Skip to content

UPTIME – Windows Servers

All Linux servers have the wonderful uptime command.  The question is, does this exist for Windows Servers, and the answer is yes.

Step 1 – Task Manager

Right click Task bar, select Task Manager.  or  Ctl-Alt-Del – Task Manager

Task Manager > CPU Tab > Uptime

UPTIME WINDOWS SERVERS VIA TASK MANAGER

 

Step 2 – Command line

The systeminfo command shows a lot of information.

CMD >

systeminfo | findstr “Time:”

uptime windows servers

 

Step 3 – uptime.exe

Microsoft have a legacy uptime.exe.  But everytime I try to find this utility the page has been moved.

Wiki states The time given by Uptime.exe is not reliable. It does not take into account time spent in sleep or hibernation. Thus, the boot time will drifts forward every time the computer sleeps or hibernates.

 

Step 4 – WMI – lastbootuptime

Windows Management Instrumentation offers an option, that is not impressive.

wmic os get lastbootuptime

uptime wmic

Step 5 – Net

C:\>NET STATISTICS WORKSTATION | findstr "since"

uptime net command

Have fun!
Advertisements

PASSWORD HACKING: Everything you’ve been told about passwords is wrong

The US expert who wrote the standard for password security now says he was wrong – and it’s time for a new way.

In 2003, Bill Burr was a technology manager for the US National Institute of Standards and Technology (NIST) when he was tasked with writing some brief guidelines for password security. He recommended that passwords have a minimum of eight characters with a mix of capitals, numbers and symbols, and be updated frequently.

Soon Burr’s rules were adopted by organisations around the world. Now he says he not only regrets his recommendations, but that they have inadvertently led people to choose poor passwords that are actually easier for hackers to crack.

How hackers discover your password

The aim of Burr’s rules was to defeat what are known as “brute-force” attacks, where hackers use sheer computing power to try thousands of possible passwords, until they stumble on the right combination. By adding more character sets to the mix, you exponentially increase the number of possible combinations an attacker must try.

Consider an eight-character password (e.g. password). If it contains just lower case letters, the number of possible combinations is 26^8, around 208.8 billion. This sounds impressive – until you realise it can take as little as 1.8 seconds for a modern supercomputer or botnet to break such a password.

Add uppercase letters (e.g. PassWord), and the number of combinations is multiplied 256 times, to 52^8. Add digits and symbols (e.g. P@$$w0rd), and it becomes as high as 95^8, requiring much more time to crack, even with an enslaved botnet army hard at work.

The problem, says Gernot Heiser, Scientia professor at the University of New South Wales’ School of Computer Science and Engineering, is that today’s hackers rarely start with a blank slate.

Instead, they begin by searching for English words plus common substitutions, such as $ for S. That makes them very well adapted to breaking exactly the kind of P@ssw0rd$ users tend to create when struggling to comply with Burr’s rules.

How to choose a strong password

The solution, says Heiser, is to use long, memorable passphrases rather than passwords. Ideally, they would be an unforgettable combination of unexpected words, rather than a predictable English sentence. The more characters you add, the longer they’ll take to crack.

“If you choose longer, more complex passphrases with random words, a brute force attack becomes massively harder mathematically,” says Heiser.

He also says Burr’s original advice on changing passwords frequently is flawed – if only because it encourages users to choose shorter and simpler passwords that can be altered with relatively small changes (P@ssw0rd1 in January and P@ssw0rd2 in February, for example).

“The added protection of changing passwords is negative,” Heiser explains. “It’s safer to keep a longer, more complex password than to change it regularly to a simple one with variations that are easier to remember, but simpler to crack.”

Professional Development: CPA Q&A. Access a handpicked selection of resources each month and complete a short monthly assessment to earn CPD hours. Exclusively available to CPA Australia members.

Bring in a password manager

As more of our lives are lived online, we collect more and more passwords. Repeating them across sites is dangerous, since a data breach at a relatively unimportant service provider can leave other, more critical sites wide open. So how are we to remember them all?

Associate professor Mark Gregory from the School of Engineering at RMIT uses the same method he’s employed since the 90s: putting his passwords into a text file, then encrypting it.

“I have about 1000 passwords now, so they’re impossible to remember,” says Gregory. “By encrypting them, I only have to remember one super password to access all of them.”

A more formal version of this same idea is to use a password management system readily available online.

They store all of your passwords in the one place, are encrypted, with only one password for you to manage.

