Reconnect Series: Maxi Accotto

by Scott Muniz | Sep 9, 2020 | Uncategorized

This article is contributed. See the original author and article here.

Ready or not, it is time once more to Reconnect! This week we are joined by 14-time Data Platform MVP Maxi Accotto! 

Hailing from the Adrogue province of Buenos Aires, Argentina, Maxi’s passion for all things tech dates back to his young teenage years. Starting with SQL Server in version 4.2, Maxi soon embarked on a tech career by studying programming while simultaneously working as an electronics and communications technician.

Maxi has been regularly rewarded with the Data Platform MVP title since 2005 thanks to his deep understanding of the relational database engine as well as big data, machine learning, business intelligence, PowerBI, and Azure.

Today, Maxi is the managing partner and principal architect at Triggerdb Consulting SRL, an Argentine certified Microsoft partner company which provides qualified consulting services, support and training to more than 300 companies in the region.

Maxi remains a frequent speaker for different community and Microsoft events with participation in more than 500 conferences over the years. For example, Maxi remains an active and engaged member of SQLPass Argentina, Power BI Argentina, and SQL Server Performance Spanish. 

Now in his first year of Reconnect, Maxi says it is both personally and professionally exciting to keep in contact with other former titleholders. Meanwhile, the Argentine tech expert says he looks forward to seeing the next generation of Microsoft professionals come through the ranks, encouraging new MVPs to “do and talk about what your communities need” rather than focusing on “the technological trends that are not always the things that the community needs.”

Maxi says he looks forward to the coming years doing what he always did: “teaching what I know and learning what I do not!”

For more on Maxi, check out his blog and Twitter @maxiaccotto.

Back to school 2020 – Microsoft Forms for effective remote learning

by Scott Muniz | Sep 9, 2020 | Uncategorized

This article is contributed. See the original author and article here.

[Note: this blog is a partnership between Microsoft Forms and West Ada School District from Idaho, USA]

Microsoft Forms can be used standalone, but also supports a number of powerful integrations such as Forms within Stream, Teams, OneNote, PowerPoint, and more.  If you missed the blog earlier this year for educators and students, start here: Sample forms to help educators and students shift to online learning

Regardless of your data collection needs, Microsoft Forms is ready to make you even more productive in the school year.  Let’s look at 2 scenarios and show you some of the newer Features in Microsoft Forms:

Scenario 1: Using Quiz in Teams assignment to assess students, collect their work, and provide feedback with their grades.

Quiz creation – Microsoft Forms provides a breath of question types and options so you can build an assessment that meets your needs.

• File upload question – use this question type to allow students to upload a file at response time.  You can configure the allowable size, number of files, and file types.  Quizzes with file upload questions are also now fully supported for use in Teams Assignments. – Learn more
• Half points – Quiz now allows you to set half points, giving you more flexibility on your scoring system.

   

• Printing – if you have any students who require an offline copy or your school has a compliance requirement to store a printed copy, now you can easily print the blank form or quiz via the “…”  Note: if you don’t see it yet, this is rolling out for users in September.

• Sections – If your quiz or form is longer, it may make sense to break it up into sections, which will appear as different pages to the student while taking the quiz. – Learn more

Quizzes in Teams Assignments – Microsoft Forms Quizzes can become even more powerful when used in Teams Assignments.  This allows you easily distribute the quiz to students.

• Clearer interface within Teams assignments – Quiz Assignments will now show you only Quizzes and you can use the New Quiz button to go directly to a new Quiz.  Note: if you want to assign a Form, choose New -> Assignment instead of New -> Quiz – Learn more

   

Student response – New features allow students to use Quizzes even better.

• Immersive reader – allows for a more accessible and inclusive environment in your classroom.  Immersive reader is a full screen reading experience to increase readability of content in Microsoft Forms desktop/mobile view.  Previously only available for EDU users, immersive reader in Forms is now also available to Microsoft Account (MSA) users.  Learn more

• Progress bar – allows your students to see a visual indicator of their progress through a form or quiz, helping them understand how much is remaining.  Note: if you don’t see it yet, this is rolling out for users in September.

Teacher grading – Microsoft Forms supports automatic grading.  However, you can also do manual grading and feedback before returning the quiz to the student when needed.

• Teams assignments data loss prevention – When you are manually grading or putting in comments, you will now be warned before leaving the page too early so you won’t lose any data.  Note: if you don’t see it yet, this is rolling out for users in September.

   

Scenario2: Using Forms to collect information from parents re: their student’s needs.

Form creation – Microsoft Forms continues to add additional features to enable you to collect data more efficiently and effectively.

