IT. SECURITY. OPEN SOURCE.

Author: jason Page 2 of 3

Svart Hal

Svart Hal: The DNS Firewall

With the unprecedented circumstances we as a society are facing, we have begun to transition from on-premise to a remote workforce. Though this transition is exciting to some, it can truly bring undue stress to an organization, its workforce, and IT infrastructure. Organizations that are new to a remote workforce struggle to ensure that their employees are practicing good cyber hygiene while at home. Ensuring that data is backed up and secured, employees using work devices instead of personal devices when working, and maintaining updated software and antivirus. Many of these systems are automated, pushing software and updates and may not be able to communicate with an employee end point remotely.

Many organizations have an on-premise security stack where all traffic is funneled through. This would include all traffic which travels to and from the business network. A security stack could have a firewall, IDS/IPS, web filtering, antivirus mitigations, VPN, etc. While many organizations have these protections in place, it does not protect a remote workforce without the enforcement of every employee connecting to the VPN. This too places undue strain on the corporate network. Organizations which terminate a VPN connection on the perimeter firewall place additional stress on the device. Every encrypted connection placed on the firewall requires additional CPU and memory to encrypt/decrypt the connection.

Due to the additional strain on the network, companies have opted to have employees only connect to the VPN when accessing internal resources. While this frees up firewall resources, this places a significant burden on ensuring that employees are protected from security threats. As organizations scramble to better protect their remote employees they tend to lose sight of the big picture. The question ultimately becomes, “How can I protect our employees from security risks and do this in a cost effective manner?”

One way of protecting employees is through the use of a DNS firewall. Typical firewalls only block source/destination, port, and protocol traffic. A DNS firewall is synonymous with web filtering, taking care of blocking malicious URLs, protecting the employee from accessing websites which could push malware to the end point. There are plenty of utilities one can use to block these types of attacks. Pi-Hole and OpenDNS provide free and paid services to help mitigate these types of attacks.

I have been working on a project, called Svart Hal, which takes advantage of ISC BIND’s Response Policy Zones (RPZ). In the coming days I will post how an individual or organization can take advantage of the use of RPZ and the scripts which are provided free and Open Source. Users will be able to utilize this set up to save on the cost of spending hundreds or even thousands of dollars on traditional web filtering services. For those currently using RPZ with BIND, and looking for a inexpensive ways to protect your users, please take advantage.

Check out Svart Hal on GitHub

Continuous Battle Over Encryption And Your Privacy

Privacy vs. Services

The NCTA, CTIA, and US Telecom recently sent an open letter to congress with concerns over Google’s implementation of the DNS over HTTPS (DoH) protocol. The DoH protocol allows for encryption of DNS look ups providing additional privacy on the internet. In the letter the companies state that internet service providers provide functionality including, “(a) the provision of parental controls and IoT management for end users; (b) connecting end users to the nearest content delivery networks, thus ensuring the delivery of content in the fastest, cheapest, and most reliable manner; (c) assisting rights holders’ and law enforcement’s efforts in enforcing judicial orders in combatting online privacy, as well as law enforcement’s efforts in enforcing judicial orders in combatting the exploitation of minors.” (pg. 3).

Monopolizing on DNS

Another concern that was stated in the letter is that Google will be able to monopolize on the queries made to their DNS servers. As businesses or households use a particular DNS hosting provider, that provider has the ability to collect the IP address and DNS search results. This would allow that provider to mine the data it has collected and sell it to marketing firms. The companies also state that since all Google made devices would utilize Google’s DNS service, it would cause a single point of failure (That is why Google has two DNS servers; 8.8.8.8 and 8.8.4.4).

