Current Matters: 2017

Thursday, November 9, 2017

GnuPG: how to prevent pass-phrase caching

For Linux Mint 18.2 where both gpg and gpg2 are present
(also helpful for Debian 9 and Ubuntu 16.04 and later)

$ gpg --version
gpg (GnuPG) 1.4.20

$ gpg2 --version
gpg (GnuPG) 2.1.11

There is no password caching in this setup with gpg 1.4 in both symmetrical and asymmetrical modes
$ gpg -c test.txt
$ gpg test.txt.gpg
and immediate repetition invokes pass-phrase prompt:
$ gpg test.txt.gpg

$ gpg -e test2.txt
$ gpg test2.txt.gpg
$ gpg test2.txt.gpg

It is not so in case of gpg 2.1

$ gpg2 -c test.txt
$ gpg2 test.txt.gpg
no pass-phrase prompt after several minutes:
$ gpg2 test.txt.gpg

$ gpg2 -e test2.txt
$ gpg2 test2.txt.gpg
no pass-phrase prompt after several minutes:
$ gpg2 test2.txt.gpg

So, you can set gnupg-agent in such a way:

1. install gnupg-agent (if not installed)

sudo apt install gnupg-agent

2. uncomment (if necessarily) in ~/.gnupg/gpg.conf line

use-agent

3. Create the file ~/.gnupg/gpg-agent.conf
For 1 minutes time limit populate it with lines

default-cache-ttl 60
max-cache-ttl 120

4. Restart your session (Cntr+Alt+Backspace)
or execute in terminal:
gpg-connect-agent reloadagent /bye

Additionally, to strengthen algo you can add to ~/.gnupg/gpg.conf these lines:

personal-digest-preferences SHA512 SHA384 SHA256 SHA224
cert-digest-algo SHA512
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed

For Linux Mint 17.x

It seems that there is no pass-phrase caching if GnuPG 2.x is not installed.

If gpg2 is installed, and there is unwanted pass-phrase caching:

dconf-editor:

sudo apt-get install dconf-editor
dconf-editor

- scroll down in the left part of dconf-editor window to desktop -> gnome -> crypto -> cache.
change gpg-cache-method to timeout
change gpg-cache-ttl to the number of seconds the passphrase to be cached, for eg, 60

terminal:

double-check it with dconf-editor again (probably, there is inconsistency between applications and dconf and gconf):

sudo gsettings set org.gnome.crypto.cache gpg-cache-method 'timeout'
sudo gsettings set org.gnome.crypto.cache gpg-cache-ttl 60

- install gnupg-agent (if not installed)

sudo apt install gnupg-agent

- uncomment or insert (if necessarily) in ~/.gnupg/gpg.conf line

use-agent

- create file ~/.gnupg/gpg-agent.conf and populate it with lines (for 1 minute time limit):

default-cache-ttl 60
max-cache-ttl 120

sudo echo RELOADAGENT | gpg-agent
gpg-agent --default-cache-ttl 60
gpg-agent --max-cache-ttl 120
sudo echo RELOADAGENT | gpg-agent

Reboot your system.

Please note that the suggested above methods are related to GPG-keys. Pass-phrases for SSH-keys should be maintained separately.
It is important to understand that caching of gpg passwords till the end of session is a somewhat dubious practice and opens a possibility of a security issue.

Sunday, May 28, 2017

Windows SMB Remote Code Execution Vulnerability

SMB Security Best Practices

Original release date: January 16, 2017 | Last revised: March 16, 2017

In response to public reporting of a potential Server Message Block (SMB) vulnerability, US-CERT is providing known best practices related to SMB. This service is universally available for Windows systems, and legacy versions of SMB protocols could allow a remote attacker to obtain sensitive information from affected systems.

US-CERT recommends that users and administrators consider:

disabling SMBv1 and
blocking all versions of SMB at the network boundary by blocking TCP port 445 with related protocols on UDP ports 137-138 and TCP port 139, for all boundary devices.

US-CERT cautions users and administrators that disabling or blocking SMB may create problems by obstructing access to shared files, data, or devices. The benefits of mitigation should be weighed against potential disruptions to users. For more information on SMB, please review Microsoft Security Advisories 2696547 and 204279.

Original page:
SMB Security Best Practices

How to remove SMB v1 in Windows 8.1, Windows 10, Windows 2012 R2, and Server 2016

Caution! Don’t forget to reboot the targeted systems.

