
How to Autosign git commits

In light of the recent PHP Git server situation, teams are doubling down on signing commits. Signing your commit with your GPG key lets your team know that the code came from the person whose name is on the commit and that it has not been tampered with.

Normally you would just use:

git commit -S -m 'My Git message'

This will prompt you for the GPG passphrase and sign your commit. As developers, though, we like to automate things. Well, I know I do. Here is how you autosign your commits.

First you need your GPG key. Mine shows up in the output below the sec line and above the uid.

 gpg --list-secret-keys --keyid-format LONG

Next, set the signingkey and gpgsign value in the git config:

git config --global user.signingKey XXXXXXX
git config --global commit.gpgSign true

Replacing XXXXXXX with your GPG key ID, of course.
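As an added example (not part of the original post), this script pulls the long key ID out of the gpg listing above, checks that it really is the 16-digit long form, and only then writes the two settings; the gpg output, key IDs and e-mail address are constructed, and configure_git_signing assumes git is on the PATH:

```shell
#!/bin/sh
# Added example (not from the original post): pick the long key id out of
# `gpg --list-secret-keys --keyid-format LONG` output and check it before
# handing it to `git config`. All key material below is constructed.

SAMPLE_GPG_OUTPUT='sec   rsa4096/3AA5C34371567BD2 2021-01-01 [SC]
      D4C9A5D1E5F0B8A7C6D5E4F3A2B1C0D9E8F7A6B5
uid                 [ultimate] Example Dev <dev@example.com>
ssb   rsa4096/42B317FD4BA89E7A 2021-01-01 [E]'

# The signing key id is the hex after the slash on the "sec" line (the primary
# key), not the 40-char fingerprint under it and not the "ssb" encryption subkey.
extract_signing_keyid() {
    printf '%s\n' "$1" | awk '$1 == "sec" { split($2, p, "/"); print p[2]; exit }'
}

# Accept only a 16-hex-digit long id: 8-digit short ids are cheap to collide,
# which is why the listing above uses --keyid-format LONG.
valid_long_keyid() {
    printf '%s' "$1" | grep -Eq '^[0-9A-Fa-f]{16}$'
}

# Writes the two settings from the post into the git config file given as $2
# (pass ~/.gitconfig for the --global behaviour); needs git on the PATH.
configure_git_signing() {
    keyid=$1; cfg=$2
    valid_long_keyid "$keyid" || { echo "not a long key id: $keyid" >&2; return 1; }
    git config --file "$cfg" user.signingKey "$keyid" &&
    git config --file "$cfg" commit.gpgSign true
}

# Self-check on the constructed listing.
keyid=$(extract_signing_keyid "$SAMPLE_GPG_OUTPUT")
valid_long_keyid "$keyid" && echo "signing key id: $keyid"
```

After the next commit, `git log --show-signature -1` shows whether the signature was made and verifies against the key.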

I hope this helps!


How to patch Sudo

CVE-2021-3156: Heap-Based Buffer Overflow in Sudo (Baron Samedit) made itself known over the past few days, and admins everywhere are rushing to patch it. I'll skip the analysis (watch the video below for that) and get right to patching.

To verify your version:

sudo --version

1.8.31 is vulnerable.

Go to https://www.sudo.ws/sudo.html and download the latest release tar.gz. As of right now, the latest is sudo 1.9.5p2.

Once downloaded, de-compress with

tar -xzvf <filename>

cd into the created directory, “sudo-1.9.5p2” in this case.

Run:

./configure

then

make && sudo make install

Once this has completed you must reload your shell in order to see that the new version has been installed. You can type

bash

and then

sudo --version
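As an added example (not from the post or the sudo project), this script reads the version out of `sudo --version` output and compares it against the ranges the sudo advisory lists for CVE-2021-3156, so the check also works for hosts on other 1.8.x, 1.9.x or 1.7.x builds; the sample output is constructed:

```shell
#!/bin/sh
# Added example (not from the post or the sudo project): read the version out of
# `sudo --version` output and compare it against the ranges the Baron Samedit
# advisory lists, rather than eyeballing a single version string.

# Constructed sample of `sudo --version` output from an unpatched host.
SAMPLE_SUDO_OUTPUT='Sudo version 1.8.31
Sudoers policy plugin version 1.8.31
Sudoers file grammar version 46
Sudoers I/O plugin version 1.8.31'

# Only the first line ("Sudo version X.Y.Z[pN]") carries the binary's version.
sudo_version_from_output() {
    printf '%s\n' "$1" | awk '$1 == "Sudo" && $2 == "version" { print $3; exit }'
}

# Map "1.9.5p2" to one comparable integer (major, minor, patch, optional pN),
# so that "1.9.5p2" sorts after "1.9.5" and "1.8.31p2" after "1.8.31".
sudo_version_key() {
    printf '%s' "$1" | awk -F'[.p]' '{ printf "%d", $1*1000000000 + $2*1000000 + $3*1000 + $4 }'
}

# Affected per the sudo advisory: 1.7.7-1.7.10p9, 1.8.2-1.8.31p2 and 1.9.0-1.9.5p1;
# 1.9.5p2 (the release the post installs) is the first fixed version.
sudo_version_vulnerable() {
    k=$(sudo_version_key "$1")
    { [ "$k" -ge "$(sudo_version_key 1.7.7)" ] && [ "$k" -le "$(sudo_version_key 1.7.10p9)" ]; } ||
    { [ "$k" -ge "$(sudo_version_key 1.8.2)" ] && [ "$k" -le "$(sudo_version_key 1.8.31p2)" ]; } ||
    { [ "$k" -ge "$(sudo_version_key 1.9.0)" ] && [ "$k" -le "$(sudo_version_key 1.9.5p1)" ]; }
}

# Check the binary the current shell resolves. A build from the tarball installs
# to /usr/local/bin beside the distro's /usr/bin/sudo; which one the shell picks
# depends on PATH order and its command hash (why the post says to reload it).
if command -v sudo >/dev/null 2>&1; then
    v=$(sudo_version_from_output "$(sudo --version 2>/dev/null)")
    if [ -n "$v" ] && sudo_version_vulnerable "$v"; then
        echo "$(command -v sudo) is sudo $v: affected by CVE-2021-3156"
    elif [ -n "$v" ]; then
        echo "$(command -v sudo) is sudo $v: not in the affected ranges"
    fi
fi
```

`hash -r` clears the shell's command hash without starting a new shell, which is enough for `sudo --version` to pick up the freshly installed binary.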

Big thanks to John Hammond for this video on the process.

JetBrains software TeamCity possibly used in SolarWinds hack

In a New York Times article released on January 6, 2021, JetBrains and their Continuous Integration / Continuous Deployment (CI/CD) application TeamCity were confirmed to be used by recently hacked software company SolarWinds. JetBrains has officially denied any involvement or investigation from the government in this issue.

Officials are investigating whether the company, founded by three Russian engineers in the Czech Republic with research labs in Russia, was breached and used as a pathway for hackers to insert back doors into the software of an untold number of technology companies. 

https://www.nytimes.com/2021/01/06/us/politics/russia-cyber-hack.html

This raises the question: was a known vulnerability used, or could this be another 0-day, possibly offered by the elusive Shadow Brokers? Taking a look at released CVEs for TeamCity, one gets the understanding that XSS and Remote Code Execution are very common threat vectors used when compromising TeamCity.

https://www.cvedetails.com/vulnerability-list/vendor_id-15146/product_id-30795/Jetbrains-Teamcity.html

“JetBrains said on Wednesday that it had not been contacted by government officials and was not aware of any compromise. The exact software that investigators are examining is a JetBrains product called TeamCity, which allows developers to test and exchange software code before its release. By compromising TeamCity, or exploiting gaps in how customers use the tool, cybersecurity experts say the Russian hackers could have inconspicuously planted back doors in an untold number of JetBrain’s clients.”

Even though no contact had been made by government officials, a system like TeamCity, when implemented properly, is by nature involved 100% in the development and deployment of their software. Any vulnerability allowing remote code to be executed would be subject to investigation.

https://nvd.nist.gov/vuln/detail/CVE-2019-15848

Cryptocurrency Users Targeted in Cross-Platform ElectroRAT Malware

Using Pastebin unique visitor counts for tracking, over 6,500 victims are estimated to be affected since the detection of this malware in December. These numbers may be off and will definitely grow in the coming days.

Called ElectroRAT by Intezer, the RAT is written from ground-up in Golang and designed to target multiple operating systems such as Windows, Linux, and macOS.

https://thehackernews.com/2021/01/warning-cross-platform-electrorat.html

“Cybersecurity researchers today revealed a wide-ranging scam targeting cryptocurrency users that began as early as January last year to distribute trojanized applications to install a previously undetected remote access tool on target systems,” The Hacker News reports.

“ElectroRAT is the latest example of attackers using Golang to develop multi-platform malware and evade most antivirus engines,” the researchers said.

“Jamm”, “eTrade”, and “DaoPoker” are the applications at the heart of this threat. These apps gain access to your information by masquerading as cryptocurrency poker platforms. The proliferation of these malicious applications is not siloed to social media such as Twitter or WhatsApp; they have also been found on trusted sites such as Bitcointalk and SteemCoinPan.

Once installed, the app runs hidden as “mdworker” with full functionality to capture keystrokes, take screen captures, and upload/download files, leaving the host system open to whatever order is given by the C2 server. The biggest concern to researchers is the choice of Golang as the base language, which largely allows the malicious nature of these applications to go undetected by traditional malware defense systems.

“It is common to see various information stealers trying to collect private keys to access victims wallets. However, it is rare to see tools written from scratch and targeting multiple operating systems for these purposes.” — The Hacker News


Stop spammers commenting on WordPress media files

A website I worked on last year recently had a wave of media spam comments hit my inbox. There is no easy way within WordPress to turn off commenting for media items, especially if you have >100 items and just want it DONE! The solution I found was a quick SQL query:

UPDATE `wp_posts` SET `comment_status` = 'closed' WHERE `post_type` = 'attachment' AND `comment_status` = 'open';

Super simple (if you have command line mysql or PHPMyAdmin). Hope this helps!
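As an added example (not code from the original post), this shell script derives the query above from the table prefix actually configured in wp-config.php (not every site uses wp_), refuses a prefix that is not a plain identifier before splicing it into a table name, and produces a count query to run first; the wp-config.php fragment is constructed, and the final comment assumes a mysql client with credentials in ~/.my.cnf:

```shell
#!/bin/sh
# Added example (not from the original post): generate the post's UPDATE for the
# table prefix set in wp-config.php instead of assuming "wp_", and produce a count
# query to run first so the number of rows about to change is known.

# Constructed wp-config.php fragment using a non-default prefix.
SAMPLE_WP_CONFIG="<?php
define( 'DB_NAME', 'wordpress' );
\$table_prefix = 'site1_';
"

# Read $table_prefix from wp-config.php text. The value is spliced into a table
# name, so accept only [A-Za-z0-9_] (what WordPress itself allows for a prefix);
# anything else falls back to the default wp_.
wp_table_prefix() {
    p=$(printf '%s\n' "$1" |
        sed -n "s/^[[:space:]]*[$]table_prefix[[:space:]]*=[[:space:]]*'\([^']*\)'.*/\1/p" | head -n 1)
    if printf '%s' "$p" | grep -Eq '^[A-Za-z0-9_]+$'; then printf '%s' "$p"; else printf 'wp_'; fi
}

# Dry run: how many attachments still accept comments.
close_media_comments_count_sql() {
    printf "SELECT COUNT(*) FROM \`%sposts\` WHERE \`post_type\` = 'attachment' AND \`comment_status\` = 'open';" "$1"
}

# The post's query with the configured prefix substituted.
close_media_comments_sql() {
    printf "UPDATE \`%sposts\` SET \`comment_status\` = 'closed' WHERE \`post_type\` = 'attachment' AND \`comment_status\` = 'open';" "$1"
}

prefix=$(wp_table_prefix "$SAMPLE_WP_CONFIG")
close_media_comments_count_sql "$prefix"; echo
close_media_comments_sql "$prefix"; echo
# Against a live site (mysql client on PATH, credentials in ~/.my.cnf):
#   mysql wordpress -e "$(close_media_comments_sql "$(wp_table_prefix "$(cat wp-config.php)")")"
```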


British court rejects extradition to U.S. of Julian Assange

The U.S. government has been awaiting the British court’s ruling for some time now, and on Monday (1/4/21) the court made its announcement: no extradition for Julian Assange on charges pertaining to illegally obtaining and sharing classified material related to national security.

In a hearing at Westminster Magistrates’ Court today, Judge Vanessa Baraitser denied the extradition on the grounds that Assange is a suicide risk and extradition to the U.S. prison system would be oppressive.

While the government sees this as a setback, many privacy and internet policy advocates are cheering.

The full ruling is available for download and a timeline of Julian’s arrest is a good read to catch up on the situation.


Bitcoin Faucets, too good to be true? 2021 edition

Starting Friday 1/1/2021 I will be tracking my faucet activity on Coinpot and the affiliated Moon[coin] faucets. Crypto faucets are a way of gaining ad revenue for the host in exchange for micro amounts of crypto coins, mainly satoshis, named for the elusive creator of Bitcoin, Satoshi Nakamoto. A satoshi is equal to 0.00000001 bitcoin and must be collected to a value of ~0.0001 before many platforms will allow you to withdraw to a wallet or exchange. Oh yeah, you have to keep these satoshis on a third-party service until you collect enough to “cash out”.

A crypto faucet is a website that will give you satoshis in exchange for viewing ads or completing simple tasks. A satoshi is the smallest trading unit of a coin, worth 0.00000001 BTC in the case of Bitcoin. Crypto faucets exist for most alt coins.

The collection process for you the end user involves solving Captchas for the base level task and through “multipliers” you can increase the satoshi that you receive during the time period established by the faucet or “claim period”.

Moon[coin] offers several sites under the names MoonDogecoin, MoonDashcoin, MoonBitcoin, MoonBitcoinCash, MoonLitecoin, etc. These sites offer a 5 minute claim period and immediately transfer the satoshis to your Coinpot account. Coinpot provides an easy to manage dashboard as well as other offers to increase your gains.

In this experiment I will be using my phone to claim as well as my computer (whichever one I am on); neither offers a benefit over the other. I will be reporting daily and weekly totals for 1 month to see if my time is worth “free bitcoin”. If you want to play along you can sign up with the links below.

CoinPot
Moon Dash
Moon Bitcoin
Moon BitcoinCash
Moon Litecoin
Moon Dogecoin


Linux One-liners

Who doesn’t love a good Linux one-liner? To me they are the epitome of skill. They represent the ability not only to know what command needs to happen but how to initiate it in a very efficient way. For example, one of my favorite commands, which I am telling people about all of the time, is

sudo !!

or “sudo bang bang”. This command runs the last command again but with sudo in front of it. We have all had those moments where we want to edit a file but get hit with a permissions error for not being root. Instead of re-typing the full command, just hit ‘sudo !!’ and you’re golden. For more great one-liners check out this great resource at linuxcommandlibrary.com. Here are a few more useful Linux one-liners.

Remove all spaces from all files in current folder
>_ rename 's/ //g' *
Find Duplicate Files (based on size first, then MD5 hash)
>_ fdupes -r .
Fix Ubuntu's Broken Sound Server
>_ sudo killall -9 pulseaudio; pulseaudio >/dev/null 2>&1 &
A function to find the fastest free DNS server
>_ timeDNS() { parallel -j0 --tag dig @{} "$*" ::: 208.67.222.222 208.67.220.220 198.153.192.1 198.153.194.1 156.154.70.1 156.154.71.1 8.8.8.8 8.8.4.4 | grep Query | sort -nk5; }
Number of open connections per IP
>_ netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
Submit command & rewrite original command
>_ <ctrl>+o


How can I prevent SQL injection in PHP?

Preventing SQL injections is a popular topic: #1 on Stack Overflow (for PHP) and also listed in the OWASP Top 10. So what is an SQL injection? The first part, “SQL”, refers to Structured Query Language, which is used in querying databases like MySQL, PostgreSQL or MariaDB. The term is meant as a generalization for any database connected to a web application. “Injection” is defined by OWASP as:

an attacker’s attempt to send data to an application in a way that will change the meaning of commands being sent to an interpreter. For example, the most common example is SQL injection, where an attacker sends “101 OR 1=1” instead of just “101”. 

https://owasp.org/www-community/Injection_Theory

What this means is that while the programmer has written their code to query the database for specific data, the attacker manipulates the query to return different data. The more private the data stored on the server, the more damaging the data the attacker pulls out can be to the company under attack.

As stated in the quote above, the basic example of an attack uses “OR 1=1”. Let me explain how this works. Take an intended query such as “SELECT * FROM USERS WHERE “username” = username” (the first username is whatever is typed in from the web page and the second username is the field in the database). If the code is vulnerable to SQL injection, the attacker appends “OR 1=1” to the username, optionally followed by their own malicious query, “SELECT * FROM CREDIT_CARDS”. The key is that the attacker extends the WHERE clause with “OR” and then the condition “1=1”, which is always “true”. The server compares the user input with the stored usernames as before, but because “OR 1=1” holds for every row, the comparison no longer filters anything and the query returns all users; where the database also accepts a second statement after the first, the appended malicious query runs as well. Hopefully you can see the dangers of attacks like these.

How to prevent SQL Injections in PHP

1) Use prepared statements and parameterized queries.

Prepared statements are SQL statements/queries that are sent to the database server separately from any parameters. This makes it practically impossible for an attacker to inject malicious code. There are two ways to implement this.

  1. PDO

The PHP Data Objects (PDO) extension defines a lightweight, consistent interface for accessing databases in PHP. Using PDO (for any supported database driver):

$query = $pdo->prepare('SELECT * FROM users WHERE name = :name');
$query->execute(['name' => $name]); // the value is bound separately, never spliced into the SQL text
foreach ($query as $row) {
    // Do something with $row
}

2. MySQLi (for MySQL)

$query = $dbConnection->prepare('SELECT * FROM users WHERE name = ?');
$query->bind_param('s', $name); // 's' specifies the variable type => 'string'
$query->execute();
$result = $query->get_result();
while ($row = $result->fetch_assoc()) {
    // Do something with $row
}

If you are using a database other than MySQL, there are database-specific drivers for PDO. PostgreSQL, for example, uses the PDO_PGSQL DSN to connect to the database.

Turning off emulation of prepared statements

By default, PDO’s MySQL driver emulates prepared statements on the client side: PHP itself substitutes the values into the query string before it is sent to MySQL. Turn emulation off when creating the connection so that real, server-side prepared statements are used:

$dbConnection = new PDO('mysql:dbname=wordpress;host=127.0.0.1;charset=utf8', 'user', 'password');

$dbConnection->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
$dbConnection->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

The error mode attribute is not necessary for prepared statements but is advisable and recommended for developers to use. The key to this code is the first setAttribute() line. It tells PDO that we want real prepared statements: once enabled, the statement text and the bound values are no longer combined by PHP before being sent to MySQL but travel separately, so the attacker gets no opportunity to inject malicious code into the query.

You can read more about PHP PDO in order to secure your code.

Twitter Alternatives

Believe it or not, Twitter is not the only way to share your thoughts on the internet. Well, in light of recent behavior we’ve come to understand that Twitter is the adult and we all are the teenagers living under their roof. But just like a teenager, there are ways to get away from these rules. Enter Mastodon. No, not this Mastodon (although, I highly recommend a listen). I’m talking about the lesser known social network that gives the users control. Take a quick peek here and go give Mastodon a Toot!