You only need to remember one password to access the system — it takes care of the rest. While premium password managers charge a usually nominal yearly fee, Gregory points out that it’s a small price to pay compared to the potential devastation caused by criminals accessing your data, impersonating you, or getting into your bank account.

How to strengthen your password security

Matthew Byrne is a principal consultant in threat intelligence and cyber defence at Mandiant, and a lecturer at the Australian Centre for Cyber Security. He suggests adding another layer of protection, by enabling the multi-factor authentication option offered by most online banks and major service providers, including Facebook, Gmail, Skype and LinkedIn.

“Using the multi-factor authentication feature means you must use at least two steps to access your information,” Byrne explains.

“This could be entering a code sent to your phone or answering a question that only you know. So if someone gets your password, they’ve only got half of what they need to break in and steal your identity.”

Both Heiser and Byrne agree that the best security available is a combination of password, multi-factor authentication and biometrics, such as fingerprint or facial recognition. This makes it very hard for a hacker to get past, but even this isn’t completely foolproof, as the recent hack of the Samsung S8 iris scanner demonstrated.

“People have fooled fingerprint and iris scanners with photographs,” says Heiser.

The 10 worst passwords

This list is from SplashData’s list of the top 100 worst passwords for 2017, taken from leaked lists of hacked passwords, from most to least common.

123456
password
qwerty
letmein
football
iloveyou
admin
welcome
monkey
login

 

Reference:

https://www.intheblack.com/articles/2018/02/19/everything-about-passwords-is-wrong

XML Security

Recently, I came across a site that deals with XML Security, and includes several tools.

Here’s the link:

https://www.aleksey.com/xmlsec/api/xmlsec-notes.html

Signing a Document

https://www.aleksey.com/xmlsec/api/xmlsec-notes-sign.html

The typical signature process includes following steps:

Online Digital Signature Verifier

https://www.aleksey.com/xmlsec/xmldsig-verifier.html

ECDSA versus RSA – A Comparison of Elliptical Curve Digital Signature Algorithm to RSA

Since the origin of SSL, webservers generated Public/Private keys  using RSA.  However, using strong RSA keys proved slow and expensive in CPU terms.  RSA does not scale well, and slows web performance.

RSA 2048 provides around 112 bits of security.   To achieve 128 bits of security, we need RSA 3072, which is slower, and impacts upon performance.

An alternative to RSA is ECC or Elliptic Curve Cryptography, which uses block ECC enabled TLS.  It uses significantly less CPU cycles, and is very scalable..

ECC 256 bit uses a more advanced algorithm than RSA 2048 bit, but uses a smaller key (only 256 bits).  Therefore it uses fewer CPU cycles to encrypt data, which improves website performance.

ECC 256 bit is 64,000 harder to crack than standard RSA 2048 bit.  Therefore in security terms, ECC is the best option.

We can install Hybrid certificates with an RSA root, and signed by an ECC key.

 

Known Issues

RSA is widely deployed by legacy browsers.

Only TLS 1.2 supports the latest and fastest ciphers.

Some Android devices incorrectly generated random values with ECC.

 

Conclusion

RSA is too expensive to use for security above RSA 2048.

Implement TLS 1.2.

Move to Elliptic Curve algorithms.

 

Reference

Gilchrist A.  (2017).  The Concise Guide to SSL/TLS for DevOps.  2nd end. RG Consulting

https://www.amazon.co.uk/Concise-Guide-SSL-TLS-DevOps/dp/1521278628/

 

 

CENTOS LINUX – How to apply Microcode Patches – CPU

Several hacks have exposed flaws in the Intel CPU.  These patches are called “microcode” and are to patch the CPU.

yum check updates

yum install

Reboot.  As microcode is being installed to the CPU, a reboot is always required.

Sudo dmesg | grep ‘microcode’

microcode patches centos

Another way to check the microcode has been installed.

rpm -qa –last | grep microcode

microcode list microcode patches

 

Reference:

https://www.cyberciti.biz/faq/install-update-intel-microcode-firmware-linux/

 

Alternatives to Google

Great article on alternative search engines.  Startpage returns Google search results, but they strip away your IP, so that Google never know who you are.

https://www.techspot.com/news/80729-complete-list-alternatives-all-google-products.html

 

Google search alternatives

When it comes to privacy, using Google search is not a good idea. When you use their search engine, Google is recording your IP address, search terms, user agent, and often a unique identifier, which is stored in cookies.

