The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests

  • My badges

    Mastodon

  • Twitter Updates

  • My Flickr Stream

    20140508-Delphi-2007--Project-Options--Cannot-Edit-Application-Title-HelpFile-Icon-Theming20140430-Fiddler-Filter-Actions-Button-Run-Filterset-now20140424-VMware-Fusion-6.0.3.-no-reclaimable
    More Photos

  • Pages

  • All categories

  • Enter your email address to subscribe to this blog and receive notifications of new posts by email.

    Join 1,860 other subscribers

Archive for the ‘Authentication’ Category

« Previous Entries
Next Entries »

Fork Gist to Repo on GitHub – Stack Overflow

Posted by jpluimers on 2024/01/09

It is not a full fork and misses a few things (including the Gist description), but is the easiest way to clone a gist to a regular GitHub repository.

I needed it because somehow pushing to gists was denied without explanation or real GitHub feedback.

Another reason is that regular GitHub repositories show you way more information about the commits than Gists do.

Thanks [Wayback/Archive] Noitidart for asking and [Wayback/Archive] Bruno Bronosky for answering at [Wayback/Archive] Fork Gist to Repo on GitHub – Stack Overflow:

Read the rest of this entry »

Posted in Authentication, Development, DVCS - Distributed Version Control, gist, git, GitHub, LifeHacker, Power User, Security, Source Code Management | Leave a Comment »

Yet another reason not to use SMS based 2FA: those phone numbers get leaked or sold as Daniel Cuthbert mentioned on Twitter: “@LinkedIn did indeed sell my 2FA phone number”

Posted by jpluimers on 2023/12/06

Many recommend against using SMS for 2FA because of security reasons (SIM swapping, sniffing, etc), but there is another privacy+security reason: these 2FA phone numbers get leaked or sold as [Wayback/Archive] Daniel Cuthbert (@dcuthbert) found out the hard way last year:

–jeroen

Posted in 2FA/MFA, Authentication, GDPR/DS-GVO/AVG, Power User, Privacy, Security | Leave a Comment »

How to set up OpenVPN with Google Authenticator on pfSense – Vorkbaard uit de toekomst

Posted by jpluimers on 2023/09/18

For my link archive: [Wayback/Archive] How to set up OpenVPN with Google Authenticator on pfSense – Vorkbaard uit de toekomst

Should work with Authy too.

Via: [Archive] Matthijs ter Woord (@mterwoord) | Twitter

–jeroen

Posted in 2FA/MFA, Authentication, Power User, Security | Leave a Comment »

Help:Two-factor authentication – Wikipedia

Posted by jpluimers on 2023/09/06

For my link archive as this page contains instructions to request 2FA privileges at Wikipedia: [Wayback/Archive] Help:Two-factor authentication – Wikipedia

Checking whether 2FA is enabled

To determine whether your account has 2FA enabled, go to Special:Preferences. Under “Basic information”, check the entry for “Two-factor authentication”, which should be between “Global account” and “Global preferences”:

Viewing m:Steward requests/Global permissions#Requests for 2 Factor Auth tester permissions is possible to do without being logged on at Wikipedia, but for requesting the 2FA permission and accessing Special:Preferences you need to be logged on.

Visit [Wayback/Archive] Steward requests/Global permissions/2018-12 – Meta and look for “OATH tester” for some examples of motivations for requesting.

–jeroen

Posted in 2FA/MFA, Authentication, Power User, Security, SocialMedia, wikipedia | Leave a Comment »

Only 2 weeks left to enable 2FA for your GitHub account

Posted by jpluimers on 2023/08/29

If you haven’t done so already, then enable 2FA for your GitHub account now: This will be a requirement in 2 weeks time.

