The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests

Archive for the ‘Security’ Category

Index of /materials/haxpo2015ams

Posted by jpluimers on 2015/11/27

It feels like yesterday, but haxpo2015ams was already six months ago!

Session materials index:

Index of /materials/haxpo2015ams

[ICO] Name Last modified Size Description

[PARENTDIR] Parent Directory
[ ] D1 – Frank Breedijk – Help my Security Officer is Allergic to DevOps.pdf 2015-05-28 07:19 6.7M
[ ] D1 – Lisha Sterling – Hacking Humanitarian Project for Fun and Profit.pdf 2015-05-27 18:27 6.1M
[ ] D1 – Marc Newlin – ReDECTed.pdf 2015-05-27 16:56 1.7M
[ ] D1 – P. Mason, K. Flemming A. Gill – All Your Hostnames Are Belong to Us.pdf 2015-05-27 16:03 2.8M
[ ] D1 – Wouter van Rooij – Future Privacy.pdf 2015-05-27 16:16 715K
[ ] D2 – Bob Baxley – Privacy and Security in the Internet of Things.pdf 2015-05-28 17:00 7.1M
[ ] D2 – Edwin Sturrus – Data Security and Privacy in the Age of Cloud.pdf 2015-05-28 15:24 1.2M
[ ] D2 – Jessica Maes – Privacy in Digital Society.pdf 2015-05-28 12:18 4.1M
[ ] D2 – Jimmy Shah – BYOD is Now BYOT – Current Trends in Mobile APT.pdf 2015-05-28 15:55 3.6M
[ ] D3 – Jaya Baloo – Crypto is Dead Long Live Crypto.pdf 2015-05-29 17:17 4.4M
[ ] D3 – Jeroen van der Ham – Responsible Disclosure in The Netherlands.pdf 2015-05-29 16:37 1.7M
[ ] D3 – Oliver Matula and Christopher Scheuring – Evaluating the APT App Armor.pdf 2015-05-29 11:55 3.9M
[ ] D3 – R. Schaefer and J. Salazar – Pentesting in the Age of IPv6.pdf 2015-05-29 16:22 1.8M
[ ] D3 – Ruben van Vreeland – New Attack Vectors for Exploiting Web Platforms.pdf 2015-05-29 11:55 816K
[ ] HAXPO HIGHLIGHT – Andrew Tanenbaum – MINIX3.pdf 2015-05-28 15:19 9.2M
[ ] HAXPO HIGHLIGHT – Eleanor Saitta – Designing Security Outcomes.pdf 2015-05-29 15:15 1.4M
[ ] HAXPO HIGHLIGHT – Reuben Paul – The A-to-Z of CyberSecurity.pdf 2015-05-28 15:19 17M
[ ] HAXPO WELCOME – Richard Thieme – Too Much to Know.pdf 2015-05-27 13:37 6.3M

Apache/2.4.7 (Ubuntu) Server at haxpo.nl Port 80

–jeroen

Posted in *nix, *nix-tools, Encryption, Hashing, https, LifeHacker, OpenSSL, PKI, Power User, Public Key Cryptography, Security, Signing

StartSSL indeed offers free Class1 certificates for any subdomain

Posted by jpluimers on 2015/11/20

Thanks Craine for answering:

StartSSL does in fact offer free SSL certs for subdomains, though they are Class 1 certificates.

It works: just start the process for the domain, then when you get to the step for entering a subdomain, enter any one (www works, of course, but you can repeat the process to register certificates for multiple subdomains).

–jeroen

via: tls – Free second-level domain SSL certificate – Information Security Stack Exchange

Posted in *nix, *nix-tools, Apache2, https, Power User, Security

How is NSA breaking so much crypto? “weak” standard primes for Diffie-Hellman are being widely used and take NSA only ~$100 million to crack

Posted by jpluimers on 2015/11/19

Interesting: a few quotes below; for details, read How is NSA breaking so much crypto? and the full paper Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice.

The key is, somewhat ironically, Diffie-Hellman key exchange, an algorithm that we and many others have advocated as a defense against mass surveillance. Diffie-Hellman is a cornerstone of modern cryptography used for VPNs, HTTPS websites, email, and many other protocols. Our paper shows that, through a confluence of number theory and bad implementation choices, many real-world users of Diffie-Hellman are likely vulnerable to state-level attackers.

.. there was a very important detail that got lost in translation between the mathematicians and the practitioners: an adversary can perform a single enormous computation to “crack” a particular prime, then easily break any individual connection that uses that prime.

How enormous a computation, you ask? …  For the most common strength of Diffie-Hellman (1024 bits), it would cost a few hundred million dollars to build a machine, based on special purpose hardware, that would be able to crack one Diffie-Hellman prime every year.

Would this be worth it for an intelligence agency? Since a handful of primes are so widely reused, the payoff, in terms of connections they could decrypt, would be enormous. Breaking a single, common 1024-bit prime would allow NSA to passively decrypt connections to two-thirds of VPNs and a quarter of all SSH servers globally. Breaking a second 1024-bit prime would allow passive eavesdropping on connections to nearly 20% of the top million HTTPS websites. In other words, a one-time investment in massive computation would make it possible to eavesdrop on trillions of encrypted connections.

NSA could afford such an investment. The 2013 “black budget” request …  shows that the agency’s budget is on the order of $10 billion a year, with over $1 billion dedicated to computer network exploitation, and several subprograms in the hundreds of millions a year.

… However, our proposed Diffie-Hellman break fits the known technical details about their large-scale decryption capabilities better than any competing explanation. For instance, the Snowden documents show that NSA’s VPN decryption infrastructure involves intercepting encrypted connections and passing certain data to supercomputers, which return the key. The design of the system goes to great lengths to collect particular data that would be necessary for an attack on Diffie-Hellman but not for alternative explanations, like a break in AES or other symmetric crypto.

Since weak use of Diffie-Hellman is widespread in standards and implementations, it will be many years before the problems go away, even given existing security recommendations and our new findings. In the meantime, other large governments potentially can implement similar attacks, if they haven’t already.

Our findings illuminate the tension between NSA’s two missions, gathering intelligence and defending U.S. computer security. If our hypothesis is correct, the agency has been vigorously exploiting weak Diffie-Hellman, while taking only small steps to help fix the problem. On the defensive side, NSA has recommended that implementors should transition to elliptic curve cryptography, which isn’t known to suffer from this loophole, but such recommendations tend to go unheeded absent explicit justifications or demonstrations. This problem is compounded because the security community is hesitant to take NSA recommendations at face value, following apparent efforts to backdoor cryptographic standards.

–jeroen

Posted in Algorithms, Development, Encryption, Power User, Security, Software Development

Hash Toolkit – Reverse MD5 / SHA1 Hashes

Posted by jpluimers on 2015/11/11

Interesting: Hash Toolkit – Reverse MD5 / SHA1 Hashes

They generate and allow you to generate various hashes, and store both the hash and original so you can reverse it.

Not meant for production data, but an approach for verifying if you do hashing correctly.

–jeroen

via: Hash Toolkit – Reverse MD5 / SHA1 Hashes.

Posted in Development, Hashing, md5, Power User, Security, Software Development

Life in a post-database world: using crypto to avoid DB writes

Posted by jpluimers on 2015/11/05

Interesting: Life in a post-database world: using crypto to avoid DB writes.

For some security related operations, you only need smart use of HMAC, and no temporary database entries.

Thanks for the Jan Wildeboer referral to this.
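The idea above, sketched as an added example (not code from the linked article or from this blog): a password-reset token that carries its own user name and expiry and is authenticated with HMAC-SHA256, so nothing is written to the database when it is issued. The key, the `|` payload layout, the function names and the binding to the stored password hash are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import time

# Constructed demo key (assumption); load a long random secret from config in practice.
SERVER_KEY = b"constructed-demo-key-not-for-production"


def b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def token_mac(payload: bytes, pw_hash: str) -> bytes:
    # Mixing in the stored password hash invalidates the token as soon as the
    # password changes, giving single use without a "pending reset" table.
    msg = payload + b"\x00" + pw_hash.encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()


def issue_reset_token(user: str, pw_hash: str, ttl: int = 900, now=None) -> str:
    expires = int(time.time() if now is None else now) + ttl
    payload = f"{user}|{expires}".encode()
    return b64e(payload) + "." + b64e(token_mac(payload, pw_hash))


def verify_reset_token(token: str, lookup_pw_hash, now=None):
    """Return the user name for an authentic, unexpired token, else None."""
    try:
        payload_b64, mac_b64 = token.split(".")
        payload, sent_mac = b64d(payload_b64), b64d(mac_b64)
        user, expires = payload.decode().rsplit("|", 1)
        expires = int(expires)
    except (ValueError, UnicodeDecodeError):
        return None
    pw_hash = lookup_pw_hash(user)  # read-only lookup of existing account data
    if pw_hash is None:
        return None
    # Constant-time comparison; the expiry is only trusted once the MAC verifies.
    if not hmac.compare_digest(sent_mac, token_mac(payload, pw_hash)):
        return None
    if (time.time() if now is None else now) > expires:
        return None
    return user
```

The `now` parameter exists only so the expiry logic can be exercised with fixed timestamps.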

–jeroen

Posted in Development, Hashing, Power User, Security, Software Development

HTTPS Everywhere Firefox/Chrome/Opera extension – Electronic Frontier Foundation

Posted by jpluimers on 2015/09/11

Over time this has become a must have: HTTPS Everywhere | Electronic Frontier Foundation developed by EFF and TOR.

Too bad many sites still do not work correctly with it.

This is especially true for places or networks where HTTP (or even worse HTTPS) is going through a MitM layer; for instance, many mobile providers do this by injecting tracking bits into your traffic:

–jeroen

via: HTTPS Everywhere | Electronic Frontier Foundation.

Posted in https, Power User, Security

Dropbox adds u2f support … if you connect to it via Chrome. Using FIDO U2F. Easy with Plug-Up foldable key.

Posted by jpluimers on 2015/08/21

I like this: the plug-up affordable FIDO U2F Security Key by HAPPLINK.

You could already use it for Google 2nd factor authentication (2FA) through Chrome. You can do this from your own applications for instance through the U2F reference implementation.

Now you can also use it as 2FA for DropBox, also through Chrome. And it is easy with the plug-up key (thanks Kristian):

Aaaand… switched over. That was easy.

http://www.amazon.de/dp/B00OGPO3ZS

There are other FIDO tokens that can do more. I take this one; it costs next to nothing and you can buy them and hand them out like confetti.

Or inside the Europe mainland, for instance in:

–jeroen

via: Dropbox adds u2f support … if you connect to it via Chrome. If I’m not….

Posted in Chrome, DropBox, Google, GoogleAuthenticator, LifeHacker, Power User, Security, SocialMedia, U2F FIDO Security Keys

security – How do I view the contents of a PFX file on Windows? – Super User

Posted by jpluimers on 2015/07/27

Dumping any kind of certificate file gives you access to more details than the Windows UI usually shows you.

This is especially handy when checking out errors or issues (which can be very difficult to track down).

For binary PFX files, the certutil and openssl commands come in very handy:

Some options to view PFX file details:

  • Open a command prompt and type: certutil -dump
  • Install OpenSSL and use the commands to view the details, such as: openssl pkcs12 -info -in unverified.

OpenSSL is a separate download; to get it, see Some command-line tips for OpenSSL and file format pfx, p12, cer, crt, key, etc. conversion of certificates, keys in my OpenSSL category of articles.

CertUtil now ships with Windows by default (it wasn’t in the Windows XP era, I’m not sure about Windows Server 2003).

Here is the CertUtil help for dumping certificate information:

Dump certificate file information

CertUtil [Options] [-dump] [File]

Options: [-f] [-silent] [-split] [-p Password] [-t Timeout]

Note:

  • the [-v] option is not listed, but does work; it will give a more verbose dump.
  • [-dump] also works with other certificate file extensions, like .p7b files.

Here is the OpenSSL help for dumping pkcs12 information:

openssl pkcs12 [-export] [-chain] [-inkey filename] [-certfile filename] [-name name] [-caname name] [-in filename] [-out filename] [-noout] [-nomacver] [-nocerts] [-clcerts] [-cacerts] [-nokeys] [-info] [-des | -des3 | -idea | -aes128 | -aes192 | -aes256 | -camellia128 | -camellia192 | -camellia256 | -nodes] [-noiter] [-maciter | -nomaciter | -nomac] [-twopass] [-descert] [-certpbe cipher] [-keypbe cipher] [-macalg digest] [-keyex] [-keysig] [-password arg] [-passin arg] [-passout arg] [-rand files] [-CAfile file] [-CApath dir] [-CSP name]

DESCRIPTION

The pkcs12 command allows PKCS#12 files sometimes referred to as PFX files to be created and parsed. PKCS#12 files are used by several programs including Netscape, MSIE and MS Outlook.

COMMAND OPTIONS

There are a lot of options the meaning of some depends of whether a PKCS#12 file is being created or parsed. By default a PKCS#12 file is parsed. A PKCS#12 file can be created by using the -export option see below.

PARSING OPTIONS

-in filename; This specifies filename of the PKCS#12 file to be parsed. Standard input is used by default.

-info; output additional information about the PKCS#12 file structure, algorithms used and iteration counts.

and the OpenSSL help for dumping pkcs7 information:

openssl pkcs7 [-inform PEM|DER] [-outform PEM|DER] [-in filename] [-out filename] [-print_certs] [-text] [-noout] [-engine id]

DESCRIPTION

The pkcs7 command processes PKCS#7 files in DER or PEM format.

COMMAND OPTIONS

-inform DER|PEM; This specifies the input format. DER format is DER encoded PKCS#7 v1.5 structure. PEM (the default) is a base64 encoded version of the DER form with header and footer lines.

-print_certs; prints out any certificates or CRLs contained in the file. They are preceded by their subject and issuer names in one line format.

-text; prints out certificates details in full rather than just subject and issuer names.

Notes:

  • do not forget the -inform DER option to specify a binary .p7b file.
  • the -text option gives you more verbose information.

via OpenSSL: Documents, pkcs71.

–jeroen

Posted in CertUtil, OpenSSL, PKI, Power User, Public Key Cryptography, Security, Windows

Hacking Team had more and more need for SSL MITM

Posted by jpluimers on 2015/07/07

Interesting reads:

–jeroen

Posted in Communications Development, Development, https, Internet protocol suite, LifeHacker, Power User, Security, TCP, TLS

Time to upgrade: SHAAAAAAAAAAAAA | Check your site for weak SHA-1 certificates.

Posted by jpluimers on 2015/06/01

The days of SHA-1 are quickly coming to an end. For a few weeks now, Chrome has been marking SHA-1 signed TLS/SSL certificates with an expiration > 2015-12-31 as insecure. They promised to sunset SHA-1 about 9 months ago.

So if you haven’t done so, upgrade your HTTPS (and HTTP/2 which defaults to TLS) certificates to SHA-2. A great site of help here is SHAAAAAAAAAAAAA | Check your site for weak SHA-1 certificates. It is open source at GitHub.

You’ve less than 6 months now.

More in-depth reading (especially the comments by Ryan Sleevi): Chrome 42 (next stable) will mark SHA-1 signed certs with a validation date >2015 as insecure!.

–jeroen

PS: if you really need to do the balancing act, you technically can serve old certificates to SHA-2 incompatible clients while serving more secure certificates to modern clients. But it’s a risk, so you might as well tell these old clients they’re out.

Posted in https, Power User, Public Key Cryptography, Security, TLS