The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests

  • My badges

    Mastodon

  • Twitter Updates

  • My Flickr Stream

    20140508-Delphi-2007--Project-Options--Cannot-Edit-Application-Title-HelpFile-Icon-Theming20140430-Fiddler-Filter-Actions-Button-Run-Filterset-now20140424-VMware-Fusion-6.0.3.-no-reclaimable
    More Photos

  • Pages

  • All categories

  • Enter your email address to subscribe to this blog and receive notifications of new posts by email.

    Join 1,854 other subscribers

Archive for the ‘Security’ Category

« Previous Entries
Next Entries »

There are still sites limiting password lengt to low values like 20 or 15. Don’t!

Posted by jpluimers on 2019/08/26

There are still sites limiting password lengt to low values like 20 or 15. Don’t!

The why at [WayBackImplement Proper Password Strength Controls: Password Length has been in place since October 2012, since when cracking passwords has become way faster, so risk at length 20 back then is now a risk at something like length 40.

Password Length

Longer passwords provide a greater combination of characters and consequently make it more difficult for an attacker to guess.

  • Minimum length of the passwords should be enforced by the application.
    • Passwords shorter than 10 characters are considered to be weak (NIST SP800-132).

While minimum length enforcement may cause problems with memorizing passwords among some users, applications should encourage them to set passphrases (sentences or combination of words) that can be much longer than typical passwords and yet much easier to remember.

  • Maximum password length should not be set too low, as it will prevent users from creating passphrases. Typical maximum length is 128 characters.
    • Passphrases shorter than 20 characters are usually considered weak if they only consist of lower case Latin characters.

–jeroen

via:

 

Posted in LifeHacker, Power User, Security | Leave a Comment »

CAA Mandated by CA/Browser Forum | Qualys Blog

Posted by jpluimers on 2019/07/22

[WayBack] CAA Mandated by CA/Browser Forum | Qualys Blog

Certification Authority Authorization (CAA), specified in RFC 6844 in 2013, is a proposal to improve the strength of the PKI ecosystem with a new control to restrict which CAs can issue certificates…

Related:

–jeroen

Posted in Conference Topics, Conferences, DNS, Encryption, Event, HTTPS/TLS security, Internet, Power User, Security | Leave a Comment »

UPC Cable Modem / Ziggo Connect Box / Compal CH7465LG · Issue #122 · reverse-shell/routersploit

Posted by jpluimers on 2019/07/22

I wonder if this one is still exploitable: UPC Cable Modem / Ziggo Connect Box / Compal CH7465LG · Issue #122 · reverse-shell/routersploit

–jeroen

Posted in Power User, Security | Leave a Comment »

Government & Govt Owned – Netherlands – Phishing Scorecard

Posted by jpluimers on 2019/07/12

The archive is of late 2017; I wonder what the state is now: [WaybackGovernment & Govt Owned – Netherlands – Phishing Scorecard

This Phishing Scorecard is the current situation of the security of e-mail stream banks compared. If a bank is one of the technical building blocks to implement in their e-mail security the red cross will be a green check mark. Once a bank’s security policy has only green check marks will stand up and protect them 40% of their customers.

–jeroen

Via: [WayBack‘Mailservers Tweede Kamer missen beveiliging tegen e-mailspoofing’ – update – IT Pro – Nieuws – Tweakers

De mailservers van de Tweede Kamer missen beveiligingsmaatregelen die e-mailspoofing tegen moeten gaan, waardoor het mogelijk is om uit naam van politici e-mails te versturen. Dat blijkt uit een onderzoek van Follow the Money.

Posted in Power User, Security | Leave a Comment »

Some links about the TCP SACK PANIC attacks on Linux and FreeBSD Kernels

Posted by jpluimers on 2019/06/20

The TCP SACK vulnerabilities as found by Netflix: [WayBack] security-bulletins/2019-001.md at master · Netflix/security-bulletins · GitHub.

Easy, but slow workaround from [WayBack] linux – How to disable TCP SACK for CentOS? – Super User:

Temporary (until boot):

echo "0" > /proc/sys/net/ipv4/tcp_sack

Permanent (even after boot):

echo "net.ipv4.tcp_sack = 0" >> /etc/sysctl.conf
sysctl -p

Coverage:

–jeroen

Posted in *nix, *nix-tools, Communications Development, Development, Internet protocol suite, Power User, Security, TCP | Leave a Comment »

The Absurdly Underestimated Dangers of CSV Injection in Excel

Posted by jpluimers on 2019/06/14

Reminder to self: see if this is till a thing in spreadsheet applications: [WayBackThe Absurdly Underestimated Dangers of CSV Injection.

That 7 was "=2+5" in the CSV, but it got much worse.

–jeroen

via: [WayBack] The Absurdly Underestimated Dangers of CSV Injection #Security – ThisIsWhyICode – Google+

Posted in Power User, Security | Leave a Comment »

JWT authentication with Delphi

Posted by jpluimers on 2019/06/11

Nice articles on OAuth2, JWT and other authentication mechanisms:

via [WayBack] Ondrej Kelle – Google+

–jeroen

Posted in Authentication, Delphi, Development, Power User, Security, Software Development | Leave a Comment »

Time capsule opening ceremony today at MIT’s Stata Center after programmers solve MIT’s 20-year-old cryptographic puzzle | MIT CSAIL

Posted by jpluimers on 2019/05/15

[WayBack] Programmers solve MIT’s 20-year-old cryptographic puzzle | MIT CSAIL:

The capsule ceremony will happen Wednesday, May 15 at 4 p.m. at MIT’s Stata Center.

Cool work, with a very cool challenge.

Via/related:

  • a

–jeroen

Posted in Development, Power User, Security, Software Development | Leave a Comment »

Do not blur, but do randomly add noise or move pixels – Censoring image in GIMP – Graphic Design Stack Exchange

Posted by jpluimers on 2019/05/03

Blurring is like a hash function: it cannot be undone, but with enough plain text to blur examples, you can reconstruct the plain text: [WayBack] Why blurring sensitive information is a bad idea | dheera.net | Dheera Venkatraman’s web site

As an alternative, randomly add noise or move pixels. I used  [WayBack] Censoring image in GIMP – Graphic Design Stack Exchange. For the example on the right, I used “Filters → Noise → Spread” from the Stack Exchange answer.

With enough randomness, it is much harder to construct plain/hash combinations.

–jeroen

Posted in Image Editing, LifeHacker, Power User, Security, The Gimp | Leave a Comment »

Keep a Changelog

Posted by jpluimers on 2019/03/20

Lot’s of tips (and translations!) on how to Keep a Changelog [WayBack].

There are lots of useful tips, ranging from content (how to write, what to include) to technicalities (order of entries, unreleased, version numbering, date format) that might seem unimportant but in practice makes using the changelog.

The really cool thing: the site has a changelog of itself showing the best practices.

via:

–jeroen

Posted in Development, Documentation Development, Encryption, Let's Encrypt (letsencrypt/certbot), Security, Software Development | Leave a Comment »

« Previous Entries
Next Entries »