The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests

  • My badges

    Mastodon

  • Twitter Updates

  • My Flickr Stream

    20140508-Delphi-2007--Project-Options--Cannot-Edit-Application-Title-HelpFile-Icon-Theming20140430-Fiddler-Filter-Actions-Button-Run-Filterset-now20140424-VMware-Fusion-6.0.3.-no-reclaimable
    More Photos

  • Pages

  • All categories

  • Enter your email address to subscribe to this blog and receive notifications of new posts by email.

    Join 1,854 other subscribers

Archive for the ‘Security’ Category

« Previous Entries
Next Entries »

when apple.com != apple.com – Phishing with Unicode Domains – Xudong Zheng

Posted by jpluimers on 2017/04/21

Vulnerability in Chrome, Firefox, and Opera makes users susceptible to phishing with Unicode domains.

Source: [Archive.isPhishing with Unicode Domains – Xudong Zheng

Basically these are not the same sites:

Depending on the font used, you might notice it if you look very careful.

Keywords: Unicode codepoints, visual similarity, codepoint to character mapping in fonts, Punycode

Via: [WayBack] Same URL, two websites? (notice the difference)1. https://www.аррӏе.com/2. https://www.apple.com/ – Jean-Luc Aufranc – Google+

References:

–jeroen

Posted in Power User, Security | Leave a Comment »

PSA: Don’t use the ‘save password’ feature, or plug random USBs into your computer.  – Album on Imgur

Posted by jpluimers on 2017/03/14

Rubber Ducky

Rubber Ducky

Looks like a simple USB sick. Has it’s own CPU, Micro SD storage and can run scripts by pretending to be a keyboard.

Easy way of getting into computers:

Imgur – PSA: Don’t use the ‘save password’ feature, or plug random USBs into your computer. 

This is a neat little tool called a USB Rubber Ducky.

It simulates a keyboard. Their motto goes along the lines of “Humans use keyboards. Computers trust humans.”. What they’re trying to say is the computer won’t look at this new device as malicious, because it’s ‘a keyboard’. It types at 1000 words a minute, meaning it takes about 8 seconds to completely infect a computer with a small scale payload. It has been featured on the tv show Mr. Robot.

You can get it here:

Take Social Engineering to the next level with a USB Rubber Ducky Deluxe hidden inside an inconspicuous “thumb drive” case. All the fixings included.  Since 201

Source: USB Rubber Ducky Deluxe – HakShop

  • Fast 60 MHz 32-bit Processor
  • Convenient Type A USB Connector
  • Expandable Memory via Micro SD
  • Hideable inside an in an innocuous looking case
  • Onboard Payload Replay Button

Community Payload Generators, Firmware, Encoders and Toolkits

The USB Rubber Ducky project has fostered considerable innovation and creativity among the community. Some gems include

–jeroen

 

via: PSA: Don’t use the ‘save password’ feature, or plug random USBs into your computer.  https://imgur.com/gallery/MGS0L – DoorToDoorGeek “Stephen McLaughlin” – Google+

Read the rest of this entry »

Posted in Development, Power User, Rubber Ducky, Scripting, Security, Software Development | Leave a Comment »

gargoyle, a memory scanning evasion technique

Posted by jpluimers on 2017/03/07

The Blog of Josh Lospinoso: [WayBackgargoyle, a memory scanning evasion technique


[WayBack] gargoyle, a memory scanning evasion technique – Joe C. Hecht – Google+

Source: gargoyle, a memory scanning evasion technique

–jeroen

Posted in Development, Security, Software Development | Leave a Comment »

Generate Mozilla Security Recommended Web Server Configuration Files

Posted by jpluimers on 2017/03/06

In case you manually want to configure or have a web-server that’s not supported by certbot for letsencrypt (yet): Generate Mozilla Security Recommended Web Server Configuration Files.

At the time of writing, these were supported by the generator (* were not supported by certbot for letsencrypt yet):

–jeroen

via: Feature request: admin web interface over HTTPS · Issue #630 · pi-hole/pi-hole

Posted in *nix, *nix-tools, Apache2, Encryption, Let's Encrypt (letsencrypt/certbot), Power User, Security | Leave a Comment »

Trojans communicating through DNS: Cisco’s Talos Intelligence Group Blog: Covert Channels and Poor Decisions: The Tale of DNSMessenger

Posted by jpluimers on 2017/03/06

DNS traffic within corporate networks should also be considered a channel that an attacker can use to implement a fully functional, bidirectional C2 infrastructure.

