The content below is taken from the original (How virtualizing BLE Beacons will change the indoor mobile experience), to continue reading please visit the site. Remember to respect the Author & Copyright.

This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter’s approach.

Thanks to cellular GPS, the days of pulling your car over to ask for directions are long gone. It has never been easier to find your way from point A to B and to track down nearby points of interest like restaurants or gas stations.

But, what happens when you walk indoors? The “blue dot” navigation experience doesn’t exist. When inside a mall, conference center, or office complex, you are back to stopping and asking for turn-by-turn directions when needed. 

There is enormous demand for an indoor location experience that is on par with outdoor cellular GPS. Bluetooth Low Energy (BLE) is an exciting technology that promises to satisfy this demand. The major mobile device manufacturers have put their weight behind BLE beaconing standards and a robust BLE ecosystem has emerged to develop indoor location solutions. But two things have held BLE indoor location services back to date:

• The high cost of overlay networks.
• Complicated deployment and operations.

These issues have primarily been due to the fact that BLE location services require the deployment of battery-powered physical beacons, which are difficult to deploy and manage.  Fortunately, the recent introduction of new virtual beacon technology changes all that. With virtualization, BLE location services are finally ready for mass market adoption. Here’s how.

Simplified deployments using virtual beacons

BLE physical beacons are small battery operated devices that are attached to a wall or ceiling, usually about 30-50 feet apart. They broadcast BLE signals typically at -10dBm to 4bdBm of power at intervals typically ranging from .1 to 10 beacons per second. Each physical beacon must be configured and mounted manually, with extensive site surveys required for proper placement and calibration.

They are powered by batteries that can last from months to years depending on usage (stronger signals and more frequent intervals result in lower battery lives). When the battery dies on these devices, they must be found and replaced. In large venues, this can be a challenging and expensive feat, especially if beacons were lost or moved (intentionally or otherwise). For these reasons, many companies have shied away from using physical battery beacons, which has hampered the widespread deployment of BLE.

Converging BLE functionality into existing Wi-Fi networks and virtualizing the physical beacon functionality allows companies to bring indoor location functionality to their business and customers. In other words, BLE broadcast functions are moved into the standard IT infrastructure – i.e. BLE antenna are added to a Wi-Fi Access Point or deployed as a dedicated BLE-only “beacon point” that are mounted on the celling and powered via Ethernet, eliminating the need for wall-mounted beacons with batteries. These Access/Beacon Points leverage directional antennas powered by a single Bluetooth transmitter sending unique RF energy in multiple directions.

These beacon points create a flashlight-like beam with more energy pushed in front of the directional antenna than out the back or to the sides. The energy forms power distribution much like an ellipse. A probability weight is then assigned to each point in the location map. The further the expected signal strength from the measured signal strength, the lower the probability the device is at that location. By combining and then analyzing probability surfaces for every directional beam, the most likely location of a device is determined with exceptional accuracy.

Unsupervised machine learning in the cloud eliminates site surveys and ensures consistent user experience across mobile devices and space; the RF environment is constantly learned in real time. RF models (e.g. path loss formulas) are constantly updated in accordance with environmental changes, eliminating the need for site surveys and manual calibration while maximizing BLE performance.

With BLE broadcast functions moved into Access/Beacon Points and location services handled in the cloud, there is no longer a need for physical BLE beacons. Virtual beacons can be added and moved anywhere on a floor using a software UI or programmable workflows. Power and interval settings can be configured and adjusted remotely (see figure below). In addition, different organizations can manage and operate their own beacons in the same venue, with an unlimited number of beacons available for deployment.

MIST

In summary, virtual beacons offer many advantages over physical beacons, which include:

• No batteries.
• Beacons are easy to setup and move.
• No risk of loss or theft or movement from a beacon’s original position.
• Building aesthetics are not affected by the deployment of physical devices.
• Virtual beacons are stackable so different applications and tenants can get different messages.
• No site surveys or ongoing calibration required.

Do virtual beacons eliminate the need entirely for physical BLE beacons? While this is possible in theory, physical beacons still make sense in areas that are hard to reach from traditional WLAN access points. For example, rooms with high ceilings (like an atrium) still benefit form physical beacons, as do outdoor facilities or very high density environments that require accuracy within one to three meters.

BLE has the ability to deliver amazing new indoor location-based experiences that are on par with outdoor GPS. By converging it with Wi-Fi and using machine learning in the cloud to optimize location performance, BLE is easier than ever to deploy. In addition, beacons can now be virtualized for simple moves, adds and changes with no costly site surveys or manual calibration.

The world is ready for new indoor location experiences. With virtual BLE, mass market adoption is just a few clicks away.

Join the Network World communities on

Facebook

and

LinkedIn

to comment on topics that are top of mind.

The content below is taken from the original (Y’know CSS was to kill off HTML table layout? Well, second time’s a charm: Meet CSS Grid), to continue reading please visit the site. Remember to respect the Author & Copyright.

