The Parliament App

Greetings, everyone,

I’m thrilled to introduce The Parliament, the maiden app developed and launched by thing.net.au, now available on the App Store.

This dynamic video streaming application brings live sessions from the Australian Parliament House straight to your fingertips. Seamless access to three primary streams—the House of Representatives, the Senate, and the Federation Chamber—is just the beginning.

The app opens doors to an extensive collection of video content. From the proceedings of house and senate committees to captivating press conferences and a variety of special events, it offers a comprehensive view. Notably, its historical archive is a treasure trove, encompassing recordings from these Chambers across different occasions.

With a powerful search function, users can easily explore videos by their indexed titles. Additionally, the app smartly saves your progress, allowing seamless resumption of videos. Standard features like Picture in Picture and Airplay are seamlessly integrated for enhanced user experience.

The app is compatible with iPhones, iPads, and Apple Silicon computers. An Apple TV version is in the final stages of certification and will soon join the lineup.

Regardless of your interest in parliamentary affairs, I invite you to explore the app. The development journey has been immensely gratifying, and I eagerly anticipate your suggestions for bug fixes, improvements, feature ideas, or reviews.

Thank you for considering The Parliament app!

Lessons learned deploying Microsoft Tunnel Gateway

Over the last couple of days I have successfully deployed Microsoft Tunnel Gateway, using the newer Microsoft Defender app on iOS as the client. There are a few lessons learned here which you won’t find in the documentation.

  1. The “Supported Operating Systems” list is accurate once you remove all the deprecations.
    The only two supported routes are CentOS and Red Hat Enterprise Linux. Don’t get bogged down with the wrong distribution. Also dedicate a VM to this role.
  2. You will need to define a route back to the server running Tunnel Gateway.
    Clients get an address from the “Client IP address range” in the server configuration, and that range exists only on the tunnel. Without a return route, clients connect and their packets reach your internal servers, but the replies have nowhere to go and never make it back to the client. Add a route for the client IP range on your internal router (or on each internal server that must answer tunnel clients) with the Tunnel Gateway server as the next hop, and confirm it with a ping from a connected client before you go any further.
  3. When designating an internal host for the health check, use HTTP for simplicity.
    Opting for HTTPS would require adding the internal CA’s root certificate to the deployment if the certificate is signed by an internal CA, and handling certificates from an internal CA is beyond the scope of the documentation.
    The health check is only a reachability probe and carries nothing sensitive, so plain HTTP on that single internal URL is an acceptable trade-off and avoids the certificate management. It is not a reason to leave real internal services on HTTP; if you want HTTPS here, plan on distributing the internal CA chain yourself.
  4. When clients connect you WILL get traffic flow, but right after that the tunnel will drop.
    When clients connect, traffic flows for a moment and then the tunnel drops. The usual cause is an overlap between the client IP range specified in the server configuration panel and the internal Docker network on the server hosting the tunnel gateway (what the container uses as its backend pool, or BEP, range; on a default Docker install this is the 172.17.0.0/16 bridge, and you can read the actual value from the docker0 interface on the host).
    Pick a client IP range that does not overlap the Docker network, or any other subnet the tunnel has to route to, and the tunnel will stay up.
  5. Trust that the only port required is the one you have specified in the server configuration panel.
    The only inbound port required for Microsoft Tunnel Gateway is the one you specified in the “Server configuration” panel in the portal. The documentation previously mentioned 443/tcp and 443/udp, but UDP has been deprecated since the retirement of the Microsoft Tunnel app, so there is no need to open it.
    Outbound, make sure your firewall allows port 443 from the gateway so it can reach the Microsoft resources it calls home to.
  6. How do I use this as a per-app VPN? I can only seem to get Safari to work.
    The per-app setting lives on the app, not on the VPN profile. In the Intune iOS app list, select the app you want to send via the tunnel gateway; under Assignments, choose the VPN profile that was created in the device configuration. Repeat this for every app that should use the tunnel.
  7. Certificate requirements. You need a certificate, but there are many possible combinations of attributes; to save you the trial and error, here is what worked.
openssl.cnf

[req]
req_extensions = v3_req
default_bits = 2048
encrypt_key = no
default_md = sha256
prompt = no
utf8 = yes
distinguished_name     = req_distinguished_name

[req_distinguished_name]
countryName = [Country]
stateOrProvinceName = [State]
localityName = [City]
organizationName = [Organisation]
commonName = [External.DNS.Name]


[v3_req]
subjectAltName = @alt_names

[alt_names]
DNS.1 = [Internal.DNS.Name]
DNS.2 = [External.DNS.Name]


sudo openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr -config openssl.cnf

Send server.csr to a Windows PC with access to your enterprise CA and run

certreq -submit -attrib "CertificateTemplate:WebServer" server.csr

Follow the process to receive the certificate. Once you have server.crt, append the Base64 (PEM) form of the full certificate chain after it, so the server certificate is the first block in the file and the issuing CA and root follow. Copy it back to the Tunnel Gateway server and place the certificate and private key in the filesystem as defined in the documentation. Your file will need to look like the (redacted) example below.

-----BEGIN CERTIFICATE-----
MIIHOzCCBSOgAwIBAgITTAAAAYgTOK4pNtgKAQAAAAABiDANBgkqhkiG9w0BAQsF
ADB/MRIwEAYKCZImiZPVLGQBGRYCYXUxEzARBgoJkiaJk/IsZAEZFgNjb20xFjAU
BgoJkiaJk/IsZAEZzzzXJlezzzBgoJkiaJk/IsZAEZFzzzpY2UxJDAikkshwuduq
...
2M4+WpuQMRE2SYEwr2iYb4s46vbL96ale+6qlUHE2zdCOs6eVf/XG4qZcWB8RPzB
bTndZRFJ2B3htcgPmXSd7peFrTZsqIFyCU2zKuoIMSYV096zryM5Tecy28dOhJ7H
jgJFZQWR+SwXz9g8zWWkn6jvsxY5NysvpZ+53Sjdbw==
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
MIIF8zCCA9ugAwIBAgIQcLNdGlZ0e6BJCkAvoQjm0jANBgkqhkiG9w0BAQsFADB/
MRIwEAYKCZImiZPyLGQBGRYCYXUxEzARBgoJkiaJk/IsZzzzgNjb20xzzzAUBgoJ
kiaJk/IszzzFgZjYXJleXMxzzzoJkiaJk/IsZAEZFgzzzzz2UxJDAiBgNVw82hsj
...
VgtrSxckbpAGnlMs5Pq6bMpzpBwIp+oB6F2y1/f2fhrbbV6oDH9ruDfq+N884Tbk
2JR8S7UAN3cxbs7Z9YS+8xfqMmcnqN62otV5xalFmbiegES0+/FeOluFFexPyEds
/AdwDnf3kCMrx+i+BJQOEgJ+LEStAjJtgwu3dKhjMlUVCXkb3gca
-----END CERTIFICATE-----
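A pre-flight check for lessons 2 and 4 above, as an added example; this is not code from the original post, nor anything Microsoft ships. It tests whether a candidate client IP range collides with the Docker network on the gateway host or with an internal subnet, and produces the return route the internal side needs. Every address in it is a constructed sample: the client range 169.254.0.0/16, the gateway IP 10.10.5.20, the Docker bridge 172.17.0.0/16 and the internal subnets are assumptions to be replaced with the values from your server configuration and from the docker0 interface on the host.

```python
"""Pre-flight checks for a Microsoft Tunnel Gateway client IP range.

Added example, not part of the original post and not Microsoft tooling.
All addresses below are constructed samples; read the real values from the
Server configuration in the Intune portal and from `ip addr show docker0`
on the gateway host.
"""
import ipaddress


def find_overlaps(client_range, docker_network, internal_subnets):
    """Return the networks (as the strings passed in) that the tunnel client
    range overlaps. Any hit is the 'tunnel comes up then drops' failure."""
    client = ipaddress.ip_network(client_range, strict=False)
    hits = []
    for candidate in [docker_network, *internal_subnets]:
        if client.overlaps(ipaddress.ip_network(candidate, strict=False)):
            hits.append(candidate)
    return hits


def return_route(client_range, gateway_host_ip):
    """The route to add on the internal router (or on each internal server
    that must answer tunnel clients) so replies go back via the gateway."""
    client = ipaddress.ip_network(client_range, strict=False)
    gateway = ipaddress.ip_address(gateway_host_ip)
    return f"ip route add {client.with_prefixlen} via {gateway}"


def preflight(client_range, gateway_host_ip, docker_network, internal_subnets):
    """Collect human-readable problems; an empty list means the range is usable."""
    problems = [f"client range {client_range} overlaps {hit}"
                for hit in find_overlaps(client_range, docker_network, internal_subnets)]
    # The gateway's own address must not be handed out to a tunnel client.
    client = ipaddress.ip_network(client_range, strict=False)
    if ipaddress.ip_address(gateway_host_ip) in client:
        problems.append(f"gateway {gateway_host_ip} sits inside the client range {client_range}")
    return problems


if __name__ == "__main__":
    # Constructed sample values (assumptions, not taken from the post).
    cfg = dict(
        client_range="169.254.0.0/16",        # 'Client IP address range' in the portal
        gateway_host_ip="10.10.5.20",         # internal address of the gateway VM
        docker_network="172.17.0.0/16",       # default Docker bridge on the host
        internal_subnets=["10.10.0.0/16", "192.168.50.0/24"],
    )
    for problem in preflight(**cfg):
        print("PROBLEM:", problem)
    print("return route for the internal side:")
    print("  " + return_route(cfg["client_range"], cfg["gateway_host_ip"]))
```

Run it before you commit to a client IP range: a non-empty problem list is the overlap from lesson 4, and the printed route is what lesson 2 asks for, applied on whichever router or server sits between the gateway and the hosts your tunnel clients must reach.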

Hopefully these ramblings make sense,

Core I9 11900K-F CLOCK_WATCHDOG_TIMEOUT

Had two 11th Generation Intel CPUs come past my desk in the last week. One was on a Z490 board and the other on a Z590; both were Gigabyte Aorus boards. CLOCK_WATCHDOG_TIMEOUT seems to be reproducible with nearly every execution of UserBenchmark.

When running UserBenchmark they would both get to Core 2 of the CPU tests, freeze and throw this error. Once I had them throw a WHEA_UNCORRECTABLE_ERROR; that time the faulting module was GenuineIntel.sys.

Anyway, in the BIOS under the CPU optimisations, disabling “Adaptive Speed Boost” corrects this error. There must be an issue with how Gigabyte has implemented this function. There is not much info around the internet about CLOCK_WATCHDOG_TIMEOUT; the general push seems to be to install some sort of device-driver scamware.

MYOB API 0x80070643 – fatal error during installation

I’ve been having issues with the MYOB API on Premier 2021 Server Edition.

Ever since 2021.2 I have been unable to upgrade the MYOB API service with the server installer. The API installer asks for the location and whether to self-sign the certificate that protects the API endpoint, then fails with 0x80070643. Uninstalling the API service also appears to proceed, then fails.

As far as the install logging goes, none of it was helpful, and the MYOB help focuses solely on .NET 4.5 and updates.

To fix this issue you will need a certificate bundle in PFX format. I did not have to enter the password for the bundle at all, which is an indication that the software does not actually attempt to install it.

A PFX (PKCS#12) bundle contains a certificate and its private key; the API service uses them to serve the endpoint over TLS so that an adversary with a packet sniffer cannot read the traffic. Because it carries a private key, a PFX bundle from an unknown source should always be considered dangerous and never be imported into your certificate store. The bundle you use to get past this installer dialog should be a throwaway one, not your production certificate.

With the PFX bundle on the server’s filesystem, open the API installation wizard, found in “C:\Program Files (x86)\MYOB\AccountRight\API_Installer”. When the installer asks whether to use a self-signed or user-provided certificate, choose user-provided and select the certificate bundle filename. When the installer fails, you will then be able to uninstall the MYOB API application with Add/Remove Programs. Once the MYOB API is completely removed, rerun the installer from the location above; this time choose self-signed and the latest API service should install correctly.

Update for 2022.1

The MYOB API Service must be stopped in the Services console (services.msc) first.

Outlook 365 Email View Problems

This morning my users woke up to find Office 365 had updated. One of these updates seems to cripple Outlook 365: when you open an email the body is either blank or shows a single line, depending on the size of the window.

To roll back to a previous version using Intune management, log in to https://manage.microsoft.com/ and open the app deployment policy for your Office 365 suite.

Set:
  • Remove other versions to Yes
  • Version to install to Specific
  • Specific version to 2103-13901.20400

Click Review and Save.

Any clients that were deployed with Intune will reinstall Office once all the Office apps have been closed.

A client won’t downgrade while Office apps are open. To force a downgrade, ask the users to sync in Settings > Accounts > Access work or school: select the configured work account, click Info, then Sync.

You can also trigger a sync remotely, but unless the Office apps are closed the downgrade may not complete immediately.

After the downgrade users will see a splash screen that says “Please wait while we update Office”.

After the Intune sync a user can also elect to downgrade Office with the Update Now button, which will deploy the administrator’s chosen version.

Hope this helps someone,

Scobber

How to get your Kindle DX working in 2021

The Kindle DX is very much a legacy device. Amazon don’t have much information on it available online; most of the software update and help guides no longer exist. I also found plenty of resources on identifying your Kindle, but there were no downloads available.

So, the Kindle DX has no Wi-Fi, but it has worldwide 3G (Whispernet). The problem is that the root certificates in the device have expired, so there is no working SSL, which means no registration/deregistration. The Kindle store is still browsable, I think because the site is plain HTTP, but the downloads are over HTTPS.

Back to getting your Kindle working. There are a few guides out there, but no links to downloads, and the download I found on a third-party site was not for my DX.

Full Download Page for ALL models
https://www.amazon.com/gp/help/customer/display.html?nodeId=GKMQC26VQQMM8XSW

Kindle DX (2nd Generation)

  • 2.5.8

OK. To get your serial, open Settings: Home -> Menu -> Settings.
Under device info you will find your serial number. The current software version of your Kindle will be at the bottom.

  1. Check your software version
    • If your software version is not 2.5.8, download the “Download this file” link corresponding to your Kindle serial number. If you are already on this version, go to step 2.
    • Using the USB connection on your computer, copy it to the root of the Kindle’s USB disk.
    • While still in the settings page, press Menu then Update Kindle.
  2. Update the Kindle services
    • Once you are on 2.5.8, download the “Kindle Services Update” link corresponding to your serial number.
    • Using the USB connection on your computer, copy it to the root of the Kindle’s USB disk.
    • While still in the settings page, press Menu then Update Kindle.

If for any reason the Kindle disconnects from your computer while you are copying the updates on, try another computer or cable. If “Update Kindle” does not appear active in the menu, choose Restart instead; the Kindle usually triggers all available updates on reboot.

If the Kindle was not unregistered correctly before a factory reset it will come to life with the previous account; you can at this point unregister and re-register.

Windows 10 Power Policy Settings not functioning after update

Windows 10 power policies have some strange behaviours when applied over time. Issues seem to arise between SCCM, Group Policy and MDM deployments, and are then exacerbated when Windows Update performs a major feature update. I have also heard of home users losing control of their sleep settings.

In the work environment, the strange power settings appeared when some computers were upgraded from Windows 10 1809 to 1909 or 2004 using Windows Update or the Update Assistant and then became MDM-aware. Our power policy here is 5 minutes screen off and 10 minutes sleep on battery, then 60 minutes screen off and 65 minutes sleep on AC. This is because of the needs of the organisation: all our computers are mobile and we do not want a machine left on in a bag to cook itself.

Our domain has been through all the various architectures, from way back when NT 4.0 was new, upgraded all the way through to Windows Server 2016, and is now hybrid joined to Office 365 and Azure AD.

All the power settings have been unlinked from Group Policy and are only provided via Intune, through an OMA-URI custom policy. But for some computers, not all, the AC sleep is 7 minutes 30 seconds, even though the user dashboards appear to display the correct timeouts. If the computer is completely reset using a base Windows 10 1909 or 2004 build, then joined to the domain and enrolled in MDM, all the power settings function as expected.

On an affected machine none of the dashboards, whether Control Panel, the new Settings app, the registry, Intune or Group Policy, has any effect when changing the Windows power policy. The dashboards appear to display the chosen timeout, but in practice the computer is stuck sleeping after somewhere between one and seven minutes. The only solution which works persistently appears to be a reinstall of Windows.

Eufy Wireless Camera DoS

Eufy wireless cameras consist of an NVR called the HomeBase and the cameras. The HomeBase is marketed as 2.4 GHz Wi-Fi and sub-GHz wireless.

The cameras appear autonomous and use the sub-GHz link for command and control. When a camera performs a recording, its 2.4 GHz Wi-Fi starts up and the HomeBase stores the recording on the MMC/SD card plugged into the HomeBase.

The DoS attack works the same way as a normal Wi-Fi deauthentication attack: deauthentication is an unauthenticated management frame, so anyone in range can forge it unless 802.11w protected management frames are in use. The MACs of all the devices are readily available. The SSID is hidden but still discoverable, and it appears to be generated in the same way as a home router’s.

The attack is most successful like this. When the camera wakes, run airodump-ng, then use aireplay-ng to deauthenticate against the BSSID. When the camera reconnects it will reveal the SSID of the base station.

Once you have the SSID of the base station, start airbase-ng as an AP spoofing that SSID and turn up the power. Script some deauthentication runs against the base station’s BSSID. When the camera reconnects it will begin sending all its footage to the wrong BSSID.

Most of the footage is discarded in this process.

I would expect this attack to work on most Wi-Fi based cameras. Eufy cameras are also susceptible to deauthentication sent to the broadcast address, ff:ff:ff:ff:ff:ff.
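Seen from the defender’s side, the attack above leaves two distinctive traces in a monitor-mode capture: a burst of deauthentication frames against the HomeBase’s BSSID, often addressed to broadcast, and a second BSSID beaconing the HomeBase’s SSID. The following is an added example, not code from the original post or from Eufy, that flags both over a list of management-frame records of the kind you would pull out of an airodump-ng or tshark capture. The records, MAC addresses, SSID and timings are all constructed for the demonstration.

```python
"""Flag a deauthentication flood and an SSID spoof (evil twin) in 802.11
management frames.

Added example, not from the original post or from Eufy. Frame records are
constructed tuples: (time_s, subtype, src, dst, bssid, ssid).
"""
from collections import defaultdict

# 802.11 management frame subtypes (frame type 0)
BEACON, DISASSOC, DEAUTH = 0x08, 0x0A, 0x0C
BROADCAST = "ff:ff:ff:ff:ff:ff"

# Hypothetical addresses and SSID, made up for this example.
HOMEBASE = "aa:bb:cc:00:00:01"   # the HomeBase (target BSSID)
CAMERA = "aa:bb:cc:00:00:02"     # a camera that woke up to upload footage
ROGUE = "de:ad:be:ef:00:01"      # airbase-ng AP spoofing the HomeBase SSID
SSID = "eufy_base_1234"

SAMPLE_FRAMES = (
    # normal beacons from the HomeBase, one every 100 ms
    [(t * 0.1, BEACON, HOMEBASE, BROADCAST, HOMEBASE, SSID) for t in range(100)]
    # a single legitimate deauth when the camera goes back to sleep
    + [(4.0, DEAUTH, HOMEBASE, CAMERA, HOMEBASE, None)]
    # aireplay-ng burst: 12 deauths in under two seconds, source forged as
    # the HomeBase, half of them to the broadcast address
    + [(6.0 + i * 0.15, DEAUTH, HOMEBASE, BROADCAST if i % 2 == 0 else CAMERA,
        HOMEBASE, None) for i in range(12)]
    # the spoofed AP beaconing the same SSID from a different BSSID
    + [(7.0 + t * 0.1, BEACON, ROGUE, BROADCAST, ROGUE, SSID) for t in range(20)]
)


def detect_deauth_flood(frames, window_s=10.0, threshold=5):
    """Return {bssid: {'peak': n, 'broadcast': bool}} for every BSSID that
    receives more than `threshold` deauth/disassoc frames inside any
    `window_s`-second window. A deauth now and then is normal housekeeping;
    a burst, especially to broadcast, is not."""
    by_bssid = defaultdict(list)
    for t, subtype, _src, dst, bssid, _ssid in frames:
        if subtype in (DEAUTH, DISASSOC):
            by_bssid[bssid].append((t, dst))
    alerts = {}
    for bssid, events in by_bssid.items():
        events.sort()
        peak, start = 0, 0
        for end in range(len(events)):          # sliding window over time
            while events[end][0] - events[start][0] > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            alerts[bssid] = {
                "peak": peak,
                "broadcast": any(dst == BROADCAST for _, dst in events),
            }
    return alerts


def detect_ssid_spoof(frames):
    """Return {ssid: [bssid, ...]} for SSIDs beaconed by more than one BSSID,
    which is what an airbase-ng evil twin looks like from the air."""
    seen = defaultdict(set)
    for _t, subtype, _src, _dst, bssid, ssid in frames:
        if subtype == BEACON and ssid:
            seen[ssid].add(bssid)
    return {ssid: sorted(bssids) for ssid, bssids in seen.items() if len(bssids) > 1}


if __name__ == "__main__":
    for bssid, info in detect_deauth_flood(SAMPLE_FRAMES).items():
        print(f"deauth flood against {bssid}: {info}")
    for ssid, bssids in detect_ssid_spoof(SAMPLE_FRAMES).items():
        print(f"SSID {ssid!r} beaconed by {bssids}: possible evil twin")
```

On the sample capture the flood detector reports the HomeBase BSSID with broadcast deauths present, and the spoof detector reports the SSID as beaconed by two BSSIDs. The thresholds are deliberately loose; tune `window_s` and `threshold` to how often the cameras legitimately drop off the base in your own captures.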

Ubiquiti UniFi Beachhead

CVE-2020-27888

The UniFi range of products includes switches, access points and routers. I have recently come across an interesting quirk in how the wireless repeater mode works.

As you may or may not be aware, you can extend your network footprint automatically with UniFi access points. When enabled, they will automatically peer access points together, in an effort to establish a virtual cable and keep the network segment connected. I have recently observed two behaviours on my own UniFi network that could be a show stopper.

  1. When an access point is installed in a location, powered on and connected to the network, but not yet adopted by a controller (the process of exchanging authentication information), it waits in limbo for a controller to arrive and adopt it.
    The problem with this is that if the access point is connected to the private network, it is possible to adopt it wirelessly. Adopting the access point is a straightforward process: bring another access point near it and click adopt.
    This provides connectivity to everything on the access point’s Ethernet socket.
  2. When an access point is removed it is possible to use it to gain access to the network. When it returns within range it automatically changes into wireless uplink mode and provides connectivity to everything on the access point’s Ethernet socket.

So, when #2 occurs, if an access point is stolen, UniFi has a mechanism for revoking its permissions. However, if you forget the device while it is in a disconnected state, the access point will not be reset to factory automatically. It will continue to perform its meshing duties while showing a ‘managed by other’ state.

Detecting an attack like #1: your devices will appear “managed by other”.
Detecting an attack like #2: have rogue AP detection enabled, because this does trigger the rogue AP prompt in your UniFi console. Only while the device is connected will it say “managed by other”.

In both these scenarios there is full Ethernet transit enabled, and the entire network functions normally.

What mitigations would I like to see from Ubiquiti?

Disable the radio after a period of time waiting to be adopted; power cycling the device should reset the timer on the wireless adoption sequence.

Incorporate a mechanism for an administrator to roll (automatically or manually) the meshing keys on the access points, so that the credential caching issue does not persist forever.