The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests


Archive for the ‘Security’ Category

Criminals are mailing altered Ledger devices to steal cryptocurrency: looks added USB flash card is from Intenso

Posted by jpluimers on 2021/06/28

Last week, Bleeping Computer wrote about [Wayback] Criminals are mailing altered Ledger devices to steal cryptocurrency:

Scammers are sending fake replacement devices to Ledger customers exposed in a recent data breach that are used to steal cryptocurrency wallets.

The fake Ledger hardware wallet has a piggy-back USB flash device on it (image from Mike):

[Archive.is] _MG_ on Twitter: “Malicious hardware implant in the wild! I helped @LawrenceAbrams dig into this. It’s a hardware wallet with a malicious implant added. It’s being mailed to targets. Read about it here: “

This week, Jilles opened up a bunch of USB flash devices to compare them with the pictures of the fake Ledger hardware wallet, where Mike noted that it was likely an Intenso device. It all started with a compliment:

I reacted that earlier this year, I had an Intenso device die that was the boot stick for an ESXi server, which after booting (at most once in months) only does read-only access to it. If I find it back (I might have ditched it), I will open it up and post pictures.

[Wayback] Jeroen Wiert Pluimers on Twitter: “Note I had one of these Intenso sticks die in an ESXi server: it was just the boot stick, so no writes at all. “

Anyway, this was the one that died (maybe because it was very cheap):

According to [Wayback] USB Sticks | Intenso, these devices are manufactured by or for this German company:

Intenso International GmbH
Gutenbergstraße 2
49377 Vechta, Germany

Indeed, the conclusion of Jilles and Mike, while figuring out the type of USB PCB, was already that opening up the device could give an indication of the geographic region or era these fakes might originate from:

Meta-information is information too, and especially important in forensics.

Fake Ledger hardware wallet video

Mike also created a video. It is below the signature.

This was the tweet about it: [Archive.is] _MG_ on Twitter: “I sat down and walked through the Ledger Wallet implant. From phish, to Amazon poisoning attack, to implant, and what’s next. “

Attribution

As Jilles mentioned, attribution is important, though both Mike and Jilles hardly see that with red teams. So thanks Mike and Jilles for doing the grunt work.

[Archive.is] Jilles on Twitter: “Thanks @_MG_! One of the hard things about creating cool stuff for red teams is that you usually cannot share what epic stuff you did, apart from your team and the client. Unless… You see one of your methods in the wild. And really love the tiny USB modules being used here.… https://t.co/Cs4rzvuNrT”

[Archive.is] Jilles on Twitter: “I have actually been working on assignments where attribution, purpose and forensics of discovered implants had to take place. Not a red team exercise.… “

–jeroen

Posted in Power User, Security

mnot S05E03 – Boba – Met Nerds om Tafel

Posted by jpluimers on 2021/06/18

Some links via [WayBack] S05E03 – Boba – Met Nerds om Tafel:

–jeroen

Posted in LifeHacker, Power User, Privacy, Security

Chocolatey: installing Oracle SQL Developer and updating the chocolatey package

Posted by jpluimers on 2021/05/13

Sometimes an install is not just as simple as C:\>choco install --yes oracle-sql-developer.

Edit 20210514:

Note that most of the below pain will be moot in the future as per [Archive.is] Jeff Smith 🍻 on Twitter: “we’re working on removing the SSO requirement, it’s already done for @oraclesqlcl – see here … “ referring to [Wayback] SQLcl now under the Oracle Free Use Terms and Conditions license | Oracle Database Insider Blog

SQLcl, the modern command-line interface for the Oracle Database, can now be downloaded directly from the web without any click-through license agreement.

It means the Oracle account restriction will be lifted, and downloads will be a lot simpler.

I started with the below failing command, tried a lot of things, then finally almost gave up: Oracle stuff does not want to be automated, which means I should try to use less of their stuff.

First of all you need an Oracle account (I dislike companies doing that for free product installs; I’m looking at Embarcadero too) by going to profile.oracle.com:

[WayBack] Chocolatey Gallery | Oracle SQL Developer 18.4.0 (also: gist.github.com/search?l=XML&q=oracle-sql-developer)

Notes

  • This version supports both 32bit and 64bit and subsequently does not have a JDK bundled with it. It has a
    dependency on the jdk8 package to meet the application’s JDK requirement.
  • An Oracle account is required to download this package. See the “Package Parameters” section below for
    details on how to provide your Oracle credentials to the installer. If you don’t have an existing account, you can
    create one for free here: https://profile.oracle.com/myprofile/account/create-account.jspx

Package Parameters

The following package parameters are required:

/Username: – Oracle username
/Password: – Oracle password

(e.g. choco install oracle-sql-developer --params "'/Username:MyUsername /Password:MyPassword'")

To have choco remember parameters on upgrade, be sure to set choco feature enable -n=useRememberedArgumentsForUpgrades.

Then the installation failed again: ERROR: The response content cannot be parsed because the Internet Explorer engine is not available, or Internet Explorer's first-launch configuration is not complete. Specify the UseBasicParsing parameter and try again.

The trick is to RUN IEXPLORE.EXE AS ADMINISTRATOR ONCE BEFORE INSTALLING FROM CHOCOLATEY. Who would believe that.

The reason is that the package uses Invoke-WebRequest, which requires Internet Explorer and PowerShell 3. Chocolatey packages, however, need to be able to run on just PowerShell 2, which does not have Invoke-WebRequest.

Maybe using cURL can remedy that; adding a dependency to it is possible, as cURL can be installed via Chocolatey: [WayBack] How to Install cURL on Windows – I Don’t Know, Read The Manual. Another alternative might be [WayBack] Replace Invoke-RestMethod in PowerShell 2.0 to use the [WayBack] WebRequest Class (System.Net) | Microsoft Docs.
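As an added example (not code from the Chocolatey package or from the linked articles), this is what the WebRequest-class alternative looks like: a PowerShell 2.0 compatible download helper built on System.Net.HttpWebRequest, so it never touches the Internet Explorer engine, and which verifies a checksum of what it fetched before an installer trusts it. The URL and the expected hash are placeholders; the function name is mine.

```powershell
# Added example: download without Invoke-WebRequest (works on PowerShell 2.0,
# no Internet Explorer engine involved). On PowerShell 3+, the equivalent fix is
# Invoke-WebRequest -UseBasicParsing, which is what the error message above hints at.
function Get-FileViaWebRequest {
    param(
        [Parameter(Mandatory = $true)][string]$Url,
        [Parameter(Mandatory = $true)][string]$Destination,
        [string]$ExpectedSha256   # hex digest; optional, but a package should supply one
    )

    $request = [System.Net.HttpWebRequest]::Create($Url)
    $request.Method = 'GET'
    $request.UserAgent = 'chocolatey-package-example/1.0'
    $request.AllowAutoRedirect = $true

    $response = $request.GetResponse()
    try {
        $inStream  = $response.GetResponseStream()
        $outStream = [System.IO.File]::Create($Destination)
        try {
            # Stream in 64 KiB chunks so large installers do not end up in memory.
            $buffer = New-Object byte[] 65536
            while (($read = $inStream.Read($buffer, 0, $buffer.Length)) -gt 0) {
                $outStream.Write($buffer, 0, $read)
            }
        } finally {
            $outStream.Close()
            $inStream.Close()
        }
    } finally {
        $response.Close()
    }

    if ($ExpectedSha256) {
        # Verify the download against the published checksum and refuse a mismatch.
        $sha = New-Object System.Security.Cryptography.SHA256Managed
        $fs  = [System.IO.File]::OpenRead($Destination)
        try { $hashBytes = $sha.ComputeHash($fs) } finally { $fs.Close() }
        $actual = ([System.BitConverter]::ToString($hashBytes)).Replace('-', '')
        if ($actual -ne $ExpectedSha256.ToUpper()) {
            Remove-Item $Destination -Force
            throw "Checksum mismatch for $Url : expected $ExpectedSha256, got $actual"
        }
    }
    return $Destination
}

# Placeholder values; substitute the package's real download URL and checksum.
# Get-FileViaWebRequest -Url 'https://example.invalid/sqldeveloper.zip' `
#     -Destination "$env:TEMP\sqldeveloper.zip" -ExpectedSha256 '<EXPECTED_SHA256_HEX>'
```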

Posted in CertUtil, Chocolatey, CommandLine, Database Development, Development, DVCS - Distributed Version Control, git, Hashing, OracleDB, Power User, PowerShell, Security, SHA, SHA-1, Software Development, Source Code Management, Windows, XML, XML/XSD

Certified Secure – XS4ALL Challenge

Posted by jpluimers on 2021/04/23

This was a cool one a few years back: [WayBack] Certified Secure – XS4ALL Challenge

–jeroen

Posted in Fun, History, Power User, Security

<3 "Minimum Defendable Product": it is part of "Minimum Viable Product".

Posted by jpluimers on 2021/04/21

An important concept in [Archive.is] Kristian Köhntopp on Twitter: “<3 “Minimum Defendable Product”. That is an important concept; I am adopting it into my vocabulary.… “ quoting

[Archive.is] Mario Hachemer on Twitter: “I gave a talk on the topic of IT security in start-ups. One term I defined for that purpose was the “Minimum Defendable Product”, in contrast to the MVP. As a start-up, it makes sense to critically determine which asset classes you can secure. That saves.… “

It is from this thread (also a threat) [Archive.is] Kristian Köhntopp on Twitter: “Operational excellence… “:

Operational excellence

Secrets do not belong in source. No SSL keys, no database passwords, and nothing else either.

What belongs in source is code that fetches secrets from a secrets service (Vault et al.) or, if you are a few years behind, from files built by hierasecrets.
Secrets do not belong in code for testing either. Here too, test keys can be provisioned as in production and discarded after the test (if you want).

Having the option of secrets in code must be called out in code review.
Welcome to 2021, welcome to Operational Excellence.

[Wayback] docs.aws.amazon.com/config/latest/…
Here the matching AWS OE Security Pillar

The first tweet quoted a surprise about the Luca App (which is highly controversial in Germany: it is a Corona contact tracing app which has some [Wayback] severe security issues):

Posted in Conference Topics, Conferences, Development, Event, Security, Software Development

Some links with notes on WoonVeilig/Egardia security system communications, protocols and support by 3rd party home automation apps

Posted by jpluimers on 2021/03/23

Security issues for older models (mainly GATE01 and WV-1716 systems; which used a lot of Climax components):

A more recent security review:

Physical security is important too; ensure the system is in an enclosed closet, powered by a UPS and your communication lines are secured as well: [WayBack] Manipulationen an Alarmanlagen verhindern – Smarthomewiki

Dutch links on the hardware connections and protocols used:

More recent information:

API usage:

More subdomains (in 2019) via:

–jeroen

Posted in Communications Development, Development, Power User, Security, Software Development

Manage two WoonVeilig or egardia systems from one smartphone / Twee WoonVeilig systemen beheren vanaf 1 telefoon

Posted by jpluimers on 2021/03/19

A while ago, I suggested to WoonVeilig that it would be really great if you could manage multiple of their alarm systems from one smartphone without the need to re-logon.

Use cases for managing two security systems include:

  • managing home and office security systems
  • managing your own security system, and that of a family member in need
  • managing the systems of both your permanent and vacation home

Right now, this is not possible from the WoonVeilig app, but there is a little trick to manage 2 systems from one phone.

This trick works because the WoonVeilig system is developed by Egardia, and both [WayBack] WoonVeilig and [WayBack] Egardia use the same back-end, despite their management sites being slightly different:

This also means that if you want to fiddle with the systems, searching for egardia will get you far more results than for woonveilig.

So the trick is to install two apps, and use different credentials for each app. This allows you to manage two security systems at once:

Notes:

  • in both apps, you can use userid and password woonveiligdemo, or egardia7, to get into a demo environment
  • the WoonVeilig app is only in Dutch
  • the Egardia app allows you to switch languages (English/Dutch/German/French)
  • there are no apps supporting just English, German or French

–jeroen

Posted in Power User, Security

Enable Block at First Sight to detect malware in seconds | Microsoft Docs

Posted by jpluimers on 2021/03/12

On my reading list, because I saw it suddenly enabled on a domain based Windows network:

[WayBack] Enable Block at First Sight to detect malware in seconds | Microsoft Docs

Enable the Block at First sight feature to detect and block malware within seconds, and validate that it is configured correctly.

It seems to have been introduced in early 2018: Windows Defender – Wikipedia: Advanced Features

Windows 10’s Anniversary Update introduced Limited Periodic Scanning, which optionally allows Windows Defender to scan a system periodically if another antivirus app is installed.[5] It also introduced Block at First Sight, which uses machine learning to predict whether a file is malicious.[21]

There is a BAFS – Windows Defender Testground for which you need a Microsoft account.

–jeroen

Posted in Power User, Security, Windows, Windows 10

Evil environment variables….

Posted by jpluimers on 2021/02/11

I totally agree with Nick Craver “I absolutely hate environmental variables for configuration. They’re brittle, they’re ambient, they can be changed and FUBAR any known state underneath you, they’re an attack vector, just…”.

A little event in the early 1990s made me cautious whenever I see environment variables in use.

One of my clients had a network that had to be separated into three logical areas: one for workstations communicating with a certain server and some equipment, and another for a different server and other equipment, and finally a bunch of semi-local workstations that did some peer-to-peer and specialised equipment communication.

For that era, this was a LOT of stuff to manage.

Since users were always working from the same computers, and there was very little overlap between the areas, I created a bunch of login scripts. Since this was the Novell NetWare 3.x era, you only had default, system and user login scripts (see [WayBack] NetWare 3 Login Script Fundamentals), of which only system+default or system+user could be combined. No group scripts yet (:

So I introduced an environment variable NETWORK that would hold the kind of logical network.

Boy was I surprised that a few days later, the head of administration came to me with a problem: one of his administration programs – despite no documentation mentioning anything about such a feature – suddenly asked for a license!

A few hours of phone calls and trying later, we found the culprit: that software had an undocumented feature: when the NETWORK environment variable was set, it assumed a large corporation, with a very special license feature.

That was the day I started to be wary of environment variables.

The workaround was simple: start the program from a batch file that temporarily clears the NETWORK environment variable, then runs the application, and finally restores the environment variable.

Inspired by two tweets I got within a few days’ time:

–jeroen

Posted in History, Power User, Security

Deciphering the Messages of Apple’s T2 Coprocessor | Duo Security

Posted by jpluimers on 2021/01/28

Interesting read: [WayBack] Deciphering the Messages of Apple’s T2 Coprocessor | Duo Security.

Via:

–jeroen

Posted in Development, Security, Software Development