Why just blocking port 80 won’t help you

We know HTTP is insecure since across the web IANA’s assigned port list is used by default which says port 80 should be used for HTTP traffic, but it’s not that you cannot run anything else which is “non-standard” in port 80.

Anyways, coming to point you could be running HTTP server on any port 80, 8080, 8090 whatever, HTTP protocol by design is left insecure. Since we cannot change the standard 80 usage everywhere (IPv6 is still on way even after decades) there are multiple remediations that can be used to avoid common challenges with HTTP.

  1. Instead of serving anything on port 80/HTTP, use it solely for redirecting to correct HTTPs/443. As recommended by cio.gov, letsencrypt
  2. Enforce HSTS Policy on your domain, by nature it will be effective only when your domain is access by the client once. if you don’t know what HSTS is, it is just a HTTP header that tells browser to always open website in HTTPS.
  3. Blocking or disabling doesn’t make your server any secure, in fact it makes things worse.
    1. There is still an open opportunity of MITM attack. The flaw is in protocol not in the implementation of HTTP, which is why anyone can sniff and serve you alternate content, even if you have port blocked in server.
    2. You will make things worse for your users, they won’t be able to access your website as normally they would.
    3. if you serve HSTS headers over HTTP, at least HSTS will be enforced on one hand.
    4. Everywhere you have to type HTTPS, which people don’t do, it is a painful thing to enforce.
  4. It is not about 80, it is more about not using HTTP anywhere, if you have other ports that serve content over HTTP it is still an issue!

Life : A simple advice

A thoughtful advice given to me long back, just posting it here for general reference, should work for you too ūüėČ

Stand strong always, may the sun always shine brightly for you after heavy rain.


Anger is paralyzing, its just the absence of control, You will have no use of it whatsoever.


So be patient and calm, make people quiet wid your skills, mindset and behavior if these three don’t work then don’t think ur words would matter.

Anonymous, June 2014

PDF Signing using hardware token (DSC) in Python

Hardware based tokens are widely used in India to generate signed PDF’s like invoices and agreement. We wrote small Python code to sign the invoices automatically where token was attached to a local server.

Windows drives are widely available but rare to find linux drivers are listed https://www.e-mudhra.com/Repository/index.html

You can uncomment to get the token name print(self.pkcs11.getSlotList(tokenPresent=True))
print(self.pkcs11.getTokenInfo(1)) to get token name, for PROXKey the name "WD PROXKey" was generated.

.dll/.so path for common tokens

  • For Windows the file will be in Windows\SysWOW64″ or “WINDOWS\system32” or “WINNT\system32‚ÄĚ
  • For Linux machine the file will be in /usr/local/lib/ or /usr/lib/
Hardware Token TypeLibrary file (Windows)Library file (Linux)
SafeSignaetpkss1.dllaetpkss1.so
eMudhraeMudhra\eMudhra CSPV1.0\wdpkcs.dll1. WatchData/eMudhra_3.4.3/lib/libpkcs11wrapper.so
2. WatchData/eMudhra_3.4.3/lib/libwdpkcs_eMudhra_343.so
Trust Key1. TRUST KEY\TRUST KEY CSP V1.0\wdpkcs.dll
2. C:\Windows\System32\TRUSTKEYP11_ND_v34.dll
1. WatchData/TRUSTKEY/lib/libpkcs11wrapper.so
2. WatchData/TRUSTKEY/lib/libwdpkcs_TRUSTKEY.so
Belgium eID MiddleWarebeidpkcs11.dllbeidpkcs11.so
Gemalto Cryptocard Tokenlibgtop11dotnet.dlllibgtop11dotnet.so
EPasseps2003csp11.dll
Aladdin eTokeneTPKCS11.dll
Safenet iKeydkck201.dll
Starkeyaetpkss1.dll
Watchdata PROXkeySignatureP11.dllWatchData/ProxKey/lib/libwdpkcs_SignatureP11.so
.DLL or .so path’s for linux.

