The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests

  • My badges

    Mastodon

  • Twitter Updates

  • My Flickr Stream

    20140508-Delphi-2007--Project-Options--Cannot-Edit-Application-Title-HelpFile-Icon-Theming20140430-Fiddler-Filter-Actions-Button-Run-Filterset-now20140424-VMware-Fusion-6.0.3.-no-reclaimable
    More Photos

  • Pages

  • All categories

  • Enter your email address to subscribe to this blog and receive notifications of new posts by email.

    Join 1,854 other subscribers

Archive for the ‘Security’ Category

« Previous Entries
Next Entries »

Help:Two-factor authentication – Wikipedia

Posted by jpluimers on 2023/09/06

For my link archive as this page contains instructions to request 2FA privileges at Wikipedia: [Wayback/Archive] Help:Two-factor authentication – Wikipedia

Checking whether 2FA is enabled

To determine whether your account has 2FA enabled, go to Special:Preferences. Under “Basic information”, check the entry for “Two-factor authentication”, which should be between “Global account” and “Global preferences”:

Viewing m:Steward requests/Global permissions#Requests for 2 Factor Auth tester permissions is possible to do without being logged on at Wikipedia, but for requesting the 2FA permission and accessing Special:Preferences you need to be logged on.

Visit [Wayback/Archive] Steward requests/Global permissions/2018-12 – Meta and look for “OATH tester” for some examples of motivations for requesting.

–jeroen

Posted in 2FA/MFA, Authentication, Power User, Security, SocialMedia, wikipedia | Leave a Comment »

Only 2 weeks left to enable 2FA for your GitHub account

Posted by jpluimers on 2023/08/29

If you haven’t done so already, then enable 2FA for your GitHub account now: This will be a requirement in 2 weeks time.

The 2FA/MFA possibility started about half a year ago with [Wayback/Archive] Raising the bar for software security: GitHub 2FA begins March 13 – The GitHub Blog

You can have various means of 2FA, which al start with a choice between:

After completing either of those those, you can view/download a set of backup codes, and you can add more factors to your Multi-factor authentication setup up to these:

Read the rest of this entry »

Posted in 2FA/MFA, Authentication, Development, DVCS - Distributed Version Control, git, GitHub, Power User, Security, Software Development, Source Code Management | Leave a Comment »

5 days after the exploit publication of snowcra5h/CVE-2023-38408: Remote Code Execution in OpenSSH’s forwarded ssh-agent

Posted by jpluimers on 2023/07/26

TL;DR is at the bottom (;

5 days ago this exploit development got published: [Wayback/Archive] snowcra5h/CVE-2023-38408: CVE-2023-38408 Remote Code Execution in OpenSSH’s forwarded ssh-agent.

It is about [Wayback/Archive] NVD – CVE-2023-38408 which there at NIST isn’t rated (yet?), neither at [Wayback/Archive] CVE-2023-38408 : The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remot.

However at [Wayback/Archive] CVE-2023-38408- Red Hat Customer Portal it scores 7.3 and [Wayback/Archive] CVE-2023-38408 | SUSE it did get a rating of 7.5, so since I mainly use OpenSuSE I wondered what to do as the CVE is formulated densely at [Wayback/Archive] www.qualys.com/2023/07/19/cve-2023-38408/rce-openssh-forwarded-ssh-agent.txt: it mentions Alice, but no Bob or Mallory (see Alice and Bob – Wikipedia).

Luckily, others readly already did the fine reading and emphasised the important bits, especially at [Wayback/Archive] RCE Vulnerability in OpenSSH’s SSH-Agent Forwarding: CVE-2023-38408 (note that instead of Alex, they actually mean Alice)

“A system administrator (Alice) runs SSH-agent on her local workstation, connects to a remote server with ssh, and enables SSH-agent forwarding with the -A or ForwardAgent option, thus making her SSH-agent (which is running on her local workstation) reachable from the remote server.”

According to researchers from Qualys, a remote attacker who has control of the host, which Alex has connected to, can load (dlopen()) and immediately unload (dlclose()) any shared library in /usr/lib* on Alice’s workstation (via her forwarded SSH-agent if it is compiled with ENABLE_PKCS11, which is the default).

