris Goettl, director of product management and security at Ivanti, a security and IT management vendor based in South Jordan, Utah.

Goettl noted that companies might not be directly attacked with exploits that use the CryptoAPI bug, but could be at risk from attacks on the back-end system of a vendor or another outside entity, such as when attackers embedded the NotPetya ransomware in tax software to slip past defenses.

“It’s not a very common occurrence because good code-signing certificates can establish a level of trust, while this [vulnerability] invalidates that trust and allows an attacker to try and spoof that. It introduces a lot of potential for risk, so we recommend people close [CVE-2020-0601] down as quickly as possible,” he said.

Bugs in Windows remote connection technology patched

January Patch Tuesday also closed three vulnerabilities related to Remote Desktop Services rated critical.

CVE-2020-0609 and CVE-2020-0610 are both remote code execution vulnerabilities in the Remote Desktop Gateway that affect server operating systems on Windows Server 2012 and newer. Microsoft said both CVEs can be exploited pre-authentication without any interaction from the user. Attackers who use the exploit can run arbitrary code on the target system, then perform other tasks, including install programs, delete data or add a new account with full user rights.

CVE-2020-0611 is a remote code execution vulnerability in the Remote Desktop Client that affects Windows 7 and newer on desktops, and Windows Server 2008 R2 and newer on server systems, when the attacker tricks a user to connect to a malicious server. The threat actor could then perform a range of actions, such as install programs, view or change data, or make a new account with full user rights.   

Legacy operating systems reach end-of-life

January Patch Tuesday marks the last time Microsoft will provide security updates and other fixes for the Windows 7, Windows Server 2008 and 2008 R2 operating systems unless customers pay to enter the Extended Security Updates (ESU) program. Companies must also have Software Assurance coverage or subscription licenses to purchase ESU keys for the server operating systems. Users will need to add the ESU key to systems they want to keep protected. ESU for those systems will end in three years.

Companies that plan to keep these legacy operating systems and have signed up for the ESU program should install the servicing stack updates Microsoft released for all three operating systems on January Patch Tuesday, Goettl said. Administrators also need to deploy and activate the ESU key using Microsoft’s instructions.

ESU is an expensive option. For on-premises server workloads, organizations will need either Software Assurance or a subscription license at a cost of about 75% of the license cost each year.  

ESU does not add new or updated features, just security fixes.

For organizations that plan to keep these operating systems running without the safety net of ESU, there are a few ways to minimize the risk around those workloads, including adding more security layers and removing the workload from a direct connection to the internet, Goettl said.

“If there’s an application or something that needs to run on Windows 7, then virtualize that environment. Get the users on the Windows 10 platform and have them connect into the Windows 7 environment to access that critical app. You will spend more money doing it that way, but you will reduce your risk significantly,” he said.

Google Cloud networking BYOIP feature could ease migrations

Google hopes a new networking feature will spur more migrations to its cloud platform and make the process easier at the same time.

Customers can now bring their existing IP addresses to Google Cloud’s network infrastructure in all of its regions around the world. Those who do can speed up migrations, cut downtime and lower costs, Google said in a blog post.

“Each public cloud provider is looking to reduce the migration friction between them and the customer,” said Stephen Elliot, an analyst at IDC. “Networking is a big part of that equation and IP address management is a subset.”

Bitly, the popular hyperlink-shortening service, is an early user of Google Cloud bring your own IP (BYOIP).

Many Bitly customers have custom web domains that are attached to Bitly IP addresses and switching to ones on Google Cloud networking would have been highly disruptive, according to the blog. Bitly also saved money via BYOIP because it didn’t have to maintain a co-location facility for the domains tied to Bitly IPs.

BYOIP could help relieve cloud migration headaches

IP address management is a well-established discipline in enterprise IT. It is one that has become more burdensome over time, not only due to workload migrations to the cloud, but also the vast increase in internet-connected devices and web properties companies have to wrangle.