Here are ten alternatives to Google search:

  • StartPage – StartPage gives you Google search results, but without the tracking (based in the Netherlands).
  • Searx – A privacy-friendly and versatile metasearch engine that’s also open source.
  • MetaGer – An open source metasearch engine with good features, based in Germany.
  • SwissCows – A zero-tracking private search engine based in Switzerland, hosted on secure Swiss infrastructure.
  • Qwant – A private search engine based in France.
  • DuckDuckGo – A private search engine based in the US.
  • Mojeek – The only true search engine (rather than metasearch engine) that has its own crawler and index (based in the UK).
  • YaCy – A decentralized, open source, peer-to-peer search engine.
  • Givero – Based in Denmark, Givero offers more privacy than Google and combines search with charitable donations.
  • Ecosia – Ecosia is based in Germany and donates a part of revenues to planting trees.

Note: With the exception of Mojeek, all of the private search engines above are technically metasearch engines, since they source their results from other search engines, such as Bing and Google.

 

KALI LINUX – How to change to a UK Keyboard

Kali Linux is great, apart from its American default settings.

Even after you’ve selected the UK  timezone, the keyboard settings will remain as American.  This is the easiest way to select a UK keyboard.

setxkbmap -layout gb

kali linux set british keyboard

Have fun.

OpenSSL – How to renew an expired SSL Certificate, so that the new SSL Certificate has the same Public Key as the old Certificate

Recently, I’ve had the situation where an expired Cert existed, on a global application.  Therefore the question arose, could we renew the expired certificate, but continue to use the existing public keys (contained in the expired SSL certificate).  The answer is yes, we can.

We created a new CSR, valid for the next 10 years, using the same Public Keys as the old Certificate.

So how did the experiment work out?

Step 1 – Private Key

We need to have the existing Private Key.

When we created the private key, the OpenSSL commands were:

genrsa -out server.key 2048

Our private key = server.key

 

Step 2 – CSR

Using OpenSSL the commands for the original certificate were:

req -new -key server.key -out server.csr

  • Step 2 = We can use an EXISTING private key to generate the new Cert .csr.

 

Step 3 – We can normally combine steps 1 and 2 in OpenSSL

req -new -newkey rsa:2048 -keyout server.key -out server.csr

However, why would be break this single command into 2 steps?

  • Step 3 = Always create a new private key.  In our situation, this is exactly what we DON’T want, we want to use the legacy public key.

 

Step 4 – Create the Second Cert CSR using an existing key.

So we issue the OpenSSL command to get a new CSR file based on an existing private key.

req -new -key server.key -out mysecond.csr

openssl mysecond cert csr

openssl mysecond CSR public key generated in noteapd

 

Step 5 – Check the Modulus of each CSR file.

The OpenSSL command to check the modules of each CSR (Public Key)

req -text -in server.csr -noout

Modulus ends with: 57:1b:f7:bd

openssl server check modulus against server.csr text

and then

req -text -in mysecond.csr -noout

Modulus ends with: 57:1b:f7:bd

openssl mysecond csr modulus

 

What are we looking for?

The modulus of both certs will be the same.

 

Step 6 – Convert CSR into CRT

CSR file is the Certificate Signing Request. It contains the information which is needed to generate a certificate based on your private key and information about the WebSite.

CRT is the certificate itself (which you install into your Web browser).  

There is basically no way to convert directly from one to another, as you need a key to sign the certificate, but what can do is to generate a self-signed certificate (e.g. certificate signed by the same key which was used to generate it):

openssl x509 -req -in server.csr -signkey server.key -out server.crt

x509 -req -in mysecond.csr -signkey server.key -out mysecond.crt

openssl convert csr into crt to load into browser

openssl x509 -req -in server.csr -signkey server.key -out server.crt

The certificate is only valid for a month.  That’s not good.

 

Lets add some days into this command.  I want 3650 or 10 years…

x509 -req -in mysecond.csr -days 3650 -signkey server.key -out mysecond10year.crt

 

openssl convert csr into crt for 10 years

If you read the command I’ve entered in the screenshot , you’ll spot a typo, ie 23650 days.

Therefore my Cert is valid until 2084 instead of 2029 – but it proves the command works.

openssl cert to 2084 instead of 10 years

 

Step 7 – To view the certificate Modulus:

openssl x509 -noout -modulus -in [certificate-file.crt]

openssl check modulus command

To view the key Modulus:

openssl rsa -noout -modulus -in [key-file.key]

openssl check modulus of private key

The modulus of the private key and the certificate must match exactly.

If they do not match please locate the matching private key.  If the matching private key can not be located, you can generate a new private key & CSR and reissue the certificate.

