How Many Hours In A Month?

When estimating the monthly cost of a per hour service, over the course of a year, you need to know how many hours in a month. For some reason a simple “average hours in a month” Google Search yields unhelpful results.

730.5 AVERAGE HOURS IN A MONTH

There are 365.25 Julian calendar days per year (366 days in a leap year), 24 hours in a day and 12 months.

365.25 days X 24 hours / 12 months = 730.5 hours

So now you can estimate monthly cost for hourly services, such as Cloud Services.

example: $.10/hr * 730.5 = $73.05 average cost per month over a year

SQL Server Agent Jobs on AWS RDS Multi-AZ

When running AWS RDS Microsoft SQL Server you may run into a configuration issue that may trip you up either during failover or instance upgrades.

This is taken from the Microsoft SQL Server Multi-AZ Deployment Notes and Recommendations section under the “Multi-AZ Deployments for Microsoft SQL Server with Database Mirroring” document:

If you have SQL Server Agent jobs, you need to recreate them in the secondary, as these jobs are stored in the msdb database, and this database can’t be replicated via Mirroring. Create the jobs first in the original primary, then fail over, and create the same jobs in the new primary.

This is one of the weaknesses in the Multi-AZ for RDS Server Server service.

They use mirroring to keep two RDS instances loaded with identical user table data, but they can’t mirror MSDB because it’s a system database.

One of the reasons jobs are so confusing on Multi-AZ SQL Server is, if you start off as Single-AZ, and move to Multi-AZ, all of your jobs are copied as part of the move to Multi-AZ. That’s because AWS takes a snapshot of all your data (including MSDB) and recreates it on the mirrored instance. This is where it can get confusing: people who look at a multi-AZ instance, and at a “was Single-AZ, now is Multi-AZ” and see inconsistent behavior in the jobs. But it can all be understood if you apply two rules:

  1. Jobs created when you’re Single-AZ will be copied when you move to Multi-AZ, because AWS takes a snapshot of all databases (including MSDB), but
  2. Other than that, no changes to jobs will ever be copied to the mirror unless the changes are done manually on both servers.

Continue reading

AWS Database Migration Service Endpoint Connection Issue

When setting up an AWS Database Migration Service (DMS) endpoint to an EC2 instance, within your VPC, you may get the error stating the connection could not be established and there’s a login timeout.

Test Endpoint failed: Application-Status: 1020912, Application-Message: Failed to connect Network error has occurred, Application-Detailed-Message: RetCode: SQL_ERROR SqlState: HYT00 NativeError: 0 Message: [unixODBC][Microsoft][ODBC Driver 13 for SQL Server]Login timeout expired ODBC general error.

This may be due to lack of ingress into your EC2 instance. Create a security group that allows the appropriate port into your EC2 instance, for example 1433 for SQL Server, limited to the private IP address of the DNS instance. Then attach that security group to the EC2 endpoint (database).

That’s the easy part. But how do you find the private IP? It’s not listed anywhere in the DMS console.

  1. Go to your DNS Replication Instance and copy the VPC and public IP address listed.
  2. Go to Network Interfaces inside your EC2 console.
  3. Look for the network interface with the copied public IPv4 address and VPC ID.
  4. Copy the Primary Private IPv4 IP.
  5. Go to Security Groups.
  6. Select or create on that is associated with your database endpoint instance.
  7. Add the copied IP into the source field of an inbound rule.

Elon Musk on The Joe Rogan Experience

Elon Musk is one of my favorite people to follow. I’d love to own a Tesla as well. From SpaceX to The Boring Company to Tesla, I find them all interesting.

Here’s some pretty interesting insight into Elon’s mind.

ColdFusion Docker Image Released

CFDockerTweet

On April 25, 2018, Adobe released the long awaited, official, Docker Image for ColdFusion 2016! ColdFusion 2018’s image is in the works.

I am excited about this primarily for two reasons:

#1 Development: we can create a docker image that can possibly be passed around to developers either as general use or specific to a customer’s setup. This has the potential to speed up “ramp-up time” for developers when beginning a new client workload.

#2 Fix AWS AMI’s: The current AMI solution on AWS is bleak. You’re limited to operating systems that are either the wrong flavor of Linux for you or an outdated Windows Server version. You are also stuck with the inability to upgrade the OS or ColdFusion. I’m hoping this makes its way into the AWS container library that you can lease month-to-month, both in the Standard and Enterprise flavors.

docker-cloud-serversAdobe choose the JFrog container repository over Docker Hub “due to licencing and distribution issues”. This seems to be a common theme with Adobe, but at least it’s out there. You can find these repos at https://bintray.com/eaps/coldfusion.