The 2FA/MFA possibility started about half a year ago with [Wayback/Archive] Raising the bar for software security: GitHub 2FA begins March 13 – The GitHub Blog

You can have various means of 2FA, which al start with a choice between:

After completing either of those those, you can view/download a set of backup codes, and you can add more factors to your Multi-factor authentication setup up to these:

Read the rest of this entry »

Posted in 2FA/MFA, Authentication, Development, DVCS - Distributed Version Control, git, GitHub, Power User, Security, Software Development, Source Code Management | Leave a Comment »

On repeat: “ask information only once”;  Eenmalige uitvraag – NORA Online

Posted by jpluimers on 2023/07/13

Since the SVB PGB site keeps violating the [Wayback/Archive] AP12: Eenmalige uitvraag – NORA Online principle, some more emphasis on it as the usefulness of the “ask information only once” principle is not limited to government sites or commercial sites providing services for the government.

The principle “ask information only once” is valid for any site and needs to be present at all times, especially in these situations:

  1. when an authentication token is expired and re-authentication is needed
  2. when checking if authentication might have been expired and a page refresh is done during that check

I wrote about 1. in SVB PGB and DigiD security suddenly logged you out every 15 minutes despite the count down counter indicating otherwise ( wrote it in March 2021, published it in December 2021 when I thought it had been sort of solved).

That was obnoxious and took a very long time to fix (despite the mandatory aspect of the “ask information only once” principle and me pushing for a quick resolving in [Archive.isJeroen Wiert Pluimers on Twitter: “Omdat de @SVB_PGB site hiermee een noodzakelijk NORA archictectuur principe schendt (je raakt bij de logoff/logon de informatie die je op de pagina aan het invullen bent kwijt): kan dit een hoge prirotieit krijgen? Zie: – …”).

In February 2022, I had enough energy to submit the final PGB administration parts to the SVB PGB site. I didn’t get logged out every few minutes for the first hour or so (that only happened after being authenticated more than one hour, then repeating every 15 minutes), but I bumped into 2: loosing a lot of data in an at first unpredictable manner.

An underlying thing is that despite the NORA rules to be mandatory there is no sanction for the SVB (or any other government organisation) to fix this: users have to use the site and take the burden in order to get their payments. Ruurd Pels highlighted in these two answers to my tweets: harsh, but hitting the nail on the head:

The problem is that every each period of 15 minutes session activity , when you submit a form (the whole flow is form based, where the amount of data per form varies: sometimes just a confirmation button, sometimes a full month of data containing the hours worked) you get an intermediate quickly flashing “Redirecting…” on your screen, then loose the data entered in that form:

  1. [Archive] Jeroen Wiert Pluimers on Twitter: “Het NORA principe wat @StOnSoftware een jaar geleden noemde wordt weer door het @SVB_PGB geschonden. Het duurde even om te reproduceren, maar je verliest ongeveer elke 15 minuten je ingevoerde data. 1/” / Twitter
  2. [Archive] Jeroen Wiert Pluimers on Twitter: “Wat je dan ziet tijdens de submit (Verder, Opslaan) is een kort “Redirecting…” scherm op een willekeurige plek in de flow …, …, … In dit voorbeeld verlies je een maand aan invulwerk en is alles weer leeg. 2/ …” / Twitter
    Declaratie insturen - empty declaration showing you just lost a month of input

    Declaratie insturen – empty declaration showing you just lost a month of input

  3. [Archive] Jeroen Wiert Pluimers on Twitter: “Vorig jaar werd je nog elke 15 minuten uitgelogd en was het nog erger, zie … 3/” / Twitter
  4. [Archive] Jeroen Wiert Pluimers on Twitter: “en … Dat probleem zorgde er voor dat ik maar sporadisch declaraties instuurde, maar nu met een hele stapel declaraties is het probleem op een subtielere wijze nog steeds aanwezig. 4/” / Twitter
  5. [Archive] Jeroen Wiert Pluimers on Twitter: “Kunnen jullie dit laten fixen? Dank alvast. 5/5” / Twitter

After more than an hour, I bumped into 1 again:

