PowerShell Inconsistency Frustrations

This will be updated over time as a location to note the various inconsistencies present in Windows PowerShell
Remove-ADComputer: the -Confirm switch does not take its value after a space (-Confirm $false) but after a colon (-Confirm:$false):
  Remove-ADComputer -Identity "computername" -Confirm:$false

Logitech C922 Pro vs Logitech C930e

C930e : https://amzn.to/43NRd8e

C922 Pro : https://amzn.to/3QgjD7U

https://www.streamtechreviews.com/blog/c920-c925e-c930e-c922

Brother ADS-4700W Network Capable Scanner

Replacement options for the ZyXEL USG60 and USG60W

The ZyXEL USG60 and USG60W made their debut in 2016 as replacements for the USG50. It is a decent, entry-level, enterprise-grade, rack-mount router with a pretty solid command line interface. The wireless was always a little lacking, but that was more than made up for by its AP control, which could be expanded with the purchase of an additional license. Without going into the features of the USG60/W, though, the time has come to plan for its replacement – and the recent Denial of Service vulnerability may have expedited that for some.
The most immediate option for replacement would be the USGFlex 200, sometimes called the USG60 v2, although the comparison is pretty loose. At the time of writing this, the unit can be found for sale at between $400 and $600 USD.

That’s not yet the end of this story, though, so check back later for more information on replacement options for the ZyXEL USG60/W.

Facebook Account Takeover Hack, but Meta Does the Most Damage

On February 24th, 2022, the same day that Russia invaded the Ukraine, my Facebook account was the target of a successful Account Takeover attack. In the 30 minutes it took for me to respond to the attack and get the account locked, the hacker/s exploited Facebook’s own tools to successfully lock me out of my account. As of the time of writing this post, 4 days remain before Meta permanently deletes my Facebook account, an account that I have built over the course of more than a decade. It will be a loss that I will not soon forget – or forgive. But it’s the lack of any accessible human intervention or assistance from Meta/Facebook that is doing the most damage.

How did they do it?

Simply put, the attacker/s exploited Facebook’s “forgot password” feature. When someone forgets their password (usually because they’re not using a password manager), they can request that a password reset link be sent to their email address. For some of us, there is more than one email address associated with the account. In my case, I had added an email address to my account to verify ownership of a domain so that I could regain control of a client’s Facebook business page.

It was using this email address that the attacker/s were able to exploit the forgot password feature and gain access to the account, and they did it by taking the expired domain name and registering it themselves so they could receive the email to reset the password.

Timing was also key here, as I had, coincidentally, relaxed my FB account security in order to help try to address harassments my significant other was experiencing on FB (another issue that Facebook was not addressing).

Once in the account, they deleted the other email addresses, and began engaging in whatever nefarious activity they chose to pursue, including running advertisements using my Facebook Advertising account.

Now, since I don’t allow people to discover me using my email addresses, I am left to wonder – what kind of OSINT activity was used to gather the email addresses that were on my account in the first place? My best guess – Cambridge Analytica.

30 minute response time

From the first email requesting the password be changed to the moment when I was able to get Facebook to lock the account as having been hacked, only 30 minutes took place. But in that 30 minutes, a lot of damage was done.

Since I do know people from the Ukraine, and since this all happened during the first day of Russia’s invasion of the Ukraine, I have to believe that Russian hackers are the most likely source of the attack; though, it would be next to impossible to prove this without some kind of cooperation from Facebook/Meta – and there seems to be little or no interest on Meta’s part to help in any way.

Of course, it is a little more sophisticated. Emails from Facebook during the Account Takeover show that an iPhone was used to change the password via an IP address belonging to Comcast/Xfinity in Portland, Oregon.

My response

Within the first 30 minutes of the attack, I reported the attack to Facebook, and they responded that the account had been locked pending verification. I then had to proceed through a reset password using previous passwords, but, since the email address I actually use had been removed, I had to take the added step of providing a copy of my ID. It took about 2 days for Facebook to verify the account and change the primary email address back to what it should have been.

But, when I logged in, I was greeted with a message that my account had been suspended due to posts or comments that didn’t follow Facebook’s Community Standards. My only option was to request a review – which I did.

Meanwhile, I also reached out to GoDaddy, the domain registrar that had been used to register the domain and use it for the hack, and notified them of the activity. They asked for evidence to support my claim, which I sent them, and they responded swiftly, revoking the domain name registration for whoever had just registered it within just 48 hours.

I also notified Xfinity/Comcast, who confirmed that one of their IP addresses had been used in the attack and they opened a case – I haven’t heard back.

Then, a few days later, on March 1st I received another notice from security@facebookmail.com that my account may have been accessed and I was required to change the password, which I did. Upon logging in, the message remained that the account has been disabled and a “Review requested.”

I have also tried submitting evidence of the hack via a Facebook help page, but the submission was rejected. If I log in, as suggested by the error message, and return to https://www.facebook.com/help/103873106370583/ and click the link to “use this form to request a review”, it just takes me to the page that says the account is suspended and that a review has been requested. It is at this point that words reminiscent of the immortal George Carlin come to mind – What Review?!!!!

On March 6th I received a message from PayPal that my payment to Facebook Ads had been successfully processed – only, I hadn’t authorized any advertisements. So, I started a dispute through PayPal – but that required waiting months for a response from Facebook. That left me with only one option – I contacted my bank. When they learned of the attack, they took swift action – disputing the charge with PayPal, who did then (based on this information from the bank) refund the money. The bank then shut down the account and I had to open a new one.

I also filed with both the FBI and the FTC, detailing the attack, and sent emails to every Facebook/Meta support resource I can find, including paypal.ads3@fb.com, disabled@fb.com, support@fb.com and via Twitter. In response I have heard … nothing.

It is worth noting that there is no evidence that Facebook/Meta is doing anything. Logging into the FB account says that a review has been requested, logging out says that time is running out to request a review. So, is anything happening at all? Probably not. Even tagging Meta’s head of security policy does nothing to draw attention to this problem.

Oh let the bots come rolling in

In case you’re wondering what happens when you reach out on Twitter for support, let me tell you – the bots. Oh, my, the bots. “Did your account get hacked? Try this hacker security something or rather and they’ll get your hack back.”

Now, even if there are legitimate companies out there who could, potentially, help someone regain access to their account – it shouldn’t be necessary. And the absence of any meaningful response from Facebook/Meta to Account Takeovers like this means that even more unscrupulous players swoop in, like botfly laden mosquitoes, ready to pounce on people who have already been the victim of an attack.

The prevalence of these predators is entirely Facebook/Meta’s fault. They could fix this, by simply making sure that victims get live, human responses instead of relying on incomplete and/or broken AI.

What will be lost

So much will be lost if Facebook does nothing to help with this (and I have no reason to believe they will). Along with communication I have had with people via messenger, and all the contacts that I have made over the course of a decade, which includes personal, business and political connections, there are also the pages of friends and family who have died. Anything I had been tagged in over the years, the long history of that FB account, so many events that I helped run over the years, all will be lost to the etherverse. So, too, will my business FB page (which has also been disabled as a result of this attack), group memberships, including groups I managed (like an Autism Dads and Men’s group). Fortunately, it looks like my Oculus purchases might be safe, since Meta backed off on that requirement, but I was concerned about that, too. Some of this loss won’t be tragic, others, will be harder to handle. I already miss my Grandmother. Losing access to the FB messages we sent back and forth will definitely be something hard to forgive.

The Data Protection Agency

I’m not the only person to complain about the lack of any kind of access to a real human at Facebook to deal with these problems. And, while I have been reluctant to join the oversight party, having looked at Facebook’s terms of service and the limited amount of responsibility that they choose to take for themselves, I have to say that this experience has pushed me to support the movement for a Data Protection Agency in the U.S. Among the other proposed elements of this legislation, it would require companies like Facebook to disclose hacks and breaches, and would prevent accounts from being deleted during the course of an investigation. As the hour grows closer for my account to be deleted, not by the hackers, but by Facebook for failing to address the actions of the hackers, I definitely see the appeal of such legislation.

Google Cloud SSH Permission Denied Public Key

I recently ran into an issue with a Debian VM instance that had been upgraded from Stretch to Buster. Prior to the upgrade, SSH via gcloud with OS Login worked just fine. After the upgrade, however, every attempt resulted in a permission denied error.

Now, there are a lot of posts and threads about this particular error. In this case, however, none of them provided the answers needed to solve this particular scenario. Worse yet, the backup user account was (suddenly?) no longer, or otherwise not, in the sudoers group, which added a minor complexity to the troubleshooting.

Post-upgrade problem appears :

gcloud beta compute ssh --zone "<zone name>" "<vm name>" --tunnel-through-iap --project "<project name>"

<username>@compute.: Permission denied (publickey).
ERROR: (gcloud.beta.compute.ssh) [/usr/bin/ssh] exited with return code [255].

Troubleshooting – unique elements only

  1. Log in to Cloud Platform
  2. Create a snapshot of the VM
  3. Edit the VM instance
  4. Enable connecting to serial ports and save
  5. Connect to the serial port (I found it useful to do this from a terminal window on a separate screen)
  6. gcloud compute --project=<projectname> connect-to-serial-port <vmname> --zone=<zonename>
  7. Reset the VM
  8. Look for the following from the console as the VM reboots :
     localhost systemd[1]: Reloaded OpenBSD Secure Shell server.
     [ 12.027817] google_guest_agent[378]: ERROR oslogin.go:147 Error updating NSS cache: exec: "google_oslogin_nss_cache": executable file not found in $PATH.
     localhost google_guest_agent[378]: ERROR oslogin.go:147 Error updating NSS cache: exec: "google_oslogin_nss_cache": executable file not found in $PATH.
     (note – if you still have sudo access via the serial console, you can obviously skip this next step, since it’s just adding an existing user to the sudoers group)
  9. Edit the VM metadata
  10. key : startup-script
      value :
      #!/bin/bash
      usermod -aG sudo <username>
  11. Reset the VM
  12. Log in using the indicated username and verify sudo
  13. Remove the startup-script from metadata
  14. sudo systemctl list-unit-files | grep google | grep enabled
  15. Verify the following :
      google-disk-expand.service enabled
      google-guest-agent.service enabled
      google-osconfig-agent.service enabled
      google-shutdown-scripts.service enabled
      google-startup-scripts.service enabled
      google-oslogin-cache.timer enabled
      Note, especially, if google-oslogin-cache.timer is missing.
  16. sudo apt-get update
  17. sudo apt-get install
  18. curl https://packages.cloud.google.com/apt/doc/apt-key.gpg | sudo apt-key add -
  19. DIST=$(cat /etc/os-release | grep "VERSION=" | sed "s/\"\|(\|)\|VERSION=//g" | awk '{print tolower($NF)}')
      sudo tee /etc/apt/sources.list.d/google-cloud.list << EOM
      deb http://packages.cloud.google.com/apt google-compute-engine-${DIST}-stable main
      deb http://packages.cloud.google.com/apt google-cloud-packages-archive-keyring-${DIST} main
      EOM
  20. sudo apt update
  21. sudo apt install -y google-cloud-packages-archive-keyring
      sudo apt install -y google-compute-engine google-osconfig-agent
  22. sudo reboot
  23. Check from your local machine to see if the problem is solved :
  24. gcloud beta compute ssh --zone "<zone name>" "<vm name>" --tunnel-through-iap --project "<project name>"
  25. If not, then :
      sudo apt update
      sudo apt install google-compute-engine google-compute-engine-oslogin google-guest-agent google-osconfig-agent
  26. Check again from your local machine to see if the gcloud compute ssh connection works.
  27. If it’s all working, remember to clean up any unneeded snapshots
  28. Edit the VM instance, disable “connecting to serial ports” and save
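
As an added example (not code from the original post), a small POSIX shell script that automates the checks in steps 8 and 15: it lists the required google-* units that are not enabled and detects the guest agent's google_oslogin_nss_cache error in console or journal text. The unit listing and console line it runs on are constructed samples; live_check runs the same checks on a real VM and is an assumption about what a Buster guest exposes.

```shell
#!/bin/sh
# Added example (not from the original post): offline checks for the two
# symptoms in the procedure above, the guest agent's "google_oslogin_nss_cache
# ... not found" error and a missing/disabled google-oslogin-cache.timer.
# The sample inputs at the bottom are constructed for illustration.

# Units that step 15 expects to be enabled on a Debian OS Login guest.
REQUIRED_UNITS="google-disk-expand.service google-guest-agent.service google-osconfig-agent.service google-shutdown-scripts.service google-startup-scripts.service google-oslogin-cache.timer"

# missing_units: read `systemctl list-unit-files` output on stdin and print
# each required unit that is absent or not enabled, one per line.
missing_units() {
    listing=$(cat)
    for unit in $REQUIRED_UNITS; do
        printf '%s\n' "$listing" \
            | grep -q "^${unit}[[:space:]]\{1,\}enabled" \
            || printf '%s\n' "$unit"
    done
}

# oslogin_cache_broken: succeed (exit 0) if console/journal text on stdin
# contains the guest agent's NSS cache error quoted in step 8.
oslogin_cache_broken() {
    grep -q 'Error updating NSS cache: exec: .*google_oslogin_nss_cache.*executable file not found'
}

# live_check: run both checks on the current VM (assumed layout: systemd
# units plus journald). Meant for a serial-console session; not run below.
live_check() {
    command -v google_oslogin_nss_cache >/dev/null \
        || echo "google_oslogin_nss_cache not in PATH: reinstall google-compute-engine-oslogin"
    systemctl list-unit-files | missing_units | sed 's/^/not enabled: /'
    if journalctl -u google-guest-agent --no-pager | oslogin_cache_broken; then
        echo "guest agent is failing to refresh the OS Login NSS cache"
    fi
}

# Constructed sample listing: the timer is missing and osconfig is disabled.
SAMPLE_UNITS='google-disk-expand.service      enabled
google-guest-agent.service      enabled
google-osconfig-agent.service   disabled
google-shutdown-scripts.service enabled
google-startup-scripts.service  enabled'

# Constructed sample console line shaped like the error in step 8.
SAMPLE_CONSOLE='localhost google_guest_agent[378]: ERROR oslogin.go:147 Error updating NSS cache: exec: "google_oslogin_nss_cache": executable file not found in $PATH.'

# Demo on the constructed input: prints the two units that need fixing,
# then confirms the NSS cache error is present.
printf '%s\n' "$SAMPLE_UNITS" | missing_units
printf '%s\n' "$SAMPLE_CONSOLE" | oslogin_cache_broken && echo "NSS cache error present"
```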

Wrap up and Links

Hopefully that helped solve your problem. If not, here are a few links that may guide you towards a successful resolution :


Suspicions arise during search for Email to PDF solution

The problem presented

First, a little background on the problem itself. The task was to convert a large number of emails to PDF as part of a legal discovery. Converting individual emails to PDF is not a big deal – open, print to PDF. That’s pretty much a standard feature on most desktop operating systems today. The problem arises when there are dozens, or even hundreds, of emails that need to be converted. In this case, something more robust than this one-by-one solution is required. Okay, surely there are some products out there that are available.

What do the forums have to say?

This seemed like the kind of problem that a little search engine work and visits to the standard places, Spiceworks and Stackexchange, for example, should be able to provide a ready solution for. And, indeed, there were some fairly consistent answers, which were corroborated by some individual sites. In addition to the Adobe products, three that came up were Mail Converter Tools, Aryson PST File Converter, and SysTools MSG to PDF Converter.

  • https://www.the-next-tech.com/top-10/how-to-batch-convert-outlook-email-message-to-pdf-format/
  • https://community.spiceworks.com/how_to/170844-how-to-convert-pst-to-pdf-with-attachments
  • https://community.spiceworks.com/how_to/169561-how-to-convert-eml-file-to-pdf-file-using-free-professional-method
  • https://softwarerecs.stackexchange.com/questions/49107/export-emails-and-attachments-to-pdf
  • https://sysc.org/export-multiple-outlook-emails-to-pdf/


Checking the details

Aryson Technologies

Let’s start with Aryson Technologies PST Converter. The specs page seems to suggest the product offers a lot of features, far more than what the project calls for. Sounds great – right up until the FAQs. Here’s where I first start getting uncomfortable. To begin with, Q1 reads “Kindly follow the instructions when using Windows 10.” Kindly? Let’s read on :

  1. Go to Windows Defender
  2. Click on ‘Settings’.
  3. And turn of ‘real-time protection’.

Hold on. Wait. What?!! Let’s dissect this. First, it wants people to turn off security software?! Well, actually, it wants to turn ‘of’ the software – a simple misspelling, true, but, re-reading the page, there are a number of unusual word choices and phrasings. There’s also no spacing between “Electronic” and “Yes,” or “Version” and “V20.0.”

Aryson Technologies Page Language and Spelling plus Disable Windows Defender raises doubts

While the spelling alone shouldn’t be a show stopper, the request to turn off security software does set off alarm bells.  Still, I keep scrolling. I get to the footer, and I see more misspellings and odd phrasings, like “At Service Since” instead of “In Service Since” or “In Business Since” and the word “Useful” in “Useful Links” is misspelled, too. But, the answer is here, too : There are two addresses shown : one at 2880 Zanker Road, Suite 203, San Jose, CA – 95134, USA, the other in Uttar Pradesh India.

Aryson Technologies US Addresses Operates out of a coworking space

Now, software from another country isn’t entirely a show stopper, even if the security software FAQ has me concerned, so I press on to the Buy Now option. There are two payment methods : PayPal, and share*it.

Trustpilot, btw, gives shareit a score of 1.8 out of 5 – aka “Poor.” https://www.trustpilot.com/review/shareit.com

Too many problems are showing up for my comfort level, especially for the

Which reminds me – how did I get here again? Oh, the posts on Spiceworks – one authored by Adom from Aryson Technologies, and the other a comment on another thread by the same person. Hmmm.

Mail Converter Tools

Next on this list, based on comments on the same Spiceworks thread by Aryson, was a link to Mail Converter Tools. The price looks decent, specs look good enough, but I want to scroll quickly. Wait – that section “You Might Be Interested in These Products Too” looks awfully familiar. Yep. It’s almost identical, including many of the product offerings, to the one from Aryson.

Aryson Technologies You might be interested in these products too

Mail Converter Tools You might be interested in these products too

Let’s check contact us.  Well, well. Remember that 2880 Zanker Road address we found for Aryson – here it is again. Okay. Alarm bells for both products are going off, now. Let’s dig further :

2880 Zanker Road : Listed on Regus.com as a coworking space.

Okay, now, I appreciate the value of these kinds of office spaces, especially for those who don’t want to, or cannot, advertise their home addresses. But we are talking about purchasing products that are being advertised as purchased by the likes of IBM. This isn’t sitting well with me.

And how about that domain – sysinfotools. That shows it as being in Noida, U.P. India. We’re definitely talking the same company, now.  Granted, the company offers Affiliate and Reseller programs, but my confidence in any of their products is now gone.

SysTools MSG to PDF Converter

Okay. I realize I’m already jaded at this point, but we just went from Sysinfotools to SysTools. I’m already not optimistic, here. Right off the bat, their post about How to Save Outlook Email as PDF shows that they are operating out of India – note the email address at bharatnewstv.in .

SysTools Manual Steps Shows India Email Address

Okay, let’s jump to the Contact us : PO Box 36 in Springville, Utah.

Sysc Contact Us in Utah

How did we get here? It was a post on a site called sysc.org, and where does their Contact Us show they are located – yep. You guessed it – Utah.

In Summation

None of this speaks to the validity or functionality of these products. They could be legitimate, fully functional products. However, in order for me to choose or recommend a product, I need to feel that I can trust that product, and the company behind it. I need to know that I can get support, and that I’m not creating risk through the use of these products. My look at these products so far, however, does not leave me feeling that I can trust them. Maybe you have more experience with the specific products than I do and can vouch for them. If so, that’s great. But I encourage everyone to do your research before purchasing products like these – and question everything.

If you’re looking for a quick and easy solution right now, I suggest you try Adobe Acrobat Professional

Hot Swap Raid 10 Drive with no Reboot on Dell Poweredge R530 with PERC H730P

Dell’s documentation on the R530 and the PERC H730P leaves a lot to be desired, especially when it comes to the contradictory nature of the information on hand. This Dell community post from 2019 shows just how confusing it can be as a result. In it, the OP laments that they are “Still in disbelief, with how much money I paid for this Gen-12 server, that I have to reboot to take a hot-swap drive offline in preparation for replacement!” Whether that was true of the idrac firmware installable at the time is unclear, but that’s not the only area of confusion as this belief carries on in this community post from 2021, in which a DellEMC employee states “If it is iDRAC8 then you can do it from iDRAC but need a system reboot. You can also do it from PERC configuration utility during boot.” And, just to add in injury to insult, this Dell EMC PowerEdge RAID Controller 9 User’s Guide H330, H730, and H830 article only defines Hot Swapping and tells you it is only possible if the controller supports it and the drives match.

This spec sheet for the R530 from Dell lists a variety of different RAID controller options available for the R530, but says nothing about whether any of the controllers support hot swap. This continues on this Dell spec sheet for the H730P, which still mentions nothing about hot swap, mentioning only hot spare. In several places online I found mention of the R530 supporting Hot Plug, rather than Hot Swap (though it does point readers to the owner’s manual).

Is there any hope?

The Dell PowerEdge R530 owners manual is the first place we really see any hope that the server does, in fact, support hot swap, both in the “Front Panel Features” and in the “Installing a hot-swap hard drive” sections.  Okay. That’s great. Now what? Dell lays out one option in this article titled “PowerEdge HDD: How to physically replace an HDD (Hot Swap procedure).” Finally!

By this point, it would be easy to rush into the replacement process. But there are pre-requisites that could be easily missed in a rush, and one option to ensure those are completed is laid out in this article titled “Dell PowerEdge: How to switch offline a hard disk using OpenManage Server Administrator.”

Can this be done Using racadm?

Yes, and no.

On a Windows Server, using Admin permissions, you can run the following :

  • racadm storage get pdisks
    • The results will look something like this :
      • Disk.Bay.0:Enclosure.Internal.0-1:RAID.Integrated.1-1
    • Copy and paste the entire line for the drive that is in imminent failure.
  • racadm raid forceoffline:Disk.Bay.#:Enclosure.Internal.#-#:RAID.Integrated.#-#
    • Remember, everything after forceoffline: will be copied and pasted from the appropriate line from the get pdisks command.
  • If all goes well, the results will include something along the lines of :
    • STOR094 : The storage configuration operation is successfully completed and the change is in pending state.
      • Those last few words are important : change is in pending state. Now, read further on :
      • To apply the configuration operation immediately, create a configuration job using the --realtime option.
  • racadm jobqueue create RAID.Integrated.#-# -s TIME_NOW --realtime
    • Note that the #-# portion is simply the text after :RAID.Integrated. in the racadm storage get pdisks line.
    • If the operation is successful, it will read as follows :
      • RAC1024: Successfully scheduled a job.
        Verify the job status using "racadm jobqueue view -i JID_XXXX" command.
        Commit JID = JID_#########
    • racadm jobqueue view -i JID_#########
    • Continue re-running this command until the Percent Complete=[100]

Technically, the job is done and you can use several different options to view the state of the disks and confirm that the disk is offline. Once replaced, the array should detect it is in a degraded state and begin rebuilding with the new drive. But, how do you know? This is where racadm fails us. As far as I know, there is no way to query the state of the rebuild with racadm. But you can do it with omreport :

  • omreport storage pdisk controller=#
    • Look for the State and the Progress to confirm that it is rebuilding, and then you can monitor the % complete.
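
As an added example (not from the original post), the racadm sequence above wrapped in a POSIX shell script. It assumes racadm is on PATH (the Linux build of the DRAC tools, rather than the Windows Server prompt used above) and that the OMSA prerequisites linked earlier have been completed; the racadm outputs it parses in the demo are constructed samples shaped like the messages quoted above.

```shell
#!/bin/sh
# Added example (not from the original post): automates "forceoffline,
# create real-time job, poll until Percent Complete=[100]". Assumes racadm
# is on PATH; the sample outputs at the bottom are constructed.

# controller_of_pdisk: the controller FQDD is the text after the last colon
# of the physical-disk FQDD, e.g. RAID.Integrated.1-1.
controller_of_pdisk() {
    printf '%s\n' "${1##*:}"
}

# jid_from_output: extract the job id from the "Commit JID = JID_..." line
# that `racadm jobqueue create` prints on success.
jid_from_output() {
    sed -n 's/.*Commit JID = \(JID_[0-9][0-9]*\).*/\1/p'
}

# job_complete: succeed when `racadm jobqueue view -i JID` shows 100 percent.
job_complete() {
    grep -q 'Percent Complete=\[100\]'
}

# forceoffline_pdisk FQDD: take one physical disk offline and wait for the
# real-time configuration job to finish. Pass only the FQDD of the failing
# drive copied from `racadm storage get pdisks`.
forceoffline_pdisk() {
    fqdd=$1
    case $fqdd in
        Disk.Bay.*:Enclosure.*:RAID.*) ;;
        *) echo "refusing: '$fqdd' is not a physical-disk FQDD" >&2; return 1 ;;
    esac
    ctrl=$(controller_of_pdisk "$fqdd")
    # STOR094 means the change was accepted but is still pending.
    racadm raid forceoffline:"$fqdd" | grep -q 'STOR094' \
        || { echo "forceoffline was not accepted for $fqdd" >&2; return 1; }
    jid=$(racadm jobqueue create "$ctrl" -s TIME_NOW --realtime | jid_from_output)
    [ -n "$jid" ] || { echo "no job id returned by jobqueue create" >&2; return 1; }
    # Poll until Percent Complete=[100], as in the manual procedure.
    until racadm jobqueue view -i "$jid" | job_complete; do
        sleep 5
    done
    echo "$fqdd is offline; job $jid complete"
}

# Constructed sample outputs (not captured from a real iDRAC).
SAMPLE_JOB_CREATE='RAC1024: Successfully scheduled a job.
Verify the job status using "racadm jobqueue view -i JID_XXXX" command.
Commit JID = JID_123456789012'
SAMPLE_VIEW_RUNNING='Status=Running
Percent Complete=[40]'
SAMPLE_VIEW_DONE='Status=Completed
Percent Complete=[100]'

# Demo on the constructed input; forceoffline_pdisk itself is not run here.
controller_of_pdisk 'Disk.Bay.0:Enclosure.Internal.0-1:RAID.Integrated.1-1'
printf '%s\n' "$SAMPLE_JOB_CREATE" | jid_from_output
printf '%s\n' "$SAMPLE_VIEW_DONE" | job_complete && echo "job finished"
```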

And that’s it! A successful hot swap of a hard drive in a RAID array with no reboot on a Dell PowerEdge R530 with a PERC H730P.

Quickbooks Printing error and the Windows Print Spooler

When opening QuickBooks you might receive an error about a missing component that affects PDFs. After acknowledging the error, you find you can’t set up printers or print anything at all, in fact. The error reads as follows :

QuickBooks detected that a component required to create PDF files is missing. This may cause issues with printing transactions, emailing forms or saving anything as a PDF file inside of QuickBooks desktop.

There are a multitude of sites that talk about deleting or renaming (a better option) the QBPrint.qbp file in C:\ProgramData\Intuit\QuickBooks #### (replace the #### symbols with the year version of your QuickBooks). This approach has consequences, however, like the fact that you may have to set up all your printers again and even re-edit some forms. Worse yet – it may or may not even solve the problem.

There is, however, another possible solution that is much less invasive – the Windows Print Spooler.

To find it, click your Start button and type “services”, or use Windows Key+R to bring up the Run window, type services.msc into the Open line and click OK (or hit Enter). This will bring up the list of services. If the Name column isn’t sorted alphabetically, click on it to sort it, then find Print Spooler. If it’s not already running, right-click and choose Start. If it’s disabled, then right-click and choose Properties, set the startup type to either Manual or Automatic, then click Start and OK. The service will start. Now return to QuickBooks, exit and re-open. If all is well, QuickBooks will open without any errors and you will once again be able to print.

If the Spooler is already running, try right-clicking on it and choosing Restart, then quit QuickBooks and re-open it and see if the error goes away.

ZyXEL ZyWALL VPN100

The ZyXEL VPN100 is the company’s lowest tier of VPN/SD-WAN appliance that is Rack Mountable. Other options are the VPN50 (not rack mountable), VPN300 and VPN1000 (both rack mountable).

The VPN100 includes 4x Gigabit LAN, 2x WAN, 1x SFP port, 1x DB9 console port and 2x USB 3.0 ports.

Similar to other ZyWALL products, the device can also provide AP Management services, with a default of 8 managed APs before additional licenses are required. Up to 72 wireless access points can be managed with the VPN100, though the recommended maximum number of access points per group is 60. In addition, the device supports up to 10 SP350E ticket printers for those wanting to use the hospitality gateway features, such as smaller coffee shops or hotels.

Also in alignment with other ZyWALL products, there are two basic versions of the device : the base hardware version, and the UTM bundled version. The UTM bundles include options for AntiVirus, AntiSPAM, Content Filtering and Intrusion Detection and Protection and GeoFencing. The UTM features can also be purchased separately in the event that, for example, you aren’t hosting your own email server behind the firewall.

One of the key features of the ZyXEL ZyWALL products is their support of IKEv2 for both site-to-site VPNs and for road warrior or client-server VPN connections. IKEv2 can be set up in a variety of configurations, with PSKs, certificates, EAP and combinations thereof supported.

Full specs can be found on the ZyXEL website at https://www.zyxel.com/us/en/products_services/VPN-Firewall-ZyWALL-VPN100/specifications

Ordering

DIY : ZyXEL ZyWALL VPN100 on Amazon

Hire ECLAT Tech : Call 503-629-9214 for project pricing including equipment.