The content below is taken from the original (Forget robot overlords, humankind will get finished off by IoT), to continue reading please visit the site. Remember to respect the Author & Copyright.

The content below is taken from the original (G Suite vs. Office 365 cloud collaboration battle heats up), to continue reading please visit the site. Remember to respect the Author & Copyright.

The content below is taken from the original (How to leak data from an air-gapped PC – using, er, a humble scanner), to continue reading please visit the site. Remember to respect the Author & Copyright.

The content below is taken from the original (Solution guide: Archive your cold data to Google Cloud Storage with Komprise), to continue reading please visit the site. Remember to respect the Author & Copyright.

By Manvinder Singh, Strategic Technology Partnerships, Google Cloud

More than 56% of enterprises have more than half a petabyte of inactive data but this “cold” data often lives on expensive primary storage platforms. Google Cloud Storage provides an opportunity to store this data cost-effectively and achieve significant savings, but storage and IT admins often face the challenge of how to identify cold data and move it non-disruptively.

Komprise, a Google Cloud technology partner, provides software that analyzes data across NFS and SMB/CIFS storage to identify inactive/cold data, and moves the data transparently to Cloud Storage, which can help to cut costs significantly. Working with Komprise, we’ve prepared a full tutorial guide that describes how customers can understand data usage and growth in their storage environment, get a customized ROI analysis and move this data to Cloud Storage based on specific policies.

Cloud Storage provides excellent options to customers looking to store infrequently accessed data at low cost using Nearline or Coldline storage tiers. If and when access to this data is needed, there are no access time penalties; the data is available almost immediately. In addition, built-in object-level lifecycle management in Cloud Storage reduces the burden for admins by enabling policy-based movement of data across storage classes. With Komprise, customers can bring lifecycle management to their on-premise primary storage platforms and seamlessly move this data to the Cloud. Komprise deploys in under 15 minutes, works across NFS, SMB/CIFS and object storage without any storage agents, adapts to file-system and network loads to run non-intrusively in the background and scales out on-demand.

Teams can get started through this self-service tutorial or watch this on-demand webinar featuring Komprise’ COO Krishna Subramanian and Google Cloud Storage Product Manager Ben Chong. As always, don’t hesitate to reach out to us to explore which enterprise workloads make the most sense for your cloud initiatives.

The content below is taken from the original (Building a Location Beacon Using Microsoft Flow, Power BI, and Azure Functions), to continue reading please visit the site. Remember to respect the Author & Copyright.

Okay, I admit that the title of this post is a bit 1984’ish. Trust me, that is not the intention, so let me explain this a bit before showing you how to build a production-ready solution using Office 365 and Microsoft Azure for locating your dearest and nearest colleagues when you’re out and about.

The Premise

I run my own company, Onsight Helsinki, and we’re a team of about 30 people and counting. One of the major philosophies that I try to cultivate within our company culture is flexibility and freedom, along with the corresponding responsibility. What this boils down to is the fact that often our people are scattered around Finland and surrounding countries with their projects, classroom training, and those endless Skype conference calls.

We still have physical desks. Everybody has a dedicated desk because I felt it would make people feel more comfortable on those occasional days when they do visit the office.

So, the view when I (rarely) visit the office is something like in the picture below.

Where’s everybody? I can always check Skype for Business, but it doesn’t help me much.

Armed with this dilemma, I started building a solution that would allow me to provide a way for people to post their location, either semi-automatically or as a fully automated solution. You might call it a tracking solution, but I’d be inclined to call this a voluntary “hey, I’m currently here” location beacon. It could just be that a team member is currently staying in the same hotel as I am, unbeknownst to me. This has happened for us more than once.

The Solution

First off, I wanted my solution to contain as little custom code as possible. Not because I dislike writing code, but because for such a small solution as this a huge amount of custom code tends to distract us in the long run. It’s also easier for someone else to pick up from here and expand the solution. We built a more one-off solution than a platform for this very specific need.

I started drawing out the overall architecture on a napkin while having solitary lunch in early January. Unfortunately, the napkin did not survive.

I wanted people to have a mechanism for checking in — wherever they are. When they’ve checked in, we record the GPS latitude and longitude coordinates of the device and save them to a shared repository. That would be a SharePoint Online-based custom list as it’s so easy to use, and it’s very flexible should the needs of the solution grow in the future.

From a SharePoint-based list, we can then pick the location metadata and plot people’s location on a map, which I can easily create with Power BI. The same Power BI visualization is also available through the Power BI mobile app for a quick glance of everyone’s whereabouts.

For people to check in using the solution, we decided to use Microsoft Flow — it has a handy button-based triggering mechanism and it can retrieve the latitude and longitude coordinates automatically from the device. With a recent update, Flow can also capture mandatory metadata as part of the trigger event — such as the person’s name.

