Hack-the-Planet Podcast: Episode 006

Episode 6 of our podcast (Germany only!) is finally online. For your convenience, the episode is available on YouTube as well.

This episode talks about:

Traefik: https://traefik.io/
Drive-In Briefkästen: https://twitter.com/aheil/status/1173900925318107136
Automated Konbini: https://www.forbes.com/sites/akikokatayama/2019/02/26/japan-aims-to-automate-all-convenience-stores-by-2025-with-a-new-rfid-technology/
Neue Packstationen: https://www.golem.de/news/deutsche-post-lidl-und-dhl-bauen-500-neue-packstationen-1907-142346.html
Arduino Aquarium Futter Automat: https://www.schrankmonster.de/2019/09/16/smart-arduino-fish-pond-feeder-turtlefeeder/
Louis Rossmann Macbook Repairs: https://www.youtube.com/user/rossmanngroup
Make Buch: https://www.dpunkt.de/buecher/12488/9783864903687-make%3A-elektronik.html
Icinga: www.icinga.com
SONOS Auto Bookmarker: https://github.com/bietiekay/sonos-auto-bookmarker
TOTP – Time based one-time password: https://en.wikipedia.org/wiki/Time-based_One-time_Password_algorithm
1Password: https://1password.com/
Enpass: https://www.enpass.io/
ODroid GO: https://wiki.odroid.com/odroid_go/odroid_go
ODroid Go: https://www.hardkernel.com/shop/odroid-go/

Have You Been Pwned?

Another way to figure out if your account and the corresponding account data have been leaked is https://haveibeenpwned.com/

Have I Been Pwned 

Besides the web form, a RESTful API is provided to check automatically. Right now 6,474,028,664 accounts are listed from about 340 hacked websites. A list of the breaches the data comes from is provided as well. All together, it is an easy way to check if your digital identity was recently stolen.
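The Pwned Passwords part of that API can be queried without ever sending a password or its full hash: only the first five hex characters of the SHA-1 are sent, and the client matches the remaining 35 locally. The following is an added example (not code from the page or from Have I Been Pwned); the range response is constructed inline so it runs offline, the real endpoint it mimics is https://api.pwnedpasswords.com/range/<prefix>.

```python
import hashlib

# Constructed sample of a Pwned Passwords range response: one
# "SUFFIX:COUNT" line per SHA-1 hash that shares the queried 5-char prefix.
# The first two suffixes and all counts are made up for this example; the
# last suffix is the real SHA-1 tail of the string "password".
SAMPLE_RANGE_RESPONSE = """\
1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1D72CD07550416C216D8AD296BF5C0AE8E0:10
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
"""


def sha1_prefix_suffix(password: str):
    """Split the upper-case hex SHA-1 of the password into the 5-char prefix
    that goes to the API and the 35-char suffix that stays on the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict:
    """Turn the 'SUFFIX:COUNT' lines of a range response into a dict."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, range_body: str) -> int:
    """Number of times the password appears in the range response, 0 if never.
    In a live check, range_body is the body returned for the prefix from
    sha1_prefix_suffix(); the service never sees the full hash."""
    _prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(range_body).get(suffix, 0)
```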

Collection #n

After Collection #1 it did not take long until additional sets of leaked account and password information appeared. Meanwhile there are Collection #2 to Collection #5.

All together, more than 8,000,000,000 accounts have been leaked by now. While I accept and actually expect systems to be hacked at some point – remember, it is not about the if, it is about the when – I cannot understand how actual passwords are stored.

When I designed a large multi-user system some years ago, we did not save clear text passwords in the system. We did not even transport the password from the client to the server in plain text. That said, I still try to imagine how anyone could even think of storing passwords in plaintext.

If you are interested in whether any of your passwords have been leaked, you probably should check the Identity Leak Checker service provided by the Hasso-Plattner-Institute.

HPI Password Leak Checker

I actually checked three mail addresses I usually use to sign in at various services.

Leaked Passwords #1

As this is a mail address I don't use to sign in at public services a lot, the result was not very surprising. Actually, that way I found an account to delete. For my second account this does not look as good. The mail address (and probably passwords) appear in Collections #1 to #2.

Leaked Passwords #2

The same is actually true for my third and last address, which I use for public services.

Leaked Passwords #3

While I do reset passwords from time to time, it still is worrying that so many passwords have been leaked. I probably will change some passwords of my major accounts, and I will delete some accounts I really won't use anymore – or have never used, such as a MySpace account I completely forgot about.

That way, the HPI Identity Leak Checker might also help to find forgotten accounts worth closing.

 

Enable Keychain for SSH Connections after macOS Sierra

If you are connecting a lot via SSH to remote servers, entering passphrases over and over might be a pain. As long as your hardware is secured, you might consider enabling the macOS keychain for your SSH connections as well.

Go to ~/.ssh and open or create the config file. Now just add the following entry to the file.

Host *
    UseKeychain yes

In case you want to enable the keychain only for a certain server, simply replace * with your hostname, such as foo.com.

Prior to macOS Sierra, macOS offered a dialog to enter the passphrase where you were able to select the passphrase to be remembered. For some reason, this dialog was removed. On the other hand, the keychain option was introduced with macOS 10.12.2.

WordPress Level Up – Applying Let’s Encrypt to Self-Hosted WordPress

Finally, I found some minutes to set up my website with SSL encryption. The issue here: many hosters demand a fortune for certificates.

Applying Let’s Encrypt

Let’s Encrypt is a free alternative, providing certificates accepted by most browsers.

While manually installing a certificate can be a real pain, Let’s Encrypt utilizes Certbot to do this on your behalf. Once installed, you can select the sites to protect and let Certbot do its work. There is a crisp description on the Let’s Encrypt page which explains how this actually works.

To be honest, applying an SSL certificate using this setup makes it absolutely easy for everybody – as long as you have shell access to your server. After downloading the packages – which are provided for a variety of OS and web server software – Certbot even takes care of the configuration. You can also configure the sites so that all HTTP requests are automatically forwarded to HTTPS.

Once done, the site was already available via HTTPS. Unfortunately, Chrome told me the connection is still not secure.

The help provided did not help much either.

Further investigation eventually showed that all images within posts still did not use HTTPS, even after the base URL of the site had been changed in the WordPress settings.

The links are not created on the fly – they are actually stored in the text, in the database. At least for internal resources (aka images from your own server), I expected something like relative links. To be honest, I have never looked that much at the WordPress internals.

Altering the Database

To fix this quickly, I decided to alter all insecure URLs in the database. As changing the protocol from HTTP to HTTPS changes the base URL just like changing the domain does, you can make use of the tools for that.

I found Misha Rudrastyh’s Query Generator very useful to create all SQL queries for changing the database content.

When moving WordPress websites from one domain to another, this tool is a great time saver. Just generate the queries and run them in MySQL.

In my case, I ended up with the following six statements.

UPDATE wp_options SET option_value = REPLACE(option_value, 'http://www.aheil.de', 'https://www.hack-the-planet.net') WHERE option_name = 'home' OR option_name = 'siteurl';
UPDATE wp_posts SET post_content = REPLACE(post_content, 'http://www.aheil.de', 'https://www.hack-the-planet.net');
UPDATE wp_postmeta SET meta_value = REPLACE(meta_value, 'http://www.aheil.de', 'https://www.hack-the-planet.net');
UPDATE wp_comments SET comment_content = REPLACE(comment_content, 'http://www.aheil.de', 'https://www.hack-the-planet.net');
UPDATE wp_comments SET comment_author_url = REPLACE(comment_author_url, 'http://www.aheil.de', 'https://www.hack-the-planet.net');
UPDATE wp_posts SET guid = REPLACE(guid, 'http://www.aheil.de', 'https://www.hack-the-planet.net') WHERE post_type = 'attachment';

Once done, the next request already ended up as a valid and secure HTTPS request.

Warning: Do a backup (using mysqldump) before altering your WordPress database, in case you brick it for whatever reason.
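One thing a plain SQL REPLACE() cannot handle: some wp_options and wp_postmeta rows (widget settings, theme mods) hold PHP-serialized data, where every string carries its byte length as s:<length>:"…", and swapping a 19-character URL for a 31-character one leaves a stale length that makes unserialize() fail. The following is an added example, not the page's statements or Misha Rudrastyh's tool; it performs the same replacement in Python but recomputes those lengths. The sample values are constructed.

```python
import re

OLD_URL = "http://www.aheil.de"
NEW_URL = "https://www.hack-the-planet.net"

# Start of a PHP-serialized string element: s:<byte length>:"
SERIALIZED_STR = re.compile(r's:(\d+):"')

# Constructed wp_options value as PHP would serialize array('home' => OLD_URL).
SAMPLE_OPTION = 'a:1:{s:4:"home";s:19:"http://www.aheil.de";}'


def replace_url(value: str, old: str, new: str) -> str:
    """Replace old with new in a WordPress database value.

    Text outside serialized strings is handled like SQL REPLACE(). Inside
    each s:<len>:"<text>"; element the text is replaced and the byte length
    is recomputed, so serialized values still unserialize afterwards."""
    out = []
    pos = 0
    while True:
        m = SERIALIZED_STR.search(value, pos)
        if not m:
            out.append(value[pos:].replace(old, new))
            return "".join(out)
        out.append(value[pos:m.start()].replace(old, new))
        length = int(m.group(1))
        start = m.end()
        # PHP counts bytes, not characters: take exactly that many bytes.
        tail = value[start:].encode("utf-8")
        body = tail[:length].decode("utf-8", errors="replace")
        end = start + len(body)
        if len(tail) < length or value[end:end + 2] != '";':
            # Not a well-formed serialized string: keep the match as plain text.
            out.append(value[m.start():m.end()])
            pos = m.end()
            continue
        new_body = body.replace(old, new)
        out.append('s:%d:"%s";' % (len(new_body.encode("utf-8")), new_body))
        pos = end + 2
```

Applied row by row to the tables the statements above touch, this gives the same result for plain post_content but keeps serialized option values loadable.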

tl;dr

Using certificates issued by Let’s Encrypt, you can apply them automatically with Certbot to secure your website. While doing this, I experienced some issues with WordPress as all URLs are stored as plain text in the database. With the scripts generated by Misha Rudrastyh’s Query Generator, altering the WordPress content to use HTTPS instead of HTTP is quite easy.

Fixing the GPG Crash on Yosemite

Since upgrading to Yosemite, I have had trouble running GPGMail on my Mac. When hitting the New Mail button, Mail simply crashes.

GPG New Mail

There is little I can do, and I almost gave up. The logs don’t help that much, though.

Crashed Thread:        0  Dispatch queue: com.apple.main-thread

Exception Type:        EXC_CRASH (SIGABRT)
Exception Codes:       0x0000000000000000, 0x0000000000000000

Application Specific Information:
*** Terminating app due to uncaught exception 'NSUnknownKeyException', reason: '[<HeadersEditor 0x7fb0b6584680> valueForUndefinedKey:]: this class is not key value coding-compliant for the key _composeHeaderView.'
abort() called
terminating with uncaught exception of type NSException

However, there is this single thread in the GPG support forum where someone had the exact same problem, and support pointed out there is a Yosemite beta of the GPG tools. Just in time, GPG Suite Beta 4 was released, and it works like a charm.

GPG Suite Beta 4 working

In case you are looking for the public key, pick it up here.

 

Fingerprints as Security Token

I am still wondering how people can even think of using fingerprints as security tokens. You spread them all over the place. It’s like writing down your credit card PIN wherever you go.

Therefore, fingerprints are great for identifying you, but not for authenticating yourself.

Think about it. These are two absolutely different things.

Time to Switch off SSLv3

You probably have heard of the SSL 3.0 vulnerability aka Poodle. So if you haven’t or if you have and haven’t done anything about it, it’s definitely time to switch it off.

I simply went through my browsers and turned it off, as nowadays it should not be used anymore. To check if your browser is vulnerable, just check out the Poodle Test. If it looks like below, follow the instructions to make it look different.

Poodle Test

Firefox

In Firefox you simply type in

about:config

in the address bar of the browser. In the configuration settings you now need to set the value of security.tls.version.min to 1.

Firefox TLS 1

Once done, you should be safe, I was told. However, using Firefox ESR 31.1.1, the Poodle Test above still indicates vulnerability.

However, with version 32.0.3 on Mac OS X, setting the minimum TLS version works like a charm.

Poodle Test

Internet Explorer

For IE, you should check out Microsoft Security Advisory 3009008, which gives a workaround for turning SSL 3.0 off.

Under Tools / Internet Options / Advanced, go to the Security category and uncheck Use SSL 3.0, then check Use TLS 1.0, Use TLS 1.1, and Use TLS 1.2.

IE TLS Settings

Again, this should at least give you the feeling of security.

IEEE Data Breach

A few days ago, Radu Drăgușin discovered a data leak on the IEEE servers, enabling him to download about 100,000 plain text passwords (probably mine as well).

On the one hand, it shows how critical it is to consider the security of your system, regardless of whether you are a small company or a worldwide organization such as the IEEE. On the other hand, it showed that even large organizations you would never have suspected might face such fatal security leaks.

However, Radu went ahead and (a) decided not to share the information he gained through this security leak with the public (big kudos for this decision), (b) prepared various statistics on ieeelog.com based on the information (which are indeed interesting without revealing traceable information about individuals) and (c) informed IEEE about the leak (also kudos for this). As a result you can say he was quite responsible with the data he received, and at least he followed some of the principles provided by the IEEE Computer Society Code of Ethics.

One result of his analysis is the fact that almost 300 users are using the password 123456, reminding me of Dark Helmet in Mel Brooks’ epic Star Wars parody Spaceballs saying

“So the combination is… one, two, three, four, five? That’s the stupidest combination I’ve ever heard in my life! That’s the kind of thing an idiot would have on his luggage!”

As a result, I went straight to my IEEE account and changed the password. Luckily, it was a password not used for any other site besides the IEEE. That said, if you have an IEEE account, it probably is a good idea to go there directly and change yours as well, if not already done.

Most used IEEE passwords

And Radu, whenever you read this post, if you have the chance, please have a look into the log files and let me know if the user aheil is listed there as well.

DropBox with TrueCrypt on Lion and Windows

After receiving my new MacBook, I wanted to sync a whole set of files between both systems. For convenience, I decided to use DropBox instead of a thumb drive, and for security reasons, I decided to use TrueCrypt to encrypt some of my confidential data within the DropBox folders.

Using a TrueCrypt container within DropBox is quite convenient as I am syncing my DropBox folders with various machines (e.g. at work). However, I do not want to access these files there, nor do I want an admin to check out my “oooh so secret” files (not saying they would, though).

DropBox with TrueCrypt on Lion and Windows

With my rusty Mac OS kung-fu, I had to install TrueCrypt first. Of course, this failed and, being the first app I installed on Lion, this was somewhat demotivating. Beforehand, you have to install a version of MacFUSE. It seems that the official version is not up to date; however, there are rumors you might use the latest version provided at Tuxera.com.

Once MacFUSE and TrueCrypt are set up and the machine is rebooted, create a TrueCrypt container within DropBox. When creating it on OS X Lion, you might want to choose FAT for the container’s file system so you can mount it on the Windows system as well. However, any change within this container will synchronize the container as a whole. As this is not very efficient if it is a 256 MB file, it seems that one can turn off the timestamp preservation of the TrueCrypt container to avoid syncing it as a whole. This prevents the whole container from being synced after files within the container are changed; the files themselves are still updated. To turn it off, open TrueCrypt and select Settings / Preferences…, choose the Security tab and uncheck the Preserve modification timestamp of file container checkbox.

TrueCrypt Settings on OS X Lion

Of course, the same has to be done on your Windows system.

TrueCrypt Settings on Windows 7

Once both settings are applied, only the initial sync of the container will take some time. Thereafter, only the files within the container are updated. For me this seems to be a quite good solution to keep my boxes in sync and to avoid rubbernecks snooping through my private stuff. The setup is done quite easily; only the hassle with MacFUSE was quite annoying.