Friday, February 24, 2017

SHA1 RIP

It was announced that SHA1 has been broken in practice. In the following post, https://shattered.it/, you can learn how dangerous it is becoming to keep using this cryptographic hash function. Basically, it is now possible to have or create two different documents with the same SHA1 hash.
For example: on shattered.it there are two PDF documents (shattered-1.pdf, shattered-2.pdf) with different contents but with the same SHA1 hash! If you don't believe shattered.it, you can download the example PDFs locally and generate the SHA1 hash yourself, for example using PowerShell and the Get-FileHash cmdlet.
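
One way to run that check, as an added example that is not part of the original post: it hashes each file with SHA1 and SHA256 and reports files that share a SHA1 value while their SHA256 values differ. The function name `Find-Sha1Collision` is hypothetical, and the script assumes both PDFs were downloaded into the current folder.

```powershell
# Added example: flag files that share a SHA1 digest but differ under SHA256.
# Assumption: shattered-1.pdf and shattered-2.pdf are in the current folder.
function Find-Sha1Collision {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string[]]$Path
    )

    # Hash every file with both algorithms (directories are skipped by -File).
    $hashes = foreach ($file in Get-ChildItem -Path $Path -File) {
        [pscustomobject]@{
            File   = $file.Name
            SHA1   = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA1).Hash
            SHA256 = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
        }
    }

    # One SHA1 value with more than one distinct SHA256 value means different
    # content behind the same SHA1, i.e. a collision and not a duplicate file.
    $hashes | Group-Object -Property SHA1 | ForEach-Object {
        $distinct = @($_.Group.SHA256 | Sort-Object -Unique)
        if ($distinct.Count -gt 1) {
            [pscustomobject]@{
                SHA1         = $_.Name
                Files        = $_.Group.File
                SHA256Values = $distinct
            }
        }
    }
}

$result = Find-Sha1Collision -Path .\shattered-1.pdf, .\shattered-2.pdf
if ($result) {
    $result | Format-List
} else {
    'No SHA1 collision among the given files.'
}
```

Identical copies of one file produce the same SHA1 and the same SHA256, so they are not reported; only files with different content behind one SHA1 value are.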


If you don't believe your eyes, try it yourself :)

And finally, as a simple conclusion: with this publicly available example in mind, I think it would be best for your data to start making plans to replace SHA1 with a SHA2 algorithm ASAP.

Wednesday, February 8, 2017

Missing rule in Outlook

In this case, meetings scheduled for a user were mysteriously forwarded to a group of users. Helpdesk engineers removed all the rules that could be seen for that user's mailbox, and still all scheduled meetings for that user were forwarded to this particular group of users. The helpdesk team escalated the issue to the Exchange admins in order to do some tracking. And from the Exchange tracking logs it can be seen that the scheduled meetings were forwarded by a mailbox rule ?!?!?




But where is that rule? Get-InboxRule for this user's mailbox returned nothing, because the helpdesk engineers had removed all the rules, and yet there is still a rule in this mailbox that is forwarding the scheduled meetings. So, obviously, there is a rule corruption in this user's mailbox, and MFCMAPI is your friend. The latest version of this tool can be downloaded from CodePlex: http://mfcmapi.codeplex.com/.


Please follow this article, https://blogs.msdn.microsoft.com/hkong/2015/02/27/how-to-delete-corrupted-hidden-inbox-rules-from-a-mailbox-using-mfcmapi/, to learn how to delete corrupted rules with this very powerful tool.


After deleting this corrupted rule from the user mailbox, no other scheduled meetings were forwarded from this user to the particular group of users.


And again, please be very careful when using MFCMAPI in order to avoid corruption.