beardyjay.co.uk

My main website source code, uses Hugo.

commit 949ac7723fd629fc55fb3e42f0cbb34ad92e3757
parent 5dae03778d7187f573958a505a1ccf28610e4c12
Author: Jay Scott <jay@beardyjay.co.uk>
Date:   Mon, 25 Feb 2019 12:44:52 +0000

adding new pages

Diffstat:
M build_pages | 3 ++-
M data/projects.txt | 4 ++++
M layout/header.html | 3 ++-
A posts/about.md | 89 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
M posts/static_site_generator_bloat.md | 6 +++---
A posts/trawlling_gliffy.md | 81 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
6 files changed, 181 insertions(+), 5 deletions(-)

diff --git a/build_pages b/build_pages @@ -6,6 +6,7 @@ rant_list=' gnu_make_dotfile_management aws_ami_security_research i_got_a_wifi_pineapple + about ' test -d $output || mkdir -p $output @@ -44,7 +45,7 @@ done < data/projects.txt printf "</table>" >> public/index.html ## archaic ## -printf "<h2>ARCHIVE</h2>\n<table>\n" >> public/index.html +printf "<h2>PAST</h2>\n<table>\n" >> public/index.html IFS= while IFS='' read -r line || [ -n "$line" ]; do name=${line#"name: "} diff --git a/data/projects.txt b/data/projects.txt @@ -14,6 +14,10 @@ name: AWS AMI research desc: research on finding public AMIs with private data. link: https://beardyjay.co.uk/aws_ami_security_research/ +name: Ansible AWS VPC role +desc: provision AWS VPC, Subnets, Internet and NAT gateways and routes. +link: https://git.beardyjay.co.uk/ansible_aws_vpc/files.html + name: ami_expose desc: python tool for searching public AWS AMI's for private data. link: https://git.beardyjay.co.uk/ami_expose diff --git a/layout/header.html b/layout/header.html @@ -29,5 +29,6 @@ </header> <p class="header"> - <a href="https://beardyjay.co.uk/">home</a>|<a href="https://git.beardyjay.co.uk">git</a> + <a href="/">home</a>|<a href="https://git.beardyjay.co.uk">git</a>|<a + href="https://www.github.com/beardyjay">github</a> </p> diff --git a/posts/about.md b/posts/about.md 
@@ -0,0 +1,89 @@ +A long bullet point list of things about me! + +***what I like*** + +* [archinux](https://www.archlinux.org/) and [slackware](http://www.slackware.com/) +* [dwm](https://dwm.suckless.org/) tiling manager +* security +* python and vim +* AWS +* [suckless](https://suckless.org/philosophy/) +* [ansible](https://www.ansible.com/) +* [docker](https://www.docker.com/) +* automation, devops in general + +***what I hate*** + +* bloat +* over-engineering +* desktops + +***In a nutshell*** + +* Got a 386, installed Slackware +* The world of hacking(good type) began +* Left high school +* Worked as a [ASP](https://en.wikipedia.org/wiki/Active_Server_Pages) developer +* Went to college +* Played with a lot of [crackme's](https://en.wikipedia.org/wiki/Crackme) +* Website named UK hacker book +* Got a HNC: computing +* Wrote an exam paper for college, no joke +* Got a HND: software development +* Website removed from hacker book (lol) +* Went to uni and got a computer science degree, learnt more in college tbh! +* Created a [honeypot +network](https://git.beardyjay.co.uk/ssh_honeypot/files.html) +* Worked at an ISP as a Linux sysadmin +* Got married +* Worked in a datacentre as as NOC/Linux admin +* Learned automation Chef/Ansible etc +* Switched over to a new job doing DevOps +* First conference, +[LinuxCon](https://events17.linuxfoundation.org/events/archive/2013/linuxcon-europe) +* Tracked a hacker group with some aussie feds via my honeypot network +* Tool I made named in a [security book](https://www.amazon.co.uk/Open-Source-Intelligence-Techniques-INFOrmation/dp/149427535X)! +* [LPI](https://www.lpi.org/) certified!, LFCS-1500-0294-0100! +* Hello docker! +* Went to [Securi-Tay](https://securi-tay.co.uk/)....meh +* New DevOps role +* ... so much stuff during this part ... +* [AWS](https://aws.amazon.com/certification/) certified! +* Wrote this stuff. 
+ +***my tools of choice*** + +**email** + +* [mutt](http://www.mutt.org/) +* [imapfilter](https://github.com/lefcha/imapfilter) +* [offlineimap](https://www.offlineimap.org/) + +**video** + +* [mpv](https://mpv.io/) +* [ytcc](https://github.com/woefe/ytcc) + +**music** + +* [mpd](https://www.musicpd.org/) +* [beets](http://beets.io/) +* [ncmmcpp](https://rybczak.net/ncmpcpp) + +**desktop** + +* [dwm](https://dwm.suckless.org/) +* [st](https://st.suckless.org/) +* [rofi](https://github.com/DaveDaveuport/rofi) +* [dunst](https://dunst-project.org/) + +**misc** + +* [newsboat](https://newsboat.org/) +* [lutris](https://lutris.net/) +* [irssi](https://irssi.org/) +* [ranger](https://ranger.github.io/) +* [qutebrowser](https://qutebrowser.org/) +* [vim](https://www.vim.org/) +* [stagit](https://git.beardyjay.co.uk/stagit/) +* [git](https://git-scm.com/) diff --git a/posts/static_site_generator_bloat.md b/posts/static_site_generator_bloat.md 
@@ -2,9 +2,9 @@ Why are static generators so bloated! Out of interest I downloaded a few and had a look at the package dependencies, install size and the amount of contributors. -Some of the packages are just so minimal that I wonder if it's just laziness instead of being efficient. As a good example, one package for the Next framework called `is-path--cwd` is 4 lines long, I shit you not - the readme is three times the size of the package. So instead of a developer just adding this to the application, they add a package. It is just one line after all, right? +Some of the packages are just so minimal that I wonder if it's just laziness instead of being efficient. As a good example, one package for the Next framework called ***is-path--cwd*** is 4 lines long, I shit you not - the readme is three times the size of the package. So instead of a developer just adding this to the application, they add a package. It is just one line after all, right? -Who cares about adding ***another*** dependency, another download, another security entry point, another point of failure eh? I am sure all these packages are the latest versions, still maintained and been audited...? +Who cares about adding another dependency, download, security entry point, point of failure eh? I am sure all these packages are the latest versions, still maintained and have been audited? I get that these tools are now industry standard and most people will not have an issue with this. I think it is absolutely crazy that for some generators you need to download 1000+ of packages just to create a 65Kb base page, mental! What ends up happening is you have tools for managing tools and on it goes on until you have so much tooling that it's now over-engineered and bloated to the extreme. 
@@ -48,4 +48,4 @@ Below is what I found when I had a look at some of the top static site generator The sad thing is most of these tools require you to add even more packages depending on what your goal is or where you are deploying too. -K.I.S.S people! +***Remember KISS people!*** diff --git a/posts/trawlling_gliffy.md b/posts/trawlling_gliffy.md 
@@ -0,0 +1,81 @@ +/* +date: 2015-08-03 +author: Jay Scott +title: Trawling Gliffy for Sensitive Data +slug: linux +*/ + + +Gliffy.com is a tool that allows you to draw various diagrams ranging from flowcharts to network diagrams. Gliffy has various tiers of membership, the one that we are interested in is the free tier - the limitation of this tier is that your diagrams are marked as read only to the public. + + +**The Issue** +-------------------------- + +When you create a new diagram a unique identifier (ID) is assigned to that diagram, you would think that the ID would be randomly generated, however, this is not the case. All that Gliffy seem to do is increment the previously generated ID by 1, no matter if its a private or public diagram. + +If you come across a diagram which is private you get an "Unauthorized" message with a 401 HTTP status code. + +![enter image description here](http://i.imgur.com/nCkfRGm.png) + +Also, if the user has removed the diagram and you then try to access the ID, you will get an "Not Found" error and a 404 HTTP status code. + +![404 Not Found](http://i.imgur.com/Lqfx02d.png) + +Using these helpful error codes, it is a trivial process to [create a script](http://fpaste.org/251177/38639697/) to download any diagram that has not been set to private or hasn't been removed by the user. Relying on human error, and with the help of Gliffy's ID generation, let's see what we can find... + +**The Results** +----------------- + +After a I looked at a few random ID's, it seemed to be that any diagrams created with a 8XXXXXX ID were first created in late 2014 until 2015, so that's the range I've stuck with. After creating a bash script, running it over a 4 hour period I managed to find and download **3,252** public diagrams from a total of **26,000** ID's scanned. Initially I cherry picked a few diagrams and the results were eye opening, ranging from full network diagrams to user authentication processes containing username / passwords. 
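Review bot: in the first `build_pages` hunk only `about` is appended to `rant_list`, but this commit also adds `posts/trawlling_gliffy.md` (see the Diffstat); unless that list is populated from somewhere else, the Gliffy post will not be built. Add it to the list in the same change. While touching this block, the trailing context line `test -d $output || mkdir -p $output` leaves `$output` unquoted; `"$output"` is the safe form if the path ever contains whitespace.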
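Review bot: in the second `build_pages` hunk the bare `IFS=` before the loop is redundant, since the loop already sets `IFS=''` per `read`; the heading rename from `ARCHIVE` to `PAST` is fine, but the leftover global `IFS=` will affect every later word split in the script, so drop it or restore `IFS` after the loop.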
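Review bot: in the `data/projects.txt` hunk the new entry's link points at `https://git.beardyjay.co.uk/ansible_aws_vpc/files.html` while the neighbouring `ami_expose` entry links to the repository root; pick one form for all entries. The added block also ends with a blank line although the entry before it has none; keep the spacing consistent with the surrounding entries, because the `build_pages` loop reads this file line by line and a stray blank line may be emitted as an empty table row unless it is skipped.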
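Review bot: in the `layout/header.html` hunk the new link uses `https://www.github.com/beardyjay`; the canonical host is `github.com`, so prefer `https://github.com/beardyjay` rather than relying on a redirect. The added `<a` tag is also split across two lines (`<a` on one line, `href=...` on the next), which is valid HTML but hard to read; keep the anchor on one line to match the existing `git` link. Changing the home link to `/` is fine as long as the site is always served from the domain root.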
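Review bot: in the `posts/about.md` hunk several link texts and words are mistyped: `archinux` (the link is to archlinux.org), `ncmmcpp` (the link is to ncmpcpp), `as as NOC/Linux admin`, and `a ASP developer` should be `an ASP developer`. The rofi link `https://github.com/DaveDaveuport/rofi` looks mistyped as well (the project's repository is under `davatorium/rofi`); check that it resolves before publishing. The line `LFCS-1500-0294-0100!` publishes a personal certificate number; it is not needed for the post to make its point and is the kind of identifier best left out of a public page.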
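Review bot: in the first `posts/static_site_generator_bloat.md` hunk the package name is changed from `` `is-path--cwd` `` to `***is-path--cwd***`; backticks are the conventional markup for a package identifier and should stay. The name itself also looks wrong: the npm package is `is-path-cwd` with a single hyphen, so the doubled hyphen should be fixed in the same edit.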
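Review bot: in the `posts/trawlling_gliffy.md` hunk the front matter has `slug: linux`, which does not match the post and will collide with any other post using that slug; use something like the file name, and note the file name itself is spelled `trawlling` while the title reads `Trawling`. The `date: 2015-08-03` is also four years before this commit, so confirm it is intended. Grammar to fix before publishing: `After a I looked`, `I had to heavily redacted`, `no matter if its a private`, `an "Not Found" error`, `deploying too`, `on there forums`. The script link goes to fpaste.org, a paste service whose pastes expire, and the screenshots are hosted on imgur; both are better kept in this repository so the post does not rot. On the substance: the post's own observation that a 401 for private and a 404 for deleted diagrams lets a scanner tell which IDs exist is worth stating explicitly as the second half of the fix alongside non-sequential IDs, namely returning the same response for both cases so that guessing an ID reveals nothing.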
+ +**Example 1**: + +This redacted diagram showed a wealth of information such as: + + - Public IP Address + - Private IP Address + - Company Name + - Company Remote Locations + - Line Numbers (Ref) + +![Example 1](http://i.imgur.com/7vTNH1I.png) + +**Example 2**: + +I had to heavily redacted this particular diagram as it was one of most technically rich diagrams from the sample I downloaded. + + - Public IP Address + - Private IP Address + - Firewall Rules + - IPSec Tunnel Information + - Company branding + - Company Name + - Company Remote Locations + + +![Example 2](http://i.imgur.com/IK8xAXr.png) + + +**The Fix** +------- + +Don't use the free account for real world diagrams. + +Gliffy could help the situation by not making the IDs so linear. I did contact Gliffy to ask if they had any intention on fixing the way the IDs are generated to reduce this risk, I received this reply: + +> Hi Jay, +> +> Thanks for using Gliffy. We unfortunately do not have any current +> plans to change this. +> +> We have voted for it on your behalf in our public forum located here: +> http://support.gliffy.com/entries/20133138-Make-public-document-URLs-much-harder-to-guess-or-brute-force-attack +> +> We take these requests very seriously. The votes and comments these +> receive help us to gauge public interest and assist us in allocating +> resources for future development. +> +> Thank you, Katy + +So it appears that Gliffy have known about this issue since 2011 when it was first brought up on there forums. If they haven't "fixed" it in 4 years I suspect they never will...