The vulnerability lies in how SSH-agent handles forwarded shared libraries. When SSH-agent is compiled with ENABLE_PKCS11 (the default configuration), it forwards shared libraries from the user’s local workstation to the remote server. These libraries are loaded (dlopen()) and immediately unloaded (dlclose()) on the user’s workstation. The problem arises because certain shared libraries have side effects when loaded and unloaded, which can be exploited by an attacker who gains access to the remote server where SSH-agent is forwarded to.

Mitigations for the SSH-Agent Forwarding RCE Vulnerability

Read the rest of this entry »

Posted in *nix, *nix-tools, bash, bash, Communications Development, Development, Internet protocol suite, OpenSSH, Power User, PowerShell, Scripting, Security, Software Development, SSH | Leave a Comment »

On repeat: “ask information only once”;  Eenmalige uitvraag – NORA Online

Posted by jpluimers on 2023/07/13

Since the SVB PGB site keeps violating the [Wayback/Archive] AP12: Eenmalige uitvraag – NORA Online principle, some more emphasis on it as the usefulness of the “ask information only once” principle is not limited to government sites or commercial sites providing services for the government.

The principle “ask information only once” is valid for any site and needs to be present at all times, especially in these situations:

  1. when an authentication token is expired and re-authentication is needed
  2. when checking if authentication might have been expired and a page refresh is done during that check

I wrote about 1. in SVB PGB and DigiD security suddenly logged you out every 15 minutes despite the count down counter indicating otherwise ( wrote it in March 2021, published it in December 2021 when I thought it had been sort of solved).

That was obnoxious and took a very long time to fix (despite the mandatory aspect of the “ask information only once” principle and me pushing for a quick resolving in [Archive.isJeroen Wiert Pluimers on Twitter: “Omdat de @SVB_PGB site hiermee een noodzakelijk NORA archictectuur principe schendt (je raakt bij de logoff/logon de informatie die je op de pagina aan het invullen bent kwijt): kan dit een hoge prirotieit krijgen? Zie: – …”).

In February 2022, I had enough energy to submit the final PGB administration parts to the SVB PGB site. I didn’t get logged out every few minutes for the first hour or so (that only happened after being authenticated more than one hour, then repeating every 15 minutes), but I bumped into 2: loosing a lot of data in an at first unpredictable manner.

An underlying thing is that despite the NORA rules to be mandatory there is no sanction for the SVB (or any other government organisation) to fix this: users have to use the site and take the burden in order to get their payments. Ruurd Pels highlighted in these two answers to my tweets: harsh, but hitting the nail on the head:

The problem is that every each period of 15 minutes session activity , when you submit a form (the whole flow is form based, where the amount of data per form varies: sometimes just a confirmation button, sometimes a full month of data containing the hours worked) you get an intermediate quickly flashing “Redirecting…” on your screen, then loose the data entered in that form:

  1. [Archive] Jeroen Wiert Pluimers on Twitter: “Het NORA principe wat @StOnSoftware een jaar geleden noemde wordt weer door het @SVB_PGB geschonden. Het duurde even om te reproduceren, maar je verliest ongeveer elke 15 minuten je ingevoerde data. 1/” / Twitter
  2. [Archive] Jeroen Wiert Pluimers on Twitter: “Wat je dan ziet tijdens de submit (Verder, Opslaan) is een kort “Redirecting…” scherm op een willekeurige plek in de flow …, …, … In dit voorbeeld verlies je een maand aan invulwerk en is alles weer leeg. 2/ …” / Twitter
    Declaratie insturen - empty declaration showing you just lost a month of input

    Declaratie insturen – empty declaration showing you just lost a month of input

  3. [Archive] Jeroen Wiert Pluimers on Twitter: “Vorig jaar werd je nog elke 15 minuten uitgelogd en was het nog erger, zie … 3/” / Twitter
  4. [Archive] Jeroen Wiert Pluimers on Twitter: “en … Dat probleem zorgde er voor dat ik maar sporadisch declaraties instuurde, maar nu met een hele stapel declaraties is het probleem op een subtielere wijze nog steeds aanwezig. 4/” / Twitter
  5. [Archive] Jeroen Wiert Pluimers on Twitter: “Kunnen jullie dit laten fixen? Dank alvast. 5/5” / Twitter

After more than an hour, I bumped into 1 again:

