arainho ~$ ./blog --list

Secure Git Workshop

Fri, 27 May 2022 00:00:00 +0000

Talk - Secure development with git

I did a talk & demo called “Secure development with git” last Wednesday 25th May, on the UA CyberSecWeek ‘22, that toke place on DETI, University of Aveiro.

I created a GitHub repository called secure-git-workshop to support the talk. The presentation slides are available here.

Colima Sharing File Issues

Fri, 29 Apr 2022 00:00:00 +0000

Introduction

After Docker Desktop changed its new licensing schema, some people went after alternatives such as a Linux VM with docker daemon inside, minikube, Rancher Desktop, and Colima.
I tried them all and end up in Colima after issues with sharing folders/files between host and containers and also port forwarding.

“Now let me show you what happens when I share a file from /tmp/file to a docker container with Colima …”

It’s 28th April and I’m using the following software versions:

docker client version: 20.10.12
colima version: 0.3.4
macOS: 11.6.5

The steps to reproduce the issue are the following:

Download and ensure file is present.

curl -o /tmp/config.yaml https://example.com/config.yaml
test -f /tmp/config.yaml && echo "it's a file"

Removing any config file from colima Linux VM.

colima ssh exec sudo rmdir /tmp/config*

Try to share a file whitin a container.

docker run -it --rm -v /tmp/config.yaml:/opt/config.yaml alpine /bin/sh -c "test -d /opt/config.yaml && echo it\'s a directory"

colima ends up creating a directory !

colima ssh exec ls /tmp/config.yaml && echo $?

Remove the file from your macOS host

rm /tmp/config.yaml
test -f /tmp/config.yaml || echo "config.yaml not found"

And the directory remains in colima Linux VM !

colima ssh exec ls /tmp/config.yaml && echo $?

Now use other container to share /tmp from host and you have “trash” from colima’s /tmp

docker run -it --rm -v /tmp:/opt ubuntu /bin/sh -c "test -d /opt/config.yaml && ls -ld /opt/config.yaml"

Stop and start colima Linux VM, and /tmp/config.yaml dir remains there !

colima stop
colima start
colima ssh exec ls /tmp/config.yaml && echo $?

Solution

It’s 29th April and I open a issue#267 in the Colima GitHub repository and receive a response.

Only two host directories are available to the Linux VM and Docker containers: $HOME and /tmp/colima. I need to use /tmp/colima/file instead of /tmp/file and after that, I’m able to share a file from host to container.

docker run -it --rm -v /tmp/config.yaml:/opt/config.yaml alpine /bin/sh -c "test -d /opt/config.yaml && echo it\'s a directory"

Awesome Api Security

Fri, 11 Feb 2022 00:00:00 +0000

awesome-apisec (aka awesome-api-security) is a collection of awesome API Security tools and resources that reaches 1k stars today :-D

I created a repository on GitHub related to API security in August 2020 with an initial commit and started as a personal list of bookmarks. It evolved, I started to invest in it, learn and experiment more about the topic ending up adding more resources to it.

In 2021 APIsecurity.io referenced my repo in a newsletter, also on their twitter, the Bug Bounty Hunter reference it in 2022 on twitter, and people started to add it to their favorites. I ended up having 400 stars in December 2021, now I have 1k ;-)

Thank you all that found the awesome-api-security repo useful.

My Msc

Tue, 04 May 2021 00:00:00 +0000

I defended my Master’s dissertation on February 8, 2021 at the University of Aveiro, Portugal, Europe (WEST) I take this opportunity to thank my advisors for all the support, dedication, and patience throughout the process.

The dissertation is entitled Container security in CI / CD pipelines and is available online at RIA, the Institutional repository of University of Aveiro (UA).

This dissertation aims to reduce the impact of microservices’ vulnerabilities by examining the respective images and containers through a flexible and adaptable set of analysis tools running in dedicated CI/CD pipelines. This approach intends to provide a clean and secure collection of microservices for later release in cloud production environments. To achieve this purpose, we have developed a solution that allows programming and orchestrating a battery of tests. There is a form where we can select several security analysis tools, and the solution performs this set of tests in a controlled way according to the defined dependencies.

