archiveren

internet

Quick version to improve client-side browser behaviour… (client-side best effort, so nothing is enforced…)

  • remove asp info
  • enforce https
  • specify thumbprint of known expected certificates and intermediate, and root for website
  • whitelist content security sources
  • set x-frame, aka preventing your site can be used in an iframe
  • enable xss protection
  • disable content type niffing

Add the following to your website’s web.config
(yes, web.config needs that ‘"’ around the thumbprints…)


 <httpProtocol>
  <customHeaders>
   <remove name="X-Powered-By" />
   <add name="Strict-Transport-Security" value="max-age=31536000" />
   <add name="Public-Key-Pins" value="pin-sha256=&quot;thumbprintofcertificate1&quot;; pin-sha256=&quot;thumbprintofcertificate2-intermediate&quot;; pin-sha256=&quot;thumbprintofcertificate3-rootcert&quot;; max-age=31536000" />
   <add name="Content-Security-Policy" value="default-src https: data: 'unsafe-inline' 'unsafe-eval'" />
   <add name="X-Frame-Options" value="DENY" />
   <add name="X-Xss-Protection" value="1; mode=block" />
   <add name="X-Content-Type-Options" value="nosniff" />
   </customHeaders>
  </httpProtocol>
 

Long version: https://scotthelme.co.uk/hardening-your-http-response-headers/

Check via https://securityheaders.io/?q=https%3A%2F%2Fhome.mendelonline.be&hide=on

 

 

Get yourself a cheap cloud host running Windows Server.
Add ssl based SSTP vpn
Add ssl based Remote Desktop Gateway.
Put let’s encrypt on all of it.

For quick access to blocked url’s, put a glype php proxy somewhere (maybe on that same iis)

 

My current setup, a host in azure running vpn and rdp-gateway, mostely connecting to rdpgateway on home server connecting to vm-guest… You know… RDP-ception!

Now you can go everywhere!

 

My Vaio died…
For all the ones that will be pointing “hahahahaha, told you so”: whatever =)
In the end, it was the Samsung SSD inside that died…

Anyway, needed to reinstall my laptop. Quick list of essential tools!

And since the sudden disappearance of wallbase -> http://alpha.wallhaven.cc/ for a new wallpaper! 🙂

desktopAnd for the first time I didn’t make my account localadmin 🙂 Let’s see how that turns out 🙂

http://www.hdkn.net/ is pretty awesome for a headless torrent client! It even has a native PowerShell module! But it doesn’t implement everything you want. (runs only in x86 shell, no magnets support, …)

Here a quick (and very dirty) PoSh snippet to add magnets to the download engine using its REST API… (don’t judge me on code quality!)

Accesstoken is the “api key” from the upper right corner, id is whatever you want it to be, and the convertto-json can probably be used as well.. But it was late, and this works :-).


$accesstoken="111111-11111111-11111"
$url="http://host.ext:port/jsonrpc"
while($magnet = read-host "gimme magnets")
{
$body = @"
{"id":74,"jsonrpc":"2.0","method":"torrents.addUrl","params":["$magnet",{"name":"","savePath":"E:\\ServerFolders\\Linuxes"}]}
"@
Invoke-RestMethod -Method Post -Uri $url -Header @{ "Authorization" = "Token $accesstoken" } -Body $body -ContentType "application/json"
}
$body = @"
{"id":1,"jsonrpc":"2.0","method":"torrents.getAll","params":[]}
"@
$res=Invoke-RestMethod -Method Post -Uri $url -Header @{ "Authorization" = "Token $accesstoken" } -Body $body -ContentType "application/json"
$res.result |ft

WP_20141026_18_16_40_Pro WP_20141026_18_16_33_Pro

 

 

 

 

 

 

 

 

 

 

My first time TechEd and it was awesome!
Much more heavy that anticipated: went to sessions everyday from 8.30 ‘till 18.15 sucking up all available knowledge!
Talked to a bunch of interesting people, tried to learn as much as possible, saw cool demo’s and was impressed by the huuuge amount of people there!

 

Things to remember!

REST

Further, I saw Mimikatz come by like 10 times, got the colours of ProcessExplorer explained to me for 3 times, learned how to set a filter in ProcessMonitor 2 times…

Had great fun with speakers @samilaiho and @andymalone

Got back with cool presents from @tycotic and @tintri_emea

Sometimes, you just want to store files in the cloud. This because you want your data to be available everywhere. Or you want a offsite backup. Or you want to share it with someone.

Anyway, you have to put it SOMEWHERE.
And preferable, somewhere secure, and not to expensive.

