Expansion of FIDO standard and new updates for Microsoft passwordless solutions

Howdy folks, 

Happy World Password Day! Today, I’m super excited to share some great news with you: Together, with the FIDO Alliance and other major platforms, Microsoft has announced support for the expansion of a common passwordless standard created by the FIDO Alliance and the World Wide Web consortium. These multi-device FIDO credentials, sometimes referred to as passkeys, represent a monumental step toward a world without passwords. We also have some great updates coming to our passwordless solutions in Azure Active Directory (Azure AD) and Windows that will expand passwordless to more use cases. 

Passwords have never been less adequate for protecting our digital lives. As Vasu Jakkal reported earlier today, there are over 921 password attacks every second. Lots of attackers want your password and will keep trying to steal it from you. It’s better for everyone if we just cut off their supply. 

Replacing passwords with passkeys 

Passkeys are a safer, faster, easier replacement for your password. With passkeys, you can sign in to any supported website or application by simply verifying your face, fingerprint or using a device PIN. Passkeys are fast, phish-resistant, and will be supported across leading devices and platforms. Your biometric information never leaves the device and passkeys can even be synced across devices on the same platform – so you don’t need to enroll each device and you’re protected in case you upgrade or lose your device. You can use Windows Hello today to sign in to any site that supports passkeys, and in the near future, you’ll be able to sign in to your Microsoft account with a passkey from an Apple or Google device.  

We enthusiastically encourage website owners and app developers to join Microsoft, Apple, Google, and the FIDO Alliance to support passkeys and help realize our vision of a truly passwordless world.  

thumbnail image 1 of blog post titled
Expansion of FIDO standard and new updates for Microsoft passwordless solutions

Going passwordless 

We’re proud to have been one of the earliest supporters of the FIDO standards, including FIDO2 certification for Windows Hello. We’re thrilled to evolve the FIDO standards ecosystem to support passkeys and that passwordless authentication continues to gain momentum. 

Since we started introducing passwordless sign-in nearly 5 years ago, the number of people across Microsoft services signing in each month without using their password has reached more than 240 million. And in the last six months, over 330,000 people have taken the next step of removing the password from their Microsoft Account. After all, you’re completely safe from password-based attacks if you don’t have one. 

Today, we’re also announcing new capabilities that will make it easier for enterprises to go completely passwordless: 

Passwordless for Windows 365, Azure Virtual Desktop, and Virtual Desktop Infrastructure 

Now that remote or hybrid work is the new norm, lots more people are using a remote or virtualized desktop to get their work done. And now, we’ve added passwordless support for Windows 365, Azure Virtual Desktop, and Virtual Desktop Infrastructure. This is currently in preview with Windows 11 Insiders, and is on the way for Windows 10 as well.  

Windows Hello for Business Cloud Trust  

Windows Hello for Business Cloud Trust simplifies the deployment experience of Windows Hello for hybrid environments. This new deployment model removes previous requirements for public key infrastructure (PKI) and syncing public keys between Azure AD and on-premises domain controllers. This improvement eliminates delays between users provisioning Windows Hello for Business and being able to authenticate and makes it easier than ever to use Windows Hello for Business for accessing on-premises resources and applications. Cloud Trust is now available in preview for Windows 10 21H2 and Windows 11 21H2. 

Multiple passwordless accounts in Microsoft Authenticator 

When we first introduced passwordless sign-in for Azure AD (work or school accounts), Microsoft Authenticator could only support one passwordless account at a time. Now that limitation has been removed and you can have as many as you want. iOS users will start to see this capability later this month and the feature will be available on Android afterwards.  

thumbnail image 2 captioned Passwordless phone sign in experience in Microsoft Authenticator for Azure AD accounts.Passwordless phone sign in experience in Microsoft Authenticator for Azure AD accounts.

Temporary Access Pass in Azure AD 

Temporary Access Pass in Azure AD, a time-limited passcode, has been a huge hit with enterprises since the public preview, and we’ve been adding more ways to use it as we prepare to release the feature this summer. Lots of customers have told us they want to distribute Temporary Access Passes instead of passwords for setting up new Windows devices. You’ll be able to use a Temporary Access Pass to sign in for the first time, to configure Windows Hello, and to join a device to Azure AD. This update will be available next month. 

thumbnail image 3 captioned End user experience for Temporary Access Pass in Windows 11 onboarding.End user experience for Temporary Access Pass in Windows 11 onboarding.

Customers implementing passwordless today 

We already have several great examples of large Microsoft customers implementing passwordless solutions, including Avanade, who went passwordless with help from Feitian to protect their clients’ data against security breaches. Amedisys, a home healthcare and hospice care provider, went passwordless to keep patient personal information secured. Both organizations are committed to using passwordless authentication not only to strengthen security, but also to make the sign-in experience easier for end users. 

We’d love to hear your feedback, so please leave a comment, check out the documentation, and visit aka.ms/gopasswordless for more information. 

Best regards,  

Alex Simons (Twitter: @Alex_A_Simons

Corporate Vice President of Program Management 

Microsoft Identity Division 

Source :
https://techcommunity.microsoft.com/t5/azure-active-directory-identity/expansion-of-fido-standard-and-new-updates-for-microsoft/ba-p/3290633

Secure access for a connected world meet Microsoft Entra

What could the world achieve if we had trust in every digital experience and interaction?

This question has inspired us to think differently about identity and access, and today, we’re announcing our expanded vision for how we will help provide secure access for our connected world.

Microsoft Entra is our new product family that encompasses all of Microsoft’s identity and access capabilities. The Entra family includes Microsoft Azure Active Directory (Azure AD), as well as two new product categories: Cloud Infrastructure Entitlement Management (CIEM) and decentralized identity. The products in the Entra family will help provide secure access to everything for everyone, by providing identity and access management, cloud infrastructure entitlement management, and identity verification.

The need for trust in a hyperconnected world 

Technology has transformed our lives in amazing ways. It’s reshaped how we interact with others, how we work, cultivate new skills, engage with brands, and take care of our health. It’s redefined how we do business by creating entirely new ways of serving existing needs while improving the experience, quality, speed, and cost management.

Behind the scenes of all this innovation, millions and millions of connections happen every second between people, machines, apps, and devices so that they can share and access data. These interactions create exciting opportunities for how we engage with technology and with each other—but they also create an ever-expanding attack surface with more and more vulnerabilities for people and data that need to be addressed.

It’s become increasingly important—and challenging—for organizations to address these risks as they advance their digital initiatives. They need to remove barriers to innovation, without the fear of being compromised. They need to instill trust, not only in their digital experiences and services, but in every digital interaction that powers them—every point of access between people, machines, microservices, and things.

Our expanded vision for identity and access

When the world was simpler, controlling digital access was relatively straightforward. It was just a matter of setting up the perimeter and letting only the right people in.

But that’s no longer sustainable. Organizations simply can’t put up gates around everything—their digital estates are growing, changing, and becoming boundaryless. It’s virtually impossible to anticipate and address the unlimited number of access scenarios that can occur across an organization and its supply chain, especially when it includes third-party systems, platforms, applications, and devices outside the organization’s control.

Identity is not just about directories, and access is not just about the network. Security challenges have become much broader, so we need broader solutions. We need to secure access for every customer, partner, and employee—and for every microservice, sensor, network, device, and database.

And doing this needs to be simple. Organizations don’t want to deal with incomplete and disjointed solutions that solve only one part of the problem, work in only a subset of environments, and require duct tape and bubble gum to work together. They need access decisions to be as granular as possible and to automatically adapt based on real-time assessment of risk. And they need this everywhere: on-premises, Azure AD, Amazon Web Services, Google Cloud Platform, apps, websites, devices, and whatever comes next.

This is our expanded vision for identity and access, and we will deliver it with our new product family, Microsoft Entra.

Vasu Jakkal and Joy Chik sit together and discuss new Microsoft Entra product family.

Video description: Vasu Jakkal, Corporate Vice President, Security, Compliance, Identity and Management, and Joy Chik, CVP of Identity, are unveiling Microsoft Entra, our new identity and access product family name, and are discussing the future of modern identity and access security.

Making the vision a reality: Identity as a trust fabric

To make this vision a reality, identity must evolve. Our interconnected world requires a flexible and agile model where people, organizations, apps, and even smart devices could confidently make real-time access decisions. We need to build upon and expand our capabilities to support all the scenarios that our customers are facing.

Moving forward, we’re expanding our identity and access solutions so that they can serve as a trust fabric for the entire digital ecosystem—now and long into the future.

Microsoft Entra will verify all types of identities and secure, manage, and govern their access to any resource. The new Microsoft Entra product family will:

  • Protect access to any app or resource for any user.
  • Secure and verify every identity across hybrid and multicloud environments.
  • Discover and govern permissions in multicloud environments.
  • Simplify the user experience with real-time intelligent access decisions.

This is an important step towards delivering a comprehensive set of products for identity and access needs, and we’ll continue to expand the Microsoft Entra product family.

“Identity is one of the cornerstones of our cybersecurity for the future.”

—Thomas Mueller-Lynch, Service Owner Lead for Digital Identity, Siemens

Microsoft Entra at a glance

Microsoft Azure AD, our hero identity and access management product, will be part of the Microsoft Entra family, and all its capabilities that our customers know and love, such as Conditional Access and passwordless authentication, remain unchanged. Azure AD External Identities continues to be our identity solution for customers and partners under the Microsoft Entra family.

Additionally, we are adding new solutions and announcing several product innovations as part of the Entra family.

Solutions under the Microsoft Entra product family including Microsoft Azure Active Directory, Permissions Management, and Verified ID.

Reduce access risk across clouds

The adoption of multicloud has led to a massive increase in identities, permissions, and resources across public cloud platforms. Most identities are over-provisioned, expanding organizations’ attack surface and increasing the risk of accidental or malicious permission misuse. Without visibility across cloud providers, or tools that provide a consistent experience, it’s become incredibly challenging for identity and security teams to manage permissions and enforce the principle of least privilege across their entire digital estate.

