All Linux servers have the wonderful uptime command. The question is, does this exist for Windows Servers, and the answer is yes.
Step 1 – Task Manager
Right click Task bar, select Task Manager. or Ctl-Alt-Del – Task Manager
Task Manager > CPU Tab > Uptime
Step 2 – Command line
The systeminfo command shows a lot of information.
CMD >
systeminfo | findstr “Time:”
Step 3 – uptime.exe
Microsoft have a legacy uptime.exe. But everytime I try to find this utility the page has been moved.
Wiki states The time given by Uptime.exe is not reliable. It does not take into account time spent in sleep or hibernation. Thus, the boot time will drifts forward every time the computer sleeps or hibernates.
Step 4 – WMI – lastbootuptime
Windows Management Instrumentation offers an option, that is not impressive.
wmic os get lastbootuptime
Step 5 – Net
C:\>NET STATISTICS WORKSTATION | findstr "since"
Have fun!
The US expert who wrote the standard for password security now says he was wrong – and it’s time for a new way.
In 2003, Bill Burr was a technology manager for the US National Institute of Standards and Technology (NIST) when he was tasked with writing some brief guidelines for password security. He recommended that passwords have a minimum of eight characters with a mix of capitals, numbers and symbols, and be updated frequently.
Soon Burr’s rules were adopted by organisations around the world. Now he says he not only regrets his recommendations, but that they have inadvertently led people to choose poor passwords that are actually easier for hackers to crack.
How hackers discover your password
The aim of Burr’s rules was to defeat what are known as “brute-force” attacks, where hackers use sheer computing power to try thousands of possible passwords, until they stumble on the right combination. By adding more character sets to the mix, you exponentially increase the number of possible combinations an attacker must try.
Consider an eight-character password (e.g. password). If it contains just lower case letters, the number of possible combinations is 26^8, around 208.8 billion. This sounds impressive – until you realise it can take as little as 1.8 seconds for a modern supercomputer or botnet to break such a password.
Add uppercase letters (e.g. PassWord), and the number of combinations is multiplied 256 times, to 52^8. Add digits and symbols (e.g. P@$$w0rd), and it becomes as high as 95^8, requiring much more time to crack, even with an enslaved botnet army hard at work.
The problem, says Gernot Heiser, Scientia professor at the University of New South Wales’ School of Computer Science and Engineering, is that today’s hackers rarely start with a blank slate.
Instead, they begin by searching for English words plus common substitutions, such as $ for S. That makes them very well adapted to breaking exactly the kind of P@ssw0rd$ users tend to create when struggling to comply with Burr’s rules.
How to choose a strong password
The solution, says Heiser, is to use long, memorable passphrases rather than passwords. Ideally, they would be an unforgettable combination of unexpected words, rather than a predictable English sentence. The more characters you add, the longer they’ll take to crack.
“If you choose longer, more complex passphrases with random words, a brute force attack becomes massively harder mathematically,” says Heiser.
He also says Burr’s original advice on changing passwords frequently is flawed – if only because it encourages users to choose shorter and simpler passwords that can be altered with relatively small changes (P@ssw0rd1 in January and P@ssw0rd2 in February, for example).
“The added protection of changing passwords is negative,” Heiser explains. “It’s safer to keep a longer, more complex password than to change it regularly to a simple one with variations that are easier to remember, but simpler to crack.”
Professional Development: CPA Q&A. Access a handpicked selection of resources each month and complete a short monthly assessment to earn CPD hours. Exclusively available to CPA Australia members.
Bring in a password manager
As more of our lives are lived online, we collect more and more passwords. Repeating them across sites is dangerous, since a data breach at a relatively unimportant service provider can leave other, more critical sites wide open. So how are we to remember them all?
Associate professor Mark Gregory from the School of Engineering at RMIT uses the same method he’s employed since the 90s: putting his passwords into a text file, then encrypting it.
“I have about 1000 passwords now, so they’re impossible to remember,” says Gregory. “By encrypting them, I only have to remember one super password to access all of them.”
A more formal version of this same idea is to use a password management system readily available online.
They store all of your passwords in the one place, are encrypted, with only one password for you to manage.
