For my link archive: [Wayback/Archive] How to set up OpenVPN with Google Authenticator on pfSense – Vorkbaard uit de toekomst
Should work with Authy too.
Via: [Archive] Matthijs ter Woord (@mterwoord) | Twitter
–jeroen
Archive for the ‘Security’ Category
How to set up OpenVPN with Google Authenticator on pfSense – Vorkbaard uit de toekomst
Posted by jpluimers on 2023/09/18
Posted in 2FA/MFA, Authentication, Authy, Power User, Security | Leave a Comment »
Some threadreaderapp URLs
Posted by jpluimers on 2023/09/14
For my link archive so I can better automate archiving Tweet threads using bookmarklets written in JavaScript:
- https://twitter.com/ThomasDamsko/status/1499996661535367169
- https://threadreaderapp.com/search?q=https://twitter.com/ThomasDamsko/status/1499996661535367169
HTTP-302 redirects to:
- https://threadreaderapp.com/thread/1499996661535367169.html
pressing refresh does a POST to:
- https://threadreaderapp.com/thread/1499996661535367169/refreshx
The base will likely be this:
javascript:void(open(`https://archive.is/?run=1&url=${encodeURIComponent(document.location)}`))
which for now I have modified into this:
javascript:void(open(`https://threadreaderapp.com/search?q=${document.location}`))
It works perfectly fine without URL encoding and demonstrates the JavaScript backtick feature for template literals for which you can find documentation at [WayBack/Archive] Template literals – JavaScript | MDN.
Share this:
Posted in *nix, *nix-tools, bash, bash, Bookmarklet, Communications Development, cURL, Development, HTTP, https, Internet protocol suite, Power User, Scripting, Security, Software Development, TCP, Web Browsers | Leave a Comment »
Fixing a broken xs4all internet connection was a simple as a cold NTU reboot – jpluimers on Twitter
Posted by jpluimers on 2023/09/11
Translation of solving a broken xs4all connection:
Solved. Summary:
- Liander and UPS functiond, so both Fritz!Box and NTU had power
- NTU LEDs show Power and Glass, but no Ethernet
- Fritz!Box has green Power and WLAN LEDs and a red Info LED
Solution was cold reboot of NTU.
I also neatly tucked away the NTU power cord for an additional 8 minutes extra down time: [Wayback/Archive] mwgp ping – wiert.me
Share this:
Posted in Fritz!, Fritz!Box, Hardware, Network-and-equipment, Power User, Security | Leave a Comment »
Help:Two-factor authentication – Wikipedia
Posted by jpluimers on 2023/09/06
For my link archive as this page contains instructions to request 2FA privileges at Wikipedia: [Wayback/Archive] Help:Two-factor authentication – Wikipedia
Checking whether 2FA is enabled
To determine whether your account has 2FA enabled, go to Special:Preferences. Under “Basic information”, check the entry for “Two-factor authentication”, which should be between “Global account” and “Global preferences”:
- If the entry says “TOTP (one-time token)”, 2FA is currently enabled on your account.
- If the entry says “None enabled”, 2FA is currently disabled on your account.
- If there is no entry for “Two-factor authentication”, your account currently doesn’t have access to 2FA, and you’ll need to request access at [Wayback] m:Steward requests/Global permissions#Requests for 2 Factor Auth tester permissions before you can enable 2FA.
Viewing m:Steward requests/Global permissions#Requests for 2 Factor Auth tester permissions is possible to do without being logged on at Wikipedia, but for requesting the 2FA permission and accessing Special:Preferences you need to be logged on.
Visit [Wayback/Archive] Steward requests/Global permissions/2018-12 – Meta and look for “OATH tester” for some examples of motivations for requesting.
–jeroen
Share this:
Posted in 2FA/MFA, Authentication, Power User, Security, SocialMedia, wikipedia | Leave a Comment »
Only 2 weeks left to enable 2FA for your GitHub account
Posted by jpluimers on 2023/08/29
If you haven’t done so already, then enable 2FA for your GitHub account now: This will be a requirement in 2 weeks time.
