SlideShare a Scribd company logo

SeaSec East: Green Locks For You & Me

Download as PPTX, PDF
Wendy Knox Everette
Wendy Knox Everette

Website and Email encryption

Internet
1 of 63
GREEN LOCKS FOR YOU & ME
Wendy Knox Everette Senior Security Advisor, Leviathan Security Group @wendyck SeaSec East September 5, 2018
WEBSITES WITHOUT HTTPS Chrome now labels these as “not secure”
https://www.blog.google/products/chrome/milestone-chrome-security-marking-http-not-secure/
SITES WITH HTTPS Green lock indicating SSL
HOW DO I SECURE MY WEBSITE? • Lets Encrypt and Cloudflare are two of the services offering free certificates to websites • Both work well with Github pages, which is what this talk will demonstrate • There are lots of other hosting options like WordPress as well
SETTING UP THE CERTIFICATE AND DOMAIN • Github Pages TLS with custom domains announcement: https://blog.github.com/2018-05-01-github-pages-custom-domains-https/ • Directions: https://help.github.com/articles/using-a-custom-domain-with- github-pages/
On GitHub, create your repo: [USERNAME].github.io
Check out the repo to your local machine (I like GitHub Desktop) create a index.html (your homepage!) and any other webpage files
Create a new text file named CNAME at the root of the repo and put your domain name into it
Go to the Settings for your new repo and scroll down to custom domain
SET UP NAME SERVERS • If you’re using Cloudflare, point to their DNS servers, and configure there • Make sure you set your domain on the repo on GitHub FIRST
GitHub directions: Apex Domain DNS Configuration: Create configure an ALIAS, ANAME, or A record at your DNS provider
Set the “A” record values to be the IP addresses that GitHub provides in their help pages (https://help.github.com/articles/setting- up-an-apex-domain/)
about the orange clouds there….
Sites behind Cloudflare’s CDN do not look like they’re configured correctly to GitHub
Site that is not behind Cloudflare’s CDN
CLOUDFLARE FREE ACCOUNT CERTIFICATE
A sidebar about DNS debugging tools
DNS lookup tools Mac/Linux: ● dig ● https://toolbox.googleapps.com/apps/dig Windows ● nslookup ● https://network-tools.com/nslook/
NEXT… SO YOU HAVE EMAIL ON YOUR PERSONAL DOMAIN: HOW DO PREVENT IT FROM BEING SPOOFED?
Why bother? Some statistics from a Usenix paper “email phishing has involved in nearly half of the 2000+ reported security breaches in recent two years, causing a leakage of billions of user records” Scanned Alexa top 1 million from February 2017 to January 2018 Found very low adoption rates of SPF and DMARC: ● SPF 44.9% ● DMARC 5.1% End-to-End Measurements of Email Spoofing Attacks Hang Hu and Gang Wang, Virginia Tech https://www.usenix.org/conference/usenixsecurit y18/presentation/hu
DO I NEED TO DO THIS? I'd assumed at first that since I was using Google Apps Gmail for my email that it couldn't be used to spoof. Turns out I was wrong
SPF - SENDER PERMITTED FROM • https://blog.returnpath.com/how-to-explain-spf-in-plain-english/ • Lets a domain owner specify the only IP addresses that can send email for that domain • Up to recipients to check for matches
DKIM - DOMAINKEYS IDENTIFIED MAIL • https://blog.returnpath.com/how-to-explain-dkim-in-plain-english-2/ • Allows us to cryptographically sign our emails! the elements of the email to be signed are encrypted with our private key….verification that email is legitimate through cryptographic authentication • Public key to decrypt is available in DNS • Unfortunately not really widely adopted yet - but GSuite supports it
DMARC - DOMAIN-BASED MESSAGE AUTHENTICATION, REPORTING & CONFORMANCE • Builds on DKIM & SPF • Ensures spoofed emails are blocked
https://dmarc.org/overview/
let’sbegin…. • We will figure out the IP addresses for SPF • Then get our private key for DKIM • Then create an initial DMARC policy • Finally, going back to Cloudflare, we will add some new DNS records- 3 TXT records to set up DMARC/DKIM/SPF using the information we generated
GENERATE DKIM PUBLIC KEYS • This is will go into your DNS settings in a TXT record • For GSuite, go to the admin dashboard, then Apps (in the left sidebar) > Gmail > Authenticate email • https://support.google.com/a/answer/174124?hl=en
CREATE TXT RECORD • Name of the TXT record will be “google._domainkey” • Value will be the full contents of the string that starts with “v=DKIM1; k=rsa; p=…..”
CLOUDFLARE DNS ENTRY: Select TXT from the dropdown
DKIM DNS entry is all set:
DKIM TAGS Learn More: ● https://us.dmarcian.com/dkim-inspector/ ● https://support.symantec.com/en_US/article.TECH131385.html
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=wendyk.org; s=google; h=mime-version:from:date:message-id:subject:to; bh=J4wOdPKBCGKDJu2gipRt6L/Ys5LW5rWG1r1oeQZ/Woo=; b=dir909v+lNJ4mjzATO5fmgeXWdFzN6n+JNkPLtuxBcOeTF4JYYhMQR6s7JwN7k3/ou 67gPvacuG7ZZAn5v5aMv8TOI06XFCXv71CowSwfDz8rbF7B57RvoW5aog/vpy3s1/lPr hMT9Kk3MULXbJQF48Qv/LbpMRsJDzlIizpgIxxrgDjZyKH4oWxZlLfOl2g4FGBjNv5I3 wHmQu/Ewgm040IsC4kGvXyFEKG2Yvw6U5BV1auM0UCZKKk/MuncvQcKAVmEnfUPUarsS ioGBrncFJf4d2AEtGW18JXqnGNvfK2ZqB922hYLsxOcaMb6+tAWaXNUcBaym48xCgSpC k+FQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=J4wOdPKBCGKDJu2gipRt6L/Ys5LW5rWG1r1oeQZ/Woo=; b=G7F+urifcvii9E+0NH7fn86HjxzcpLkDtU6VFW/grlFM7v17RsMdGjb7JfIHujJzy4 sCywy2zRTodm5/erlaYBpvPlHNDZzKIJzOS+Ti/giwuRDd7usuybQdEFE+9FU+zO3xiL fwe2rSG0FsExe9LHR1arJaavE4oM12rKjC0BBuFgvcIyAnWEA3LIDK8BStXFD6F0OvvJ AftnZiR++4+zbBo0af9olLMVBIcdQD/Y1Z4F56CZu3nsozlTraRbd7P7ihgES+4EUueh gRjU02zfnIgXCR1XqG8UpLpDFNYN3KvNvxG96ppuNrxtVUM4Gfagc3s8LGfbSTNP/FQV O8mQ==
ENTER SPF SETTINGS Create an SPF record for your domain: “v=spf1 include:_spf.google.com ~all” https://support.google.com/a/answer/33786?hl=en
wait for those to propagate, and make sure nothing broke….
NOW WE’RE READY TO SET UP DMARC….
SIGN UP FOR DMARCIAN https://dmarcian.com/register/
ADD DMARC SECTION
DMARC OPTIONS https://www.dmarcanalyzer.com/how-to-create-a-dmarc-record/
DMARC “POLICY” • Tells webserver what to do with email that fails SPF & DKIM • Start with p=none - this will give you reporting with no action taken on emails. Important so you don’t block all your emails • once that works, move to p=quarantine • Can then move to p=reject https://dmarcian.com/start-dmarc/
REPORTING DMARC DATA • This is where reports of failures are sent. Can be any valid email address. • If we send reporting to a DMarcian email, will show up in your DMarcian account • rua=mailto:ditp3aec@ag.dmarcian.com
This is complicated! How do I build this string? https://dmarcian.com/dmarc-record-wizard/
VIEWING YOUR DMARC REPORTS
REPORTS • You could provide your own email in the “rua” tag to receive reports & crunch your own graphs…. • Or we can send reports to DMarcian and use their tools. You can see reports on DMarcian’s Monitor tab
Sources shows where email sent with your domain is from. Threat/Unknown are emails from servers that don’t match your SPF/DKIM settings
TROUBLESHOOTING • DMarcian’s Issues tab under “Monitor” is very helpful (and don’t forget about dig and nslookup)
IF YOU RUN YOUR OWN MAIL SERVER
MTA STRICT TRANSPORT SECURITY (MTA-STS) • Allows domains to require authentication and TLS encryption for SMTP
START-TLS • Allows your mail server to protect against downgrades • https://starttls-everywhere.org/ • Creating a list of email servers that use TLS
MORE RESOURCES • https://www.ftc.gov/news-events/blogs/business-blog/2017/03/want-stop-phishers-use-email- authentication • https://blog.returnpath.com/how-to-explain-spf-in-plain-english/ • https://blog.returnpath.com/how-to-explain-dkim-in-plain-english-2/ • https://blog.returnpath.com/how-to-explain-dmarc-in-plain-english/ • https://zakird.com/papers/mail.pdf • https://www.usenix.org/system/files/conference/usenixsecurity18/sec18-hu.pdf
Suggested Questions What happens with DMARC if you don’t have SPF and DKIM set up? What does SPF do again? What’s DKIM once more? What kind of encryption is going on with DKIM? I use <other technology> how can I <secure my website/email>?

Recommended

Green Locks for You and Me
Green Locks for You and MeGreen Locks for You and Me
Green Locks for You and MeWendy Knox Everette
 
Http to Https Get your WordPress website Compliant!
Http to Https Get your WordPress website Compliant!Http to Https Get your WordPress website Compliant!
Http to Https Get your WordPress website Compliant!Lynn Dye
 
Mind the gap - Troopers 2016
Mind the gap - Troopers 2016Mind the gap - Troopers 2016
Mind the gap - Troopers 2016Casey Smith
 
Integrating WP Ultimo with Zapier using Webhooks
Integrating WP Ultimo with Zapier using WebhooksIntegrating WP Ultimo with Zapier using Webhooks
Integrating WP Ultimo with Zapier using WebhooksWP Ultimo
 
RabbitMQ 101 : job scheduling, micro service communication, event based data...
RabbitMQ 101 : job scheduling, micro service communication, event based data... RabbitMQ 101 : job scheduling, micro service communication, event based data...
RabbitMQ 101 : job scheduling, micro service communication, event based data...Quentin Adam
 
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...Beau Bullock
 
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...MITRE - ATT&CKcon
 
@dtmsecurity Mitre ATT&CKcon - Playing Devil's Advocate to Security Initiativ...
@dtmsecurity Mitre ATT&CKcon - Playing Devil's Advocate to Security Initiativ...@dtmsecurity Mitre ATT&CKcon - Playing Devil's Advocate to Security Initiativ...
@dtmsecurity Mitre ATT&CKcon - Playing Devil's Advocate to Security Initiativ...DTM Security
 

Recommended

Green Locks for You and Me
Green Locks for You and MeGreen Locks for You and Me
Green Locks for You and MeWendy Knox Everette
 
Http to Https Get your WordPress website Compliant!
Http to Https Get your WordPress website Compliant!Http to Https Get your WordPress website Compliant!
Http to Https Get your WordPress website Compliant!Lynn Dye
 
Mind the gap - Troopers 2016
Mind the gap - Troopers 2016Mind the gap - Troopers 2016
Mind the gap - Troopers 2016Casey Smith
 