Another Attack Against Encryption

U.S. Attorney General William Barr has once again made a plea with tech giant Facebook to create a backdoor into its end-to-end encrypted messaging platforms (i.e. Facebook Messanger, WhatsApp). Barr is not alone, the United Kingdom and Australia have also come out against using such end-to-end encryption. They state that without a backdoor, law enforcement cannot perform their duties in capturing and prosecuting criminals in court. Yet, law makers do not understand that encryption algorithms are completely free and open source. Anyone can do a simple search online and discover the math behind popular, and albeit strongest, encryption we have today. If such backdoors were put in place, privacy advocates will certainly use other tools, like Signal, to protect their secrecy online.

Protecting Privacy online

There are many things that one can do to protect their privacy online. The Electronic Frontier Foundation has published a number of articles on how can maintain privacy. Their Surveillance Self-Defense is a well documented series of articles that you can use to protect your privacy and security while online. From enabling multifactor authentication, creating strong passwords, using password managers, to “Choosing the VPN That’s Right for You.”

BIND And DNS-Over-HTTPS

Privacy and security professionals have been pushing for encryption of internet traffic for many years now. Not only has there been a significant push from the privacy community, search engine giants like Google almost force websites to use encryption to increase search engine optimization (SEO) to drive higher results. Though the costs of purchasing Transport Layer Encryption (TLS) can be quite expensive, open source projects such as Let’s Encrypt allow anyone to create a publicly acceptable TLS certificate for free. These certificates are accepted by major browsers, without throwing warnings, and protects the privacy of the user accessing the site. This only resolves half of the problem.
In a recent article released by the Electronic Frontier Foundation (EFF), DNS is one of the biggest internet privacy issues facing home and corporate users. In its current implementation, DNS relays queries in clear text. This allows Internet Service Providers (ISP’s), or anyone inline of your internet traffic, to look at DNS queries and begin to build a profile on you.

Why is this a problem?

Prior to accessing a website, regardless whether or not it uses encryption, your computer performs a DNS lookup to find the IP address of the website you are trying to access. For instance, a simple DNS request to look up where cnn.com resides goes out over plain text for anyone to see. Then once the computer knows the IP address it is supposed to be access, the web browser makes a request to the website over a TLS connection.

A person sniffing the traffic may not at that point know the contents of the website you are looking at, the individual however does know that you accessed cnn.com. As you might imagine, this is a significant privacy issue where an ISP or the like can then build a profile on you and sell it to third party marketers which can then target ads.

Solving it on the individual level

There are plenty of tools out there that individuals can use to protect their internet traffic. From applications which can be loaded on a computer or smart device to the use of VPN’s and Tor, these can all protect a specific person. What if you wanted to protect a household or an organization? Use of individual applications would be cumbersome to have everyone use individual applications.

BIND with DNS-over-HTTPS

One such was to do this is to set up a Bind DNS server. This will allow everyone in the organization to perform DNS queries and have those queries safeguarded from data mining. However this still allows someone to sniff DNS queries as they are sent in clear text. To overcome this problem we need to install ‘cloudflared’ on the server. The cloudflared service will then perform DNS-over-HTTPS queries, encrypting your internet traffic from the Bind server to Cloudflare’s DNS resolvers. This prevents anyone from sniffing your DNS traffic, allowing for additional anonymity on the internet.

Getting your system ready

First you will need to install and configure Bind on your server. Once that is complete, download and install the [cloudflared][cloudflared] application on the server. After installation you will need to make one minor change to the forwarders section in your `named.conf.options` file. First, remove the comments in front of forwarders, these will be in the form of double forward slashes – //

Next, add the port number to the loopback IP address. The configuration will then look like:

`forwarders { 127.0.0.1 port 54; };`

After that, load up Wireshark and take a look at the traffic. You should no longer see the DNS protocol being used as everything will be running over TLS.

Am I fully protected now?

No. Though you are one step closer, you still need to ensure that you are performing your due diligence when accessing websites on the internet. Be careful when accessing websites that do not use encryption, especially when typing in your username and password. Use multifactor authentication in addition to a password manager and always double check the website you are accessing.

