The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests

Archive for the ‘Security’ Category

SAFECode updates its guide on best secure software development practices – SD Times

Posted by jpluimers on 2020/07/15

It is interesting to see how much is not about actual coding, but about tooling, testing, processes, operations and mindset.

[WayBack] SAFECode updates its guide on best secure software development practices – SD Times

PDF: [WayBack] SAFECode releases Fundamental Practices for Secure Software Development: Essential Elements of a Secure Development Life Cycle Program (Third Edition).

Table of Contents:

Page;Topic
 4; Executive Summary
 5; Introduction
 5;  Audience
 6; SAFECode Guidance and Software Assurance Programs
 7; Application Security Control Definition
 7;  Actively Manage Application Security Controls
 9; Design
 9;  Secure Design Principles
10;  Threat Modeling 
11;  Develop an Encryption Strategy
12;  Standardize Identity and Access Management
14;  Establish Log Requirements and Audit Practices  
15; Secure Coding Practices
15;  Establish Coding Standards and Conventions
15;  Use Safe Functions Only
17;  Use Code Analysis Tools To Find Security Issues Early
17;  Handle Data Safely 
20;  Handle Errors 
21; Manage Security Risk Inherent in the Use of Third-party Components
22; Testing and Validation
22;  Automated Testing
24;  Manual Testing
27; Manage Security Findings 
27;  Define Severity
28;  Risk Acceptance Process
29; Vulnerability Response and Disclosure
29;  Define Internal and External Policies
29;  Define Roles and Responsibilities
30;  Ensure that Vulnerability Reporters Know Whom to Contact 
30;  Manage Vulnerability Reporters
30;  Monitor and Manage Third-party Component Vulnerabilities 
31;  Fix the Vulnerability
31;  Vulnerability Disclosure
32;  Secure Development Lifecycle Feedback  
33; Planning the Implementation and Deployment of Secure Development Practices
33;  Culture of the Organization 
33;  Expertise and Skill Level of the organization 
34;  Product Development Model and Lifecycle
34;  Scope of Initial Deployment
35;  Stakeholder Management and Communications
35;  Compliance Measurement 
36;  SDL Process Health
36;  Value Proposition
37; Moving Industry Forward
37;  Acknowledgements
38;  About SAFECode

–jeroen

Posted in Development, Security, Software Development

“error: invalid object 100644” “git svn”

Posted by jpluimers on 2020/07/14

A while back, while using “git svn” on a Windows system, I got [Archive.is] “error: invalid object 100644” “git svn” – Google Search after statements like this:

# git svn rebase
error: refs/remotes/git-svn does not point to a valid object!
error: invalid object 100644 ac7df132f5bd7d639fc525f1f0204a546658d0c5 for 'Source/ToDoList/GX_ToDo.pas'
fatal: git-write-tree: error building trees
write-tree: command returned error: 128

# git svn fetch
error: refs/remotes/git-svn does not point to a valid object!
error: invalid object 100644 ac7df132f5bd7d639fc525f1f0204a546658d0c5 for 'Source/ToDoList/GX_ToDo.pas'
fatal: git-write-tree: error building trees
write-tree: command returned error: 128

In my case, regular git operations (like branching, committing, pushing, etc) worked fine, but git svn would fail.

One problem was that [Archive.is] “error: refs/remotes/git-svn does not point to a valid object” – Google Search only returned one un-meaningful result: [WayBack] gist:87613 · GitHub.

Luckily, I had a backup (though it was from a while ago as that VM had not been in use for quite some time) which is the first part in [WayBack] Git FAQ – Git SCM Wiki: How to fix a broken repo?.

Since I was still interested in finding out how to resurrect it, just in case this happens at a time the backups do not go back far enough, I tried the steps below.

The very first fixing step is to ensure you can quickly restore things, or even better: operate on a copy of the broken pieces. On Windows, robocopy /mir is my friend for this; on Linux, rsync -avloz (although on some systems, -z crashes).