Windows Server: Server Manager method:
Uncheck Features SMB 1.0:

Windows Client: Add or Remove Programs method:
Uncheck Features SMB 1.0:

Windows Client: PowerShell method:

Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol

Note You must restart the computer after you make these changes.

How to remove SMB v1 in Windows 7, Server 2008 R2, Windows Vista, and Server 2008

PowerShell method:
Windows PowerShell 2.0 or a later

To disable SMBv1 on the SMB server, run the following cmdlet:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 0 -Force

Note You must restart the computer after you make these changes.

Registry method:

To enable or disable SMBv1 on the SMB server, configure the following registry key:

Registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\ParametersRegistry entry: SMB1

REG_DWORD: 0 = Disabled

REG_DWORD: 1 = Enabled

Default: 1 = Enabled

Note You must restart the computer after you make these changes.

Original page with other methods:
How to enable and disable SMBv1, SMBv2, and SMBv3 in Windows and Windows Server

Disabling NetBIOS over TCP/IP

Use the following steps to disable NetBIOS over TCP/IP; this procedure forces all SMB traffic to be direct hosted. Take care in implementing this setting because it causes the Windows-based computer to be unable to communicate with earlier operating systems using SMB traffic:

1. Open Network and Sharing Center and then click Change adapter settings.
2. Right-click Ethernet adapter, and then click Properties.
3. Click Internet Protocol (TCP/IP), and then click Properties.
4. Click Advanced.
5. Click the WINS tab, and then click Disable NetBIOS over TCP/IP.
6. Repeat for all relevant adapters as NetBT_Tcpip is bound to each adapter individually.

Original page: Direct hosting of SMB over TCP/IP

Disabling certain TCP ports via firewall

How to disable Ports 135, 137, 138, 139, 445 via the Firewall

A.) TCP ports 135, 137, 139
1. Open the Control Panel.
2. Click the Windows Firewall.
3. Click Advanced settings.
4. Click Inbound Rule.
5. On the right side, click New rule.
6. Chose the Port.
7. Click Next.
8. Choose Specific local ports.
9. Click TCP radio-button above and type 135, 137, 139
10. Click Next.
11. Choose Block the connection.
12. Click Next.
13. Tick the three checkboxes and click Next.
14. Type My rule: Close TCP ports 135, 137, 139 into the Name box.
15. Click Finish.

B.) TCP port 445
1. Open the Control Panel.
2. Click the Windows Firewall.
3. Click Advanced settings.
4. Click Inbound Rule.
5. On the right side, click New rule.
6. Chose the Port.
7. Click Next.
8. Choose Specific local ports.
9. Click TCP radio-button above and type 445
10. Click Next.
11. Choose Block the connection.
12. Click Next.
13. Tick the three checkboxes and click Next.
14. Type My rule: Close TCP port 445 into the Name box.
15. Click Finish.

C.) UDP ports 137, 138
1. Open the Control Panel.
2. Click the Windows Firewall.
3. Click Advanced settings.
4. Click Inbound Rule.
5. On the right side, click New rule.
6. Chose the Port.
7. Click Next.
8. Choose Specific local ports.
9. Click UDP radio-button above and type 137, 138
10. Click Next.
11. Choose Block the connection.
12. Click Next.
13. Tick the three checkboxes and click Next.
14. Type My rule: Close UDP ports 137, 138 into the Name box.
15. Click Finish.

Microsoft Security Bulletin MS17-010 - Critical

Security Update for Microsoft Windows SMB Server (4013389)
Published: March 14, 2017

The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka "Windows SMB Remote Code Execution Vulnerability." This vulnerability is different from those described in CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, and CVE-2017-0148.

Security update deployment

Here are the links to the available MS17-010 updates for all of the Windows versions:

Prerequisites:
KB2919442 and KB2919355

All future security and non-security updates for Windows 8.1 and Windows Server 2012 R2 require update 2919355 to be installed. We recommend that you installupdate 2919355

https://support.microsoft.com/en-us/help/2919355

on your Windows 8.1-based, or Windows Server 2012 R2-based computer so that you receive future updates.

If you install a language pack after you install this update, you must reinstall this update.

Before applying KB2919355 update, you must have the following update installed on Windows RT 8.1, Windows 8.1, or Windows Server 2012 R2:

KB2919442

https://support.microsoft.com/en-us/help/2919442

A servicing stack update is available for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2: March 2014

Important: When you install this update from Windows Update, updates 2932046, 2937592, 2938439, 2934018, and 2959977 are included in the installation.