• Multilingual forms – if you are a multilingual district, you no longer need to create separate forms for different languages, send out different links, and manually merge data for analysis.  You can use a single form, add multiple languages, and Forms will use the responders browser language to show them the correct Form.  They can also change it manually via the drop down.  – Learn more

• Branching– allows you to create customized routing logic in your form or quiz.  Many teachers use this for personalized learning, leading students who get a question incorrect down a path for extra practice questions, vs students who get it correct can jump to the next section.  For this form, if a parent indicates their student requires a device, the form will then show additional questions to determine pickup logistics  – Learn more

   

• Question intelligence can pop up questions from your previous forms, recommend questions based on various standard templates, recommend themes, and much more.  This allows you to create a high quality form even faster – Learn more

Analysis – forms allows you to make better decisions using data.  We continuously add features to provide more meaningful insights so you can get more out of data.

• Excel Data sync – For Group Forms, Forms created in One drive for business/SharePoint/Excel online, Forms will sync results with an online Excel file.  This allows you to use the same online Excel for your analysis instead of having to download a new Excel file each time.  – Learn more

   

Microsoft Forms and West Ada School District are confident you and your school can have more effective teaching and learning by utilizing powerful Microsoft tools, such as Microsoft Forms. 

Get started with Microsoft Forms here.

We listen to our users very closely. Please visit our UserVoice site to submit new feature ideas or vote on existing ones. You can also engage with us and other users right here on Tech Community, where we’ll continue to announce the latest releases.

TeamTNT activity targets Weave Scope deployments

by Scott Muniz | Sep 9, 2020 | Uncategorized

This article is contributed. See the original author and article here.

Yossi Weizman, Security Researcher, Azure Security Center
Ross Bevington, Principal Software Engineer, Microsoft Threat Intelligence Center

The cybercrime group TeamTNT has been tracked by various research groups for a while now, with several articles that were written about their activity that is focused on Docker workloads. In May, TrendMicro research team described the group’s attempts to spread cryptocurrency miners via exposed Docker API servers. In August, Aqua Security released an analysis of several images that are stored under TeamTNT’s Dockerhub account: hildeteamtnt. In this blog we will share new details about this group and elaborate about another, an unknown, access vector that the group uses in addition to exposed Docker API servers.

Azure Security Center leverages data that is collected by Microsoft Threat Intelligence Center’s sensor network. In mid-August, several deployments of the image hildeteamtnt/pause-amd64:3.4 were observed in our sensor network. This repository hasn’t been seen in previous known attacks of this group. Another image from that repository, pause-amd64:3.3, was seen as well. In this blog post, we’ll focus on the first image, pause-amd64:3.4, which has more functionality. Microsoft’s sensor network exposes an open Docker API server and tracks the connection to this service. The attackers tried to deploy their images via this service, which is consistent with the known behavior of TeamTNT group, that spread their malware in this method.

This image has been deployed also on several Kubernetes clusters. Azure Kubernetes Service (AKS) is a managed Kubernetes service that allows customers to easily deploy a Kubernetes cluster in Azure. Azure Security Center monitors the behavior of the AKS management layer as well as the behavior of the containers themselves to find malicious activity.  AKS clusters, as managed services, should not expose Docker API externally. The fact that several clusters were infected by this image might imply that there is additional access vector that is used by the group for spreading their malware. And indeed, we discovered an additional access vector that is used by this group which we will describe later.

The image pause-amd64:3.4 has a similar functionality to other images that are used by this group and is focused on running cryptocurrency mining and spreading the malware to other machines.

The entry point of the image is /root/pause which is a shell script.

The script starts with downloading the main payload: Coin miner (packed with UPX) that is downloaded from: hxxp[://]85.214.149.236:443/sugarcrm/themes/default/images/default.jpg. This server, located in Germany, contains large number binaries and malicious scripts that are used by this group. Some of them were observed in previous campaigns of this group and were analyzed before.

The miner is saved on the host as /usr/sbin/docker-update and executed after allowing its execution and changing its attributes to immutable:

The attackers use a service called iplogger.org which allows them to track the number of infected hosts and get their details:

The script enters a loop, in which in every iteration it invokes the function pwn() five times; each invocation differs in the second parameter, which is a destination port:

The function itself, which a very similar version of it also seen on previous malware of the group as described by TrendMicro,  retrieves an IP range from the server (first parameter) which returns a different range in every request. The function scans that range for open Docker API endpoints with the open-source tool masscan. The scanned port is passed as a parameter to the function. The scanned ports are 2375, 2376, 2377, 4243 and 4244. On each exposed endpoint that is found, the script deploys the same image (pause-amd64:3.4) using the exposed TCP socket. In addition, the script attempts to kill competitor images using docker rm commands.

