Sunday, January 6, 2019

"I don't want to bother turning on Two Factor Authentication"

By Steve Endow


January 2019 Update:  A security researcher has developed a tool that can intercept logins and 2FA codes through a man-in-the-middle attack. 

https://www.zdnet.com/article/new-tool-automates-phishing-attacks-that-bypass-2fa/

This type of attack can apparently defeat most, if not all code based 2FA systems.  

I have a separate blog post discussing YubiKeys / U2F tokens, which are touted as being more secure than code-based 2FA authentication schemes.

The article mentions that the tool "is inefficient against U2F-based schemes that rely on hardware security keys."  I am not sure if author did mean inefficient, or if he meant ineffective, but I don't think U2F tokens would prevent the browser from authenticating with a YubiKey with the MITM in place.  

If anyone has information indicating that U2F validates the URL and / or can prevent this type of MITM proxy attack, I would love to read about it.



The other day I received a Skype message from a friend.  It was an abbreviated URL using the Google URL shortener.

It looked something like this:

          https://goo.gl/zADTrqeUItixixqazsva&34525?id=username


Since it was from a friend I knew well, I was about to click on it.

Then I paused.

The URL format seemed a bit odd.  After a moment of reflection, I realized it looked suspicious.  Then I realized that the message appeared in Skype.  And this friend doesn't message me on Skype.  And I vaguely recall receiving a similar message on Skype from a customer a few years ago.

I messaged my friend through another app and let him know that his Skype account had been compromised.

He was able to login to his Skype account and confirm it had been compromised.  He was able to see several logins from other countries.




He let me know that he reset his password, and considered the problem resolved.

I then recommended enabling two factor authentication on the account.

His response:  "I don't regularly use the account, so I don't want to deal with the potential hassle of 2FA".


I propose looking at 2FA differently.

Installing Windows from a USB Flash Drive

By Steve Endow


UPDATE:  Ian Grieve informed me that there is a Microsoft tool that will help you create a bootable USB drive from an ISO image.  

Here is his article about the "Windows USB/DVD Download Tool":

http://www.azurecurve.co.uk/2013/01/how-to-make-a-bootable-windows-8-usb-drive/


Here is the current Microsoft link to download the tool (as of Jan 2019):

https://www.microsoft.com/en-us/download/details.aspx?id=56485



I'm currently building a new dedicated Windows server for running Dynamics 365 Business Central Docker images.


Since I only build a new machine every 2-3 years, I always have to lookup how to setup a bootable USB flash drive with the Windows installation files.

I am confident that I will forget this information in 2 weeks, so I'm posting this for posterity.


Here are the two articles that I used.

I initially tried to use Windows Disk Manager, but it didn't allow me to set the USB partition to "Active".  So I had to use the steps from this first article to set the active partition.


Prepare the USB drive using DiskPart:

https://docs.microsoft.com/en-us/windows-server-essentials/install/create-a-bootable-usb-flash-drive


Insert USB flash drive
Administrator Command Prompt
diskpart
list disk
select disk <#>         (make sure to select the correct disk for your USB drive!!!!)
clean
create part pri
select part 1
format fs=fat32 quick
active
exit


And because Windows ISO images now have files larger than 4GB, you can't copy them to FAT32 file systems.  So I had to use the commands from this article to copy the Windows installation files to the USB drive.

After mounting the Windows ISO file so that it shows up as a new drive letter, run the two commands listed at the bottom of the article.  Make sure to set the drive letters to match your source and destination drive letters.


Copy the files to the USB drive using Robocopy and DISM: (commands at bottom)

https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/install-windows-from-a-usb-flash-drive


robocopy D: E: /s /max:3800000000

Dism /Split-Image /ImageFile:D:\sources\install.wim /SWMFile:E:\sources\install.swm /FileSize:3800



Steve Endow is a Microsoft MVP in Los Angeles.  He is the owner of Precipio Services, which provides Dynamics GP integrations, customizations, and automation solutions.

You can also find him on Twitter and YouTube





Saturday, December 22, 2018

Using my iPad as a Laptop Replacement, and for Coding!

By Steve Endow

For the last month, I've been using an iPad Pro with the Apple Smart Keyboard Folio and Apple Pen to see how much work I could do on the iPad, and see whether I could use it to replace my laptop.

