
Tuesday 26 March 2024

CI/CD and secure supply chain

https://www.sigstore.dev/ (and cosign: https://github.com/sigstore/cosign)

https://in-toto.io/

(cf. Red Hat Trusted Software Supply Chain, which actually embeds those open source tools)



+ backstage.io for "platform engineering"

Thursday 5 May 2022

Generating a cookie secret


A required step for many web use cases where a cookie must be stored on the client side, for example with oauth2-proxy to set up remote authentication.



  • docker / python 

docker run -ti --rm python:3-alpine python -c 'import secrets,base64; print(base64.b64encode(base64.b64encode(secrets.token_bytes(16))).decode())'



The following solutions are from: https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/overview (v7.2.x)

  • Python

python -c 'import os,base64; print(base64.urlsafe_b64encode(os.urandom(32)).decode())'

  • Bash

dd if=/dev/urandom bs=32 count=1 2>/dev/null | base64 | tr -d -- '\n' | tr -- '+/' '-_'; echo

  • OpenSSL

openssl rand -base64 32 | tr -- '+/' '-_'

  • PowerShell

# Add System.Web assembly to session, just in case
Add-Type -AssemblyName System.Web
[Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes([System.Web.Security.Membership]::GeneratePassword(32,4))).Replace("+","-").Replace("/","_")

  • Terraform

# Valid 32 Byte Base64 URL encoding set that will decode to 24 []byte AES-192 secret
resource "random_password" "cookie_secret" {
length = 32
override_special = "-_"
}
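What all the generators above have in common is the property oauth2-proxy actually checks: the secret must decode to 16, 24 or 32 bytes, i.e. an AES-128/192/256 key. The following Python is an added example, not code from the original post or from oauth2-proxy; it reproduces the Python one-liner, shows why the docker variant's double base64 still yields a valid (24-byte) key, and validates any candidate secret the way the commands' output should be validated before it goes into a config file.

```python
import base64
import binascii
import secrets

VALID_KEY_SIZES = {16, 24, 32}  # AES-128 / AES-192 / AES-256 key lengths


def generate_cookie_secret(nbytes: int = 32) -> str:
    """Same as the Python one-liner above: nbytes of CSPRNG output, URL-safe base64."""
    if nbytes not in VALID_KEY_SIZES:
        raise ValueError(f"nbytes must be one of {sorted(VALID_KEY_SIZES)}")
    return base64.urlsafe_b64encode(secrets.token_bytes(nbytes)).decode()


def double_base64_secret() -> str:
    """What the docker one-liner above does: 16 random bytes, base64-encoded twice.
    The outer encoding yields 32 characters (no padding) that decode to 24 bytes,
    so oauth2-proxy ends up with an AES-192 key built from 16 bytes of entropy."""
    once = base64.b64encode(secrets.token_bytes(16))   # 24 characters
    return base64.b64encode(once).decode()             # 32 characters


def decoded_key_length(secret: str) -> int:
    """Length of the key derived from `secret`: the base64 decoding if the value
    is valid base64 (standard or URL-safe alphabet, padding optional), otherwise
    the raw bytes of the string itself, which oauth2-proxy also accepts."""
    std = secret.replace("-", "+").replace("_", "/")
    std += "=" * (-len(std) % 4)                 # restore stripped padding
    try:
        return len(base64.b64decode(std, validate=True))
    except binascii.Error:                       # not base64: used as raw bytes
        return len(secret.encode())


def is_valid_cookie_secret(secret: str) -> bool:
    """True when oauth2-proxy would accept `secret` as a cookie secret."""
    return decoded_key_length(secret) in VALID_KEY_SIZES


if __name__ == "__main__":
    for s in (generate_cookie_secret(), double_base64_secret()):
        print(s, decoded_key_length(s), is_valid_cookie_secret(s))
```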

Monday 2 August 2021

MVT + ADB: how to use this consensual forensics tool to analyse whether your phone has been compromised by the Pegasus/NSO discoveries. Forensics, long time no see!

Following the Pegasus revelations, I decided to play a bit with the tool provided by Amnesty International's Security Lab in July 2021.

Forensics, long time no see !


Sources : https://github.com/mvt-project/mvt

Doc : https://docs.mvt.re/en/latest/android/download_apks.html


Pretty straightforward, once you have ADB installed on your computer.


The following steps are for an Android phone and a macOS laptop.

Step 0: set your phone to "developer mode". For me, I had to go to the settings and press 7 times on the release logo.

Step 1: plug your phone in via USB, enabling USB debugging: https://developer.android.com/studio/debug/dev-options#enable

Step 2: install ADB

brew install android-platform-tools

Check that you see your device, then stop the adb server, which the following steps do not need.

adb devices
adb kill-server

Step 3: install mvt

pip3 install mvt

Step 4: run mvt over your phone

mkdir output && mvt-android download-apks --output ./output --all-checks

Thursday 18 February 2021

Password breaches

 https://cybernews.com/personal-data-leak-check/


Friday 18 January 2019

Curl : get cert and connect using it

Obtain the cert from a self-signed site (-showcerts prints the whole chain; the awk keeps only the first certificate, i.e. the server's own)

openssl s_client -showcerts -connect 75.74.58.21:443 </dev/null 2>/dev/null | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' | awk '{print} /-----END CERTIFICATE-----/{exit}' > cert.pem


Connect with the cert (curl still checks that the URL's hostname matches the certificate's CN/SAN, so connect with the site's hostname rather than its IP)

curl --cacert cert.pem https://hostname.com 
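The same two steps in Python's standard library, as an added example that is not part of the original post: fetch the leaf certificate a server presents, keep only the first PEM block of an s_client dump (what the pipeline above does), and then connect trusting only that file, with hostname checking left on exactly as curl --cacert does. The host example.test and the placeholder certificate bodies in SAMPLE_CHAIN are constructed for the demonstration.

```python
import re
import ssl
import sys
import urllib.request

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----\n?", re.S)


def first_pem_block(chain: str) -> str:
    """Keep only the leaf (first) certificate of an `openssl s_client -showcerts`
    dump; everything else in the dump (handshake details, issuer certs) is dropped."""
    m = PEM_BLOCK.search(chain)
    if m is None:
        raise ValueError("no PEM certificate found in input")
    return m.group(0)


def fetch_leaf_cert(hostname: str, port: int = 443) -> str:
    """PEM of the certificate the server presents. No verification happens here,
    since we are fetching the very thing we will pin. Passing the hostname rather
    than an IP sends SNI, so a multi-site server returns the right certificate."""
    return ssl.get_server_certificate((hostname, port))


def get_with_pinned_cert(url: str, cafile: str) -> bytes:
    """Equivalent of `curl --cacert cert.pem URL`: trust only cert.pem, and keep
    the default hostname check (a cert for another name is rejected, as in curl)."""
    ctx = ssl.create_default_context(cafile=cafile)   # check_hostname stays True
    with urllib.request.urlopen(url, context=ctx, timeout=10) as resp:
        return resp.read()


# Constructed sample of a two-certificate chain dump; real output would carry
# base64 DER between the markers instead of these placeholders.
SAMPLE_CHAIN = """\
depth=0 CN = example.test
-----BEGIN CERTIFICATE-----
LEAFCERTPLACEHOLDER
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
ISSUERCERTPLACEHOLDER
-----END CERTIFICATE-----
"""

if __name__ == "__main__":           # usage: python pin.py hostname.com
    host = sys.argv[1]
    with open("cert.pem", "w") as f:
        f.write(fetch_leaf_cert(host))
    print(get_with_pinned_cert(f"https://{host}/", "cert.pem")[:200])
```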

Thursday 18 June 2015

CVSS : Common Vulnerability Scoring System (v3) calculator

As explained in Wikipedia's CVSS article: "Common Vulnerability Scoring System (CVSS) is a free and open industry standard for assessing the severity of computer system security vulnerabilities. It is under the custodianship of the Forum of Incident Response and Security Teams (FIRST). It attempts to establish a measure of how much concern a vulnerability warrants, compared to other vulnerabilities, so efforts can be prioritized. The scores are based on a series of measurements (called metrics) based on expert assessment. The scores range from 0 to 10. Vulnerabilities with a base score in the range 7.0-10.0 are High, those in the range 4.0-6.9 are Medium, and 0-3.9 are Low."




Wednesday 29 April 2015

Security links




Tuesday 10 February 2015

while true for WPS

A while-true loop to connect as soon as someone initiates a WPS connection


wpa_cli
while : ; do sudo wpa_cli wps_pbc any ; sleep 120 ; done &
 
 
Source :
http://korben.info/intrusion-dans-un-reseau-wifi-grace-au-wps.html?utm_source=feedburner&utm_medium=email&utm_campaign=Feed:+Korben_nl+%28Korben%29

 

Thursday 15 March 2012

Security tools

Without going back over the very high likelihood that the famous Anon-OS is in fact full of trojan horses, let us note with interest the few pieces of software it ships with:
Here are some of the preinstalled apps on Anonymous-OS:
  • ParolaPass Password Generator
  • Find Host IP
  • Anonymous HOIC
  • Ddosim
  • Pyloris
  • Slowloris
  • TorsHammer
  • Sqlmap
  • Havij
  • Sql Poison
  • Admin Finder
  • John the Ripper
  • Hash Identifier
  • Tor
  • XChat IRC
  • Pidgin
  • Vidalia
  • Polipo
  • JonDo
  • i2p
  • Wireshark
  • Zenmap
  • ...

Monday 5 January 2009

Molly-guard (for ssh)

While installing sshd on my eee, Ubuntu advised me to also add "molly-guard", which I had never heard of.

Found on http://packages.ubuntu.com/fr/intrepid/molly-guard

protects machines from accidental shutdowns/reboots

The package installs a shell script that overrides the existing shutdown/reboot/halt/poweroff commands and first runs a set of scripts, which all have to exit successfully, before molly-guard invokes the real command.

One of the scripts checks for existing SSH sessions. If any of the four commands are called interactively over an SSH session, the shell script prompts you to enter the name of the host you wish to shut down. This should adequately prevent you from accidental shutdowns and reboots.

This shell script passes through the commands to the respective binaries in /sbin and should thus not get in the way if called non-interactively, or locally.