To demonstrate the solution’s effectiveness, we program a battery of tests for different scenarios, defining the security analysis pipeline to incorporate various tools. Finally, we will show security tools working locally, which subsequently integrated into our solution return the same results.

The developed code and pipeline samples are available on gitlab.com/secureapps-ci.

Usbarmory Interlock

Wed, 12 Feb 2020 00:00:00 +0000

usbarmory-interlock

The purpose is to install INTERLOCK in usbarmory Mk I with usbarmory-debian-base_image.

You can check my previous post to check how to prepare burn usbarmory-debian-base_image, connect to usbarmory via ssh / serial.

The INTERLOCK app is a file encryption front-end, that consists of a web-based file manager running JSON application server on a device hosting an encrypted partition.

The main features of INTERLOCK are:

a file manager that allows uploading/downloading of files to/from the encrypted partition
symmetric/asymmetric cryptographic operations on the individual files
secure messaging and file sharing supported with an optional built-in Signal client.

The script to install and setup interlock is

notes

If you prefer Pre-compiled binary releases for ARM targets they are available at interlock repository.

Zoom Zero Day

Wed, 10 Jul 2019 00:00:00 +0000

After the latest news about a zero-day vulnerability in the Zoom client for Mac that allows a malicious website to hijack a user’s web camera without their permission.

Reading this article at Medium from a Security Researcher named Jonathan Leitschuh

So I decided to do 3 things

uninstall zoom.us application from macOS
disable the ability for Zoom to turn on your webcam when joining a meeting
shut down and prevent this server from being restored after updates

To confirm if this server is present run this in your terminal.

lsof -i :19421

You can use this find commands to search all zoom files and folders in your machine, and complete the public gist.

find all files

find . -type f |&grep -iE "us.zoom|zoom|zoom.us"

find all folders

find . -type d |&grep -iE "us.zoom|zoom|zoom.us"

I created a public gist called zoom_uninstall_macos-sh to mitigate these 3 items,
using a public script from Zoom Google Drive, instructions from Jonathan Leitschuh referenced in the medium article and also this post at apple stackexchange.

#!/usr/bin/env bash

echo Stopping Zoom...
pkill "zoom.us"

echo Cleaning Zoom...
echo Cleaning Application Cached Files...
{
  rm -fr -- ~/Library/Application\ Support/zoom.us
  rm -fr -- ~/Library/Application\ Support/ZoomPresence
  rm -fr -- ~/Library/Caches/us.zoom.xos
  rm -fr -- ~/Library/Logs/zoom.us/
  rm -fr -- ~/Library/Logs/zoomRooms/
  rm -fr -- ~/Library/Logs/zoominstall.log
  rm -fr -- ~/Library/Preferences/ZoomChat.plist
  rm -fr -- ~/Library/Preferences/us.zoom.xos.plist
  rm -fr -- ~/Library/Saved\ Application\ State/us.zoom.xos.savedState
}

echo "Cleaning Application..."
{
  rm -fr -- ~/Applications/zoom.us.app
  rm -fr -- ~/.zoomus/ZoomOpener.app
  rm -fr -- ~/.zoomus
}
echo "Removed Application..."

echo "Preventing the vulnerable server from running on your machine..."
# (You may need to run these lines for each user on your machine.)
pkill "ZoomOpener"; rm -rf ~/.zoomus; touch ~/.zoomus && chmod 000 ~/.zoomus;
pkill "RingCentralOpener";  rm -rf ~/.ringcentralopener; touch ~/.ringcentralopener && chmod 000 ~/.ringcentralopener;

echo "Disabling the ability of Zoom to turn on your webcam when joining a meeting..."
defaults write ~/Library/Preferences/us.zoom.config.plist ZDisableVideo 1           # For just your local account

echo "Removing Launch Daemons/Agents and Internet Plug-Ins..."
{
  rm -fr -- ~/Library/LaunchDaemons/us.zoom.rooms.daemon.plist
  rm -fr -- ~/Library/LaunchAgents/us.zoom*
  rm -fr -- ~/Library/Internet\ Plug-Ins/ZoomUsPlugIn.plugin/
}

