Jakub Jóźwicki

Oct 18, 2022

How to enumerate own Active Directory groups in Java

A lot of code lines must be written…

import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.net.InetAddress;
import java.net.Socket;
import java.net.UnknownHostException;
import java.security.cert.X509Certificate;
import java.text.MessageFormat;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.Hashtable;
import java.util.List;

Ldap

2 min read



Oct 14, 2022

How to write a very simple Java proxy (which can be compiled to a native Linux ELF) to fix SAML requests

Because sometimes it’s not possible to change the sender and receiver, and you must have a man in the middle.

import java.io.IOException;
import java.io.OutputStream;
import java.net.InetSocketAddress;
import java.net.URI;
import java.net.URLEncoder;
import java.nio.ByteBuffer;
import java.util.Base64;
import java.util.concurrent.atomic.AtomicReference;
import java.util.regex.Pattern;
import java.util.zip.DataFormatException;
import java.util.zip.Deflater;
import java.util.zip.Inflater;
import com.sun.net.httpserver.HttpExchange;
import com.sun.net.httpserver.HttpHandler;
import com.sun.net.httpserver.HttpServer…

Saml

2 min read



Sep 29, 2022

Guacamole doesn’t want to connect to RHEL 9

At the time of writing, Guacamole 1.4.0 as available from DockerHub is built on an old Debian with the old libssh2 1.8.0, which does not support EC cryptography. To be able to use modern SSH we must bake our own guacd container image. I decided to do it one time manually, so the Dockerfile is simplified…

Guacamole

2 min read



Aug 16, 2022

API Security across microservices

The first choice for API security in the microservice architecture is OpenID Connect 1.0 and JWT. It’s important to know that there are many ways to use JWT incorrectly. The JWT created as a result of interactive user authentication is copied to the next (nested) API calls. It’s very easy to copy…

Api Security

4 min read



Jun 23, 2022

Not every security software is created equally

You installed a very cool container security tool on every Kubernetes cluster in your enterprise. Some containers crash or hang, REST calls don’t work. Can we decompile the software to analyze what’s wrong? Yes, provided that we are in the EU (see: https://eur-lex.europa.eu/EN/legal-content/summary/computer-programs-legal-protection.html).

Decompilation

* Prior authorisation from the rights-holder is not…

Decompile

3 min read



May 13, 2022

Microsoft Defender ATP on Linux (in pictures)

Conclusion: Microsoft with its cloud EDR is not yet ready on Linux. Competition has got more mature pro

Edr

2 min read



Apr 28, 2022

How to execute Incident Response script on Kubernetes node using EDR agent in a privileged pod.

Incident Response on an AWS EC2 instance is easy. You need remote access and you just execute the Incident Response script. What about an EC2 instance hosting a Kubernetes node without remote access to the host OS? We can use a privileged pod with the host filesystem mounted.

CONTAINERD=$(ps aux | grep -c "/usr/bin/containerd-shim-runc-v2")
INSIDE_PRIV_CONTAINER=0
[ $CONTAINERD -gt 0…

Incident Response

1 min read



Mar 3, 2022

How to integrate SentinelOne with ForgeRock SSO

ForgeRock is a continuation of Sun Microsystems’ OpenSSO Enterprise (containing technologies from iPlanet/Sun ONE/DSEE, Glassfish AS, etc.). Open source components are available as OpenAM (https://github.com/OpenIdentityPlatform/OpenAM/releases). SentinelOne is a security platform supporting SAML SSO.

Openam

2 min read


1. We need to create a new Realm, then add new Hosted and Remote providers.



Feb 14, 2022

JailVM and Malware Scanning API in AWS

A mature organization uses an internal reusable Malware Scanning API. Besides clamav and standard command-line anti-virus, the Cyber Defence Center can expose a malware detonation sandbox as an API. Malware should not be run in a standard container because it can escape and infect the host. It should be run in the Firecracker or Kata…

Kata

2 min read



Jan 27, 2022

(Introduction to) Simple Cloud Threat Modelling

The observation that people using complex, heavy and formal security frameworks miss and don’t understand very basic security gaps of the modern IT ecosystem led me to the decision to write about the need for simple cloud threat modelling. Well-established security frameworks are very formal and resemble waterfall. In ever…

Cloud Security

7 min read

Jakub Jóźwicki

Cloud Security Engineer