Power BI is more than happy with latitude and longitude values, but it’s less useful for human eyes. In case you just want to produce a report of everyone’s locations — say, a street address perhaps — I’m employing Azure Functions. With this serverless approach, we have a smart and endlessly flexible solution to gather more data based on simple latitude and longitude value.

Building the Solution

Microsoft Flow is highly useful for building simple or more complex workflows without much deliberation. The process I built is rather simple, and it looks like this:

The Flow is triggered manually on the mobile device through a button, which is visible on a mobile device. This is step 1 in the Flow above. The button also captures the user’s first and last name, which we’ll use to differentiate between multiple check-ins.

During step 2, we’re calling our custom Azure Function, which is used to gather more metadata besides the crude location of the device. This is also a great extension point for future changes, should we have a need for something more elaborate.

Google Maps provides a nifty set of APIs that help us achieve just this. By calling the Google Maps Geocode API, I can pass on a latitude and a longitude and get Google Maps based data in return. For more information on this API, see here.

Unfortunately, Microsoft Flow is somewhat lacking in its capability to call external APIs with finely tuned parameters and contracts, so this is where Azure Functions comes into play.

We created a simple C#-based Azure Function, that takes a latitude and longitude parameter in the HTTP request, passes them on to Google Maps Geocode API with my developer key, and gets the street address (and a lot of other data that I might need later on) back. The Flow calls my function with the mobile device’s latitude and longitude coordinates, which subsequently passes them on to Google Maps, and we get information back.

The relevant portion of the code is here:

// parse query parameter
string latlon = req.GetQueryNameValuePairs()
.FirstOrDefault(q => string.Compare(q.Key, "latlon", true) == 0)
.Value;

// Set name to query string or body data
latlon = latlon ?? data?.latlon;

var URI = "http://bit.ly/2oDmHL3; + latlon + "&key=<InsertDeveloperKeyHere>";

// // call Google LatLon API
var request = System.Net.WebRequest.Create(URI) as HttpWebRequest;
request.Method = "POST";
request.ContentType = "application/json";
request.ContentLength = 0;
WebResponse response = request.GetResponse ();

StreamReader reader = new StreamReader(response.GetResponseStream());
string json = reader.ReadToEnd();

We can now deserialize the response data (which is a JSON dataset essentially), and look up any information we might need. We’re picking the formatted street address for now, and storing that to the SharePoint list at step 3.

Flow Designer makes it immensely easy to get data from an external API and simply use the response when populating data back to SharePoint Online.

This is the raw data that Flow is able to capture from mobile devices, that are then stored in the SharePoint list.

The Location column holds the data from Google Maps, and Lat and Lon columns contain the exact coordinates for the mobile device at the time of the check in. In addition, we’re using a timestamp column (the Check-in time-column) to filter out older check-ins.

On my Google Nexus 6P, an Android-based phone, the experience looks like this:

Finally, putting the data in a visualization with Power BI is easy. Power BI can employ data from SharePoint Online, and as we have the exact coordinates, we can use a Map control to visualize location data.

In the picture above you can see I’ve checked in from Dublin, and my colleague Heidi checked in from Espoo, a city next to Helsinki in Finland.

Final Thoughts

It took me about 4 hours to build the end-to-end solution. The trickiest part was to build the Azure Function, as I had to figure out what kind of data I am getting from Google Maps, and how to best deserialize the data in a class that I would find comfortable to use in my solution. Everything else — the Flow, SharePoint list, and Power BI solution is a point-and-click exercise, which allows for an easy trial and error while validating the results.

The post Building a Location Beacon Using Microsoft Flow, Power BI, and Azure Functions appeared first on Petri.

The content below is taken from the original (This company is turning FAQs into Alexa skills), to continue reading please visit the site. Remember to respect the Author & Copyright.

The content below is taken from the original (Here’s how Microsoft is helping companies build IoT hardware), to continue reading please visit the site. Remember to respect the Author & Copyright.

The content below is taken from the original (Is it on AWS? Domain Identification Using AWS Lambda), to continue reading please visit the site. Remember to respect the Author & Copyright.

In the guest post below, my colleague Tim Bray explains how he built IsItOnAWS.com . Powered by the list of AWS IP address ranges and using a pair of AWS Lambda functions that Tim wrote, the site aims to tell you if your favorite website is running on AWS.

— Jeff;

Is it on AWS?
I did some recreational programming over Christmas and ended up with a little Lambda function that amused me and maybe it’ll amuse you too. It tells you whether or not a given domain name (or IP address) (even IPv6!) is in the published list of AWS IP address ranges. You can try it out over at IsItOnAWS.com. Part of the construction involves one Lambda function creating another.