The 2FA/MFA possibility started about half a year ago with [Wayback/Archive] Raising the bar for software security: GitHub 2FA begins March 13 – The GitHub Blog
You can have various means of 2FA, which al start with a choice between:
- An OTP app (pick your choice, for instance from for instanceComparison of OTP applications – Wikipedia)
- SMS/text (not really recommended due to SIM swap scam – Wikipedia)
After completing either of those those, you can view/download a set of backup codes, and you can add more factors to your Multi-factor authentication setup up to these:
Share this:
Posted in 2FA/MFA, Authentication, Development, DVCS - Distributed Version Control, git, GitHub, Power User, Security, Software Development, Source Code Management | Leave a Comment »
5 days after the exploit publication of snowcra5h/CVE-2023-38408: Remote Code Execution in OpenSSH’s forwarded ssh-agent
Posted by jpluimers on 2023/07/26
TL;DR is at the bottom (;
5 days ago this exploit development got published: [Wayback/Archive] snowcra5h/CVE-2023-38408: CVE-2023-38408 Remote Code Execution in OpenSSH’s forwarded ssh-agent.
It is about [Wayback/Archive] NVD – CVE-2023-38408 which there at NIST isn’t rated (yet?), neither at [Wayback/Archive] CVE-2023-38408 : The PKCS#11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remot.
However at [Wayback/Archive] CVE-2023-38408- Red Hat Customer Portal it scores 7.3 and [Wayback/Archive] CVE-2023-38408 | SUSE it did get a rating of 7.5, so since I mainly use OpenSuSE I wondered what to do as the CVE is formulated densely at [Wayback/Archive] www.qualys.com/2023/07/19/cve-2023-38408/rce-openssh-forwarded-ssh-agent.txt: it mentions Alice, but no Bob or Mallory (see Alice and Bob – Wikipedia).
Luckily, others readly already did the fine reading and emphasised the important bits, especially at [Wayback/Archive] RCE Vulnerability in OpenSSH’s SSH-Agent Forwarding: CVE-2023-38408 (note that instead of Alex, they actually mean Alice)
“A system administrator (Alice) runs SSH-agent on her local workstation, connects to a remote server with ssh, and enables SSH-agent forwarding with the -A or ForwardAgent option, thus making her SSH-agent (which is running on her local workstation) reachable from the remote server.”
According to researchers from Qualys, a remote attacker who has control of the host, which Alex has connected to, can load (dlopen()) and immediately unload (dlclose()) any shared library in /usr/lib* on Alice’s workstation (via her forwarded SSH-agent if it is compiled with ENABLE_PKCS11, which is the default).
The vulnerability lies in how SSH-agent handles forwarded shared libraries. When SSH-agent is compiled with ENABLE_PKCS11 (the default configuration), it forwards shared libraries from the user’s local workstation to the remote server. These libraries are loaded (dlopen()) and immediately unloaded (dlclose()) on the user’s workstation. The problem arises because certain shared libraries have side effects when loaded and unloaded, which can be exploited by an attacker who gains access to the remote server where SSH-agent is forwarded to.
Mitigations for the SSH-Agent Forwarding RCE Vulnerability
Share this:
Posted in *nix, *nix-tools, bash, bash, Communications Development, Development, Internet protocol suite, OpenSSH, Power User, PowerShell, Scripting, Security, Software Development, SSH | Leave a Comment »
On repeat: “ask information only once”; Eenmalige uitvraag – NORA Online
Posted by jpluimers on 2023/07/13
Since the SVB PGB site keeps violating the [Wayback/Archive] AP12: Eenmalige uitvraag – NORA Online principle, some more emphasis on it as the usefulness of the “ask information only once” principle is not limited to government sites or commercial sites providing services for the government.
The principle “ask information only once” is valid for any site and needs to be present at all times, especially in these situations:
- when an authentication token is expired and re-authentication is needed
- when checking if authentication might have been expired and a page refresh is done during that check
I wrote about 1. in SVB PGB and DigiD security suddenly logged you out every 15 minutes despite the count down counter indicating otherwise ( wrote it in March 2021, published it in December 2021 when I thought it had been sort of solved).
That was obnoxious and took a very long time to fix (despite the mandatory aspect of the “ask information only once” principle and me pushing for a quick resolving in [Archive.is] Jeroen Wiert Pluimers on Twitter: “Omdat de @SVB_PGB site hiermee een noodzakelijk NORA archictectuur principe schendt (je raakt bij de logoff/logon de informatie die je op de pagina aan het invullen bent kwijt): kan dit een hoge prirotieit krijgen? Zie: – …”).
In February 2022, I had enough energy to submit the final PGB administration parts to the SVB PGB site. I didn’t get logged out every few minutes for the first hour or so (that only happened after being authenticated more than one hour, then repeating every 15 minutes), but I bumped into 2: loosing a lot of data in an at first unpredictable manner.