  1. [Archive] Jeroen Wiert Pluimers on Twitter: “Oh @SVB_PGB: die bug van uitloggen na een kwartier bestaat nog steeds (zie …). Kreeg ik net in een uur tijd 3 keer. Na inloggen kom je wel weer in de flow, maar de data die je daar hebt ingevuld is dan verdwenen. A/ CC @EefvanKoos” / Twitter
  2. [Archive] Jeroen Wiert Pluimers on Twitter: “@SVB_PGB @EefvanKoos Ik vermoed dat beide te maken hebben met de sessie-duur van de active authenticatie van @DigiDwebcare omdat je in beide gevallen het “Redirecting…” stukje heel kort ziet verschijnen ofwel in het form of bij DigiD login beide met verlies aan data. B/B” / Twitter

[Archive] Stephan Eggermont (@StOnSoftware) / Twitter quote retweeted my initial message at [Archive] Stephan Eggermont on Twitter: “🧵 NORA heeft een aantal hele duidelijke principes om de burger niet te frustreren. Niet twee keer naar hetzelfde vragen geldt ook als je een sessie time-out. Dan moet je dus al ingevulde gegevens bewaren” / Twitter, which translated is

🧵 NORA has a number of very clear principles in order not to frustrate citizens. Not asking for the same thing twice also applies if you time out a session. Then you have to save already entered data

An introduction about NORA is at Nederlandse Overheid Referentie Architectuur – Wikipedia:

Nederlandse Overheid Referentie Architectuur of NORA is het interoperabiliteitsraamwerk voor de Nederlandse overheid en vertaalt daartoe wetgeving, beleid en standaarden naar architectuurprincipes, beschrijvingen en modellen. Het is een beschrijving van uitgangspunten voor het inrichten van de informatiehuishouding van de Nederlandse overheid. NORA is relevant voor de uitvoering van alle publieke taken door publieke en private organisaties.

[Wayback/Archive] NORA: Nederlandse Overheid Referentie Architectuur – Bluefrog has a way easier “table of contents” to the principles than the NORA online site (note that some document numbers are intentionally not used):

DE TIEN BASISPRINCIPES VAN NORA

  1. [Wayback/Archive] BP01: Afnemers krijgen de dienstverlening waar ze behoefte aan hebben.
  2. [Wayback/Archive] BP02: Afnemers kunnen de dienst eenvoudig vinden.
  3. [Wayback/Archive] BP03: Afnemers hebben eenvoudig toegang tot de dienst.
  4. [Wayback/Archive] BP04: Afnemers ervaren uniformiteit in de dienstverlening door het gebruik van standaardoplossingen.
  5. [Wayback/Archive] BP05: Afnemers krijgen gerelateerde diensten gebundeld aangeboden.
  6. [Wayback/Archive] BP06: Afnemers hebben inzage in voor hen relevante informatie.
  7. [Wayback/Archive] BP07: Afnemers worden niet geconfronteerd met overbodige vragen.
  8. [Wayback/Archive] BP08: Afnemers kunnen erop vertrouwen dat informatie niet wordt misbruikt.
  9. [Wayback/Archive] BP09: Afnemers kunnen erop vertrouwen dat de dienstverlenerzich aan afspraken houdt.
  10. [Wayback/Archive] BP10: Afnemers kunnen input leveren over de dienstverlening.

