The latest articles on DEV Community by Sven Strittmatter (@weltraumschaf). https://dev.to/weltraumschaf https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F356180%2F78cc3838-cb02-4b92-9436-255a879653fa.jpeg https://dev.to/weltraumschaf en Sven Strittmatter Thu, 29 Oct 2020 17:53:39 +0000 https://dev.to/weltraumschaf/credential-stuffing-vs-password-spraying-2fnc https://dev.to/weltraumschaf/credential-stuffing-vs-password-spraying-2fnc <p>At my <a href="https://www.iteratec.com">employer</a> we use Office 365. I'm not an Microsoft advocate. My friends and colleagues rather know me as Apple-Fanboy and BSD-Geek. But I have to admit that Office 365 works good enough. Even in these pandemic times when we work from home Teams and such serves very well.</p> <p>As part of our security team we also encounter attacks against our user accounts. Maybe you read about that in the press: There are <em>credential stuffing</em> and <em>password spray</em> attacks going on this year against Office 365 accounts. Today I wondered what the concrete difference is between these two types of attacks. Until today I used the terms interchangeably: Its all a kind of brute force, right? No, it's not that easy.</p> <h2> Credential Stuffing </h2> <p>This is an attack where an adversary uses a <strong>known pair of username and password</strong> to gain access. Eg. there is a password leak from the site foobar.com: They stored username and password in plain text. Lot of users use the same username password across many sites. So one could try to use the username and password from foobar.com at Facebook, Twitter or whatever to gain access.</p> <p>So <em>credential stuffing</em> uses a list of known username password combinations to brute-force against an authentication.</p> <h2> Password Spraying </h2> <p>In contrast this is an attack where the adversary <strong>only knows the username</strong> and tries a list of <a href="%5D(https://en.wikipedia.org/wiki/List_of_the_most_common_passwords)">common or weak passwords</a> with it. Eg. you know that the usernames at foobar.com are same as the email addresses and you can harvest some of them from the website. Then you use a list of commonly used or weak password (eg. <code>test1234</code>, <code>password</code> etc.) together wit the usernames to gain access.</p> <p>So <em>password spraying</em> uses a list of known usernames in combination with commonly known and/or weak passwords to brute-force authentication.</p> <p>First posted at <a href="https://blog.weltraumschaf.de/blog/Credential-Stuffing-vs-Password-Spraying/">https://blog.weltraumschaf.de/blog/Credential-Stuffing-vs-Password-Spraying/</a></p> security Sven Strittmatter Fri, 23 Oct 2020 10:44:56 +0000 https://dev.to/weltraumschaf/authn-vs-authz-2h9l https://dev.to/weltraumschaf/authn-vs-authz-2h9l <p>When you do some "login stuff" nowadays you may stumbled upon the terms <em>AuthN</em> and <em>AuthZ</em>. Maybe you wondered what these "N" and "Z" means? Short answer:</p> <ul> <li> <em>AuthN</em> stands for <em>Authentication</em>, and</li> <li> <em>AuthZ</em> stands for <em>Authorization</em>.</li> </ul> <p>That's easy right? We're done for this blog post 🙃</p> <h2> Authentication vs. Authorization </h2> <p>But what is the difference of these two terms? Is it not the same? Short answer: No, it isn't!</p> <h3> Authentication </h3> <p><em>Authentication</em> is all about who you are. In the most simple form when you type a username and password somewhere. In a more complex scenario – eg. when you buy a TLS certificate – when you go to a notary showing your identity card.</p> <p>So <em>authentication</em> is the process of verify that you are the person you are pretending to be.</p> <h3> Authorization </h3> <p><em>Authorization</em> is all about what you are allowed to do. In the most simple form you are allowed to clone a Git repository and push into it, but you are not <em>authorized</em> to delete branches in that repository. <em>Authorization</em> must be granted by an entity which have more rights (is privileged) than you. Eg. when you want to buy a new laptop you request this to your boss and she authorizes this by granting or declining it.</p> <p>So <em>authorization</em> is the process of verify what you are allowed to do.</p> <h2> Last Words </h2> <p><em>Authentication</em> can be used without <em>authorization</em> but vice versa is not possible. To <em>authorize</em> someone or something – not only natural persons may be <em>authenticated</em> or <em>authorized</em>, but also entities like computers, servers, APIs, etc. – it is required to <em>authenticate</em> first to know who you grant or decline access (<em>authorize</em>). Eg. when you walk around in a large factory there may be <em>restricted areas</em> with a security guard protecting it. You must show him your corporate identity card for <em>authentication</em>. Then the guard looks up in his system if you are allowed to access that ares (<em>authorization</em>) and grants or declines that you go on.</p> <p>First posted at <a href="https://blog.weltraumschaf.de/blog/AuthN-vs-AuthZ/">https://blog.weltraumschaf.de/blog/AuthN-vs-AuthZ/</a></p> security Sven Strittmatter Thu, 08 Oct 2020 16:41:26 +0000 https://dev.to/weltraumschaf/oauth-2-0-implicit-flow-considered-harmful-1l04 https://dev.to/weltraumschaf/oauth-2-0-implicit-flow-considered-harmful-1l04 <p><a href="https://blog.weltraumschaf.de/blog/OAuth-Implicit-Flow-Considered-Harmful/">https://blog.weltraumschaf.de/blog/OAuth-Implicit-Flow-Considered-Harmful/</a></p> oauth security Sven Strittmatter Mon, 21 Sep 2020 12:34:28 +0000 https://dev.to/weltraumschaf/improve-your-documentation-with-russian-roulette-43b7 https://dev.to/weltraumschaf/improve-your-documentation-with-russian-roulette-43b7 <p><a href="https://blog.weltraumschaf.de/blog/Improve-Your-Documentation-with-Russian-Roulette/">https://blog.weltraumschaf.de/blog/Improve-Your-Documentation-with-Russian-Roulette/</a></p> Sven Strittmatter Fri, 22 May 2020 10:08:09 +0000 https://dev.to/weltraumschaf/semantic-versioning-29i0 https://dev.to/weltraumschaf/semantic-versioning-29i0 <p>Please use Semantic Versioning and please use it right!</p> <p><a href="https://blog.weltraumschaf.de/blog/Please-Use-Semantic-Versioning/">https://blog.weltraumschaf.de/blog/Please-Use-Semantic-Versioning/</a></p> <h1> SemVer </h1> Sven Strittmatter Fri, 08 May 2020 12:34:48 +0000 https://dev.to/weltraumschaf/hardening-your-sshd-with-ansible-2ipj https://dev.to/weltraumschaf/hardening-your-sshd-with-ansible-2ipj <p>I blogged about harding SSHd with Ansible to increase security of your server: <a href="https://blog.weltraumschaf.de/blog/Hardening-Your-SSHd-with-Ansible/">https://blog.weltraumschaf.de/blog/Hardening-Your-SSHd-with-Ansible/</a></p> security sshd ansible