Security Saturday!
So Wednesday my new hardware got here. Sweet Ryzen 9 and a nice AMD graphics card to back it. Room for upgrades still, since I did not go all-out in expense. It was not needed because I was upgrading from a 6- or maybe even 7-year-old laptop (custom built by BTO, it still outruns most laptops on the market).
The old laptop has real troubles now, and so I spent my first paycheck on replacing trusty old Yami with the new family member Lambda. Since Yami I have outgrown my tendency to name things with Japanese words, now we are at pretentious greek symbols used in mathematics.
I joke, I did not want to name it Gandalf or something, but all my other devices slowly inch towards Lord of the Rings names... (Peregrin, Samwise, etc...) So Lambda was the lesser of the two evils. Jupiter was another option, a legacy naming scheme from my dad's home network.
Either way, today I am busy setting up the new hardware so this Security Saturday will be short. We shall take a look at the .well-known directory that some webservers have.
See this link to the .well-known section of my own website: https://technotive.nl/.well-known/security.txt
The .well-known section is there to provide people with information that might be useful to have when interacting with a site in a capacity that goes beyond normal visitor. The security.txt file (much like robots.txt, which is NOT in the .well-known section) is an optional standard that provides information on who to contact and how in the case of a security incident that the site owner should know about (in this case, me).
But as you can imagine, anyone needs access to this .well-known section for it to work. At least read access. This makes the .well-known section a good place to upload malicious files when you compromise someone's network, because:
This struck me when I found several payloads in phishing earlier this week (I document and categorize all phishing emails as part of my job). I never thought about the .well-known section like that before, but the phishers did and it was a joy to see it. It might be nefarious, but it was clever!
Now, how could you tackle this problem and keep your web server safe from it? A trick might be to serve the files individually and lock the permissions on the whole folder. It would at the very least slow the attackers down, possibly making them divert to an easier target.
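As an added example (not code from the original post), here is the "lock the folder" idea from above turned into something you can run: an audit that reports any file in .well-known that is not on your publish allowlist or that is writable by group/other (the symptom of the uploads described earlier), and a lock step that leaves the web server with read access only. The allowlist and paths are assumptions; adjust them to your server.

```shell
#!/bin/sh
# Added example, not from the original post. Audits and locks a .well-known
# directory. Assumes POSIX sh with ls(1), find(1) and basename(1).
# Placeholder allowlist: the files you deliberately publish there.
WELLKNOWN_ALLOW="security.txt"

# Print every entry in DIR that is not on the allowlist, and every entry
# whose mode bits make it group- or other-writable.
# Returns 1 if anything was reported, 0 if the directory is clean.
audit_wellknown() {
    dir="$1"
    status=0
    for path in "$dir"/* "$dir"/.[!.]*; do
        [ -e "$path" ] || continue            # glob matched nothing
        name=$(basename "$path")
        allowed=0
        for ok in $WELLKNOWN_ALLOW; do
            [ "$name" = "$ok" ] && allowed=1
        done
        if [ "$allowed" -eq 0 ]; then
            echo "unexpected: $path"
            status=1
        fi
        # Columns 1-10 of ls -ld are the mode string, e.g. -rw-rw-rw-;
        # character 6 is the group write bit, character 9 the other write bit.
        mode=$(ls -ld "$path" | cut -c1-10)
        case "$mode" in
            ?????w*|????????w*)
                echo "writable: $path"
                status=1 ;;
        esac
    done
    return "$status"
}

# Lock DIR: directory 0755, files 0644, so the web server (and everyone
# else) can read but only the owner can add or change files. Changing the
# owner to root is assumed to be done separately, since it needs privileges.
lock_wellknown() {
    dir="$1"
    chmod 0755 "$dir" && find "$dir" -type f -exec chmod 0644 {} +
}
```

Run `audit_wellknown /var/www/html/.well-known` from cron and alert on non-zero exit; a new name in that directory is exactly the signal the post describes.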
If you are on the receiving end of the phishing and you want to report this problem, look in the .well-known section for the security.txt file!
But wait, the phishers are in there as well, right?
Well put, they are, and this means security contact information should probably not be hosted on the server it is supposed to be helping... Where should it go? I do not know. I shall keep thinking on this.
Stay safe out there!
There is so much more to this one chapter, but it is so good already!
I had to cut it short because guests arrived, but this should get you started on your own study :)
@calvinrempel Thank you once again for the Theology Tuesday you did, I refer back to it in this one :)
@JamesDerian Congratulations on your marriage :)
Next time there might (almost certainly) not be a Theology Tuesday, so the official next one will be February 22nd! I have a marriage to attend. As the groom. Our home is still half a project.
Fun times!
This is the third corner to have persistent discussions and talks in. I love tech, but especially once it transcends hardware a little. I have two degrees; a bachelor's in Software Engineering and a master's in Information Security Technology. My graduation thesis focused on assembly-level optimizations (that is, one level above the hardware level) and my free subjects were in formal verification. This is why I love programming in the security corner, or maybe it is the other way around.
I started going down the Security path because I early on saw that the world around us would become a dangerous cesspool of badly-implemented and hostile tech. Now I am one of the people that understands the field around that mess :)
So in here you can discuss secure phones, weird programming languages, sad truths about internet-connected fridges. Also malware, adblockers, and so on and so forth!
A lot of tech talk I do over at the @Lunduke community, where a lot of nerds hang out and it is ...
Much like the reading corner, let's have a music corner! A few rules for this one, since some music can be provocative. I don't mind much, but let's keep YouTube links with risqué thumbnails out of here.
Other music I might also mind. "Do you find that offensive?" someone might ask. Yes, there is some music I choose not to listen to on principle, and I walk a thin line there sometimes. But do not worry, I have a wide taste otherwise, so feel free to share almost anything :)
Either way, here is the music corner!
Many times when we talk about security, we mean to say "digital security". In essence we mean that the hardware and software we use stays safe no matter what we do. And even though the ISO27001 standard (and by extension, for example, the NEN7510 standard) makes it abundantly clear that security is a people-domain problem, we usually take that as a process-like truth. Meaning, we think that being secure is a matter of regulating people.
The truth is very different. For example, while writing this I am pretty shot. I slept five hours and I am under the influence of a bunch of painkillers and some alcohol. Before you ask what I was thinking, let me mention that I have a genetic defect in my spine that I am dealing with right now by taking measured doses of all three (and yes, to get the Bible into this conversation, there is even a biblical ground for the inebriation with alcohol - see Proverbs and the letters to Timothy - , although I did not use red wine. But hey, I am still on top of ...