Now, you have the classic hosting providers. Providing you with an http/ftp capable webspace.But, as always, that’s a bit expensive…storage_azurestorage_googlestorage_amazon

When you start looking around, for backup, archive or file hosting services, you stumble upon the classic tools like dropbox, skydrive, backblaze, crashplan, …

But, in my case, that’s also not something I’m looking for.
I just want to mount a “cloud-drive” via a webservice, ftp or webdav. It can even has it own tool, as long as the actual files stay in the cloud…

So, into “the big three”: Amazon S3, Google Cloud Storage and Windows Azure Storage blobs… Pricing is on the right of this blogpost.

Still… They’re like 5-10€/month for 100GB… That’s 100€ per year.
With 100€ you can buy yourself a 1000GB hard disk, and put it on your desk and revproxy the thing?
Even with the electricity cost you’re not going to hit that 100€ limit…

Or buy a new hard drive each year, and put the old one somewhere safe! At a friend’s house, in your basement, you can even bury it in your garden ^^

I was considering getting an Azure subscription, now not any more 🙂

Another story standing since November 2012 (lol 😀 ).
The only thing that has changed: ARR (read on) is now officially supported by Microsoft!
They’re even almost/perhaps/maybe/theoretical/optional considering it as a successor for TMG2010 😛

Anyway, this post is not entirely correct. What we were trying to do was reverse proxy to an sub-directory. That didn’t work…
But  you can get some feeling with the possibilities of IIS’s ARR .

3 days later, but I solved this terrible situation…

The story

Our current website http://www.smartsys.be runs on an asp-powered cms called “umbraco” (url).
So, that makes it needs IIS and MS SQL accordingly…

Second part of the story: we want to introduce a blog with our success stories!
Number one blog software of our choice: wordpress (ofcourse 🙂 )

But, as we all know, wordpress runs on php and not asp, and an accompanying database…

The options:

  1. install php/fastcgi on IIS, mess around with it’s config, use ms sql as backend db, and run everything in IIS…
  2. use apache for both reverse proxying and serving the wordpress pages
  3. let IIS serve our umbraco web pages and set it up as reverse proxy for apache!

So, in the end, we tried only both last options.
I didn’t actually want to try and install php in IIS and maybe mess up our actual web service…

The result

Apache as reverse proxy didn’t end very well…
Actually, it didn’t work at all…
No idea why, didn’t put much effort in it…

On the other hand, IIS as reverse proxy wasn’t easy as well…
It took almost 3 days to figure out what went wrong, how to avoid it from happening, and in the end: how to solve it!
note: not 3 full days, but “some time during 3 days” ^^

How!

So, a little how-to:

First of all, you need IIS, just enable the feature on your Windows or Windows Server.
Secondly, you need “Application Request Routing“. You can download and install this without taking down your website.
This module is officially supported by Microsoft!

So, when both are installed, you can start configuring…

Enable ARR for your site : select your server in IIS Manager, open Application Request Routing under IIS options, choose “Server Proxy Settings” from the actions tab, and mark “enable” and press apply.

Secondly, we can start reverse proxying!

Select your site, in our example the “default web site”, and open the “url rewrite” module.
Here is where the magic should happen!

You can easily add a new rule clicking “add rule(s)”. And in our case, we’re choosing for “reverse proxy”.

Next, choose the path for your destination server, in our case being “http://localhost:8080/test/&#8221; .
Also, in the case for wordpress (very important): enable outbound rules, these are the rewrite rules…

One of the main issues want took so long to understand was a redirection issue: wordpress itself tries to redirect your to its config page, and IIS trying to rewrite the request to the wordpress folder. Resulting in endless 301 redirections… So, watch out here!
At first, I believed I could fix it by changing the config in wordpress. And I took to long to try to fix it that way. In the end (and what we’re doing in this manual) letting IIS handle all this reverse proxy work does the job…

So after adding this rule, we need to correct it somehow.
The default settings are not really good enough (maybe in your case it is!)

So, let’s have a look at the Inbound rule. Just open it.
I’m going to change the “pattern” IIS filters on from “(.*)” to “^test/(.*)” . This makes only requests for “blog.smartsys.be/test/” to be accepted.

Secondly, you have to add {R:1} to the end of the “rewrite url”. Otherwise things as http://blog.smartsys.be/test/wordpress/wp-admin/index.php would never work. It’s just the argument from the initial request that’s forwarded to the rewritten url…

That’s it, apply and close, next we’ll have a look to the outbound rule.

So, the big problem with wordpress is something with redirection. So, in the end, I made it undectectable for wordpress it’s being reverse proxied. So, in wordpress its point of view, it’s just running on localhost:8080 .

This implies we need to rewrite localhost:8080 to something external available, in our case “blog.smartsys.be”…
This is where the “outbound rule” comes in!

I just modified some parts of the default configuration the “add reverse proxy” wizard from before created.

At first: match all content!
The pattern should be” ^http(s)?://localhost:8080/(.*)”
And action value becomes: “http://blog.smartsys.be/{R:2}”

So, I hope you don’t spend any time on trying to let wordpress fix it (because it won’t), just let IIS do all the work!