Important This update (2919355) replaces update 2883200 . You don't have to install update 2883200 after you install this update.

You can obtain the stand-alone update package through the Microsoft Download Center.

Download Download the x86-based Windows 8.1 update package

http://www.microsoft.com/downloads/details.aspx?familyid=47b21d89-3f78-477f-9402-8021e61bef59

Download Download the x64-based Windows 8.1 update package

http://www.microsoft.com/downloads/details.aspx?familyid=f2917221-a8b3-4024-b755-818ad0e7703d

Download Download the x64-based Windows Server 2012 R2 update package

http://www.microsoft.com/downloads/details.aspx?familyid=373b1bb0-6d55-462e-98b7-6cb7d9ef1448

Note The updates must be installed in the following order:
clearcompressionflag.exe
KB2919355
KB2932046
KB2959977
KB2937592
KB2938439
KB2934018

clearcompressionflag.exe
38 KB
Windows8.1-KB2919355-x64.msu
690.8 MB
Windows8.1-KB2932046-x64.msu
48.0 MB
Windows8.1-KB2934018-x64.msu
126.4 MB
Windows8.1-KB2937592-x64.msu
303 KB
Windows8.1-KB2938439-x64.msu
19.6 MB
Windows8.1-KB2959977-x64.msu
2.8 MB

Date Published:
5/5/2014

KB2919442 is a prerequisite for Windows Server 2012 R2 Update and should be installed before attempting to install KB2919355

Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2 update KB2919355 original page:
https://support.microsoft.com/en-us/help/2919355

April 2014

To confirm the exact version of Windows Server 2012 R2 that is installed on a computer, run Msinfo32.exe

If Windows Server 2012 R2 Update is installed, the value reported for Hardware Abstraction Layer will be

6.3.9600.17031

- End of prerequisites section -

Security Update for Microsoft Windows SMB Server (4013389)
Windows Server 2012 R2 (all editions)

For all supported editions of Windows Server 2012 R2 download:

Windows8.1-KB4012213-x64.msu

Security only

For all supported editions of Windows Server 2012 R2 download montly rollup containing this update, currently it is windows8.1-kb4019215 or previous one Windows8.1-KB4012216

A system restart is required after you apply this security update.

March 2017 Security Only Quality Update for Windows 8.1 and Windows Server 2012 R2

https://support.microsoft.com/en-us/help/4012213/march-2017-security-only-quality-update-for-windows-8-1-and-windows-server-2012-r2

File name:
Windows8.1-KB4012213-x64.msu
SHA1 hash:
5B24B9CA5A123A844ED793E0F2BE974148520349
SHA256 hash
9570C588FECFF58831F989BA62B0743495B366DEFC382F5DC12FF50E0F9BED9B
File name:
Windows8.1-KB4012213-x86.msu
SHA1 hash
E118939B397BC983971C88D9C9ECC8CBEC471B05
SHA256 hash
DD770131CD4E87F9D8ED8038427F8952905EF31C9BC6E3D32C88FD71F9984EFB

File download page:
http://www.catalog.update.microsoft.com/search.aspx?q=4012213

To determine whether MS17-010 fixes have been installed:

Check by installed Knowledge Base number for any of the listed updates that contain MS17-010 patch.

To check by Windows PowerShell method enter this PowerShell command:

get-hotfix -id KB4012212,KB4012213

If you installed a rollup that contains MS17-010, check for one of applied updates, for example (May 2017):

get-hotfix -id KB4012213,KB4012216,KB4012219,KB4015550,KB4015553,KB4019213,KB4019215

To check for some of previous Server 2012R2 and Windows 8.1 updates:

get-hotfix -id KB2919442

get-hotfix -id KB2919355,KB2959977,KB2919442

How do you really know a machine is vulnerable (or not)?