With the acquisition of CloudKnox Security last year, we are now the first major cloud provider to offer a CIEM solution: Microsoft Entra Permissions Management. It provides comprehensive visibility into permissions for all identities (both user and workload), actions, and resources across multicloud infrastructures. Permissions Management helps detect, right-size, and monitor unused and excessive permissions, and mitigates the risk of data breaches by enforcing the principle of least privilege in Microsoft Azure, Amazon Web Services, and Google Cloud Platform. Microsoft Entra Permissions Management will be a standalone offering generally available worldwide this July 2022 and will be also integrated within the Microsoft Defender for Cloud dashboard, extending Defender for Cloud’s protection with CIEM.

Additionally, with the preview of workload identity management in Microsoft Entra, customers can assign and secure identities for any app or service hosted in Azure AD by extending the reach of access control and risk detection capabilities.

Enable secure digital interactions that respect privacy

At Microsoft, we deeply value, protect, and defend privacy, and nowhere is privacy more important than your personal identity. After several years of working alongside the decentralized identity community, we’re proud to announce a new product offering: Microsoft Entra Verified ID, based on decentralized identity standards. Verified ID implements the industry standards that make portable, self-owned identity possible. It represents our commitment to an open, trustworthy, interoperable, and standards-based decentralized identity future for individuals and organizations. Instead of granting broad consent to countless apps and services and spreading identity data across numerous providers, Verified ID allows individuals and organizations to decide what information they share, when they share it, with whom they share it, and—when necessary—take it back.

The potential scenarios for decentralized identity are endless. When we can verify the credentials of an organization in less than a second, we can conduct business-to-business and business-to-customer transactions with greater efficiency and confidence. Conducting background checks becomes faster and more reliable when individuals can digitally store and share their education and certification credentials. Managing our health becomes less stressful when both doctor and patient can verify each other’s identity and trust that their interactions are private and secure. Microsoft Entra Verified ID will be generally available in early August 2022.

“We thought, ‘Wouldn’t it be fantastic to take a world-leading technology like Microsoft Entra and implement Verified ID for employees in our own office environment?’ We easily identified business opportunities where it would help us work more efficiently.”

—Chris Tate, Chief Executive Officer, Condatis

Automate critical Identity Governance scenarios

Next, let’s focus on Identity Governance for employees and partners. It’s an enormous challenge for IT and security teams to provision new users and guest accounts and manage their access rights manually. This can have a negative impact on both IT and individual productivity. New employees often experience a slow ramp-up to full effectiveness while they wait for the access required for their jobs. Similar delays in granting necessary access to guest users undermine a smoothly functioning supply chain. Then, without formal or automated processes for reprovisioning or deactivating people’s accounts, their access rights may remain in place when they change roles or exit the organization.

Identity Governance addresses this with identity lifecycle management, which simplifies the processes for onboarding and offboarding users. Lifecycle workflows automate assigning and managing access rights, and monitoring and tracking access, as user attributes change. Lifecycle workflows in Identity Governance will enter public preview this July 2022.

“We were so reactive for so long with old technology, it was a struggle. [With Azure AD Identity Governance] we’re finally able to be proactive, and we can field some of those complex requests from the business side of our organization.”

—Sally Harrison, Workplace Modernization Consultant, Mississippi Division of Medicaid

Create possibilities, not barriers

Microsoft Entra embodies our vision for what modern secure access should be. Identity should be an entryway into a world of new possibilities, not a blockade restricting access, creating friction, and holding back innovation. We want people to explore, to collaborate, to experiment—not because they are reckless, but because they are fearless.

Visit the Microsoft Entra website to learn more about how Azure AD, Microsoft Entra Permissions Management, and Microsoft Entra Verified ID deliver secure access for our connected world.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

Source :
https://www.microsoft.com/security/blog/2022/05/31/secure-access-for-a-connected-worldmeet-microsoft-entra/

Microsoft Edge really wants to import your data from Google Chrome more often

Microsoft has been quite aggressive in its moves to get people away from Google Chrome and over to its revamped Edge browser. In its latest move, Microsoft Edge is adding a feature that imports data from Google Chrome constantly.

As highlighted by the folks over at Windows Latest, Microsoft Edge has an option to automatically import data from another browser, specifically Google Chrome. The previous “import browser data” page in Edge’s Settings menu used to simply offer a one-time import option for your data, syncing over bookmarks, passwords, your browsing history, and more. Clicking the option to import browser data would simply open a menu for a one-time import from any other browser on your computer.

But now, Microsoft has been allowing users to import browser data from Google Chrome on every launch. From what we can tell, the feature has been available in some capacity for at least a few months, but went largely under the radar until now, even as it’s live on Edge 101. It seems that new updates may be putting more emphasis on the feature. u/Leopeva64 notes that Edge 104, now in the Canary channel, redesigns the import page with a new look for this tool that puts much more emphasis on this setting.

microsoft edge chrome import data
Edge 104

Chrome is, notably, the only option for this automatic import setting, with Mozilla Firefox not showing up as an option as it does on the manual import option. Microsoft explains the feature:

Import browser data on each launch

Always have access to your recent browsing data each time you browse on Microsoft Edge

Importing data from another browser on your computer isn’t a new idea, and it’s certainly something Edge is more than happy to do. This latest change will simply do that automatically, in what’s clearly a move to make it easier for Google Chrome users to use Edge more often.

There are also a couple of new options for this. Microsoft Edge can import data from Chrome as usual, with bookmarks (though not automatically, right now), passwords, browsing history, settings, saved passwords, personal information, and payment details. But now, Edge can also pull open tabs and extensions over from Chrome. This would effectively mean that Edge can pick up where Chrome left off. Extensions, though, are also not available automatically at this point.

Windows Latest notes that imported tabs are marked as such, and Microsoft mentions on a support page that it can import up to 50 tabs at once. Microsoft has yet to update that same page with this automatic import option.

9to5Google’s Take

Being able to use Microsoft Edge as a mirror of Google Chrome is a pretty great idea, admittedly. The idea of being able to use Chrome with a specific set of extensions, settings, and more while essentially having a backup of that data in Edge is nice. It removes a barrier from switching between the two.

However, it still feels like Microsoft is trying too hard – again. Edge is a great browser on its own, and tools like this are indeed very helpful. But is this targeted behavior really necessary? At a technical level, this might only be possible with Chrome, but it’s surely no coincidence that Microsoft is clearly marking the feature as something you can do only with Chrome. It wouldn’t be surprising if, in the future, Microsoft turned on this feature by default either during or after setup.

Source :
https://9to5google.com/2022/05/30/microsoft-edge-google-chrome-data/

Yoast SEO 19.0: Optimize crawling and Bing discoverability

One of the most important aspects of SEO is optimizing the crawlability of your site. Search engines have near-endless resources, so they have the power to crawl everything they find — and they will. But, that is not the way it should be. Almost every CMS outputs URLs that don’t make sense and that crawlers could safely skip. With Yoast SEO Premium 18.6, we’re starting a series of additions to clean up those unnecessary URLs, feeds, and assets so that the more critical stuff stands a better chance of being crawled.

Making your site easier to crawl

Google and other search engines crawl almost everything they can find — as Yoast founder Joost de Valk proves in a post on his site. But it can be hard to get them to crawl what you want them to crawl. Moreover, crawlers can come by many times each day and still not pick up the important stuff. There’s a lot to gain for every party involved — from the crawlers, site owners, and environment — to make this process more sensible. Yoast SEO Premium will help search engines crawl your site more efficiently.

In Yoast SEO Premium 18.6, we’re introducing the first addition to our crawl settings, allowing you to manage better what search engines can skip on your site. In this release, we’re starting with those RSS feeds of post comments in WordPress, but we have a long list of stuff that we want to help you manage.

Head over to our new Crawl settings section in the General settings of Yoast SEO Premium and activate the first addition to preventing search engines from crawling the post comment feeds.

From Yoast SEO Premium 18.6 on, the Crawl settings will host additional controls that impact crawling

This feature is available to all Yoast SEO Premium subscribers in beta form, and we’ve selected not to activate this for every site. In some cases, there still might be sites that use this in a way we can’t anticipate. We’re rolling out more crawling options — big and small — in the coming releases.

Let’s all start cleaning up the crawling on our sites — it’s better for you, your visitors, search engines, and the environment. All with a little help from Yoast SEO Premium. Let’s go!

Go Premium and get access to all our features!

Premium comes with lots of features and free access to our SEO courses!Get Yoast SEO Premium »Only €99 EUR / per year (ex VAT) for 1 site

Keeping Bing updated on your site

Yoast SEO 19.0 and Premium 18.6 also help Bing find your XML sitemaps. Last week, Bing changed the way they previously handled XML sitemaps. Before, we could submit sitemaps URLs anonymously using an HTTP request, but Bing found that spammers were misusing it thanks to this anonymity. You have two options to submit your sitemaps to Bing: a link in the robots.txt file or Bing Webmaster Tools.

To make your sitemaps available to Bing, we’ve updated Yoast SEO to add a link to your XML sitemap to your robots.txt file — if you want. This ensures that Bing can easily find your sitemap and keep updated on whatever you publish or change on your site. If you haven’t made a robots.txt file yourself, we’ll now add one with a link to your sitemap.xml file. You can add the link yourself via the file editor in Yoast SEO if you already have one.

Also, this might be an excellent opportunity to check out Bing Webmaster Tools — there are some great insights to be gained into your site’s performance on Bing.

An example from Bings homepage that shows the XML sitemaps properly links in the robots.txt

Other enhancements and fixes

Of course, we did another round of bug fixes and enhancements. There are two that we’d like to highlight here. We’ve enhanced the compatibility with Elementor, ensuring that our SEO analysis functions appropriately.

In addition, we enhanced our consecutive sentence assessment in the readability analysis. This threw warnings when you had multiple sentences starting with the same word in a list. We handle content in lists differently now, and having various instances with the same word should not throw a warning anymore.

