hash – How good/bad is this implementation to secure password?

I’ve just started a new project and decided to try something new, so I’m no longer using EntityFramework and the Identity framework. I decided to try MongoDB, so I wanted to design storing users in the database from scratch.

In the database I’m going to store the password and salt. My salt generator looks like this:

internal class SaltGenerator : ISaltGenerator
{
    private const int SaltLength = 32;

    public string GenerateSalt()
    {
        var saltBytes = new byte[SaltLength];
        using (var cryptoService = new RNGCryptoServiceProvider())
        {
            cryptoService.GetNonZeroBytes(saltBytes);
        }

        return Convert.ToBase64String(saltBytes);
    }
}

and Password hash generator:

internal class PasswordHashGenerator : IPasswordHashGenerator
{
    public string HashPassword(string password, string salt)
    {
        if (string.IsNullOrEmpty(password))
            throw new ArgumentNullException(nameof(password));

        if (string.IsNullOrEmpty(salt))
            throw new ArgumentNullException(nameof(salt));

        using(SHA256 sha256 = SHA256.Create())
        {
            var computedPassword = $"{password}{salt}";
            var passwordBytes = sha256.ComputeHash(Encoding.UTF8.GetBytes(computedPassword));

            return Convert.ToBase64String(passwordBytes);
        }
    }
}

And to test that everything is fine, very simple unit tests:

    [Fact]
    public void Should_GenerateSalt()
    {
        // Arrange
        ISaltGenerator _saltGenerator = new SaltGenerator();

        // Act
        var salt = _saltGenerator.GenerateSalt();

        // Assert
        Assert.False(string.IsNullOrEmpty(salt));
    }

    [Theory]
    [InlineData("testPassword", "testHash")]
    [InlineData("nextTestPasword", "nextTestHashHash")]
    [InlineData("testPasswooooord", "testHaaaaaash")]
    [InlineData("c98b7acd-19af-45a0-b133-96a43c8d2204", "eafe4fbb-4480-462d-9d3e-6d20a2128e8a")]
    public void Should_GeneratePasswordHash(string password, string salt)
    {
        // Act
        var hashedPassword = _passwordHashGenerator.HashPassword(password, salt);

        // Assert
        Assert.False(string.IsNullOrEmpty(hashedPassword));
        var nextHashedPassword = _passwordHashGenerator.HashPassword(password, salt);

        Assert.Equal(hashedPassword, nextHashedPassword);
    }

My question: How good/bad is this code? What should I change to be sure that the password is protected enough? On the internet I also found something like this:
How to Use Argon2 for Password Hashing in C#
Is this implementation much better?

smb – Is SMB3-only Samba secure?

There’s lots of “SMB is bad” parroting online, and whenever I look closely, these claims are either unsubstantiated, or apply to unpatched or misconfigured Windows servers or old versions of the SMB protocol.

If I put stuff like this in my smb.conf

server min protocol = SMB3
smb encrypt = required
tls cafile = /letsencrypt/chain.pem
tls certfile = /letsencrypt/cert.pem
tls keyfile = /letsencrypt/key.pem

am I still in trouble?

Notably, Microsoft’s own Azure Cloud ostensibly offers Internet-facing SMB3 shares. So there must be a way to secure them, right? One thing that still worries me is that I’ve never seen Windows Explorer complain about self-signed certificates.

diffie hellman – ESP32: Secure WiFi credentials via WebCrypto?

Background information:

I am not a computer scientist. However, in a research project I am currently building an ESP32-based sensor. Multiple sensors of this type are going to be used by multiple users.

Every time a user wants to utilize a sensor, the sensor needs to get the WiFi credentials of this specific user so that the ESP32 can connect to the WiFi (for publishing the sensor data in a dashboard). In order to deliver these WiFi credentials, the ESP32 will be set up as a WiFi access point (AP) during the configuration phase. Each user shall be able to use his/her smartphone to connect to the ESP, which runs a small HTTP server and delivers a login form to the user’s smartphone. After entering the credentials, they are sent via HTTP to the ESP32, which can then use them to log in to the WiFi of my institute. Obviously, transferring the WiFi credentials via HTTP is not safe and, thus, they need to be encrypted.

