Software

Short presentation about the ease of finding and getting into unprotected systems.

PDF can be downloaded here.

Presentation given at Stibbe on 5 May 2015.

You’ve just updated your Raspberry Pi (or whatever Linux) and you’re noticing your CIFS (smb) mounts aren’t getting auto mounted anymore. You curse and start noticing this error:

# mount -t cifs //192.168.1.100/public -o username=public,password=public sam/ mount error(13): Permission denied Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)

The solution is to add after -o username=X,password=Y the following: sec=ntlm; thus it becomes -o username=X,password=Y,sec=ntlm.

You can do the same in fstab:

Because of the mediastorm it’s time for an update. The previous (1, 2, 3) blog posts are outdated!

I’ll do my usual slashdot-effect post in a couple of days (it’s already at 10k views today).

Banks that changed rank since last post (all for the better):

• 16/02/2015:
  • Keytrade: B to A
  • Hello Bank!: C to A
  • ING: F to A-
  • Record Bank: F to A-
• 17/02/2015:
  • ABK: F to B
  • Bank Van Breda: C to B
• 18/02/2015:
  • MeDirect: F to A
  • Added 6 new (small) banks
• 27/02/2015
  • Ogone: C to A-
• 02/03/2015
  • Fortuneo: C to B
• 03/03/2015
  • Crelan: B to A

I cannot test Europabank using SSL Labs. I can only speculate they requested SSL Labs to not scan them. I have also added a couple new banks (Delta Lloyd, Deutsche Bank, Moneyou, Fortuneo, BKCP, Binck, and Isabel as bank tool).

EDIT: ING is now A- (not reflected in this blog post). EDIT 2: Keytrade & Hello Bank also went to A. I’ll post a new blog post later tonight. EDIT 3: Updated post here.

Part three, or how I single-handedly “fixed” SSL at the Belgian banks. ;)

Part one and two are available here. Not related but useful nonetheless NY Times article about bank hackers.

Argenta promised to fix their SSL, so it’s the time to check everything again.

E-mails that had been deleted for over 7 days were automatically removed from the IMAP server. E-mail date was ignored (ie the mail could have been from 2010; the actual time in “Trash” counted). This didn’t happen to other folders (Sent, Archive, Spam). This recently happened and hadn’t happened before.

I had to restore my trash folder from backups every 7 days (yay for rdiff-backup).

It took me a while to figure it out… The problem first appeared in October, right after several big changes:

I previously wrote about Belgian banks & SSL. Updated version (15/02/2015) here.

Going through my Google Analytics I noticed some noteworthy network domains, which Google discribes as “The fully qualified domain names of your visitors’ Internet service providers (ISPs)”.

I had to wait a little while for the ARMv7 version for my EfikaMX devices, but they finally had time to compile it. Yay!

The updated cookbooks are on Github.

Changes (commits):

• Better key management
• fr24feed.ini
• No more separate dump1090 launch
• newest fr24 version

Download links for Linux & RPi.

Tested using SSL Labs on 20/01/2015. Updated version 01/02/2015 here and 15/02/2015 here.

Only providing the weak points. Once there is one SHA1 key in the chain, I will report everything as weak.

Check SSL Labs for a full report, including what they actually did good (if anything).

Grade A

• Rabobank (A+): no known issues. Support for HTTP Strict Transport Security and prevented downgrade attacks.
• Triodos (A): no downgrade attack prevention.
• Belfius (A-): weak signature (SHA1), no Forward Secrecy.

Grade B

I had the same theme for over four years. I’ve made quite a few custom css and PHP edits myself, and it had been outdated for ages… But it served me well.

However, it’s now time for something new.

As always, as minimalistic as possible.

On a side note, this blog has been moved from vm1 (and one before that) a virtual machine running on a dual Xeon 3070 (2.66Ghz) at Databarn to Akama, a VM on an 8 core Xeon E3-1230 (3.2Ghz) at Leaseweb.

Here’s my very simple Ansible playbook for Flightradar24 nodes.

While I run it on EfikaMX, it should work on most Debian based devices. Just be sure to modify the FR24 software download URL.

This Ansible playbook is untested on its own. It comes out of a way bigger (private) Ansible playbook, and I kind of just copy pasted this part, as others might benefit from it.

After running Ansible, you should reboot for driver blacklisting to work in cases it’s needed on your device (it is on RPis). And be sure to edit /root/flightradar24.sh with your key.