DE 38 AFGELEIDE PRINCIPES

  1. [Wayback/Archive] AP01: Diensten zijn herbruikbaar
  2. [Wayback/Archive] AP02: Ontkoppelen met diensten
  3. [Wayback/Archive] AP03: Diensten vullen elkaar aan
  4. [Wayback/Archive] AP04: Positioneer de dienst
  5. [Wayback/Archive] AP05: Nauwkeurige dienstbeschrijving
  6. [Wayback/Archive] AP06: Gebruik standaard oplossingen
  7. [Wayback/Archive] AP07: Gebruik de landelijke bouwstenen
  8. [Wayback/Archive] AP08: Gebruik open standaarden
  9. [Wayback/Archive] AP09: Voorkeurskanaal internet
  10. [Wayback/Archive] AP10: Aanvullend kanaal
  11. [Wayback/Archive] AP11: Gelijkwaardig resultaat ongeacht kanaal
  12. [Wayback/Archive] AP12: Eenmalige uitvraag
  13. [Wayback/Archive] AP13: Bronregistraties zijn leidend
  14. [Wayback/Archive] AP14: Terugmelden aan bronhouder
  15. [Wayback/Archive] AP15: Doelbinding (AP)
  16. (AP16 is intentionally missing: merged into AP17)
  17. [Wayback/Archive] AP17: Informatie-objecten systematisch beschreven
  18. [Wayback/Archive] AP18: Ruimtelijke informatie via locatie
  19. [Wayback/Archive] AP19: Perspectief gebruiker
  20. [Wayback/Archive] AP20: Persoonlijke benadering
  21. [Wayback/Archive] AP21: Bundeling van diensten
  22. [Wayback/Archive] AP22: No wrong door
  23. [Wayback/Archive] AP23: Automatische dienstverlening
  24. [Wayback/Archive] AP24: Proactief aanbieden
  25. [Wayback/Archive] AP25: Transparante dienstverlening
  26. [Wayback/Archive] AP26: Afnemer heeft inzage
  27. [Wayback/Archive] AP27: Een verantwoordelijke organisatie
  28. [Wayback/Archive] AP28: Afspraken vastgelegd
  29. [Wayback/Archive] AP29: De dienstverlener voldoet aan de norm
  30. [Wayback/Archive] AP30: Verantwoording dienstlevering mogelijk
  31. [Wayback/Archive] AP31: PDCA-cyclus in besturing kwaliteit
  32. [Wayback/Archive] AP32: Sturing kwaliteit op het hoogste niveau
  33. [Wayback/Archive] AP33: Baseline kwaliteit diensten
  34. [Wayback/Archive] AP34: Verantwoording besturing kwaliteit
  35. (AP35 is intentionally missing: superseded by AP41)
  36. (AP36 is intentionally missing: superseded by AP41)
  37. (AP37 is intentionally missing: superseded by AP43)
  38. (AP38 is intentionally missing: superseded by AP43 and AP42)
  39. (AP39 is intentionally missing: superseded by AP42)
  40. [Wayback/Archive] AP40: Onweerlegbaarheid (principe)
  41. [Wayback/Archive] AP41: Beschikbaarheid
  42. [Wayback/Archive] AP42: Integriteit
  43. [Wayback/Archive] AP43: Vertrouwelijkheid (principe)
  44. [Wayback/Archive] AP44: Controleerbaarheid

The missing numbers (see also [Wayback/Archive] Betrouwbaarheid – NORA Online, [Wayback/Archive] Vervangen of Vervallen elementen in NORA – NORA Online and [Wayback/Archive] Vervangen of Vervallen uitspraken in NORA – NORA Online):

For a management overview, see [Wayback/Archive] NORA (Nederlandse Overheid Referentie Architectuur) – Digitale Overheid.

–jeroen

Posted in Authentication, Development, DigiD, Power User, Security, Software Development, Web Development | Leave a Comment »

All the Cyber Ladies: Een podcast voor, door en over vrouwen in cybersecurity. – PodcastFeed

Posted by jpluimers on 2023/06/20

Een ontzettend belangrijke podcast is [Wayback/Archive] All the Cyber Ladies – PodcastFeed

Een podcast voor, door en over vrouwen in cybersecurity.

Ik mis geregeld de periode van 30-35 jaar terug waarin IT-teams vaak “gewoon” uit 25% vrouwen bestonden. Gemêleerde teams zijn van onschatbare waarde voor goed functionerende IT, niet alleen vanuit oogpunt van #a11y en #inclusie: ook voor information security.

De tijd maakt inmiddels gelukkig een inhaalslag: er komen steeds meer vrouwen in de IT en je merkt gestaag dat teams diverser worden. All the Cyber Ladies draagt eraan bij dat proces binnen information security verder te versnellen.

De podcast is begin juni dit jaar van start gegaan en heeft nu al een trouwe schare volgers die hopelijk verder groeit naarmate Google deze hoger in de zoek-index opneemt.

Uiteraard is er ook een [Wayback/Archive] All the Cyber Ladies – PodcastFeed RSS zodat je die aan je eigen Podcast Player kunt toevoegen (en vaak staat die er al zoals bijvoorbeeld bij [Wayback/Archive] Player.FM: All The Cyber Ladies podcast)

Via [Wayback/Archive] Lucinda on Twitter: “@jpluimers Zeker!! Je kan de podcast in veel andere players vinden. https://t.co/ksUB8Hd7e4” / Twitter.