Integrating WP Ultimo with Zapier using Webhooks
Integrating WP Ultimo with Zapier using WebhooksIntegrating WP Ultimo with Zapier using Webhooks
Integrating WP Ultimo with Zapier using WebhooksWP Ultimo
 
RabbitMQ 101 : job scheduling, micro service communication, event based data...
RabbitMQ 101 : job scheduling, micro service communication, event based data... RabbitMQ 101 : job scheduling, micro service communication, event based data...
RabbitMQ 101 : job scheduling, micro service communication, event based data...Quentin Adam
 
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...Beau Bullock
 
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...MITRE - ATT&CKcon
 
@dtmsecurity Mitre ATT&CKcon - Playing Devil's Advocate to Security Initiativ...
@dtmsecurity Mitre ATT&CKcon - Playing Devil's Advocate to Security Initiativ...@dtmsecurity Mitre ATT&CKcon - Playing Devil's Advocate to Security Initiativ...
@dtmsecurity Mitre ATT&CKcon - Playing Devil's Advocate to Security Initiativ...DTM Security
 
Massive emailing with Linux, Postfix and Ruby on Rails
Massive emailing with Linux, Postfix and Ruby on RailsMassive emailing with Linux, Postfix and Ruby on Rails
Massive emailing with Linux, Postfix and Ruby on Railsibelmonte
 
An Introduction To The DMARC SMTP Validation Requirements
An Introduction To The DMARC SMTP Validation RequirementsAn Introduction To The DMARC SMTP Validation Requirements
An Introduction To The DMARC SMTP Validation RequirementsGabriella Davis
 
Anatomy of a Cloud Hack
Anatomy of a Cloud HackAnatomy of a Cloud Hack
Anatomy of a Cloud HackNotSoSecure Global Services
 
ION Sri Lanka - DANE: The Future of TLS
ION Sri Lanka - DANE: The Future of TLSION Sri Lanka - DANE: The Future of TLS
ION Sri Lanka - DANE: The Future of TLSDeploy360 Programme (Internet Society)
 
Let's Encrypt: Better Security through Automation
Let's Encrypt: Better Security through AutomationLet's Encrypt: Better Security through Automation
Let's Encrypt: Better Security through AutomationAPNIC
 
Fighting Email Abuse with DMARC
Fighting Email Abuse with DMARCFighting Email Abuse with DMARC
Fighting Email Abuse with DMARCKurt Andersen
 
A Hitchhiker's Guide to troubleshooting IBM Connections
A Hitchhiker's Guide to troubleshooting IBM ConnectionsA Hitchhiker's Guide to troubleshooting IBM Connections
A Hitchhiker's Guide to troubleshooting IBM ConnectionsICON UK EVENTS Limited
 
A hitchhiker’s guide to troubleshooting ibm connections
A hitchhiker’s guide to troubleshooting ibm connectionsA hitchhiker’s guide to troubleshooting ibm connections
A hitchhiker’s guide to troubleshooting ibm connectionsSharon James
 
2010 5 xpg collaboration
2010 5 xpg collaboration2010 5 xpg collaboration
2010 5 xpg collaborationGuus Disselkoen
 
Keynote - Cloudy Vision: How Cloud Integration Complicates Security
Keynote - Cloudy Vision: How Cloud Integration Complicates SecurityKeynote - Cloudy Vision: How Cloud Integration Complicates Security
Keynote - Cloudy Vision: How Cloud Integration Complicates SecurityCloudVillage
 
Tietoturvallisuuden_kevatseminaari_2013_Jarno_Niemela
Tietoturvallisuuden_kevatseminaari_2013_Jarno_NiemelaTietoturvallisuuden_kevatseminaari_2013_Jarno_Niemela
Tietoturvallisuuden_kevatseminaari_2013_Jarno_NiemelaValtiokonttori / Statskontoret / State Treasury of Finland
 
Tips on Securing Drupal Sites - DrupalCamp Atlanta (DCA)
Tips on Securing Drupal Sites - DrupalCamp Atlanta (DCA)Tips on Securing Drupal Sites - DrupalCamp Atlanta (DCA)
Tips on Securing Drupal Sites - DrupalCamp Atlanta (DCA)cgmonroe
 
Operations: Security Crash Course — Best Practices for Securing your Company
Operations: Security Crash Course — Best Practices for Securing your CompanyOperations: Security Crash Course — Best Practices for Securing your Company
Operations: Security Crash Course — Best Practices for Securing your CompanyAmazon Web Services
 
Operations: Security
Operations: SecurityOperations: Security
Operations: SecurityAmazon Web Services
 
Cisco umbrella youtube
Cisco umbrella youtubeCisco umbrella youtube
Cisco umbrella youtubeDhruv Sharma
 
DIY guide to runbooks, incident reports, and incident response
DIY guide to runbooks, incident reports, and incident responseDIY guide to runbooks, incident reports, and incident response
DIY guide to runbooks, incident reports, and incident responseNathan Case
 
Ubuntu And Parental Controls
Ubuntu And Parental ControlsUbuntu And Parental Controls
Ubuntu And Parental Controlsjasonholtzapple
 
Webinar Mastery Series: How Security & Compliance become easier with SkyConne...
Webinar Mastery Series: How Security & Compliance become easier with SkyConne...Webinar Mastery Series: How Security & Compliance become easier with SkyConne...
Webinar Mastery Series: How Security & Compliance become easier with SkyConne...Mithi SkyConnect
 
FreeBSD and Hardening Web Server
FreeBSD and Hardening Web ServerFreeBSD and Hardening Web Server
FreeBSD and Hardening Web ServerMuhammad Moinur Rahman
 
How to Ensure You're Launching the Most Secure Website - Michael Tremante
How to Ensure You're Launching the Most Secure Website - Michael TremanteHow to Ensure You're Launching the Most Secure Website - Michael Tremante
How to Ensure You're Launching the Most Secure Website - Michael TremanteWP Engine
 