An underlying thing is that despite the NORA rules to be mandatory there is no sanction for the SVB (or any other government organisation) to fix this: users have to use the site and take the burden in order to get their payments. Ruurd Pels highlighted in these two answers to my tweets: harsh, but hitting the nail on the head:
- [Archive] Ruurd ✒️ on Twitter: “@jpluimers @BiancaPrins In dit soort gevallen moet je eigenlijk regelen dat als een instantie geen richtige heffing of richtige steun uitvoert ze er financieel nadeel van hebben. Verkeerde heffing? Helemaal terugbetalen in plaats van corrigeren. Verkeerde steun: driedubbel uitbetalen. Etcetera.” / Twitter
- [Archive] Ruurd ✒️ on Twitter: “@jpluimers @BiancaPrins Het probleem is: er is geen sprake van een prikkel. De instantie (UWV, SVB, overheid noem maar op) heeft er geen last van. Er is geen prikkel om dit te verbeteren. Het kost ze geen geld als de boel niet functioneert.” / Twitter
The problem is that every each period of 15 minutes session activity , when you submit a form (the whole flow is form based, where the amount of data per form varies: sometimes just a confirmation button, sometimes a full month of data containing the hours worked) you get an intermediate quickly flashing “Redirecting…” on your screen, then loose the data entered in that form:
- [Archive] Jeroen Wiert Pluimers on Twitter: “Het NORA principe wat @StOnSoftware een jaar geleden noemde wordt weer door het @SVB_PGB geschonden. Het duurde even om te reproduceren, maar je verliest ongeveer elke 15 minuten je ingevoerde data. 1/” / Twitter
- [Archive] Jeroen Wiert Pluimers on Twitter: “Wat je dan ziet tijdens de submit (Verder, Opslaan) is een kort “Redirecting…” scherm op een willekeurige plek in de flow …, …, … In dit voorbeeld verlies je een maand aan invulwerk en is alles weer leeg. 2/ …” / Twitter
Declaratie insturen – empty declaration showing you just lost a month of input
- [Archive] Jeroen Wiert Pluimers on Twitter: “Vorig jaar werd je nog elke 15 minuten uitgelogd en was het nog erger, zie … 3/” / Twitter
- [Archive] Jeroen Wiert Pluimers on Twitter: “en … Dat probleem zorgde er voor dat ik maar sporadisch declaraties instuurde, maar nu met een hele stapel declaraties is het probleem op een subtielere wijze nog steeds aanwezig. 4/” / Twitter
- [Archive] Jeroen Wiert Pluimers on Twitter: “Kunnen jullie dit laten fixen? Dank alvast. 5/5” / Twitter
After more than an hour, I bumped into 1 again:
- [Archive] Jeroen Wiert Pluimers on Twitter: “Oh @SVB_PGB: die bug van uitloggen na een kwartier bestaat nog steeds (zie …). Kreeg ik net in een uur tijd 3 keer. Na inloggen kom je wel weer in de flow, maar de data die je daar hebt ingevuld is dan verdwenen. A/ CC @EefvanKoos” / Twitter
- [Archive] Jeroen Wiert Pluimers on Twitter: “@SVB_PGB @EefvanKoos Ik vermoed dat beide te maken hebben met de sessie-duur van de active authenticatie van @DigiDwebcare omdat je in beide gevallen het “Redirecting…” stukje heel kort ziet verschijnen ofwel in het form of bij DigiD login beide met verlies aan data. B/B” / Twitter
[Archive] Stephan Eggermont (@StOnSoftware) / Twitter quote retweeted my initial message at [Archive] Stephan Eggermont on Twitter: “🧵 NORA heeft een aantal hele duidelijke principes om de burger niet te frustreren. Niet twee keer naar hetzelfde vragen geldt ook als je een sessie time-out. Dan moet je dus al ingevulde gegevens bewaren” / Twitter, which translated is
🧵 NORA has a number of very clear principles in order not to frustrate citizens. Not asking for the same thing twice also applies if you time out a session. Then you have to save already entered data
An introduction about NORA is at Nederlandse Overheid Referentie Architectuur – Wikipedia:
Nederlandse Overheid Referentie Architectuur of NORA is het interoperabiliteitsraamwerk voor de Nederlandse overheid en vertaalt daartoe wetgeving, beleid en standaarden naar architectuurprincipes, beschrijvingen en modellen. Het is een beschrijving van uitgangspunten voor het inrichten van de informatiehuishouding van de Nederlandse overheid. NORA is relevant voor de uitvoering van alle publieke taken door publieke en private organisaties.