Update now to Yoast SEO 19.0 & Premium 18.6

In this release, we’re introducing more ways to control crawling on your site. For Yoast SEO Premium, we’re starting with a small addition to manage post comment feeds, but we’re expanding that in the coming releases. The feature is in beta, so we welcome your feedback!

In addition, we’ve also made sure that Bing can still find your XML sitemap, and we’ve fixed a couple of bugs with Elementor and our readability analyses.

Source :
https://yoast.com/yoast-seo-may-31-2022/

Anatomy of a DDoS amplification attack

Amplification attacks are one of the most common distributed denial of service (DDoS) attack vectors. These attacks are typically categorized as flooding or volumetric attacks, where the attacker succeeds in generating more traffic than the target can process, resulting in exhausting its resources due to the amount of traffic it receives. 

In this blog, we start by surveying the anatomy and landscape of amplification attacks, while providing statistics from Azure on most common attack vectors, volumes, and distribution. We then describe some of the countermeasures taken in Azure to mitigate amplification attacks. 

DDoS amplification attacks, what are they? 

Reflection attacks involve three parties: an attacker, a reflector, and a target. The attacker spoofs the IP address of the target to send a request to a reflector (e.g., open server, middlebox) that responds to the target, a virtual machine (VM) in this case. For the attack to be amplified the response should be larger than the request, resulting in a reflected amplification attack. The attacker’s motivation is to create the largest reflection out of the smallest requests. Attackers achieve this goal by finding many reflectors and crafting the requests that result in the highest amplification. 

The diagram illustrates how the attacker pushes a reflection attack to a target virtual machine that is hosted in Azure.
Figure 1. Reflected amplification attack

The root cause for reflected amplification attacks is that an attacker can force reflectors to respond to targets by spoofing the source IP address. If spoofing was not possible, this attack vector would be mitigated. Lots of effort has thus been made on disabling IP source address spoofing, and many organizations prevent spoofing nowadays so that attackers cannot leverage their networks for amplification attacks. Unfortunately, a significant number of organizations still allow source spoofing. The Spoofer project shows that a third of the IPv4 autonomous systems allow or partially allow spoofing.  

UDP and TCP amplification attacks 

Most attackers utilize UDP to launch amplification attacks since reflection of traffic with spoofed IP source address is possible due to the lack of proper handshake.  

While UDP makes it easy to launch reflected amplification attacks, TCP has a 3-way handshake that complicates spoofing attacks. As a result, IP source address spoofing is restricted to the start of the handshake. Although the TCP handshake allows for reflection, it does not allow for easy amplification since TCP SYN+ACK response is not larger than TCP SYN. Moreover, since the TCP SYN+ACK response is sent to the target, the attacker never receives it and can’t learn critical information contained in the TCP SYN+ACK needed to complete the 3-way handshake successfully to continue making requests on behalf of the target. 

The diagram illustrates how an attacker conducts a reflection attack in TCP. The attacker sends through SYN, then the reflector reflects packets restransmitted through SYN + ACK combination, which then sends an out-of-state SYN + ACK attack to the target virtual device.
Figure 2. Reflection attack in TCP 

In recent years, however, reflection and amplification attacks based on TCP have started emerging.  

Independent research found newer TCP reflected amplification vectors that utilize middleboxes, such as nation-state censorship firewalls and other deep packet inspection devices, to launch volumetric floods. Middleboxes devices may be deployed in asymmetric routing environments, where they only see one side of the TCP connection (e.g., packets from clients to servers). To overcome this asymmetry, such middleboxes often implement non-compliant TCP stack. Attackers take advantage of this misbehavior – they do not need to complete the 3-way handshake. They can generate a sequence of requests that elicit amplified responses from middleboxes and can reach infinite amplification in some cases. The industry has started witnessing these kinds of attacks from censorship and enterprise middle boxes, such as firewalls and IDPS devices, and we expect to see this trend growing as attackers look for more ways to create havoc utilizing DDoS as a primary weapon.  

Carpet bombing is another example of a reflected amplification attack. It often utilizes UDP reflection, and in recent years TCP reflection as well. With carpet bombing, instead of focusing the attack on a single or few destinations, the attacker attacks many destinations within a specific subnet or classless inter-domain routing (CIDR) block (for example /22). This will make it more difficult to detect the attack and to mitigate it, since such attacks can fly below prevalent baseline-based detection mechanisms. 

This diagram shows how an attacker uses reflectors to send spoofed packets to many target devices within a specific subnet hosted in Azure.
Figure 3. Carpet bombing attack 

One example of TCP carpet bombing is TCP SYN+ACK reflection, where attacker sends spoofed SYN to a wide range of random or pre-selected reflectors. In this attack, amplification is a result of reflectors that retransmit the TCP SYN+ACK when they do not get a response. The amplification of the TCP SYN+ACK response itself may not be large, and it depends on the number of retransmissions sent by the reflector. In Figure 3, the reflected attack traffic towards each of the target virtual machines (VMs) may not be enough to bring them down, however, collectively, the traffic may well overwhelm the targets’ network. 

UDP and TCP amplification attacks in Azure 

In Azure, we continuously work to mitigate inbound (from internet to Azure) and outbound (from Azure to internet) amplification attacks. In the last 12 months, we mitigated approximately 175,000 UDP reflected amplification attacks. We monitored more than 10 attack vectors, where the most common ones are NTP with 49,700 attacks, DNS with 42,600 attacks, SSDP with 27,100 attacks, and Memcached with 18,200 attacks. These protocols can demonstrate amplification factors of up to x4,670, x98, x76 and x9,000 respectively. 

This pie chart shows the volume of UDP- reflected amplification attacks observed in Azure from April 1, 2021, to March 31, 2022. The highest volume observed is 28% through NTP, while the least volume observed is 2% through Open VPN.
Figure 4. UDP reflected amplification attacks observed from April 1, 2021, to March 31, 2022

We measured the maximum attack throughput in packets per second for a single attack across all attack vectors. The highest throughput was a 58 million packets per second (pps) SSDP flood in August last year, in a short attack campaign that lasted 20 minutes on a single resource in Azure. 

This bar chart shows the packets per second flooding observed from April 1, 2021, to March 31, 2022 in Azure. The tallest bar represents the maximum observed throughput of 58 million packets per second SSDP flooding, while the shortest bar represents below 10M packets per second CharGEN flooding.
Figure 5. Maximum pps recorded for a single attack observed from April 1, 2021, to March 31, 2022 

TCP reflected amplification attacks are becoming more prevalent, with new attack vectors discovered. We encounter these attacks on Azure resources utilizing diverse types of reflectors and attack vectors. 

One such example is a TCP reflected amplification attack of TCP SYN+ACK on an Azure resource in Asia. Attack reached 30 million pps and lasted 15 minutes. Attack throughput was not high, however there were approximately 900 reflectors involved, each with retransmissions, resulting in a high pps rate that can bring down the host and other network infrastructure elements. 

This line chart shows the TCP SYN+ACK amplification attack volume on a single resource as seen on Azure. The line chart shows a spike reaching 30 million packets per second with a 15 minute duration. The 15-minute window illustrates the packets per second volume going down in the middle of the 15-minute window, and tapers off abruptly at the end of the 15-minute window.
Figure 6. TCP SYN+ACK amplification attack volume on an Azure resource in Asia

We see many TCP SYN+ACK retransmissions associated with the reflector that doesn’t get the ACK response from the spoofed source. Here is an example of such a retransmission: 

This screenshot shows a TCP SYN+ACK retransmission that doesn't get the ACK response. The screenshot highlights the information from source to destination and through which protocol it passes.

The retransmitted packet was sent 60 seconds after the first. 

Mitigating amplification attacks in Azure 

Reflected amplification attacks are here to stay and pose a serious challenge for the internet community. They continue to evolve and exploit new vulnerabilities in protocols and software implementations to bypass conventional countermeasures. Amplification attacks require collaboration across the industry to minimize their effect. It is not enough to mitigate such attacks at a certain location, with a pinpoint mitigation strategy. It requires intertwining of network and DDoS mitigation capabilities. 

Azure’s network is one of the largest on the globe. We combine multiple DDoS strategies across our network and DDoS mitigation pipeline to combat reflected amplification DDOS attacks.  

On the network side, we continuously optimize and implement various traffic monitoring, traffic engineering and quality of service (QoS) techniques to block reflected amplification attacks right at the routing infrastructure. We implement these mechanisms at the edge and core of our wide area networks (WAN) network, as well as within the data centers. For inbound traffic (from the Internet), it allows us to mitigate attacks right at the edge of our network. Similarly, outbound attacks (those that originate from within our network) will be blocked right at the data center, without exhausting our WAN and leaving our network. 

On top of that, our dedicated DDoS mitigation pipeline continuously evolves to offer advanced mitigation techniques against such attacks. This mitigation pipeline offers another layer of protection, on top of our DDoS networking strategies. Together, these two protection layers provide comprehensive coverage against the largest and most sophisticated reflected amplification attacks.  

Since reflected amplification attacks are typically volumetric, it is not only enough to implement advanced mitigation strategies, but also to maintain a highly scalable mitigation pipeline to be able to cope with the largest attacks. Our mitigation pipeline can mitigate more than 60Tbps globally, and we continue to evolve it by adding mitigation capacity across all network layers.  

Different attack vectors require different treatment 

UDP-based reflected amplification attacks are tracked, monitored, detected, and mitigated for all attack vectors. There are various mitigation techniques to combat these attacks, including anomaly detection across attacked IP addresses, L4 protocols, and tracking of spoofed source IPs. Since UDP reflected amplification attacks often create fragmented packets, we monitor IP fragments to mitigate them successfully.  

TCP-based reflected amplification attacks take advantage of poor TCP stack implementations, and large set of reflectors and targets, to launch such attacks. We adopt our mitigation strategies to be able to detect and block attacks from attackers and reflectors. We employ a set of mitigations to address TCP SYN, TCP SYN+ACK, TCP ACK, and other TCP-based attacks. Mitigation combines TCP authentication mechanisms that identify spoofed packets, as well as anomaly detection to block attack traffic when data is appended to TCP packets to trigger amplification with reflectors.  

