CategoryMisc

Just a collection of stuff (mostly from my old blog)

GitHub webhooks with Serverless

G

GitHub Webhooks with Serverless

Just because you have webhook, doesn’t mean you need a webserver.

With serverless AWS Lambdas you’ve got a free (as in beer) and always on ability to receive webhooks callbacks without the need for pesky servers. In this post, I’ll setup a serverless solution to accept incoming POST from a GitHub webhook.

govScan.info now has DNS records

g

DNS Queries on GovScan.Info This post is a very quick brain-dumpĀ  of stuff I did over the weekend, in the hopes that I don’t forget it :). Will post more in-depth material if time permits over the weekend. govScan.info, a site I created as a side hobby project to track TLS implementation across .gov.my websites — now tracks DNS records as well. For now, I’m only tracking MX, NS...

Supply Chain Woes

S

The security community has been abuzz with an absolutely shocker of story from Bloomberg. The piece reports that the Chinese Government had subverted the hardware supply chain of companies like Apple and Amazon, and installed a ‘tiny chip’ on motherboards manufactured by a company called Supermicro. What the chip did — or how it did ‘it’ was left mostly to the...

Hosting a static website on S3 and Cloudflare

H

Hosting an S3 site via Cloudflare From my previous post, you can see that I hosted a slide show on a subdomain on hitbgsec.keithrozario.com. The site is just a keynote presentation exported to html format, which I then hosted on an S3 bucket. The challenge I struggled with, was how to point the domain which I hosted on Cloudflare to the domain hosting the static content. The recommended way is to...

Keith’s on #HITBGSEC

K

I haven’t blogged in a long while — but I have a good(ish!) excuse. I spent most of August prepping for the #HITBGSEC conference in Singapore. It was my first time presenting at a security conference, and I had an absolute blast. The output of the countless hours I spent is in the embedded youtube video below, and the presentation material can downloaded here[.key] and a html version...

Why my people will never be Ministers

W

As Malaysians woke up today, to a brand new cabinet of Ministers, many have already begun expressing their dissatisfaction on the lineup. I know better than to wade into these politically charged discussions — but I will point out that my people have long been overlooked for Ministerial positions. Who are ‘my people’ you ask… Hackers. Or if you prefer a less negative word...

Gov TLS Audit has a website!

G

Gov TLS Audit finally has a website to complement the API. I used the services of a guy from fiverr to code the site, it isn’t the best design in the world, but it’s good enough for now. The site allows you to query a site and view the historical details of a particular .gov.my website. The full list of .gov hostnames can be found here. It also links to the full daily scan outputs (in...

First I deleted my most popular tweet — then I deleted 2000 more.

F

Two weeks ago, I rage-tweeted something regarding Malaysian politics that got a lot more viral than I liked (I’ve censored out the profanity for various reasons, most notably, there are teenagers who read this blog). It was a pointless collection of 200 characters, that somehow resonated with people enough to be shared across social media. Obviously, since it was me, the tweet was filled...

Why we need centralized breach notification

W

Let’s start with the basics. Data Breaches are common — and will continue to be the norm. How the App Economy and Big Data ruined it As we shifted towards the ‘App-Economy’ and ‘Big-Data’ (circa 3 years ago), consumers begun sharing more data with more apps. Everyone and their granny, wanted to create a new app, and everyone was told to collect as much data as...

I scanned 1000 government sites, what I found will NOT shock you

I

Previously, I moaned about dermaorgan.gov.my, a site that was probably hacked but was still running without basic TLS. This is unacceptable, that in 2018, we have government run websites, that ask for personal information, running without TLS. So I decided to check just how many .gov.my sites actually implemented TLS, and how many would start being labled ‘not secure’ by Google in...