The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests

  • My badges

  • Twitter Updates

  • My Flickr Stream

  • Pages

  • All categories

  • Enter your email address to subscribe to this blog and receive notifications of new posts by email.

    Join 2,947 other followers

Archive for the ‘Hashing’ Category

Avoid writing the deep security layers of your software yourself, as it is hard, even for seasoned security software developers (see CVE-2021-41117 | GitHub Security Lab)

Posted by jpluimers on 2022/09/08

I’ve mentioned this in the past, but not sure I did that on my blog yet, so here it goes:

Avoid writing the deep security layers of your software yourself, as it is hard, even for seasoned security software developers.

Push as much as you can to well tested external libraries.

See for instance [Wayback/Archive.is] GHSL-2021-1012: Poor random number generation in keypair – CVE-2021-41117 | GitHub Security Lab

Three went wrong, leading to easy to guess RSA security keys:

  1. The library has an insecure random number fallback path. Ideally the library would require a strong CSPRNG instead of attempting to use a LCG and Math.random.
  2. The library does not correctly use a strong random number generator when run in NodeJS, even though a strong CSPRNG is available.
  3. The fallback path has an issue in the implementation where a majority of the seed data is going to effectively be zero.

The most important thing that went wrong was seeding the random number generator, cascading

Via:

–jeroen

Posted in Development, Encryption, Hashing, Power User, Security, Software Development | Leave a Comment »

CyberChef: The Cyber Swiss Army Knife – a web app for encryption, encoding, compression and data analysis.

Posted by jpluimers on 2022/06/23

[Wayback/Archive.is] CyberChef:

a simple, intuitive web app for carrying out all manner of “cyber” operations within a web browser. These operations include simple encoding like XOR or Base64, more complex encryption like AES, DES and Blowfish, creating binary and hexdumps, compression and decompression of data, calculating hashes and checksums, IPv6 and X.509 parsing, changing character encodings, and much more.

Source code at [Wayback/Archive.is] gchq/CyberChef: The Cyber Swiss Army Knife – a web app for encryption, encoding, compression and data analysis.

Via [Archive.is] Jilles🏳️‍🌈 on Twitter: “Hidden in plain sight. Rot13 cross word. Hidden Barcodes. Qr codes. Barely any InfoSec skill required. Still a hand full. Usually my to go place is: Cyberchef. I did a fun one for cyberklaas using ansi art.… “

Jilles also pointed to the solving part in [Archive.is] Jilles🏳️‍🌈 on Twitter: “See also, for solving: SCWF… “

The [Wayback/Archive.is] Solve Crypto with Force! needs to run without most script blockers, so best run it in an anonymous/private browser window.

Source code for SCWF is at [Wayback/Archive.is] DaWouw/SCWF: CTF tool for identifying, brute forcing and decoding encryption schemes in an automated way.

Screen shot of Cyberchef example “Perform AES decryption, extracting the IV from the beginning of the cipher stream” [Archive.is]:

Read the rest of this entry »

Posted in Development, Encryption, Hashing, Power User, Security, Software Development | Leave a Comment »

Ryan O’Horo on Twitter : “Computerphile with a clear and complete explanation of how the block cipher AES works and how it’s different from older ciphers. Background info… “

Posted by jpluimers on 2021/09/01

From a while back, but still relevant: [WayBack] Ryan O’Horo sur Twitter : “Computerphile with a clear and complete explanation of how the block cipher AES works and how it’s different from older ciphers. Background https://t.co/WyvYpM5JJN SP Networks https://t.co/MGILCxkqUR AES Cipher https://t.co/ReHpnCBTvI… https://t.co/VbZomPrOow”

Videos below the fold

–jeroen

Read the rest of this entry »

Posted in Development, Encryption, Hashing, Power User, Security, Software Development | Leave a Comment »

Some links related to Apple’s NeuralHash algorithm, as it was reverse engineered and collisions can be generated so abuse with pictures matching sensitive hashes can be performed

Posted by jpluimers on 2021/08/24

Last week, I wrote [Archive.is] Jeroen Wiert Pluimers on Twitter: “Apple’s NeuralHash algorithm for automagically reporting sensitive images from iOS devices has not only been reverse engineered, but also collisions can now be generated. Now just wait for abuse of innocent pictures matching sensitive hashes. … “

Below, for my link archive, some relevant links on this:

–jeroen

Posted in AI and ML; Artificial Intelligence & Machine Learning, Development, Hashing, Power User, Security, Software Development | Leave a Comment »

Chocolatey: installing Oracle SQL Developer and updating the chocolatey package

Posted by jpluimers on 2021/05/13

Sometimes an install is not just as simple as C:\>choco install --yes oracle-sql-developer.

Edit 20210514:

Note that most of the below pain will be moot in the future as per [Archive.is] Jeff Smith 🍻 on Twitter: “we’re working on removing the SSO requirement, it’s already done for @oraclesqlcl – see here … “ referring to [Wayback] SQLcl now under the Oracle Free Use Terms and Conditions license | Oracle Database Insider Blog

SQLcl, the modern command-line interface for the Oracle Database, can now be downloaded directly from the web without any click-through license agreement.

It means the Oracle acount restriction will be lifted, and downloads will be a lot simpler.

I started with the below failing command, tried a lot of things, then finally almost gave up: Oracle stuff does not want to be automated, which means I should try to less of their stuff.

First of all you need an Oracle account (I dislike companies doing that for free product installs; I’m looking at Embarcadero too) by going to profile.oracle.com:

[WayBack] Chocolatey Gallery | Oracle SQL Developer 18.4.0 (also: gist.github.com/search?l=XML&q=oracle-sql-developer)

Notes

  • This version supports both 32bit and 64bit and subsequently does not have a JDK bundled with it. It has a
    dependency on the jdk8 package to meet the application’s JDK requirement.
  • An Oracle account is required to download this package. See the “Package Parameters” section below for
    details on how to provide your Oracle credentials to the installer. If you don’t have an existing account, you can
    create one for free here: https://profile.oracle.com/myprofile/account/create-account.jspx

Package Parameters

The following package parameters are required:

/Username: – Oracle username
/Password: – Oracle password

(e.g. choco install oracle-sql-developer --params "'/Username:MyUsername /Password:MyPassword'")

To have choco remember parameters on upgrade, be sure to set choco feature enable -n=useRememberedArgumentsForUpgrades.

Then the installation failed fail again: ERROR: The response content cannot be parsed because the Internet Explorer engine is not available, or Internet Explorer's first-launch configuration is not complete. Specify the UseBasicParsing parameter and try again.

The trick is to RUN IEXPLORE.EXE AS ADMINISTRATOR ONCE BEFORE INSTALLING FROM CHOCOLATEY. Who would believe that.

The reason is that the package uses Invoke-WebRequest which requires Internet Explorer and PowerShell 3. Chocolatey packages however need to be able to run on just PowerShell 2 without Invoke-WebRequest.

Maybe using cURL can remedy that; adding a dependency to is is possible, as cURL can be installed via chocolatey: [WayBack] How to Install cURL on Windows – I Don’t Know, Read The Manual. Another alternative might be [WayBack] Replace Invoke-RestMethod in PowerShell 2.0 to use [WayBack] WebRequest Class (System.Net) | Microsoft Docs.

Read the rest of this entry »

Posted in CertUtil, Chocolatey, CommandLine, Database Development, Development, DVCS - Distributed Version Control, git, Hashing, OracleDB, Power User, PowerShell, Security, SHA, SHA-1, Software Development, Source Code Management, Windows, XML, XML/XSD | Leave a Comment »

 
%d bloggers like this: