The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests

  • My badges

    Mastodon

  • Twitter Updates

  • Pages

  • All categories

  • Enter your email address to subscribe to this blog and receive notifications of new posts by email.

    Join 1,854 other subscribers

Archive for the ‘Security’ Category

« Previous Entries
Next Entries »

Forceer DigiD om SMS bij inloggen te gebruiken

Posted by jpluimers on 2017/05/26

Zonder SMS is het vrij makkelijk om iemand anders zijn DigiD te gebruiken.

Met SMS is dat een stuk moeilijker.

Het forceren van SMS bij inloggen kan via https://mijn.digid.nl/inloggen_voorkeur

Je moet EERST inloggen op https://mijn.digid.nl/, en daarna naar https://mijn.digid.nl/inloggen_voorkeur gaan (DigiD is niet slim genoeg om na het inloggen daarheen terug te gaan).

Kies daar deze optie:

  • Midden, ik wil inloggen met een extra controle via sms, ook wanneer Basis vereist is

Via: [WayBack90 procent van DigiD-gebruikers gebruikt dienst zonder sms-authenticatie -update – IT Pro – Nieuws – Tweakers

–jeroen

Read the rest of this entry »

Posted in Power User, Security | Leave a Comment »

~650-thousand accounts exposed because of md5 hashing: Font sharing site DaFont has been hacked, exposing thousands of accounts | ZDNet

Posted by jpluimers on 2017/05/19

Over 98 percent of the passwords were cracked, thanks to the site’s poor password security.

No this isn’t just the hacked font

Source: [WayBackFont sharing site DaFont has been hacked, exposing thousands of accounts | ZDNet

via: [Archive.isFont Sharing Site DaFont Has Been Hacked, Exposing Thousands of Accounts – Slashdot

–jeroen

Read the rest of this entry »

Posted in Encryption, Hashing, md5, Power User, Security | Leave a Comment »

Building `libssh2` for Windows (Win32/Win64) is a lot harder than I hoped for

Posted by jpluimers on 2017/05/09

Building libssh2 for Windows (Win32/Win64) is a lot harder than I hoped for.

There were no instructions on their website, there was the occasional “use CMake” at #IRC and that was about it.

Of course running just CMake doesn’t work and getting it working involves a lot of non-descriptive error messages, cursing and fruitless searches for them just bumping into “me too” threads not really providing the solution.

I tried building OpenSSL but after building, no `lib` directory appears so I cannot satisfy the dependencies. Not sure what OpenSSL would bring as I could not find any documentation about it either, so I’ll leave it at that.

Might be that `make test` for OpenSSL doesn’t succeed because some vague non-explained error which is odd when doing this on an almost prestine VS 2015 Community Edition VM.

But I’ll take that up with the OpenSSL people one day.

Oh the joy of Open Source…

Below are the steps (below the –more– mark a gist with the most recent version).

The core are these:

  • you need git, Visual Studio and CMake
  • use CMake to generate project files, msbuild to build (CBuild cannot build any more)
  • After a Win64 build you have to reset the platform to create a Win32 build

These links helped a lot some in the positive, others in the negative sense:

libssh2-build-steps.rst
  1. Install Visual Studio 2015 community edition from https://www.visualstudio.com/en-us/downloads/download-visual-studio-vs.aspx (as of writing:http://download.microsoft.com/download/D/2/3/D23F4D0F-BA2D-4600-8725-6CCECEA05196/vs_community_ENU.exe or http://download.microsoft.com/download/b/e/d/bedddfc4-55f4-4748-90a8-ffe38a40e89f/vs2015.3.com_enu.iso )
  2. Download CMake via https://cmake.org/download/ back then https://cmake.org/files/v3.6/cmake-3.6.2-win64-x64.msi
  3. Install and ensure to add CMake to the PATH for all users:

https://www.dropbox.com/s/ss5xke97iy4yyka/Screenshot%202016-09-13%2009.36.54.png?raw=1

  1. Run this script on a new command-line: 
    git clone https://github.com/libssh2/libssh2.git
pushd libssh2
mkdir buildWin64
pushd buildWin64
:: Generate build for MSVS 2015
cmake .. -G"Visual Studio 14 Win64" -D"BUILD_SHARED_LIBS=1"

:: this fails bitching about v100 not being there:
:: cmake --build . --config "Visual Studio 14 Win64"
:: this just works:
set Platform=
call "C:\Program Files (x86)\Microsoft Visual Studio 14.0\VC\bin\amd64\vcvars64.bat"
call msbuild libssh2.sln
dumpbin /headers example\Debug\libssh2.dll | find "machine"
popd
mkdir buildWin32
pushd buildWin32
:: Generate build for MSVS 2015
cmake .. -G"Visual Studio 14" -D"BUILD_SHARED_LIBS=1"

set Platform=
call "C:\Program Files (x86)\Microsoft Visual Studio 14.0\VC\bin\vcvars32.bat"
call msbuild libssh2.sln
dumpbin /headers example\Debug\libssh2.dll | find "machine"
popd
popd

Source: Building libssh2 for Windows (Win32/Win64) is a lot harder than I hoped for

–jeroen

Read the rest of this entry »

Posted in Communications Development, Development, Internet protocol suite, OpenSSL, Power User, Security, SSH, TCP | Leave a Comment »

Troy Hunt: Reckon you’ve seen some stupid security things? Here, hold my beer…

Posted by jpluimers on 2017/04/29

I’d laugh if it wasn’t so embarrassing: [Archive.isTroy Hunt: Reckon you’ve seen some stupid security things? Here, hold my beer….