Why books matter not just reading

So I am developer and maker – basically a keen person who is interested in almost everything which sounds logical. As hard it is to understand more interested I become in something.

In current “vast” space of information, On an average I read 10-15 articles a day that is being done since last 8 years but there hasn’t been a sense of knowledge satisfaction. If I compare it to my school days where I used to read through books which were related to computers, technical but outdated there is significant difference in satisfaction. (Do note, here I am not debating about articles in digital form & books in physical form.)

To understand the problem I started by creating a new habit.

Reading books – few pages as I wake up, few pages in evening. (Not a strict goal but 2 books/month – where each book averages to 200 pages and isn’t fictional )

So far it has been good and satisfaction level is quiet high !

but why ?

It seems it has to do with us :

  1. We skim not read, We skim news paper for information, we usually skim articles for information which we seek, we skim most of the content. With time, when brain see’s similar organization of content it activates the skimming mode.
  2. Information online is volatile; You might find similar or same piece of advise everywhere, copied & in few days it might disappear – & when not used it is trashed by brain. We need to see something once in a while to automatically recall & become more persistent.

    Eg: You read a book, keep it somewhere, you might stumble across it someday & open it – might check few things – you brain will start recalling many events but how many times you re-read same article ?
  3. Content doesn’t have a sense of authenticity; You come across articles, read them, understand them but mostly you can’t trust a content. How many people spend a month or a year in writing an article ?
    Articles have one key focus SEO, even if content is genuine it should have click baits, keywords etc but authenticity is not something search engines seek.
  4. Effort is missing; Again I am not talking about every article but publishing an article doesn’t require enough effort. While writing a book takes money, getting a publication house to agree and years of effort to put down thought – because once it is printed – it is printed.

    if you write something wrong – you can’t take book from people, there is error – it will persist for your lifetime. People will judge you by your book and it’s cover.
  5. Information is not organized; When you get a book, it’s always on specific theme and in all those pages it will talk just about that. You read related content such that slowly it starts persisting in your brain. And that how I got a sense of knowledge.

Irony is – this is an article.

This doesn’t mean that articles are bad but I have following perception on how articles should or shouldn’t be :

  1. Not for SEO : Yes, check the site if a lot of articles are of clickbait nature they will actually not convey good enough information. if a person is writing articles very frequently – those are there just for sake of being there.
  2. Should convey meaningful information : Now days most articles are just DERIVED from some other article, it is a good thing if article can innovate in certain manner or atleast put effort to organise certain information.
  3. There is no way but experience – on one hand you should not trust every source and should get information from trusted sources, but on other a good source doesn’t write frequently or broad topics. With time if one observes he/she can come to know how to identify bogus sources.
  4. Refer to official sources for information, yes just as in programming there are millions of tutorials but if I ever want to learn about something new I refer to official documentation – it doesn’t matter how badly it is written but usually documentations are accurate and explain logic as they are written by developers not content writer having bleak understanding about underlying principles. Same if for everything – if you want to read about some rules refer to government issued rule book – might not sound good – but it’s best way to have accurate information.

I know this is not a popular blog and there are not million followers but since you have read this articles feel free to comment and share what I missed – what else should be incorporated.

Solving the problem of phishing !

Phishing is a never ending war thug of war where one side is only trying to stop other side from winning, “Attackers are always trying to be innovative while defenders are trying to innovate on the innovation done by defenders.”

Ironic as it may sound, but this is what it is.

This article is not about blaming some organisation not doing enough to protect the customers here it is more about the vendors who are trying to defend, while current time doesn’t demand defence – instead it needs aggressive attack mechanism, even proactive attacks before damage could be done.

Approach

To solve the problem I am proposing a N step approach to solve the problem of phishing.

