All posts by Connor Jones

Microsoft Exchange servers break thanks to ‘Y2K22’ bug


Connor Jones

4 Jan, 2022

Microsoft has released an emergency patch for a flaw in Microsoft Exchange that prevented emails from sending at the turn of the new year.

Businesses running on-premise Microsoft Exchange environments reported encountering issues whereby emails were stuck in a queue instead of sending after the yearly date changed to 2022.

The issue has been attributed to Exchange’s malware scanning engine, which stores dates as 32-bit variables. The variable’s maximum value is 2,147,483,647, but a value of 2,201,010,001 is required to represent the date 1 January 2022 – a value that exceeds the maximum and caused the engine to crash.

Microsoft said the problem is not a fault in Exchange or in its malware-scanning engine that affects the running of the products themselves, but rather a fault in the engine’s date-checking process. Microsoft also said this is not a cyber security issue.

Customers can check whether the issue is affecting their on-premise servers by looking in the Application event log on the Exchange Server for event IDs 5300 and 1106 from the FIPFS source.
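The two points above, the 32-bit limit on a date-stamped version number and the FIPFS event IDs to look for, as an added example that is not Microsoft’s code. It assumes the version is built as YYMMDDnnnn (two-digit year, month, day, four-digit sequence), which reproduces the 2,201,010,001 value quoted for 1 January 2022; the event-log records are constructed samples, not real Exchange output.

```python
"""
Added example (not Microsoft's code): model the date-stamped version scheme
described in the article, check it against the signed 32-bit limit, and scan
constructed Application-log records for the FIPFS events 5300 and 1106.

Assumption: version = YYMMDDnnnn (two-digit year, month, day, 4-digit sequence).
"""
from datetime import date, timedelta
from typing import List, Optional, Tuple

INT32_MAX = 2_147_483_647  # largest value a signed 32-bit integer can hold


def encode_version(d: date, seq: int = 1) -> int:
    """Return the YYMMDDnnnn-style version number for date d (assumed scheme)."""
    if not 0 <= seq <= 9999:
        raise ValueError("sequence must fit in four digits")
    return int(f"{d.year % 100:02d}{d.month:02d}{d.day:02d}{seq:04d}")


def fits_int32(value: int) -> bool:
    """True if value can be stored in a signed 32-bit integer without overflow."""
    return -INT32_MAX - 1 <= value <= INT32_MAX


def first_overflow_date(start: date, end: date) -> Optional[date]:
    """Walk day by day and return the first date whose version no longer fits."""
    d = start
    while d <= end:
        if not fits_int32(encode_version(d)):
            return d
        d += timedelta(days=1)
    return None


# Detection side: affected servers log FIPFS events 5300 and 1106.
FIPFS_EVENT_IDS = {5300, 1106}

# Constructed sample records in (Source, EventID, Message) shape; the
# messages are placeholders, not real Exchange log text.
SAMPLE_EVENTS: List[Tuple[str, int, str]] = [
    ("MSExchangeTransport", 1000, "constructed: transport service started"),
    ("FIPFS", 5300, "constructed: scan engine reported an error"),
    ("FIPFS", 1106, "constructed: scan engine reported an error"),
    ("FIPFS", 6027, "constructed: routine engine message"),
    ("Application Error", 1106, "constructed: unrelated source, same ID"),
]


def find_fipfs_errors(events: List[Tuple[str, int, str]]) -> List[Tuple[int, str]]:
    """Return (event_id, message) for records matching source FIPFS and the IDs above."""
    return [(eid, msg) for src, eid, msg in events
            if src == "FIPFS" and eid in FIPFS_EVENT_IDS]


if __name__ == "__main__":
    for d in (date(2021, 12, 31), date(2022, 1, 1)):
        v = encode_version(d)
        print(d, v, "fits int32" if fits_int32(v) else "OVERFLOWS int32")
    print("first overflowing date:",
          first_overflow_date(date(2021, 12, 1), date(2022, 1, 31)))
    print("FIPFS errors:", find_fipfs_errors(SAMPLE_EVENTS))
```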

Microsoft Exchange customers will need to intervene and apply the patch themselves in order to restore smooth email functionality. Microsoft detailed the step-by-step process customers can follow if they wish to patch manually, and also supplied a downloadable script for customers who want to take the automated solution. 

The script “will take some time to make the necessary changes, download the updated files, and clear the transport queues,” Microsoft said. Whether customers choose the automated or manual steps towards remediation, they must be carried out on every on-premises Exchange 2016 and Exchange 2019 server. The automated script can run on multiple servers in parallel.

Members of the IT community have dubbed the issue the ‘Y2K22’ bug for its similarity to the issue that threatened to break all computers at the turn of the millennium.

Both issues stem from the way computers handle dates; combating the original Y2K bug required millions in investment and a great deal of work.

Meta expands bug bounty programme to cover data scraping


Connor Jones

16 Dec, 2021

Meta has expanded its bug bounty programme to include flaws that lead to data scraping in a move it’s describing as an industry-first.

The programme will now cover database scraping and also offer rewards for researchers who can simply show novel methods of scraping on its products – the latter of which is a first-of-its-kind programme, according to the newly rebranded parent company of Facebook.

It will begin as a private programme only available to Meta’s Gold+ HackerPlus security researchers – a title for researchers who have reported at least five valid bugs to the company – and will offer rewards to those who show how data scraping can be achieved, regardless of the degree of impact on the product.

Researchers can submit methods even if the data is public and Meta said it’s particularly looking for reports regarding logic bypass issues – flaws that permit access to data via unintended mechanisms.

Data scraping can be achieved using specially crafted scripts, often using the Python programming language, which are designed to lift the data from any given web page. These scripts can be designed to grab specific information, depending on the target and the purpose of the activity.

“We know that automated activity designed to scrape people’s public and private data targets every website or service,” said Meta in an announcement.

“We also know that it is a highly adversarial space where scrapers – be it malicious apps, websites or scripts – constantly adapt their tactics to evade detection in response to the defences we build and improve. As part of our larger security strategy to make scraping harder and more costly for the attackers, today we are beginning to reward valid reports of scraping bugs in our platform.”

The move comes more than two years after the company formerly known as Facebook first identified an issue that allowed users to scrape data of 533 million of its users. The data was leaked online, in full, by a hacker earlier this year after they ran an underground business that saw people pay small sums to access and retrieve information such as users’ phone numbers.

Meta has said it will also reward researchers who can demonstrate they can scrape datasets containing at least 100,000 Facebook user records, starting today.

To be eligible for a reward, the dataset must be unique and unknown to Meta, and contain personally identifiable information (PII) such as email addresses, phone numbers, physical addresses, or religious or political affiliations.

“If we confirm that user PII was scraped and is now available online on a non-Meta site, we will work to take appropriate measures, which may include working with the relevant entity to remove the dataset or seeking legal means to help ensure the issue is addressed,” the company said.

The maximum reward for the programme has not been disclosed by Meta, but it said each successful, eligible disclosure will be rewarded with a minimum of $500 (£376).

Database scraping is often confused with a data breach, and the distinction between the two terms is worth drawing even though the outcome is largely the same – user data ending up in the hands of parties with whom the user never explicitly shared it.

Unlike data breaches, which fall under the Computer Misuse Act, there is no specific law against data scraping in the UK. However, sites can take action against individuals if the data scraping results in an infringement of intellectual property or breaches the site’s terms of service.

Kronos services knocked offline by ransomware attack


Connor Jones

14 Dec, 2021

Kronos, a provider of human resources (HR) products, has confirmed its Kronos Private Cloud has been hit with ransomware that has knocked some of its services offline.

The global supplier of business software for tasks such as timekeeping said Kronos UKG Workforce Central, UKG TeleStaff, and Banking Scheduling Solutions – products relating to employee management, emergency services scheduling, and staff scheduling for banks and credit unions respectively – are all affected.

Communicating to customers through the company’s online community and help centre platform, Kronos officials said on-premise environments are unaffected and there is no impact to UKG Pro, UKG Dimensions, or UKG Ready.

Bob Hughes, executive vice president at Kronos, addressed customers on Monday, confirming the incident was indeed ransomware-related.

Hughes also said “it may take up to several weeks to restore system availability” and that customers should take additional measures to ensure the smooth running of their business while the outage persists.

“We are working with leading cyber security experts to assess and resolve the situation, and have notified the authorities,” said Hughes. “The investigation remains ongoing, as we work to determine the nature and scope of the incident.

“We deeply regret the impact this is having on you, and we are continuing to take all appropriate actions to remediate the situation. We recognise the seriousness of this issue and will provide another update within the next 24 hours.”

IT Pro contacted Kronos for further details, including if the company still has access to emails, but it did not reply at the time of publication. It’s also unclear at this time if the ransomware attack was launched via the recently discovered and widely feared Log4Shell Java vulnerability.

According to a Kronos customer success manager replying to a customer in the company’s online help centre, there is currently no indication that any customer data has been compromised in the attack and it has “all available resources deployed to mitigate any loss or access to companies personal data”.

Kronos customers have been contacting the company in droves seeking help on business continuity issues. Common issues involve customers not being able to export employee timesheet data, manually pulling employee timekeeping information, and seeking help to get set up on-premises.

Experts have said the incident should serve as a reminder to all business owners and decision-makers that ransomware attacks such as the one sustained by Kronos must be accounted for when devising a business continuity strategy.

“Whether your workforce management solution is hosted in-house, or externally delivered from the cloud, if you have determined that solution is mission-critical for your day-to-day operations, you need to include scenarios just like this ransomware attack as part of your broader business continuity planning,” said Ben Smith, field CTO at NetWitness, to IT Pro.

“What’s your backup plan if that platform is suddenly unavailable? Do you have alternate processes in place you can spin up temporarily while your vendor gets back on its feet? Even if this means some possibly painful manual work for you and your team, it’s better to have those processes and procedures ready to go, versus not having that backup plan at all.”

Microsoft launches Secured-core servers to combat ransomware


Connor Jones

8 Dec, 2021

Microsoft has expanded its Secured-core PC initiative to its server products in a bid to combat ransomware attacks on infrastructure.

Secured-core will now be expanded to reach Windows Server, Microsoft Azure Stack HCI, and Azure-certified IoT devices.

Businesses can search for Secured-core servers in the Azure Stack HCI and Windows Server online catalogues. There are currently four products that run Azure Stack HCI, all from HPE, and 42 options from a variety of vendors that meet the Windows Server spec.

All servers come “fully equipped with industry-leading security mitigations built into the hardware, firmware, and the operating system to help thwart some of the most advanced attack vectors,” Microsoft said.

Secured-core servers are built around three distinct security pillars:

  1. To protect the server infrastructure with a hardware-based root of trust
  2. To defend sensitive workloads against firmware-level attacks
  3. To prevent access and the execution of unverified code on the systems

“Partnering with leading original equipment manufacturers (OEMs) and silicon vendors, Secured-core servers use industry-standard hardware-based root of trust coupled with security capabilities built into today’s modern central processing units (CPUs),” said Microsoft in a blog post.

“Secured-core servers use the Trusted Platform Module 2.0 and Secure boot to ensure that only trusted components load in the boot path.”

It’s thought the new hardware will help tackle specific parts of ransomware attacks and help detect intrusions earlier, with the hope that attacks can be mitigated before any real damage is done.

Microsoft used a typical REvil ransomware kill chain as an example. REvil was one of the most prolific ransomware gangs of 2021 before it shuttered following a string of arrests of alleged REvil associates.

Using the kill chain REvil employed against Kaseya earlier this year, Microsoft explained that Secured-core server features such as Hypervisor-protected Code Integrity (HVCI) can use a code integrity policy to block drivers that tamper with the kernel, as Mimikatz does.

By preventing credential theft, an early stage of the ransomware kill chain, Microsoft said Secured-core servers can make it very difficult for attackers to move laterally around a victim’s network.

“Continuing to raise the security bar for critical infrastructure against attackers makes it easier for organisations to meet that higher bar, which is an important priority for both customers and Microsoft,” said Microsoft. 

“Successfully protecting systems requires a holistic approach that builds security from the chip to the cloud across hardware, firmware, and the operating system.”

Microsoft debuted the Secured-core initiative in 2019 on Windows PCs which saw computers ship with enhanced security measures at the hardware level. 

The machines were designed for business use, with the financial services and healthcare industries targeted specifically, as well as anyone working in a high-value-data role such as in government. 

Microsoft 365 prices to soar by 20% for pay monthly subscribers


Connor Jones

7 Dec, 2021

Microsoft has told managed service providers (MSPs) that it will charge a 20% premium on Microsoft 365 products unless customers choose to be billed annually.

The news has angered many in the MSP community, who say they stand to lose out if, for example, a customer goes bankrupt or reduces the number of licenses it needs. In such cases the MSP will still have to pay Microsoft, regardless of changes or complications on the customer side.

Month-to-month billing affords customers the flexibility they often need and in some cases allows MSPs to budget more efficiently with other month-to-month billing products in their stacks.

The news comes as prices for individual products are also set to increase by up to 15% each.

Recently delayed until 1 March 2022, Microsoft’s New Commerce Experience (NCE) will soon increase the prices of Microsoft 365 Business Basic, Microsoft 365 Business Premium, Office 365 E1, Office 365 E3, Office 365 E5, and Microsoft 365 E3.

First reported by CNBC, the move to force customers into either paying a higher price for flexibility or a lower price for a longer term has not been greeted warmly, and a Change.org petition protesting Microsoft’s decision has reached more than 1,000 signatures.

Discussions between MSPs have taken place on a Reddit thread where the feedback has been largely negative, though some recognised the move could provide some benefits to larger value-added resellers (VARs) but may hurt smaller businesses.

IT Pro contacted Microsoft for comment on the community’s reaction, but it did not reply at the time of publication.

Reseller Pax8 said the NCE can help businesses prepare for future growth “thanks to improved revenue predictability, reduced licensing complexity, multiple term options, and features that enable new sales capabilities and operational efficiencies.”

One of the key changes MSPs are lobbying Microsoft to make is to allow the pooling of licenses.

This would allow a partner to redistribute a license if a tenant leaves, rather than paying Microsoft for an unused service for the remainder of a one-year commitment period, for example.

Microsoft hit with formal complaint over “monopolistic” software bundling


Connor Jones

29 Nov, 2021

A coalition of EU-based tech firms has filed a formal complaint against Microsoft alleging anticompetitive conduct related to the bundling of its productivity apps with Windows.

German content collaboration platform Nextcloud is leading the complaint and is joined by nearly 30 additional companies in the software and cloud sectors.

The formal complaint has been filed to the European Commission’s Directorate-General for Competition and Nextcloud has also reported the coalition’s concerns to German antitrust authorities, the Bundeskartellamt.

The tech firms driving the complaint are against Microsoft’s “monopolistic” practice of bundling the likes of OneDrive, Teams, and other services with Windows 10 and Windows 11.

The companies claim the practice is pushing consumers to register for the services and hand their data over to Microsoft, stifling consumer choice and genuine market competition. 

The coalition said Microsoft has grown its market share to 66% of the EU market in the last few years while smaller vendors have seen their shares shrink by as much as 26%.

“This is quite similar to what Microsoft did when it killed competition in the browser market, stopping nearly all browser innovation for over a decade,” said Frank Karlitschek, CEO and founder of Nextcloud. “Copy an innovator’s product, bundle it with your own dominant product and kill their business, then stop innovating.

“This kind of behaviour is bad for the consumer, for the market and, of course, for local businesses in the EU,” he added. “Together with the other members of the coalition, we are asking the antitrust authorities in Europe to enforce a level playing field, giving customers a free choice and to give competition a fair chance.”

IT Pro contacted Microsoft for comment but it did not reply at the time of publication.

Microsoft is currently the subject of an EU probe into its alleged anti-competitive practices, first brought to the Bloc’s attention more than a year ago by workplace collaboration company Slack.

Slack originally complained that Teams, Microsoft’s own workplace platform, was bundled with the market-dominant Office 365 productivity suite in a way that illegally forced the software on users.

The complaint and resulting probe into Microsoft’s business is the latest development in a long-running feud between the two companies.

Hacked Google Cloud Platform instances are riddled with cryptominers


Connor Jones

26 Nov, 2021

Google Cloud has revealed that 86% of hacked Google Cloud Platform (GCP) instances in 2021 led to cryptocurrency miners being dropped into customers’ environments.

Cryptocurrency miners being installed in cloud instances was the leading issue facing GCP customers this year with 58% of compromised instances having cryptominers installed within just 22 seconds of attackers gaining access.

Google Cloud’s Threat Analysis Group (TAG) said this led it to believe the process was script-driven without requiring human intervention.

GCP customers were targeted heavily with attackers attempting to leverage the high levels of compute available to them, without having to foot the bill.

Google Cloud also revealed cloud instances have been compromised in as little as 30 minutes, with the majority taking just eight hours.

The TAG at Google’s cloud arm noticed attackers are monitoring the public IP address space for signs of unsecured GCP instances, knowing how quickly they can compromise each one. 

“Given that most instances were used for cryptocurrency mining rather than exfiltration of data, Google analysts concluded the Google Cloud IP address range was scanned rather than particular Google Cloud customers being targeted,” the report read.

“The amount of time from the launch of a vulnerable Google Cloud instance until compromise varied with the shortest amount of time being under 30 minutes.”

TAG researchers also noted that threat actors gained access to GCP instances through exploiting poor customer security practices in almost 75% of all cases.

Half of these cases were compromised because of attackers exploiting instances with weak or in some cases no passwords for user accounts or API connections.

This meant unsecured GCP instances could quite easily be scanned by attackers and brute-forced with minimal difficulty.

Google Cloud customers were also at fault in 26% of cases for installing third-party software in their instance which was then exploited to gain access.

Google Cloud’s basic recommended mitigations for the flaws that let attackers into GCP instances include ensuring accounts always have strong passwords, updating third-party software before a cloud instance is exposed to the web, and not publishing credentials in GitHub projects.

Container Analysis is also available to GCP customers to perform vulnerability scanning and metadata storage for containers, while the Web Security Scanner in the Security Command Center can identify security vulnerabilities in their App Engine, Google Kubernetes Engine, and Compute Engine web applications.

IBM unveils world-first machine learning training method for GDPR-compliance


Connor Jones

25 Nov, 2021

IBM researchers have unveiled a novel method of training machine learning (ML) models that minimises the amount of personal data required and preserves high levels of accuracy.

The research is thought to be a boon to businesses that need to stay compliant with data protection and data privacy laws such as the General Data Protection Regulation (GDPR) and the California Privacy Rights Act (CPRA).

In both GDPR and CPRA, ‘data minimisation’ is a core component of the legislation but it’s been difficult for companies to determine what the minimal amount of personal data should be when training ML models.

It’s especially difficult when the goal of training ML models is usually to achieve the highest degree of accuracy in predictions or classifications, regardless of the amount of data used.

The findings from the study, thought to be a world first in the field of machine learning, showed that less data could be used in training datasets, by putting the data through a process of generalisation, while preserving the same level of accuracy as larger datasets.

At no point did researchers see a drop in prediction accuracy below 33% even when the entire dataset was generalised, preserving none of the original data. In some cases, the researchers were able to achieve 100% accuracy even with some generalisation.

In addition to adhering to the data minimisation principle of major data protection laws, researchers suggest that smaller data requirements could also lead to reduced costs in areas like data storage and management fees.

Data generalisation process

Businesses can become more compliant with data laws by removing or generalising some of the input features of runtime data, IBM researchers showed.

Generalisation involves taking a feature value and breaking it down into specific values and generalised values. For a numerical feature ‘age’, the specific values of which could be 37 or 39, a possible generalised value range could be 36-40.

A categorical feature of ‘marital status’ could have the specific values ‘married’, ‘never married’, and ‘divorced’. A generalisation of these could be ‘never married’ and ‘divorced’, which eliminates one value, decreasing specificity, but still provides a degree of accuracy as ‘divorced’ implies that an individual has, at one point, been married.

The numerical features are less specific, adding three additional values, while the categorical feature is less detailed. The quality of these generalisations is then analysed using a metric. IBM chose to use the NCP metric over others in consideration as it lent itself best to the purposes of data privacy.
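The two generalisations described above (age into a 36-40 range, marital status into ‘never married’ and ‘divorced’) scored with the NCP metric, as an added example that is not IBM’s code. It assumes the standard Normalized Certainty Penalty definition (numeric: interval width over domain width; categorical: 0 when the value stays specific, otherwise the number of original values merged divided by the number of distinct values), equal attribute weights, and a constructed four-record dataset with an assumed age domain of 18-80.

```python
"""
Added example (not IBM's code): generalise age and marital status as the
article describes, then measure information loss with the Normalized
Certainty Penalty (NCP).

Assumptions: NCP as defined by Xu et al. (2006); equal attribute weights;
age domain 18-80; the records below are constructed samples.
"""
from typing import Dict, List, Tuple

# Constructed sample records: (age, marital status)
RECORDS: List[Tuple[int, str]] = [
    (37, "married"),
    (39, "never married"),
    (52, "divorced"),
    (28, "never married"),
]
AGE_DOMAIN = (18, 80)  # assumed numeric domain (min, max)
MARITAL_DOMAIN = ("married", "never married", "divorced")

# Taxonomy from the article: 'married' is folded into 'divorced' because both
# imply the person has at some point been married; 'never married' stays.
MARITAL_TAXONOMY: Dict[str, str] = {
    "married": "divorced",
    "divorced": "divorced",
    "never married": "never married",
}


def generalise_age(age: int, width: int = 5) -> Tuple[int, int]:
    """Map an age to a fixed-width range; width 5 sends 37 and 39 to (36, 40)."""
    lo = ((age - 1) // width) * width + 1
    return (lo, lo + width - 1)


def generalise_marital(status: str) -> str:
    """Replace a specific marital status with its generalised value."""
    return MARITAL_TAXONOMY[status]


def leaves_under(gen_value: str) -> List[str]:
    """Original values that the generalised categorical value covers."""
    return [v for v, g in MARITAL_TAXONOMY.items() if g == gen_value]


def ncp_numeric(interval: Tuple[int, int], domain: Tuple[int, int]) -> float:
    """NCP of a numeric range: its width relative to the attribute's domain."""
    lo, hi = interval
    dmin, dmax = domain
    return (hi - lo) / (dmax - dmin)


def ncp_categorical(leaves: List[str], domain_size: int) -> float:
    """NCP of a categorical value: 0 if still specific, else leaves / domain."""
    return 0.0 if len(leaves) == 1 else len(leaves) / domain_size


def generalise_record(rec: Tuple[int, str], width: int = 5) -> Tuple[Tuple[int, int], str]:
    age, status = rec
    return (generalise_age(age, width), generalise_marital(status))


def record_ncp(gen_rec: Tuple[Tuple[int, int], str]) -> float:
    """Equal-weight mean of the per-attribute penalties."""
    interval, gen_status = gen_rec
    parts = [
        ncp_numeric(interval, AGE_DOMAIN),
        ncp_categorical(leaves_under(gen_status), len(MARITAL_DOMAIN)),
    ]
    return sum(parts) / len(parts)


def dataset_ncp(records: List[Tuple[int, str]], width: int = 5) -> float:
    """Mean NCP over all records; higher means more information lost."""
    return sum(record_ncp(generalise_record(r, width)) for r in records) / len(records)


if __name__ == "__main__":
    for r in RECORDS:
        print(r, "->", generalise_record(r))
    # Coarser age buckets lose more information, which NCP makes visible.
    print("NCP (5-year ages):", round(dataset_ncp(RECORDS, 5), 4))
    print("NCP (10-year ages):", round(dataset_ncp(RECORDS, 10), 4))
```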

[Diagram of the generalisation process. Credit: IBM]

Researchers then selected a dataset and trained one or more target models on it to create a baseline. Generalisation was then applied, the accuracy was calculated and re-calculated (see diagram above) until the final generalisation was ready to be compared to the baseline.

[Diagram of the decision tree trimming. Credit: IBM]

The accuracy of the target model is calculated using decision trees (see above) which are gradually trimmed from the bottom upwards, taking note of any significant decreases in accuracy.

If accuracy is maintained or meets the acceptable threshold after generalised data is applied, the researchers then work to improve the generalisation by gradually trimming the decision tree from the bottom upwards, increasing the generalised range of a given feature, until the final optimised generalisation is made.

IBM launches its ‘most powerful’ quantum processor


Connor Jones

16 Nov, 2021

IBM has unveiled its latest and most powerful quantum computing chip to date, the 127-qubit Eagle processor.

Announced at the IBM Quantum Summit, it is the first quantum chip developed by the company that surpasses 100 qubits.

Eagle is built using a new 3D packaging architecture developed by IBM which it says can support the development of future, more advanced quantum processors up to and including its proposed 1,126-qubit Condor chip, due for release in 2023.

The architecture is based on a heavy-hexagonal qubit layout – a setup that sees a qubit connecting to two or three neighbours. This configuration decreases the potential for errors caused by interacting neighbours and provides significant boosts in yielding functional processors, IBM said.

The architecture also places the qubits on a single layer while other components sit on different levels in a ‘stacked’ formation. 

The processor will be available to select members of the IBM Quantum Network starting in December.

The IBM Quantum Network is a collection of Fortune 500 companies, academic institutions, startups, and national research labs that work with IBM to advance the field of quantum computing. 

As part of IBM Quantum’s roadmap, Condor will mark a significant step in hardware advancements but further development depends on whether commercial dilution refrigerators can rise to the task of cooling such large, complex devices.

That said, the second announcement IBM made at its Quantum Summit may help towards that goal. The IBM Quantum System Two is designed to work with processors exceeding 1,000 qubits and will feature a more modular design with an overhauled cryogenic platform to optimise cooling performance.

IBM is on track to launch the system by 2023 which will help increase the scale of its chips.

The quantum computing capabilities of Eagle far exceed those of classical computers, Arvind Krishna, CEO at IBM, told HBO.

Classical computers encode information into bits represented as either a 1 or 0, while quantum computers encode information using a quantum superposition of a 1 and 0. This does not mean the information is read as both a 1 and a 0 at the same time: when the superposition is measured, it collapses to reveal a 1 or 0 with a certain probability.

The method of encoding allows quantum computers to process more complex tasks. Classical computers will work through problems in an order but quantum computers will approach problems differently, modelling all potential workloads and workstreams at once to generate answers much quicker. 

It makes quantum computing ideal for working through large data sets and for tasks such as cracking cryptographic keys, for example.

Apple unveils Business Essentials suite for small businesses


Connor Jones

11 Nov, 2021

Apple has unveiled a new package of support services designed to help small business IT teams manage their employee devices.

Provided businesses use Apple hardware, IT teams will now be able to manage all their employees’ technology needs using the new suite of tools, aimed at assisting the onboarding of new team members and providing oversight of the workforce’s IT.

Dubbed Apple Business Essentials, the package includes 24/7 phone support for IT managers and end-users, business iCloud storage, device management capabilities, and on-site repairs for businesses of 500 employees or fewer.

IT administrators are also able to bundle certain rules and required apps to different types of employees. For example, if the design team needs a specific suite of apps, they can be bundled into a ‘Collection’ and sent automatically to the team members’ devices.

Specific VPN and Wi-Fi access configurations can also be pre-determined and added to a collection to easily apply those settings to the employees who need them.

Smart user groups also allow IT teams to group employees based on factors like location, department, and job role, which can make applying these collections much easier.

Users imported from Microsoft Azure Active Directory will also receive their apps and settings once added to a smart user group.

Business customers will also eventually receive priority AppleCare support to resolve any issues quickly, although they will need to specifically purchase a plan featuring AppleCare+ for Business Essentials in order to be eligible. Details for these plans will not be unveiled until spring 2022.

Apple is also touting onsite same-day repairs available to businesses in as little as 4 hours to minimise downtime. The caveat is that onsite repairs are only available on certain iPhone models, which haven’t been specified, and will be supported only in specific cities. Apple said each plan will only have two repairs available and these refresh annually.

The service is now available in beta before the full launch in spring 2022. Currently only available to US-based SMBs, plans start at $2.99 (£2.23) per month for a single device, $6.99 (£5.22) per month for a multi device plan, and $12.99 (£9.70) per month for a multi device plan with extra storage.

IT Pro contacted Apple for more information on when the UK can expect to see the service but it declined to offer any further information at this time.

“As your business grows, you may find yourself managing an increasing number of devices for your expanding team,” said Susan Prescott, vice president of enterprise and education marketing at Apple. “We understand that the IT needs of your employees, on top of everything else you’re already doing, is a lot to take on.

“To help you with that, we’re introducing a new service which brings together device management, storage, and support into one simple subscription for small businesses with up to 500 employees.”