Table of Contents
Security
- Уязвимость Dropbox, вследствие которой у многих из 275 миллионов пользователей долгое время пропадали файлы из их хранилищ
- Port knocking – a method of externally opening ports on a firewall by generating a connection attempt on a set of prespecified closed ports. See also Port Knocking.
- Программа для определения самых опасных уязвимостей – тех, для которых есть эксплойты в общедоступных базах данных, включая Rapid7 и exploit-db
-
-
- Машинное обучение вместо DPI (deep packet inspection). Строим классификатор трафика с помощью Random Forest – идентификация используемых протоколов прикладного уровня в тех условиях, когда полезная нагрузка зашифрована
- Критическая уязвимость позволяет перехватывать весь сетевой трафик пользователей Windows путём подмены WPAD через протокол NBNS NBSTAT.
Wireless / WiFi
- BlueProximity – secure your desktop by automatically locking and unlocking the screen when you and your bluetooth-enabled phone leave/enter the desk.
Crypto
- Conceal provides a set of easy to use APIs for performing fast encryption and authentication of data
- Extracting Qualcomm's KeyMaster keys: breaking Android full disk encryption – also explains Apple encryption approach
Hacking
Communication
Safer alternatives for Skype:
- Bleep — безопасный мессенджер от BitTorrent с большими амбициями – для обмена данными используется одноранговая децентрализованная P2P-сеть
- Эдвард Сноуден рекомендует Silent Circle – сеть обмена информацией, в том числе телефонными звонками и текстовыми сообщениями
Mobile
- АНБ отслеживает местоположение мобильных телефонов по всему миру (см. т.ж. ссылки в разделе Похожие публикации)
- Bluetooth и другие способы взлома наручников – наручные Bluetooth браслеты позволяют следить за перемещениями пользователя, а также за его здоровьем, без его ведома; потенциальные грабители могут узнать, находитесь ли вы в квартире, или даже – насколько крепко вы спите в данный момент
Authentication
Two-factor authentication
-
-
- YubiKey – supports NFC
- PGP and SSH keys on a Yubikey NEO, yubikey and ssh authentication – using Yubikey as PGP key storage. Note that it isn't possible to take an existing SSH keypair and import the private key to Yubikey, but GPG authentication subkey can be exported as an SSH key.
- Cygwin socket setup explains how to tune GIT+SSH+KeeAgent
- Integration with bash on Windows 10 preview explains how to bridge Cygwin socket with Unix socket
Spectre and Meltdown attacks
- According to information from Intel, hardware fixes for Meltdown & Spectre v2 are provided in Cannon Lake & Cascade Lake (8th generation) processors.
- To list all applicable / compatible microcodes run:
# iucode-tool -S -l /lib/firmware/intel-ucode iucode-tool: system has processor(s) with signature 0x000006e8 ... selected microcodes: 110/001: sig 0x000006e8, pf_mask 0x20, 2005-11-15, rev 0x0039, size 4096 059/001: sig 0x000006ec, pf_mask 0x80, 2006-09-12, rev 0x0059, size 4096 059/002: sig 0x000006ec, pf_mask 0x20, 2006-05-01, rev 0x0054, size 4096
NFC-платежи
- Как мы превратили телефон в банковскую карту – про платежные карты, NFC-телефоны, Trusted Service Manager
HTML
- Уязвимости на web портале – описывает Cross-site scripting, Content and character set sniffing, Clickjacking
SSL
- The "SSL strip" exploit
The tool – called ‘SSL strip’ – is based around a man-in-the-middle attack, where the system for redirecting people from the insecure to the secure version of a web page is abused. By acting as a man-in-the-middle, the attacker can compromise any information sent between the user and the supposedly secure webpage. The author of the exploit claims to have used it to steal data from PayPal, GMail, Tickermaster, and Facebook – including sixteen credit card numbers and control of more than 100 email accounts.
This kind of vulnerability has always existed with SSL because it is difficult to be certain about where the endpoints of communication lie. Rather than having a secure end-to-end connection between Amazon and you, there might be a secure connection between you and an attacker (who can read everything you do in the clear), and then a second secure connection between the attacker and Amazon.
-
- Lucky Thirteen: Breaking the TLS and DTLS Record Protocols by Nadhem J. AlFardan and Kenneth G. Paterson (2013)
- Как расшифровать TLS-трафик от браузера в Wireshark с использованием пользовательской переменной
SSLKEYLOGFILE. - Анализ SSL/TLS трафика в Wireshark используя секретный ключ сервера
Solutions:
- Server Side TLS – recommended configurations for Apache.
-
-
- В новой версии Google Chrome будут помечаться небезопасными SSL-сертификаты, использующие алгоритм SHA-1, в зависимости от его даты выдачи.
SSL Certificate Authorities
- Let's Encrypt offers a 90-days trial SSL certificate for free
- GlobalSign offers SSL certificate for free for OpenSource project
- NameCheap / Comodo offers SSL certificate for $7.50/year
- SSLMate offers SSL certificate for $16/year
Бесплатные SSL-сертификаты на 2 года с поддержкой до 100 доменов– New WoSign and StartCom certificates are distrusted if issued after 21.10.2016 starting from Firefox 51 (see StartCom for more information related to other browsers). To add back support to Firefox download root CA certificate1) and install it to Firefox (Options → Advanced → Certificates tab → View Certificates → Authorities tab → Import).