The details above refer to the image pause-amd:3.4. The image pause-amd:3.3, that was also seen in the honeypots, is very similar and contains the same reconnaissance and spreading phase. However, it does not include the execution of the miner itself. This image contains strings in German, which might, like the IP address of the payload server, point to the origin of the group.

As written above, that image was also observed on several AKS clusters, which are managed Kubernetes clusters. In such a scenario, it is less likely that Docker API service will be exposed to the Internet, as the AKS nodes are configured with the proper configuration of the Docker server. Therefore, we could assume that the attackers had a different access vector in those incidents.

When we looked for the common deployments of the various Kubernetes clusters that were infected by this image, we noticed that all of them have an open Weave Scope service. Weave Scope is a popular visualization and monitoring framework for containerized environments. Among other features, Weave Scope shows the running processes and the network connections of the various containers. In addition, Weave Scope allows users to run shell on the pods or nodes in the cluster (as root). Since Weave Scope does not use any authentication by default, exposure of this service to the Internet poses a severe security risk. And still, we see cluster administrators who enable public access to this interface, as well as other similar services. Attackers, including this group, take advantage of this misconfiguration and use the public access to compromise Kubernetes clusters.

This is not the first time that we detect a campaign that targets exposed sensitive interfaces to the Internet. In June, we revealed a large scale attack that exploited exposed Kubeflow dashboard. In both cases, a high impact service, that allows eventually code execution on the containers or underlying nodes is openly exposed to the Internet. Misconfigured services seem to be among the most popular and dangerous access vectors when it comes to attacks against Kubernetes clusters.

How Azure Security Center protects customers?

Azure Security Center (ASC) detects this attack, as well as similar attacks, both in the Kubernetes management layer and in the node-level:

Management Layer protection

1. ASC automatically detects sensitive services that are exposed to the Internet. In this incident, ASC detected the exposed Weave Scope service. Detecting exposure of such services immediately when they occur is crucial to prevent their exploitation.
2. ASC detects deployments of malicious containers in AKS clusters. The detection covers the images that were used in this attack. ASC uses the data from Microsoft Threat Intelligence Center’s sensor network to continuously expand its coverage and detect the recent attacks in the wild.

Node Level protection

1. ASC detects Docker API services that are openly accessible to the Internet.
2. ASC detects malicious behavior on the nodes, including cryptocurrency mining activity.

Recommendations

1. Azure Policy for Kubernetes can be used to restrict and audit sensitive actions in the cluster such as deploying images from public repositories, deployment of privileged containers etc. For more information see the documentation. Integration with Azure Security Center will be available soon. Policies such as the following can prevent similar incidents: “Privileged containers should be avoided” and “Container images should be deployed from trusted registries only”

IoCs

hxxp://85[.]214[.]149[.]236:443/sugarcrm/themes/default/images/default.jpg
hxxp://rhuancarlos[.]inforgeneses[.]inf[.]br/%20%20%20.%20%20%20.%20%20%20./index.php
hildeteamtnt/pause-amd64:3.4
hildeteamtnt/pause-amd64:3.3
sha256:c88b9f32c143ee78b215b106320dbe79e28d39603353b0b9af2c806bcb9eb7b6
sha256:340d9af58a3b3bedaae040ce9640dd3a9a8c30ddde2c85fb7aa28d2bff2d663e
sha256:139f393594aabb20543543bd7d3192422b886f58e04a910637b41f14d0cad375
sha256:68ad2df23712767361d17a55ee13a3b482bee5a07ea3f3741c057db24b36bfce

Windows Autopilot for HoloLens 2 and Tenant lock

by Scott Muniz | Sep 8, 2020 | Uncategorized

This article is contributed. See the original author and article here.

Few months back we have announced Windows Autopilot for HoloLens 2 devices in a private preview with Windows Holographic ver. 2004 (Build 19041.1103 or later). Windows Autopilot for HoloLens 2 with Microsoft Endpoint Manager (MEM) delivers efficiency, simplifies deployment, and streamlines device security and endpoint management, which drives significant cost and time savings for your organization.

