Random things #6

Written on 28 November 2014, 11:27am

Tagged with: , , , , ,

1. A few things about yum:

yum plugins
yum update openssl package (heartbleed anyone?)

Info about yum and openssl packages:
yum info yum
yum info openssl

Run yum without plugins:
yum --noplugins

Update openssl package:
yum update openssl

To check that a certain CVE (common vulnerability and exposure) is fixed in the current installation:
rpm -q --changelog openssl | grep CVE-2014-0224

To check openssl version:
openssl version -a

2. vi quick commands:

insert to start editing
escape to stop editing
:x to save and exit (in view mode)
u to undo (in view mode)

3. SFTP Sublime Text plugin is awesome

And it’s only $20

Security concepts

Written on 24 November 2014, 11:08pm

Tagged with:

The CIA of security
Confidentiality + Integrity + Availability
+ (in time) – Authentication and Non-repudiation

Operational model of computer security
Protection = Prevention + (Detection + Response)

Other security concepts
– Least privilege
– Separation of duties
– Implicit deny
– Job rotation
– Layered security
– Diversity of defense
– Security through obscurity: pushing your favorite ice cream to the back of the freezer, or making your admin URL hard to guess 🙂

Identification vs Authentication vs Authorization
Identification – who are you? (typically an username)
Authentication – how can you prove who you are?
– something you know (a password)
– something you have (a physical token)
– something you are (fingerprint reader)
Authorization – what you can do once you are authenticated?

Access control
– DAC – discretionary access control
– MAC – mandatory access control
– RBAC – role based access control
– RBAC – rule based access control

Image: istockphoto

Random things about security

Written on 23 November 2014, 11:12pm

Tagged with: , ,

1. OpenSSL common commands

A list of the most common commands used in OpenSSL: https://www.sslshopper.com/article-most-common-openssl-commands.html

Generate a CSR along with a private key:
openssl req -new -newkey rsa:2048 -nodes -keyout private.key -out domain.csr
Probably the most used openssl command because it’s the first step in moving to HTTPS.

Generate a CSR using an existing private key:
openssl req -out CSR.csr -key privateKey.key -new

Remove a passphrase from a private key (Warning: leaving a private key unencrypted is a major security risk #):
openssl rsa -in privateKey.pem -out newPrivateKey.pem

Transform a certificate from PEM (text) format to DER (bynary) format:
openssl x509 -outform der -in certificate.pem -out certificate.der

Transform a key from PEM to DER format:
openssl rsa -in key.pem -out key.der -inform pem -outform der

These last 2 commands allow you to convert certificates and keys to different formats to make them compatible with specific types of servers (ex – a PEM file for Apache to a PFX for Tomcat or IIS).

The main command options in OpenSSL – req, rsa and x509:
req PKCS#10 X.509 Certificate Signing Request (CSR) Management.
rsa RSA key management.
x509 X.509 Certificate Data Management.

DER (Distinguished Encoding Rules) is a case of BER (Basic Encoding Rules)
OpenSSL as Windows binary: http://slproweb.com/products/Win32OpenSSL.html

2. Let’s encrypt!


When Let’s Encrypt launches in Summer 2015, enabling HTTPS for your site will be as easy as installing a small piece of certificate management software on the server.
The Let’s Encrypt management software will:
– Automatically prove to the Let’s Encrypt CA that you control the website
– Obtain a browser-trusted certificate and set it up on your web server
– Keep track of when your certificate is going to expire, and automatically renew it, etc

3. Some security books

If you plan to get CompTIA Security+:
Get Certified Get Ahead
All-in-One Exam Guide
Comparison between the two books. Amazingly, they are both from 2011 (so more than 3 years old, which in the security field should be ages).

If you know about the Fermat enigma (somehow related), then you you should probably know about its author, Simon Singh. He also wrote a very known book about code and cypher: The Code Book (I know, it’s from 1999, but we were in the context of old books about security 🙂 ). Here’s an idea out of it:

It has been said that the First World War was the chemist’s war, because mustard gas and chlorine were employed for the first time, and that the Second World War was the physicists’ war, because of the atom bomb was detonated. Similarly, it has been argued that the Third World War would be the mathematicians’ war, because they will have control over the next great weapon of war – information.

PS – iPad mini feels just right