Ben Tasker's Blog

Spamhaus still parties like it's 1999

Details
Published: Wednesday, 16 October 2019 17:02
Written by Ben Tasker

I recently had visibility of a Spamhaus Block List (SBL) listing notification on the basis of malware being detected within a file delivered via HTTP/HTTPS.

As part of the report, they provide the affected URL (for the sake of this post we'll say it's https://foo.example.com/app.exe) along with details of the investigation they've done.

Ultimately that investigation is done in order to boil back to a set of IPs to add to their list.

Concerningly, this is, literally just 

dig +short foo.example.com

Which gives them output of the form

CNAME1
CNAME2
1.2.3.4
4.5.6.7

They then run a reverse lookup (using nslookup) on those IP addresses in order to identify the ISP. The IPs are added to the SBL, and a notification sent to the associated ISP.

In this case, the URL was a legitimate file, though it had been bundled with some software falling under the Possibly Unwanted Application (PUA) category. The point of this post, though, is not to argue about whether it should have been considered worthy of addition.

The issue is that Spamhaus' investigation techniques seem to be stuck in the last century, causing potentially massive collateral damage whilst failing to actually protect against the very file that triggered the listing in the first place.

In case you're wondering why Spamhaus are looking for malware delivery over HTTP/HTTPS, it's because the SBL has URI blocking functionality - when a spam filter (like SpamAssasin) detects a URL in a mail, it can check whether the hosting domain resolves back to an IP in the SBL, and mark as spam if it does (in effect limiting the ability to spread malware via links in email - undoubtedly a nice idea).

 

Just to note, although they make it difficult to identify how to contact them about this kind of thing, I have attempted to contact Spamhaus about this (also tried via Twitter too).

It also seems only fair (to Spamhaus) to note that I also saw a Netcraft incident related to the same file, and they don't even provide the investigative steps they followed. So not only might Netcraft be falling for the same traps, but there's a lack of transparency preventing issue from being found and highlighted.

Read more ...

Twitter Screws Up With Data It Shouldn't Hold

Details
Published: Wednesday, 09 October 2019 08:49
Written by Ben Tasker

I recently had a (NSFW) grumble about Twitter. Part of that grumble was about the fact that Twitter insist you provide a mobile phone number in order to re-instate your account after a suspension.

As part of my appeal against the suspension I noted that that's arguably not GDPR compliant - a phone number is (undoubtedly) PII, and is not required in order to provide the service. For Twitter to hold that number requires consent, and it's unlawful for them to withhold the service if consent is not given for non-essential data processing.

Part of the reason for my objection was because Social Media companies (in the form of Facebook) have already proven they cannot be trusted with things like mobile phone numbers.

Presumably Twitter weren't happy with the fact that I needed to use Facebook as an example, as they've now gone ahead and had a data processing screw up of their own.

Read more ...

Screenshot Social Media, Don't embed

Details
Published: Sunday, 22 September 2019 11:55
Written by Ben Tasker

Ever since the web was born, there have been concerns about preserving what's published on there for future generations. That's why things like the Wayback machine exist. Things like our approach, and concerns, around online privacy have also evolved with time.

But, the way we communicate on the web has changed pretty dramatically. Personal blogs are still a thing, but humanity has increasingly leaned towards communicating via social media - Twitter, Facebook etc. 

Now, we increasingly see news reports with embedded posts containing expert commentary about the topic of the news, and even reports about something someone has posted.

Those expert commentators are even occasionally being asked to change the way they tweet to make it easier for news sites to embed those tweets into their own stories (that request turned out to be from Sky News btw).

For all their many, many faults, the social media networks are a big part of how we communicate now, and posts on them are embedded all over the place.

This brings with it a number of avoidable, but major issues.

The aim of this post is to discuss those, and explain why you should instead be posting a screenshot of the tweet/post.

I'm going to refer to "Twitter" and "Tweets" a lot, purely because it's shorter than "Facebook" or "Social Media", but the concerns here apply across the board.

Read more ...

Brexit: My Predictions

Details
Published: Friday, 04 October 2019 10:33
Written by Ben Tasker

For the most part, I've managed to keep Brexit related posts off this site (if you follow me on Twitter, apologies - you'll know I've resolutely failed to stay out of the fold there). I have previously made my position fairly clear though.

As we approach end of days though, I thought it'd be interesting to get my thoughts and predictions down so that I can potentially look back and see how well they aged.

Although this post is quite long, my predictions are broken down into bulletpoints at the end.

Read more ...

Breaking the Google Addiction one step at a time

Details
Published: Tuesday, 10 September 2019 17:21
Written by Ben Tasker

Google isn't your friend. Google isn't my friend. Google is, and always has been, a data-whore.

But, still we use them and allow them to slurp up more and more data about us.

They're a bit like Amazon in that respect - you know they're an increasingly terrible company, but they're just so convenient and you keep on using them whilst ignoring the power they're amassing over the market.

But, it is something that's been concerning me more and more over the years.

We install adblockers, no-script and other extensions to add a fig-leaf to our privacy, or to try and avoid Google's user-hostile changes, yet we keep on using the same services. Even when they completely change the UI around on us, for no good reason, we still keep using their services.

I decided, quite a while ago, it was time I made a change, but then did very little, at least until recently.

As great as a "clean-break" might sound, going cold turkey off Google's services is never going to work - no model of user behaviour supports making massive jarring changes.

So I decided to start with the most obvious interaction with Google - their search engine. I don't have Google Home or similar, so my most frequent interaction with Google is search.

Read more ...

More Articles ...

  1. Twitter Jail: My Memoirs
  2. A small reminder of Legitimate URLs for my content
  3. Last Nights Storm
  4. The Curious Case of BitFi and Secret Persistence