Category : Security

/system script
#CREATE DOWNLOAD BLACKLIST SCRIPT
add comment=Firewall name=Blacklist_SquidBlacklist_Download_drop.bogons.rsc policy=read,test source=":log warning \"START - Download bogons list (sbl-bogons.rsc) updates.\";\r\
\n/tool fetch address=www.squidblacklist.org host=www.squidblacklist.org mode=http src-path=/downloads/sbl-bogons.rsc dst-path=/disk1/blacklists/sbl-bogons.rsc\r\
\n:log warning \"END - Download bogons list (sbl-bogons.rsc) updates.\";"

#CREATE IMPORT BLACKLIST SCRIPT
add comment=Firewall name=Blacklist_SquidBlacklist_Import_drop.bogons.rsc policy=read,write source=":log warning \"START - Import blacklist (sbl-bogons.rsc) update.\";\r\
\nimport /disk1/blacklists/sbl-bogons.rsc\r\
\n:log warning \"END - Import blacklist (sbl-bogons.rsc) update.\";"

/system scheduler
#CREATE DOWNLOAD BLACKLISTS SCHEDULER
add comment=Firewall interval=1d name=Blacklist_SquidBlacklist_Download_drop.bogons.rsc on-event="/system script run Blacklist_SquidBlacklist_Download_drop.bogons.rsc" policy=read,write start-date=jan/01/2017 start-time=02:00:00 disabled=yes

#CREATE IMPORT BLACKLISTS SCHEDULER
add comment=Firewall interval=1d name=Blacklist_SquidBlacklist_Import_Import_drop.bogons.rsc on-event="/system script run Blacklist_SquidBlacklist_Import_drop.bogons.rsc" policy=read,write start-date=jan/01/2017 start-time=02:15:00 disabled=yes

/ip firewall filter
#CREATE DROP RULES FOR BLACKLISTS
add action=drop chain=forward src-address-list="sbl bogons" log=yes log-prefix="BL_sbl blocklist.de" comment="Squid Blacklist: SBL Bogons."
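The download script fetches the list with mode=http and the import script then runs it, so every line the server (or anyone on the path) supplies is executed as a RouterOS command. The following is an added example, not part of the original post: a Python check, run on an admin host against a copy of the file, that accepts only address-list entries for the "sbl bogons" list. The file layout (a `/ip firewall address-list` menu line followed by `add` lines) is an assumption about sbl-bogons.rsc, and the sample data is constructed.

```python
import ipaddress
import shlex

MENU = "/ip firewall address-list"    # assumed menu line in the downloaded file
LIST_NAME = "sbl bogons"              # list name the page's drop rule matches on
ALLOWED_KEYS = {"list", "address", "comment"}
FORBIDDEN = set(";[]{}$\\")           # separators, substitution, escapes

def check_line(text, in_menu):
    """Return a rejection reason for one stripped line, or None if acceptable."""
    if FORBIDDEN & set(text):
        return "script metacharacter present"
    try:
        tokens = shlex.split(text)
    except ValueError:
        return "unbalanced quoting"
    if tokens[0] != "add" or not in_menu:
        return "not an address-list add"
    fields = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
    if len(fields) != len(tokens) - 1 or not set(fields) <= ALLOWED_KEYS:
        return "unexpected parameter"
    if fields.get("list") != LIST_NAME:
        return "wrong or missing list name"
    try:  # ranges and DNS names are valid in RouterOS but rejected here on purpose
        ipaddress.ip_network(fields.get("address", ""), strict=False)
    except ValueError:
        return "address is not an IP network"
    return None

def validate_rsc(content):
    """Return [(line_number, reason)]; an empty list means the file may be imported."""
    problems, in_menu = [], False
    for number, line in enumerate(content.splitlines(), start=1):
        text = line.strip()
        if not text or text.startswith("#"):
            continue
        if text == MENU:
            in_menu = True
            continue
        reason = check_line(text, in_menu)
        if reason:
            problems.append((number, reason))
    return problems

GOOD = ('# constructed sample\n/ip firewall address-list\n'  # not real list content
        'add list="sbl bogons" address=10.0.0.0/8\n'
        'add list="sbl bogons" address=192.168.0.0/16 comment=rfc1918\n')
TAMPERED = GOOD + ('/system identity set name=changed\n'
                   'add list="sbl bogons" address=10.0.0.0/8; /system identity print\n')
```

Import the file on the router only when `validate_rsc` returns an empty list; any other result names the line that would have run something other than an address-list entry.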

If you need help with your Mikrotik router go to wisp.net.au for all the latest gear and knowledge.

Author: 6 months ago

Mikrotik with 2 WAN connections:

  1. DSL for standard web browsing, etc.
  2. LTE for VoIP

First create an address list (SIP-LTE) containing the IP addresses of the VoIP devices, then NAT them out via the LTE connection:

/ip firewall nat

add action=masquerade chain=srcnat out-interface=LTE src-address-list=SIP-LTE

/ip firewall mangle
add action=accept chain=prerouting in-interface=LTE
add action=accept chain=prerouting in-interface=dsl

add action=mark-packet chain=prerouting comment="SIP via LTE packet" \
new-packet-mark=SIP_packet passthrough=yes src-address-list=SIP-LTE
add action=mark-connection chain=prerouting comment="SIP via LTE connection" \
new-connection-mark=SIP-conn packet-mark=SIP_packet passthrough=yes \
src-address-list=SIP-LTE
add action=mark-routing chain=prerouting comment="SIP via LTE route" \
connection-mark=SIP-conn new-routing-mark=SIP-LTE passthrough=no \
src-address-list=SIP-LTE

/ip route
add distance=1 gateway=192.168.36.254 routing-mark=SIP-LTE scope=255

Author: 8 months ago

As Google promised last year, they have released an update for Chrome that introduces a stronger pop-up blocker, which protects against sneaky tactics that lead users to unwanted content through hidden redirects. These abusive experiences that users complained about were often used by shadier sections of the web, where the ads or parts of the page included fake site warnings, error messages and “close” buttons that redirected the page.

Google has also stated that from February 15, Chrome will remove ads that don’t comply with standards overseen by the Coalition for Better Ads.

Chrome 64 also contains 53 security fixes and brings some of Google’s fixes for the Spectre attack that can be used against browsers. Google has also said that it will be adding more mitigations in the future.

Author: 10 months ago

WPA3 has been announced

The Wi-Fi Alliance has announced the introduction of new security-based features for its family of Wi-Fi Certified technologies at CES 2018. After more than a decade, the Wi-Fi Alliance has released the next specification of the security protocol, known as WPA3. As well as addressing the issues surrounding KRACK, WPA3 is claimed to offer four key new capabilities over its predecessor: techniques for improving security even when users pick too-simple passphrases, simplified configuration for headless devices that lack a display, per-client rather than per-network encryption, and a new 192-bit security cipher suite created to align with the US Committee on National Security Systems’ Commercial National Security Algorithm (CNSA) requirements.

WPA3 employs individualized data encryption, which scrambles the connection between each device on the network and the router, ensuring secrets are kept safe and sites that you visit haven’t been manipulated. The most notable problem for WPA2 was the recent discovery of several key management vulnerabilities in the 4-way handshake of its security protocol (aka KRACK, or Key Reinstallation Attacks). “Finally, a 192-bit security suite, aligned with the Commercial National Security Algorithm (CNSA) Suite from the Committee on National Security Systems, will further protect Wi-Fi networks with higher security requirements such as government, defense, and industrial”.

Apparently WPA3 will contain four new capabilities for personal and enterprise Wi-Fi networks. These are usually open and unencrypted, which means whoever uses them is quite vulnerable to snooping and data theft.

Author: 11 months ago

Meltdown and Spectre vulnerabilities impact a large number of computing systems

As we are all aware, the newer generations of Intel and AMD CPUs are vulnerable to both of the latest exploits.

Below are the quick fixes for the major operating systems:

macOS High Sierra 10.13.2+, Sierra 2017-002 security update, and El Capitan 2017-005 security update mitigate Meltdown:
https://support.apple.com/en-us/HT208394
https://support.apple.com/en-us/HT208331

iOS 11.2+ mitigates Meltdown:
https://support.apple.com/en-us/HT208394
https://support.apple.com/en-us/HT208334

Windows 7, 8, 10 patches are out, mitigating Meltdown:
https://support.microsoft.com/help/4073119

Android “January 2018” security patch level mitigates Meltdown:
https://support.google.com/faqs/answer/7622138#android

Firefox 57 is patched, mitigating Spectre:
https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/

Chrome 64 (January 23) will mitigate Spectre; you can optionally mitigate now with “Strict Site Isolation” in chrome://flags:
https://support.google.com/faqs/answer/7622138#chrome

Safari update “in the coming days” to mitigate Spectre:
https://support.apple.com/en-us/HT208394

Ubuntu kernel updates by Jan 9, for 17.10, 16.04 LTS, 14.04 LTS, mitigating Meltdown:
https://insights.ubuntu.com/2018/01/04/ubuntu-updates-for-the-meltdown-spectre-vulnerabilities/

Debian stable has an updated kernel out, mitigating Meltdown:
https://www.debian.org/security/2018/dsa-4078

AWS has patched the host hardware for EC2 boxes:
https://aws.amazon.com/security/security-bulletins/AWS-2018-013/

Author: 11 months ago