Skype For Business Certificate Encryption Algorithm RSASSA-PSS is not supported in Skype for Business

I ran into this issue for the first time and just wanted to document this. It was a bit of a surprise, but I documented the fact that Skype for Business is not supporting the current encryption methodology RSASSA-PSS. This was a real snake bite. Having been involved in many deployments, I never ran into this issue. So a few points on this:

  • From a Skype4B standpoint, look at this as a Certificate Authority problem
    • Besides failing calls you have
    • Bad certificate endpoint audits
    • Bad chain audits
  • SHA1RSA is being phased out; this year was the deadline, as I recall
  • You would expect SFB to have moved to more modern encryption
  • SHA2RSA is apparently not supported either but does support RSAPSS (which MS documentation says is supported)
  • And it's true! Microsoft Windows has been more open than some of the other departments to supporting modern authorization and encryption.
  • But certain things like Skype and possibly Exchange 2016 Secure Mail may be limited to SHA1RSA as an absolute requirement. This has not changed as of 10.2017

So for the meantime, this means you are more and more likely to find this occurring, and my article will become helpful. I will try to find some errors to post, to give you some terms of this challenge.

For Example:

  • Elliptic Curve Cryptography
  • Microsoft works with them all
  • To avoid this issue, you need to install your CA with “Use Alternate Signature Format” unchecked during install.
  • If the issue is a Public Certificate, you will need to re-Request the Certificate and tell the Provider you do not want an Alternate Signature format for your PKCS #1 Version 2.1  Certificate.
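
One way to find out which certificates are affected, as an added example that is not from the original post or from Microsoft: a PowerShell audit that builds the chain for every certificate in the computer's personal store and flags any chain member whose signature algorithm OID is 1.2.840.113549.1.1.10 (RSASSA-PSS). The function name Get-PssSignedCertificate and the default store path are assumptions chosen for illustration.

```powershell
# Added example: audit certificates and their issuing chain for RSASSA-PSS signatures.
# Run in an elevated PowerShell session on the server that holds the certificates.

$PssOid = '1.2.840.113549.1.1.10'   # OID of RSASSA-PSS (PKCS #1 v2.1)

function Get-PssSignedCertificate {
    param(
        # Assumption: server certificates live in the computer's personal store.
        [string]$StorePath = 'Cert:\LocalMachine\My'
    )

    foreach ($leaf in Get-ChildItem -Path $StorePath) {
        # Build the chain offline; revocation status is irrelevant to this audit.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode =
            [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        [void]$chain.Build($leaf)

        # Depth 0 is the certificate itself; higher depths are issuing CAs.
        $depth = 0
        foreach ($element in $chain.ChainElements) {
            $cert = $element.Certificate
            [pscustomobject]@{
                LeafSubject        = $leaf.Subject
                ChainDepth         = $depth
                Subject            = $cert.Subject
                Thumbprint         = $cert.Thumbprint
                SignatureAlgorithm = $cert.SignatureAlgorithm.FriendlyName
                SignatureOid       = $cert.SignatureAlgorithm.Value
                IsRsaPss           = ($cert.SignatureAlgorithm.Value -eq $PssOid)
            }
            $depth++
        }
    }
}

# Show only the chain members that were signed with the alternate signature format.
Get-PssSignedCertificate |
    Where-Object IsRsaPss |
    Format-Table LeafSubject, ChainDepth, Subject, SignatureAlgorithm -AutoSize
```

A hit at depth 0 means the certificate itself has to be re-requested; a hit at a higher depth points at the issuing CA.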

I have it on my desk but I am out of time. But early warning: the new RSASSA-PSS is not currently supported by SFB.

Yeah, RSASSA-PSS is not a supported signature algorithm for Lync/SFB servers; this information has been provided in the following article: https://technet.microsoft.com/en-us/library/gg398066(v=ocs.15).aspx

Like it. This 2013 article is what Microsoft Passed on for Skype for Business 2013.

L


On capturing Cyber Attacks 2015

Good day all,

I wanted to take some time to reflect on 2015 and the events we have seen. Obviously this has been a politically charged year and there has been a lot of unrest globally. In this context, I wanted to take a minute to heighten some awareness about a subject not often detected in support calls. The issue of cyber-terrorism, or just plain virus detection, is something we used to catch pretty easily. However, since 2008, the attack methods have become more sophisticated, and the methods required to detect criminal behavior on Dell servers have become obtuse. I mean, we are here to fix an issue and close a case. But if we happen to be at the depth in the case where we are analyzing logs and captures anyway, there becomes what I feel is a need to protect our customers from what is observed. We should be cognizant to warn the customer if they are in danger of any criminal element invading their business.

To this goal, I wanted to just send out a few resources to allow you to just look at a few dead giveaways, and provide you with some easy info, to see the packets for the threat that they may pose.

First understand that attack events happen all the time. They generally match up to unrest events or even holidays. I guarantee if you look at traffic on your firewall this holiday season, you will see traffic from China and/or North Korea or other countries that have no business being on your system. I don’t know why hackers choose times of civil unrest or holidays to do their hacking, but I have noticed this phenomenon over the course of years. This brings me to my first point:

Look for IP addresses and check to see who owns them.

Very simply, do a WHOIS or even a map lookup; check out this link: http://www.infosniper.net. You get instant feedback on where this external connection is coming from. Frequent visits from foreign soils, especially countries on the embargo list, are a telltale sign you’re on a list somewhere. You better get your protection in order when you see this activity.

HTTP GETs are a very common way to see rogue behavior

Here is a template whose steps you can follow to see how to isolate a PHP attack. This is a trace during the Boston Bombing period. This article ranks at the top of articles I have seen because it can teach you a lot:

  1. How to find suspect HTTP packets.
  2. How to find files like .JS or stat.htm
  3. How to extract a script from the trace.
  4. How to analyze a script to see if it is a virus
  5. How to use tools that know what IDs to look for in a trace

There is more to learn from this one link, but have a look for yourself. You can just follow along if you are looking at a trace, and you’ll be doing the steps in no time.

General Rogue troubleshooting

My final point is another keeper document. Likely the most important link for you is this article called Wireshark: A Guide to Color My Packets. It is a great read as a training cliff note, and can help you look for attacks on your customer’s computer. The resources are plentiful, but you really want to spend at least some time in Wireshark every month. It is a tool that pays back benefits. It is a tool that has the loyalties of elements of the Federal Government, FBI, law enforcement and other like-minded security-conscious groups. Let’s help those groups. Get your certification today!

So what does this PDF cover? 16 points and only 30 pages!! This is a Wireshark jump start for sure. It is a good refresher as well. In just a few pages you will get up to speed on:

  1. Profiles
  2. Display filters
  3. Color rules
  4. Packet Details
  5. Network Reconnaissance
  6. DNS reconnaissance
  7. DNS Information
  8. Network Mapping
  9. Nmap scanning
  10. Web Server Scanning
  11. Detect Host Exploitation
  12. FTP brute force attack
  13. Data Recovery
  14. Attachments
  15. Detecting Covert Channels
  16. SSH over ICMP

 

In closing, it is difficult to grasp that this issue is happening on systems we work on. Don’t take it from me. I had to do my reading too. I can point you to a good resource. These articles are written by top security experts on threats realized in the United States and around the world:

https://www.sans.org/reading-room

 

 

To all a happy and safe holiday,

Skype for Business First Clean install on RTM bits has issues with Windows updates.

I installed a clean Skype for Business 2015 over the weekend and I did get stuck in an odd place. The prerequisites for a clean install on Server 2012 R2 are not documented well at the time of this writing. The new Windows install does not seem to install SFB if the Windows updates are complete. I mean complete. Green check mark. Microsoft says all good here!


The whole issue begins with update KB2982006. This won’t install on my system. It requires the prerequisite KB2919355, which in turn looks to require KB2919442, which won’t install.

What to do. What to do. My 15th try was to clean my image up with the following command:

Dism /Online /Cleanup-Image /ScanHealth

This command stayed at 20% for 20 minutes or more, so I am pretty sure something was being fixed. I should look at the logs, but I am trying to install SFB, not Windows Server. In due process, the DISM command finished, failed

Next, I found a great script, which I am keeping, which by the way failed, because of this issue-
https://gallery.technet.microsoft.com/lync/Install-Requirements-for-aabf7358

 

I struggled on for two more days and finally just manually installed the update with a DISM extraction. What a lousy ending to the story. Well, I hope you don’t have the situation I had.

It does work, but it is odd, to say the least. It seems like it’s an error in the RTM release, because the prerequisites seem to have rolled up into other KB numbers than the infamous KB2982006. Here we go, a workaround is near:

Before installing this, I removed the admin tools for SFB from Programs and features and reviewed this article-DN933900
Expand -F:* C:\Hotfixes\Windows8.1-KB2982006-x64.msu c:\temp\
DISM.exe /Online /Add-Package /PackagePath:c:\temp\Windows8.1-KB2982006-x64.cab

And the Lync, I mean SKYPE, install completed. This is the portion which installs the Business components, via the wizard.

Happy Skype for Business day: defined as the day you finally get around to installing it and it works. 🙂