Thursday 21 December 2017

CTF training

On the 14th of December, our company decided to hold a CTF training, provided by Dennis van Halteren and Joep van Gassel of Nováccent Group[1], for us poor software developers.

I had never heard of it before, so I was kind of interested.

Capture the Flag is a competition in which teams compete to find the most "flags": vulnerabilities planted in software built especially for the competition. Different flags are worth different scores. The application you are trying to hack lets you know, in various ways, which flags you have found. Some flags are hard, some are easy, and their respective points reflect this.

The CTF training consisted of an introduction into security and how to test it, and the main CTF competition.

One of the good points of the introduction was the overview of tools used in security and penetration testing, two of which I will mention here:

BeEF[4]
a tool that hooks users' browsers through a vulnerable website (typically an XSS flaw) and then lets the attacker run commands inside those browsers from a control panel
Kali Linux[3]
a Linux distribution that ships with a large collection of penetration-testing and security tools by default

The introduction was very general, lacked depth and lasted about an hour. I had already learned most of it during a session with WebGoat from OWASP[2] some years earlier.

The CTF competition was a lot of fun. We sorted ourselves into groups of two or three software designers. Each group was provided with a key with which to enter the portal from which all the assignments could be started. A dashboard showing the different scores was shown on the big screen.

A number of web portals were provided to us, each containing different challenges for us to overcome. Some of the security issues to find were:

  • caching of data that should not have been cached
  • privilege escalation
  • left-over files that should have been deleted but were still reachable
  • SQL injection
  • error messages that leak details about the backend
  • permissions that allow far more than they should
  • client-side code (HTML, JavaScript, CSS) that exposes vulnerabilities when examined

The intensity was very high, all of us competing to find the most flags the fastest. The combination of thinking very hard, trying things, frustration when they didn't work, and the cooperation and communication between team members made most of us feel quite exhausted at the end of the day.

There was no follow-up after the competition, which I felt was a pity. The trainers were available for questions regarding some of the assignments during and after the competition.

References

[1] Nováccent Group
https://www.novaccent.nl/
[2] OWASP WebGoat
https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
[3] Kali Linux - a free and open-source penetration testing platform
https://www.kali.org/
[4] BeEF - The Browser Exploitation Framework
http://beefproject.com/
Practice CTF List / Permanent CTF List
http://captf.com/practice-ctf/
Wikipedia - Wargame (hacking)
https://en.wikipedia.org/wiki/Wargame_(hacking)

Thursday 14 December 2017

The Dangers of Optional.orElse

Our architect at work explained how to use the Optional class properly, and sometimes that is not easy. I shall explain one of the intricacies in this blog with the aid of cake, because who doesn't love cake?

Now, some people tell me that the cake is a lie[1][2]. This may or may not be the case. So there may or there may not be cake.

This is basically the definition of the Optional[3] class in Java 8:

    Optional<Cake> cake;

One of my colleagues is a fan of Eddie Izzard[4][5].

Our architect at work presented us with code he had encountered that used Optional.orElse. I've changed it a bit by adding more cake.

If you run this program, you'll notice that after you have received a nice cake, you immediately die!

This is because the argument of .orElse() is an ordinary method argument: it is evaluated before orElse() is even called, right after the new Cake(), regardless of whether the Optional holds a value. This is very basic Java and exactly what is to be expected.

Unfortunately, we software designers seem to have a blind spot when it comes to the orElse() method. We automatically compare it to the if-else construction we know and love, and then we assume the behaviour is the same: that the "else" branch only runs when there is no value.

It is as if your brain automatically shunts over to the wrong abstraction.

The .orElse() is therefore only suitable for fallback values that already exist and are free of side effects: a constant, a literal, a variable you already hold. Anything that does work, touches I/O, or can throw does not belong in it.

Conclusion

In order to fix the problem, you need to defer the fallback with a lambda or a method reference. To do that, you need a different method of the Optional class, namely .orElseGet(), which takes a Supplier and only calls it when the Optional is empty.

The code would look as follows:

    cake.orElseGet(this::death);
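The program the post refers to is not reproduced on the page, so here is an added example of my own, not the architect's code, that shows the same thing side by side. Cake, death() and the class name CakeOrDeath are assumed names chosen to fit the story. eager() throws even though the Optional holds a cake, because the argument of orElse() is evaluated before orElse() runs; lazy() only calls death() when the Optional is empty.

```java
import java.util.Optional;

// Added example, not the code from the original post.
// Cake, death() and CakeOrDeath are assumed names chosen to match the story.
public class CakeOrDeath {

    static final class Cake {
        @Override public String toString() { return "a nice cake"; }
    }

    // Counts how often the fallback actually ran; in the post's version this is where you die.
    static int deaths = 0;

    static Cake death() {
        deaths++;
        throw new IllegalStateException("death");
    }

    // Eager: death() is evaluated as an argument BEFORE orElse is called,
    // so this throws even when the Optional is present.
    static Cake eager(Optional<Cake> cake) {
        return cake.orElse(death());
    }

    // Lazy: orElseGet receives a Supplier<Cake> and only invokes it for an empty Optional.
    static Cake lazy(Optional<Cake> cake) {
        return cake.orElseGet(CakeOrDeath::death);
    }

    public static void main(String[] args) {
        Optional<Cake> cake = Optional.of(new Cake());

        // Present value, lazy fallback: you get the cake and death() never runs.
        System.out.println("orElseGet with cake present: " + lazy(cake) + ", deaths=" + deaths);

        // Present value, eager fallback: death() runs anyway and the cake is never returned.
        try {
            eager(cake);
        } catch (IllegalStateException e) {
            System.out.println("orElse with cake present: died anyway, deaths=" + deaths);
        }

        // Empty Optional: both forms reach the fallback, which is the only case orElse was meant for.
        try {
            lazy(Optional.empty());
        } catch (IllegalStateException e) {
            System.out.println("orElseGet on empty Optional: death, deaths=" + deaths);
        }
    }
}
```

Compile and run with javac CakeOrDeath.java && java CakeOrDeath. The same trap matters when the fallback does real work rather than throwing: orElse(loadFromDatabase()) or orElse(generateNewKey()) performs the query or the key generation on every call, even when the value is present, and orElseGet(this::loadFromDatabase) does not.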

I had really hoped that they would have given the method a better name. Some notable good examples would have been:

  • "orElseConstant"
  • "orDefault"

References

[1] Know Your Memes - The Cake is a Lie!
http://knowyourmeme.com/memes/the-cake-is-a-lie
[2] Wikipedia - Portal (video game)
https://en.wikipedia.org/wiki/Portal_(video_game)
[3] Oracle Javadoc - Optional
https://docs.oracle.com/javase/8/docs/api/java/util/Optional.html
[4] Wikipedia - Eddie Izzard
https://en.wikipedia.org/wiki/Eddie_Izzard
[5] Youtube - Eddie izzard-cake or death
https://www.youtube.com/watch?v=BNjcuZ-LiSY

Friday 8 December 2017

My wife's new laptop

Well, World of Warcraft has once again got its hooks into me. I plan on reactivating my account. Ever since the proclamation from Blizzard that World of Warcraft Classic is going to be actively developed, I've got the itch.

My wife would like to play as well, but our laptop, though working fine, has trouble if the settings are set higher than 0.

So, the search for an entry-level gaming laptop on a tight budget was on!

As I have no experience with buying laptops or computers on a regular basis, it was time to do some research.

I decided, for an entry-level gaming laptop video card, to shoot for the NVIDIA GTX 960M or the NVIDIA GTX 1050.

I hear the processor is not the most interesting/important part of gaming, so a 7th generation i5 would be fine.

Memory is also not that important, as long as it is at least 8 gigabytes. I do hope to be able to upgrade this when I decide to do some software development on said laptop.

An SSD is a very nice to have, otherwise you end up on loading screens that take a while in any serious multi-gigabyte game.

Brand       Type                            Processor   Video (memory)    HDD/SSD   Mem/max (GB)
Asus RoG    RoG GC533VW-FY079T              i7 6700HQ   GTX 960M (2 GB)   hdd       8/16
MSI         6L62M 7RDX-1267NL               i5 7300HQ   GTX 1050 (2 GB)   hdd/ssd   8/32
Acer        Nitro AN515-51-5048             i5 7300HQ   GTX 1050 (4 GB)   hdd/ssd   8/32
Lenovo      Legion Y520-15LBKN-80WK00Q4mh   i7 7700HQ   GTX 1050 (2 GB)   hdd/ssd   8/16
Asus RoG    6L502VM-FY479T                  i7 7700HQ   GTX 1060          hdd/ssd   8/16
HP          Pavilion Power 15-cb001nd       i5 7300HQ   GTX 1050 (2 GB)   hdd/ssd   8/16

We decided on the HP, also because my wife's company sells it and we can get a (small) discount.

I would have liked to go for a Republic of Gamers (RoG) laptop, purely for the novelty value and the design, but alas, it was not to be.

Originally my wife had something in mind around the 700 euro price tag, but we failed miserably in that category. These gaming laptops start from 899 euros and up.

Saturday 2 December 2017

Automated executing of MySQL/MariaDB scripts

I am running MariaDB and I wish to execute SQL scripts without the hassle of entering my password every time. Of course this carries real security risks that we need to be aware of and, where possible, mitigate.

Via the commandline

It is possible to execute SQL scripts via the command line[1] with the password passed as an argument (-p followed by the password), but then the password is visible to every local user in the process list, at least briefly, and it also ends up in your shell history. So this is a security risk.

Let's not do this.

mysql_config_editor

I first checked out mysql_config_editor[2], which lets you put the password and other options into an obfuscated configuration file (.mylogin.cnf). But it turns out that MariaDB does not come with that specific tool. The "encryption" is also only obfuscation: the key needed to decrypt the file is stored in the file itself, so anyone who can read .mylogin.cnf can recover the password. There is an article about these security issues at [3], and the blog post at [4] gives the details.

So now what?

Well, there is always the option of using the configuration file .my.cnf[5]: you can store your MySQL or MariaDB password in there and everything would be hunky-dory.

The .my.cnf looks like this:

[client]
password=topsecretpassword

You are no doubt aware that the password is stored in cleartext.

The following security measures should be in place:

  • always make sure the permissions on the file are set to -rw------- (chmod 600) and that the file is owned by the user running the scripts. Note that the mysql client only refuses a world-writable configuration file; it reads a world-readable one without complaint, so you have to check this yourself.
  • create a user in your database with only those privileges that your scripts require. In most cases that is SELECT, INSERT, UPDATE and DELETE on the tables they touch, and nothing administrative.
  • when you are finished with your scripts, remove the password from the configuration file. I understand that with cron jobs and batch scripts this might not be possible; in that case, put the credentials in a separate file passed to the client with --defaults-extra-file rather than in ~/.my.cnf, so that only that job uses them.

There is an example my.cnf tuned for a larger system at /usr/share/mysql/my-large.cnf when you install MariaDB (the exact path and the set of sample files depend on your version).
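The three measures above, put together as an added example of my own (not a script from the original post or from MariaDB): a per-job defaults file created with a restrictive umask, a permission check that is stricter than the mysql client's own, and a wrapper that passes the file with --defaults-extra-file so the password never appears in argv. The function names and the "batch" user are assumptions; only run_sql contacts a server.

```sh
#!/bin/sh
# Added example, not code from the original post. Assumes POSIX sh, find(1)
# and, for run_sql only, a mysql client on PATH. Function names are my own.
set -eu

# Write a minimal [client] section for --defaults-extra-file. umask 077 makes
# the file 0600 from the moment it exists, so there is no window in which
# another local user can read the password; chmod is belt and braces in case
# the file already existed with wider permissions.
write_client_cnf() {
    cnf=$1 user=$2 password=$3
    rm -f "$cnf"
    ( umask 077
      printf '[client]\nuser=%s\npassword=%s\n' "$user" "$password" > "$cnf" )
    chmod 600 "$cnf"
}

# Return 0 only when the file is exactly mode 0600 and owned by the caller.
# The mysql client itself only refuses world-writable files; a world-readable
# one is accepted silently, so this check is deliberately stricter.
check_cnf_perms() {
    cnf=$1
    [ -f "$cnf" ] || return 1
    [ -n "$(find "$cnf" -perm 600 -user "$(id -un)" -print)" ]
}

# Run an SQL script against a database. Only the file name is in argv, so the
# password shows up neither in `ps` output nor in shell history.
run_sql() {
    cnf=$1 db=$2 script=$3
    check_cnf_perms "$cnf" || {
        echo "refusing: $cnf must be mode 0600 and owned by $(id -un)" >&2
        return 1
    }
    mysql --defaults-extra-file="$cnf" "$db" < "$script"
}

# Remove the credential once a one-off batch is done. For cron jobs keep the
# file, but leave it 0600 in a directory only the job's user can enter.
remove_client_cnf() {
    rm -f "$1"
}
```

Typical use in a batch job: write_client_cnf /var/lib/batch/job.cnf batch "$PASSWORD", then run_sql /var/lib/batch/job.cnf shop nightly.sql, then remove_client_cnf /var/lib/batch/job.cnf. The check runs before every invocation, so a file whose permissions were widened later (by a careless chmod or a backup restore) is refused rather than used.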

References

[1] StackOverflow - How to execute a MySQL command from a shell script?
https://stackoverflow.com/questions/8055694/how-to-execute-a-mysql-command-from-a-shell-script
[2] MysqlManual 5.7 - mysql_config_editor
https://dev.mysql.com/doc/refman/5.7/en/mysql-config-editor.html
[3] MariaDB Blog - MySQL 5.6: Security through Complacency?
https://mariadb.com/resources/blog/mysql-56-security-through-complacency
[4] Todd's MySQL Blog - Understanding mysql_config_editor’s security aspects
http://mysqlblog.fivefarmers.com/2012/08/16/understanding-mysql_config_editors-security-aspects/
[5] MariaDB - Configuring MariaDB with my.cnf
https://mariadb.com/kb/en/library/configuring-mariadb-with-mycnf/