Although it would be possible with a few workarounds, I don’t want to use HTTPS for the communication between smartphone and ESP32, since it seems to involve a lot of implementation inconveniences. I also don’t want to use a separate smartphone app, but want to stay with the browser-based approach, if possible.

The idea:

I found the following blog post which demonstrates how one can achieve a Curve25519-based Diffie-Hellman (DH) key exchange between a Node-JS Server and an ESP8266. Additionally, I stumbled across WebCrypto yesterday. This led me to the following idea:

My ESP32 might deliver WebCrypto code together with the login form, which it sends to the user’s smartphone. Since WebCrypto seems to be supported by most of the modern smartphone browsers, the smartphone could locally generate a key pair via WebCrypto. The ESP32 could generate its own key pair via the Crypto library mentioned in the link. Then both devices can do a Diffie-Hellman key exchange, the smartphone can encrypt the WiFi password and send it to the ESP32, which can then decrypt it and use it.

Questions:

I have absolutely no experience with encryption, coding Diffie-Hellman key exchange, or using WebCrypto. Obviously, there is a lot that can be implemented in a wrong way and cause a false security feeling. Furthermore, WebCrypto seems to have no implementation of Curve25519. Therefore, I have a few questions:

  1. Is there a simpler approach to achieve a secure WiFi credential transfer from the smartphone to the ESP32?

  2. Is the proposed idea realistic and safe?

  3. What are the biggest security pitfalls which I need to consider during implementation of this idea?

  4. If you have experience with WebCrypto, what alternatives to the Curve25519 key generation would be the best?

  5. At the end of the aforementioned link, the author mentioned that ensuring device identity is a problem which is not solved in their example. What does that mean?

security – How we can secure the ClientID & ClientSecret inside our remote event receivers (Inside SharePoint Provider hosted app)

I have developed many remote event receivers and host them inside Azure web apps. Now the web.config file inside those remote event receivers contains the ClientId & ClientSecret, as follows:

  <appSettings file="custom.config">
    <add key="ClientId" value="e***7" />
    <add key="ClientSecret" value="h***g=" />
  </appSettings>

Now if a hacker or an end user found those values inside the project code, then the user can control all the sites, as when we register the remote event receivers we grant them full control on the site collection. So any advice on how we can secure those details, so that if someone accesses the source code of the RER then she/he cannot view those details?

Thanks

web browser – How do applications which are integrated using a javascript client side sdk, secure their data or disallow spam?

Take Google Maps as an example. Google Maps provides a JavaScript client SDK, which means any web app running JavaScript can access the Google Maps SDK. You need to use an API_KEY so that Google can rate limit your requests and apply some quota on the requests coming from your API key. If you exceed the quota you would be charged more.

The API_KEY has to be specified in the client-side JavaScript, so it would be visible to anyone who uses your application, and then anyone can abuse your quota. To get around this, Google suggests adding referrer-based security while setting up your SDK on the Google app console. You can specify a list of origins that Google would accept requests from, based on the referrer header. So if someone gets your API key and tries to use it from another web application running on another domain, either Google would not respond to those requests, or the request wouldn’t be added to your quota. This acts as a basic level of security, BUT the referrer header can be easily spoofed.

Now Google Maps does not have any user-specific data, so maybe API_KEY abuse is not that big an issue.

Consider an application like Sentry, which allows a JavaScript client to send events to a Sentry server. Sentry can also impose similar restrictions based on the referrer or origin header, and only allow events to your Sentry server from certain domains. But wouldn’t it be easy for someone to directly send events to your Sentry and spam your Sentry server?
Sentry suggests to not send any PII in the events anyway, so in case it was possible to get data somehow, at least the guidelines are clear.

