Google’s Automated Outage | TechSNAP 147

Microsoft has been breached, Google suffers a major outage, and finally some solid technical details on Target’s massive credit card hack.

Plus a great batch of your questions, a rockin roundup, and much much more.

Thanks to:

  • GoDaddy
  • Ting


— Show Notes: —

Microsoft breach leads to hackers stealing Law Enforcement documents

  • According to the company, a number of Microsoft employees were targeted with attacks aiming to compromise both email and social media accounts, and in some cases, the attacks were successful.
  • “It appears that documents associated with law enforcement inquiries were stolen,” Adrienne Hall, General Manager at Microsoft’s Trustworthy Computing Group, wrote in a blog post.
  • “If we find that customer information related to those requests has been compromised, we will take appropriate action,” Hall continued. “Out of regard for the privacy of our employees and customers – as well as the sensitivity of law enforcement inquiries – we will not comment on the validity of any stolen emails or documents.”
  • The attackers went after both the email and social media accounts of Microsoft employees; the company did not reveal how many documents might have been exposed, nor the nature of the attackers.
  • What’s interesting about this is that the incident was significant enough to disclose, indicating that a fair number of documents could have been exposed, or that the company fears some documents will make their way to the public if released by the attackers.
  • According to Microsoft, the Syrian Electronic Army may be behind the attacks.
  • “Our current information suggests the phishing attacks are related,” Hall told SecurityWeek in an emailed statement.
  • In March 2013, Microsoft released its first transparency report, noting that it had received over 70,000 law enforcement requests in 2012.
  • Additional Coverage:
  • Spear phishing against Microsoft, exposed law enforcement inquiries
  • Microsoft Believes Law Enforcement Documents Compromised in Hack
  • Microsoft says new phishing attacks targeted law enforcement documents | Ars Technica
  • Microsoft: documents were stolen during recent employee email hack | The Verge
  • Syrian Electronic Army stole law enforcement docs from Microsoft

Target Update

  • An examination of the malware used in the Target breach suggests that the attackers may have had help from a poorly secured feature built into a widely used IT management software suite.
  • As we previously noted, the attackers used malware on the POS boxes to send credit card data read from memory to a central control server on Target’s internal network.
  • The user account “Best1_user” and password “BackupU$r” were used to log in to the shared drive (indicated by the “S:” under the “Resource Type” heading in the screenshot, which is not reproduced here).
  • That username is the same one that gets installed with an IT management software suite called Performance Assurance for Microsoft Servers. This product, according to its maker — Houston, Texas-based BMC Software — includes an administrator-level user account called “Best1_user.”
  • BMC explains that the Best1_user account is installed by the software to perform routine tasks. That article states that while the Best1_user account is essentially a “system” or “administrator” level account on the host machine
  • “The Best1_user account appears to be associated with the Performance Assurance component of BMC Software’s Patrol product. According to BMC’s documentation, this account is normally restricted, but the attackers may have usurped control to facilitate lateral movement within the network,” according to a Dell SecureWorks paper being circulated to certain Dell customers.
  • According to SecureWorks, one component of the malware installed itself as a service called “BladeLogic,” a service name no doubt designed to mimic another BMC product called BMC BladeLogic Automation Suite.
  • According to a trusted Krebs source who uses mostly open-source data to keep tabs on the software and hardware used in various retail environments, BMC’s software is in use at many major retail and grocery chains across the country, including Kroger, Safeway, Home Depot, Sam’s Club and The Vons Companies, among many others.
  • Initial entry into the network is suspected to have been facilitated by a SQL injection attack, according to Malcovery.
  • Update: BMC says it is working with McAfee to investigate
  • Krebs: WSJ says that the vendor credentials used in the attack may have been from a vendor other than BMC
  • Additional Coverage – Ars Technica
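The lateral movement described above rides on a vendor-installed account whose name is documented and whose use is predictable. The real fix is to disable, rename or rotate such accounts; until that is done, a monitoring rule can at least flag the account authenticating from hosts it has no business being on. The following is an added example written for these notes, not code from the show, Krebs or SecureWorks. Only the account name “Best1_user” comes from the coverage above; the management subnet, the POS host addresses and the logon record format are constructed assumptions.

```python
"""Flag a vendor default account authenticating from unexpected hosts.

Added example (not from the show, Krebs or SecureWorks). The account name
"Best1_user" is taken from the public coverage; every host, subnet and the
record layout below is a constructed assumption for illustration.
"""
import ipaddress
from typing import Dict, Iterable, List

# Accounts created by third-party management software, mapped to the subnet
# from which they are expected to authenticate (assumed inventory).
VENDOR_DEFAULT_ACCOUNTS = {
    "best1_user": ipaddress.ip_network("10.10.0.0/24"),  # management subnet (assumed)
}

# Constructed logon records: <source_host> <account> <target_share> <outcome>
SAMPLE_LOGONS = [
    "10.10.0.5 Best1_user \\\\files01\\backup SUCCESS",   # expected management host
    "10.50.3.17 Best1_user \\\\files01\\backup SUCCESS",  # host in an assumed POS range
    "10.50.3.17 clerk42 \\\\files01\\shared SUCCESS",     # ordinary user, not tracked
    "10.50.3.18 Best1_user \\\\files01\\backup FAILURE",  # failed attempt, still notable
]


def parse(line: str) -> Dict[str, str]:
    """Split one constructed logon record into its four fields."""
    src, account, share, outcome = line.split()
    return {"src": src, "account": account, "share": share, "outcome": outcome}


def flag_vendor_account_logons(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return records where a vendor default account was used outside its expected subnet.

    Failed attempts are reported too: repeated failures from the wrong hosts
    are an early signal that someone is trying documented credentials.
    """
    hits = []
    for line in lines:
        rec = parse(line)
        expected = VENDOR_DEFAULT_ACCOUNTS.get(rec["account"].lower())
        if expected is None:
            continue  # not a tracked vendor account
        if ipaddress.ip_address(rec["src"]) not in expected:
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in flag_vendor_account_logons(SAMPLE_LOGONS):
        print("ALERT vendor default account used from unexpected host:", hit)
```

The rule is deliberately narrow: it keys on account name and source subnet only, so it stays useful even when the share name or outcome field varies between log sources. Extending the inventory to other vendor-created accounts is a matter of adding entries to the dictionary.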

Google breaks itself, and then fixes itself, while Engineers are busy on Reddit

  • At 10:55 a.m. PST this morning, an internal system that generates configurations—essentially, information that tells other systems how to behave—encountered a software bug and generated an incorrect configuration.
  • The incorrect configuration was sent to live services over the next 15 minutes, caused users’ requests for their data to be ignored, and those services, in turn, generated errors.
  • Users began seeing these errors on affected services at 11:02 a.m., and at that time our internal monitoring alerted Google’s Site Reliability Team. Engineers were still debugging 12 minutes later when the same system, having automatically cleared the original error, generated a new correct configuration at 11:14 a.m. and began sending it; errors subsided rapidly starting at this time.
  • By 11:30 a.m. the correct configuration was live everywhere and almost all users’ service was restored.
  • Reddit AMA
  • Additional Coverage – Reuters
  • Additional Coverage – TechCrunch
  • Additional Coverage – FoxNews
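The timeline above describes a generator emitting a bad configuration that reached live services within fifteen minutes, with recovery only when the same generator happened to produce a good one. The defensive pattern that addresses this is a validation gate between generator and fleet, plus a canary slice that has to stay healthy before the config is promoted. The following is an added example for these notes and is not Google’s code or a description of Google’s system; the config fields, the validation rules, the 1% canary threshold and the sample configs are all constructed assumptions.

```python
"""Gate a generated configuration before it reaches live services.

Added example, not Google's code. Models the failure mode in the show notes:
a generator produces a config, a validator checks it against structural rules
and the last known good config, and a canary probe must pass before the new
config is promoted. All field names, thresholds and sample values are assumed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Config:
    version: int
    backends: Dict[str, List[str]]  # service name -> backend addresses
    request_timeout_ms: int


def validate(cfg: Config, last_good: Optional[Config]) -> List[str]:
    """Return validation errors; an empty list means the config may proceed."""
    errors: List[str] = []
    if not cfg.backends:
        errors.append("no services defined")
    for svc, addrs in cfg.backends.items():
        if not addrs:
            # An empty backend list is how "requests get ignored" shows up in a config.
            errors.append(f"{svc}: empty backend list")
    if not 100 <= cfg.request_timeout_ms <= 60_000:
        errors.append(f"request_timeout_ms out of range: {cfg.request_timeout_ms}")
    if last_good is not None:
        if cfg.version <= last_good.version:
            errors.append("version does not advance past last known good")
        removed = set(last_good.backends) - set(cfg.backends)
        if removed:
            # A generator bug that silently drops services is caught by diffing
            # against the last config that is known to have worked.
            errors.append(f"services removed: {sorted(removed)}")
    return errors


def staged_rollout(
    candidate: Config,
    last_good: Config,
    canary_probe: Callable[[Config], float],
) -> Tuple[Config, str]:
    """Decide which config the whole fleet should run.

    canary_probe(cfg) applies cfg to a small slice and returns the observed
    error rate. Returns (config_to_run_everywhere, reason).
    """
    errors = validate(candidate, last_good)
    if errors:
        return last_good, "rejected by validation: " + "; ".join(errors)
    error_rate = canary_probe(candidate)
    if error_rate > 0.01:  # assumed canary threshold
        return last_good, f"rolled back: canary error rate {error_rate:.1%}"
    return candidate, "promoted after canary"


# Constructed sample configs.
LAST_GOOD = Config(1, {"mail": ["10.0.0.1"], "search": ["10.0.1.1"]}, 5000)
BUGGY_OUTPUT = Config(2, {"mail": []}, 5000)  # what a broken generator might emit
FIXED_OUTPUT = Config(3, {"mail": ["10.0.0.1"], "search": ["10.0.1.1", "10.0.1.2"]}, 5000)


def demo() -> List[str]:
    """Run the two candidates through the gate and return the decisions."""
    decisions = []
    for candidate in (BUGGY_OUTPUT, FIXED_OUTPUT):
        chosen, reason = staged_rollout(candidate, LAST_GOOD, lambda cfg: 0.0)
        decisions.append(f"v{chosen.version}: {reason}")
    return decisions


if __name__ == "__main__":
    print("\n".join(demo()))
```

The gate does two different jobs: the structural checks catch configs that are wrong on their face, while the diff against the last known good config catches output that is well-formed but drops something the fleet depended on. Neither replaces a canary, which is the only check that sees the config interact with real traffic.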
