Implementing encryption at rest on a remote virtual file system

Imagine I had a virtual file system that I am using to store some data (similar to an FTP). I am trying to figure out a scheme where I can implement encryption at rest for the files local to the file server, but at the same time not reveal a key that could compromise the encrypted data at rest. The user retrieving the files should be (mostly) unaware of any encryption so long as they access the files through a given interface (website or something).

This is sort of a thought experiment on how various encrypted cloud storage providers do this. I’d imagine the simplest possible way is to encrypt the files locally on the server, leave the key on the server, and through an HTTP header the user can provide the password. This can be secured using any sort of standard issue in-transit password security scheme and HTTPS, but my fear would be leaving the key unattended on the server. A would-be attacker could gain access to the key and file system and be able to perform an offline attack on it. This sort of begs the question as to how to secure the key on the local system such that this kind of attack would be more difficult.

It seems impractical to have the user send the key to the server, mostly because they would have to send the password along side it anyway which opens up a potential MITM where the attacker can get both the key and password in one go.

I’ve also thought about various 3-fold encryption schemes but for a file server I don’t believe the idea would work well. Using the classic example of Alice writing a message to Bob, putting a lock on it, Bob receives the message and puts his lock on it and sends it back to Alice, and Alice takes her lock off and sends it back to Bob would not only cause significant overhead, it would defeat the purpose of having the file system itself encrypted at rest and you’d be better off just sending encrypted files back and forth on a normal FTP-type system.

Is there any documentation or papers on how one of these systems could possibly be set up? The key-on-server-send-password method I described above seems ok and I am almost certain there are insecurities in the implementation that would render it useless.

Does accessing a port on a remote server via ssh tunnel improve security?

The idea is the following:

I have a port open (P) on a remote machine (R) with a service application running which is listening on (P). I would like to connect from a client machine to the service application on the remote machine.

Possibility 1:

I leave the port open so I can connect directly from my client via the ip and the port to the service application on the remote machine.

Possibility 2:

I restrict the service application via firewall to localhost and forward (P) with an ssh tunnel to my client machine.

My own conclusion:

If I open the port of the service application across the internet, then I have to trust that it cannot be exploited for remote code execution on (R).

If I use an ssh tunnel, then I only have to trust that the listening ssh port cannot be exploited. The number of open ports is reduced and hence the attack surface (from my point of view). I would still be vulnerable if my client machine was compromised, but I’m accepting that risk anyway when using ssh.

Question:

So my question is, is my conclusion correct? Is it more secure to use an ssh tunnel and forward a port instead of exposing that port directly?

Can a website detect remote operation of a computer?

Sorry if this is a dumb question, but I am not very educated when it comes to security.

I was wondering if a website I am visiting can detect whether or not the computer that is being used is being operated remotely.

For example…

I have two desktops. I use Desktop 1 to remotely operate Desktop 2 through windows’ Remote Desktop Connection. Through this connection, I visit a website on Desktop 2. Would it be possible for the website to detect the fact that Desktop 2 is being remotely operated? (Not detect Desktop 1, but just detect remote operation in general).

Thank you

Does Juniper have an equivalent of ‘show security pki local-certificate’ for remote certificates?

On a Juniper Firewall, the command show security pki local-certificate will give all sorts of detail for a local certificate. (The sort of certificate you would use to stand up an IKE connection)

My question is, is there an equivalent command for the certificate being used by the remote peer to validate themselves?

Or, is the remote peer’s certificate also considered by Juniper to be a ‘local certificate’, even though it’s for the remote peer?

I can see that there is a command ‘show security ike active-peer’ that can be used to get the security associate details.

And that there’s a command show security ipsec security-associations that gives a lot of details, but not, it appears, the details of the remote certificate (I don’t have access to enough equipment to check for myself, I’m afraid)

The page IKE Policy for Digital Certificates on an ES PIC suggests that it’s possible to assign a name to the remote certificate.

To define the remote certificate name, include the identity statement at the [edit security ike policy ike-peer-address] hierarchy level:

[edit security ike policy ike-peer-address]

identity identity-name;

It’s not clear to me if that name can then be used in the same way that the name of a locally stored certificate can be.

Juniper’s introduction to PKI does talk about a “Remote server local certificate”, which suggests that maybe for some purposes, local doesn’t strictly mean local but also includes “remote local certificates”. (Odd concept.)

Remote code execution over WAN

Say I am on a a computer behind a NAT and I want to execute an RCE exploit on another computer behind a different NAT(note that no ports are forwarded to the victim’s computer on his/her NAT) Could I then run an exploit like this(assuming that I already know that the target computer is vulnerable to that exploit) and hope to get a shell, if yes what changes are to be implemented such that the exploit is successful?

Secure GET-based remote API access via PHP

I am programming a way in PHP for my users to be able to access a remote API though my website. I was wondering if any of you had some input on whether or not this was secure (NOT considering any vulnerabilities that may be on the remote system)

$  url = sprintf("https://website.com/?uid=%s", $  _GET["uid"]; $  data = null; $  data = file_get_contents($  url); echo $  data; 

Is this secure? if not, can you explain why?

Note: The site does not return any value that is sent using the uid parameter.

Is it possible to hijack specific e-mail with remote access?

I don’t know exactly how to ask this but I was recently presented with e-mails that look like they came from my e-mail and IP address but I didn’t send them and never saw them. It is a back and forth correspondence with another gmail account. Is it possible someone was able to set up a forwarding without my knowing and make it look like it was coming to and from me? I did find that someone had snuck in AnyDesk and had remote access to my laptop during this time, so they had access to everything.

Remote receivers debugging using azure service bus does not work

After i published app (not sure if related) to app o365 catalog (not store) i cannot debug app installed (or uninstalling) receivers using azure service bus anymore. I even tried removing remote endpoints from app manifest, but it did not help.

I also needed to increment app version in manifest to be able to event attempt debugging as app with same version was already in app catalog.

This is what is in output window

Successfully installed app for SharePoint. Services/AppEventReceiver.svc has been registered on Windows Azure Service Bus successfully. Services/AppEventReceiver.svc has been registered on Windows Azure Service Bus successfully. 

When i click on start, app is uninstalled (if it is previously installed), then installed, then VS gets out of debug mode, then there are messages that service bus has been successfully registered. Then internet explorer starts and VS goes back to debug mode (probably for debugging javascript in IE), but this is after app installed receiver finishes (successfully btw).

Enable debugging via Windows Azure Service Bus is checked in project settings. Connection string to Azure Service Bus is provided. I created Service using powershell so it does support necessary authentication methods. Related web project is also set up in app project properties. Debugging using service bus worked for me on this project before.

Any ideas?