[Wayback/Archive] NORA: Nederlandse Overheid Referentie Architectuur – Bluefrog has a way easier “table of contents” to the principles than the NORA online site (note that some document numbers are intentionally not used):
DE TIEN BASISPRINCIPES VAN NORA
- [Wayback/Archive] BP01: Afnemers krijgen de dienstverlening waar ze behoefte aan hebben.
- [Wayback/Archive] BP02: Afnemers kunnen de dienst eenvoudig vinden.
- [Wayback/Archive] BP03: Afnemers hebben eenvoudig toegang tot de dienst.
- [Wayback/Archive] BP04: Afnemers ervaren uniformiteit in de dienstverlening door het gebruik van standaardoplossingen.
- [Wayback/Archive] BP05: Afnemers krijgen gerelateerde diensten gebundeld aangeboden.
- [Wayback/Archive] BP06: Afnemers hebben inzage in voor hen relevante informatie.
- [Wayback/Archive] BP07: Afnemers worden niet geconfronteerd met overbodige vragen.
- [Wayback/Archive] BP08: Afnemers kunnen erop vertrouwen dat informatie niet wordt misbruikt.
- [Wayback/Archive] BP09: Afnemers kunnen erop vertrouwen dat de dienstverlenerzich aan afspraken houdt.
- [Wayback/Archive] BP10: Afnemers kunnen input leveren over de dienstverlening.
DE 38 AFGELEIDE PRINCIPES
- [Wayback/Archive] AP01: Diensten zijn herbruikbaar
- [Wayback/Archive] AP02: Ontkoppelen met diensten
- [Wayback/Archive] AP03: Diensten vullen elkaar aan
- [Wayback/Archive] AP04: Positioneer de dienst
- [Wayback/Archive] AP05: Nauwkeurige dienstbeschrijving
- [Wayback/Archive] AP06: Gebruik standaard oplossingen
- [Wayback/Archive] AP07: Gebruik de landelijke bouwstenen
- [Wayback/Archive] AP08: Gebruik open standaarden
- [Wayback/Archive] AP09: Voorkeurskanaal internet
- [Wayback/Archive] AP10: Aanvullend kanaal
- [Wayback/Archive] AP11: Gelijkwaardig resultaat ongeacht kanaal
- [Wayback/Archive] AP12: Eenmalige uitvraag
- [Wayback/Archive] AP13: Bronregistraties zijn leidend
- [Wayback/Archive] AP14: Terugmelden aan bronhouder
- [Wayback/Archive] AP15: Doelbinding (AP)
- (AP16 is intentionally missing: merged into AP17)
- [Wayback/Archive] AP17: Informatie-objecten systematisch beschreven
- [Wayback/Archive] AP18: Ruimtelijke informatie via locatie
- [Wayback/Archive] AP19: Perspectief gebruiker
- [Wayback/Archive] AP20: Persoonlijke benadering
- [Wayback/Archive] AP21: Bundeling van diensten
- [Wayback/Archive] AP22: No wrong door
- [Wayback/Archive] AP23: Automatische dienstverlening
- [Wayback/Archive] AP24: Proactief aanbieden
- [Wayback/Archive] AP25: Transparante dienstverlening
- [Wayback/Archive] AP26: Afnemer heeft inzage
- [Wayback/Archive] AP27: Een verantwoordelijke organisatie
- [Wayback/Archive] AP28: Afspraken vastgelegd
- [Wayback/Archive] AP29: De dienstverlener voldoet aan de norm
- [Wayback/Archive] AP30: Verantwoording dienstlevering mogelijk
- [Wayback/Archive] AP31: PDCA-cyclus in besturing kwaliteit
- [Wayback/Archive] AP32: Sturing kwaliteit op het hoogste niveau
- [Wayback/Archive] AP33: Baseline kwaliteit diensten
- [Wayback/Archive] AP34: Verantwoording besturing kwaliteit
- (AP35 is intentionally missing: superseded by AP41)
- (AP36 is intentionally missing: superseded by AP41)
- (AP37 is intentionally missing: superseded by AP43)
- (AP38 is intentionally missing: superseded by AP43 and AP42)
- (AP39 is intentionally missing: superseded by AP42)
- [Wayback/Archive] AP40: Onweerlegbaarheid (principe)
- [Wayback/Archive] AP41: Beschikbaarheid
- [Wayback/Archive] AP42: Integriteit
- [Wayback/Archive] AP43: Vertrouwelijkheid (principe)
- [Wayback/Archive] AP44: Controleerbaarheid
The missing numbers (see also [Wayback/Archive] Betrouwbaarheid – NORA Online, [Wayback/Archive] Vervangen of Vervallen elementen in NORA – NORA Online and [Wayback/Archive] Vervangen of Vervallen uitspraken in NORA – NORA Online):
- AP16 (merged into AP17) [Wayback/Archive] Identificatie informatie-objecten – NORA Online
- AP35 (superseded by AP41) [Wayback/Archive] Continuïteit van de dienst – NORA Online
- AP36 (superseded by AP41) [Wayback/Archive] Uitgangssituatie herstellen – NORA Online
- AP38 (superseded by AP43) [Wayback/Archive] Identificatie authenticatie en autorisatie – NORA Online
- AP38 (superseded by AP43 and AP42) [Wayback/Archive] Informatiebeveiliging door zonering en filtering – NORA Online
- AP38 (superseded by AP42) [Wayback/Archive] Controle op juistheid volledigheid en tijdigheid – NORA Online
For a management overview, see [Wayback/Archive] NORA (Nederlandse Overheid Referentie Architectuur) – Digitale Overheid.
