So what is SecretKeeper?

One day I got a password sent to me over email at work. Then some time later – by Slack, Teams, Skype for Business, Skype, you name it. And yes, I totally get it – there are various password managers, tools and solutions that let you share a secret securely – so why don’t we all use them? But there is no need to perform an epic eye-roll (yes, it’s a signature move of many security people) and blame incompetent users for doing something that isn’t completely secure…

The better question to ask is – if I wanted to share a secret securely, would it actually be that simple? So simple that it doesn’t create an entry barrier, doesn’t drain your colleagues’ energy and doesn’t require many extra steps, manuals and precautions. As simple as sending it via chat. It turned out that sharing sensitive information wasn’t simple at all. Security always comes with strings attached, in the form of additional complexity, MFA, captchas, 16-letters-with-at-least-one-digit passwords and so forth.

Therefore, I decided to create SecretKeeper. I wanted it to be:

  • Used for sharing “secrets” – sensitive bits of information or files – between two users.
  • Dead simple to use – one page, one button, one click.
  • As secure as it can be – goes without saying.
  • Easily deployable to your hosting provider (so you can control your own instance).

The idea is incredibly simple – it is a web application that stores your secret (text or file) encrypted, for a short amount of time. It generates a one-time link that you can share. Once the secret is read, it is deleted forever. There are no additional passwords or controls protecting the link – but the link itself is a SHA-256 hash of a random number, a long string that is hard to guess.

So, you want to share “hello” with your buddy. You open SecretKeeper:

[Screenshot: skeeper1]

You write hello in the textbox, choose the lifetime for the secret – and get a link for sharing.

[Screenshot: skeeper2]

SecretKeeper is meant to be hosted by you, your organization or a hosting provider you trust. Therefore, I spent some nights making deployment as simple as one click. There are two options:

  • Docker container
  • Azure AppService

The entire code is open source, so you can make sure there are no backdoors. It runs on Kestrel and .NET Core 2.2, generates random links using a cryptographically secure algorithm (no System.Random!) and gets along with certificates really well. By the way, there is no other way to run it than over HTTPS. I even went full pro-mode and audited it with Burp Professional, fixing some caching and HSTS configuration issues.
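To make the mechanism concrete (the one-time link from the description above, and the “no System.Random” point just made), here is an added Python example of the same design; it is not SecretKeeper’s own code. The share token is the SHA-256 of 32 bytes from the OS CSPRNG, the secret is encrypted at rest with per-secret keys derived from a server-side master key, it expires after a caller-chosen lifetime, and the first read deletes it. Because Python’s standard library has no AES, the cipher is an HMAC-SHA256 keystream with an encrypt-then-MAC tag, standing in for an AEAD such as AES-GCM; the class name `SecretStore`, its methods and the `skeeper.example` URL are assumptions for the example.

```python
"""One-time secret store in the style SecretKeeper describes (added example,
not the project's code). The share token is the SHA-256 of 32 bytes from the
OS CSPRNG (the `secrets` module, never `random`), the secret is encrypted at
rest, it expires after a caller-chosen TTL, and the first read deletes it.

Stand-in cipher: the standard library has no AES, so confidentiality and
integrity use an HMAC-SHA256 keystream plus an HMAC tag (encrypt-then-MAC).
A real deployment would use an AEAD such as AES-GCM from a crypto library."""
import hashlib
import hmac
import secrets
import time


class SecretStore:
    def __init__(self, master_key: bytes, clock=time.time):
        self._master = master_key          # server-side key, never part of the link
        self._clock = clock                # injectable so expiry can be tested
        self._items = {}                   # token -> (expires_at, nonce, ciphertext, tag)

    def _derive_keys(self, nonce: bytes):
        """Per-secret encryption and MAC keys derived from the master key."""
        enc = hmac.new(self._master, b"enc" + nonce, hashlib.sha256).digest()
        mac = hmac.new(self._master, b"mac" + nonce, hashlib.sha256).digest()
        return enc, mac

    @staticmethod
    def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
        """HMAC-SHA256 in counter mode: a PRF keystream of the requested length."""
        out = bytearray()
        counter = 0
        while len(out) < length:
            out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
            counter += 1
        return bytes(out[:length])

    def put(self, plaintext: bytes, ttl_seconds: int) -> str:
        """Store a secret and return the token that goes into the one-time link."""
        # SHA-256 of CSPRNG output: 64 hex chars, infeasible to guess or enumerate.
        token = hashlib.sha256(secrets.token_bytes(32)).hexdigest()
        nonce = secrets.token_bytes(16)
        enc_key, mac_key = self._derive_keys(nonce)
        stream = self._keystream(enc_key, nonce, len(plaintext))
        ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
        tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
        self._items[token] = (self._clock() + ttl_seconds, nonce, ciphertext, tag)
        return token

    def take(self, token: str):
        """Read a secret exactly once. Returns None if unknown, expired or tampered."""
        item = self._items.pop(token, None)   # pop first: any read attempt burns it
        if item is None:
            return None
        expires_at, nonce, ciphertext, tag = item
        if self._clock() >= expires_at:
            return None
        enc_key, mac_key = self._derive_keys(nonce)
        expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None
        stream = self._keystream(enc_key, nonce, len(ciphertext))
        return bytes(c ^ k for c, k in zip(ciphertext, stream))

    def purge_expired(self) -> int:
        """Background sweep for secrets nobody ever opened; returns the count removed."""
        now = self._clock()
        dead = [t for t, item in self._items.items() if now >= item[0]]
        for t in dead:
            del self._items[t]
        return len(dead)


if __name__ == "__main__":
    store = SecretStore(secrets.token_bytes(32))
    link = store.put(b"hello", ttl_seconds=600)
    print("share this:", "https://skeeper.example/s/" + link)   # constructed host name
    print("first read:", store.take(link))
    print("second read:", store.take(link))
```

Two details carry the security weight: `take` pops the entry before it checks anything, so a read attempt with a valid token always burns the secret, and the token is never used as key material, so a database dump without the master key yields only ciphertext. An expired secret is also removed on the first attempt to open it, and `purge_expired` covers the ones nobody ever opens.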

You can try out a working App Service deployment of SecretKeeper here:

https://skeeper.azurewebsites.net/

I finally made the last adjustments to call it the 1.0 release, but there are many exciting features I would like to add to the tool – for example, additional protections such as a password, or login with your SSO account to make it Enterprise-ready (chuckles). Anyway, help is welcome, just check the list of open issues.

New way of managing on-prem Windows servers securely – Project Honolulu

Project Honolulu – a new tool that puts a UI on top of PowerShell/WMI capabilities for managing your servers securely.

I don’t have to explain why connecting to a remote server with RDP is a really, really bad security practice. By default, Windows has no timeout on a disconnected RDP session. In fact, after you close your RDP session, your user (some kind of admin, right?) stays logged in to the server and God knows what happens when you aren’t watching! For example, anyone who gains access to the same server as a non-privileged user can dump in-memory credentials and steal your remote session (e.g. with the help of the infamous Mimikatz tool).

How to mitigate this problem? Don’t connect to servers with RDP. Ever! Microsoft believes the solution is using WMI (Windows Management Instrumentation) via PowerShell. At least it protects you from those guys who wait on the server for you to log in and steal your credz. Sounds great, but I want my GUI back, right?
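Before you can enforce “no RDP, ever”, it helps to know how many abandoned sessions are already sitting on your servers. The following is an added Python example (not part of the original post or of Project Honolulu) that parses the output of the Windows `quser` command and flags disconnected sessions that have been idle longer than a threshold. The sample output is constructed for the example; the function names and the default 60-minute threshold are assumptions.

```python
"""Detect lingering disconnected RDP sessions from `quser` output (added
example; the sample output below is constructed, not captured from a real host).

`quser` (query user) prints one row per logged-on session with a STATE column
("Active"/"Disc") and an IDLE TIME column. A "Disc" row with a large idle time
is exactly the abandoned admin session the post warns about."""

SAMPLE_QUSER_OUTPUT = """\
 USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME
 srvadmin                                  2  Disc         3:42  1/15/2019 9:03 AM
>helpdesk              rdp-tcp#1           3  Active          .  1/15/2019 10:12 AM
 backupop                                  4  Disc      2+05:10  1/13/2019 8:00 AM
 dba                                       5  Disc            7  1/15/2019 11:50 AM
"""


def parse_idle_minutes(value: str) -> int:
    """IDLE TIME appears as '.', 'none', 'M', 'H:MM' or 'D+HH:MM'."""
    if value in (".", "none"):
        return 0
    days = 0
    if "+" in value:
        day_part, value = value.split("+", 1)
        days = int(day_part)
    if ":" in value:
        hours, minutes = value.split(":", 1)
        return days * 1440 + int(hours) * 60 + int(minutes)
    return days * 1440 + int(value)


def parse_quser(text: str) -> list:
    """Parse quser rows. Columns are whitespace-aligned and SESSIONNAME may be
    blank, so fields are located from the right: LOGON TIME is the last 3
    tokens (2 in locales without AM/PM), preceded by IDLE TIME, STATE and ID."""
    sessions = []
    for line in text.splitlines()[1:]:          # first line is the header
        tokens = line.split()
        if not tokens:
            continue
        n_logon = 3 if tokens[-1].upper() in ("AM", "PM") else 2
        if len(tokens) < 4 + n_logon:
            continue                            # not a session row
        base = len(tokens) - n_logon            # index just past IDLE TIME
        sessions.append({
            "user": tokens[0].lstrip(">"),      # '>' marks the session running quser
            "session": tokens[1] if base - 3 == 2 else "",
            "id": int(tokens[base - 3]),
            "state": tokens[base - 2],
            "idle_minutes": parse_idle_minutes(tokens[base - 1]),
            "logon": " ".join(tokens[base:]),
        })
    return sessions


def lingering_disconnected(text: str, max_idle_minutes: int = 60) -> list:
    """Disconnected sessions idle longer than the threshold: candidates to log off,
    and evidence that a disconnect time limit should be enforced by policy."""
    return [s for s in parse_quser(text)
            if s["state"].lower().startswith("disc")
            and s["idle_minutes"] > max_idle_minutes]


if __name__ == "__main__":
    for s in lingering_disconnected(SAMPLE_QUSER_OUTPUT):
        print(f"{s['user']:12} id={s['id']} idle={s['idle_minutes']}min logon={s['logon']}")
```

On a real host you would feed it the output of `quser` (or `quser /server:NAME`) and log off the offenders with `logoff <id>`; the lasting fix is the Group Policy setting “Set time limit for disconnected sessions” under Remote Desktop Session Host, Session Time Limits, which closes the window the post describes.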

Luckily, we’ve just got a tool for it – Project Honolulu. It executes PowerShell WMI commands in the backend and exposes the framework’s capabilities through a lean (and flat, of course!) UI. It allows you to perform most of the operations you would typically do over RDP. Hyper-V and failover clusters are also supported.

At the moment the tool is in Technical Preview, but “it works perfectly in my environment” (c). Download it here.

Some screenshots from my Honolulu:

[Screenshot: honolulu]

[Screenshot: honolulu2]

It covers most common operations such as modifying firewall rules, local groups, checking logs, registry, resource utilization, installing new roles and features, and so much more!

Have fun!

Pandora FMS server with docker-compose

Docker Compose is amazing: this tool lets you literally deploy complex clusters of containers with one command. Previously, I had a seamless experience running ELK (Elasticsearch, Logstash, Kibana) with docker-compose, and now I decided to give Pandora a try with it.

Pandora FMS is a great tool for monitoring and securing infrastructure, since it provides insights into anomalies that may happen on your servers. And it is open source and free!

To start with, I found the 3 containers required to run the Pandora Server on Pandora FMS’s Docker Hub: a MySQL DB instance initialized with the Pandora DB, the Pandora Server, and the Pandora Console.

All the deployment magic happens within each container; my task was only to create some infrastructure and orchestration for them with the help of docker-compose.

I put the result on GitHub – pandora-docker-compose.

Here is a quick overview of what it does:

  • Creates a dedicated network and assigns IPs to containers
  • Configures Postfix for sending emails to admins (in the default container it was not working)
  • Synchronizes time with Docker host
  • Maps Pandora DB files to local host folder so that you can back them up and restore

Extract ISO without mounting it

I’ve spent a lot of time looking for the easiest way to unpack an ISO image file under Linux without mounting it (mounting requires root privileges).

The solutions you find on the Internet describe various tools – one option is to install p7zip and p7zip-plugins (which is OK), others are custom tools which I wouldn’t like to depend on in my configuration.

However, there is not much information about bsdtar, which is an excellent replacement for the common tar tool and also lets you unpack ISO images with:

$ bsdtar xvf image.iso