The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests

  • My badges

    Mastodon

  • Twitter Updates

  • My Flickr Stream

    20140508-Delphi-2007--Project-Options--Cannot-Edit-Application-Title-HelpFile-Icon-Theming20140430-Fiddler-Filter-Actions-Button-Run-Filterset-now20140424-VMware-Fusion-6.0.3.-no-reclaimable
    More Photos

  • Pages

  • All categories

  • Enter your email address to subscribe to this blog and receive notifications of new posts by email.

    Join 1,839 other subscribers

Archive for the ‘Security’ Category

« Previous Entries
Next Entries »

Government & Govt Owned – Netherlands – Phishing Scorecard

Posted by jpluimers on 2019/07/12

The archive is of late 2017; I wonder what the state is now: [WaybackGovernment & Govt Owned – Netherlands – Phishing Scorecard

This Phishing Scorecard is the current situation of the security of e-mail stream banks compared. If a bank is one of the technical building blocks to implement in their e-mail security the red cross will be a green check mark. Once a bank’s security policy has only green check marks will stand up and protect them 40% of their customers.

–jeroen

Via: [WayBack‘Mailservers Tweede Kamer missen beveiliging tegen e-mailspoofing’ – update – IT Pro – Nieuws – Tweakers

De mailservers van de Tweede Kamer missen beveiligingsmaatregelen die e-mailspoofing tegen moeten gaan, waardoor het mogelijk is om uit naam van politici e-mails te versturen. Dat blijkt uit een onderzoek van Follow the Money.

Posted in Power User, Security | Leave a Comment »

Some links about the TCP SACK PANIC attacks on Linux and FreeBSD Kernels

Posted by jpluimers on 2019/06/20

The TCP SACK vulnerabilities as found by Netflix: [WayBack] security-bulletins/2019-001.md at master · Netflix/security-bulletins · GitHub.

Easy, but slow workaround from [WayBack] linux – How to disable TCP SACK for CentOS? – Super User:

Temporary (until boot):

echo "0" > /proc/sys/net/ipv4/tcp_sack

Permanent (even after boot):

echo "net.ipv4.tcp_sack = 0" >> /etc/sysctl.conf
sysctl -p

Coverage:

–jeroen

Posted in *nix, *nix-tools, Communications Development, Development, Internet protocol suite, Power User, Security, TCP | Leave a Comment »

The Absurdly Underestimated Dangers of CSV Injection in Excel

Posted by jpluimers on 2019/06/14

Reminder to self: see if this is till a thing in spreadsheet applications: [WayBackThe Absurdly Underestimated Dangers of CSV Injection.

That 7 was "=2+5" in the CSV, but it got much worse.

–jeroen

via: [WayBack] The Absurdly Underestimated Dangers of CSV Injection #Security – ThisIsWhyICode – Google+

Posted in Power User, Security | Leave a Comment »

JWT authentication with Delphi

Posted by jpluimers on 2019/06/11

Nice articles on OAuth2, JWT and other authentication mechanisms:

via [WayBack] Ondrej Kelle – Google+

–jeroen

Posted in Authentication, Delphi, Development, Power User, Security, Software Development | Leave a Comment »

Time capsule opening ceremony today at MIT’s Stata Center after programmers solve MIT’s 20-year-old cryptographic puzzle | MIT CSAIL

Posted by jpluimers on 2019/05/15

[WayBack] Programmers solve MIT’s 20-year-old cryptographic puzzle | MIT CSAIL:

The capsule ceremony will happen Wednesday, May 15 at 4 p.m. at MIT’s Stata Center.

Cool work, with a very cool challenge.

Via/related:

  • a

–jeroen

Posted in Development, Power User, Security, Software Development | Leave a Comment »

Do not blur, but do randomly add noise or move pixels – Censoring image in GIMP – Graphic Design Stack Exchange

Posted by jpluimers on 2019/05/03

Blurring is like a hash function: it cannot be undone, but with enough plain text to blur examples, you can reconstruct the plain text: [WayBack] Why blurring sensitive information is a bad idea | dheera.net | Dheera Venkatraman’s web site

As an alternative, randomly add noise or move pixels. I used  [WayBack] Censoring image in GIMP – Graphic Design Stack Exchange. For the example on the right, I used “Filters → Noise → Spread” from the Stack Exchange answer.

With enough randomness, it is much harder to construct plain/hash combinations.

–jeroen

Posted in Image Editing, LifeHacker, Power User, Security, The Gimp | Leave a Comment »

Keep a Changelog

Posted by jpluimers on 2019/03/20

Lot’s of tips (and translations!) on how to Keep a Changelog [WayBack].