To ensure Windows Autopilot and Microsoft Endpoint Manager provide that streamlined device endpoint management capability, we are announcing two new Autopilot features which are currently available through Windows Holographic Insider preview:

1. Windows Autopilot Tenant lock for HoloLens 2 device. This feature is currently available with Windows Holographic Insider Preview (Build 19041.1366 and above)
2. Autopilot deployment using Wi-Fi connection. This feature is currently available with Windows Holographic Insider Preview (Build 19041.1364 and above)

Windows Autopilot Tenant lock for HoloLens 2 

Windows Autopilot Tenant lock capability would allow your organization to enforce the device to be always bound to your Tenant and managed by your organization after initial enrollment. This feature will ensure that your device is always deployed by Windows Autopilot and managed by Microsoft Endpoint Manager in case of OS updates, accidental or intentional resets or wipes.
When your organization deploys HoloLens 2 devices with Windows Autopilot, you can setup a specific policy which will be deployed post enrollment to enforce:

1. Mandatory network connection during device setup process and consecutive device reset
2. Always enforces Autopilot deployment and requires deployment profile from Autopilot service
3. Prevents local user creation during device setup
4. Prevents all other escape hatches during device setup process that could result in a non-managed state
5. Prevent any device ownership during device setup process other than your organization Tenant it is registered to with Windows Autopilot

Setup Tenant lock custom policy using Microsoft Endpoint Manager

Windows Autopilot Tenant lockdown features uses TenantLockdown CSP behind the scene to enforce this feature along with some OS level changes. Your organization can setup this policy through Microsoft Endpoint Manager device configuration by setting up RequireNetworkInOOBE to True.  Setting up this custom policy would look like this:

1. Sign in to the Microsoft Endpoint Manager admin center
2. From navigation pane, select Devices > Configuration profiles > Create profile
3. Enter following properties and select Create
   • Platform: Windows 10 and later
   • Profile: Custom
4. Enter rest of the information
5. In Configuration settings, enter following
   • Name: pick a name of your custom settings
   • Description: provide description of your custom settings
   • OMA-URI: ./Vendor/MSFT/TenantLockdown/RequireNetworkInOOBE
   • Data type: Boolean
   • Value: True
6. Complete rest of the setup steps for this custom OMA URI
7. Assign this device configuration profile to HoloLens 2 device group that are getting deployed with Autopilot

Learn more on custom configuration settings through MEM

Make sure your HoloLens 2 devices are member of this group and verify that device configuration has been successfully applied. Once this device configuration is successfully applied on the HoloLens 2 devices during Autopilot deployment, TenantLockdown will be active and enforced on future device reset, wipes or reimage.

Unset Tenant lock custom policy using Microsoft Endpoint Manager

To remove Tenant lock enforcement, remove the device from the device group to which the device configuration is created and assigned or create a similar custom OMA-URI settings with RequireNetworkInOOBE to False and assign to the device group you do not want this to be enforced.  

One important thing to remember is when you retire, recycle or device is sent back for repair, you must un-enroll the device from original tenant and unset the custom TenantLockdown policy.

HoloLens 2 device setup/OOBE experience

After this policy is enforce the device, tenant lock will be active and enforced on future device reset or wipes. During next device setup/OOBE experience, device would force the user to get connected to the internet and look for Autopilot profile. Without any connectivity end user would not be able to proceed through OOBE. When connected device would get Autopilot self-deployment profile and automatically complete device provisioning to organization Tenant with close to zero touch.

Using Autopilot with Wi-Fi connection

As part of Insider Preview (Build 19041.1364 or above), Windows Autopilot Deployment for HoloLens 2 supports Wi-Fi connection in addition to the ethernet based connection. In other words, you do not need to use ethernet to USB C or Wi-Fi to USB C adapter, instead you can connect the device to your available Wi-Fi internet network and deploy the device with Windows Autopilot. 

Learn more about Insider Preview for Microsoft HoloLens and other available features.

We look forward to hearing your feedback on these two Insiders preview features and thank you in advance for your interest and participation!

[Mentorship Spotlight] Community Mentoring: Paula & Kelvin

by Scott Muniz | Sep 8, 2020 | Uncategorized

This article is contributed. See the original author and article here.

This month, we’re thrilled to kick off a new Mentorship spotlight series. We interviewed Paula Sillars, a network administrator and infrastructure tech support professional in Australia who shared about her mentorship experience with Singapore-based mentee Kelvin Chua via the Humans of IT Community Mentors mobile app. Stay tuned for our next post to hear Kelvin’s perspective as a mentee on the app.

Meet our featured mentor from Australia, Paula Sillars:

Q: Tell us a little about yourself.

A: I am a network administrator and infrastructure tech support professional. I have been working on it pretty much since I left school. I was a bit of a computer geek at school, so I ended up working at a University in the library systems department and that was sort of my first real job. From there I moved into managed services probably about 20 years ago. Now, I am an IT Manager based in Gold Coast, Australia.

Q: What does mentoring mean to you?