KeePass
- URL Field Capabilities e.g.
cmd://{%Applications%}\VncViewer\tvnviewer.exe centurion:5901 -password={PASSWORD} - BrowsePass – pure JavaScript addon that can read KeePass DB
PGP
-
- Signing Subkey Cross-Certification – explains how master key and sub keys are cross-certified
-
- opmsg – a replacement for GPG with Perfect Forward Secrecy support.
-
The victim’s email client decrypts the email and loads any external content, thus exposing the plaintext to the attacker
Disable HTML rendering.
How to force GPG to read passphrase from console?
It should be mentioned that this extra security measure was implemented in GPGv2 to be sure that user input is not intercepted. From maillist:
It should be noted however that such behaviour trades convenience for security. That is because an X window provided by GTK/QT pinentries is able to grab input globally, whereas pinentry-curses is not. It would be therefore possible for a malicious application to hijack and record passphrase being given to pinentry curses in X terminal.
To disable the pinentry GUI window:
- Disable the pinentry GUI window:
export PINENTRY_USER_DATA="USE_CURSES=1" unset GPG_AGENT_INFO
- Use gpg2 without GUI asking for passphrase and Disable gpg GUI asking for paraphrase (requires
pinentry-cursespackage installed):pinentry-program /usr/bin/pinentry-curses
Alternatively one can download GPGv1 CLI from this FTP site (e.g. gnupg-w32cli-1.4.18.exe).
See also GPG key management operations via the agent considerations.
GPG agent log entries
In cron log the following shows up on every opened SSH session:
systemd[10575]: Closed GnuPG network certificate management daemon. systemd[10575]: Closed GnuPG cryptographic agent (access for web browsers). systemd[10575]: Closed GnuPG cryptographic agent and passphrase cache (restricted). systemd[10575]: Closed GnuPG cryptographic agent (ssh-agent emulation). systemd[10575]: Stopped target Timers. systemd[10575]: Closed GnuPG cryptographic agent and passphrase cache.
Use the following command to disable GPG agent (taken from bug#850982):
systemctl --global mask --now gpg-agent.service gpg-agent.socket gpg-agent-ssh.socket gpg-agent-extra.socket gpg-agent-browser.socket
See also /usr/share/doc/gnupg-agent/README.Debian.
How to digitally sign PDF?
From Digitally signing PDF files:
- Convert PEM certificate to PFX format:
openssl pkcs12 -export -in cert.pem -out cert.pfx - Download PortableSigner
- Download Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files for Java8 (here for Java7) and unpack JARs to
jre\lib\security\. 
Merge all JARs into one uberjar. As JCE provider JARs must be signed, all the following to jre\lib\security\java.security(ordering may vary):
security.provider.11=org.bouncycastle.jce.provider.BouncyCastleProvider
otherwise execution will fail with the following message:
Error reading certificate (wrong password) error constructing MAC: java.lang.SecurityException: JCE cannot authenticate the provider BC Error creating keystore error constructing MAC: java.lang.SecurityException: JCE cannot authenticate the provider BC- Run
java -jar PortableSigner.jar -n -t input.pdf -o output.pdf -s cert.pfx -p secret_password -c "Final revision" -r "Approved for publication" -l "Department of public relations"
Alternatively one can use LibreOffice v5.3 or higher:
- LibreOffice uses Firefox or Thunderbird profile to lookup for personal certificates, see Applying Digital Signatures concerning how to import one.
- Choose File → Digital Signatures → Sign Existing PDF, select PDF, then click on Sign Document on appeared notice message.
- Click on Sign Document, click Sign Document… in the bottom of the dialog, select certificate, click OK. Click Close to close Digital signatures dialog – PDF document is written back.
See also:
Kaspersky antivirus
Mentioned also in:
| 2010/02/13 23:22 | ||
| 2015/04/26 06:25 | ||
| 2010/02/13 23:22 | ||
| 2010/02/13 23:22 | ||
| 2010/02/13 23:22 |
How to disable notification about registration?
From Напоминание о регистрации:
Run one of the reg files below with self-protection off and then reboot:
For 64-bit systems:
REGEDIT4 [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\protected\AVP14.0.0\OlaFormScheduler] "enabled"=dword:0
For 32-bit systems:
REGEDIT4 [HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\protected\AVP14.0.0\OlaFormScheduler] "enabled"=dword:0
Activation code is invalid for this region
Solution:
- Активация Kaspersky через прокси using valid key and proxy list (another list, another list). Before using check that proxy really supports HTTPS – for that create a list of proxies with host and IP in first two columns and run the following script to check how reliable is the proxy:
for c in `seq 1 10` do cat proxy_list.txt | while read host port other do https_proxy=http://$host:$port wget -q --tries=1 --timeout=3 -O /dev/null https://www.tut.by && echo "OK $host:$port" done | sort done
- Код активации не подходит для этого региона – substituting external IP using SoftEther VPN Client.
