Archive for the ‘Security’ Category
Posted by jpluimers on 2016/08/08
Attack from the ’90s resurfaces more deadly than before
Source: Windows Flaw Reveals Microsoft Account Passwords, VPN Credentials
TL;DR: block port 445 (SMB) from LAN to WAN.
Note this won’t affect WebDAV shares like \\live.sysinternals.com\DavWWWRoot, as WebDAV uses ports 443 and 80.
–jeroen
Posted in Communications Development, Development, https, Internet protocol suite, Microsoft Surface on Windows 7, NTLM, Power User, Security, SMB, TCP, WebDAV, Windows, Windows 10, Windows 7, Windows 8, Windows 8.1, Windows 9, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Vista, Windows XP
Posted by jpluimers on 2016/08/03
Frequent password changes are the enemy of security, FTC technologist says
Source: Kristian Köhntopp – Google+
Since the 1980s I’ve been advocating the above opinion and I’m glad some people now agree with me.
If you ever hire or employ me and force such a regular password change policy upon me without allowing me to use a password manager that can communicate securely with the cloud (which means you don’t play TLS man-in-the-middle) then I will either:
create a password-change script that invalidates the password history you keep and re-use my really secure password of choice.
if that fails: add an incrementing value to a reasonably secure base password.
–jeroen
Posted in Power User, Security
Posted by jpluimers on 2016/07/25
Interesting:
just for completeness:
testssl.sh is a nice, console-based tool to check the SSL setup of any SSL/TLS-enabled server, in contrast to ssllabs.
It helped me solve this:
Host: http://www.beginend.net
Reason: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
Within the testssl.sh directory, you can use this to test with many ciphers:
OPENSSL=./openssl-bins/openssl-1.0.2-chacha.pm/openssl32-1.0.2pm-krb5.chacha+poly ./testssl.sh www.example.com
–jeroen
Posted in *nix, https, OpenSSL, Power User, Security
Posted by jpluimers on 2016/07/20
Great explanation of Diffie-Hellman Key Exchange – YouTube.
It is based on mixing colours, with some of the colours in the mix kept private.
Brilliant!
–jeroen
Posted in Algorithms, Development, Encryption, Hashing, https, OpenSSL, Power User, Public Key Cryptography, Security, Software Development
Posted by jpluimers on 2016/07/11
Still relevant after a few years: DEFCON 17: More Tricks For Defeating SSL – YouTube.
I landed there after trying to find out how to verify that the Internic root server file is actually published by Internic via authentication – Ways to sign gpg public key so it is trusted? – Information Security Stack Exchange.
I remember reading his “if you have to perform any cryptographic operation before verifying the MAC on a message you’ve received, it will somehow inevitably lead to doom” post (Moxie Marlinspike >> Blog >> The Cryptographic Doom Principle), but never noticed his videos.
It is still relevant as there are lots of implementations still vulnerable to these kinds of attacks.
Many more of his blog entries are interesting as well:
Posted in Encryption, Hashing, https, OpenSSL, PKI, Power User, Public Key Cryptography, Security, Signing
Posted by jpluimers on 2016/06/10
For my own reference:
Always get at least two keys, configure them, and use only one. Store the rest in a safe place for when the first dies.
Get the NEO (if you need NFC) or NEO-n (if you don’t need NFC but love small form-factor).
–jeroen
(Image courtesy of Yubico)
Posted in Encryption, Hashing, Power User, Security, U2F FIDO Security Keys
Posted by jpluimers on 2016/04/27
400+ Free Resources for DevOps & Sysadmins, ranging from bitbucket/github via letsencrypt through loggly to cloudflare, and all sorts of *aaS: online IDEs, payment services and more.
via: Mary Tee, referred to by Joe Hecht.
–jeroen
Posted in Development, Encryption, Let's Encrypt (letsencrypt/certbot), Power User, Security, Software Development
Posted by jpluimers on 2016/04/01
IRC so: »i> Isotopp: I now have a Mac as my workstation… Which tools does a UNIX hacker want to install first?«
Source: IRC so: »i> Isotopp: I now have a Mac as my workstation… Which… by Kristian Köhntopp.
Since G+ is very bad at searching, I created this summary of the tools; read the full G+ post (Google Translate is quite OK), including comments on why.
Edit: 20160402 – I’m posting regular updates based on the comments for that G+ post. I’ve changed or added German iTunes store links to US-English ones.
Posted in Apple, Audacity, Audio, Fusion, Hardware, Keybase, Keyboards and Keyboard Shortcuts, KVM keyboard/video/mouse, Mac, Mac OS X / OS X / MacOS, MacBook, MacBook Retina, MacBook-Pro, Media, OS X 10.10 Yosemite, OS X 10.11 El Capitan, Power User, Security, VirtualBox, Virtualization, VMware
Posted by jpluimers on 2016/02/25
Just while I was watching a nice DEFCON video about security
I came across these two links:
It really looks like too many companies are not genuinely interested in your security.
(Prices of Crazyradio PA devices on Amazon USA didn’t just go through the roof: they ran out of them)
–jeroen
Posted in Geeky, Security