AWS Shield Standard, free of charge, is activated by default
AWS Shield Advanced – 24×7 premium protetion, fee charged and access to AWS DRP DDOS Response Team v expensive about 3000 USD per month.
AWS WAF filters specific requests based on rules – layer 7 http – for app load balancer, api gateway and CloudFront
you can define web acl : geo block, ip address blocks, sql injection etc
CloudFront and Route 53: uses global edge network, combined with Shield can provide attack mitigation at the edge
You can utilize AWS AutoScaling to leverage up if there is an attack.
You get full DDOS protection by combining Shield, WAF, CloudFront and Route53.
Penetration testing can be carried out by customers for 8 services eg EC2, RDS, CF etc – you don’t need any authorization to do this but you cannot do simulated ddos attacks on your system or dns zone walking on route 53, nor flooding tests
important note:
for any other simulated attacks, contact aws first, to check, otherwise it is not authorized – and could be seen as an infrastructure attack on aws!
AWS Inspector:
chargable, first 15 days free. not cheap. cost per instance or image scanned.
does automated security assessments, eg for EC2
sends reports to security hub and event bridge
leverages the System Manager SSM agent
for Containers pushing to ECR – assesses containers as they are moved to ECR
it is ONLY for EC2 and container infra. But only done when needed.
checks packages against CVE – package vulnerability scan
exam question! LOGS can be analyzed using AWS Athena if stored on S3.
you should encrypt logs stored on S3 and control the access to them by deploying iam and bucket policies plus mfa.
and always remember: don’t log a server that is logging! otherwise you create an endless logging loop!
and move logs to glacier for cost saving
and also use glacier vault which locks the logs so they cant be tampered with.
AWS Guard Duty
this uses intelligent threat discovery and ML learning to detect
no need to install any software, works in the backend, only need to activate, but it chargeable
esp analyses cloudtrail, vpc flow logs, dns logs, kubernetes audit logs, looks for unusual api calls etc
you can set up cloudwatch events rules to connect to labda or sns
exam q also can protect against cryptocurrency attacks, has a dedicated function for it. – comes up in exam
AWS Macie
a fully managed data security and data privacy service which uses ML pattern matching to protect your data
helps identify and alert esp re PII – personal identifiable information
can notify event bridge
AWS Trusted Advisor – only need to know overview for the exam
no need to install, is a service
core checks and recommendations — available for all customers, these are free
can send you a weekly email notification
full trusted advisor for business and enterprise – fee based
and can then create cloudwatch alarms or use apis
cost optimization
looks for underutilized resources – but cost optimizn is not in the free core checks, so you need to upgrade for this.
performance
ec2s ebs cloud front
security
mfa security used or not, iam key rotation etc, exposed access keys
s3 bucket permissions, security group issues, esp unrestricted ports
The Metasploit Framework is the foundation on which commercial add-on products for Metasploit Pro are built.
It is an open source project that provides the infrastructure, content, and tools for performing system penetration tests and security auditing.
A quick overview of the basics:
Modules
A Metasploit module is a standalone piece of code that extends the functionality of the Metasploit Framework system.
A module can be an:
Exploit
Auxiliary
Payload
No operation payload (NOP)
Post-exploitation module
Encoder
For example, an exploit uses a payload to deliver code for running on another machine. The payload can open a shell or a Meterpreter session to run an exploitation module.
The encoder ensures the payload is delivered and the “no operation payload” or NOP ensures the payload size is kept consistent.
Metasploit comes pre-installed on Kali Linux. There are also pre-installed ready-to-use virtual machines with Kali Linux and Metasploit Framework available for download.
To install Metasploit on Ubuntu
First install Oracle Java 8
add the Oracle Java Package source:
sudo add-apt-repository -y ppa:webupd8team/java
sudo apt-get update
sudo apt-get -y install oracle-java8-installer
Then install dependencies that are needed by Metasploit Framework:
Metasploit tip: You can use help to view all
available commands
msf6 >
msf6 >
Set Up a Database for Metasploit
The first essential task is to set up a database for Metasploit:
Most of the database creation is now handled by the Metasploit installation routine.
