April 16, 2018

15-Year-old Finds Flaw in Ledger Crypto Wallet

"A 15-year-old security researcher has discovered a serious flaw in cryptocurrency hardware wallets made by Ledger, a French company whose popular products are designed to physically safeguard public and private keys used to receive or spend the user’s cryptocurrencies."

https://krebsonsecurity.com/2018/03/15-year-old-finds-flaw-in-ledger-crypto-wallet/

https://krebsonsecurity.com/wp-content/uploads/2018/03/ledgerattack.pdf

Virtual Celebrities

"Gorgeous, popular, sought-after by brands... but these models on Instagram aren't real. They're digitally created. And to a lot of people, that doesn't matter at all."

http://www.bbc.com/capital/story/20180402-the-fascinating-world-of-instagrams-virtual-celebrities

Data Breach Fin7 Syndicate Hacks Saks Fifth Avenue and Lord & Taylor Stores

"On March 28, 2018, a notorious hacking JokerStash syndicate, also known as Fin7 announced the latest breach of yet another major corporation, with more than five million stolen payment cards offered for sale on the dark web."

https://geminiadvisory.io/fin7-syndicate-hacks-saks-fifth-avenue-and-lord-taylor

March 20, 2018

Getting Started with JSF 2.2 (Java EE 7) in JBoss EAP 7

Introduction

Here is a simple guide to get started with JSF 2.2 development with JBoss EAP 7.

Maven

Let's start with a Maven WAR POM for Java EE 7. See also Minimalistic POM for Java EE 7.

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
 
    <modelVersion>4.0.0</modelVersion>
    <groupId>se.magnuskkarlsson.netbeans.examples</groupId>
    <artifactId>example-ee7-web</artifactId>
    <version>1.0.0-SNAPSHOT</version>
    <packaging>war</packaging>
 
    <properties>
        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
        <project.build.outputEncoding>UTF-8</project.build.outputEncoding>
        <maven.compiler.source>1.8</maven.compiler.source>
        <maven.compiler.target>1.8</maven.compiler.target>
        <failOnMissingWebXml>false</failOnMissingWebXml>
    </properties>
 
    <dependencies>
        <dependency>
            <groupId>javax</groupId>
            <artifactId>javaee-api</artifactId>
            <version>7.0</version>
            <scope>provided</scope>
        </dependency>
 
        <!-- Test Support -->
        <dependency>
            <groupId>junit</groupId>
            <artifactId>junit</artifactId>
            <version>4.12</version>
            <scope>test</scope>
        </dependency>
    </dependencies>
    
    <build>
        <finalName>${project.artifactId}</finalName>
    </build>
</project>

Java EE 7 Deployment Descriptors

The deployment descriptors used here are listed below. See also Java EE 7 Deployment Descriptors:

  • src/main/webapp/WEB-INF/web.xml - Not required, but will probably be used later. EMPTY
  • src/main/webapp/WEB-INF/faces-config.xml - Required for JSF to work in EAP. EMPTY
  • src/main/webapp/WEB-INF/beans.xml - Required for CDI to work. EMPTY

src/main/webapp/WEB-INF/web.xml

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">

</web-app>

src/main/webapp/WEB-INF/faces-config.xml

<?xml version="1.0" encoding="UTF-8"?>
<faces-config xmlns="http://xmlns.jcp.org/xml/ns/javaee"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-facesconfig_2_2.xsd"
              version="2.2">

</faces-config>

src/main/webapp/WEB-INF/beans.xml

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://xmlns.jcp.org/xml/ns/javaee"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/beans_1_1.xsd"
       version="1.1" bean-discovery-mode="all">

</beans>

JSF Managed Bean

Do not use the JSF @javax.faces.bean.ManagedBean; use standard CDI instead. It's more generic and you only need to learn one technique.

src/main/java/se/magnuskkarlsson/netbeans/example/ee7/web/Person.java

package se.magnuskkarlsson.netbeans.example.ee7.web;

import java.util.Date;
import javax.enterprise.context.RequestScoped;
import javax.inject.Named;
import javax.validation.constraints.Max;
import javax.validation.constraints.Min;
import javax.validation.constraints.NotNull;
import javax.validation.constraints.Past;
import javax.validation.constraints.Size;

@Named
@RequestScoped
public class Person {

    @Size(min = 1, max = 256)
    private String firstName;
    @Size(min = 1, max = 256)
    private String lastName;
    @Min(12)
    @Max(100)
    private int age;
    @NotNull
    @Past
    private Date birthdate;

    public String getFirstName() {
        return firstName;
    }

    public void setFirstName(String firstName) {
        this.firstName = firstName;
    }

    public String getLastName() {
        return lastName;
    }

    public void setLastName(String lastName) {
        this.lastName = lastName;
    }

    public int getAge() {
        return age;
    }

    public void setAge(int age) {
        this.age = age;
    }

    public Date getBirthdate() {
        return birthdate;
    }

    public void setBirthdate(Date birthdate) {
        this.birthdate = birthdate;
    }
}

JavaServer Faces/JSF Page

src/main/webapp/person.xhtml

<?xml version='1.0' encoding='UTF-8' ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"
      xmlns:h="http://xmlns.jcp.org/jsf/html"
      xmlns:f="http://xmlns.jcp.org/jsf/core">
    <h:head>
        <title>Facelet Title</title>
    </h:head>
    <h:body>
        <h:form>
            <!-- <h:messages style="color:red;" showDetail="true" showSummary="true" /> -->
            <h:panelGrid columns="3">
                <h:outputLabel for="firstName" value="First Name: " />
                <h:inputText id="firstName" value="#{person.firstName}" />
                <h:message for="firstName" style="color: red;" />

                <h:outputLabel for="lastName" value="Last Name: " />
                <h:inputText id="lastName" value="#{person.lastName}" />
                <h:message for="lastName" style="color: red;" />

                <h:outputLabel for="age" value="Age: "/>
                <h:inputText id="age" value="#{person.age}" />
                <h:message for="age" style="color: red;" />
    
                <h:outputLabel for="birthdate" value="Birthdate: " />
                <h:inputText id="birthdate" value="#{person.birthdate}" label="birthdate">
                    <f:convertDateTime pattern="yyyy-MM-dd" />
                </h:inputText>
                <h:message for="birthdate" style="color: red;" />
            </h:panelGrid>
            <h:commandButton value="Save" action="confirmation" />
        </h:form>
    </h:body>
</html>

Test

Now let's test on a standard server started with $JBOSS_HOME/bin/standalone.sh, with the WAR deployed.

You can access the JSF page from two URLs: http://localhost:8080/example-ee7-web/person.jsf and http://localhost:8080/example-ee7-web/faces/person.xhtml

February 23, 2018

Using Atom Text Editor for Python

In my previous blog post Text Editor and IDE for Python I discussed different editors for Python. Here I will use the Atom text editor and install plugins for Python.

From Atom, open Settings and search for the plugin script.

Now you can run Python scripts inside Atom. First write something and save it as a .py file. Then hit SHIFT+CTRL+B.

Next we can install the autocomplete plugin: autocomplete-python

Text Editor and IDE for Python

Text Editor

Atom text editor, free, by the people behind GitHub - https://atom.io/.

Sublime Text editor, free to use but asks you to pay - https://www.sublimetext.com/.

Commercial IDE

Komodo IDE has great reviews - https://www.activestate.com/komodo-ide/python-editor.

The almighty JetBrains PyCharm, which offers debugging - https://www.jetbrains.com/pycharm/.

December 16, 2017

The Kerberos Protocol

Key Concepts

"Kerberos uses symmetric-key cryptography to authenticate users to network services" [1]

"The Authentication Server maintains a database of principals and their secret keys." [2]

"The secret key is derived from a password. ==> Opens for password guessing attacks" [2]

"Basing trust on host addresses." [2]

RFC 4120 "The Kerberos Network Authentication Service (V5)" obsoletes RFC 1510

Overview



Client Authentication

"3.1. The Authentication Service (AS) Exchange" [2]

Message direction               Message type   Section
1. Client to Kerberos           KRB_AS_REQ     5.4.1
2. Kerberos to client           KRB_AS_REP     5.4.2
                                KRB_ERROR      5.9.1

KRB_AS_REQ: cname, realm, from, till, nonce, address, ...  **cleartext message**
    cname, client's principal.
    realm
    from and till, the requested start and expiration time of the ticket
    nonce, number used only once (matched against the reply)
    address, client's network address
   
KRB_AS_REP: {K.c,tgs, realm, from, till, nonce, ...}K.c {T.c,tgs}K.tgs
    {...}K.c encrypted with the Client Secret Key
    K.c,tgs Client/TGS Session Key
    realm
    from and till, the start and expiration time of the issued ticket
    same nonce as in request

    {...}K.tgs encrypted with TGS Secret Key
    T.c,tgs Client-to-TGS (Ticket-Granting Service) Ticket which includes:
        Client principal
        Client network address
        Client/TGS Session Key

Authentication of the request: the KRB_AS_REQ itself is not authenticated. "This is acceptable because nobody but the principal whose identity was given in the request will be able to use the reply." [2]

Client Service Authorization

"3.3. The Ticket-Granting Service (TGS) Exchange" [2]

Message direction               Message type   Section
1. Client to Kerberos           KRB_TGS_REQ    5.4.1
2. Kerberos to client           KRB_TGS_REP    5.4.2
                                KRB_ERROR      5.9.1

KRB_TGS_REQ: {authenticator, ...}K.c,tgs {T.c,tgs}K.tgs, address, from, till, nonce
    {...}K.c,tgs encrypted with Client/TGS Session Key
    Authenticator (which is composed of the client principal and timestamp)
   
    {T.c,tgs}K.tgs from KRB_AS_REP
   
    address, Service network address
    from and till, the requested start and expiration time of the ticket
    nonce, number used only once (matched against the reply)

KRB_TGS_REP: {K.c,s, address, from, till, nonce, ...}K.c,tgs {T.c,s}K.s
    {...}K.c,tgs encrypted with Client/TGS Session Key
    K.c,s, Client/Service Session Key
    address, Service network address
    from and till, the start and expiration time of the issued ticket
    same nonce as in request

    {...}K.s encrypted with the Service Secret Key.
    T.c,s Client-to-Service-Ticket which includes:
        Client principal
        Client network address
        Validity period
        Client/Server Session Key

Client Service Request

"3.2. The Client/Server Authentication Exchange" [2]

Message direction               Message type   Section
1. Client to Application        KRB_AP_REQ     5.5.1
2. Application server to client KRB_AP_REP     5.5.2
                                KRB_ERROR      5.9.1

KRB_AP_REQ: {authenticator, ts, ...}K.c,s {T.c,s}K.s
    {...}K.c,s encrypted with K.c,s Client/Service Session Key
    authenticator, new Authenticator which includes client principal and timestamp
    ts, timestamp
   
    {T.c,s}K.s from KRB_TGS_REP

KRB_AP_REP [Optional]: {ts}K.c,s
    {...}K.c,s encrypted with Client/Service Session Key
    ts, timestamp

keytabs (Key Tables)

Used for services that typically run as system services and hence have no interactive login to type a password. Here the keytab contains K.s, the service's long-term secret key.
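The three exchanges above (AS, TGS and AP) and the keytab note, run end to end in one script. This is an added example, not code from the page or from RFC 4120: the cipher is a toy stand-in (SHA-256 keystream plus HMAC tag) so that only the Python standard library is needed, whereas real Kerberos uses the RFC 3961/3962 encryption types. The realm EXAMPLE.ORG, the principals alice, krbtgt and host/web01, the passwords, the address and the clock values are all constructed. The page's notation is kept: K.c is derived from the password, K.c,tgs and K.c,s are session keys, T.c,tgs and T.c,s are tickets opaque to the client, and each verifier checks the authenticator's principal and timestamp; the service additionally keeps a replay cache so a captured KRB_AP_REQ cannot be presented twice.

```python
"""Toy walk-through of the three Kerberos exchanges (added example, not from the page
or RFC 4120; toy cipher, constructed principals, passwords, address and clock)."""
import hashlib, hmac, json, os

SKEW = 300           # accepted clock skew for authenticator timestamps (seconds)
LIFETIME = 8 * 3600  # ticket lifetime granted by the KDC (seconds)

def derive_key(password, salt):
    """K.c is derived from the user's password (hence the guessing risk noted above)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000)

def _keystream(key, iv, n):
    return b"".join(hashlib.sha256(key + iv + i.to_bytes(4, "big")).digest()
                    for i in range(n // 32 + 1))[:n]

def encrypt(key, obj):
    """{obj}key: toy encrypt-then-MAC of a JSON-encoded message."""
    plain = json.dumps(obj, sort_keys=True).encode()
    iv = os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(plain, _keystream(key, iv, len(plain))))
    return iv + ct + hmac.new(key, iv + ct, hashlib.sha256).digest()

def decrypt(key, blob):
    iv, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, iv + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return json.loads(bytes(c ^ s for c, s in zip(ct, _keystream(key, iv, len(ct)))))

def check_authenticator(auth, tkt, now):
    """Checks a verifier runs on an authenticator decrypted with the ticket's session key."""
    if auth["cname"] != tkt["cname"]:
        raise ValueError("authenticator principal does not match ticket")
    if not tkt["from"] <= now < tkt["till"]:
        raise ValueError("ticket outside its validity period")
    if abs(now - auth["ts"]) > SKEW:
        raise ValueError("authenticator timestamp outside clock skew")

class KDC:
    """Principal database: K.c for users, K.tgs (krbtgt) and K.s for services."""
    def __init__(self, realm):
        self.realm, self.db = realm, {}
    def register(self, name, password):
        self.db[name] = derive_key(password, self.realm + name)
        return self.db[name]
    def _ticket(self, tkt_key, cname, address, key, now):
        # T.c,x is opaque to the client: only the holder of tkt_key can read it
        return encrypt(tkt_key, {"cname": cname, "address": address, "key": key.hex(),
                                 "from": now, "till": now + LIFETIME})
    def as_exchange(self, req, now):
        """KRB_AS_REQ (cleartext) -> {K.c,tgs, realm, from, till, nonce}K.c {T.c,tgs}K.tgs"""
        k_c_tgs = os.urandom(32)
        enc = encrypt(self.db[req["cname"]], {"key": k_c_tgs.hex(), "realm": self.realm,
                      "from": now, "till": now + LIFETIME, "nonce": req["nonce"]})
        return enc, self._ticket(self.db["krbtgt"], req["cname"], req["address"], k_c_tgs, now)
    def tgs_exchange(self, enc_auth, t_c_tgs, sname, nonce, now):
        """{authenticator}K.c,tgs {T.c,tgs}K.tgs -> {K.c,s, from, till, nonce}K.c,tgs {T.c,s}K.s"""
        tkt = decrypt(self.db["krbtgt"], t_c_tgs)
        k_c_tgs = bytes.fromhex(tkt["key"])
        check_authenticator(decrypt(k_c_tgs, enc_auth), tkt, now)  # proves possession of K.c,tgs
        k_c_s = os.urandom(32)
        enc = encrypt(k_c_tgs, {"key": k_c_s.hex(), "sname": sname,
                      "from": now, "till": now + LIFETIME, "nonce": nonce})
        return enc, self._ticket(self.db[sname], tkt["cname"], tkt["address"], k_c_s, now)

class Service:
    """Application server; its keytab holds K.s and nothing else."""
    def __init__(self, keytab_key):
        self.k_s, self.replay_cache = keytab_key, set()
    def ap_exchange(self, enc_auth, t_c_s, now):
        """{authenticator, ts}K.c,s {T.c,s}K.s -> {ts}K.c,s (mutual authentication)"""
        tkt = decrypt(self.k_s, t_c_s)
        k_c_s = bytes.fromhex(tkt["key"])
        auth = decrypt(k_c_s, enc_auth)
        check_authenticator(auth, tkt, now)
        if (auth["cname"], auth["ts"]) in self.replay_cache:
            raise ValueError("replayed authenticator")
        self.replay_cache.add((auth["cname"], auth["ts"]))
        return encrypt(k_c_s, {"ts": auth["ts"]})

def run(password="correct horse", now=1_700_000_000):
    """Client side of all three exchanges against a freshly populated KDC."""
    kdc = KDC("EXAMPLE.ORG")
    kdc.register("krbtgt", "tgs-long-term-secret")
    kdc.register("alice", "correct horse")
    svc = Service(kdc.register("host/web01", "service-long-term-secret"))
    k_c = derive_key(password, "EXAMPLE.ORG" + "alice")  # derived locally from the typed password
    nonce = int.from_bytes(os.urandom(4), "big")
    enc, t_c_tgs = kdc.as_exchange({"cname": "alice", "address": "10.0.0.5", "nonce": nonce}, now)
    rep = decrypt(k_c, enc)                   # a wrong password fails here, not at the KDC
    if rep["nonce"] != nonce:
        raise ValueError("KRB_AS_REP nonce mismatch")
    k_c_tgs = bytes.fromhex(rep["key"])
    enc, t_c_s = kdc.tgs_exchange(encrypt(k_c_tgs, {"cname": "alice", "ts": now}),
                                  t_c_tgs, "host/web01", nonce + 1, now)
    rep = decrypt(k_c_tgs, enc)
    if rep["nonce"] != nonce + 1:
        raise ValueError("KRB_TGS_REP nonce mismatch")
    k_c_s = bytes.fromhex(rep["key"])
    ap_req = encrypt(k_c_s, {"cname": "alice", "ts": now})
    ap_rep = decrypt(k_c_s, svc.ap_exchange(ap_req, t_c_s, now))
    return {"mutual_auth_ok": ap_rep["ts"] == now, "service": svc,
            "ap_req": ap_req, "t_c_s": t_c_s, "now": now}

def replay_rejected(result):
    """A captured KRB_AP_REQ presented again is refused by the service's replay cache."""
    try:
        result["service"].ap_exchange(result["ap_req"], result["t_c_s"], result["now"])
    except ValueError as e:
        return "replayed" in str(e)
    return False

def wrong_password_rejected():
    """A guessed password cannot decrypt KRB_AS_REP; the integrity check catches it."""
    try:
        run(password="wrong guess")
    except ValueError as e:
        return "integrity" in str(e)
    return False
```

Calling run() returns mutual_auth_ok True; replay_rejected(run()) and wrong_password_rejected() both return True. Two design points carry over from the notes above: the KDC never sees the password, it only issues a reply that is useless without K.c, which is exactly why the cleartext KRB_AS_REQ is acceptable and also why offline guessing against a captured KRB_AS_REP is the risk the notes flag; and the service needs only K.s from its keytab, since everything else it needs (K.c,s, the client principal, the validity period) arrives inside T.c,s.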

References

[1] Red Hat System-Level Authentication Guide, Chapter 11. Using Kerberos
[2] RFC 4120, The Kerberos Network Authentication Service (V5)
[3] Kerberos (protocol), Wikiwand