You only need to remember one password to access the system — it takes care of the rest. While premium password managers charge a usually nominal yearly fee, Gregory points out that it’s a small price to pay compared to the potential devastation caused by criminals accessing your data, impersonating you, or getting into your bank account.
How to strengthen your password security
Matthew Byrne is a principal consultant in threat intelligence and cyber defence at Mandiant, and a lecturer at the Australian Centre for Cyber Security. He suggests adding another layer of protection, by enabling the multi-factor authentication option offered by most online banks and major service providers, including Facebook, Gmail, Skype and LinkedIn.
“Using the multi-factor authentication feature means you must use at least two steps to access your information,” Byrne explains.
“This could be entering a code sent to your phone or answering a question that only you know. So if someone gets your password, they’ve only got half of what they need to break in and steal your identity.”
Both Heiser and Byrne agree that the best security available is a combination of password, multi-factor authentication and biometrics, such as fingerprint or facial recognition. This makes it very hard for a hacker to get past, but even this isn’t completely foolproof, as the recent hack of the Samsung S8 iris scanner demonstrated.
“People have fooled fingerprint and iris scanners with photographs,” says Heiser.
The 10 worst passwords
This list is from SplashData’s list of the top 100 worst passwords for 2017, taken from leaked lists of hacked passwords, from most to least common.
123456
password
qwerty
letmein
football
iloveyou
admin
welcome
monkey
login
Reference:
https://www.intheblack.com/articles/2018/02/19/everything-about-passwords-is-wrong
Recently, I came across a site that deals with XML Security, and includes several tools.
Here’s the link:
https://www.aleksey.com/xmlsec/api/xmlsec-notes.html
Signing a Document
https://www.aleksey.com/xmlsec/api/xmlsec-notes-sign.html
The typical signature process includes following steps:
- Prepare data for signature.
- Create or load signature template and select start <dsig:Signature/> node.
- Create signature context xmlSecDSigCtx using xmlSecDSigCtxCreate or xmlSecDSigCtxInitialize functions.
- Load signature key in keys manager or generate a session key and set it in the signature context (
signKeymember ofxmlSecDSigCtx structure). - Sign data by calling xmlSecDSigCtxSign function.
- Check returned value and consume signed data.
- Destroy signature context xmlSecDSigCtx using xmlSecDSigCtxDestroy or xmlSecDSigCtxFinalize functions.
Online Digital Signature Verifier
Since the origin of SSL, webservers generated Public/Private keys using RSA. However, using strong RSA keys proved slow and expensive in CPU terms. RSA does not scale well, and slows web performance.
RSA 2048 provides around 112 bits of security. To achieve 128 bits of security, we need RSA 3072, which is slower, and impacts upon performance.
An alternative to RSA is ECC or Elliptic Curve Cryptography, which uses block ECC enabled TLS. It uses significantly less CPU cycles, and is very scalable..
ECC 256 bit uses a more advanced algorithm than RSA 2048 bit, but uses a smaller key (only 256 bits). Therefore it uses fewer CPU cycles to encrypt data, which improves website performance.
ECC 256 bit is 64,000 harder to crack than standard RSA 2048 bit. Therefore in security terms, ECC is the best option.
We can install Hybrid certificates with an RSA root, and signed by an ECC key.
Known Issues
RSA is widely deployed by legacy browsers.
Only TLS 1.2 supports the latest and fastest ciphers.
Some Android devices incorrectly generated random values with ECC.
Conclusion
RSA is too expensive to use for security above RSA 2048.
Implement TLS 1.2.
Move to Elliptic Curve algorithms.
Reference
Gilchrist A. (2017). The Concise Guide to SSL/TLS for DevOps. 2nd end. RG Consulting
https://www.amazon.co.uk/Concise-Guide-SSL-TLS-DevOps/dp/1521278628/
Several hacks have exposed flaws in the Intel CPU. These patches are called “microcode” and are to patch the CPU.
yum check updates
yum install
Reboot. As microcode is being installed to the CPU, a reboot is always required.
