Over the past years, various DNS software developers have tried to solve the interoperability problems of the DNS protocol, and especially of its EDNS extension (RFC 6891), with temporary workarounds that let their software accept various non-standard behaviors. Unfortunately, time has shown that adding temporary workarounds is not a long-term solution, especially because implementations that did not fully comply with the standards appeared to work, so there was no pressure for a permanent fix. The result of these makeshift solutions is their accumulation in DNS software, to the point where the workarounds themselves begin to cause problems. The most obvious problems are slower responses to DNS queries and the impossibility of deploying a new DNS protocol feature called DNS Cookies, which would help reduce DDoS attacks based on abuse of the DNS protocol.
Czech children under age 13 who use Facebook or Instagram are less than four months away from becoming lawbreakers. What makes the situation even worse is the fact that unless a law is passed by this May that would set the threshold for the use of social networking services to 13 years, from that point their use, along with other services, will become illegal for every person aged from 13 to 16 who does not obtain consent of their parents. This issue has already been addressed in our blog by our colleague Jiří Průša. But let’s go deeper.
Or, to be exact, you could have welcomed it last October, when we released its beta version. In the beginning we were debugging it while leaving registration free; then came the stress test in the form of migrating all users of the Turris routers. We resolved all the issues and considered the suggestions, so nothing stood in the way of launching HaaS, Honeypot as a Service.
Suricata, one of the most comprehensive open source intrusion detection systems, held its annual conference in Prague. Because CZ.NIC makes intensive use of Suricata in its Turris routers to protect users, we became a proud partner of the event. There, we shared our experience with other Suricata users and showed the technological solution of the Turris Omnia router, on which Suricata can be operated with ease.
A golden opportunity: the bank we’re about to rob is moving to new premises today. To our luck, they’re also testing alarms until 4 PM, so it won’t be suspicious if we accidentally set one off. There is an open window on the first floor protected by a single sensor. Our inside man among the staff has placed an IP camera into the sensor cabinet, so we can see if the sensor we are trying to break has the ‘status OK’ or the alarm is screaming. The IP camera is streaming to YouTube — alas with a delay. The problem is that the sensor communicates via radio waves: every 15 to 30 seconds the diode beeps and the device sends a signal. We’re listening, trying to imitate it, and when we’re sure, we’re gonna shut down the sensor and turn on our little imitation that we built. What is left is just to arrange the tin foil between the antennas, like this… the sensor alarm’s blaring! We are holding our ears and will try again in half a minute.
Today’s children often learn to play a video on a tablet before they utter their first sentence, and game applications are often more popular among our little ones than toy blocks. When the parents find out that a cute hat for a virtual doll has deprived their account of an amount exceeding the price of some real fashion accessory, they start taking an interest in the security settings and in what their kids do on the computer.
It all started when we received a response to one of the automatic e-mails generated by our honeypots when they detect an attack attempt or suspicious behavior. These notifications are sent to abuse contacts of the network from which the attack originated. Portscan of the WAN interface:
Locked Shields is the largest international cyber security drill. It has been organised regularly since 2010 by the NATO CCDCOE (Cooperative Cyber Defence Centre of Excellence), and the focus of the drill is a clash between two teams: the red team attacks, and the blue team plays the role of the defender. This year, the drill was attended by a total of 19 blue teams. The teams were charged with defending the diverse computer infrastructure of a fictional country’s military base, consisting of different servers, numerous workstations, SCADA systems, etc. The defenders faced attackers whose objective was to damage, compromise, or completely take down the network or its elements, or at least to make things complicated for the defenders. In addition to the technical part, the drill also focuses on strategic decision-making, cooperation with the press and the handling of legal matters. We were invited by colleagues from GovCert and assigned to the “Linux team”.
Depending on your age, you either might or might not have used Telnet to connect to remote computers in the past. But regardless of your age, you would probably not consider Telnet for anything you currently use. SSH has become the de facto standard when it comes to remote shell connection as it offers higher security, data encryption and much more besides.
Knot DNS 2.1 introduced support for DNSSEC signing using PKCS #11. PKCS #11 (also called Cryptoki) is a standard interface for accessing various Hardware Security Modules (HSMs). Such devices are usually used to improve the protection of private key material. The interface is rather flexible and gives HSM vendors a huge amount of freedom, which unfortunately makes its use a bit tricky: there are often surprising differences between individual implementations.