The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests

  • My badges

  • Twitter Updates

  • My Flickr Stream

  • Pages

  • All categories

  • Enter your email address to subscribe to this blog and receive notifications of new posts by email.

    Join 1,991 other followers

Archive for the ‘Security’ Category

Time to look back at the Spectre vulnerabilities.

Posted by jpluimers on 2020/07/07

About 2 years ago, over the course of almost a year, many Spectre vulnerabilities were found.

In November 2018, this lead many people disabling Hyper Threading: [WayBack] STIBP by default.. Revert?

This is a reminder to self to look back at Spectre to get a better historic feel for it.

Via: [WayBack] Work is being done on the Linux Kernel mailing list about further exploits of the Spectre Family of Exploits. The mitigations are bad – basically, you c… – Kristian Köhntopp – Google+

–jeroen

Posted in Development, Power User, Security, Software Development | Leave a Comment »

Cipher: a command-line tool to decrypt/encrypt files and directories (een recursively) on Windows

Posted by jpluimers on 2020/07/03

A while ago, I had to mass encrypt a lot of directories and files on Windows for some directories in an existing directory structure.

This helped me to find out which ones were already done (it lists all encrypted files on all drives; the /n ensures the files or encryption keys are not altered):

cipher.exe /u /n /h

This encrypted recursively in one directory B:\Directory:

cipher /D /S:B:\Directory /A

It also has options to wipe data (/W), export keys into transferrable files (/X) and many more.

If you like the Windows Explorer more then to encrypt/decrypt (it is a tedious process): [WayBack] How do I encrypt/decrypt a file? | IT Pro.

Via:

–jeroen

Posted in Encryption, NTFS, Power User, Security, Windows | Leave a Comment »

Just as “curl | sudo sh is not advised”, do not impose running http based scripts in your customers IDE

Posted by jpluimers on 2020/06/30

For a long time, it is advised against to curl | sudo sh or equivalent:

  • [WayBackwhy using curl | sudo sh is not advised? – Stack Overflow

    Because you are giving root access to whatever script you are executing. It can do a wide variety of nasty things.

  • [WayBack] The Security Spectrum of curl | sh

    By far the most irresponsible use of curl | sh is to use it with plain, unauthenticated, insecure HTTP instead of HTTPS. This is because it’s not only possible, but also increasingly likely, that the connection over which the shell script is delivered could have its contents silently modified by anyone in network position between the vendor and the installer—especially if you’re using public Wi-Fi. (If you don’t believe this is a real risk, consider that some companies’ business models revolve around modifying JavaScript delivered over HTTP in-transit—and anyone can hijack Wi-Fi with inexpensive, easy-to-obtain devices.)

So I’m surprised that companies still run content – include JavaScript – over an insecure http transport channel in their customers IDE instances.

Many developers run their IDE as Administrator, but even as regular user this is a large security risk: the transport layer is the easiest to hack and will eventually be hacked.

One such occasion was [WayBack] Delphi 10.2.3: Tools > Options Click OK = Script Error I have another weird situation with Delphi 10.2.3. Anytime I open up the options and click OK I … – Michael Riley – Google+ .

That one actually showed the script executed, but normally you do not see it happening at all.

So my advice:

Run the web-traffic from your development machines over a web-proxy like HTTP Fiddler, then disable all http based scripts.

–jeroen

Line 73: https://gist.github.com/jpluimers/40a60ca1e07bb91fa337ecfebe314d64#file-cf-common-js-L73

Read the rest of this entry »

Posted in Development, Power User, Security, Software Development | Leave a Comment »

Hardening: sshd_config – How to configure the OpenSSH server | SSH.COM

Posted by jpluimers on 2020/06/05

If you want to harden your ssh server, read at least [WayBack] sshd_config – How to configure the OpenSSH server | SSH.COM.

After that use some ssh tools to check your config from the outside world. They work in a similar way as the TLS/SSL/https scans from Source: SSL Server Test (Powered by Qualys SSL Labs) or these console based scans and documentation references:

Simiarly for SSH:

Then read further on more in depth SSH topics around key management:

–jeroen

 

Posted in Encryption, Hashing, https, HTTPS/TLS security, OpenSSL, Power User, Security, testssl.sh | Leave a Comment »

Expect your sites to be accessed over https and ensure your certificates match

Posted by jpluimers on 2020/05/22

igOver the last lustrum, there has been a steady increase in https usage. It crossed the 30% mark early 2016, crossing the 50% mark early 2017 and 80% mark early 2018, even the https-by-default configuration is now pretty large:

Ever since 2012, but especially with the increased HTTPS adoption, you can expect more and more users to run plugins like HTTPS Everywhere – Wikipedia which switch a request from insecure http to secure https.

Users are right: http is a thing from the past and https is the way to go forward.

This means you need to ensure your web sites to serve https well, which starts with servicing https at all and includes serving a correct https certificate for them.

Often, IT departments are not even aware that when serving http for a domain, the endpoint also answers https requests for that domain.

WordPress.com was really bad at this when servicing custom domains ordered from their premium plans. Which was odd, as customers payed for those domains. They solved this in spring 2016, they started to use LetsEncrypt (which started in 2015) for their certificates: [WayBack] HTTPS Everywhere: Encryption for All WordPress.com Sites — The WordPress.com Blog.

So this is what you need to do for all your subdomains:

  1. check if they are serviced by http
  2. contemplate (in fact urge to) servicing https for them
  3. when an endpoint services https, ensure the certificates for it are correct
  4. do not mix https and http in the same site
  5. avoid redirecting from https to http

Adopting https can be tedious, but many sites have already done this and wrote down their experiences, even back in 2016:

Many sites still get their https configuration wrong though, and this post is a reminder to myself for one of them.

Read the rest of this entry »

Posted in Encryption, HTTPS/TLS security, Let's Encrypt (letsencrypt/certbot), Power User, Security | Leave a Comment »

 
%d bloggers like this: