2020-12-05 Playing with a fully programmable LED strip
At work there is a sort-of competition for the best christmas decorations in the office. At the end of last year I considered doing something with programmable LEDs to 'participate' in this competition in 2020. This year turned out somewhat different, but slowly my son is also somewhat interested in electronics, soldering and making the computer do something. So I set out to find fully programmable LED strips. I found a good comparison of LED strips in a Youtube video: LED Strips, what's the difference? WS2811, WS2812B, 2812Eco, WS2813, WS2815, SK6812, SK9822. which compares the several available types and their pros and cons. After viewing this video and for my limited experiment I thought the WS2812B based LED strip would be the best choice. The next hurdle was controlling it and I found Connect and Control WS2812 RGB LED Strips via Raspberry Pi which has pointers to the right code. I am not following the advice on that page about working with mains power cables. That looks dangerous. I ordered a WS2812B based LED strip and a matching power supply for 5V 40Watt from a Dutch webshop and got it in a few days later. I was amused by the warning the webshop gave that a LED strip like this is for advanced users only because you have to add a controlling device and do all the programming. That is exactly what I intended to do! Programming is in Python3, and I haven't written any Python code before. But with a lot of google searches and looking at samples I got the idea right. I now have the LED strip blinking in exactly the patterns I want, including a nice pattern for a christmas tree. And it blinks 'MERRY CHRISTMAS' in morse code, because why not!
2019-03-19 Time to update putty
An interesting bit of news: SSH client gets patched after RSA key exchange memory vuln spotted.The fixes implemented on PuTTY over the weekend include new features plugging a plethora of vulns in the Telnet and SSH client, most of which were uncovered as part of an EU-sponsored HackerOne bug bounty.Get your updated putty at the PuTTY download page. Update: Interesting visual change in putty: informational lines from the client are now prefixed by a putty logo. This could make it harder to mislead the user in certain attacks.
2018-10-01 Getting distracted on shodan
This morning I was looking on shodan for open remote desktop servers in the work network since RDP was mentioned as an attack vector in the latest GANDCRAP ransomware. Searching for '3389' on shodan found something completely different: an open industrial control system (ICS) for tankstation gauges.IN-TANK VOORRAAD TANK PRODUCT VOLUME TC VOLUME VULVOL HOOGTE WATER TEMP 1 UL 98 9757 9693 10283 939.2 0.0 20.09 2 EURO 2...According to The Internet of Gas Station Tank Gauges -- Take #2 - Rapid7 this was already a reported issue in January 2015 and according to their research it may be possible to do bad things with this access. The above is from a gas station I can find on google maps. Oh I found the way to search for open remote desktop servers on shodan: port:3389.
2018-09-24 Windows 10 WiFi can't deal with password changes
The work laptop is now "upgraded" to Windows 10. I wasn't sure about it as I saw Windows 7 as less annoying but it's the corporate choice. And after I changed the password for my eduroam wifi-account it just gives an error and does not connect to the wireless network. The obvious choice to show the option to enter a new password does not pop up (unlike Android which came with that suggestion right away). Even the "network troubleshooter" doesn't come with the source of the connection problem let alone the obvious solution. The Windows 10 "solution" is to just forget the network and discover it again. I'm glad this isn't a network where I need special options and a certificate to log in.
2018-08-17 Trying (and failing) to correlate security logs
Since activating sendmail authentication with secondary passwords I see a number of attempts to guess credentials to send mail via my system. This is not very surprising, given the constant attack levels on the wider Internet. For work I am looking at log correlation and monitoring and with that in mind I noted that finding the right information from sendmail where and when the attempt came from is quite hard since there are several processes busy and it's hard to correlate the logging. The failed attempt is logged by saslauthd in /var/log/auth.log:Aug 16 12:28:57 greenblatt saslauthd: pam_unix(smtp:auth): check pass; user unknown Aug 16 12:28:57 greenblatt saslauthd: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= Aug 16 12:28:59 greenblatt saslauthd: do_auth : auth failure: [user=monster] [service=smtp] [realm=idefix.net] [mech=pam] [reason=PAM auth error] Aug 16 12:29:00 greenblatt saslauthd: pam_unix(smtp:auth): check pass; user unknown Aug 16 12:29:00 greenblatt saslauthd: pam_unix(smtp:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= Aug 16 12:29:02 greenblatt saslauthd: do_auth : auth failure: [user=monster] [service=smtp] [realm=] [mech=pam] [reason=PAM auth error]This is probably related to this sendmail log information:Aug 16 12:28:56 greenblatt sm-mta: STARTTLS=server, relay=184.108.40.206.static.user.indesat.com [220.127.116.11] (may be forged), version=TLSv1/SSLv3, verify=NO, cipher=DHE-RSA-AES256-SHA, bits=256/256 Aug 16 12:29:02 greenblatt sm-mta: w7GASspx020716: 18.104.22.168.static.user.indesat.com [22.214.171.124] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to MSP-v6But I can't be sure as there are multiple 'did not issue MAIL/EXPN/VRFY/ETRN' messages in the logs. So I can't build a fail2ban rule based on this.