After you’ve set up the database, you need to connect to it.
You will need to manually connect to the database each time you launch msfconsole.
So once you have completed the installation of Metasploit, start msfconsole and then run the following command in the console:
msf6 >
msf6 >
msfdb init
msf6 > msfdb init
[*] exec:
[?] Would you like to init the webservice? (Not Required) [no]: Clearing http web data service credentials in msfconsole
Running the ‘init’ command for the database:
Existing database found, attempting to start it
Starting database at /home/kevin/.msf4/db…success
msf6 >
msf6 >
and then you can connect with
db_connect msfdb
db_connect msfdb
[*] Connected to Postgres data service: /msfdb
msf6 >
You can then assemble commands and run exploits using msfconsole.
Remember that each time you restart msfconsole you first need to run the two commands:
msfdb init
db_connect msfdb
msf6 > msfdb init
[*] exec: msfdb init
[?] Would you like to init the webservice? (Not Required) [no]:
Clearing http web data service credentials in msfconsole
Running the ‘init’ command for the database:
Existing database running
msf6 > db_connect msfdb
[*] Connected to Postgres data service: /msfdb
msf6 >
to verify that you are connected to the database you can run this command at any time:
msf6 > help
Core Commands
=============
Command Description
------- -----------
? Help menu
banner Display an awesome metasploit banner
cd Change the current working directory
color Toggle color
connect Communicate with a host
debug Display information useful for debugging
exit Exit the console
features Display the list of not yet released features that can be opted in to
get Gets the value of a context-specific variable
getg Gets the value of a global variable
grep Grep the output of another command
help Help menu
history Show command history
load Load a framework plugin
quit Exit the console
repeat Repeat a list of commands
route Route traffic through a session
save Saves the active datastores
sessions Dump session listings and display information about sessions
set Sets a context-specific variable to a value
setg Sets a global variable to a value
sleep Do nothing for the specified number of seconds
spool Write console output into a file as well the screen
threads View and manipulate background threads
tips Show a list of useful productivity tips
unload Unload a framework plugin
unset Unsets one or more context-specific variables
unsetg Unsets one or more global variables
version Show the framework and console library version numbers
Module Commands
===============
Command Description
------- -----------
advanced Displays advanced options for one or more modules
back Move back from the current context
clearm Clear the module stack
favorite Add module(s) to the list of favorite modules
info Displays information about one or more modules
listm List the module stack
loadpath Searches for and loads modules from a path
options Displays global options or for one or more modules
popm Pops the latest module off the stack and makes it active
previous Sets the previously loaded module as the current module
pushm Pushes the active or list of modules onto the module stack
reload_all Reloads all modules from all defined module paths
search Searches module names and descriptions
show Displays modules of a given type, or all modules
use Interact with a module by name or search term/index
Job Commands
============
Command Description
------- -----------
handler Start a payload handler as job
jobs Displays and manages jobs
kill Kill a job
rename_job Rename a job
Resource Script Commands
========================
Command Description
------- -----------
makerc Save commands entered since start to a file
resource Run the commands stored in a file
Database Backend Commands
=========================
Command Description
------- -----------
analyze Analyze database information about a specific address or address range
db_connect Connect to an existing data service
db_disconnect Disconnect from the current data service
db_export Export a file containing the contents of the database
db_import Import a scan result file (filetype will be auto-detected)
db_nmap Executes nmap and records the output automatically
db_rebuild_cache Rebuilds the database-stored module cache (deprecated)
db_remove Remove the saved data service entry
db_save Save the current data service connection as the default to reconnect on startup
db_status Show the current data service status
hosts List all hosts in the database
loot List all loot in the database
notes List all notes in the database
services List all services in the database
vulns List all vulnerabilities in the database
workspace Switch between database workspaces
Credentials Backend Commands
============================
Command Description
------- -----------
creds List all credentials in the database
Developer Commands
==================
Command Description
------- -----------
edit Edit the current module or a file with the preferred editor
irb Open an interactive Ruby shell in the current context
log Display framework.log paged to the end if possible
pry Open the Pry debugger on the current module or Framework
reload_lib Reload Ruby library files from specified paths
time Time how long it takes to run a particular command
msfconsole
==========
`msfconsole` is the primary interface to Metasploit Framework. There is quite a
lot that needs go here, please be patient and keep an eye on this space!
