The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests

  • My badges

    Mastodon

  • Twitter Updates

  • Pages

  • All categories

  • Enter your email address to subscribe to this blog and receive notifications of new posts by email.

    Join 1,854 other subscribers

Archive for the ‘Security’ Category

« Previous Entries
Next Entries »

Tools for TCP tunnels over HTTP/HTTPS

Posted by jpluimers on 2019/01/16

With the advent of WebSockets, it looks like TCP tunnels over HTTP/HTTPS are gaining more ground and I need to put some research time in them.

Some old to new links:

CONNECT requests are not supported by many HTTP proxies, especially in larger organisations, so chisel and crowbar have a much bigger chance there.

And of course there is SoftEtherVPN/SoftEtherVPN: A Free Cross-platform Multi-protocol VPN Software. * For support, troubleshooting and feature requests we have http://www.vpnusers.com/. For critical vulnerability please email us. (mail address is on the header.).

However, that is a VPN solution which is much broader than just a single TCP tunnel. You can so similar things with OpenVPN, but over HTTP/HTTPS, also requires CONNECT:

SoftEtherVPN seems to be more versatile though. I blogged about that before, but back then didn’t have needs for it yet. VPN over HTTPS: Ultimate Powerful VPN Connectivity – SoftEther VPN Project.

–jeroen

via: [WayBackVPN through only http – Server Fault answer by [WayBack] neutrinus

Posted in Communications Development, Development, HTTP, https, Internet protocol suite, Network-and-equipment, OpenVPN, Power User, TCP, VPN, WebSockets, Windows-Http-Proxy | Leave a Comment »

Top 25 Most Dangerous Programming Mistakes

Posted by jpluimers on 2019/01/15

10 years after the publication of the [WayBack] Top 25 Most Dangerous Programming Mistakes, the list for me is still the same.

You can see this from the CWE/SANS revisions: 1.0 in 2009 until 1.0.3 in 2011: not much changed.

Via: [WayBack] Top 25 Most Dangerous Programming Mistakes (2009) – Lars Fosdal – Google+

–jeroen

Posted in Development, Power User, Security, Software Development | Leave a Comment »

oath-toolkit / oath-toolkit · GitLab

Posted by jpluimers on 2019/01/15

Interesting library with ditto command-line tools: [Wayback/Archive] oath-toolkit / oath-toolkit · GitLab.

It allows you to perform all sorts of OAUTH operations from your code or terminal window including generation and verification of OAUTH tokens through [WayBackOATHTOOL.

Which allows you to do TOTP “zero fucktor” authentication. [WayBack/Archive] Zero Fucktor Authentication – Kristian Köhntopp – Google+: [WayBackZero Factor Authentication – The Isoblog.

The project has it’s home at [WayBackOATH Toolkit, but the repository has done some traveling and for now ended up at GitLab: [Wayback/Archiveoath-toolkit / oath-toolkit together with the web-site source [Wayback/Archive] oath-toolkit / website.

Edit 20230917

Read the rest of this entry »

Posted in Development, Power User, Security, Software Development | Leave a Comment »

If parts of your letsencrypt renewals succeed and others give you “urn:acme:error:connection” then just retry

Posted by jpluimers on 2018/12/10

On the same server, part of my letsencrypt renewals worked fine, while others had an error like this:

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/spring4d.4delphi.com.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for spring4d.4delphi.com
Waiting for verification...
Cleaning up challenges
Attempting to renew cert from /etc/letsencrypt/renewal/spring4d.4delphi.com.conf produced an unexpected error: Failed authorization procedure. spring4d.4delphi.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Error getting validation data. Skipping.
...
 - The following errors were reported by the server:

   Domain: spring4d.4delphi.com
   Type:   connection
   Detail: Error getting validation data

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.

A retry worked fine:

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/spring4d.4delphi.com.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for spring4d.4delphi.com
Waiting for verification...
Cleaning up challenges
...
The following certs were successfully renewed:
  /etc/letsencrypt/live/spring4d.4delphi.com/fullchain.pem (success)

–jeroen

Posted in Encryption, Let's Encrypt (letsencrypt/certbot), Power User, Security | Leave a Comment »

VirusTotal: Avira marks a Delphi built executable als false positive

Posted by jpluimers on 2018/12/06

Found out yesterday that Avira marks one of many Delphi 10.1 built executables as false positive; submitted, but VirusTotal shows it as false positive:

Related:

I think it was Avira too that interfered with my Delphi IDE compiling Delphi applications, especially resource compilation:

–jeroen

Read the rest of this entry »

Posted in Delphi, Development, Security, Software Development | 4 Comments »

Update NOW! CVE-2018-1002105, with root access. ​Kubernetes’ first major security hole discovered | ZDNet

Posted by jpluimers on 2018/12/04

From [WayBack] ​Kubernetes’ first major security hole discovered | ZDNet in reverse order:

Fortunately, there is a fix, but some of you aren’t going to like it. You must upgrade Kubernetes. Now. Specifically, there are patched version of Kubernetes [WayBackv1.10.11,  [WayBack] v1.11.5, [WayBackv1.12.3, and [WayBackv1.13.0-rc.1.