The diagram shows how Azure uses mechanisms to stop amplification attacks as soon as a packet leaves a reflector or an attacker. Azure stops spoofed attacks in the following areas: 1. Attacks coming from an attacker-controlled reflector or direct from the attacker that is located outside Azure-protected space, with the attacks going to a target virtual machine or a reflector located inside a Azure; 2. Attacks coming from an attacker located within the Azure-protected space, and the attack is going to the reflector device outside of Azure, or an attack going through a reflector device to target another virtual machine.
Figure 7. Amplification attack detection 

Get started with Azure DDoS Protection to protect against amplification attacks 

Azure’s DDoS mitigation platform mitigated the largest ever DDoS attacks in history by employing a globally distributed DDoS protection platform that scales beyond 60Tbps. We ensure our platform and customers’ workloads are always protected against DDoS attacks. To enhance our DDoS posture, we continuously collaborate with other industry players to fight reflected amplification attacks. 

Azure customers are protected against Layer 3 and Layer 4 DDoS attacks as part of protecting our infrastructure and cloud platform. However, Azure DDoS Protection Standard provides comprehensive protection for customers by auto-tuning the detection policy to the specific traffic patterns of the protected application. This ensures that whenever there are changes in traffic patterns, such as in the case of flash crowd event, the DDoS policy is automatically updated to reflect those changes for optimal protection. When a reflected amplification attack is launched against a protected application, our detection pipeline detects it automatically based on the auto-tuned policy. The mitigation policy, that is automatically set for customers, without their need to manually configure or change it, includes the needed countermeasures to block reflected amplification attacks. 

Protection is simple to enable on any new or existing virtual network and does not require any application or resource changes. Our recently released Azure built-in policies allow for better management of network security compliance by providing great ease of onboarding across all your virtual network resources and configuration of logs. 

To strengthen the security posture of applications, Azure’s network security services can work in tandem to secure your workloads, where DDoS protection is one of the tools we provide. Organizations that pursue zero trust architecture can benefit from our services to achieve better protection. 

Learn more about Azure DDoS Protection Standard 

Amir Dahan and Syed Pasha
Azure Networking Team


Source :
https://www.microsoft.com/security/blog/2022/05/23/anatomy-of-ddos-amplification-attacks/

Android apps with millions of downloads exposed to high-severity vulnerabilities

Microsoft uncovered high-severity vulnerabilities in a mobile framework owned by mce Systems and used by multiple large mobile service providers in pre-installed Android System apps that potentially exposed users to remote (albeit complex) or local attacks. The vulnerabilities, which affected apps with millions of downloads, have been fixed by all involved parties. Coupled with the extensive system privileges that pre-installed apps have, these vulnerabilities could have been attack vectors for attackers to access system configuration and sensitive information.

As it is with many of pre-installed or default applications that most Android devices come with these days, some of the affected apps cannot be fully uninstalled or disabled without gaining root access to the device. We worked with mce Systems, the developer of the framework, and the affected mobile service providers to solve these issues. We commend the quick and professional resolution from the mce Systems engineering teams, as well as the relevant providers in fixing each of these issues, ensuring that users can continue using such a crucial framework.

Collaboration among security researchers, software vendors, and the security community is important to continuously improve defenses for the larger ecosystem. As the threat and computing landscape continues to evolve, vulnerability discoveries, coordinated response, and other forms of threat intelligence sharing are paramount to protecting customers against present and future threats, regardless of the platform or device they are using.

Uncovering the vulnerabilities

Our research on the framework vulnerabilities began while trying to better understand how a pre-installed System application could affect the overall security of mobile devices. We discovered that the framework, which is used by numerous apps, had a “BROWSABLE” service activity that an attacker could remotely invoke to exploit several vulnerabilities that could allow adversaries to implant a persistent backdoor or take substantial control over the device.

The framework seemed to be designed to offer self-diagnostic mechanisms to identify and resolve issues impacting the Android device, indicating its permissions were inherently broad with access to valuable resources. For example, the framework was authorized to access system resources and perform system-related tasks, like adjusting the device’s audio, camera, power, and storage controls. Moreover, we found that the framework was being used by default system applications to leverage its self-diagnostic capabilities, demonstrating that the affiliated apps also included extensive device privileges that could be exploited via the vulnerable framework.

According to mce Systems, some of these vulnerabilities also affected other apps on both Android and iOS devices. Moreover, the vulnerable framework and affiliated apps were found on devices from large international mobile service providers. mce Systems, which offers “Mobile Device Lifecycle and Automation Technologies,” also permitted providers to customize and brand their respective mobile apps and frameworks. Pre-installed frameworks and mobile apps such as mce Systems’ are beneficial to users and providers in areas like simplifying the device activation process, troubleshooting device issues, and optimizing performance. However, their extensive control over the device to deliver these kinds of services could also make them an attractive target for attackers. 

Our analysis further found that the apps were embedded in the devices’ system image, suggesting that they were default applications installed by phone providers. All of the apps are available on the Google Play Store where they go through Google Play Protect’s automatic safety checks, but these checks previously did not scan for these types of issues. As part of our effort to help ensure broad protection against these issues, we shared our research with Google, and Google Play Protect now identifies these types of vulnerabilities.

We initially discovered the vulnerabilities in September 2021 and shared our findings with mce Systems and affected mobile service providers through Coordinated Vulnerability Disclosure (CVD) via Microsoft Security Vulnerability Research (MSVR). We worked closely with mce Systems’ security and engineering teams to mitigate these vulnerabilities, which included mce Systems sending an urgent framework update to the impacted providers and releasing fixes for the issues. At the time of publication, there have been no reported signs of these vulnerabilities being exploited in the wild.

The high-severity vulnerabilities, which have a Common Vulnerability Scoring System (CVSS) score of 7.0-8.9, are now identified as CVE-2021-42598CVE-2021-42599CVE-2021-42600, and CVE-2021-42601. We want to thank mce Systems’ engineering teams for collaborating quickly and efficiently in resolving these issues as well as to AT&T for proactively working with Microsoft to ensure customers can safely continue to use the framework.

Several other mobile service providers were found using the vulnerable framework with their respective apps, suggesting that there could be additional providers still undiscovered that may be impacted. The affected providers linked below have made updated app versions available to users before this disclosure, ensuring devices can be protected before these vulnerabilities could be exploited. We encourage these providers’ customers to update to the latest versions of these apps from the Google Play store, which include but are not limited to: com.telus.checkupcom.att.dhcom.fivemobile.myaccountcom.freedom.mlp,uat, and com.ca.bell.contenttransfer.

Additionally, the package com.mce.mceiotraceagent might be installed by several mobile phone repair shops. Mobile users are advised to look for that app name and remove it from their phone, if found.

Analyzing apps that use the mce framework

App manifest and permissions

When analyzing an Android application, the first thing that comes to mind is checking its manifest, maintained under the AndroidManifest.xml file. The manifest describes the application itself and its components, such as the following:

  • Permissions (for example, camera access, internet access, and others)
  • Activities and how they respond to Intents sent to them
  • Content providers
  • Receivers and the kind of content they expect to receive
  • Services

Checking the manifest of an app affiliated with mce Systems’ framework shed light on some of its features and capabilities but did not immediately indicate that any vulnerabilities or security issues were present. Therefore, further research into the app’s functionality was needed by understanding its permissions.

Analysis of the app’s permissions on the mobile device revealed authorizations that could lead to powerful access and capabilities for an attacker. Those permissions included control over the following:

  • Networking: access the internet, modify Wi-Fi state, network state, NFC, and Bluetooth
  • File access: read and write to the external storage
  • Peripherals: access the camera, record audio, get fingerprint information, and get the device’s physical location
  • Private information: read phone numbers, account information, and contacts
  • Management: install apps and modify device settings

With access to these valuable resources, the app could be abused by an attacker to implant a persistent backdoor on the device.

BROWSABLE activities

The “Activities” section of the app’s manifest detailed that the Intent-filter element included activities with a “BROWSABLE” category. While most Intents do not require a category, category strings detail the components that should handle the Intent. In particular, the BROWSABLE category allows the target Activity to be triggered from a web browser to display data referenced by a link, like an image. BROWSABLE activities appeal to attackers as the latter can exploit them via malicious web pages and other Intent-based attacks.

Figure 1:  BROWSABLE Activity with the “mcedigital://” scheme

The Intent-filter element in the manifest dictates how the Activity can be triggered. In the app’s case, the Activity could be triggered by simply clicking a link with the “mcedigital://” scheme. This would start the com.mce.sdk.AppActivity Activity with an Intent with arbitrary data (besides the scheme).

Digging deeper: Reviewing the mce framework’s main functionality

We reviewed the effects of triggering the com.mce.sdk.AppActivity. Also known as appActivity, this Activity refers to the different functionalities provided by the app. AppActivity extends Activity and therefore has an onCreate method, which traditionally handles the creating Intent.

AppActivity

Here’s a brief description of AppActivity:

  1. AppActivity has a member called “webView” and type “JarvisWebView,” a specialized class that extends WebView.
  2. Upon creation, AppActivity has some optional display choices from the Intent (if they exist) and then loads a predefined web page to the WebView. That predefined page can get arbitrary query parameters from the Intent’s data; that is, everything after a “\?” will be added to the web page.

Thus, if a user clicks this:

mcedigital://ignored\?arbitrary_params

The App’s WebView loads the following web page:

file:///android_asset/applications/user/reflow-container-bundled/index.html?arbitrary_params

The app’s index.html web page (which is an asset built into the Android app) loads two JavaScript files:

  • config.js: a nonexistent file
  • bundle.js: contains much of the app’s logic

Since we wanted to understand the interplay between bundle.js (JarvisJSInterface) and the WebView (JarvisWebView), we analyzed both.