  1. Get ready with your defences – Just as in war, first strengthen your defences. It can be done by proactively doing following:
    1. Training your employees
    2. Asking cybersecurity team to be vigilant
    3. Performing vulnerability assessment and penetration testing.
    4. DDOS prevention (you might need, DDOS is cheap these days)
    5. DMARC, Cousin domains monitoring
    6. WAF, SIEM & other stuff.
  2. A small attack ( to know capabilities )
    1. To get an idea monitor what type of attacks are originating.
    2. Measure similarity among phishing attacks – you might be able to figure out active APT groups.
    3. Initiate takedown’s, publish something about them in media (yes, you heard me – more aggressively, see how they react)
  3. Attack the psychology
    1. Setting up “honeypot” (honeypot is key, I cannot write the process in detail, but trust me – they are something you will need) to gather information.
    2. Giving the attacker bogus information
    3. You win !

But how ?, the key part of approach is psychology – if you attack infrastructure it can be bought easily, success of a phishing attack depends on how good results the attacker gets.

Reasoning

if you ever conducted an actual phishing attack or have observed programmatic logics – attackers have adopted methods to get 2FA from clients but once verified data is valuable. Let’s do some math.

Let’s say you are conducting a phishing attack & it costs you to 100$ to compromise a web site or host it, sending email might cost you 0.001$.
Assuming 1/1000 spam are clicked – you are technically going to spend 1$ per click, let’s say 10% of clickers turn to victim. To get useful data you will require 10$.

if captured data is being sold in market at 20$ for every good data – you are going to make profit of 10$ excluding hosting cost.

but what if you are getting bogus data, which feels just good but now it is useless since 2FA has failed, or may be the server’s are not responding. Overall if vendors can make cost of Phishing high, only those will survive who have willingness to catch a whale.

Why world will be never cooler again !

The below article discusses my point of view in a mix technical fashion.

…and everyone is aware hot and cool are relative terms. Long before you touched ice, you never knew what is cooler than water. The moment you touched ice, you immediately altered your definition of cold. Moreover, definition of hot and cold are relative to your expectations. Even though you touched ice, it became coldest thing ever, you would have started imagining about living in igloo, but you never expected to build one in middle of thar.


To give you more feel of what I am saying, imagine back in middle ages, a person living in the middle of desert introduced to a water cooler, he would say it is the coolest thing. But if we take the same person to Greenland he stays for a week there, will he feel the same when he comes back ?, Probably not. Why ? because now he knows there is a cooler place possible where he can live.

Fast-forward to near present, Long before AC’s were just an idea – water cooler were luxury and fans were the things which gave chill while cool breeze used to give a chill. Slowly, globalization took over – science innovated, AC’s were reality. Water coolers became more like fan, their cool wind was now filled with moisture, fans became dry.

The perception of world has changed, that’s the reason – global warming can never be stopped, it can only be slowed, why ?

When you were out in open, it felt hot why ? – because recently you were in some cool place, you turn on fan – still hot, water cooler – still hot, AC at 25c – felt better, you go outside – sit in ac set to 17 – you come back you feel hot – turn on AC – Set to 25c – it is still hot – set to 17 – now it’s normal.

All this would feel normal , but this is a loop where once we are caught it’s hard to get out (probably never) why? – Let’s dig deeper.

  • AC is cool, Some Rich X Company gets it’s rich CEO a cool place with a million dollar AC.
  • People move in & out – while surviving in cool breeze of water coolers
  • They want to enjoy same cool environment as CEO – they work hard to get one.
  • Their collegue want same and everyone keeps getting AC.
  • As AC’s got cheaper, more people bought it as luxury.
  • More than People’s feeling of hot and cold changed , it impacted it’s surrounding.
  • The outside got hotter – why ? because of heat emitted by AC’s
  • People lowered temp – the heat emitted increased
  • People lowered it more and the outside world felt hotter.
  • Eventually the cool breeze can’t be cool – because the breeze are hot with heat emitted.
  • Forcing others to get AC.
  • Now, everyone is in AC – the world is hotter – we are installing AC’s to make it cooler.

Now, You can’t live without AC – because outside is hotter. It’s us making it hotter to make it cooler. The out will feel hotter day by day – people will lower the temperature – world will keep getting hotter because you want it to be cool. Sad thing – it will never end.

What can we do ?
One could say move to nature, it will take a lot more effort to educate everyone on this planet. My suggestion ? Sit in AC room and discuss possible solutions.

