Today I saw an interesting IMAP probe. These are usually background noise, occurring by the hundreds each day and mostly trying weak passwords against non-existent accounts. This particular login attempt was made on a valid alias, so I took a few seconds to dig deeper, and found an indicator of attack I hadn't seen before.

Immediately preceding the IMAP authentication attempt, the same IP address had issued one HTTP GET request and two HTTP POST requests for /autodiscover/autodiscover.xml on the same domain (the file doesn't exist). Not being familiar with autodiscover.xml, I looked up the documentation and it's a WPAD-like configuration discovery scheme for Outlook. Aside from people whose own Outlook clients and/or Exchange servers are spamming their own web server logs with requests, I couldn't find many people talking about seeing it in their httpd logs. autodiscover.xml doesn't seem to be commonly scanned, spidered, or ab...

Facebook's data collection tactics make waves

With Facebook and Cambridge Analytica in the news, Facebook's threat to privacy is finally getting the widespread attention it deserves. Beyond the obvious political propaganda concerns, the wider implications of Facebook's data collection are coming to light, and some of the examples are alarming. Multiple users have downloaded their history and discovered that Facebook had records of all of their phone calls and text messages.

In addition to siphoning up phone-related data, much of the web has become infected with Facebook tracking beacons that collect your browsing history on desktop PCs and mobile devices. When you see a Facebook "Like" or "Share" button on a web page, your browser typically loads these directly from Facebook's servers. Some websites without visi...

Let's Encrypt, a leading issuer of SSL/TLS certificates, has taken a big step forward by adding support for Certificate Transparency. This capability, now merged into Let's Encrypt's Boulder CA suite, resolves a long-standing feature request by embedding Signed Certificate Timestamps (SCTs) into newly minted certificates. Because the SCT is attached directly to the certificate, no additional server modules or configuration is needed by site administrators.

Certificate Transparency support allows websites using Let's Encrypt certificates to implement the Expect-CT HTTP header. This header provides additional security by instructing web browsers to verify the certificates they receive against public certificate transparency logs. Forged or otherwise malicious certificates are often absent from these logs, and will ...

Yesterday, Scott Arciszewski from ParagonIE published The 2018 Guide to Building Secure PHP Software. If you develop for (or attack) the web in any language, this is an excellent reference that addresses a number of common web application pitfalls.

In the section devoted to security headers, I saw a reference to one that's flown under my radar until now: Expect-CT. Scott Helme has a nice write-up of Expect-CT, and I went off to read the specification for myself. As it happens, the HTTP Working Group just posted an updated draft today, but the changes aren't substantive.

The executive summary of Expect-CT is that Chrome can no...

When downloading and compiling software, it's always a good idea to verify the integrity of the source files you obtain. Package handlers like yum and apt handle this automatically, but it must be done manually when you download software yourself.

ISC, the publisher of the BIND DNS server, provides cryptographic signatures with each release. If you have gpg installed, you can use the signature to validate your downloaded BIND tarball. ISC's download URLs follow a consistent naming pattern; simply change the version number in the URLs below to match the version you need.

Download the BIND source

[root@host /home/files]# wget https://ftp.isc.org/isc/bind9/9.11.23/bind-9.11.23.tar.gz
  `bind-9.11.23.tar.gz' saved [8257821/8257821]

Download the associated signature file

[root@host /home/files]# wget https://ftp.isc.org/isc/bind9/9.11.23/bind-9.11.23.tar.gz.sha256.asc
  `bind-9.11.23.tar.gz.sha256.asc' saved [833/833]
`...

See US-CERT announcement GRIZZLY STEPPE – Russian Malicious Cyber Activity.

Following is a script that will create an ipset containing IP addresses identified as part of GRIZZLY STEPPE, and create iptables rules to log and block traffic to/from those hosts. Some of these hosts are or were Tor exit nodes, and there may be collateral damage.

#Block hosts designated as GRIZZLY STEPPE (Russian Malicious Cyber Activity) participants
#See https://www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity

#Remove existing iptables rules
iptables -D INPUT $(iptables -L INPUT -v -n --line-numbers | grep grizzly-steppe | awk '{print $1}')
iptables -D OUTPUT $(iptables -L OUTPUT -v -n --line-numbers | grep grizzly-steppe | awk '{print $1}')

#Remove ipset if it exists
ipset -q -F grizzly-steppe
ipset -q -X grizzly-steppe

#Create ipset
ipset -N grizzly-steppe hash:net
...