Archive for the ‘Security’ Category
Posted by jpluimers on 2017/10/12
Oh boy: [WayBack] Alles kaputt: In der Cloud gibt es keine Wände. – Kristian Köhntopp – Google+:
Two Amazon EC2 instances communicating over the CPU cache without the need of a network in-between them.
Open sourced foundations: IAIK/CJAG: CJAG is an open-source implementation of our cache-based jamming agreement.
In our BlackHat Asia 2017 Talk we show that the cache covert channel we built is so fast and reliable that we can do much more than tunneling SSH over it: We show that we can even stream a music video in decent quality through the cache – on the Amazon EC2 cloud.
See the BlackHat Asia Briefings Information here: https://www.blackhat.com/asia-17/brie…
See a video of the Live Demo here: https://www.youtube.com/watch?v=yPZmi…
Find our NDSS 2017 paper here: https://gruss.cc/files/hello.pdf
–jeroen
Read the rest of this entry »
Posted in Development, Hardware Development, Security, Software Development | Leave a Comment »
Posted by jpluimers on 2017/08/07
sslh accepts connections on specified ports, and forwards them further based on tests performed on the first data packet sent by the remote client.
Probes for HTTP, SSL, SSH, OpenVPN, tinc, XMPP are implemented, and any other protocol that can be tested using a regular expression, can be recognised. A typical use case is to allow serving several services on port 443 (e.g. to connect to ssh from inside a corporate firewall, which almost never block port 443) while still serving HTTPS on that port.
Hence sslh acts as a protocol demultiplexer, or a switchboard. Its name comes from its original function to serve SSH and HTTPS on the same port.
sslh supports IPv6, privilege dropping, transparent proxying, and more.
Interesting…
–jeroen
Posted in *nix, https, Linux, OpenSSL, OpenVPN, Power User, Security | Leave a Comment »
Posted by jpluimers on 2017/07/31
testssl.sh has supported IPv6 for a long while if the OpenSSL binary supports it
See the below thread, specifically the mentioned comments.
- IPv6 · Issue #11 · drwetter/testssl.sh [WayBack]
- OpenSSL with IPv6 support is needed:
- You need to specify the
-6 parameter or have HAVE_IPv6=true set in HAS_IPv6=true testssl.sh <mycmdline>:
- Special branch of OpenSSL supporting all ciphers (reminder to self: build OS X binaries for it)
- Works with the Google IPv6 site:
- There is still some work to do:
- But the
--ip parameter now supports IPv6 addresses:
–jeroen
Posted in OpenSSL, Power User, Security, testssl.sh | Leave a Comment »
Posted by jpluimers on 2017/07/25
I’ve been using cURL but always had a feeling not to its potential basically because the cURL man page [WayBack] is both massive and lacks concrete useful practical examples.
For instance, I knew about the --header and --verbose options (I always use verbose names even though shorter -H and -v exist) to pass a specific header and get verbose output, but the man page basic examples like this by Tader:
curl --header --verbose "X-MyHeader: 123" www.google.com
source: How to send a header using a HTTP request through a curl call? – Stack Overflow [WayBack]
There are some more examples at bropages.org/curl but they’re hardly organised or documented.
So I was really glad I found the below answer [WayBack] by Amith Koujalgi to web services – HTTP POST and GET using cURL in Linux – Stack Overflow.
But first note that recent versions (around 7.22 or higher) of cURL now need to combine the --silent and --show-error (or in short -sS) parameters to suppress progress but show errors: linux – How do I get cURL to not show the progress bar? – Stack Overflow [WayBack]
Back to the examples
Read the rest of this entry »
Posted in *nix, Communications Development, cURL, Delphi, Development, HTTP, https, Internet protocol suite, JavaScript/ECMAScript, JSON, Power User, REST, Scripting, Security, Software Development, TCP, TLS, XML, XML/XSD | 1 Comment »
Posted by jpluimers on 2017/06/30
It’s such an all time classic from 2006 that people even kept scans of the original 2006 Computer World publication by [WayBack] John Klossner.
Over the last few years, it has done its round over the internet a few times, so I did some digging for the scans, colour and mono originals.
Data security versus Human Error.