The California Consumer Privacy Act And The .US Domain

As I start this off I would be remiss to state that yes, I have a .us domain, however so do many Americans. You see, the .us top level domain (TLD) is only available to those who reside within the United States. There are other requirements too such as keeping your WHOIS records up to date. Ensuring that WHOIS records show that those who register a .us domain reside within the US. The major downfall to that is the fact that you cannot purchase privacy protections for your domain. So all of you who have purchased .com, .net, .org and so on have those privacy protections available. But not for .us domains. In fact, .at, .be, .ca, .cn, .cx, .de, .eu, .pl, .pro, and .tw TLD’s do not have those protections either – but that is different story for a different day. What makes the .us TLD so important?

The California Consumer Privacy Act of 2018, soon to go into affect on January 1, 2020 provides protections of personal information. You see, in order to maintain a .us domain one must accurately state their personal, or business, information in the WHOIS directory. Under the CCPA, personal information is defined as real name, signature, address, telephone number, insurance policy number, education, employment, employment history, bank account information, credit card number, debit card number, alias, postal address, unique personal identifier, online identifier such as an IP address, email address, account name, social security number, drivers license number, password number, or other similarities. Whew!

If you have never seen a WHOIS lookup on a domain before, it tends to look like:

Domain Name: JASONBROWN.US
Registry Domain ID: D20196051-US
Registrar WHOIS Server: whois.godaddy.com
Registrar URL: http://www.godaddy.com
Updated Date: 2018-05-31T13:04:07Z
Creation Date: 2009-05-31T22:47:12Z
Registrar Registration Expiration Date: 2019-05-30T23:59:59Z
Registrar: GoDaddy.com, LLCRegistrar IANA ID: 146
Registrar Abuse Contact Email: abuse@godaddy.com
Registrar Abuse Contact Phone: +1.4806242505
Domain Status: clientTransferProhibited http://www.icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited http://www.icann.org/epp#clientUpdateProhibited
Domain Status: clientRenewProhibited http://www.icann.org/epp#clientRenewProhibited
Domain Status: clientDeleteProhibited http://www.icann.org/epp#clientDeleteProhibited
Registry Registrant ID: CR17632448
Registrant Name: Jason Brown
Registrant Organization:
Registrant Street:
Registrant City:
Registrant State/Province:
Registrant Postal Code:
Registrant Country:
Registrant Phone:
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: jason@jasonbrown.us
Registry Admin ID: CR17632450
Admin Name: Jason Brown
Admin Organization:
Admin Street:
Admin City:
Admin State/Province:
Admin Postal Code:
Admin Country:
Admin Phone:
Admin Phone Ext:
Admin Fax:
Admin Fax Ext:
Admin Email:
Registry Tech ID: CR17632449
Tech Name:
Tech Organization:
Tech Street:
Tech City:
Tech State/Province:
Tech Postal Code:
Tech Country: US
Tech Phone:
Tech Phone Ext:
Tech Fax:
Tech Fax Ext:
Tech Email: jason@jasonbrown.us
Name Server: ATHENA.NS.CLOUDFLARE.COM
Name Server: LOGAN.NS.CLOUDFLARE.COM
DNSSEC: signedDelegation
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/

I obviously deleted a bunch of stuff but a simple Google search would show you the real results.

Do not get me wrong, California’s Consumer Privacy Act has provided guidelines that the rest of the country should follow. However, law makers continuously make decisions and place deadlines on mandates without fully understanding the impact. How long will it take for law makers to understand the nuances of how the internet works? I myself think its bullshit that one cannot purchase privacy protection for a particular TLD, but I see its reasons.

The amount of data mining, and the cost of providing that information to marketers is astronomical. CSO Online ran an article in 2018 which stated that records on an individual would cost around $141. Take someone 2 minutes to enumerate the entire .us TLD, compile that information and provide it to a marketing company; the amount of data retrieved is priceless.

As you can see, the CCPA has brought to light privacy implications that no one has thought of before. The collection of personal information, the sale of personal information to other companies, and even the disclosure of sale of information. However no one is looking at the information that we have to give up freely in order to do business. It is my hope that we shed a little California sunshine on this situation.