  1. [Archive] Jeroen Wiert Pluimers on Twitter: “Oh @SVB_PGB: die bug van uitloggen na een kwartier bestaat nog steeds (zie …). Kreeg ik net in een uur tijd 3 keer. Na inloggen kom je wel weer in de flow, maar de data die je daar hebt ingevuld is dan verdwenen. A/ CC @EefvanKoos” / Twitter
  2. [Archive] Jeroen Wiert Pluimers on Twitter: “@SVB_PGB @EefvanKoos Ik vermoed dat beide te maken hebben met de sessie-duur van de active authenticatie van @DigiDwebcare omdat je in beide gevallen het “Redirecting…” stukje heel kort ziet verschijnen ofwel in het form of bij DigiD login beide met verlies aan data. B/B” / Twitter

[Archive] Stephan Eggermont (@StOnSoftware) / Twitter quote retweeted my initial message at [Archive] Stephan Eggermont on Twitter: “🧵 NORA heeft een aantal hele duidelijke principes om de burger niet te frustreren. Niet twee keer naar hetzelfde vragen geldt ook als je een sessie time-out. Dan moet je dus al ingevulde gegevens bewaren” / Twitter, which translated is

🧵 NORA has a number of very clear principles in order not to frustrate citizens. Not asking for the same thing twice also applies if you time out a session. Then you have to save already entered data

An introduction about NORA is at Nederlandse Overheid Referentie Architectuur – Wikipedia:

Nederlandse Overheid Referentie Architectuur of NORA is het interoperabiliteitsraamwerk voor de Nederlandse overheid en vertaalt daartoe wetgeving, beleid en standaarden naar architectuurprincipes, beschrijvingen en modellen. Het is een beschrijving van uitgangspunten voor het inrichten van de informatiehuishouding van de Nederlandse overheid. NORA is relevant voor de uitvoering van alle publieke taken door publieke en private organisaties.

[Wayback/Archive] NORA: Nederlandse Overheid Referentie Architectuur – Bluefrog has a way easier “table of contents” to the principles than the NORA online site (note that some document numbers are intentionally not used):

DE TIEN BASISPRINCIPES VAN NORA

  1. [Wayback/Archive] BP01: Afnemers krijgen de dienstverlening waar ze behoefte aan hebben.
  2. [Wayback/Archive] BP02: Afnemers kunnen de dienst eenvoudig vinden.
  3. [Wayback/Archive] BP03: Afnemers hebben eenvoudig toegang tot de dienst.
  4. [Wayback/Archive] BP04: Afnemers ervaren uniformiteit in de dienstverlening door het gebruik van standaardoplossingen.
  5. [Wayback/Archive] BP05: Afnemers krijgen gerelateerde diensten gebundeld aangeboden.
  6. [Wayback/Archive] BP06: Afnemers hebben inzage in voor hen relevante informatie.
  7. [Wayback/Archive] BP07: Afnemers worden niet geconfronteerd met overbodige vragen.
  8. [Wayback/Archive] BP08: Afnemers kunnen erop vertrouwen dat informatie niet wordt misbruikt.
  9. [Wayback/Archive] BP09: Afnemers kunnen erop vertrouwen dat de dienstverlenerzich aan afspraken houdt.
  10. [Wayback/Archive] BP10: Afnemers kunnen input leveren over de dienstverlening.