That list of of ranges, given as IPv4 and IPv6 CIDRs wrapped in JSON, is here; the how-to documentation is here and there’s a Jeff Barr blog. Here are a few lines of the “IP-Ranges” JSON:

{
  "syncToken": "1486776130",
  "createDate": "2017-02-11-01-22-10",
  "prefixes": [
    {
      "ip_prefix": "13.32.0.0/15",
      "region": "GLOBAL",
      "service": "AMAZON"
    },
    ...
  "ipv6_prefixes": [
    {
      "ipv6_prefix": "2400:6500:0:7000::/56",
      "region": "ap-southeast-1",
      "service": "AMAZON"
    },

As soon as I saw it, I thought “I wonder if IsItOnAWS.com is available?” It was, and so I had to build this thing. I wanted it to be:

1. Serverless (because that’s what the cool kids are doing),
2. simple (because it’s a simple problem, look up a number in a range of numbers), and
3. fast. Because well of course.

Database or Not?
The construction seemed pretty obvious: Simplify the IP-Ranges into a table, then look up addresses in it. So, where to put the table? I thought about Amazon DynamoDB, but it’s not obvious how best to search on what in effect is a numeric range. I thought about SQL databases, where it is obvious, but note #2 above. I thought about Redis or some such, but then you have to provision instances, see #1 above. I actually ended up stuck for a few days scratching my head over this one.

Then a question occurred to me: How big is that list of ranges? It turns out to have less than a thousand entries. So who needs a database anyhow? Let’s just sort that JSON into an array and binary-search it. OK then, where does the array go? Amazon S3 would be easy, but hey, look at #3 above; S3’s fast, but why would I want it in the loop for every request? So I decided to just generate a little file containing the ranges as an array literal, and include it right into the IsItOnAWS Lambda function. Which meant I’d have to rebuild and upload the function every time the IP addresses change.

It turns out that if you care about those addresses, you can subscribe to an Amazon Simple Notification Service (SNS) topic that will notify you whenever it changes (in my recent experience, once or twice a week). And you can hook your subscription up to a Lambda function. With that, I felt I’d found all the pieces anyone could need. There are two Lambda functions: the first, newranges.js, gets the change notifications, generates the JavaScript form of the IP-Ranges data, and uploads a second Lambda function, isitonaws.js, which includes that JavaScript. Vigilant readers will have deduced this is all with the Node runtime.

The new-ranges function, your typical async/waterfall thing, is a little more complex than I’d expected going in.

Postmodern IP Addresses
Its first task is to fetch the IP-Ranges, a straightforward HTTP GET. Then you take that JSON and smooth it out to make it more searchable. Unsurprisingly, there are both IPv4 and IPv6 ranges, and to make things easy I wanted to mash ’em all together into a single array that I could search with simple string or numeric matching. And since IPv6 addresses are way too big for JavaScript numbers to hold, they needed to be strings.

It turns out the way the IPv4 space embeds into IPv6’s ("::ffff:0:0/96") is a little surprising. I’d always assumed it’d be like the BMP mapping into the low bits of Unicode. I idly wonder why it’s this way, but not enough to research it.

The code for crushing all those CIDRs together into a nice searchable array ended up being kind of brutish, but it gets the job done.

Building Lambda in Lambda
Next, we need to construct the lambda that’s going to actually handle the IsItOnAWS request. This has to be a Zipfile, and NPM has tools to make those. Then it was a matter of jamming the zipped bytes into S3 and uploading them to make the new Lambda function.

The sharp-eyed will note that once I’d created the zip, I could have just uploaded it to Lambda directly. I used the S3 interim step because I wanted to to be able to download the generated “ranges” data structure and actually look at it; at some point I may purify the flow.

The actual IsItOnAWS runtime is laughably simple, aside from a bit of work around hitting DNS to look up addresses for names, then mashing them into the same format we used for the ranges array. I didn’t do any HTML templating, just read it out of a file in the zip and replaced an invisible <div> with the results if there were any. Except for, I got to code up a binary search method, which only happens once a decade or so but makes me happy.

Putting the Pieces Together
Once I had all this code working, I wanted to connect it to the world, which meant using Amazon API Gateway. I’ve found this complex in the past, but this time around I plowed through Create an API with Lambda Proxy Integration through a Proxy Resource, and found it reasonably linear and surprise-free.

However, it’s mostly focused on constructing APIs (i.e. JSON in/out) as opposed to human experiences. It doesn’t actually say how to send HTML for a human to consume in a browser, but it’s not hard to figure out. Here’s how (from Node):

context.succeed({
  "statusCode": 200,
  "headers": { "Content-type": "text/html" },
  "body": "<html>Your HTML Here</html>"
});

Once I had everything hooked up to API Gateway, the last step was pointing isitonaws.com at it. And that’s why I wrote this code in December-January, but am blogging at you now. Back then, Amazon Certificate Manager (ACM) certs couldn’t be used with API Gateway, and in 2017, life is just too short to go through the old-school ceremony for getting a cert approved and hooked up. ACM makes the cert process a real no-brainer. What with ACM and Let’s Encrypt loose in the wild, there’s really no excuse any more for having a non-HTTPS site. Both are excellent, but if you’re using AWS services like API Gateway and CloudFront like I am here, ACM is a smoother fit. Also it auto-renews, which you have to like.