JarvisWebView and JarvisJSInterface

The main features of the WebView, JarvisWebView class, are the following:

A JavaScript Interface is a conspicuous target to look for security issues, as it uses a JavaScript Bridge to allow invoking specific methods inside an Android app. In the case of JarvisJSInterface, three methods are exported:

  • init(String): takes a string that will be used as a JavaScript callback method; in our case, it will always be window.AndroidCallback
  • windowClose(): runs a callback registered by the Android app
  • request(String): sends a service request from the JavaScript client to the server (Android app)

The request method is by far the most interesting, as it performs the following:

  1. Interprets the given string as a JSON object
  2. Extracts the following pieces from the JSON object:
    • Context: a random GUID generated by the client, used to link requests and responses
    • Service: the service we are about to call to
    • Command: an integer
    • Data: optional parameters sent to the service call
  3. Invokes the method serviceCall, which finds the registered service, gets the method based on the command number, and eventually invokes that method using Java reflection
Figure 2: Service::callServiceMethod

The serviceCall is a powerful method, as it allows the WebView to invoke “services” freely. But what are these services, exactly?

Services offered by the mce framework

After we examined the services offered by this framework per the app manifest, we then obtained a list of services that practically give the WebView complete control over the device. The most notable services include:

  • Audio: access and manipulate volume levels, as well as play a tone with a given duration and frequency
  • Camera: take a silent snapshot
  • Connectivity: control and obtain valuable information from NFC, Wi-Fi, and Bluetooth
  • Device: includes various device controlling mechanisms like battery drainage, performing a factory reset, and obtaining information on apps, addresses, sensor data, and much more
  • Discovery: set the device to discoverable
  • Location: obtain the location in various modes and set the location state
  • PackageManager: acquire package info and silently install a new app
  • Power: obtain charging state
  • Sensor: acquire sensor data such as barometer data, light data, proximity data, and whether fingerprinting is working
  • Storage: obtain content such as documents, media, images, and videos

These services inherit from a base class named “Service” and implement two methods:

  • setServiceName: for service identification purposes
  • setServiceMethodMap: for setting up the mapping between the command integer and the method name, argument names, and argument types

For example, here is the Camera service setting its methods:

  • Method 0 is “getCameraList” and expects no arguments.
  • Method 1 is “captureStillImageNoPreview” and expects one String argument.
Figure 3: The Camera service setting its methods

Vulnerability findings

Based on our analysis of the mce framework, we discovered several vulnerabilities. It should be noted that while mobile service providers can customize their apps respective to mce framework so as not to be identical, the vulnerabilities we discovered can all be exploited in the same manner—by injecting code into the web view. Nonetheless, as their apps and framework customization use different configurations and versions, not all providers are necessarily vulnerable to all the discovered vulnerabilities.

Outdated command-injection vulnerability (CVE-2021-42599)

We found a command-injection vulnerability, tracked as CVE-2021-42599, in the Device service mentioned in the previous section. This service offers rich functionality, including the capability to stop activities of a given package. The client fully controls the argument “value,” and simply runs the following command:

am force-stop "value"

Since the argument is not sanitized, an attacker could add backticks or quotation marks to run arbitrary code, like the following:

am force-stop "a"; command-to-run; echo "a"
Figure 4: Command injection proof-of-concept (POC) exploit code implemented in the Device service

According to mce Systems, they have since removed the functionality behind this vulnerability and it is no longer present in more advanced framework versions.

Exploitation by JavaScript injection with PiTM in certain apps

The services offered by the mce framework further indicated that the following vulnerability resided in the logic of the JavaScript client for apps that are configured to enable plaintext communications such as the app that we initially analyzed. Interestingly, the code for the client is a heavily-obfuscated dynamic JavaScript code that is implemented over several files, mainly bundle.js. Due to the blind trust between the JavaScript client and the JarvisJSInterface server, an attacker who could inject JavaScript contents into the WebView would inherit the permissions that the app already has.

We conceived two injection strategies most likely to be leveraged by attackers:

  1. Affect the JavaScript client behavior by supplying specific GET parameters from the BROWSABLE Intent.
  2. Trigger an app with the BROWSABLE Intent to become a person-in-the-middle (PiTM) and view the device’s entire traffic. Inject JavaScript code if the client ever tries to fetch external content and interpret it as a script or HTML.

Once we reverse-engineered the client’s obfuscated code, we discovered that it could not inject JavaScript from the GET parameters. The only capability permitted was to affect some of the client’s self-tests upon initialization, such as a battery-draining test or a Wi-Fi connectivity test. However, the WebView-fetched plaintext pages that we discovered could be injected into with a PiTM attack.

Our proof-of-concept (POC) exploit code was therefore:

  1. Perform a PiTM for the target device and lure the user into clicking a link with the “mcesystems://” schema.
  2. Inject JavaScript into one of the plaintext page responses that does the following:
    • Hijack the JavaScript interface by calling init with our callback method
    • Use the JavaScript interface request method to get servicing
    • Send the data to our server for information gathering using XHR (XMLHttpRequest)
Figure 5: Injecting a similar JavaScript code to the WebView could allow an attacker to call arbitrary services and methods

Local elevation of privilege with deserialization followed by injection (CVE-2021-42601)  

Some of the apps we analyzed did not pull plaintext pages. Thus, we looked for a local elevation of privilege vulnerability, allowing a malicious app to gain the system apps’ privileges, tracked as CVE-2021-42601.

In the apps mentioned above, we discovered that the main Activity attempted to handle a deep link (a link that launches an app instead of a browser on click) with Google Firebase. Interestingly, this deep-link handling tried to deserialize a structure called PendingDynamicLinkData (representing a link) from an Intent Extra byte array with the key com.google.firebase.dynamiclinks.DYNAMIC_LINK_DATA. This structure was used later by the mce framework to generate various JSON Objects that might contain data from a categoryId query parameter in the original link, and eventually ended up in the member mFlowSDKInput to be injected into the JarvisWebView instance in an unsafe way:

Figure 6: Unsanitized JavaScript loading allowed arbitrary code injection to the WebView

Since the categoryId query parameter might contain apostrophes, one could inject arbitrary JavaScript code into the WebView. We decided to inject a code that would reach out to a server and load a second-stage code, which was the exact one we used for our PiTM scenario.

Figure 7: Local injection POC exploit

Software design against JavaScript injection vulnerabilities

We worked closely with the mce Systems engineering team and discovered that the reason for unsafe loadUrl invocations with JavaScript injections was that the framework used an asynchronous model of operation. When the JavaScript client performs a request, it expects to be notified later when there are results. Since Android JavaScript Bridge only allows primitive types to be sent (for example, Strings), the mce framework notified the JavaScript client by injecting JavaScript with potentially unsafe arguments (the results themselves).

We offered mce Systems a slightly different software design that prevents unsafe JavaScript injection. The description of the flow of information in our proposal is as follows:

  1. The JavaScript client invokes the request method on the Android JavaScript Bridge, supplying the request itself along with a request ID.
  2. The Java server performs the request and stores the result in a cache. The said cache then maps request IDs to results.
  3. The Java server notifies the client by carefully injecting the JavaScript loadUrl(“javascript:window.onMceResult(<requestID>);”) into the WebView. Note that the only non-constant string is the request ID, which can easily be sanitized. This method “wakes the client up”
  4. The JavaScript client implementation of onMceResult invokes the Android JavaScript Bridge with the method String fetchResult(String requestId). Note that this method returns a string (which contains the result).

This way, the JavaScript client does not need to poll for asynchronous results while data is safely transferred between the client and the server.

Interestingly, Google AndroidX offers a very similar API: webMessageListener. While the said API works quite similarly to our suggestion, it only supports Android versions greater than Lollipop. Thus, the new mce framework now checks the Android version and uses this new Google API if supported or our offered solution for older devices.

The above is just one example of our collaboration to help secure our cross-platform ecosystem. According to mce Systems, all of our reported vulnerabilities were addressed.

Improving security for all through threat intelligence sharing and research-driven protections

Microsoft strives to continuously improve security by collaborating with customers, partners, and industry experts. Responding to the evolving threat landscape requires us to expand our capabilities into other devices and non-Windows platforms in addition to further coordinating research and threat intelligence sharing among the larger security community. This case highlighted the need for expert, cross-industry collaboration to effectively mitigate issues.

Moreover, collaborative research such as this informs our seamless protection capabilities across platforms. For example, intelligence from this analysis helped us ensure that Microsoft Defender Vulnerability Management can identify and remediate devices that have these vulnerabilities, providing security operations teams with comprehensive visibility into their organizational exposure and enabling them to reduce the attack surface. In addition, while we’re not aware of any active exploitation of these mobile vulnerabilities in the wild, Microsoft Defender for Endpoint’s mobile threat defense capabilities significantly improve security on mobile devices by detecting potential exploits, malware, and post-exploitation activity.

We will continue to work with the security community to share intelligence about threats and build better protection for all. Microsoft security researchers continually work to discover new vulnerabilities and threats, turning a variety of wide-reaching issues into tangible results and improved solutions that protect users and organizations across platforms every single day. Similarly inquisitive individuals are encouraged to check opportunities to join the Microsoft research team here: https://careers.microsoft.com/.  

Jonathan Bar Or, Sang Shin Jung, Michael Peck, Joe Mansour, and Apurva Kumar
Microsoft 365 Defender Research Team

Source :
https://www.microsoft.com/security/blog/2022/05/27/android-apps-with-millions-of-downloads-exposed-to-high-severity-vulnerabilities/

Watch Out! Researchers Spot New Microsoft Office Zero-Day Exploit in the Wild

Cybersecurity researchers are calling attention to a zero-day flaw in Microsoft Office that could be abused to achieve arbitrary code execution on affected Windows systems.

The vulnerability came to light after an independent cybersecurity research team known as nao_sec uncovered a Word document (“05-2022-0438.doc“) that was uploaded to VirusTotal from an IP address in Belarus.

“It uses Word’s external link to load the HTML and then uses the ‘ms-msdt’ scheme to execute PowerShell code,” the researchers noted in a series of tweets last week.