There are lots of useful tips, ranging from content (how to write, what to include) to technicalities (order of entries, unreleased, version numbering, date format) that might seem unimportant but in practice makes using the changelog.

The really cool thing: the site has a changelog of itself showing the best practices.

via:

–jeroen

Posted in Development, Documentation Development, Encryption, Let's Encrypt (letsencrypt/certbot), Security, Software Development | Leave a Comment »

openssl: checking out RSA private key files in .rsa and .pem format

Posted by jpluimers on 2019/03/19

While checking out an issue with the SSH server for ContinuaCI issue (see info below), I wanted to look at the files leading to the issue: .pem and .rsa files with the private key for the SSH server.

So I browsed through my series of openssl related articles to see if I already had made a script better explaining the cryptic openssl command-line parameters. I didn’t have it yet, but it turned out to be really simple:

C:\ProgramData\VSoft\ContinuaCI\SSHD>"C:\Program Files (x86)\Git\usr\bin\openssl.exe" rsa -in server_keypair.rsa
writing RSA key
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
C:\ProgramData\VSoft\ContinuaCI\SSHD>"C:\Program Files (x86)\Git\usr\bin\openssl.exe" rsa -in server_keypair.rsa -text
Private-Key: (1024 bit)
modulus:
    ..:..:..:.....
publicExponent: 35 (0x23)
privateExponent:
    ..:..:..:.....
prime1:
    ..:..:..:.....
prime2:
    ..:..:..:.....
exponent1:
    ..:..:..:.....
exponent2:
    ..:..:..:.....
coefficient:
    ..:..:..:.....
writing RSA key
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
C:\ProgramData\VSoft\ContinuaCI\SSHD>"C:\Program Files (x86)\Git\usr\bin\openssl.exe" rsa -in server_keypair.pem
Enter pass phrase for server_keypair.pem:
unable to load Private Key
2675996:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:529:
2675996:error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error:p12_decr.c:108:
2675996:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:p12_decr.c:139:
2675996:error:0907B00D:PEM routines:PEM_READ_BIO_PRIVATEKEY:ASN1 lib:pem_pkey.c:141:
C:\ProgramData\VSoft\ContinuaCI\SSHD>"C:\Program Files (x86)\Git\usr\bin\openssl.exe" rsa -in server_keypair.pem -passin pass:password
unable to load Private Key
2675996:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:529:
2675996:error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error:p12_decr.c:108:
2675996:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:p12_decr.c:139:
2675996:error:0907B00D:PEM routines:PEM_READ_BIO_PRIVATEKEY:ASN1 lib:pem_pkey.c:141:

The command-lines use the [WayBack]rsa tool with:

  • the -in parameter
  • (for the first file) the -text parameter to dump it into human readable form
  • (for the second file) the -passin parameter with a [WayBackpass phrase argument pass:password.

The server_keypair.pem file (having the header -----BEGIN ENCRYPTED PRIVATE KEY----- and footer -----END ENCRYPTED PRIVATE KEY-----) was a password protected RSA private key where somehow ContinuaCI had the wrong password for.

I’m not sure it’s a good idea that the server_keypair.pem file has not password at all.

Read the rest of this entry »

Posted in Continua CI, Continuous Integration, Development, OpenSSL, Power User, Security, Software Development | Leave a Comment »

{Updated} Linux server security checklist. #sysadmin 

Posted by jpluimers on 2019/03/11

Most tips are OK, but:

  1. for password related policies, please read these:
  2. If you do DNS, implement DNSSEC
  3. I think ipv6 is OK, but like ipv4 needs to be firewalled
  4. Be really careful with fail2ban and similar tools: they are easy ways to lock yourself out as well, for instance by someone doing a nice (D)DoS on you.

Tips: [WayBack40 Linux Server Hardening Security Tips [2017 edition] – nixCraft

Via:

–jeroen

Posted in *nix, *nix-tools, Encryption, Let's Encrypt (letsencrypt/certbot), Power User, Security | Leave a Comment »

Installing Let’s Encrypt Free SSL/TLS Certificate in 2 Minutes with Certbot, Spending Hours Making it Work with Cloudflare

Posted by jpluimers on 2019/03/06

If I ever need to get LetsEncrypt to work with CloudFlare, then I need to read [WayBackInstalling Let’s Encrypt Free SSL/TLS Certificate in 2 Minutes with Certbot, Spending Hours Making it Work with Cloudflare

The steps there should save me hours.

Via [WayBcack] Free Let’s Encrypt SSL/TLS certificates are even easier to install than self-signed certificates. I could do so in 2 minutes in my +Linode … – Jean-Luc Aufranc – Google+.

–jeroen

Posted in Encryption, Let's Encrypt (letsencrypt/certbot), Power User, Security | Leave a Comment »

« Previous Entries
Next Entries »