Archive for the ‘Security’ Category
Posted by jpluimers on 2023/03/02
Cool: [Wayback/Archive] Canarytokens
Canary tokens are a free, quick, painless way to help defenders discover they’ve been breached (by having attackers announce themselves.)
How tokens work (in 3 short steps):
- Visit the site and get a free token (which could look like a URL or a hostname, depending on your selection.)
- If an attacker ever uses the token somehow, we will give you an out of band (email or sms) notification that it’s been visited.
- As an added bonus, we give you a bunch of hints and tools that increase the likelihood of an attacker tripping on a canary token.
The above documentation is just a small portion of what is at [Wayback/Archive] Canarytokens.org – Quick, Free, Detection for the Masses with even more documentation starting at [Wayback/Archive] Introduction | Canarytokens.
Source code (either the site or a docker image):
It is provided by [Wayback/Archive] Thinkst Canary.
I learned it at the height of the Log4Shell mitigation stress. Some related posts from that period:
Via: [Archive] ᖇ⦿ᖘ Gonggrijp on Twitter: “IP in Luxembourg, owned by Frantech Solutions from Cheyenne, WY. Judging from a quick round of Google appears to be a bulletproof VM hoster, with clients to match. ” / Twitter

Below image via [Wayback/Archive] Tweet2Img.com | Perfect Tweet screenshots with just one click

––jeroen
Posted in Power User, Security
Posted by jpluimers on 2023/02/04
[Wayback/Archive] Massive ESXiArgs ransomware attack targets VMware ESXi servers worldwide
Admins, hosting providers, and the French Computer Emergency Response Team (CERT-FR) warn that attackers actively target VMware ESXi servers unpatched against a two-year-old remote code execution vulnerability to deploy ransomware.
Tracked as CVE-2021-21974, the security flaw is caused by a heap overflow issue in the OpenSLP service that can be exploited by unauthenticated threat actors in low-complexity attacks.
“As current investigations, these attack campaigns appear to be exploiting the vulnerability CVE-2021-21974, for which a patch has been available since 23 February 2021,” CERT-FR said.
“The systems currently targeted would be ESXi hypervisors in version 6.x and prior to 6.7.”
To block incoming attacks, admins have to disable the vulnerable Service Location Protocol (SLP) service on ESXi hypervisors that haven’t yet been updated.
CERT-FR strongly recommends applying the patch as soon as possible but adds that systems left unpatched should also be scanned to look for signs of compromise.
CVE-2021-21974 affects the following systems:
- ESXi versions 7.x prior to ESXi70U1c-17325551
- ESXi versions 6.7.x prior to ESXi670-202102401-SG
- ESXi versions 6.5.x prior to ESXi650-202102101-SG
[Wayback/Archive] Esxi Ransomware Help and Support Topic (ESXiArgs / .args extension) – Page 2 – Ransomware Help & Tech Support (there are now 4 pages, most victims OVH, likely many more pages to follow)
[Wayback/Archive] How to Disable/Enable the SLP Service on VMware ESXi (76372)
[Wayback/Archive] html:”We hacked your company successfully” title:”How to Restore Your Files” – Shodan Search which resulted in the above image (I tweeted it at [Wayback/Archive] Jeroen Wiert Pluimers @wiert@mastodon.social on Twitter: “@vmiss33”)
Commands used in [Wayback/Archive] Jeroen Wiert Pluimers @wiert@mastodon.social on Twitter: “@vmiss33 I did forget to disable SLP on a patched system, but doing that is easy as per kb.vmware.com/s/article/76372“:
# per VMware KB 76372: check for active SLP client sessions first, slpd cannot be stopped while it is in use
esxcli system slp stats get
/etc/init.d/slpd status
/etc/init.d/slpd stop
# block SLP (port 427) in the ESXi firewall so nothing reaches the service even if it is ever started again
esxcli network firewall ruleset set -r CIMSLP -e 0
# keep slpd from starting at boot, then verify it is off
chkconfig slpd off
chkconfig --list | grep slpd
More links to follow, but I’m away from keyboard for most of the day.
–jeroen
Posted in ESXi6, ESXi6.5, ESXi6.7, Power User, Ransomware, Security, Virtualization, VMware, VMware ESXi
Posted by jpluimers on 2022/11/28
I wish they had mailed me about this: [Wayback/Archive] De Non-Mailing-Indicator
If, after registering in the Handelsregister (the Dutch Trade Register), you do not want to be approached with physical mail or door-to-door visits at your registered address, you can activate the NMI. With it you indicate that you do not want unsolicited advertising by post or sales at your door.
After activating the NMI, this is shown both on the extract and in the freely accessible information on the website.
…
The protection the NMI offers is limited to physical mail and door-to-door visits. The NMI does not protect against advertising and offers via e-mail, telephone, SMS or WhatsApp. You should expect that, despite activating it, you will be approached with all kinds of offers soon after registering. Companies and organisations use the public data from the Handelsregister for that.
