infosec

Monitoring Certificate Transparency logs for fraudulent SSL certs with Scumblr

I read with interest this article by Facebook, about detecting (possibly) fraudulent SSL certificates being issued by CAs.

I wasn't previously aware of Google's Certificate Transparency initiative, but it seems like a good idea. Basically there exists a sort of blockchain of public, append-only logs of all SSL certs that are being issued (at least, where the CA is cooperating to publish that info?).

'So, what is it you exactly do?' - Part five, troubleshooting

In the last article of this sysadmin series, I talked about the importance of monitoring as an insight into infrastructure and application behaviour - something that is hard to overstate. But what good is monitoring if you don't understand what it's telling you? That's where troubleshooting comes in.

'So, what is it you exactly do?' - Part four, monitoring

Here's a scenario...

At 4:30AM every Thursday (sysadmin's time), a server's site suddenly spikes in load, because a full backup takes place at such a time, which is not an off-peak time in terms of traffic due to international visitors.

A bunch of users visiting a site on that server receive a flurry of 502 errors trying to load some content - a form of application timeout due to the taxing effect on the CPU related to the backup process.

'So, what is it you exactly do?' - Part three, security

This article is third in a series of long, windy answers to the inevitable 'but what exactly do you do as a sysadmin consultant?' question. I started writing this because it's hard to give a sufficient short answer.

Adding Yubikey 2-factor authentication to SSH and sudo in Debian

Throughout 2014 and 2015 I have been adding two-factor authentication to Debian and Ubuntu servers (SSH, sudo) for some of my customers, using Yubikeys as the authentication device and OTP as the auth method. It's quite straightforward to integrate Yubikey OTP auth into Debian SSH servers, provided you are using Debian 7 (Wheezy) or higher, and that you can use the version of OpenSSH from the Backports repository.

This guide will work for SSH auth, as well as for other server-side tasks such as the use of sudo.

Encrypting OSSEC mail notifications with GPG

After reading the SecureDrop security audit announced today, I noted that they GPG-encrypt their OSSEC mail to add an extra layer of protection over the incidents that OSSEC finds and sends alerts for. Neat idea, it never occurred to me. Even though my servers use TLS to transmit mail around, and that I run my own mail server, that traffic still has to hop through some public routes, so why not add more encryption.

Monitoring pastebin.com with Scumblr

I have been experimenting with Scumblr and Sketchy - two open source products released in August 2014 by Netflix.

Broadly speaking, Scumblr is a tool for performing external searches that can aggregate and track the results it finds. In addition it employs various workflow/status/tag features to produce a management tool for taking action on the items or 'events'.

Awesome Screenshot update 3.7.12 offers 'opt out' of spyware option

Back on the 12th August I wrote about my discovery of forced opt-in spyware in the popular Google Chrome extension 'Awesome Screenshot', which tracks and sends all browsing history over plaintext HTTP to an upstream marketing service.

Awesome Screenshot URL tracking and niki-bot

UPDATE: Awesome Screenshot 3.7.12 now offers an 'opt-out' setting to address this (but it's on by default) - read my new article here.

Back in June, my OSSEC logs alerted me to some web crawling activity by a crawler with a user-agent of 'niki-bot'. Chances are if you grep or analyse your web logs, you've seen it too.