Building ranges and lists
-------------------------
Many commands and options that take a list of things can use ranges to avoid
having to manually list each desired thing. All ranges are inclusive.
### Ranges of IDs
Commands that take a list of IDs can use ranges to help. Individual IDs must be
separated by a `,` (no space allowed) and ranges can be expressed with either
`-` or `..`.
### Ranges of IPs
There are several ways to specify ranges of IP addresses that can be mixed
together. The first way is a list of IPs separated by just a ` ` (ASCII space),
with an optional `,`. The next way is two complete IP addresses in the form of
`BEGINNING_ADDRESS-END_ADDRESS` like `127.0.1.44-127.0.2.33`. CIDR
specifications may also be used, however the whole address must be given to
Metasploit like `127.0.0.0/8` and not `127/8`, contrary to the RFC.
Additionally, a netmask can be used in conjunction with a domain name to
dynamically resolve which block to target. All these methods work for both IPv4
and IPv6 addresses. IPv4 addresses can also be specified with special octet
ranges from the [NMAP target
specification](https://nmap.org/book/man-target-specification.html)
### Examples
Terminate the first sessions:
sessions -k 1
Stop some extra running jobs:
jobs -k 2-6,7,8,11..15
Check a set of IP addresses:
check 127.168.0.0/16, 127.0.0-2.1-4,15 127.0.0.255
Target a set of IPv6 hosts:
set RHOSTS fe80::3990:0000/110, ::1-::f0f0
Target a block from a resolved domain name:
set RHOSTS www.example.test/24
msf6 >
Linux-PAM (Pluggable Authentication Modules) is a suite of shared libraries which dynamically authenticate users and access to applications or services.
IMPORTANT NOTE:
Accidental deletion or corruption of configuration files under /etc/pam.d/ or the /etc/pam.conf can lock you out of the system!
To deploy PAM an application needs to be “PAM aware“. This means it must be written and compiled to use PAM. To check whether a program is “PAM-aware”, run ldd.
The main configuration file for PAM is located at /etc/pam.conf.
The /etc/pam.d/ directory contains PAM configuration files for PAM-aware applications and services.
IMPORTANT: PAM will ignore the file if the directory exists.
Syntax for the main pam.conf configuration file
service type control-flag module module-arguments
where:
service: is the actual application name.
type: module type/context/interface.
control-flag: this defines the behaviour of the PAM-API if the module fails its authentication task.
module: the absolute or relative pathname of the PAM-API.
module-arguments: a space separated list of tokens used to control PAM module behavior.
Rules are written on a single line, with overflow onto the next line using the “\” escape character.
Comments are preceded with the hash sign “#” and apply to the next end of line.
Example of a RAM rule definition, defined in the /etc/pam.d/sshd file, to disallow non-root logins when /etc/nologin exists:
account required pam_nologin.so
PAM authentication tasks have four independent management groups.
These groups are responsible for different aspects of a user request for a service or application.
All modules are assigned to one of the following management group types:
account: this provides services for account verification. For example, it checks the validity of a user password
authentication: this service authenticates the user and defines user credentials.
password: the password service updates user passwords and works together with the authentication modules.
session: this service manages actions performed at the start and end of a login session.
The PAM loadable object files (the actual PAM modules) are located at /lib/security/ or /lib64/security depending on the Linux system architecture.
The supported control-flags are:
requisite: a failure instantly returns control back to the application and indicates the nature of the first module failure.
required: the module must return a positive successful result in order for libpam to return a success result back to the application.
sufficient: provided all preceding modules have succeeded, the success of this module results in an immediate and successful return back to the application (while failure of this module is ignored).
optional: success or failure of this module is not recorded or required.
There are also two control flag directives used for PAM:
include: this directive includes all lines of given type from the configuration file specified as an argument for this control.
substack: this directs PAM to include all lines of given type from the configuration file specified as an argument for this control.
