Tuesday, July 16, 2019

PANOS updates with a letter in the name

Looking at my PANOS update emails, I notice that they had a PANOS with "h4" in the name. I do not see that much of this, but it does happen.




It seems like we are seeing more PANOS supplemental hotfixes which could be seen as a good or bad thing. Good in that issues are being found and fixed.

These updates need to be reviewed for critical issues and applied. When you see a lot of HIGH CVEs, then it's truly time to take a closer look.

In an HA setup, you can easily apply these updates with zero impact.





NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o
        /  \

Thursday, July 11, 2019

Opera VPN in the browser

Vpnbook is one of the best VPN solutions that can come in handy. Here we will look at the Opera browser VPN. They have the ability to select a VPN for web browsing.

When the VPN tab is "blue", your true web-browsing address is being hidden.



Various locations, when selected, will show different "what is my address" details.





My real IPv4 address at this open WiFi hotspot is shown below as 216.24.68.195.




Using Opera, all of its traffic will be sourced with the VPN address, and any other traffic will use the real address.



Keep in mind most web proxies will register these IPs as proxy-avoidance. YMMV, but this is another method to ensure your internet web privacy during browsing.

Tor and Epic are two other means that can ensure privacy during web browsing. So if you do not trust the big GOV, look at web-privacy methods that are free and simple to execute.

“Arguing that you don't care about the right to privacy because you have nothing to hide is no different than saying you don't care about free speech because you have nothing to say.”

Eric Snowden







HOWTO Use A Yubikey SmartCard macOS10.14.3 Mojave

In this blog I will show you just how easy it is to secure the macOS login by using a Yubikey.

I'm using a Yubikey 5 NFC in this demo. These are military grade and almost indestructible.

https://www.yubico.com/product/yubikey-5-nfc/





First, download the Yubikey Manager and run through the installer. In my setup I'm using 1.1.2 on all of my macOS devices.




Next, run the yubikey manager and see if you can find the details on your yubikey. It should report back both model and SN# info.




note: The USB interfaces were slow on my powerbook when it came to seeing the Yubikey details.





Go through the steps and set a PIN and PUK.

note: Do not write these down, but you need to remember them. Also, you can always change the PIN and PUK again, but you need the current PIN and PUK codes to make any changes.






Generate new certificate details. During this process it will ask you to remove and re-insert the Yubikey and enter your keychain login.

NOTE: you will also need your PIN, since the pairing ties the login + PIN + Yubikey together for user authentication.









Now you're done. When you have the Yubikey inserted, the login prompt on the macOS desktop will require a PIN for login. This is one of the simplest methods to secure a macOS desktop without using a two-factor OTP authenticator.




You can read more about Yubikey and macOS from these wonderful folks at evil-martians. They have some cool tips with regard to security at the desktop and in applications.

https://evilmartians.com/chronicles/stick-with-security-yubikey-ssh-gnupg-macos

https://evilmartians.com/chronicles





Tuesday, July 2, 2019

Privacy and Security for passwords

E. Snowden has shown us that the US gov and other big governments of the world do not want us (the personal sector) to deploy hardened security practices.

https://en.wikipedia.org/wiki/Edward_Snowden


We use passwords every day, and in some cases the same password across multiple systems. This is because we can't manage hundreds of passwords and not all systems are MFA enabled.

If you have no OTP (one-time password) mechanism for a login, you're at risk if your password is ever lost or the system is ever compromised. Mail.com had this happen with millions of email-user accounts, btw.

Here's a sure way to use passwords: make passwords of strong length and complexity, and then secure the data with an x509 certificate. You should avoid reusing passwords across multiple systems by all means. Yes, it's tempting, but in reality it's poor security execution.


So let's dive in....


example 1

You have a cool password for gmail.com, but you can't remember it since it's so long and so cool. Just encrypt it, and then only you, the owner of the matching private key, can decrypt it.



NOTE: that is not a real password, so don't try to use it.


Okay example 2

You need to make a long, random IPSEC PSK of 36 bytes to share with a vendor, and who in the h#ll will remember it?

No problem: encrypt the data using an x509 public key.




NOTE: You can do this and send encrypted keys to others if they have an existing PKI infrastructure and issue user certificates.

This allows you to make very strong keys, with no risk if they are ever lost or stolen, since they are encrypted. You only have to manage your certificate and ensure that you have a strong passphrase.


All of my traveling laptops have an aes128 loop filesystem with my encrypted keys stored on it. This way I can have my mail, bank, forums, alarm code, PIN, account #s, and other systems' passwords close by and 100% secured!

And I only need to manage one single master passphrase for decryption!



TIP: You can add a Subject header to the S/MIME headers to help provide a pointer to what the password is for. Do not put sensitive information in this field.

Example:

A Subject line was added that describes what this data contains.





With openssl, you can easily encrypt with des / aes128 through aes256 or a few other ciphers. Keep in mind your data is always at risk if your passwords are compromised.
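One way to carry out examples 1 and 2 and the Subject-header tip with the openssl command line, as an added example rather than the author's own commands. The self-signed certificate, file names, Subject hint and DEMO_PASS passphrase are constructed stand-ins for a PKI-issued user certificate and a real passphrase.

```shell
#!/bin/sh
# Added example; every name, path and passphrase here is constructed.
set -e
umask 077                                   # new files readable by owner only

# Passphrase protecting the private key, handed to openssl via the
# environment for this demo; interactively openssl would prompt for it.
export DEMO_PASS="constructed demo passphrase with eight or more words"

# Stand-in for the certificate and key a PKI would issue to the recipient.
make_demo_cert() {                          # $1 = directory for cert.pem/key.pem
    openssl req -x509 -newkey rsa:2048 -days 30 -subj "/CN=demo-recipient" \
        -keyout "$1/key.pem" -out "$1/cert.pem" -passout env:DEMO_PASS 2>/dev/null
}

# 27 random bytes encode to exactly 36 base64 characters.
new_psk() { openssl rand -base64 27; }

# Encrypt stdin to the recipient's certificate (public key only).
# -binary keeps the secret byte-for-byte; -subject is a cleartext hint.
seal() {                                    # $1 = cert, $2 = hint, $3 = output
    openssl smime -encrypt -aes256 -binary -subject "$2" -out "$3" "$1"
}

# Decrypt with the matching private key and its passphrase.
unseal() {                                  # $1 = sealed file, $2 = cert, $3 = key
    openssl smime -decrypt -in "$1" -recip "$2" -inkey "$3" -passin env:DEMO_PASS
}

demo() {
    work=$(mktemp -d)
    make_demo_cert "$work"
    psk=$(new_psk)
    printf '%s' "$psk" | seal "$work/cert.pem" "IPsec PSK, vendor tunnel" "$work/psk.smime"
    grep '^Subject:' "$work/psk.smime"      # the hint is visible to anyone
    if [ "$(unseal "$work/psk.smime" "$work/cert.pem" "$work/key.pem")" = "$psk" ]; then
        echo "round trip ok"
    fi
    rm -rf "$work"
}
demo
```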


Lastly, store the passphrase for your private key in your memory or a vault. A good rule is a passphrase made up of 8 words or more.


example

Bad      "This is a key"
Good  "This is Much STonger K3n is S0 Sm@rt! "






