Sunday, January 6, 2019

"I don't want to bother turning on Two Factor Authentication"

By Steve Endow

January 2019 Update:  A security researcher has developed a tool that can intercept logins and 2FA codes through a man-in-the-middle attack.

This type of attack can apparently defeat most, if not all code based 2FA systems.  

I have a separate blog post discussing YubiKeys / U2F tokens, which are touted as being more secure than code-based 2FA authentication schemes.

The article mentions that the tool "is inefficient against U2F-based schemes that rely on hardware security keys."  I am not sure if author did mean inefficient, or if he meant ineffective, but I don't think U2F tokens would prevent the browser from authenticating with a YubiKey with the MITM in place.  

If anyone has information indicating that U2F validates the URL and / or can prevent this type of MITM proxy attack, I would love to read about it.

The other day I received a Skype message from a friend.  It was an abbreviated URL using the Google URL shortener.

It looked something like this:

Since it was from a friend I knew well, I was about to click on it.

Then I paused.

The URL format seemed a bit odd.  After a moment of reflection, I realized it looked suspicious.  Then I realized that the message appeared in Skype.  And this friend doesn't message me on Skype.  And I vaguely recall receiving a similar message on Skype from a customer a few years ago.

I messaged my friend through another app and let him know that his Skype account had been compromised.

He was able to login to his Skype account and confirm it had been compromised.  He was able to see several logins from other countries.

He let me know that he reset his password, and considered the problem resolved.

I then recommended enabling two factor authentication on the account.

His response:  "I don't regularly use the account, so I don't want to deal with the potential hassle of 2FA".

I propose looking at 2FA differently.

Installing Windows from a USB Flash Drive

By Steve Endow

UPDATE:  Ian Grieve informed me that there is a Microsoft tool that will help you create a bootable USB drive from an ISO image.  

Here is his article about the "Windows USB/DVD Download Tool":

Here is the current Microsoft link to download the tool (as of Jan 2019):

I'm currently building a new dedicated Windows server for running Dynamics 365 Business Central Docker images.

Since I only build a new machine every 2-3 years, I always have to lookup how to setup a bootable USB flash drive with the Windows installation files.

I am confident that I will forget this information in 2 weeks, so I'm posting this for posterity.

Here are the two articles that I used.

I initially tried to use Windows Disk Manager, but it didn't allow me to set the USB partition to "Active".  So I had to use the steps from this first article to set the active partition.

Prepare the USB drive using DiskPart:

Insert USB flash drive
Administrator Command Prompt
list disk
select disk <#>         (make sure to select the correct disk for your USB drive!!!!)
create part pri
select part 1
format fs=fat32 quick

And because Windows ISO images now have files larger than 4GB, you can't copy them to FAT32 file systems.  So I had to use the commands from this article to copy the Windows installation files to the USB drive.

After mounting the Windows ISO file so that it shows up as a new drive letter, run the two commands listed at the bottom of the article.  Make sure to set the drive letters to match your source and destination drive letters.

Copy the files to the USB drive using Robocopy and DISM: (commands at bottom)

robocopy D: E: /s /max:3800000000

Dism /Split-Image /ImageFile:D:\sources\install.wim /SWMFile:E:\sources\install.swm /FileSize:3800

Steve Endow is a Microsoft MVP in Los Angeles.  He is the owner of Precipio Services, which provides Dynamics GP integrations, customizations, and automation solutions.

You can also find him on Twitter and YouTube

"I don't want to bother turning on Two Factor Authentication"

By Steve Endow January 2019 Update:  A security researcher has developed a tool that can intercept logins and 2FA codes through a man-in-...