Posted by jpluimers on 2017/12/15
Still some work to do for some of my sites:
–jeroen
[WayBack] Half of Dutch government website homepages do not use https – IT Pro – News – Tweakers
Posted in Communications Development, Development, Encryption, https, Internet protocol suite, Power User, Security, TLS
Posted by jpluimers on 2017/12/15
Last year Robin Sheat made this nice set of pictures: Crypto Museum (Amsterdam, 2016) – Google Photos
via:
The museum’s web page is: http://www.cryptomuseum.com/events/2016/sc/index.htm
–jeroen
Posted in Encryption, History, Power User, Security
Posted by jpluimers on 2017/11/24
Reminder to self so I try this out: [Archive.is] DNS Knowledge DNS Tutorial, News and Tools: How to setup Quad9 DNS on a Linux
Quad9 is a free security solution that uses DNS to protect your systems against the most common cyber threats and you can set it up on Linux.
Related: [Archive.is] Quad9 | Internet Security & Privacy In a Few Easy Steps:
Quad9 is a free security solution that uses DNS to protect your system against the most common cyber threats. It improves your system’s performance, plus, it preserves and protects your privacy. It’s like an immunization for your computer.
Via: [WayBack] Remember 8.8.8.8 (Google DNS)? Now we have 9.9.9.9 from IBM/Quad9 that brings together cyber threat intelligence about malicious domains…. – nixCraft – Google+
Remember 8.8.8.8 (Google DNS)? Now we have 9.9.9.9 from IBM/Quad9 that brings together cyber threat intelligence about malicious domains. It can block malware and other bad domains. https://www.dnsknowledge.com/tutorials/how-to-setup-quad9-dns-on-a-linux/ and https://quad9.net/#/ What do you think? Do you use Google DNS or OpenDNS or ISP DNS or newer Quad9 DNS?
–jeroen
Posted in *nix, DNS, Internet, Power User, Security
Posted by jpluimers on 2017/11/10
Savitech has released a new driver package to address the issue. Savitech drivers version 2.8.0.3 or later do not install the root CA certificate.
Users still must remove any previously installed certificate manually.
- SaviAudio root certificate #1
  - Validity: Thursday, May 31, 2012 – Tuesday, December 30, 2036
  - Serial number: 579885da6f791eb24de819bb2c0eeff0
  - Thumbprint: cb34ebad73791c1399cb62bda51c91072ac5b050
- SaviAudio root certificate #2
  - Validity: Thursday, December 31, 2015 – Tuesday, December 30, 2036
  - Serial number: 972ed9bce72451bb4bd78bfc0d8b343c
  - Thumbprint: 23e50cd42214d6252d65052c2a1a591173daace5
Source: [WayBack] Vulnerability Note VU#446847 – Savitech USB audio drivers install a new root CA certificate
Background: [WayBack] Inaudible Subversion – Did your Hi-Fi just subv… | RSA Link: While threat hunting, RSA FirstWatch came across a curious exposure in Windows PCs, involving driver packages provided by a certain manufacture…
Via:
–jeroen
Posted in Power User, Security, Windows
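An added example, not part of the original post or the CERT note: a PowerShell check for the two SaviAudio root certificates, matched by the thumbprints listed above, followed by a dry-run removal. Checking both the machine-wide and the per-user root store is an assumption of this example.

```powershell
# Added example: audit the Windows trusted-root stores for the two SaviAudio
# root certificates from VU#446847. Thumbprints are copied from the post above.
$saviThumbprints = @(
    'cb34ebad73791c1399cb62bda51c91072ac5b050',  # SaviAudio root certificate #1
    '23e50cd42214d6252d65052c2a1a591173daace5'   # SaviAudio root certificate #2
)

# Assumption: look in both the machine-wide and the current user's root store.
$stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

$found = foreach ($store in $stores) {
    Get-ChildItem -Path $store |
        # -contains is case-insensitive, so upper-case store thumbprints match.
        Where-Object { $saviThumbprints -contains $_.Thumbprint } |
        Select-Object @{ Name = 'Store'; Expression = { $store } },
                      Subject, SerialNumber, Thumbprint, NotAfter, PSPath
}

if (-not $found) {
    Write-Output 'No SaviAudio root certificate found in the checked stores.'
}
else {
    # Show what was found so serial number and validity can be compared
    # with the values listed in the vulnerability note.
    $found | Format-List Store, Subject, SerialNumber, Thumbprint, NotAfter

    # Dry run: -WhatIf only reports what would be deleted.
    # Drop -WhatIf (elevated prompt needed for LocalMachine) to really delete.
    $found | ForEach-Object { Remove-Item -Path $_.PSPath -WhatIf }
}
```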
Posted by jpluimers on 2017/11/09
Need to do some more research on this to ensure I didn’t goof up:
–jeroen
Posted in *nix, *nix-tools, Communications Development, Development, Internet protocol suite, postfix, Power User, Security, sendmail, SMTP
Posted by jpluimers on 2017/10/16
All of our house is wired by ethernet for a reason…
WPA2 Flawed. Once again, it turns out that designing something properly secure is really, really, REALLY hard.
[WayBack] Severe flaw in WPA2 protocol leaves Wi-Fi traffic open to eavesdropping https://arstechnica.com/… – Lars Fosdal – Google+
[Archive.is] If fixes exist, third party firmware will have it in days. Most OEMs, never. I do worry a lot about unfixable flaws in the wifi standards… – Kristian Köhntopp – Google+:
Dave reminds us that there is a reason why people mod the firmware of their Wifi routers, and that reason is actually now more critical than ever.
Via [WayBack] https://www.krackattacks.com/ has a FAQ. Some interesting questions from there:… – Kristian Köhntopp – Google+:
[WayBack] KRACK Attacks: Breaking WPA2 : This website presents the Key Reinstallation Attack (KRACK). It breaks the WPA2 protocol by forcing nonce reuse in encryption algorithms used by Wi-Fi.
Since we’re talking security, watch your RSA as it is way worse than the WPA2 one: [Archive.is]
[WayBack] Dan Goodin @dangoodin001: 2nd major crypto vulnerability being disclosed Monday involves millions of 1024- and 2048-bit RSA keys that are practically factorizable.
[WayBack] ROCA: Vulnerable RSA generation (CVE-2017-15361) [CRoCS wiki]
The time complexity and cost for the selected key lengths (Intel E5-2650 v3@3GHz Q2/2014):
- 512 bit RSA keys – 2 CPU hours (the cost of $0.06);
- 1024 bit RSA keys – 97 CPU days (the cost of $40-$80);
- 2048 bit RSA keys – 140.8 CPU years, (the cost of $20,000 – $40,000).
[WayBack] New vulnerabilities found in RSA 1024 and 2048 bit keys. Estimated cost of cracking based on access to the Public key only: 1024 bit: $40 2048 bit: $20k… – Lars Fosdal – Google+
Jan Wildeboer did a nice explanation in layman's terms of both security issues published today:
–jeroen
Posted in LifeHacker, Power User, Security, WiFi
Posted by jpluimers on 2017/10/12
Oh boy: [WayBack] Everything is broken: there are no walls in the cloud. – Kristian Köhntopp – Google+:
Two Amazon EC2 instances communicating over the CPU cache without the need of a network in-between them.
Open sourced foundations: IAIK/CJAG: CJAG is an open-source implementation of our cache-based jamming agreement.
In our BlackHat Asia 2017 Talk we show that the cache covert channel we built is so fast and reliable that we can do much more than tunneling SSH over it: We show that we can even stream a music video in decent quality through the cache – on the Amazon EC2 cloud.
See the BlackHat Asia Briefings Information here: https://www.blackhat.com/asia-17/brie…
See a video of the Live Demo here: https://www.youtube.com/watch?v=yPZmi…
Find our NDSS 2017 paper here: https://gruss.cc/files/hello.pdf
–jeroen
Posted in Development, Hardware Development, Security, Software Development
Posted by jpluimers on 2017/09/04
Interesting: [WayBack/Archive.is] Positive Technologies – learn and secure : Disabling Intel ME 11 via undocumented mode
Repository: ptresearch/unME11: Intel ME 11.x Firmware Images Unpacker
More archived links:
Via: [WayBack] The NSA is running Intel machines with ME off, and so can you: http://blog.koehntopp.info/index.php/2508-turning-off-the-intel-management-engine-me/ – Kristian Köhntopp – Google+
–jeroen
Posted in Power User, Security
Posted by jpluimers on 2017/08/07
sslh accepts connections on specified ports, and forwards them further based on tests performed on the first data packet sent by the remote client.
Probes for HTTP, SSL, SSH, OpenVPN, tinc, XMPP are implemented, and any other protocol that can be tested using a regular expression can be recognised. A typical use case is to allow serving several services on port 443 (e.g. to connect to ssh from inside a corporate firewall, which almost never blocks port 443) while still serving HTTPS on that port.
Hence sslh acts as a protocol demultiplexer, or a switchboard. Its name comes from its original function to serve SSH and HTTPS on the same port.
sslh supports IPv6, privilege dropping, transparent proxying, and more.
Interesting…
–jeroen
Posted in *nix, https, Linux, OpenSSL, OpenVPN, Power User, Security
Posted by jpluimers on 2017/07/31
testssl.sh has supported IPv6 for a long while if the OpenSSL binary supports it
See the below thread, specifically the mentioned comments.
-6 parameter or have HAVE_IPv6=true set in HAS_IPv6=true testssl.sh <mycmdline>:
--ip parameter now supports IPv6 addresses:
–jeroen
Posted in OpenSSL, Power User, Security, testssl.sh