echo "Switching to a user with sudo privileges to remove more zoom things..."
{
  sudo rm -fr -- /Applications/zoom.us.app
  sudo kextunload -b zoom.us.ZoomAudioDevice
  sudo rm -fr -- /System/Library/Extensions/ZoomAudioDevice.kext
  sudo defaults write /Library/Preferences/us.zoom.config.plist ZDisableVideo 1       # For all users on the machine
  sudo rm -fr -- /Library/Internet\ Plug-Ins/ZoomUsPlugIn.plugin/
  sudo rm -fr -- /Library/LaunchDaemons/us.zoom.rooms.daemon.plist
  sudo rm -fr -- /Library/LaunchAgents/us.zoom*
}

Usbarmory Setup

Fri, 19 Apr 2019 00:00:00 +0000

usbarmory-setup

I order my usbarmory device from crowdsupply to Europe, and after more than one month and paying customs duties the armory finally arrived :-)

1. Preparing your own microSD card

1. check microSD-compatibility
1. choose one of the available images for usbarmory.
1. burn the image into microSD card

I choose a Samsung microSD and a pre-compiled release of Debian stretch image available here.

2. Connect to usbarmory

We have to options to connect with the usbarmory device, via serial or ssh .

Option 1 - serial interface

We can connect to usbarmory serial port through a USB to TTL cable, the breakout header can be accessed as, the breakout header can be accessed as described in gpio page.

I solder a header in usbarmory and use pins 1,5,6 to connect ‘usb to ttl’ adapter with silicon CP210x chipset and specific drivers. To connect in macOS use the next command:

screen /dev/tty.SLAB_USBtoUART 115200

Option 2 - ssh connection

In this image usbarmory-debian-base_image usbarmory cames with predefined ipv4 address 10.0.0.1, so set the laptop or workstation ip address to 10.0.0.2 and connect to your usbarmory.

Now we can log in with

ssh 10.0.0.1 -l usbarmory

3. Additional setup

Create a ssh key pair, and sent it to usbarmory

ssh-keygen -t rsa -b 4096 -C "usbarmory key"
ssh-copy-id -i $HOME/.ssh/id_rsa_usbarmory usbarmory@10.0.0.1

Notes

macOS Monterey

We need the CDC Composite Gadget interface in the macOS Network Preferences.

Also if we want to share our internet access with the usbarmory device

in macOS Monterey set ip address of CDC Composite Gadget interface to 10.0.0.2
finally set Enable Internet Sharing to ON in System Preferences

on other macOS versions

In some case we may need to

have RNDIS/Ethernet Gadget interface in the Network Preferences
Set usbmory ip to 192.168.2.X/24 and gateway 192.168.2.1
Set ip address of RNDIS/Ethernet Gadget interface to 192.168.2.1
finally set Enable Internet Sharing to ON in System Preferences

Enable HTTPS on your website with Let’s Encrypt

Mon, 26 Sep 2016 15:57:00 +0000

Let’s Encrypt

Let’s Encrypt is a new Certificate Authority: It’s free, automated, and open

Enable HTTPS Automatically

Automatically enable HTTPS on your website with EFF’s Certbot, deploying Let’s Encrypt certificates.

To install just do

mkdir /usr/local/bin/ || exit
wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto

If you would like to generate specific certificates, use the certonly command.

certbot-auto --agree-tos --email admin@example.com --apache certonly -n -d example.com -d example.org

Add your new certificate to Apache

In Apache if you need to specify the chain file, otherwise clients will complain about certificate hierarchy in some browsers and Operating Systems.

vi /etc/apache2/sites-enabled/000-defaul-ssl

    SSLCertificateFile      /etc/letsencrypt/archive/example.com/cert1.pem
    SSLCertificateKeyFile   /etc/letsencrypt/archive/example.com/privkey1.pem
    SSLCertificateChainFile /etc/letsencrypt/archive/example.com/chain1.pem

Or add the new certificate to nginx

vi /etc/nginx/nginx.conf

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

Automating renewal

Let’s Encrypt certificates last for 90 days, so it’s highly advisable to renew them automatically!

