<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0" xmlns:media="http://search.yahoo.com/mrss/"><channel><title><![CDATA[CryptoAUSTRALIA Blog]]></title><description><![CDATA[News, events and updates]]></description><link>https://blog.cryptoaustralia.org.au/</link><image><url>https://blog.cryptoaustralia.org.au/favicon.png</url><title>CryptoAUSTRALIA Blog</title><link>https://blog.cryptoaustralia.org.au/</link></image><generator>Ghost 1.19</generator><lastBuildDate>Sat, 24 Feb 2018 19:10:16 GMT</lastBuildDate><atom:link href="https://blog.cryptoaustralia.org.au/rss/" rel="self" type="application/rss+xml"/><ttl>60</ttl><item><title><![CDATA[ANNOUNCEMENT: Jeremiah Cruz joins CryptoAUSTRALIA]]></title><description><![CDATA[Introducing Jeremiah Cruz as CryptoAUSTRALIA's Project Manager. Jeremiah will work with CryptoAUSTRALIA on our 'Digital Privacy for Professionals' initiative as a volunteer.]]></description><link>https://blog.cryptoaustralia.org.au/2018/01/17/jeremiah-cruz-joins-cryptoaustralia/</link><guid isPermaLink="false">5a5ea0111485011fbcea1b0d</guid><category><![CDATA[Announcements]]></category><dc:creator><![CDATA[CryptoAUSTRALIA]]></dc:creator><pubDate>Wed, 17 Jan 2018 03:12:26 GMT</pubDate><media:content url="https://blog.cryptoaustralia.org.au/content/images/2018/01/cover.jpg" medium="image"/><content:encoded><![CDATA[<div class="kg-card-markdown"><img src="https://blog.cryptoaustralia.org.au/content/images/2018/01/cover.jpg" alt="ANNOUNCEMENT: Jeremiah Cruz joins CryptoAUSTRALIA"><p>FOR IMMEDIATE RELEASE:</p>
<p>Introducing <a href="https://www.linkedin.com/in/jeremiah-cruz-352163117/">Jeremiah Cruz</a> as CryptoAUSTRALIA's Project Manager</p>
<p>We are pleased to announce that Jeremiah will work with CryptoAUSTRALIA on our <a href="https://blog.cryptoaustralia.org.au/2017/12/12/2017-year-in-review-and-future-plans/">'Digital Privacy for Professionals' initiative</a> as a volunteer throughout 2018.</p>
<p>Jeremy is a teacher and passionate gamer who sees the weird relationship between tech, law, games and culture. He co-wrote a paper assessing major ISPs' password policies and the potential threat they posed to end users. Jeremy is also a passionate tutor who teaches kids coding.</p>
<p>CryptoAUSTRALIA is a leading authority promoting a society where Australians can defend their privacy. CryptoAUSTRALIA empowers privacy-concerned citizens through hands-on education and research relating to digital privacy and online security.</p>
</div>]]></content:encoded></item><item><title><![CDATA[How to Pick the Best Threat-blocking DNS Provider (Updated)]]></title><description><![CDATA[Alternative DNS services promise to offer protection from malware, ransomware and phishing. These providers promise some level of threat protection, but how good are they? Let's find out!]]></description><link>https://blog.cryptoaustralia.org.au/2017/12/23/best-threat-blocking-dns-providers/</link><guid isPermaLink="false">5a3dbaf31485011fbcea1af4</guid><category><![CDATA[Domain Name System]]></category><category><![CDATA[Pi-hole]]></category><category><![CDATA[Malware]]></category><dc:creator><![CDATA[Gabor Szathmari]]></dc:creator><pubDate>Sat, 23 Dec 2017 11:24:44 GMT</pubDate><media:content url="https://blog.cryptoaustralia.org.au/content/images/2017/12/dns3-cover-2.jpg" medium="image"/><content:encoded><![CDATA[<div class="kg-card-markdown"><img src="https://blog.cryptoaustralia.org.au/content/images/2017/12/dns3-cover-2.jpg" alt="How to Pick the Best Threat-blocking DNS Provider (Updated)"><p>A handful of alternative DNS services offer protection from malware, ransomware and phishing. Providers like OpenDNS and Quad9 can blackhole DNS requests to block network traffic associated with botnets, phishing and exploits. These DNS providers promise some level of threat protection, but what do they know? Do they know things? Let's find out!</p>
<p>CryptoAUSTRALIA has compared the threat-blocking performance of ten different DNS providers. Our assessment can reveal that Norton ConnectSafe, SafeDNS and Strongarm have managed to block the largest number of harmful websites.</p>
<h2 id="comparingdnsproviders">Comparing DNS Providers</h2>
<p><a href="https://blog.cryptoaustralia.org.au/2017/12/12/introduction-malware-blocking-dns">In our previous article</a>, we introduced a range of malware blocking and anti-phishing alternative DNS services. Each of those boasts its anti-malware and anti-phishing features, but how do we know which service is the most effective? To our best knowledge, there are no independent tests measuring the actual performance of these services.</p>
<p>Therefore, CryptoAUSTRALIA is releasing a new utility called <strong>DiNgoeS</strong> today. This tool can measure and compare the actual threat-blocking performance of ten different DNS providers.</p>
<h3 id="howdingoesworks">How DiNgoeS Works</h3>
<p>Our new tool is straightforward. DiNgoeS downloads a list of domains known for malicious activity from the hpHosts service first. Then it attempts to resolve each domain with every threat-blocking DNS provider. If DiNgoeS finds that a DNS response is blackholed, it considers the blocking action successful.</p>
<p>Once all domains are resolved, DiNgoeS generates a simple report (as shown below). The numbers show how many domains were successfully blocked by each alternative DNS provider.</p>
<p><img src="https://blog.cryptoaustralia.org.au/content/images/2017/12/dingoes-screenshot.png" alt="How to Pick the Best Threat-blocking DNS Provider (Updated)"></p>
<p>In addition to the simple summary, DiNgoeS also generates a detailed CSV report of the threat blocking capabilities. The detailed report can be used for further calculations or trend graphs.</p>
<p><img src="https://blog.cryptoaustralia.org.au/content/images/2017/12/dingoes-csv-report.png" alt="How to Pick the Best Threat-blocking DNS Provider (Updated)"></p>
<p>Our tool currently supports OpenDNS, Comodo (2x), Norton ConnectSafe, Quad9, Neustar, SafeDNS, Safesurfer, Strongarm and Yandex.DNS. As for threat data, DiNgoeS relies on three <a href="https://hosts-file.net/">hpHosts</a> feeds: exploits (EXP), malware (EMD) and phishing (PSH).</p>
<p>DiNgoeS is now <a href="https://github.com/cryptoaustralia/dingoes">available on GitHub</a> and pull requests are welcome.</p>
<h2 id="initialfindings">Initial Findings</h2>
<p>We pulled a fresh list of 500 domains known for malicious activity (EXP, EMD and PSH respectively) on 23 December, and ran DiNgoeS from four different locations (Sydney x2, Frankfurt and N. Virginia). The reason behind the four scans was to iron out DNS resolution errors (e.g. network congestion, throttling) by taking the average of the four separate results.</p>
<p>Our first results show that Norton ConnectSafe, SafeDNS and Strongarm have managed to prevent the largest number of threats of the ten providers under this assessment.</p>
<p><a href="https://blog.cryptoaustralia.org.au/content/images/2017/12/report-diagram-23-12-2017.png"><img src="https://blog.cryptoaustralia.org.au/content/images/2017/12/report-diagram-23-12-2017.png" alt="How to Pick the Best Threat-blocking DNS Provider (Updated)"></a></p>
<p>The highest number of websites was blocked by <strong>Norton ConnectSafe</strong>. This service was able to stop the largest number of the threats. Interestingly, ConnectSafe excels at blocking browser and OS exploits. As for its anti-phishing and anti-malware capabilities, the service is about as effective as the services ranked behind it. Note that the total number is a bit exaggerated compared to the rest of the herd, as ConnectSafe was hijacking about 300 domains in the EXP category, even though these domains were already offline.<sup class="footnote-ref"><a href="#fn1" id="fnref1">[1]</a></sup></p>
<p>The runners-up are <strong>SafeDNS</strong> and <strong>Strongarm</strong>. Although they both managed to block the same number of domains, there is a subtle difference between the two services. While SafeDNS blocked a significant number of domains associated with malware activity, Strongarm performed well at blocking phishing content.</p>
<p>The next in line is <strong>Quad9</strong>. This service managed to block a high number of malware-related domains. The explanation is probably that the block list of this service is based on the <a href="https://exchange.xforce.ibmcloud.com/">IBM X-Force</a> threat intelligence service. Unfortunately, the DNS service did not seem to block too many exploit and phishing domains this time.</p>
<p>The following services are <strong>Neustar Free Recursive DNS</strong> and <strong>Safesurfer</strong>. Both services seem to perform all right in the malware and exploits categories. They did not perform well with phishing. To Safesurfer's defence, it is advertised as an anti-pornography filter, although the <a href="https://www.safesurfer.co.nz/faqs/">FAQ claims the service can block malware, phishing and botnet activity</a> as well.</p>
<p><strong>OpenDNS Home</strong> performed better-than-average with malware-related domains. Sadly, the exploit-blocking capabilities seem to be inadequate, as OpenDNS managed to block zero domains from the hpHosts EXP feed.</p>
<p>The next two are <strong>Comodo SecureDNS</strong> and <strong>Comodo Shield</strong>. They managed to block a fair number of malware-related domains, but they did not block much in the other two categories. Interestingly, the results are quite similar, probably because the same company is operating both of these services.</p>
<p>Finally, the last one on the list is <strong>Yandex.DNS</strong>. This service has barely managed to block any malicious sites from any of the hpHosts feeds, although Yandex.DNS boasts its <a href="https://dns.yandex.com/">malware-blocking capabilities</a>. Maybe the service can block more threats targeting Yandex's primary audience in Russia.</p>
<h3 id="thesmallprint">The Small Print</h3>
<p>Our assessment is not meant to be comprehensive, unbiased or complete.</p>
<p>Firstly, we relied on threat data from a single provider only: <em>hpHosts</em>, which was an arbitrary choice. If any of the alternative DNS providers happen to source threat data from hpHosts, it probably distorts our results.</p>
<p>Second of all, occasional DNS resolution errors did occur due to intermittent network issues and throttling. As these errors were unpredictable and random, we ran the scans from four different locations (Sydney x2, Frankfurt and North Virginia) and took the average of the results.</p>
<p>We ran the scan on a single day (2017-12-23), so the results might be different if the scans are rerun at a later date.</p>
<p>Despite these limitations, we believe that the assessment gives our readers a general idea about how the different alternative DNS providers perform compared to each other.</p>
<p>The raw CSV reports generated by DiNgoeS, and our calculations are <a href="https://dl.cryptoaustralia.org.au/files/threat-blocking-capabilities-report-2017-12-23.zip">available to download here</a>. Comments are welcome on <a href="https://twitter.com/CryptoAustralia">Twitter</a> or <a href="https://cryptoaustralia.org.au/contact">in private</a>.</p>
<h2 id="summary">Summary</h2>
<p>A handful of alternative DNS providers provide threat-blocking capabilities. These services could protect laptops, smartphones and other devices from malware, ransomware and phishing by blackholing DNS requests.</p>
<p>As the actual performance of these threat-blocking DNS providers was previously unknown, CryptoAUSTRALIA has developed a new tool for measuring the effectiveness of these services. <a href="https://github.com/cryptoaustralia/dingoes">DiNgoeS</a>, our new command-line tool, can calculate the total number of domains each DNS service manages to block.</p>
<p>Our assessment found that alternative DNS providers such as Norton ConnectSafe, SafeDNS and Strongarm live up to the expectations, while other services could improve in certain areas.</p>
<p><em>This article is a revision of our previous report published on 21/12/2017. Due to a bug in DiNgoeS, our Quad9 results were inaccurate. We quickly fixed the bug and re-ran the assessment. We thank the Quad9 engineers for drawing our attention to the issue.</em></p>
<p><em>CryptoAUSTRALIA is a not-for-profit organisation running hands-on workshops for privacy-concerned citizens and professionals. <a href="https://cryptoaustralia.org.au/newsletter">Sign up for the newsletter</a> or <a href="https://twitter.com/CryptoAustralia">follow us on Twitter</a> for the latest updates. Image courtesy of <a href="https://pixabay.com/en/bricks-wall-stones-structure-459299/">Pixabay</a>.</em></p>
<hr class="footnotes-sep">
<section class="footnotes">
<ol class="footnotes-list">
<li id="fn1" class="footnote-item"><p>We did not correct the results with these false-positives, as other services did exhibit a similar behaviour to a smaller extent <a href="#fnref1" class="footnote-backref">↩︎</a></p>
</li>
</ol>
</section>
</div>]]></content:encoded></item><item><title><![CDATA[Introduction to Malware-blocking DNS Services]]></title><description><![CDATA[How can you protect your family from malware and phishing with just a little effort? Various alternative DNS providers with built-in threat blocking capabilities are now available to the public. This article helps you pick the right one for keeping your devices safe and secure.]]></description><link>https://blog.cryptoaustralia.org.au/2017/12/19/introduction-malware-blocking-dns/</link><guid isPermaLink="false">5a10250a300862707214b6b8</guid><category><![CDATA[Domain Name System]]></category><category><![CDATA[Pi-hole]]></category><category><![CDATA[Malware]]></category><dc:creator><![CDATA[Gabor Szathmari]]></dc:creator><pubDate>Tue, 19 Dec 2017 04:30:00 GMT</pubDate><media:content url="https://blog.cryptoaustralia.org.au/content/images/2017/12/cover-1.jpg" medium="image"/><content:encoded><![CDATA[<div class="kg-card-markdown"><img src="https://blog.cryptoaustralia.org.au/content/images/2017/12/cover-1.jpg" alt="Introduction to Malware-blocking DNS Services"><p>How can you protect your family from malware and phishing with just a little effort? Various alternative DNS services with built-in threat blocking capabilities are now available to the public. This article introduces these public DNS services and helps you pick the right one for keeping your devices safe and secure.</p>
<p>There are different products and services available for blocking malware, ransomware and deceptive websites, including a myriad of <a href="https://blog.cryptoaustralia.org.au/2017/08/24/why-free-antivirus-better-than-no-av-and-worse-than-paid-av/">anti-virus software</a>, the <a href="https://wiki.mozilla.org/Security/Safe_Browsing">Google Safe Browsing browser integration</a>, or browser plugins like <a href="https://blockade.io/">Blockade</a>. In our previous article, we <a href="https://blog.cryptoaustralia.org.au/2017/11/15/favourite-block-lists-cryptoaustralia/">introduced a handful of block lists</a> that give an additional layer of protection for your Pi-hole.</p>
<p><img src="https://blog.cryptoaustralia.org.au/content/images/2017/12/malware_screenshot.jpg" alt="Introduction to Malware-blocking DNS Services"></p>
<h2 id="sophisticatedthreats">Sophisticated Threats</h2>
<p>Anyone can inadvertently navigate to deceptive websites, and the purpose of these products is to prevent the web browser from loading the webpage or downloading a file.</p>
<p>How do these mistakes happen? Deceptive emails may contain web links pointing to pixel-perfect copies of login pages, or malvertising can load fake Flash updates or exploit kits in a hidden iframe. These attacks are getting more and more sophisticated, so out-of-date pieces of advice such as <em>&quot;do not click on links in emails with poor English&quot;</em> are becoming less relevant.</p>
<h2 id="blocklistissues">Block List Issues</h2>
<p>Furthermore, each website blocking technique (anti-malware, Google Safe Browsing, etc.) has its limitations, so it is a sensible decision to rely on multiple layers of protection.</p>
<p>The first issue is the delay. The latest <a href="https://www.webroot.com/download_file/view/946">WebRoot Threat Report suggests</a> that <em>&quot;84% of all phishing sites last less than 24 hours&quot;</em>. In other words, time is crucial: the sooner a website gets on the block list, the better. As standard blocking services (Safe Browsing, anti-malware products, etc.) acquire reputation data from different sources, malicious domains may end up too late on their block lists.</p>
<p>Secondly, none of the website blocking services is meant to be comprehensive. While more cautious providers may prefer to keep their customers happy by keeping false positives low, others may focus on blocking targeted attacks only. The block lists are curated by humans one way or another, which inherently makes them biased.</p>
<p>Because reaction time is crucial, and block lists are not comprehensive, we should not rely on a single technology.</p>
<h2 id="dnsbasedblocking">DNS Based Blocking</h2>
<p>As we learned on the <a href="https://blog.cryptoaustralia.org.au/2017/11/02/pi-hole-network-wide-ad-blocker/">Pi-hole workshop</a>, DNS blackholing is a technique that can be used for blocking malicious activity. The Pi-hole blocks ads, trackers, C2 and phishing domains by responding to DNS queries on the block list with NXDOMAIN (i.e. domain not found).</p>
<p><img src="https://blog.cryptoaustralia.org.au/content/images/2017/12/strongarm-blocked.jpg" alt="Introduction to Malware-blocking DNS Services"></p>
<p>A similar approach is also offered by a range of alternative DNS servers. The premise of these public DNS services is analogous to the Pi-hole: if your computer tries to resolve the domain name of a malicious website (e.g. <code>badsite.com</code>), the server hijacks the DNS request. Public servers typically respond with a false IP address pointing to an informative <strong>'this website has been blocked'</strong> page.</p>
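The blackholing described here, and the measurement DiNgoeS performs in the comparison article above (resolve each known-bad domain with every provider and count a blackholed answer as a successful block), as an added Python example that is not part of the original posts or of the DiNgoeS project. It sends a raw A query over UDP using only the standard library, classifies the answer as blocked (NXDOMAIN, an empty answer, or only sinkhole/block-page addresses), resolved or error, and tallies the outcomes per provider; the sample domains, the documentation-range block-page address, the provider names and the offline fake resolver are constructed assumptions.

```python
import socket
import struct
from collections import Counter

# Addresses a sinkholing resolver commonly answers with instead of the real one.
SINKHOLE_ADDRS = {"0.0.0.0", "127.0.0.1"}
# Constructed sample input: placeholder domains and a documentation-range address
# standing in for a provider's real 'this website has been blocked' page.
SAMPLE_DOMAINS = ["bad-exploit.example", "phish-login.example", "benign.example"]
SAMPLE_BLOCKPAGE = frozenset({"198.51.100.53"})

def build_query(name, txid=0x1234):
    """Encode a standard recursive A/IN query for name."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    labels = [lbl.encode() for lbl in name.strip(".").split(".")]
    qname = b"".join(bytes([len(lbl)]) + lbl for lbl in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN

def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if (length & 0xC0) == 0xC0:  # two-byte compression pointer ends the name
            return off + 2
        off += 1 + length

def parse_response(msg):
    """Return (rcode, list of A-record addresses) from a raw DNS response."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x0F
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return rcode, addrs

def classify(rcode, addrs, blockpage_addrs=frozenset()):
    """Map one answer to 'blocked', 'resolved' or 'error'."""
    if rcode == 3:  # NXDOMAIN: the Pi-hole style blackhole
        return "blocked"
    if rcode != 0:  # SERVFAIL, REFUSED, ...: counted separately, not as a block
        return "error"
    # NOERROR whose only addresses are sinkhole or block-page ones is the public
    # resolver style of hijack; an empty answer is treated as blocked too (assumption).
    if not addrs or all(a in SINKHOLE_ADDRS or a in blockpage_addrs for a in addrs):
        return "blocked"
    return "resolved"

def resolve(server, name, blockpage_addrs=frozenset(), timeout=3.0):
    """Query one resolver over UDP and classify its answer (needs network access)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(build_query(name), (server, 53))
            data, _ = sock.recvfrom(512)
        except OSError:  # timeout, unreachable resolver, throttling
            return "error"
    return classify(*parse_response(data), blockpage_addrs)

def make_response(name, rcode, addrs=(), txid=0x1234):
    """Construct a raw DNS response for offline testing (sample data, not captured)."""
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(addrs), 0, 0)
    body = build_query(name, txid)[12:]  # echo the question section
    for a in addrs:
        body += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(a)
    return header + body

def fake_resolve(server, name, blockpage_addrs=frozenset()):
    """Offline stand-in for resolve(): 'sinkhole' hijacks anything not named benign."""
    if server == "sinkhole" and not name.startswith("benign"):
        raw = make_response(name, 0, ["198.51.100.53"])  # block-page style answer
    else:
        raw = make_response(name, 0, ["192.0.2.10"])  # ordinary answer
    return classify(*parse_response(raw), blockpage_addrs)

def run_assessment(domains, resolvers, resolver_fn=resolve, blockpage_addrs=frozenset()):
    """Tally outcomes per provider, like the DiNgoeS summary report."""
    report = {}
    for provider, server in resolvers.items():
        counts = Counter()
        for domain in domains:
            counts[resolver_fn(server, domain, blockpage_addrs)] += 1
        report[provider] = counts
    return report

def demo():
    """Run the assessment offline against two hypothetical providers."""
    resolvers = {"sinkhole": "sinkhole", "plain": "plain"}
    return run_assessment(SAMPLE_DOMAINS, resolvers, fake_resolve, SAMPLE_BLOCKPAGE)
```

`demo()` runs entirely offline; a live measurement is `run_assessment(domains, {"Quad9": "9.9.9.9"})` with the default `resolve`, keeping in mind that a provider's real block-page address has to be supplied for the block-page style of hijack to be counted.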
<p>DNS-based blocking is very simple, and it only takes a few steps to configure. You can change the upstream DNS servers either on your <a href="https://www.lifewire.com/how-to-change-dns-servers-on-most-popular-routers-2617995">home router</a> or on <a href="https://github.com/pi-hole/pi-hole/wiki/Upstream-DNS-Providers">your Pi-hole device</a>. Once DNS queries start going through the third-party servers, you are all set.</p>
<p><img src="https://blog.cryptoaustralia.org.au/content/images/2017/12/pihole-dns.jpg" alt="Introduction to Malware-blocking DNS Services"></p>
<h3 id="listofthreatblockingdnsservices">List of Threat-blocking DNS Services</h3>
<p>We are aware of the following DNS services offering malware blocking and anti-phishing capabilities to home users (as of December 2017):</p>
<ul>
<li><a href="https://www.opendns.com/">OpenDNS Home</a> (comes with admin panel with optional user registration) - <code>208.67.222.222</code>, <code>208.67.220.220</code></li>
<li><a href="https://www.comodo.com/secure-dns/">Comodo Secure DNS</a> - <code>8.26.56.26</code>, <code>8.20.247.20</code></li>
<li><a href="https://connectsafe.norton.com/configureRouter.html">Norton ConnectSafe</a> - <code>199.85.126.10</code>, <code>199.85.127.10</code></li>
<li><a href="https://www.quad9.net/">IBM Quad 9</a> - <code>9.9.9.9</code></li>
<li><a href="https://www.neustar.biz/security/dns-services/free-recursive-dns-service">Neustar Free Recursive DNS</a> - <code>156.154.70.2</code>, <code>156.154.71.2</code></li>
<li><a href="https://www.safedns.com/">SafeDNS</a> (comes with admin panel with optional user registration) - <code>195.46.39.39</code>, <code>195.46.39.40</code></li>
<li><a href="https://shield.dome.comodo.com/">Comodo Shield</a> (comes with admin panel with optional user registration) - <code>8.26.56.10</code>, <code>8.20.247.10</code></li>
<li><a href="https://strongarm.io/">Strongarm</a> (comes with admin panel with optional user registration) - <code>54.174.40.213</code>, <code>52.3.100.184</code></li>
<li><a href="https://dns.yandex.com/advanced/">Yandex.DNS</a> - <code>77.88.8.88</code>, <code>77.88.8.2</code></li>
<li><a href="https://www.safesurfer.co.nz/">SafeSurfer</a> (paid service, main focus is blocking adult websites) - <code>104.155.237.225</code>, <code>104.197.28.121</code></li>
</ul>
<p><em>Disclaimer: Be aware that organisations operating these services will have access to your DNS resolution history, which may allow them to reconstruct your browsing history. If you have privacy concerns over this, have a look at our latest guide on <a href="https://blog.cryptoaustralia.org.au/2017/12/05/build-your-private-dns-server/">self-hosted malware-blocking DNS servers</a> instead.</em></p>
<h3 id="butwaittheresmore">But Wait, There's More!</h3>
<p>Certain DNS providers come with an optional admin panel, which typically allows you to:</p>
<ul>
<li>View DNS activity on your network (domains allowed/blocked)</li>
<li>Block website categories (adult, gambling, social media, etc.)</li>
<li>Block individual domains (e.g. <code>facebook.com</code>)</li>
</ul>
<p>The following screenshot shows how you can block website categories with Comodo Shield:</p>
<p><img src="https://blog.cryptoaustralia.org.au/content/images/2017/12/comodo-categories-1.jpg" alt="Introduction to Malware-blocking DNS Services"></p>
<h2 id="summary">Summary</h2>
<p>Malware-blocking and anti-phishing DNS servers can be an excellent companion to other protective measures, such as anti-malware products and browser plugins. It takes just a few clicks to change the default DNS servers (provided by your ISP) to these third-party servers with the additional protection built in. Be careful, though! Your DNS requests go to a third party, and this may raise some privacy concerns.</p>
<p>Great, so there are almost a dozen providers available. But how can we pick the best DNS service with the most advanced anti-malware capabilities? Their marketing pitch makes them all look the same. Which service is the lemon? <a href="https://blog.cryptoaustralia.org.au/2017/12/23/best-threat-blocking-dns-providers/">In the second part of this article</a>, we help you pick the right DNS service provider.</p>
<p><em>Image courtesy of <a href="https://pixabay.com/en/dna-deoxyribonucleic-acid-dns-1500076/">Pixabay</a></em></p>
</div>]]></content:encoded></item><item><title><![CDATA[Burgers and Privacy – Interview with Jon Lawrence]]></title><description><![CDATA[Karissa Breen interviews Jon Lawrence, the Executive Officer of the Australian digital rights group 'Electronic Frontiers Australia']]></description><link>https://blog.cryptoaustralia.org.au/2017/12/14/burgers-with-jon-lawrence-efa/</link><guid isPermaLink="false">5a2d20ebfd7eed393d873992</guid><dc:creator><![CDATA[Karissa A. Breen]]></dc:creator><pubDate>Thu, 14 Dec 2017 04:30:00 GMT</pubDate><media:content url="https://blog.cryptoaustralia.org.au/content/images/2017/12/cover-5.jpg" medium="image"/><content:encoded><![CDATA[<div class="kg-card-markdown"><img src="https://blog.cryptoaustralia.org.au/content/images/2017/12/cover-5.jpg" alt="Burgers and Privacy – Interview with Jon Lawrence"><p>Since I got in the middle of the privacy community in Sydney, I am particularly interested in the challenges both vulnerable individuals and organisations face. Just a few weeks ago, I had an unpleasant experience at the doctor whereby <a href="https://blog.cryptoaustralia.org.au/2017/10/03/whats-up-doc/">my sensitive health details got mixed up with someone else's</a>. Various organisations work hard in Australia to not let things like this happen to anyone.</p>
<p>One of the groups I have been following recently is Electronic Frontiers Australia (EFA). It grabbed my attention recently as a fresh new board got elected just last month and since then, the community around the organisation seems to be revitalised. EFA is not only one of the biggest privacy and digital rights groups in Australia, but it has been working for the community for more than 2X years.</p>
<p>What I found personally interesting is that the EFA chair is a woman for the first time ever, and there are a couple of initiatives since the election to help vulnerable women such as victims of domestic abuse.</p>
<p>So, I got very excited when I learned that the EFA's executive officer, Jon Lawrence, was in town. We quickly arranged a meeting at a burger joint to chit-chat about the organisation's plans for the new year.</p>
<p>We sat down at Down 'n' Out, a weird clone of the famous chain from California. Although I am a bit familiar with Jon's work, this was my first time meeting him face to face. Although he was on the road for days, he was <em>[It was the end of the day, so by this point we were both feeling pretty hungry and keen to start our chat]</em>. Once our order was taken, Jon did not hesitate to kick off the conversation.</p>
<p><strong>Cast:</strong></p>
<ul>
<li><strong>Jon:</strong> <a href="https://twitter.com/jon_lawrence">Jon Lawrence</a>, Executive Officer, Electronic Frontiers Australia</li>
<li><strong>KB:</strong> <a href="https://twitter.com/iamkarissabreen">Karissa A. Breen</a>, Technologist, Karissa Breen Industries</li>
<li><strong>Nick:</strong> <a href="https://twitter.com/iamkarissabreen">Nick Kavadias</a>, Former EFA Board Member, now CryptoAUSTRALIA</li>
</ul>
<p><strong>KB:</strong><br>
<em>&lt;&lt; introductions, small talk&gt;&gt;</em></p>
<p><strong>Jon:</strong><br>
<em>&lt;&lt; small talk &gt;&gt;</em></p>
<p><strong>KB:</strong><br>
So there's a couple of questions that I wanted to ask collectively. But then, maybe it's more of a conversation about what you've built up.</p>
<p><strong>Jon:</strong><br>
Sure.</p>
<p><strong>KB:</strong><br>
I noticed that you guys had a press release about having a new female as part of your board. Why was it such a big deal that your first woman had been elected as the EFA chair? <em>[Can be visited at: <a href="https://www.efa.org.au/2017/10/16/first-female-leadership/">https://www.efa.org.au/2017/10/16/first-female-leadership/</a>]</em></p>
<p><strong>Jon:</strong><br>
Well, it's been a long time coming. I think because of the challenges we've had as an organisation for quite a long time is, you know, diversity, generally.</p>
<p><strong>KB:</strong><br>
Yep, totally.</p>
<p><strong>Jon:</strong><br>
And gender diversity, so we've obliged part of that. I mean, a sort of core... Across the quarter base is kind of your technical community, which does have a... You know, there is a gender bias in our community. So... But that's not really... There are other organisations that we work with that have done great work on this sort of stuff. In our communities and in Australia particularly. They've done a really good job.</p>
<p><strong>KB:</strong><br>
Yes.</p>
<p><strong>Jon:</strong><br>
And it's certainly something that we've been trying to do, and I think it's exciting that we've had that breakthrough. I think, if anything, it's going to mean that, you know, there's an example there and it shows to other women, but potentially other underrepresented groups that there's an opportunity for them to get involved, and help the organization.</p>
<p>And I think it's inevitable that having female leadership will make it more likely that we do things that are creating the sort of environments that attract more women, to the environment.</p>
<p>I've certainly never been convinced that I've had the answer to those sort of questions, so.</p>
<p><strong>KB:</strong><br>
So, I guess on the back of that, how do you think more women are getting involved with EFA?</p>
<p><strong>Jon:</strong><br>
Well, I mean you know, there certainly are women in that sort of tech industry and tech field, and I know there's a lot of great women doing some great leadership stuff, and we've certainly had some of them around.</p>
<p>We do tend to see, I think, one of our other fallbacks is sort of the policy area, so it tends be a lot worse, and the gender balance there is, if anything, probably the other way. So, you know, that's certainly one area that we've seen a lot of women come through. There's some fantastic women in that sector. Generally I think that's more diverse than the tech sector, at least it used to be. I don't know how close the stereotype is to reality, but it's certainly something the tech sector has struggled with for a while.</p>
<p><strong>KB:</strong><br>
You are absolutely correct Jon. What would be... the biggest issue for Australians moving forward, given everything that's going on in the market?</p>
<p><strong>Jon:</strong><br>
Well, I think the sort of, the kind of comprehensive, ubiquitous surveillance capabilities that come into place are pretty unprecedented and will be essentially impossible to wind back once they're in place.</p>
<p><strong>KB:</strong><br>
…yes, that is true.</p>
<p><strong>Jon:</strong><br>
You know it is true that lots of people willingly allow themselves to be surveilled on Facebook now that it works like that.</p>
<p><strong>KB:</strong><br>
Yes</p>
<p><strong>Jon:</strong><br>
But, of course, there's no other choice there. Everyone uses Facebook. Some people, well, a lot of people are actually able to, use pseudonyms and protect their identity, so a lot of minority groups have those sorts of issues. But this also includes teachers, judges and police officers. They need to be able to have an online existence without necessarily being social with it.</p>
<p>So it's a bit of a chance, I guess, but yeah. We've had the manual for data retention, so all the details of where you're going on your phone, the phone calls you're making, and who you're making them to. That's all now being recorded. We've got this facial recognition database, which it essentially going to have every adult in Australia in it. That's pretty impressive stuff, and there's not a whole lot, well it doesn't leave a whole lot of space for private activity.</p>
<p><strong>KB:</strong><br>
Is there anything else happening that worries you recently?</p>
<p><strong>Jon:</strong><br>
The other thing that's happening - and this is in the Summerland and Elmerland and - the cash is essentially disappearing from society as well, so it will soon be affect... it's not long before it will be effectively impossible to do anonymous transactions.</p>
<p><strong>KB:</strong><br>
Yep. The traceability will become...</p>
<p><strong>Jon:</strong><br>
Absolutely, so you know, it's...</p>
<p><strong>KB:</strong><br>
Vacant.</p>
<p><strong>Jon:</strong><br>
Yeah. And you know, you put those</p>
<p><strong>Nick:</strong><br>
This is yours! <em>[Hands over the burger tray]</em></p>
<p><strong>KB:</strong><br>
Thank you so much! <em>[Eyes light up]</em></p>
<p><strong>Nick:</strong><br>
Did you get a burger, Jon?</p>
<p><strong>Jon:</strong><br>
Yeah.</p>
<p><strong>Nick:</strong><br>
Where's the burger order?</p>
<p><strong>KB:</strong><br>
Oh.</p>
<p><strong>Nick:</strong><br>
Sorry.</p>
<p><strong>KB:</strong><br>
That's alright. Thank you, I got fries</p>
<p><strong>Nick:</strong><br>
Do you need cutlery or anything?</p>
<p><strong>Jon:</strong><br>
I'll just take a napkin thanks… Where was I? So..</p>
<p><strong>KB:</strong><br>
Anonymous transactions... <em>[giggles]</em></p>
<p><strong>Jon:</strong><br>
Yeah, we're always told, you know, that there's computing capabilities innate in terrorism. I mean, for our children, and the reality is that yes, they're almost certainly helpful in those regards, but... they will be useful for developing.</p>
<p><strong>KB:</strong><br>
Yes…</p>
<p><strong>Jon:</strong><br>
And that's our number one, and that list will grow over time, and that's just how these things work.</p>
<p>I think Australians are generally pretty trusting of our government, so we're really not the sort of anti-authority society that we like to think we are. And what makes it worse...</p>
<p><strong>KB:</strong><br>
Yes… You mean we're relatively compliant?</p>
<p><strong>Jon:</strong><br>
Absolutely!</p>
<p><strong>KB:</strong><br>
Hmmm, yes.</p>
<p><strong>Jon:</strong><br>
The good thing, I think, about Australians…</p>
<p><strong>KB:</strong><br>
We have road rules that are implemented <em>[giggles]</em></p>
<p><strong>Jon:</strong><br>
Yes. We're actually a pretty law-abiding society, and pretty happy to comply with the government, and pretty happy to give government pretty broad counts. And, while we have relatively, sort of, benign governments, it's rare that community situations where things get nasty, or war breaks out. It's not possible...</p>
<p><strong>KB:</strong><br>
No one's well known…</p>
<p><strong>Jon:</strong><br>
All of a sudden you've got the infrastructure set up for a police attack.</p>
<p><strong>KB:</strong><br>
Do you believe Australians are almost walking into this next phase of evolution almost blindly?</p>
<p><strong>Jon:</strong><br>
Yeah, I think so. You know, you look at the UK who are a couple steps ahead of us at the present.</p>
<p><strong>KB:</strong><br>
Yep</p>
<p><strong>Jon:</strong><br>
Yeah, that's definitely helping. And London, for example, is like one CCTV camera for every three people. I think we certainly are seeing - and this has been building over the last year or so.</p>
<p><strong>KB:</strong><br>
Yep</p>
<p>So we had the census that got a lot of people talking about... privacy issues on the front page. The central leak kid fiasco - that sort of fit into that. Facial recognition also. These are now becoming mainstream issues, and being talked about in the mainstream media in a way that we haven't seen... I haven't really seen since I've been involved in it.</p>
<p>So in a sense, that's quite encouraging because, at least, the conversation has been had. I'm in the situation now, where I talk to my family and they know exactly what I'm talking about!</p>
<p><strong>KB:</strong><br>
Well…</p>
<p><strong>Jon:</strong><br>
I was talking to my sister when I said I was speaking with the media today, she goes, &quot;Oh, is it about facial recognition software?&quot; And I went, &quot;yes, yes it is.&quot;</p>
<p><strong>KB:</strong><br>
Yasss!</p>
<p><strong>Jon:</strong><br>
Yes, I thought they might be interested in that, so. You know, having that stuff in the mainstream media is...</p>
<p><strong>KB:</strong><br>
Sure. Please continue.</p>
<p><strong>Jon:</strong><br>
Get people talking about it, then hopefully, we can work with the Australian electronic organisations to build the level of education and knowledge around these things and in the wider community. But also, within political class as well. There are some politicians, of course, that I guess are really good on this stuff, but we have to step it up with others.</p>
<p><strong>KB:</strong><br>
Yes.</p>
<p><strong>Jon:</strong><br>
I’ve been here in both the major parties as well. They don't speak out so much because it is the party rules, but they certainly exist. But on the whole, the level of, understanding and conceptual understanding... They don't need to know the technical exams about roads. They need to understand things in a sort of conceptual, architectural way. That's very important.</p>
<p>We thought Malcolm Turnbull was... I think Turnbull does actually understand these things certainly in a way that he's read a sense of it.</p>
<p><strong>KB:</strong><br>
Yeah, wow.</p>
<p><strong>Jon:</strong><br>
But that hasn't helped us in the way that some would have liked.</p>
<p><strong>KB:</strong><br>
So how do you think we can collaborate... to help Australia? What would be your advice on how to do this better and a more unified approach. From my point of view, it's quite disparate at the moment. What would be your advice on the education piece, and do you think it should be incumbent for massive enterprises to talk more openly about this?</p>
<p><strong>Jon:</strong><br>
I think there is a natural division of labor between peer favorites and frontal policy focus and organizations because Australia is out there, on the ground talking about the educational and training working in Australia, and of course, we can work together on that better.</p>
<p>I think there's a real role for the commercial sector to play on this. I think there's a number of sectors that do this already. I mean banks, for obvious reasons, have a very clear interest in making sure their customers have a say in what efficiency looks like, and how encryption works and so forth, and they've done a really good job!</p>
<p>I think on the privacy side of things, ironically, I think Facebook has done a great job…</p>
<p>…and has probably done as much with telling people about privacy as anyone else. Facebook and Google have got lot better over the last few years about telling people. They are going to real efforts to tell people about their privacy policies.</p>
<p><strong>KB:</strong><br>
Yes, that is true.</p>
<p><strong>Jon:</strong><br>
Pushing out prompts to people to go and look at their privacy settings and so forth. They've got a lot better at doing that.</p>
<p>That doesn't stop the whole organization on Facebook is pretty much anti-privacy, but still I think they take it seriously because at the end of the day, if their users don't trust them, they'll go away.</p>
<p><strong>KB:</strong><br>
They wouldn't have a platform…</p>
<p><strong>Jon:</strong><br>
Yeah.</p>
<p><strong>KB:</strong><br>
There’s only one last question. Coming back to being together-unified, we talked about the disparity between... do you think it's even worthwhile having some sort of a front facing ambassador or champion to really drive this forward?</p>
<p><strong>Jon:</strong><br>
Yeah, I mean somebody like Scott Ludlam on this sort of issue... He can pull a crowd. I mean he can get radio attention in a way that, I never will. Yeah, and I think...</p>
<p><strong>KB:</strong><br>
Well…</p>
<p><strong>Jon:</strong><br>
Well, you know. But I mean he's very good at it, and he's got fantastic hair and he has seventy-thousand Twitter followers and...</p>
<p>No, I think it is important to have high-profile spokespeople because that's how you get attention.</p>
<p><strong>KB:</strong><br>
Yeah, a crowd brings a crowd!</p>
<p><strong>Jon:</strong><br>
But it will be interesting in... As you told me earlier, you know, the greens are introducing Bill Right. I think that's going to be a very interesting conversation, and you know, policy discussion. I think... I wouldn't be that optimistic about it happening very short term, but you know... It's something the Labor party would support in principle.</p>
<p>I've spoken to people on this coalition side of this...</p>
<p><strong>KB:</strong><br>
Yep.</p>
<p><strong>Jon:</strong><br>
...And I don't think... You know they sort of tend to shy away from, sort of, commemoration sorts of things.</p>
<p><strong>KB:</strong><br>
Yep.</p>
<p><strong>Jon:</strong><br>
So I don't know if there'll be too much yet. But it will be interesting, and you know, if we can get any additional protection, you know, any additional enforcement protections we can get on privacy and so on and so forth are a step forward because there really are so few of them, and you know, they're coming into constitution so…</p>
<hr>
<p>After a pretty good chat with Jon, we had eaten all burgers and fries. It was interesting as the chat was so casual and it was a great way to find out more about what the EFA does. If you too are interested in finding out more or getting involved, please <a href="https://www.efa.org.au/">check out some of their stuff here</a>. You can <a href="https://www.efa.org.au/get-involved/">sign-up as a volunteer</a> on the EFA website or subscribe to the <a href="http://lists.efa.org.au/mailman/listinfo/privacy">EFA Privacy mailing list</a>.</p>
<p>The End.</p>
<p><em>Image courtesy of <a href="https://pixabay.com/en/burger-hamburger-roll-barbecue-2762371/">Pixabay</a></em></p>
</div>]]></content:encoded></item><item><title><![CDATA[CryptoAUSTRALIA's 2017 Year in Review and Future Plans]]></title><description><![CDATA[Wow, 2017 was a wild ride! CryptoAUSTRALIA is one-year-old this month, and we could not have done it without the generous support of the community. In this article, we express our gratitude to our friends and outline our exciting plans for 2018.]]></description><link>https://blog.cryptoaustralia.org.au/2017/12/12/2017-year-in-review-and-future-plans/</link><guid isPermaLink="false">5a2d12e4fd7eed393d873990</guid><category><![CDATA[Announcements]]></category><dc:creator><![CDATA[Gabor Szathmari]]></dc:creator><pubDate>Mon, 11 Dec 2017 23:00:00 GMT</pubDate><media:content url="https://blog.cryptoaustralia.org.au/content/images/2017/12/cover-4.jpg" medium="image"/><content:encoded><![CDATA[<div class="kg-card-markdown"><img src="https://blog.cryptoaustralia.org.au/content/images/2017/12/cover-4.jpg" alt="CryptoAUSTRALIA's 2017 Year in Review and Future Plans"><p>Wow, 2017 was a wild ride! CryptoAUSTRALIA is one-year-old this month, and we could not have done it without the generous support of the community. In this article, we express our gratitude to our friends and outline our exciting plans for 2018.</p>
<h2 id="ayearfullofevents">A Year Full of Events</h2>
<p>This year we have been busy bringing you a range of exciting talks and workshops. We kicked off the year with <strong>Roland Wen</strong>’s presentation about election hacking, as a reflection of the scandal around the US presidential elections. The following month, our guests had a chance to learn how they could sanitise their social media presence before job interviews or cross-border travels.</p>
<p>In May, we brought the privacy community together for Privacy Awareness Week with an insightful panel discussion with <strong>Dr Elizabeth Coombs</strong> <sup class="footnote-ref"><a href="#fn1" id="fnref1">[1]</a></sup>, <strong>Dr Suelette Dreyfus</strong> <sup class="footnote-ref"><a href="#fn2" id="fnref2">[2]</a></sup>, <strong>Jon Lawrence</strong> <sup class="footnote-ref"><a href="#fn3" id="fnref3">[3]</a></sup>, <strong>David Vaile</strong> <sup class="footnote-ref"><a href="#fn4" id="fnref4">[4]</a></sup>, and <strong>Professor Brian Martin</strong> <sup class="footnote-ref"><a href="#fn5" id="fnref5">[5]</a></sup>. The panel shared their thoughts on issues threatening the privacy of Australian citizens, such as the metadata retention scheme.</p>
<p><img src="https://blog.cryptoaustralia.org.au/content/images/2017/12/paw-1.jpg" alt="CryptoAUSTRALIA's 2017 Year in Review and Future Plans"></p>
<p>We also had a chance to welcome <strong>Stephen Blanks</strong> (NSWCCL), who gave us his insight into the lack of protection of fundamental rights in Australia. <strong>Julie Posetti</strong> also shared the findings from her UNESCO study about information source protection in the digital age. Additionally, we organised a joint-event with <strong><a href="http://www.walkleys.com">The Walkley Foundation</a></strong>, where journalists had a chance to learn secure communication practices and to develop metadata sanitisation skills.</p>
<p>We also covered numerous other technical areas with the hands-on workshops, such as secure communication by using the <a href="https://blog.cryptoaustralia.org.au/2017/03/21/run-your-end-to-end-encrypted-chat-server-matrix-riot/">Matrix secure-chat platform</a>, intrusion detection with honey tokens, and ad-blocking with Pi-hole. We finished off the year with an event demonstrating how breach data is routinely used to hack individuals. Besides our speakers, we would also like to thank our workshop instructors, namely <strong>Alexi Chiotis</strong>, <strong>Kate Golden</strong>, <strong>Adel Karimi</strong> and <strong>Daniel Reddi</strong> for their efforts.</p>
<p><img src="https://blog.cryptoaustralia.org.au/content/images/2017/12/honeytokens.jpg" alt="CryptoAUSTRALIA's 2017 Year in Review and Future Plans"></p>
<p>Lastly, we would like to say a big thank you to <strong>Dr Suelette Dreyfus</strong> (Blueprint for Free Speech<sup class="footnote-ref"><a href="#fn6" id="fnref6">[6]</a></sup>) and <strong>Robin Doherty</strong> (ThoughtWorks) for bringing <strong>Marcy Wheeler</strong> to the CryptoParty event in Melbourne. Marcy (also known as <a href="https://twitter.com/emptywheel">@emptywheel</a>) is an independent US journalist writing about national security and civil liberties. Due to the incredible efforts of Suelette and Robin, the Melbourne community had a chance to hear Marcy’s insights on the upcoming legislation changes affecting the Five Eyes Alliance.</p>
<p>We would also like to express our gratitude to all our volunteers for helping us this year, including <strong>Zoltan Balazs</strong>, <strong>Andy Bennett</strong>, <strong>Peter Borbely</strong>, <strong>Karissa Breen</strong>, <strong>Michael van Coppenhagen</strong>, <strong>John Gerardos</strong>, <strong>Denis Khoshaba</strong>, <strong>Pawan Kumar</strong>, <strong>Takahiro Nei</strong>, <strong>Peter Tonoli</strong> and <strong>Ed Yuwono</strong> for their dedication and passion.</p>
<p>We thank our very generous financial sponsors for helping us succeed. First of all, <strong>NCryptcellular</strong> for supporting us throughout this year. We thank <strong>Mercury ISS</strong>, <strong>NTT Security</strong> and <strong>NCryptcellular</strong> (again!) for making the <a href="https://cryptoaustralia.org.au/events/paw2017">Privacy Awareness Event</a> happen. We'd also like to thank <strong>Fishburners</strong> and <strong>Infopeople</strong> for generously allowing us the use of their spaces for events.</p>
<p>Lastly, we are grateful for all the support we received from the fantastic community. Our events could not have happened without your generous support both online and offline.</p>
<h2 id="whatwilltheyear2018bring">What Will the Year 2018 Bring?</h2>
<p>In the next year, our goal is to focus on two main directions: events and projects. We will continue our tradition of bringing exciting speakers and workshops to the general public. In addition to the events, however, we plan to expand our activities into research.</p>
<h3 id="workshopsftw">Workshops FTW</h3>
<p>Our privacy is in danger, and this is not going away soon. State-sponsored hacking, mass-surveillance, metadata retention and cyber-crime are just a few things invading our privacy on a daily basis. In addition, governments have started pushing tech companies into <a href="https://arstechnica.com/tech-policy/2017/10/trumps-doj-tries-to-rebrand-weakened-encryption-as-responsible-encryption/">backdooring their secure communication platforms</a> (e.g. WhatsApp). To add insult to injury, private companies are now referring to our personal data as ‘<a href="https://www.economist.com/news/leaders/21721656-data-economy-demands-new-approach-antitrust-rules-worlds-most-valuable-resource">the new oil</a>’ that is fuelling the digital economy.</p>
<p>In response to these threats invading our privacy, we intend to organise more hands-on workshops over the next year. We believe in the learning-by-doing approach, and reckon that we should possess the necessary skills to defend our privacy until data governance policies change for the better.</p>
<p>So keep an eye on our <a href="https://cryptoaustralia.org.au/events">Events page</a> for the latest workshops. If you are interested in being a workshop instructor on a one-off or regular basis, then please email us at <a href="mailto:cfp@cryptoaustralia.org.au">cfp@cryptoaustralia.org.au</a>. In case you are keen on bringing our events to other cities, please apply as an event coordinator <a href="https://cryptoaustralia.org.au/volunteer">here</a>.</p>
<h3 id="digitalprivacyforprofessionals">Digital Privacy for Professionals</h3>
<p>Professionals in industries such as law, medicine and accounting deal with confidential client information and communications. In 2018, we plan to provide events and resources for professionals that cater to the individual needs of specific professional industries.</p>
<p>Sign up for our <a href="http://eepurl.com/ddt0kP">special newsletter</a> to get the latest on this initiative. We will keep you updated as the project is moving forward. If you would like to participate, <a href="https://cryptoaustralia.org.au/volunteer">let us know</a>.</p>
<h2 id="closingnotes">Closing Notes</h2>
<p>We certainly have an exciting year ahead full of events and projects. The digital privacy of citizens has never been in such danger as it is now.</p>
<p>So help us make our initiatives happen and <a href="https://cryptoaustralia.org.au/volunteer">sign up as a volunteer today</a>. We are also looking for content creators, social media and community managers, event coordinators, fundraising managers and project managers.</p>
<p>If your company is looking for a good cause to support, then please write to us for our sponsorship options at <a href="mailto:sponsorship@cryptoaustralia.org.au">sponsorship@cryptoaustralia.org.au</a>.</p>
<p>Keep an eye on our <a href="https://blog.cryptoaustralia.org.au">blog</a> and <a href="https://cryptoaustralia.org.au/library">library</a> for the latest practical technical guides, research and reports about digital privacy and security. To never miss an event, sign up to <a href="https://cryptoaustralia.org.au/events">one of our groups on Meetup</a>. You can also follow us on <a href="https://twitter.com/CryptoAustralia">Twitter</a> or subscribe to the <a href="https://cryptoaustralia.org.au/newsletter">newsletter</a> for the latest news and events.</p>
<p>Lastly, we finish this year off with an <a href="https://www.meetup.com/CryptoAUSTRALIA-Digital-Self-Defence-Privacy/events/245598520/">EOY party on Tuesday</a>! Join us with our friends from <strong><a href="http://sectalks.org">SecTalks</a></strong> and <strong><a href="http://www.ruxmon.com/sydney/">Ruxmon</a></strong> for drinks and nibbles.</p>
<p><a href="https://www.meetup.com/CryptoAUSTRALIA-Digital-Self-Defence-Privacy/events/245598520/"><img src="https://blog.cryptoaustralia.org.au/content/images/2017/12/eoy-party-1.png" alt="CryptoAUSTRALIA's 2017 Year in Review and Future Plans"></a></p>
<p>Hope to see you in 2018!<br>
Gabor &amp; The CryptoAUSTRALIA Team</p>
<p><em>Cover photo courtesy of <a href="https://pixabay.com/en/volunteers-hands-voluntary-help-2653999/">Pixabay</a></em></p>
<hr class="footnotes-sep">
<section class="footnotes">
<ol class="footnotes-list">
<li id="fn1" class="footnote-item"><p>Former NSW Privacy Commissioner <a href="#fnref1" class="footnote-backref">↩︎</a></p>
</li>
<li id="fn2" class="footnote-item"><p>Blueprint for Free Speech <a href="#fnref2" class="footnote-backref">↩︎</a></p>
</li>
<li id="fn3" class="footnote-item"><p>Electronic Frontiers Australia <a href="#fnref3" class="footnote-backref">↩︎</a></p>
</li>
<li id="fn4" class="footnote-item"><p>Australian Privacy Foundation <a href="#fnref4" class="footnote-backref">↩︎</a></p>
</li>
<li id="fn5" class="footnote-item"><p>Whistleblowers Australia <a href="#fnref5" class="footnote-backref">↩︎</a></p>
</li>
<li id="fn6" class="footnote-item"><p>Blueprint for Free Speech provides research and analysis in support of freedom of expression for all people, as described by the UN Declaration of Human Rights - <a href="https://blueprintforfreespeech.net">https://blueprintforfreespeech.net</a> <a href="#fnref6" class="footnote-backref">↩︎</a></p>
</li>
</ol>
</section>
</div>]]></content:encoded></item><item><title><![CDATA[Build a Privacy-respecting and Threat-blocking DNS Server]]></title><description><![CDATA[DNS blackholing can help you protect your devices from malware, ransomware and phishing. This guide shows how you can build your private DNS server that can block threats and protects your privacy.]]></description><link>https://blog.cryptoaustralia.org.au/2017/12/05/build-your-private-dns-server/</link><guid isPermaLink="false">5a22b457fd7eed393d87396f</guid><category><![CDATA[Domain Name System]]></category><category><![CDATA[Pi-hole]]></category><category><![CDATA[Malware]]></category><dc:creator><![CDATA[Gabor Szathmari]]></dc:creator><pubDate>Tue, 05 Dec 2017 04:30:00 GMT</pubDate><media:content url="https://blog.cryptoaustralia.org.au/content/images/2017/12/cover-2.jpg" medium="image"/><content:encoded><![CDATA[<div class="kg-card-markdown"><img src="https://blog.cryptoaustralia.org.au/content/images/2017/12/cover-2.jpg" alt="Build a Privacy-respecting and Threat-blocking DNS Server"><p>DNS blackholing can be a powerful technique for blocking malware, ransomware and phishing on your home network. Although numerous public DNS services boast threat-blocking features, these providers cannot guarantee you total privacy. The following article shows how you can build your private DNS server and add threat-blocking capabilities by using DNS Response Policy Zones (RPZ).</p>
<p>In our previous piece, we showed how you could add <a href="https://blog.cryptoaustralia.org.au/2017/11/15/favourite-block-lists-cryptoaustralia/">additional feeds to your Pi-hole</a> for malware and phishing blocking. You can also use third-party DNS servers (e.g. OpenDNS, Norton ConnectSafe) for their threat-blocking features. We encourage you to use both of these techniques, but you should be aware of their limitations.</p>
<h2 id="delayandprivacyissues">Delay and Privacy Issues</h2>
<p>The first problem with Pi-hole feeds is the reaction time. The latest <a href="https://www.webroot.com/download_file/view/946">WebRoot Threat Report suggests</a> that <em>&quot;84% of all phishing sites last less than 24 hours&quot;</em>. In other words, the faster a website gets on the blocklist, the better. Sadly, the <a href="https://github.com/pi-hole/pi-hole/blob/ecde2225122904a89543712ec8f2b0fd1da26ff6/advanced/pihole.cron#L19">Pi-hole blocklists are updated once a week</a> by default. Although you can change the update frequency, it is still far from real-time blocking. Many of the lists are community maintained, with unofficial targets of monthly updates.</p>
<p>The other issue is privacy. If you are forwarding your DNS requests to a third-party company, you are essentially giving away your web browsing history. Good <a href="https://www.privateinternetaccess.com/blog/2017/12/once-again-privacy-promises-from-a-company-are-worth-nothing-because-companies-cant-promise-anything/">privacy policies will not protect you and your data</a>. Even if the company champions good privacy practices, a change in the management or a warrant can break those promises in the blink of an eye.</p>
<h2 id="dnsbaseddomainblocking">DNS-based Domain Blocking</h2>
<p>A private DNS server can be a solution to both of these concerns. First of all, you can host a private DNS server in your favourite datacentre. Secondly, you can block DNS queries requesting malicious domains with the Response Policy Zone (RPZ) feature.</p>
<p><img src="https://blog.cryptoaustralia.org.au/content/images/2017/12/dns-rpz-diagram.svg" alt="Build a Privacy-respecting and Threat-blocking DNS Server"></p>
<p>As for the privacy concerns, as the operation of the DNS server is under your control, you can configure what queries to log and when. Also, DNS resolution happens on your private server, so no third-party has access to the queries being submitted.<sup class="footnote-ref"><a href="#fn1" id="fnref1">[1]</a></sup></p>
<p>As for the threat-blocking capabilities, you can add an overlay with Response Policy Zones (RPZ). This feature is simple: your DNS server can override DNS query responses when the domain in question is on the blocklist. RPZs are currently supported by BIND9, PowerDNS and a few other commercial products. For a detailed explanation of RPZs, <a href="https://dnsrpz.info/">please</a> <a href="https://en.wikipedia.org/wiki/Response_policy_zone">read</a> <a href="http://www.zytrax.com/books/dns/ch9/rpz.html">these</a> <a href="https://blogs.cisco.com/security/using-dns-rpz-to-block-malicious-dns-requests">articles</a>.</p>
<p>A further advantage of the RPZ feature is simplicity and agility. Firstly, the reputation feeds are pulled from the remote sources with standard DNS zone file transfers. There is no need to convert the blocklists into another format. Secondly, new domains on the remote blocklist are promptly pushed to your DNS server. The remote server emits a standard <code>NOTIFY</code> message, which triggers your private server to download the changes and apply them immediately.</p>
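<p>To make the override mechanism concrete, the following Python script is an added example (not CryptoAUSTRALIA's or BIND's code): it parses a small, constructed RPZ zone written in ordinary zone-file syntax, the same format your slave server receives by zone transfer, and reports what the resolver would do with a given query name. Only QNAME triggers are modelled; the zone name <code>rpz.example.test</code> and all records in it are made up for the example, with the first trigger deliberately mirroring the <code>test.cr.surbl.org</code> name used for verification later in this article.</p>

```python
"""QNAME-trigger RPZ policy evaluator (added example, not the article's code).

RPZ encodes the action in the record data: CNAME "." means NXDOMAIN,
CNAME "*." means NODATA, CNAME "rpz-passthru." means answer normally,
CNAME "rpz-drop." means discard the query, anything else is local data
handed back instead of the real answer.
"""

# Constructed sample zone (not real SURBL feed contents). Owner names are
# relative to $ORIGIN, so the trigger is the owner with the zone suffix removed.
SAMPLE_ZONE = """\
$ORIGIN rpz.example.test.
$TTL 180
@                   IN SOA   dev.null. zone.example.test. 1 180 180 604800 180
@                   IN NS    localhost.
test.cr.surbl.org   IN CNAME .              ; NXDOMAIN (mirrors the article's test)
*.phish.example     IN CNAME .              ; NXDOMAIN for every subdomain
nodata.example      IN CNAME *.             ; NODATA: NOERROR with empty answer
bank.example        IN CNAME rpz-passthru.  ; never rewrite this name
*.bank.example      IN CNAME rpz-passthru.
sinkhole.example    IN A     127.0.0.1      ; local data: answer with this A record
"""

APEX_TYPES = {"SOA", "NS"}
SPECIAL_TARGETS = {
    ".": "NXDOMAIN",
    "*.": "NODATA",
    "rpz-passthru.": "PASSTHRU",
    "rpz-drop.": "DROP",
    "rpz-tcp-only.": "TCP-ONLY",
}


def decode_action(rtype, rdata):
    """Map a policy record to the RPZ action it encodes."""
    if rtype == "CNAME" and rdata.lower() in SPECIAL_TARGETS:
        return {"action": SPECIAL_TARGETS[rdata.lower()], "data": None}
    return {"action": "LOCAL-DATA", "data": f"{rtype} {rdata}"}


def parse_rpz_zone(text):
    """Return {trigger_name: action} from RPZ zone-file text."""
    origin, policy = "", {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        tokens = line.split()
        if tokens[0] == "$ORIGIN":
            origin = tokens[1].rstrip(".").lower()
            continue
        if tokens[0].startswith("$"):
            continue  # $TTL and other directives carry no policy
        owner = tokens.pop(0).lower()
        while tokens and (tokens[0].isdigit() or tokens[0].upper() == "IN"):
            tokens.pop(0)  # optional TTL and class
        rtype, rdata = tokens[0].upper(), " ".join(tokens[1:])
        if owner == "@" or rtype in APEX_TYPES:
            continue  # apex SOA/NS are zone housekeeping, not triggers
        trigger = owner.rstrip(".")
        if owner.endswith(".") and origin and trigger.endswith("." + origin):
            trigger = trigger[: -(len(origin) + 1)]  # absolute owner: strip zone suffix
        policy[trigger] = decode_action(rtype, rdata)
    return policy


def lookup(policy, qname):
    """Evaluate a query name: exact match first, then the closest wildcard."""
    name = qname.rstrip(".").lower()
    if name in policy:
        return dict(policy[name], trigger=name)
    labels = name.split(".")
    for i in range(1, len(labels)):  # *.parent matches subdomains, not parent itself
        wildcard = "*." + ".".join(labels[i:])
        if wildcard in policy:
            return dict(policy[wildcard], trigger=wildcard)
    return {"action": "NO-MATCH", "data": None, "trigger": None}


def expected_rcode(result):
    """The status `dig` would show in its HEADER for the chosen action."""
    if result["action"] == "NXDOMAIN":
        return "NXDOMAIN"
    if result["action"] == "DROP":
        return None  # query silently discarded; dig would time out
    return "NOERROR"  # NODATA, local data, passthru and no-match all answer


POLICY = parse_rpz_zone(SAMPLE_ZONE)

if __name__ == "__main__":
    for q in ("test.cr.surbl.org", "login.phish.example", "phish.example",
              "nodata.example", "www.bank.example", "sinkhole.example"):
        r = lookup(POLICY, q)
        print(f"{q:20} -> {r['action']:10} rcode={expected_rcode(r)} "
              f"trigger={r['trigger']} data={r['data']}")
```

<p>Note that a wildcard trigger such as <code>*.phish.example</code> matches subdomains only, so a feed that wants both the parent and its children blocked must list the parent name as a separate record.</p>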
<h2 id="dnsresolverbuildinstructions">DNS Resolver Build Instructions</h2>
<p>We suggest picking a hosting provider close to your physical location to keep the DNS resolution snappy. What you will need:</p>
<ul>
<li>a physical or virtual server</li>
<li>at least 2 GB of memory (4 GB is preferred)</li>
<li>Ubuntu 16.04 LTS</li>
<li>a fixed IP address</li>
<li>familiarity with SSH and the command line</li>
</ul>
<p>The first step is spinning up a new instance running Ubuntu, and installing the necessary packages:</p>
<pre><code># apt-get update &amp;&amp; apt-get dist-upgrade
# apt-get install bind9
</code></pre>
<p>As reputation feeds can be 50-150 megabytes large, BIND tends to eat up that sweet-sweet memory. So, to prevent the <a href="https://unix.stackexchange.com/questions/282155/what-is-the-out-of-memory-message-sacrifice-child">kernel killing</a> the BIND process when the system is running out of memory, we suggest setting up a swap file.</p>
<pre><code># fallocate -l 2G /swap.img
# chmod 600 /swap.img
# mkswap /swap.img
# swapon /swap.img
# echo '/swap.img none  swap  sw 0  0' &gt;&gt; /etc/fstab
</code></pre>
<p>That was easy! Now we shall move on to the actual configuration part.</p>
<p><em><strong>Warning:</strong> In our example, we are adding the data feeds from <a href="http://www.surbl.org/">SURBL</a>. Please note that if you copy-paste the settings below, the zone transfer <strong>will NOT work</strong>. You will need to subscribe to the data feed at SURBL and ask their customer service to whitelist the IP address of your DNS server. Read more about the availability of data feeds after the configuration section.</em></p>
<p>Replace the contents of <code>/etc/bind/named.conf.options</code> with the following settings:</p>
<pre><code>acl goodclients {
        localhost;
        localnets;
        1.2.3.4;  # Replace this with your home IP address
};

options {
	directory &quot;/var/cache/bind&quot;;
	max-cache-size 10m;
	cleaning-interval 30;
	max-cache-ttl 3600;
	max-ncache-ttl 3600;

	allow-query { goodclients; };
	allow-recursion { goodclients; };
	allow-query-cache { goodclients; };
	allow-transfer { none; };
	allow-update { none; };

	version &quot;none&quot;;
	recursion yes;
	
	auth-nxdomain no;
	listen-on-v6 { none; };

	response-policy {
		zone &quot;rpz.mw.surbl.org&quot;;
		zone &quot;rpz.ph.surbl.org&quot;;
		zone &quot;rpz.cr.surbl.org&quot;;
		zone &quot;rpz.abuse.surbl.org&quot;;
	} qname-wait-recurse no;
};
</code></pre>
<p>To secure against <a href="https://www.us-cert.gov/ncas/alerts/TA13-088A">DNS amplification attacks</a>, your DNS server will only respond to the clients specified under the <code>goodclients</code> section. Therefore, you have to replace <code>1.2.3.4</code> with the public IP address of your home network (use <a href="https://www.whatismyip.com/">whatismyip.com</a> or <a href="https://www.google.com/search?q=whats+my+ip">this search</a> to find out what your IP is).</p>
<p>As for blocking, the magic happens in the <code>response-policy</code> section. We tell BIND here to override the DNS responses in case a domain features in one of the <a href="http://www.surbl.org/lists">SURBL zone files</a>.</p>
<p>We are not ready yet. Save the file and now create a new file named <code>/etc/bind/named.conf.surbl</code>, and add the following:</p>
<pre><code>zone &quot;rpz.mw.surbl.org&quot; {
        type slave;
        masters { 94.228.131.210; 94.228.131.211; };
        file &quot;/var/cache/bind/rpz.mw.surbl.org&quot;;
        allow-query { goodclients; };
};

zone &quot;rpz.ph.surbl.org&quot; {
        type slave;
        masters { 94.228.131.210; 94.228.131.211; };
        file &quot;/var/cache/bind/rpz.ph.surbl.org&quot;;
        allow-query { goodclients; };
};

zone &quot;rpz.cr.surbl.org&quot; {
        type slave;
        masters { 94.228.131.210; 94.228.131.211; };
        file &quot;/var/cache/bind/rpz.cr.surbl.org&quot;;
        allow-query { goodclients; };
};

zone &quot;rpz.abuse.surbl.org&quot; {
        type slave;
        masters { 94.228.131.210; 94.228.131.211; };
        file &quot;/var/cache/bind/rpz.abuse.surbl.org&quot;;
        allow-query { goodclients; };
};
</code></pre>
<p>In this file, we specify where our DNS server can download the reputation feeds from: <code>94.228.131.210</code> and <code>94.228.131.211</code>. <em>Note: These two IP addresses belong to SURBL and you need a subscription.</em></p>
<p>Finally, edit <code>/etc/bind/named.conf</code> and append the following to the end:</p>
<pre><code>include &quot;/etc/bind/named.conf.surbl&quot;;
</code></pre>
<p>Restart your DNS server to apply the new changes:</p>
<pre><code># systemctl restart bind9
</code></pre>
<p>If everything has been configured properly, you should see messages in <code>/var/log/syslog</code> similar to:</p>
<pre><code>Dec  3 12:00:26 myserver named[1196]: transfer of 'rpz.abuse.surbl.org/IN' from 94.228.131.210#53: connected using 172.12.34.52#51172
Dec  3 12:00:26 myserver named[1196]: zone rpz.abuse.surbl.org/IN: transferred serial 1512302336
</code></pre>
<h3 id="debugging">Debugging</h3>
<p>If something does not work, the first thing you should check is whether you are allowed to retrieve the remote feeds from SURBL:</p>
<pre><code>$ dig AXFR @94.228.131.210 rpz.cr.surbl.org
</code></pre>
<p>The command above should retrieve a lengthy list of domains from the <code>cr</code> blocklist.</p>
<p>To verify whether domain blackholing is operating correctly, run the following command on your DNS server:</p>
<pre><code>$ dig @127.0.0.1 test.cr.surbl.org
</code></pre>
<p>Your DNS server should respond with <code>status: NXDOMAIN</code> in the <code>-&gt;&gt;HEADER&lt;&lt;-</code> section and <code>ADDITIONAL SECTION</code> should feature <code>SOA	dev.null. zone.surbl.org.</code>.</p>
<pre><code>; &lt;&lt;&gt;&gt; DiG 9.10.3-P4-Ubuntu &lt;&lt;&gt;&gt; @127.0.0.1 test.cr.surbl.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; -&gt;&gt;HEADER&lt;&lt;- opcode: QUERY, status: NXDOMAIN, id: 37220
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;test.cr.surbl.org.		IN	A

;; ADDITIONAL SECTION:
rpz.cr.surbl.org.	180	IN	SOA	dev.null. zone.surbl.org. 1512301442 180 180 604800 180

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Dec 03 12:07:13 UTC 2017
;; MSG SIZE  rcvd: 99
</code></pre>
<p>If one of these is failing, check your configuration files and event log again.</p>
<h2 id="sowhichblocklistshouldiuse">So Which Blocklist Should I Use?</h2>
<p>So the million dollar question: which blocklist should I use? There are a few providers on the market. Luckily, we did a little investigation, so you do not have to.</p>
<p>The following providers offer reputation feeds via DNS zone transfers:</p>
<ul>
<li><a href="https://service.dissectcyber.com/rpz/">DissectCyber</a></li>
<li><a href="https://www.farsightsecurity.com/2016/07/06/molloy-nodrpz/">Farsight Security</a></li>
<li><a href="https://www.infoblox.com/products/dns-firewall/">Infoblox</a></li>
<li><a href="https://www.spamhaustech.com/free-trial/">Spamhaus</a></li>
<li><a href="http://www.surbl.org/lists">SURBL</a></li>
<li><a href="https://www.switch.ch/security/services/dns-firewall/">SWITCH</a></li>
<li><a href="http://www.threatstop.com/solutions/threatstop-dns-firewall-overview">ThreatStop</a></li>
<li><a href="https://strongarm.io/">Strongarm</a></li>
<li><a href="https://www.malwarepatrol.net/enterprise-threat-data/#RPZ">Malware Patrol</a></li>
</ul>
<p>The overall experience with these feed providers is mixed. Even though we found good-quality feeds, almost every single company targets only the commercial market. Unfortunately, this makes the purchase either difficult or expensive for a home user.</p>
<p>Our first pick was <strong>DissectCyber</strong>, as this company seemed to target home users as well. Alas, we found a very unusual sign-up process, and the control panel was just way too confusing. Secondly, we could not figure out where the reputation data was coming from, so we had some doubts with regard to the quality of the feeds. We gave up after a few failed registration attempts and moved on to the other providers.</p>
<p>Next, we contacted <strong>Farsight Security</strong>.<sup class="footnote-ref"><a href="#fn2" id="fnref2">[2]</a></sup> Their blocklist revolves around the Newly Observed Domains (NOD) concept, based on the idea that emerging threats are hosted on new domains (e.g. someone registers <code>pay-pal.com</code> for hosting a phishing site). Unfortunately, the subscription fee costs an arm and a leg (i.e. thousands of US dollars), so Farsight is not an option for home users. On a related note, the customer rep tipped me off that <a href="https://krebsonsecurity.com/">Brian Krebs</a> is also a Farsight user, and researchers may get access to the feeds for free under the company's <a href="https://www.farsightsecurity.com/grant-access/">grant programme</a>.</p>
<p>Our next try was <strong>Infoblox</strong>, which did not seem to offer any RPZ feeds on a subscription basis. We suspect the Infoblox feeds are available to their customers only. We also tried to request access to the <strong>SWITCH</strong> feeds. One of the customer reps got back to us, but once the agent learned that we are a not-for-profit, his emails stopped coming. As for <strong>ThreatStop</strong>, the company did not bother to respond.</p>
<p><strong>Malware Patrol</strong> offers their feeds in multiple formats, including zone transfers. The pricing seemed appealing at first: the premium feeds cost U$3.59/month. We subscribed to the premium package, but we quickly found out that the feeds are only available in a zipped format. It turned out that zone transfers come with the commercial (and more expensive) subscriptions only.</p>
<p>We had high hopes for the <strong>Spamhaus</strong> feed, as their DNSBL service is one of the best when it comes to spam filtering. Spamhaus offers a feed called <a href="https://www.spamhaus.org/drop/">'DROP' (Don't Route Or Peer Lists)</a> for free, but we did not find it that useful. The <em>real thing</em> is what they call the 'Standard group', with a price tag of U$250/year. We were a bit disappointed here, as the subscription may be a sensible investment for small businesses, but probably not for a home user.</p>
<p><strong>Strongarm</strong>, on the other hand, targets home users. Although the free personal subscription does not include the RPZ feeds, the U$3/user/month <a href="https://strongarm.io/pricing/">Business package</a> does. This offer sounds like a fair deal.</p>
<p>We got hold of a free trial from <strong>SURBL</strong>. We were impressed by the quality of the <a href="http://www.surbl.org/lists">feeds</a>, as they are curated from a handful of open-source and commercial sources. New domains are pushed out as delta updates every 10-15 minutes. Quite surprisingly, the latest additions to the <a href="https://hosts-file.net/">hpHosts phishing and malware feed</a> are quickly blocked by SURBL, too. We were also satisfied with the technical support team, who helped us set up the service in no time. However, the disappointing thing, again, was the sales team at SecurityZones (SURBL sells the subscription via third parties). The team only got back to us this morning with a few follow-up questions and a quote, weeks after our initial request.</p>
<p>In summary, Strongarm seems to be the strongest contender of the pack. We found both its customer service and its price tag home-user friendly. Second and third place go to SURBL and Spamhaus for the perceived level of quality, but their customer service was somewhat disappointing.</p>
<h2 id="summary">Summary</h2>
<p>So, is a private DNS server worth all this hassle? Maybe; it depends on your preferences and your budget.</p>
<p>As for the malware blocking and anti-phishing capabilities, providers of threat data are not ready to serve the end-user market. The pricing is too expensive, and the companies do not deal with individual subscribers. We hope these feeds will be reasonably priced for the home-user market.</p>
<p>Until then, one potential option to overcome the obstacles is pooling resources. For example, the $250/year Spamhaus feed covers a maximum of 350 users. If a group of friends can subscribe to Spotify Family, why not spend a few dollars each on threat protection? As for alternative feeds, Strongarm is probably worth the small investment (U$3/user/month), but we would prefer the more enterprise-grade feeds (if they were available) from SURBL and Spamhaus. If you do not mind retrieving blocklists in a different format and <a href="https://www.malwarepatrol.net/bind9-configuration-guide/">converting them</a>, you may want to look into the zipped Malware Patrol feeds.</p>
<p>If your top priority is privacy, however, you should run your own private DNS server. As a side effect, your DNS server will validate DNSSEC signatures. To hide and secure traffic between the DNS server and the clients, we would undoubtedly add <a href="https://www.dnscrypt.org/">DNSCrypt</a> to the equation as well.</p>
<p>What are your thoughts? Who is your preferred threat-feed provider? How do you block threats on your home network? Let us know on Twitter at <a href="https://twitter.com/CryptoAustralia">@CryptoAUSTRALIA</a>.</p>
<p><em>Image courtesy of <a href="https://pixabay.com/en/fence-railing-wrought-iron-barrier-450670/">Pixabay</a></em></p>
<hr class="footnotes-sep">
<section class="footnotes">
<ol class="footnotes-list">
<li id="fn1" class="footnote-item"><p>Except your hosting provider <a href="#fnref1" class="footnote-backref">↩︎</a></p>
</li>
<li id="fn2" class="footnote-item"><p>Fun fact: the man behind the DNS RPZ standard works for Farsight Security <a href="#fnref2" class="footnote-backref">↩︎</a></p>
</li>
</ol>
</section>
</div>]]></content:encoded></item><item><title><![CDATA[CryptoAUSTRALIA's Favourite Block Lists]]></title><description><![CDATA[Our biased collection of malware and phishing website blocking domain blacklists for the Pi-hole]]></description><link>https://blog.cryptoaustralia.org.au/2017/11/15/favourite-block-lists-cryptoaustralia/</link><guid isPermaLink="false">5a0a7984300862707214b6a8</guid><category><![CDATA[Pi-hole]]></category><category><![CDATA[Malware]]></category><dc:creator><![CDATA[Gabor Szathmari]]></dc:creator><pubDate>Wed, 15 Nov 2017 04:30:00 GMT</pubDate><media:content url="https://blog.cryptoaustralia.org.au/content/images/2017/11/stop-cover.jpg" medium="image"/><content:encoded><![CDATA[<div class="kg-card-markdown"><img src="https://blog.cryptoaustralia.org.au/content/images/2017/11/stop-cover.jpg" alt="CryptoAUSTRALIA's Favourite Block Lists"><p>Pi-hole is a network-wide ad blocking service you can install on a Raspberry Pi. The project is praised for its advertisement blocking capabilities, but did you know that you can also block malware and phishing websites on your home network? The following article details our favourite blacklists helping you protect your devices from malware and nefarious activities on your home network.</p>
<p>If you have not installed Pi-hole yet, please check out our blog post (<em>Coming soon!</em>) or drop-in to <a href="https://cryptoaustralia.org.au/events">one of our workshops</a> first. Once you have it up and running, the <a href="https://github.com/pi-hole/pi-hole/blob/master/adlists.default">default block list</a> on the Pi-hole is already blocking ads and to a smaller extent, malware.</p>
<p>As of today, the default installation features two block lists: <a href="https://github.com/StevenBlack/hosts">StevenBlack's Unified Host List</a> and <a href="http://www.malwaredomains.com/">DNS-BH Malware Domains</a>. While the former combines other smaller block lists for blocking adware and malware, the latter is a <a href="https://www.sans.org/reading-room/whitepapers/dns/dns-sinkhole-33523">decent</a> anti-malware list provided by <a href="https://www.riskanalytics.com/">RiskAnalytics</a>. The two block lists already do their job. However, we recommend adding a few more community-managed block lists to your Pi-hole (<em>Settings --&gt; Pi-Hole's Block Lists</em>) for more comprehensive protection.</p>
<p>The following list features our favourite domain block lists for the Pi-hole. Please note that the list is not meant to be impartial nor comprehensive.</p>
<h2 id="malwareandphishing">Malware and Phishing</h2>
<ul>
<li><code>https://hosts-file.net/exp.txt</code> - <a href="https://hosts-file.net/">hpHosts</a> - Websites hosting exploits</li>
<li><code>https://hosts-file.net/emd.txt</code> - <a href="https://hosts-file.net/">hpHosts</a> - Websites hosting malware</li>
<li><code>https://hosts-file.net/psh.txt</code> - <a href="https://hosts-file.net/">hpHosts</a> - Phishing websites</li>
<li><code>https://www.malwaredomainlist.com/hostslist/hosts.txt</code> - Extensive anti-malware list by <a href="https://www.malwaredomainlist.com/">Malware Domain List</a></li>
<li><code>https://v.firebog.net/hosts/Airelle-hrsk.txt</code> - <a href="http://rlwpx.free.fr/WPFF/hosts.htm">Airelle's list</a> of phishing domains</li>
<li><code>https://v.firebog.net/hosts/Shalla-mal.txt</code> - <a href="http://www.shallalist.de/categories.html">Shalla's Ad and Spyware Blacklists</a></li>
<li><code>https://ransomwaretracker.abuse.ch/downloads/RW_DOMBL.txt</code> - <a href="https://ransomwaretracker.abuse.ch/blocklist/">Ransomware Tracker</a> - Ransomware C2 server block list (generic)</li>
<li><code>https://ransomwaretracker.abuse.ch/downloads/LY_C2_DOMBL.txt</code> - <a href="https://ransomwaretracker.abuse.ch/blocklist/">Ransomware Tracker</a> - Ransomware C2 server block list (Locky)</li>
<li><code>https://ransomwaretracker.abuse.ch/downloads/CW_C2_DOMBL.txt</code> - <a href="https://ransomwaretracker.abuse.ch/blocklist/">Ransomware Tracker</a> - Ransomware C2 server block list (CryptoWall)</li>
<li><code>https://ransomwaretracker.abuse.ch/downloads/TC_C2_DOMBL.txt</code> - <a href="https://ransomwaretracker.abuse.ch/blocklist/">Ransomware Tracker</a> - Ransomware C2 server block list (TeslaCrypt)</li>
<li><code>https://ransomwaretracker.abuse.ch/downloads/TL_C2_DOMBL.txt</code> - <a href="https://ransomwaretracker.abuse.ch/blocklist/">Ransomware Tracker</a> - Ransomware C2 server block list (TorrentLocker)</li>
<li><code>http://www.networksec.org/grabbho/block.txt</code> - <a href="http://threatexpert.com/">ThreatExpert.com</a>'s malware and adware block list</li>
<li><code>https://isc.sans.edu/feeds/suspiciousdomains_Medium.txt</code> - <a href="https://www.dshield.org">DShield.org Suspicious Domain List</a> (Medium-level)</li>
<li><code>http://someonewhocares.org/hosts/hosts</code> - <a href="http://someonewhocares.org/">Dan Pollock's</a> list for blocking ads and spyware</li>
<li><code>https://s3.amazonaws.com/lists.disconnect.me/simple_malvertising.txt</code> - <a href="https://disconnect.me/">Disconnect.me</a> anti-malvertising block list</li>
<li><code>http://www.joewein.net/dl/bl/dom-bl.txt</code> - <a href="http://www.joewein.de/sw/blacklist.htm">jwSpamSpy</a> - Domains featured in Spam emails</li>
<li><code>https://raw.githubusercontent.com/ZeroDot1/CoinBlockerLists/master/hosts</code> - <a href="https://github.com/ZeroDot1/CoinBlockerLists/">CoinBlockerLists</a> - Blocks browser-based cryptocurrency miners</li>
</ul>
<h2 id="tracking">Tracking</h2>
<ul>
<li><code>https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/win10/spy.txt</code> - <a href="https://github.com/crazy-max/WindowsSpyBlocker">WindowsSpyBlocker</a> - Blocks Windows 10 telemetry domains</li>
<li><code>https://v.firebog.net/hosts/static/SamsungSmart.txt</code> - Blocks Samsung SmartTV trackers</li>
<li><code>https://s3.amazonaws.com/lists.disconnect.me/simple_tracking.txt</code> - <a href="https://disconnect.me/">Disconnect.me</a> anti-tracking block list</li>
<li><code>https://v.firebog.net/hosts/Easyprivacy.txt</code> - <a href="https://easylist.to/">EasyPrivacy</a> - A privacy companion of the popular EasyList ad block list</li>
</ul>
<h2 id="ads">Ads</h2>
<ul>
<li><code>https://hosts-file.net/ad_servers.txt</code> - <a href="https://hosts-file.net/">hpHosts</a> - Blocks ad and tracking servers</li>
<li><code>https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt</code> - <a href="https://disconnect.me/">Disconnect.me</a> ad-blocker list</li>
<li><code>https://gist.githubusercontent.com/anudeepND/adac7982307fec6ee23605e281a57f1a/raw/5b8582b906a9497624c3f3187a49ebc23a9cf2fb/Test.txt</code> - Block YouTube ads</li>
<li><code>https://v.firebog.net/hosts/Easylist.txt</code> - <a href="https://easylist.to/">EasyList</a> - Might be familiar from the uBlock and Adblock browser plugins</li>
<li><code>https://v.firebog.net/hosts/AdguardDNS.txt</code> - Block list powering the <a href="https://adguard.com/">Adguard</a> ad blocker</li>
</ul>
<p>A copy-pasteable list for your Pi-hole <a href="https://gist.githubusercontent.com/gszathmari/45db036b38a07dcea33fd8f29d335ce6/raw/24b83c2433a67d1428495241b3fdeac6cc87e94b/cryptoaustralia-favourite-block-lists">is available here</a>. For more block lists, make sure to visit <a href="https://wally3k.github.io/">https://wally3k.github.io/</a></p>
<h2 id="morefrequentupdates">More Frequent Updates</h2>
<p>By default, the Pi-hole cron job that updates the block lists runs on Sunday at 01:59 am. To get a fresh block list each day, we need to increase the update frequency as follows:</p>
<ol>
<li>Open <code>/etc/cron.d/pihole</code> in your favourite text editor</li>
<li>Locate the following line:<br>
<code>59 1 * * 7 root PATH=&quot;$PATH:/usr/local/bin/&quot; pihole updateGravity</code></li>
<li>Replace number <code>7</code> (Sunday) with <code>*</code> (every day). Your new entry should look like this:<br>
<code>59 1 * * * root PATH=&quot;$PATH:/usr/local/bin/&quot; pihole updateGravity</code></li>
<li>Save the file and enjoy the daily updates</li>
</ol>
<p><strong>Missing something? What is your favourite block list and why? Ping us on <a href="https://twitter.com/CryptoAustralia">Twitter</a> and let us know.</strong></p>
<p><em>Image courtesy of iStock</em></p>
</div>]]></content:encoded></item><item><title><![CDATA[November Workshop: Running a Network-wide Ad-blocker, and a Whole Lot More!]]></title><description><![CDATA[CryptoAUSTRALIA have an upcoming workshop on setting up a network-wide ad blocker called Pi-hole. Nick Kavadias from the CryptoAUSTRALIA team explains why you need it and why it's a whole lot more than just another ad-blocker browser plugin.]]></description><link>https://blog.cryptoaustralia.org.au/2017/11/02/pi-hole-network-wide-ad-blocker/</link><guid isPermaLink="false">59f984ba300862707214b682</guid><category><![CDATA[Events]]></category><category><![CDATA[Pi-hole]]></category><dc:creator><![CDATA[Nick Kavadias]]></dc:creator><pubDate>Thu, 02 Nov 2017 04:31:26 GMT</pubDate><media:content url="https://blog.cryptoaustralia.org.au/content/images/2017/11/sagittarius-a-black-hole-milky-way-center.adapt.1900.1.jpg" medium="image"/><content:encoded><![CDATA[<div class="kg-card-markdown"><img src="https://blog.cryptoaustralia.org.au/content/images/2017/11/sagittarius-a-black-hole-milky-way-center.adapt.1900.1.jpg" alt="November Workshop: Running a Network-wide Ad-blocker, and a Whole Lot More!"><p>On 15 November 2017, CryptoAUSTRALIA is <a href="https://www.meetup.com/CryptoAUSTRALIA-Digital-Self-Defence-Privacy/events/244498649/">holding a workshop</a> in Sydney on how to get a network-based ad blocker called <a href="https://pi-hole.net/">Pi-hole</a> up and running on your home network. Pi-hole can be configured to run on a PC with any modern Linux distribution, but we’ll be focusing on getting it working on a small, ARM-based computing device called a Raspberry Pi (RPi), which costs about $100.</p>
<p>You may ask, why should I go to the trouble of running a dedicated network device to block ads? I run <a href="https://www.ublock.org/">uBlock</a>, <a href="https://www.eff.org/privacybadger">Privacy Badger</a>, <a href="https://noscript.net/">NoScript</a>, or <a href="https://adblockplus.org/">AdBlock Plus</a> and have an anti-virus subscription. Do I really need this? <strong>YES, absolutely!</strong></p>
<p>The reality is you probably do not or cannot run anti-virus on all your computing devices, like your <a href="https://www.wired.com/2017/02/smart-tv-spying-vizio-settlement/">Smart TV</a>, and not all devices support browser plug-ins. If you’re like me and have kids, they get all the hand-me-down smartphones which don’t even support the latest Android/iOS security patches, let alone have support for ad blockers, and even on devices which do, it's just not possible to block many of the ads built into apps.</p>
<p>Our workshop will cater for people from a wide range of backgrounds and abilities:</p>
<p>If you don't know much about the RPi but still want to get your hands dirty, then this workshop is for you. <em>(Bring your laptop! We will make a working Pi-hole virtual machine available and we’ll also bring along our own device so you can see what it’s all about.)</em></p>
<p>If you own an RPi and want to bring it along to configure, then this workshop is for you. <em>(We recommend you bring a new SD/micro SD card which is at least 2GB in size, so you don't destroy your current RPi setup.)</em></p>
<p>If you want to learn how to run Pi-hole on your home network to block ads, malware, viruses, command and control servers, and phishing attacks, then this workshop is for you.</p>
<p>If you want to learn how to stop your kids accessing pornography, gambling and other undesirable websites on all your internet-enabled devices, then this workshop is for you.</p>
<p>If you want to save your precious internet bandwidth because your internet speeds suck, then this workshop is for you.</p>
<p><img src="https://blog.cryptoaustralia.org.au/content/images/2017/11/dashboard212.png" alt="November Workshop: Running a Network-wide Ad-blocker, and a Whole Lot More!"></p>
<p>What the workshop will cover:</p>
<ul>
<li>What hardware/software Pi-hole supports;</li>
<li>How Pi-hole does its magic in blackholing internet traffic;</li>
<li>How to get the latest version of Raspbian Lite up and running and install Pi-hole without ever having to plug your RPi into a monitor, keyboard, or mouse;</li>
<li>Various ‘hacks’ for running Pi-hole on your home network and getting it working with your home router/Wi-Fi access point;</li>
<li>How to manage and customise the Pi-hole block lists and other advanced DNS configurations; and</li>
<li>How to run Pi-hole away from your home network.</li>
</ul>
<p>If you do not own an RPi but are keen on getting one before the workshop, our friends at <a href="https://www.littlebirdelectronics.com.au">Little Bird Electronics</a>, who are official resellers of Raspberry Pi in Australia and based in Sydney, have provided us with a discount code to use on their online store until the end of November. The code is <code>10OFFLBE</code>. <em>Note: The code does not apply to the Raspberry Pi Zero or Raspberry Pi Zero W. These devices can run Pi-hole, but require the purchase of a separate USB Ethernet dongle</em>.</p>
<p>We recommend you purchase either a <a href="https://www.littlebirdelectronics.com.au/raspberry-pi-3-beginners-kit">Raspberry Pi 3 Beginners Kit</a>, or if you’re looking for a barebones setup, then get yourself a <a href="https://www.littlebirdelectronics.com.au/raspberry-pi-3~38194">Raspberry Pi 3 Model B</a> and a <a href="https://www.littlebirdelectronics.com.au/raspberry-pi-official-case-for-raspberry-pi-3">case</a>. You'll also need to find an old microSD card which is at least 2 GB and a micro USB cable/wall charger.</p>
<p><strong>You can sign up for the workshop on our Meetup page</strong> (Quick, limited spaces!): <a href="https://www.meetup.com/CryptoAus-Sydney/events/244498283/">https://www.meetup.com/CryptoAus-Sydney/events/244498283/</a></p>
<p><em>If you are interested in other privacy-focused Raspberry Pi projects, check out our <a href="https://blog.cryptoaustralia.org.au/2017/10/05/5-privacy-focused-raspberry-pi-projects/">earlier article here</a></em></p>
<p>See you at the workshop!!</p>
</div>]]></content:encoded></item><item><title><![CDATA[ANNOUNCEMENT: CryptoAUSTRALIA is stepping down as CryptoParty organiser in Melbourne]]></title><description><![CDATA[We are announcing that CryptoAUSTRALIA is stepping down as an organiser for the CryptoParty Melbourne Meetup group]]></description><link>https://blog.cryptoaustralia.org.au/2017/10/27/cryptoaustralia-stepping-down-cryptoparty-organiser-melbourne/</link><guid isPermaLink="false">59e81e08300862707214b64e</guid><category><![CDATA[Announcements]]></category><dc:creator><![CDATA[CryptoAUSTRALIA]]></dc:creator><pubDate>Thu, 26 Oct 2017 22:50:58 GMT</pubDate><content:encoded><![CDATA[<div class="kg-card-markdown"><p>We are announcing that CryptoAUSTRALIA is stepping down as an organiser for the <a href="https://www.meetup.com/CryptoParty-Melbourne/">CryptoParty Melbourne</a> Meetup group.</p>
<p>Just like in Sydney, we have been busy bringing you exciting workshops and speakers throughout the year. We have grown to cover a wide range of privacy topics in Melbourne including FOI requests, Matrix Chat and digital security for movement organisers. We would like to thank you for supporting us with your participation during these events so far.</p>
<p>We are currently planning a shift to a different style of events in Melbourne, and as a result, ownership of the Meetup group is being transferred so that it is no longer connected to CryptoAUSTRALIA.</p>
<p>Over the course of this week, we have assigned <a href="https://www.meetup.com/help/article/2397734/">full 'Organiser' rights</a> to <a href="https://blog.cryptoaustralia.org.au/2017/08/31/personnel-changes-melbourne-events/">former volunteer, Peter Tonoli</a>, while all CryptoAUSTRALIA members have <a href="https://www.meetup.com/help/customer/portal/articles/465025-step-down-as-organizer/">stepped down</a> in parallel. Today, we have disassociated the group from the <a href="https://www.meetup.com/pro/cryptoaustralia/">CryptoAUSTRALIA Meetup Pro account</a>, which now completes the transition.</p>
<p>We encourage the existing members of the Meetup group as well as the greater privacy community to get involved to keep the CryptoParty movement going in Melbourne.</p>
<p>As for CryptoAUSTRALIA, nothing has changed: our vision remains a society where everyone in Australia possesses the necessary skills to defend their privacy. Keep an eye on our future announcements, as we have some exciting plans for 2018 in our pocket!</p>
<p>We would like to thank everyone who has ever contributed to organising CryptoParty events in Melbourne since 2012. We also thank all the volunteers and guests who have helped us along the way to make the events happen. Our team looks forward to seeing you all at future CryptoAUSTRALIA events.</p>
<p>For details of future events you can follow us on social media:</p>
<ul>
<li><a href="https://twitter.com/CryptoAustralia">https://twitter.com/CryptoAustralia</a></li>
<li><a href="https://fb.me/CryptoStraya">https://fb.me/CryptoStraya</a></li>
<li><a href="https://cryptoaustralia.org.au/newsletter">https://cryptoaustralia.org.au/newsletter</a></li>
<li><a href="https://www.meetup.com/pro/cryptoaustralia">https://www.meetup.com/pro/cryptoaustralia</a></li>
</ul>
<p>Kind Regards,<br>
The CryptoAUSTRALIA Team</p>
</div>]]></content:encoded></item><item><title><![CDATA[How Economists Can Help Protect Personal Data]]></title><description><![CDATA[‘Information asymmetry’ and ‘moral hazard’ are well-studied problems in economics. But can we apply them to data privacy?]]></description><link>https://blog.cryptoaustralia.org.au/2017/10/25/how-economists-help-protect-personal-data/</link><guid isPermaLink="false">59f00ba0300862707214b65b</guid><dc:creator><![CDATA[Gabor Szathmari]]></dc:creator><pubDate>Wed, 25 Oct 2017 05:45:46 GMT</pubDate><media:content url="https://blog.cryptoaustralia.org.au/content/images/2017/10/cover.jpg" medium="image"/><content:encoded><![CDATA[<div class="kg-card-markdown"><img src="https://blog.cryptoaustralia.org.au/content/images/2017/10/cover.jpg" alt="How Economists Can Help Protect Personal Data"><p>If you are about to hand over your private details in exchange for a store loyalty card, are you confident that your data remains in safe hands?</p>
<p>It can be difficult to predict if the supermarket manages your sensitive details securely and responsibly. The company may store them on vulnerable servers waiting for hackers to attack. Also, your data might be sold to data brokers for things like <a href="https://www.gizmodo.com.au/2013/03/big-data-brokers-they-know-everything-about-you-and-sell-it-to-the-highest-bidder/">targeted advertising</a> and <a href="https://motherboard.vice.com/en_us/article/mg9vvn/how-our-likes-helped-trump-win">political purposes</a>. Companies are often opaque with their data management practices, and it can be difficult to understand what is happening once our private details are handed over.</p>
<p>This article borrows a few solutions from economics and attempts to apply them to questionable data handling practices.</p>
<h3 id="identityverificationinaustralia">Identity Verification in Australia</h3>
<p>One of my pet peeves is the ‘<a href="https://en.wikipedia.org/wiki/100_point_check">100 points check</a>’. In Australia we rely on this personal identification system for things like job applications, rental agreements, bank and credit card applications or managed Bitcoin wallet applications.</p>
<p>This identification procedure has been in use since 1988, when home computers stored data on cassettes and the primary display of a home computer was a TV set. Today, even though many organisations or transactions do not have legislative requirements or reporting obligations (as banks do) that require a 100 point ID check, many organisations ask for it anyway, just to make sure they are really dealing with the right person.</p>
<p><img src="https://blog.cryptoaustralia.org.au/content/images/2017/10/commodore.jpg" alt="How Economists Can Help Protect Personal Data"></p>
<h3 id="badpracticesatarealestateagency">Bad Practices at a Real Estate Agency</h3>
<p>So, I applied for a lovely apartment recently, which is already a stressful procedure on its own. As part of the rental application process, I was asked to provide a stack of documents to the real estate agent including: a scanned copy of my passport, driver’s licence, Medicare card, and bank statements.</p>
<p>The first shock came when I was instructed to send these documents in a simple email. To make matters worse, I had to do it even before I was shortlisted as a potential tenant. Considering that about 20 people had turned up on the apartment viewing (Sydney… doh!), the agent would be receiving hundreds of email applications per day with all sorts of sensitive documents attached.</p>
<p><img src="https://blog.cryptoaustralia.org.au/content/images/2017/10/tenancy-agreement.jpg" alt="How Economists Can Help Protect Personal Data"></p>
<p>As a security professional, I began to worry about the long-term fate of my documents. Questions were racing in my head: Is my real estate agent going to store my documents on an encrypted drive or just in a <a href="https://www.theregister.co.uk/2017/09/04/us_security_clearance_aws_breach/">shared S3 bucket with some misconfigured permissions</a>? Will the agent share these files with third-parties and how? How secure is the agent’s email server? Will my email and sensitive attachments linger around in the agent’s inbox waiting for a hacker to take the email account over? Will I be notified if my personal details are compromised?</p>
<p>This situation was an example of the information asymmetry between my real estate agent and me. The agent knew what would happen to the documents once they were sent in, while I did not. This imbalance allows my agent to spend as little as possible on good security and privacy practices. What is more insidious is that it enables them to sell my data to data brokers and marketing agencies, legally or illegally, without my knowledge. So what can we do about this? Fortunately, this is a well-explored area in economics called the ‘<a href="https://en.wikipedia.org/wiki/Principal%E2%80%93agent_problem">principal–agent problem</a>’, and it is solvable.</p>
<h2 id="borrowingideasfromeconomics">Borrowing Ideas from Economics</h2>
<p>The ‘principal–agent problem’ occurs when one party (the “agent”) has more or better quality information than the customer (the “principal”). Agents acting on behalf of the customer may exploit the situation if the incentives are not set right.</p>
<p>For example, a taxi driver, who knows a city like the back of her hand, may rip off her passengers who are unfamiliar with the city. Restaurants may relax on their hygiene and food safety standards because their patrons cannot see what is happening in the kitchen. This conflict of interest is also known as ‘<a href="https://en.wikipedia.org/wiki/Moral_hazard">moral hazard</a>’.</p>
<iframe width="560" height="315" src="https://www.youtube-nocookie.com/embed/_ZeGKi1CY_Y?start=59" frameborder="0" allowfullscreen></iframe>
<p>In general, the same situation applies when we trust companies - like my real estate agent - with sensitive information. If the agent had the incentive to manage documents securely, they would probably need to hire a security expert. The expert would set up things like a secure file sharing solution and two-factor authentication, and introduce good data disposal practices. The problem is that these additions cost money, and real estate agents are incentivised not to foot the bill. In other words, my real estate agent is not interested in protecting my data, but in signing rental agreements for as many apartments as possible in the shortest amount of time.</p>
<h2 id="howwecansolvetheinformationasymmetry">How We Can Solve the Information Asymmetry</h2>
<p>To eliminate the moral hazard problem, we have to <a href="https://www.mruniversity.com/courses/principles-economics-microeconomics/solutions-moral-hazard-example">either lessen the information asymmetry or change the incentives</a>. Customers either have to understand what they are getting into, or companies need to be interested in good data management practices.</p>
<p>Before we explore the various options, just a word about public shaming. The usual media circus after a data breach is rarely effective. Apart from a few exceptions, companies never go bankrupt, <a href="https://www.comparitech.com/blog/information-security/data-breach-share-price/">stock prices are not significantly affected in the long term</a>, and the number of customers bounces back eventually. The general public is quickly desensitised by the continuous news of data breaches, or the attention soon shifts to the latest data breach.</p>
<h3 id="solution1educationandtransparency">Solution 1: Education and Transparency</h3>
<p>The first solution to the moral hazard problem is a combination of education and transparency. If customers knew what the proper data management practices are, and they could observe them in action, customers would be able to make informed decisions. Ideally, customers should recognise if something is wrong before they hand over their personal data.</p>
<p>As for my real estate agent, I knew that the practices were terrible. It was clear to me from the start that the agency was applying lousy information security practices. Emailing sensitive attachments is a no-no: the messages are not encrypted end-to-end, and copies of them linger in the sender’s outbox and the recipient’s inbox. If either <a href="http://www.rew.ca/news/fraud-alert-1.1342185">mailbox is compromised</a>, the documents can easily be retrieved. As for transparency, I had no clue where my files would be stored or how they would be disposed of. I could only assume the worst.</p>
<p><img src="https://blog.cryptoaustralia.org.au/content/images/2017/10/real-estate-phishing.jpg" alt="How Economists Can Help Protect Personal Data"></p>
<p>The problem is that I spent about a decade in the information security industry. Without boasting about my skills here, it is unrealistic to expect everyone to be an information security expert. Even if the company is fully transparent, one would need a high level of technical knowledge to understand what is going on. Most of us, understandably, are not willing to invest years in understanding secure data management practices and have better things to do. Education may work in simple situations, but not this one.</p>
<h3 id="solution2ratingsitesanduserreviews">Solution 2: Rating Sites and User Reviews</h3>
<p>The second option is lowering the incentives to exploit the information asymmetry. For example, rating sites like Yelp make restaurant owners interested in providing a better service rather than cutting corners here and there. If a restaurant keeps getting bad reviews for the overall experience, it will soon go out of business. Amazon, Airbnb and eBay are also good examples of how poor user ratings can drive sellers with poor practices (also known as ‘<a href="https://en.wikipedia.org/wiki/The_Market_for_Lemons">lemons</a>’) out of the market.</p>
<p>We should let customers rate companies by their privacy and data management practices. Does a company have an upload portal for sensitive documents? Is strong authentication (e.g. two-factor) available? Is it easy to delete an account? Five stars! Does the loyalty program <a href="https://www.gizmodo.com.au/2013/03/big-data-brokers-they-know-everything-about-you-and-sell-it-to-the-highest-bidder/">sell your personal details and your purchase history to data brokers</a>? Is the business asking for more information than it needs to provide you its service? Booo, 0/10!</p>
<p>Recently, security blogger Troy Hunt went as far as suggesting warning labels on IoT devices:</p>
<blockquote class="twitter-tweet" data-lang="en"><p lang="en" dir="ltr">Hey <a href="https://twitter.com/vtechtoys?ref_src=twsrc%5Etfw">@vtechtoys</a>, how about put this warning on the box so it can be seen before purchasing? Yeah, didn’t think so... <a href="https://t.co/erdFdUp4jS">https://t.co/erdFdUp4jS</a> <a href="https://t.co/qRUUCmz1SY">pic.twitter.com/qRUUCmz1SY</a></p>&mdash; Troy Hunt (@troyhunt) <a href="https://twitter.com/troyhunt/status/918567609099984897?ref_src=twsrc%5Etfw">October 12, 2017</a></blockquote>
<script async src="//platform.twitter.com/widgets.js" charset="utf-8"></script>
<p>On a related note, the OAIC <a href="https://www.oaic.gov.au/engage-with-us/consultations/notifiable-data-breaches/">Notifiable Data Breaches scheme</a> could also serve as a rating system of sorts. From February 2018, Australian organisations with an annual turnover over $3M will be required to notify the Information Commissioner and the affected individuals when personal information they hold is breached and the breach is likely to result in serious harm. If I could simply look up how many times my real estate agency had been affected by a data breach, I would certainly pick a different company.</p>
<h3 id="solution3certificationprograms">Solution 3: Certification Programs</h3>
<p>The third option is a licensing scheme, in which independent third-parties could review and enforce good data management practices. Certifications can reward and enforce good practices in other industries. For example, taxi drivers cannot even operate without a licence. Mandatory certifications can guarantee and enforce a minimum standard of service within an industry.</p>
<p>Another successful certification program is <a href="http://www.haccp.com.au/">HACCP</a>, which keeps restaurants clean around the world. This certification scheme prescribes food handling and good hygiene practices that keep customers safe from biological hazards. Some of the rules may seem bureaucratic and cumbersome, but at the end of the day, patrons do not usually leave HACCP-compliant restaurants with food poisoning.</p>
<p><img src="https://blog.cryptoaustralia.org.au/content/images/2017/10/haccp.jpg" alt="How Economists Can Help Protect Personal Data"></p>
<p>We could apply the same approach to companies handling sensitive personal information. For instance, we could let an independent body tell us whether a company is managing sensitive data responsibly. What if all organisations that carry out the ‘100 point ID checks’ had to comply with a set of rigorous security practices? What if my rental agency were not allowed to process documents for the 100 point check if it was found to be negligent? When a restaurant does not comply with the rules, HACCP food safety auditors can suspend or revoke its certification. Similarly, a rental agency that has lost the right to carry out identity checks should not be able to sign new lease agreements.</p>
<p><img src="https://blog.cryptoaustralia.org.au/content/images/2017/10/100-points-bank.jpg" alt="How Economists Can Help Protect Personal Data"></p>
<p>On a related note, failed self-regulatory certification programs demonstrate that certifications are not taken seriously if the penalties are rarely enforced. <a href="https://www.pcisecuritystandards.org/">PCI DSS</a> is probably the best-known one; it is supposed to impose good information security practices on companies that process credit card payments. However, <a href="https://nakedsecurity.sophos.com/2014/04/23/pci-dss-why-it-fails/">fines are almost never imposed</a>, and <a href="https://securityledger.com/2017/09/report-data-breaches-claim-2-billion-records-in-h1-more-than-all-of-2016/">data breaches are still rampant</a>.</p>
<h2 id="thisisalltheorybutdothesepracticeswork">This is all Theory! But Do These Practices Work?</h2>
<p>The three approaches outlined above may sound academic, but they are already in everyday use. User ratings and certifications protect the privacy and security of Internet users every day, and here is how:</p>
<ul>
<li>
<p>User ratings are used to tackle spam and phishing. A service called <a href="https://www.spamcop.net/">SpamCop</a> is a DNS-based blocklist (DNSBL) that can be queried by free mail transfer agents (Postfix, Sendmail) and commercial email gateways (Cisco IronPort) alike. Anyone can ‘rate’ unsolicited or phishing emails by submitting them to SpamCop on a voluntary basis. Mail servers whose addresses end up on the SpamCop blocklist are usually rejected by the gateways that query it, so their messages never reach the recipient's mailbox.<br>
<img src="https://blog.cryptoaustralia.org.au/content/images/2017/10/spamcop-2.jpg" alt="How Economists Can Help Protect Personal Data"></p>
</li>
<li>
<p>Internet users are protected by a rating system called <a href="https://safebrowsing.google.com/">Google Safe Browsing</a>, a service to which anyone can report malicious and deceptive websites. Popular web browsers like Firefox and Chrome are integrated with this service. The browser keeps a local copy of hash prefixes of the flagged URLs; when you visit a site, it checks the URL against that local list and only asks the Safe Browsing service for the full hashes when a prefix matches, so the service does not see every URL you visit. If the website is flagged as malicious, the browser refuses to load the page and shows a warning instead.</p>
</li>
<li>
<p>As for independent ratings, the <a href="https://thatoneprivacysite.net/vpn-comparison-chart/">VPN Comparison Chart</a> is an independent certification scheme that works. The maintainer, nicknamed ‘That One Privacy Guy’, is essentially a ‘certification body’ who is widely accepted within the privacy community as an authority. His VPN Chart is a checklist of good privacy and security practices. More than two hundred paid VPN providers are assessed against around a hundred different criteria, such as jurisdiction and logging practices. That One Privacy Guy's <a href="https://thatoneprivacysite.net/vpn-review-badge-chart/">Badge Chart</a> shows which paid VPN providers are embracing good privacy practices. The consensus within the privacy community is that the VPN providers at the top of the list are safe to use.</p>
</li>
</ul>
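<p>The local hash-prefix lookup described in the Safe Browsing item above, as an added example rather than code from the original post or from Google: a simplified Python model of a Safe Browsing client. The flagged expression <code>malware.example.com/</code>, the local prefix set and the <code>full_hash_server</code> stand-in for Google's full-hash endpoint are all constructed for this example; the host-suffix/path-prefix expansion follows the published lookup rules but skips URL canonicalisation.</p>

```python
import hashlib
from urllib.parse import urlsplit

# Constructed "server side": the expressions Google would have flagged. The
# client never holds these, only the 4-byte SHA-256 prefixes below.
FLAGGED_EXPRESSIONS = ["malware.example.com/"]  # constructed for this example


def sha256(expr):
    return hashlib.sha256(expr.encode()).digest()


# Constructed local database, as a browser caches it after a list update.
LOCAL_PREFIXES = {sha256(e)[:4] for e in FLAGGED_EXPRESSIONS}


def url_expressions(url):
    """Host-suffix x path-prefix expressions the client hashes for a URL.
    Follows the Safe Browsing lookup rules (exact host plus up to four
    suffixes built from the last five labels, never the bare TLD; exact path
    with and without query, plus up to four directory prefixes from '/'),
    but skips the URL canonicalisation step."""
    parts = urlsplit(url.lower())
    host = parts.hostname or ""
    path = parts.path or "/"
    labels = host.split(".")
    hosts = [host]
    for k in range(min(5, len(labels)), 1, -1):
        suffix = ".".join(labels[-k:])
        if suffix != host:
            hosts.append(suffix)
    paths = []
    if parts.query:
        paths.append(path + "?" + parts.query)
    paths.append(path)
    dirs = path.split("/")[1:-1]
    for i in range(min(len(dirs), 3) + 1):
        paths.append("/" if i == 0 else "/" + "/".join(dirs[:i]) + "/")
    exprs = []
    for h in hosts:
        for p in paths:
            if h + p not in exprs:
                exprs.append(h + p)
    return exprs


def full_hash_server(prefix):
    """Constructed stand-in for the full-hash endpoint: given only a 4-byte
    prefix, return every full hash on the server's list that starts with it.
    The server never learns which URL triggered the lookup."""
    return [sha256(e) for e in FLAGGED_EXPRESSIONS if sha256(e)[:4] == prefix]


def check_url(url, local_prefixes=LOCAL_PREFIXES, fetch_full=full_hash_server):
    """Return ('unsafe', matching_expression) or ('safe', None).
    The network is only touched when a local prefix matches."""
    for expr in url_expressions(url):
        full = sha256(expr)
        if full[:4] in local_prefixes and full in fetch_full(full[:4]):
            return "unsafe", expr
    return "safe", None


if __name__ == "__main__":
    for u in ("http://malware.example.com/login?next=/", "https://www.example.com/"):
        print(u, "->", check_url(u))
```

Because only a 4-byte prefix ever leaves the machine, and only on a prefix hit, the lookup service learns far less than a per-URL query would reveal; a prefix collision with an unrelated site is the price of that design, which is why the full hash is compared before anything is blocked.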
<p><img src="https://blog.cryptoaustralia.org.au/content/images/2017/10/vpn-badge-2.png" alt="How Economists Can Help Protect Personal Data"></p>
<p>In summary, the Internet community can fight deceptive emails and websites by closing the information gap with these services. As for certifications, the Internet community has accepted a quasi-authority that rates third-party VPN providers against a set of good practices of its own choosing.</p>
<h2 id="theinformationasymmetryissolvable">The Information Asymmetry is Solvable</h2>
<p>As some of the practical examples from above demonstrate, the information gap between companies which store our sensitive personal data and the consumer is solvable. Principles borrowed from economics, namely education, rating systems, and regulations could be applied to solve the privacy challenges between sellers and customers.</p>
<p>The first option that closes the information gap is education. If customers knew how their personal data is to be managed by a company, they would be able to make more informed decisions. However, it is impractical to train all consumers into full-blown information security professionals to allow them to make these decisions on their own.</p>
<p>Community-powered rating systems, on the other hand, could signal whether a company is responsibly managing personal data or not. Better-informed customers could rate the data management practices of a company, which would allow others to make better-informed decisions. Although rating systems are inherently imperfect, issues like fake reviews are well understood and can be managed.</p>
<p><img src="https://blog.cryptoaustralia.org.au/content/images/2017/10/uranium-ore-review.jpg" alt="How Economists Can Help Protect Personal Data"></p>
<p>Finally, industry-specific certifications and legislation could ensure that our sensitive data ends up in safe hands. For instance, peak bodies, self-regulatory organisations or legislation could specify minimum standards, and companies that fail to tick all the boxes should not be able to carry out the 100 point ID checks. The threat of losing business along with the licence could be a strong incentive to invest in better security and data management practices.</p>
<h2 id="whatisnext">What Is Next?</h2>
<p>If you are in Australia, participate in the ongoing <a href="https://www.oaic.gov.au/engage-with-us/consultations/notifiable-data-breaches/">consultation process of the Notifiable Data Breaches scheme</a>. If you are living abroad, keep an eye on emerging trends like <a href="https://www.schneier.com/news/archives/2017/08/is_it_time_to_regula.html">IoT regulations</a> and <a href="http://www.eugdpr.org/">GDPR</a>, they are both exciting areas to explore further. As for the 100 points check, it is likely that the <a href="https://auspostenterprise.com.au/insights/digitising-services/future-of-identity-services-lies-in-choice-control-and-security">AusPost Digital iD™</a> or other Verification of Identity (VoI) providers will replace or complement the current online identity checking practices.</p>
<p><em>The author is the president of the not for profit organisation named <a href="https://cryptoaustralia.org.au/">CryptoAUSTRALIA</a>, whose vision is a society where everyone in Australia has the necessary skills to defend their privacy.</em></p>
<p><em>Edits and peer review: <a href="https://twitter.com/nkav">Nick Kavadias</a></em></p>
<p><em>Image Credits:</em></p>
<ul>
<li><a href="https://www.pinterest.co.uk/pin/48061921004830592/">https://www.pinterest.co.uk/pin/48061921004830592/</a></li>
<li><a href="https://www.tinytickle.co.uk/commodore-ads/images/kids-education.jpg">https://www.tinytickle.co.uk/commodore-ads/images/kids-education.jpg</a></li>
<li><a href="http://www.infosurv.com/survey-incentives-to-use-or-not-to-use/">http://www.infosurv.com/survey-incentives-to-use-or-not-to-use/</a></li>
</ul>
</div>]]></content:encoded></item><item><title><![CDATA[How We Tried 5 Privacy Focused Raspberry Pi Projects]]></title><description><![CDATA[How our team got together to trial five Raspberry Pi projects for turning one into an engaging CryptoAus workshop]]></description><link>https://blog.cryptoaustralia.org.au/2017/10/05/5-privacy-focused-raspberry-pi-projects/</link><guid isPermaLink="false">59d4d3b2d433d019c64e2bcc</guid><category><![CDATA[Pi-hole]]></category><category><![CDATA[Events]]></category><dc:creator><![CDATA[Gabor Szathmari]]></dc:creator><pubDate>Thu, 05 Oct 2017 03:54:04 GMT</pubDate><media:content url="https://blog.cryptoaustralia.org.au/content/images/2017/10/cover-2.jpg" medium="image"/><content:encoded><![CDATA[<div class="kg-card-markdown"><img src="https://blog.cryptoaustralia.org.au/content/images/2017/10/cover-2.jpg" alt="How We Tried 5 Privacy Focused Raspberry Pi Projects"><p>At CryptoAUSTRALIA we are always asking ourselves the question: How can we teach everyone in Australia to defend their privacy? We believe in the “learning-by-doing” approach, so what could be more fun and engaging than a hands-on workshop? Once we realised how many excellent privacy-related tools are available for the Raspberry Pi, we began looking into dozens of these projects. So we hand-picked a shortlist of the interesting ones from the plethora of RPi projects available and got together on the long weekend to trial them.</p>
<p>We planned to get together on a glorious Saturday to eat as many hot dogs as humanly possible and to showcase the shortlisted projects to each other. The goal was to pick the best project by day’s end and turn it into an exciting series of CryptoAus workshops for the benefit of the community. The clear winner was the ad and malware blocking project 'Pi-Hole' and here is why.</p>
<h2 id="theshortlistedraspberrypiprojects">The Shortlisted Raspberry Pi Projects</h2>
<p>We picked the project candidates a couple of days before the get-together. Our selection criterion was simple: if the project had something to do with privacy, we gave it a go.</p>
<p>The final list of candidates we settled on was the following:</p>
<ul>
<li><a href="https://pi-hole.net/">Pi-Hole</a> – Ad-blocking service on your home LAN</li>
<li>Tor/VPN gateway – Protect the privacy of your network traffic from the ISP</li>
<li><a href="http://e2guardian.org/">e2guardian</a>/<a href="http://www.squidguard.org/">squidGuard</a> – Block malware and phishing websites on your devices</li>
<li><a href="https://www.circl.lu/projects/CIRCLean/">CIRCLean</a> – USB flash drive sanitiser</li>
<li><a href="https://www.bro.org">Bro IDS</a> – Detect if you have a malware-infected computer on your network</li>
</ul>
<h2 id="gettingourhandsdirty">Getting Our Hands Dirty</h2>
<p>So everyone got together around 10 am at my apartment along with their RPis and a few other accessories. Nick brought an LCD screen and keyboard with him, which turned out to be a good idea. Ed brought an old Raspberry Pi Model 1, so we were able to test how a project would run on a Pi Zero (they both have the same CPU and memory). Aiza got her USB card reader, and Roland brought his charming smile.</p>
<p><img src="https://blog.cryptoaustralia.org.au/content/images/2017/10/image-2.jpg" alt="How We Tried 5 Privacy Focused Raspberry Pi Projects"></p>
<p>We spent the first hour setting up a second switch that Ed had smuggled in from the UK. My home router only had two available Ethernet ports for the five Raspberry Pi devices, so we desperately needed at least an additional four Ethernet ports. Ed fired up his shoddy BT router, which was probably full of unpatched vulnerabilities, and it was ready to go after a few missteps. We concluded that we would need a proper 8 or a 16-port purpose-built switch for an actual CryptoAus workshop to avoid long troubleshooting sessions.</p>
<p>In the meantime, we flashed a few SD cards with <a href="https://www.raspberrypi.org/downloads/raspbian/">Raspbian Stretch</a> and <a href="https://www.raspberrypi.org/downloads/noobs/">NOOBS</a>. Raspbian Lite can run on a 2 GB card, while NOOBS requires at least 8 GB. Once the wired and wireless networks were up and running, we quickly hooked up our RPis on the LAN and popped the freshly-written SD cards into the devices.</p>
<p>Raspbian ships with SSH disabled by default for security reasons; it is enabled by writing an empty file named ‘ssh’ to the boot partition before the first boot. With that done, Raspbian was ready for action. We discovered that NOOBS needed some user interaction and additional package downloads to get ready. As we are short on both network bandwidth and time at CryptoAus workshops, NOOBS will not be our choice of OS this time.</p>
<p>Once the Pis all booted up, we began installation of the projects, except for CIRCLean, but more about this later.</p>
<p><img src="https://blog.cryptoaustralia.org.au/content/images/2017/10/image-3.jpg" alt="How We Tried 5 Privacy Focused Raspberry Pi Projects"></p>
<h3 id="pihole">Pi-Hole</h3>
<p>Pi-Hole is essentially a DNS server with a friendly web interface. The premise is that you run a DNS service on the local network, using the Raspberry Pi as the server. Pi-Hole takes care of DNS resolution by forwarding queries to third-party (upstream) DNS services and blocking requests for hostnames that feature on its blacklist.</p>
<p>Pi-Hole can be installed with a single command: <code>curl -sSL https://install.pi-hole.net | bash</code>. While this approach makes the installation process very simple, it is a bit scary, as we were piping a script fetched over the network straight into a root shell without reading it first. However, we like to live life dangerously, so we did it anyway.</p>
<p>Nonetheless, the installation only took a couple of minutes. Once it was complete, we were able to connect to the admin panel with a web browser. We navigated to the ‘Settings’ tab and changed two things: the upstream DNS servers and the blocklists.</p>
<p>The default upstream DNS servers on the Pi-Hole are <a href="https://developers.google.com/speed/public-dns/">Google DNS</a> (8.8.8.8, 8.8.4.4), which offers neat things like DNSSEC signature validation. Some people, however, may prefer privacy-respecting DNS services like <a href="https://servers.opennic.org/">OpenNIC</a>. Other built-in options (<a href="https://www.comodo.com/secure-dns/">Comodo Secure DNS</a>, <a href="https://dns.norton.com/">Norton ConnectSafe</a>) offer advanced security features such as phishing protection. Paid upstream DNS services such as <a href="https://strongarm.io/">Strongarm</a> or <a href="https://umbrella.cisco.com/products/features">Cisco Umbrella</a> can be added to enjoy the benefits of advanced malware protection and web content filtering capabilities.</p>
<p>Long story short, we decided on free <a href="https://www.opendns.com/home-internet-security/">OpenDNS service</a> because of its essential security features. OpenDNS can block malware, phishing and botnet domains, as well as dodgy website categories like ‘Web Spam’.</p>
<p>The gist of Pi-Hole is the DNS-based blacklist, which is compiled from third-party blocklists. If a client sends a DNS query to Pi-Hole and the requested hostname is on the blacklist, Pi-Hole does not forward the query upstream but answers it itself with a faux DNS record. This tampering is a good thing in this context, as the client will not be able to reach third-party advertising servers or malicious websites to display ads or execute malware.</p>
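<p>To make the blocking mechanism concrete, here is an added Python example (not Pi-Hole's own code; Pi-Hole hands the actual serving to a dnsmasq-based resolver): it loads a constructed hosts-format blocklist, decodes a DNS query, and either answers it with a short-lived sinkhole A record or reports that the query should be forwarded upstream. The blocklist entries, the <code>0.0.0.0</code> sinkhole address and the two-second TTL are assumptions made for the example, and matching is exact-hostname, as with a hosts file.</p>

```python
import struct

# Constructed sample blocklist in hosts-file format (the format most Pi-hole
# feeds use); bare one-domain-per-line entries are accepted as well.
SAMPLE_BLOCKLIST = """\
# constructed sample feed
0.0.0.0 ads.example.com
0.0.0.0 tracker.example.net
malware.example.org
"""


def parse_blocklist(text):
    """Return the set of blocked hostnames (lower-cased, no trailing dot)."""
    blocked = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        names = fields[1:] if len(fields) > 1 else fields  # "IP host..." or bare domain
        blocked.update(n.lower().rstrip(".") for n in names)
    return blocked


def build_query(name, txid=0x1234, qtype=1):
    """Encode a minimal DNS query (A record by default) for the given name."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    qname = b"".join(bytes([len(label)]) + label.encode()
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_question(packet):
    """Return (txid, name, qtype, raw question section) from a DNS packet."""
    txid = struct.unpack("!H", packet[:2])[0]
    off, labels = 12, []
    while packet[off] != 0:
        length = packet[off]
        labels.append(packet[off + 1:off + 1 + length].decode())
        off += 1 + length
    off += 1  # skip the root label
    qtype = struct.unpack("!H", packet[off:off + 2])[0]
    return txid, ".".join(labels), qtype, packet[12:off + 4]


def sinkhole_response(query, sink_ip="0.0.0.0", ttl=2):
    """Answer the query ourselves with a short-lived A record pointing at the sinkhole."""
    txid, _, _, question = parse_question(query)
    # flags 0x8180: response, recursion desired + available, NOERROR; 1 question, 1 answer
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    # compressed name pointer to offset 12 (the question name), type A, class IN, TTL, rdlength 4
    rr = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + bytes(int(o) for o in sink_ip.split("."))
    return header + question + rr


def handle_query(query, blocked, sink_ip="0.0.0.0"):
    """Pi-hole-style decision: ('sinkhole', response_packet) for a blocked A
    query, otherwise ('forward', name), meaning 'send upstream as-is'."""
    _, name, qtype, _ = parse_question(query)
    if qtype == 1 and name.lower() in blocked:
        return "sinkhole", sinkhole_response(query, sink_ip)
    return "forward", name


if __name__ == "__main__":
    blocked = parse_blocklist(SAMPLE_BLOCKLIST)
    for qname in ("ads.example.com", "www.example.com"):
        kind, result = handle_query(build_query(qname), blocked)
        print(qname, "->", kind, result.hex() if kind == "sinkhole" else result)
```

The short TTL matters: a client that cached the sinkhole answer for hours would keep seeing blank ads (or a blank page) long after you whitelisted the domain in the web UI.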
<p><img src="https://blog.cryptoaustralia.org.au/content/images/2017/10/image-6.jpg" alt="How We Tried 5 Privacy Focused Raspberry Pi Projects"></p>
<p>The default blocklist is not too restrictive. Depending on your personal preferences, you may only want to block ads and malware traffic, while others prefer blocking inappropriate websites at home. We found two excellent blacklist sources for malicious domains: <a href="https://wally3k.github.io/">The Big Blocklist Collection</a> and <a href="http://dsi.ut-capitole.fr/blacklists/index_en.php">Fabrice Prigent’s list</a>.</p>
<p>The Big Blocklist Collection features various feeds compiled for the Pi-Hole. Feeds such as EasyList are the same ones that feature in well-known browser plugins like uBlock Origin and AdBlock. Other feeds sourced from malware researchers, such as <a href="https://zeustracker.abuse.ch/">ZeuS Tracker</a>, are also available. In the end, we picked EasyList and Disconnect.me's “simple ad” and “simple malvertising” lists. Interestingly, there is also a list for Samsung Smart TV owners who wish to block the chatty “smart” features of their TVs.</p>
<p>Fabrice Prigent maintains the other blocklist. His list is used by proxy servers such as squidGuard or e2guardian. Prigent maintains a website categorisation list, similar to those of commercial proxy appliances (e.g. Blue Coat, IronPort), where unwanted websites can be blocked by category, such as pornography, gambling, games or malware. Depending on your preferences, you may also prefer protecting your family from certain website categories.</p>
<p>We concluded that Pi-Hole is relatively straightforward to install and operate. The web UI is very intuitive and easy to use. We all agreed that this project is ideal for a CryptoAus workshop because our guests could just take their devices back home (or rebuild them in no time) and be up and running very quickly blocking ads and malware. The security and privacy benefits of a Pi-Hole device are immediate.</p>
<h3 id="torgateway">Tor Gateway</h3>
<p>The second project we looked into was a secure gateway using Tor. The premise of the project is that you run the Tor client on a Raspberry Pi and create a new Wi-Fi access point (AP). The traffic from the devices connected to this AP is then tunnelled through the Tor network.</p>
<p>We thought that the project could potentially be useful for privacy-enthusiasts, who wish to minimise their metadata or penetration testers who prefer to keep their IP address hidden. OPSEC mistakes happen all the time with computer-based Tor clients, and this device would protect the user from IP and network traffic leaks.</p>
<p>The word ‘project’ is a bit of an exaggeration here because the Tor guides were more like ad-hoc write-ups than comprehensive and well-maintained projects. Nevertheless, we managed to source a few of these write-ups and gave them a try:</p>
<ul>
<li><a href="http://makezine.com/projects/browse-anonymously-with-a-diy-raspberry-pi-vpntor-router/">http://makezine.com/projects/browse-anonymously-with-a-diy-raspberry-pi-vpntor-router/</a></li>
<li><a href="https://learn.adafruit.com/onion-pi/what-youll-need">https://learn.adafruit.com/onion-pi/what-youll-need</a></li>
<li><a href="https://www.lifehacker.com.au/2017/03/how-to-anonymise-your-browsing-with-a-tor-powered-raspberry-pi/">https://www.lifehacker.com.au/2017/03/how-to-anonymise-your-browsing-with-a-tor-powered-raspberry-pi/</a></li>
<li><a href="https://pimylifeup.com/raspberry-pi-tor-access-point/">https://pimylifeup.com/raspberry-pi-tor-access-point/</a></li>
</ul>
<p>The problem we found with the guides was that they had not been kept up to date. Some of them were written for the Raspberry Pi 1 or 2, which do not come with built-in Wi-Fi. Others were built on previous editions of Raspbian, where the wireless configuration was a bit different.</p>
<p>Long story short, we spent a good amount of time reading the various HOWTOs and trying to adapt them to the Raspberry Pi 3 and Raspbian Stretch. There were a few issues with doing this. The first was that the various guides used different IP addressing, NAT and firewall rules, although we managed to overcome this. The real killer was the Wi-Fi AP configuration. Even though we followed the official guide to install <code>hostapd</code>, our devices were not able to connect to the new access point for some reason. They just kept trying to connect, but the process never completed.</p>
<p><img src="https://blog.cryptoaustralia.org.au/content/images/2017/10/image-5.jpg" alt="How We Tried 5 Privacy Focused Raspberry Pi Projects"></p>
<p>We spent more than an hour trying to debug the AP issue, but the Wi-Fi was simply not working. In the project's current state we thought it was unacceptable for a real workshop; getting the Wi-Fi AP working needs some more work. Even though we still reckon a Tor gateway is really useful, we called it quits and gave up on the idea of running this as a workshop.</p>
<h3 id="e2guardiansquidguard">e2guardian / squidGuard</h3>
<p>This project was an ad-hoc idea that stemmed from the success with Pi-Hole earlier that day. We thought, Pi-Hole is great, but its main purpose is ad blocking, not content filtering. Pi-Hole has limitations because it can only block at the DNS level: a hostname is either resolvable or it is not. In circumstances where we want to protect kids from accessing inappropriate content, we need URL filtering. So we thought we would look at a proxy service for more sophisticated protection.</p>
<p>I vaguely remembered squidGuard, which is an add-on to the open-source <a href="http://www.squid-cache.org/">Squid proxy</a>. After some quick research, we found two ways to block website categories with open-source tools: squidGuard and e2guardian.</p>
<p>The first pick was <a href="http://www.squidguard.org/">squidGuard</a>, which is a URL filtering plugin for the Squid proxy. Now both squidGuard and Squid need to be configured from the command line, and it can get a bit messy. The complicated configuration process was a bit worrying considering the mixed experience levels of participants we get at CryptoAus workshops. Secondly, we only have about 1 to 1.5 hours before guests start to lose interest. We concluded that this would not work because of the many manual steps and the time constraints.</p>
<p>We also gave <a href="http://e2guardian.org/">e2guardian</a> a try. The project is a fork of the stale DansGuardian project. Sadly, the configuration experience was very similar to squidGuard.</p>
<p>The final nail in the coffin was when we discovered that almost every single free third-party website categorisation project had been abandoned. The heart of these projects are the third-party feeds with lists of inappropriate websites and URLs assigned into the unwanted website categories.</p>
<p>Although we thought a proxy is a good way to filter offensive content at home, we found the projects inappropriate for the workshops because of their complexity and inactivity. The installation and configuration would need to be automated or made easy to be a viable choice for a CryptoAus workshop. Simple web GUIs are ideal, where users can just tick and untick website categories (e.g. malware, gambling). Both of these projects require editing configuration files.</p>
<p><img src="https://blog.cryptoaustralia.org.au/content/images/2017/10/image-4.jpg" alt="How We Tried 5 Privacy Focused Raspberry Pi Projects"></p>
<h3 id="circlean">CIRCLean</h3>
<p>This project is an interesting one: <a href="https://www.circl.lu/projects/">CIRCLean</a> is a USB sanitiser tool created by <a href="https://www.cert.lu/">CERT Luxembourg</a>. A CIRCLean device can potentially be used by those receiving files on USB drives frequently such as journalists.</p>
<p>A USB drive with malicious intent could:</p>
<ul>
<li>Trick the computer into recognising the device as a keyboard and type a pre-written set of keystrokes. For example, a <a href="https://hakshop.com/products/usb-rubber-ducky-deluxe">USB Rubber Ducky</a> could open a Terminal, then download and install a backdoor on the computer in under a minute. <a href="https://arstechnica.com/information-technology/2016/09/stealing-login-credentials-from-a-locked-pc-or-mac-just-got-easier/">Computers can be disguised as flash drives</a>, too.</li>
<li>Autorun, AutoPlay or an <a href="https://threatpost.com/stuxnet-lnk-exploits-still-widely-circulated/125089/">exploit</a> may run a malicious file automatically</li>
<li>The files themselves may also hide malicious content</li>
</ul>
<p>What a CIRCLean device does is transfer the files from an untrusted USB flash drive to a second USB device. CIRCLean merely copies text and audio files from one to the other. Files with active content (e.g. Word documents with macros), on the other hand, are flagged as ‘dangerous’ once they are copied to the second device. Executable files are also renamed to <code>DANGEROUS_filename_DANGEROUS</code>.</p>
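<p>The following Python sketch is an added example of the copy-and-flag idea, not CIRCLean's own code (CIRCLean also converts documents and images, which is omitted here): files are classified by magic bytes rather than by extension, macro-enabled Office files are detected by the <code>vbaProject.bin</code> member inside their zip container, and anything flagged is copied under the <code>DANGEROUS_filename_DANGEROUS</code> name. The sample ‘USB stick’ contents are constructed in a temporary directory.</p>

```python
import os
import shutil
import tempfile
import zipfile

# Constructed rules: active content is recognised by magic bytes, not by the
# file extension, so a renamed executable is still caught.
EXECUTABLE_MAGIC = (b"MZ", b"\x7fELF", b"#!")  # PE, ELF, script with shebang
ZIP_MAGIC = b"PK\x03\x04"                       # OOXML documents are zip files
MACRO_MEMBER = "vbaproject.bin"                 # present in Office files carrying VBA


def classify(path):
    """Return 'executable', 'macro', 'unreadable' or 'plain' for one file."""
    with open(path, "rb") as f:
        head = f.read(8)
    if head.startswith(EXECUTABLE_MAGIC):
        return "executable"
    if head.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(path) as z:
                if any(n.lower().endswith(MACRO_MEMBER) for n in z.namelist()):
                    return "macro"
        except zipfile.BadZipFile:
            return "unreadable"  # a corrupt archive is treated as suspicious
    return "plain"


def sanitise(src_dir, dst_dir):
    """Copy every file from src_dir to dst_dir; anything that is not plain is
    renamed DANGEROUS_<name>_DANGEROUS. Only file data is copied (no permission
    bits, so an execute bit does not survive). Returns {relative path: verdict}."""
    report = {}
    for root, _, files in os.walk(src_dir):
        rel_root = os.path.relpath(root, src_dir)
        out_root = os.path.normpath(os.path.join(dst_dir, rel_root))
        os.makedirs(out_root, exist_ok=True)
        for name in files:
            src = os.path.join(root, name)
            verdict = classify(src)
            out_name = name if verdict == "plain" else "DANGEROUS_%s_DANGEROUS" % name
            shutil.copyfile(src, os.path.join(out_root, out_name))
            report[os.path.normpath(os.path.join(rel_root, name))] = verdict
    return report


def make_sample_drive(path):
    """Write a constructed 'untrusted USB stick' for the demonstration."""
    os.makedirs(path, exist_ok=True)
    with open(os.path.join(path, "notes.txt"), "w") as f:
        f.write("meeting notes\n")
    with open(os.path.join(path, "holiday.jpg"), "wb") as f:  # Windows executable posing as a photo
        f.write(b"MZ" + b"\x90" * 62)
    with zipfile.ZipFile(os.path.join(path, "invoice.docm"), "w") as z:  # macro-enabled Word file
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/vbaProject.bin", b"\x00")
    with zipfile.ZipFile(os.path.join(path, "report.docx"), "w") as z:  # ordinary Word file
        z.writestr("word/document.xml", "<document/>")


def run_demo():
    """Build the sample drive in a temp directory, sanitise it and return
    (report, sorted names written to the clean side)."""
    base = tempfile.mkdtemp(prefix="circlean-demo-")
    src, dst = os.path.join(base, "untrusted"), os.path.join(base, "clean")
    make_sample_drive(src)
    report = sanitise(src, dst)
    return report, sorted(os.listdir(dst))


if __name__ == "__main__":
    report, written = run_demo()
    for rel, verdict in sorted(report.items()):
        print("%-14s %s" % (rel, verdict))
    print("clean side:", written)
```

The renaming is the point: the recipient can still open the file deliberately, but nothing on the clean drive keeps a name or permission bits that would let Windows or a file manager run it by accident.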
<p>Once we downloaded the latest CIRCLean image from GitHub, we <code>dd</code>’d the image file onto the memory card. As opposed to the other projects, the image already comes with an older edition of Raspbian, so it should have worked out of the box, or so we thought.</p>
<p>Once we popped the card in, we tried to figure out what to do next. We wanted to SSH into the device to download the latest updates, but the device just did not respond. We had a second look at the CIRCLean instruction manual and, apart from a <a href="https://github.com/CIRCL/Circlean#usage">short HOWTO guide</a>, we found the documentation quite brief. We managed to find a few other files under the <code>doc/</code> folder on GitHub, but we found <a href="https://github.com/CIRCL/Circlean/blob/master/doc/image_setup_checklist.md">the documentation</a> neither self-explanatory nor relevant.</p>
<p>We ended up wondering what to do with the device. We probably should have connected the Raspberry Pi to the LCD screen at this point to see what was going on. However, we were a bit demotivated by then, so we gave up after a few more SSH attempts and moved on to the next project.</p>
<p>Nonetheless, we think this is an admirable project and would probably give it another try on a separate occasion. The documentation, however, could be a bit more extensive. Perhaps a video guide would lower the bar for everyone, especially since the target audience, such as journalists, does not necessarily possess advanced tech skills.</p>
<p><img src="https://blog.cryptoaustralia.org.au/content/images/2017/10/image-1.jpg" alt="How We Tried 5 Privacy Focused Raspberry Pi Projects"></p>
<h3 id="broids">Bro IDS</h3>
<p>We had run out of hot dogs and our attention had started to shift to the AFL Grand Final by the time we got to this last one. The premise of this idea was to install a homebrew intrusion detection system (IDS) on a Raspberry Pi for detecting malware activity on your home network. This would allow users to identify and disconnect an infected device from the network before valuable files and sensitive passwords start leaving the computer.</p>
<p>But first, what is an IDS? A typical IDS is usually an appliance that big corporates buy for a fortune, the incident handler team wastes their time with false positive alerts and years later the device ends up in the bin.</p>
<p><a href="https://www.bro.org">Bro IDS</a>, on the other hand, is a robust system that features a powerful scripting language and lots of functionality straight out of the box. Simply put, it inspects network traffic on the LAN, writes what it sees into structured logs (connections, DNS queries, HTTP requests and so on) and looks for signs of suspicious activity. For example, if one of your laptops starts resolving and connecting to a known malware command-and-control (C2) domain, it is very likely that the device has been compromised. So, we thought it might be a good idea to put Bro IDS on a Raspberry Pi for policing the devices on your home LAN.</p>
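<p>As an added illustration of the kind of check an IDS performs (example code, not Bro's own; Bro's Intel framework does this in real time while it captures traffic): the Python snippet below parses a constructed excerpt of Bro's tab-separated <code>dns.log</code>, trimmed to a subset of the real columns, matches each query and answer against a made-up command-and-control indicator list, and lists the internal hosts that should be pulled off the network.</p>

```python
# Constructed excerpt of a Bro dns.log (tab separated, header-driven), trimmed
# to a subset of the real columns; the C2 domain and address are made up.
SAMPLE_DNS_LOG = """\
#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tdns
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tquery\tqtype_name\tanswers
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tstring\tvector[string]
1507000001.123\tCx1a\t192.168.1.20\t51000\t192.168.1.1\t53\tudp\twww.example.com\tA\t93.184.216.34
1507000002.456\tCx1b\t192.168.1.37\t51001\t192.168.1.1\t53\tudp\tupdate.evil-c2.example\tA\t203.0.113.7
1507000003.789\tCx1c\t192.168.1.37\t51002\t192.168.1.1\t53\tudp\tcdn.evil-c2.example\tA\t-
#close\t2017-10-01-10-00-05
"""

# Constructed indicators: a C2 domain (its subdomains match too) and a C2 address.
C2_DOMAINS = {"evil-c2.example"}
C2_IPS = {"203.0.113.7"}


def parse_bro_log(text):
    """Yield one dict per record, keyed by the names in the #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            yield dict(zip(fields, line.split("\t")))


def domain_matches(name, indicators):
    """True if name or any parent domain of it is an indicator."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in indicators for i in range(len(labels)))


def find_c2_hits(text, c2_domains=C2_DOMAINS, c2_ips=C2_IPS):
    """Flag DNS records whose query name or resolved address matches an indicator."""
    hits = []
    for rec in parse_bro_log(text):
        reasons = []
        if domain_matches(rec["query"], c2_domains):
            reasons.append("query")
        answers = [] if rec["answers"] in ("-", "(empty)") else rec["answers"].split(",")
        if any(a in c2_ips for a in answers):
            reasons.append("answer")
        if reasons:
            hits.append({"ts": rec["ts"], "host": rec["id.orig_h"],
                         "query": rec["query"], "reasons": reasons})
    return hits


def suspect_hosts(hits):
    """The internal addresses worth pulling off the network."""
    return sorted({h["host"] for h in hits})


if __name__ == "__main__":
    hits = find_c2_hits(SAMPLE_DNS_LOG)
    for h in hits:
        print(h["ts"], h["host"], h["query"], ",".join(h["reasons"]))
    print("suspect hosts:", suspect_hosts(hits))
```

Matching on the resolved address as well as the query name is deliberate: malware that rotates hostnames still tends to land on the same handful of servers, so the third record above is caught only by its domain while the second is caught by both.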
<p>We found a few promising projects with varying levels of maturity:</p>
<ul>
<li><a href="https://github.com/TravisFSmith/SweetSecurity">https://github.com/TravisFSmith/SweetSecurity</a></li>
<li><a href="https://www.tripwire.com/state-of-security/security-data-protection/sweet-security-part-2-creating-a-defensible-raspberry-pi/">https://www.tripwire.com/state-of-security/security-data-protection/sweet-security-part-2-creating-a-defensible-raspberry-pi/</a></li>
<li><a href="https://github.com/musicmancorley/BriarIDS">https://github.com/musicmancorley/BriarIDS</a></li>
<li><a href="http://www.binorassocies.com/en/blogs/2016/03/brostash.html">http://www.binorassocies.com/en/blogs/2016/03/brostash.html</a></li>
<li><a href="https://www.sneakymonkey.net/2016/10/30/raspberrypi-nsm/">https://www.sneakymonkey.net/2016/10/30/raspberrypi-nsm/</a></li>
<li><a href="https://xn--blgg-hra.no/2015/11/installing-bro-the-network-security-monitor-on-raspberry-pi/">https://bløgg.no/2015/11/installing-bro-the-network-security-monitor-on-raspberry-pi/</a></li>
</ul>
<p>The most promising one was <a href="https://github.com/TravisFSmith/SweetSecurity">SweetSecurity</a>, which is a collection of scripts to install Bro IDS and other tools with a few commands. Once a fresh installation of Raspbian was up and running, we cloned SweetSecurity and ran the installer.</p>
<p>Unfortunately, we ran into problems again. First of all, the full install requires at least 2 GB of RAM, while the Raspberry Pi Model 3 only has 1 GB. No worries, we re-ran the installer and picked ‘Sensor Install’, which is supposed to deploy only Bro IDS. It turned out that the scripts install Bro from source, so compilation on an RPi would have taken too long. Normally, this is not an issue. However, we would hit the 1-1.5 limit at the CryptoAus workshop. At this point in the afternoon we were all exhausted, so we started to wrap this up.</p>
<h2 id="whatdidwechooseandwhy">What Did We Choose and Why</h2>
<p>By the end of the session, we all felt that Pi-Hole was the strongest contender for the CryptoAus workshop.</p>
<p>We found that Pi-Hole was very easy to install and configure, and it provides a great deal of privacy and security benefits for users and their families. Pi-Hole installs and configures itself with minimal user interaction. Although the default configuration works fine, it was easy to fine-tune the device with a web browser. We found the admin panel easy to use, and every configuration option was self-explanatory. Finally, Pi-Hole ran perfectly on older RPi devices with slower processors and less memory, such as the original Model 1 (and also the Pi Zero).</p>
<p>Furthermore, we thought that the additional value CryptoAUSTRALIA could bring to the workshop was the know-how around:</p>
<ul>
<li>the third-party DNS servers</li>
<li>the ad and malware blocklists</li>
<li>the website category filters</li>
</ul>
<p>Different DNS services offer different benefits: while some of them focus on privacy, others provide protection from phishing and other malicious websites. Same goes for the blocklists: some of them can blackhole ads, while others can block other things like URL shorteners or phishing sites. Certain lists and the website category filters could help protect the family from inappropriate content such as adult content. We have all this experience accumulated in the team, and we are ready to hand it over.</p>
<h3 id="whatabouttheothers">What About the Others?</h3>
<p>We found the other five projects also had benefits, but unfortunately, the constraints of the workshop would not allow us to feature any of them. We would probably give CIRCLean another try at an event for journalists. We would reconsider the Tor gateway if a HOWTO were available for the Raspberry Pi 3 or the process were automated with scripts or Ansible. Sadly, e2guardian and squidGuard seem to be too complicated, and Bro just takes too much time to set everything up.</p>
<h2 id="whatisnext">What Is Next?</h2>
<p>We still have to figure a few details out, like do we provide hardware at the workshop, or do we let everyone bring their own? Should we provide memory cards with Raspbian on them, or do we even include time at the event for writing the OS onto the card? Will we have enough time remaining then? Or what blocklists to suggest and why? If you are keen on answering these questions or volunteering with this upcoming workshop, please drop us a line.</p>
<p>Otherwise, keep an eye on our event page and our <a href="https://twitter.com/cryptoaustralia">Twitter feed</a>, as we will be publishing more details about the upcoming CryptoAus workshop in the forthcoming weeks.</p>
<p><em>If you are interested in the upcoming Raspberry Pi workshop, make sure to <a href="https://twitter.com/CryptoAustralia">follow us on Twitter</a> and subscribe to our Meetup groups at <a href="https://cryptoaustralia.org.au/events">https://cryptoaustralia.org.au/events</a></em></p>
<p><em>Disclaimer: None of the brands on the photos nor Raspberry Pi has sponsored CryptoAUSTRALIA</em></p>
</div>]]></content:encoded></item><item><title><![CDATA[What's Up Doc?]]></title><description><![CDATA[Healthcare and human errors: How did a simple visit to my doctor turn into a privacy breach]]></description><link>https://blog.cryptoaustralia.org.au/2017/10/03/whats-up-doc/</link><guid isPermaLink="false">59d2b731d433d019c64e2bc6</guid><dc:creator><![CDATA[Karissa A. Breen]]></dc:creator><pubDate>Tue, 03 Oct 2017 00:45:54 GMT</pubDate><media:content url="https://blog.cryptoaustralia.org.au/content/images/2017/10/doc-cover-1.jpg" medium="image"/><content:encoded><![CDATA[<div class="kg-card-markdown"><img src="https://blog.cryptoaustralia.org.au/content/images/2017/10/doc-cover-1.jpg" alt="What's Up Doc?"><p>So I am pretty bad at going to the doctor on time; yes, I am one of <em>those</em> people who get the overdue notifications on the weekly.</p>
<p>I finally had enough courage to turn up to get my regular medication. Generally, when doctors release scripts, it’s one of those situations where you put your script in your bag and run out.</p>
<p>When I needed to return to the doctor, overdue of course, I realised that when I was consulting my nurse, they asked me my date of birth, which is totally normal. But then I heard this awkward silence: “that is not correct Miss Breen”. I was actually super concerned that I couldn’t remember my date of birth... #awkward.</p>
<h2 id="thecomedyoferrors">The Comedy of Errors</h2>
<p>The doctor then called me by a different name, and it wasn’t Karissa... it was some random's name! I then took back the script to realise that the document was actually not my script... it was in fact someone else’s! I perused the document and yep, there it was: full name, date of birth, address and phone number, enough to create a fake identity under this person’s name. Things were definitely uncomfortable on both ends by this point.</p>
<p>The part that set me back about this situation was that no one from the doctor's surgery really knew how to handle it. After some backwards and forwards, I started to feel pretty bad that I had a random person’s private details in my hands. For someone who is a security person, this raised great concerns, as I am not sure if everyone would be as honest as I was about this situation.</p>
<p>When you hear on the news about data breaches, this is an example of an accident that could go terribly wrong. My original doctor wasn’t actually in that day, so another doctor had to “make some changes” on my script. I then had to go back to the pharmacy with an “updated” script.</p>
<p>But, what concerns me is that I actually don’t know if this same situation with my details has landed in the hands of some other random in Sydney and is floating about. I think the main problem is the lack of due diligence on both ends. I probably should have checked before leaving the doctor when I was issued with the script. Although I do believe doctors need to be mindful of ensuring they are not giving away sensitive information to the next person.</p>
<h2 id="securitytroublesinthehealthcaresector">Security Troubles in the Healthcare Sector</h2>
<p>The <a href="http://www.verizonenterprise.com/verizon-insights-lab/dbir/">Verizon Data Breach Investigation Report</a> is an annual report on data breach trends. Verizon uses questionnaires and hundreds of key industry players to contribute to the report with data and feedback.</p>
<p><img src="https://blog.cryptoaustralia.org.au/content/images/2017/10/dbir.png" alt="What's Up Doc?"></p>
<p>Healthcare is usually one category in the report. Take a look at the 2017 report; you can find the relevant section on page 22. According to the report, the major reasons for data breaches in healthcare are: <strong>'Human Errors'</strong> (the report calls it 'Miscellaneous Errors') and <strong>'Physical Theft and Loss'</strong>.</p>
<p>The paragraph with the heading <strong>&quot;A comedy of errors&quot;</strong> perfectly shows what Human Errors mean, and this actually ties into my own example shared above.</p>
<p>Check out page 50; there is a section dedicated to <strong>&quot;Miscellaneous Errors&quot;</strong> elaborating on this data breach type in detail.</p>
<p>If you open the 2016 report and look for the similar sections, you will see it has not really changed over time. Human Errors in Healthcare is #1. If you go to page 11, the matrix underpins this claim.</p>
<p>Check it out here:</p>
<p><img src="https://blog.cryptoaustralia.org.au/content/images/2017/10/matrix-dbir.jpg" alt="What's Up Doc?"></p>
<h2 id="whatcanwedo">What Can We Do</h2>
<p>The takeaway from my own experience is that humans make mistakes, and training can help prevent these situations from happening. Having correct processes in place would have remediated this situation quickly and would have limited the upheaval.</p>
<p><em>Here is an example of the script; for privacy reasons, the details have been redacted.</em></p>
<p><img src="https://blog.cryptoaustralia.org.au/content/images/2017/10/receipt.jpg" alt="What's Up Doc?"></p>
<p>For Australians, the Australian Privacy Foundation has raised the threats of the consolidated patient register called '<a href="https://www.privacy.org.au/campaigns/myhr/">My Health Record</a>'.</p>
<p>Human errors are a bad case of things like this going wrong. This is my own personal story, and I wanted to share with you that these types of incidents happen on the daily, and it is not always organised crime behind these types of events. I would be super keen to <a href="mailto:karissa@karissabreen.com">hear your own personal stories</a> about something similar.</p>
<p>Keep on keepin’ on,<br>
<strong>KB</strong></p>
<p><em>This article first appeared in <a href="https://www.kabtechnology.com/single-post/2017/09/29/Whats-up-Doc">Karissa Breen's blog</a>. Photo courtesy of <a href="https://www.flickr.com/photos/149902454@N08/35081941020/in/photolist-Vs57Q5-iXgVYv-4rNgLg-7nhevd-8PBcVd-n92pdP-54XALL-hL95uB-5Ez381-c3Z2hb-5G8v4g-63QLz6-9QXTeX-9xhtSr-aUyBwe-9fmxji-Evuv-bqihmj-81LwNX-7nBd2K-bzS3pD-fA1TS9-YW9Cyq-dHYcU8-cne61J-dVgaqM-dHYcwD-aUyt8r-eaRQV1-a8tDrJ-esrHN-eaRS2f-eaRRBE-7nF82w-eaRSoj-aUyDAD-5Mqas3-96ju5f-b33r5r-eNwAdB-4oCome-9Qut2a-aUyv3P-4V1yvZ-bmXcYm-nvf8UF-9141Uq-qnVoHw-ibE2R6-xXdZu">Hamza Butt</a></em></p>
</div>]]></content:encoded></item><item><title><![CDATA[Cheap Shots are taking Creep Shots of Women]]></title><description><![CDATA['Creep Shots' is a worrying new trend targeting women. We are taking a closer look, explain what this means and what women can do about it]]></description><link>https://blog.cryptoaustralia.org.au/2017/09/19/cheap-shots-are-taking-creep-shots-of-women/</link><guid isPermaLink="false">59be4f01d433d019c64e2bb8</guid><category><![CDATA[Online Safety]]></category><dc:creator><![CDATA[Karissa A. Breen]]></dc:creator><pubDate>Tue, 19 Sep 2017 00:30:00 GMT</pubDate><media:content url="https://blog.cryptoaustralia.org.au/content/images/2017/09/creepshots-cover-1.jpg" medium="image"/><content:encoded><![CDATA[<div class="kg-card-markdown"><img src="https://blog.cryptoaustralia.org.au/content/images/2017/09/creepshots-cover-1.jpg" alt="Cheap Shots are taking Creep Shots of Women"><p>Do you ever get that feeling that someone is watching you, or you are being followed? It freaks me out. Now, how do you feel when some random person has taken a photo of you?</p>
<p>Well, sometimes you can never be too sure about what the case is. But, what happens when the creep shots take cheap shots? Yep, that is a whole new level we are heading to.</p>
<h2 id="whatisacreepshot">What is a Creep Shot?</h2>
<p>A creep shot is a photo taken directly of women in public by men.</p>
<p>Creep shots are focused on females’ bodies that are clothed. These cheap shots are sexually suggestive rather than sexually explicit. Cheap shots are a slight variation of the technology-driven sexual cyber violence that we have all heard of, like revenge porn, upskirting and unsolicited male pics.</p>
<p>As everyone wants to be innovative and ‘trending’, new technologies like camera pens, Google Glass and shoe spy cameras have allowed more people to take photos; however, technology has also made it easier for the cheap shots to capture their token creep shots. This is even going to the next level, as there are cheap shot websites where men assess the calibre of the cheap shots with other creep shot men.</p>
<p><img src="https://blog.cryptoaustralia.org.au/content/images/2017/09/image-1.jpg" alt="Cheap Shots are taking Creep Shots of Women"></p>
<p>What is going on in the world? Good question, I am asking the same thing. There is really limited knowledge on why people do what they do. Although it did become apparent that the creep shots thought it was harmful and funny, good joke lads. Perhaps some of the creep shots feel it’s their only way to fit in and feel part of a club – how about joining the golf club?</p>
<h2 id="helpisavailable">Help is Available</h2>
<p>We have been noticing that other nations are trialling cyber harassment helplines. One of the <a href="https://digitalrightsfoundation.pk/wp-content/uploads/2017/07/Cyber-Harassment-Helpline-Six-Month-Report.pdf">initiatives hosted by Pakistan</a> addresses the gaps women face when dealing with these pretty awkward situations. The helpline also offers a safe house for women to feel supported. The support staff have developed in-depth privacy, which includes caller confidentiality and a high-quality support service.</p>
<p>This ridiculous behaviour puts women in a vulnerable position and potentially puts them at risk if they confront the creepers.</p>
<p>As for Australia, the <a href="https://www.esafety.gov.au/women">Office of the eSafety Commissioner</a> has put together some material called <strong>eSafety Women</strong> to assist women when they are feeling vulnerable or threatened by some creeper-related activity. This initiative is to empower women to take control of their online experiences.</p>
<p>Please review the eSafety Women program here: <a href="https://www.esafety.gov.au/women">https://www.esafety.gov.au/women</a></p>
<p>Stop creepin’!</p>
<p><em>CryptoAUSTRALIA thanks <a href="https://twitter.com/info_aus">Rosie Williams</a> for her valuable input that improved this article</em></p>
</div>]]></content:encoded></item><item><title><![CDATA[CryptoAUSTRALIA Signs Open Letter for Transparent Intelligence Sharing Activities]]></title><description><![CDATA[International coalition writes to intelligence oversight bodies in over 40 countries seeking information on intelligence sharing activities]]></description><link>https://blog.cryptoaustralia.org.au/2017/09/15/open-letter-transparent-intelligence-sharing-activities/</link><guid isPermaLink="false">59b931dad433d019c64e2ba7</guid><category><![CDATA[Announcements]]></category><dc:creator><![CDATA[CryptoAUSTRALIA]]></dc:creator><pubDate>Thu, 14 Sep 2017 21:29:00 GMT</pubDate><media:content url="https://blog.cryptoaustralia.org.au/content/images/2017/09/cover.jpg" medium="image"/><content:encoded><![CDATA[<div class="kg-card-markdown"><img src="https://blog.cryptoaustralia.org.au/content/images/2017/09/cover.jpg" alt="CryptoAUSTRALIA Signs Open Letter for Transparent Intelligence Sharing Activities"><p>The Australian Government must ensure transparency of its intelligence sharing with other countries in order to safeguard Australian citizens’ private information, a coalition of privacy and human rights organisations said at the launch of a new campaign.</p>
<p>An international coalition of 30+ organisations led by Privacy International (PI) has written to national intelligence oversight bodies in over 40 countries, including Australia, seeking information on the intelligence sharing activities of their governments.</p>
<p>Countries, including Australia, may use secret intelligence sharing arrangements to circumvent international and domestic rules against direct surveillance. These arrangements can also lead to the exchange of information that can facilitate human rights abuses, particularly in countries with poor human rights records or weak rule of law.</p>
<p>National intelligence oversight bodies hold intelligence agencies accountable to the public by exercising scrutiny over the legality, propriety, effectiveness, and efficiency of the intelligence activities of their governments. Recently <a href="https://theintercept.com/2017/08/19/nsa-spy-hub-cia-pine-gap-australia/">it was revealed</a> that intelligence from the Pine Gap base in Alice Springs is being used by the US in its deadly, covert drone strike program that has caused significant civilian casualties overseas.</p>
<p>The coalition of human rights organisations has written to countries including those who form the <a href="https://privacyinternational.org/node/1480">Five Eyes Alliance</a>, which is a secretive, global surveillance arrangement between the United States, the United Kingdom, Canada, Australia and New Zealand. The letter was also sent to nearly all of the countries forming surveillance partnerships that have grown from the Five Eyes: the Nine-Eyes (the Five Eyes plus Denmark, France, the Netherlands and Norway), the 14-Eyes (the Nine-Eyes plus Belgium, Germany, Italy, Spain and Sweden), and the 43-Eyes (the 14-Eyes plus the 2010 members of the International Security Assistance Forces to <a href="http://www.nato.int/cps/en/natohq/topics_69366.htm">Afghanistan</a>).</p>
<p>Specifically, organisations are seeking more information about whether these national oversight bodies:</p>
<ul>
<li>Are informed about the intelligence sharing activities of their governments;</li>
<li>Can independently oversee the intelligence sharing activities of their governments;</li>
<li>Can access all relevant information about the intelligence sharing activities of their governments;</li>
<li>Can review decisions by their governments to share intelligence and/or conduct independent investigations into the intelligence sharing activities of their governments; and</li>
<li>Cooperate with other oversight bodies to supervise the intelligence sharing activities of their governments.</li>
</ul>
<p>A deadline of 31 October 2017 has been given for each national oversight body to respond. PI has created <a href="https://privacyinternational.carto.com/builder/28fccac2-3349-46e5-91bd-fd676d0efe1f/embed">an interactive map</a>, which illustrates the countries included in the campaign and the national intelligence oversight bodies that have been contacted in each country. The map will be updated when responses are received.</p>
<p>PI has also provided national oversight bodies with <a href="https://www.documentcloud.org/documents/3990954-PI-Briefing-to-National-Intelligence-Oversight.html">a briefing</a> highlighting the international human rights implications of intelligence sharing arrangements between governments, with recommendations to increase transparency around these activities.</p>
<p>The global coalition of 30+ human rights organisations includes 6 Australian-based organisations: Australian Lawyers for Human Rights, CryptoAUSTRALIA, Digital Rights Watch, Electronic Frontiers Australia, the Human Rights Law Centre, and the NSW Council for Civil Liberties.</p>
<p><strong>Scarlet Kim, Legal Officer at Privacy International, said:</strong></p>
<p><em>&quot;As intelligence agencies around the world have expanded their surveillance capabilities, so has the amount of information they exchange with each other, including data collected in bulk. These sharing arrangements are shrouded in secrecy and shielded from accountability. National oversight bodies perform a critical role in holding intelligence agencies accountable. The public has a right to know whether their mandates include scrutiny of intelligence sharing and what form this scrutiny takes.&quot;</em></p>
<p><strong>Benedict Coyne, President, Australian Lawyers for Human Rights, said:</strong></p>
<p><em>“In the light of the legislation that the Australian Federal Government has passed requiring retention of Australians’ personal data, it is particularly important that Australians are informed about what is being done with that data, and how their privacy rights are being eroded without any public scrutiny.”</em></p>
<p><strong>Gabor Szathmari, President of CryptoAUSTRALIA, said:</strong></p>
<p><em>“While many Australian citizens are rightly concerned about the state of national security at the present moment, citizens would also like to be reassured that intelligence gathering is only conducted for the purpose of ensuring the security of citizens.”</em></p>
<p><em>“Australian oversight bodies should be empowered to act on behalf of the citizens of Australia and ensure that intelligence agencies are operating in a fair and transparent manner serving the people of Australia. These bodies include the Inspector-General of Intelligence and Security, Independent National Security Legislation Monitor, and the Parliamentary Joint Committee on Intelligence and Security.”</em></p>
<p><strong>Tim Singleton Norton, Chair of Digital Rights Watch, said:</strong></p>
<p><em>“The Australian public have a right to know the scale of privacy invasion that is being undertaken under the guise of national security. Our human rights to privacy are being compromised by widespread warrantless surveillance without adequate safeguards, and our partnerships with foreign governments such as those that form the Five Eyes is resulting in increasingly less transparency and oversight. Australian citizens have a right to understand these processes and what is being done to ensure they are accountable to a public good.”</em></p>
<p><strong>Emily Howie, Director of Legal Advocacy at the Human Rights Law Centre, said:</strong></p>
<p><em>“There are untold legal consequences of intelligence sharing that demand immediate inquiry. Documents revealed this year show that Australians are likely involved in intelligence sharing with the United States to locate the targets of the deadly US drone strike program. If true, Australians could be complicit in civilian deaths from drone strikes - that might mean complicity in war crimes.”</em></p>
<p><em>“The government has been given free rein to scoop up our personal information but won’t provide guarantees for how that information is passed on, including to international partners. It’s unacceptable and makes each and every one of us vulnerable.”</em></p>
<p><strong>Dr Lesley Lynch from the NSW Council for Civil Liberties, said:</strong></p>
<p><em>“Whilst we accept that the Government must act to protect its citizens from current complex global security challenges (and intelligence gathering alliances with allies will be part of that), there is an obvious danger that, in the process, we trash the very core liberties that are fundamental to a healthy democracy.”</em></p>
<p><em>“Mass electronic surveillance by government agencies is a real threat to our democratic way of life if not appropriately constrained by effective independent oversight - including sufficient transparency for the community to have a broad understanding of what kind of surveillance is conducted, on whom, who has access and how it is used.”</em></p>
<p><em>“Australia has a number of bodies oversighting our intelligence and security agencies. There has been some recent and welcome expansion of their responsibilities and powers to match the rapid proliferation of our counter-terrorism laws. However, many questions remain as to the overall effectiveness of this oversight. Furthermore, the extreme secrecy and limited reporting to the public by these bodies makes it impossible for the community to exercise effective democratic control as to the broad nature of our state surveillance agenda – at home or abroad. We must have a more balanced and less secretive approach to our national security policy.”</em></p>
<p><strong>Read the letters here:</strong> <a href="http://dl.cryptoaustralia.org.au/files/pi-open-letter/AUS%20Open%20Letter%20on%20Intelligence%20Sharing%20and%20Oversight%20%28INSLM%29.pdf">Independent National Security Legislation Monitor</a>, <a href="http://dl.cryptoaustralia.org.au/files/pi-open-letter/AUS%20Open%20Letter%20on%20Intelligence%20Sharing%20and%20Oversight%20%28Inspector-General%29.pdf">Inspector-General of Intelligence and Security</a>, <a href="http://dl.cryptoaustralia.org.au/files/pi-open-letter/AUS%20Open%20Letter%20on%20Intelligence%20Sharing%20and%20Oversight%20%28Parliamentary%20Joint%20Comm.%20Intel.%20Security%29.pdf">Parliamentary Joint Committee on Intelligence and Security</a>, <a href="http://dl.cryptoaustralia.org.au/files/pi-open-letter/PI%20Briefing%20to%20National%20Intelligence%20Oversight%20Bodies.pdf">PI Briefing</a></p>
<p><strong>See what people say on Twitter under the <a href="https://twitter.com/hashtag/intsharing">#IntSharing hashtag</a></strong></p>
<p><em>Update (20/10/2017): Response from the Parliamentary Joint Committee on Intelligence and Security Department of the House of Representatives is <a href="https://dl.cryptoaustralia.org.au/files/pi-open-letter/19.10.17%20to%20Privacy%20International%20et%20al.pdf">now available here</a></em></p>
<p><em>Update (2/11/2017): Response from the Inspector General of Intelligence and Security <a href="https://dl.cryptoaustralia.org.au/files/pi-open-letter/oig017_1-11-2017_16-05-53.pdf">is now available here</a></em></p>
</div>]]></content:encoded></item><item><title><![CDATA[Do I need AntiVirus on macOS?]]></title><description><![CDATA[Most macOS users still believe that macOS is free from malware. But this is not true. But what is the solution? AV for macOS, or something else?]]></description><link>https://blog.cryptoaustralia.org.au/2017/09/06/do-i-need-antivirus-on-macos/</link><guid isPermaLink="false">599e5543d433d019c64e2b72</guid><category><![CDATA[Malware]]></category><dc:creator><![CDATA[Zoltan Balazs]]></dc:creator><pubDate>Wed, 06 Sep 2017 02:05:41 GMT</pubDate><media:content url="https://blog.cryptoaustralia.org.au/content/images/2017/08/cover-2.png" medium="image"/><content:encoded><![CDATA[<div class="kg-card-markdown"><img src="https://blog.cryptoaustralia.org.au/content/images/2017/08/cover-2.png" alt="Do I need AntiVirus on macOS?"><p>I often get asked &quot;Should I use Antivirus software on my Mac?&quot; The answer is: it depends.</p>
<p><em>Note: This is a multipart article, <a href="https://blog.cryptoaustralia.org.au/2017/08/24/why-free-antivirus-better-than-no-av-and-worse-than-paid-av/">Part 1 is available here</a></em></p>
<p>The risk of getting infected on macOS is significantly lower than on Windows. But it is not completely zero. It is hard to find any good study on this topic (<a href="https://community.norton.com/en/blogs/norton-protection-blog/pc-or-mac-which-more-resistant-cyber-threats">here is one</a>), but this is a widely accepted fact at the moment. There are many factors which contribute to this lower risk:</p>
<ol>
<li>Fewer people use macOS than Windows</li>
<li>macOS upgrades (major releases) are typically free for a longer time than Windows upgrades, therefore more Mac users update their OS than Windows users. Microsoft started the free upgrade from Windows 7 to Windows 10 some years ago, but previously, an upgrade like this was not free.</li>
<li>People using macOS tend to pay for their software and are less likely to pirate it from shady sites. Pirated software may contain adware, backdoors and hidden Bitcoin miner software that may harm your computer.</li>
</ol>
<p>Personally, I am not a fan of macOS Antivirus. macOS Antivirus has never been the focus of development at AV companies. It is mostly reactive, and there are a lot fewer proactive features in it than in the Windows counterpart. For example, on Windows, AV can warn when a program accesses the webcam. On macOS, the AV can turn off the webcam, but it can’t warn when a program accesses the webcam.</p>
<p>When looking at independent tests of macOS Antivirus, you have to know that most labs do not have access to the latest macOS threats, so they tend to test with old and known malware. This means the gap between synthetic test results (100%) and real life is even wider than in the case of Windows Antivirus tests. In other words, anti-malware tests you may read in magazines can be very misleading, as these tests are far from representing the real-life situation.</p>
<p>Also, macOS includes its own AV called <a href="https://support.apple.com/en-us/HT202491">GateKeeper</a>, which does a basic job of preventing the user from running malicious programs. GateKeeper prevents known malware from starting and warns the user if (s)he tries to execute unsigned stuff.</p>
<p><img src="https://blog.cryptoaustralia.org.au/content/images/2017/08/image1.png" alt="Do I need AntiVirus on macOS?"></p>
<p>But there are ways around GateKeeper. For example: scripts (e.g. Python). Or Microsoft Office macros. Or in-memory malware. Or probably tens (hundreds?) of other ways. These techniques can all circumvent the built-in protection on Mac, which the more sophisticated malware products frequently do.</p>
<h2 id="sothenhowdoiprotectmyself">So then how do I protect myself?</h2>
<p>Instead of focusing on Antivirus, I recommend people install software which can restrict unauthorised access to critical parts of the operating system.</p>
<h3 id="networking">Networking</h3>
<p>One of the best security tools for macOS is <a href="https://www.obdev.at/products/littlesnitch/index.html">Little Snitch</a>. It is a software firewall which will notify the user every time an unknown application starts to communicate over the Internet. Training it in the first few days can be a bit time consuming, but after this time it performs nicely.</p>
<p><img src="https://blog.cryptoaustralia.org.au/content/images/2017/08/image4.jpg" alt="Do I need AntiVirus on macOS?"></p>
<p>Problems can arise when application updates cause existing rules to stop working. Online meeting applications (GoToMeeting, Webex) can be particularly troublesome – these are updated frequently, and they may try to communicate with hosts on arbitrary ports.</p>
<p><img src="https://blog.cryptoaustralia.org.au/content/images/2017/08/image3.png" alt="Do I need AntiVirus on macOS?"></p>
<h3 id="fileaccess">File Access</h3>
<p>Another great macOS tool is <a href="https://beta.f-secure.com/key/XFence">F-Secure X-Fence</a> (formerly Little Flocker), which monitors read and write file access. The same training concept applies as with Little Snitch – after the initial training period, it just works.</p>
<p><img src="https://blog.cryptoaustralia.org.au/content/images/2017/08/image7.png" alt="Do I need AntiVirus on macOS?"></p>
<p>In the above screenshot, Microsoft Word tried to read/write/execute <code>133t_0day.sh</code>. If the user clicks Deny, this exploit is blocked.</p>
<h3 id="persistence">Persistence</h3>
<p><a href="https://objective-see.com/products/blockblock.html">BlockBlock</a> is a tool which alerts users when a program is installed that tries to execute itself every time the computer boots. Most malware uses some form of persistence to stay on a host after a restart. Because malware must at some point register itself with the OS, and there are only a few ways to persist in an OS, most malware ends up using the same techniques, so this behaviour can be detected by AV software.</p>
<p>Note that I have not had first-hand experience with BlockBlock.</p>
<p><img src="https://blog.cryptoaustralia.org.au/content/images/2017/08/image6.png" alt="Do I need AntiVirus on macOS?"></p>
<p>In the screenshot, the <code>osxMalware</code> application tried to install itself so that it starts with every boot of the system. By clicking 'Block', the user can stop this action.</p>
<h2 id="conclusion">Conclusion</h2>
<p>By supervising network communication, file access and persistence, users can create a safe environment where even totally new and unknown malware can be blocked. But these solutions can be a pain for novice users.</p>
<p>Trusting AV on macOS is not as good a choice as it is on Windows. For example, the <a href="https://babyphd.net/2017/08/wtf-is-safefinderoperatormac-campaign/">following article</a> details a malware campaign targeting macOS users which went unnoticed by most macOS AV engines.</p>
<p>If you are a novice user, you can try to protect yourself with AV designed for macOS, but don’t expect much.</p>
<p>If you are a security conscious macOS user with some experience in IT, there are steps you can take to sleep better at night without AV (see <a href="https://www.obdev.at/products/littlesnitch/index.html">Little Snitch</a>, <a href="https://beta.f-secure.com/key/XFence">X-Fence</a> or <a href="https://objective-see.com/products/blockblock.html">BlockBlock</a>). While a determined attacker may find ways around your defences, whitelisting network, file access and OS service persistence is a good start against common threats.</p>
<blockquote class="embedly-card"><h4><a href="https://twitter.com/pwnsdx/status/845174836934598657">Sabri on Twitter</a></h4><p>CIA bypassed Little Snitch by injecting its malware into the browsers. Could have still been spotted with activity monitor</p></blockquote>
<p><em>Zoltan (<a href="https://twitter.com/zh4ck">@zh4ck</a>) is a full-time AntiVirus bypasser and public speaker from Hungary. He frequently rants on Twitter about how people should try things harder. He has experience from both blue and red side, and enjoys the cat and mouse game between attackers and defenders.</em></p>
<p><em>Peer review: AC</em></p>
<p><em>Photo courtesy of <a href="https://www.flickr.com/photos/38025693@N06/13165775453">Jose</a></em></p>
</div>]]></content:encoded></item></channel></rss>