USW named Cyber University of the Year for second year running – 2020

On 9 September, via livestream, the University of South Wales (USW) Cyber Department picked up an award at the National Cyber Awards 2020, being named as the Cyber University of the Year.

The awards reward those who are committed to cyber innovation, cyber crime reduction and protecting citizens online.

The Education and Learning category acknowledged educational establishments that are leading the way in cyber security education.

Up against University of Oxford, Cardiff University, and Manchester Metropolitan University, USW secured the trophy for our new National Cyber Security Academy (NCSA) and our visible national collaboration.

The pilot NCSA, the first of its kind in Wales and a major UK initiative, is at USW’s Newport Campus, and enrolled its first students in 2016.

https://www.southwales.ac.uk/courses/bsc-hons-applied-cyber-security/3451/usw-named-cyber-university-of-the-year-for-second-year-running/

Fundamentals of Cryptography – Northeastern University

 

 

Encryption: EU Plans To Use Supercomputers To Break Encryption, using Hashcat

 

At EU level, Europol is responsible for reading encrypted communications and storage media. The police agency has set up a “decryption platform” for that. According to Europol’s annual report for 2018, a “decryption expert” works there, from whom the competent authorities of the Member States can obtain assistance. The unit is based at the European Centre for Cybercrime (EC3) at Europol in The Hague and received five million euros two years ago for the procurement of appropriate tools.

The Europol group uses the open source password recovery software Hashcat in order to guess passwords used for content and storage media. According to Monroy, the “decryption platform” has managed to obtain passwords for 32 cases out of 91 where it the authorities needed access to an encrypted device or file. A 39% success rate is not too shabby, depending on how strong the passwords were. But the EU wants to do better, and has decided one way to do that is to throw even more number-crunching power at the problem: in the future, supercomputers will be used. Europol is organizing training courses to help investigators gain access to encrypted materials using Hashcat. Another “decryption expert group” has been given the job of coming up with new technical and legal options. Unfortunately, the approaches under consideration are little more than plans to bully Internet companies into doing the dirty work:

Internet service providers such as Google, Facebook and Microsoft are to create opportunities to read end-to-end encrypted communications. If criminal content is found, it should be reported to the relevant law enforcement authorities. To this end, the Commission has initiated an “expert process” with the companies in the framework of the EU Internet Forum, which is to make proposals in a study.

This process could later result in a regulation or directive that would force companies to cooperate.

There’s no way to “create opportunities” to read end-to-end encrypted communications without weakening the latter. If threats from the EU and elsewhere force major Internet services to take this step, people will just start using open source solutions that are not controlled by any company.

Reference:

https://www.techdirt.com/articles/20200728/07235644992/eu-plans-to-use-supercomputers-to-break-encryption-also-wants-platforms-to-create-opportunities-to-snoop-end-to-end.shtml

Brute Force Password Hacking: How long will it take to Brute Force a password

As we all know, its not a good idea to brute force a password, as its much faster to use password attacks using hashcat.

I found a good graphic on how slow brute force hacking can be, depending on the length and the complexity of the password.  The graph also demonstrates how longer passwords offer, and alphanumeric complexity, can alter the risk vector in your favour.

The game of password hacking is this:

1. Users reset password every month, ie 30 days
2. If we can Brute force the password in 15 days, we can use the password for another 15 days.
3. Brute force attacks, will normally crack the password about half way through the times quote.
4. An 8 character password, is listed as 84 days, which means it should crack in approximately 41 days (close to a months reset).  How would you protect accounts at this point?  It is recommended to force longer passwords, eg 10-14 characters to protect against brute force attacks, as a pragmatic, rather than guaranteed security. Its possible that a brute force attack could break the security in the first day, however, this would be unlikely.

Reference:

http://www.yourdestinationnow.com/2020/07/brute-force-password-guessing-picture.html

 

Encryption: what is an Enveloped Signature

Recently, I’ve had to problem solve an issue with a SAML response being incorrect.  The client response used digital signatures, hashing, RSA public key and base 64 encoding.  Now, each process of the response needed to be worked through, to see where the error occurred.

Enveloped Signature.

