The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests

  • My badges

    Mastodon

  • Twitter Updates

  • Pages

  • All categories

  • Enter your email address to subscribe to this blog and receive notifications of new posts by email.

    Join 1,854 other subscribers

Archive for the ‘Security’ Category

« Previous Entries
Next Entries »

SHAttered – stop using SHA-1; it’s broken

Posted by jpluimers on 2017/02/24

We have broken SHA-1 in practice.

This industry cryptographic hash function standard is used for digital signatures and file integrity verification, and protects a wide spectrum of digital assets, ranging credit card transactions, electronic documents, open-source software repositories and software updates.

It is now practically possible to craft two colliding PDF files and obtain a SHA-1 digital signature on the first PDF file which can also be abused as a valid signature on the second PDF file.

For example, by crafting the two colliding PDF files as two rental agreements with different rent, it is possible to trick someone to create a valid signature for a high-rent contract by having him or her sign a low-rent contract.

–jeroen

Posted in Encryption, Hashing, Power User, Security, SHA | Leave a Comment »

How to Build Your Own Penetration Testing Drop Box – Black Hills Information Security

Posted by jpluimers on 2017/02/03

TL;DR

At testing time, the Hardkernel’s ODROID-C2 absolutely destroyed the competition in this space, so buy this:

Hardware Shopping List (links current as of 8/2/2016)

After that continue the article and start with the Initial Setup of the Kali Image

Source: How to Build Your Own Penetration Testing Drop Box – Black Hills Information Security

–jeroen

via: Joe C. Hecht originally shared to Single Board Computers and Virtual Private Servers (Hardware).

Posted in *nix, Kali Linux, Linux, Pen Testing, Power User, Security | Leave a Comment »

Some ChromeCast URLs

Posted by jpluimers on 2017/02/01

I need to check these against a Chromecast v2 as the below URLs are from a v1 device:

More is possible by using cURL: Chromecast Hacking Has Begun | fiquett.com

sleep 8h; while true; do
curl -H "Content-Type: application/json" http://192.168.71.113:8008/apps/YouTube -X POST -d 'v=somevideo';
done

Related:

–jeroen

via:

Thoughts on a Chromecast Alarm app?
byu/akhilcacharya inChromecast

Posted in Chromecast, Communications Development, Development, Google, Hardware Interfacing, HTTP, https, Internet protocol suite, REST, Security, TCP | 3 Comments »

inversepath/usbarmory: USB armory: open source flash-drive-sized computer

Posted by jpluimers on 2017/01/26

Source: Inverse Path - USB armory

Source: Inverse Path – USB armory

usbarmory – USB armory: open source flash-drive-sized computer

Roughly EUR 100 excluding, SD card, host adapter and enclousure.

Source: inversepath/usbarmory: USB armory: open source flash-drive-sized computer

Since I was talking about security anyway…. this is a nice toy for breaking open laptops or desktops when the administrator forbade the installation of software, or you want software on it executed. This is often the case with company devices, e.g. the laptops which are supplied by banks to their 3rd party suppliers. Outsourcing is cool, remember?

This is a computer on a stick which can run a Linux kernel. In combination with some USB gadget kernel modules, it can be configured to authenticate itself as any device. All you need to do is plug it in, and iterate by brute force through the device identifiers until you hit one which is accepted to be used. Store the statically linked software you want to install or run on the stick beforehand, and here you go. So if you ever need a SSH client on a “secure” Windows laptop… putty.exe FTW.

Posted by Ralf Ramge – Google+

–jeroen

via: Since I was talking about security anyway…. this is a nice toy for breaking open laptops or desktops when the administrator forbade the installation of… – Kristian Köhntopp – Google+

Posted in *nix, Hardware, Pen Testing, Power User, Security, USB | Leave a Comment »

Using the github version of certbot (formerly letsencrypt) to get Let’s Encrypt certificates

Posted by jpluimers on 2017/01/24

The Let’s Encrypt certbot (formerly letsencrypt) had some trouble on my machinery.

When trying to test if Apache default default · Issue #3307 · certbot/certbot and opensuse Tumbleweed: Each time I run certbot, a line with Listen 443 gets added to /etc/apache2/httpd.conf · Issue #3364 · certbot/certbot were fixed, I had to run certbot directly using specific github branches.