So as of now, hooking up a domain name via HTTPS and CloudFront to your API Gateway API is dead easy; see Use Custom Domain Name as API Gateway API Host Name. Worked for me, first time, but something to watch out for (in March 2017, anyhow): When you get to the last step of connecting your ACM cert to your API, you get a little spinner that wiggles at you for several minutes while it hooks things up; this is apparently normal. Fortunately I got distracted and didn’t give up and refresh or cancel or anything, which might have screwed things up.

By the way, as a side-effect of using API Gateway, this is all running through CloudFront. So what with that, and not having a database, you’d expect it to be fast. And yep, it sure is, from here in Vancouver anyhow. Fast enough to not bother measuring.

I also subscribed my email to the “IP-Ranges changed” SNS topic, so every now and then I get an email telling me it’s changed, and I smile because I know that my Lambda wrote a new Lambda, all automatic, hands-off, clean, and fast.

— Tim Bray, Senior Principal Engineer

The content below is taken from the original (Cloud Foundry launches its developer certification program), to continue reading please visit the site. Remember to respect the Author & Copyright.

The content below is taken from the original (Adding offerings and UK Region: Azure rolls deep with PCI DSS v3.2), to continue reading please visit the site. Remember to respect the Author & Copyright.

Check out our AoC

Go here to download Azure’s Payment Card Industry Data Security Standard (PCI DSS) v3.2  Attestation of Compliance (AoC)! When it comes to enabling customers who want or need to operate in a cloud environment AND also need to adhere to the global standards designed to prevent credit card fraud, they need look no further than Azure. 

Why put off until 2018 what you can do today?

When it comes to security and compliance, we are always ready to act. The DSS v3.2 contains several requirements that don’t take effect until January 2018, and while it is possible to get a v3.2 certification without meeting these future requirements, Azure has already adopted them and is currently compliant with all new requirements!

UK, too!

Azure has also added the UK region to our list of PCI-certified datacenters, while expanding coverage within previously certified regions around the world. A new version of our PCI Responsibility Matrix will be released shortly, keep an eye out for that announcement coming soon.

More services = More options for customers

Azure has again increased the coverage of our attestation to keep up with customer needs and we continue to be unmatched amongst Cloud Service Providers in the depth and breadth of offerings with PCI DSS v3.2. A sample of the services added in this attestation include:

Note: Refer to the latest AoC for the full list of services and regions covered. 

• DocumentDB
• Data Catalog
• Machine Learning
• Functions
• Virtual Machine Scale Sets

AoC FAQs and Highlights

Why does the AoC say “April 2016”?

The front page and footer of the AoC says “April 2016”.  This is the date that the template was published by the PCI SSC, it is not the date of our AoC.  Many customers get confused by this, but we are not able to modify the AoC template. Refer to page 76 of the AoC for the date it was actually signed and issued. 

How should I interpret the service listing in the AoC?

We have received feedback in the past that it was difficult to understand what services were covered in the AoC. This was mainly because the services were listed under the groupings and internal names our Qualified Security Assessor (QSA) used for the assessment, along with the fact that many services got re-branded shortly after our 2015 AoC was released.

We incorporated that feedback in the release of our 2016 AoC, and have again updated the service listing in the 2017 AoC to reflect the current set of Azure offerings. Please be aware that if an Azure service is re-branded we are not able to retroactively update the AoC.  If you have questions about the status of an Azure service, please contact Azure support or your TAM. 

Why isn’t Azure assessed as a “Shared Hosting Provider”?

The shared hosting provider designation in PCI DSS is for situations where multiple customers are being hosted on a single server, but doesn’t take into account hosting of isolated virtualized environments.  An example of shared hosting is if a service provider was hosting multiple customer websites on a single physical web server. In that situation, there is no segregation between the customer environments. Azure is not considered a shared hosting provider for PCI because customer VMs and environments are segregated and isolated from each other. So changes made to “Customer X’s” VM does not affect “Customer Y’s” VM, even under the scenario that both VMs are hosted on the same physical host.  

The content below is taken from the original (Microsoft Azure Hands-on Labs now available at Cloud Academy!), to continue reading please visit the site. Remember to respect the Author & Copyright.

The content below is taken from the original (Brit telcos will waive early termination fees for military personnel), to continue reading please visit the site. Remember to respect the Author & Copyright.

The content below is taken from the original (How Azure Security Center helps reveal a Cyberattack), to continue reading please visit the site. Remember to respect the Author & Copyright.

The Azure Security Center (ASC) analysts team reviews and investigates ASC alerts to gain insight into security incidents affecting Microsoft Azure customers, helping improve Azure Security alerts and detections. ASC helps customers keep pace with rapidly evolving threats by using advanced analytics and global threat intelligence.