Sudo dmesg | grep ‘microcode’
Another way to check the microcode has been installed.
rpm -qa –last | grep microcode
Reference:
https://www.cyberciti.biz/faq/install-update-intel-microcode-firmware-linux/
Great article on alternative search engines. Startpage returns Google search results, but they strip away your IP, so that Google never know who you are.
https://www.techspot.com/news/80729-complete-list-alternatives-all-google-products.html
Google search alternatives
When it comes to privacy, using Google search is not a good idea. When you use their search engine, Google is recording your IP address, search terms, user agent, and often a unique identifier, which is stored in cookies.
Here are ten alternatives to Google search:
- StartPage – StartPage gives you Google search results, but without the tracking (based in the Netherlands).
- Searx – A privacy-friendly and versatile metasearch engine that’s also open source.
- MetaGer – An open source metasearch engine with good features, based in Germany.
- SwissCows – A zero-tracking private search engine based in Switzerland, hosted on secure Swiss infrastructure.
- Qwant – A private search engine based in France.
- DuckDuckGo – A private search engine based in the US.
- Mojeek – The only true search engine (rather than metasearch engine) that has its own crawler and index (based in the UK).
- YaCy – A decentralized, open source, peer-to-peer search engine.
- Givero – Based in Denmark, Givero offers more privacy than Google and combines search with charitable donations.
- Ecosia – Ecosia is based in Germany and donates a part of revenues to planting trees.
Note: With the exception of Mojeek, all of the private search engines above are technically metasearch engines, since they source their results from other search engines, such as Bing and Google.
Kali Linux is great, apart from its American default settings.
Even after you’ve selected the UK timezone, the keyboard settings will remain as American. This is the easiest way to select a UK keyboard.
setxkbmap -layout gb
Have fun.
Recently, I’ve had the situation where an expired Cert existed, on a global application. Therefore the question arose, could we renew the expired certificate, but continue to use the existing public keys (contained in the expired SSL certificate). The answer is yes, we can.
We created a new CSR, valid for the next 10 years, using the same Public Keys as the old Certificate.
So how did the experiment work out?
Step 1 – Private Key
We need to have the existing Private Key.
When we created the private key, the OpenSSL commands were:
genrsa -out server.key 2048
Our private key = server.key
Step 2 – CSR
Using OpenSSL the commands for the original certificate were:
req -new -key server.key -out server.csr
- Step 2 = We can use an EXISTING private key to generate the new Cert .csr.
Step 3 – We can normally combine steps 1 and 2 in OpenSSL
req -new -newkey rsa:2048 -keyout server.key -out server.csr
However, why would be break this single command into 2 steps?
- Step 3 = Always create a new private key. In our situation, this is exactly what we DON’T want, we want to use the legacy public key.
Step 4 – Create the Second Cert CSR using an existing key.
So we issue the OpenSSL command to get a new CSR file based on an existing private key.
req -new -key server.key -out mysecond.csr
Step 5 – Check the Modulus of each CSR file.
The OpenSSL command to check the modules of each CSR (Public Key)
req -text -in server.csr -noout
Modulus ends with: 57:1b:f7:bd
and then
req -text -in mysecond.csr -noout
Modulus ends with: 57:1b:f7:bd
What are we looking for?
The modulus of both certs will be the same.
Step 6 – Convert CSR into CRT
CSR file is the Certificate Signing Request. It contains the information which is needed to generate a certificate based on your private key and information about the WebSite.
CRT is the certificate itself (which you install into your Web browser).
There is basically no way to convert directly from one to another, as you need a key to sign the certificate, but what can do is to generate a self-signed certificate (e.g. certificate signed by the same key which was used to generate it):
openssl x509 -req -in server.csr -signkey server.key -out server.crtx509 -req -in mysecond.csr -signkey server.key -out mysecond.crt
openssl x509 -req -in server.csr -signkey server.key -out server.crtThe certificate is only valid for a month. That’s not good.
Lets add some days into this command. I want 3650 or 10 years…
x509 -req -in mysecond.csr -days 3650 -signkey server.key -out mysecond10year.crt
If you read the command I’ve entered in the screenshot , you’ll spot a typo, ie 23650 days.
Therefore my Cert is valid until 2084 instead of 2029 – but it proves the command works.
Step 7 – To view the certificate Modulus:
openssl x509 -noout -modulus -in [certificate-file.crt]
To view the key Modulus:
openssl rsa -noout -modulus -in [key-file.key]
The modulus of the private key and the certificate must match exactly.
