It’s Dangerous: Python crypto library for signing data before sending through untrusted environments


“Various helpers to pass data to untrusted environments and to get it back safe and sound.”

From the website:

Example Use Cases

  • You can serialize and sign a user ID for unsubscribing of newsletters into URLs.
    This way you don’t need to generate one-time tokens and store them in the database.
    Same thing with any kind of activation link for accounts and similar things.
  • Signed objects can be stored in cookies or other untrusted sources which means you don’t need to have sessions stored on the server,
    which reduces the number of necessary database queries.
  • Signed information can safely do a roundtrip between server and client in general which makes them useful for passing server-side state
    to a client and then back.
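The first use case above (a signed, expiring user ID in an unsubscribe link instead of a stored one-time token) comes down to an HMAC over the serialized value plus a timestamp, encoded URL-safe. The following is an added example that shows that mechanism with only the Python standard library; it is not the library's own code (itsdangerous packages the same idea in classes such as URLSafeTimedSerializer), and the secret key, salt and payload are constructed for the example.

```python
"""Signed, expiring tokens in the style of itsdangerous, using only the stdlib.

Token layout: base64url(json payload) "." base64url(timestamp) "." base64url(HMAC)
"""
import base64
import hashlib
import hmac
import json
import time

SECRET_KEY = b"constructed-secret-key-for-the-example"  # constructed; real keys come from config, not source
SALT = b"newsletter-unsubscribe"  # namespaces tokens so one signed for another purpose is rejected


class BadSignature(Exception):
    """The token was altered, truncated, or signed with a different key or salt."""


class SignatureExpired(BadSignature):
    """The signature is valid but the token is older than max_age."""


def _b64encode(data: bytes) -> str:
    # URL-safe alphabet with padding stripped, so the token can sit in a link.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _derive_key(secret_key: bytes, salt: bytes) -> bytes:
    # A per-purpose key from the master secret keeps tokens for different purposes from interchanging.
    return hmac.new(secret_key, salt, hashlib.sha256).digest()


def sign(payload, secret_key=SECRET_KEY, salt=SALT, now=None) -> str:
    """Serialize payload, stamp it with the current time and append an HMAC-SHA256 tag."""
    ts = int(time.time() if now is None else now)
    body = _b64encode(json.dumps(payload, separators=(",", ":")).encode()) + "." + _b64encode(ts.to_bytes(8, "big"))
    mac = hmac.new(_derive_key(secret_key, salt), body.encode(), hashlib.sha256).digest()
    return body + "." + _b64encode(mac)


def unsign(token: str, max_age=None, secret_key=SECRET_KEY, salt=SALT, now=None):
    """Verify the tag before trusting anything else in the token, then enforce max_age."""
    try:
        data_part, ts_part, sig_part = token.split(".")
    except ValueError:
        raise BadSignature("malformed token")
    body = data_part + "." + ts_part
    expected = hmac.new(_derive_key(secret_key, salt), body.encode(), hashlib.sha256).digest()
    # Constant-time comparison so a forger learns nothing from how long the check takes.
    if not hmac.compare_digest(expected, _b64decode(sig_part)):
        raise BadSignature("signature does not match")
    ts = int.from_bytes(_b64decode(ts_part), "big")
    if max_age is not None:
        age = int(time.time() if now is None else now) - ts
        if age > max_age:
            raise SignatureExpired(f"token is {age}s old, limit is {max_age}s")
    return json.loads(_b64decode(data_part))


def unsubscribe_link(user_id: int, base_url="https://example.invalid/unsubscribe") -> str:
    """Build the kind of link the use case describes; example.invalid is a placeholder host."""
    return base_url + "?t=" + sign({"user_id": user_id, "action": "unsubscribe"})


if __name__ == "__main__":
    link = unsubscribe_link(42)
    print(link)
    print(unsign(link.split("t=")[1], max_age=7 * 24 * 3600))
```

The server keeps nothing per token: the payload travels in the link and the HMAC proves it was issued by a holder of the key. Anything that changes the user ID, the timestamp or the tag fails verification, and `max_age` bounds how long an old link keeps working.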

SQRL: (Secure Quick Reliable Login): Proposed new web login & authentication system

SQRL An Illustrated Guide

I came across SQRL from listening to the Security Now podcast on the TWIT podcast network. When I heard about it, I immediately thought, “I want that!” I’m not sure if it will eventually catch on or not, but there are aspects to SQRL that I find appealing.

You can find details about the proposed SQRL authentication spec on the creator’s page or in the podcast where he announced it.

I recently came across an illustrated guide to SQRL that might help with understanding some of the more gnarly bits.

From the SQRL page on GRC.com:

Wishing to login to an online service where an “SQRL” code appears nearby:

  • The user can tap or click directly on the SQRL code to login,
  • or launch their smartphone’s SQRL app, and scan the QR code.
  • For verification, SQRL displays the domain name contained in the SQRL code.
  • After verifying the domain, the user permits the SQRL app to authenticate their identity.
  • Leaving the login information blank, the user clicks the “Log in” button… and is logged in.

Behind the scenes:

The website’s login presents a QR code containing the URL of its authentication service, plus a nonce. The user’s smartphone signs the login URL
using a private key derived from its master secret and the URL’s domain name. The smartphone sends the matching public key to identify the user,
and the signature to authenticate it.

Yeah. So the quotes above are probably not adequately explaining why I’m excited by the possibilities of SQRL. It seems like a simpler way to login, and I like that it doesn’t require you to trust a third party. Clicky the links or listen to the podcast to learn more.

Doozer: consistent distributed data store written in Go


This looks interesting. At work we use a VIP to control which machines are in the live group and which are in the dark (standby) group. We used to use DNS, but the propagation delay caused issues, especially if we needed to roll back a change.

From the Doozer Github Repo:

Doozer is a highly-available, completely consistent store for small amounts of extremely important data. When the data changes, it can notify
connected clients immediately (no polling), making it ideal for infrequently-updated data for which clients want real-time updates. Doozer is good
for name service, database master elections, and configuration data shared between several machines.


Repsheet: Local reputation engine for your site implemented as Apache module that stores its data in Redis

From the Repsheet Github repo:

Repsheet is a collection of tools to help improve awareness of robots and bad actors visiting your web applications. It is primarily an Apache web
server module with a couple of addons that help organize and aggregate the data that it collects.

Repsheet attempts to solve the problem of automated defenses against robots and noisy attackers. It collects and records activity of the IP
addresses that access your web sites and helps determine if they are misbehaving. If they are, they are put on the Repsheet. Once there, you can
choose to outright deny them access to your site or warn your downstream applications that the requestor is a known bad actor and that the request
should be handled differently. Essentially, it is a local reputation engine.
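The paragraph above describes the core loop of a local reputation engine: record each IP's activity, decide whether it is misbehaving, list it, and then either deny it or flag the request for downstream applications. The following is an added in-memory sketch of that loop in Python, not Repsheet's own code (Repsheet is an Apache module backed by Redis); the thresholds, header names and access-log lines are all constructed for the example.

```python
"""In-memory IP reputation engine in the spirit of Repsheet (added example, not the project's code)."""
from collections import defaultdict, deque

WINDOW_SECONDS = 60     # sliding window over which an IP's activity is judged
REQUEST_THRESHOLD = 20  # requests per window before an IP is listed (constructed value)
ERROR_THRESHOLD = 5     # 4xx responses per window, e.g. a client hunting for files that do not exist


class Repsheet:
    def __init__(self, mode="warn"):
        self.mode = mode                  # "warn" tags the request for downstream apps, "deny" blocks it
        self.hits = defaultdict(deque)    # ip -> deque of (timestamp, status) inside the window
        self.listed = {}                  # ip -> reason it was put on the sheet
        self.whitelist = set()            # ips that are never listed (monitoring hosts, load balancers)

    def _prune(self, ip, now):
        q = self.hits[ip]
        while q and now - q[0][0] > WINDOW_SECONDS:
            q.popleft()

    def record(self, ip, now, status):
        """Record one request and re-evaluate the IP against the thresholds."""
        if ip in self.whitelist:
            return
        q = self.hits[ip]
        q.append((now, status))
        self._prune(ip, now)
        errors = sum(1 for _, s in q if 400 <= s < 500)
        if len(q) > REQUEST_THRESHOLD:
            self.listed[ip] = f"{len(q)} requests in {WINDOW_SECONDS}s"
        elif errors >= ERROR_THRESHOLD:
            self.listed[ip] = f"{errors} client errors in {WINDOW_SECONDS}s"

    def decide(self, ip):
        """Return (action, extra_headers) for the next request from ip."""
        if ip in self.whitelist or ip not in self.listed:
            return "allow", {}
        if self.mode == "deny":
            return "deny", {}
        # Warn mode: let the request through but tell the application why the client is suspect.
        return "allow", {"X-Repsheet": "true", "X-Repsheet-Reason": self.listed[ip]}


# Constructed access log: "<ip> <unix_ts> <status> <path>". Addresses are from documentation ranges.
CONSTRUCTED_LOG = [
    "198.51.100.7 1000 200 /index.html",
    "198.51.100.7 1005 200 /about",
    "198.51.100.7 1040 404 /favicon.ico",
    "203.0.113.5 1000 404 /old-site/1",
    "203.0.113.5 1001 404 /old-site/2",
    "203.0.113.5 1002 404 /old-site/3",
    "203.0.113.5 1003 404 /old-site/4",
    "203.0.113.5 1004 404 /old-site/5",
    "203.0.113.5 1010 200 /index.html",
]


def replay(lines, mode="warn"):
    """Feed log lines through the engine and report the decision for each IP seen."""
    sheet = Repsheet(mode)
    for line in lines:
        ip, ts, status, _path = line.split(maxsplit=3)
        sheet.record(ip, int(ts), int(status))
    return {ip: sheet.decide(ip) for ip in sheet.hits}


if __name__ == "__main__":
    for ip, (action, headers) in replay(CONSTRUCTED_LOG).items():
        print(ip, action, headers)
```

The two modes map to the choice the paragraph describes: in warn mode the request reaches the application with headers explaining the listing, so the app can, for example, skip expensive work or require extra verification; in deny mode the engine answers the request itself. A real deployment would keep the counters in Redis so every web node shares the same sheet.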

WinSCP


I’m a command-line guy, but lots of people on my team prefer graphical tools.
WinSCP is a really useful piece of software. From the WinSCP website:

WinSCP is an open source free SFTP client, SCP client, FTPS client and FTP
client for Windows. Its main function is file transfer between a local and a
remote computer. Beyond this, WinSCP offers scripting and basic file manager
functionality.

Back Up Your Data

Not long after we got married, my wife came to me and asked, “Are our wedding
photos backed up?”

“Yes”, I replied.
“Just so you know. At some point, I’m going to want to look at those photos
again. If they are not available for any reason, we are going to have a
problem, so you do whatever you have to do to make sure I still have my
pictures. Put them in the safe deposit box. Network them to the clouds.
Something. Just make sure I have my pictures.”

I make sure she has her pictures by backing them up.

I prefer to back up my files in multiple ways and in multiple places for maximum
convenience and maximum reliability. Then again, I’m super nerdy. 8^)

If the only place your toddler’s pictures live is on your laptop, then those
suckers are one Mountain Dew away from existing only in your memories.

Maybe I’ll go into detail about backup options later on, but here are some of
my recommendations.

DropBox

https://dropbox.com

This program creates a folder on your computer that is synchronized to servers
on the internet. The amount of data you can store is small, but it is great
for backing up documents. You can synchronize with your phone too.

Western Digital My Passport Essential SE

http://amazon.com/Passport-Portable-External-Drive-Storage/dp/B007FQNKRC

This is a portable hard drive that you can plug into your computer. It comes
with software that you can use to back up your entire computer.

CrashPlan

http://crashplan.com

You can use this program to back up to a hard drive (like the Western Digital My
Passport Essential SE) for free, or you can pay as little as $2.00 /month to
back up your PC to servers on the internet. (I’d recommend the $4.00 / month
plan since it lets you back up the whole computer.)

Extra Protection for your Online Accounts

A friend of mine fell prey to a scammer and her email account got hacked.
They gained access to several of her online accounts and did a lot of damage.
Once someone gets access to your email account, they can click “Reset Password”
on any other site you use to gain control of it too. Consider setting up your
email and Facebook accounts to send a code to your phone whenever someone tries
to log in from a new computer or device. This is called
“Two-Factor Authentication” or “Two-Step Verification”. It requires something
you know (your password) and something you have (your phone) before you are
granted access on an unrecognized device. Here are links to pages where you
can set up two-factor authentication for a few popular services:

Gmail: https://support.google.com/accounts/bin/answer.py?hl=en&answer=180744

Yahoo Mail: https://edit.yahoo.com/commchannel/sec_chal_manage

Facebook: https://www.facebook.com/settings?tab=security&section=approvals&view

Dropbox (Click “Security” after sign-in): https://www.dropbox.com/account#security