Android Support Added to Workplace Join in Azure Active Directory

Microsoft added the ability for Android devices to register in Azure Active Directory.  This also allows them to take advantage of SSO for apps that use the Active Directory Authentication Library (ADAL) to authenticate to Azure AD.  The article also states that policy support for all Azure AD connected apps is in the works, which would then allow IT to set up conditional access across all devices.

Orchestrator Runbooks SMART Documentation and Conversion Helper 2.0

SMART Documentation and Conversion Helper 2.0 is a tool to help you document your Orchestrator runbooks in Visio and Word.  It is built in PowerShell.  You can read more about it here or download it directly here.

Updated tool : SMART Documentation and Conversion Helper for your Orchestrator Runbooks - Building Clouds Blog - Site Home - TechNet Blogs

Azure Active Directory Basic Available Now

Microsoft announced today that Azure AD Basic is available.  It includes four additional features not available in the Azure AD Free tier.

  • Company branding to match your internal LAN’s styling and logo.
  • Group-based application access for your cloud hosted apps, with the ability to query your own directory to build and populate groups or to build them in Azure.
  • Self-service password reset, allowing users to reset their own passwords without contacting IT.
  • A 99.9% ("three nines") SLA: guaranteed uptime of 99.9%, which permits at most 1m 26.4s of downtime per day, 10m 4.8s per week, 43m 49.7s per month or 8h 45m 57s per year.

Azure Active Directory Basic is now GA! - Active Directory Blog - Site Home - TechNet Blogs

Apple Pay – Great New Feature or Future Nightmare?


Apple introduced the iPhone 6 models this week and spent time talking about the size, display and CPU speed, but it also spent an exorbitant amount of time, marketing dollars and effort to push a new feature most people couldn’t care less about: Apple Pay.

What is Apple Pay?

Apple Pay is a payment service on the iPhone that stores and transmits your credit card information.  Let that sink in before moving on.


Apple has not yet released many public details on exactly how Apple Pay works, and the media has several different guesses about how the system will work.  Gartner claims no credit card information will be stored on the phone and that your iTunes credit card information will be used instead; others, including Apple, say your card details will be stored on the phone.  The Washington Post writer assures his readers that, thanks to the iPhone fingerprint reader, no one else will be able to make purchases with your phone.  He doesn’t bother to mention that the fingerprint reader was hacked less than two days after it was released, or that virtual card numbers are what your phone will send to the merchant instead of your actual card number.

Judging by the docs from a third party that offers an API so merchants can use Apple Pay without doing all the integration on their own, it would seem that credit card information is stored on your iPhone and that, depending on the merchant you are using, you will be sending them your card number, CVC code, name, expiration date and billing address, all information the merchant can choose to store for later use.  That third party’s documentation includes frightening phrases such as “Make sure any communication with your server is SSL secured to prevent eavesdropping.”  Shouldn’t Apple Pay force SSL communication?

This is all speculation for now, but I think the third party’s documentation is likely better informed than the Washington Post or Gartner at this point.

However, I couldn’t leave out this little gem from a source that stays in lock step with the party line, claiming that anyone who doesn’t fully embrace Apple’s latest feature as the greatest change to the monetary system since the advent of coins is a lunatic alien abductee.

“Those of you reaching for your tinfoil hats will be relieved to hear the usual security and privacy spiel from such an announcement involving sensitive financial data. Merchants cannot see card numbers, Apple cannot tell what you are buying, and if you lose your phone, you can simply suspend the service using Find My iPhone.”

All but the last part, about using Find My iPhone, is incorrect, but it doesn’t matter because they don’t address the real security concerns.

Update: According to NerdWallet, Apple will get 0.15% of each transaction, paid to them by the bank issuing the credit card.  This new fee, on top of the regular per-transaction fees paid for the convenience of using a card instead of cash, will unwittingly be paid by the consumer.  When you think about the concept of paying a company to lend you your own money with interest and fees added on, you may begin to understand that using cash and living within a realistic budget is better than using Apple or any credit card company.

The Real Point Please?

Here is the main problem with Gartner, WaPo and all of the internet sites claiming there is nothing to worry about.  They all talk about how the transaction is secure, how the merchant doesn’t actually get your card details, how a random number or one-time token is going to keep your purchase secure.  Great.  But what about the phone?  How secure is the device where you are storing the cards, with all the information needed to use each one of them?  I don’t recall Apple talking about how secure their phone and new OS are, and none of the websites fighting for your precious monetized clicks talk about how secure the platform storing all your data is.  Instead they make claims to assure you that Apple has it all figured out; after all, it’s Apple!  They never have security problems, just ask Kate Upton, Kirsten Dunst, Jennifer Lawrence or Jonathan Zdziarski.  Jonathan is the researcher who recently presented a paper on how every iOS device is running hidden and undocumented services that allow access to phone data, even the ability to bypass the iTunes backup encryption, all without needing physical access to your phone.  It doesn’t take much thought to figure out how someone could get at the photos of celebrities, your spouse or yourself stored in iCloud.

When Target and the other retailers had their POS systems hacked, the attackers did not go after individual payments; they wanted the card data so they could sell the cards on the market, and those who bought the cards would use them to make fraudulent purchases, clean out accounts or worse.  Talking about how a single transaction is secure is only interesting if you are a merchant, bank, card processing company or Apple.  The consumer loses nothing if a retailer or bank doesn’t secure a transaction, because the consumer is covered.  But if the consumer has their savings account drained to $0, well, they are just out all of their savings.  The banks, card processor and retailer will happily take that stolen money.

One Last Thing

Apple Pay uses NFC to transmit your purchase details.  In 2012, 2013 and 2014 there were demonstrations of how NFC can be attacked to take advantage of payment systems: stealing data, sending payments and transferring funds.  It’s unfortunate that Apple and the media won’t spend the 30 seconds it takes to Google “NFC credit card hack” and watch the videos, read the conference notes and articles on how insecure NFC really is.

  • Apps use NFC technology to hack Credit Card credentials (Oct 16, 2013): After months Google still hasn’t fixed the issue letting apps from the Play Store use NFC technology to steal credit card credentials.
  • [PDF] NFC Hacking: The Easy Way – Def Con (…/DEFCON-20-Lee-NFC-Hacking.pdf), by E Lee, cited by 5: NFC Hacking: The Easy Way. DEFCON 20 … between chipped credit cards and POS terminals … Contactless credit card reader (e.g. VivoPay, Verifone).
  • [PDF] Hacking the NFC credit cards for fun and debit – Hackito … (Apr 3, 2012): Hackito Ergo Sum 2012 – April 12, 13, 14 – Paris, France. 4. How to recognize an NFC-enabled credit card? Small wave logo printed on the …
  • How NFC phones can steal your credit card info. – YouTube (Jan 27, 2012, uploaded by Id Stronghold): How NFC phones can steal your credit card info. … Building a RFID Zapper – Hacking a Disposable Camera by Tobias Othmar Hermann …
  • Hacking the NFC credit cards for fun and debit by … – YouTube (Jul 24, 2012, uploaded by Shakacon LLC): Hacking the NFC credit cards for fun and debit by Renaud Lifchitz … The way of do business very much easy using NFC business card..
  • [NFC HACK] : Use Pass Snow card or transport card with … (Mar 8, 2013, uploaded by iHeathOfficial): [NFC HACK] : Use Pass Snow card or transport card with your … Cloning Credit Cards: Pre-play and downgrade attack (full length) by Michael …
  • Android NFC hack lets subway riders evade fares | Naked … (…/android-nfc-hack-lets-subway-rider…, Sep 24, 2012): Android NFC hack lets subway riders evade fares … Benninger said during his talk that he could replenish his card endlessly, according to Computerworld: “I can do …” Carwash POS systems hacked, credit card data drained.
  • Credit Card stealing Apps from NFC cards – Latest News … (…/credit-card-stealing-apps-from-nfc-cards/, Apr 29, 2013): This report in Mashable and CBS reports that there are apps now available to read and hack the NFC data on credit cards with the purpose of …
  • The Perfect Hack for Enabling NFC Credit Card Payments … – Business Insider (Aug 3, 2011): Remember the good ol’ days when you actually had to swipe your credit or debit card to make a pay…
  • Hacking the NFC Credit Cards for Fun and Debit by Renaud … (…/hacking-the-nfc-credit-cards-for-fun-and-debit-by…, Jul 2, 2012): Small wave logo printed on the card: “Hacking the NFC credit cards for fun and debit ;)” Renaud Lifchitz – BT 4 Shakacon 2012 – June 18-21 …

Data Protection Manager Now Available as Azure IaaS


Azure IaaS workload protection using Data Protection Manager - System Center: Data Protection Manager Engineering Team Blog - Site Home - TechNet Blogs

The supported configuration is illustrated in the above diagram. The DPM installation prerequisites remain the same, as described in the TechNet documentation.

  • DPM is supported on any Azure IaaS virtual machine that is size A2 or higher.
  • DPM can protect workloads that run across multiple Azure cloud services that have the same Azure virtual network and Azure subscription.
  • The number of disks that can be used for the target storage (DPM storage pool) is limited by the size of the virtual machine (maximum of 16). For more information about size limits, see Azure Virtual Machines.

via Azure IaaS workload protection using Data Protection Manager – System Center: Data Protection Manager Engineering Team Blog – Site Home – TechNet Blogs.


Microsoft Azure Versus VMware on Containers

Some basics if you are new to containers.  Applications run inside containers.  Containers behave as if they are running on an independent operating system, but in fact they run in isolated partitions of a single shared operating system, alongside other containers running other applications on that same operating system.  In traditional hypervisor virtualization, by contrast, a server runs several virtualized operating systems, each with its own applications.  Remember ESX?

Here is a popular graphic explaining the difference between the two types of virtualization.  The top of the graphic shows the hypervisor style, where each application gets its own virtualized operating system, while the lower portion shows a single operating system running Docker container software, with several containers sharing that one operating system.

Who cares?

Some companies think this is the future of virtualization, dismissing the traditional hypervisor model of virtualization as an archaic technology like the CD-ROM: good in its day but no longer needed.  “Everything at Google runs in a container,” according to Google.  Their entire cloud infrastructure is running on containers.  They also use another application, known as Kubernetes, to dynamically cluster containers.  The most popular container software today is known as Docker, like the formerly popular OG pleated pants, still worn by some, minus the ess.

Microsoft’s Approach

How have Microsoft and VMware reacted to this new (not really) virtualization technology?  Microsoft, to its credit, has worked to embrace the technology by allowing customers to use it within Microsoft Azure.  In fact I am going to quote their explanation of Docker and Kubernetes because they do such a nice job of explaining them: “Docker is an open-source engine that automates the deployment of any application as a portable, self-sufficient container that will run almost anywhere. Kubernetes is an open source cluster management tool, a declarative technology supporting orchestration and scheduling of Docker containers.”  Here is what they have actually implemented in Azure for the two technologies.

The key features we have implemented are documented in the Kubernetes project and can be summarized as:

  • Build a container and publish it to Azure Storage
  • Deploy an Azure cluster using container images from Azure Storage or the Docker Hub
  • Configure an Azure cluster
  • Update the Kubernetes application on an existing cluster
  • Tear down an Azure cluster

Keeping in mind that containers run on *nix, this is quite a departure from the traditional Microsoft.  While adoption and continued development will show whether Microsoft has really embraced the technology, at this point it looks like they are living up to their announcement back in July, when they stated they would support containers and were joining the open-source development project.


VMware’s Approach

VMware also announced their partnership with Google, Docker and Pivotal last week during VMworld.  Their approach is slightly different from Microsoft’s, but has similarities.  The major difference in VMware’s approach is that they support containers on top of their hypervisor, while Microsoft’s approach is more in line with the spirit of how the technology was intended to be used.  Based on what VMware has announced, it seems more like they are taking the traditional defensive approach I would have expected Microsoft to take in the past.  I am not faulting VMware for this; I am sure they are making the decisions regarding the technology that they feel are best for their vision of the company.  Keep in mind that they recently purchased AirWatch; coupled with the fact that their parent company EMC (for now) is a storage company, I believe they are planning to compete with AWS and Microsoft in the DaaS (Desktop as a Service) space.

I don’t think VMware is ready to compete with Microsoft in the DaaS space: they don’t have the equivalent of Microsoft’s Configuration Manager tooling and they don’t own the operating system, but they are getting there, so it will be an interesting battle over the next decade.

Microsoft raises Azure availability, lowers prices

Microsoft has now promised to deliver a service-level agreement (SLA) of 99.99 percent availability, equivalent to a downtime of just 53 minutes per year.

This will come as a welcome increase from the 99.95 percent previously delivered, particularly given the number of Azure outages that have occurred in recent weeks.

Alongside this, the firm has introduced a new low cost performance level called S0, enabling more customers to benefit from features in the Standard Tier. The monthly cost of S0 will be $15 and will be available from November, when the new price scheme launches.

via Microsoft raises Azure availability, lowers prices.
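Both the Azure AD Basic post above (99.9%, "three nines") and this one (99.95% raised to 99.99%) quote downtime figures derived from an SLA percentage. The following is an added example, not code from the original page or from Microsoft, that generalizes that arithmetic to any SLA and any period; the function names and the month convention (365.25 / 12 days) are my own assumptions, chosen to reproduce the figures quoted in the posts.

```python
# Downtime budget implied by an availability SLA.
# Added example; not from the original page or from Microsoft. The helper
# names and the average-month convention (365.25 / 12 days) are assumptions.

SECONDS_PER_DAY = 86_400
DAYS_PER_YEAR = 365.25            # average length over the leap-year cycle
PERIODS = {                       # period name -> length in seconds
    "day": SECONDS_PER_DAY,
    "week": 7 * SECONDS_PER_DAY,
    "month": DAYS_PER_YEAR / 12 * SECONDS_PER_DAY,
    "year": DAYS_PER_YEAR * SECONDS_PER_DAY,
}


def downtime_budget(sla_percent):
    """Return {period: allowed downtime in seconds} for an availability SLA.

    sla_percent is the guaranteed availability, e.g. 99.9 or 99.99.
    """
    if not 0 <= sla_percent <= 100:
        raise ValueError("SLA must be a percentage between 0 and 100")
    unavailable = (100 - sla_percent) / 100          # fraction of time allowed down
    return {name: length * unavailable for name, length in PERIODS.items()}


def fmt_duration(seconds):
    """Render seconds as e.g. '8h 45m 57.6s', dropping leading zero units."""
    hours, rem = divmod(seconds, 3600)
    minutes, secs = divmod(rem, 60)
    parts = []
    if hours >= 1:
        parts.append(f"{int(hours)}h")
    if hours >= 1 or minutes >= 1:
        parts.append(f"{int(minutes)}m")
    parts.append(f"{secs:.1f}s")
    return " ".join(parts)


def nines(sla_percent):
    """Count the leading nines in an SLA, e.g. 99.9 -> 3, 99.99 -> 4."""
    count = 0
    for ch in f"{sla_percent:.6f}".replace(".", ""):
        if ch != "9":
            break
        count += 1
    return count


def compare(old_sla, new_sla, period="year"):
    """Minutes of downtime per period removed by raising old_sla to new_sla."""
    old = downtime_budget(old_sla)[period]
    new = downtime_budget(new_sla)[period]
    return (old - new) / 60


if __name__ == "__main__":
    for sla in (99.9, 99.95, 99.99):
        budget = downtime_budget(sla)
        print(f"{sla}% ({nines(sla)} nines):",
              ", ".join(f"{fmt_duration(s)}/{p}" for p, s in budget.items()))
    print(f"99.95 -> 99.99 removes {compare(99.95, 99.99):.1f} min of downtime per year")
```

Running it reproduces the 1m 26.4s/day, 10m 4.8s/week and 8h 45m 57s/year figures for 99.9% and the roughly 53 minutes per year for 99.99%; the per-month figure comes out a tenth of a second above the 43m 49.7s quoted above because the post evidently used a slightly different average month length. The useful number for a risk discussion is usually the last one, `compare()`: going from 99.95% to 99.99% buys back about 210 minutes of permitted downtime per year.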

Recovering Your Files from CryptoLocker Free Tool from FireEye

Your Locker of Information for CryptoLocker Decryption | FireEye Blog.

Kudos to FireEye, not only for building and hosting this tool so consumers can get their files back, but also for their effort to acquire a large number of the private keys that made this possible.  FireEye does great work and always acts honorably.

“To help solve the problem of victims’ files still being encrypted, we leveraged our close partnership with Fox-IT. We developed a decryption assistance website and corresponding tool designed to help those afflicted with the original CryptoLocker malware.”

Azure Active Directory Sync – Beta 2 Details

Azure AD Sync Beta 2 includes new features, scenarios and troubleshooting tools, and improves stability.

New in Beta 2

    • Selective synchronization, which enables you to sync only the attributes required for the services you want to enable
    • AD password reset with multiple forests
    • Exchange hybrid deployment in multi-forest environments, which enables you to have mailboxes in Office 365 as well as in your on-premises Exchange

Sign up for the beta here.

Azure AD Sync Optional Features
Azure AD Selective Sync
More details can be read in Alex Simons’ post on the TechNet Blog.