But what about products like Intercom, where the primary functionality is collecting user data in some form or the other? If someone knows the unique id of another user in Intercom, they can basically see all the data from the other user, their chats, their messages etc. Intercom is a completely frontend setup, where the requests to the Intercom script and the Intercom server happen through the front end, so if the front end can get a user’s data through Intercom, then any other user can get another user’s data by initiating Intercom with the other user’s id in their browser or directly using curl. There is no auth as such; there is an app key which is also completely frontend.

I am just trying to understand how such applications secure themselves.

Some points about Intercom:

  • it opens in an iframe, with the intercom.com domain
  • possibly the API has CORS restrictions, so only requests from the intercom.com domain are allowed, but these restrictions are not applicable for curl
  • it exposes some JavaScript methods to initialize with an app secret and you can pass a unique id for the user. The app key is frontend only so can easily be seen in any integration, and the user id can be leaked through other ways. Once leaked, I can just use this user id and the secret key from anywhere to get messages for the user.

How more secure is using Shim/PreLoader than having Secure Boot disabled?

I have my doubts about how secure it is to use Shim/PreLoader to allow booting Linux with Secure Boot enabled.

My doubt comes from the fact that it seems to me Shim’s MokManager and PreLoader’s HashTool can be run by anyone with physical access to the device. They are not password protected, nor do they limit their execution in any other way. An attacker gaining access to the machine can run the tool and whitelist his own binary, then Secure Boot will allow this binary to boot. How much more secure is that than having Secure Boot disabled?

Even if I remove the MokManager/HashTool from the ESP, the attacker could provide his own copy of that binary, as they are easily available on the internet. They are all signed by Microsoft certificates, so they will pass Secure Boot validation without problems.

raindog308’s Journeys: Secure Your Data With a Dragon at SecureDragon


A long time ago in a galaxy…well, in Florida, there was a company called BackupDragon.  They provided backup VPSes, in a time when these were not yet common.  Today, “storage VPSes” are all over the marketplace but a decade ago, there were few players who specialized in the “high storage, low other resources” offering.

BackupDragon evolved into SecureDragon, a very well-run provider owned by Joe Dougherty (@KuJoe on LET).

Joe has been in the hosting game since forever.  In fact, he used to be an admin on FreeWebHostingTalk (when it still existed – it since has been folded into WHT).  He quite literally wrote the book on free web hosting.  As you might imagine for a book copyright 2010, its information is archaic today but it was an excellent book that talked about many practical aspects of free web hosting.

So when you buy services from SecureDragon, you know you’re benefitting from the experience of someone who’s been around the block.  SecureDragon offers OpenVZ, KVM, backup service, Storage VMs, and cPanel hosting.

What’s neat about SD is that they’ve continued to innovate.  Instead of chasing the bottom of the price ladder, they’ve added features to keep their business sustainable.  Some examples:

  • They have a custom control panel called Wyvern that includes features not seen at other providers.  For example, you can live-migrate your OpenVZ containers to any of their 8 locations.  This panel has been professionally audited for security.
  • They continue to offer a backup service separate from their storage servers.  So if you want space for backups but don’t want to admin a VPS, you can just get a backup account.
  • They’ve continually focused on transparency, including server status, frequent announcements, and published average ticket response times.

I’ve always had a good experience at SD.  They’re generally not the cheapest (though watch LET for occasional deals!) but they always work hard to earn your business.

Now read more to see some pricing!

All prices current as of this posting.

