Threat Level: green Handler on Duty: Daniel Wesemann

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

DNS Sinkhole Scripts Fixes/Update

Published: 2012-01-21
Last Updated: 2012-01-21 22:29:28 UTC
by Guy Bruneau (Version: 1)
4 comment(s)

In October 2011 [1], I released an update for the main parser script used to generate the BIND/PowerDNS configuration files. This release of the sinkhole_parser.sh script contains some important fixes, including a rewrite of the section that parses the multiple sites into 2 separate lists: site_specific_sinkhole.conf (host web list) and entire_domain_sinkhole.conf (domain wildcard web list). The script contains new lists that were not part of the 7 July 2011 release.

The script contains a fix for parsing and loading records into PowerDNS database where sometimes it would fail indicating that a record was already loaded. It has been fixed in both the sinkhole_parser.sh and powerdns_sinkhole_logs.sh (located in /usr/local/sbin) used in Webmin to load records from the GUI.

A new script, search.sh (/root/scripts) has been added to provide a search capability in Webmin (two files copied to /etc/webmin/dns-sinkhole) of the BIND DNS Sinkhole lists to verify if a particular host or domain is listed in the sinkhole.

The script is available on the handler's server here with the MD5 here. You can either untar the tarball in / or move the scripts in the location indicated in this diary.

[1] http://isc.sans.edu/diary.html?storyid=11818
[2] http://handlers.dshield.org/gbruneau/
[3] http://handlers.dshield.org/gbruneau/dns-sinkhole/dns-sinkhole-scripts.tgz

-----------

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu

Keywords: DNS Sinkhole
4 comment(s)

The privacy hodgepodge and IP Addresses

Published: 2012-01-21
Last Updated: 2012-01-21 02:28:59 UTC
by Mark Hofman (Version: 1)
9 comment(s)

A comment on one of the articles earlier this week prompted me to dig around privacy legislation from various part of the planet, only to realise what a mess it is and I should probably just have mowed the lawn instead. It would have been easier on the brain.  So just to give you something to think about over the weekend, or discuss at a BBQ. Is an IP address personal data? If you are in a rush, the conclusion I came to was "it depends".    

Just before we go on I will start all of this with "I am not a lawyer" (IANAL), just a security guy trying to make sense of things and likely getting some of it wrong. So if you have a need to know for sure, I suggest you ask a lawyer.

Before we get to IP addresses we'll need to define what personal data is. This seems to be fairly consistent between countries. This is likely because most privacy legislation is based on the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data  first adopted in 1980 after almost 10 years of discussion.  Generally the definition of Personal data boils down to any information that can identify a particular individual.  Some countries expand this by explicitly stating things such as race, religion, sex and other information that most of us would consider personal. 

From an IP address perspective, do IP addresses fit that definition? This is where it starts getting very muddy. It appears that in some countries the answer is yes and in others it is no. To add a third option, some countries go with, only if it is combined with other items that identify a person. 

When we started discussing this Swa, one of the other handlers pointed out this document "Study of case law on the circumstances in which IP addresses are considered personal data"   It is a study of the various laws in the EU and how they relate to the EU directives regarding privacy (page 16 especially).   The rest of the document is a good read, but the table on page 16 makes it very clear how confused privacy laws can be.  The table shows, for example that in Austria there is no doubt, IP addresses are personal data. In the Netherlands they are not. In Bulgaria it is when combined with other information. In Italy it most certainly is. As for the rest of the world? In the US the answer seems to be no it isn't.  In AU, the approach tends to be, when combined with other personal data it is. If you happened to know your local situation add it to the comments.

When I read the study from Timelex other questions popped into my head. So if IP addresses are Personal Data can I have web logs? Can I use a third party to track visits? Probably not, at least not if I'm based in those countries that say IP Addresses are personal data. Mind you many countries do have exemptions for research and security related activities, so sharing log extract, etc is still OK (remember IANAL so check if you need to be certain).

Other questions that popped in. Can I outsource to other countries? Maybe I can share the data with them, but can they give it back? Whose laws apply when I place stuff in the cloud? For example the ammendments to India's laws, according to informationweek.com,  applies to data collected in India, but also data provided by overseas companies. What if you are a multinational? Which privacy laws apply?

Plenty to think about and I'm not suggesting that we should all become privacy experts or international privacy lawyers. What I am suggesting, however, is that you may need to point out that it needs to be thought about. After all our job is to help protect the organisation from risk. 

If you want more info Wikipedia has some good links from their Privacy Law page.  Some of the other resources around:

If you have some resources, preferably from official bodies, that you think others should know about, add them to the comments or send them in.

Enjoy the weekend.

Mark H

Keywords:
9 comment(s)
Diary Archives