As of 4/26/2018, you will find the following images:

  • ColdFusion Server (2016)
  • ColdFusion Addons (2016)
  • ColdFusion API Manager (2016)
  • ColdFusion API Manager Addons (2016)

The “ColdFusion Server” contains the “barebones” only. It runs the bundled “built-in” web server (normally port 8500).

You’d then normally want to connect Apache or IIS to ColdFusion using wsconfig. However that’s not possible, in the common sense, here. The reason being is that you’re in a container that has no real access to the outside space, including your webserver services.

So in this case you’ll need to treat this as a distributed setup. You’ll need to copy some files, including wsconfig, onto your Apache file system – likely in another container. From there you’ll run wsconfig and connect it to the “remote” ColdFusion instance. There are some basic instructions at http://blogs.coldfusion.com/setting-up-coldfusion-in-distributed-envionment/ and Adobe says they will work on an official instruction set. I also plan on posting my own instructions. I don’t think this will work with IIS without a hack, but this is definitely something I’d want. The majority of web servers we maintain are IIS.

When you run the ColdFusion container, you are able to pass in a limited set of environment variables. They range include items such as password, secure profile, external session info, addons, and a startup script.

The setup script will be a .CFM file that calls the admin object. Here you will script items such as datasources. However, as far as I know, not all admin functions are available via the API. One of the major benefits of running containers is to have a disposable environment that can easily be recreated. In order to do this, you must be able to script out all your configuration. I would also like to see all settings be available in the environment variables as that’s what it’s intended for. Using a script is more or less a hack that needs additional maintenance.

Another method is mounting a volume for configuration files such as JVM.config and neo-*.xml files. I have to experiment with this to figure out how that would work.

The third method would be to mount a directory that has CAR archives into “/data” and configurations in the archive would be automatically imported during container setup. However this is a rather static method and not easy to manage. However according to Immanual Noel, on 4/27/2018, Adobe is having an issue importing DSN’s and scheduled tasks in this fashion and are currently working on this issue.

The final method would be to use Ortus’s CFConfig CLI. You could pass in a JSON string and let it build out the configuration. This might actually be one of the best ways to do it. I’m hoping Adobe’s implementation catches up to this quickly though. Ortus has great open source products for ColdFusion, but this shouldn’t be required.

The “ColdFusion Addons” container runs SOLR and PDF services. The “.NET” service will not exist as it is a Linux container. I would have preferred separating out the services though due to the container pattern of one service per container. This extends the ColdFusion container.

According to Adobe, they are not going to create a Windows container at this point due to performance issues they saw. But the great thing about Docker on Windows is that it’s capable of running both Windows and Linux containers. It’s very rare that I need to run .NET, however that does leave my 2 points out in the cold if a customer uses it.

In conclusion, I look forward to testing this out and perhaps implementing this solution where it makes sense.

Other resources to read:

  • https://www.cutterscrossing.com/index.cfm/2018/4/18/Adventures-in-Docker-Land

Password Spraying

In a statement release by Homeland Security yesterday, TA18-086A: Brute Force Attacks Conducted by Cyber Actors, they indicate that brute force attacks using a “password spraying method” is increasing. Here’s a copy:


National Cyber Awareness System:

 

TA18-086A: Brute Force Attacks Conducted by Cyber Actors

03/27/2018 06:00 PM EDT

 

Original release date: March 27, 2018

Systems Affected

Networked systems

Overview

According to information derived from FBI investigations, malicious cyber actors are increasingly using a style of brute force attack known as password spraying against organizations in the United States and abroad.

On February 2018, the Department of Justice in the Southern District of New York, indicted nine Iranian nationals who were associated with the Mabna Institute for computer intrusion offenses related to activity described in this report. The techniques and activity described herein, while characteristic of Mabna actors, are not limited solely to use by this group.

The Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) are releasing this Alert to provide further information on this activity.

Description

In a traditional brute-force attack, a malicious actor attempts to gain unauthorized access to a single account by guessing the password. This can quickly result in a targeted account getting locked-out, as commonly used account-lockout policies allow 3-to-5 bad attempts during a set period of time. During a password-spray attack (also known as the “low-and-slow” method), the malicious actor attempts a single password against many accounts before moving on to attempt a second password, and so on. This technique allows the actor to remain undetected by avoiding rapid or frequent account lockouts.

Password spray campaigns typically target single sign-on (SSO) and cloud-based applications utilizing federated authentication protocols.  An actor may target this specific protocol because federated authentication can help mask malicious traffic.  Additionally, by targeting SSO applications, malicious actors hope to maximize access to intellectual property during a successful compromise.