A Practical Example of How To Deploy PAM
In this example, we will use PAM to restrict root access to the SSH service for certain users.
The following defined PAM rule will tell PAM to consult the /etc/ssh/deniedusers file and deny access to the SSH and login services for any user listed in this file.
For this we use the /lib/security/pam_listfile.so module.
required: is the control-flag. This means that if the module is used, then it must succeed or else the overall result will be a fail, regardless of the status of any other modules.
pam_listfile.so: is the PAM module which enables services to be denied or permitted based on an arbitrary file list.
onerr=succeed: the module argument.
item=user: a module argument which specifies what is to be listed and checked for in the file.
sense=deny: this module argument specifies the action to take if it is found in the file. If the item is not found in the file, then the opposite action will result.
file=/etc/ssh/deniedusers: the module argument specifying the file to be referenced.
Following this we now create the file /etc/ssh/deniedusers and add the name (in this case root) to it:
nano /etc/ssh/deniedusers
Finally set the permissions:
chmod 600 /etc/ssh/deniedusers
An overview of PAM modules and PAM man pages
root@intel:/# apropos pam
PAM (7) – Pluggable Authentication Modules for Linux
capability.conf (5) – configuration file for the pam_cap module
faillock.conf (5) – pam_faillock configuration file
group.conf (5) – configuration file for the pam_group module
limits.conf (5) – configuration file for the pam_limits module
pam (5) – portable arbitrary map file format
pam (7) – Pluggable Authentication Modules for Linux
pam-auth-update (8) – manage PAM configuration using packaged profiles
pam.conf (5) – PAM configuration files
pam.d (5) – PAM configuration files
pam_access (8) – PAM module for logdaemon style login access control
pam_cap (8) – PAM module to set inheritable capabilities
pam_debug (8) – PAM module to debug the PAM stack
pam_deny (8) – The locking-out PAM module
pam_echo (8) – PAM module for printing text messages
pam_env (7) – PAM module to set/unset environment variables
pam_env.conf (5) – the environment variables config files
pam_exec (8) – PAM module which calls an external command
pam_extrausers (8) – Module for libnss-extrausers authentication
pam_faildelay (8) – Change the delay on failure per-application
pam_faillock (8) – Module counting authentication failures during a specified interval
pam_filter (8) – PAM filter module
pam_ftp (8) – PAM module for anonymous access module
pam_getenv (8) – get environment variables from /etc/environment
pam_group (8) – PAM module for group access
pam_issue (8) – PAM module to add issue file to user prompt
pam_keyinit (8) – Kernel session keyring initialiser module
pam_lastlog (8) – PAM module to display date of last login and perform inactive account lock out
pam_limits (8) – PAM module to limit resources
pam_listfile (8) – deny or allow services based on an arbitrary file
pam_localuser (8) – require users to be listed in /etc/passwd
pam_loginuid (8) – Record user’s login uid to the process attribute
pam_mail (8) – Inform about available mail
pam_mkhomedir (8) – PAM module to create users home directory
pam_motd (8) – Display the motd file
pam_namespace (8) – PAM module for configuring namespace for a session
pam_nologin (8) – Prevent non-root users from login
pam_permit (8) – The promiscuous module
pam_pwhistory (8) – PAM module to remember last passwords
pam_rhosts (8) – The rhosts PAM module
pam_rootok (8) – Gain only root access
pam_securetty (8) – Limit root login to special devices
pam_selinux (7) – PAM module to set the default security context
pam_sepermit (8) – PAM module to allow/deny login depending on SELinux enforcement state
pam_shells (8) – PAM module to check for valid login shell
pam_succeed_if (8) – test account characteristics
pam_systemd (8) – Register user sessions in the systemd login manager
pam_tally (8) – The login counter (tallying) module
pam_tally2 (8) – The login counter (tallying) module
pam_time (8) – PAM module for time control access
pam_timestamp (8) – Authenticate using cached successful authentication attempts
pam_timestamp_check (8) – Check to see if the default timestamp is valid
