By Gerard Best
IBM Security, Packet Clearing House (PCH) and Global Cyber Alliance (GCA) unveiled a free Domain Name System (DNS) service designed to protect all Internet users from a wide range of common cyber threats. Launched on November 16 with simultaneous press events in London, Maputo and New York, the public DNS resolver has strong privacy and security features built-in, and can be enabled with a few changes to network settings, as outlined on the organization’s website.
Using the IP address 184.108.40.206, the aptly named Quad9 service leverages IBM X-Force threat intelligence and further correlates with more than a dozen additional threat intelligence feeds from leading cybersecurity firms, in order to help keep individual users’ data and devices safe. It automatically protects users from accessing any website or internet address identified as dangerous.
“Leveraging threat intelligence is a critical way to stay ahead of cybercriminals,” Jim Brennan, Vice President Strategy and Offering Management, IBM Security, said in a release. “Consumers and small businesses traditionally didn’t have free, direct access to the raw data used by security firms to protect big businesses. With Quad9, we’re putting that data to work for the industry in an open way and further enriching those insights via the community of users. Through IBM’s donating use of the 220.127.116.11 address to Quad9, we’re applying these collaborative defense techniques while giving users greater privacy controls.”
The open, free service became the latest to provide security to end users on a global scale by leveraging the DNS system to deliver a smart threat intelligence feed.
“Quad9 is a free layer of protection that can put the DNS to work for all Internet users,” said John Todd, executive director of Quad9. “It allows optional encryption of the query between the user and the server, and it minimises the amount of data that can leak to unknown destinations. And it uses DNSSEC to cryptographically validate the content of the DNS answers that it’s passing back to users for domain names that implement this security feature.”
It allows users to select from secure and unsecured service, the latter being for more advanced users who may have specific reasons they want to get to malware or phishing sites, or who want to perform testing against an unfiltered DNS recursive resolver. The service can also be extended to IoT devices, which face vulnerabilities such as botnet command-and-control requests.
Not only does Quad9 help Internet users avoid millions of malicious websites, but it also promises to help keep their browsing habits private. Deep-pocketed online advertisers are constantly investing in ways to take personal data from unsuspecting Internet users, in order to edge out competitors and expand markets. Frequently, low-security DNS servers are used to build extensive personal profiles of Internet users, including their browsing habits, location and identity. Many DNS providers, including many larger ISPs, are already in the lucrative business of storing personal data for resale to market research firms or digital advertising groups.
A further blow was struck in April when the US Federal Communications Commission repealed broadband privacy rules that would have required Internet service providers to get consumer consent before selling or sharing personal information with advertisers and other companies. But the fight is far from over. With the launch of Quad9, a group of Internet non-profits has made available a free service specifically designed to put Internet users back in control of their personal data.
The service is deliberately engineered to not store or analyze personally identifiable information (PII). Todd said that decision was, in part, a deliberate stance against the ingrained practice among Internet service providers (ISPs) who collect and resell private information to commercial data brokers such as online marketers.
“Our foremost goal is to protect Internet users from malicious actors, whether the threat be from malware or fraud or the nonconsensual monetization of their privacy. Quad9 doesn’t collect or store any PII, including Internet Protocol addresses. We don’t have accounts or profiles or ask who our users are. Since we don’t collect personal information, it can’t be sold or stolen,” he said.
The new service comes at a time when better protection of consumer data and Internet user privacy are being demanded by stakeholders, including governments. In May 2018, the European Union will adopt the General Data Protection Regulation (GDPR), a set of sweeping regulations meant to protect the personal data and privacy of its citizens.
Like their counterparts in Europe and USA, Caribbean stakeholders also stand to gain from these security and privacy benefits. By some estimates, global cybercrime will cost approximately $6 trillion per year on average through 2021. For businesses in developing economies of the Caribbean, cybercrime is a major concern. Around the region, legislators, law enforcement officials and security experts are locked in a struggle to keep pace with the escalating sophistication of transnational cybercriminal operations. The high cost typically involved in protecting against attacks by blocking them through DNS could explain why that technique has not been used widely by Caribbean businesses and Internet users.
“Sophisticated corporations can subscribe to dozens of threat feeds and block them through DNS, or pay a commercial provider for the service. However, small to medium-sized businesses and consumers have been left behind — they lack the resources or are not aware of what can be done with DNS. Quad9 solves these problems. It is memorable, easy to use, relies on excellent and broad threat information, protects privacy and security, and is free,” Phil Reitinger, president and CEO of GCA, said in a release.
The new Quad9 service shares the global infrastructure of PCH, a US-based non-profit which has over the last two decades established the world’s largest authoritative DNS service network, extending from heavily networked parts of North America, Europe and Asia to the less well-connected areas of sub-Saharan Africa and the Caribbean. PCH hosts multiple root letters and more than 300 TLDs on thousands of servers in 150 locations across the globe.
Quad 9 has 100 points of presence in 59 countries, including 12 in the Caribbean, and plans to double that location count by 2019. Leveraging the expertise and global assets of PCH, the new DNS service promises to offer security and privacy to users in the Caribbean, without compromising speed. Bill Woodcock, executive director of Packet Clearing House, said Quad9 users in those regions could actually experience noticeable improvements in performance and resiliency.