• This means the signature is contained within the XML
• The transform Algorithm removes the signature

 

 

 

 

 

 

 

 

 

 

• The message digest states the hashing used – eg SHA1.
• The public key is RSA.
• The Transform Algorithm says this is an enveloped signature.

Example: https://www.di-mgt.com.au/xmldsig2.html

 

Compute Message Digest

Remove the Signature element (enveloped means the signature is contained in the XML).

The SHA-1 digest of this data is (0x)516b984d8ba0d7427593984a7e89f1b6182b011f

or UWuYTYug10J1k5hKfonxthgrAR8= in base64.

Base64 encode or decode online tools are here: https://www.base64decode.net/

RSA Keys

We used Alice’s RSA key to sign this, with PKCS#8 encrypted private key (password: “password”), and corresponding X.509 certificate.

Alice’s public key in XML format is

<RSAKeyValue>
  <Modulus>
    4IlzOY3Y9fXoh3Y5f06wBbtTg94Pt6vcfcd1KQ0FLm0S36aGJtTSb6pYKfyX7PqCUQ8wgL6xUJ5GRPEsu9gyz8
    ZobwfZsGCsvu40CWoT9fcFBZPfXro1Vtlh/xl/yYHm+Gzqh0Bw76xtLHSfLfpVOrmZdwKmSFKMTvNXOFd0V18=
  </Modulus>
  <Exponent>AQAB</Exponent>
</RSAKeyValue>

 

Compute Final XML

 

Whitespace

Where the whitespace does matter?

The whitespace characters shown as ♦ and line endings ¶ below cannot be changed because they were required in the c14n forms to compute the digest value or signature value.

<Envelope xmlns="http://example.org/envelope">¶
♦♦<Body>¶
♦♦♦♦Olá mundo¶
♦♦</Body>¶
♦♦<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>¶
♦♦♦♦♦♦<CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />¶
♦♦♦♦♦♦<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />¶
♦♦♦♦♦♦<Reference URI="">¶
♦♦♦♦♦♦♦♦<Transforms>¶
♦♦♦♦♦♦♦♦♦♦<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />¶
♦♦♦♦♦♦♦♦</Transforms>¶
♦♦♦♦♦♦♦♦<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />¶
♦♦♦♦♦♦♦♦<DigestValue>UWuYTYug10J1k5hKfonxthgrAR8=</DigestValue>¶
♦♦♦♦♦♦</Reference>¶
♦♦♦♦</SignedInfo>
...
  </Signature>¶
</Envelope>

 

Definitions

From xmldsig-core:

Enveloping signature

The signature is over content found within an Object element of the signature itself. The Object (or its content) is identified via a Reference (via a URI fragment identifier or transform).

Enveloped signature

The signature is over the XML content that contains the signature as an element. The content provides the root XML document element. Obviously, enveloped signatures must take care not to include their own value in the calculation of the SignatureValue.

 

Sorting attributes

The c14n ordering of attributes is as follows.

1. The default namespace declaration xmlns="...", if any, comes first.
2. Namespace declarations, sorted by prefix (the part after “xmlns:”). So xmlns:a="http://www.w3.org" comes before xmlns:b="http://www.ietf.org".
3. Unqualified attributes, sorted by name. So attr="..." comes before attr2="...".
4. Qualified attributes, sorted by namespace URI then name. So b:attr="..." comes before a:attr="...", because we read this as http://www.ietf.org:attr="..." comes before http://www.w3.org:attr="...". And a:attr="..." comes before a:attr2="..."

<e xmlns="http://example.org" xmlns:a="http://www.w3.org" xmlns:b="http://www.ietf.org" attr="I'm" attr2="all" b:attr="sorted" a:attr="out" a:attr2="now"></e>

For an excellent explanation of the rules to sort attributes when canonicalizing your data for XML-DSIG, see Keith S. Beattie’s article on attribute ordering KSB’s XML C14N Notes.

 

Reference:

https://www.di-mgt.com.au/xmldsig2.html

Windows 7 Alternative – LinuxLite

“We would like to take this opportunity to welcome all Windows 7 people who have come here to find a simple, fast and free alternative to Windows 7 which has reached its end of life and no longer provides security updates,” said Jerry Bezencon, Linux Lite creator and maintainer.

