AntiSocial Blacklist – Community Version Launch

@rfdevere Blog

The AntiSocial Blacklist was a concept debated quickly in a passing idea, it quickly spiralled off into an obsession. The logic was obtained from working with victims of crime and our hands on experience of social engineering attacks.

We know that fraudulent emails and people being guided to a malicious website is the main reason for a breach in over 75% of affected UK businesses (1). We also know the second most common cause of a breach, after phishing is impersonations (2). But what always infuriated us is the fact you can go out and register google-payments.wang and not one system considers this to be malicious (until it’s too late).

The logical thing to do would be to block all possible permutations of a legitimate domain and consider them malicious – boy, is that a minefield!

Calling On Help

Like a scene from some crazed psycho thriller, we had whiteboards with maths on, diagrams on the walls. We were consumed with making this work. We reached out to Quad9’s CEO, we hired coders, we spoke to statisticians. The results were a mixed bag of awe and disappointment.

Then we noticed a ‘cyber accelerator’, a scheme ran by Wayra UK September 2018 that promised to connect ambitious UK startups with the technical minds of NCSC and Elevenpaths. It was a magical experience, we arrived hopeful that those that wear suits to work and are tasked with protecting the UK online would see this beautiful concept held by this dishevelled worn-out team and give it the help it needed to protect people. Wrong.

Nice idea, but way under-baked

NCSC

Onwards and Upwards

Are you even a social engineer if you listen to “No” and don’t make it work regardless? We were just spurred on to make the Blacklist work even more. Not only would we do it, but we could envision the rollout of the product and the end in sight. We worked harder and paid for our own clever people and development. The results were amazing.

We received guidance from Quad9’s CEO in a lengthy call, he agreed the concept was great, it was unique but advised us the false positives were going to be the fly in the ointment. Previously our blacklist tried to block all possible permutations – a massive mathematical oversight. He told us to focus on domains that could pose a risk – those registered with various DNS A, MX, NS elements.

That’s what we did.

Working Product

AntiSocial Blacklist got the redesign it always needed. We had maths now on our side and a more manageable list of domains for clients to work with. We were stronger for the whole ordeal.

Development continued and we further integrated the domains into a RestAPI and DNS systems for paid industry use.

Picture of the domain blocking page, really striking design with a way they can report false positives.
Users are guided to a block page. https://theantisocialengineer.com/blacklist/blocked-domain/

Back To Community

We came across the PiHole® near the start of the project and this is the software we trialled many earlier lists on. We had to leave PiHole® because nobody has 35 seconds to wait for a DNS request (Our fault, we did have nearly 40,000,000 domains loaded in once). Now we have resolved our errors we feel we can offer a useable, reduced size list, for free to the PiHole community. It’s not just PiHole either! Many devices and services can implement a blacklist of sorts. Hosts files, Routers, Office365, GSuite, Web Proxies, Firewalls etc

The list is focussed on UK businesses but future versions will have other locales.

1 – NCSC Cyber Breaches Survey 5.2 (here)

2 – NCSC Cyber Breaches Survey 5.2 (here)

Comments With Facebook