Although we have come a long way as far as cloud security is concerned, even today security factors are heavily discussed as companies consider moving their assets to the cloud. The Azure Security Center team understands how critical it is for our customers to be assured that their Azure deployments are secure, not only from advanced attacks but even from the ones that are not necessarily new or novel. The beauty of ASC lies in its simplicity. Although ASC uses machine learning, anomaly detection, and behavioral analysis to determine suspicious events, it still addresses simple things like SQL brute force attacks that Bad Guys/Script Kiddies are using to break into Microsoft SQL servers.

In this blog, we’ll map out the stages of one real-world attack campaign that began with a SQL Brute Force attack, which was detected by the Security Center, and the steps taken to investigate and remediate the attack. This case study provides insights into the dynamics of the attack and recommendations on how to prevent similar attacks in your environment.

Initial ASC alert and details

Hackers are always trying to target internet connected databases. There are tons of bad guys trying to discover IP addresses that have SQL Server running so that they can crack their password through a brute force attack. The SQL database can contain a wealth of valuable information for the attackers, including personally identifiable information, credit card numbers, intellectual property, etc. Even if the database doesn’t have much information, a successful attack on an insecurely configured SQL installation can be leveraged to get full system admin privileges.

Our case started with an ASC Alert notification to the customer detailing malicious SQL activity. A command line “ftp -s:C:\zyserver.txt” launched by the SQL service account was unusual and flagged as by ASC Alerts.

The alert provided details such as date and time of the detected activity, affected resources, subscription information, and included a link to a detailed report of the detected threat and recommended actions.

Through our monitoring, the ASC analysts team was also alerted to this activity and looked further into the details of the alert. What we discovered was the SQL service account (SQLSERVERAGENT) was creating FTP scripts (i.e.: C:\zyserver.txt), which was used to download and launch malicious binaries from an FTP site.

The initial compromise

A deeper investigation into the affected Azure subscription began with inspection of the SQL error and trace logs where we found indications of SQL Brute Force attempts. In the SQL error logs, we encountered hundreds of “Audit Login Failed” logon attempts for the SQL Admin ‘sa’ account (built-in SQL Server Administration) which eventually led up to a successful login.

These brute force attempts occurred over TCP port 1433, which was exposed on a public facing interface. TCP port 1433 is the default port for SQL Server.

Note: It is a very common recommendation to change the SQL default port 1433, this may impart a “false sensation of security”, because many port scanning tools can scan a “range” of network ports and eventually find SQL listening on ports other than 1433.

Once the SQL Admin ‘sa’ account was compromised by brute force, the account was then used to enable the ‘xp_cmdshell’ extended stored procedure as we’ve highlighted below in a SQL log excerpt.

The ‘xp_cmdshell’ stored procedure is disabled by default and is of particular interest to attackers because of its ability to invoke a Windows command shell from within Microsoft SQL Server. With ‘xp_cmdshell enabled, the attacker created SQL Agent jobs which invoked ‘xp_cmdshell’ and launched arbitrary commands, including the creation and launch of FTP scripts which, in turn, downloaded and ran malware.

Details of malicious activity

Once we determined how the initial compromise occurred, our team began analyzing Process Creation events to determine other malicious activity. The Process Creation events revealed the execution of a variety of commands, including downloading and installing backdoors and arbitrary code, as well as permission changes made on the system.

Below we have detailed a chronological layout of process command lines that we determined to be malicious:

A day after the initial compromise we began to see the modification of ACLS on files/folders and registry keys with use of Cacls.exe (which appears to have been renamed to osk.exe and vds.exe).

Note: Osk.exe is the executable for the Accessibility On-Screen Keyboard and Vds.exe is the Virtual Disk Service executable, both typically found on a Windows installation. The command lines and command switches detailed below, however, are not used for Osk.exe or VDS.exe and are associated with Cacls.exe.

The Cacls.exe command switches /e /g is used to grant the System account full(:f) access rights to ‘cmd.exe’ and ‘net.exe’.

A few seconds later, we see the termination of known Antivirus Software using the Windows native “taskkill.exe”.

This was followed by the creation of and FTP script (c:\zyserver.txt ) which was flagged in the original ASC Alert. This FTP script appears to download malware (c:\stserver.exe) from a malicious FTP site and subsequently launch the malware.

A few minutes later, we see the “net user” and “net localgroup” commands used to accomplish the following:

a.    Activate the built-in guest account and add it to the Administrators group

b.   Create a new user account and add the newly created user to the Administrators group

A little over 2 hours later, we see the regini.exe command which appears to be used to create, modify, or delete registry keys. Regini can also set permissions on the registry keys as defined in the noted .ini file. We then see, regsvr32.exe silently (/s switch) registering dlls related to the Windows shell (urlmon.dll, shdocvw.dll) and Windows scripting (jscript.dll, vbscript.dll, wshom.ocx).

This is immediately followed by additional modification of permissions on various Windows executables. Essentially resetting each to default with the “icacls.exe” command.

Note: The /reset switch replaces ACLs with default inherited ACLs for all matching files.

