The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests


Archive for the ‘Security’ Category

XZ 5.6.x are backdoored and present in many systems: downgrade to 5.4.x or earlier now; consider libarchive compromised until proven otherwise

Posted by jpluimers on 2024/03/30

Edit 20240331: because of

https://mastodon.social/@kobold/112183756981119562

Debian is working on reverting back to even earlier than 5.4.x

[Wayback/Archive] #1068024 – revert to version that does not contain changes by bad actor – Debian Bug report logs

> I'd suggest reverting to 5.3.1. Bearing in mind that there were security
> fixes after that point for ZDI-CAN-16587 that would need to be reapplied.

Note that reverting to such an old version will break packages that use
new symbols introduced since then. From a quick look, this is at least:
- dpkg
- erofs-utils
- kmod

Having dpkg in that list means that such downgrade has to be planned
carefully.

Original post:

Everything I know about the XZ backdoor

Note that because of the Wayback Machine limit of 5 archivals per URL per day, the archived versions are rapidly getting out-of-date.

It is way worse:

[Wayback/Archive] Thread by @_ruby on Thread Reader App – Thread Reader App

@_ruby: The setup behind the CVE-2024-3094 supply-chain attack is fascinating. I originally wanted to finish and share a tool to audit other OSS projects for anomalous contributor behavior, but I feel what I found tr……

How it was found:

Analogy on how it was found:

Via:

Related:

If you are running homebrew on a Mac, then update too:

Of course this “XKCD dependency” adoption applies:

[Wayback/Archive] GJ4KvbeWIAAS_mu (535×680)

Posted in C, Compression, Development, Infosec (Information Security), Power User, Security, Software Development, xz

VoIP: passing on a phone number from one Fritz!Box to another Fritz!Box

Posted by jpluimers on 2024/03/11

Most Fritz!Box VoIP configurations have a phone number configured to only work on telephony devices (i.e. handsets) on the same Fritz!Box.

But it is possible to define a telephony device that itself is another VoIP end-point.

This way you can hook a second (or more) Fritz!Box up to the phone number(s) of the first Fritz!Box.

I am using this for two reasons:

Below is how to get this going, assuming the first Fritz!Box is a 7490 running firmware 7.29 and the second is a 7360 with firmware 6.33 (other models and firmware versions vary slightly).

But first the related post: Many links about free modem/router choice and their configurations for the Dutch KPN internet/VoIP provider where I figured out that just using a 7360 won’t cut it any more.

Read the rest of this entry »

Posted in 2FA/MFA, Authentication, Authy, DECT, Fritz!, Fritz!Box, Hardware, ISDN, Network-and-equipment, Power User, PSTN, Security, Telephony, VoIP

thuddevort on Twitter: “You can disable the extra confirmation under System > FRITZ!Box Users > Additional Confirmation”

Posted by jpluimers on 2024/02/16

My ISP did auto-update the Fritz!Box, but did not send release notes, so I was not aware this feature had been added eons ago:

[Wayback/Archive] thuddevort on Twitter: “@jpluimers @wijnands @b0rk @xs4all You can disable the extra confirmation under System > FRITZ!Box Users > Additional Confirmation”.

I know a second factor is better for security, but having to confirm on both sites at the same time while setting up a LAN2LAN VPN is tough (Fritz!Box names this either “LAN-LAN coupling” or “VPN Connections between the FRITZ!Box and Other Networks”).

A better option on the same configuration page is not to disable the confirmation, but to enable confirming it with authenticator apps like Google Authenticator and Authy:

Read the rest of this entry »

Posted in 2FA/MFA, Authentication, Authy, Fritz!, Fritz!Box, Hardware, Network-and-equipment, Power User, Security

Walls and Ladders when pasting e-mail on account sign-up forms: Paste It – Chrome Web Store

Posted by jpluimers on 2024/02/06

In a game of Walls and Ladders (similar to Arms Race), the Ladders usually win, see the references at the end of the post.

The actual “game” in this case: more and more sites build walls to prevent pasting credential-related information like user IDs (often e-mail addresses) or passwords, usually citing “more safety” or “less security risk”, while users build taller ladders because they want to paste exactly that information for their own security reasons:

[Wayback/Archive] Stef 🎈 on Twitter: “Dear mobile/web-apps, please never never disable copy and paste “due to security reasons”. -everybody with a password manager.”

The walls will always lose, so it is better to invest the money spent on walls into other security measures.

Given that most of the risk is websites getting that information exfiltrated, I wish they put more energy into bolting down that side of the security risk rather than hampering legitimate users entering that information in the first place.

Since so many of these sites have leaked my information in the past, any email address I use for activating an account is like 50 characters long. Something I am not going to type once (because of typing mistakes) and definitely not twice (to confirm I did not make typing mistakes).

Read the rest of this entry »

Posted in Authentication, Chrome, Clipboard, Development, Google, HTML, JavaScript/ECMAScript, Power User, Scripting, Security, Software Development, Web Development

Today is the day that video identification died.

Posted by jpluimers on 2024/02/04

[Wayback/Archive] Finance worker pays out $25 million after video call with deepfake ‘chief financial officer’ | CNN

Via:

--jeroen

Posted in Power User, Security

PRANK: Windows XP Updates

Posted by jpluimers on 2024/01/25

This one is cool: [Wayback/Archive] PRANK: Windows XP Updates.

Note that, unlike the static screenshot below, the actual prank page does count up the percentage.

You can start this one and various other OSes plus Windows versions and other pranks via [Wayback/Archive] FakeUpdate.net – Windows Update Prank by fediaFedia (at the time of writing Windows 98 install, Windows Vista update, Windows 8 update, Windows 7 update, Mac OS boot, Windows 10 install, Windows 10 update, steam and “fake ransomware”).

It is a cool and relatively harmless way of teaching people to use their lock screen when away from their machine (Windows: Win+L, Mac OS: Ctrl+Shift+Power).

Read the rest of this entry »

Posted in Awareness, Fun, Power User, Security, Windows, Windows 10, Windows 11, Windows 7, Windows 8, Windows 8.1, Windows 9, Windows Server 2000, Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Vista, Windows XP

Threads by @BillDemirkapi about the Okta Breach by LAPSUS$

Posted by jpluimers on 2024/01/16

There are many interesting threads about the Okta breach (via Sitel) by LAPSUS$.

Two of them in reverse chronological order (and their starting points on Twitter):

Read the rest of this entry »

Posted in Power User, Security

Fork Gist to Repo on GitHub – Stack Overflow

Posted by jpluimers on 2024/01/09

It is not a full fork and misses a few things (including the Gist description), but is the easiest way to clone a gist to a regular GitHub repository.

I needed it because somehow pushing to gists was denied without explanation or real GitHub feedback.

Another reason is that regular GitHub repositories show you way more information about the commits than Gists do.

Thanks [Wayback/Archive] Noitidart for asking and [Wayback/Archive] Bruno Bronosky for answering at [Wayback/Archive] Fork Gist to Repo on GitHub – Stack Overflow:

Read the rest of this entry »

Posted in Authentication, Development, DVCS - Distributed Version Control, gist, git, GitHub, LifeHacker, Power User, Security, Source Code Management

Yet another reason not to use SMS based 2FA: those phone numbers get leaked or sold as Daniel Cuthbert mentioned on Twitter: “@LinkedIn did indeed sell my 2FA phone number”

Posted by jpluimers on 2023/12/06

Many recommend against using SMS for 2FA for security reasons (SIM swapping, sniffing, etc.), but there is another privacy+security reason: these 2FA phone numbers get leaked or sold, as [Wayback/Archive] Daniel Cuthbert (@dcuthbert) found out the hard way last year:

–jeroen

Posted in 2FA/MFA, Authentication, GDPR/DS-GVO/AVG, Power User, Privacy, Security

C#/.NET: for personally identifiable information, use Gaev.Blog.Examples/PiiString.cs at 3.1.1 · gaevoy/Gaev.Blog.Examples

Posted by jpluimers on 2023/10/12

A while ago [Wayback/Archive] Vladimir Gaevoy wrote a great blog post which I bumped into through his tweet [Wayback/Archive] “Blogged: .NET type for personally identifiable information (PII). Working with PII with the help of .NET String is painful. Let’s see the benefits of PiiString as explicit .NET type instead of .NET String #pii #dotnet #gdpr #security”

The tweet does not fully do justice to his blog post [Wayback/Archive] .NET type for personally identifiable information (PII), as the post not only discusses the background (GDPR and other requirements, for instance the [Wayback/Archive] GDPR compliance checklist – GDPR.eu) and the class itself, but also shows with examples how to use it for:

  • conversion to/from user interface plain text
  • hashing to pseudonymized/anonymized form
  • encryption for more secure storage

In addition, more examples cover JSON, Entity Framework, [Wayback/Archive] NLog, and [Wayback/Archive] Serilog — simple .NET logging with fully-structured events.
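To make the three uses listed above concrete, here is an added illustration of what an explicit PII type buys you. It is my own sketch, not the PiiString class from Gaev.Blog.Examples nor code from Vladimir's post; it assumes .NET 8 or later (for the AesGcm constructor that takes a tag size), and the e-mail address and the in-process random keys are constructed sample data (real keys would come from a secret store):

```csharp
#nullable enable
using System;
using System.Security.Cryptography;
using System.Text;

// Illustrative explicit PII type (added example; not the Gaev.Blog.Examples class).
// The point: the compiler, not convention, keeps PII out of logs, string
// interpolation and untyped serialisation. Requires .NET 8+.
public readonly struct PiiString : IEquatable<PiiString>
{
    private readonly string _value;

    public PiiString(string value)
    {
        _value = value ?? throw new ArgumentNullException(nameof(value));
    }

    // 1. Conversion to/from user-interface plain text.
    //    Both directions are explicit casts, so `string s = pii;` does not compile.
    public static explicit operator string(PiiString pii) => pii._value;
    public static explicit operator PiiString(string plain) => new PiiString(plain);

    // ToString() is what loggers, debuggers and $"..." call: redact there.
    public override string ToString() => "[PII]";

    // 2. Hashing to a pseudonymised form: keyed HMAC-SHA256, hex encoded.
    //    A keyed hash still lets you correlate records, but someone without the key
    //    cannot brute-force short inputs (e-mail addresses, phone numbers) from a digest.
    public string ToPseudonym(byte[] hmacKey)
    {
        using var hmac = new HMACSHA256(hmacKey);
        return Convert.ToHexString(hmac.ComputeHash(Encoding.UTF8.GetBytes(_value)));
    }

    // 3. Encryption for storage: AES-256-GCM. Blob layout = nonce(12) | tag(16) | ciphertext.
    public byte[] ToEncrypted(byte[] aesKey)
    {
        byte[] plaintext  = Encoding.UTF8.GetBytes(_value);
        byte[] nonce      = RandomNumberGenerator.GetBytes(AesGcm.NonceByteSizes.MaxSize);
        byte[] tag        = new byte[AesGcm.TagByteSizes.MaxSize];
        byte[] ciphertext = new byte[plaintext.Length];

        using var aes = new AesGcm(aesKey, tag.Length);
        aes.Encrypt(nonce, plaintext, ciphertext, tag);

        byte[] blob = new byte[nonce.Length + tag.Length + ciphertext.Length];
        Buffer.BlockCopy(nonce,      0, blob, 0,                          nonce.Length);
        Buffer.BlockCopy(tag,        0, blob, nonce.Length,               tag.Length);
        Buffer.BlockCopy(ciphertext, 0, blob, nonce.Length + tag.Length,  ciphertext.Length);
        return blob;
    }

    public static PiiString FromEncrypted(byte[] blob, byte[] aesKey)
    {
        int nonceLen = AesGcm.NonceByteSizes.MaxSize;
        int tagLen   = AesGcm.TagByteSizes.MaxSize;
        if (blob.Length < nonceLen + tagLen)
            throw new CryptographicException("encrypted blob is too short");

        var nonce      = new ReadOnlySpan<byte>(blob, 0, nonceLen);
        var tag        = new ReadOnlySpan<byte>(blob, nonceLen, tagLen);
        var ciphertext = new ReadOnlySpan<byte>(blob, nonceLen + tagLen, blob.Length - nonceLen - tagLen);
        byte[] plaintext = new byte[ciphertext.Length];

        using var aes = new AesGcm(aesKey, tagLen);
        aes.Decrypt(nonce, ciphertext, tag, plaintext); // throws if the blob was tampered with
        return new PiiString(Encoding.UTF8.GetString(plaintext));
    }

    // Constant-time comparison so equality checks do not leak how many bytes matched.
    public bool Equals(PiiString other) =>
        CryptographicOperations.FixedTimeEquals(
            Encoding.UTF8.GetBytes(_value), Encoding.UTF8.GetBytes(other._value));
    public override bool Equals(object? obj) => obj is PiiString p && Equals(p);
    public override int GetHashCode() => _value?.GetHashCode() ?? 0;
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample data and throw-away keys, for the demo only.
        byte[] hmacKey = RandomNumberGenerator.GetBytes(32);
        byte[] aesKey  = RandomNumberGenerator.GetBytes(32);
        var email = (PiiString)"alice@example.com";

        Console.WriteLine($"log line:        user={email}");            // user=[PII]
        Console.WriteLine($"pseudonym:       {email.ToPseudonym(hmacKey)}");

        byte[] stored = email.ToEncrypted(aesKey);
        PiiString restored = PiiString.FromEncrypted(stored, aesKey);
        Console.WriteLine($"round-trip ok:   {email.Equals(restored)}");
        Console.WriteLine($"for the UI only: {(string)restored}");

        // Flipping one ciphertext byte fails authentication instead of yielding garbage.
        stored[^1] ^= 0x01;
        try { PiiString.FromEncrypted(stored, aesKey); }
        catch (CryptographicException) { Console.WriteLine("tampered blob rejected"); }
    }
}
```

The design choice worth noting is the explicit-only conversion: the moment PII is a distinct type, every place that turns it back into a plain string is a visible cast you can grep for and review, while the redacting `ToString()` is what interpolation and most logging sinks pick up by default.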

Read the rest of this entry »

Posted in .NET, C#, Development, Power User, Privacy, Security, Software Development