“Many DNS service providers are not sufficiently provisioned to be able to support high-volume input/output and caching, and adequately balance load among their servers. But Quad9 uses large caches, and load-balances user traffic to ensure shared caching, letting us answer a large fraction of queries from cache. Because Quad9 shares the PCH DNS infrastructure platform, all root and most TLD queries can be answered locally within the same stack of servers, without passing query onward and making it vulnerable to interception and collection by others. When Quad9 does have to pass a query onward to a server outside of our control, unlike other recursive resolvers, we use a variety of techniques to ensure that the very minimum necessary information leaves our network and users’ privacy is maximised,” he said.
“This is a service that is squarely aimed at improving the Internet security and privacy situation for the global Internet user base, not just the developed world,” he added. “The fact that we can do it faster is just icing on the cake.”
Written by Gerard Best, Development Journalist
Follow CircleID on Twitter
Read more here:: feeds.circleid.com/cid_sections/blogs?format=xml
Italtel, a telecommunications company in IT system integration, managed services, Network Functions Virtualisation (NFV) and all-IP solutions, has launched an Open Innovation program, which will see it collaborate with start-ups and new businesses to leverage emerging technologies for applications such as Industry 4.0, Smart Cities and Digital Healthcare.
The program will see Italtel collaborate with start-ups and smaller enterprises to develop and test their solutions, with the goal of jointly commercialising them. It will initially focus on the Internet of Things (IoT), Blockchain and cybersecurity technologies.
“Italy has a rich entrepreneurial fabric which stimulates creativity and innovative ideas, but start-ups and small businesses are often limited in what assets they have to develop these ideas further,” said Luca Ferraris, head of Strategy, Innovation & Collaboration, at Italtel. “This is why this program is so important; it provides an innovation network and an opportunity to collaborate which is not limited to the laboratory.”
The use of physical spaces, test plants and IT resources are among the resources Italtel can offer to program participants in Settimo Milanese and Carini (Palermo). In exchange for this support, Italtel will be able to utilize the technologies and applications created under the program and quickly bring them to market.
Since the launch of the program six-months ago, 60 participating companies have already received appraisal for their ground-breaking work, leading to new opportunities in Industry 4.0.
“The scheme is a great opportunity for our partners to receive support in overcoming key industry hurdles frequently faced when launching new products and to have a platform which enables them toreach global markets,” added Ferraris.
For more details about Italtel’s Open Innovation program, including how to join click here.
Comment on this article below or via Twitter: @IoTNow_OR @jcIoTnow
Read more here:: www.m2mnow.biz/feed/
Italtel, a leading telecommunications company in IT system integration, managed services, Network Functions Virtualization (NFV) and all-IP solutions, has launched an Open Innovation program, which will see it collaborate with start-ups and new businesses to leverage emerging technologies for applications such as Industry 4.0, Smart Cities and Digital Healthcare. The program will see Italtel […]
Read more here:: iot.do/feed
In a joint project, IBM Security along with Packet Clearing House (PCH) and The Global Cyber Alliance (GCA) today launched a free service designed to give consumers and businesses added online privacy and security protection. The new DNS service is called Quad9 in reference to the IP address 18.104.22.168 offered for the service. The group says the service is aimed at protecting users from accessing malicious websites known to steal personal information, infect users with ransomware and malware, or conduct fraudulent activity.
Quad9 is said to provide these protections without compromising the speed of users’ online experience. From the announcement: “Leveraging PCH’s expertise and global assets around the world, Quad9 has points of presence in over 70 locations across 40 countries at launch. Over the next 18 months, Quad9 points of presence are expected to double, further improving the speed, performance, privacy and security for users globally. Telemetry data on blocked domains from Quad9 will be shared with threat intelligence partners for the improvement of their threat intelligence responses for their customers and Quad9.”
— The Genesis of Quad9: “Quad9 began as the brainchild of GCA. The intent was to provide security to end users on a global scale by leveraging the DNS service to deliver a comprehensive threat intelligence feed. This idea lead to the collaboration of the three entities: GCA: Provides system development capabilities and brought the threat intelligence community together; PCH: Provides Quad9’s network infrastructure; and IBM: Provides IBM X-Force threat intelligence and the easily memorable IP address (22.214.171.124).”
— Philip Reitinger, President and CEO of the Global Cyber Alliance: “Protecting against attacks by blocking them through DNS has been available for a long time, but has not been used widely. Sophisticated corporations can subscribe to dozens of threat feeds and block them through DNS, or pay a commercial provider for the service. However, small to medium-sized businesses and consumers have been left behind — they lack the resources, are not aware of what can be done with DNS, or are concerned about exposing their privacy and confidential information. Quad9 solves these problems. It is memorable, easy to use, relies on excellent and broad threat information, protects privacy, and security and is free.”
Follow CircleID on Twitter
Read more here:: feeds.circleid.com/cid_sections/news?format=xml
I have been working on getting a Kerlink IoT Station to work with GPRS/3G as its primary uplink path.