When I am away from the office and have a few minutes to get some work done, I want to start working immediately, and get a task done immediately.  It feels like it's getting harder for me to do that without interruption on my Windows laptop. Sometimes WiFi is flaky and I have to reboot. Other times the VPN won't connect and I have to reboot. Then there are the incessant, nagging Windows updates that regularly interrupt my work and sometimes require a reboot. I'm currently having a weird issue where Windows File Explorer is unresponsive for 10-60 seconds, CPU utilization spikes for no obvious reason, and I either have to wait for things to calm down, or have to, you guessed it, reboot to try and clear things up.

Obviously, this topic isn't even relevant for many people who primarily work at a desk, but if you regularly work remotely, or regularly use a laptop for productivity tasks, I think the iPad is worth trying.

In this video, I show how to code Azure Functions on an iPad and use the Azure Continuous Deployment feature to automatically deploy the changes made on the iPad.

The entire video was made on my iPad.  The presentation, the screen shots, the code, and even the video editing was done completely on my iPad.



Thursday, December 20, 2018

Bulk Export Dynamics GP Document Attachments using .NET

By Steve Endow

1/23/2019 UPDATE:  Version 1.20 released


A user on the GPUG Open Forum asked if there was a way to export all of the documents that are attached to Dynamics GP customers.

I previously wrote a blog posts showing how to export a single document attachment using BCP:

https://dynamicsgpland.blogspot.com/2017/05/extract-dynamics-gp-document-attach.html


And another showing how to export a single document attachment using .NET:

https://dynamicsgpland.blogspot.com/2017/05/extract-and-save-dynamics-gp-document.html


But the BCP solution is only for a single attachment, and the .NET solution didn't have any features for filtering or organized export of attachments.

So today I updated the .NET solution to allow the user to select a Database, Record Type, and indicate whether Deleted attachments should be exported.



Once those options are selected, the user can retrieve a list of all of the attachments, which shows the type, the associated record number, the file name, and file size.

The user can then select an export path and click a button to export all of the attachments to disk.


The application and full source code can be downloaded here:

       Version 1.20:  https://1drv.ms/u/s!Au567Fd0af9TpRUtDRq_heyOh50p


Version 1.20 includes several enhancements:

-Login dialog allows you to specify SQL Server, username, and password for SQL login
-Support named system databases
-Config file allows you to add additional document types
-Added PM and POP document types


New record types can be added by editing the configuration file.


Please note that this .NET application was assembled in a few hours, and is not a refined, polished, commercial software release.  It does not have lots of configuration options or error handling, so you will want to test it in a TEST environment and be aware that it may need some modifications to work in your environment.


Steve Endow is a Microsoft MVP in Los Angeles.  He is the owner of Precipio Services, which provides Dynamics GP integrations, customizations, and automation solutions.

You can also find him on Twitter and YouTube





YubiKeys are neat, but have very limited support...at the moment.

By Steve Endow


TL;DR: If you're a typical computer user, save your money and do not purchase U2F keys at the moment.  The technology is promising, but adoption is still so limited that it probably doesn't make sense for most people to use U2F on just one or two accounts.


January 2019 Update:  A security researcher has developed a tool that can intercept logins and 2FA codes through a man-in-the-middle attack. 

https://www.zdnet.com/article/new-tool-automates-phishing-attacks-that-bypass-2fa/

This type of attack can apparently defeat most, if not all code based 2FA systems.  The article only mentions that the tool "is inefficient against U2F-based schemes that rely on hardware security keys."  I am not sure if author did mean inefficient, or if he meant ineffective, but I don't think U2F tokens would prevent the browser from authenticating with a YubiKey with the MITM in place.  This YubiKey article explains that U2F prevents authentication with a fake phishing site, but does not appear to directly address the MITM proxy attack used by the Modlishka tool, which accesses the real Google site.

If anyone has information indicating that U2F validates the URL and / or can prevent a MITM proxy attack, I would love to read about it.


I read about physical USB security keys quite a while ago, but it wasn't clear to me exactly how they worked and I couldn't fully understand the value that they provide.

They go by various names:  'security key', 'USB security key', U2F, or FIDO.  And then there are specific brand names for the keys, such as YubiKey (by Yubico) and Titan Security Key (by Google).

