Category Archives: Network Security

Power outages, mud and slow internet

ITSec Challenges in a less developed country

It is a strange feeling when the tour book is strangely correct about your holiday location. There really is only 1 international ATM for an island of 330,000 people. The power goes out, a lot. The police take up, um, “road side collections” and can be quite heavily armed. I don’t know when I felt more scared, being sued last year or when my father-in-law politely drove off after refusing to pay an on-the-spot fine/bribe. Tanzania, like any other country, has challenges. Some are quite frustrating to IT goals, such as extremely expensive, low quality, slow internet service, or frequent outages and unstable electricity. It is still possible to have the technology necessary to run an organization in this harsh IT environment.

Friendly tips for basic IT sanity in Tanzania

  1. Don’t expect clean, stable electricity all the time.
    1. Use uninterruptible power supplies on all your desktops.
    2. Have building battery backups or a generator with fuel.
    3. Always connect your electronics to a power strip that is at least a surge protector.
  2. Expect to lose your stuff.
    1. Any country where the majority of the population lives on about $1.70 a day gives rise to desperation and petty theft.
    2. Employees can be easily bribed by your competition. Pay and treat them well.
    3. Encrypt your drives, from hard drives to SD cards. It is far better to lose a smartphone whose data is encrypted than one with sensitive or embarrassing information on it that anyone can read.
    4. The weather and environment are harsh; plan for hardware failures.
  3. Limited number of talented IT technologists
    1. One of the islands we visited, part of Zanzibar, received electricity in 2010. Schools near Dar es Salaam have no desks, let alone electricity. Computer technology is new here.
    2. Learn some Swahili; it will help you explain issues. Google Translate for Swahili is in its infancy and cannot currently be relied upon.
    3. Research your staff or support company well. There are very few options, but ask around before you sign any contract or make a new hire.
  4. Bandwidth is not up to European standards.
    1. Some Europeans and Asians have the good life when it comes to the internet: lightning fast speeds and great quality. This is Africa.
    2. Expect to pay a lot for any internet services.
    3. Have a backup provider just in case yours fails.
    4. Do not take the cheapest unless it is a promotional deal from a reputable provider.
    5. Use a router/modem that also has a 3G or higher backup connection. This can keep your office or you up and running if your provider loses power.
  5. Cost and availability
    1. What is available in other parts of the world might not be in Africa.
    2. High end hardware or software might not be sold or supported here due to the lack of a customer base.
    3. If you must import hardware, bring spares.
  6. Security
    1. Availability: back up to a mirrored drive and save to the cloud, uploading and synchronizing as required. Use more than 1 DNS provider and do not rely solely on your ISP.
    2. Integrity: lock down those USB drives and use end point protection.
    3. Confidentiality: install encryption software for hard drives, cloud backups and email. The government, and possibly others, most likely monitor unencrypted communications.

Tanzania and similar countries are challenging but can yield successful IT implementations. Few places in the world make the challenge so worthwhile: beaches, live coral, lions, elephants, galloping giraffes and the Rift Valley. The people are generally happy, and there is beautiful terrain, enticing lagoons and rich cultures.

I didn’t plan on spending my New Year’s Eve covered with mud after trying to push an SUV out of an impassable road. Luckily someone came along with a shovel by chance within an hour. Our rescuers tried to tow us out, but the rope broke. Although it was the best New Year’s Eve ever, we could have avoided the mud baths if we had packed a rope and a shovel.

Blacklists and other Internet resources – please share your favourites

Last month I had promised some commenters and readers I would publish some of my blacklists when I got home. In my defence, I’m still not home, but I organised some of my blacklists and other resources anyway. The list published below is a small collection from people I have met (CL, merci) who have shared their lists with me. Chris’ list is not comprehensive, but it is a good starting point for organising, with examples. The document can easily be rearranged for you or your organisation.

The list can be a basis for scraping data into ArcSight via a Flex Connector to update suspect lists or blacklists (active lists, metrics for reports, trends). They can also be used with built-in tools in ArcSight or similar products with a small amount of scripting. ArcSight has a built-in WhoIs search tool; using similar parameters you can build a Google Safe Search Diagnostics tool based on IP or domain, or perhaps search VirusTotal. The information can also be added to intelligent web proxy servers. This is ideal since about 80% of traffic now goes over HTTP/HTTPS, and web proxy servers are a major egress point in the perimeter.

This type of list can be helpful in operations when analysts need to find, use and reference resources quickly. It can be used to build a department favourites list or internet-based tools list. Also, information security websites are often flagged and filtered by web proxy servers or anti-virus software. For example, I spoke at 28C3 (CCC) last year and the anti-virus on my laptop was Comodo. The anti-virus software blocked the 28C3 and affiliated Chaos Computer Club websites even after I disabled its DNS feature, physically pointed my DNS elsewhere and examined my hosts file. I had to reinstall a fresh OS to access the Chaos Computer Club websites. This type of list can be used to add exclusions to anti-virus or filters for legitimate resources used by the security team or other similar departments.

Screenshot of example form below.

Chris’ Internet resource list

SHA256: a411c88cd1c5b02fa0a7a95a9c26e5335b15e73db94f8f16edeaf1c251de2e4f

Blank Internet resource list

MD5: 46553f361006335927aa12849b83464c

SHA-1: 51a26581dccc50eede954b82736799fb7ad6b3a5

SHA256: 24dc6625118799bfa7041ef72d3542f883b73d620afbd6a7ab673643be34a7dc

If you need this form in a different format, please ask and I will try to accommodate, e.g. for Open Office.

Please add to the form and comment. My list is Europe- and North America-centric; we would love other regional lists. Any other associated information is welcome.
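As an added example (not code from this post, from Chris’ form or from ArcSight), here is a small Python script covering two practical steps around a list like this: checking a downloaded copy against a published digest such as the SHA256 values above, and turning the list’s entries into per-indicator lookup URLs in the way the post describes for a WhoIs-style tool keyed on IP or domain. The CSV layout, the resource names and the `.invalid` URL templates are constructed assumptions; a real list would first need exporting into this shape.

```python
import csv
import hashlib
import hmac
import io
import ipaddress
import re
from urllib.parse import quote

# Constructed sample in the spirit of the post's resource form. Column names,
# resource names and URL templates are assumptions, not the contents of Chris' list.
SAMPLE_RESOURCE_CSV = """name,category,lookup_type,url_template
Example WhoIs,whois,ip,https://whois.example.invalid/lookup?q={indicator}
Example IP Reputation,reputation,ip,https://rep.example.invalid/ip/{indicator}
Example Domain Reputation,reputation,domain,https://rep.example.invalid/domain/{indicator}
Example Hash Search,malware,hash,https://hash.example.invalid/{indicator}
Example Blacklist Feed,blacklist,feed,https://feed.example.invalid/blacklist.txt
"""

# MD5, SHA-1 or SHA-256 hex digests; DNS hostnames per the usual label rules.
HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.IGNORECASE)
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.IGNORECASE
)


def verify_digest(data: bytes, expected_hex: str, algorithm: str = "sha256") -> bool:
    """Compare a downloaded file against a published digest (like the SHA256 values in the post)."""
    actual = hashlib.new(algorithm, data).hexdigest()
    # Constant-time compare avoids leaking how many leading characters matched.
    return hmac.compare_digest(actual.lower(), expected_hex.strip().lower())


def classify(indicator: str):
    """Return 'ip', 'hash', 'domain' or None for an analyst-supplied indicator."""
    value = indicator.strip()
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        pass
    if HASH_RE.match(value):
        return "hash"
    if DOMAIN_RE.match(value):
        return "domain"
    return None


def load_resources(csv_text: str):
    """Parse the resource list; each row keeps the header names as keys."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def lookup_urls(indicator: str, resources):
    """Build the lookup URLs that apply to this indicator's type, WhoIs-tool style."""
    kind = classify(indicator)
    if kind is None:
        return []
    safe = quote(indicator.strip(), safe="")  # never splice raw input into a URL
    return [
        (row["name"], row["url_template"].format(indicator=safe))
        for row in resources
        if row["lookup_type"] == kind
    ]


if __name__ == "__main__":
    resources = load_resources(SAMPLE_RESOURCE_CSV)
    for ioc in ("203.0.113.5", "www.example.com", "d41d8cd98f00b204e9800998ecf8427e"):
        for name, url in lookup_urls(ioc, resources):
            print(f"{ioc:40} {name:28} {url}")
```

Feed-type rows carry no placeholder and are skipped by `lookup_urls`; they are the entries you would hand to a Flex Connector or proxy import instead.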

FBI DNS Changer Deadline Extended to 9 July, 2012

The US FBI was granted an extension of the court order to maintain control of the DNS Changer IP ranges until 9 July, 2012. This extension was granted because a large number of computers and routers were still making DNS requests to these IP ranges. According to The Register, a research group called IID found about 18.8% of all US Fortune 500 companies surveyed were affected on 23/02/2012. This is a substantial decrease, down from 50% of US Fortune 500 companies in January 2012 based on a previous study by IID.
The FBI court order might not be extended again due to the substantial decrease in the number of USA-based suspected infections. Conversely, our group has observed suspected infections in approximately 25% of the networks we advise and consult for in Europe, Africa, the Middle East and Asia Pacific. Infections in the USA might be dropping; however, too many non-USA geo-located IPv4 sources remain infected. The majority of identified assets were fully updated and patched end point assets, critical servers with up-to-date anti-virus software, or routers with modified configuration files.

Why do so many suspected infections remain?

  1. Over-reliance on anti-virus software.
    1. A clean anti-virus scan does not equate to a clean asset; it just means that this version from this vendor was unable to find an infection at this time. Malware can be written specifically to evade or disable certain features of anti-virus software.
  2. Inability to understand the risks of allowing external DNS requests to untrusted locations.
    1. You wouldn’t knowingly ask the enemy for directions to your own ambush. The same principle applies to allowing, or not investigating, external DNS requests to untrusted or suspected malicious DNS servers.
    2. Also, just because a firewall dropped outbound activity does not mean there is no risk to the network. You still have a suspected infected machine that requires investigation.
  3. Inability to find the end points due to short TTLs in large DHCP-based networks or other issues.
    1. Finding end points has been a big challenge for our clients. Their networks have grown or merged, in many cases without full documentation or change control. This is a huge gap in security for many, but one that can be easily remedied through documentation and network mapping applications.
  4. Lack of time or fiscal budget to properly review logs.
    1. Please review your firewall and proxy drops; this is very, very important.

If your organization has assets making DNS requests to the FBI-controlled IP ranges related to DNS Changer, they need to be investigated. In large networks with many possible infections we start in the following order:

  1. Revise firewall or other perimeter controls to stop more assets making suspect requests, i.e. close the hole.
  2. Investigate all assets which successfully made DNS requests.
  3. Investigate assets attempting to make DNS requests, by frequency and criticality of the asset.
    1. If the asset in question is a critical router or server, especially a DNS server, open an incident immediately, as further compromise of the network is suspected.
    2. If one asset is making 1000 DNS requests while another made 25, investigate the more active asset first.
    3. Review the configuration file of routers which might be compromised and check the DNS settings.

Reporting can be your friend and can lead to pro-activity, i.e. don’t wait for your anti-virus to alert you to an infected machine. For example, we wrote a very basic series of ArcSight reports which run on a daily basis:

  1. All assets successfully making DNS requests to the FBI DNS Changer IPv4 ranges.
  2. All assets attempting to make DNS requests to the FBI DNS Changer IPv4 ranges, sorted Z-A so that the assets making the most DNS requests appear at the top of the report, with a bar graph.
    1. Using graphs can help visualize the problem to management and gain their buy-in. Looking at the problem from a business standpoint does not make you less technical but better at communicating the issue to those that approve budgets, staff and possibly investigations.
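To make the triage order above and the two daily reports concrete, here is an added Python example (not the post’s ArcSight reports or any vendor code) that runs the same logic over a few constructed firewall log lines: it keeps only port-53 traffic to the suspect ranges, lists assets whose requests were allowed through, ranks every asset that tried by request count, and flags critical assets from a constructed inventory for an immediate incident. The key=value log format, the inventory and the RFC 5737 placeholder ranges are assumptions; the FBI-controlled DNS Changer ranges themselves are not given on this page and must be substituted from the published notice.

```python
import ipaddress
import re
from collections import Counter

# Placeholder ranges (RFC 5737 documentation networks). The post does not list the
# FBI-controlled DNS Changer ranges, so none are reproduced here; substitute the
# published ones before use.
SUSPECT_DNS_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")]

# Constructed asset inventory (source IP -> asset class) standing in for the
# documentation or network map the post says many clients lack.
ASSET_INVENTORY = {
    "10.1.0.1": "router",
    "10.1.4.22": "workstation",
    "10.1.7.7": "server",
    "10.1.9.5": "workstation",
}
CRITICAL_CLASSES = {"router", "server", "dns-server"}

# Constructed firewall log lines in a generic key=value form, not any vendor's real format.
SAMPLE_LOG = """\
2012-03-01T08:01:02Z fw01 action=allow src=10.1.4.22 dst=203.0.113.17 proto=udp dport=53
2012-03-01T08:01:05Z fw01 action=drop src=10.1.4.22 dst=203.0.113.17 proto=udp dport=53
2012-03-01T08:02:11Z fw01 action=drop src=10.1.9.5 dst=198.51.100.9 proto=udp dport=53
2012-03-01T08:02:12Z fw01 action=drop src=10.1.9.5 dst=198.51.100.9 proto=udp dport=53
2012-03-01T08:02:13Z fw01 action=drop src=10.1.9.5 dst=198.51.100.9 proto=udp dport=53
2012-03-01T08:03:40Z fw01 action=drop src=10.1.0.1 dst=203.0.113.40 proto=udp dport=53
2012-03-01T08:04:00Z fw01 action=allow src=10.1.4.22 dst=192.0.2.53 proto=udp dport=53
2012-03-01T08:04:30Z fw01 action=drop src=10.1.7.7 dst=203.0.113.17 proto=tcp dport=80
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<kv>.+)$")


def parse_line(line):
    """Turn one log line into a dict of fields, or None if it does not fit the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = {"ts": m.group("ts"), "host": m.group("host")}
    for token in m.group("kv").split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields


def is_suspect_dns_request(ev):
    """True for DNS (port 53) traffic whose destination falls in a suspect range."""
    try:
        dst = ipaddress.ip_address(ev.get("dst", ""))
    except ValueError:
        return False
    return ev.get("dport") == "53" and any(dst in net for net in SUSPECT_DNS_RANGES)


def triage(log_text, inventory=ASSET_INVENTORY):
    """Produce the two reports from the post plus the immediate-incident list."""
    events = [ev for ev in map(parse_line, log_text.splitlines())
              if ev and "src" in ev and is_suspect_dns_request(ev)]
    # Report 1: assets whose requests got through the firewall.
    successful = sorted({ev["src"] for ev in events if ev.get("action") == "allow"})
    # Report 2: every asset that tried (allowed or dropped), most active first.
    attempts = Counter(ev["src"] for ev in events)
    attempted_by_count = sorted(attempts.items(), key=lambda kv: (-kv[1], kv[0]))
    # Critical infrastructure gets an incident regardless of request count.
    incidents = sorted(src for src in attempts if inventory.get(src) in CRITICAL_CLASSES)
    return {"successful": successful, "attempted_by_count": attempted_by_count, "incidents": incidents}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print("Open incidents now:", report["incidents"])
    print("Successful DNS requests:", report["successful"])
    for src, count in report["attempted_by_count"]:
        print(f"{src:15} {count:4} {ASSET_INVENTORY.get(src, 'unknown')}")
```

Dropped requests are counted on purpose: as the post says, a firewall drop removes the traffic, not the suspected infection. The last sample line (non-DNS traffic to a suspect address) is deliberately left out of these reports, since the post’s reports are scoped to DNS requests; a separate report for any contact with the ranges would be a natural addition.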

If you have any questions, concerns or techniques which have been successful in your organization please feel free to share them.