The interwebz is a complex wasteland.
Almost every websites requires a login. And I don’t want to use the same password everywhere!
I have some categories in my “default” passwords, the simple password (19bit) for the “one-time-use” websites , the more complex ones (still only max 65 bit) for the “special sites” like facebook, google, of my hr department…  Actually, my “toughest” password (my cronos admin password) only reaches 87 bits…

lotsofaccounts

only a couple of my accounts…

Anyway, when you’re on the internet for a couple of years, you gather some accounts.

Lots of them

LOTS OF THEM……

And in the beginning, it was fun.
You only have 1 computer, you only use 1 browser, you just store everything in there.

But then something new shows up.
You start experimenting with Firefox.
And you buy a laptop.
And you have a network profile at school, or at work.
Or you’re on a holiday and you need to login on your webmail.

You need something to sync all your information, and to make it all available wherever you are.
Same for bookmarks, but that’s another story…

The last couple of years I always made use of random sync tools. At first, the sync-tools from Mozillaphoto.jpg itself, later on some other 3th party tools, but the last tool I got stuck with was xmarks. But last year it was bought by lastpass. So all my passwords were suddenly in their hands…
I’m not sure I like that…

But I kept using it, because it comes in damn handy!
All your password perfectly in sync between devices, nice plugin’s for every browser, and even a nice web interface!

But, still, you trust your password with someone else…

Anyway, this week I started doing some consultancy (read, they’re teaching me) for another Cronos Group Company working on InfoSec (another blogpost about this will follow!). And the first thing that 6556_3b90_500happened when firing up my laptop in front of these guys, was firefox opening, and lastpass popping up…

fuck

10 seconds later, my new boss mentioned something like “goe bezig”, roughly translated to “nice going”

Anyway, today I present you: THE SOLUTION

You’re own sync tool build around keepass!

I’ve been using keepass as long as I can remember. It contains all my secrets, my passwords, my configs, my life. But I always used it off-line. I open it, copy paste something, close it and erase my clipboard.
Actually, it never occurred to me you can use it otherwise!

Until today, on my first hit on google: “keepass firefox” 😛

After trying out some random extensions, I kept using PassIFox. And it works! And it works gooood!

Just install the plugin for Firefox, you also need a plugin for lastpass (to enable an http web service), and you’re good to go! Uninstall lastpass, throw away all other 3th party related crap you don’t want to be associated with your passwords!
From now on, you only have 1 place you store your passwords in: your own aes-256 encrypted keepass db!

The really interested reader now wants to shout “you’re not syncing anything between computers!”.
But, then I would answer “you’re to soon with your remark” 😛

Put all of the above in a skydrive/dropbox/owncloud/anything, and you can run around using your passwords everywhere!

Jej!

————–

Some remarks on passifox: browse to any website with a login field, rmb -> fill user & pass. This is the ony known interface to the firefox plugin! Use this to setup the initial connect with lastpass (connect will appear).

Some remarks on the entire process: I always trusted sites like lastpass. I don’t know exactly why. But when you work for a InfoSec company, you can’t risk anything. Right? 🙂
Maybe it was of laziness, because lastpass just works that handy 😛 But in the end, so does passifox! So please, when you read this, thing twice about who you trust with what!

Remark on skydrive/dropbox/owncloud: even Microsoft’s skydrive can, in the end, leak information. Or I can forget to log off somewhere. Forget to logoff from any live-enable website and someone can have access to these files as well. Even when you run owncloud, your provider can be the target of an attack (happened in the Netherlands last week…). But hey, the only thing these “21the century burglars” can download, is an aes encrypted file! Good luck with that 🙂
Hell, with this setup you can even put an hidden truecrypt container in skydrive containing a portable firefox and keepass… But only, who’s that paranoid? 😛

AD FS, STS, SSO, Claims, Realms, Tokens, SAML, WS-Federation, WS-Security, … All these fuzzy terms that where thrown at my last month…

The project was to implement AD FS (see title) in our environment.
The single and only purpose of AD FS is to create a “single sign on experience” between applications. Sign on on any website, and you can visit all other websites with that same account! (Only trusted websites that is, ofc…)
There are claims providers for Exchange OWA, Sharepoint. You can use it native in custom and cross-platform applications, on Microsoft Azure and in our case Office 365.
And because it’s based on an open standard, you don’t have to use .net, but you can use Java (jeej) as well! Or even php -> http://code.google.com/p/simplesamlphp/.
As long as your application is compatible with saml, you’re good to go!

So, all mentioned abbreviations also have a meaning! And if you want to know what it means and what their purpose is, read this article on msdn!

A more “conceptual” article you can read: A Guide to Claims-Based Identity and Access Control (2nd Edition)
Especially the part about “the airport” explains a lot 😛

Some more “academic” OASIS articles on WS-Trust and WS-Federation

And if you want to know more about WSDL, just read wikipedia 🙂