Rubber Ducky is the “technical” name of a USB device that looks like a USB thumb drive but presents itself to the computer as a USB keyboard, which, once plugged in, starts typing pre-recorded keystrokes at superhuman speed. It can bypass many IT safeguards, since the computer detects it as a keyboard, and it can easily fool people: someone might think they’re just plugging in a harmless USB thumb drive, or even a harmless iPhone charging cable. These devices can be disguised as just about anything these days, and they can be microscopic.
DNS is one of the most fundamental components of today’s internet and, at the same time, one of the simplest technologies, but it is also one of the biggest risks, and it can be one of the best indicators that something is at risk. Many cyber attacks either have their root in DNS or simply use DNS as part of the attack’s structure without giving it a second thought. Understanding your organization’s DNS traffic is a very solid step toward protecting the organization as a whole. Monitoring DNS lookups with Elasticsearch and analyzing them with machine learning can significantly reduce the risk of several types of attacks. Here are some of the threats based in DNS and how to know about them.
This idea came to me when I was configuring Puppet Server to manage our Windows VMs. One thing that annoyed me for the longest time was having Notepad++ installed everywhere and getting that popup that an update is available. Disabling the update check is not the solution. I realized that our server deployments are good: we build containers, automate installation of programs with package managers like Chocolatey on Windows and Yum on CentOS, and fully orchestrate servers and services. We can do something similar to keep our own personal computers’ software up to date using Chocolatey, and without all the orchestration tech we usually need. Basically, just a scheduled task that runs a Chocolatey script to keep our stuff up to date.
I get asked a lot which cloud provider I prefer, even by people who know me well, and the answer I give lately really surprises them, I think. My answer is: a combination of all of them and colocated environments. I think when it comes to the major players in the cloud world, namely GCP, Azure and AWS, most of the offerings are pretty much on par with each other. The preference people have really comes from trust in the company’s management of the environment, price, friendliness and familiarity of the interface, and clear visibility into what’s going on. Well, sure, but that’s only good as long as you’re only using one, and in many enterprises there are really good reasons to use a combination of cloud providers, combined with on-premise and colocated hardware. Some of these reasons include the risk to availability in extreme cases of global outages from a single provider (and there are examples of this in the past), and others include specific niche offerings that are only available from one provider and only used by a specific department. Let’s take a look at the tools some of the top technology companies use to manage their hybrid-cloud environments.
The panic and adventure start on a day like any other: I go to work, we have our daily standup, I write some code, and even answer a few emails. However, the next part really surprised me. I get a heads-up from a friend in one of our overseas offices alerting me that something really big just happened and to start poking around. As suggested, I check around with some of my colleagues in other offices, and sure enough, we shortly find out… our CTO just sent in his…
The most important thing in security and performance, more than anything else I’d say, is: measure, measure, measure, and when you have all the info, set up automatic measuring and alerts. We’ve already set up scanning for some basic things like malware, but there’s a lot more to scan for.
SSL / Encryption settings / strength
SSL Server Test from Qualys tests the SSL/TLS configuration of your website and provides a lot of detail about your encryption capabilities, known vulnerabilities and misconfigurations. Using the settings configured so far, your grade should be A+, but that can change as new threats are discovered, so you should check this regularly.
OpenSSL is a toolkit for generating and working with certificates, as well as a general-purpose cryptography library. It is a very powerful tool, which also means there are a lot of options, so here are a few commands I commonly find useful. We’ll cover some common OpenSSL commands to convert between certificate formats and containers, and getting a Let’s Encrypt certificate installed.
Combine a private key (.key) and its certificate carrying the public key (.crt) into a password-protected certificate archive in PKCS #12 format (.pfx):
openssl pkcs12 -export -out site.com.pfx -inkey site_com.key -in site_com.crt
Setting up Cloudflare
Sign up for a free account at https://www.cloudflare.com/.
Upgrading to Pro has some definite benefits
Add your site
As soon as you log in, you have the option of adding your first site.
Verify your DNS records
At the next step, Cloudflare will try to detect and import all your existing DNS records. You’ll next be changing your nameservers to Cloudflare’s, so make sure all your DNS records are present. There is an option to avoid this if the situation really requires it and proceed with CNAME records instead, but you’ll have to reach out to Cloudflare support to discuss those options.
Upgrade WordPress and any default plugins or themes that have updates
If you already have a theme you want to use, you can probably skip to the end of this section.
There are a bunch of great marketplaces; WordPress’s built-in one and ThemeForest.net are some of the best. Click on Appearance -> Themes.
I find WordPress to be sufficient for my needs for a blog, so it’s my go-to for a really simple site or blog. If custom logic is needed, it’s a no-go, and it’s all the way custom, based on what’s needed. “Right tech for the job.”
In this series I’ll show how to create a simple, fast and security-conscious blog.
Part 1: Hosting / installation
Part 2: Plugins, upgrading PHP, HTTP security headers
Part 3: Caching, WAF and Optimizations
Part 4: Monitoring and performance testing
Hosting / Installation
Azure, AWS and GCP have great free offerings for getting started, and a free tier that’s probably sufficient for small blogs. WordPress.com could be a good option as well. I prefer DigitalOcean in this case, because I have full control over the VM, it’s really cheap ($6/month), it’s a one-click deploy droplet, and it’s really fast. DigitalOcean also monitors security bulletins and sends me relevant info on vulnerabilities, so I can patch anything that’s needed, and they handle backups seamlessly.