pam_tty_audit (8) – Enable or disable TTY auditing for specified users
pam_umask (8) – PAM module to set the file mode creation mask
pam_unix (8) – Module for traditional password authentication
pam_userdb (8) – PAM module to authenticate against a db database
pam_warn (8) – PAM module which logs all PAM items if called
pam_wheel (8) – Only permit root access to members of group wheel
pam_xauth (8) – PAM module to forward xauth keys between users
pamcut (1) – cut a rectangle out of a PAM, PBM, PGM, or PPM image
pamdeinterlace (1) – remove ever other row from a PAM/PNM image
pamdice (1) – slice a Netpbm image into many horizontally and/or vertically
pamfile (1) – describe a Netpbm (PAM or PNM) file
pamoil (1) – turn a PAM image into an oil painting
pamon (1) – Play back or record raw or encoded audio streams on a PulseAudio sound server
pamstack (1) – stack planes of multiple PAM images into one PAM image
pamstretch (1) – scale up a PNM or PAM image by interpolating between pixels
pamstretch-gen (1) – use pamstretch and pnmscale to scale by non-integer values
pgmoil (1) – turn a PAM image into an oil painting
pnminterp (1) – scale up a PNM or PAM image by interpolating between pixels
pnminterp-gen (1) – use pamstretch and pnmscale to scale by non-integer values
sepermit.conf (5) – configuration file for the pam_sepermit module
time.conf (5) – configuration file for the pam_time module
root@intel:/#
PAM Services
Applications that require authentication can use PAM for this by means of a service name.
Examples of the PAM services currently available on this machine:
Each of the files at /etc/pam.d represents a PAM service. PAM will use a configuration file named as the service if
the /etc/pam.d directory exists.
Alternatively, if PAM is configured using the single file /etc/pam.conf then the service name is defined in the configuration file in the first column.
Once installation is completed, the fail2ban service will start automatically. Verify with:
root@gemini:/home/kevin# systemctl status fail2ban
● fail2ban.service - Fail2Ban Service
Loaded: loaded (/lib/systemd/system/fail2ban.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2021-06-03 11:34:32 BST; 4min 7s ago
Docs: man:fail2ban(1)
Main PID: 543825 (f2b/server)
Tasks: 5 (limit: 2280)
Memory: 14.9M
CGroup: /system.slice/fail2ban.service
└─543825 /usr/bin/python3 /usr/bin/fail2ban-server -xf start
Jun 03 11:34:32 gemini systemd[1]: Starting Fail2Ban Service...
Jun 03 11:34:32 gemini systemd[1]: Started Fail2Ban Service.
Jun 03 11:34:32 gemini fail2ban-server[543825]: Server ready
root@gemini:/home/kevin#
The default Fail2ban installation comes with two configuration files, /etc/fail2ban/jail.conf and /etc/fail2ban/jail.d/defaults-debian.conf. It is not recommended to modify these files as they may be overwritten when the package is updated.
fail2ban reads the configuration files in the following order. Each .local file overrides the settings from the .conf file:
To harden ssh and protect against ssh-hacker attempts, make following modifications to sshd_config:
root@gemini:/etc/ssh# cat sshd_config
PermitRootLogin no
#Port 22
#AddressFamily any
#we only allow access from our zonetier-one vpn (IP commented out here for security reasons):
ListenAddress 10.******
# Disable password authentication forcing use of keys only to login:
PasswordAuthentication no
Then restart sshd.
From then on ssh logins can only be made from inside the Zonetier VPN. And they cannot in any case be done using root, nor with password-entry logins, only with ssh keys.
Users must first of all transfer their ssh keys from their client to the server either using ssh-copy-id if authorized, or alternatively copy-pasting their id_rsa.pub to the authorized_keys file located in their /home/<user>/.ssh directory.
This means non-users do not have any admittance to the server.
In addition to these measures, I also installed and activated fail2ban and reviewed all ports in the ufw /iptables firewalling.
I used to think of computer security largely in terms of preventing hackers from stealing my bank account data.
But the Snowden revelations about NSA data snooping has made me change my thinking.
Your Computer Security – Or Why You Should Escape From PRISM
The activities of the US NSA and the PRISM project make it clear that the US government is conducting mass surveillance.
