Let's Encrypt, a leading issuer of SSL/TLS certificates, has taken a big step forward by adding support for Certificate Transparency. This capability, now merged into Let's Encrypt's Boulder CA suite, resolves a long-standing feature request by embedding Signed Certificate Timestamps (SCTs) into newly minted certificates. Because the SCT is attached directly to the certificate, no additional server modules or configuration is needed by site administrators.

Certificate Transparency support allows websites using Let's Encrypt certificates to implement the Expect-CT HTTP header. This header provides additional security by instructing web browsers to verify the certificates they receive against public certificate transparency logs. Forged or otherwise malicious certificates are often absent from these logs, and will ...

Yesterday, Scott Arciszewski from ParagonIE published The 2018 Guide to Building Secure PHP Software. If you develop for (or attack) the web in any language, this is an excellent reference that addresses a number of common web application pitfalls.

In the section devoted to security headers, I saw a reference to one that's flown under my radar until now: Expect-CT. Scott Helme has a nice write-up of Expect-CT, and I went off to read the specification for myself. As it happens, the HTTP Working Group just posted an updated draft today, but the changes aren't substantive.

The executive summary of Expect-CT is that Chrome can no...

When downloading and compiling software, it's always a good idea to verify the integrity of the source files you obtain. Package handlers like yum and apt handle this automatically, but it must be done manually when you download software yourself.

ISC, the publisher of the BIND DNS server, provides cryptographic signatures with each release. If you have gpg installed, you can use the signature to validate your downloaded BIND tarball. ISC's download URLs follow a consistent naming pattern; simply change the version number in the URLs below to match the version you need.

Download the BIND source

[root@host /home/files]# wget https://ftp.isc.org/isc/bind9/9.11.17/bind-9.11.17.tar.gz
  `bind-9.11.17.tar.gz' saved [8206030/8206030]

Download the associated signature file

[root@host /home/files]# wget https://ftp.isc.org/isc/bind9/9.11.17/bind-9.11.17.tar.gz.sha256.asc
  `bind-9.11.17.tar.gz.sha256.asc' saved [874/874]
`...

See US-CERT announcement GRIZZLY STEPPE – Russian Malicious Cyber Activity.

Following is a script that will create an ipset containing IP addresses identified as part of GRIZZLY STEPPE, and create iptables rules to log and block traffic to/from those hosts. Some of these hosts are or were Tor exit nodes, and there may be collateral damage.

#Block hosts designated as GRIZZLY STEPPE (Russian Malicious Cyber Activity) participants
#See https://www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity

#Remove existing iptables rules
iptables -D INPUT $(iptables -L INPUT -v -n --line-numbers | grep grizzly-steppe | awk '{print $1}')
iptables -D OUTPUT $(iptables -L OUTPUT -v -n --line-numbers | grep grizzly-steppe | awk '{print $1}')

#Remove ipset if it exists
ipset -q -F grizzly-steppe
ipset -q -X grizzly-steppe

#Create ipset
ipset -N grizzly-steppe hash:net
...