According to security researcher Kevin Beaumont, who dubbed the flaw “Follina,” the maldoc leverages Word’s remote template feature to fetch an HTML file from a server, which then makes use of the “ms-msdt://” URI scheme to run the malicious payload.

The shortcoming has been so named because the malicious sample references 0438, which is the area code of Follina, a municipality in the Italian city of Treviso.

MSDT is short for Microsoft Support Diagnostics Tool, a utility that’s used to troubleshoot and collect diagnostic data for analysis by support professionals to resolve a problem.https://www.youtube.com/embed/GybD70_rZDs

“There’s a lot going on here, but the first problem is Microsoft Word is executing the code via msdt (a support tool) even if macros are disabled,” Beaumont explained.

Protected View does kick in, although if you change the document to RTF form, it runs without even opening the document (via the preview tab in Explorer) let alone Protected View,” the researcher added.

In a standalone analysis, cybersecurity company Huntress Labs detailed the attack flow, noting the HTML file (“RDF842l.html”) that triggers the exploit originated from a now-unreachable domain named “xmlformats[.]com.”

“A Rich Text Format file (.RTF) could trigger the invocation of this exploit with just the Preview Pane within Windows Explorer,” Huntress Labs’ John Hammond said. “Much like CVE-2021-40444, this extends the severity of this threat by not just ‘single-click’ to exploit, but potentially with a ‘zero-click’ trigger.”

Multiple Microsoft Office versions, including Office, Office 2016, and Office 2021, are said to be affected, although other versions are expected to be vulnerable as well.

What’s more, Richard Warren of NCC Group managed to demonstrate an exploit on Office Professional Pro with April 2022 patches running on an up-to-date Windows 11 machine with the preview pane enabled.

“Microsoft are going to need to patch it across all the different product offerings, and security vendors will need robust detection and blocking,” Beaumont said. We have reached out to Microsoft for comment, and we’ll update the story once we hear back.

Source :
https://thehackernews.com/2022/05/watch-out-researchers-spot-new.html

Best Active Directory Management Tools

IT teams rely on Active Directory (AD) to keep networks secure and maintain user accounts — but they often need to adhere to strict budget limitations when it comes to selecting software to help. That’s why we’ve put together this list of the top free Active Directory management tools.

Our picks focus on AD tools that will help you complete routine AD management tasks much faster so your team has time to focus on other priorities. We’ve grouped these free Active Directory tools into three categories:

Active Directory Reporting, Monitoring and Auditing Tools

Microsoft Active Directory Explorer

Microsoft Active Directory Explorer is an advanced administration tool that makes it easy to search for, view and edit extended information about AD objects. It is similar to AD Users and Computers but has at least one key additional benefit — it allows you to view object properties and attributes without opening additional dialog boxes.

AD Explorer also enables you to save snapshots of an AD database for offline viewing and database version comparisons. When you load a saved snapshot, you can work with it as you would use a live database.

Other features include:

  • Defining favorite locations
  • Editing permissions
  • Viewing an object’s scheme
  • Executing sophisticated searches that you can save and re-execute

Handpicked related content:

Netwrix Auditor for Active Directory

Netwrix Auditor for Active Directory (free community edition) gives you visibility into what’s happening inside domains while eliminating the time-consuming tasks of analyzing endless native logs. Netwrix Auditor tracks logons and all changes to Active Directory users, groups, organizational units and Group Policy. It generates a daily activity summary that details all changes and logon activity that occurred during the previous 24 hours, including the before and after values for each modification.

Netwrix Account Lockout Examiner

Netwrix Account Lockout Examiner is well known as one of the best Active Directory tools for quickly resolving one of the most pressing issues with AD: account lockouts. It enables you to identify the root cause of lockouts in a single keystroke, slashing troubleshooting time by up to 90 percent. This lightweight and intuitive tool empowers you to investigate issues like why the same account repeatedly locks out without having to slog through a mountain of cryptic event logs — just enter the username and click a button.

Netwrix Effective Permissions Reporting Tool

Netwrix Effective Permissions Reporting Tool simplifies auditing of access permissions in Active Directory. You can view a user’s account group membership, the permissions the account has to every AD object and how those permissions are granted. It also shows file and folder effective permissions, so you can determine who has access to your data and how their access was gained. You can export this information to an HTML file.

Netwrix Bulk Password Reset

Netwrix Bulk Password Reset enables you to reset local admin and user passwords across multiple workstations at once, remotely, without actually logging into them. This functionality enhances Windows Server security.

Netwrix Inactive User Tracker

Netwrix Inactive User Tracker provides insight into stale Active Directory user accounts so you can disable or delete unneeded accounts before malicious actors can exploit them to gain access to resources and services on your network.

Netwrix Password Expiration Notifier

Netwrix Password Expiration Notifier automatically sends notifications about upcoming AD password expiration to users and their managers. This proactive approach enables you to remain in compliance with password security best practices without sacrificing user productivity or increasing helpdesk workload.

Cjwdev Active Directory Info

Cjwdev Active Directory Info is a free Active Directory reporting and analysis tool that enables you to review the configuration settings of AD objects. You can quickly generate CSV, HTML or TXT reports to gain insight into things like:

  • Locked accounts
  • Users who have never logged on
  • Users with the “password never expires” flag
  • Enabled and disabled users
  • Deleted groups
  • Computers deleted in the last 30 days
  • Group Policy objects modified in the last 30 days

Cjwdev Active Directory Permissions Reporter

Cjwdev Active Directory Permissions Reporter extracts all permissions for every object in your domain. Note that the free edition of Cjwdev AD Permissions Reporter does not support the command line and you cannot filter or export results.

ENow Compass

ENow Compass provides real-time network monitoring to help you identify issues that could evolve into bigger problems. ENow Compass is a powerful toolset, but the company does not offer a free version. Users can start with a 14-day free trial with registration.

MaxPowerSoft Active Directory Reports Lite

MaxPowerSoft Active Directory Reports Lite allows you to load up to 200 objects from Active Directory and generate auditing reports on users, groups, organizational units, computers and GPOs. The paid version of grants access to more reports and many more features.

Active Directory FastReporter

Active Directory FastReporter generates a variety of predefined reports on your AD infrastructure. The free version doesn’t allow you to create custom reports, export reports or use automation features.

LDAPSoft Active Directory Browser

LDAPSoft Active Directory Browser simplifies SSL communication and streamlines the process of browsing your AD hierarchy. You can search for entries, view all available attributes and run SQL-LDAP statements.

Softerra Browser for LDAP

Softerra Browser for LDAP is a lightweight tool that allows you to view, browse, search and export information from LDAP. It is free to use for 30 days — you’ll need to register a paid account to use it past this point.

WiseSoft Password Control

WiseSoft Password Control can reset user passwords in bulk, which saves time and effort when managing service account passwords. It also includes the ability to make other bulk changes, such as enabling and disabling user accounts, group membership functions, descriptions and departments.Handpicked related content:

Active Directory Management Tools

Albus Bit Active Directory Administrator

Albus Bit Active Directory Administrator enables you to manage user and computer accounts across your Active Directory domain from a single interface. You can use the  built-in search templates or create your own, and use the results to disable inactive accounts, move accounts to different organizational units or remove users from groups.

CjWdev Active Directory Tidy

CjWdev Active Directory Tidy allows you to easily manage your AD accounts in bulk. For example, you can add multiple accounts to a specific security group, or set random passwords or a particular expiry date for a set of accounts.

The tool’s filtering functionality makes it easy to clean up your AD. For example, you can filter by last login date to find all inactive user and computer accounts to determine whether you should remove them from your domain. The paid version of this tool also enables you to export AD settings to XML.

Spiceworks People View

Spiceworks People View allows you to view and update AD user account properties, such as email, phone number, title and department. You can also add devices to user profiles to monitor installed software programs and update it when needed. You can also reset passwords and enable or disable user accounts. The tool also offers self-administered password and user profile management on a self-service web portal, and real-time status monitoring of all your devices.

Spiceworks offers other useful tools. For example, Network Monitor performs real-time status monitoring of all your devices.

Microsoft AdRestore

Microsoft AdRestore is a single-task tool that enumerates all tombstoned objects in your AD domain and enables you to restore them individually as needed.

Windows PowerShell

Windows PowerShell is undoubtedly the most powerful Active Directory tool. However, it can be challenging to use because it lacks a graphical interface. To accomplish your tasks, you’ll need to use cmdlets and scripts like the following:

  • Disable a user account: Disable-ADAccount username
  • Enable a user account: Enable-ADAccount username
  • Unlock a user account: Unlock-ADAccount username
  • Delete a user account: Remove-ADUser username
  • Find all empty groups: Get-adgroup -filter * | where {-Not ($_ | get-adgroupmember)} | Select Name
  • Add a member to a group: Add-adgroupmember “groupname” –username
  • Enumerate the members of a group: Get-ADGroupMember “groupname
  • See what groups a user account is a member of: Get-aduser username -property Memberof | Select -ExpandProperty memberOf
  • Disable a computer account: Disable-ADAccount -Identity “computername
  • Find computers by type: Get-ADComputer -Filter * -Properties OperatingSystem | Select OperatingSystem -unique | Sort OperatingSystem
  • Create an organizational unit: New-ADOrganizationalUnit -Name OUname -Path “dc=domainname,dc=com”
  • Create a computer account: New-ADComputer -Name username -Path “ou=OUname,dc=DCname,dc=com”
  • Create a user account: New-ADUser -Name username -Path “ou=OUname,dc=DCname,dc=com”

Adaxes

Adaxes streamlines routine management functions in Active Directory, Microsoft Exchange and Microsoft 365 environments. You can use it to delegate privileges, control authorizations and stay in compliance with data mandates. Softerra offers a 30-day free trial.

CENTREL Solutions XIA Automation

CENTREL Solutions XIA Automation helps you automate IT management tasks, such as account provisioning, user management and password changes. It includes time-saving features like bulk provisioning of accounts from CSV to AD, Exchange, Google or Office 365.

