Tag Archives: Security

Fixed: No passkeys on this device – allowing Passkey support in Android Edge and Keeper

Dialog box in Edge on Android 14 that shows passkeys set to 3rd party management

With the growing use of passkeys on websites, it’s getting pretty important to be able to synchronize them between devices. I have at least two computers and two mobile devices, and I’d like to sign into a passkey-enabled website with the same method on all of them rather than using passkeys on one device and username/password on the other.

Keeper has had passkey support for quite a while now, but until recently, synchronizing to an Android 14 device has not worked; in my case, I would get a Google popup that stated, “No passkeys on this device.”

The Keeper instructions show that the M124 flag needs to be updated. However, I found that, following those instructions as a base but going to edge://flags and searching for Android Credential Management for passkeys, the drop-down box allows the selection Enabled for 3rd party passkeys. After selecting this, I was able to use the passkeys previously saved in Keeper.

A good site to test this is passkeys.io, as it is just a demo site with no secure data that you might end up losing if the passkey doesn’t work; after all, you probably don’t want to test this with your email provider! The bonus is that you can use a random mailinator.com email address to test it without providing your real email address.

One of my banks now supports passkeys. My main bank is unfortunately way behind the curve and doesn’t even support TOTP codes unless you have a business account, with their MFA typically being an SMS text, although sometimes they send a push notification to the app on my phone. It’s odd that they don’t understand that TOTP or push notifications are far more secure; you should also be doing this consistently rather than about 25% of the time.

Fixed: The trust relationship between this workstation and the primary domain failed

Login dialog box showing “The trust relationship between this workstation and the primary domain failed.”

Yes, this old chestnut! Had this issue today on a server, but for some reason the standard netdom resetpwd command would not work.

Running the command netdom resetpwd /s:servername /ud:domain\user /pd:* would give me the error message “The machine account password for the local machine could not be reset”.

PowerShell to the rescue: the equivalent commands, run on the affected machine, fixed the issue.

# prompt for a domain account that is allowed to reset the computer account
$c = Get-Credential

# reset the machine account password with a domain controller and re-establish the secure channel
Test-ComputerSecureChannel -Repair -Credential $c

# restart so the machine uses the repaired secure channel
shutdown /f /r /t 3

Unfortunately I’ve had to do this multiple times in the past, and it’s about time I blogged the solution for my own reference in the future.
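The same repair as a script with the checks I would want around it (an added example, not the original post’s commands): it tests the secure channel first, repairs only if it is broken, verifies the result, and refuses to reboot if the channel still fails. It assumes an elevated PowerShell session on the affected machine, logged in with a local or cached account.

```powershell
# Added example: check, repair and verify the domain secure channel before rebooting.
# Assumes an elevated PowerShell session on the affected machine.

# A healthy channel needs no repair; Test-ComputerSecureChannel returns $true/$false.
if (Test-ComputerSecureChannel) {
    Write-Host "Secure channel to the domain is healthy; nothing to repair."
    return
}

# Prompt for a domain account that may reset the computer account (domain admin or delegated).
$cred = Get-Credential -Message "Domain account allowed to reset this computer account"

# -Repair resets the machine account password with a DC and re-establishes the channel.
if (-not (Test-ComputerSecureChannel -Repair -Credential $cred)) {
    throw "Repair failed: check DNS, that a DC is reachable and that the computer object still exists."
}

# Re-test without -Repair so the reboot only happens once the channel is actually good.
if (Test-ComputerSecureChannel) {
    Write-Host "Secure channel repaired; restarting in 3 seconds."
    shutdown /f /r /t 3
} else {
    throw "Repair reported success but the channel still fails; do not reboot yet."
}
```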

Twitter only seems to have rudimentary support for Yubico keys?

I was fortunate enough to get a wired Yubico key earlier in the year and an NFC key for Christmas that I can use with my phone. My intention was to use the new NFC key as my primary key with the wired key as a backup in case I lose all my keys or just the NFC key. This is the first in a series of posts on enabling the keys to work with a variety of services. See my

I was originally hoping that I could also use the NFC key with my Surface Pro 2 so I would not have to keep plugging the key into the one USB port, but apparently the Surface Pro does not support NFC.

Twitter:-

My first service that I set up was Twitter. I figured it would be fairly simple to set up and not earth-shattering if I lost access to Twitter temporarily. Following the two-factor authentication page on Twitter, I had to jump through a couple of hoops to get it working. First I had to enable two-factor authentication, which defaulted to my mobile. Once this was enabled and I had verified my identity through an SMS message, I was then able to add a security key. I plugged the NFC key into the USB port, pushed the button twice and I was successfully logged in. I was then able to add an authenticator app option and generate a backup code in case I lose my key, and then finally delete the text (SMS) authentication method, as this is the second weakness in the security chain (after poor password choice).

The Downsides

Unfortunately it seems that you can only use one hardware key with Twitter, which means you must not lose that original Yubico key! This risk can be mitigated by having a 2FA app on your phone and also saving the backup code somewhere safe. I use Authy for the code generator and keep the backup code in LastPass, and I tag each site entry with #2FA so I can easily search LastPass to find all the sites that require two-factor. I’ve also added #2faNFC to keep track of which key is used for which service.

The other downside is that it appears that the Twitter mobile client for Android does not support hardware keys and generates a “This browser doesn’t support security key logins” error message.

Twitter login prompt failure when using a hardware key on a mobile device.

It appears that only desktop PC apps using a browser can support the USB hardware keys; hopefully this will change in the future as hardware keys get more and more popular. For the mobile login, select “Choose a different verification method” and then use the authenticator app option.

I also have to come up with a way to make the key easy to plug into the laptop(s). The Surface only has one USB port (with a docking station attached), and reaching around to a docking station to plug in a key will get annoying pretty quickly. I think I’ll be getting a USB extension cable that it can be plugged into.

As mentioned earlier, this is my first experience with the hardware key. It was easy to set up but just a little frustrating that the new NFC device can’t be used on a mobile (for Twitter at least).

Have you used a hardware token such as a YubiKey? Please let me know in the comments below!

Ransomware decrypters

Filing for future reference in case of a ransomware infection. This list gathers together tools and references that may allow you to get access back to encrypted files.

Remember, the best way to not get infected is to install a cryptolocker prevention tool (I use CryptoPrevent), watch the sites you go to, educate yourself on what a phishing attack looks like, don’t run as administrator, use OpenDNS (or Google Safe Browsing) and ensure you have a good backup that is not accessible from your normal machine with your normal credentials.

If you know of any others then please let me know.

Edit: https://www.nomoreransom.org/ is also a good resource and probably should be your starting point. It even allows you to upload an encrypted file (or the ransom note), then checks which ransomware variant you have and lets you know if there is a decrypter available for you.

Book Review – The Art of Invisibility by Kevin Mitnick

The Art of Invisibility: The World’s Most Famous Hacker Teaches You How to Be Safe in the Age of Big Brother and Big Data by Kevin Mitnick
My rating: 4 of 5 stars

A cautionary tale of just how visible you are on the internet and in today’s connected society.

First off, I am fully aware of the irony of posting a review of this book online on Goodreads, my blog and Facebook after reading a book on how to be invisible on the internet...

This was an entertaining read, and although I work in the IT field, there were still some security facts in the book that I was not aware of, so I learnt a fair amount. There are also some useful references for security tools that I had not previously been aware of (although I’m not a security professional).

Despite the above, the book isn’t too technical, so it won’t bore the non-IT person, but it may well make them paranoid! There is a huge emphasis on becoming invisible in the book through extreme measures such as paying a complete stranger to buy some gift cards at a store that doesn’t have cameras in the store OR on the way to the store, then using those to buy bitcoins (twice, to ensure they are completely laundered) and then using those new coins to purchase various items. Not something that the average person in the street is likely to ever do... and I must admit I do wonder: if someone needs to go to all that trouble, would they be reading this book?

There are useful hints and tips about using secure messaging, email etc. that can be used by everyone just to keep their internet usage secure, and which are not too extreme for the day-to-day consumer.

But for the ultra paranoid/nefarious, this book will either help you solve some of your issues or make you even more paranoid, as it brings up points you hadn’t thought of before...

Thanks to Netgalley for the opportunity to read and review this book.


Cloudflare checker for Lastpass in PowerShell and .net

With the recent report of Cloudflare credentials being cached and available in search engines, it is always wise to see just how many sites you’ve logged into recently. If you don’t use a password manager, then you will have a fun time going through your browser history, working out which sites you logged into and then changing your passwords.

Hopefully you are using a password manager by now, and there are several routines available (with source) to check an exported list of URLs from your manager of choice against a public list of Cloudflare-protected sites.
I used CloudFlareChecker, as I could use PowerShell to filter my password export down to URLs first and then run the site list through the tool (which requires the .NET runtime to be installed).
Out of 1200+ URLs in my password export, there were 25 sites using Cloudflare. It didn’t take too long to change credentials and update the passwords in LastPass. Yes, it’s worth doing for all sites, but I really don’t have time to log into that many websites!
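The filtering step described above, written out as an added example (this is not the post’s own script nor CloudFlareChecker’s code): it reads a LastPass CSV export, pulls out the distinct hostnames, and matches each host and its parent domains against a list of Cloudflare-fronted domains. It assumes the export header url,username,password,extra,name,grouping,fav, that secure notes carry the placeholder URL http://sn, and a plain text file of Cloudflare hostnames; the sample data embedded below is constructed.

```powershell
# Added example: match hostnames from a LastPass export against a Cloudflare domain list.
param(
    [string]$ExportPath     = ".\lastpass_export.csv",   # assumed path of the LastPass CSV export
    [string]$CloudflareList = ".\cloudflare_sites.txt"   # assumed path: one hostname per line
)

# Constructed sample data so the script runs offline; delete these files to use your own.
if (-not (Test-Path $ExportPath)) {
@"
url,username,password,extra,name,grouping,fav
https://login.example.com/auth,alice,hunter2,,Example,Web,0
http://sn,,,,My secure note,Notes,0
https://www.example.org/,alice,pw,,Example Org,Web,0
"@ | Set-Content $ExportPath
}
if (-not (Test-Path $CloudflareList)) {
    "example.com", "cdn.example.net" | Set-Content $CloudflareList
}

# Case-insensitive lookup of Cloudflare-fronted hostnames.
$cf = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
Get-Content $CloudflareList | Where-Object { $_.Trim() } | ForEach-Object { [void]$cf.Add($_.Trim()) }

# Distinct hostnames from the export, skipping secure notes (url = http://sn) and unparsable URLs.
$hosts = Import-Csv $ExportPath |
    Where-Object { $_.url -and $_.url -ne 'http://sn' } |
    ForEach-Object {
        $uri = $null
        if ([System.Uri]::TryCreate($_.url, [System.UriKind]::Absolute, [ref]$uri)) { $uri.Host }
    } | Sort-Object -Unique

# A site matches if its host or any parent domain is listed (login.example.com is covered
# by an entry for example.com); the bare TLD is never tried.
$affected = foreach ($h in $hosts) {
    $labels = $h.Split('.')
    for ($i = 0; $i -lt $labels.Length - 1; $i++) {
        if ($cf.Contains(($labels[$i..($labels.Length - 1)] -join '.'))) { $h; break }
    }
}

"{0} distinct hosts in export, {1} behind Cloudflare:" -f @($hosts).Count, @($affected).Count
$affected
```

With the constructed sample data this reports two distinct hosts, one of them (login.example.com) behind Cloudflare; the output list is what you would then work through in your password manager.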

If you don’t use LastPass then there are several other resources at your search engine of choice that will help you check Firefox saved passwords (hopefully you don’t use them), KeePass, or even check an individual website for potential issues.

As an aside, I’ve been trying out Dashlane as an alternative to LastPass, but I’ve not been very impressed with it so far. It fails to recognise any saved credentials for Office365, and the extension doesn’t even activate in Chrome, so I’m staying with LastPass. If you haven’t signed up for a password manager yet, then signing up with this LastPass premium link gives us both a free month of premium access, and if you have any questions then let me know.

Last.fm password breach – you’re doing it wrong.

Last.FM logon page

I received an email from HaveIBeenPwned this morning, the incredibly useful service that lets you know if your username and password were released in a data breach. This time around it was last.fm, a streaming radio station that was pretty popular a long, long time ago. I went to log into the system and checked my Gmail account for email from last.fm to see if I had my membership confirmation email: nothing. I had one email from last.fm back in 2008 when I had received a friend request (I am so popular!), which was actually a spam request.

Obviously I had not used the service for a very, very long time. The data breach occurred in 2012 and was known about in 2012, and yet they had done nothing about it then. They had also not done anything about it recently, after the breached data was leaked, as I had not received an email from them letting me know my account had been breached.

To add insult to injury, the old password was still active and I was able to log in with it. I can understand a small pokey geocaching website not understanding security correctly and leaving passwords the same after a data breach with only a small notification on the website, but even they reacted after I sent them an email to say they needed to do something better and at least inform their visitors and ideally change their passwords. Last.fm really have no excuse, as they are big enough that they should know better, and all of the accounts should have had their passwords changed once the breach was public or, better yet, when they knew about the breach.

Instead, the list of usernames and passwords is still out there for people to search and log in with.

I guess the argument for not changing the account password is to let the subscriber log in with the original password that they know. If the email address was now invalid and the password was changed by last.fm, then the user would not be able to get into their account anymore... on the other hand, if last.fm does not change the password, anyone could log into the account, reset the password, have access to all the data (including the person’s email address) and the account holder would not be able to gain access. The hacker will not be able to change the email address though, as they have put protection in place to prevent the email address being changed without a verification email link being clicked on, so I guess that is something...

This is also yet another reminder to use a password manager to “remember” all of your passwords for each site; don’t use the same one at each location. I highly recommend LastPass (unless you are a user with multiple accounts at Office365). At $12 a year for syncing between all of your devices it is well worth the cost, and if you sign up with the link above we both get an extra month for free. I used to use the free KeePass software, which is standalone and doesn’t hook into your browser like LastPass, but it can also sync between devices (with a bit of finagling).

What do you think: should last.fm have changed users’ passwords when the data breach went public? Have you signed up for HaveIBeenPwned? If not, what are you waiting for? It’s free and a great first-response tool to keep your accounts more secure.

Arj compression – anyone remember this?

We had an interesting ticket come in today where an antispam system had let through a file compressed with the ARJ format. This immediately brought back memories of compressing files back at university in the very early 90s; a format that used to be very popular but that nowadays most people, including the rest of our techs, have never even heard of.
I am guessing the spammers were hoping that their recipients have WinZip, WinRAR or 7-Zip installed so they will be able to open the infected file, and that as the file format is so old, AV scanners will not check it.

Anyone else out there remember ARJ files, and does anyone (dare to admit that they) still use it?

Fixed: Android Device Manager does not ring your phone on a Samsung S6

Since I have had my S6 I have not been able to get Android Device Manager to ring my phone. It locates it accurately on the map and will lock the screen OK, but it just wouldn’t ring. Not much use when you know the phone is *somewhere* in the house.
Today I did a bit of experimentation and discovered that my notification volume was set to silent. I changed this to a value in the middle by pressing the volume up key, selecting the settings gear and then changing notifications, and now the phone rings even if it is set to silent.

Hope this helps someone else, as it does seem to be a common issue with not many useful solutions.
Also, to turn on the Android Device Manager capabilities on the phone, go to Apps, Settings, Lock screen and security, Other security settings, Device administrators, and ensure Android Device Manager is enabled (simple, huh?)

Would/Should you block linkedin to your Exchange Server?

Apparently LinkedIn now has a feature that allows users to provide their corporate passwords to a third party so the users can then send invites to other people in their office. I really don’t see how this can Be A Good Thing 😉. Paul Cunningham has a post on ExchangeServerPro on this feature and links to Adam Fowler’s post on how to block LinkedIn from Exchange. This is interesting, as we’ve also seen this issue with Verizon doing something that we expect is screen scraping to provide email information to phones. Admittedly this was a while back, but we have found it hitting the Exchange server, so it will be interesting to see if this successfully blocks the server.

In the meantime, maybe it’s time to educate not only LinkedIn that this is a really bad idea, but also your corporate users.

For what it’s worth the solution is to do the following:-

There are a few settings to check. First, under the Set-OrganizationConfig area, you’ll need to check that EwsApplicationAccessPolicy is set to ‘EnforceBlockList’. If it’s not, it’s going to be “EnforceAllowList” and you’re probably OK, as that uses a whitelist to allow access only to what’s listed, rather than a blacklist that blocks only what’s listed.

Next, you need to add LinkedIn into the BlockList. This is done with the command “Set-OrganizationConfig -EwsBlockList LinkedInEWS
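The two steps above as one script, added here as an example (not Adam Fowler’s or the original post’s code): it reads the current EWS application policy, adds LinkedInEWS in whichever way is correct for that mode, and also covers the case the instructions above skip, where no policy is set at all and every EWS application is accepted. It assumes an Exchange Management Shell or remote PowerShell session already connected with rights to run Set-OrganizationConfig.

```powershell
# Added example: block the LinkedIn EWS application according to the current policy mode.
# Assumes an Exchange Management Shell / remote session with Organization Management rights.
$app = 'LinkedInEWS'   # EWS application identifier quoted in the post
$cfg = Get-OrganizationConfig

switch ($cfg.EwsApplicationAccessPolicy) {
    'EnforceAllowList' {
        # Allow-list mode: anything not explicitly listed is already refused, so the block
        # list is irrelevant. Only make sure LinkedIn has not been allowed.
        if ($cfg.EwsAllowList -contains $app) {
            Set-OrganizationConfig -EwsAllowList @{Remove = $app}
        }
    }
    'EnforceBlockList' {
        # Block-list mode: append rather than overwrite, so existing entries survive.
        if ($cfg.EwsBlockList -notcontains $app) {
            Set-OrganizationConfig -EwsBlockList @{Add = $app}
        }
    }
    default {
        # No policy set ($null): every EWS application is accepted. Switch to block-list
        # mode and seed the list in one call; only the listed application is affected.
        Set-OrganizationConfig -EwsApplicationAccessPolicy EnforceBlockList -EwsBlockList $app
    }
}

# Verify the result.
Get-OrganizationConfig | Select-Object EwsApplicationAccessPolicy, EwsAllowList, EwsBlockList
```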