Posted by jpluimers on 2018/03/02
I wonder what has become of Hypponen’s law:
Whenever an appliance is described as being “smart”, it’s vulnerable.
[WayBack] »Smart car = vulnerable carSmart watch = vulnerable watchSmart home = vulnerable home«– https://twitter.com/mikko/status/808291700921737216 – Jeroen Wiert Pluimers – Google+
via:
[WayBack] »Smart car = vulnerable carSmart watch = vulnerable watchSmart home = vulnerable home«– https://twitter.com/mikko/status/808291700921737216 – Kristian Köhntopp – Google+
–jeroen
Posted in Power User, Security | Leave a Comment »
Posted by jpluimers on 2018/02/01
About a year ago, this company was incorporated: https://beta.companieshouse.gov.uk/company/10542519
; DROP TABLE “COMPANIES”;– LTD
[WayBack] ; DROP TABLE “COMPANIES”;– LTD – Overview (free company information from Companies House)
via: [WayBack] From the Trololo-Dept: https://beta.companieshouse.gov.uk/company/10542519 – Kristian Köhntopp – Google+
–jeroen
Posted in Database Development, Development, Power User, Security | Leave a Comment »
Posted by jpluimers on 2018/01/17
Thanks for the excellent comment explaining how to use hardware tokens as a comment to [WayBack] Using hardware security tokens cross-platform is only slightly more complicated than piloting a Space Shuttle. ##sarcasm – Jan Wildeboer – Google+
Jan Wildeboer:
+Jeroen Wiert Pluimers OK. Let’s look a bit at how this works. There are several competing standards/ways to use a security token. Typically you’ll decide between the two most used ones. As a CCID device AKA SmartCard with OpenSC or using gpg-agent. And that’s an either/or question. Some of the security tokens can only work with gpg-agent, some can do both (but not at the same time) and some are only useful as CCID style (e.g. the Nitrokey HSM).
OK. So now we look at platforms. CCID using OpenSC mostly works everywhere, but you might need to install some additional software depending on your OS. Older versions of MacOS X were notoriously bad, since (High) Sierra it has become better.
On Linux it again really depends. The gnome-keyring-agent that is active in a Gnome session really messes everything up, so better deactivate that. Which is not really trivial. But you have to have a socket for ssh-agent to pick up the key, so some stuff goes to your .bash.rc and you have to make some changes to Gnome config.
If you want to use a Yubikey for 2FA, note that it cannot do TOTP (Time based One Time Password) which Amazon wants for AWS auth. So you need another helper app on your computer.
Here’s some articles that explain it in detail:
- Using a Yubikey in CCID for ssh: [WayBack] Yubikey 4 for SSH with physical presence proof
- Using a Yubikey for gpg and ssh in gpg-agent mode: [WayBack] Yubikeys for SSH Auth | EngineerBetter | More than Cloud Foundry specialists
- Using a Yubikey for 2FA: [WayBack] Yubikeys for Two-Factor Auth | EngineerBetter | More than Cloud Foundry specialists
- Yubikey, SSH, gpg and Fedora [WayBack] GPG, Smartcard and ssh – Harald Hoyer
The middle two links are actually part of the series [WayBack] Yubikey All The Things | EngineerBetter | More than Cloud Foundry specialists which has a third post [WayBack] Yubikeys for Static Secrets | EngineerBetter | More than Cloud Foundry specialists
–jeroen
Posted in *nix, *nix-tools, Communications Development, Development, Internet protocol suite, Power User, Security, SSH, TCP | Leave a Comment »
Posted by jpluimers on 2018/01/11
I wish I had bumped into this when it got released in 2015: [WayBack] badssl.com hosted in the cloud and maintained by two people from Google and Mozilla.
Where ssllabs.com is for checking server-side certificates, this one is for checking clients against many, many (did I already write MANY?) server side configurations both good (with a varying set of security settings like cyphers and key exchanges) and bad.
One of the bad ones is expired.badssl.com which your clients should not be able to connect to without throwing a big error.
Sources are at [WayBack] GitHub – chromium/badssl.com: Memorable site for testing clients against bad SSL configs.
Before using, please read their
Disclaimer
badssl.comis meant for manual testing of security UI in web clients.Most subdomains are likely to have stable functionality, but anything could change without notice. If you would like a documented guarantee for a particular use case, please file an issue. (Alternatively, you could make a fork and host your own copy.)
badssl.com is not an official Google product. It is offered “AS-IS” and without any warranties.
–jeroen
Posted in Communications Development, Development, HTTP, https, Internet protocol suite, Security, Software Development, TCP, TLS, Web Development | Leave a Comment »
Posted by jpluimers on 2018/01/11
Now that so many sites depend on LetsEncrypt: maybe it is time for a second one.