FedRAMP Is Broken (And here's how to fix it)
FedRAMP Is Broken (And here's how to fix it)FedRAMP Is Broken (And here's how to fix it)
FedRAMP Is Broken (And here's how to fix it)Wendy Knox Everette
 
Weaponizing Your Fitness Tracker Against You_ Health, Fitness, & Location Tra...
Weaponizing Your Fitness Tracker Against You_ Health, Fitness, & Location Tra...Weaponizing Your Fitness Tracker Against You_ Health, Fitness, & Location Tra...
Weaponizing Your Fitness Tracker Against You_ Health, Fitness, & Location Tra...Wendy Knox Everette
 

More Related Content

Similar to SeaSec East: Green Locks For You & Me

Massive emailing with Linux, Postfix and Ruby on Rails
Massive emailing with Linux, Postfix and Ruby on RailsMassive emailing with Linux, Postfix and Ruby on Rails
Massive emailing with Linux, Postfix and Ruby on Railsibelmonte
 
An Introduction To The DMARC SMTP Validation Requirements
An Introduction To The DMARC SMTP Validation RequirementsAn Introduction To The DMARC SMTP Validation Requirements
An Introduction To The DMARC SMTP Validation RequirementsGabriella Davis
 
Let's Encrypt: Better Security through Automation
Let's Encrypt: Better Security through AutomationLet's Encrypt: Better Security through Automation
Let's Encrypt: Better Security through AutomationAPNIC
 
Fighting Email Abuse with DMARC
Fighting Email Abuse with DMARCFighting Email Abuse with DMARC
Fighting Email Abuse with DMARCKurt Andersen
 
A Hitchhiker's Guide to troubleshooting IBM Connections
A Hitchhiker's Guide to troubleshooting IBM ConnectionsA Hitchhiker's Guide to troubleshooting IBM Connections
A Hitchhiker's Guide to troubleshooting IBM ConnectionsICON UK EVENTS Limited
 
A hitchhiker’s guide to troubleshooting ibm connections
A hitchhiker’s guide to troubleshooting ibm connectionsA hitchhiker’s guide to troubleshooting ibm connections
A hitchhiker’s guide to troubleshooting ibm connectionsSharon James
 
2010 5 xpg collaboration
2010 5 xpg collaboration2010 5 xpg collaboration
2010 5 xpg collaborationGuus Disselkoen
 
Keynote - Cloudy Vision: How Cloud Integration Complicates Security
Keynote - Cloudy Vision: How Cloud Integration Complicates SecurityKeynote - Cloudy Vision: How Cloud Integration Complicates Security
Keynote - Cloudy Vision: How Cloud Integration Complicates SecurityCloudVillage
 
Tips on Securing Drupal Sites - DrupalCamp Atlanta (DCA)
Tips on Securing Drupal Sites - DrupalCamp Atlanta (DCA)Tips on Securing Drupal Sites - DrupalCamp Atlanta (DCA)
Tips on Securing Drupal Sites - DrupalCamp Atlanta (DCA)cgmonroe
 
Operations: Security Crash Course — Best Practices for Securing your Company
Operations: Security Crash Course — Best Practices for Securing your CompanyOperations: Security Crash Course — Best Practices for Securing your Company
Operations: Security Crash Course — Best Practices for Securing your CompanyAmazon Web Services
 
Cisco umbrella youtube
Cisco umbrella youtubeCisco umbrella youtube
Cisco umbrella youtubeDhruv Sharma
 
DIY guide to runbooks, incident reports, and incident response
DIY guide to runbooks, incident reports, and incident responseDIY guide to runbooks, incident reports, and incident response
DIY guide to runbooks, incident reports, and incident responseNathan Case
 
Ubuntu And Parental Controls
Ubuntu And Parental ControlsUbuntu And Parental Controls
Ubuntu And Parental Controlsjasonholtzapple
 
Webinar Mastery Series: How Security & Compliance become easier with SkyConne...
Webinar Mastery Series: How Security & Compliance become easier with SkyConne...Webinar Mastery Series: How Security & Compliance become easier with SkyConne...
Webinar Mastery Series: How Security & Compliance become easier with SkyConne...Mithi SkyConnect
 
How to Ensure You're Launching the Most Secure Website - Michael Tremante
How to Ensure You're Launching the Most Secure Website - Michael TremanteHow to Ensure You're Launching the Most Secure Website - Michael Tremante
How to Ensure You're Launching the Most Secure Website - Michael TremanteWP Engine
 

Similar to SeaSec East: Green Locks For You & Me (20)

Massive emailing with Linux, Postfix and Ruby on Rails
Massive emailing with Linux, Postfix and Ruby on RailsMassive emailing with Linux, Postfix and Ruby on Rails
Massive emailing with Linux, Postfix and Ruby on Rails
 
An Introduction To The DMARC SMTP Validation Requirements
An Introduction To The DMARC SMTP Validation RequirementsAn Introduction To The DMARC SMTP Validation Requirements
An Introduction To The DMARC SMTP Validation Requirements
 
Anatomy of a Cloud Hack
Anatomy of a Cloud HackAnatomy of a Cloud Hack
Anatomy of a Cloud Hack
 
ION Sri Lanka - DANE: The Future of TLS
ION Sri Lanka - DANE: The Future of TLSION Sri Lanka - DANE: The Future of TLS
ION Sri Lanka - DANE: The Future of TLS
 
Let's Encrypt: Better Security through Automation
Let's Encrypt: Better Security through AutomationLet's Encrypt: Better Security through Automation
Let's Encrypt: Better Security through Automation
 
Fighting Email Abuse with DMARC
Fighting Email Abuse with DMARCFighting Email Abuse with DMARC
Fighting Email Abuse with DMARC
 
A Hitchhiker's Guide to troubleshooting IBM Connections
A Hitchhiker's Guide to troubleshooting IBM ConnectionsA Hitchhiker's Guide to troubleshooting IBM Connections
A Hitchhiker's Guide to troubleshooting IBM Connections
 
A hitchhiker’s guide to troubleshooting ibm connections
A hitchhiker’s guide to troubleshooting ibm connectionsA hitchhiker’s guide to troubleshooting ibm connections
A hitchhiker’s guide to troubleshooting ibm connections
 
2010 5 xpg collaboration
2010 5 xpg collaboration2010 5 xpg collaboration
2010 5 xpg collaboration
 
Keynote - Cloudy Vision: How Cloud Integration Complicates Security
Keynote - Cloudy Vision: How Cloud Integration Complicates SecurityKeynote - Cloudy Vision: How Cloud Integration Complicates Security
Keynote - Cloudy Vision: How Cloud Integration Complicates Security
 
Tietoturvallisuuden_kevatseminaari_2013_Jarno_Niemela
Tietoturvallisuuden_kevatseminaari_2013_Jarno_NiemelaTietoturvallisuuden_kevatseminaari_2013_Jarno_Niemela
Tietoturvallisuuden_kevatseminaari_2013_Jarno_Niemela
 
Tips on Securing Drupal Sites - DrupalCamp Atlanta (DCA)
Tips on Securing Drupal Sites - DrupalCamp Atlanta (DCA)Tips on Securing Drupal Sites - DrupalCamp Atlanta (DCA)
Tips on Securing Drupal Sites - DrupalCamp Atlanta (DCA)
 
Operations: Security Crash Course — Best Practices for Securing your Company
Operations: Security Crash Course — Best Practices for Securing your CompanyOperations: Security Crash Course — Best Practices for Securing your Company
Operations: Security Crash Course — Best Practices for Securing your Company
 
Operations: Security
Operations: SecurityOperations: Security
Operations: Security
 
Cisco umbrella youtube
Cisco umbrella youtubeCisco umbrella youtube
Cisco umbrella youtube
 
DIY guide to runbooks, incident reports, and incident response
DIY guide to runbooks, incident reports, and incident responseDIY guide to runbooks, incident reports, and incident response
DIY guide to runbooks, incident reports, and incident response
 
Ubuntu And Parental Controls
Ubuntu And Parental ControlsUbuntu And Parental Controls
Ubuntu And Parental Controls
 
Webinar Mastery Series: How Security & Compliance become easier with SkyConne...
Webinar Mastery Series: How Security & Compliance become easier with SkyConne...Webinar Mastery Series: How Security & Compliance become easier with SkyConne...
Webinar Mastery Series: How Security & Compliance become easier with SkyConne...
 
FreeBSD and Hardening Web Server
FreeBSD and Hardening Web ServerFreeBSD and Hardening Web Server
FreeBSD and Hardening Web Server
 
How to Ensure You're Launching the Most Secure Website - Michael Tremante
How to Ensure You're Launching the Most Secure Website - Michael TremanteHow to Ensure You're Launching the Most Secure Website - Michael Tremante
How to Ensure You're Launching the Most Secure Website - Michael Tremante
 

More from Wendy Knox Everette

FedRAMP Is Broken (And here's how to fix it)
FedRAMP Is Broken (And here's how to fix it)FedRAMP Is Broken (And here's how to fix it)
FedRAMP Is Broken (And here's how to fix it)Wendy Knox Everette
 
Weaponizing Your Fitness Tracker Against You_ Health, Fitness, & Location Tra...
Weaponizing Your Fitness Tracker Against You_ Health, Fitness, & Location Tra...Weaponizing Your Fitness Tracker Against You_ Health, Fitness, & Location Tra...
Weaponizing Your Fitness Tracker Against You_ Health, Fitness, & Location Tra...Wendy Knox Everette
 
Lets talk about soc2s, baby! BSidesLV 2021
Lets talk about soc2s, baby! BSidesLV 2021Lets talk about soc2s, baby! BSidesLV 2021
Lets talk about soc2s, baby! BSidesLV 2021Wendy Knox Everette
 
Vendors, and Risk, and Tigers, and Bears, Oh My: How to Create a Vendor Revie...
Vendors, and Risk, and Tigers, and Bears, Oh My: How to Create a Vendor Revie...Vendors, and Risk, and Tigers, and Bears, Oh My: How to Create a Vendor Revie...
Vendors, and Risk, and Tigers, and Bears, Oh My: How to Create a Vendor Revie...Wendy Knox Everette
 
BSidesPDX "An update from the crypto wars 2.0"
BSidesPDX "An update from the crypto wars 2.0"BSidesPDX "An update from the crypto wars 2.0"
BSidesPDX "An update from the crypto wars 2.0"Wendy Knox Everette
 
Security engineering 101 when good design & security work together
Security engineering 101 when good design & security work togetherSecurity engineering 101 when good design & security work together
Security engineering 101 when good design & security work togetherWendy Knox Everette
 
Incident Response and the Attorney Client Privilege - ShmooCon 2019
Incident Response and the Attorney Client Privilege - ShmooCon 2019Incident Response and the Attorney Client Privilege - ShmooCon 2019
Incident Response and the Attorney Client Privilege - ShmooCon 2019Wendy Knox Everette
 
Meet the hackers: Seattle Tech Law CLE December 2018
Meet the hackers: Seattle Tech Law CLE December 2018Meet the hackers: Seattle Tech Law CLE December 2018
Meet the hackers: Seattle Tech Law CLE December 2018Wendy Knox Everette
 
Fingerprints, Passcodes, and Self Incrimination - BSides Nova
Fingerprints, Passcodes, and Self Incrimination - BSides NovaFingerprints, Passcodes, and Self Incrimination - BSides Nova
Fingerprints, Passcodes, and Self Incrimination - BSides NovaWendy Knox Everette
 
Regulatory Nets vs the Fishing Hook of Litigation - BSides Las Vegas 2017
Regulatory Nets vs the Fishing Hook of Litigation - BSides Las Vegas 2017Regulatory Nets vs the Fishing Hook of Litigation - BSides Las Vegas 2017
Regulatory Nets vs the Fishing Hook of Litigation - BSides Las Vegas 2017Wendy Knox Everette
 
Security Vulnerabilities, the Current State of Consumer Protection Law, & how...
Security Vulnerabilities, the Current State of Consumer Protection Law, & how...Security Vulnerabilities, the Current State of Consumer Protection Law, & how...
Security Vulnerabilities, the Current State of Consumer Protection Law, & how...Wendy Knox Everette
 

More from Wendy Knox Everette (12)

FedRAMP Is Broken (And here's how to fix it)
FedRAMP Is Broken (And here's how to fix it)FedRAMP Is Broken (And here's how to fix it)
FedRAMP Is Broken (And here's how to fix it)
 
Weaponizing Your Fitness Tracker Against You_ Health, Fitness, & Location Tra...
Weaponizing Your Fitness Tracker Against You_ Health, Fitness, & Location Tra...Weaponizing Your Fitness Tracker Against You_ Health, Fitness, & Location Tra...
Weaponizing Your Fitness Tracker Against You_ Health, Fitness, & Location Tra...
 
Lets talk about soc2s, baby! BSidesLV 2021
Lets talk about soc2s, baby! BSidesLV 2021Lets talk about soc2s, baby! BSidesLV 2021
Lets talk about soc2s, baby! BSidesLV 2021
 
Vendors, and Risk, and Tigers, and Bears, Oh My: How to Create a Vendor Revie...
Vendors, and Risk, and Tigers, and Bears, Oh My: How to Create a Vendor Revie...Vendors, and Risk, and Tigers, and Bears, Oh My: How to Create a Vendor Revie...
Vendors, and Risk, and Tigers, and Bears, Oh My: How to Create a Vendor Revie...
 
BSidesPDX "An update from the crypto wars 2.0"
BSidesPDX "An update from the crypto wars 2.0"BSidesPDX "An update from the crypto wars 2.0"
BSidesPDX "An update from the crypto wars 2.0"
 
Security engineering 101 when good design & security work together
Security engineering 101 when good design & security work togetherSecurity engineering 101 when good design & security work together
Security engineering 101 when good design & security work together
 
Incident Response and the Attorney Client Privilege - ShmooCon 2019
Incident Response and the Attorney Client Privilege - ShmooCon 2019Incident Response and the Attorney Client Privilege - ShmooCon 2019
Incident Response and the Attorney Client Privilege - ShmooCon 2019
 
Meet the hackers: Seattle Tech Law CLE December 2018
Meet the hackers: Seattle Tech Law CLE December 2018Meet the hackers: Seattle Tech Law CLE December 2018
Meet the hackers: Seattle Tech Law CLE December 2018
 
An Encyclopedia of Wiretaps
An Encyclopedia of WiretapsAn Encyclopedia of Wiretaps
An Encyclopedia of Wiretaps
 
Fingerprints, Passcodes, and Self Incrimination - BSides Nova
Fingerprints, Passcodes, and Self Incrimination - BSides NovaFingerprints, Passcodes, and Self Incrimination - BSides Nova
Fingerprints, Passcodes, and Self Incrimination - BSides Nova
 
Regulatory Nets vs the Fishing Hook of Litigation - BSides Las Vegas 2017
Regulatory Nets vs the Fishing Hook of Litigation - BSides Las Vegas 2017Regulatory Nets vs the Fishing Hook of Litigation - BSides Las Vegas 2017
Regulatory Nets vs the Fishing Hook of Litigation - BSides Las Vegas 2017
 
Security Vulnerabilities, the Current State of Consumer Protection Law, & how...
Security Vulnerabilities, the Current State of Consumer Protection Law, & how...Security Vulnerabilities, the Current State of Consumer Protection Law, & how...
Security Vulnerabilities, the Current State of Consumer Protection Law, & how...
 

Recently uploaded

₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...Diya Sharma
 
Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$
Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$
Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$kojalkojal131
 
AlbaniaDreamin24 - How to easily use an API with Flows
AlbaniaDreamin24 - How to easily use an API with FlowsAlbaniaDreamin24 - How to easily use an API with Flows
AlbaniaDreamin24 - How to easily use an API with FlowsThierry TROUIN ☁
 
Gram Darshan PPT cyber rural in villages of india
Gram Darshan PPT cyber rural in villages of indiaGram Darshan PPT cyber rural in villages of india
Gram Darshan PPT cyber rural in villages of indiaimessage0108
 
Challengers I Told Ya ShirtChallengers I Told Ya Shirt
Challengers I Told Ya ShirtChallengers I Told Ya ShirtChallengers I Told Ya ShirtChallengers I Told Ya Shirt
Challengers I Told Ya ShirtChallengers I Told Ya Shirtrahman018755
 
Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls KolkataRussian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkataanamikaraghav4
 
Low Rate Call Girls Kolkata Avani 🤌 8250192130 🚀 Vip Call Girls Kolkata
Low Rate Call Girls Kolkata Avani 🤌 8250192130 🚀 Vip Call Girls KolkataLow Rate Call Girls Kolkata Avani 🤌 8250192130 🚀 Vip Call Girls Kolkata
Low Rate Call Girls Kolkata Avani 🤌 8250192130 🚀 Vip Call Girls Kolkataanamikaraghav4
 
On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024APNIC
 
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts serviceChennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts servicesonalikaur4
 
Russian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls KolkataRussian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls Kolkataanamikaraghav4
 
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With RoomVIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Roomdivyansh0kumar0
 
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...APNIC
 
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts serviceChennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts servicevipmodelshub1
 
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.soniya singh
 
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip CallDelhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Callshivangimorya083
 
Networking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGNetworking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGAPNIC
 
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝soniya singh
 

Recently uploaded (20)

₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
 
Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$
Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$
Call Girls Dubai Prolapsed O525547819 Call Girls In Dubai Princes$
 
AlbaniaDreamin24 - How to easily use an API with Flows
AlbaniaDreamin24 - How to easily use an API with FlowsAlbaniaDreamin24 - How to easily use an API with Flows
AlbaniaDreamin24 - How to easily use an API with Flows
 
Gram Darshan PPT cyber rural in villages of india
Gram Darshan PPT cyber rural in villages of indiaGram Darshan PPT cyber rural in villages of india
Gram Darshan PPT cyber rural in villages of india
 
Challengers I Told Ya ShirtChallengers I Told Ya Shirt
Challengers I Told Ya ShirtChallengers I Told Ya ShirtChallengers I Told Ya ShirtChallengers I Told Ya Shirt
Challengers I Told Ya ShirtChallengers I Told Ya Shirt
 
Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝
 
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls KolkataRussian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
 
Low Rate Call Girls Kolkata Avani 🤌 8250192130 🚀 Vip Call Girls Kolkata
Low Rate Call Girls Kolkata Avani 🤌 8250192130 🚀 Vip Call Girls KolkataLow Rate Call Girls Kolkata Avani 🤌 8250192130 🚀 Vip Call Girls Kolkata
Low Rate Call Girls Kolkata Avani 🤌 8250192130 🚀 Vip Call Girls Kolkata
 
On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024
 
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts serviceChennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts service
 
Russian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls KolkataRussian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls Kolkata
 
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With RoomVIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
 
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
 
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts serviceChennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
 
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
 
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
 
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip CallDelhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
 
Networking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGNetworking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOG
 