A: Sharing my knowledge and experience with others – but also opening someone up so they don’t feel like they are alone in their experience. You want to feel comfortable speaking with a person that is outside your normal work environment. Someone that you can bounce ideas off of and ask questions without fear of judgment from your colleagues. In some ways, it is like being a confidante, and a mentoring relationship should be a completely secure one. There is balance with having input from someone that is outside of your circle who can give you a different perspective. Maybe what I say will spark something new for this person.

Q: When did you first start as a mentor?

A: This is interesting because I always just shared my love and passion for tech with others and didn’t realize until speaking at the last Microsoft Ignite conference that others would find that valuable. I had always been fortunate to have many male allies at work that were supportive in teaching me and never making me feel alone that I didn’t realize other women could benefit from hearing my story and how I navigated my career over the last 20 years. When I discovered the Microsoft Humans of IT Community Mentors app, I knew that I wanted to get started. I think I’ve always naturally gravitated towards helping or mentoring others – even early on in my career I would take the junior engineers under my wing and help where I could. I always made myself available so people could have support whether it was “official” (i.e a formal mentorship) or not.

Q: What is the key to being an effective mentor?

A: Being empathetic – try to put yourself in that person’s position. The mentee doesn’t always know what they are asking. Don’t be judgmental. Keep the responses open so that the person can think about the response and come to their own conclusions, while you are more of a guide. The format that the Microsoft Humans of IT community uses works great because it gives you and the mentee time to absorb and ponder about the feedback. That helps me to be the most effective with the information I provide.

Q: What has inspired you to be a mentor?

A: Two years ago, I spoke at Microsoft Ignite and I was surprised by how many people were encouraged and interested in my story. That was what first inspired me to look for ways to share my story and help others. The Human of IT community and their free mentorship app made it so easy to get started!

Q: How did you get matched with each other?

A: Kelvin found my profile on the app and reached out to me – on the surface, it seemed like we really didn’t have much in common: Our backgrounds are different, we’re from different countries (Australia and Singapore) with very different cultures. However, our unique lived experiences actually worked out really well since we can share our diverse perspectives. Plus, logistically it was great because Kelvin was able to ask me questions through the app in his own time zone, and then when I had time during my break in my own time zone I then could read, think about and respond to his question.

Q: Tell us about your experience mentoring Kelvin?

A: It was really quite rewarding – while I do help other people at work, I don’t have any technical reports so working with Kelvin was amazing to have someone to share ideas with and formally mentor.

Q: What has been your experience with the app?

A: I am excited to do more – the process is not onerous; it was fast and convenient to interact when you have time. Plus, it was great to have something meaningful to do during my breaks!

What is your favorite feature?

A: The chat function – I used it the most, and it was the most helpful.

Note to readers: When you accept a mentorship request as a mentor, or have your mentorship requested by your mentor (if you’re a mentee), a private chat window will automatically open and remain open for 30 days so that you can conveniently communicate with your mentor. The duration of your mentorship can be extended for up to 90 days total if you and your mentor/mentee wish to continue communicating on the app beyond the initial 30 days.

Who is an example of a great mentor that inspired you?

A: I have a few in mind. Example 1: This isn’t necessarily a formal mentor, but I was working with a colleague, really looked up to him – a good bloke and a really smart guy. One time we were working at a data center and I didn’t think I could solve a particular issue and I blurted something like “Oh, I am not sure about that, I am not very technical”. He stopped me and said, “You’re out of your mind – you bring so much to the table and to the team – you’ve got amazing communication skills, you do the documentation, customers love you, so don’t put yourself down.” I was stunned because I was always working on teams that were specialized and I personally felt like I was never the most technical. This was the first time that someone that had no reason to tell me this actually said something, and it made me realize that I do bring a lot to the team that the others don’t have. After all these years, that has really stuck with me – it was so powerful that someone took the time to give me perspective and has greatly impacted my own outlook since.

Example 2: Early in my career, I was with a new customer – and he made totally inappropriate comments to me so I went back and told my boss. My boss called the customer and told him, “You made our associate so uncomfortable that we do not want to do business with you anymore.” My boss went to bat for me – that really made me feel important and that what I was doing was important. I so appreciate that I’ve had people help stand up for me in my career, and so I wanted to do the same for others.

Want to start your journey as a mentor and/or mentee? 

1. Download the Microsoft Community Mentors app (make sure you’re on the latest v3.0!)

2. Log in with your Tech Community credentials (Note: You will need to be a member of the Humans of IT Community). If you are not already a member, you will be prompted to complete your Tech Community registration and officially join the Humans of IT community.

3. Create your profile and look for your future mentor and/or mentee! 

Happy mentoring!

#HumansofIT 

#Mentorship 

#CommunityMentors