The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests

  • My badges

    Mastodon

  • Twitter Updates

  • Pages

  • All categories

  • Enter your email address to subscribe to this blog and receive notifications of new posts by email.

    Join 1,854 other subscribers

Archive for the ‘Security’ Category

« Previous Entries
Next Entries »

Some links on encrypting configuration files or sections

Posted by jpluimers on 2018/10/18

All encryption comes down to a combination of key management and tooling.

With more and more communication projects going on, encryption of the secrets (passwords, API keys, etc) in configuration files, especially the ones that might end up in (sometimes public) repositories will need my attention some day.

My gut feeling is that an asymmetric solution might work best for these kinds of problems.

Here are some links:

–jeroen

Posted in Development, Encryption, Security, Software Development | Leave a Comment »

Do change your underwear often, but not your passwords. Keep both of your desk and do not share them with anyone.

Posted by jpluimers on 2018/09/18

Maastricht University got 2 out of 3: [WayBack] https://twitter.com/ml2mst/status/1030626908629811200 – Jeroen Wiert Pluimers – Google+

–jeroen

via [WayBack] Marti van Lin 🇳🇱 🇮🇱 on Twitter : “Some useful advice from @MaastrichtU #Security #passwords #computerintelligence 😂😂😂 cc: @nixcraft… “

https://twitter.com/ml2mst/status/1030626908629811200

 

Posted in Power User, Security | Leave a Comment »

Some interesting presentations by Arjen Kamphuis

Posted by jpluimers on 2018/09/17

The missing of [WayBackArjen Kamphuis (@ArjenKamphuis) | Twitter, made me revisit some of his past videos. In addition, I made the list quite a bit longer, as I was not aware he made so many presentations.

Many, but not all, of these videos are listed no YouTube video channel of Arjen Kamphuis.

Be sure to read the book Information Security for Journalists – Gendo he co-authored with Silkie Carlo.

–jeroen

 

Posted in Power User, Security | Leave a Comment »

Privacy Badger was blocking fsdn.com CDN domains

Posted by jpluimers on 2018/09/14

Not sure why Privacy Badger blocked both fsdn.com and a.fsdn.com (if someone knows how to find that out: please let me know), but these are CDN domains are used by Slashdot and sf.net, so I have put a.fsdn.com from red to yellow (no cookies).

I have not unblocked s.fsdn.com, which redirects to sourceforge.net over TLS.

Related:

–jeroen

Read the rest of this entry »

Posted in Internet, Power User, Security | Leave a Comment »

https://altd.embarcadero.com/ TLS certificate does not match domain name

Posted by jpluimers on 2018/09/07

One of the domains not yet monitored at embarcaderomonitoring.wiert.me, was the altd download server for ISOs and installers on http and https level. Ultimately you want https, as most of these are about installers, so you do not want any man-in-the-middle to fiddle with them.

TLS on altd fails

Upitmerobot is not yet smart enough to check validity of TLS certificates on https connections.

Chrome, Firefox, Safari, Internet Explorer, wget, curl and ssllabs however are.

altd hides as much from itself as possible

Uptimerobot did not like monitoring the plain http://altd.embarcadero.com/ and https://altd.embarcadero.com/ URLs, because the altd is not browsable, so it tries to hide most of its structure from access. This means they both return an odd response:

Those responses are actually 404 errors (note the - minus sign after curl --trace-ascii: it sends the trace to stdout):

$ wget http://altd.embarcadero.com/
--2018-09-05 10:44:23-- http://altd.embarcadero.com/
Resolving altd.embarcadero.com (altd.embarcadero.com)... 88.221.144.40, 88.221.144.10
Connecting to altd.embarcadero.com (altd.embarcadero.com)|88.221.144.40|:80... connected.
HTTP request sent, awaiting response... 404 Not Found
2018-09-05 10:44:23 ERROR 404: Not Found.

$ curl --verbose http://altd.embarcadero.com/
*   Trying 88.221.144.40...
* TCP_NODELAY set
* Connected to altd.embarcadero.com (88.221.144.40) port 80 (#0)
> GET / HTTP/1.1
> Host: altd.embarcadero.com
> User-Agent: curl/7.54.0
> Accept: */*
> 
< HTTP/1.1 404 Not Found
< Server: Apache
< Content-Type: text/html; charset=iso-8859-1
< Content-Length: 16
< Date: Wed, 05 Sep 2018 08:45:57 GMT
< Connection: keep-alive
< 
* Connection #0 to host altd.embarcadero.com left intact
File not found."

$ curl --trace-ascii - http://altd.embarcadero.com/
== Info:   Trying 88.221.144.40...
== Info: TCP_NODELAY set
== Info: Connected to altd.embarcadero.com (88.221.144.40) port 80 (#0)
=> Send header, 84 bytes (0x54)
0000: GET / HTTP/1.1
0010: Host: altd.embarcadero.com
002c: User-Agent: curl/7.54.0
0045: Accept: */*
0052: 
<= Recv header, 24 bytes (0x18)
0000: HTTP/1.1 404 Not Found
<= Recv header, 16 bytes (0x10)
0000: Server: Apache
<= Recv header, 45 bytes (0x2d)
0000: Content-Type: text/html; charset=iso-8859-1
<= Recv header, 20 bytes (0x14)
0000: Content-Length: 16
<= Recv header, 37 bytes (0x25)
0000: Date: Wed, 05 Sep 2018 08:47:19 GMT
<= Recv header, 24 bytes (0x18)
0000: Connection: keep-alive
<= Recv header, 2 bytes (0x2)
0000: 
<= Recv data, 16 bytes (0x10)
0000: File not found."
File not found."== Info: Connection #0 to host altd.embarcadero.com left intact

This is also the reason that WayBack does not want to archive that link, but it can be archived at [Archive.ishttps://altd.embarcadero.com/.