In this corner, we have firewalls, encryption, antivirus software, etc. And in this corner, we have Dave!!
[WayBack] John Klossner Cartoons: Computer World has the original black and white version: it’s even a gif!
Way better than the scan from paper: [WayBack] ShackF00 » Weekend Round-up: Google Issues and a Sad-but-True Comic
In 2014, Spiceworks re-ran the black and white one: [WayBack] And in THIS corner we have Dave! (Funny cartoon) – IT Security – Spiceworks
In 2015, Wombat Security published a coloured version on social media, and even bigger too: not just large, huge as well (:
–jeroen
via: [WayBack] Dave – CodeProject – Google+
Read the rest of this entry »
Posted in Encryption, Firewall, Fun, Power User, Security | Leave a Comment »
Posted by jpluimers on 2017/06/27
Interesting read with lots of references: [WayBack] The Cryptowars, twenty years ago – The Isoblog.
My TL;DR:
- the current cryptowar is very similar to 20 years ago
- back then it was won by the people
- current outcome is unclear (but the rules of math cannot be changed)
- Laws/Rules/Postulates:
- John Gilmore
- »The Net interprets censorship as damage and routes around it.«
- Shoshana Zuboff
- »Everything that can be automated will be automated.«
- »Everything that can be informated will be informated.«
- »Every digital application that can be used for surveillance and control will be used for surveillance and control.«
- Kristian:
- »20 years later, the Cryptowar is still a thing. It will never be over.«
–jeroen
via: [WayBack] So as a society, we are having the same conversation for 20 years now, and we won’t really make progress here because of Zuboff’s law. – Kristian Köhntopp – Google+
Posted in Encryption, History, Opinions, Power User, Security | Leave a Comment »
Posted by jpluimers on 2017/06/23
For my blog archive as I already shared it on G+
[WayBack] With so many vulnerabilities out there, here is how to find out of if a fixed is applied to vulnerabilities on Debian/Ubuntu Linux using CVE. – Jeroen Wiert Pluimers – Google+
[WayBack] Debian/Ubuntu Linux: Find If Installed APT Package Includes a Fix/Patch Via CVE Number – nixCraft
Explains how to view the changelog of an installed package on a Debian or Ubuntu Linux server to find out if a fix/patch applied via CVE number.
Hans Wolters:
And find all packages that belong to one cve :-)
zgrep -i cve /usr/share/doc/*/changelog.Debian.gz|grep 1000364
–jeroen
Posted in OpenVPN, Power User, Security | Leave a Comment »
Posted by jpluimers on 2017/06/23
WHAT IS A BOGON, AND WHY SHOULD I FILTER IT?
A bogon prefix is a route that should never appear in the Internet routing table. A packet routed over the public Internet (not including over VPNs or other tunnels) should never have a source address in a bogon range. These are commonly found as the source addresses of DDoS attacks.
Source: The Bogon Reference – Team Cymru
The regular Bogon list is pretty static (last change in 2012), so I’ve listed the text version below. But the full Bogon list (including unused IPv4 space) is dynamic.
0.0.0.0/8
10.0.0.0/8
100.64.0.0/10
127.0.0.0/8
169.254.0.0/16
172.16.0.0/12
192.0.0.0/24
192.0.2.0/24
192.168.0.0/16
198.18.0.0/15
198.51.100.0/24
203.0.113.0/24
224.0.0.0/4
240.0.0.0/4
–jeroen
Posted in Internet, Power User, routers, Security | Leave a Comment »
Posted by jpluimers on 2017/06/21
For one of my VMs I forgot to note which of the initial password I had changed, so I wanted to check them.
Since I didn’t have a keyboard attached to the console and ssh wasn’t allowing root, I needed an alternative than actual login to test the passwords.
Luckily /etc/shadow, with getent and openssl came to the rescue.
Since getent varies per distribution, here is how it works on OpenSuSE:
Read the rest of this entry »
Posted in *nix, *nix-tools, ash/dash, bash, bash, Development, Encoding, Hashing, Linux, md5, openSuSE, Power User, Scripting, Security, SHA, SHA-256, SHA-512, Software Development, SuSE Linux | Leave a Comment »
The Wiert Corner - irregular stream of stuff 
