An assortment of indigestible things

Category: security

Using a Response Policy Zone with malwaredomains

The lovely people at RiskAnalytics provide lists of domains known to serve malware at It makes these available in several formats including DNS zone files. They don’t even charge for the service which is, frankly, awesome!

Many people configure their DNS servers so that they spoof the zone for each domain such that traffic is redirected to (i.e. your own machine). This effectively stops hosts on that network from connecting to those zones and downloading unpleasant stuff. However, if you’re running a local webserver, say for development purposes, things can get confusing very quickly!

An alternative is using a DNS Response Policy Zone. This requires BIND version 9.8 or greater (or another DNS server that supports RPZ). RPZs are much more flexible than the approach above because they give us finer control over what we want the DNS server to tell the client. I have taken the approach that returning NXDOMAIN is the cleanest way of blocking traffic to these domains because a web browser will immediately give up on receiving that response. There’s no need to worry that a local webserver might interfere with domain blocking.

Selectively blocking Samsung TVs’ network access

[Image: Old television. Caption: This TV probably wasn’t spying on you.]

You may have read in the recent Wikileaks exposé that the CIA developed the capability of making Samsung TVs spy on their unsuspecting users. While this hack requires physical access (a specially crafted USB stick must be plugged into the telly), it got me thinking about the network traffic generated by smart TVs. I’ve already blocked a few domains that my unit connects to, and this seems like a good time to share my work.

How to block Windows 10 telemetry with your local resolver

There’s been a lot of talk about the data sent by a Windows 10 machine back to Microsoft. Some researchers have even found evidence of data being sent when all available privacy settings are enabled. There is an emerging market for tools that will nobble Windows 10’s data collection, but who knows whether they work, or even if they’re malicious. Thankfully there is another way: if you run a local resolver, you can configure it such that DNS queries for domains linked to telemetry will always fail. Here’s how it’s done.

Upgrading to SHA-256? Some XP users will think your site is down

It’s several weeks now since Google announced that they are phasing out support for certificates signed with the SHA-1 algorithm. The end result will be that, starting in Q1 2015, SHA-1 certificates with long expiry times will be treated as completely invalid by Chrome.

Unfortunately, upgrading to SHA-256 certificates will break Internet Explorer on pre-SP3 versions of XP in a horrible way. Users will get the IE Generic Page of Awfulness, making it look like your site is down.

Using ZoneMinder with a cheap CCTV camera

One of the server rooms I look after has an old CCTV camera in the ceiling, and I decided to press it into service to enhance security for that room. I now get alerts from Nagios when motion is detected, so that I can go and see who’s been poking around. Here’s how I got there.

Moving from Debian ‘stable’ WordPress to the latest version

I’ve been running WordPress 3.0.5 for a while now, as it’s the version in the current Debian ‘stable’ repository. For a while now I’ve been meaning to move to the latest and greatest (which, as I write, is 3.3.1), but didn’t want to mess about with pinning in apt to run a ‘mixed system’. WordPress has had its own automatic upgrade system since 2.7, and with a history of nasty vulnerabilities, I want to be able to apply upgrades as soon as they are released by the WordPress team.

Security through obscurity is a good thing!

(This is a bit of a rant. There may well be more rants to come.)

If you say to a security professional, ‘I’m going to run my ssh daemon on an unusual port for security reasons’, you’d better stand back and wait for the gasp. *gasp* they say! That’s just security through obscurity, which is no security at all! Shut down your servers and turn the lights off on the way out, you worthless collection of mucus.

‘Security through obscurity’: it even rhymes, which means that it joins the list of empty phrases that sound like they carry authority but actually don’t. ‘It’s Adam and Eve, not Adam and Steve!’ ‘White is right!’ Ohhh I seeeee: there was me thinking you were just a bigot, but your argument rhymes, so it smartly trumps anything I could possibly say!

Securing your home wireless network with RADIUS

(Like my previous post, this process is reconstructed from memory and a judicious amount of diffing, so there may be bits missing.)

Call me paranoid, but I’ve always been nervous about my home wireless network. I know that WPA is supposed to be reasonably secure (my router, a Netgear DG834Gv2, doesn’t support WPA2), but the lack of logging makes me worry that I really don’t know who might be having a go at it. I do all the right things to secure it — strong password, MAC filtering — but still I worry that someone might sit outside my house downloading something that could get me prosecuted. (And yes, I know that MAC filtering isn’t strong security, but it will defeat a casual would-be intruder.)