IOT Push Button (Like Amazon Dash)

Amazon Dash button is an incredible piece of hardware and another example of “applied engineering” in Amazon, just like Kindle.

The inspiration for this project isn’t directly derived from amazon dash, I wasn’t aware of it until I started digging the internet but at end, I had to set the performance goal to Amazon dash, because no other piece of hardware was up to mark. A detailed teardown of dash button can be found here.

So, Since “decades” I wanted to build some piece of hardware which I could dynamically program for any functionality like playing next youtube video, unlocking door, rebooting a machine, minimizing all open tabs or whatever with a push of a button. The button should be portable and independent of device for operation.

To meet my requirements I had to remove BLE or any other radio-based technology which needed a receiver or additional unit to operate. ESP-12F is power intensive and somewhat large if compared to esp-01.  The end prototype looked like this and worked as expected.

Below is list of components I used.

  • 1x LiPo Battery – 150mAh
  • 1x ESP8266-01
  • 1x 1k Register
  • 1x Tactile Switch Button

You might require a soldering iron with fine tip, basic desoldering skills, access to 3d printer, FTDI board or similar setup.

The schematics of setup would look like below:

The functioning would be like – We turn on ESP using push button, but it would take time to log in to wifi, authenticate – so we need to keep it on for pretty long time – which could be done by using programming output pins, As soon as ESP turn on GPIO2 can be set to HIGH, Once operation is finished it can be set to low. Few challenges which I found on way (with fixes):

  • Power is very limited – So we need to remove LED’s from the esp, this would save a lot of power and would increase battery life by almost a fold!
  • You should use diode and transistor to limit current, since I am not an electronic nerd I would not comment on it.
  • You should set a timeout period, in case you are writing custom logic else battery will drain and you will never come to know why!

After soldering – You have to upload following code which need to be tweaked according to need, but it has basic logic code –

The code can set in hotspot mode if couldn’t connect to wifi and if could connect it would make a connection to mqtt server and make an announcement then shutdown.

I hope you enjoyed the article, it wasn’t a detailed writeup and I dropped many details – but if you have any questions you can comment or drop mail – I will surely help.

Cheap BLE : JDY-08

Disclaimer : This post is based on my experience which is completely subjective, in no way I am promoting any application or product ūüėČ

 

I have been trying to get my hands into BLE4.0 modules since long. As always I was looking for small, cheap solution, JDY-08 was one of solution I came across – it seemed just Perfect !

JDY-08
JDY-08 Module

It is based on TI-CC2541 SOC, Low power consumption – long range Voila!

Below is what is being advertised by most vendors:

  1. maximum transmit power of 0db, the maximum transmission distance of 80 meters.
  2.  support serial allowing users to modify the device name through AT commands service UUID, transmit power, pairing password instructions, convenient to use and flexible.
  3. Ultra-low standby power consumption 400uA ~ 800uA
  4. Ultra-long connection distance 100 ft / 60 m
  5. Fast reaction speed 0.4 secondsFor Apple, AndroidReceive no byte limit, up to 6K Bytes/sec.

I quickly ordered 10pcs without a second thought.

Below is what you should keep in mind:

  1. Datasheet, documentation – everything is in Chinese! Cool !
    Luckily, Few folks did translation –¬†https://docs.google.com/document/d/14mHWT3GhELCj-6yxsam0k5bjzazq8nnPoz4B_gYh04k
    Also, you can check http://forum.arduino.cc/index.php?topic=432074.0 because this is the only helpful resource in the web.
  2. Firmware is broken – at least for me, some other user confirmed same in above Arduino thread.
  3. No other support.
  4. Non-standard board pitch, you cannot use header pins

But it is good in many ways:

  1. Small size, thin, light, small – cool!
  2. If you use HC-05 or HC-06 for transparent communication, you can use GATT terminal for transparent communication.
  3. Very low power consumption – from my tests, I found 0.5ma consumption.
  4. Long range Рupto 30meters without optimization.
  5. iBeacon mode – works fine – but power consumption was 0.5ma

I was unable to test as I could only use GATT write & notify methods, AT commands to change mode & device name, even AT+RST returned ERR.

