
Go – SCP Book – Secure Coding practices

Go Language – Web Application Secure Coding Practices is a guide written for anyone who is using the Go Programming Language and aims to use it for web development.

This book is a collaborative effort of the Checkmarx Security Research Team and follows the OWASP Secure Coding Practices – Quick Reference Guide v2 (stable) release.

The main goal of this book is to help developers avoid common mistakes while at the same time learning a new programming language through a “hands-on approach”. This book provides a good level of detail on “how to do it securely”, showing what kind of security problems could arise during development.

The book is available as mobi or epub.

Reference:

https://www.gitbook.com/book/checkmarx/go-scp/details

THE STORY OF GETTING SSH PORT 22

I wrote the initial version of SSH in Spring 1995. It was a time when telnet and FTP were widely used.

Anyway, I designed SSH to replace both telnet (port 23) and ftp (port 21). Port 22 was free. It was conveniently between the ports for telnet and ftp. I figured having that port number might be one of those small things that would give some aura of credibility. But how could I get that port number? I had never allocated one, but I knew somebody who had allocated a port.

The basic process for port allocation was fairly simple at that time. Internet was smaller and we were in very early stages of the Internet boom. Port numbers were allocated by IANA (Internet Assigned Numbers Authority). At the time, that meant an esteemed Internet pioneer called Jon Postel and Joyce K. Reynolds. Among other things, Jon had been the editor of such minor protocol standards as IP (RFC 791), ICMP (RFC 792), and TCP (RFC 793). Some of you may have heard of them.

To me Jon felt outright scary, having authored all the main Internet RFCs!

Anyway, just before announcing ssh-1.0 in July 1995, I sent this e-mail to IANA:

From ylo Mon Jul 10 11:45:48 +0300 1995
From: Tatu Ylonen <ylo@cs.hut.fi>
To: Internet Assigned Numbers Authority <iana@isi.edu>
Subject: request for port number
Organization: Helsinki University of Technology, Finland

Dear Sir,

I have written a program to securely log from one machine into another
over an insecure network.  It provides major improvements in security
and functionality over existing telnet and rlogin protocols and
implementations.  In particular, it prevents IP, DNS and routing
spoofing.  My plan is to distribute the software freely on the
Internet and to get it into as wide use as possible.

I would like to get a registered privileged port number for the
software.  The number should preferably be in the range 1-255 so that
it can be used in the WKS field in name servers.

I'll enclose the draft RFC for the protocol below.  The software has
been in local use for several months, and is ready for publication
except for the port number.  If the port number assignment can be
arranged in time, I'd like to publish the software already this week.
I am currently using port number 22 in the beta test.  It would be
great if this number could be used (it is currently shown as
Unassigned in the lists).

The service name for the software is "ssh" (for Secure Shell).

Yours sincerely,

Tatu Ylonen <ylo@cs.hut.fi>

... followed by protocol specification for ssh-1.0

The next day, I had an e-mail from Joyce waiting in my mailbox:

Date: Mon, 10 Jul 1995 15:35:33 -0700
From: jkrey@ISI.EDU
To: ylo@cs.hut.fi
Subject: Re: request for port number
Cc: iana@ISI.EDU

Tatu,

We have assigned port number 22 to ssh, with you as the point of
contact.

Joyce

There we were! SSH port was 22!!!

On July 12, 1995, at 2:32am, I announced a final beta version to my beta testers at Helsinki University of Technology. At 5:23pm I announced ssh-1.0.0 packages to my beta testers. At 5:51pm on July 12, 1995, I sent an announcement about SSH (Secure Shell) to the cypherpunks@toad.com mailing list. I also posted it in a few newsgroups, mailing lists, and directly to selected people who had discussed related topics on the Internet.

CHANGING THE SSH PORT IN THE SERVER

By default, the SSH server still runs on port 22. However, there are occasions when it is run on a different port. Testing use is one reason. Running multiple configurations on the same host is another. Rarely, it may also be run without root privileges, in which case it must be run on a non-privileged port (i.e., port number >= 1024).

The port number can be configured by changing the Port 22 directive in /etc/ssh/sshd_config. It can also be specified using the -p <port> option to sshd. The SSH client and sftp programs also support the -p <port> option.

Reference:

https://www.ssh.com/ssh/port

WikiLeaks releases CIA manual on how to turn a Samsung TV into a secret microphone

The latest releases by WikiLeaks appear to include descriptions of CIA-developed malware that could turn Samsung TVs into recording devices.

Details about the British-made ‘Extending’ and the CIA’s ‘Weeping Angel,’ both recently stolen from the CIA, were released by WikiLeaks on Friday.

The documents outline programs that can make certain Samsung TVs into recording devices via a USB drive placed in the televisions, The Hill reported.

The audio captured by the TV’s microphone would be rerouted to the CIA.

Depending on the veracity of the documents, the initiative might have been developed jointly by Britain’s MI5, which first developed the software, and the CIA.

The British ‘Extending’ and American ‘Weeping Angel’ describe plans for turning certain Samsung TV models into recording devices.

The two tools differ in which Samsung models they are able to compromise. Samsung’s F8000 model was named in documents pertaining to ‘Weeping Angel.’

Reference:

http://www.dailymail.co.uk/news/article-4434572/Wikileaks-CIA-documents-prepares-charge-Assange.html

NSA-leaking Shadow Brokers just dumped its most damaging release yet

Friday’s release—which came as much of the computing world was planning a long weekend to observe the Easter holiday—contains close to 300 megabytes of materials the leakers said were stolen from the NSA. The contents (a convenient overview is here) included compiled binaries for exploits that targeted vulnerabilities in a long line of Windows operating systems, including Windows 8 and Windows 2012. It also included a framework dubbed Fuzzbunch, a tool that resembles the Metasploit hacking framework that loads the binaries into targeted networks. Independent security experts who reviewed the contents said it was without question the most damaging Shadow Brokers release to date.

“It is by far the most powerful cache of exploits ever released,” Matthew Hickey, a security expert and co-founder of Hacker House, told Ars. “It is very significant as it effectively puts cyber weapons in the hands of anyone who downloads it. A number of these attacks appear to be 0-day exploits which have no patch and work completely from a remote network perspective.”

One of the Windows zero-days flagged by Hickey is dubbed Eternalblue. It exploits a remote code-execution bug in the latest version of Windows 2008 R2 using the server message block and NetBT protocols. Another hacking tool known as Eternalromance contains an easy-to-use interface and “slick” code. Hickey said it exploits Windows systems over TCP ports 445 and 139. The exact cause of the bug is still being identified. Friday’s release contains several tools with the word “eternal” in their name that exploit previously unknown flaws in Windows desktops and servers.

The full list of tools documented by Hickey are:

  • ETERNALROMANCE — Remote privilege escalation (SYSTEM) exploit (Windows XP to Windows 2008 over TCP port 445)
  • ENTERNALCHAMPION, ETERNALSYSTEM — Remote exploit up to Windows 8 and 2012
  • ETERNALBLUE — Remote Exploit via SMB & NBT (Windows XP to Windows 2012)
  • EXPLODINGCAN — Remote IIS 6.0 exploit for Windows 2003
  • EWORKFRENZY — Lotus Domino 6.5.4 and 7.0.2 exploit
  • ETERNALSYNERGY — Windows 8 and Windows Server 2012
  • FUZZBUNCH — Exploit Framework (Similar to Metasploit) for the exploits.

A separate analysis by researcher Kevin Beaumont found three zerodays affecting Windows systems. They are Esteemaudit-2.1.0.exe, a Remote Desktop exploit that installs an implant on Windows Server 2003 and XP; Eternalchampion-2.0.0.exe, which also works against SMB; and the previously mentioned Eternalblue. Beaumont found four other exploits that he believes may be zerodays, including Eskimoroll-1.1.1.exe, a Kerberos attack targeting domain controllers running Windows Server 2000, 2003, 2008 and 2008 R2; Eternalromance-1.3.0.exe, Eternalromance-1.4.0.exe, an update of Eternalromance-1.3.0.exe; and Eternalsynergy-1.0.1.exe,  a remote code-execution attack against SMBv3.

With the exception of Esteemaudit, the exploits should be blocked by most firewalls. And best practices call for remote desktop connections to require use of a virtual private network, a practice that should make the Esteemaudit exploit ineffective. Microsoft also recommends that organizations disable SMBv1, unless they absolutely need to hang on to it for compatibility reasons, which may block Eternalblue. That means organizations that are following best practices are likely safe from external attacks using these exploits. There’s no indication any of the exploits work on Windows 10 and Windows Server 2016, although it’s possible the exploits could be modified to work on these operating systems.

Still, the public distribution of some of the NSA’s most prized hacking tools is sure to cause problems. In a post published by the Lawfare website, Nicholas Weaver, a security researcher at the University of California at Berkeley and the International Computer Science Institute, wrote:

Normally, dumping these kinds of documents on a Friday would reduce their impact by limiting the news cycle. But Friday is the perfect day to dump tools if your goal is to cause maximum chaos; all the script kiddies are active over the weekend, while far too many defenders are offline and enjoying the Easter holiday. I’m only being somewhat glib in suggesting that the best security measure for a Windows computer might be to just turn it off for a few days.

Besides the risk the exploit leaks pose to Windows users all over the world, they are likely to further tarnish the image of the NSA. The highly secretive agency reportedly had at least 96 days to warn Microsoft about the weaponized Windows exploits released today, according to this account from Emptywheel. It points to a January 8 Shadow Brokers leak that references some of the same exploits.

We hack banks

Friday’s dump also contains code for hacking into banks, particularly those in the Middle East. According to this analysis by Matt Suiche, a researcher and cofounder of Cloud Volumes, Jeepflea_Market is the code name for a 2013 mission that accessed EastNets, the largest SWIFT service bureau in the Middle East. EastNets provides anti-money laundering oversight and related services for SWIFT transactions in the region. Besides specific data concerning specific servers, the archive also includes reusable tools to extract the information from Oracle databases such as a list of database users and SWIFT message queries.

“This would make a lot of sense that the NSA compromise this specific SWIFT Service Bureau for Anti-money laundering (AML) reasons in order to retrieve ties with terrorists groups,” Suiche wrote. “But given the small number (74) of SWIFT Service Bureaus, and how easy it looks like to compromise them (e.g. 1 IP per Bank) — How many of those Service Bureau may have been or are currently compromised?”

Suiche also found evidence that Al Quds Bank for Development and Investment, a bank in Ramallah, Palestine, was specifically targeted.

The release also contains the software for “Oddjob”, an implant tool and backdoor for controlling hacked computers through an HTTP-based command server. Other implants have names such as Darkpulsar-1.1.0.exe, Mofconfig-1.0.0.exe, and PluginHelper.py. With the exception of minor generic detections for engines related to a “packer” that conceals Oddjob, none of the implants were detected by antivirus programs at the time this update was going live. AV companies are almost certainly in the process of pushing out updates.

The Shadow Brokers have captured the attention of the intelligence community in the US and around the world. Some of the previous weapons-grade leaks, for instance, exploited unpatched vulnerabilities in Cisco Systems firewalls. Researchers from security firm Kaspersky Lab, meanwhile, have confirmed the leaked code they analyzed bears unique signatures tied to Equation Group, Kaspersky’s name for a state-sponsored group that operated one of the most advanced hacking operations ever seen. In January, Shadow Brokers claimed it was suspending operations, after making one last inflammatory release. Friday’s dump shows the group was still holding plenty more incendiary material.

Reference:

https://arstechnica.com/security/2017/04/nsa-leaking-shadow-brokers-just-dumped-its-most-damaging-release-yet/

How to uninstall and reinstall BASH on Windows 10 – The Visual Guide

Windows 10 offers the Linux BASH shell.  We’ve all installed and broken it.  So what do we do next?  The answer is to uninstall and then reinstall it.

You’ve probably unchecked “Windows features”, rebooted several times and found that didn’t work.  So here’s how you uninstall and reinstall BASH.

Step 1 – Uninstall the BASH Shell

Open CMD – as an ADMINISTRATOR

CD C:\Windows\system32

C:\WINDOWS\system32>LxRun.exe /uninstall


Step 2 – Reinstall the BASH Shell

C:\WINDOWS\system32>LxRun.exe /install


You have to say Y to continue.

Step 3 – How to change a password on Bash

passwd

Enter the new password

Step 4 – How to update and install new packages on BASH

Download and Install the Latest Versions of BASH Installed Packages:

sudo apt-get upgrade

This will download and then install your packages – allow some time – go make a cup of coffee while it does this.

Step 5 – How to create a second user in BASH

sudo adduser uwnthesis2

Enter a new password for the user

How to fix OpenVPN randomly disconnecting on Windows 10

After the anniversary update of Windows 10, many OpenVPN users saw their clients randomly disconnecting.

The issue is that the anniversary release of Windows 10 conflicts with the TAP driver used by OpenVPN.  You’d think with the size and technical ability of Microsoft they would fix this issue with OpenVPN.


Step 1 – Change Adapter Settings

Network & sharing centre > Change Adapter Settings


Step 2 – Select the Tap Adapter (used by OpenVPN)

Right click on the Tap Adapter > Properties


Step 3 – Internet Protocol V4

Properties Button


Step 4 – Advanced Button


Step 5 – Turn off Automatic

Windows 10 defaults to “Automatic Metric”.   You do not want automatic.

You may need to calculate the correct MTU (or pack size).


https://www.sonassi.com/help/magestack/setting-correct-mtu-for-openvpn

Here’s the MTU set to 1420


Your OpenVPN interface/connection should now become stable.

Fix 2 – if the above fix fails then reinstall the TAP driver.

Search for Device Manager > Network Adapters > Tap Driver > Uninstall

 https://swupdate.openvpn.org/community/releases/tap-windows-9.9.2_3.exe

Always trust OpenVPN > Install

Phase 2 – is your DNS not stable?

The anniversary coding for Windows 10 is utter rubbish.  If the steps above fail to correct a DNS issue when using OpenVPN – here is phase 2 fix of the DNS.

The fix for this is found at:

https://support.ateamsystems.com/025247-Windows-10-OpenVPN-DNS-Issues

Windows 10 OpenVPN DNS Issues

There is a “bug” in Windows 10 where its DNS resolution uses the interface metrics assigned to it, and OpenVPN’s network interface has too high a metric to be used for DNS.

To fix it we’ll lower the metric of the OpenVPN interface so it takes priority when you are connected to the VPN.

Identify The OpenVPN Interface Name

First open your Windows 10 Settings menu via the start menu -> Settings.  Then click the “Network & Internet” tile:

From there go to the “Ethernet” tab on the left, then click “Change adapter options” under “Related Settings”.  This will open a window with all of your network adapters, similar to the below:

The next step is to locate which of these interfaces is the OpenVPN adapter: it will be the one with the words “TAP-Windows Adapter” on the third line (selected above). Make a note of the name of this adapter. In the above example it is “Local Area Connection 5”, and we’ll use that moving forward, but substitute your own interface’s name in the commands below, as it is likely different.

Open An Admin Command Prompt

Press the Windows key + X and pick “Command Prompt (Admin)”:

In the command window type in “netsh int ip show interfaces” which should present a list of all the interfaces:

The value we’re looking for is “Met” (short for “Metric”). You can see our OpenVPN connection (“Local Area Connection 5”) has a metric that is higher than or equal to those of the other network connections. We need to set this metric value to a lower number than all the other interfaces.

In this case a value of 4 will be lower than all the other interfaces, so we’ll use that. In the command window run the command netsh int ip set interface "Local Area Connection 5" metric=25, substituting the OpenVPN interface you identified in the first step:

Lastly run the “netsh int ip show interfaces” command again and confirm that the OpenVPN interface is the lowest “Met” value:

Reconnect to the VPN

Attempt to reconnect to the VPN and see if DNS resolution works
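The metric-lowering procedure above, worked through in code as an added example (not from the ateamsystems article): it parses the table that netsh int ip show interfaces prints, derives a metric strictly below every other interface instead of hard-coding one, builds the exact netsh command, and implements the final confirmation step. The table in the block is a constructed sample, not a real capture.

```python
"""Parse 'netsh int ip show interfaces' output and work out a metric for the
OpenVPN adapter that is lower than every other interface's metric, which is
what Windows 10 needs before it will use the VPN interface for DNS.

Added example; not code from the ateamsystems article or from OpenVPN.
"""
import re
from typing import List, NamedTuple

# Constructed sample output in the layout netsh prints (not a real capture).
SAMPLE_NETSH_OUTPUT = """\
Idx     Met         MTU          State                Name
---  ----------  ----------  ------------  ---------------------------
  1          75  4294967295  connected     Loopback Pseudo-Interface 1
 12          25        1500  connected     Ethernet
  7          35        1500  connected     Wi-Fi
 20          35        1500  connected     Local Area Connection 5
"""


class Interface(NamedTuple):
    idx: int
    metric: int
    mtu: int
    state: str
    name: str


# Column widths differ between systems, so split on whitespace, not offsets.
# The interface name is the last column and may itself contain spaces.
ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(.+?)\s*$")


def parse_interfaces(text: str) -> List[Interface]:
    """Return one Interface per data row; the header and '---' rows are skipped
    because they do not start with a numeric Idx."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            idx, met, mtu, state, name = m.groups()
            rows.append(Interface(int(idx), int(met), int(mtu), state, name))
    return rows


def choose_metric(interfaces: List[Interface], vpn_name: str) -> int:
    """Pick a metric strictly below every other interface's metric.

    Metrics start at 1, so if some other interface already sits at 1 there is
    no lower value to choose and the caller must raise that interface first.
    """
    others = [i.metric for i in interfaces if i.name != vpn_name]
    if not others:
        return 1
    lowest_other = min(others)
    if lowest_other <= 1:
        raise ValueError("another interface already uses metric 1; raise it first")
    return lowest_other - 1


def netsh_set_command(vpn_name: str, metric: int) -> str:
    """Build the netsh command, quoting the name because it contains spaces."""
    return f'netsh int ip set interface "{vpn_name}" metric={metric}'


def vpn_has_lowest_metric(interfaces: List[Interface], vpn_name: str) -> bool:
    """The confirmation step: after re-running 'show interfaces', the VPN
    adapter must be present exactly once and have the single lowest Met."""
    vpn = [i for i in interfaces if i.name == vpn_name]
    if len(vpn) != 1:
        return False
    return all(vpn[0].metric < i.metric for i in interfaces if i.name != vpn_name)


if __name__ == "__main__":
    name = "Local Area Connection 5"
    ifaces = parse_interfaces(SAMPLE_NETSH_OUTPUT)
    print(netsh_set_command(name, choose_metric(ifaces, name)))
```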

Reference:

https://support.ateamsystems.com/025247-Windows-10-OpenVPN-DNS-Issues

My honest advice is that if you’re within the 10 days roll back period of this anniversary update – GET RID OF IT FOR HEAVENS SAKE!!

Vault 7: Infect Apple MAC firmware – Embedded even if Operating system is reinstalled

Today, March 23rd 2017, WikiLeaks releases Vault 7 “Dark Matter”, which contains documentation for several CIA projects that infect Apple Mac firmware (meaning the infection persists even if the operating system is re-installed) developed by the CIA’s Embedded Development Branch (EDB). These documents explain the techniques used by CIA to gain ‘persistence’ on Apple Mac devices, including Macs and iPhones and demonstrate their use of EFI/UEFI and firmware malware.

Among others, these documents reveal the “Sonic Screwdriver” project which, as explained by the CIA, is a “mechanism for executing code on peripheral devices while a Mac laptop or desktop is booting” allowing an attacker to boot its attack software for example from a USB stick “even when a firmware password is enabled”. The CIA’s “Sonic Screwdriver” infector is stored on the modified firmware of an Apple Thunderbolt-to-Ethernet adapter.

“DarkSeaSkies” is “an implant that persists in the EFI firmware of an Apple MacBook Air computer” and consists of “DarkMatter”, “SeaPea” and “NightSkies”, respectively EFI, kernel-space and user-space implants.

Documents on the “Triton” MacOSX malware, its infector “Dark Mallet” and its EFI-persistent version “DerStarke” are also included in this release. While the DerStarke1.4 manual released today dates to 2013, other Vault 7 documents show that as of 2016 the CIA continues to rely on and update these systems and is working on the production of DerStarke2.0.

Also included in this release is the manual for the CIA’s “NightSkies 1.2”, a “beacon/loader/implant tool” for the Apple iPhone. Noteworthy is that NightSkies had reached 1.2 by 2008, and is expressly designed to be physically installed onto factory-fresh iPhones, i.e. the CIA has been infecting the iPhone supply chain of its targets since at least 2008.

While CIA assets are sometimes used to physically infect systems in the custody of a target it is likely that many CIA physical access attacks have infected the targeted organization’s supply chain including by interdicting mail orders and other shipments (opening, infecting, and resending) leaving the United States or otherwise.

Reference:

https://wikileaks.org/vault7/darkmatter/?cia

The internet of things: how your TV, car and toys could spy on you – Guardian

Smart as a joke has been relabeled as “Surveillance marketed as revolutionary technology”.  There is nothing smart about having a TV that records every conversation in your home, and stores the audio files.

In fact there is an argument to call the buyer “dumb” if they buy a Smart TV, that records their child in the bedroom.  You know that right?

 

Can your smart TV spy on you? Absolutely, says the US director of national intelligence. The ever-widening array of “smart” web-enabled devices pundits have dubbed the internet of things [IoT] is a welcome gift to intelligence officials and law enforcement, according to director James Clapper.

“In the future, intelligence services might use the [internet of things] for identification, surveillance, monitoring, location tracking, and targeting for recruitment, or to gain access to networks or user credentials,” Clapper told the Senate in public testimony on Tuesday.

As a category, the internet of things is useful to eavesdroppers both official and unofficial for a variety of reasons, the main one being the leakiness of the data. “[O]ne helpful feature for surveillance is that private sector IoT generally blabs a lot, routinely into some server, somewhere,” said Lee Tien, a senior staff attorney at the Electronic Frontier Foundation. “That data blabbing can be insecure in the air, or obtained from storage.”

There are a wide variety of devices that can be used to listen in, and some compound devices (like cars) that have enough hardware to form a very effective surveillance suite all by themselves. There are, of course, legitimate and tightly warranted reasons for law enforcement surveillance, and there are also companies that take hard lines against turning their users over to the government. But hardware manufacturers often default to crummy security, or don’t offer a choice, and consumers often make themselves more vulnerable than they should.

“One of my technologists has a phrase: ‘internet of other people’s things,’” Tien said. “[E]ven if you bought it, it’s not necessarily truly yours – it may need to talk to the vendor’s machines to work, handing over data about you or those around you (if it has sensors); it may have features you don’t know about or don’t know how to control or can’t control.”

Intelligence officials are not the only ones interested in cracking our hi-tech homes. Knowing when you are in and out, what you have and where you keep it is invaluable information for thieves. And just think what tales your devices could tell divorce lawyers.

Dan Kaminsky, security researcher and chief scientist of White Ops, said despite the worries the internet of things is here to stay. “There’s a lot of work to do building the secure and maintainable platforms of the future, but I think it’ll happen,” he said. “We know this technology isn’t perfect but we know the tremendous human potential it unlocks.”

What’s watching you in today’s houses:

https://www.theguardian.com/world/2016/feb/10/internet-of-things-surveillance-smart-tv-cars-toys

Password Rules Are Bullshit – CodingHorror

Have you seen the classic XKCD about passwords?

To anyone who understands information theory and security and is in an infuriating argument with someone who does not (possibly involving mixed case), I sincerely apologize.

We can certainly debate whether “correct horse battery staple” is a viable password strategy or not, but the argument here is mostly that length matters.


No, seriously, it does. I’ll go so far as to say your password is too damn short. These days, given the state of cloud computing and GPU password hash cracking, any password of 8 characters or less is perilously close to no password at all.

So then perhaps we have one rule, that passwords must not be short. A long password is much more likely to be secure than a short one … right?

And what of those nice, long passwords? Are they always secure?

aaaaaaaaaaaaaaaaaaa
0123456789012345689
passwordpassword
usernamepassword

Of course not, because have you met any users lately?

I changed all my passwords to

They consistently ruin every piece of software I’ve ever written. Yes, yes, I know you, Mr. or Ms. über-geek, know all about the concept of entropy. But expressing your love of entropy as terrible, idiosyncratic password rules …

  • must contain uppercase
  • must contain lowercase
  • must contain a number
  • must contain a special character

… is a spectacular failure of imagination in a world of Unicode and Emoji.

I also advocated checking passwords against the 100,000 most common passwords. If you look at 10 million passwords from data breaches in 2016, you’ll find the top 25 most used passwords are:

123456
123456789
qwerty
12345678
111111
1234567890
1234567
password
123123
987654321
qwertyuiop
mynoob
123321
666666
18atcskd2w
7777777
1q2w3e4r
654321
555555
3rjs1la7qe
google
1q2w3e4r5t
123qwe
zxcvbnm
1q2w3e

Even this data betrays some ASCII-centrism. The numbers are the same in any culture I suppose, but I find it hard to believe the average Chinese person will ever choose the passwords “password”, “qwertyuiop”, or “mynoob”. So this list has to be customizable, localizable.

If you examine the data, this also turns into an argument in favor of password length. Note that only 5 of the top 25 passwords are 10 characters, so if we require 10 character passwords, we’ve already reduced our exposure to the most common passwords by 80%. I saw this originally when I gathered millions and millions of leaked passwords for Discourse research, then filtered the list down to just those passwords reflecting our new minimum requirement of 10 characters or more.

It suddenly became a tiny list. (If you’ve done similar common password research, please do share your results in the comments.)

I’d like to offer the following common sense advice to my fellow developers:

1. Password rules are bullshit

  • They don’t work.
  • They heavily penalize your ideal audience, people that use real random password generators. Hey guess what, that password randomly didn’t have a number or symbol in it. I just double checked my math textbook, and yep, it’s possible. I’m pretty sure.
  • They frustrate average users, who then become uncooperative and use “creative” workarounds that make their passwords less secure.
  • They are often wrong, in the sense that the rules chosen are grossly incomplete and/or insane, per the many shaming links I’ve shared above.
  • Seriously, for the love of God, stop with this arbitrary password rule nonsense already. If you won’t take my word for it, read this 2016 NIST password rules recommendation. It’s right there, “no composition rules”. However, I do see one error, it should have said “no bullshit composition rules”.
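The advice above reduced to a checker, as an added example (not code from the Coding Horror post or from Discourse): a minimum length of 10, a common-password denylist, and no composition rules at all. It goes slightly beyond the post by also rejecting the long-but-hollow shapes it shows (a repeated block such as “aaaaaaaaaaaa” or “passwordpassword”, and a password containing the username), and it normalizes Unicode first so that Emoji and accented text are counted consistently. The denylist is a constructed sample; a real deployment would load the full 100,000-entry list.

```python
"""Password acceptance in the spirit of the post: length beats composition
rules, plus a denylist of the most common passwords.

Added example, not from the Coding Horror post or from Discourse.
"""
import unicodedata
from typing import List

MIN_LENGTH = 10

# Constructed sample denylist: a few of the top-25 entries quoted in the post
# plus the long-but-weak examples it shows. Load the real 100,000-entry
# (localized) list here in production.
COMMON_PASSWORDS = {
    "123456", "123456789", "qwerty", "12345678", "111111", "1234567890",
    "password", "qwertyuiop", "mynoob", "1q2w3e4r5t", "passwordpassword",
}


def normalize(password: str) -> str:
    """NFC-normalize so the same Emoji or accented text compares equal no
    matter how the client composed it. Length is then counted in code
    points, not bytes, so "é" is one character whether it arrived as one
    code point or as "e" plus a combining accent."""
    return unicodedata.normalize("NFC", password)


def is_repeated_block(password: str) -> bool:
    """True for strings built from one short block repeated end to end,
    e.g. 'aaaaaaaaaaaa' or 'passwordpassword': long, but little entropy."""
    n = len(password)
    for block_len in range(1, n // 2 + 1):
        if n % block_len == 0 and password[:block_len] * (n // block_len) == password:
            return True
    return False


def check_password(password: str, username: str = "") -> List[str]:
    """Return the reasons the password is rejected; an empty list means OK.

    Deliberately no composition rules: a randomly generated password with
    no digit or symbol passes, as the post argues it should.
    """
    pw = normalize(password)
    lowered = pw.casefold()
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if lowered in COMMON_PASSWORDS:
        reasons.append("appears in the common-password list")
    if is_repeated_block(lowered):
        reasons.append("is a repeated block")
    # Assumption beyond the post: a password that embeds the account name
    # ("usernamepassword") is rejected too.
    if username and username.casefold() in lowered:
        reasons.append("contains the username")
    return reasons


if __name__ == "__main__":
    for candidate in ["correct horse battery staple", "aaaaaaaaaaaaaaaaaaa",
                      "passwordpassword", "Tr0ub4d0r"]:
        print(repr(candidate), check_password(candidate) or "accepted")
```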

Reference:

https://blog.codinghorror.com/password-rules-are-bullshit/

Encryption Works – Analysis of CIA wikileaks – we need more encryption – NY Times

Encryption works.

Reference:
