
Security

Interesting things about security in general:

Articles:

Yubikey

warning

There is a vulnerability affecting YubiKeys:

Secure password:

LC_ALL=C tr -dc 'A-Z1-9' < /dev/urandom | \
  tr -d "1IOS5U" | fold -w 30 | sed "-es/./ /"{1..26..5} | \
  cut -c2- | tr " " "-" | head -1
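The same generator as the shell pipeline above, written in Python as an added example (it is not part of the original notes). It uses the secrets module as its CSPRNG, keeps the same alphabet (A-Z and 1-9 minus the confusable glyphs 1IOS5U) and the same 5-symbol dash grouping, and additionally reports how many bits of entropy a password of the chosen length carries, which the shell one-liner does not tell you. The `pick` parameter and the `is_well_formed` helper are my additions for testability.

```python
import math
import secrets
import string

# Same alphabet as the shell pipeline: A-Z plus 1-9, then the glyphs that are
# easily confused when read off paper or aloud (1/I, 0/O, 5/S, U/V) removed.
CONFUSABLE = "1IOS5U"
ALPHABET = "".join(
    c for c in string.ascii_uppercase + "123456789" if c not in CONFUSABLE
)


def generate_password(length: int = 30, group: int = 5, pick=secrets.choice) -> str:
    """Draw `length` symbols from ALPHABET with a CSPRNG and dash them into groups.

    `pick` is injectable only so the output can be checked deterministically;
    leave it at the default (secrets.choice) for real passwords.
    """
    symbols = "".join(pick(ALPHABET) for _ in range(length))
    return "-".join(symbols[i:i + group] for i in range(0, length, group))


def entropy_bits(length: int = 30, alphabet: str = ALPHABET) -> float:
    """Information content, in bits, of a uniformly drawn password of this length."""
    return length * math.log2(len(alphabet))


def is_well_formed(password: str, length: int = 30, group: int = 5) -> bool:
    """Check that a password uses only ALPHABET symbols and the expected grouping."""
    parts = password.split("-")
    symbols = "".join(parts)
    return (
        len(symbols) == length
        and all(len(p) == group for p in parts[:-1])
        and all(c in ALPHABET for c in symbols)
    )


if __name__ == "__main__":
    pw = generate_password()
    print(pw)
    print(f"{entropy_bits():.1f} bits of entropy from a {len(ALPHABET)}-symbol alphabet")
```

With the default 29-symbol alphabet, 30 symbols give roughly 145.7 bits, far beyond what any online or offline guessing attack can cover; dropping the six confusable glyphs costs only about 0.3 bits per symbol, so the readability gain is essentially free.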

Configuration notes

  • Do not run keytocard on your primary key; it should stay safe on your backup media.
  • Always!!! back up your $GNUPGHOME before running keytocard - quitting without saving will still drop your keys anyway.
  • Lint your PGP key with hokey (from hopenpgp-tools): gpg --export <KEYID> | hokey lint

Error at adding key to agent:

⋅⋅➤ ssh-add id_ed25519
Enter passphrase for id_ed25519:
Could not add identity "id_ed25519": agent refused operation

Check that the pinentry-program path in ~/.gnupg/gpg-agent.conf is correct, e.g. pinentry-program /opt/homebrew/bin/pinentry-mac

Quick commands

gpg --batch --generate-key gen-params-ed25519
gpg --quick-add-key $KEYID ed25519 sign 1y
gpg --quick-add-key $KEYID ed25519 auth 1y
gpg --quick-add-key $KEYID cv25519 encrypt 1y

Bitwarden Desktop - ssh key management

doc: https://bitwarden.com/help/ssh-agent

TL;DR:

  1. Open Bitwarden Desktop, go to Settings and activate "Enable SSH-Agent"
  2. Create an SSH key entry in Bitwarden (it is enough to paste the private key content)
    1. \cat id_ed25519 | pbcopy
  3. Set the env var export SSH_AUTH_SOCK=/Users/<user>/Library/Containers/com.bitwarden.desktop/Data/.bitwarden-ssh-agent.sock (it needs to be present in your shell, so add it to your .zshrc)
  4. Edit your .ssh/config and set IdentityFile ~/.ssh/id_ed25519.pub, so that the .pub key file is used to reference the private key held by your SSH agent

To list all available ssh keys, use ssh-add -L

Security quote

Security is a team sport, and accelerating SFI isn’t just job number one for our security teams – it’s everyone’s top priority and our customers’ greatest need. If you’re faced with the tradeoff between security and another priority, your answer is clear: Do security. In some cases, this will mean prioritizing security above other things we do, such as releasing new features or providing ongoing support for legacy systems. This is key to advancing both our platform quality and capability such that we can protect the digital estates of our customers and build a safer world for all. - Satya

Source: Microsoft(😆) Blog

Passwords

Rotation

warning

A policy that forces periodic password rotation is itself a security finding in audits, as both NIST and BSI have classified it.

NIST SP 800-63 Digital Identity Guidelines

  1. Authenticator and Verifier Requirements 3.1.1.2 Password Verifiers
    1. […]
      1. Verifiers and CSPs SHALL NOT require users to change passwords periodically. However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.

Source: nist

ORP.4 Identity and Access Management

  1. ORP.4.A23 Rules for password-processing applications and IT systems (B) [IT Operations]: IT systems or applications SHOULD ONLY prompt for a password change when there is a valid reason.

Source: BSI

Pentest

Polyglot files

With a polyglot file you can bypass a file upload that restricts file types.

cat beispiel.pdf beispiel.zip > polyglot-pdf.zip

This zip file will be recognized as a PDF file:

$ file polyglot-pdf.zip
polyglot-pdf.zip: PDF document, [...]

If a backend only checks the content type, the file still passes as a PDF. If you then download it, save it as a .zip file and extract it, you get the files contained in the zip archive.
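To make that failure mode concrete from the defender's side, here is an added Python example (not from the original notes). It builds the same PDF+ZIP concatenation in memory from constructed sample data, shows that a leading-magic-bytes check (one step stricter than trusting the client's Content-Type header) still reports PDF while the ZIP part is fully readable, and then shows an upload check that rejects any file that parses as more than one format. The minimal PDF bytes are a constructed stand-in, not a real document.

```python
import io
import zipfile

PDF_MAGIC = b"%PDF-"


def make_minimal_pdf() -> bytes:
    """Constructed stand-in for beispiel.pdf: enough structure to carry the PDF magic."""
    return (b"%PDF-1.4\n1 0 obj<</Type/Catalog>>endobj\n"
            b"trailer<</Root 1 0 R>>\n%%EOF\n")


def make_zip(files: dict) -> bytes:
    """Constructed stand-in for beispiel.zip, built in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


def make_polyglot(pdf: bytes, zip_bytes: bytes) -> bytes:
    """Equivalent of `cat beispiel.pdf beispiel.zip > polyglot-pdf.zip`."""
    return pdf + zip_bytes


def magic_says_pdf(data: bytes) -> bool:
    """What a naive filter does: look only at the leading bytes (like `file`)."""
    return data[:len(PDF_MAGIC)] == PDF_MAGIC


def looks_like_zip(data: bytes) -> bool:
    """ZIP is recognized from its end-of-central-directory record at the *tail*,
    which is why a PDF prefix does not hide it."""
    return zipfile.is_zipfile(io.BytesIO(data))


def read_zip_member(data: bytes, name: str) -> bytes:
    """Extract one member; zipfile tolerates prepended data such as the PDF prefix."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.read(name)


def detected_formats(data: bytes) -> list:
    """Every container format the bytes validly parse as, not just the first match."""
    formats = []
    if magic_says_pdf(data):
        formats.append("pdf")
    if looks_like_zip(data):
        formats.append("zip")
    return formats


def accept_upload(data: bytes, expected: str = "pdf") -> bool:
    """Hardened check: accept only if the file parses as exactly the expected format."""
    return detected_formats(data) == [expected]


if __name__ == "__main__":
    poly = make_polyglot(make_minimal_pdf(), make_zip({"note.txt": b"hello"}))
    print("magic says pdf:", magic_says_pdf(poly))          # True
    print("is also a zip:", looks_like_zip(poly))           # True
    print("hidden member:", read_zip_member(poly, "note.txt"))
    print("accepted by hardened check:", accept_upload(poly))  # False
```

The design point is that a whitelist check must establish that the upload is *only* the expected format: checking the head of the file covers PDF, but ZIP (and formats built on it, such as DOCX or JAR) is anchored at the tail, so a parser for each format you care about has to run and a file satisfying more than one of them should be rejected or re-encoded server-side.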

Last change: 2025-06-05, commit: 1ff003f