Secure sockets implementation - security

I am very new to networking. I am working on an old codebase from 2003 with a friend, and we are having some issues with packet spoofing and packet replay attacks. We have a client and server infrastructure using Winsock 2 and overlapped I/O, from what I can understand. What would be a relatively quick and easy way to add security without completely rewriting that part of the codebase?

DAST security scanning of an IoT NodeMCU ESP8266 Lua script www HTML server connected to camera and A/C relay

I have not, but shall DAST* security test, out of curiosity, an IoT device: a NodeMCU ESP8266 www server I built. It's showing an HTML page (on a mobile phone, for example) that allows one to control and interact with a camera module and an A/C relay. With it I can, for example, show images captured by the camera (I even think it has some image recognition built in), and I can switch on and off a relay for electrical current to a light bulb (110/220V A/C power).
Before I start the pentest I thought I had better start thinking about what types of exploits one would be able to find and detect. Which sinister exploits will I be able to find, or rather ought to be able to find, given a proper pentest exercise? (And if I do not find exploits, my approach to the pentest of the IoT device might be wrong.)
I ponder whether it might be a totally pointless exercise, since the ESP8266 www server (or rather its Lua programming libraries) might not have any security built into it, so basically it is "open doors" and everything about it is unsafe?
The test report might just conclude what I can already foresee, namely that "user input needs to be sanitized"?
Does anyone have any idea what such a pentest of a generic IoT device generally reports?
Maybe it is possible to crash or reset the IoT device? Buffer overruns, XSS, calling own code?
I might use ZAP or Burp Suite or a similar DAST security test tool.
I could of course SAST test it instead, or too, but I think it will be hard to easily find a static code analyzer for the NodeMCU libraries and Lua scripting language? I found some references here though: https://ieeexplore.ieee.org/abstract/document/8227299 but it seems to be a long read.
So if someone just has a short answer on what to expect in a DAST scan/pentest, it would be much appreciated.
Stay safe and secure out there !
Zombieboy
I do my vulnerability scanning with OpenVAS (I assume this is what you mean by pentesting?). I am not aware of any IoT-focused tools.
If your server is running on an ESP8266, I would imagine that there is not much room for authentication and encryption of HTTP traffic, but correct me if I am wrong.
Vulnerability scan results might show things like unencrypted HTTP traffic, credentials transmitted in cleartext (if you have any credential fields in the pages served by the web server), etc. Depending on whether there is encryption, you might also see weak encryption findings.
You might get some false positives from your Lua web server reacting like other known web servers when exploits are applied. I have seen this kind of false positive especially on DoS vulnerabilities, when a vulnerability scan is testing a vulnerability and the server becomes unresponsive. Depending on how invasive your vulnerability scanner is, you might get a lot of false positives for DoS on such a constrained platform.

Domain argument to socket() and socketpair()

I've been studying Linux socket programming recently, and the concepts are still swirling and unsettled in my head. Can someone confirm or correct my understanding of the domain argument to socket() and socketpair(): one should choose PF_LOCAL (or PF_UNIX) if one wants the socket communication to be strictly within the same computer, and one should choose PF_INET if the socket communication is meant to be between different computers -- is that correct?
No, it's the communications domain you want to use. See the man page for socket. For example, AF_INET means v4 internet protocols, AF_INET6 means v6 internet protocols, AF_APPLETALK means AppleTalk, and so forth. You almost certainly want AF_INET or AF_INET6.
Whether the other program you'll be communicating with is on the same machine or not isn't really relevant since you can communicate with the local host just fine using internet protocols.
However, there is a small performance penalty associated with using the internet domain protocols. If your application will be connecting only with other applications on the same machine, using the AF_LOCAL/AF_UNIX domain will be faster and will offer you some additional advantages such as file-level security controls on the sockets. Just be aware that you won't be able to use your code between different computers without modifying it if you go that route.
A good discussion of the pros and cons of this choice can be found here.
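As an added example (not from the original question or answer), here is what the choice above looks like in code: a listening AF_UNIX (PF_LOCAL) socket whose socket file is restricted to the owning user via the umask, and a socketpair(), which exists only in the local domain. The socket path under /tmp is an assumption for the example.

```c
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <sys/stat.h>

/* Create a listening AF_UNIX socket at `path` whose socket file is
 * created mode 0600, so only the owning user can connect to it. This is
 * the "file-level security control" the local domain gives you; apart
 * from the domain and address type, the API is the same as AF_INET. */
int make_local_listener(const char *path) {
    struct sockaddr_un addr;
    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    memset(&addr, 0, sizeof addr);
    addr.sun_family = AF_UNIX;
    strncpy(addr.sun_path, path, sizeof addr.sun_path - 1);
    unlink(path);                      /* remove a stale socket file */
    mode_t old = umask(0177);          /* 0777 & ~0177 == 0600 */
    int rc = bind(fd, (struct sockaddr *)&addr, sizeof addr);
    umask(old);
    if (rc < 0 || listen(fd, 1) < 0) { close(fd); return -1; }
    return fd;
}

/* Permission bits of the socket file (e.g. 0600), or -1 on error. */
int socket_file_mode(const char *path) {
    struct stat st;
    if (stat(path, &st) < 0) return -1;
    return (int)(st.st_mode & 0777);
}

/* socketpair() only works in the local domain: it yields two already
 * connected endpoints with no address at all, handy between a parent
 * and its forked child. Returns bytes read back, or -1 on error. */
int socketpair_roundtrip(const char *msg) {
    int sv[2];
    char buf[64];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    ssize_t n = write(sv[0], msg, strlen(msg));
    if (n >= 0) n = read(sv[1], buf, sizeof buf);
    close(sv[0]);
    close(sv[1]);
    return (int)n;
}
```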

SSL Socket Communication in CGI a good idea?

I would like there to be a way to communicate between an Apache server and an application running on a Linux laptop.
The only way I can think of doing this is using SSL sockets in a CGI Python or Perl script. Is this a good idea by any chance?
The Apache server and the application are on the same machine, so perhaps having encryption might not be a big deal, since an attacker would need to gain physical access to hack the process. On the other hand, it is connected to the network and could possibly be sniffed.
Is encryption needed in such a case? Could an attacker sniff the data in that case?
Also, if this is indeed a good idea, does anyone have resources on how to implement SSL sockets with Perl or Python?
If you are using the loopback address (localhost or 127.0.0.1), I don't think it can be sniffed on the network, since it doesn't go beyond your interface card. So encryption is not a concern here.
For the second part, the following is an SO example Python client, though you can find tons anyway.
Another thing is, being on Linux, you can simply connect via the shell too. Just use netcat, i.e. nc. You can send any text to the server as well as read back using this command-line application.
Don't reinvent the wheel.

Using IPsec to secure traffic

I have a client server environment and would like to secure the network traffic using IPsec. What is involved to get this implemented? The application is working fine, I just need to secure the traffic between computers.
What do I need - certificates on each computer for example? Do I need to make changes to the socket read/write code?
Since IPSec is implemented at the IP level, your application does not need to be changed for IPSec (and it will not notice anything about it).
What exactly is needed for IPSec depends - but you'd be better off asking this question on serverfault.

How to implement web services on an embedded device?

We have an embedded device that needs to interact with an enterprise software system.
The enterprise system currently uses many different mechanisms for communication between its components: ODBC, RPC, a proprietary protocol over TCP/IP, and it is moving to .Net-implemented web services.
The embedded device runs a flavor of *nix, so we're looking at what the best interaction mechanism is.
The requirements for the communication are:
Must run over TCP/IP.
Must also run over RS-232 or USB.
Must be secure (e.g. HTTPS or SSL).
Must be capable of transferring ~32MB of data.
Our current best option is gSOAP.
Does anyone out there in SO-land have any other suggestions?
Edit: Steven's answer gave me the most new pointers. Thanks to all!
You can define RESTful services that use HTTPS (which uses TCP/IP by definition) and are capable of transferring any amount of data.
The advantage of REST over SOAP is that REST is simpler. It can use JSON instead of XML which is simpler.
It has less overhead than the SOAP protocol.
Can't you just use SSL over TCP?
If you have some kind of *nix (may I guess? It's either QNX or embedded Linux, right?) it should work pretty much out of the box via Ethernet, USB and RS232. Keep things simple.
32MB is plenty of memory for this task. I would allocate between 2 and 4MB of memory for networking & encryption (code + data).
It's not really clear why you want to tie this to a remote-procedure-call protocol like SOAP. Are there other requirements you aren't mentioning?
In general, though, this sort of thing is handled very easily using normal web-based services. You can get very lightweight http processors written in C; see this Wikipedia article for comparisons of a number of them. Then a REST interface will work fine. There are network interfaces that treat USB as a TCP connection, as well.
If you must be able to run over RS232, you might want to look elsewhere; in that case, something like sftp might do better. Or write a simple application-layer protocol that you can run over an encrypted connection.
If you are going to connect your application using RS232, I assume that you will be using PPP to connect the device to the internet. The amount of data that you are proposing to transfer is somewhat worrisome, however. Most RS232 connections are limited to 115200 baud which, ignoring the overhead required for TCP/IP/PPP framing, is going to yield a transfer rate of at most 11,000 bytes per second. This implies that it will take a minimum of approximately 2800 seconds, or 46 minutes, to make whatever transfer you intend.