TL;DR from the fixing steps

Find out what problems you have, and in which order to fix them. Otherwise you will break more stuff and take longer to fix it.

In this case, two things failed: one on the git side, and one on the git svn side. Since git svn depends on git, the best approach is to fix the git problem first, then the git svn thing.

Fixing this manually try 1

Read the rest of this entry »

Posted in CertUtil, Development, DVCS - Distributed Version Control, git, Hashing, md5, Power User, Security, SHA, SHA-1, SHA-256, SHA-512, Software Development, Source Code Management, Subversion/SVN, Windows

Time to look back at the Spectre vulnerabilities.

Posted by jpluimers on 2020/07/07

About 2 years ago, over the course of almost a year, many Spectre vulnerabilities were found.

In November 2018, this led many people to disable Hyper Threading: [WayBack] STIBP by default.. Revert?

This is a reminder to self to look back at Spectre to get a better historic feel for it.

Via: [WayBack] Work is being done on the Linux Kernel mailing list about further exploits of the Spectre Family of Exploits. The mitigations are bad – basically, you c… – Kristian Köhntopp – Google+

–jeroen

Posted in Development, Power User, Security, Software Development

Cipher: a command-line tool to decrypt/encrypt files and directories (even recursively) on Windows

Posted by jpluimers on 2020/07/03

A while ago, I had to mass encrypt a lot of directories and files on Windows for some directories in an existing directory structure.

This helped me to find out which ones were already done (it lists all encrypted files on all drives; the /n ensures the files or encryption keys are not altered):

cipher.exe /u /n /h

This encrypted recursively in one directory B:\Directory:

cipher /E /S:B:\Directory /A

It also has options to wipe data (/W), export keys into transferable files (/X) and many more.

If you prefer to use the Windows Explorer to encrypt/decrypt (it is a tedious process): [WayBack] How do I encrypt/decrypt a file? | IT Pro.

Via:

–jeroen

Posted in Encryption, NTFS, Power User, Security, Windows

Just as “curl | sudo sh is not advised”, do not impose running http based scripts in your customers’ IDE

Posted by jpluimers on 2020/06/30

For a long time, the advice has been not to use curl | sudo sh or equivalent:

  • [WayBack] why using curl | sudo sh is not advised? – Stack Overflow

    Because you are giving root access to whatever script you are executing. It can do a wide variety of nasty things.

  • [WayBack] The Security Spectrum of curl | sh

    By far the most irresponsible use of curl | sh is to use it with plain, unauthenticated, insecure HTTP instead of HTTPS. This is because it’s not only possible, but also increasingly likely, that the connection over which the shell script is delivered could have its contents silently modified by anyone in network position between the vendor and the installer—especially if you’re using public Wi-Fi. (If you don’t believe this is a real risk, consider that some companies’ business models revolve around modifying JavaScript delivered over HTTP in-transit—and anyone can hijack Wi-Fi with inexpensive, easy-to-obtain devices.)

So I’m surprised that companies still run content – including JavaScript – over an insecure http transport channel in their customers’ IDE instances.

Many developers run their IDE as Administrator, but even as a regular user this is a large security risk: the transport layer is the easiest to hack and will eventually be hacked.

One such occasion was [WayBack] Delphi 10.2.3: Tools > Options Click OK = Script Error I have another weird situation with Delphi 10.2.3. Anytime I open up the options and click OK I … – Michael Riley – Google+ .

That one actually showed the script executed, but normally you do not see it happening at all.

So my advice:

Run the web-traffic from your development machines over a web-proxy like HTTP Fiddler, then disable all http based scripts.

–jeroen

Line 73: https://gist.github.com/jpluimers/40a60ca1e07bb91fa337ecfebe314d64#file-cf-common-js-L73

Read the rest of this entry »

Posted in Development, Power User, Security, Software Development

Hardening: sshd_config – How to configure the OpenSSH server | SSH.COM

Posted by jpluimers on 2020/06/05

If you want to harden your ssh server, read at least [WayBack] sshd_config – How to configure the OpenSSH server | SSH.COM.

