Monday, December 30, 2013

Using OpenDNS

One of the main avenues for distributing malware is the Web: an e-mail contains a link, which is clicked and *bam*, the machine is infected. The mechanics are usually similar across the various strains: the website is accessed, a client-side exploit downloads a piece of malware, which executes and connects to a site to get its instructions or dump its payload.

A common theme is the use of DNS to resolve a name to an IP address: some names have hundreds of "A" records, corresponding to as many compromised machines. A freshly infected system will try to resolve one of these, then connect and proceed as explained above.

Numerous open source initiatives exist to maintain lists of these "bad domains" or "malware domains". The best known is the Malware Domain List, which is published in several formats (csv, hosts, ...) that can be used to generate a DNS or proxy blacklist, firewall rules and so forth.

However, this requires that you have either your own DNS or proxy server, or a firewall that supports an automated way of importing the list, which is not always possible. In addition, such a list covers only malware: there is no categorization, for instance. And unless you add more tools, you have little to no visibility into what is being dropped.

This is where OpenDNS comes into play. The service presents itself as a traditional DNS server (two, in fact) that people can use instead of their own: as a forwarder in a corporate server, or as the DNS server configured in a small router or host. Immediately, lookups of known malware domains are dropped and return the IP of a server operated by OpenDNS, which informs the user that the attempted resolution was nefarious. This also covers typos (mircosoft.com instead of microsoft.com).

But the real power of OpenDNS starts when you register for an account, even a free one. You then get access to domain filtering by category (have you ever wanted to drop all those adware sites?) and to statistics. Note that statistics collection is disabled by default.

These consist of the number and type of resolutions, presented hour by hour, the number of unique domains resolved, the list of resolved domains with how many times each was requested over the selected period (a day or several days), and the list of blocked domains together with the reason for blocking.
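The two mechanisms described above, building a sinkhole blacklist from a hosts-format "malware domains" list and then reporting which lookups were blocked and why (malware list or typo of a well-known name), as an added example that is not part of the original post and not OpenDNS's code. It assumes dnsmasq's address=/domain/ip syntax for the generated entries; the domain list, query log lines, protected names and the sinkhole address (from the RFC 5737 documentation range) are all constructed sample data.

```python
"""Added example (not the page's or OpenDNS's code): a minimal DNS-query
checker that combines a hosts-format malware domain list with a typo check,
produces dnsmasq-style sinkhole entries, and summarises blocked lookups the
way a resolver's statistics page would. All domains, IPs and log lines are
constructed sample data."""
from collections import Counter

# Constructed sample in the "hosts" format that lists such as the Malware
# Domain List publish: "<ip> <domain>", with comments and blank lines.
SAMPLE_HOSTS_LIST = """\
# constructed sample, not a real list
127.0.0.1  evil-dropper.example
127.0.0.1  cnc.badhost.example
0.0.0.0    ads.tracker.example   # adware category
"""

# Constructed sample of resolver query logs: "<client> <queried name>".
SAMPLE_QUERY_LOG = """\
10.0.0.5 www.microsoft.com
10.0.0.5 update.cnc.badhost.example
10.0.0.7 mircosoft.com
10.0.0.7 evil-dropper.example
10.0.0.9 www.example.org
10.0.0.5 evil-dropper.example
"""

# Placeholder sinkhole address from the RFC 5737 documentation range;
# a real deployment points this at the block-page server it controls.
SINKHOLE_IP = "192.0.2.1"

# Constructed list of high-value names to protect against typo-squats.
PROTECTED = {"microsoft.com", "example.org"}


def parse_hosts_list(text):
    """Return the set of domains from a hosts-format block list."""
    domains = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) >= 2:
            domains.add(parts[1].lower().rstrip("."))
    return domains


def is_listed(name, blocklist):
    """True if name or any parent domain is on the list (subdomain match)."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def edit_distance(a, b):
    """Levenshtein distance, used for a crude typo-squat check."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def typo_of(name, protected, max_distance=2):
    """Return the protected domain that name looks like a typo of, else None."""
    base = name.lower().rstrip(".")
    if base.startswith("www."):
        base = base[4:]
    for good in protected:
        if base != good and edit_distance(base, good) <= max_distance:
            return good
    return None


def block_reason(name, blocklist, protected):
    """Classify a queried name: 'malware', 'typo', or None if allowed."""
    if is_listed(name, blocklist):
        return "malware"
    if typo_of(name, protected):
        return "typo"
    return None


def dnsmasq_entries(blocklist, sinkhole=SINKHOLE_IP):
    """Render address=/domain/ip lines; dnsmasq applies them to subdomains too."""
    return [f"address=/{d}/{sinkhole}" for d in sorted(blocklist)]


def summarise(log_text, blocklist, protected):
    """Per-domain query counts plus the blocked names, why, and which clients."""
    counts = Counter()
    blocked = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, name = line.split()
        counts[name] += 1
        reason = block_reason(name, blocklist, protected)
        if reason:
            blocked.setdefault(name, {"reason": reason, "clients": set()})
            blocked[name]["clients"].add(client)
    return counts, blocked


if __name__ == "__main__":
    bl = parse_hosts_list(SAMPLE_HOSTS_LIST)
    print("\n".join(dnsmasq_entries(bl)))
    counts, blocked = summarise(SAMPLE_QUERY_LOG, bl, PROTECTED)
    for name, info in blocked.items():
        print(f"BLOCKED {name}: {info['reason']} from {sorted(info['clients'])}")
```

The subdomain match in is_listed matters because infected hosts rarely query the bare listed name; the typo check is deliberately crude (edit distance of at most 2 against a short protected list) and is there to show the category, not to replace a curated typo-squat feed.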

The OpenDNS team is constantly implementing new features, and there is an "idea bank" where users can submit proposals or requests, such as filtering based on the geolocation of the returned IP, or more logging and alerting.

But what good does it do if the only thing you can see is that "a machine in your network attempted to resolve a known bad name"? That is why they developed an agent to install on end machines: it forces resolution to go through OpenDNS and provides more information, allowing quick identification of the systems involved.

OpenDNS also offers other services, such as a web filtering proxy and more.

All in all, this is a really nice service to use. It is not expensive at all and can genuinely complement a security solution by providing an additional filtering layer.


Tuesday, December 24, 2013

UK finally pardons Alan Turing

Alan Turing was a genius, with accomplishments spanning multiple domains such as mathematics, computer science, cryptography and more. Without him, WWII would have taken a whole different turn and may have ended with the Nazis winning. Nothing less.

However, his "crime" was that he was gay in the UK in the fifties: the UK only officially made homosexual relations legal in 1967. As such, Alan Turing was forced to undergo hormone therapy to "suppress his urges."

Queen Elizabeth II finally pardoned Alan Turing.

Wednesday, December 11, 2013

Friday, December 6, 2013

Tuesday, December 3, 2013

Applying Computer Science skills to Medicine and Biology

Interesting story: after her husband fell ill, a computer scientist started applying her natural language processing skills to parse texts and papers, and has drawn some conclusions. You may find her paper on her MIT page.