Luckily, a Google search for site:altd.embarcadero.com revealed there is a non-installer file short enough (~72 kibibytes) for Uptime robot to check, so it now verifies it can access these:

–jeroen

Read the rest of this entry »

Posted in *nix, *nix-tools, cURL, Encryption, HTTPS/TLS security, Monitoring, Power User, Security, Uptimerobot, wget | Leave a Comment »

Nice thread starting on the current state of CAs promoting OV/EV instead of doing innovation, with many comments on how to properly use LetsEncrypt

Posted by jpluimers on 2018/08/24

[Archive.isThread by @sleevi_: “It’s a real shame that CAs have gotten so high off their own supply, that they’ve become blind to the real problems they cause by p… – Kristian Köhntopp – Google+

On CAs: [Archive.is] Thread by @sleevi_: “It’s a real shame that CAs have gotten so high off their own supply, that they’ve become blind to the real problems they cause by promoting OV/EV. It’s almost as if they believe that 1988 had all the solutions, and we’ve been declining since then. Example: Let’s say we accept that organizational identity is a valuable component. Coupling it to TLS is terrible, because it encourages all the bad practices we see – such as making it hard to obtain or automate certificates, discouraging key rotation, extending cert lifetime […]”

–jeroen

Twitter thread:

https://twitter.com/sleevi_/status/1012321195562237952

 

Posted in Encryption, Let's Encrypt (letsencrypt/certbot), Power User, Security | Leave a Comment »

Hack The Box :: Penetration Testing Labs

Posted by jpluimers on 2018/08/13

Cool playground:

An online platform to test and advance your skills in penetration testing and cyber security.

Source: Hack The Box :: Penetration Testing Labs

Via [WayBack] hackthebox – Penetration testing labs This is an amazing platform – super addictive! Hack The Box is an online platform al… – Jürgen Christoffel – Google+

–jeroen

Posted in LifeHacker, Power User, Security | Leave a Comment »

ngHttp2 and OpenSSL win32/i386/x86 and win64/x64_86 (a.k.a. x86_64) builds for Windows

Posted by jpluimers on 2018/08/08

[WayBack] ngHttp2 DLLs has a simple a version scheme. The build inside the Windows PHP distribution includes these version numbers. The TreadSafe versions work as plug in replacement for github.com/grijjy/DelphiScalableClientSockets/tree/master/Bin which is used by github.com/grijjy/GrijjyFoundation/blob/master/Grijjy.Http.pas#L11. You obtain them via [WayBack] PHP For Windows: Binaries and sources Releases; and at the time of writing these were the most recent versions:

[WayBack] OpenSSL DLLs has a much more complex version scheme, as they are numeric but OpenSSL releases are not.

  • DLLs have four numbers a.b.c.d
  • OpenSSL versions have three numbers and a letter a.b.c.x
  • The letter matches the fourth digit, though the ones marked with * have not been used yet:
    # letter # letter # letter # letter # letter remark
    1 a 6 f 11 k 16 p 21 u
    2 b 7 g 12 l 17 q 22 v *
    3 c 8 h 13 m 18 r 23 w *
    4 d 9 i 14 n 19 s 24 x *
    5 e 10 j 15 o 20 t 25 y *
    26 z *

[WayBack] Index of /SSL has “Pre-compiled Win32/64 libraries without external dependencies to the Microsoft Visual Studio Runtime DLLs, except for the system provided msvcrt.dll.”

These work no matter what development/deployment stacks you use (including a Visual Studio based stack).

The most recent version as of writing is 1.0.2o, which maps to 1.0.2.20 which contains libeay32.dll and ssleay32.dll for both the i386-win32 and x86_64-win64 build (not sure why they both use 32 in the name):

openssl-1.0.2o-i386-win32.zip
openssl-1.0.2o-x64_86-win64.zip which supports x86_64 as this site is about the only one using x64_86 in the name

Background reading:

These binaries are for instance used by (most of them are behind or far behind on the OpenSSL version):

  • Avira Antivirus
  • subversion
  • git mingw64
  • VMware Tools
  • Microsoft OneDrive
  • Delphi Indy communications library

Speaking of which: this is a recent Delphi wrapper around libeay32.dll: [WayBack] GitHub – lminuti/Delphi-OpenSSL: Delphi implementation of OpenSSL

–jeroen

Posted in Delphi, Development, OpenSSL, Power User, Security, Software Development | 2 Comments »

Hacking Articles,Ethical Hacking Training in Delhi,Metasploit Training

Posted by jpluimers on 2018/08/06

Nowadays, with tools like Metasploit and what tools leaked from the NSA and other agencies, it is so easy to hack a system even if it is almost up to date.

All the more reason to keep your systems fully patched all the time.

To get a Metasploit impression: [WayBackHacking Articles,Ethical Hacking Training in Delhi,Metasploit Training

–jeroen

via: [WayBack] I gotta find time to look at this… Joe C. Hecht – Google+

Posted in Power User, Security | Leave a Comment »

A cheat-sheet for password crackers

Posted by jpluimers on 2018/07/30

Interesting: [WayBackA cheat-sheet for password crackers

Via: [WayBackJoe C. Hecht – Google+

–jeroen

Posted in *nix, *nix-tools, Hashing, md5, Power User, Security, SHA, SHA-256, SHA-512 | Leave a Comment »

« Previous Entries
Next Entries »