KVM 512

  • 512MB
  • 10GB Disk
  • 1 Core
  • 1000GB Bandwidth
  • 1Gbps Port
  • 1 ipv4
  • /64 ipv6
  • Tampa, FL
  • $3.99/mo

KVM 1GB

  • 1GB
  • 20GB Disk
  • 2 Cores
  • 2000GB Bandwidth
  • 1Gbps Port
  • 1 ipv4
  • /64 ipv6
  • Tampa, FL
  • $4.99/mo

KVM 2GB

  • 2GB
  • 40GB Disk
  • 4 Cores
  • 4000GB Bandwidth
  • 1Gbps Port
  • 1 ipv4
  • /64 ipv6
  • Tampa, FL
  • $9.99/mo

OpenVZ 96MB

  • 96MB RAM
  • 3GB Disk
  • 2 Cores
  • 250GB Bandwidth
  • 1Gbps Port
  • 1 ipv4
  • /64 ipv6
  • 9 US Locations
  • $11.99/year

OpenVZ 512MB

  • 1GB RAM
  • 25GB Disk
  • 4 Cores
  • 2000GB Bandwidth
  • 1Gbps Port
  • 1 ipv4
  • /64 ipv6
  • 9 US Locations
  • $5.99/mo

OpenVZ 2GB

  • 2GB RAM
  • 35GB Disk
  • 4 Cores
  • 3000GB Bandwidth
  • 1Gbps Port
  • 1 ipv4
  • /64 ipv6
  • 9 US Locations
  • $12.99/mo


raindog308

I’m Andrew, techno polymath and long-time LowEndTalk community Moderator. My technical interests include all things Unix, perl, python, shell scripting, and relational database systems. I enjoy writing technical articles here on LowEndBox to help people get more out of their VPSes.

multi factor – MFA authentication to O365 – remote workers users without mobile phone. Which secure solution?

We are deploying O365 in my company (Teams, SharePoint, Exchange Online, Office suite). In order to connect from outside our network (remote workers, especially during this pandemic), we’ve implemented MFA with MS Authenticator and OTP with SMS. Some users use their professional phones, others their personal ones for this second-factor authentication, but some do not have professional phones AND don’t want to use their personal ones for privacy. Giving them hard tokens is an issue for us as it’s difficult to manage for logistics and support. We are thinking about soft tokens in the PC itself. Do you think it is secure enough? What are the solutions for a soft token in a PC? What is the risk? If there is a keylogger on the PC, even if the attacker gets the password and the PIN for the soft token, how can he use it on another PC, as the soft token was enrolled only on the first machine?

More globally, if you have some documentation or hints to understand what the attack vectors are with several authentication methods to SaaS applications (personal device, professional device managed by the company & antivirus/EDR, laptop, PC, MFA w/ mobile SMS/authenticator OTP/Authenticator push, enrolled PC/mobile w/ Intune, MFA w/ soft token in the laptop and additional certificate in the PC…), I am more than interested 🙂

Thanks to all, and it is my first post 🙂

Big Sur Add trusted certificate via command line (Safari Can’t establish a secure connection)

I am trying to have Safari stop preventing me from visiting one of my dev machines with an invalid cert.

I am trying to use the solution in this thread but install it using the CLI:

   security add-trusted-cert -r trustRoot -k ~/Library/Keychains/login.keychain-db /tmp/test.cert

I am still receiving the “Safari Can’t Open the Page because Safari can’t establish a secure connection to the server” error.

I want it to be applied to the user so I don’t want to do the -d flag. And I know I am correctly downloading the cert because if I add the certificate and trust it through the OSX GUI, it works fine.

Another interesting note is that this solution works for my Brave and Firefox browsers, so it’s just Safari that is giving me grief, but even Safari works when I add the downloaded cert via the GUI.

iphone – What do I need to do to back up and secure my mobile data before sending it for repair

I have an iPhone 11 and its screen was broken, so I will send it to an authorized reseller for Apple. But before doing so I will remove all the data I have. This data includes photos, videos, and apps (mail app, WhatsApp, and other apps).

So I have these 2 questions:

  1. Is there a way to back up all my data and apps and to be able to restore them after getting my mobile fixed?

  2. How can I securely remove the data inside my phone, so it cannot be recovered when I send it to the technician?

Thanks