Adding DKIM with Haraka

This is the 3rd post in a series about setting up an outbound SMTP server with DKIM signing and smart host forwarding. Here you will learn how to configure an existing Haraka server to sign all outbound emails with a DKIM header.

After setting up the libraries, config files, system service, and smart host forwarding, adding the DKIM plugin should seem like a breeze. I’m including a couple of extra steps where the documentation didn’t quite get me all the way to the finish line.

DomainKeys Identified Mail, in case you weren’t familiar with it, allows the sending server to add a cryptographic signature to each message, with the public key published in a DNS record. The receiver can then verify the signature against the key published for that domain.


External Link Security Broken in Excel

Excel Security Warning About Linked Workbooks

After linking two local Excel files by a simple reference to a cell in another workbook, I began seeing an ominous error:

SECURITY WARNING  Links to external sources could be unsafe. If you trust the links, click Update. Click for more details.

This behavior was observed in version 1907 of Excel from the Office 365 software package.

Warnings of this nature should be taken seriously.  In this case, however, the message has been seriously mislabeled.  Clicking into the details brings up an ancient Help page for Excel 2007.  Searching for similar situations online brings up some misleading instructions.

If you are experiencing the situation described above, continue reading below for a simple workaround and more background information.


OpenVPN tls-auth Option is Critical

Someone attempted a very noisy attack against my router’s built-in OpenVPN server today.  While there was no chance this person could guess my encryption parameters to gain access, he or she did manage to cause a denial of service.

The log excerpt looks like a whole lot of these:

Sep  6 12:40:15 vpnserver1[535]: 148.163.126.72:22475 TLS: Initial packet from [AF_INET]148.163.126.72:22475 (via [AF_INET]%eth0), sid=6a22eb44 5adb63fe
Sep  6 12:40:15 vpnserver1[535]: 148.163.126.72:57036 TLS: Initial packet from [AF_INET]148.163.126.72:57036 (via [AF_INET]%eth0), sid=6a22eb44 5adb63fe
Sep  6 12:40:17 vpnserver1[535]: 148.163.126.72:20089 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sep  6 12:40:17 vpnserver1[535]: 148.163.126.72:20089 TLS Error: TLS handshake failed
Sep  6 12:40:17 vpnserver1[535]: 148.163.126.72:20089 SIGUSR1[soft,tls-error] received, client-instance restarting
Sep  6 12:40:18 vpnserver1[535]: 148.163.126.72:35987 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sep  6 12:40:18 vpnserver1[535]: 148.163.126.72:35987 TLS Error: TLS handshake failed
Sep  6 12:40:18 vpnserver1[535]: 148.163.126.72:35987 SIGUSR1[soft,tls-error] received, client-instance restarting
Sep  6 12:40:19 vpnserver1[535]: 148.163.126.72:55183 TLS: Initial packet from [AF_INET]148.163.126.72:55183 (via [AF_INET]%eth0), sid=6a22eb44 5adb63fe
Sep  6 12:40:19 vpnserver1[535]: 148.163.126.72:12142 TLS: Initial packet from [AF_INET]148.163.126.72:12142 (via [AF_INET]%eth0), sid=6a22eb44 5adb63fe
Sep  6 12:40:20 vpnserver1[535]: 148.163.126.72:50926 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sep  6 12:40:20 vpnserver1[535]: 148.163.126.72:50926 TLS Error: TLS handshake failed
Sep  6 12:40:20 vpnserver1[535]: 148.163.126.72:50926 SIGUSR1[soft,tls-error] received, client-instance restarting
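As an added example (not from the original post), the script below scans syslog lines in the format of the excerpt above and flags a source address that fails TLS handshakes from many different ports, which is the trace a handshake flood leaves behind; the sample lines are constructed, and the 203.0.113.9 address is a documentation-range placeholder.

```python
import re
from collections import defaultdict

# Constructed sample lines in the same format as the OpenVPN log excerpt above
SAMPLE_LOG = """\
Sep  6 12:40:15 vpnserver1[535]: 148.163.126.72:22475 TLS: Initial packet from [AF_INET]148.163.126.72:22475 (via [AF_INET]%eth0), sid=6a22eb44 5adb63fe
Sep  6 12:40:17 vpnserver1[535]: 148.163.126.72:20089 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sep  6 12:40:17 vpnserver1[535]: 148.163.126.72:20089 TLS Error: TLS handshake failed
Sep  6 12:40:17 vpnserver1[535]: 148.163.126.72:20089 SIGUSR1[soft,tls-error] received, client-instance restarting
Sep  6 12:40:18 vpnserver1[535]: 148.163.126.72:35987 TLS Error: TLS handshake failed
Sep  6 12:40:20 vpnserver1[535]: 148.163.126.72:50926 TLS Error: TLS handshake failed
Sep  6 12:41:02 vpnserver1[535]: 203.0.113.9:1194 TLS: Initial packet from [AF_INET]203.0.113.9:1194 (via [AF_INET]%eth0), sid=1b2c3d4e 5f607182
"""

# syslog timestamp, process tag, then "ip:port message" as OpenVPN writes it
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ "
    r"(?P<ip>\d+\.\d+\.\d+\.\d+):(?P<port>\d+) (?P<msg>.*)$"
)


def summarize_tls_failures(log_text):
    """Per source IP: count 'TLS handshake failed' events, record the distinct
    source ports they came from, and count 'Initial packet' lines."""
    stats = defaultdict(lambda: {"failures": 0, "ports": set(), "initial": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated syslog line
        entry = stats[m["ip"]]
        if "TLS handshake failed" in m["msg"]:
            entry["failures"] += 1
            entry["ports"].add(int(m["port"]))
        elif m["msg"].startswith("TLS: Initial packet"):
            entry["initial"] += 1
    return stats


def flag_floods(stats, min_failures=3, min_ports=3):
    """Return source IPs whose handshake failures came from at least min_ports
    distinct ephemeral ports; a single misconfigured client retrying usually
    reuses one port, while the flood in the excerpt rotates through many."""
    return sorted(ip for ip, s in stats.items()
                  if s["failures"] >= min_failures and len(s["ports"]) >= min_ports)


if __name__ == "__main__":
    print(flag_floods(summarize_tls_failures(SAMPLE_LOG)))
```

With tls-auth enabled, packets that do not carry the correct HMAC are dropped before any TLS negotiation starts, so this pattern stops consuming server resources and the log reduces to a short HMAC-authentication failure per bogus packet.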


How to Filter Xfinity Script Injections

Is your Xfinity ISP injecting horrible scripts and dialog messages into every unencrypted website that you visit?  It might look like this:

Xfinity XSS Garbage

We’ve increased Internet speeds in your area.

Update your modem to start enjoying them.

We’ve noticed you have an older modem that can’t keep up with faster Internet speeds now available in your area.

To start enjoying faster Internet, you can:

Buy from a retailer

Before you make your purchase, visit mydeviceinfo.xfinity.com to view a list of modems certified on our network.

Lease an XFINITY Gateway (Comcast lease fees would apply)

Call 1–855–242–2876 to order a Wireless Gateway and we will send you everything you need to get set up.

Thank you for choosing XFINITY. Ensuring that you get the most from your Internet service is part of our commitment to improving your overall experience.

In the Chrome web browser, you can block this with the ComcastBlocker extension.  The Xfinity script still loads, but its effects are minimized by removing all the display elements.

Virus Infected Email

Screenshot of a fake Office 365 error message.
Danger! Do Not Touch!

If you see a Word document containing the following phrase, it is fake and should be deleted immediately:

This document created in online version of Microsoft Office Word

Legitimate software never issues such a message.

Instructions included with the file asking the user to “Enable content” should raise red flags and serious concerns about the file’s origin.

A quick scan using an online virus checker confirmed this file is infected.  Be careful out there.

How to Block the Amazon AWS EC2

Years ago, I found it necessary to start maintaining a list of Amazon’s subnets so that I could block them easily.  This list can be used in .htaccess and firewalls that can block access using CIDR subnet addresses.

This topic was formerly hosted on the forumpostersunion.com website, which now appears to be gone.  The AWS Forums and AWS re:Post threads are also obsolete.

For current information, see: Amazon EC2 Public IP Ranges

Photo Privacy Broken on Facebook Timeline

Have you ever added one of your photos to a Facebook group?  If so, you might want to delete your photo albums right now.  I discovered today that the Facebook privacy settings for photos do not work.

Inspired by a discussion about social media I heard on NPR, I went into Facebook to do a thorough check and re-check of all of my privacy settings.  Guess what?

Dozens of photos I have on my Timeline are now publicly available.  >:{  Every one of those photos is set to “Friends” only privacy.  When I click the “View As…” option and then “Public”, all of those photos are now appearing on my public Timeline profile.

To confirm this, I registered a fake account that has no friends.  I viewed my own profile using that new account and a different web browser.  When I scrolled down far enough on the Timeline, my old photos started showing up to this newly registered user!

The fake user gets nothing by clicking on the “Photos” section near the top, suggesting this bug is specific to the new Timeline profile feature.

In an unsuccessful attempt to hide the photos, I used my real account to reset the album privacy to “Only Me”.  At this point, the photos were still appearing in the public preview as well as the fake account viewing my real profile.
