Outlook 365 Email View Problems

This morning my users woke up to find that Office 365 had updated. One of these updates seems to cripple Outlook 365. The issue observed is that when you open an email the body is either blank or shows a single line, depending on the size of the window.

To roll back to a previous version using Intune management, log in to https://manage.microsoft.com/ and open the app deployment policy for your Office 365 suite.

Set:
Remove other versions to Yes,
Version to install to Specific,
Specific version to 2103-13901.20400

Click Review and Save.

Any clients that were deployed with Intune will reinstall Office once all the Office apps have been closed.

A client won't downgrade while Office apps are open. To force a downgrade, ask the users to 'Sync' in Settings > Accounts > Access work or school: select the configured work account, click Info, then Sync.

You can also trigger a sync remotely, but unless the Office apps are closed the downgrade may not complete immediately.

After the downgrade users will see a splash screen that says 'Please wait while we update Office'.

After the Intune sync, a user can also elect to downgrade Office with the Update Now button, which will deploy the administrator's chosen version.

Hope this helps someone,

Scobber

How to get your Kindle DX working in 2021

The Kindle DX is very much a legacy device. Amazon doesn't have much information on it available online, and most of the software update and help guides no longer exist. I also found plenty of resources on identifying your Kindle, but no downloads.

So, the Kindle DX: it has no Wi-Fi, but it has worldwide 3G (Whispernet). The problem is that the root certificates in the device have expired, so there is no SSL, which means no registration or deregistration. The Kindle store is still browsable; I think that is because the store pages are HTTP, while the downloads are HTTPS.

Back to getting your Kindle working. There are a few guides out there, but no links to downloads, and the download I found on a third-party site was not for my DX.

Full Download Page for ALL models
https://www.amazon.com/gp/help/customer/display.html?nodeId=GKMQC26VQQMM8XSW

Kindle DX (2nd Generation)

  • 2.5.8

OK. To get your serial number, open Settings: Home -> Menu -> Settings.
Under Device Info you will find your serial number. The current software version of your Kindle is at the bottom.

  1. Check your software version
    • If your software version is not 2.5.8, download the "Download this file" link corresponding to your Kindle's serial number. If you are already on this version, go to step 2.
    • Connect the Kindle to your computer over USB and copy the file to the 'root' of the Kindle's USB disk.
    • While still on the Settings page, press Menu, then Update Kindle.
  2. Update the Kindle services
    • Once your software version is 2.5.8, download the "Kindle Services Update" link corresponding to your serial number.
    • Connect the Kindle to your computer over USB and copy the file to the 'root' of the Kindle's USB disk.
    • While still on the Settings page, press Menu, then Update Kindle.

If for any reason the Kindle 'disconnects' from your computer while you are copying the updates on, try another computer or cable. If 'Update Kindle' does not appear active in the menu, choose Restart instead; the Kindle usually triggers all available updates on reboot.

If the Kindle was not deregistered correctly before a factory reset, it will come back to life still registered to the previous account. You can at this point deregister and re-register it.

Windows 10 Power Policy Settings not functioning after update

Windows 10 power policies have some strange behaviours when applied over time. Problems seem to arise between SCCM, Group Policy and MDM deployments, and are then exacerbated when Windows Update performs a major feature update. I have also heard of home users losing control of their sleep settings.

In our work environment the strange power settings appeared on computers that were upgraded from Windows 10 1809 to 1909 or 2004 using Windows Update or the Update Assistant, at the point they became MDM aware. Our power policy is 5 minutes screen off and 10 minutes sleep on battery, and 60 minutes screen off and 65 minutes sleep on AC. This is driven by the needs of the organisation: all our computers are mobile and we do not want a machine left on in a bag to cook itself.

Our domain has been through all the various architectures, from way back when NT 4.0 was new, upgraded all the way through to Windows Server 2016, and is now hybrid joined to Office 365 and Azure AD.

All the power settings have been unlinked from Group Policy and are only provided via Intune, through an OMA-URI custom policy. But on some computers, not all, the AC sleep timeout is 7 minutes 30 seconds, even though the user dashboards display the correct timeouts. If the computer is completely reset using a base Windows 10 1909 or 2004 build, then joined to the domain and enrolled in MDM, all the power settings function as expected.

None of the settings surfaces, whether Control Panel, the new Settings menu, the registry, Intune or Group Policy, have any effect when changing the Windows power policy. The dashboards display the chosen timeout, but in practice the computer is stuck sleeping after somewhere between one and seven minutes. The only solution that works persistently appears to be a reinstall of Windows.

Eufy Wireless Camera DoS

Eufy wireless cameras consist of an NVR called the HomeBase and the cameras. The HomeBase is marketed as 2.4 GHz Wi-Fi plus sub-GHz wireless.

The cameras appear autonomous and use the sub-GHz link for command and control. When a camera records, its 2.4 GHz Wi-Fi starts up and the HomeBase stores the recording on the MMC/SD card plugged into it.

The DoS attack works the same way as a normal Wi-Fi deauthentication attack. The MAC addresses of all the devices are readily available. The SSID is hidden but still discoverable, and it appears to be generated in the same way as a home router's.

The way the attack is most successful: when the camera wakes, run airodump-ng, then use aireplay-ng to deauthenticate against the BSSID. When the camera reconnects it will reveal the SSID of the base station.

Once you have the SSID of the base station, start airbase-ng as an AP spoofing that SSID and turn up the power. Script some deauthentication runs against the base station's BSSID. When the camera reconnects it will begin dumping all its footage out, addressed to the wrong BSSID.

Most of the footage is discarded in this process.

I would expect this attack to work on most Wi-Fi based cameras. Eufy cameras are also susceptible to deauthentication on the broadcast address, ff:ff:ff:ff:ff:ff.
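The attack above has a distinctive over-the-air signature: bursts of deauthentication frames carrying the base station's BSSID, first aimed at one camera and then at the broadcast address. The following is an added example (not code from the original post) of a minimal 802.11 management-frame decoder and a deauth-flood detector. It runs over constructed frames built inline; the MAC addresses, the threshold of five frames and the frame builder are all assumptions for the example. In practice the same logic would be fed frames from a monitor-mode capture (for instance a pcap written by airodump-ng).

```python
# Added example, not from the original post: decode 802.11 management frames and
# flag deauthentication floods, including deauth sent to the broadcast address.
import struct
from collections import defaultdict

DEAUTH_SUBTYPE = 12                 # type 0 (management), subtype 12 (deauthentication)
BROADCAST = "ff:ff:ff:ff:ff:ff"
MGMT_HEADER_LEN = 24                # frame control, duration, DA, SA, BSSID, sequence control


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_deauth(dst: str, src: str, bssid: str, reason: int = 7, seq: int = 0) -> bytes:
    """Construct a sample deauthentication frame (for testing the detector).
    Frame control is little-endian: bits 2-3 type, bits 4-7 subtype, so 0x00C0 here.
    Body is a 2-byte little-endian reason code (7 = class 3 frame from nonassociated STA)."""
    frame_control = DEAUTH_SUBTYPE << 4
    header = struct.pack("<HH", frame_control, 0)            # frame control, duration
    addrs = b"".join(bytes.fromhex(m.replace(":", "")) for m in (dst, src, bssid))
    return header + addrs + struct.pack("<H", seq << 4) + struct.pack("<H", reason)


def parse_mgmt(frame: bytes):
    """Return (subtype, da, sa, bssid, reason) for a management frame, else None."""
    if len(frame) < MGMT_HEADER_LEN:
        return None
    frame_control, = struct.unpack_from("<H", frame, 0)
    ftype, subtype = (frame_control >> 2) & 0x3, (frame_control >> 4) & 0xF
    if ftype != 0:                                           # not a management frame
        return None
    da, sa, bssid = mac_str(frame[4:10]), mac_str(frame[10:16]), mac_str(frame[16:22])
    reason = struct.unpack_from("<H", frame, MGMT_HEADER_LEN)[0] if len(frame) >= 26 else None
    return subtype, da, sa, bssid, reason


def detect_deauth_flood(frames, threshold: int = 5):
    """Count deauth frames per (bssid, destination). Alert on any destination that
    reaches the threshold, and on any deauth addressed to the broadcast address."""
    counts = defaultdict(int)
    alerts = []
    for frame in frames:
        parsed = parse_mgmt(frame)
        if parsed is None or parsed[0] != DEAUTH_SUBTYPE:
            continue
        _, da, sa, bssid, reason = parsed
        counts[(bssid, da)] += 1
        if da == BROADCAST:
            alerts.append(f"broadcast deauth from {sa} (bssid {bssid}, reason {reason})")
    for (bssid, da), n in counts.items():
        if n >= threshold:
            alerts.append(f"deauth flood: {n} frames to {da} on bssid {bssid}")
    return alerts


def demo():
    """Constructed capture: six targeted deauths against a camera, one broadcast
    deauth, and one unrelated data frame that the detector must ignore."""
    camera, base = "02:00:00:00:00:01", "02:00:00:00:00:02"   # constructed addresses
    frames = [build_deauth(camera, base, base, seq=i) for i in range(6)]
    frames.append(build_deauth(BROADCAST, base, base, seq=6))
    frames.append(bytes.fromhex("08020000") + b"\x00" * 20)   # type 2 (data), ignored
    return detect_deauth_flood(frames)


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

The per-destination counter catches the targeted phase of the attack; the broadcast check catches the cheaper variant the post mentions last, which a per-client counter alone would miss if the attacker only needs one frame per wake-up.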

Ubiquiti UniFi Beachhead

CVE-2020-27888

The UniFi range of products includes switches, access points and routers. I have recently come across an interesting quirk in how the wireless uplink (repeater) mode works.

As you may or may not be aware, you can extend your network footprint automatically with UniFi access points. When enabled, they will automatically peer access points together, in an effort to establish a virtual cable and keep the network segment connected. I have recently observed two behaviours on my own UniFi network that could be a show stopper.

  1. When an access point is installed in a location, powered on and connected to the network, but not yet adopted by a controller (adoption is the process of exchanging authentication information), it waits in limbo for a controller to arrive and adopt it.
    The problem is that if the access point is connected to the private network, it is possible to adopt it wirelessly. Adopting the access point is a straightforward process: bring another access point near and click adopt.
    This provides connectivity to everything on the access point's Ethernet socket.
  2. When an access point is removed, it is possible to use it to gain access to the network. When it returns within range it will automatically change into wireless uplink mode and provide connectivity to everything on the access point's Ethernet socket.

So, when #2 occurs: if an access point is stolen, UniFi has a mechanism for revoking its permissions. However, if you forget the device while it is in a disconnected state, the access point will not be 'reset to factory' automatically. It will continue to perform its meshing duties, all the while in the 'managed by other' state.

Detecting an attack like #1: your devices will appear as "managed by other".
Detecting an attack like #2: have rogue AP detection enabled, because this does trigger the rogue AP prompt in your UniFi console. Only while the device is connected will it show as managed by other.

In both these scenarios there is full Ethernet transit enabled, and the entire network functions normally.

What mitigations would I like to see from Ubiquiti?

Disable the radio after a period of time waiting to be adopted; power cycling the device should reset the timer on the wireless adoption sequence.

Incorporate a mechanism for an administrator to 'roll' (automatically or manually) the meshing keys on the access points, so that the credential caching issue does not persist forever.

TTN Downlink Problems

Configuring the gateway parameters in console.thethingsnetwork.org is not as important as it appears. Here in Australia 'thethings.meshed.com.au' appears to apply arbitrary filtering to our gateways. It is the only router in this region (AU_915), so from time to time when this filtering is an issue we swap to another router. We also don't use thethings.meshed.com.au for applications much, because the integrations are not as configurable and we have to use a 'special' dashboard.

So the issue here is that the "frequency plan" setting seems to be for statistics only, as is the "Router" configuration. It can be set to anything and does not appear to mean much: whatever it is set to, you can forward packets anywhere, and by The Things Network's own documentation an unregistered gateway will still work, but the packets it receives will be stamped untrusted.

So back to the problem. When you use ttn.opennetworkinfrastructure.org as your router, all downlink packets are enqueued against the EU_868 channel plan. When this happens the gateways here in Australia discard the transmission, even though the gateway's frequency plan is defined correctly in the dashboard. This leads me to believe that value is only for statistics.

60c5a8fffe74d372 >< 172.20.1.55 PUSH 207 :: {"rxpk":[{"tmst":1623936916,"chan":2,"rfch":0,"freq":917.200000,"stat":1,"modu":"LORA","datr":"SF10BW125","codr":"4/5","lsnr":8.5,"rssi":-70,"size":23,"data":"AETpAdB+1bNwEQFVAAAAAAGu+9RhEKQ="}]} :: 
thethingsnetwork <> 52.169.76.203 PULL_RESP 213 :: {"imme":false,"tmst":1622032348,"freq":869.525,"rfch":0,"powe":27,"modu":"LORA","datr":"SF12BW125","codr":"4/5","ipol":true,"size":33,"ncrc":true,"data":"IAzxv/1dO/oMXS5B/Ke4zhfnBTYMQDboBpq0FuO2fphB"}} ::

The only way to overcome this problem appears to be to use the correct router for the region, which for AU_915 is the infrastructure hosted by Meshed. And I guess we will have to put up with the arbitrary filtering.

Working OTAA compatible TTN Routers

au915.thethings.meshed.com.au
router.au.thethings.network
router.us.thethings.network (make sure the gateway has min/max TX frequency set; this works around Meshed for OTAA)

Working routers for AU_915

Router DNS Address                 Region                    Country
thethings.meshed.com.au                                      AUS
router.au.thethings.network                                  AUS
au915.thethings.meshed.com.au      AU915 915-928             AUS/NZ
as923.thethings.meshed.com.au      AS923 "AS1" 922-923       AUS

https://www.thethingsnetwork.org/docs/gateways/packet-forwarder/semtech-udp.html
https://www.thethingsnetwork.org/country/australia/

Router DNS Address                 Region                    Country
router.eu.thethings.network        EU433 and EU863-870       EU
router.us.thethings.network        US902-928                 US
router.cn.thethings.network        CN470-510 and CN779-787   China
router.as.thethings.network        AS923                     Southeast Asia
router.as1.thethings.network       AS920-923 "AS1"           Southeast Asia
router.as2.thethings.network       AS923-925 "AS2"           Southeast Asia
router.kr.thethings.network        KR920-923                 Korea
router.jp.thethings.network        AS923-925                 Japan
router.au.thethings.network        AU915-928                 Australia
ttn.opennetworkinfrastructure.org  EU433 and EU863-870       Switzerland

So ensure you set your router DNS entry to one that corresponds to the table above. Otherwise The Things Network appears to tell the gateway to TX on an out-of-band channel, and a misconfiguration on the operator's end could mean transmitting on licensed spectrum, and potentially prosecution, despite every other effort having been made to be compliant.

I expect the only reason the US router works is that the downlink channels are the same in AU_915 and US_915.
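The PULL_RESP in the dump above asks the gateway to transmit on 869.525 MHz, which is the EU868 RX2 frequency; an AU915 gateway may only transmit on the eight AU915 downlink channels from 923.3 to 927.5 MHz, and US915 uses those same eight downlink channels, which is why the US router works. The following is an added example (not code from the original post) that checks a packet-forwarder PULL_RESP against a regional downlink plan before it would reach the radio. The channel tables are an assumption for this example, taken from the LoRaWAN Regional Parameters, and the sample PULL_RESP is constructed from the values in the dump above, wrapped in the "txpk" object that PROTOCOL.TXT specifies.

```python
# Added example, not from the original post: validate a PULL_RESP downlink request
# against the gateway's own regional downlink plan.
import json

# Assumption for this example (LoRaWAN Regional Parameters): downlink channels in MHz.
DOWNLINK_PLANS_MHZ = {
    # AU915 and US915 share eight 500 kHz downlink channels, 923.3 MHz to 927.5 MHz.
    "AU_915": [round(923.3 + 0.6 * n, 1) for n in range(8)],
    "US_915": [round(923.3 + 0.6 * n, 1) for n in range(8)],
    # EU868 downlinks on the three default uplink channels plus the RX2 slot at 869.525 MHz.
    "EU_868": [868.1, 868.3, 868.5, 869.525],
}

# Constructed sample modelled on the PULL_RESP in the dump above (EU RX2 parameters).
SAMPLE_PULL_RESP = (
    '{"txpk":{"imme":false,"tmst":1622032348,"freq":869.525,"rfch":0,"powe":27,'
    '"modu":"LORA","datr":"SF12BW125","codr":"4/5","ipol":true,"size":33,"ncrc":true,'
    '"data":"IAzxv/1dO/oMXS5B/Ke4zhfnBTYMQDboBpq0FuO2fphB"}}'
)


def parse_pull_resp(body: str) -> dict:
    """Return the txpk object from a PULL_RESP JSON body."""
    return json.loads(body)["txpk"]


def check_downlink(txpk: dict, plan: str, tolerance_khz: float = 10.0):
    """Return (ok, reason). A gateway drops any TX request whose frequency is not
    one of the downlink channels of the frequency plan it is configured for."""
    freq = float(txpk["freq"])
    channels = DOWNLINK_PLANS_MHZ[plan]
    hits = [c for c in channels if abs(freq - c) * 1000.0 <= tolerance_khz]
    if hits:
        return True, f"{freq:.3f} MHz is downlink channel {hits[0]} MHz in {plan}"
    return False, f"{freq:.3f} MHz is not a {plan} downlink channel; the gateway will discard the TX"


def plans_accepting(txpk: dict):
    """Which of the known plans would actually transmit this request."""
    return [plan for plan in DOWNLINK_PLANS_MHZ if check_downlink(txpk, plan)[0]]


if __name__ == "__main__":
    txpk = parse_pull_resp(SAMPLE_PULL_RESP)
    for plan in DOWNLINK_PLANS_MHZ:
        ok, reason = check_downlink(txpk, plan)
        print(f"{plan}: {'TX' if ok else 'DROP'} - {reason}")
```

Run against the sample, only EU_868 accepts the 869.525 MHz request; the AU_915 and US_915 plans reject it, which matches the silently discarded downlinks described above. A request on 923.3 MHz is accepted by both AU_915 and US_915, which is the overlap the US router relies on.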

Proxying GWP Packets

GWP is the first protocol widely used by LoRaWAN. It started out as a proposal from Semtech to prove the concept. Essentially GWP is just JSON wrapped in UDP.

It has become apparent that there is a need for a GWP proxy, not only to provide access for multiple gateways but also to provide debugging. Using this GWP proxy it was possible to discover an interoperability flaw between the RAK2287 software and The Things Network. The protocol specification makes use of a 'temp' variable in the 'stat' data structure, which RAK Wireless implemented.

The Things Network silently discarded the entire packet and reset the last-seen counter. The result was that the gateway's current GPS position was also discarded, and incoming packets from devices were not stamped with the GPS coordinates.

The GWP proxy can be found on GitHub. https://github.com/Scobber/GWP-Proxy

Because this was a quick implementation, it lacks some features. It provides bi-directional communication, and all output is visible on STDOUT.

The RAK2287 Gateway can be found:
https://store.rakwireless.com/products/rak-discover-kit-2

Packet Forwarder Protocol
https://github.com/Lora-net/packet_forwarder/blob/master/PROTOCOL.TXT

Github Issue https://github.com/RAKWireless/rak_common_for_gateway/issues/19
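To make the framing concrete, the following is an added example (not the GWP-Proxy code from the repository above) of the Semtech UDP datagram layout that such a proxy has to decode: a version byte, a two-byte random token, an identifier byte, an eight-byte gateway EUI on the gateway-originated types, and then the JSON body. It also shows the debugging check that would have surfaced the 'stat' problem described above: flagging any status field outside the set listed in PROTOCOL.TXT. The stat field list, the sample status object, the token and the log-line format are assumptions for this example; the gateway EUI is the one from the dump earlier on this page.

```python
# Added example, not from the original post or the GWP-Proxy repository: decode and
# build Semtech UDP packet-forwarder datagrams and flag non-standard 'stat' fields.
import json

PROTOCOL_VERSION = 2
PKT_TYPES = {0: "PUSH_DATA", 1: "PUSH_ACK", 2: "PULL_DATA", 3: "PULL_RESP", 4: "PULL_ACK", 5: "TX_ACK"}
PKT_IDS = {name: ident for ident, name in PKT_TYPES.items()}
# Types sent by the gateway carry its EUI after the identifier byte.
TYPES_WITH_EUI = {"PUSH_DATA", "PULL_DATA", "TX_ACK"}
# Assumption for this example: the 'stat' keys listed in PROTOCOL.TXT. Anything else
# (such as RAK's 'temp') is reported so the proxy operator can see it.
STAT_KEYS = {"time", "lati", "long", "alti", "rxnb", "rxok", "rxfw", "ackr", "dwnb", "txnb"}


def parse_datagram(data: bytes) -> dict:
    """Split a datagram into token, type, gateway EUI (hex) and decoded JSON body."""
    if len(data) < 4 or data[0] != PROTOCOL_VERSION:
        raise ValueError("not a protocol version 2 datagram")
    ptype = PKT_TYPES.get(data[3])
    if ptype is None:
        raise ValueError(f"unknown packet identifier {data[3]}")
    eui, body_offset = None, 4
    if ptype in TYPES_WITH_EUI:
        if len(data) < 12:
            raise ValueError(f"{ptype} datagram too short for gateway EUI")
        eui, body_offset = data[4:12].hex(), 12
    body = json.loads(data[body_offset:]) if len(data) > body_offset else None
    return {"token": data[1:3], "type": ptype, "eui": eui, "json": body}


def build_push_data(token: bytes, eui_hex: str, obj: dict) -> bytes:
    """Gateway -> server: PUSH_DATA with a JSON object (rxpk and/or stat)."""
    body = json.dumps(obj, separators=(",", ":")).encode()
    return bytes([PROTOCOL_VERSION]) + token + bytes([PKT_IDS["PUSH_DATA"]]) + bytes.fromhex(eui_hex) + body


def build_ack(token: bytes, for_type: str) -> bytes:
    """Server -> gateway: the 4-byte acknowledgement echoing the token. A proxy must
    return these itself if it terminates the gateway side of the exchange."""
    ack_type = {"PUSH_DATA": "PUSH_ACK", "PULL_DATA": "PULL_ACK"}[for_type]
    return bytes([PROTOCOL_VERSION]) + token + bytes([PKT_IDS[ack_type]])


def unknown_stat_fields(obj) -> set:
    """Return stat fields that are not part of the documented stat structure."""
    if not obj or "stat" not in obj:
        return set()
    return set(obj["stat"]) - STAT_KEYS


def format_log_line(pkt: dict, peer: str, length: int) -> str:
    """One debug line per datagram, similar in spirit to the proxy output above."""
    return f"{pkt['eui'] or 'server'} >< {peer} {pkt['type']} {length} :: {json.dumps(pkt['json'])}"


if __name__ == "__main__":
    token = b"\x12\x34"                                        # constructed token
    status = {"stat": {"time": "2021-06-17 12:00:00 GMT", "lati": -33.87, "long": 151.21,
                       "alti": 20, "rxnb": 1, "rxok": 1, "rxfw": 1, "ackr": 100.0,
                       "dwnb": 0, "txnb": 0, "temp": 41.5}}     # constructed, includes 'temp'
    datagram = build_push_data(token, "60c5a8fffe74d372", status)
    pkt = parse_datagram(datagram)
    print(format_log_line(pkt, "172.20.1.55", len(datagram)))
    print("non-standard stat fields:", unknown_stat_fields(pkt["json"]))
    print("ack to return:", build_ack(pkt["token"], pkt["type"]).hex())
```

A proxy that logs the non-standard fields, or strips them before forwarding upstream, turns a silent drop at the network server into something visible at the gateway side, which is the debugging value the post describes.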

Remote Desktop Gateway Certificates

When installing RD Gateway certificates using the Server Manager snap-in, you may get the error 'The WSMan provider host process did not return a proper response'. This error can be triggered by importing a PFX key bundle that has no password.

The easiest way around it is to import the bundle into the local user certificate store, then re-export it with the password field set.

'Certify the Web' saves PFX files with no password, so if you are using a similar Let's Encrypt application to secure RD Gateway, this may be your problem.

Translogix Importing

Translogix may be built around Visual FoxPro 9, but importing and exporting data can at times be a tedious task.

Thankfully there are classes and interfaces that can be used to get data in and out. To get data out you can write a custom export, which will dump data to a syntactically correct XML or CSV file; it can also render data to paper-style reports.

Exporting data can also be accomplished through the Visual FoxPro ADO drivers. These drivers are limited to x86 though, due to the age of Visual FoxPro.

Importing data must be done through custom imports; using ADO is not appropriate.

It is possible to import job data into Translogix, with some caveats. You can import a job with a complete dataset. However, assigning a manifest number will add the job to the manifest but will not populate the driver, rego and trailer fields. If there is a requirement to add the job to a manifest, the manifest-specific driver, rego and trailer fields will also need to be passed.

This is because a 'job' also stores data about who and what is transporting it. Each time you change a manifest number that data is looked up again. If those fields are modified on a manifest, the job must be removed from and re-added to the manifest for the data on the job to update.

When importing a manifest, the same interface as the job import is used. However, the man_type field must be set to 'M' (0x4d) and the job_type field must be set to 'M ' (0x4d 0x20, with a trailing space).

Time Stamping

If you need validation of when a piece of data was generated and verified, it is possible to sign arbitrary data with a timestamp in the same way as Authenticode.

Why would you want to do this? In my scenario I have a scanned image database containing all the Proof of Delivery documents for a large transport company. Suppose I want to sign all the inward images at the time they are first imported into the database.

This level of protection costs about 2 KB per image and provides assurance that the image has not changed since the timestamp was signed. It does not protect against the file being altered and re-signed; for that you would need some sort of anti-replay protection.

To get started, for the proof of concept, suppose we want to sign "testfile.txt" with the text abcdxyz inside:

# openssl ts -query -data testfile.txt -cert -sha256 -no_nonce -out request.tsq

This generates the request file "request.tsq", which is essentially the SHA256 hash of testfile.txt wrapped in a DER-encoded TimeStampReq:

request.tsq
000 30390201 01303130  0d060960 86480165  |09...010...`.H.e|
010 03040201 05000420  073f5622 473e0b6b  |....... .?V"G>.k|
020 3f485afe fcadff10  b281b8df be81e308  |?HZ.............|
030 882cf331 e667f068  0101ff             |.,.1.g.h...|
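The 59 bytes dumped above are a complete RFC 3161 TimeStampReq: version 1, a messageImprint holding the SHA256 algorithm identifier and the 32-byte hash, and certReq TRUE (the -cert flag), with no nonce. The following is an added example (not code from the original post) that encodes such a request for a file and decodes one back, then performs the same imprint comparison that openssl reports as "message imprint mismatch" when the file has changed. It uses only the standard library; the sample data and the helper names are assumptions for this example, while the PAGE_REQUEST_TSQ bytes are copied from the hex dump above.

```python
# Added example, not from the original post: minimal DER encode/decode of an RFC 3161
# TimeStampReq, and the imprint check used during verification.
import hashlib

SHA256_OID = bytes.fromhex("608648016503040201")   # 2.16.840.1.101.3.4.2.1 (id-sha256)

# The request.tsq bytes from the hex dump above (page data, not constructed here).
PAGE_REQUEST_TSQ = bytes.fromhex(
    "30390201013031300d060960864801650304020105000420"
    "073f5622473e0b6b3f485afefcadff10b281b8dfbe81e308882cf331e667f068"
    "0101ff"
)


def der_length(n: int) -> bytes:
    """DER length: short form below 128, otherwise 0x80|count followed by big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_length(len(body)) + body


def build_ts_request(data: bytes, cert_req: bool = True) -> bytes:
    """TimeStampReq ::= SEQUENCE { version INTEGER 1,
         messageImprint SEQUENCE { hashAlgorithm AlgorithmIdentifier, hashedMessage OCTET STRING },
         certReq BOOLEAN OPTIONAL }  (no nonce, as with -no_nonce)."""
    digest = hashlib.sha256(data).digest()
    algorithm = tlv(0x30, tlv(0x06, SHA256_OID) + tlv(0x05, b""))      # sha256 OID + NULL params
    imprint = tlv(0x30, algorithm + tlv(0x04, digest))
    body = tlv(0x02, b"\x01") + imprint
    if cert_req:
        body += tlv(0x01, b"\xff")
    return tlv(0x30, body)


def read_tlv(buf: bytes, offset: int):
    """Return (tag, value, next_offset) for the TLV starting at offset."""
    tag, length = buf[offset], buf[offset + 1]
    offset += 2
    if length & 0x80:
        count = length & 0x7F
        length = int.from_bytes(buf[offset:offset + count], "big")
        offset += count
    return tag, buf[offset:offset + length], offset + length


def parse_ts_request(req: bytes) -> dict:
    tag, seq, _ = read_tlv(req, 0)
    if tag != 0x30:
        raise ValueError("TimeStampReq must be a SEQUENCE")
    _, version, offset = read_tlv(seq, 0)
    _, imprint, offset = read_tlv(seq, offset)
    cert_req = False
    while offset < len(seq):                       # optional nonce, certReq, extensions
        tag, value, offset = read_tlv(seq, offset)
        if tag == 0x01:
            cert_req = value == b"\xff"
    _, algorithm, alg_end = read_tlv(imprint, 0)
    _, digest, _ = read_tlv(imprint, alg_end)
    _, oid, _ = read_tlv(algorithm, 0)
    return {"version": int.from_bytes(version, "big"), "hash_oid": oid.hex(),
            "hashed_message": digest.hex(), "cert_req": cert_req}


def imprint_matches(req: bytes, data: bytes) -> bool:
    """The check behind openssl's ts_check_imprints: the digest in the request must
    equal the digest of the data being verified."""
    info = parse_ts_request(req)
    if info["hash_oid"] != SHA256_OID.hex():
        raise ValueError("only SHA256 imprints are handled in this example")
    return info["hashed_message"] == hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    original = b"abcdxyz\n"                        # constructed stand-in for testfile.txt
    req = build_ts_request(original)
    print(parse_ts_request(req))
    print("unchanged file:", imprint_matches(req, original))
    print("modified file: ", imprint_matches(req, b"abcxyy\n"))
```

The request carries only the digest, never the file, which is why a saved request.tsq is enough to verify a response without the original data, and also why verifying against the request alone cannot notice that the file itself has since changed.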

This file is then submitted to the time stamping service of your choice.

# cat request.tsq | curl -s -S -H 'Content-Type: application/timestamp-query' --data-binary @- http://timestamp.globalsign.com/scripts/timestamp.dll -o response.tsr

You will then get a TimeStampResp containing a PKCS#7 signed token that records when the hash was signed. This is the most important file to save for verification. You can also verify against the hashed request file, which saves time when verifying large files.

The easiest way to display the signature time is through openssl again:

# openssl ts -reply -in response.tsr  -text

Status info:
Status: Granted.
Status description: unspecified
Failure info: unspecified

TST info:
Version: 1
Policy OID: 1.3.6.1.4.1.4146.2.2
Hash Algorithm: sha256
Message data:
    0000 - 07 3f 56 22 47 3e 0b 6b-3f 48 5a fe fc ad ff 10   .?V"G>.k?HZ.....
    0010 - b2 81 b8 df be 81 e3 08-88 2c f3 31 e6 67 f0 68   .........,.1.g.h
Serial number: 0x1DAAB7B41F40C33E4F29A4CC09BF0582A684BFCD
Time stamp: Sep  1 01:10:50 2020 GMT
Accuracy: unspecified
Ordering: no
Nonce: unspecified
TSA: DirName:/C=SG/O=GMO GlobalSign Pte Ltd/CN=GlobalSign TSA for Standard - G2
Extensions:

If you have the root certificate file you can also verify the signature chain with this method.

Saved Signature Verification
# openssl ts -verify -CAfile ./bundle.cer -in response.tsr -queryfile request.tsq 
Using configuration from /usr/lib/ssl/openssl.cnf
Verification: OK

Verifying directly against source file
# openssl ts -verify -CAfile ./bundle.cer -data testfile.txt -in response.tsr 
Using configuration from /usr/lib/ssl/openssl.cnf
Verification: OK

Testing whether the timestamp becomes invalid
# echo abcxyy > testfile.txt && openssl ts -verify -CAfile ./bundle.cer -data testfile.txt -in response.tsr 
Using configuration from /usr/lib/ssl/openssl.cnf
Verification: FAILED
139911881494976:error:2F064067:time stamp routines:ts_check_imprints:message imprint mismatch

Be aware that to verify the TSA's certificate chain you need a working trust store, whether you built it manually by concatenating the root and intermediate certificates you wish to trust, or you use the system trust store.

As expected, if your source file changes but you verify the TSQ against the TSR, it will still report valid: the response is checked against the hash stored in the request, not against the file.