Source: [WayBackCisco’s Talos Intelligence Group Blog: Covert Channels and Poor Decisions: The Tale of DNSMessenger

–jeroen

Posted in DNS, Internet, Power User, Security | Leave a Comment »

Change your passwords and 2FA on a bucketload of sites because of 1139 – cloudflare: Cloudflare Reverse Proxies are Dumping Uninitialized Memory – project-zero – Monorail

Posted by jpluimers on 2017/02/25

There are many sites potentially affected by the recently uncovered cloudflare memory leak bug below.

Read this list to get an impression: [WayBacksites-using-cloudflare/README.md at master · pirate/sites-using-cloudflare

Basically you should change your passwords, 2FA authorisations and any other security hooks going through these sites. There are 1000s of them, including many major sites.

The reason for being so cautious is that the leaks have been cached on many systems, including Google Search. Many providers have scrubbed caches, but the information could still be in some caches, or the caches of end-user machines.

Background reading:

–jeroen

Posted in Power User, Security | Leave a Comment »

SHAttered – stop using SHA-1; it’s broken

Posted by jpluimers on 2017/02/24

We have broken SHA-1 in practice.

This industry cryptographic hash function standard is used for digital signatures and file integrity verification, and protects a wide spectrum of digital assets, ranging credit card transactions, electronic documents, open-source software repositories and software updates.

It is now practically possible to craft two colliding PDF files and obtain a SHA-1 digital signature on the first PDF file which can also be abused as a valid signature on the second PDF file.

For example, by crafting the two colliding PDF files as two rental agreements with different rent, it is possible to trick someone to create a valid signature for a high-rent contract by having him or her sign a low-rent contract.

–jeroen

Posted in Encryption, Hashing, Power User, Security, SHA | Leave a Comment »

How to Build Your Own Penetration Testing Drop Box – Black Hills Information Security

Posted by jpluimers on 2017/02/03

TL;DR

At testing time, the Hardkernel’s ODROID-C2 absolutely destroyed the competition in this space, so buy this:

Hardware Shopping List (links current as of 8/2/2016)

After that continue the article and start with the Initial Setup of the Kali Image

Source: How to Build Your Own Penetration Testing Drop Box – Black Hills Information Security

–jeroen

via: Joe C. Hecht originally shared to Single Board Computers and Virtual Private Servers (Hardware).

Posted in *nix, Kali Linux, Linux, Pen Testing, Power User, Security | Leave a Comment »

Some ChromeCast URLs

Posted by jpluimers on 2017/02/01

I need to check these against a Chromecast v2 as the below URLs are from a v1 device:

More is possible by using cURL: Chromecast Hacking Has Begun | fiquett.com

sleep 8h; while true; do
curl -H "Content-Type: application/json" http://192.168.71.113:8008/apps/YouTube -X POST -d 'v=somevideo';
done

Related:

–jeroen

via:

Thoughts on a Chromecast Alarm app?
byu/akhilcacharya inChromecast

Posted in Chromecast, Communications Development, Development, Google, Hardware Interfacing, HTTP, https, Internet protocol suite, REST, Security, TCP | 3 Comments »

inversepath/usbarmory: USB armory: open source flash-drive-sized computer

Posted by jpluimers on 2017/01/26

Source: Inverse Path - USB armory

Source: Inverse Path – USB armory

usbarmory – USB armory: open source flash-drive-sized computer

Roughly EUR 100 excluding, SD card, host adapter and enclousure.

Source: inversepath/usbarmory: USB armory: open source flash-drive-sized computer

Since I was talking about security anyway…. this is a nice toy for breaking open laptops or desktops when the administrator forbade the installation of software, or you want software on it executed. This is often the case with company devices, e.g. the laptops which are supplied by banks to their 3rd party suppliers. Outsourcing is cool, remember?

This is a computer on a stick which can run a Linux kernel. In combination with some USB gadget kernel modules, it can be configured to authenticate itself as any device. All you need to do is plug it in, and iterate by brute force through the device identifiers until you hit one which is accepted to be used. Store the statically linked software you want to install or run on the stick beforehand, and here you go. So if you ever need a SSH client on a “secure” Windows laptop… putty.exe FTW.

Posted by Ralf Ramge – Google+

–jeroen

via: Since I was talking about security anyway…. this is a nice toy for breaking open laptops or desktops when the administrator forbade the installation of… – Kristian Köhntopp – Google+

Posted in *nix, Hardware, Pen Testing, Power User, Security, USB | Leave a Comment »

« Previous Entries
Next Entries »