Linux Lite is a Linux distribution and based on Debian and Ubuntu and created by a team led by Jerry Bezencon. The distribution offers a lightweight desktop experience with a customized Xfce Desktop environment. It includes a set of Lite application to make the life easier for a novice Linux user.

 

Linux Lite is a ‘gateway operating system.’ It was created to make the transition from Windows to a Linux based operating system as smooth as possible.

Linux Lite makes the transition to a linux based operating system by offering a full, Microsoft compatible Office suite, familiar software like Firefox, Chrome, Teamviewer, VLC as well as full system back up tools, a comprehensive – easy to follow Help Manual to guide you on your journey, Steam so you can keep playing your Windows games and so much more familiar software.

 

What you can expect from Linux Lite?

A Desktop, taskbar and tray that have a familiar layout.– You get a fully featured FREE Microsoft compatible Office Suite in the form of LibreOffice.– The option to run familiar software such as Steam, DropBox, Kodi, OBS Studio, Skype, Spotify, Teamviewer all from within our Lite Software application.– A Welcome screen that greets you at first boot and makes setting up your Linux Lite install a breeze. Just click and go.– A Hardware Database containing over 30,000 existing pc configurations that is searchable. Herl my hardware run Linux Lite? Look here – https://www.linuxliteos.com/hardware.php– A friendly, welcoming Support Forum that will always do it’s best to find you answers.– A massive, searchable built-in and online Help Manual that covers all aspects of setting up, troubleshooting and working with Linux Lite.– A bundled powerful image editor Gimp that many refer to as a Photoshop competitor FREE in Linux Lite.– Familiar Desktop icons that get you quickly to where you want to go.VirtualBox Support:Out-of-the-box VirtualBox support for YouTube/Online Journalist reviewers and testers has been withdrawn. This was done to remove one more potential boot-up slow down from the list of variables. And there were cases where this has been a PITA for many users.

If you are reviewing or testing, install Linux Lite to the VM then do:Code: [Select]

sudo apt-get install virtualbox-guest-dkms virtualbox-guest-utils virtualbox-guest-x11

 

After a fresh install. You will then have the full experience that VirtualBox provides.

Source:

https://hackersonlineclub.com/linux-lite-4-8-os-released-as-windows-7-alternative/

Amazon Ring – A video of why you should not install Ring

Here’s a video, of why you should not install the Amazon Ring.  The Ring invades the privacy of your friends and neighbours, in addition to your family.

https://twitter.com/Jessica_Holley/status/1204505193003573250/video/1

 

Home security company Ring and its parent corporation Amazon were hit with a lawsuit in federal court Thursday alleging that their cameras have been hacked on numerous occasions due to inadequate protections, confirming privacy advocates’ fears about the devices.

John Baker Orange of Alabama, the plaintiff in the case, said in the lawsuit (pdf) that his Ring security camera was recently hacked while his children were playing basketball outside of his home.

“Mr. Orange’s children were playing basketball when a voice came on through the camera’s two-way speaker system,” reads the lawsuit, which was filed in the U.S. District Court for the Central District of California. “An unknown person engaged with Mr. Orange’s children, commenting on their basketball play and encouraging them to get closer to the camera. Once Mr. Orange learned of the incident, he changed the password on the Ring camera and enabled two-factor authentication.”

“Ring does not fulfill its core promise of providing privacy and security for its customers, as its camera systems are fatally flawed,” the lawsuit states.

The lawsuit also cites the alarming breach of a Ring security camera in DeSoto County, Mississippi, where a hacker gained access to a device installed in an 8-year-old girl’s bedroom and began speaking to her.

“I’m your best friend,” the hacker said. “I’m Santa Claus.”

Each time I’ve watched this video it’s given me chills.

A Desoto County mother shared this Ring video with me. Four days after the camera was installed in her daughters’ room she says someone hacked the camera & began talking to her 8-year-old daughter.