–jeroen
Share this:
Posted in Authentication, Development, DigiD, Power User, Security, Software Development, Web Development | Leave a Comment »
All the Cyber Ladies: Een podcast voor, door en over vrouwen in cybersecurity. – PodcastFeed
Posted by jpluimers on 2023/06/20
Een ontzettend belangrijke podcast is [Wayback/Archive] All the Cyber Ladies – PodcastFeed
Een podcast voor, door en over vrouwen in cybersecurity.
Ik mis geregeld de periode van 30-35 jaar terug waarin IT-teams vaak “gewoon” uit 25% vrouwen bestonden. Gemêleerde teams zijn van onschatbare waarde voor goed functionerende IT, niet alleen vanuit oogpunt van #a11y en #inclusie: ook voor information security.
De tijd maakt inmiddels gelukkig een inhaalslag: er komen steeds meer vrouwen in de IT en je merkt gestaag dat teams diverser worden. All the Cyber Ladies draagt eraan bij dat proces binnen information security verder te versnellen.
De podcast is begin juni dit jaar van start gegaan en heeft nu al een trouwe schare volgers die hopelijk verder groeit naarmate Google deze hoger in de zoek-index opneemt.
Uiteraard is er ook een [Wayback/Archive] All the Cyber Ladies – PodcastFeed RSS zodat je die aan je eigen Podcast Player kunt toevoegen (en vaak staat die er al zoals bijvoorbeeld bij [Wayback/Archive] Player.FM: All The Cyber Ladies podcast)
Via [Wayback/Archive] Lucinda on Twitter: “@jpluimers Zeker!! Je kan de podcast in veel andere players vinden. https://t.co/ksUB8Hd7e4” / Twitter.
–jeroen
Share this:
Posted in accessibility (a11y), Awareness, Cyber, Development, Inclusion / inclusive society, Infosec (Information Security), Power User, Security, SocialMedia | Leave a Comment »
Removing identifiable metada from PDF files
Posted by jpluimers on 2023/06/19
I archived a long thread that started with [Archive] 𝚓𝚘𝚗𝚗𝚢﹏𝚜𝚊𝚞𝚗𝚍𝚎𝚛𝚜 on Twitter: “More fun publisher surveillance: Elsevier embeds a hash in the PDF metadata that is unique for each time a PDF is downloaded, this is a diff between metadata from two of the same paper. Combined with access timestamps, they can uniquely identify the source of any shared PDFs. ” / Twitter at [Wayback/Archive] Thread by @json_dirs on Thread Reader App – Thread Reader App.
TL;DR: publishers put hashes in PDF metadata to track back redistribution; they hardly use smarter watermarking as those are difficult to automatically parse; the hashes can be easily removed.
Share this:
Posted in Hashing, LifeHacker, PDF, Power User, Security | Leave a Comment »
How to encourage phishing: send email to users from a different domain than they are subscribed to
Posted by jpluimers on 2023/06/08
Many organisations train their personell with phishing attempts from domains that are different from the one the organisation uses.
The mantra is: only respond to emails (or clicking links in them) from domains you know.
Microsoft sent (still sends?) account expiration emails for various *.microsoft.com, *.visualstudio.com and other Microsoft domains like this:
[Wayback/Archive] 232840055-2ccfdb9b-2a13-4a34-92f5-f27f337825f8.png (766×653) email from
Microsoft account team <account-security-noreply@mail.msa.msidentity.com>
Share this:
Posted in Pen Testing, Phishing, Power User, Red team, Security | Leave a Comment »
The Wiert Corner - irregular stream of stuff 