–jeroen

Posted in accessibility (a11y), Awareness, Cyber, Development, Inclusion / inclusive society, Infosec (Information Security), Power User, Security, SocialMedia | Leave a Comment »

Removing identifiable metada from PDF files

Posted by jpluimers on 2023/06/19

I archived a long thread that started with [Archive] 𝚓𝚘𝚗𝚗𝚢﹏𝚜𝚊𝚞𝚗𝚍𝚎𝚛𝚜 on Twitter: “More fun publisher surveillance: Elsevier embeds a hash in the PDF metadata that is unique for each time a PDF is downloaded, this is a diff between metadata from two of the same paper. Combined with access timestamps, they can uniquely identify the source of any shared PDFs. ” / Twitter at [Wayback/Archive] Thread by @json_dirs on Thread Reader App – Thread Reader App.

TL;DR: publishers put hashes in PDF metadata to track back redistribution; they hardly use smarter watermarking as those are difficult to automatically parse; the hashes can be easily removed.

Read the rest of this entry »

Posted in Hashing, LifeHacker, PDF, Power User, Security | Leave a Comment »

How to encourage phishing: send email to users from a different domain than they are subscribed to

Posted by jpluimers on 2023/06/08

Many organisations train their personell with phishing attempts from domains that are different from the one the organisation uses.

The mantra is: only respond to emails (or clicking links in them) from domains you know.

Microsoft sent (still sends?) account expiration emails for various *.microsoft.com, *.visualstudio.com and other Microsoft domains like this:

[Wayback/Archive] 232840055-2ccfdb9b-2a13-4a34-92f5-f27f337825f8.png (766×653) email from Microsoft account team <account-security-noreply@mail.msa.msidentity.com>

Read the rest of this entry »

Posted in Pen Testing, Phishing, Power User, Red team, Security | Leave a Comment »

Mysk 🇨🇦🇩🇪 on Twitter: “Google has just updated its 2FA Authenticator app and added a much-needed feature: the ability to sync secrets across devices. TL;DR: Don’t turn it on. The new update allows users to sign in with their Google Account and sync 2FA secrets across their iOS and Android devices.…”

Posted by jpluimers on 2023/05/10

Do not use the Google 2FA Authenticator to to sync secrets across devices.

The why is explained in the (long) tweet by [Wayback/Archive] Mysk on Twitter: “Google has just updated its 2FA Authenticator app and added a much-needed feature: the ability to sync secrets across devices. TL;DR: Don’t turn it on. The new update allows users to sign in with their Google Account and sync 2FA secrets across their iOS and Android devices.…”

For similar reasons, you might not want to use Authy by Twilio to sync between devices either, though that is less insecure as it enforces you to use a backup-password in order to sync these through the cloud: in the past that backup-password had few security restrictions so it was easy to use a relatively insecure password.

Related (most in Dutch):

Read the rest of this entry »

Posted in 2FA/MFA, Authentication, Authy, Google, GoogleAuthenticator, Power User, Security | Tagged: , , , , | Leave a Comment »

Kevin Beaumont on Twitter: “Folks, we named blue team and red team wrong. https://t.co/eWKCSH8lqQ” / Twitter

Posted by jpluimers on 2023/04/28

[Archive] Kevin Beaumont on Twitter: “Folks, we named blue team and red team wrong. ” / Twitter

–jeroen

Read the rest of this entry »

Posted in Fun, Power User, Security | Leave a Comment »

VMware fixes critical zero-day Workstation/Player/Fusion exploit revealed at Pwn2Own

Posted by jpluimers on 2023/04/26

A less clickbaity title than most articles today as the below only applies to the VMware hypervisors running on MacOS and Windows.

The last Pwn2Own Zero Day Initiative revealed two major issues that allow a virtual machine to either execute code or read hypervisor memory on the VMware Workstation/Player/Fusion host:

  1. [Wayback/Archive] NVD – CVE-2023-20869

    VMware Workstation (17.x) and VMware Fusion (13.x) contain a stack-based buffer-overflow vulnerability that exists in the functionality for sharing host Bluetooth devices with the virtual machine.

  2. [Wayback/Archive] NVD – CVE-2023-20870

    VMware Workstation and Fusion contain an out-of-bounds read vulnerability that exists in the functionality for sharing host Bluetooth devices with the virtual machine.

Both issues have been fixed now, so be sure to deploy the fixes or, if you can’t, apply the workarounds.

Read the rest of this entry »

Posted in Fusion, Power User, Security, Virtualization, VMware, VMware Player, VMware Workstation | Leave a Comment »

« Previous Entries
Next Entries »