More at 6 on #WMC5 pic.twitter.com/77xCekCnB0

— Jessica Holley (@Jessica_Holley) December 10, 2019

Privacy advocates and digital rights groups have long been sounding the alarm about the gaping security flaws in Ring devices.

**Comment

Amazon should warn parents NOT to install this in an area where children will dress/undress, play etc.  This device is a paedophile’s dream – they can talk to children and watch them day and night.  Its a bad world out there… and the risks are being ignored.  If a parent can see their child in a bedroom – so can the rest of the world. For goodness sake, don’t buy these products.

Reference

https://www.commondreams.org/news/2019/12/27/amazon-and-ring-hit-lawsuit-after-camera-hacks-confirm-worst-fears-privacy-advocates

Single Sign On Thesis 2016

Single sign on Thesis – 2016

https://www.diva-portal.org/smash/get/diva2:908334/FULLTEXT02.pdf

SSO – AWS – Lightsail with Drupal and SimpleSAML Single Sign on

Step 1 -AWS Lightsail

AWS offer Lightsail, with Drupal.  SimpleSAML can be configured to offer Single Sign On with the website.  Select your AWS region eg Ireland or UK.

Select Linux > Drupal

 

 

Next, download SSH Keypairs

Step 1.1 – Download the keypair so that you can connect using SSH & Putty.

Select “Enable Automatic Snapshots” if you want a daily backup image taken.

For Linux-based instances, Lightsail uses Secure SHell (SSH) to connect to your instance (a virtual private server). SSH uses a key pair (a public key and a private key) to match the remote server to an authorized user.

Lightsail creates a default key pair in each AWS Region where you create an instance. Choose Download to download the default private key if you also want to connect to your Lightsail instance using an SSH client such as PuTTY.

Step 1.2 – Select AWS Plan – Free

There is a one month free plan on AWS. Use this for testing.

It’s important to both Name and TAG the instance.  Then select the bright orange button “Create Instance”.

CREATE INSTANCE

Note that it will be in a “pending” state.  Allow a few minutes for the status to change to “running“.

If you take the public IP listed – and paste this into a Chrome web browser, the Drupal web page will appear.

 

Once the status is running, select the 3 dots on the top right hand side.  A drop down list for connect and manage appears.

Select 3 dots > manage > connect via SSH

Now, AWS doesn’t make using Putty to connect to SSH easy.  There’s some additional config required, which isn’t needed for Windows (Remote desktop) connections.

https://lightsail.aws.amazon.com/ls/docs/en_us/articles/lightsail-how-to-set-up-putty-to-connect-using-ssh

You’ll need both the SSH key pair you downloaded earlier, putty and putty generator in order to connect using SSH.

Step 3: Configure PuTTYgen with your Lightsail private key

Now that you have a copy of your .pem key file, you can set up PuTTY using the PuTTY Key Generator (PuTTYgen).

1. Start PuTTYgen (for example, from the Start menu, choose All Programs, PuTTY, PuTTYgen).

1. Choose Load.

   

2. By default, PuTTYgen displays only files with the .ppk extension. To locate your .pem file, select the option to display files of all types.

3. Choose lightsailDefaultKey.pem, and then press Open.

   PuTTYgen confirms that you successfully imported the key, and then you can choose OK.

   Choose Save private key, and then confirm you don’t want to save it with a passphrase.

If you choose to create a passphrase as an extra measure of security, remember you will need to enter it every time you connect to your instance using PuTTY.

Specify a name and a location to save your private key, and then choose Save.

Close PuTTYgen.

 

Test your connection.

Open Putty.  Enter Public IP of Lightsail server and browse to the AUTH directory.  Browse to where you saved the Puttygen Private File.

Lightsail issues a PEM file by default.  Don’t load this.

Browse to the PPK file.  This is the private file that SSH needs to load.

Putty

Use putty to login with SSH using the PPK file.

User = bitnami

How do I get my bitnami password?

 

cat ./bitnami_credentials

cat $HOME/bitnami_application_password

Browse to Chrome, enter in public ip of server, user = user and password as from credentials.

Login as user

Notice the Shortcuts and edit tabs

 

Create a new Admin account.  Add user Button.

