Category Archives: security

Selectively blocking Samsung TVs’ network access

[Image: old television. Caption: This TV probably wasn’t spying on you.]

You may have read in the recent Wikileaks exposé that the CIA developed the capability of making Samsung TVs spy on their unsuspecting users. While this hack requires physical access (a specially crafted USB stick must be plugged into the telly), it got me thinking about the network traffic generated by smart TVs. I’ve already blocked a few domains that my unit connects to, and this seems like a good time to share my work.

Filed under networking, security

How to block Windows 10 telemetry with your local resolver

There’s been a lot of talk about the data sent by a Windows 10 machine back to Microsoft. Some researchers have found evidence of data being sent even when all available privacy settings are enabled. There is an emerging market for tools that will nobble Windows 10’s data collection, but who knows whether they work, or even if they’re malicious. Thankfully there is another way: if you run a local resolver, you can configure it such that DNS queries for domains linked to telemetry will always fail. Here’s how it’s done.

2 Comments

Filed under security

Upgrading to SHA-256? Some XP users will think your site is down

It’s several weeks now since Google announced that they are phasing out support for certificates signed with the SHA-1 algorithm. The end result will be that, starting in Q1 2015, SHA-1 certificates with long expiry times will be treated as completely invalid by Chrome.

Unfortunately, upgrading to SHA-256 certificates will break Internet Explorer on pre-SP3 versions of XP in a horrible way. Users will get the IE Generic Page of Awfulness, making it look like your site is down.


Filed under security

Using ZoneMinder with a cheap CCTV camera

One of the server rooms I look after has an old CCTV camera in the ceiling, and I decided to press it into service to enhance security for that room. I now get alerts from Nagios when motion is detected, so that I can go and see who’s been poking around. Here’s how I got there.

8 Comments

Filed under esxi, security

Moving from Debian ‘stable’ WordPress to the latest version

I’ve been running WordPress 3.0.5 for a while now, as it’s the version in the current Debian ‘stable’ repository. For a while now I’ve been meaning to move to the latest and greatest (which, as I write, is 3.3.1), but didn’t want to mess about with pinning in apt to run a ‘mixed system’. WordPress has had its own automatic upgrade system since 2.7, and with a history of nasty vulnerabilities, I want to be able to apply upgrades as soon as they are released by the WordPress team.

6 Comments

Filed under security, wordpress

Security through obscurity is a good thing!

(This is a bit of a rant. There may well be more rants to come.)

If you say to a security professional, ‘I’m going to run my ssh daemon on an unusual port for security reasons’, you’d better stand back and wait for the gasp. *gasp* they say! That’s just security through obscurity, which is no security at all! Shut down your servers and turn the lights off on the way out, you worthless collection of mucus.

‘Security through obscurity’: it even rhymes, which means that it joins the list of empty phrases that sound like they carry authority but actually don’t. ‘It’s Adam and Eve, not Adam and Steve!’ ‘White is right!’ Ohhh I seeeee: there was me thinking you were just a bigot, but your argument rhymes, so it smartly trumps anything I could possibly say!

Filed under rants, security

Securing your home wireless network with RADIUS

(like my previous post, this process is reconstructed from memory and a judicious amount of diffing… so there may be bits missing)

Call me paranoid, but I’ve always been nervous about my home wireless network. I know that WPA is supposed to be reasonably secure (my router, a Netgear DG834Gv2, doesn’t support WPA2), but the lack of logging makes me worry that I really don’t know who might be having a go at it. I do all the right things to secure it — strong password, MAC filtering — but still I worry that someone might sit outside my house downloading something that could get me prosecuted. (And yes, I know that MAC filtering isn’t strong security, but it will defeat a casual would-be intruder.)

11 Comments

Filed under security