The nmap script smb-vuln-ms17-010 detects Microsoft SMBv1 hosts vulnerable to a remote code execution vulnerability (ms17-010). First of all make sure you have a recent version of Nmap (version 7.40 or later). Then download the script smb-vuln-ms17-010 from its github repository and place it in your NSE script directory:

Linux - /usr/share/nmap/scripts/ or /usr/local/share/nmap/scripts/
OSX - /usr/local/share/nmap/scripts/ or /opt/local/share/nmap/scripts/
Windows - C:\Program Files\Nmap\scripts\

To install the script in your system:

#nmap --script-updatedb

To detect if a machine is vulnerable, run the following Nmap command:

$nmap -v --script smb-vuln-ms17-010 -p445

Here is an unpatched machine before and after applying some mitigating measures:

A "fully vulnerable" host may return the following script results:
| smb-vuln-ms17-010:
| VULNERABLE:

Wednesday, March 8, 2017

Installing Pale Moon and Firefox ESR browsers in Linux Mint and Windows

Introduction (Windows and Linux related)

March, 2017

The NPAPI plug-in support has been removed from Firefox 52 (with the exception of Adobe Flash). Some of the plugins that will no longer load include Java, Microsoft Silverlight, Adobe Acrobat etc. In case you’re not yet ready for this to happen and require NPAPI plug-ins, Firefox Extended Support Release (Firefox ESR) will keep those plug-ins support enabled until May 2018.

As an alternative, you may install the Pale Moon browser. Pale Moon is an open-source browser forked from Firefox. It has the fully customizable interface similar to Firefox 28. Pale Moon uses Goanna engine, which is a fork of Firefox’s Gecko. A good number of Firefox extensions will work in Pale Moon thanks to its Firefox extension compatibility mode, though the two browsers are not the same, and sometimes you will have to check the list of add-ons with known compatibility issues and possible workarounds here: https://addons.palemoon.org/incompatible/ (Pale Moon will continue to support XUL and XPCOM based add-ons, contrary to Mozilla’s plan to deprecate them in Firefox 57.)

In the standard Firefox versions 52, 53 and 54 the user can turn on NPAPI plugin support using about:config (Nevertheless, please note that in Firefox 55 and later the ability to restore NPAPI plugin support has been removed completely.)

Here is how it can be done:

1.
Open a new tab in Firefox and enter the following text in the address bar:

about:config

Confirm that you will be careful if a warning message appears for you.

2.
Create a new boolean option and name it plugin.load_flash_only

3.
Set the plugin.load_flash_only option to false.

4.
Restart Firefox.

Background information

Most of add-ons will cease working with Firefox:
https://blog.mozilla.org/addons/2016/11/23/add-ons-in-2017/

The Road to Firefox 57 – Compatibility Milestones(post and comments):
https://blog.mozilla.org/addons/2017/02/16/the-road-to-firefox-57-compatibility-milestones/

Installing Firefox ESR in Windows

Just download and run Firefox ESR setup file for your system and language from this page:

https://www.mozilla.org/en-US/firefox/organizations/all/

Installing Firefox ESR in Linux Mint

1.
Download
Please download the latest Firefox ESR from here:
https://www.mozilla.org/firefox/organizations/all.html

For the US English ESR installer these urls could be pasted into the location bar of a browser:

Linux (64bit)
https://download.mozilla.org/?product=firefox-esr-latest&os=linux64&lang=en-US
Linux (32bit)
https://download.mozilla.org/?product=firefox-esr-latest&os=linux&lang=en-US
Windows (64bit)
https://download.mozilla.org/?product=firefox-esr-latest&os=win64&lang=en-US
Windows (32bit)
https://download.mozilla.org/?product=firefox-esr-latest&os=win&lang=en-US
OS X
https://download.mozilla.org/?product=firefox-esr-latest&os=osx&lang=en-US

Current Firefox ESR release with non-flash plugins re-enabled (they are disabled in the regular 52.0 and later releases) :

firefox-52.7.3esr.tar.bz2 (February 2018)

FTP link:
https://ftp.mozilla.org/pub/firefox/releases/52.7.3esr/

Expected end-of-life Firefox 52.x ESR branch: 2Q 2018

Please be sure to download the appropriate archive that matches the architecture of your OS and language. So, use linux-x86_64 (64-bit OS) or linux-i686 (32-bit OS) directory.

2.
Extracting tarball

If directory /opt doesn't exist:
sudo mkdir /opt

Open terminal in the download directory and extract archive to /opt:
sudo tar -xvjf firefox-52.7.3esr.tar.bz2 -C /opt

Just replace firefox-52.7.3esr.tar.bz2 file name if newer version is available

3.
Linking the new Firefox ESR

sudo ln -s /opt/firefox/firefox /usr/bin/firefox-esr

4.
Creating a shortcut

Right-click on the Desktop and choose Create a new launcher here...
In the Launcher Properties window browse from the Command field to /usr/bin/firefox-esr
In the name field enter Firefox-ESR
Click on the generic icon on the left and browse to /usr/share/pixmaps/ and select the firefox.png icon, then click OK.
Press OK to Would you like to add this launcher to the menu also?

