Internet

Secure your cloud

I got asked another question. I’m going to paraphrase the question for this blog entry. Given the Russian invasion of Ukraine and the response of other nations (sanctions, asset confiscation, withdrawal of services, isolation of the Russian banking system…) there is a chance of enhanced cyber attacks against Western banking infrastructure in retaliation. How can we be 100% sure our cloud environments are secure from this? Firstly, I want to dispel the “100%” myth.

The problems with port 80

I got asked a question… this gives me a chance to write an opinion. I have lots of them! If I redirect my port 80 traffic to another site, do I need to get a TLS cert? The question here is related to if a bank (or other service) has changed their name, then do they still need to maintain a TLS site for the old name? Can’t they just have http://mybank.

X-Forwarded-For and IP Allow-List

What is IP Allow-Listing Typically when you want to access a remote resource (e.g. login to a server) you need to provide credentials. It might be a simple username/password, it could be via SSH keys, it could use Mutual TLS with client-side certificates… doesn’t really matter. One concern is “what happens if the credential is stolen”. IP allow-listing is a way of restricting where you can use that credential from.

Extending the wireless on my router

3 years ago I replaced OpenWRT with a home grown router. It’s worked pretty well, but I wanted to take advantage of improvements in networking (5Ghz!) and also improve coverage. This kinda became important due to COVID lockdown and Work From Home. My library, where I was working from, had very weak network signal. I needed to do better. So I decided to look at turning off in the inbuilt WiFi and use an external WAP (Wireless Access Point, or just AP).

Firewall Basics

What is a firewall? Think of an office building with a keycard entry system. To get into the building you need to put your card to the reader. If it think you’re authorized then the gate will open and you can enter. Similarly, a number of offices require you to “badge out” as well. This badge/gate system is a simple analogy for a firewall. A network firewall may be considered to be a security gate to separate the network up into “inside” and “outside” and you define rules to allow traffic to pass through the gate.

RSA wrapped AES

Here’s a common requirement: We want to transfer a file containing sensitive data to a partner; they want us to put the data in their S3 bucket. How can we do this securely? Now you might start with putting controls around the S3 bucket itself; make sure it’s properly locked down, audit logs and so on. But there’s a number of issues with this. In particular, S3 bucket permissions are easy to get wrong.

The three tier network is dead

It’s a fairly common design in enterprise networks; a three tier network architecture, with firewalls between the tiers. Typically these layers are split up with variations of the following names: Presentation Layer (Web) Application Layer (App) Data (or storage) Layer (Data) Typically you may have additional tooling in front of each layer; e.g a load balancer, a web application firewall, data loss protection tools, intrusion detection tools, database activity monitoring…

Monitoring my router with graphs

WARNING: technical content ahead! There’s also a tonne of config files, which make this page look longer than it really is, but hopefully they’ll help other people who want to do similar work. A few months back I replaced my OpenWRT router with a CentOS 7 based one. This machine has been working very well, and handles my Gigabit FIOS traffic without any issues.

Building a home router

WARNING: technical content ahead! There’s also a tonne of config files, which make this page look longer than it really is, but hopefully they’ll help other people who want to do similar work. For many years I’ve been using variations of the Linksys WRT54G. I first switched to this router when freeware ROMs became available; I’ve used DD-WRT, Tomato, OpenWRT and others.

Phishing and Certificate Transparency

Many people are at a large risk of a phishing attack. In this scenario the person may receive an email that looks like it came from a legitimate source (e.g. their bank) and encourages them to click a link that presents them with their bank login page. The user then attempts to login… Except that site isn’t their banking site. It’s a mockup that looks like the real one. And they’ve now told their banking password to the attacker.

Make it easy to use

There is a temptation in computer security circles to aim for the perfect. After all, we know that if there is a hole then it will be found and will be exploited. So we tend to build (hopefully! ahem OpenSSL) secure products that will withstand attacks… and then fail at usability Let’s take a brief travel through… Unix naming services NIS In the long distant past (the 1980s), Sun Microsystems created a system called NIS (Network Information Services)1.

Stop, step back, take a minute, slow down

There’s an old comment; “A Lie Can Travel Halfway Around the World While the Truth Is Putting On Its Shoes”. This came from a pre-internet world. Today a lie can travel around the world in seconds. Personal annecdote Last year I broke the MBR on every hard disk on my home server. I was panicing. I really didn’t want to rebuild and restore from backup, and then re-rip all my DVDs; such a time sink!