Dameware Remote Everywhere

Dameware Remote Everywhere is a pricey commercial-grade tool at $540 (and up), but it is notable for its powerful functionality — especially for enterprise-level network needs.

“Remote Everywhere” refers to the tool’s cloud-based solutions. Users enjoy safe, remote support with advanced encryption and multifactor authentication, essential endpoint support for any computer or device, and a reporting engine that can handle virtually any reporting task. New users can get a fully functional version of Dameware Remote Everywhere for 14 days.

Active Directory Utility Tools

Microsoft Active Directory Replication Status (ADREPLSTATUS) Tool

Microsoft ADREPLSTATUS Tool is a single-purpose tool that helps you analyze the replication of domain controllers in your network.

Cjwdev Group Manager

Cjwdev Group Manager allows the manager of a group to manage roles and settings for the group, including adding and removing other users and exporting group members to a CSV file. The free edition enables you to manage only a single group, and you cannot or add new members from other domains.

Cjwdev Active Directory Photo Edit

Cjwdev Active Directory Photo Edit enables you to import and upload images to an AD attribute that can be displayed in Outlook 2010, Lync and SharePoint. The free edition can’t process pictures for users and contacts in bulk, but the paid version offers this feature.

Cjwdev Managed Service Accounts GUI

Cjwdev Managed Service Accounts GUI helps you configure managed service accounts using an intuitive GUI that eliminates the need for PowerShell commands.

Specops Password Auditor

Specops Password Auditor scans your Active Directory and identifies password-related vulnerabilities so you can reduce your attack surface and maintain compliance.

Specops Software Gpupdate

Specops Software Gpupdate enables remote administration of computers and organizational units. For example, you can refresh Group Policy or wake up, shut down or restart a PC remotely.

Specops Command

Specops Command is a PowerShell and VBScript interface that helps you automate many Active Directory administrative tasks.

Zohno Z-Hire and Z-Term

Zohno Z-Hire and Z-Term are single-task tools. Z-Hire speeds the user account creation process for new hires, while Z-Term helps with account removal when an employee leaves the organization.

SysOpsTools Active Directory Query

SysOpsTools Active Directory Query is a free executable tool — no installation required — that can be used to quickly search AD for information about a specific user or computer, including schema attributes that are normally not readable.

RIA-Media SysAdmin and SysAdmin Anywhere 

RIA-Media SysAdmin and RIA-Media SysAdmin Anywhere are helpful for facilitating a long list of activities:

  • Resetting user passwords
  • Adding, editing and deleting AD objects
  • Adding photos
  • Shutting down and restarting computers remotely
  • Checking for updates
  • Monitoring hardware and computers

SysAdmin and SysAdmin Anywhere both offer a free trial.

Codeplex ADModify.NET

Codeplex ADModify.NET is a single-use tool that allows you to modify multiple user attributes at once.

WiseSoft Bulk Password Control

WiseSoft Bulk Password Control enables you to change passwords on multiple accounts at the same time using the tool’s password generator feature. You can also enable, disable and unlock AD accounts in bulk.

Conclusion

With so many options to choose from, it can be challenging to find the right mix of AD management tools for your needs. The most effective way to make that choice is to install different tools and try them out in your AD environment. This will give you insight into how well they will work for your specific needs and preferences.

Source :
https://blog.netwrix.com/2021/03/10/active-directory-tools/

How IT executives are advancing sustainability with the cloud

Sustainability action is a necessity for organizations looking to satisfy stakeholders, prepare their business for the effects of climate change, and reduce their environmental impact. While more organizations are implementing environmental sustainability practices—such as using sustainable materials, becoming more energy efficient, and embedding sustainability into employee training—these efforts alone are not enough to eliminate waste and reach net zero. 

In a recent survey of executives, Deloitte found that more than a third of organizations are only implementing one out of five “needle-moving” sustainability actions. To begin moving the needle quickly, IT executives can help their organizations accelerate sustainability by reducing the environmental impact of IT, facilitating a more circular economy, working with sustainable partners, and leading efforts that support environmental, social, and governance (ESG) measurement and reporting.

Sustainability pressures are becoming policies 

The pressure for more transparent sustainability action is continuing to rise: For the first time, the US Securities and Exchange Commission has proposed a rule to make environmental reporting mandatory. The recently proposed rule would require public companies to disclose climate-related risk management as well as direct and indirect greenhouse gas emissions (scope 1 and 2), eventually phasing in reporting for material emissions from value chains (scope 3).

The EU has long been ahead of the US when it comes to requiring organizations to report on emissions. Last year, the European Commission adopted a proposal for a Corporate Sustainability Reporting Directive (CSRD), which extends the scope of the Non-Financial Reporting Directive (NFRD) adopted in 2014. The CSRD proposal expands the number of companies required to report, introduces an audit and more detailed reporting, and would require organizations to report according to EU sustainability reporting standards

88% of consumers want companies to help them be more sustainable (OnePulse)

Though policies and reporting requirements intensify the pressure for more corporate sustainability action, there is also pressure coming from consumers and employees. According to a PwC survey, 86% of employees prefer to work for organizations that share their values, and 76% of consumers would “discontinue [their] relationship with companies that treat the environment, employees, or the community in which they operate poorly.” This sentiment is matched by the results of a survey from OnePulse, which found that 88% of consumers want companies to help them be more sustainable. 

There’s a growing need for IT sustainability guidance

To address sustainability reporting requirements and demands from customers, employees, and boards, IT executives are stepping up. But amidst ever-changing guidelines and new climate data, knowing where and how to start implementing more sustainable IT practices remains challenging. Research from Capgemini found that only 18% of organizations have a defined sustainability strategy for IT.  

Nonprofits like SustainableIT.org are starting to fill the growing need for guidance by providing benchmarks for ESG measurements. Launched by CIOs and other tech leaders, the nonprofit plans to define sustainable digital transformation programs and provide best practices, education, and training for technology leaders that help support sustainable actions across their operations. 

IT executives can also look to research and consulting firms like Gartner, who recently released a report that provides a framework to help organizations plan for infrastructure and operations sustainability goals.

In addition to peer groups and research firms, IT executives can also use widely accepted measures provided by organizations such as: 

Cloud solutions help reduce the environmental impact of IT 

On-premises infrastructure often requires large amounts of power and additional physical materials to scale. According to estimates from Cloudscene, there are over 8,000 data centers worldwide and these data centers are estimated to account for nearly 1% of global energy consumption.

1 billion metric tons of CO2 can be prevented from entering the atmosphere between 2021-2024 with cloud computing (IDC)

IT leaders can reduce the carbon footprint of their computing infrastructure simply by moving to cloud systems. The cloud can help reduce greenhouse gas emissions, as cloud computing is more efficient than what organizations can achieve with on-premises infrastructure. Cloud data centers have higher utilization rates, use advanced cooling technologies that are more energy efficient, and are often powered by renewable energy. As more businesses migrate to the cloud, these efficiencies are estimated to potentially prevent more than 1 billion metric tons of CO2 from entering the atmosphere over the next few years.  

One customer case study found a 93% reduction in greenhouse gas emissions associated with migrating from a customer hosted Oracle ERP solution to Oracle ERP on Oracle Cloud Infrastructure. This included a 71% reduction in scope 1 emissions, 100% reduction in scope 2 emissions, and 84% reduction in scope 3 emissions (Figure 2). 

The cloud can also promote a more circular economy 

A key tenet of the circular economy is to decouple physical assets from the services they provide. This is exactly what the cloud provides. The cloud can contribute to a more eco-optimized supply chain by eliminating the need to procure and physically own your computing hardware.

Cloud computing can support a more circular economy

As organizations make the transition to cloud, they should also account for the impact that retired hardware has on the environment. To address this, IT executives can look to cloud providers that offer services like Oracle’s take back programs to help dispose of and recycle excess products in an environmentally responsible manner.

IT executives can accelerate sustainability with analytics

More transparency and better emissions data isn’t just about meeting reporting requirements—it’s also an essential component of reaching net zero. IT executives can help accelerate progress towards net zero by leading efforts to measure ESG performance. 

Deloitte found that “difficulty measuring environmental impact” was identified by executives as one of the five biggest obstacles to their sustainability efforts. By investing in cloud solutions and services such as integrated analytics platforms and IoT, AI and ML capabilities, IT executives can embed environmental-related data collection and reporting into the mainstream of business operations and associated IT infrastructure. 

30% of executives identify measuring environmental impact as a barrier to facilitating sustainability (Source: Deloitte)

At Oracle, we’ve been transforming our business operations to be more environmentally friendly by leveraging Oracle’s own innovative technology. Sustainability is now inherent in the way think about and approach nearly every aspect of our business, from operational efficiency, to product development and to employee engagement. We use our own technology because Oracle Cloud is the only end-to-end cloud platform that enables the cross-functional process flows required to increase sustainability.

Partners and providers should meet your sustainability requirements

Providers and partners play a pivotal role in reducing your environmental impact, either helping or hindering your ability to achieve sustainability goals. Ensuring that business partners and suppliers meet your sustainability requirements is one of the five key actions that businesses need to take to realize the benefits of sustainability, according to Deloitte’s 2022 CxO Sustainability Report

Beyond ensuring that your providers align with specific sustainability criteria, it’s also important to consider how they can contribute to changing business needs. As demands for greener products grow, IT executives should be primed to understand not only their risks, but also their ability to act on new opportunities. By partnering with cloud providers that offer advanced cloud technologies and a wide range of services and solutions, you can position your business to capture new value when it arises and do so quickly.

Take a step towards sustainability with Oracle Cloud Infrastructure

Oracle Cloud Infrastructure is a high-performance green cloud solution that provides customers with the opportunity to drive business value and reduce their environmental impact. Oracle data centers are 75% more energy efficient than a typical corporate data center. Because we design, build, deploy, and recycle our hardware, we are contributing to a more circular economy that minimizes waste, maximizes circularity, and helps achieve net-zero carbon. 