This will create a copy of Firefox ESR alongside your current Firefox browser. You may add the Firefox ESR launcher to the Panel and remove from the Panel a standard Firefox launcher.

5.
Profile
Please note that till version 56.x there is no need to export add-ons and bookmarks, as both versions may use the same profile, located in /home/user/.mozilla/firefox/ , named something like xyz0xyz.default

There are substantial changes in Firefox 57 profile. To use Firefox ESR 52.x and Firefox 57 Quantum intermittently you need to create separate profiles directories and edit your profiles.ini accordingly:

/home/user/.mozilla/firefox/profiles.ini
StartWithLastProfile=0

To start both versions simulateously use --no-remote switch:
Firefox --ProfileManager --no-remote

If Firefox Quantum messed up with your old add-ons, to bring them back, set in about:config to false the preference extensions.blocklist.enabled and, if neccesary, reinstall old versions of add-ons.

Sample of ini file


[General]

StartWithLastProfile=0



[Profile0]

Name=ESR

IsRelative=1

Path=ESR

Default=1


[Profile1]

Name=Quantum

IsRelative=1

Path=Quantum

Shortcut command for Firefox Quantum
firefox --no-remote -P "Quantum"

Shortcut command for Firefox ESR 52.x
/usr/bin/firefox-esr.52 --no-remote -P "ESR"

Installing Pale Moon browser in Windows

Just download and execute a file from these pages:
Pale Moon - portable
http://www.palemoon.org/palemoon-portable.shtml
Pale Moon Windows 32-bit
http://www.palemoon.org/palemoon-win32.shtml
Pale Moon Windows 64-bit
http://www.palemoon.org/palemoon-win64.shtml

Installing Pale Moon browser in Linux Mint

1.
Download a tar.bz2 tarball from here:
http://linux.palemoon.org/download/mainline/

Please be sure to download the appropriate archive that matches the architecture of your OS. Current Pale Moon for Linux version is 27.9.0 (March 2018).

2.
Extract the tarball anywhere you like and execute the "palemoon" file inside it. Or follow the instructions below if you want to install manually.

If directory /opt doesn't exist:
sudo mkdir /opt

For 64-bit OS:

Open terminal in download directory and extract the archive into /opt:

sudo tar -xvf palemoon-27.9.0.en-US.linux-x86_64.tar.bz2 -C /opt

Just replace palemoon-27.9.0.en-US.linux-x86_64.tar.bz2 file name if a newer version is available

For 32-bit OS:

Open terminal in download directory and extract the archive into /opt:

sudo tar -xvf palemoon-27.9.0.en-US.linux-x86_64.tar.bz2 -C /opt

Just replace palemoon-27.9.0.en-US.linux-x86_64.tar.bz2 file name if a newer version is available

3.
Create a symbolic link /usr/bin/palemoon that points to /opt/palemoon/palemoon:

sudo ln -s /opt/palemoon/palemoon /usr/bin/palemoon

Icons:


sudo ln -s /opt/palemoon/browser/chrome/icons/default/default16.png /usr/share/icons/hicolor/16x16/apps/palemoon.png

sudo ln -s /opt/palemoon/browser/chrome/icons/default/default32.png /usr/share/icons/hicolor/32x32/apps/palemoon.png

sudo ln -s /opt/palemoon/browser/chrome/icons/default/default48.png /usr/share/icons/hicolor/48x48/apps/palemoon.png

sudo ln -s /opt/palemoon/browser/icons/mozicon128.png /usr/share/icons/hicolor/128x128/apps/palemoon.png

4.
Creating a shortcut:

Right-click on the Desktop and choose Create a new launcher here...
In the Launcher Properties window browse from the Command field to /usr/bin/palemoon
In the name field enter Pale Moon
Click on the generic icon on the left and browse to /usr/share/icons/hicolor/48x48/apps/ and choose the palemoon.png icon, then click OK.
Press OK to Would you like to add this launcher to the menu also?

That's it.

About copying existing Firefox profile to Pale Moon

It is recommended you export your bookmarks in Firefox and import them in Pale Moon, and otherwise start fresh.
Extensions are best re-installed on Pale Moon anew.
Recomended extensions:
uBlock Origin
NoScript