Enter user Id.  Role = Admin.

 

Next, use the new Admin account to install the SimpleSAML SP module

Browse to drupal site to locate latest SimpleSAML SP version

https://www.drupal.org/project/simplesamlphp_auth

Download (green button).

 

Extend Menu > URL or File Upload (of the new downloaded file).

Extend > Install the new module/file

SAML SP

https://www.drupal.org/project/saml_sp

Press Install button > Get confirmation screen

 

Error Message

I got an error message on the simplsamlphp install module.

 

Download Externalauth module

Extend > module > upload ExternalAuth > follow the onscreem prompts

Next we have to configure the SP

The SP is configured by an entry in config/authsources.php.  The SimpleSAML Quickstart Guide is here:

https://simplesamlphp.org/docs/stable/simplesamlphp-sp

This is a minimal authsources.php for a SP:

<?php
$config = [

    /* This is the name of this authentication source, and will be used to access it later. */
    'default-sp' => [
        'saml:SP',
    ],
];

Use the locate command to find the authsources.php directories.  This command will become very useful when dealing with Bitnami directories, as they are different from default install directories.

config/authsources.php – contains SP required attributes, LDAP Config

Bitnami does not use default directories, which is a shame.  It gets VERY messy here, simply because the default directories for simplesaml do not apply.

The installation process will create several sub-directories under the directory:

 /opt/bitnami 

• Servers and related tools: apache2/, mysql/, postgresql/, apache-tomcat/, etc.
• Languages: php/, python/, ruby/, tcl/, etc.
• Application files: apps/phpMyAdmin/, apps/drupal/, apps/joomla/, apps/redmine/, etc.
• Common libraries: common/
• Licenses of the components included in the stack: licenses/

Drupal Directories

cd /opt/bitnami/apps/drupal/conf

README.txt states:

The rest of this guide assumes that you installed Bitnami Drupal
Stack in /home/user/drupal-8.7.5-0 on Linux or C:\Program Files\Bitnami Drup$
on Windows or /Applications/drupal-8.7.5-0 on OS X and that you use port
8080 for Apache on Linux and port 80 on Windows and 3306 for MySQL.

Starting & stopping a service.

To start/stop/restart application on Linux you can use the included ctlscript.sh utility, as shown below:

bitnami@ip-172-26-15-231:/$ locate *ctlscript.sh*
/opt/bitnami/ctlscript.sh

./ctlscript.sh (start|stop|restart)
./ctlscript.sh (start|stop|restart) mysql
./ctlscript.sh (start|stop|restart) apache

start – start the service(s)
stop – stop the service(s)
restart – restart or start the service(s)

sudo su –

root@ip-172-26-15-231:/opt/bitnami# ./ctlscript.sh status apache
apache already running

root@ip-172-26-15-231:/opt/bitnami# ./ctlscript.sh restart apache

The installation process will create several subfolders under the main
installation directory:

apache2/: Apache Web server.
php/: PHP Scripting Language.
mysql/: MySQL Database.
apps/
drupal/: Drupal application folder
conf/: Drupal Apache configuration files
htdocs/: Drupal PHP application files
phpMyAdmin/: phpMyAdmin application folder (optional)

As the Bitnami documents are weak regarding simplesaml, I switched to this site.

https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-simplesamlphp-for-saml-authentication-on-ubuntu-16-04#step-4-—-configuring-the-authentication-source

 

Install SimpleSAML to /var/simplesamlphp

Terminal

wget https://simplesamlphp.org/download?latest

tar zxf download?latest

Find the current version

ls simplesamplphp* – note down the version eg 18.3

Now, copy the contents of the directory to /var/simplesamlphp using the cp command. Be sure to replace the version number with the version you have:

sudo cp -a simplesamlphp-1.x.y/.   /var/simplesamlphp/

The -a switch ensures that the file permissions are copied along with the files and folders. The dot at the end of the source file ensures everything in the source directory including hidden files gets copied to the destination directory.