DE 38 AFGELEIDE PRINCIPES

  1. [Wayback/Archive] AP01: Diensten zijn herbruikbaar
  2. [Wayback/Archive] AP02: Ontkoppelen met diensten
  3. [Wayback/Archive] AP03: Diensten vullen elkaar aan
  4. [Wayback/Archive] AP04: Positioneer de dienst
  5. [Wayback/Archive] AP05: Nauwkeurige dienstbeschrijving
  6. [Wayback/Archive] AP06: Gebruik standaard oplossingen
  7. [Wayback/Archive] AP07: Gebruik de landelijke bouwstenen
  8. [Wayback/Archive] AP08: Gebruik open standaarden
  9. [Wayback/Archive] AP09: Voorkeurskanaal internet
  10. [Wayback/Archive] AP10: Aanvullend kanaal
  11. [Wayback/Archive] AP11: Gelijkwaardig resultaat ongeacht kanaal
  12. [Wayback/Archive] AP12: Eenmalige uitvraag
  13. [Wayback/Archive] AP13: Bronregistraties zijn leidend
  14. [Wayback/Archive] AP14: Terugmelden aan bronhouder
  15. [Wayback/Archive] AP15: Doelbinding (AP)
  16. (AP16 is intentionally missing: merged into AP17)
  17. [Wayback/Archive] AP17: Informatie-objecten systematisch beschreven
  18. [Wayback/Archive] AP18: Ruimtelijke informatie via locatie
  19. [Wayback/Archive] AP19: Perspectief gebruiker
  20. [Wayback/Archive] AP20: Persoonlijke benadering
  21. [Wayback/Archive] AP21: Bundeling van diensten
  22. [Wayback/Archive] AP22: No wrong door
  23. [Wayback/Archive] AP23: Automatische dienstverlening
  24. [Wayback/Archive] AP24: Proactief aanbieden
  25. [Wayback/Archive] AP25: Transparante dienstverlening
  26. [Wayback/Archive] AP26: Afnemer heeft inzage
  27. [Wayback/Archive] AP27: Een verantwoordelijke organisatie
  28. [Wayback/Archive] AP28: Afspraken vastgelegd
  29. [Wayback/Archive] AP29: De dienstverlener voldoet aan de norm
  30. [Wayback/Archive] AP30: Verantwoording dienstlevering mogelijk
  31. [Wayback/Archive] AP31: PDCA-cyclus in besturing kwaliteit
  32. [Wayback/Archive] AP32: Sturing kwaliteit op het hoogste niveau
  33. [Wayback/Archive] AP33: Baseline kwaliteit diensten
  34. [Wayback/Archive] AP34: Verantwoording besturing kwaliteit
  35. (AP35 is intentionally missing: superseded by AP41)
  36. (AP36 is intentionally missing: superseded by AP41)
  37. (AP37 is intentionally missing: superseded by AP43)
  38. (AP38 is intentionally missing: superseded by AP43 and AP42)
  39. (AP39 is intentionally missing: superseded by AP42)
  40. [Wayback/Archive] AP40: Onweerlegbaarheid (principe)
  41. [Wayback/Archive] AP41: Beschikbaarheid
  42. [Wayback/Archive] AP42: Integriteit
  43. [Wayback/Archive] AP43: Vertrouwelijkheid (principe)
  44. [Wayback/Archive] AP44: Controleerbaarheid

The missing numbers (see also [Wayback/Archive] Betrouwbaarheid – NORA Online, [Wayback/Archive] Vervangen of Vervallen elementen in NORA – NORA Online and [Wayback/Archive] Vervangen of Vervallen uitspraken in NORA – NORA Online):

For a management overview, see [Wayback/Archive] NORA (Nederlandse Overheid Referentie Architectuur) – Digitale Overheid.

–jeroen

Posted in Authentication, Development, DigiD, Power User, Security, Software Development, Web Development | Leave a Comment »

Mysk 🇨🇦🇩🇪 on Twitter: “Google has just updated its 2FA Authenticator app and added a much-needed feature: the ability to sync secrets across devices. TL;DR: Don’t turn it on. The new update allows users to sign in with their Google Account and sync 2FA secrets across their iOS and Android devices.…”

Posted by jpluimers on 2023/05/10

Do not use the Google 2FA Authenticator to to sync secrets across devices.

The why is explained in the (long) tweet by [Wayback/Archive] Mysk on Twitter: “Google has just updated its 2FA Authenticator app and added a much-needed feature: the ability to sync secrets across devices. TL;DR: Don’t turn it on. The new update allows users to sign in with their Google Account and sync 2FA secrets across their iOS and Android devices.…”

For similar reasons, you might not want to use Authy by Twilio to sync between devices either, though that is less insecure as it enforces you to use a backup-password in order to sync these through the cloud: in the past that backup-password had few security restrictions so it was easy to use a relatively insecure password.

