Insights For Success

Strategy, Innovation, Leadership and Security

Threat

Google to protect users from IDN Homograph Attacks

GeneralEdward KiledjianComment
fire-and-water-2354583.jpg

What geeks call an International Domain Name Homograph Attack, the general public calls typo-squatting. This is when threat actors buy domain names that are close to popular ones hoping to trick users, examples:

  • gma1l.com instead of gmail.com

  • paypa1.com instead of paypal


To help protect users from these tricksters, Google is launching Navigation suggestions for lookalike URLs. Think of this as an AI powered auto-correct for URLs. This feature is in active experimentation in Canary 70 and should enter the mainstream version in the coming months. A google engineer even spoke about it at the Usenix conference.

usenix.PNG

If you are one of the courageous experimenters running Canary, you can enable this feature now using this flag:

chrome://flags/#enable-lookalike-url-navigation-suggestions

Find phishing and malware with a simple search

GeneralEdward KiledjianComment
cyber-security-1805246.png

A very important function of any information security team is threat intelligence. Threat Intel can be a complicated and costly service in some cases but can be as simple a running a simple search in other cases. Here is a trick to get you started with the simple and cheap function.

Did you know you can find lots of "fun" phishing and malware links using nothing more than a simple VirusTotal search? Search VirusTotal for Google Storage API (precooked link). 

Go down midway on the results page and voila.

VT1.PNG

The one I highlighted above takes you to a dropbox phishing site

VT2.PNG

Some may not be fully formed yet. Some may already be taken down but you can find some interesting opportunities for research. 

Simple "script kiddy" level Threat Intel for you.

Improve your internet security right now, easily and for free

GeneralEdward KiledjianComment
matrix-2953869_1920.jpg

Quad9 is a new DNS service launched by a non-profit consortium (founding members are IBM Security, Packet Clearing House & Global Cyber Alliance). The promise of the Quad9 DNS service is good security using the knowledge of some of the world's leading security research firms, by merely changing your default DNS server and ALL for free. 

The service is (not so creatively) called Quad9 because the DNS address is 9.9.9.9

Is the Quad9 service fast?


I used the free DNS Benchmark tool by Steve Gibson with connections from Canada, the USA, the UK and Switzerland. I performed ten tests from each region, and in every test, the Quad9 service was in the top 3 fastest DNS services available. In most cases coming in first. 

DNS1.png

Quad9 is lightning fast because they use anycast routing which automatically finds and uses the nearest DNS server to the user. 

At launch, the service is powered by 70 servers in 40 countries, but the intention (in 2018) is to grow the fleet to 160 servers.

So how does it improve my security?

So why should you switch from your existing DNS service to the free Quad9 DNS service? Quad9 is a security and privacy enhancing DNS service that delivers much more security than any other DNS service currently available to consumers (more than your ISP, OpenDNS, etc.)

Quad9 says " Quad9 blocks against known malicious domains, preventing your computers and IoT devices from connecting malware or phishing sites." The threat intelligence is provided by the IBM X-Force but also includes 18 additional threat feeds from partners. Typically companies would pay tens of thousands for this level of protection and they are offering it for free.

You can configure your home router to use Quad9 and all device inside your house would be automatically protected (including that cheap easy to hack $29 webcam you bought from a shady online reseller). 

If a device (using Quad9) tries to contact a "bad" site, they will get back an NX domain error code (aka not found). This is how they prevent devices from being directed to dangerous sites.

Remember that a known good site could have been compromised and therefore could attempt to pull content from a shady site. Quad9 will prevent this from happening. 

Quad9 will continue adding features to further improve your security.

What about false positives?


They maintain a list of the 1,000,000 most used sites on the internet as a whitelist. This means that they cannot (mistakenly) blacklist an important site and make it unavailable. 

It looks like a well designed and well thought out platform.

What about my privacy?

The first thing you should realise is that most home connection use the DNS services of their ISP, and I consider most ISPs as the least trustworthy operators in your computing chain. Most are willing to sell your data cheaply to anyone willing to buy it.

Quad9's privacy statement is clear "No personally identifiable information is collected by the system. IP addresses of end-users are not stored on disk or distributed outside of the equipment answering the query in the local data center. Quad 9 is a nonprofit organization dedicated only to the operation of DNS services. There are no other secondary revenue streams for personally identifiable data; and the core charter of the organization is to provide secure, fast, private DNS."

Conclusion

I switched to Quad9, and it has been everything they promised. I recommend everyone reading this switch and try it out. It is one more layer of protection, and this one is easy & free.