You can use following tools to test :

Below is schematic I followed:

 

 

 

Adding a display over network !

You are doomed if your laptop has only one HDMI Port & you are running Linux in that box.

Unlike windows – where there are tons of easy to run solution, & there are still tons of solutions if you have big numbers in your pocket.

Certainly – I neither wish to spend money on external VGA/HDMI extender or docking station nor to change OS. So after googling a lot I discovered a solution which utilized a different machine to act as the streaming client. You can use RPI or an old p4 machine.

Below is how it works.

  1. Adds a virtual display on your machine, usually all graphics card support at least one virtual display.  You do all this using xrandr
  2. Create a VNC Server to stream that display – but since you cannot each time run two commands just to connect display – we are running VNCViewer in listen mode
  3. Connect to vnc viewer & keep running it in the background.

You Laptop —[Display Data]—> Network —-> VNCViewer

As suggested above you data is being streamed over the network ¬†– you cannot run 4k data. But if you have good Lan speed you won’t face any problem.

I have also optimized settings for best experience – so far I can use terminal, watch videos – the only drawback is you feel the lag when you use keyboard or mouse for realtime feedback.

In Client Machine, i.e. your laptop.

You will need to install x11vnc & screen

In server Machine (LAN address 10.0.0.2)

You will need to install VNC Viewer in client side.

Just Another DIY “Smart” Watch

Note : This article was written after project was partially completed, so i don’t have better images.

There are hundred’s of projects for building “Smart watch using arduino”, I have curated a list of better projects at end of this article. I didn’t plan to copy any of given projects but at end it turned out that world is a big place. So this blog post is my effort in developing “My smartwatch”.

Hardware :

  1. Arduino Pro mini
  2. Bluetooth module (HC-05)
  3. OLED Module (SSD1306)
  4. LiPo Battery (110 mAh)
  5. Thin copper wire, single strand if possible.
  6. FTDI Breakout board or any way to program Arduino pro mini.
  7. Micro USB female pins
  8. Membrane Tape

Tools :

  • Soldering iron – along with soldering wire, flux, etc.
  • 3d Printer/Good Crafting Skills to make a case
  • Working brain ! (Recommended)

Software :

  • Android Phone (BTTerm) /Linux System(minicom, rfcomm), Windows Phone, Windows *, Mac OS Users are on their own but you can search for “Bluetooth serial terminal”
  • Arduino IDE
  • Common Sense ! (Recommended)

The guide here is definitely not a step by step guide, it just tells the flow (an algorithm not code).

  1. Desolder pins in your OLED display. Yea, all header pins.. for noobs like me it’s a tough task.
  2. Desolder pins of HC-05/HC06 if it has, if you got module without header, skip
  3. Connect all GND, VCC pins of arduino, hc-05, oled Easy ?
  4. Solder oled pins SCL -> A5, SDA -> A4  to arduino.
  5. Solder hc-05 pins  TX -> 10, RX -> 11  to pro mini.
  6. Then Solder VCC with a switch (Any you prefer) & to battery.
  7. Upload the code
  8. Connect to HC-05 using phone & send any data.

    HC-05 Soldered

Oled, HC-05, ProMini Stacked.

 

 

 

 

 

 

Everything stacked Packed

Back View

Front View

 

 

 

 

 

 

 

 

 

Click here to watch working video.

Below is arduino code :

 

As told initially my build is not the best one, there are people with better electronics & better output check these :

http://www.instructables.com/id/Make-your-own-smart-watch/?ALLSTEP

http://makezine.com/projects/make-43/open-source-smartwatch/

http://www.tinkernut.com/portfolio/make-smartwatch-old-cell-phone-part-1/

http://oswatch.org/mkII_build_page_1.php

https://hackaday.io/project/12876-chronio

http://blog.zakkemble.co.uk/diy-digital-wristwatch/