If they do not match please locate the matching private key. If the matching private key can not be located, you can generate a new private key & CSR and reissue the certificate.
Reference:
https://knowledge.digicert.com/solution/SO20830.html
Here’s one of the few great Youtube videos on OpenSSL.
What are Subject Alternative Names?
We can have one Certificate that covers several domain URL’s. A wildcard domain certificate is a totally different beast. This Certificate takes several specific domains only, not all domains, so this is more restrictive.
Step 1 – Generate a CA Private Key
genrsa -out privkey.pem 2048
Step 2 – Generate a 10 year Self Signed CA Certificate
req -new -x509 -days 3650 -nodes -key privkey.pem -sha256 -out ca.pem
Enter in country eg UK
Locality=Newport
Origination Name = University South Wales CA
omit next 3 prompts (1. org unit, 2. common name and 3 email).
Step 3 – Create a Server CSR Config file
server.csr.cnf
Example config here:
Note that the CN (eg dev.usw.ac.uk must be quoted in the server_v3.ext file in Step 4) as one of the domains.
Step 4 – Create a Server_v3.ext file
This adds in multiple domains, as Subject Alternative Names. The CN from Step 3 eg dev.usw.ac.uk is quoted here, as its necessary if you want this to work.
Example shown:
Step 5 – Create a Self Signed Certificate with Subject Alternative Names v3 ext file
req -new -nodes -out server.csr -keyout server.key -config server.csr.cnf
Step 6 – Generate the Server Certificate using the Extension file server_v3.ext
x509 -req -in server.csr -CA ca.pem -CAkey privkey.pem -CAcreateserial -out server.crt -days 3650 -extfile server_v3.ext
I’ve followed this procedure twice, generating 2 different company certs, some with 6 domains added into the certificate, and it works flawlessly.
Recently I came across an issue with an expired Certificate on a Shibboleth System. Shibboleth uses the X509 certificate as a means to transmit the Public Key between the SP and IDP. Oddly Shibboleth does not complain when a Certificate has expired, nor does it check any details in the Cert. It’s confusing that Shibboleth does not validate the expiry dates, or the host name etc within a Certificate. The X509 Certificate is like a bus to transport the public key, and as long as you have the bus ticket, nothing about your identity is checked.
However, many Federations and other SAML systems will refuse to allow you to connect with an expired certificate. So while Shibboleth will quietly ignore the expired certificate, OpenAthens will prevent you from connecting, and other Federations such as GakuNin will remove you from their metadata.
Therefore it’s best practice to renew your Certificate.
Here’s an overview of what happens:
The default rules for X509 certificate appear to be:
- 10 years expiry = 3652 days
- Key size = RSA 2048
Updating an expired certificate
The goal of this section is to keep the existing public/private key pair for the SP in place, and to issue a new certificate using this existing public key.
We do not want to re-run the keygen.sh script, because that would create an entirely new key pair.
Instead, we will modify some of the code found in the script to make sure we just generate a new cert from the existing keys.
Step 1 – Create a Config File
First, we need to make a config file for openssl.
This will tell the openssl program how to label the certificate when it creates it. This code is exactly the same as the code generated by the keygen.sh script. Unfortunately, that script deletes this file after it uses it, so we have to make a copy for ourselves.
Step 2 – Backup the existing SP Cert
First, we make a backup of the current sp-cert.pem file, and then use openssl to generate the new certificate. This code assumes you want your self-signed certificate to last for 3652 days = 10 years.
Step 3 – Install the new Cert and Restart Services
Step 4 – Notify Federations of the new Metadata
The UKFED requires a week’s notice of Metadata change as they manually check it.
Next, they will contact the Administrative Contact (ie Contracts) to approve the update. Technical staff are not allowed to just update metadata as they please.
The UKFED will ask the Administrative Contact to confirm a SHA-256 hash of the new metadata.
Allow time to propagate out the data, the UKFED will normally make a change around 4.30pm on a Friday, and then Inter Federate the metadata to Edugain to send your metadata to Federations outside of the UK (eg Sweden, Italy).
Reference:
NC State University
