ShadowTrackr Android app available in Google Play Store

It's been on the planning for a while and now it is finally released: the ShadowTrackr Android app. It has the same functionality as the iOS app and the webversion of ShadowTrackr. There is still a way to go to improve the mobile user experience, but all the important functionality is there. The most handy thing of course are push notifications for your security problems.

It's a version 1.0, it's Android, and it's developed and tested on a Samsung device. The diversity in the Android world is huge and I expect there to be bugs on non-Samsung devices that don't show up on the test device. Please do not hesitate to submit your bugs and feedback. And while you're at it, send in any bugs or complaints you have on ShadowTrackr. For a developer nothing beats feedback from real users. Not everything might be solved straight away, but everything will end up on the list. The more users ask for something, the higher up on the list the item goes.

Tricky new feature: ignore some of your urls

If you have lots of urls, not all of them will be equally interesting. Some might be for testing, and some might not even be yours to worry about. I've been thinking about creating some form of order for assets, but haven't really figured out a good solution yet. You don't want to be hacked through a test server just because you missed a warning. If it's yours, and it has a problem, then ShadowTrackr should let you know.

There are some edge cases where you might want to ignore a url. Imagine you own and run the pay level domain shadowtrackr.com, but have one of your subdomains contracted out to another party (something like thirdparty.shadowtrackr.com). That other party runs the server for it, and you agreed that they do their own security and monitoring. Anything related to this subdomain is now just noise on your timeline, and if you have lots of these subdomains, you might not see the forest for the trees on your timeline.

For this specific problem, you can now ignore a url. The option is available on the url page (go to assets and click on the edit link next to the url). From the moment you set a url to ignore, no new data is logged for it and no alerts will be sent. The historical information will still be available but no longer be updated. If the ignored url pops up in search results it will be marked as 'ignored' in red letters. The ignored urls (if you have them) are shown at the bottom of the url tab on your assets page.

If you have lots of subdomains that you need to ignore , setting each and everyone to ignored by hand is no fun. For this, there is a shortcut called the ignore list. If you have more than 10 subdomains you will see a link "ignore list" next to the pay level domain when you click it open (with the +) on the assets page.

Before you go ignoring some of your urls, be warned: you should only ignore urls if you are absolutely sure they pose no risk or someone else is monitoring them. Even if it's just a historic url or currently nothing runs on it, someone could hijack or spoof the DNS record, put a website on it and start phishing you users or spamming the world. It wouldn't be the first time this happened.

DNS hijack detection

Disclaimer: this is about the detection of a specific attack. It does not catch all DNS hijacks.

FireEye recently blogged about a Global DNS hijacking campaign and a client requested detection for this in ShadowTrackr. As of today, it's live on all accounts.

A DNS hijack happens when someone logs in to your domain registrar and changes the legitimate ip address for one of your websites to the ip address of a server they control. After this, the attacker can do all sorts of evil to your users. This ranges from simply setting up a phishing site on your domain to more complex attacks like the one that happened at Fox-IT (which is also a good example of how to handle an incident).

ShadowTrackr does log all your ip changes, which means that the exact start and end of the attack will be recorded for you. The problem is that there is no way that ShadowTrackr can know if an ip change is legitimate or not. It's not uncommon for clients with many assets to regularly have ip address changes. We would love to send you a warning instead of just logging it, but so far we didn't know how to properly detect trouble.

The specific attack fireEye and Talos blog about concerns the situation where the attacker takes over your website and consequently has to issue a new certificate for it. Chances are that this new certificate will be from a different issuer. Talos warns specifically for changes from any other issuer to Let's Encrypt. Now this is something we can work with!

When a new certificate is isued for one of your domains and it's from a different issuer than the previous certificate, ShadowTrackr will send you a warning. Also, in the certificates report you can now see if you have multiple certificates from different issuers for the same url.

So, you should all check these reports and see if the certificates found where issued by yourself or not. You should also still check unexpected ip changes, since this method of detection does not detect all hijacks. And of course, above all, use two factor authentication for your login at domain registrars!