 

sudo apt-get update

 

sudo apt-get install php-xml php-mbstring php-curl php-memcache php-ldap memcached

 

Software check

php -m | grep ‘date\|dom\|hash\|json\|mbstring\|openssl\|pcre\|SPL\|zlib’

sudo systemctl restart apache2 (remember the bitnami directorys use the ./ctlscript.sh

cd /opt/bitnami/./ctlscript.sh restart apache

 

Next, we need to make several changes to the core SimpleSAMLphp configuration located at /var/simplesamlphp/config/config.php.

Finally!  We can see the config.php.

 

nano /var/simplesamphp/config/config.php

Set the administrator password by locating the 'auth.adminpassword' line and replacing the default value of 123 with a more secure password. This password lets you access some of the pages in your SimpleSAMLphp installation web interface.  If you keep the default password of 123, it will error.

/var/simplesamlphp/config/config.php

. . .
'auth.adminpassword'        => 'your_admin_password',
. . .

'timezone' => null,

UK timezone = ‘Europe/London’

Full list of timezones = https://www.php.net/manual/en/timezones.php

Database change to SQL

Save and close the file. You should now be able to access the site in your browser by visiting https://your_domain/simplesaml.

 

Apache file

Next the Apache file needs to be edited to include your server DNS or IP.

The Bitnami main config file for Apache is

/opt/bitnami/apache2/conf/httpd.conf

ServerName 172.26.15.231:80

Enter both public IP and private IP for server, with port 80, as shown.

Add an alias to the httpd.conf.

Alias /simplesaml /var/simplesamlphp/www

Add the directory and access rights

<Directory /var/simplesamlphp/www/>

    Require all granted

</Directory>

SIMPLESAML Webpage

To display the main SimpleSAML home page in a web browser:

http://ip/simplesaml

The Configuration Tab runs diagnostics checks on the SimpleSAML php setup.

The Federation Tab is where we will upload the IDP metadata and format the metadata, after we have created the AWS SSO IDP metadata.

AWS SSO

Access your AWS free tier service.  Enter in SSO on the service.

The next step is to create an AWS SSO login, generate the metadata for this IDP, and upload this to simplesaml.

 

 

 

Once the AWS SSO IDP is created, we need to tell the simplesaml config, about this IDP.  The file that holds the metadata for a remote IDP is called “saml20-idp-remote.php”.

cd /var/simplesamlphp-1.18.3/config/metadata/saml20-idp-remote.php

Default config looks like this.  At this point, you enter in the AWS SSO account you created earlier.

<?php
$metadata['https://example.com'] = [
    'SingleSignOnService'  => 'https://example.com/simplesaml/saml2/idp/SSOService.php',
    'SingleLogoutService'  => 'https://example.com/simplesaml/saml2/idp/SingleLogoutService.php',
    'certificate'          => 'example.pem',
];

 

Your Aws metadata in the saml idp remote config file will look like this (apologies for the artwork)

 

 

 

 

 

 

 

 

 

 

 

SAML: On Breaking SAML: Be Whoever You Want to Be

The XML Signature standard [14] defines the syntax and processing rules for creating, representing, and verifying XML-based digital signatures.

It is possible to sign a whole XML tree or only specific elements.

One XML Signature can cover several local or global resources.

A signature placed within the signed content is called an enveloped signature.

If the signature surrounds the signed parts, it is an enveloping signature.

A detached signature is neither inside nor a parent of the signed data.

 
Signatures are two-pass signatures: the hash value of the resource (DigestValue) along with the used hash algorithm (DigestMethod) and the URI reference to the resource are stored in a Reference element. Additionally, the Transforms element specifies the processing steps which are applied prior to digesting of the resource. Each signed resource is represented by a Reference element in the SignedInfo element. Therefore, SignedInfo is a collection of hash values and URIs. The SignedInfo itself is protected by the signature. The CanonicalizationMethod and the SignatureMethod element specify the algorithms used for canonicalization and signature creation, and are also embedded in SignedInfo. The Base64-encoded value of the computed signature is deposited in the SignatureValue element. In addition, the KeyInfo element facilitates the transport of signature relevant key management information. The Object is an optional element that may contain any data.

Reference:

https://www.usenix.org/system/files/conference/usenixsecurity12/sec12-final91.pdf