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
 
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
 

SeaSec East: Green Locks For You & Me

  • 2. Wendy Knox Everette Senior Security Advisor, Leviathan Security Group @wendyck SeaSec East September 5, 2018
  • 3. WEBSITES WITHOUT HTTPS Chrome now labels these as “not secure”
  • 5. SITES WITH HTTPS Green lock indicating SSL
  • 6. HOW DO I SECURE MY WEBSITE? • Lets Encrypt and Cloudflare are two of the services offering free certificates to websites • Both work well with Github pages, which is what this talk will demonstrate • There are lots of other hosting options like WordPress as well
  • 7. SETTING UP THE CERTIFICATE AND DOMAIN • Github Pages TLS with custom domains announcement: https://blog.github.com/2018-05-01-github-pages-custom-domains-https/ • Directions: https://help.github.com/articles/using-a-custom-domain-with- github-pages/
  • 8. On GitHub, create your repo: [USERNAME].github.io
  • 9. Check out the repo to your local machine (I like GitHub Desktop) create a index.html (your homepage!) and any other webpage files
  • 10. Create a new text file named CNAME at the root of the repo and put your domain name into it
  • 11. Go to the Settings for your new repo and scroll down to custom domain
  • 12. SET UP NAME SERVERS • If you’re using Cloudflare, point to their DNS servers, and configure there • Make sure you set your domain on the repo on GitHub FIRST
  • 13. GitHub directions: Apex Domain DNS Configuration: Create configure an ALIAS, ANAME, or A record at your DNS provider
  • 14. Set the “A” record values to be the IP addresses that GitHub provides in their help pages (https://help.github.com/articles/setting- up-an-apex-domain/)
  • 16. Sites behind Cloudflare’s CDN do not look like they’re configured correctly to GitHub
  • 17.
  • 18. Site that is not behind Cloudflare’s CDN
  • 19.
  • 20.
  • 22.
  • 23. A sidebar about DNS debugging tools
  • 24. DNS lookup tools Mac/Linux: ● dig ● https://toolbox.googleapps.com/apps/dig Windows ● nslookup ● https://network-tools.com/nslook/
  • 25. NEXT… SO YOU HAVE EMAIL ON YOUR PERSONAL DOMAIN: HOW DO PREVENT IT FROM BEING SPOOFED?
  • 26. Why bother? Some statistics from a Usenix paper “email phishing has involved in nearly half of the 2000+ reported security breaches in recent two years, causing a leakage of billions of user records” Scanned Alexa top 1 million from February 2017 to January 2018 Found very low adoption rates of SPF and DMARC: ● SPF 44.9% ● DMARC 5.1% End-to-End Measurements of Email Spoofing Attacks Hang Hu and Gang Wang, Virginia Tech https://www.usenix.org/conference/usenixsecurit y18/presentation/hu
  • 27. DO I NEED TO DO THIS? I'd assumed at first that since I was using Google Apps Gmail for my email that it couldn't be used to spoof. Turns out I was wrong
  • 28. SPF - SENDER PERMITTED FROM • https://blog.returnpath.com/how-to-explain-spf-in-plain-english/ • Lets a domain owner specify the only IP addresses that can send email for that domain • Up to recipients to check for matches
  • 29. DKIM - DOMAINKEYS IDENTIFIED MAIL • https://blog.returnpath.com/how-to-explain-dkim-in-plain-english-2/ • Allows us to cryptographically sign our emails! the elements of the email to be signed are encrypted with our private key….verification that email is legitimate through cryptographic authentication • Public key to decrypt is available in DNS • Unfortunately not really widely adopted yet - but GSuite supports it
  • 30. DMARC - DOMAIN-BASED MESSAGE AUTHENTICATION, REPORTING & CONFORMANCE • Builds on DKIM & SPF • Ensures spoofed emails are blocked
  • 32. let’sbegin…. • We will figure out the IP addresses for SPF • Then get our private key for DKIM • Then create an initial DMARC policy • Finally, going back to Cloudflare, we will add some new DNS records- 3 TXT records to set up DMARC/DKIM/SPF using the information we generated
  • 33. GENERATE DKIM PUBLIC KEYS • This is will go into your DNS settings in a TXT record • For GSuite, go to the admin dashboard, then Apps (in the left sidebar) > Gmail > Authenticate email • https://support.google.com/a/answer/174124?hl=en
  • 34.
  • 35. CREATE TXT RECORD • Name of the TXT record will be “google._domainkey” • Value will be the full contents of the string that starts with “v=DKIM1; k=rsa; p=…..”
  • 36. CLOUDFLARE DNS ENTRY: Select TXT from the dropdown
  • 37. DKIM DNS entry is all set:
  • 38. DKIM TAGS Learn More: ● https://us.dmarcian.com/dkim-inspector/ ● https://support.symantec.com/en_US/article.TECH131385.html
  • 39. DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=wendyk.org; s=google; h=mime-version:from:date:message-id:subject:to; bh=J4wOdPKBCGKDJu2gipRt6L/Ys5LW5rWG1r1oeQZ/Woo=; b=dir909v+lNJ4mjzATO5fmgeXWdFzN6n+JNkPLtuxBcOeTF4JYYhMQR6s7JwN7k3/ou 67gPvacuG7ZZAn5v5aMv8TOI06XFCXv71CowSwfDz8rbF7B57RvoW5aog/vpy3s1/lPr hMT9Kk3MULXbJQF48Qv/LbpMRsJDzlIizpgIxxrgDjZyKH4oWxZlLfOl2g4FGBjNv5I3 wHmQu/Ewgm040IsC4kGvXyFEKG2Yvw6U5BV1auM0UCZKKk/MuncvQcKAVmEnfUPUarsS ioGBrncFJf4d2AEtGW18JXqnGNvfK2ZqB922hYLsxOcaMb6+tAWaXNUcBaym48xCgSpC k+FQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=J4wOdPKBCGKDJu2gipRt6L/Ys5LW5rWG1r1oeQZ/Woo=; b=G7F+urifcvii9E+0NH7fn86HjxzcpLkDtU6VFW/grlFM7v17RsMdGjb7JfIHujJzy4 sCywy2zRTodm5/erlaYBpvPlHNDZzKIJzOS+Ti/giwuRDd7usuybQdEFE+9FU+zO3xiL fwe2rSG0FsExe9LHR1arJaavE4oM12rKjC0BBuFgvcIyAnWEA3LIDK8BStXFD6F0OvvJ AftnZiR++4+zbBo0af9olLMVBIcdQD/Y1Z4F56CZu3nsozlTraRbd7P7ihgES+4EUueh gRjU02zfnIgXCR1XqG8UpLpDFNYN3KvNvxG96ppuNrxtVUM4Gfagc3s8LGfbSTNP/FQV O8mQ==
  • 40. ENTER SPF SETTINGS Create an SPF record for your domain: “v=spf1 include:_spf.google.com ~all” https://support.google.com/a/answer/33786?hl=en
  • 41. wait for those to propagate, and make sure nothing broke….
  • 42. NOW WE’RE READY TO SET UP DMARC….
  • 43. SIGN UP FOR DMARCIAN https://dmarcian.com/register/
  • 46.
  • 47. DMARC “POLICY” • Tells webserver what to do with email that fails SPF & DKIM • Start with p=none - this will give you reporting with no action taken on emails. Important so you don’t block all your emails • once that works, move to p=quarantine • Can then move to p=reject https://dmarcian.com/start-dmarc/
  • 48. REPORTING DMARC DATA • This is where reports of failures are sent. Can be any valid email address. • If we send reporting to a DMarcian email, will show up in your DMarcian account • rua=mailto:ditp3aec@ag.dmarcian.com
  • 49. This is complicated! How do I build this string? https://dmarcian.com/dmarc-record-wizard/
  • 51. REPORTS • You could provide your own email in the “rua” tag to receive reports & crunch your own graphs…. • Or we can send reports to DMarcian and use their tools. You can see reports on DMarcian’s Monitor tab
  • 52. Sources shows where email sent with your domain is from. Threat/Unknown are emails from servers that don’t match your SPF/DKIM settings
  • 53.
  • 54.
  • 55.
  • 56.
  • 57.
  • 58. TROUBLESHOOTING • DMarcian’s Issues tab under “Monitor” is very helpful (and don’t forget about dig and nslookup)
  • 59. IF YOU RUN YOUR OWN MAIL SERVER
  • 60. MTA STRICT TRANSPORT SECURITY (MTA-STS) • Allows domains to require authentication and TLS encryption for SMTP
  • 61. START-TLS • Allows your mail server to protect against downgrades • https://starttls-everywhere.org/ • Creating a list of email servers that use TLS
  • 62. MORE RESOURCES • https://www.ftc.gov/news-events/blogs/business-blog/2017/03/want-stop-phishers-use-email- authentication • https://blog.returnpath.com/how-to-explain-spf-in-plain-english/ • https://blog.returnpath.com/how-to-explain-dkim-in-plain-english-2/ • https://blog.returnpath.com/how-to-explain-dmarc-in-plain-english/ • https://zakird.com/papers/mail.pdf • https://www.usenix.org/system/files/conference/usenixsecurity18/sec18-hu.pdf
  • 63. Suggested Questions What happens with DMARC if you don’t have SPF and DKIM set up? What does SPF do again? What’s DKIM once more? What kind of encryption is going on with DKIM? I use <other technology> how can I <secure my website/email>?