After that, use some ssh tools to check your config from the outside world. They work in a similar way to the TLS/SSL/https scans from SSL Server Test (Powered by Qualys SSL Labs) or these console based scans and documentation references:

Similarly for SSH:

Then read further on more in depth SSH topics around key management:

–jeroen

 

Posted in Encryption, Hashing, https, HTTPS/TLS security, OpenSSL, Power User, Security, testssl.sh

Expect your sites to be accessed over https and ensure your certificates match

Posted by jpluimers on 2020/05/22

Over the last lustrum, there has been a steady increase in https usage. It crossed the 30% mark early 2016, the 50% mark early 2017 and the 80% mark early 2018; even the https-by-default configuration is now pretty large:

Ever since 2012, but especially with the increased HTTPS adoption, you can expect more and more users to run plugins like HTTPS Everywhere – Wikipedia which switch a request from insecure http to secure https.

Read the rest of this entry »

Posted in Encryption, HTTPS/TLS security, Let's Encrypt (letsencrypt/certbot), Power User, Security

On my list of things to try: GitHub – arthepsy/ssh-audit; SSH server auditing

Posted by jpluimers on 2020/05/18

This looks like an ssh equivalent to testssl.sh: [WayBack] GitHub – arthepsy/ssh-audit: SSH server auditing (banner, key exchange, encryption, mac, compression, compatibility, security, etc).

It is on my list of things to try, so I’ve put a watch on the repository changes.

–jeroen

Read the rest of this entry »

Posted in Communications Development, Development, Encryption, Internet protocol suite, Power User, Security, SSH, TCP

Exploits Database by Offensive Security

Posted by jpluimers on 2020/05/11

Interesting to monitor (it has a nice RSS feed!) so you can ensure your systems get patched sooner rather than later:

The Exploit Database – Exploits, Shellcode, 0days, Remote Exploits, Local Exploits, Web Apps, Vulnerability Reports, Security Articles, Tutorials and more.

–jeroen

Posted in Power User, Security

SSH through HTTPS

Posted by jpluimers on 2020/05/04

Often, hotspots only allow http/https traffic. Other traffic – like SSH – is blocked. Nowadays, fewer hotspots block that, but too many still do.

So it can be worthwhile to route your SSH server through HTTPS (I don’t like Web-based SSH that much as terminal emulation in browsers isn’t that good yet, but that seems to change rapidly; more on that in the “Further reading” section below).

After some background reading at apache – Tunnel over HTTPS – Stack Overflow, here are a few links that help you do it:

Server side: DAG: Tunneling SSH over HTTP(S).

You need:

  • An internet connected Apache server (eg. with IP address 10.1.2.3)
  • A FQDN that points to this IP address (eg. ssh.yourdomain.com)
  • A virtual host configuration in Apache for this domain (eg. /etc/httpd/conf.d/ssh.yourdomain.com.conf)
  • A configuration to adapt ssh to use the HTTP tunnel

Read more at DAG: Tunneling SSH over HTTP(S) and SSH over SSL, a quick and minimal config.

Client side: Using SSH over the HTTPS port · GitHub Help.

Steps:

  1. Test if it works at all
  2. Edit your local ~/.ssh/config file to redirect SSH to HTTPS

Read more at Using SSH over the HTTPS port · GitHub Help.

Using Putty and an HTTP proxy to ssh anywhere through firewalls | Me in IT.

the Digital me: SSH Tunneling Proxy using Putty on Windows and Linux (Unblock YouTube / Orkut / Facebook).

Tunneling SSH through HTTP proxies using HTTP Connect – ArchWiki.

HTTP Tunneling – ArchWiki.

Running SSHD on port 443.

Not all proxy configurations and hotspots support this. But it might be worth a look: SSH Over Proxy.

Further reading: Web-based SSH.

SSH plugins for browsers:

Web based SSH:

–jeroen

Posted in Communications Development, Development, Encryption, HTTP, https, HTTPS/TLS security, Internet protocol suite, Power User, Security, SSH, TCP