The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests


Archive for the ‘Security’ Category

ACME TLS-SNI-01 validation disabled due to vulnerability – Incidents – Let’s Encrypt Community Support

Posted by jpluimers on 2018/01/11

Now that so many sites depend on LetsEncrypt: maybe it is time for a second one.

We’ve received a credible report of a problem with ACME TLS-SNI-01 validation which could allow people to get certificates they should not be able to get. While we investigate further we have disabled tls-sni-01 validation. We’ll post more information soon.

Source: [Archive.is] ACME TLS-SNI-01 validation disabled due to vulnerability – Incidents – Let’s Encrypt Community Support

–jeroen

Posted in Encryption, Let's Encrypt (letsencrypt/certbot), Power User, Security

SSLLabs security reports for some embarcadero subdomains

Posted by jpluimers on 2018/01/09

I hope this is a coincidence. Before Nick Hodges left, the TLS security of the various Embarcadero https servers was improved, most of them up from grade F. Now they might soon be grade F again.

Hopefully somebody in IT has time to take a renewed look as security needs constant attention.

I’ve only included a fraction of their sub-domains, as really this is a job for the Embarcadero IT department.

Posted in Encryption, HTTPS/TLS security, Power User, Security

1984 and (IT) (in)security – lots of Spectre / Meltdown links

Posted by jpluimers on 2018/01/07

Over the last few days I’ve collected a lot of Meltdown and Spectre links at 1984 and (IT) (in)security – Google+.

Most of them link to what happened this year, but a few cover the path that led to these vulnerabilities. In the links you will also find the affected architectures and the patches from various vendors, which I have tried to summarise below.

In the link collection I have tried to keep the number of hops to the actual sources as short as possible (many people re-shared the original links), while still attributing the first place I got the link from.

Since the WordPress “Press-This” functionality is still limited, even after all these years, this will be a one-time link dump for now; filling in more of the archival WayBack and Archive.is links and adding more context will hopefully come later.

I will try to keep links roughly in chronological order (please post a comment where I goofed up) and I hope to find some time to have a “most important” or “summary” list eventually.

A few notes first

Remember:

  • There are 2 hard problems in computer science: cache invalidation, naming things, and off-by-1 errors.

via: [WayBack] TwoHardThings – There are only two hard things in Computer Science: cache invalidation and naming things — Phil Karlton (bonus variations on the page)

  • Caching is the root of all evil.

List

Posted in Power User, Security

Private keys in software from Blizzard, Electronic Arts, Microsoft, and the German Federal Bar (Bulletproof TLS Newsletter Issue #36)

Posted by jpluimers on 2018/01/07

In the blast of Spectre and Meltdown, don’t forget that humans still goof up: [WayBack] Private keys in software from Blizzard, Electronic Arts, Microsoft, and the German Federal Bar (Bulletproof TLS Newsletter Issue #36).

Luckily enough people keep an eye on these too.

–jeroen

Posted in Power User, Security

Time to Grow Up: Counterproductive Security Behaviors That Must End // Speaker Deck

Posted by jpluimers on 2017/12/29

Good end-of-year re-reading (hopefully there is a video link by now) by Chris Eng (@chriseng) [WayBack] Time to Grow Up: Counterproductive Security Behaviors That Must End // Speaker Deck

via: [WayBack] That's a decent keynote – G+ Kristian Köhntopp.

Posted in Development, Infrastructure, Security, Software Development

Idera / Embarcadero at least fixed some of their security issues…

Posted by jpluimers on 2017/12/27

Some security improvements

A long while ago I quoted [WayBack] Idera / Embarcadero is flushing away user trust in their ability to do secure computing… – Jeroen Wiert Pluimers – Google+.

Since then they have fixed some of the issues:

  • EDN password reset email messages do not contain the plain text password any more
  • The https sites now have much better security certificates

Still, parts of their infrastructure run over http or use other insecure patterns.

Infrastructure and DevOps are hard, but an integral aspect of any company.

Hopefully, their most important new-years resolution is to improve on that.

AppAnalytics still down

I don’t hold my breath, as [Archive.is] https://appanalytics.embarcadero.com/ has been showing this for more than a month now:

503 Service Unavailable

No server is available to handle this request.

On the other hand: they have improved, so let’s keep our fingers crossed, and it had been running since 2015: [WayBack] Embarcadero Introduces AppAnalytics, the First Usage Analytics Service for Desktop, Mobile, and Wearable Applications

Disabling AppAnalytics in Delphi

There are three ways to stop AppAnalytics in the Delphi IDE from phoning home (this is for Delphi XE8; change the version numbers accordingly):

That should at least get rid of the 30 second shut-down timeout in some Delphi versions while they try to post the usage data to AppAnalytics (thanks Uwe Raabe for this great tip!).

–jeroen

Posted in Delphi, Development, Power User, Security, Software Development | 5 Comments

Half of the homepages of Dutch government websites do not use https – IT Pro – News – Tweakers

Posted by jpluimers on 2017/12/15

Still some work to do for some of my sites:

–jeroen

[WayBack] Half of the homepages of Dutch government websites do not use https – IT Pro – News – Tweakers

Posted in Communications Development, Development, Encryption, https, Internet protocol suite, Power User, Security, TLS

Crypto Museum (Amsterdam, 2016) – Google Photos

Posted by jpluimers on 2017/12/15

Last year Robin Sheat made this nice set of pictures: Crypto Museum (Amsterdam, 2016) – Google Photos

–jeroen

Posted in Encryption, History, Power User, Security

DNS Knowledge DNS Tutorial, News and Tools: How to setup Quad9 DNS on a Linux

Posted by jpluimers on 2017/11/24

Reminder to self so I try this out: [Archive.is] DNS Knowledge DNS Tutorial, News and Tools: How to setup Quad9 DNS on a Linux

Quad9 is a free security solution that uses DNS to protect your systems against the most common cyber threats, and you can set it up on Linux.

Related: [Archive.is] Quad9 | Internet Security & Privacy In a Few Easy Steps:

Quad9 is a free security solution that uses DNS to protect your system against the most common cyber threats. It improves your system’s performance, plus, it preserves and protects your privacy. It’s like an immunization for your computer.

Via: [WayBack] Remember 8.8.8.8 (Google DNS)? Now we have 9.9.9.9 from IBM/Quad9 that brings together cyber threat intelligence about malicious domains…. – nixCraft – Google+

Remember 8.8.8.8 (Google DNS)? Now we have 9.9.9.9 from IBM/Quad9 that brings together cyber threat intelligence about malicious domains. It can block malware and other bad domains. https://www.dnsknowledge.com/tutorials/how-to-setup-quad9-dns-on-a-linux/ and https://quad9.net/#/ What do you think? Do you use Google DNS or OpenDNS or ISP DNS or newer Quad9 DNS?

–jeroen

Posted in *nix, DNS, Internet, Power User, Security

Vulnerability Note VU#446847 – Savitech USB audio drivers install a new root CA certificate

Posted by jpluimers on 2017/11/10

Savitech has released a new driver package to address the issue. Savitech drivers version 2.8.0.3 or later do not install the root CA certificate.

Users still must remove any previously installed certificate manually.

  1. SaviAudio root certificate #1
    • Validity: Thursday, May 31, 2012 – Tuesday, December 30, 2036
    • Serial number: 579885da6f791eb24de819bb2c0eeff0
    • Thumbprint: cb34ebad73791c1399cb62bda51c91072ac5b050
  2. SaviAudio root certificate #2
    • Validity: Thursday, December 31, 2015 – Tuesday, December 30, 2036
    • Serial number: 972ed9bce72451bb4bd78bfc0d8b343c
    • Thumbprint: 23e50cd42214d6252d65052c2a1a591173daace5
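As an added example (not from the vulnerability note, CERT/CC or Savitech), the PowerShell script below audits the Windows trusted root stores for the two SaviAudio thumbprints listed above and, only when asked with `-Remove`, deletes what it finds. It assumes the driver placed the certificates in the `Root` store of either the machine or the current user, and that the session is elevated when touching `LocalMachine`.

```powershell
# Added example: audit (and optionally remove) the SaviAudio root CA
# certificates from VU#446847. Not part of the vulnerability note.
param(
    [switch]$Remove
)

# Thumbprints copied from the vulnerability note (SHA-1, lower-case hex).
$SaviAudioThumbprints = @(
    'cb34ebad73791c1399cb62bda51c91072ac5b050',  # SaviAudio root certificate #1
    '23e50cd42214d6252d65052c2a1a591173daace5'   # SaviAudio root certificate #2
)

# Assumption: the driver installer used the machine-wide or per-user
# trusted root store, so both are checked.
$Stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')

$Found = foreach ($Store in $Stores) {
    Get-ChildItem -Path $Store |
        Where-Object { $SaviAudioThumbprints -contains $_.Thumbprint.ToLower() } |
        ForEach-Object {
            [pscustomobject]@{
                Store      = $Store
                Subject    = $_.Subject
                Serial     = $_.SerialNumber
                Thumbprint = $_.Thumbprint
                NotAfter   = $_.NotAfter
                Path       = $_.PSPath
            }
        }
}

if (-not $Found) {
    Write-Output 'No SaviAudio root certificates present in the trusted root stores.'
    return
}

# Report what is there before changing anything.
$Found | Format-Table Store, Subject, Thumbprint, NotAfter -AutoSize

if ($Remove) {
    foreach ($Cert in $Found) {
        # Removing from LocalMachine\Root needs an elevated session.
        Remove-Item -Path $Cert.Path
        Write-Output "Removed $($Cert.Thumbprint) from $($Cert.Store)"
    }
} else {
    Write-Output 'Re-run with -Remove to delete the certificates listed above.'
}
```

Run it without arguments first to see whether either certificate is present; the match is on the SHA-1 thumbprint rather than the subject name, so a certificate reissued under the same name but a different key would not be removed by mistake.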

Source: [WayBack] Vulnerability Note VU#446847 – Savitech USB audio drivers install a new root CA certificate

Background: [WayBack] Inaudible Subversion – Did your Hi-Fi just subv… | RSA Link: While threat hunting, RSA FirstWatch came across a curious exposure in Windows PCs, involving driver packages provided by a certain manufacture…

–jeroen

Posted in Power User, Security, Windows