Password Rotation And The Problem Of Not Doing It

Since the release of NIST SP 800-63-3 I have been asked, “Why does our company still perform password rotation?” This question is easier said than done. It is one that requires user awareness training, implementation of auditing and alerting software, and most importantly – multifactor authentication. All of which are necessary, though it can take months to years to implement depending on a companies resources and regulatory requirements.

User Awareness

We still seem to be failing at user awareness training. Our parents, grandparents, kids, co-workers, and yes even us still use easily guessable passwords. Studies have shown that for the past 5+ years the top passwords being used on the internet are, “123456”, “password”, “qwerty”, and “111111.” Talk show host Jimmy Kimmel and his television crew have shown how easy it is to social engineer someone to give up their password. These episodes also show the simplicity of the password with some saying their password is a pets name and a birth date.
Companies such as Microsoft have developed ways to prevent its users from picking simplistic passwords. With its new, “Password Protection for Azure AD” service, it prevents users from creating easily guessable passwords. This is performed by Microsoft’s massive database of commonly used passwords. If a user were to pick a password that was found in the database, the service presents an error message and the user must pick another one.

Auditing and Alerting Software

People often make mistakes, that is a given. Companies make similar mistakes as well. Facebook recently announced that the company was storing user passwords in clear text. What can be worse than that you ask? That database had been queried over 9 million times by Facebook staff. Facebook has been on the defensive stating that this was not a breach. While technically no it was not a breach, it shows how lacking they are in their security and privacy.

There are similar cases where companies lax in their security policies. It certainly opens the question of how we can protect ourselves online. With users picking easily guessable passwords, and the reuse of those passwords, auditing and alerting tools are a necessity. Organizations need tools in place to be able to send alerts when an account is being brute forced. They also need to alert when someone is logging in from a country where there is no organizational presence. These are key indicators of account takeovers. Without this in place, a security operations team will never know if an account has been compromised.

What Is Multifactor Authentication

Multifactor (also known as 2 factor) is defined as:

  • Something you have
  • Something you know
  • Something you are

To suffice this definition, one must utilize two of the three listed. Something you have and something you are is the most common. How does this protect against account take overs? If one were to use a semi-guessable password and configured multifactor authentication, account take over would be extremely difficult to pull off. The reason is that even if someone were to have your password, that person could still not log into the account as the second factor has not been met. The second factor in most instances is something that you have. Examples of this are a smart app on your mobile device, a hardware device such as a YubiKey, or a text message. Though using text messages as a form of second factor is now highly discouraged. Without having physical access to any of these devices, it can be nearly impossible to log into an account. There is a website dedicated to help in configuring multifactor authentication by heading on over to Two Factor Auth List. This website will show you which popular online services allow for multifactor authentication, and if they do not, you are able to send a message to the service asking them to enable it.

Final Thoughts

Password rotation is an evil necessity without properly thinking things through. Yes it does not prevent an account take over, however rotation will eventually keep an attacker from logging in. The use of multifactor authentication, auditing and alerting, coupled with user awareness training are essential to good password hygiene. Without these in place, the organization will be stuck on rotation – like a broken record.

Facebook Exposes Millions of Passwords in Clear Text

Facebook has been under the spot light for quite some time now for its poor security and privacy practices. With this latest privacy blunder, its obvious that the company has not learned from its past. Last week it was uncovered that the company is storing passwords in clear text. This not only affects Facebook users, but InstaGram users too. It was not revealed as to why these passwords were stored in clear text, however what is known is that it affects millions of the company’s users.

In a Facebook blog post by Pedro Canahuati, VP Engineering, Security and Privacy mentioned that the company uncovered the error in January during a routine security review. Canahuati also stated that these clear text passwords were only viewed by those who worked for the company.

At least LinkedIn has your back… Oh nevermind.

