Wednesday, May 27, 2015

Major iPhone bug found - text can make your phone crash - fixed?

Sourced here: http://www.reddit.com/r/apple/comments/37enow/about_the_latest_iphone_security_vulnerability/

Long story short, the latest iPhone vulnerability has to do with how it processes banner notifications with Unicode text.  Sending the following as a text while a phone is locked is supposed to crash the phone.



effective
Power.
لُلُصّبُلُلصّبُررً ॣ ॣh ॣ ॣ 冗


I 'tested' this with a friend, looks like Apple might have already fixed it.  I can paste the string and it's correct but when sent the jihadi looking string gets mirrored.  The friend's phone did not do anything weird or detrimental... it just kept on working.

Yay Apple?

Thursday, May 21, 2015

PowerShell - Searching AD for locked out domain accounts

So yeah.. should be a no-brainer to most, however with the changed cmdlets in PowerShell 4 I had to look it up.  This is one of those little things that you probably don't need very often but when you do it's a life saver.

Import-Module ActiveDirectory
Search-ADAccount -LockedOut


That's it.  Easy right?
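
An added example, not from the original post: the same search extended to show when each account locked out and how many bad attempts preceded it. The 15-minute window and the threshold of 5 accounts are assumed values chosen for illustration.

```powershell
Import-Module ActiveDirectory

# Assumed values for illustration; tune them to your lockout policy.
$windowMinutes = 15
$threshold     = 5

# Search-ADAccount returns only basic account fields, so pipe the results
# to Get-ADUser to pull the lockout details.
$locked = @(Search-ADAccount -LockedOut -UsersOnly |
    Get-ADUser -Properties AccountLockoutTime, BadLogonCount, LastBadPasswordAttempt |
    Select-Object SamAccountName, Enabled, AccountLockoutTime, BadLogonCount, LastBadPasswordAttempt |
    Sort-Object AccountLockoutTime -Descending)

$locked | Format-Table -AutoSize

# Several accounts locking out close together deserves a look at the
# Security log (event 4740, "A user account was locked out") before
# anyone starts unlocking accounts in bulk.
$cutoff = (Get-Date).AddMinutes(-$windowMinutes)
$recent = @($locked | Where-Object { $_.AccountLockoutTime -gt $cutoff })
if ($recent.Count -ge $threshold) {
    Write-Warning "$($recent.Count) accounts locked out in the last $windowMinutes minutes"
}
```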

Thursday, May 7, 2015

Rancid, Cisco networking device config backup/differencing

So Monday I started setting up a Rancid server.  Honestly I needed something to do until the DR project really kicks off, I was googling.. found mention of a Cisco switch/router configuration backup and ran with it.

I set up a CentOS 7 virtual machine and, following the advice laid out here: http://ciscoskills.net/2015/01/03/install-rancid-and-viewvc-on-centos-7/ , was able to get the server going.  What I like about ViewVC is that it gives you a nice web GUI to view the captured configs with.  Also you can select a specific config file and it can display the differences between the selection and the current file.  Really cool.


Anyway I think this will be one of those systems that just kinda runs.. for months or years and gets forgotten about.  Until a switch dies and you need the configuration.

Wednesday, May 6, 2015

Carbon - PowerShell module

I got an email this morning from Powershell.com letting me know about a new and recommended module named Carbon.

I have only been playing with it for a short time but so far I'm interested.  They've added quite a few new and handy cmdlets.  And if the folks at Powershell.com recommend it, it automatically has my support.

Check it out. Oh and sign up for Powershell.com's PowerTips, I've been getting them every few days for months now.  A number of them have proven very useful.

Monday, May 4, 2015

BitLocking an SSD

So today we ran into an issue encrypting an HP Z230 desktop with BitLocker.  The desktop did have a TPM chip, which was enabled.  The tech went through the typical BitLocking steps.. enabling, performing the BL check and then it prompted for a reboot like normal.
Here's where it gets a little sticky: upon reboot the user was presented with an F1 to enter the BIOS.  I do not know whether or not that was a function of BitLocking since I have not tried it myself on a Z230, but he assures me the TPM was enabled and functioning properly, which I believe: if TPM is disabled or otherwise unusable then BL should have cancelled itself or otherwise complained.


Anyway after that it proceeded to blue screen.  Inspecting the disk inside the BIOS results in:

Nice huh?  I had him reset the BIOS to defaults, no help. Changed SATA ports, no help. Changed from AHCI to SATA mode, disabled TPM, disabled secure boot.. nothing helped.  There is no Recovery info in AD nor could the drive technically be encrypted because this was one reboot and encryption takes many hours.

He is currently trying to slave it onto a machine with Samsung Magician installed just to see what their own utility reports.

In Googling I found https://helgeklein.com/blog/2015/01/how-to-enable-bitlocker-hardware-encryption-with-ssd/  and http://superuser.com/questions/700009/how-do-i-encrypt-samsung-840-ssd-with-bitlocker

Now from what I have read it's not just Samsung related, but they are popular so it stands to reason more people using them = more people encrypting.

I will obtain a test SSD and perform my own spelunking, however this has stopped my plans for encrypting my own Z230 ;)

Friday, May 1, 2015

BitLocker - A short story on how to setup in a domain.

BitLocker, in case you've never heard of it, is a data encryption method developed by Microsoft for use on the 'recent' Windows platform. OS requirements include:

Windows Vista/7 - Ultimate and Enterprise
Windows 8/8.1/2008/Later - Professional and Enterprise


BitLocker meets FIPS 140-2 using AES encryption.

Now having recently gone through this in my own company I can say it was MUCH less painful than I ever thought it could have been previously.  First off make sure your domain is at least a functional level of 2008.  If you are still on a 2003 level you will need to extend the schema.  I did not have to, so you'd need to Google-Fu up the procedures on doing that.


Now one of the first things I did was go here:
https://technet.microsoft.com/en-us/library/dd875529%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396

I used the Add-TPMSelfWriteACE.vbs script to make sure the access control entry for TPM in AD was created.

  1. Download and review Add-TPMSelfWriteACE.vbs (http://go.microsoft.com/fwlink/?LinkId=167133) from the download page.
  2. Modify Add-TPMSelfWriteACE.vbs as appropriate for your environment.
  3. Type the following at a command prompt, and then press ENTER:
    cscript Add-TPMSelfWriteACE.vbs

Then I created the GPO that would require the Recovery Key to be stored within AD:


Now quite honestly.. once those were done I took a test laptop.. enabled the TPM within the BIOS.  I enabled BitLocker and let it do the hardware check.  It rebooted once, came back up and proceeded to encrypt the drive which took like 6 hours for a 500 GB drive.

Once complete I verified the Recovery Key was stored in AD under the computer object:



Boom, done.  I didn't really notice any performance hit after the encryption process completed however admittedly this is not my main machine so I need to use it for a while to better gauge that.
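
An added example, not part of the original post: the recovery-key check described above, done in PowerShell across an OU instead of one computer object at a time. The OU path is a hypothetical placeholder; the script only reports whether recovery objects exist and deliberately never reads the recovery password attribute.

```powershell
Import-Module ActiveDirectory

# Assumption: hypothetical OU holding the machines that should be BitLocked.
$searchBase = 'OU=Workstations,DC=example,DC=com'

$report = foreach ($computer in Get-ADComputer -Filter * -SearchBase $searchBase) {
    # BitLocker recovery info is stored as msFVE-RecoveryInformation child
    # objects underneath the computer object.
    $query = @{
        Filter     = "objectClass -eq 'msFVE-RecoveryInformation'"
        SearchBase = $computer.DistinguishedName
        Properties = 'whenCreated'
    }
    $keys = @(Get-ADObject @query)

    [pscustomobject]@{
        Computer     = $computer.Name
        RecoveryKeys = $keys.Count
        NewestKey    = ($keys | Sort-Object whenCreated -Descending |
                        Select-Object -First 1).whenCreated
    }
}

# Full picture first, then only the machines with nothing escrowed in AD.
$report | Sort-Object RecoveryKeys, Computer | Format-Table -AutoSize
$report | Where-Object { $_.RecoveryKeys -eq 0 } | Select-Object Computer
```

A machine that shows zero recovery objects either has not been encrypted yet or was encrypted before the GPO applied, so check it before the drive is relied on.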