By consolidating and optimizing our IT infrastructure while delivering advanced technologies, such as AI and blockchain, we help organizations reduce their environmental impact, measure progress, and achieve their sustainability goals.


Get started today for free. Learn more about Oracle Cloud sustainability and take a step towards sustainability with Oracle Cloud Free Tier.



1. OnePulse, 88% Of Consumers Want You To Help Them Make A Difference

2. IDC, Cloud Computing Could Eliminate a Billion Metric Tons of CO2 Emission Over the Next Four Years, and Possibly More, According to a New IDC Forecast

3. Deloitte, Deloitte 2022 CxO Sustainability Report

Source :
https://blogs.oracle.com/sustainability/post/how-it-executives-are-advancing-sustainability-with-the-cloud

How to dial in the one-page WordPress website 

If you’re looking to offer a more affordable (and easier to build) solution for a client’s business, online portfolio, and much more, you may want to consider a one-page WordPress website.

One-page websites are simple, popular and — when built on Managed WordPress — easy for nearly anyone to maintain.

However, dialing in the one-page design isn’t always a simple task for website designers, especially when you’re used to taking on larger or more complex projects. Luckily you’ve come to this post. Here, we look at tips to help create a solid one-page website design. Here’s what we’ll cover:

  1. Determine whether one page is enough
  2. Create a strategy for content
  3. Build an anchor menu for easy navigation
  4. Understand the audience
  5. Make scrolling easier
  6. Make the website mobile-friendly
  7. Develop strong CTAs
  8. Avoid large text blocks
  9. Optimize for search engines
  10. Include social media accounts
  11. Be creative with the contact block

Why a one-page WordPress website?

One-page website designs have gained increased popularity among business owners and web designers because they’re simple, easy and trendy. But while one-page websites are ideal for different types of business, they are not a one-fits-all solution.

Before settling on a one-page website, ensure it is ideal for your client. You may want to create a one-page website if they don’t have a lot of content or many different elements. A single-page website may be ideal for clients who:

  • Want to create an online portfolio or personal website
  • Sell a few products or services
  • Have one-time events such as conferences and weddings
  • Need a campaign-specific landing page

On the other hand, a one-page WordPress website may not be ideal, for example, if their content is complex or they sell lots of different products or services with tons of information.

Tips for creating a one-page WordPress website

Less is more in design, and web design is not an exception. After all, the fewer pages a site has, the more it will be appealing to visitors. A good one-page design will communicate a story effectively, promote a brand and drive conversions.

However, that doesn’t mean that creating a one-page WordPress website is a simple task. Without the right gameplan, you may end up with a single page that isn’t attractive and doesn’t serve your marketing purposes.

To that end, here are steps to follow for a perfect one-page website design:

Determine whether one page is enough

Before you take any step, it’s best to determine whether the situation calls for one page or a classic website. Depending on the type of client you’re helping, one kind of website might be better than another — you need to weigh the options to determine which type of website will work.

As stated earlier, a one-page WordPress website should have a simple yet robust design that is user friendly. It often displays only a small amount of text but more images.

Due to its long scrolling design, you have the option to be creative and decide the order in which content appears.

One-page website design offers a good user experience. Since the content appears in a linear fashion, visitors won’t get lost in multiple pages. These sites also render well on mobile and tablets, and are easy to maintain.

A classic website comes with a homepage alongside other pages, often services, a contact page, and FAQ. The main advantage of a classic web design over a one page is that it allows you to display tons of content about products or services.

With the classic design, you get the option to display each piece of content on a dedicated page, allowing more thorough descriptions. But if you decide that a one-page WordPress website is best, move to the next step.

Create a strategy for content

The first step to creating a one-page WordPress website is to plan out content. One page allows you to control the order in which content appears. The idea is to ensure the order is both logical and intuitive.

Be careful with what you place above the fold or what the visitor sees before scrolling down the site. Ideally, the main message should entice visitors.

Like any other website, a one-page WordPress website could include an about section, services and products, more about the offering, an FAQ section, CTAs, a photo gallery and contact information.

How you prioritize this content will determine how effective the one-page design will be. Remove unnecessary information to keep content as simple and organized as possible.

Build an anchor menu for easy navigation

Unlike a classic website (where each item links to a page of its own), a one-page WordPress website menu links to a different section of the same page. As a result, you need to build an anchor menu to link each section.

These are three important steps to help create an anchor menu for a good one-page design:

  • Create an anchor — An anchor will help users navigate to a particular part of your one-page design. While some templates come with built-in anchors, there’s usually an option to rename, move or delete them.
  • Link anchors to the menu — Linking the site’s menu to anchors makes it easier for visitors to go to a specific section. The idea is to select the corresponding section to attach an anchor to, which will help in the navigation.
  • Create a menu order — Linking the menu to anchors isn’t enough. You should ensure the order in the menu corresponds to the order of section. Single-page website designs involve a lot of scrolling. As such, ensure that the menu is always visible by freezing it. Fortunately, this is easily achievable via plugins such as WP Floating Menu.

Understand the audience

When it comes to a one-page WordPress website, you have only one page to display many sections. That’s why it is important to identify gaps in every section and fill those gaps to improve user experience and overall site performance.

Analyzing which sections have gaps and making the necessary changes is paramount. To achieve this, you need to group your visitors based on location, demographics, source, behaviors, devices they use, and other such criteria.

You can collect this data for clients if you install proper analytic tools like Google Analytics on the site. Ensure that you have everything set up to get required data and determine the metric to track.

Tracking user behavior for a classic website with multiple pages is straightforward. But things get rather complicated when it comes to a single-page website.

Luckily, free tools like Google Tag Manager will help track activities on a one-page website. This tool will enable you to track different actions on the site and provide more insights regarding the needs and expectations of a target audience.

Make scrolling easier

A one-page WordPress website involves a lot of scrolling. Don’t make visitors keep scrolling down the site to find what they are looking for — make it as simple as possible.

A scroll-top button (yep, there are plugins for that) and anchor links make navigation easier and fast. You may also want to use parallax scrolling (make the background move a different speed from the foreground content) to keep your users engaged when scrolling until they find what they are looking for.

No matter how creative you want to be with navigation, you shouldn’t ignore usability. After all, visitors are real humans, so ensure they can easily find the content they need.

Make the website mobile-friendly

People spend more time on smartphones or tablets than desktops. You may also have heard about mobile-first indexing, where Google considers the mobile version of the content for indexing and ranking.

As a result, ensure the website is functional and looks as good on mobile as desktop. Adapting to the mobile version shouldn’t cause headaches if you use a readymade CMS like WordPress.

Develop strong CTAs

Strong CTAs for the one-page WordPress website are essential. This command phrase, such as “Buy Now” or “Sign Up,” takes the form of a button or hyperlink to increase sales or conversion.

To get the most from a CTA, it needs to:

  • Be logical, intuitive and concise
  • Encourage visitors to take action
  • Unique from other graphical elements
  • Placed at strategic places for users’ view

Once you have CTA content, link the button to an anchor to make it easy for visitors to navigate a particular section.

Avoid large text blocks

Having too much text on one page can hurt conversions. After all, users expect as brief a chain of actions as possible (e.g. visit > see what you need > take the required action).

Imagine if, during the second step, there’s tons of text for the user to read.

Include only the information that directs users to a CTA, and presents it in a brief and straightforward manner. If you have a lot of information to share with users, create a separate blog and link it to a unique place on the website.

Optimize for search engines

The need for search engine optimization for any website cannot be overstated. When it comes to a one-page WordPress website, you only have one page to rank for several keywords, and you have fewer things to optimize than a classic website.

However, this doesn’t mean that you cannot optimize the single-page website. Yes, it may be a bit challenging, but it’s possible. That said, here are things to remember when optimizing a one-page website:

Improve page speed

Page speed refers to the time it takes to display a page content fully. In our case, this is the time it takes to display one page of website content.

A significant number of visitors will leave a page that takes more than three seconds to load.

And if your website loads slowly, Google and other search engines will consider it to have a bad user experience. That’s why you need to analyze your site loading speed and optimize it.

Luckily, Google has a free tool to help analyze your website speed. To analyze your website, go to PageSpeed Insights and enter the URL. This tool will help analyze how a site performs on both desktop and mobile devices.

Once you get insights into what is slowing down the website, try to resolve all errors to improve website speed.

Optimize each section for SEO

Treat each section of the one-pager as a separate page and optimize it for SEO. The idea here is to ensure that each section of your one-page website has a heading tag to tell what the section is all about.

Next, optimize each section for the primary and related keywords. You also need to optimize text blocks for those keywords and include alt texts in images.

Ensure content is fresh and relevant

Content is king, but only if it’s fresh and relevant for an audience and search engines. Content is not static. To keep up with the ever-changing Google algorithms, pitch content updates to your client so the website can rank higher on SERPs.

Include social media accounts

Social media can provide a perfect way to improve an online presence. As such, connect your client’s Instagram, Facebook, and LinkedIn profiles with their one-page WordPress website to help improve traffic to the site.

One way to achieve this is by adding an Instagram feed. Doing this will provide an opportunity to share the latest photos of your client’s business with visitors.

Another perfect way to incorporate social media profiles into the website is to place icons for all business social media accounts. Users will see these elements as they scroll the website, providing a perfect way to further interact with a business.

Be creative with the contact block

Last but not least, make sure visitors can easily find contact information on the site. That said, consider placing phone numbers, email addresses, blogs, and social media links in a separate block at the top of the site.

The idea is to ensure that users will not need to scroll to the bottom to see contact information. After all, this can be troublesome, especially if the site has many media components that can load slowly when there’s a poor internet connection.

Closing thoughts on the one-page WordPress website

Creating a one-page WordPress website has many benefits, including better SEO potential, it’s faster and easier to maintain, intuitive to use, and easy to organize. Once you determine that a single website is best for your client, the above tips will help you get a perfect one-pager going.

Source :
https://www.godaddy.com/garage/one-page-wordpress-website/