Related (most in Dutch):

Read the rest of this entry »

Posted in 2FA/MFA, Authentication, Google, GoogleAuthenticator, Power User, Security | Tagged: , , , , | Leave a Comment »

OWASP WebGoat repositories: Deliberately insecure JavaEE application to teach application security

Posted by jpluimers on 2022/08/02

Last year in OWASP top rated security “feature” A01:2021 – Broken Access Control, I promised to write more about how learn about OWASP documented and rated security vulnerabilities.

Today is the day you should start learning from [Wayback/Archive.is] Github: OWASP WebGoat:

Deliberately insecure JavaEE application to teach application security

It is a Java backend with a JavaScript/HTML frontend, but the vulnerabilities just as easily apply to other back-end stacks.

Repositories:

  1. [Wayback/Archive.is] WebGoat/WebGoat: WebGoat is a deliberately insecure application

    WebGoat is a deliberately insecure web application maintained by OWASP designed to teach web application security lessons.

    This program is a demonstration of common server-side application flaws. The exercises are intended to be used by people to learn about application security and penetration testing techniques.

    WARNING 1: While running this program your machine will be extremely vulnerable to attack. You should disconnect from the Internet while using this program. WebGoat’s default configuration binds to localhost to minimize the exposure.

    WARNING 2: This program is for educational purposes only. If you attempt these techniques without authorization, you are very likely to get caught. If you are caught engaging in unauthorized hacking, most companies will fire you. Claiming that you were doing security research will not work as that is the first thing that all hackers claim.

  2. [Wayback/Archive.is] WebGoat/WebGoat-Lessons: 7.x – The WebGoat STABLE lessons supplied by the WebGoat team.

    This repository contains all the lessons for the WebGoat container. Every lesson is packaged as a separate jar file which can be placed into a running WebGoat server.

  3. [Wayback/Archive.is] WebGoat/WebWolf (Can’t have a goat without a wolf, but I wonder where the cabbage is)
  4. [Wayback/Archive.is] WebGoat/WebGoat-Legacy: Legacy WebGoat 6.0 – Deliberately insecure JavaEE application
    This is the WebGoat Legacy version which is essentially the WebGoat 5 with a new UI.
    This program is a demonstration of common server-side application flaws. The exercises are intended to be used by people to learn about application penetration testing techniques.
  5. [Wayback/Archive.is] WebGoat/WebGoat-Archived-Releases: WebGoat 5.4 releases and older

    WebGoat 5.4 releases and older

  6. [Wayback/Archive.is] WebGoat/groovygoat: POC for dynamic groovy/thymeleaf based lesson system

    POC to demonstrate dynamic lessons with groovy controller/thymeleaf templates

They are by OWASP:

The Open Web Application Security Project (OWASP) is an online community that produces freely-available articles, methodologies, documentation, tools, and technologies in the field of web application security.[4][5]The Open Web Application Security Project (OWASP) provides free and open resources. It is led by a non-profit called The OWASP Foundation. The OWASP Top 10 – 2021 is the published result of recent research based on comprehensive data compiled from over 40 partner organizations.

Very important is the [Wayback/Archive.is] OWASP Top Ten Web Application Security Risks | OWASP:

The OWASP Top 10 is a standard awareness document for developers and web application security. It represents a broad consensus about the most critical security risks to web applications.

Globally recognized by developers as the first step towards more secure coding.

Companies should adopt this document and start the process of ensuring that their web applications minimize these risks. Using the OWASP Top 10 is perhaps the most effective first step towards changing the software development culture within your organization into one that produces more secure code.
Changes in the OWASP Top 10 between 2017 and 2021:

More OWASP repositories (including the [Wayback/Archive.is] OWASP/Top10: Official OWASP Top 10 Document Repository and [Wayback/Archive.is] OWASP/www-project-top-ten: OWASP Foundation Web Respository which seem to be at a 4-year update interval got updated in 2021) are at [Wayback/Archive.is] Github: OWASP.