Not only of US citizens, but also of pretty well everyone else in the world who is connected to the Internet.
The Net Brings Convenience – But Also Danger
Most people in developed countries now rely on the Net to conduct their business and many aspects of their daily life.
We have the Web, we have online software services, we have cloud storage, information services, data storage. All accessible through our PCs, laptops, tablets and mobile phones.
All of this brings us great benefits and convenience. But it also makes it easy for the ultimate holders of power – in other words governments, to tap into and utilize for their own purposes.
Having access to all this data and the ability to monitor people so much more easily and precisely than in the past is an extremely dangerous power.
I have no problem with governments tracking terrorists and criminals and stopping their activity. What I do object to is for everyone to be treated as a potential criminal or terrorist, and the government and their agencies being able to nose through and copy and archive my data at will.
Innocent People Have Nothing To Fear?
The standard response when anyone objects to any government or police control is: “innocent people have nothing to fear.”
This response is extremely dangerous because it surrenders away your privacy and freedom in one stroke. You may think you have nothing to hide. Your government may think otherwise. And if not today, then maybe tomorrow. And whether or not someone is considered “innocent” is always subjective.
In a democracy, governments should never be given carte blanche access to everyone’s data. Would you allow me and all your neighbours the freedom to come into your office or house and nose through all your desk drawers, diary, cupboards and everything else whenever they want to?
This is the power that the US government and many other governments around the world have now granted themselves.
Data is being intercepted, recorded and stored by US intelligence authorities as a matter of routine. Not only data of US citizens, but that of non-US citizens as well. It was revealed that even German Chancellor Angela Merkel’s mobile phone was tapped.
Big IT Corporates Work Hand-in-Glove With The Security Services
The security agencies now place back-doors in the software and online services of the top providers.
The companies themselves may deny this. But that’s part of the nature of security intelligence.
You aren’t permitted to admit the existence of these links and activities. Non Disclosure Agreements of the non-commercial kind. In Britain it’s called the “Official Secrets Act” which requires that people do not divulge any information about surveillance activities to third parties on threat of imprisonment. It’s the nature of the beast.
The convergence of computer technology, digitalization, the Internet, the cloud, and mobile phones all make mass surveillance extremely easy.
We are sleepwalking into a disaster here.
Present Day US Mass Surveillance Exceeds Even KGB and Stasi Expectations
On the one hand we gain the benefits of these innovations in our lives.
But these innovations also open up a degree and extent of mass surveillance and control that even Orwell did not imagine.
It’s revealing that a retired top ex-East German Stasi secret service officer said he regards the level of digital mass surveillance to now be in excess of anything the Stasi could have dreamt of in old Eastern Bloc days.
That’s how “far” we have come.
Russia Now Champions Digital Libertarian Richard Stallman
It’s interesting that the Russians are now giving publicity to US digital libertarian Richard Stallman. The Russian international tv channel RT (Russia Today) has been carrying a number of features, reports and interviews with Stallman.
It’s ironic Russia should apparently be so concerned about digital freedoms and championing Stallman 20 years after the end of the USSR.
Though I wonder why they are doing this. Perhaps it suits their political agenda against the US and EU at present.
Maybe Moscow feels it’s losing out on the digital surveillance “arms race” compared to the advanced stage it’s reached in the US and so are using him as an attack puppet.
Perhaps they also think that by apparently siding with Stallman it makes them look whiter than white versus the USA and wins them moral publicity credit points here for themselves amongst the public.
Stallman points out that mobile phones, especially smartphones, which are more or less the standard now, make excellent surveillance and tracking devices.
Also that the microphone and transmitting and receiving circuitry – and this includes the cameras, can be active even if you have switched them off – or think you have. Same too with laptops.
These digital web tools of convenience are very useful to us. And they are also a security services man’s (or woman’s) dream come true.
Social networks like Facebook invite to enter all your personal details and build your own personal profile, search engines in which you enter the search phrases which reveal what you are interested in, cloud storage where you store your data with third parties. And of course, password services which store all your passwords off your computer at another destination.