A client asked me to do this configuration because they did not have the resources to it themselves. No problem. I have been working with LoRa and Kerlinks for a while now doing a consultancy job for another client (a big telco). They did not want to connect the Kerlink to their local network for security reasons. They wanted to add their gateway to TheThingsNetwork.org (TTN), a global open crowdsourced Internet of Things data network that started in The Netherlands. Reading the forums, I noticed that many trying to do the same have run into issues. The documentation is sometimes incomplete and scattered so it takes a bit of effort to get it to work.
IoT lab at the home office
The task at hand:
Configure a Kerlink IoT station to use its GPRS/3G modem as its uplink path and connect it to TheThingsNetwork.org. The SIM provided was a PukData M2M SIM which uses the KPN mobile network in The Netherlands.
Normally, the Kerlink will use its ethernet (eth0) uplink as its default path. The basic idea here is that, if configured correctly, an autoconnect mechanism will trigger the GPRS bearer, establishes a PPP connection and set a default route and DNS.
I had already installed the TTN firmware with the polypacket forwarder on the Kerlink and got it to work using the ethernet uplink. I used a LoRaMote to check if packets actually showed up in the TTN api. For the next step, I basically followed the GPRS/3G guide on the TTN Wiki which boils down to:
- Set the GPRS options to match your SIM and telco’s APN settings (i.e. APN name, pincode, username and password).
- Configure auto connect in the knet monitor.
- Set the bearers priority.
- Because no username/password is set for this APN, and empty username/password fields trigger a bug, I also installed the patched GPRS init script.
I ran into a couple of things so these considerations may be useful:
- If your SIM comes with a pin code (usually 0000), set it with ‘GPRSPIN=<your pin here>’.
- If your APN username and password are to be left empty, replace the GPRS init script with the patched version as mentioned at the bottom of the guide.
- Carefully choose your ip_link address in /knet/knetd.xml depending on your requirements. This address is pinged periodically to determine if the GPRS auto connect needs to be activated. In my case I wanted one that is only reachable over the GPRS APN (e.g. for KPN use their DNS server: 126.96.36.199) to force it to bring up the ppp0 interface whenever possible. If you’re using GPRS as a backup path this should be different (I guess an address only reachable via eth0 but make sure the PPP session is terminated as soon as the primary path becomes available again). Use tcpdump (e.g. tcpdump -i ppp0 -n -v port 1700 or icmp) to check if it is pinging the correct address and if status updates are sent.
- I chose not to use peerdns (GPRSDNS=no) because the default DNS servers are not restored in case of a GPRS connection failure, thus breaking eth0 as a fallback path. I used the Google public DNS servers in stead as they work on both paths. This could also be fixed in /etc/ppp/ip-down.
- Remember that your default gateway will be set to the ppp0 interface whenever that interface comes up. You may want to be able to connect through eth0 for maintenance…
- The (poly) packet forwarder needs to be restarted whenever there is an interface change to make sure it binds to the right source address. If it isn’t you will see packets going out the ppp0 interface with the eth0 source address (or vice versa). I added ‘/usr/bin/killall poly_pkt_fwd’ to /etc/ppp/ip-up and /etc/ppp/ip-down.
- The firewall is not enabled by default. Make sure to edit /etc/init.d/firewall to your needs and turn it on in /etc/sysconfig/network (FIREWALL=yes). Don’t forget IPv6 although dropbear for instance does not listen on a v6 socket.
Tests to do to make sure it all works:
- Check if the gateway is still active (is sending status updates) and node messages are received in the TTN API after unplugging the ethernet uplink cable. If you’re using an ethernet power injector, make sure to unplug the cable going into the injector rather than the one going out to the Kerlink. Duh! 😉 Remember that you can’t log in to the gateway anymore, assuming access to the GPRS/3G address is blocked.
- Plug the ethernet cable back in and see if you can log in again. Then check if updates/messages are still being sent over the ppp0 interface using tcpdump.
- Power cycle the Kerlink while leaving the ethernet uplink cable unplugged. This will make sure the Kerlink will boot successfully in stand-alone mode, which was the whole purpose of this exercise.
# Selector operator APN GPRSAPN=internet.access.nl # Enter pin code if activated GPRSPIN=0000 # Update /etc/resolv.conf to get dns facilities GPRSDNS=no # PAP authentication GPRSUSER= GPRSPASSWORD= # Bearers priority order BEARERS_PRIORITY="ppp0,eth0,eth1"
<!-- ############## connection parameters ############## --> <!-- nb of second to retry to connect to server if connection failed--> <CONNECT retry_timeout="10" /> <!-- port nunmber for local application kms connection --> <CONNECT kms_port="35035" /> <CONNECT auto_connection="YES" /> <!-- frequency of connection monitoring -ping- (in seconds) --> <CONNECT link_timeout="30"/> <!-- DNS servers will be pinged if commented or deleted. Some operators can block the ping on there DNS servers --> <CONNECT ip_link="188.8.131.52"/>
Don’t hesitate to leave a comment below or send a message.