Lastly, we observed the deletion of “Terminal Server” fDenyTSConnections registry key. This is a registry key that contains the configuration of Terminal Server connection restrictions. This led us to believe that malicious RDP connections may be the next step for the attacker to access the server. Inspection of logon events did not reveal to us any malicious RDP attempts or connections, however:

• Disabling of Terminal Server connection restrictions by overwriting values in the “Terminal Server” registry key
  reg.exe ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 00000000 /f" 

We also noticed and Scheduled task created. This task referenced a binary named “svhost.exe” to be launched out of the C:\RECYCLER folder, which is suspicious.

Note that the legitimate “svchost.exe” files located in the “\Windows\System32” and “Windows\sysWOW64”. Svchost.exe running from any other directory should be considered suspicious.

• Persistence mechanism – Task Scheduler utility (schtasks.exe) used to set a recurring task
  C:\Windows\System32\schtasks.exe /create /tn "45645" /tr "C:\RECYCLER\svchost.exe" /sc minute /mo 1 /ru "system 

Recommended remediation and mitigation steps

Once we understood the extent and the details of the attack, we recommended the following remediation and mitigation steps to be taken.

First, if possible, we first recommended the backup and rebuild the SQL Server and reset all user accounts. We then implement the following mitigation steps to help prevent further attacks.

1. Disable ‘sa’ account and use the more secure Windows Authentication

To disable ‘sa’ login via SQL, run the following commands as a sys admin

ALTER LOGIN sa DISABLE

GO

2. To help prevent attackers from guessing the ‘sa’ account, rename the ‘sa’ account
To rename the ‘sa’ account via SQL, run the following as a sys admin:

ALTER LOGIN sa WITH NAME = [new_name];

GO

3. To prevent future brute force attempts, change and harden the ‘sa’ password and set the sa Login to ‘Disabled’.

Learn how to verify and change the system administrator password in MSDE or SQL Server 2005 Express Edition.

4. It’s also a good idea to ensure that ‘xp_cmdshell’ is disabled. Again, note that this should be disabled by default.

5. Block port TCP port 1433 if it is not needed be opened to the internet. From your Azure Portal, take the following steps to configure a Rule to block 1433 in Network Security Group

a. Open the Azure portal

b. Navigate to > (More Services) -> Network security groups

c. If you have opted into the Network Security option, you will see an entry for <ComputerName-nsg> — click it to view your Security Rules

d. Under Settings click "Inbound security rules" and then click +Add on the next pane

e. Enter the Rule name and Port information.Under the ‘Service’ pulldown, choose MS SQL and it will automatically select Port range = 1433 as detailed below.

f. Then apply the newly created rule to the subscription

6. Inspect all stored procedures that may have been enabled in SQL and look for stored procedures that may be implementing ‘xp_cmdshell’ and running unusual command.

For example, in our case, we identified the following commands:

7. Lastly, we highly recommend configuring Azure subscription(s) to receive future alerts and email notifications from Microsoft Azure Security Center. To receive alerts and email notifications of security issues like this in the future, we recommended upgrading from ASC “Free” (basic detection) tier to ASC “Standard” (advanced detection) tier.

Below is an example of the email alert received from ASC when this SQL incident was detected:

Learn more about SQL detection

• Azure SQL Database Threat Detection–Advanced DB Security in the Cloud
• Protect Azure SQL Databases with Azure Security Center
• SQL Threat Detection – Your built-in security expert

The content below is taken from the original (One-click disaster recovery of applications using Azure Site Recovery), to continue reading please visit the site. Remember to respect the Author & Copyright.

Disaster recovery is not only about replicating your virtual machines but also about end to end application recovery that is tested multiple times, error free, and stress free when disaster strikes, which are the Azure Site Recovery promises. If you have never seen your application run in Microsoft Azure, chances are that when a real disaster happens, the virtual machines may just boot, but your business may remain down. The importance and complexity involved in recovering applications was described in the previous blog of this series – Disaster recovery for applications, not just virtual machines using Azure Site Recovery. This blog covers how you can use the Azure Site Recovery construct of recovery plans to failover or migrate applications to Microsoft Azure in the most tested and deterministic way, using an example of recovering a real-world application to the public cloud.  

Why use Azure Site Recovery “recovery plans”?

Recovery plans help you plan for a systematic recovery process by creating small independent units that you can manage. These units will typically represent an application in your environment. Recovery plan not only allows you to define the sequence in which the virtual machines start, but also helps you automate common tasks during recovery.

Essentially, one way to check that you are prepared for disaster recovery is by ensuring that every application of yours is part of a recovery plan and each of the recovery plans is tested for recovery to Microsoft Azure. With this preparedness, you can confidently migrate or failover your complete datacenter to Microsoft Azure.
 
Let us look at the three key value propositions of a recovery plan:

• Model an application to capture dependencies
• Automate most recovery tasks to reduce RTO
• Test failover to be ready for a disaster

Model an application to capture dependencies

A recovery plan is a group of virtual machines generally comprising an application that failover together. Using the recovery plan constructs, you can enhance this group to capture your application-specific properties.
 