Normally certbot queries https://pypi.python.org/pypi/certbot/json to install the latest sanctioned version of itself. Which means this won’t work to run the version from github:

git clone https://github.com/certbot/certbot.git
cd certbot
./cerbot-auto <<command-line-parameters>>

But the below does:

git clone https://github.com/certbot/certbot.git
cd certbot
git checkout -b <<branch-name>>
./letsencrypt-auto-source/letsencrypt-auto --os-packages-only
./tools/venv.sh
source venv/bin/activate
cerbot <<command-line-parameters>>

The last statement will run ./venv/bin/certbot but you can also hard-code that (or perform which certbot to verify the directory is on the pat).

I used it to test with this branch:

git checkout -b origin/osrelease_like

The above are basically steps to setup a virtualenv as mentioned in Developer Guide — Certbot 0.9.0.dev0 documentation.

To undo, just run this from the certbot directory:

deactivate
rm -rf venv

The first statement will adjust your path and the second get rid of the virtual environment including all packages that were downloaded in it.

If you forgot to remove the venv directory, there might be old versions hanging around named like venv.1470590779.bak where the number in the middle is the number of seconds since unix epoch (1970-01-01 00:00:00 UTC) which you might want to remove as well.

Inside the venv environment you can use all kinds of Python tools, for instance:

  • Perform pip install ipdb after which you can add import ipdb;ipdb.set_trace() to any source line to break right into the Python debugger. There, it will drop you into debug console, which is pretty much fully fledged Python interpreter.
  • Run pip freeze to show all installed Python packages.

While testing, you can use the --test-cert or --staging command-line-options to use the Let’s Encrypt staging-environment this prevent running into the live environment rate limits (the main ones at time of writing are a Duplicate Certificate limit of 5 certificates per week and a Certificates per Registered Domain limit of 20 per week, whichever limit is lower).

–jeroen

Posted in *nix, Encryption, Let's Encrypt (letsencrypt/certbot), Linux, openSuSE, Power User, Security, SuSE Linux | Leave a Comment »

API Web Services, integration with third party applications, Secret Server | Thycotic

Posted by jpluimers on 2017/01/18

How good is this?

Access Secret Server using Web Services: mobile apps, third party applications, and scripts (with the proper authentication).

Source: API Web Services, integration with third party applications, Secret Server | Thycotic

I bumped into this after searching for winauthwebservices/sswinauthwebservice.asmx

https://www.reddit.com/r/sysadmin/comments/2o1gvd/thycotics_secret_server_is_on_sale_again/

http://thycotic.com/products/secret-server/compare-installed-editions/

–jeroen

Posted in Development, Hashing, Security, Software Development | Leave a Comment »

The curse of vulnerable OpenSSL DLLs

Posted by jpluimers on 2016/12/30

When you ship OpenSSL DLLs, you should provide an update mechanism outside of your regular product cycle that updates these shortly after vulnerabilities are fixed.

Few if any products do that. So I made an overview from products and OpenSSL DLL versions I had installed on various systems.

I’m a developer, so the list is biased towards tools I use often.

All of them are vulnerable: [WayBackhttps://www.openssl.org/news/vulnerabilities.html