I had previously considered trying one, but couldn't figure out what I would use it for, until last month when Troy Hunt wrote an article on how he researched Google's new Advanced Protection Program and how it uses U2F.

https://www.troyhunt.com/beyond-passwords-2fa-u2f-and-google-advanced-protection/


The article is very informative and speaks well to how easy it is to setup the U2F keys.

Shortly after, I read some announcements claiming that Microsoft had added YubiKey support to Microsoft logins. Awesome, right? (I failed to read the fine print)

So I decided to buy some and give them a try.

The reviews I read about Google's Titan keys were mixed. While they are more economically priced, the key fob version is apparently cheap plastic that can fall apart or break if dropped.

So I decided to pay more and get the YubiKey version, which appears to be much higher quality.  And that's where the first issue becomes obvious.

Friday, November 30, 2018

eConnect Performance: Using GetNextDocNumbers vs taGetNext stored procedures

By Steve Endow

This one is definitely an obscure topic that nobody is asking about.

But hey, I was curious.

I was researching whether the eConnect GetNextGLJournalEntryNumber could handle a heavy load, and whether it would throw any errors when issuing lots of JE numbers.

Interestingly, I was unable to break it.  I was able to get one SQL exception error when running my test while also trying to get a new JE number in the GP Journal Entry window, but I was unable to reproduce that error.

This image shows 3 instances of my load test application simultaneously retrieving a total of 3,000 JE numbers over about 45 seconds.

3,000 JE Numbers


 public string GetNextJENumbereConn()  
 {  
   GetNextDocNumbers getNext = new GetNextDocNumbers();  
   
   try  
   {  
     string nextJE = getNext.GetNextGLJournalEntryNumber(IncrementDecrement.Increment, ConnectionStringWindows());  
     return nextJE;  
   }  
   catch (Exception ex)  
   {  
     throw ex;  
   }  
 }  


Testing just 1 instance of my load tester, I saw that it took about 16 seconds to generate 1,000 JE numbers using the eConnect method.

So, naturally, I wondered what the performance would be if I called the stored procedure directly.

Thursday, November 29, 2018

How long does it take to import Dynamics GP GL JEs with Analytical Accounting?

By Steve Endow

I recently did some tests to see how long it takes to import GL Journal Entries with large numbers of line items.

Those test results were fairly consistent, and showed that eConnect does a pretty good job of importing JEs with a large number of lines.  Only 8 seconds to import a JE with 2,000 lines seems pretty good to me, as I suspect most customers don't import JEs that large.

For anyone who is familiar with Dynamics GP integrations, the next obvious question is how eConnect handles imports of GL JEs when there is Analytical Accounting data involved.

From experience, I know that GL JEs with AA do not import terribly quickly or efficiently.

Here are the results of importing a single JE with varying line counts.  Every line in the JE has one AA code assigned.

100 lines:  3-8 seconds
200 lines:  3-9 seconds
500 lines:  9-17 seconds
1,000 lines:  21-47 seconds 
2,000 lines:  174-222 seconds


There are two obvious differences when you add Analytical Accounting codes to your GL JE import.

First, they take much, much longer.  A standard JE with 500 lines takes 2 seconds, but when you add AA, that same JE takes 9-17 seconds.

A standard JE with 2,000 lines takes 8 seconds, but when you add AA, that same JE takes 174-222 seconds.

HUUUUUGE decrease in import performance.

The second issue is the incredible variance in import times for the single JEs with AA data.  When importing the standard JEs, the import times were completely consistent.  Over 10 runs, I might have seen a 1 second variance, if any.

In this test with AA data, I imported the same JE at least 10 times for each line count, and you can see how different the times are.  The durations seem almost random.  The import times did not gradually increase or decrease--they would just increase on one run, and then decrease on the next.

The times varied from 89% to 200%, which is pretty wild.  I don't know how a stored procedure could have so much variance in performance from one run to the next.  If it wasn't such a nightmare to trace the activity from the eConnect procedures, I'd look into it.

So there you have it.  If you have to import transactions with Analytical Accounting data, you have been warned.  It seems that the eConnect procs for AA do not perform well.

Steve Endow is a Microsoft MVP in Los Angeles.  He is the owner of Precipio Services, which provides Dynamics GP integrations, customizations, and automation solutions.

You can also find him on Twitter and YouTube





"I don't want to bother turning on Two Factor Authentication"

By Steve Endow January 2019 Update:  A security researcher has developed a tool that can intercept logins and 2FA codes through a man-in-...