Tag Archives: Linux

CentOS 8 with IceWM Desktop Environment

2 Replies

CentOS 8 with IceWM Desktop Environment. Do you need CentOS 8 with IceWM as desktop Operating System? Most likely not. Especially if you want it to work smoothly without any worries and troubles. However, if you enjoy playing with new desktop environments, you might find it fun.

CentOS 8 with IceWM desktop environment

My reasons were as follows:

  1. I wanted to use the same Linux distribution for server and desktop. Just to minimize possible surprises during the deployment.
  2. I wanted to know what is going on in the RPM-based part of Linux world. The only way to achieve this is to use such distribution every day.
  3. I was tired of problems with the Virtual Box guest additions in CentOS 7 (yes , I run it all as a virtual machine), especially after the 3.10 kernel updates. It was time to move on.
  4. I didn’t want to use Gnome 3, because it’s slow and ugly (however it’s fully functional!). And there were no other DEs in CentOS 8 repositories at that time.

So, I tried CentOS 8 with IceWM (installed it from source) and it worked. IceWM is small, very fast, ascetic, and in some ways quite intuitive. There were some problems with the clipboard (in xTerm and with VBox shared clipboard) and with language switching, but I figured it out and I think that I would probably continue to use it. Below are some notes on how I installed it and resolved the issues.

Continue reading

Barapass console Password Manager

2 Replies

Barapass console Password Manager. I decided to publish my simple console Password Manager. I called it barapass (github). I’ve been using It for quite some time in Linux and in Windows (in WSL). Probably it will also work natively in Windows and MacOS with minimal fixes, but I haven’t tried it yet.

Barapass logo

Why do people use password managers?

Well, with password manager it’s possible to avoid remembering passwords and make them arbitrarily complex and long. And no one will be able to brute force them. Of course, you can simply store passwords in text files, but password managers are better than this because:

  • no one will see your password over your shoulder;
  • if an attacker gains access to the files on your host, it won’t possible to read your passwords from the encrypted file or storage (well, ideally);
  • it’s easier to search for objects in the password manager and copy values from it.

I wanted something as simple as editing a text file with the key-value content. And I wanted it to be stored in a secure manner, and security could be easily checked, “simple and stupid”.

Continue reading

Vulnerability Management vendors and Vulnerability Remediation problems

1 Reply

Vulnerability Management vendors and Vulnerability Remediation problems. It’s not a secret, that Vulnerability Management vendors don’t pay much attention to the actual process of fixing vulnerabilities, that they detect in the infrastructure (Vulnerability Remediation). Although it seems to be the main goal of VM products: to make vulnerabilities fixed and whole IT infrastructure more secure, right?

In fact, most of VM vendors see their job in finding a potential problem and providing a link to the Software Vendor’s website page with the remediation description. How exactly the remediation will be done is not their business.

Vulnerability Management vendors and Vulnerability Remediation

The reason is clear. Remediation is a painful topic and it’s difficult to sell it as a ready-made solution. And even when Vulnerability Vendors try to sell it this way, it turns out pretty ugly and does not really work. Mainly because the Remediation feature is sold to the Security Team, and the IT Team will have to use it.

Continue reading

Can a Vulnerability Scan break servers and services?

2 Replies

Can a Vulnerability Scan break servers and services? The most serious problem of Vulnerability Scanners is that they are too complex and unpredictable. Usually they don’t affect the target hosts, but when they do, welcome to hell! And if you scan huge infrastructure, tens thousands hosts and more, it’s not “if” the scanner will break the server it’s “when” it will do it.

As a responsible person for Vulnerability Management you will be also responsible for all the troubles that VM product can make in the IT infrastructure. And what will you say to the angry mob of your colleagues from IT and Business when they will be quite curious to know why did the service/server go down after the scan? Actually, it’s not much to say.

Continue reading

Vulnerability Management at Tinkoff Fintech School

Leave a reply

Vulnerability Management at Tinkoff Fintech School. In the last three weeks, I participated in Tinkoff Fintech School – educational program for university students. Together with my colleagues, we prepared a three-month practical Information Security course: 1 lecture per week with tests and home tasks.

Each lecture is given by a member of our security team, specialized in one of the following modules: Vulnerability Management, Application Security, Infrastructure Security, Network Security, Virtualization Security, Banking Systems Security, Blue & Red-teaming, etc.

Vulnerability Management at Tinkoff Fintech School

The course is still ongoing, but my Vulnerability Management module is over. Therefore, I want to share my impressions and some statistics.

Continue reading

Martian Vulnerability Chronicles

Leave a reply

Martian Vulnerability Chronicles. Well, there should have been an optimistic post about my vulnerability analysis & classification pet-project. Something like “blah-blah-blah the situation is pretty bad, tons of vulnerabilities and it’s not clear which of them can be used by attackers. BUT there is a way how to make it better using trivial automation“. And so on. It seems that it won’t be any time soon. ¯\_(ツ)_/¯

I’ve spent several weekends on making some code that takes vulnerability description and other related formalized data to “separate the wheat from the chaff”. And what I get doesn’t look like some universal solution at all.

Pretty frustrating, but still an interesting experience and great protection from being charmed by trendy and shiny “predictive prioritization”.

Martian Vulnerability Chronicles

Literally, when you start analyzing this vulnerability-related stuff every your assumption becomes wrong:

  • that vulnerability description is good enough to get an idea how the vulnerability can be exploited (let’s discuss it in this post);
  • that CVSS characterizes the vulnerability somehow;
  • that the links to related objects (read: exploits) can be actually used for prioritization.

Actually, there is no reliable data that can be analyzed, trash is everywhere and everybody lies 😉

Let’s start from the vulnerability description. Great example is the last week critical Linux kernel vulnerability CVE-2019-8912.

Continue reading

What’s new in Nessus 8

1 Reply

What’s new in Nessus 8. Today Tenable released a new version of their famous vulnerability scanner – Nessus 8. The existing scanner nodes don’t see the updates yet, but the installation binaries are already available. So you may try to install it.

What's new in Tenable Nessus 8

This major release will be way more positive than the previous one. Of course Tenable did NOT return the multi-user mode and API in Nessus Professional. But on the other hand, they did NOT cut the functionality even further. They even added new features in GUI. And, what is the most important, they did NOT switch to the assets-based licensing (at least yet). 🙂

Continue reading