  • 1.0.2.h by ContinuaCI 1.8.1.185 PostgreSQL and Avast 12.3
  • 1.0.2.g by SourceTree 1.9.x embedded git_local
  • 1.0.2d by Git for Windows 2.6.1
  • 1.0.2a by SQLite browser 3.7.0
  • 1.0.1m by Delphi 10.0 Seattle
  • 1.0.1l by Ruby 2.3
  • 1.0.1f by SlikSvn 1.8.5
  • 1.0.1g by Delphi XE8, Delphi XE7, VMware Workstation OVF tool and Adobe Creative Cloud 2.8.1
  • 1.0.0g by Delphi XE6, Delphi XE5, Delphi XE4, Delphi XE3, Appmethod 1.13 and CollabNet SVN Client 1.7.5
  • 1.00d by MarkdownPad 2
  • 1.0.0 by FinalBuider 7 XE2 and FinalBuilder 7 EE
  • 0.9.8za by VMware Remote Console Plug-in 5.1 and VMware Virtual Infrastructure Client 5.1
  • 0.9.8y by VMware VIX Workstation 10
  • 0.9.8t by Veaam Backup and Replication
  • 0.9.8r by ContinuaCI 1.8.1.185 hg support, VMware VIX and VMware Workstation 8.0.2
  • 0.9.8q by Veeam Backup Transport, Veaam Backup, xampp 1.7.4 and Replication and VMware Virtual Infrastructure Client 5.0
  • 0.9.8o by xampp 1.7.4
  • 0.9.8l by xampp 1.7.4
  • 0.9.8n by Delphi XE2, Delphi XE and VMware VIX Workstation 7.1.0
  • 0.9.8m by VMware VMRC Plug-in, VMware VIX and VMware Workstation 8.0.2
  • 0.9.8i by VMware Virtual Infrastructure Client 4.1
  • 0.9.8d by Database Workbench Pro 4.4.3, Database Workbench Pro 5.2.4 and VMware vSphere CLI Perl
  • 0.9.8b by Adobe Creative Suite 5
  • 0.9.7m by VMware VIX server 1.0.9
  • 0.9.7l by VMware VIX VIServer 2
  • N/A by Adobe Create Suite 5 and VMware VIX server 1

–jeroen

via: [WayBackDoes Delphi installer install OpenSSL dll’s?

PS: Below some Software Archeology related links in the comments.

Posted in .NET, CollabNet, Delphi, Development, DVCS - Distributed Version Control, git, OpenSSL, Power User, Ruby, Security, Software Development, Source Code Management, SourceTree, Subversion/SVN | 7 Comments »

Getting A or better grading on SSL Labs HTTPS tests

Posted by jpluimers on 2016/12/30

Now that everyone has had enough time to get proper TLS certificates using for instance LetsEncrypt, it’s time to up the ante: score better than an A on the SSL Labs tests from either their main site or dev site:

Here are some links to get there:

–jeroen

Posted in *nix, Apache2, Communications Development, Development, Encryption, Internet protocol suite, Let's Encrypt (letsencrypt/certbot), Power User, Security, TCP, TLS | Leave a Comment »

I can’t think of a better bunch of people to teach this course…

Posted by jpluimers on 2016/12/09

I can’t think of a better bunch of people to teach this course. Understanding the economics of security, especially from the bad guys perspective is a really valuable tool even if you are totally focussed on code.

https://www.edx.org/course/cyber-security-economics-delftx-secon101x

Cyber Security Economics

edX

I’m going to try to make room in my agenda to follow this course.

–jeroen

via: [WayBack] Alan Cox – Google+

Posted in Power User, Security | Leave a Comment »

Rob Graham 🦃 on Twitter: “1/x: So I bought a surveillance camera https://t.co/HbmPzrZgFK”

Posted by jpluimers on 2016/11/20

Conclusions:

  1. Always put your IoT devices behind a firewall
  2. Isolate each IoT device into it’s own “world” that can communicate as little with the rest of your networks as possible
  3. Preferably isolate each set of IoT devices that do need to communicate in their LoT (Lan of Things)
  4. Use Ad-Blockers

“1/x: So I bought a surveillance camera”: [WayBackRob Graham 🦃 on Twitter: “1/x: So I bought a surveillance camera https://t.co/HbmPzrZgFK”

Interesting: [WayBackErrata Security: Configuring Raspberry Pi as a router

Via: [WayBackPlugging in a new IP webcam. 98 seconds. infected. Wow. https://twitter.com/E… – G+ Jan Wildeboer

Interesting: [WayBackErrata Security: Configuring Raspberry Pi as a router

Of course Rob tried many webcams to find a vulnerable one. And putting telnet port 23 to the open is not the best idea, but people do that or get an indirect infection by some piece of JavaScript from an Ad-Network that searches for local vulnerable devices. That’s how the internet works!

Since Twitter and other social media ten to show the non-interesting part of a stream, here is the full one (no time to edit out the superfluous stuff):

Read the rest of this entry »

Posted in IoT Internet of Things, Network-and-equipment, Power User, Security | Leave a Comment »

« Previous Entries
Next Entries »