2017-03-10 Improving the Internet security one service at a time
At work we (indirectly) get the scanning results from Shadowserver which now includes open VNC servers which is yet another service we don't really want left open to the Internet in general. A few were found which are now actively chased after to get them firewalled/disabled. I really like the concept of shadowserver. ISPs that want the information can get full overviews of insecure services and botnet activity on their network. A full overview of what shadowserver looks for can be found at The scannings will continue until the Internet improves - Shadowserver.
2016-03-14 VirtualBox 5 host-only network looks too much like a bridging adapter
Ever since I upgraded VirtualBox to a version 5 on my work laptop I can't start virtual machines which want to use the VirtualBox host-only network. For some communication I'd like to use that host-only network. Diving deep into the possible reasons found me VirtualBox can't find host-only adapters on Windows 10 which tells:Oh and please double check that when you go to "Network Connections" and open the Properties dialog of the "VirtualBox Host-Only Network" connection, you see "VirtualBox NDIS6 Bridged Networking Driver" in the "This connection uses the following items" list.This is indeed the case on my work laptop, and the use of the NDIS6 driver is an upgrade compared to VirtualBox 4. But I know the windows policy at work includes "you cannot use bridged networking" so I think I found the reason. So now the solution is to use the main NAT network device. I was using the host-only network for some communication between the virtual machine and the host system or other virtual machines which should not be influenced by the 'outside world'. Now I seem to be using NAT as a firewall for that, which is wrong.
2015-08-18 I'm a CISSP© now
After taking the course in April and doing the exam in June I am now a Certified Information Systems Security Professional. As part of my job in computer security it is good to have this knowledge, it really helps me understand things.
2015-06-20 A fast-changing security world
At work I reviewed something about TLS security I wrote in May 2014 and noticed I had to make some serious adjustments for the May 2015 state. SSLv3 is no longer accepted, SHA1 is no longer an accepted hashing algorithm and other changes. This week on the home server greenblatt I had two different impacts from the latest OpenSSL update: SSL communications with the Fritz!Box was failing and SSL in sendmail was failing, both due to the latest insights into the security of the Diffie-Hellman key exchange. These insights are very very new: in April I did a course in the Certified Information Systems Security Professional (CISSP) common body of knowledge and I learned the default Diffie-Hellman parameters were safe. Now we learn to generate them for each individual system at the same strength as the private key. Knowledge of cryptographic quality ages fast at the moment.
2014-09-22 (#)Items with tag work before 2014-09-22
So work made a laptop with the standard Windows 7 software image available to me and I noticed when I took it home it doesn't do any IPv6. Which is not what I want. Some searching found How to disable IPv6 or its components in Windows - Microsoft Support which has the right answers which were used by the people creating this software image. I changed the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\DisabledComponents registry key to 0x01 so I don't get the Isatap/Teredo tunnels. Interesting remark in that support article:We do not recommend that you disable IPv6 or its components, or some Windows components may not function. Additionally, system startup will be delayed for 5 seconds if IPv6 is disabled.I guess I'll have to find another way to disable the Isatap/Teredo tunnels to make the system boot faster. I want IPv6 to work when it's available native or not at all. Some aspects of the work network make things slow when tunneling protocols are tried. Which is probably the reason of disabling it in the first place. Update 2014-10-01: It seems this setting gets reset somehow: I am at the Surfnet Relatiedagen 2014 and just noticed the laptop has no IPv6 on the network here, which surprised me. But a check of the settings showed no IPv6 addresses at all, not even link-local. A check on my Android phone shows globally routable IPv6 addresses.