Related: [Archive.is] Jeroen Wiert Pluimers on Twitter: “This so much sounds like German government IT-projects: …”

Via:

–jeroen

Posted in Authentication, CSS, Development, Encryption, HTML, Java Platform, JavaScript/ECMAScript, Pen Testing, Scripting, Security, Software Development, Web Development | Leave a Comment »

2fa.directory: public list of sites with two factor auth support which includes SMS, email, phone calls, hardware, and software.

Posted by jpluimers on 2022/05/09

List of sites with two factor auth support which includes SMS, email, phone calls, hardware, and software.

[Wayback/Archive.is] twofactorauth at 2fa.directory with GitHub sources at [Wayback/Archive.is] 2factorauth/twofactorauth: List of sites with two factor auth support which includes SMS, email, phone calls, hardware, and software..

Via: [Archive.is] Jilles🏳️‍🌈 on Twitter: “Ik gebruik custom e-mail accounts + 1Password/keepass en MFA; Yubikey, Authy, Authenticator. Geef geen eerlijk antwoord op googlebare security questions. En nog steeds ligt alles op straat. Tip: https://t2fa.directory … “

–jeroen

Read the rest of this entry »

Posted in Authentication, Power User, Security | Leave a Comment »

Bash functions to encode and decode the ‘Basic’ HTTP Authentication Scheme

Posted by jpluimers on 2022/02/24

IoT devices still often use the ‘Basic’ HTTP Authentication Scheme for authorisation, see [Wayback] RFC7617: The ‘Basic’ HTTP Authentication Scheme (RFC ) and [Wayback] RFC2617: HTTP Authentication: Basic and Digest Access Authentication (RFC ).

Often this authentication is used even over http instead of over https, for instance the Egardia/Woonveilig alarm devices I wrote about yesterday at  Egardia/Woonveilig: some notes about logging on a local gateway to see more detailed information on the security system. This is contrary to guidance in:

  • RFC7617:
       This scheme is not considered to be a secure method of user
   authentication unless used in conjunction with some external secure
   system such as TLS (Transport Layer Security, [RFC5246]), as the
   user-id and password are passed over the network as cleartext.
  • RFC2617:
       "HTTP/1.0", includes the specification for a Basic Access
   Authentication scheme. This scheme is not considered to be a secure
   method of user authentication (unless used in conjunction with some
   external secure system such as SSL [5]), as the user name and
   password are passed over the network as cleartext.

Fiddling with those alarm devices, I wrote these two little bash functions (with a few notes) that work both on MacOS and in Linux:

# `base64 --decode` is platform neutral (as MacOS uses `-D` and Linux uses `-d`)
# `$1` is the encoded username:password
function decode_http_Basic_Authorization(){
  echo $1 | base64 --decode
  echo
}

# `base64` without parameters encodes
# `echo -n` does not output a new-line
# `$1` is the username; `$2` is the password
function encode_http_Basic_Authorization(){
  echo $1:$2 | base64
}

The first decodes the <credentials> from a Authorization: Basic <credentials> header into a username:password clean text followed by a newline.

The second one encodes a pair of username and password parameters into such a <credentials> string.

They are based on these initial posts that were not cross platform or explanatory:

  1. [Wayback] Decode HTTP Basic Access Authentication – Stack Pointer
  2. [Wayback] Create Authorization Basic Header | MJ’s Web Log

–jeroen

Posted in *nix, *nix-tools, Apple, Authentication, bash, bash, Communications Development, Development, HTTP, Internet protocol suite, Linux, Mac OS X / OS X / MacOS, Power User, Scripting, Security, Software Development, TCP, Web Development | Leave a Comment »

« Previous Entries
Next Entries »