We can use pre-hook and post-hook to stop services before renewing the certificates and after, in this case i use apache2 but can be nginx. Let’s test automatic renewal for our certificates by running this command:

certbot-auto renew \
    --dry-run \
    --force-renew \
    --standalone \
    --noninteractive \
    --pre-hook "service apache2 stop" \
    --post-hook "service apache2 start"

And finally add a line to cron, auto-renew-certs.sh it’s the previous command in a script.

# Let's Encrypt 
0 3 1 * * root /usr/local/bin/auto-renew-certs.sh | mail -e -s "[Let's Encrypt] monthly renew certs" admin@example.com

Some usefull links

https://certbot.eff.org/ https://certbot.eff.org/#ubuntuother-apache https://certbot.eff.org/docs/using.html#renewal https://certbot.eff.org/docs/using.html#renewing-certificates

Clone disks with dd

Tue, 05 Jul 2016 11:51:00 +0000

0. !!! WARNING !!! ‘dd’ may damage your system …

Please use disks with no data or non critical data, and use dd with extreme caution. Test things first, Disks, Flash Drivers and operating systems differ so be carefull.

1. Before clonning let’s check the state our original disk sdc, see the rw flag bellow RO.

# blockdev -v --getro /dev/sdc
get read-only: 0

# blockdev -v --getro /dev/sdc1
get read-only: 0

# blockdev --report  /dev/sdc
RO    RA   SSZ   BSZ   StartSec            Size   Device
rw   256   512  4096          0   1000204886016   /dev/sdc

# blockdev --report  /dev/sdc1
RO    RA   SSZ   BSZ   StartSec            Size   Device
rw   256   512  4096       2048   1000203091968   /dev/sdc1

# hdparm -r1 /dev/sdc

2. Lock property of device sdc, this will set the device and partition to read-only mode

blockdev --setro /dev/sdc
blockdev --setro /dev/sdc1

# blockdev -v --getro /dev/sdc
get read-only: 1

# blockdev -v --getro /dev/sdc1
get read-only: 1

We also can use the hdparm instead of blockdev

hdparm -r1 /dev/sdc

/dev/sdc:
 setting readonly to 1 (on)
 readonly      =  1 (on)

# hdparm -r /dev/sde

/dev/sde:
 readonly      =  1 (on)

3. Insert the clean device

dmesg -T 

[Tue Jul  5 13:13:41 2016]  sdg: sdg1
[Tue Jul  5 13:13:41 2016] sd 5:0:0:0: [sdg] Attached SCSI disk

4. Clone the devices with dd

Used device ids instead of sda, sdX, etc it’s safer. :-)

ls -lh /dev/disk/by-id/* | grep -i kingston | awk '{ print $9}'
/dev/disk/by-id/usb-Kingston_DT_HyperX_000000-0:0 -> ../../sde

option 1 ( safer )

sudo dd status=progress if=/dev/disk/by-id/usb-Kingston_DT_HyperX_0011100-0:0 /dev/disk/by-id/ata-Hitachi_HDT000_XXX

option 2 ( risky )

sudo dd status=progress if=/dev/sdc /dev/sdg

In my Arch Linux i have progress with dd version 8.25,

# dd --version
dd (coreutils) 8.25

On some of Debian/Ubuntu or other Linux Distro the option is to use dd_rescue, that has progress and other nice features for data recovery.

dd_rescue /dev/sdc /dev/sdg

After using deftlinux for some data recovery, i found that is possible to set devices in read only mode. You can check details in the here deft-quickguide.

Move running process to new screen shell

Fri, 01 Jul 2016 09:34:00 +0000

In order to move a running process on your current shell to a new screen session, you can use reptyr and screen or even tmux.

Imagine that your connected via ssh to a remote server and your current job is taking to long to complete … or you forgot to open a tmux or a screen session and launch a long task …

I found the solution at serverfault, and an nice post at monkeypatch blog.

$ htop                 # Launch new process
$ ctrl+z               # Suspend the current process
$ screen               # Launch screen
$ reptyr $(pgrep htop) # Get back the process