AWS offers BYOIP through its Virtual Private Cloud service but hasn’t rolled it out in every region. Microsoft has yet to create a formal BYOIP service, but customers who want to retain their IP addresses can achieve a workaround through Azure ExpressRoute, its service for making private connections between customer data centers and Azure infrastructure.

Microsoft and AWS will surely come up to par with Google Cloud networking on BYOIP, eventually. But as the third-place contestant among hyperscale cloud providers, Google — which has long touted its networking chops as an advantage — could gain a competitive edge in the meantime.

IP address changes are a serious pain point for enterprise migrations of any sort, particularly in the cloud, said Eric Hanselman, chief analyst at 451 Research.

“Hard-coded addresses and address dependencies can be hard to find,” he added. “They wind up being the ticking time bomb in many applications. They’re hard to find beforehand, but able to cause outages during a migration that are problematic to troubleshoot.”

Overall, the BYOIP concept provides a huge benefit, particularly for large over-the-internet services, according to Deepak Mohan, another analyst at IDC.

“They often have IPs whitelisted at multiple points in the delivery and the ability to retain IP greatly simplifies the peripheral updates needed for a migration to a new back-end location,” Mohan said.

Box security gets a boost with built-in Shield

SAN FRANCISCO — Box shops will have the ability to get granular with a new built-in Box security feature, but organizations will have to find a role for the tool alongside their other security platforms.

Box Shield, which was introduced at the file-sharing company’s annual conference, BoxWorks, will detect anomalies and risky user behavior within Box. Experts here discussed the potential behind Box Shield and how it might integrate with existing security and identity management tools within businesses.

“Security is such a tough problem,” said James Sinur, vice president at Aragon Research, based in Morgan Hill, Calif. “I haven’t found any security software that covers all aspects of it.”

How Box Shield works

Box Shield has three main functionalities: smart access, anomaly detection and a content firewall.

Smart access enables end users and IT admins to classify Box files according to their level of confidentiality. Then, IT admins can apply policies based on those classifications.

Anomaly detection helps IT to discover compromised accounts and identify access abuse. For example, if an end user accesses Box from Guatemala and downloads large amounts of data, Box Shield will flag that as risky behavior.

The content firewall feature can go beyond two-factor authentication to verify external users and check the security of devices.

IT can also use Box Shield to uncover historical data about a user’s activity and access analytics about their behavior.

Box Shield tries to play nice with other security

Sinur said he expects customers to use Box Shield in conjunction with other security platforms.

“Where I think [Box] will make their contribution is by adjusting policies that govern those pieces of [content],” he said.

Box is well-known for a plethora of integrations with third-party platforms — from Google and Slack to Microsoft and Okta. The company is already identifying places where Box Shield would integrate with other cloud access security broker (CASB) services, CEO Aaron Levie said in a press conference. Customers with an existing security information management tool, for example, would be able to use Box Shield in conjunction with it, he said.

An IT security analyst at a financial institution who wanted to remain anonymous was very interested in the new tool. His company already has several security technologies in place, such as Symantec and Okta, and would use Box Shield in addition to those services, he said.

“From a nonmanaged versus managed device, it would help us keep track of what’s going in and what’s going out based off of the device control,” he added.

Box Shield, however, would potentially replace the company’s current mobile device management platform, MobileIron.

“It would frequently push certificates out and start managing our CASBs,” he said. “We would use Box to help identify patterns in data movement.”

Pricing concerns

Pricing details aren’t yet released, but organizations will have to pay an additional cost for Box Shield, according to the vendor.

Pencils of Promise, a nonprofit organization in New York, is interested in Box Shield — but only at an affordable cost, said Ben Bromberg, senior manager of data systems at the nonprofit.

“It does seem like the sort of thing that an organization like mine would appreciate, but I have a suspicion that it would be at a price point that would be out of our reach,” he said.  

Box Shield will be available in private beta later this year, the company said.

LinkedIn Sales Navigator refresh adds deals pipeline

A LinkedIn Sales Navigator refresh adds a deals management feature, smoother search experience and mobile deal pages to the social media giant’s social sales platform.