It reminds me of a Dutch agency with > 1 million low income people paying for a service to be on a notification list for rental houses becoming available that was within their legal rental limits.

If you were not on the list, you’d never gain enough points to get a rental home at all.

If you were on the list, then they’d sent your credentials in plain text requiring very limited information.

Your credentials then would reveal name, date of birth, social security number, full address, bank account and some other personal information.

They never notified me if the security complaint I filed was ever addressed.

–jeroen

via:

[WayBack] Ready for some security nightmares? – This is why I Code – Google+

Posted in Power User, Security | Leave a Comment »

when apple.com != apple.com – Phishing with Unicode Domains – Xudong Zheng

Posted by jpluimers on 2017/04/21

Vulnerability in Chrome, Firefox, and Opera makes users susceptible to phishing with Unicode domains.

Source: [Archive.isPhishing with Unicode Domains – Xudong Zheng

Basically these are not the same sites:

Depending on the font used, you might notice it if you look very careful.

Keywords: Unicode codepoints, visual similarity, codepoint to character mapping in fonts, Punycode

Via: [WayBack] Same URL, two websites? (notice the difference)1. https://www.аррӏе.com/2. https://www.apple.com/ – Jean-Luc Aufranc – Google+

References:

–jeroen

Posted in Power User, Security | Leave a Comment »

PSA: Don’t use the ‘save password’ feature, or plug random USBs into your computer.  – Album on Imgur

Posted by jpluimers on 2017/03/14

Rubber Ducky

Rubber Ducky

Looks like a simple USB sick. Has it’s own CPU, Micro SD storage and can run scripts by pretending to be a keyboard.

Easy way of getting into computers:

Imgur – PSA: Don’t use the ‘save password’ feature, or plug random USBs into your computer. 

This is a neat little tool called a USB Rubber Ducky.

It simulates a keyboard. Their motto goes along the lines of “Humans use keyboards. Computers trust humans.”. What they’re trying to say is the computer won’t look at this new device as malicious, because it’s ‘a keyboard’. It types at 1000 words a minute, meaning it takes about 8 seconds to completely infect a computer with a small scale payload. It has been featured on the tv show Mr. Robot.

You can get it here:

Take Social Engineering to the next level with a USB Rubber Ducky Deluxe hidden inside an inconspicuous “thumb drive” case. All the fixings included.  Since 201

Source: USB Rubber Ducky Deluxe – HakShop

  • Fast 60 MHz 32-bit Processor
  • Convenient Type A USB Connector
  • Expandable Memory via Micro SD
  • Hideable inside an in an innocuous looking case
  • Onboard Payload Replay Button

Community Payload Generators, Firmware, Encoders and Toolkits

The USB Rubber Ducky project has fostered considerable innovation and creativity among the community. Some gems include

–jeroen

 

via: PSA: Don’t use the ‘save password’ feature, or plug random USBs into your computer.  https://imgur.com/gallery/MGS0L – DoorToDoorGeek “Stephen McLaughlin” – Google+

Read the rest of this entry »

Posted in Development, Power User, Rubber Ducky, Scripting, Security, Software Development | Leave a Comment »

gargoyle, a memory scanning evasion technique

Posted by jpluimers on 2017/03/07

The Blog of Josh Lospinoso: [WayBackgargoyle, a memory scanning evasion technique


[WayBack] gargoyle, a memory scanning evasion technique – Joe C. Hecht – Google+

Source: gargoyle, a memory scanning evasion technique

–jeroen

Posted in Development, Security, Software Development | Leave a Comment »

Generate Mozilla Security Recommended Web Server Configuration Files

Posted by jpluimers on 2017/03/06

In case you manually want to configure or have a web-server that’s not supported by certbot for letsencrypt (yet): Generate Mozilla Security Recommended Web Server Configuration Files.

At the time of writing, these were supported by the generator (* were not supported by certbot for letsencrypt yet):

–jeroen

via: Feature request: admin web interface over HTTPS · Issue #630 · pi-hole/pi-hole

Posted in *nix, *nix-tools, Apache2, Encryption, Let's Encrypt (letsencrypt/certbot), Power User, Security | Leave a Comment »

Trojans communicating through DNS: Cisco’s Talos Intelligence Group Blog: Covert Channels and Poor Decisions: The Tale of DNSMessenger

Posted by jpluimers on 2017/03/06

DNS traffic within corporate networks should also be considered a channel that an attacker can use to implement a fully functional, bidirectional C2 infrastructure.

Source: [WayBackCisco’s Talos Intelligence Group Blog: Covert Channels and Poor Decisions: The Tale of DNSMessenger

–jeroen

Posted in DNS, Internet, Power User, Security | Leave a Comment »

Change your passwords and 2FA on a bucketload of sites because of 1139 – cloudflare: Cloudflare Reverse Proxies are Dumping Uninitialized Memory – project-zero – Monorail

Posted by jpluimers on 2017/02/25

There are many sites potentially affected by the recently uncovered cloudflare memory leak bug below.

Read this list to get an impression: [WayBacksites-using-cloudflare/README.md at master · pirate/sites-using-cloudflare

Basically you should change your passwords, 2FA authorisations and any other security hooks going through these sites. There are 1000s of them, including many major sites.

The reason for being so cautious is that the leaks have been cached on many systems, including Google Search. Many providers have scrubbed caches, but the information could still be in some caches, or the caches of end-user machines.

Background reading:

–jeroen

Posted in Power User, Security | Leave a Comment »

« Previous Entries
Next Entries »