Email applications are also a target.  In those instances, malicious actors would have the ability to utilize inbox synchronization to (1) obtain unauthorized access to the organization’s email directly from the cloud, (2) subsequently download user mail to locally stored email files, (3) identify the entire company’s email address list, and/or (4) surreptitiously implements inbox rules for the forwarding of sent and received messages.

Technical Details

Traditional tactics, techniques, and procedures (TTP’s) for conducting the password-spray attacks are as follows:

  • Use social engineering tactics to perform online research (i.e., Google search, LinkedIn, etc.) to identify target organizations and specific user accounts for initial password spray
  • Using easy-to-guess passwords (e.g., “Winter2018”, “Password123!”) and publicly available tools, execute a password spray attack against targeted accounts by utilizing the identified SSO or web-based application and federated authentication method
  • Leveraging the initial group of compromised accounts, download the Global Address List (GAL) from a target’s email client, and perform a larger password spray against legitimate accounts
  • Using the compromised access, malicious actors attempt to expand laterally (e.g., via Remote Desktop Protocol) within the network, and perform mass data exfiltration using File Transfer Protocol tools such as FileZilla

Indicators of a password spray attack include:

  • A massive spike in attempted logons against the enterprise SSO Portal or web-based application. Using automated tools, malicious actors attempt thousands of logons, in rapid succession, against multiple user accounts at a victim enterprise, originating from a single IP address and computer (e.g., a common User Agent String). Attacks have been seen to run for over two hours
  • Employee logons from IP addresses resolving to locations inconsistent with their normal locations

Typical Victim Environment

The vast majority of known password spray victims share some of the following characteristics [1][2]:

  • Use SSO or web-based applications with federated authentication method
  • Lack multifactor authentication (MFA)
  • Allow easy-to-guess passwords (e.g., “Winter2018”, “Password123!”)
  • Use inbox synchronization allowing email to be pulled from cloud environments to remote devices
  • Allow email forwarding to be setup at the user level
  • Limited logging setup creating difficulty during post-event investigations

Impact

A successful network intrusion can have severe impacts, particularly if the compromise becomes public and sensitive information is exposed. Possible impacts include:

  • Temporary or permanent loss of sensitive or proprietary information
  • Disruption to regular operations
  • Financial losses incurred to restore systems and files
  • Potential harm to an organization’s reputation

Solution

Recommended Mitigations

To help deter this style of attack, the following steps should be taken:

  • Enable MFA and review MFA settings to ensure coverage over all active, internet facing protocols
  • Review password policies to ensure they align with the latest NIST guidelines and deter the use of easy-to-guess passwords
  • Review IT Helpdesk password management related to initial passwords, password resets for user lockouts, and shared accounts. IT Helpdesk password procedures may not align to company policy, creating an exploitable security gap
  • In addition, many companies offer additional assistance and tools the can help detect and prevent password spray attacks, such as the Microsoft blog released on March 5, 2018 (link below):

https://cloudblogs.microsoft.com/enterprisemobility/2018/03/05/azure-ad-and-adfs-best-practices-defending-against-password-spray-attacks/

Reporting Notice

The FBI encourages recipients of this document to report information concerning suspicious or criminal activity to their local FBI field office or the FBI’s 24/7 Cyber Watch (CyWatch). Field office contacts can be identified at www.fbi.gov/contact-us/field. CyWatch can be contacted by phone at (855) 292-3937 or by e-mail at CyWatch@ic.fbi.gov. When available, each report submitted should include the date, time, location, type of activity, number of people, and type of equipment used for the activity, the name of the submitting company or organization, and a designated point of contact. Press inquiries should be directed to the FBI’s national Press Office at npo@ic.fbi.gov or (202) 324-3691.

References

ST05-12 – Supplementing Passwords

Heading to MuraCon

69EF409D-B9C9-4404-AE6152196A4E039D_W354_H295At CF Webtools we not only support customers that use Mura CMS but we use it ourselves on our website at cfwebtools.com.

This year CF Webtools is proud to sponsor MuraCon!

Nick Devre and myself will be attending both the “Pre-Con Content Manager’s Training” on April 4th and the conference on April 5th to the 6th.

We will have direct access to industry experts to talk to them about challenges that we have run into along with collaborating with other community professions. This will allow us to provide our customers with great support and integration for their companies.

The conference will focus on storytelling, flow and Docker (containers). Other topics include themes, CSS, JavaScript, API, Slatwall, React, Alexa, Rest, Swagger, OAuth, ColdFusion and more!

Add a comment if you’ll be there and be sure to say hi!