Goodbye Mediawiki and thanks for all the fish..

So here we are in 2017 and I noticed that the wiki has not had an edit for around 3 years, but I still have had to bring it down every few months for security fixes. 
So the time has come to kill the Whale - all the wiki content is now moved to articles on the CMS or deleted or published elsewhere and mediawiki has gone to feed the fishes.
It was a great collaborative tool in 2004, but I can do everything in a Google Doc these days and someone else is keeping that secure and patched (I hope!).

Maltesers

I love Maltesers and can easily consume a large bag or even a box all by myself. Lately though I've noticed that the quality has lapsed. The little things are not round any more. Instead they now look like asteroids: they have irregular surfaces all over them.
Pretty annoying given that on the TV adverts they roll around on desks etc!
Try and contact Masterfoods (Mars) about this: You can't! The website is awful and has not one single contact (Yes, none!)
Bah! Roll on cheaper lookalike product manufacturers prepared to make maltesers round again.

And Dumb Security Company of the day goes to.....

Argh, dammit, I can't tell you.  But the imaginary conversation goes like this.
Me: "Hi security company, I see that you have an enterprise grade security product that my client has put at the heart of their enterprise?"
Dumb Security Company (DSC): "Yes, can I tell you about it? It's great - it has elements that ..."
Me: "No, no, please stop.  Anyway, the client tells me that your security product runs on Windows."
DSC: "Yes, that's right, we have a strategic relationship with Mi..."

Certificate CA pinning

With many MITM attacks, you get fake certs.  CA pinning would help to fix this: the browser would retain a copy of every cert that it gets in a local DB, and if it gets a different cert next time you visit the same domain, or if the signing CA is different, it gives you a warning.  Carry on at your peril.   This kind of attack is mainly the state-sponsored threat actor: they have the resources and the clout to persuade a CA operator to sign a bogus cert and/or insert themselves into DNS traffic.
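The scheme described above is trust-on-first-use pinning of both the leaf certificate and its issuing CA. As an added example (not code from this blog or any browser), here is a small Python pin store backed by a local sqlite database. It takes the DER bytes and issuer name that a client would already have from the TLS handshake; the byte strings and CA names in the demo are constructed stand-ins, not real certificates.

```python
import hashlib
import sqlite3


def cert_fingerprint(der: bytes) -> str:
    """SHA-256 over the DER-encoded certificate: the fingerprint browsers display."""
    return hashlib.sha256(der).hexdigest()


class PinStore:
    """Trust-on-first-use record of the certificate and signing CA last seen per host.

    Verdicts returned by check():
      first-use          host never seen before; its cert and CA are recorded
      match              same certificate as last time
      warn-cert-changed  different certificate, still issued by the same CA
      warn-ca-changed    different certificate AND a different signing CA
    A warning never updates the stored pin; the user must call accept() to carry on.
    """

    def __init__(self, path: str = ":memory:"):
        self.db = sqlite3.connect(path)
        self.db.execute(
            "CREATE TABLE IF NOT EXISTS pins ("
            "host TEXT PRIMARY KEY, fingerprint TEXT NOT NULL, issuer TEXT NOT NULL)"
        )

    def check(self, host: str, der: bytes, issuer: str) -> str:
        fp = cert_fingerprint(der)
        row = self.db.execute(
            "SELECT fingerprint, issuer FROM pins WHERE host = ?", (host,)
        ).fetchone()
        if row is None:
            self._store(host, fp, issuer)
            return "first-use"
        seen_fp, seen_issuer = row
        if seen_fp == fp:
            return "match"
        if seen_issuer != issuer:
            return "warn-ca-changed"
        return "warn-cert-changed"

    def accept(self, host: str, der: bytes, issuer: str) -> None:
        """Record the new certificate after the user has chosen to carry on."""
        self._store(host, cert_fingerprint(der), issuer)

    def _store(self, host: str, fp: str, issuer: str) -> None:
        self.db.execute(
            "INSERT OR REPLACE INTO pins VALUES (?, ?, ?)", (host, fp, issuer)
        )
        self.db.commit()


def demo() -> list:
    """Walk one host through the four verdicts using constructed cert bytes."""
    store = PinStore()
    host = "example.test"  # constructed hostname
    verdicts = [
        store.check(host, b"constructed-cert-A", "Constructed CA One"),
        store.check(host, b"constructed-cert-A", "Constructed CA One"),
        store.check(host, b"constructed-cert-B", "Constructed CA One"),  # renewal
        store.check(host, b"constructed-cert-C", "Constructed CA Two"),  # CA swap
    ]
    store.accept(host, b"constructed-cert-C", "Constructed CA Two")      # "carry on"
    verdicts.append(store.check(host, b"constructed-cert-C", "Constructed CA Two"))
    return verdicts


if __name__ == "__main__":
    print(demo())
```

The caveat the post hints at with "carry on at your peril" is visible in the verdicts: a routine certificate renewal and a site moving to a new CA both trigger a warning, so the store can only prompt, not decide, and the user is left to tell a legitimate change from an interception.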

Tricks and Tips #1 Block 'em. Block 'em all.

One way that TurboTas.co.uk stops unwanted shite turning up on the website is with massive IP block lists.
As this is a very small blog, available in English only, I can take some pretty radical steps to prevent Eve from getting into my system.
The subject is somewhat evocative but I'll lay it out for you.  People visiting my website speak English and are mainly from the United Kingdom or the US.  Web logs and analytics support this.

Spammers Blocking Day

A day to stop spammers today with quite a few direct connections not picked up by the server.
189.194.93.86.  Looks like an insecure web application with an open PHP mailer script.  DOH!
186.51.53.86.  Another email spammer.
SSH attempts from 82.165.129.71 and 149.3.143.187.  Blocked both of those.
Spotted 89.67.253.49 in the HTTP logs and a check of project Honeypot shows them as massive spammers.  46.37.165.127 in same boat, also 78.157.192.24 and 46.37.189.182

USB Firewall

I have not found one of these, but can't believe it doesn't exist: a little USB dongle that plugs into your work desktop and will charge your mobile phone, but without making the desktop see your phone as a device.  Basically, connect the volts, but not the data.  Obvious really.  Someone tell me why it won't work?

Another Day, Another set of IP blocks

Quite a big set of IP addresses today because I've been scanning the logs for the evening.  Rather an alarming list building up of stuff that needs fixing.
 
Chinese email spammers.  I spotted them via attempts to web spider sites that are now offline.  60.173.10.0/24  Block them while you can! Drat, just noticed a bunch from the class c under that one too, so best block .9. too!  Oh and .26.0.  Actually this is looking like a problem with a much larger block, No? 
 
Spanish hacking attempt via the Apache Logs: 81.44.219.18
 

7 Jan 13: Email Spamming from Poland

Do yourself a favour and block the following range: 91.236.74.128/25.   I was led to this block of addresses after noting access attempts from 91.236.74.144.  Oddly, the activity I saw was on a website that I no longer run and from host 144 in the range, so lots of errors in the access log for the main server, but it seems that this might be harvesting email addresses, as the http://www.stopforumspam.com/ service shows most of the hosts above 128 are generating massive amounts of email spam.
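The three blocking posts above all follow the same routine: scan the access log, match client addresses against known bad ranges, then ask whether the hits point at a larger block. As an added example (my own script, not the blog's tooling), the Python below runs that routine over a few constructed Apache log lines using the ranges quoted on this page. The 60.173.9.0/24 and 60.173.26.0/24 entries are my reading of ".9." and ".26.0" in the Chinese spammer post; the log lines are constructed, not real traffic.

```python
import ipaddress
import re

# Ranges quoted in the blocking posts on this page. The .9 and .26 /24s are an
# interpretation of the post's ".9." and ".26.0", not addresses it spelled out.
BLOCK_LIST = [ipaddress.ip_network(n) for n in (
    "60.173.10.0/24", "60.173.9.0/24", "60.173.26.0/24",  # Chinese spider/spam blocks
    "91.236.74.128/25",                                   # Polish email-harvesting range
    "81.44.219.18/32",                                    # single host from the Apache logs
)]

# Constructed Apache combined-format lines for the demo (not real log data).
SAMPLE_LOG = """\
60.173.10.45 - - [07/Jan/2013:10:11:12 +0000] "GET /robots.txt HTTP/1.1" 200 123
60.173.9.201 - - [07/Jan/2013:10:11:13 +0000] "GET /old-site/ HTTP/1.1" 404 210
91.236.74.144 - - [07/Jan/2013:10:11:14 +0000] "GET /contact HTTP/1.1" 404 210
91.236.74.20 - - [07/Jan/2013:10:11:15 +0000] "GET / HTTP/1.1" 200 4096
198.51.100.7 - - [07/Jan/2013:10:11:16 +0000] "GET / HTTP/1.1" 200 4096
this line is not a log entry
"""

# client, identd, user, [timestamp], "request", status ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" (\d{3})')


def blocked_by(ip: str):
    """Return the block-list network (as a string) that contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    for net in BLOCK_LIST:
        if addr in net:
            return str(net)
    return None


def scan_log(text: str) -> list:
    """Return (client ip, matching network, request line) for every blocked client."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than crash
        ip, request, _status = m.groups()
        try:
            net = blocked_by(ip)
        except ValueError:
            continue  # field was not an IP address (e.g. hostname lookups enabled)
        if net:
            hits.append((ip, net, request))
    return hits


def smallest_covering(networks) -> ipaddress.IPv4Network:
    """Smallest single prefix containing every network given.

    Answers the "is this a much larger block?" question: widen the first network one
    bit at a time until all the others fall inside it. The result also shows how much
    unrelated address space a single coarse block would take with it.
    """
    nets = [ipaddress.ip_network(n) for n in networks]
    candidate = nets[0]
    while not all(n.subnet_of(candidate) for n in nets):
        candidate = candidate.supernet()
    return candidate


if __name__ == "__main__":
    for ip, net, request in scan_log(SAMPLE_LOG):
        print(f"{ip:16} blocked by {net:20} {request}")
    chinese = ["60.173.10.0/24", "60.173.9.0/24", "60.173.26.0/24"]
    print("covering block:", smallest_covering(chinese))
```

The fourth sample line shows why the /25 boundary matters: 91.236.74.20 is in the same /24 as the harvesting hosts but below .128, so it is not matched, which is the distinction the post draws. The covering calculation for the three Chinese /24s comes out at 60.173.0.0/19, eight thousand addresses, which is the trade-off behind "this is looking like a problem with a much larger block".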