Security and Privacy topics
Recently, there was a poorly written article in The New Straits Times, that suggested the Malaysian Police would know if you were watching porn online. Let me cut to the chase, the article is shit. The software in question, aptly named Internet Crime Against Children Child Online Protective Services (ICACCOPS) is used to detect Child Pornography, and Child Pornography only — as the name...
Gov-TLS-Audit got a brand new domain today. No longer is it sharing a crummy domain with sayakenahack (which is still blocked in Malaysia!), it now has a place to call it’s own. The domain cost me a whooping $18.00/yr on AWS, and involved a couple hours of registration and migration. So I felt that while migrating domains, I might as well implement proper security headers as well. Security...
Last week, MyNic suffered a massive outage taking out any website that had a .my domain, including local banks like maybank2u.com.my and even government websites hosted on .gov.my. Here’s a great report on what happened from IANIX. I’m no DNSSEC expert, but here’s my laymen reading of what happened: .my uses DNSSEC Up to 11-Jun,.my used a DNSKEY with key tag:25992 For some...
Ok, I’ve been pretty involved in the latest data breach, so here’s my side of the story. At around 11pm last Friday, I got a query from Zurairi at The Malay Mail, asking for a second opinion on a strange email the newsdesk received from an ‘anonymous source’. The email was regular vulnerability disclosure, but one that was full of details, attached with an enormous amount...
Couple months back I started GovTLSAudit. A simple service that would scan .gov.my domains, and report on their implementation of TLS. But the service seems to have benefits above and beyond that, specifically around having a list of a government sites that we can use to cross-check against other intel sources like Shodan (which we already do daily) and VirusTotal. So here’s 3 times...
If you’ve come here from a link on twitter — you’d see that the address bar still says login.astro.com.my, but the site is rendering this page from my blog. If not, click this link to see what I mean. You’ll get something like this: Somehow I’ve managed to serve content from my site on an astro domain. Rest assured, I haven’t ‘hacked’ astro servers...
I previously wrote about how data breaches are like diamonds: They’re not as rare as you think They’re worth far more to you than to a thief They last forever And the recent debacle over the Astro data breach epitomizes all of these characteristics. First off, Lowyat has already reported 3 big data breaches (at least by my count), and rest assured these won’t be the last. Data...
Last Month, I embarked on a new project called GovTLS Audit, a simple(ish) program that would scan 1000+ government websites to check for their TLS implementation. The code would go through a list of hostnames, and scan each host for TLS implementation details like redirection properties, certificate details, http headers, even stiching together Shodan results into a single comprehensive data...
Last week I launched a draft of the Gov.my Audit, and this week we have version 2.0 Here’s what changed: Added More Sites. We now scan a total of 1324 government websites, up from just 1180. Added Shodan Results. Results includes both the open ports and time of the Shodan scan (scary shit!) Added Site Title. Results now include the HTML title to give a better description of the site...
I keep this blog to help me think, and over the past week, the only thing I’ve been thinking about, was sayakenahack. I’ve declined a dozen interviews, partly because I was afraid to talk about it, and partly because my thoughts weren’t in the right place. I needed time to re-group, re-think, and ponder. This blog post is the outcome of that ‘reflective’ period. The...