Blog Defacement

While I have now been hosting this blog for nearly 9 years - without any incident - problems tend to happen sooner or later. A lot of hassle and problems have been reduced due to the WordPress Auto Update system - so to update WordPress itself, as well as its plugins - and it works great. However, WordPress introduced - and enabled by default - a REST API - which has a great deal of security problems. And without me always checking each installed version - well, I did not know that... The REST API problems should be fixed by now, but - that came a bit too late for my blog. Nonetheless, I would recommend going to Jetpack -> Settings and disabling JSON API - especially if you're not using it... I learned it the hard way ^^'..

PS: If you disable it, WordPress.com won't be able to talk to your website anymore so... You're gonna have a bad time, if you need that :/. You'll need to decide for yourself...

Regards

Keybase.io got a new Client - and it is awesome!

Finally, Keybase.io got a new Client and it is looking gorgeous: https://keybase.io/.

They added a graphical client to the CLI and included a Chat, as well as the File transfer and Search options. So now, Keybase.io got easier to use than ever before - and the best thing: A mobile client is soon(tm ;)) to be released.

Actually I missed the release of the client and would not have stumbled upon it, if it weren't for johanbove, who sent me an encrypted message via the client - and Keybase let me know via email that I got something encrypted waiting for me ;).

Seems like Johan read my last post about Keybase.io and decided to drop me an encrypted message - and as you see, that's the real power of Keybase: You just got to know someone's Github/Twitter/Website/WhatEver Account Name - and you can drop her/him an encrypted message, file or chat. And that is in fact the point where Keybase.io shines above the regular PGP solutions - it is PGP for the social web :).

So - cheers Johan, thanks for the message - and lots of fun for the rest of you, maybe we connect on Keybase.io - I won't give you my page now - I trust you'll find me very easily ;)!

[Raspberry Pi] Warning - Kernel 4.4.38 breaks boot on RPi 1 & 2

About 14 days ago, RPi Kernel Version 4.4.38 was published. However, something went very wrong somewhere: Raspberry Pi Models 1 and 2 do not boot anymore. As a quickfix I would recommend downloading the 4.4.37 Kernel from the Github Repo (https://github.com/raspberrypi/firmware/) and replacing the boot Partition on your RPi 1 or 2 SDCard with the /boot path from the 4.4.37 ZIP file - and it should boot again.
If your RPi is still working - do not update your kernel until this problem is solved! (Issue on Github).

EDIT: Reason for the issue was mostly the open device_tree= configuration in the config.txt. Removing this option solved the problem.

Telekom blocking SMTP Servers without asking Users

Sometimes, you see things you just want to refuse to believe.
While it is true that most problems and quirks of software or hardware are due to really profound reasons and can be fixed quickly, sometimes you just cannot find them easily, if something unexpected happened - something which you never even thought of or you just found to be impossible.
My gamechanger - for the WORST - has been Telekom, which I happily would like to propose for the next BigBrother Award:
To cut a long story short: A friend of mine did order a Webhosting Account at all-inkl.com - and this did work without any problem.
I did configure some Domain Redirection, Mail Accounts, included them to the Android Phone of that friend - everything was working just fine.
However, as soon as the person arrived at home, Mail did not work anymore on the phone.
After trying to track down the problem for far too long, I did call the (very nice) support and got some immediate help:
"Are you using a Telekom Line?" - well... Yeah? - "Oh.. Well, they include SMTP Whitelists in the new routers, to stop spammers and we are not on this whitelist... So you can receive but not send mail..." - WAIT. WHAT?!
A quick check on the WIFI Symbol, IP Range of the Phone and a Network IP DOT 1 in the friendly browser later - "Speedport W724v - What can I do for you?" - Well, [D|F|S][a-z][a-z][a-z]!
Turns out, the new W724V, Entry 2 and Hybrid Home Routers of the Telekom "feature" an SMTP Server WHITELIST. So if you try to use your nice myname.de SMTP Server - nop'! You have to include your own Servers to that list, otherwise connection will be blocked - regardless if you try to communicate via Port 25 or 587 via SSL or encrypted formats. Really, hot, bad, nasty stuff.
One could mention that fighting spammers is a good idea, but this approach is as china-like as it is 1984.
So, kudos Telekom - you just made it impossible for "non-IT people" to use their own not Telekom et al. hosted SMTP service!
More can be found on this German site: http://all-inkl.com/wichtig/anleitungen/programme/e-mail/speedport-w724v-hybrid/liste-der-sicheren-e-mail-server_399.html

Removing Windows 10 Diagnostics from Windows 7/8/8.1

Windows 10 "Security?": We got opt-out-only-all-included-private-Wifi-Password-Sharing with all your Facebook Friends, access to all data, addressbooks, emails, voice and video as well as the possibility to shutdown hardware you attached to your PC - if MS does not like it. Quite some people from the Facebook and Computerbild Front already upgraded to the new Windows 10 - "don't get left behind and get your upgrade" - well... it sounds more like a really evil episode of Dr. Who and the Cyberman to me. Ugh.

To get to the point: Microsoft did backport some of its Windows 10 telemetry magic to Windows 7/8/8.1 and installed it unasked as updates. So your data can enjoy its "freedom" even without you upgrading to Windows 10.

Sweet.

TL;DR - Microsoft did backport Windows 10 telemetry to Windows 7/8/8.1. Xvitaly on Github made a nice cmd file, just download it and execute it to remove all the bad updates and Windows 10 Ads. Restart. After that, check the Windows Update Section and disable the Updates in Question. Otherwise, you will install these again on your next Update.
Link: https://gist.github.com/xvitaly/eafa75ed2cb79b3bd4e9

[Security Spotlight] Upgrade OpenSSL to 1.0.1g - Heartbleed Bug - Urgent!

So, that's no joke: OpenSSL broke badly!
Here is the background: http://heartbleed.com/

And as there is no zero-hour-fix for Ubuntu (including 12.04 LTS...), I decided to take chances and overwrite my existing OpenSSL 1.0.1 with the new code. It worked out flawlessly - but your system could *REALLY* break. That's as dirty as it possibly could get!


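# Download and unpack the 1.0.1g source
wget https://www.openssl.org/source/openssl-1.0.1g.tar.gz
tar -xvzf openssl-1.0.1g.tar.gz
cd openssl-1.0.1g/
# Configure to install over the system copy in /usr
./config --prefix=/usr
# Build and test as a normal user; only the install step needs root
make
make test
sudo make install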
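
A source build with --prefix=/usr does not necessarily replace the shared libssl that running daemons load, and a daemon keeps its old copy mapped until it is restarted. The check below is an added example, not part of the original post: it lists which libssl file each process maps and classifies the embedded version string against the Heartbleed range. The function names are hypothetical, and the optional argument (an alternative /proc root) is an assumption made so it can be run against test data.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.

# Classify an OpenSSL version string, e.g. "OpenSSL 1.0.1f 6 Jan 2014".
# Heartbleed affects 1.0.1 through 1.0.1f and 1.0.2-beta1; 1.0.1g is fixed.
# Distro packages may backport the fix without changing this string, so
# "affected" on a packaged library means: check the package changelog.
heartbleed_range() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9a-z.-]*\).*/\1/p')
    case "$ver" in
        1.0.1|1.0.1[a-f]|1.0.2-beta1) echo affected ;;
        "")                           echo unknown ;;
        *)                            echo not-affected ;;
    esac
}

# Print the first version string embedded in a libssl/libcrypto file.
lib_version() {
    grep -a -o 'OpenSSL [0-9][0-9a-z.-]*' "$1" 2>/dev/null | head -n 1
}

# List "pid path state" for every process that maps a libssl file.
# state is "stale" when the mapped file was replaced or removed on disk.
mapped_libssl() {
    root=${1:-/proc}
    for maps in "$root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        pid=${maps%/maps}; pid=${pid##*/}
        awk -v pid="$pid" '$6 ~ /libssl/ {
            print pid, $6, ($7 == "(deleted)" ? "stale" : "current")
        }' "$maps" 2>/dev/null | sort -u
    done
}

# One line per process and library: pid, path, verdict.
heartbleed_report() {
    mapped_libssl "$1" | while read -r pid lib state; do
        if [ "$state" = stale ]; then
            verdict=restart-needed
        else
            verdict=$(heartbleed_range "$(lib_version "$lib")")
        fi
        echo "$pid $lib $verdict"
    done
}
```

Call heartbleed_report as root to cover every process; a restart-needed line means that process still holds the replaced library in memory.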

[Security] BetterCrypto.org - Applied Crypto Hardening

So, now something a little bit more personal: We all know about the problems in our modern world: NSA, espionage, data stealing / selling, and such. We all use computer systems on a daily basis and we know about the importance of cryptography. BUT: We don't really all have a master's degree in computer crypto or such. We all do things in a "well, should be quite right"-way. Because, well - we have a life and a lot of stuff to do. We can't really tell apart which cipher to use and such. But now - we don't need to - anymore. Please visit https://bettercrypto.org/ and read their paper. It has excellent "Copy 'n Paste" configuration commands for your Apache, Postfix, Mail, etc, etc!

Let's make the world a better and more secure place. For us and all our users!

Thanks :)!