DNS with Pi-Hole + DNSCrypt

This is a follow on post from Using a Pi-hole to fight phishing.

I already had Pi-Hole running. It’s a fantastic tool for several reasons, namely:

  • Allows you to block adverts and malware at a DNS level. This is much more effective than using ad-blockers. All devices on the network can be protected using this measure (as opposed to say just a browser on a single desktop PC).
  • Allows you to block additional sites which you want.
  • Gives you visibility of what is happening on your own network.
  • Allows you to leverage more secure DNS technologies such as DNS-over-HTTPS (DoH) for all devices.

My instance was running alongside the cloudflared proxy so that my external DNS requests took place over DoH. However, I had an issue where my connection seemed to drop or hang randomly, which started driving me up the wall somewhat. After further investigation I found the root cause to be the DNS requests to Cloudflare.

So I did some digging around and came across a recommendation to use dnscrypt-proxy instead of cloudflared. After looking at it, I found it a better solution: not only does it support DoH and DNS over TLS (which cloudflared does as well), it also supports DNSCrypt, so it is more versatile than cloudflared. Additionally, while I admire what Cloudflare does and provides, I would like to move away from a single vendor for this type of thing, and have something which makes it easy to switch my external DNS resolver.

dnscrypt-proxy

Steps to install dnscrypt-proxy are pretty straightforward:

  1. Change the current directory to /opt: cd /opt
  2. Download the latest version: sudo wget https://github.com/DNSCrypt/dnscrypt-proxy/releases/download/2.0.39/dnscrypt-proxy-linux_arm64-2.0.39.tar.gz
  3. Unarchive the downloaded archive: sudo tar -xvzf ./dnscrypt-proxy-linux_arm64-2.0.39.tar.gz
  4. Remove the downloaded archive: sudo rm dnscrypt-proxy-linux_arm64-2.0.39.tar.gz
  5. Rename the unpacked directory (the arm64 archive from step 2 unpacks to linux-arm64): sudo mv ./linux-arm64 ./dnscrypt-proxy
  6. Change directory to dnscrypt-proxy: cd dnscrypt-proxy
  7. Create configuration from an example: sudo cp ./example-dnscrypt-proxy.toml ./dnscrypt-proxy.toml
  8. Edit the configuration:
    server_names = ['cloudflare'] # you can change this; get a list of names from https://dnscrypt.info/public-servers
    listen_addresses = ['127.0.0.1:54']
  9. Install dnscrypt-proxy as a service: sudo ./dnscrypt-proxy -service install
  10. Start dnscrypt-proxy: sudo ./dnscrypt-proxy -service start

Pi-hole

Steps to install Pi-hole are pretty straightforward as well:

  1. In your home directory, clone the Pi-hole repository: git clone --depth 1 https://github.com/pi-hole/pi-hole.git Pi-hole
  2. Change directory to the install directory: cd "Pi-hole/automated install/"
  3. Run the installation script: sudo bash basic-install.sh
  4. Accept the defaults. You will have to choose an upstream name server; pick any from the list (this will be changed later).
  5. Log into the Pi-hole Admin Web UI.
  6. Navigate to the Settings tab.
  7. Click on the DNS tab.
  8. Uncheck any Upstream DNS Servers which are selected, check Custom 1 (IPv4), and set its value to 127.0.0.1#54.
  9. Save the changes.
  10. Test your setup: dig @<pi-hole_ip> www.google.com (where <pi-hole_ip> is the IP address of your Pi-hole server).
  11. If you want to set up TLS for your admin web UI, edit the file /etc/lighttpd/external.conf:
$HTTP["host"] == "<enter-appropriate-hostname>" {
  # Ensure the Pi-hole Block Page knows that this is not a blocked domain
  setenv.add-environment = ("fqdn" => "true")

  # Enable the SSL engine with a LE cert, only for this specific host
  $SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    ssl.pemfile = "<certificate-and-private-key>"
    ssl.ca-file =  "<ca-cert>"
    ssl.honor-cipher-order = "enable"
    ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
    ssl.use-compression = "disable"
    ssl.use-sslv2 = "disable"
    ssl.use-sslv3 = "disable"
  }

  # Redirect HTTP to HTTPS
  $HTTP["scheme"] == "http" {
    $HTTP["host"] =~ ".*" {
      url.redirect = (".*" => "https://%0$0")
    }
  }
}
  12. Restart lighttpd: sudo systemctl restart lighttpd
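As an added example (not part of the original post), here is a stdlib-only Python script that does what the dig test in step 10 does, but also interprets the answer: it sends an A query to the Pi-hole (or, with port 54, straight to dnscrypt-proxy) and reports whether the name was sinkholed. It assumes Pi-hole's default NULL blocking mode, which answers 0.0.0.0 for blocked names; an NXDOMAIN reply is treated as blocked as well, for installations using that mode.

```python
"""Query the Pi-hole directly and report whether it sinkholed the name.
Added example; assumes Pi-hole's default NULL blocking mode (0.0.0.0)."""
import socket
import struct

def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a single-question DNS A/IN query with recursion desired."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("idna")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def _skip_name(msg: bytes, pos: int) -> int:
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = msg[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes end the name
            return pos + 2
        pos += 1 + length

def parse_response(msg: bytes) -> dict:
    """Return the transaction id, rcode and A records of a DNS response."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    pos = 12
    for _ in range(qd):
        pos = _skip_name(msg, pos) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        pos = _skip_name(msg, pos)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[pos:pos + 4]))
        pos += rdlen
    return {"id": txid, "rcode": flags & 0x000F, "addresses": addrs}

def classify(result: dict) -> str:
    """Map a parsed answer to the outcome Pi-hole produced."""
    if result["rcode"] == 3:
        return "blocked (NXDOMAIN)"
    if result["addresses"] and all(a == "0.0.0.0" for a in result["addresses"]):
        return "blocked (sinkholed to 0.0.0.0)"
    if result["rcode"] == 0 and result["addresses"]:
        return "allowed"
    return "unexpected (rcode %d, %d A records)" % (
        result["rcode"], len(result["addresses"]))

def check(pihole_ip: str, name: str, port: int = 53, timeout: float = 3.0) -> str:
    """Send the query over UDP to the Pi-hole and classify the reply."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (pihole_ip, port))
        reply, _ = sock.recvfrom(512)
    if reply[:2] != query[:2]:
        raise ValueError("transaction id mismatch")
    return classify(parse_response(reply))

if __name__ == "__main__":
    import sys
    # usage: python3 pihole_check.py <pi-hole_ip> <domain> [port]
    print(check(sys.argv[1], sys.argv[2], int(sys.argv[3]) if len(sys.argv) > 3 else 53))
```

Run it once against a domain you expect to resolve and once against a domain you know is on one of your lists; the second should come back as blocked.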

This is a slightly modified copy of a post which is available at: https://blog.sean-wright.com/dns-with-pi-hole-dnscrypt/

Note: The Cyber Volunteer 19 team recommend this setup for HOME use only. Hospitals and healthcare providers should use business class solutions for DNS services and protective DNS.

Using a Pi-hole to fight phishing

Introduction

Due to recent events related to COVID-19, some Health Centres in Europe have fallen victim to ransomware attacks. Phishing is often the first channel used to spread ransomware, so here are some suggestions to block web browsing to phishing sites even if users have clicked on emailed phishing links.

In my personal journey of learning about this technology, some time ago I installed Pi-hole ad blocking on my Raspberry Pi to avoid annoying adverts when browsing the net from home. Pi-hole has more powerful applications as well, such as adding other types of blacklists to the Pi-hole, and a phishing site blacklist could be one of them.

The chain

The chain to follow to transform your Pi-hole into a DNS that blocks phishing links is pretty easy:

  1. Download and install Pi-hole; there are many guides on the Internet, depending on where you want to install it, here’s one for Raspberry.
  2. Add the phishing list to the adlists.list file of your Pi-hole installation.
  3. Update your Gravity list.
  4. Report and vote for phishing sites.
  5. Check that Pi-hole blocks the right DNS queries.

As stated, the first step is pretty simple, yet it is off topic here (ping the author if you have trouble with the installation), so let's move directly to the second point.

Add phishing list

I recently found a very good project that updates a phishing blacklist every 6 hours. This list can be added to your own Pi-hole installation to block phishing sites. It is called Phishing Army and it builds its lists from 3 sources:

Add Phishing Army blacklist to your Pi-hole

To add the Phishing Army blacklist to your Pi-hole, simply append the list URL to the /etc/pihole/adlists.list file of your Pi-hole installation. Connect to the Pi-hole via ssh and type this command:

# vim /etc/pihole/adlists.list

Paste the link at the bottom of your list file, then write and quit.

Update your Gravity list

Now you have to update the Gravity blacklist by typing the command:

# pihole -g
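Before waiting for a gravity update, it can help to know whether the host from a reported phishing URL is actually on the list you added. The following is an added example (not code from the original post or from the Pi-hole or Phishing Army projects): it parses a blocklist in the two line formats gravity accepts (one domain per line, or hosts format), extracts the host from a URL the way a browser would resolve it, and checks for a match. The sample list is constructed; matching parent domains as well as the exact host is an assumption controlled by a flag, since Pi-hole's own behaviour depends on version and settings.

```python
"""Check whether a URL's host is covered by a Pi-hole adlist.
Added example with a constructed sample list; parent matching is assumed."""
from urllib.parse import urlsplit

# Constructed sample showing both formats gravity ingests.
SAMPLE_LIST = """\
# Phishing Army-style list: one domain per line (constructed sample)
login-verify.example
who-covid-relief.example
# hosts-format entries are accepted too
0.0.0.0 secure-update.example
127.0.0.1 localhost
"""

# Housekeeping entries found in hosts-format lists; not blocking targets.
HOSTS_NOISE = {"localhost", "localhost.localdomain", "broadcasthost"}

def parse_adlist(text: str) -> set:
    """Return the set of domains a list contributes to gravity."""
    domains = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        # hosts format is "<ip> <domain>"; plain format is "<domain>"
        domain = (parts[1] if len(parts) >= 2 else parts[0]).lower().rstrip(".")
        if domain not in HOSTS_NOISE:
            domains.add(domain)
    return domains

def host_from_url(url: str) -> str:
    """Extract the lower-cased host a browser would resolve for a URL."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").rstrip(".")

def would_block(host: str, gravity: set, match_parents: bool = True) -> bool:
    """Exact match; with match_parents, any parent domain also counts."""
    labels = host.lower().rstrip(".").split(".")
    candidates = [".".join(labels[i:]) for i in range(len(labels))] if match_parents else [host.lower()]
    return any(c in gravity for c in candidates)

def check_url(url: str, list_text: str = SAMPLE_LIST) -> bool:
    """Convenience wrapper: is the host of this URL on the given list?"""
    return would_block(host_from_url(url), parse_adlist(list_text))
```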

Report and vote for phishing sites

The first thing to do is to report and vote for phishing sites; the easiest way is to follow the instructions on the amazing blog of the CyberV19 volunteers about using the voting system on Phishtank. When a Phishtank-submitted link reaches a sufficient number of votes, it is marked as phishing. At that stage it is included in the next Phishing Army blacklist update and automatically reaches your Pi-hole through the feed.

Checks

Now you can check whether your Pi-hole is blocking malicious DNS requests. Search for a full or partial link in the Query Lists Search of the Pi-hole:

Try to browse to one of the links in the results and see the DNS query blocked by the Pi-hole:


Well done!

Conclusions

This is a home setup scenario. For a small company, or to test enterprise solutions, we would suggest installing Pi-hole in a Docker container and configuring the Domain Controller to point to the Pi-hole as your primary DNS.

To reiterate, we recommend this setup for HOME use only. Hospitals and healthcare providers should use business class solutions for DNS services and protective DNS.

Thanks

Thanks to Luca Testoni for writing this blog and contributing to CV19! This is a slightly modified version of the post on https://blackcloud.me/fight-phishing/

Helping the fight against phishing!

PhishTank is a collaborative clearing house for data and information about phishing on the Internet. We can use Phishtank to help take down and disrupt phishing operations.

We are also working on some custom tooling; however, in the meantime let’s make sure everyone knows how easy it is to help fight phishing!

Getting Started

To report and vote for sites on Phishtank, you first need to register on the Phishtank site at https://www.phishtank.com/:

Click on Register or use the following URL:

https://www.phishtank.com/register.php

Enter your details:

Click I’m not a robot and complete the captcha:

Click Verify and then Create My Account:

You will now be sent an email with a validation link:

You are now good to go! Next, we need to sign in:

Reviewing and Voting

We are now ready to report and vote for phishing sites!

Click on the submission ID you want to review.

Review the site – this one is impersonating the World Health Organization (WHO):

Click It's a PHISH (or another option, depending upon the result of your review):

We have now voted this as a phishing site! Simples! If the site gets validated enough it will be added to block lists.

Phishtank can be used to report both URLs and phishing emails. The process is fairly simple. If you want to check a URL, you can do this from the main page. If it is not in the database, follow the onscreen instructions and submit the phish. You can then share the URL with the group and we can help review and upvote sites once they're submitted.

Every little bit we do to disrupt these networks helps, so get registered and make sure you remember to report and upvote!

Embedding safety culture and behaviour

In times of uncertainty we can see that demand for information security and risk management is increasing daily. How is our volatile, uncertain, complex and ambiguous (VUCA) world impacting healthcare services and companies that need to adapt to it?

The rush to use cloud services sometimes means organizations are not thinking fully about the risks. Thinking that “it’s in the cloud, therefore it’s safe” is wrong, though vendors may claim it is.

Therefore, it’s important to ensure that information risk is managed properly, and one way to do that is to embed safety culture when working with suppliers.

There is a risk to business activities if information becomes disclosed to those not authorized to see it, or if information or systems fail to be available or are corrupted.

It is therefore important that we take the appropriate security precautions to ensure that the third-party suppliers we work with have the right measures in place to protect the confidentiality of and ensure the integrity and availability of information.

Based on this Ponemon Study, more than 56% of organizations claimed that they have had data breaches in the past two years that can be linked to third parties. On top of that, 6% were unsure if they had suffered a data breach at all.

What we can do to ensure that we have effective, preventive controls in place:

  1. Assess supplier networks
    1. Consider including your expectations for security controls and periodic auditing within vendor contracts to ensure that your selected suppliers meet the same level of scrutiny as your internal enterprise. 
  2. Know your risks
    1. Identify your most valuable assets, such as intellectual property, proprietary information, and customer and employee personal data.
  3. Include third parties in your remediation plan
    1. Don’t assume that suppliers will handle everything for you.

Once we understand what assets we need to protect, it is easier to assess the risks. We must also remember to form partnerships with providers to ensure that value from services will be maximized and at the same time, both parties will be accountable for protecting critical data.

But how should we mitigate the risks, as the question is not if but when a breach will happen?

  1. Contract
    1. Security and risk mitigation requirements must be included in an organization's contractual agreements with third-party vendors and service providers.
  2. Incident Response
    1. Does the service provider have an enhanced and up-to-date incident response plan? Does the third party test the resiliency of the plan and go through simulated tabletop exercises?
  3. Assessment
    1. Accept standardized questionnaire content based on known best-practice security frameworks (e.g. ISO 27001, NIST).
  4. Penetration tests
    1. Look for vulnerabilities, such as unapplied patches and potential attack vectors, that could put your data at risk.
  5. Strong Access Controls
    1. Where possible, ensure vendors are using your systems and relevant controls to access your environment.
  6. Minimize risky providers
    1. Continuously monitor the cyber posture of the supplier and receive live alerts on any significant changes.

There’s too much at stake right now, so one of the things we can do is to raise awareness, build community and ensure that continuity of services will be maintained.

This post was authored by: Radoslaw Gnat

Protecting front-line healthcare services

Author: @SarahASmith75

As the situation with COVID-19 continues to develop, this is putting a strain on the availability and continuity of healthcare services.

Whilst it is generally accepted that social distancing can slow the velocity of infection, the number of cases is set to rise over the coming weeks and months. Those most at risk are elderly and/or have underlying medical conditions. Regular contact with suspected and actual cases also increases the likelihood of healthcare professionals becoming ill and needing to self-isolate.

This increased demand and shortage of resources can lead to secondary incidents and failures, particularly with the availability of buildings, facilities and IT services.

So what can healthcare services do to protect themselves from the potential impact of COVID-19?

From a business continuity perspective, we will consider 3 key scenarios:

  1. Availability of buildings and facilities
  2. Availability of key IT systems
  3. Availability of key people

1. Availability of buildings and facilities

As the number of people requiring treatment and hospitalisation rises, so does the demand for specialist buildings and facilities.

Intensive care facilities and ventilators require round-the-clock availability of power, which increases the potential for failure.

In addition, people in hospital for other reasons may need to be segregated to reduce their likelihood of exposure.

Things to consider:

  • Resilience of buildings to utilities failure
  • Testing of on-site and mobile generators 
  • Diesel storage for generators
  • Turning off non-essential services to reduce load
  • Physical separation and zoning of areas 
  • Increased cleaning and waste disposal to reduce secondary infection vectors
  • Use of hotels for staff and non-critical patients
  • Use of portable cabins or marquees for triage
  • Use of mobile catering units 

2. Availability of key IT services

Not only is access to IT systems and data required for managing patients, it is also needed for reporting and modelling.

In crisis situations, IT systems and data are at risk from cyberattacks and data breaches as criminals look to exploit the situation or cause further disruptions.

Things to consider:

  • Ability to flex capacity and performance to meet demand
  • Proactive monitoring and system checks
  • Regular backups of systems and data
  • Security and awareness training
  • Ability to failover IT services in the event of failure or corruption
  • Ability to shut down non-essential services
  • Manual workarounds if key IT services not available
  • Use of third parties to provide additional IT support 

3. Availability of key people

This goes beyond medical and care professionals and extends to ancillary staff to support the buildings, facilities and IT services.

When managing a crisis, people tend to work longer hours to deal with demand, but this can often be counter-productive due to fatigue and susceptibility to illness.

Things to consider:

  • Prioritise essential and critical services
  • Perform key skills gap analysis
  • Perform additional training and awareness
  • Enforce strict breaks and rotation of shifts
  • Assess transport needs for staff and patients
  • Request additional support from private sector:
    • First aiders
    • Health and safety professionals
    • Security guards
    • IT professionals
    • Catering
    • Laboratory technicians
    • Child carers and teachers
    • Drivers

Vast numbers of people are being affected by COVID-19, either directly or indirectly. It is vital to protect front-line healthcare services from buildings, facilities and IT failures, to ensure people can get access to the care and support they need.

By working together, we can enable the continuity and availability of these essential services.

Thanks to @SarahASmith75 for creating this great post! We will be working out a wider process for volunteer submissions in the near future; in the meantime, please contact @UK_Daniel_Card or @LisaForteUK.

Supporting the world in cyber space

An uncharted path

We are working away in the background and, as many of you can probably imagine, there is a huge range of logistical challenges in our path. Healthcare (and other sensitive/critical services) is not somewhere we can just rock up and start jumping on systems and networks; even just organisationally and from a comms point of view the challenges aren't small. We want to make sure that as a group we can help no matter where we are.

A Force for Good

To this end we are formulating ideas for initiatives whereby we can support our healthcare services from an internet perspective.

Our thinking in this space is along these lines:

  • Phishing Reporting
  • Malware Analysis
  • OSINT/Threat Intelligence
  • Malicious Website Takedowns
  • COVID19 ‘Opportunity Abuse’
  • Social Media Amplification
  • Creation of helpful content around good cyber security guidance
  • Sharing of useful resources and trusted services

We are taking a cautious approach to how we enable this group. We are doing a huge amount of work talking with partners, volunteers and technical solution providers, but we also MUST ensure that the work we do is conducted in line with our mission to HELP (not hinder)! We've put together a code of conduct to help support this!

If anyone has any suggestions for other ways we can support, please get in touch with the team on the LinkedIn group.

Active Defences – Protective DNS

Introduction

The NCSC provide a range of services for public organisations (such as the NHS). Part of these include active defence services. One of these is protective DNS!

Protective DNS

Protective DNS acts as a sinkholing mechanism to help prevent an unsuspecting web user from visiting a malicious site (such as a phishing site or one hosting malware). So what does that mean?

DNS acts as an address book: you enter a URL, e.g. www.google.com, and your device looks the name up via its name server; if the address exists, a valid response is returned. With protective DNS, rather than forwarding your requests to raw internet DNS servers, you use a managed service that holds a constantly updated list of known malicious sites. That way, if you try to visit a bad site, you are given a safe address instead and your device never gets there. My explanation here is really simple; it's a bit more complex in reality. Luckily the team at NCSC have written up a far more in-depth view of this.

https://www.ncsc.gov.uk/information/pdns

If you are a public organisation, hopefully you've already got this and a load of other controls deployed. However, I wanted to highlight it again: if you are a public sector organisation you can request and leverage this as one of the ways to reduce the impact of phishing, typos, etc. (I typo all the time!)

For those of you who are operating at a personal or business level, there are a range of commercial and free services available such as:

https://www.opendns.com/

https://www.quad9.net/

Another line of defence

So, no matter how big or small your organisation is, and whether it is public or private, you can implement protective DNS as one of the many controls required to keep you safe from cybercriminals. Remember, you need a layered approach to cyber security, and protective DNS is just one layer that can be a great way to fight back!

Building the right foundations

In response to the initial concept we have had a huge response from volunteers. We do, however, realise that in order to be effective we need some structure and a level of planning in the background to ensure the following:

  • Healthcare providers are aware of the intent.
  • Healthcare providers know how to request support.
  • There are appropriate processes and procedures in place to put HC providers in contact with volunteers.

This list isn't exhaustive; there are lots of things to consider when setting up a volunteer organisation, so please bear with us. We are in talks with both healthcare providers and government agencies to make sure we get this off on the right foot, that we have a suitable structure, and that ultimately we can all help support our great healthcare providers in a manner which gives them the help and support they need, in the manner they need it.

Please bear with us as we develop and grow this. We are trying to move at pace but also to ensure we focus on our primary objective of delivering actionable support to healthcare; we are already working with NHS trusts.

In the meantime we ask that people join our LinkedIn group whilst we co-ordinate across healthcare providers, volunteers, vendors and various agencies.