BF-SIRT Newsletter 2014-35

Welcome to the newsletter! This week’s top stories include how 220 million records were stolen in a South Korean data breach, and a massive cyber attack on the oil and energy industry in Norway.

Top 5 Security links
220 million records stolen, 16 arrested in massive South Korean data breach
Massive cyber attack on oil and energy industry in Norway
Duping the machine – the cunning malware that throws off researchers
Netflix open sources internal threat monitoring tools
Russia-based hackers prime suspects in JPMorgan mega-breach

Top 5 Business Intelligence links
Security spending gets boost from mobile, social and cloud, says Gartner
Attack targets firms from the automobile industry in Europe
Akamai warns: SMB security remains major risk
Why every security-conscious organization needs a honeypot
Nearly 70 percent of IT pros target of weekly phishing attacks, HP finds

BF-SIRT Newsletter 2014-09

The most talked-about news this week concerned Apple and how an Apple Encryption Mistake Puts Many Desktop Applications At Risk. Other interesting news includes how the Source Code for Android Ibanking Bot Surfaces on Underground Forum, and how F1 team Marussia was hit by a Trojan virus.

Top 5 Security links
Apple Encryption Mistake Puts Many Desktop Applications At Risk
South Korea plans Stuxnet-style cyber weapons to sabotage North’s nuclear program
New iOS Flaw Allows Malicious Apps to Record Touch Screen Presses
F1 team Marussia hit by Trojan virus
Source Code for Android Ibanking Bot Surfaces on Underground Forum

Top 5 Business Intelligence links
AT&T and IBM Cement Security Partnership
IE Zero-day Exploit Being Used in Widespread Attacks
Oracle Introduces Mobile Security Suite for Android and iOS
Third-party programs responsible for 76% of vulnerabilities in popular software
RSA’s Coviello: Historic shift in IT use is changing society and culture

Basefarm SIRT Posts
Apple Security Updates

BF-SIRT Newsletter 2013-50

This week, Brian Krebs has written a blog post where you can Meet Paunch: The Accused Author of the BlackHole Exploit Kit. It was also reported that the French gov used fake Google certificate to read its workers’ traffic, and that a Newly Patched Office 365 Vulnerability was Used in “Ice Dagger” Targeted Attacks – Video.

As the holiday season draws closer, phishing mails also start to ramp up. Reading through how Popular holiday-themed phishing attacks work, and how to avoid them, is a good idea.

There are also vulnerabilities in Solr and Ruby on Rails, as well as the regular Patch Tuesday with patches from Adobe (Flash and Shockwave) and Microsoft.

Top 5 Security links
Four Arrested in the UK for Using Malware to Steal Money from Banks
Newly Patched Office 365 Vulnerability Used in “Ice Dagger” Targeted Attacks – Video
Meet Paunch: The Accused Author of the BlackHole Exploit Kit
DARPA Makes Finding Software Vulnerabilities Fun
Untouched P2P Communication Infrastructure Keeps ZeroAccess Up and Running

Top 5 Business Intelligence links
French gov used fake Google certificate to read its workers’ traffic
Popular holiday-themed phishing attacks
Russian-speaking Group Offers Bulletproof Hosting in Syria, Lebanon
Smarter cyber crime forces industry to change
Hackers infiltrate European ministry networks at G20 summit

BF-SIRT Posts
Patch Tuesday December 2013
Solr
Ruby on Rails vulnerability pre 3.2.16 and 4.0.2
December 13 – Improve your e-mail security
December 12 – Don’t enter your username and password on any computer you don’t control
December 11 – Learn to recognize the signs of malware
December 10 – Set up a Web Application Firewall
December 9 – Set up a separate log host
December 8 – Check your security on a regular basis
December 7 – Have an incident response plan in place

SQL Server setup fails due to partitioned network warnings from cluster service

I was building a new SQL Server 2008 R2 failover cluster recently and encountered a problem that I hadn’t seen before (which is rare, as I’ve seen A LOT of cluster setup problems in my time!). This time it was strange, as the error occurred before setup actually ran, while I was going through the dialogue boxes to configure setup.

The scenario was this:

1. Cluster was fully built and validated at a Windows level, all resources were up and OK
2. I was about to run SQL Setup when I noticed the network binding order was wrong
3. I changed this and then decided to reboot both nodes as I always do this before a cluster setup
4. The nodes came back online OK and all resources came up as well
5. I ran setup but when I got to the cluster network configuration dialog box, there were no networks to select from, so you couldn’t go forward.

My first thought was that I must have done something dumb when changing the network binding order, but checks on the network adapters showed that they were all up. I then went back through a few other things and noticed that the cause of the error was actually that the cluster service was having issues connecting to one of the networks. There were two types of error/warning in the cluster logs and the system event logs:

Error

Cluster network ‘xxxxx’ is partitioned. Some attached failover cluster nodes cannot communicate with each other over the network. The failover cluster was not able to determine the location of the failure. Run the Validate a Configuration wizard to check your network configuration. If the condition persists, check for hardware or software errors related to the network adapter. Also check for failures in any other network components to which the node is connected such as hubs, switches, or bridges.

Warning

Cluster network interface ‘xxxxx – xxxxx’ for cluster node ‘xxxxx’ on network ‘xxxxx’ is unreachable by at least one other cluster node attached to the network. The failover cluster was not able to determine the location of the failure. Run the Validate a Configuration wizard to check your network configuration. If the condition persists, check for hardware or software errors related to the network adapter. Also check for failures in any other network components to which the node is connected such as hubs, switches, or bridges.

I had to engage the help of some network specialists as I couldn’t get to the bottom of this on my own. The networks actually appeared up and we could connect to them and use them independently outside of the cluster, but the cluster was convinced that they were partitioned. To cut a long story short, after checking many things we realised that the problem was down to the fact that one of the networks was actually a teamed network implemented using BASP virtual adapters, and this network team was not coming up fast enough after the node rebooted, before the cluster service tried to bind it in as a resource.

The fix was simple, in that we set the cluster service to delayed start and then everything was fine. We didn’t need to make any configuration changes beyond this. Once the cluster service was happy that the network was OK, SQL Server setup was able to continue just fine.

Good luck with your cluster builds!
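A check for the condition described above, added here as an example and not taken from the original post: it pulls the two FailoverClustering messages quoted above from the System log, shows the cluster's own view of its networks and interfaces, and reports whether the cluster service is set to delayed auto-start, applying that setting if it is not. It assumes the FailoverClusters PowerShell module is installed, the default service name ClusSvc, the Microsoft-Windows-FailoverClustering event provider, and an elevated prompt on a cluster node.

```powershell
# Added example, not from the original post. Assumes the FailoverClusters module,
# the default cluster service name ClusSvc, and an elevated prompt on a cluster node.
Import-Module FailoverClusters

# 1. Find the "partitioned" / "unreachable" events quoted in the post (last 24 hours).
#    Matched on message text, since that is what the post quotes, not on event ID.
$since = (Get-Date).AddHours(-24)
$clusterEvents = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-FailoverClustering'
    StartTime    = $since
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'is partitioned|is unreachable by at least one other cluster node' }

if ($clusterEvents) {
    Write-Host "Partitioned/unreachable cluster network events since ${since}:"
    $clusterEvents | Select-Object TimeCreated, Id, LevelDisplayName | Format-Table -AutoSize
}

# 2. The cluster's view of each network, and any interface that is not Up
#    (the post's symptom: a network the OS sees as fine but the cluster calls partitioned).
Get-ClusterNetwork | Select-Object Name, State, Role | Format-Table -AutoSize
Get-ClusterNetworkInterface |
    Where-Object { $_.State -ne 'Up' } |
    Select-Object Node, Network, Name, State | Format-Table -AutoSize

# 3. Is ClusSvc on delayed auto-start? Delayed start gives a teamed (BASP) adapter
#    time to come up after a reboot before the cluster service tries to bind it.
#    DelayedAutostart is the registry flag behind the "Automatic (Delayed Start)" option.
$svc = Get-CimInstance Win32_Service -Filter "Name='ClusSvc'"
$delayed = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\ClusSvc' `
               -Name DelayedAutostart -ErrorAction SilentlyContinue).DelayedAutostart -eq 1
"ClusSvc StartMode=$($svc.StartMode) DelayedAutostart=$delayed"

if ($svc.StartMode -eq 'Auto' -and -not $delayed) {
    # Apply the fix from the post. Takes effect at the next boot of the node.
    sc.exe config ClusSvc start= delayed-auto
}
```

Run it on each node after the reboot that precedes SQL Server setup; if step 2 still shows a Partitioned network once ClusSvc is on delayed start, the cause is something other than adapter start-up timing.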

Kista Arbetsmarknadsdag – Basefarm Competition winner

For those of you who came to our stand at KTH earlier in the week, you may have noticed (and entered) our competition to win some very cool wireless headphones by guessing the Basefarm bandwidth we serve from our Stockholm data center.

As with all such calculations, there are slightly different ways to calculate it depending on how often you sample, what period you average over, and things like that, but the network team tell me that the correct answer is 546 Gbps (averaged on a daily basis over the year).

The lucky winner was Jennie Johansson (who guessed closest with 500), so watch out for her wearing her nice new headphones in the coming days. The prize is in the post, Jennie.