 

Reference:

https://stackoverflow.com/questions/7064087/how-to-convert-csr-to-cer-or-whatever-usable-on-windows/7064418

https://knowledge.digicert.com/solution/SO20830.html

 

 

OpenSSL – How to create self signed certificates with Subject Alternative Names

Here’s one of the few great Youtube videos on OpenSSL.

 

What are Subject Alternative Names?

We can have one Certificate that covers several domain URL’s.  A wildcard domain certificate is a totally different beast.  This Certificate takes several specific domains only, not all domains, so this is more restrictive.

Step 1 – Generate a CA Private Key

genrsa -out privkey.pem 2048

 

Step 2 – Generate a 10 year Self Signed CA Certificate

req -new -x509 -days 3650 -nodes -key privkey.pem -sha256 -out ca.pem

Enter in country eg UK

Locality=Newport

Origination Name = University South Wales CA

omit next 3 prompts (1. org unit, 2. common name and 3 email).

 

Step 3 – Create a Server CSR Config file

server.csr.cnf

Example config here:

Note that the CN (eg dev.usw.ac.uk must be quoted in the server_v3.ext file in Step 4) as one of the domains.

usw server csr config file

Step 4 – Create a Server_v3.ext file

This adds in multiple domains, as Subject Alternative Names.  The CN from Step 3 eg dev.usw.ac.uk is quoted here, as its necessary if you want this to work.

Example shown:

usw v3 ext file

 

Step 5 – Create a Self Signed Certificate with Subject Alternative Names v3 ext file

req -new -nodes -out server.csr -keyout server.key -config server.csr.cnf

 

Step 6 – Generate the Server Certificate using the Extension file server_v3.ext

x509 -req -in server.csr -CA ca.pem -CAkey privkey.pem -CAcreateserial -out server.crt -days 3650 -extfile server_v3.ext

 

I’ve followed this procedure twice, generating 2 different company certs, some with 6 domains added into the certificate, and it works flawlessly.

 

 

 

 

 

 

Shibboleth SAML – How to renew an expired certificate without changing the Public Key

Recently I came across an issue with an expired Certificate on a Shibboleth System.  Shibboleth uses the X509 certificate as a means to transmit the Public Key between the SP and IDP.  Oddly Shibboleth does not complain when a Certificate has expired, nor does it check any details in the Cert.  It’s confusing that Shibboleth does not validate the expiry dates, or the host name etc within a Certificate.  The X509 Certificate is like a bus to transport the public key, and as long as you have the bus ticket, nothing about your identity is checked.

However, many Federations and other SAML systems will refuse to allow you to connect with an expired certificate.  So while Shibboleth will quietly ignore the expired certificate,  OpenAthens will prevent you from connecting, and other Federations such as GakuNin will remove  you from their metadata.

Therefore it’s best practice to renew your Certificate.

Here’s an overview of what happens:

shibboleth problems with certificates

 

The default rules for X509 certificate appear to be:

  1. 10 years expiry = 3652 days
  2. Key size = RSA 2048

 

Updating an expired certificate

The goal of this section is to keep the existing public/private key pair for the SP in place, and to issue a new certificate using this existing public key.

We do not want to re-run the keygen.sh script, because that would create an entirely new key pair.

Instead, we will modify some of the code found in the script to make sure we just generate a new cert from the existing keys.

 

 

Step 1  – Create a Config File

First, we need to make a config file for openssl.

This will tell the openssl program how to label the certificate when it creates it. This code is exactly the same as the code generated by the keygen.sh script. Unfortunately, that script deletes this file after it uses it, so we have to make a copy for ourselves.

shibboleth create a config file

 

Step 2  – Backup the existing SP Cert

First, we make a backup of the current sp-cert.pem file, and then use openssl to generate the new certificate. This code assumes you want your self-signed certificate to last for 3652 days = 10 years.

shihbboleth back up cert

 

Step 3 – Install the new Cert and Restart Services

shibboleth install the new cert

Step 4 – Notify Federations of the new Metadata

The UKFED requires a week’s notice of Metadata change as they manually check it.

Next, they will contact the Administrative Contact (ie Contracts) to approve the update.  Technical staff are not allowed to just update metadata as they please.

The UKFED will ask the Administrative Contact to confirm a SHA-256 hash of the new metadata.

Allow time to propagate out the data, the UKFED will normally make a change around 4.30pm on a Friday, and then Inter Federate the metadata to Edugain to send your metadata to Federations outside of the UK (eg Sweden, Italy).

 

 

Reference:

NC State University

https://docs.shib.ncsu.edu/docs/sp_certs.html

%d bloggers like this: