How is the Mirai botnet’s C&C authenticated?

I was just reading the accepted answer on this post about the Mirai botnet’s C&C communication, and it got me wondering how the attacker is authenticated. Basically, what is preventing someone from “borrowing” (or “stealing”) the botnet from the attacker?

I see from the answer in the post mentioned above that the commands sent from C&C to bot are encrypted (not SSL, but encrypted). That encryption would probably provide some level of authentication as long as the key is kept secret (because the key would be required to issue commands). However, that raises another question… how is the secret shared between C&C and bots?

Can one obtain a file listing from a protected directory when one has not authenticated?

I am monitoring a webdav service that has been probed repeatedly since the beginning of February. The Apache 2.4 httpd server hosts just this one application. Access to the application is only possible over https and is controlled by an .htaccess file. Various directories in the web site directory tree are further restricted by an .htgroup file.

The probes have not actually retrieved any files. All attempts to GET result in a 401 Forbidden code. However, the probe is using actual file names found in the directory tree.

There is no SSH service available on this host except when explicitly, manually enabled, and then only to internal private IP addresses.

My question is: what technique is/was used to discover the file names and directory structure? I have been trying to find a way to accomplish this and I cannot discover it. But clearly, there must be some way this information was obtained by the probing party.
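One check a practitioner would run against the poster's scenario is an access-log sweep for WebDAV methods that succeed without an authenticated user. In Apache, a `Require` placed inside `<Limit GET>` (or `<Limit GET POST>`) restricts only the listed methods; `PROPFIND` and `OPTIONS` fall outside it, and a `PROPFIND` with `Depth: 1` returns the names of everything in a collection without transferring a single file. The following is an added example, not code from the question; the log lines are constructed in the Apache "combined" format and the IPs, paths and user-agents are made up.

```python
import re
from collections import defaultdict

# Apache "combined" access log; the third field is the authenticated user,
# "-" when the request carried no valid credentials.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# WebDAV methods that return names and structure without transferring a file.
LISTING_METHODS = {"PROPFIND", "OPTIONS", "REPORT"}

def parse_line(line):
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec

def find_unauthenticated_listings(lines):
    """Every listing-capable request that had no authenticated user and
    still succeeded (2xx, which includes WebDAV's 207 Multi-Status)."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if (rec["method"] in LISTING_METHODS and rec["user"] == "-"
                and 200 <= rec["status"] < 300):
            hits.append((rec["ip"], rec["method"], rec["path"], rec["status"]))
    return hits

def clients_probing_listed_paths(lines):
    """Clients that obtained an unauthenticated PROPFIND listing and then
    got 401 on a GET for a path inside the listed collection: the pattern
    of someone who learned the names from the listing, not from a file."""
    listed = defaultdict(set)
    suspicious = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "PROPFIND" and rec["user"] == "-" and rec["status"] == 207:
            listed[rec["ip"]].add(rec["path"].rstrip("/") + "/")
        elif rec["method"] == "GET" and rec["status"] == 401:
            if any(rec["path"].startswith(p) for p in listed[rec["ip"]]):
                suspicious.add(rec["ip"])
    return suspicious

# Constructed sample log lines (not from the poster's server).
SAMPLE_LOG = [
    '203.0.113.7 - - [03/Feb/2020:10:01:02 +0000] "OPTIONS /dav/ HTTP/1.1" 200 - "-" "curl/7.64.0"',
    '203.0.113.7 - - [03/Feb/2020:10:01:03 +0000] "PROPFIND /dav/reports/ HTTP/1.1" 207 1843 "-" "curl/7.64.0"',
    '203.0.113.7 - - [03/Feb/2020:10:01:05 +0000] "GET /dav/reports/q4-summary.xlsx HTTP/1.1" 401 381 "-" "curl/7.64.0"',
    '198.51.100.4 - alice [03/Feb/2020:10:05:00 +0000] "PROPFIND /dav/reports/ HTTP/1.1" 207 1843 "-" "Microsoft-WebDAV-MiniRedir/10.0"',
    '198.51.100.4 - alice [03/Feb/2020:10:05:01 +0000] "GET /dav/reports/q4-summary.xlsx HTTP/1.1" 200 20480 "-" "Microsoft-WebDAV-MiniRedir/10.0"',
]

if __name__ == "__main__":
    for hit in find_unauthenticated_listings(SAMPLE_LOG):
        print("unauthenticated listing:", hit)
    print("clients probing listed paths:", clients_probing_listed_paths(SAMPLE_LOG))
```

If the sweep turns up 207 responses with a "-" user, the fix on the server side is to apply the `Require` to all methods (an unqualified `Require valid-user`, or `<LimitExcept GET>` style blocks) rather than only to `GET`, and to check the same for every `.htaccess` in the tree.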

Why authenticated boot and not secure boot?

Context: Secure boot is one of the important elements of Trusted Computing in a computer system. One variety of secure boot is authenticated boot. While secure boot prevents untrusted software from booting, authenticated boot detects untrusted software but does not prevent it from booting.

Questions:

What are the reasons that would encourage deploying authenticated boot in a system rather than secure boot? From my point of view, it makes more sense (from a security point of view) to deploy secure boot.

Are there other varieties of secure boot besides authenticated boot?

Any recommended reading about Trusted Computing and secure boot?

Thanks!
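The difference the question is about can be made concrete with a small model of the two boot styles: measured (authenticated) boot records every stage into a PCR-style register and a log, and a verifier compares the final value later; verified (secure) boot checks each stage against a trust anchor before running it and halts on the first mismatch. The following is an added example, not code from the question or from any firmware. It assumes the TPM PCR convention (32-byte zero register, `new = H(old || H(image))`), uses a digest allow-list as a stand-in for signature verification, and the image bytes are constructed.

```python
import hashlib

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM-style extend: new_pcr = H(old_pcr || measurement)."""
    return sha256(pcr + measurement)

def authenticated_boot(stages):
    """Measured boot: every stage is hashed into the PCR chain and written to
    an event log, but nothing is refused. The device always comes up."""
    pcr = b"\x00" * 32
    log = []
    for name, image in stages:
        m = sha256(image)
        pcr = pcr_extend(pcr, m)
        log.append((name, m.hex()))
    return {"booted": True, "pcr": pcr.hex(), "log": log}

def secure_boot(stages, trusted_digests):
    """Verified boot: each stage is checked against the trust anchor before
    it runs; the first untrusted stage halts the boot. A digest allow-list
    stands in for signature verification against a burned-in public key."""
    executed = []
    for name, image in stages:
        if sha256(image) not in trusted_digests:
            return {"booted": False, "halted_at": name, "executed": executed}
        executed.append(name)
    return {"booted": True, "halted_at": None, "executed": executed}

def attest(pcr_hex: str, golden_pcr_hex: str) -> bool:
    """What a remote verifier does with a quote of the measured value:
    compare it to a known-good value. Tampering is detected after the fact,
    and the verifier (not the device) decides what to do about it."""
    return pcr_hex == golden_pcr_hex

# Constructed stand-ins for firmware images.
GOOD_CHAIN = [
    ("bootloader", b"bootloader v1.2"),
    ("kernel", b"kernel 5.4"),
    ("initrd", b"initrd 2020-02"),
]
TAMPERED_CHAIN = [GOOD_CHAIN[0], ("kernel", b"kernel 5.4 (implant)"), GOOD_CHAIN[2]]
TRUSTED = {sha256(img) for _, img in GOOD_CHAIN}

if __name__ == "__main__":
    golden = authenticated_boot(GOOD_CHAIN)["pcr"]
    tampered = authenticated_boot(TAMPERED_CHAIN)
    print("measured boot of tampered chain booted:", tampered["booted"],
          "attestation passes:", attest(tampered["pcr"], golden))
    print("secure boot of tampered chain:", secure_boot(TAMPERED_CHAIN, TRUSTED))
```

The model shows the operational trade-off behind the question: measured boot never turns an image mismatch into a device that will not start (useful for fleets where a bad update or a key rotation must not brick hardware, and where the policy decision can live in a remote verifier), but it only detects; secure boot stops the untrusted stage, at the cost of needing a trust anchor and a signing process that every legitimate image must go through.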

Secure REST API that only works for users authenticated by App with SSO (OAuth?)

I somehow need to accomplish the following:

  1. User accesses an application written in JavaScript.
  2. Application uses SSO to identify the user who is logged into Windows.
  3. Application obtains the access role for that user for the application.
  4. When the application performs a REST request, only authorized users with a specific role are allowed to retrieve data.

My company uses Windows Active Directory (not Azure) with the Kerberos protocol to manage our users' logins to their computers.

I’m having a hard time wrapping my head around implementing this in this environment. I can’t find any resources or articles that talk about this kind of setup.

I feel OAuth is the right direction but don't know what needs to be built/configured.

  • Do I need a new server running OAuth?
  • Does that server need to connect to the Windows Active Directory?
  • How does the JavaScript application get the secure token used for the REST API?

Is this even possible with this tech stack?

Authenticated users changing personal details

We have a website where users authenticate with a username/password and also have the option of switching on two-factor authentication.

One of the options they have in our application is to amend their home address, which is then immediately updated in our back-office database.

One client has asked for an extra layer of security (their words, not mine) for when the user does this.

We've discussed sending a PIN to the mobile number or email we have recorded for the user. I was wondering what others have implemented (if anything at all!).

Feels a little overkill to me, as they are not changing bank details or any sort of payment instruction.

Thanks
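The PIN-on-change idea in the question is a step-up authentication challenge, and the parts that matter are the ones that are easy to get wrong: the PIN must be bound to the exact change being confirmed (so a code sent for one new address cannot confirm another), stored only as a hash, time-limited, attempt-limited, and single-use. The following is an added example, not code from the question or the poster's site; the TTL, attempt limit and digit count are assumptions, and delivery of the PIN (SMS/email) is outside the block.

```python
import hashlib
import hmac
import secrets
import time

PIN_TTL_SECONDS = 300   # assumption: a 5-minute window
MAX_ATTEMPTS = 3        # assumption: lock the challenge after 3 wrong guesses
PIN_DIGITS = 6

def _hash_pin(pin: str) -> bytes:
    return hashlib.sha256(pin.encode()).digest()

def action_id(user_id: str, field: str, new_value: str) -> str:
    """Bind the challenge to the exact change being authorised, so a PIN
    issued for one new address cannot be used to confirm a different one."""
    digest = hashlib.sha256(new_value.encode()).hexdigest()[:16]
    return f"{user_id}:{field}:{digest}"

def issue_challenge(user_id: str, field: str, new_value: str, now: float = None):
    """Return (pin, record). The pin goes out of band to the contact details
    already on file; only the record is stored server-side, and it holds a
    hash of the pin, not the pin itself."""
    now = time.time() if now is None else now
    pin = f"{secrets.randbelow(10 ** PIN_DIGITS):0{PIN_DIGITS}d}"
    record = {
        "action": action_id(user_id, field, new_value),
        "pin_hash": _hash_pin(pin),
        "expires": now + PIN_TTL_SECONDS,
        "attempts": 0,
        "used": False,
    }
    return pin, record

def verify_challenge(record: dict, submitted_pin: str, user_id: str, field: str,
                     new_value: str, now: float = None):
    """Return (ok, reason). State checks come first, every guess counts as an
    attempt, the comparison is constant-time, and success burns the record
    so the same PIN cannot be replayed."""
    now = time.time() if now is None else now
    if record["used"]:
        return False, "already used"
    if now > record["expires"]:
        return False, "expired"
    if record["attempts"] >= MAX_ATTEMPTS:
        return False, "locked"
    record["attempts"] += 1
    if record["action"] != action_id(user_id, field, new_value):
        return False, "challenge does not match this change"
    if not hmac.compare_digest(record["pin_hash"], _hash_pin(submitted_pin)):
        return False, "wrong pin"
    record["used"] = True
    return True, "ok"

def demo():
    """Walk the success path and the four failure paths on constructed data."""
    now = 1_600_000_000
    results = {}
    pin, rec = issue_challenge("u123", "home_address", "1 New Street", now=now)
    results["first_use"] = verify_challenge(rec, pin, "u123", "home_address", "1 New Street", now=now + 10)
    results["replay"] = verify_challenge(rec, pin, "u123", "home_address", "1 New Street", now=now + 20)
    pin2, rec2 = issue_challenge("u123", "home_address", "1 New Street", now=now)
    results["swapped_value"] = verify_challenge(rec2, pin2, "u123", "home_address", "2 Other Road", now=now + 10)
    pin3, rec3 = issue_challenge("u123", "home_address", "1 New Street", now=now)
    wrong = "000000" if pin3 != "000000" else "111111"
    for _ in range(MAX_ATTEMPTS):
        last_wrong = verify_challenge(rec3, wrong, "u123", "home_address", "1 New Street", now=now + 10)
    results["last_wrong"] = last_wrong
    results["after_lockout"] = verify_challenge(rec3, pin3, "u123", "home_address", "1 New Street", now=now + 10)
    pin4, rec4 = issue_challenge("u123", "home_address", "1 New Street", now=now)
    results["expired"] = verify_challenge(rec4, pin4, "u123", "home_address", "1 New Street", now=now + PIN_TTL_SECONDS + 1)
    return results

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The record would normally live in the session store keyed by user; the important property is that the address update is only written once `verify_challenge` has returned `ok` for that same `new_value`, and that the PIN is sent to the contact details already on file, never to one supplied in the same request.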

Tomcat OIDC Authenticated Realm

I am currently using a Tomcat authenticator implementation (https://github.com/boylesoftware/tomcat-oidcauth). The authenticator is implemented as a Tomcat valve. This implementation still requires a realm to be used; it is currently using the default Tomcat realm, which requires that users be set up in tomcat-users.xml to get a principal.

I am wondering whether, if instead of using the default realm (or any other realm, for that matter) I were to use the Authenticated User Realm org.apache.catalina.realm.AuthenticatedUserRealm in combination with the boylesoftware authenticator, this would still be a secure way to log in a user.

The description of this realm (https://tomcat.apache.org/tomcat-9.0-doc/config/realm.html) states:

AuthenticatedUserRealm is intended for use with Authenticator implementations (SSLAuthenticator, SpnegoAuthenticator) that authenticate the user as well as obtain the user credentials. An authenticated Principal is always created from the user name presented to without further validation.

Note: It is unsafe to use this Realm with Authenticator implementations that do not validate the provided credentials.

The note specifically calls out that Authenticator implementations need to validate credentials, which an IdP server for OIDC would do, so this seems like it would be a valid authenticator to use with this realm.

  • Would this approach be secure?
  • Or would I need to create a custom Tomcat realm that would somehow parse an id_token?
  • How do I remove the need for another connection to a user store?

Accessing Search API from authenticated app

Using SharePoint Online, I discovered that it's possible to perform server-wide searches using the SharePoint Search API. This works brilliantly in my browser: if I am logged in with my account and access https://mycompanytenant.sharepoint.com/_api/search/query?querytext=%27abc%27, I can see all the results there.

I’m trying to use this functionality in a user-consented app. After performing the OAuth2 authorization flow and grabbing a token, performing the same request results in the following:

    statusCode: 401,
    message: '401 - "{\"error_description\":\"Invalid issuer or signature.\"}"',

This is the code used for the request:

    // node module that handles requests as promises (assumed to be request-promise)
    const requestPromise = require('request-promise');
    const bluebird = require('bluebird');

    const requestOptions = {
        url: `https://${tenant}/_api/search/query?querytext='${query}'`,
        headers: {
            'Authorization': 'Bearer ' + this.accountInfo.accessToken
        },
        method: 'GET'
    };

    return requestPromise(requestOptions)
        .catch(error => {
            console.log('sp error: ', error);
            return bluebird.reject(error);
        });

My problem is that, while the access token is fully functional for use in the Graph API (the only other API that my app consumes), it is not being authorized for the search API. I assume this must be an issue with the scopes. So, I have tried configuring all logical scopes for my app (and requesting permission in the app during authentication), and I have even granted admin consent for my app, to be sure. Here are the currently configured resources:

[image: Scopes]

In spite of this, the same error persists. What am I missing? According to the documentation, this should be possible…
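Two of the questions above turn on what a bearer token says about itself and what the receiving API must check before honouring it: the Windows/Active Directory question asks how a REST API can accept only users with a given role, and the SharePoint question gets "Invalid issuer or signature" from one API with a token that another API accepts. An OAuth2 access token in JWT form is signed and carries `iss` (who issued it) and `aud` (which resource it was issued for); a resource server rejects a token whose signature does not verify or whose audience is not itself, and the first diagnostic step on such a 401 is to decode the payload and read those two claims. The following is an added example serving both posts, not code from either question or from Microsoft's libraries. It assumes an HS256 shared secret between the token service and the API (a simplification: AD FS and Azure AD sign with RS256 and publish verification keys), and the issuer, audience, secret and claims are constructed.

```python
import base64
import hashlib
import hmac
import json
import time

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def inspect_claims(token: str) -> dict:
    """Decode the payload WITHOUT checking the signature. For diagnosis only:
    it shows which resource (aud) and issuer (iss) the token was minted for."""
    _, payload_b64, _ = token.split(".")
    return json.loads(b64url_decode(payload_b64))

def verify_hs256(token: str, secret: bytes, issuer: str, audience: str, now: float = None) -> dict:
    """What the REST API (resource server) must do before trusting a bearer token."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":            # never let the token choose the algorithm
        raise ValueError("unexpected alg")
    signing_input = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("invalid signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("invalid issuer")
    aud = claims.get("aud")
    if isinstance(aud, str):
        aud = [aud]
    if audience not in (aud or []):
        raise ValueError("token was not issued for this API")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("token expired")
    return claims

def has_role(claims: dict, role: str) -> bool:
    """Authorization step: the role claim the token service put in the token."""
    return role in claims.get("roles", [])

def mint_hs256(secret: bytes, claims: dict) -> str:
    """Stand-in for the token service, used here only to build sample tokens."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

# Constructed values; none of these are real endpoints or keys.
SECRET = b"shared-secret-between-sts-and-api"   # assumption: HS256 shared key
ISSUER = "https://sts.example.corp/adfs"          # hypothetical issuer
API_AUD = "api://reports"                          # hypothetical API identifier
NOW = 1_600_000_000

def demo():
    good = mint_hs256(SECRET, {"iss": ISSUER, "aud": API_AUD, "sub": "alice",
                               "roles": ["report-reader"], "exp": NOW + 3600})
    # Same user, same issuer, but the token was requested for a different resource.
    wrong_aud = mint_hs256(SECRET, {"iss": ISSUER, "aud": "https://graph.example.com",
                                    "sub": "alice", "roles": ["report-reader"], "exp": NOW + 3600})
    results = {}
    claims = verify_hs256(good, SECRET, ISSUER, API_AUD, now=NOW)
    results["good_has_role"] = has_role(claims, "report-reader")
    results["good_is_admin"] = has_role(claims, "admin")
    try:
        verify_hs256(wrong_aud, SECRET, ISSUER, API_AUD, now=NOW)
        results["wrong_aud"] = "accepted"
    except ValueError as e:
        results["wrong_aud"] = str(e)
    results["wrong_aud_claim"] = inspect_claims(wrong_aud)["aud"]
    # Edit the roles claim of the good token without re-signing it.
    h, p, s = good.split(".")
    forged = b64url_encode(json.dumps({**json.loads(b64url_decode(p)), "roles": ["admin"]}).encode())
    try:
        verify_hs256(f"{h}.{forged}.{s}", SECRET, ISSUER, API_AUD, now=NOW)
        results["forged_roles"] = "accepted"
    except ValueError as e:
        results["forged_roles"] = str(e)
    return results

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

For the AD question, the token service is the piece that turns the Kerberos/Windows identity into a token with a `roles` claim, and the API only ever does what `verify_hs256` and `has_role` do; the JavaScript client never sees the secret. For the SharePoint question, `inspect_claims` on the token that works against Graph shows what audience it carries, which is the fact to compare against what the Search API expects.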

Different front page for anonymous users and authenticated users

I have an app in Drupalgap. I would like to display a different front page for anonymous users and authenticated users, for example /dashboard for the former and /user_listing for the latter.

I have read “Display Different Text for Anonymous and Authenticated Users”, but it is not the same scenario. (/user_listing has ['access user profiles'] as access_arguments.)

I have also tried drupalgap_goto() without success.

How can it be done?

Is it possible to prevent man-in-the-middle attacks in token-based authenticated online games without packet encryption?

I'm creating a home-made MMO server (as a hobby / a way to learn something new). I've decided to use token-based authentication for game traffic.

Many people say that you shouldn't use any kind of packet encryption in the case of authoritative game servers. Every packet should be validated and we should assume that the clients are transparent. I get it.

But what to do about the possibility of network sniffing and man-in-the-middle attacks? If you use token-based authentication, you have to send the token together with the data. The token can be eavesdropped and the attacker can impersonate you. Is there a way to prevent this without using encryption?
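The standard answer to the problem in the question is to authenticate packets rather than encrypt them: keep the token off the wire, derive a per-session key from it at login, and append a MAC over a sequence number plus the payload to every packet. A sniffer then sees every move in plaintext but cannot forge a packet (no key) or replay one (sequence check). The following is an added example, not code from the question or the poster's server; it assumes the login token is issued over a protected channel such as TLS, and the nonces, token and messages are constructed.

```python
import hashlib
import hmac
import secrets
import struct

SEQ_LEN = 8            # big-endian 64-bit sequence number
TAG_LEN = 16           # truncated HMAC-SHA256 tag appended to every packet

def derive_session_key(login_token: bytes, client_nonce: bytes, server_nonce: bytes) -> bytes:
    """Both sides derive the same per-session key from the login token and
    two fresh nonces exchanged at connect time. The token itself never
    travels with game traffic, so a sniffer sees nonces and packets only."""
    return hmac.new(login_token, b"session" + client_nonce + server_nonce, hashlib.sha256).digest()

class Sender:
    def __init__(self, session_key: bytes):
        self.key = session_key
        self.seq = 0

    def pack(self, payload: bytes) -> bytes:
        """seq || payload || HMAC(key, seq || payload). The payload stays plaintext."""
        self.seq += 1
        header = struct.pack(">Q", self.seq)
        tag = hmac.new(self.key, header + payload, hashlib.sha256).digest()[:TAG_LEN]
        return header + payload + tag

class Receiver:
    def __init__(self, session_key: bytes):
        self.key = session_key
        self.last_seq = 0

    def unpack(self, packet: bytes):
        """Return (payload, 'ok') or (None, reason). The tag is checked before
        the sequence number so an unauthenticated sender learns nothing about
        the window from the rejection reason."""
        if len(packet) < SEQ_LEN + TAG_LEN:
            return None, "truncated"
        header, payload, tag = packet[:SEQ_LEN], packet[SEQ_LEN:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(expected, tag):
            return None, "bad tag"
        seq = struct.unpack(">Q", header)[0]
        if seq <= self.last_seq:
            return None, "replay"
        self.last_seq = seq
        return payload, "ok"

def demo():
    """Legitimate traffic, a replayed packet, a tampered packet and a forgery
    by someone who sniffed the nonces but never had the login token."""
    login_token = secrets.token_bytes(32)              # issued at login over TLS (assumed)
    cn, sn = secrets.token_bytes(16), secrets.token_bytes(16)
    key = derive_session_key(login_token, cn, sn)
    client, server = Sender(key), Receiver(key)

    results = {}
    p1 = client.pack(b"move 10 20")
    results["plaintext_visible"] = b"move 10 20" in p1   # no confidentiality, by design
    results["legit"] = server.unpack(p1)
    results["replay"] = server.unpack(p1)                 # sniffed and re-sent
    p2 = client.pack(b"move 11 20")
    tampered = p2[:SEQ_LEN] + b"move 99 99" + p2[-TAG_LEN:]
    results["tampered"] = server.unpack(tampered)
    eve = Sender(derive_session_key(secrets.token_bytes(32), cn, sn))
    results["forged"] = server.unpack(eve.pack(b"move 99 99"))
    results["next_legit"] = server.unpack(p2)             # sequence still advances
    return results

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two caveats that belong with this design: the strictly increasing sequence check drops packets that arrive out of order, so over UDP a sliding-window bitmap (as IPsec and DTLS use) replaces `seq <= last_seq`; and this defeats impersonation and replay by a sniffer, not denial by an active attacker who can drop or delay packets, and it does nothing for confidentiality, which the question accepts.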