[WayBack] Red Hat said, “The privilege escalation flaw makes it possible for any user to gain full administrator privileges on any compute node being run in a Kubernetes pod. [WayBackThis is a big deal. Not only can this actor steal sensitive data or inject malicious code, but they can also bring down production applications and services from within an organization’s firewall.”

And the bug, [WayBackCVE-2018-1002105, aka the Kubernetes privilege escalation flaw, is a doozy. It’s a [WayBackCVSS 9.8 critical security hole.

Via [WayBack] ​Kubernetes’ first major security hole discovered | ZDNet – Ondrej Kelle – Google+

–jeroen

Posted in Cloud, Containers, Docker, Infrastructure, Kubernetes (k8n), Power User, Security | Leave a Comment »

New official Embarcadero forums online http://community.idera.com/devel- initially only had non-TLS http URLs

Posted by jpluimers on 2018/11/23

If you are not a company good at infrastructure, then do not start hosting new things yourself. This is why I like the DelphiPraxis forums (both English and German), as they really know what they are doing.

Of course, forums never have all the features in a way that each user wants, but DelphiPraxis is secure, has well maintained and public moderators, and a history if quality posts.

But the G+ group did move there for a reason (: [WayBack] We have moved to https://en.delphipraxis.net ! Starting January 1st, 2019 – the G+ Delphi Developers Community will be closed for new posts and new mem… – Lars Fosdal – Google+

After a long series of goofing around with infrastructure (old forums, new forums, now newer forums, years of TLS trouble, selling software or which the infrastructure has been down for a long time), last week, finally they had the [WayBack] New official Embarcadero forums online http://community.idera.com/developer-tools/ The sign-up/login is a bit prickly at first, so keep your login name… – Lars Fosdal – Google+.

The announcement already has a the catch in the title: initially they were http only, so totally insecure for your logon data. They could have easily circumvented that by deploying some LetsEncrypt renewal, for instance the commercial one in Delphi ([WayBack] Execute’s Online Store), of which this is a demo: [WayBackGitHub – tothpaul/LetsEncryptDelphi: Let’s Encrypt component for Delphi Tokyo 10.2.3

I have not added them to embarcaderomonitoring.wiert.me, as they are now on the Idera.com domain, so I will likely start a special monitoring page for those subdomains.

–jeroen

Posted in Delphi, Development, Power User, Security, Software Development | Leave a Comment »

This two-year-old X.org give-me-root hole is so trivial to exploit, you can fit it in a single tweet • The Register

Posted by jpluimers on 2018/11/02

If you run X.org, then patch now because of [WayBack] This two-year-old X.org give-me-root hole is so trivial to exploit, you can fit it in a single tweet • The Register

Overwrite arbitrary files? Load arbitrary code? As setuid root? Sure, why not!

This one got introduced in 2016, which is a lot more recent than an issue discovered in 2014 that was “ancient”: [WayBack] ‘Critical’ security bugs dating back to 1987 found in X Window • The Register:

27-year-old flaw and others slain in open-source patch batch

Via eXploit X: Give Me Root” – Computerphile

–jeroen

Read the rest of this entry »

Posted in History, Power User, Security | Leave a Comment »

GitHub – yandex/gixy: Nginx configuration static analyzer

Posted by jpluimers on 2018/10/26

[WayBack] GitHub – yandex/gixy: Nginx configuration static analyzer

Gixy is a tool to analyze Nginx configuration. The main goal of Gixy is to prevent security misconfiguration and automate flaw detection.

Right now Gixy can find:

You can find things that Gixy is learning to detect at Issues labeled with “new plugin”

This helps you prevent an nginx configuration issue that can server too many static content by using ../ in the web request which got a lot of attention last week, but was in fact already found during 2016 HCTF by Aklis, and presented by Orange Tsai (twitter/github/blog) various times in 2018, including [WayBack] hack.lu 2018.

.

Related:

–jeroen

Read the rest of this entry »

Posted in *nix, DevOps, nginx, Power User, Security | Leave a Comment »

Doctors disabled wireless in Dick Cheney’s pacemaker to thwart hacking – Naked Security

Posted by jpluimers on 2018/10/22

Medical devices are still vulnerable, five years after this became public:

Former US Vice President Dick Cheney’s doctors disabled his pacemaker’s wireless capabilities to thwart possible assassination attempts, he said in an interview with CBS’s ̶…

[WayBackDoctors disabled wireless in Dick Cheney’s pacemaker to thwart hacking – Naked Security

I knew they were, but never realised Dick Cheney had a modified one implanted.

Some people are more equal to others…

via: the below video “Freedom In My Heart And Everywhere” from the linux.conf.au 2012 Keynote by Karen Sandler.

–jeroen

Read the rest of this entry »

Posted in Development, Open Source, Power User, Security, Software Development | Leave a Comment »

« Previous Entries
Next Entries »