…
Turning on the NMI means you will be found less easily. For example, Google has a policy of not including companies with an NMI in Google Maps.
…
You can easily activate or deactivate the [Wayback/Archive] Non-Mailing-Indicator via a form.
With this form you can activate or deactivate the non-mailing indicator (NMI). If you choose "activate", your data from the Handelsregister may not be used for postal advertising or door-to-door sales. You can check for yourself whether you have activated the NMI or not. To do so, follow these steps:
- Go to [Wayback/Archive] the company search (bedrijvenzoeker) and enter your company name or KVK number.
- Click on your company name. You will now go to a page with all your company's details.
- Do you see the sentence "De onderneming/organisatie wil niet dat haar adresgegevens worden gebruikt voor ongevraagde postreclame en verkoop aan de deur" (the company/organisation does not want its address details used for unsolicited postal advertising and door-to-door sales)? Then you have activated your NMI. If you do not see this sentence, you have not activated the NMI.
If you register in the Handelsregister, you can activate the NMI immediately. If you activate the NMI at a later time, for example a few months after registering, your data will already be known to many companies and organisations and included in their databases. This is not updated automatically unless those companies regularly request an update via KVK. Because activating the NMI afterwards turns out to have little effect in practice, it is best to do so immediately upon registration.
––jeroen
Posted in About, LifeHacker, Personal, Power User, Security
Posted by jpluimers on 2022/10/19
Posted in Development, FortiGate/FortiClient, Hardware, Network-and-equipment, Power User, Security, Software Development, VPN, Windows, Windows 10, Windows 7, Windows 8, Windows 8.1, Windows 9, Windows Development, Windows Server 2000, Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Vista, Windows XP
Posted by jpluimers on 2022/09/08
I’ve mentioned this in the past, but not sure I did that on my blog yet, so here it goes:
Avoid writing the deep security layers of your software yourself, as it is hard, even for seasoned security software developers.
Push as much as you can to well tested external libraries.
See for instance [Wayback/Archive.is] GHSL-2021-1012: Poor random number generation in keypair – CVE-2021-41117 | GitHub Security Lab
Three things went wrong, leading to easy-to-guess RSA keys:
- The library has an insecure random number fallback path. Ideally the library would require a strong CSPRNG instead of attempting to use an LCG and Math.random.
- The library does not correctly use a strong random number generator when run in NodeJS, even though a strong CSPRNG is available.
- The fallback path has an issue in the implementation where a majority of the seed data is going to effectively be zero.
The most important thing that went wrong was seeding the random number generator, cascading
Via:
–jeroen
Posted in Development, Encryption, Hashing, Power User, Security, Software Development
Posted by jpluimers on 2022/08/31
Especially on iOS, but also on Android and other mobile operating systems, mobile apps can ship their own in-app browsers that bypass the OS-provided system browser.
On iOS, Safari's WebKit is the only browser engine allowed, whereas Android allows other engines too, so fewer Android applications have in-app browsers.
Most of those in-app browsers are in social media applications that go to great lengths to keep their users inside a walled garden.
The site [Wayback/Archive] inAppBrowser.com helps check how much information is leaked through an in-app browser, as those potentially have a lot of control over the pages they load. TikTok is the worst, capturing all input including credentials such as user names and passwords.
Posted in Chrome, Conference Topics, Conferences, Development, Event, Firefox, iOS Development, JavaScript/ECMAScript, Mobile Development, Power User, Privacy, Safari, Scripting, Security, Software Development, Web Browsers, Web Development
Posted by jpluimers on 2022/08/09
I totally forgot I had not mentioned Signal on my blog, so here it goes:
- Site: [Wayback/Archive.is] Signal >> Home:
Say “hello” to a different messaging experience. An unexpected focus on privacy, combined with all of the features you expect.
- Downloads at [Wayback/Archive.is] Signal >> Download Signal (mobile for Android and iOS, Desktop for Windows, macOS and Debian-based Linux distributions)
- Code is open source in the [Wayback/Archive.is] Github: Signal repositories, some of which are:
- [Wayback/Archive.is] signalapp/Signal-Android: A private messenger for Android.
Signal is a messaging app for simple private communication with friends.
Signal uses your phone’s data connection (WiFi/3G/4G) to communicate securely, optionally supports plain SMS/MMS to function as a unified messenger, and can also encrypt the stored messages on your phone.
- [Wayback/Archive.is] signalapp/Signal-iOS: A private messenger for iOS.
Signal is a free, open source, messaging app for simple private communication with friends.
- [Wayback/Archive.is] signalapp/Signal-Desktop: Signal — Private Messenger for Windows, Mac, and Linux
Signal Desktop links with Signal on Android or iOS and lets you message from your Windows, macOS, and Linux computers.
- [Wayback/Archive.is] signalapp/libsignal-client
libsignal-client contains platform-agnostic APIs useful for Signal client apps, exposed as a Java, Swift, or TypeScript library. The underlying implementations are written in Rust.