Let’s not forget the many security breaches which affected passwords in the past. LinkedIn in 2012 had millions of passwords stolen from the company by hackers. In the breach, the passwords had been hashed, but with a low grade hashing algorithm. At least in LinkedIn’s case we can say the passwords were somewhat protected. In Facebook’s instance, they did not even bother to encrypt the passwords. If the passwords were ever stolen we would see another Yahoo! breach in the making.

Protecting Yourself Online

Canahuati did not mention in his post how to remedy the issue other than to say that the passwords are hashed and salted when an account is created. I would still suggest that everyone change their passwords anyway along with activating multifactor authentication for their account. This way even if someone were to have the password, they would not have the secret token generated by a smart app or hardware token like YubiKey. This also includes those who have InstaGram accounts as well since they were also affected.

One cannot trust the privacy and security that a service provider offers. We must take it upon ourselves to better protect our online identities from mishaps of the services we use. By using password managers to ensure we do not reuse the same password between services to ensuring multifactor authentication is used on every service that offers it is the only way to protect ourselves.

State Sponsored Probing Internet of Things Devices

In order to beef up security of consumer based Internet of Things devices, Japan will now scan IoT devices within its borders. Beginning mid-February, the National Institute of Information and Communications Technology will attempt to break into an estimated 200 million devices. The institute has compiled a list of generic usernames and passwords commonly used by manufacturers for default login credentials. Is this a good thing?

In 2018, the FBI warned citizens of a potential threat to their home routers to reset them (Why the FBI wants you to reboot your router — and why that won’t be enough next time). In 2016 Duetsche Telekom in Germany was down due to an infection of consumer based routers which affected 900,000 consumers (900,000 Routers Knocked Offline in Germany amid Rumors of Cyber-Attack). It took the telecom provider two days to get the word out as most, if not all, of its customers used it for data and voice. Why did it take so long and how did 900,000 routers get infected? One simple answer, the management interface was exposed to the public internet. This allowed the botnet to quickly infect consumer based routers. Once a router became infected, it then scanned the internet looking for other routers to infect.

Japan’s attempt to detect unsecured IoT devices is a good thing, to a point. The Institute has not come out to say what they will do when an unsecured device is detected. Will they send notices to citizens? How will manufacturers be held accountable? What types of fines will be given for poorly secured consumer IoT devices? This is definitely a step in the right direction however it does not appear at this time that they have fully thought through the repercussions.

2019 State of Password and Security Behaviors

This year Yubico teamed up with the Ponemon Institute to deliver the 2019 State of Password and Authentication Security Behaviors report. The report was sampled from around 15,000 participants from around the globe which touched on topics which included privacy and security. The report depicts the grim reality of which we still live in today with regards to passwords and their use. For instance, 69% of respondents share passwords with their co-workers. That number equates to 10,350 of the 15,000 people who responded to the survey. Other statistics show:

  • 51% reuse passwords across business and personal accounts
  • 67% do not use multifactor authentication (or 2 factor authentication)
  • 57% have experienced a phishing attack and never changed their password

Though the report depicts what security professionals have stated for years of what not to do, respondents were asked what their 3 top concerns for data security and privacy:

  • Social Security Numbers or Citizen ID’s
  • Payment Account Details
  • Health Information

Their top reasons for the concerns were:

  • Government Surveillance
  • Connected Devices
  • Growing Use of Mobile Devices

The report also when on to state that the annual loss due to employee misuse of password and poor authentication averages around $5.2M. Again, we need to start doing a better job at evangelizing security best practices to our family, friends, and co-workers on what to do to better protect themselves. You can read the full report at the following link Yubico Authentication Report.

The Need for Better Transparency In Data Breaches

We hear of new data breaches almost everyday, so many that we have reached the pinnacle of “breach fatigue.” A feeling where consumers are tired of hearing about theft of personal information due to carelessness on part of a company. From Equifax, Yahoo!, to Cambridge Analytica, our personal, sensitive information is out on the public internet. Poor cyber security practices is just one of the main issues of data theft among organizations. The second is how companies respond after a breach occurred.