The revamp injects an array of new ways to search, manipulate and process LinkedIn’s vast troves of personal and consumer data and data from CRM systems and puts LinkedIn in a better position to monetize the information — coming off a hot quarter for LinkedIn, which reported June quarter earnings of $1.46 billion, up 37% from Q2 2017.

These upgraded features represent the next step in AI-assisted sales and marketing campaigns in which B2B companies mash up their own customer data with information on LinkedIn.

Microsoft banking on LinkedIn revenue

Microsoft bought LinkedIn in June 2016 for $26.2 billion. While Microsoft doesn’t always announce how AI is assisting automation of sales-centric search tools in Sales Navigator, a premium LinkedIn feature that also integrates LinkedIn data to CRM platforms such as Salesforce and Dynamics CRM, some experts have noted how AI subtly manifests itself in the search. 

The LinkedIn Sales Navigator refresh was unveiled in a blog post by Doug Camplejohn, vice president of products for LinkedIn Sales Solutions.

The new “Deals” web interface extracts and imports sales pipeline data from the user’s CRM system and enables users to update pipelines considerably faster, Camplejohn said in the post about the LinkedIn Sales Navigator refresh.

“Reps can now update their entire pipeline in minutes, not hours,” he wrote.

Adobe Sign connector added

Meanwhile, a new feature in Deals, “Buyer’s Circle,” pulls in and displays opportunity role information to streamline the B2B buying process. Users can see if any “key players” such as decision-maker, influencer or evaluator, are missing from deals, according to LinkedIn.

The vendor called another new function in the LinkedIn Sales Navigator refresh — Office 365 integration — “Sales Navigator in your inbox.”

“We all live in email,” the blog post said. “Now you can take Sales Navigator actions and see key insights without ever leaving your Outlook for Web Inbox.”

LinkedIn also touted what it called a “new search experience” in the Sales Navigator update, saying it redesigned the search function to surface search results pages faster and easier.

Also as part of the LinkedIn Sales Navigator refresh, LinkedIn added mobile-optimized lead pages for sales people working on mobile devices. LinkedIn also named Adobe Sign the fourth partner to its Sales Navigator Application Platform (SNAP). Other SNAP partners include Salesforce, Microsoft Dynamics and SalesLoft.

TLBleed attack can extract signing keys, but exploit is difficult

An interesting, new side-channel attack abuses the Hyper-Threading feature of Intel chips and can extract signing keys with near-perfect accuracy. But both the researchers and Intel downplayed the danger of the exploit.

Ben Gras, Kaveh Razavi, Herbert Bos and Cristiano Giuffrida, researchers at Vrije Universiteit’s systems and network security group in Amsterdam, said their attack, called TLBleed, takes advantage of the translation lookaside buffer cache of Intel chips. If exploited, TLBleed can allow an attacker to extract the secret 256-bit key used to sign programs, with a success rate of 99.8% on Intel Skylake and Coffee Lake processors and 98.2% accuracy on Broadwell Xeon chips.

However, Gras tweeted that users shouldn’t be too scared of TLBleed, because while it is “a cool attack, TLBleed is not the new Spectre.”

“The OpenBSD [Hyper-Threading] disable has generated interest in TLBleed,” Gras wrote on Twitter. “TLBleed is a new side-channel in that it shows that (a) cache side-channel protection isn’t enough: TLB still leaks information; (b) side-channel safe code that is constant only in the control flow and time but not data flow is unsafe; (c) coarse-grained access patterns leak more than was previously thought.”

Justin Jett, director of audit and compliance for Plixer LLC, a network traffic analysis company based in Kennebunk, Maine, said TLBleed is “fairly dangerous, given that the flaw allows for applications to gain access to sensitive memory information from other applications.” But he noted that exploiting the issue would prove challenging.

“The execution is fairly difficult, because a malicious actor would need to infect a machine that has an application installed that they want to exploit. Once the machine is infected, the malware would need to know when the application was executing code to be able to know which memory block the sensitive information is being stored in. Only then will the malware be able to attempt to retrieve the data,” Jett wrote via email. “This is particularly concerning for applications that generate encryption keys, because the level of security that the application is trying to create could effectively be reduced to zero if an attacker is able to decipher the private key.”