Let us take the example of a typical three tier application with

• one SQL backend
• one middleware
• one web frontend

The recovery plan can be customized to ensure that the virtual machines come up in the right order post a failover. The SQL backend should come up first, the middleware should come up next, and the web frontend should come up last. This order makes certain that the application is working by the time the last virtual machine comes up. For example, when the middleware comes up, it will try to connect to the SQL tier, and the recovery plan has ensured that the SQL tier is already running. Frontend servers coming up last also ensures that end users do not connect to the application URL by mistake until all the components are up are running and the application is ready to accept requests. To build these dependencies, you can customize the recovery plan to add groups. Then select a virtual machine and change its group to move it between groups.

Once you complete the customization, you can visualize the exact steps of the recovery. Here is the order of steps executed during the failover of a recovery plan:

• First there is a shutdown step that attempts to turn off the virtual machines on-premises (except in test failover where the primary site needs to continue to be running)
• Next it triggers failover of all the virtual machines of the recovery plan in parallel. The failover step prepares the virtual machines’ disks from replicated data.
• Finally the startup groups execute in their order, starting the virtual machines in each group – Group 1 first, then Group 2, and finally Group 3. If there are more than one virtual machines in any group (for example, a load-balanced web frontend) all of them are booted up in parallel.

Sequencing across groups ensures that dependencies between various application tiers are honored and parallelism where appropriate improves the RTO of application recovery.

Automate most recovery tasks to reduce RTO

Recovering large applications can be a complex task. It is also difficult to remember the exact customization steps post failover. Sometimes, it is not you, but someone else who is unaware of the application intricacies, who needs to trigger the failover. Remembering too many manual steps in times of chaos is difficult and error prone. A recovery plan gives you a way to automate the required actions you need to take at every step, by using Microsoft Azure Automation runbooks. With runbooks, you can automate common recovery tasks like the examples given below. For those tasks that cannot be automated, recovery plans also provide you the ability to insert manual actions.

• Tasks on the Azure virtual machine post failover – these are required typically so that you can connect to the virtual machine, for example:
  • Create a public IP on the virtual machine post failover
  • Assign an NSG to the failed over virtual machine’s NIC
  • Add a load balancer to an availability set

• Tasks inside the virtual machine post failover – these reconfigure the application so that it continues to work correctly in the new environment, for example:
  • Modify the database connection string inside the virtual machine
  • Change web server configuration/rules

For many common tasks, you can use a single runbook and pass parameters to it for each recovery plan so that one runbook can serve all your applications. To deploy these scripts yourself and try them out, click the button below and import popular scripts into your Microsoft Azure Automation account.

 
With a complete recovery plan that automates the post recovery tasks using automation runbooks, you can achieve one-click failover and optimize the RTO. 

Test failover to be ready for a disaster

A recovery plan can be used to trigger both a failover or a test failover. You should always complete a test failover on the application before doing a failover. Test failover helps you to check whether the application will come up on the recovery site.  If you have missed something, you can easily trigger cleanup and redo the test failover. Do the test failover multiple times until you know with certainty that the application recovers smoothly.

Each application is different and you need to build recovery plans that are customized for each. Also, in this dynamic datacenter world, the applications and their dependencies keep changing. Test failover your applications once a quarter to check that the recovery plan is current.

Real-world example – WordPress disaster recovery solution

Watch a quick video of a two-tier WordPress application failover to Microsoft Azure and see the recovery plan with automation scripts, and its test failover in action using Azure Site Recovery.

• The WordPress deployment consists of one MySQL virtual machine and one frontend virtual machine with Apache web server, listening on port 80.
• WordPress deployed on the Apache web server is configured to communicate with MySQL via the IP address 10.150.1.40.
• Upon test failover, the WordPress configuration needs to be changed to communicate with MySQL on the failover IP address 10.1.6.4. To ensure that MySQL acquires the same IP address every time on failover, we will configure the virtual machine properties to have a preferred IP address set to 10.1.6.4.

With relentless focus on ensuring that you succeed with full application recovery, Azure Site Recovery is the one-stop shop for all your disaster recovery needs. Our mission is to democratize disaster recovery with the power of Microsoft Azure, to enable not just the elite tier-1 applications to have a business continuity plan, but offer a compelling solution that empowers you to set up a working end to end disaster recovery plan for 100% of your organization’s IT applications.

You can check out additional product information and start replicating your workloads to Microsoft Azure using Azure Site Recovery today. You can use the powerful replication capabilities of Azure Site Recovery for 31 days at no charge for every new physical server or virtual machine that you replicate, whether it is running on VMware or Hyper-V. To learn more about Azure Site Recovery, check out our How-To Videos. Visit the Azure Site Recovery forum on MSDN for additional information and to engage with other customers, or use the Azure Site Recovery User Voice to let us know what features you want us to enable next.