Google is now part of a long standing problem we see today and that is hiding information from consumers with regards to a data breach. This latest breach affecting the Google+ platform, exposed half a million user records through a flaw in their API. A flaw in which the company knew about since 2015. To make matters worse, Google knew of the breach in March of 2018 and yet it did not disclose this information until October 8.This is not the first time a company failed to disclose a data breach. Yahoo! was fined $35 million for not disclosing its breach which occurred in 2014. Why was there such a delay in the announcement and why do law makers allow this to continue?

The U.S. does not have a federal law which protects consumer privacy. This need for protection has been left up to the states to enact privacy laws, which most states have done. However, more oversight is needed to ensure better transparency between companies and consumers. Without additional oversight, this unfortunate practice of withholding breach information will only continue.

So what is next for Google? The typical, “…the implementation of better privacy and security protections.” We have heard this story before. The surprising action is that Google is now shutting down Google+ for good. Google+ could have been a great platform though the market is saturated with social networking sites. Hopefully Google will make true to their word and congress will have a wake up call.

For more information on Google’s breach head over to the Wall Street Journal – Google Exposed User Data, Feared Repercussions of Disclosing to Public.

CloudFlare’s DNS Over HTTPS Service

How does DNS work?

Protecting your privacy online is a hot topic for many. Though many websites have transitioned from HTTP to HTTPS, allowing web traffic to be secured, this does not protect your overall privacy. The internet still relies on older protocols to ensure you are accessing the right website or other online resources.

DNS, or the Domain Name Service, is one of those protocols we rely heavily on everyday. Every internet connected device has at least one IP address. DNS allows you to type in google.com and it resolves the IP address associated to it. One of the biggest issues with DNS is that it is one of those legacy protocols we rely on everyday. It has no built in security and runs completely in clear text. This allows your Internet Service Provider, or anyone capable of capturing internet traffic, to see what websites you access. This means that even if you are accessing a HTTPS website, others can still see your internet history.

Why is this bad?

As we continue on in the digital age, our internet history is being used against us. Website cookies, internet searches, and DNS queries are being sold to marketing companies. Everything you do is being bought and sold to a number of companies and marketing firms. These companies then take this information and use targeted ads in order to get you as the consumer to purchase online goods and services. There have been steps made to discourage and even eliminate this type of intrusion into our privacy however they have not been totally adopted due to complexity.

Protecting your online privacy

Using HTTPS over HTTP is a great first step in protecting the security and privacy of your internet traffic. The next step is to look at protecting the privacy and security of your DNS queries too. Many online DNS services provide this level anonymity and security. CloudFlare’s 1.1.1.1 DNS over HTTPS is one such service that provides this level of protection. Their privacy policy states that under no circumstances will they ever sell your internet searches to outside third party companies. Quad9 by IBM states the same information in their privacy policy too. However just setting your DNS settings to either of these services is not enough. Your router or computer will still send clear text DNS queries without additional configuration.

CloudFlare offers a number of different ways to protect your online searches. If you are looking to just configure the service on your local machine, instructions and downloads can be found at their Downloads page. Quad9 offers the same level of integration.

If you are looking to provide DNS over HTTPS for your entire household or business your in luck as well. There are simple ways to get this configured so that everyone can take advantage. Different types of routers, including pfSense, can be configured to run DNS over HTTPS. To do so, you can utilize Untangle and configure it to run DNS over port 853. The configuration will be placed into the custom option area and will look like this:

server:
forward-zone:
name: "."
forward-ssl-upstream: yes
forward-addr: 1.1.1.1@853
forward-addr: 1.0.0.1@853
forward-addr: 2606:4700:4700::1111@853
forward-addr: 2606:4700:4700::1001@853
forward-addr: 9.9.9.9@853
forward-addr: 149.112.112.112@853

Once that is in place, and you have saved your configuration, you will now have an additional sense of privacy and security while online.

Page 2 of 3

Powered by WordPress & Theme by Anders Norén