Intel also downplayed the dangers associated with TLBleed; the company has not assigned a CVE number and will not patch it.

“TLBleed uses the translation lookaside buffer, a cache common to many high-performance microprocessors that stores recent address translations from virtual memory to physical memory. Software or software libraries such as Intel Integrated Performance Primitives Cryptography version U3.1, written to ensure constant execution time and data independent cache traces, should be immune to TLBleed,” Intel wrote in a statement via email. “Protecting our customers’ data and ensuring the security of our products is a top priority for Intel, and we will continue to work with customers, partners and researchers to understand and mitigate any vulnerabilities that are identified.”

Jett noted that even if Intel isn’t planning a patch, it should do more to alert customers to the dangers of TLBleed.

“Intel’s decision to not release a CVE number is odd at best. While Intel doesn’t plan to patch the vulnerability, a CVE number should have been requested so that organizations could be updated on the vulnerability and software developers would know to write their software in a way that may avoid exploitation,” Jett wrote. “Without a CVE number, many organizations will remain unaware of the flaw.”

The researchers plan to release the full paper this week. And, in August, Gras will present on the topic at Black Hat 2018 in Las Vegas.

Apple iOS 12 USB Restricted Mode to foil thieves, law enforcement

A security feature that had popped up in beta versions of Apple’s iOS software appears to be coming in earnest as part of iOS 12, and it will protect devices against anyone trying to unlock them via USB.

USB Restricted Mode is described in the iOS 12 settings as the option to enable or deny the ability to “unlock [an] iPhone to allow USB accessories to connect when it has been more than an hour since your iPhone was locked.” In practice, this means a device will require a passcode unlock in order to connect any Lightning-to-USB accessory after the one-hour time limit has passed.

Apple didn’t mention USB Restricted Mode during the keynote at its Worldwide Developers Conference on Monday, but developers saw it in the iOS 12 preview, which was released that same day. The setting is on by default and covers any type of security on an iOS device — Touch ID, Face ID and passcode.

Experts noted USB Restricted Mode will protect users’ data if a device is stolen, but it will also deny law enforcement from using unlocking services from companies like GrayKey and Cellebrite — the latter of which was rumored to have helped the FBI unlock the San Bernardino, Calif., shooter’s iPhone.

Earlier tests of USB Restricted Mode had allowed for a one-week time limit, spurring GrayKey to reportedly alert customers of this feature when it surfaced in the iOS 11.3 beta, according to internal email messages obtained by Motherboard. A one-hour time limit could effectively make it impossible for customers to get the device to a company like GrayKey in time to gain brute-force access.

Rusty Carter, vice president of product management at Arxan, based in San Francisco, said USB Restricted Mode “is really about increasing the security of the device.”

“If the device is vulnerable to brute-force attacks via wired connection, other security features, like being able to wipe the device after 10 unsuccessful authentication attempts, are rendered useless … they are effectively a false sense of security,” Carter wrote via email. “Effectively, any data is vulnerable, unless the individual app developer has done the right thing both to secure and encrypt user data and require more than stored credentials or identity to access the data with their app, which is rarely the case today.”

John Callahan, CTO of Veridium, based in Quincy, Mass., said, as a developer, his initial reaction to USB Restricted Mode was, “Great, now I’ll have to unlock the phone every time I go to debug a mobile app with Xcode.” But he later realized it could have protected a lot of stolen devices if it had been implemented in an earlier version of iOS.

“USB Restricted Mode in iOS 12 is a big win for users, because we are keeping more personally identifiable information on our mobile devices, including healthcare, identification and biometric data. Our phones have become our digital wallets, and we expect a maximum level of privacy and convenience,” Callahan wrote via email. “Android devices, ironically seen as less secure, have long required unlocking when connected in USB Debug mode. In many ways, Apple is playing catch-up with respect to physical device security.”