We’ve received a credible report of a problem with ACME TLS-SNI-01 validation which could allow people to get certificates they should not be able to get. While we investigate further we have disabled tls-sni-01 validation. We’ll post more information soon.
Source: [Archive.is] ACME TLS-SNI-01 validation disabled due to vulnerability – Incidents – Let’s Encrypt Community Support
Via:
–jeroen
Posted in Encryption, Let's Encrypt (letsencrypt/certbot), Power User, Security | Leave a Comment »
Posted by jpluimers on 2018/01/09
I hope this is a coincidence. Before Nick Hodges left, the TLS security of the various embarcadero https servers was increased, most from grade F. Now they might soon be grade F again.
Hopefully somebody in IT has time to take a renewed look as security needs constant attention.
I’ve only included a fraction of their sub-domains, as really this is a job for the Embarcadero IT department.
Related:
Posted in Encryption, HTTPS/TLS security, Power User, Security | Leave a Comment »
Posted by jpluimers on 2018/01/07
Over the last few days I’ve collected a lot of Meltdown and Spectre links at 1984 and (IT) (in)security – Google+.
Most of them provide links to what happened this, year, but a few are also on the path leading to these vulnerabilities. In the links you will also find the affected architectures and patches by various vendors which I have tried to summarise below.
In the link collection, I’ve tried to keep the number of hops to the actual sources as short as possible (as many have re-shared original) links but still attribute to the first one I got the link from.
Since the WordPress “Press-This” functionality is limited, even after all these years, so for now it will be a one-time link dump; filling in more of the archival WayBack and Archive.is links and adding more context will hopefully come later.
I will try to keep links roughly in chronological order (please post a comment where I goofed up) and I hope to find some time to have a “most important” or “summary” list eventually.
Remember:
There are 2 hard problems in computer science: cache invalidation, naming things, and off-by-1 errors.
via: [WayBack] TwoHardThings There are only two hard things in Computer Science: cache invalidation and naming things — Phil Karlton (bonus variations on the page)
Posted in Power User, Security | Leave a Comment »
Posted by jpluimers on 2018/01/07
In the blast of Spectre and Meltdown, don’t forget that humans still goof up: [WayBack] Private keys in software from Blizzard, Electronic Arts, Microsoft, and the German Federal Bar (Bulletproof TLS Newsletter Issue #36).
Luckily enough people keep an eye on these too.
Via:
–jeroen
Posted in Power User, Security | Leave a Comment »
Posted by jpluimers on 2017/12/29
Good end-of-year re-reading (hopefully there is a video link by now) by Chris Eng (@chriseng) [WayBack] Time to Grow Up: Counterproductive Security Behaviors That Must End // Speaker Deck
via: [WayBack] Thats a decent keynote – G+ Kristian Köhntopp.
Posted in Development, Infrastructure, Security, Software Development | Leave a Comment »
Posted by jpluimers on 2017/12/27
A long while ago I quoted [WayBack] Ideara / Embaracdero is flushing away user trust in their ability to do secure computing… – Jeroen Wiert Pluimers – Google+.
Since then they have fixed some of the issues:
Still, parts of their infrastructure run over http or use other insecure patterns.
Infrastructure and DevOps are hard, but an integral aspect of any company.
Hopefully, their most important new-years resolution is to improve on that.
I don’t hold my breath as [Archive.is] https://appanalytics.embarcadero.com/ for more than a month now has been showing
503 Service Unavailable
No server is available to handle this request.
On the other hand: they have improved, so let’s keep our fingers crossed, and it had been running since 2015: [WayBack]Embarcadero Introduces AppAnalytics, the First Usage Analytics Service for Desktop, Mobile, and Wearable Applications
There are three ways to disable AppAnalytics in the Delphi IDE to phone home (this is for Delphi XE8, change the version numbers accordingly):
reg add "HKEY_CURRENT_USER\Software\Embarcadero\BDS\16.0\UsageAnalytics" /v Enabled /t REG_DWORD /d 0 /fdel "C:\Program Files (x86)\Embarcadero\Studio\16.0\bin\TrackingSystem220.bpl"$(BDS)\Bin\TrackingSystem220.bpl(normally having value Embarcadero Tracking System Package) as described in Delphi packages I have disabled by prefixing their description with an underscore (and why)That should at least get rid of the 30 second shut-down timeout in some Delphi versions while they try to post the usage data to AppAnalytics (thanks Uwe Raabe for this great tip!)
–jeroen
Related:
Posted in Delphi, Development, Power User, Security, Software Development | 5 Comments »
The Wiert Corner - irregular stream of stuff 