- [Wayback/Archive.is] signalapp/Signal-Server: Server supporting the Signal Private Messenger applications on Android, Desktop, and iOS
Server supporting the Signal Private Messenger applications on Android, Desktop, and iOS
–jeroen
Posted in Power User, Security
Posted by jpluimers on 2022/08/02
Last year, in OWASP top rated security “feature” A01:2021 – Broken Access Control, I promised to write more about how to learn about the security vulnerabilities that OWASP documents and rates.
Today is the day you should start learning from [Wayback/Archive.is] Github: OWASP WebGoat:
Deliberately insecure JavaEE application to teach application security
It is a Java backend with a JavaScript/HTML frontend, but the vulnerabilities just as easily apply to other back-end stacks.
Repositories:
- [Wayback/Archive.is] WebGoat/WebGoat: WebGoat is a deliberately insecure application
WebGoat is a deliberately insecure web application maintained by OWASP designed to teach web application security lessons.
This program is a demonstration of common server-side application flaws. The exercises are intended to be used by people to learn about application security and penetration testing techniques.
WARNING 1: While running this program your machine will be extremely vulnerable to attack. You should disconnect from the Internet while using this program. WebGoat’s default configuration binds to localhost to minimize the exposure.
WARNING 2: This program is for educational purposes only. If you attempt these techniques without authorization, you are very likely to get caught. If you are caught engaging in unauthorized hacking, most companies will fire you. Claiming that you were doing security research will not work as that is the first thing that all hackers claim.
- [Wayback/Archive.is] WebGoat/WebGoat-Lessons: 7.x – The WebGoat STABLE lessons supplied by the WebGoat team.
This repository contains all the lessons for the WebGoat container. Every lesson is packaged as a separate jar file which can be placed into a running WebGoat server.
- [Wayback/Archive.is] WebGoat/WebWolf (Can’t have a goat without a wolf, but I wonder where the cabbage is)
- [Wayback/Archive.is] WebGoat/WebGoat-Legacy: Legacy WebGoat 6.0 – Deliberately insecure JavaEE application
This is the WebGoat Legacy version which is essentially the WebGoat 5 with a new UI.
This program is a demonstration of common server-side application flaws. The exercises are intended to be used by people to learn about application penetration testing techniques.
- [Wayback/Archive.is] WebGoat/WebGoat-Archived-Releases: WebGoat 5.4 releases and older
WebGoat 5.4 releases and older
- [Wayback/Archive.is] WebGoat/groovygoat: POC for dynamic groovy/thymeleaf based lesson system
POC to demonstrate dynamic lessons with groovy controller/thymeleaf templates
They are by OWASP:
The Open Web Application Security Project (OWASP) is an online community that produces freely-available articles, methodologies, documentation, tools, and technologies in the field of web application security.
The Open Web Application Security Project (OWASP) provides free and open resources. It is led by a non-profit called The OWASP Foundation. The OWASP Top 10 – 2021 is the published result of recent research based on comprehensive data compiled from over 40 partner organizations.
Very important is the [Wayback/Archive.is] OWASP Top Ten Web Application Security Risks | OWASP:
The OWASP Top 10 is a standard awareness document for developers and web application security. It represents a broad consensus about the most critical security risks to web applications.
Globally recognized by developers as the first step towards more secure coding.
Companies should adopt this document and start the process of ensuring that their web applications minimize these risks. Using the OWASP Top 10 is perhaps the most effective first step towards changing the software development culture within your organization into one that produces more secure code.
Changes in the OWASP Top 10 between 2017 and 2021:
More OWASP repositories (including [Wayback/Archive.is] OWASP/Top10: Official OWASP Top 10 Document Repository and [Wayback/Archive.is] OWASP/www-project-top-ten: OWASP Foundation Web Respository, which seem to be on a 4-year update interval and were last updated in 2021) are at [Wayback/Archive.is] Github: OWASP.
Related: [Archive.is] Jeroen Wiert Pluimers on Twitter: “This so much sounds like German government IT-projects: …”
Via:
–jeroen
Posted in Authentication, CSS, Development, Encryption, HTML, Java Platform, JavaScript/ECMAScript, Pen Testing, Scripting, Security, Software Development, Web Development
Posted by jpluimers on 2022/07/08
I missed this announcement: [Wayback/Archive] HTTPS Is Actually Everywhere | Electronic Frontier Foundation.
Though in practice there are still a few sites without HTTPS (usually old blogs, sometimes old forums too), almost all have it (thanks, Let’s Encrypt!) and many no longer even support plain HTTP.
So the HTTPS Everywhere extension in Google Chrome recently pointed me to [Wayback/Archive] Set Up HTTPS by Default in Your Browser | Electronic Frontier Foundation, which pointed me to the above post, which taught me that most browsers (Firefox, Chrome, Edge and Safari) by now have an HTTPS-only mode which you can enable by hand, or which is sometimes simply the only mode offered.
Cool, I love progress!
–jeroen
Posted in Encryption, HTTPS/TLS security, Let's Encrypt (letsencrypt/certbot), Power User, Security