All these services can act as convenient front shop windows for the intelligence agencies. The public even come and enter the data for you. No need to go out there and have to request the information from them. They provide it all willingly themselves with hardly any prompting.
Google Streetview’s Wi-Fi Password “Accident”
We saw the scandal a few years back of Google collecting up everyone’s wifi login details – admin name and password – as their Streetview service vehicles drove around the streets photographing the landscape.
When this fact was later discovered by the public, we were told by Google that it had happened “by accident”.
Protect Your Digital Privacy and Freedom!
I’m a fan of digitalization. I appreciate the benefits of the Web, of new ways of conducting business, of utilizing the internet in our lives.
Convenience when using the Web is uppermost for many people. But we should be wary of sacrificing our own privacy in exchange for convenience. Too many of us have fallen for this deal.
The potential consequences of this technology and innovation for being used against us and for restricting our personal freedom are terrifying. In our desire to prevent “acts of terror” democratic countries are throwing the baby out with the bathwater.
Once our freedom and data privacy is gone, it’s gone. Once “no freedom” and”no privacy” become the new standard, it will be very hard to prise it back from the state.
We might expect surveillance of this kind back in Communist USSR or North Korea. Surely we should not expect it in a democracy?
De-Google Your Computer!
I’ve decided to take action to protect my digital freedom. I’ll talk more about the measures I’ve taken in a later post. But what I’ve done is basically to “de-Google” my computing.
This means I no longer use, or try not to use, the services of the NSA’s big corporate friends. Such as Google, Yahoo, etc. I also try to avoid services based on US territory or under US jurisdiction. Where possible I’ve substituted alternatives which have more likelihood of being more private and secure.
I’m still in the process of “de-Googling”. It’s going to take a little time. And I’m aware that the alternatives are also not necessarily fully secure.
It is true you can’t fully prevent the security intelligence agencies from accessing your data if they really want to. But you can make it harder for them to carry out routine and casual data snooping on innocent people. You don’t have to leave your front door wide open for strangers to simply walk in and snoop around.
If you care about your privacy and freedom – and the privacy and freedom of your fellow citizens, then you should consider doing the same.
For some revealing insights into the current state of play with the US NSA and PRISM, see the presentations by EFF (Electronic Frontier Foundation) and ACLU (American Civil Liberties Union) speakers at the Chaos Computer Club Annual Communications Convention in Hamburg, Germany (in English). See the YouTube links below:
Shellshock is a vulnerability bug in the Bash shell used by many Unix, Linux, as well as Apple Mac computers.
Shellshock gives attackers access to run commands and programs on a system.
Microsoft Windows machines are not affected.
If your system has not updated it’s Bash shell since September 28 2014 you may be vulnerable.
This vulnerability affects Bash shell versions 1.14 (released in 1994) up to the most recent version 4.3
Some analysts have warned that the “Shellshock” bug could be worse than the SSL Heartbleed bug which theoretically allowed attackers to take over websites. The bug has actually been existence since the early days of the Bash shell back in 1994 – some 20 years.
The US government National Vulnerability Database rates Shellshock at 10/10 for severity.
Note that the Bash bug is not a virus or trojan. It’s a bug in the program code of the Bash shell which can be exploited by intruders.
Bash is an acronym for “Bourne Again Shell”. It’s a command line “shell” or interface rather like MS-DOS or the CMD box in Windows, which permits users to issue commands to launch programs by typing in text.
The Bash shell is mostly used by programmers and system administrators.
As Apple Mac computers running OS X are also largely based on a variant of Unix, they also use the Bash shell. This means Apple machines are also at risk from the Shellshock bug.
The bug enables an attacker to execute commands or run programs via the Bash shell on the affected machine.
In theory this can mean almost anything is possible – reading, modifying or deleting data, emailing or transferring data across the Internet to other machines, deleting programs, running programs, installing programs or trojans to attack other computers.
In practice the possible damage an intruder can do may be limited. Having shell access is not the same as having root or admin access. But it’s a first step in that direction and one you definitely don’t want an intruder gaining on your computer.
What Should I Do About Shellshock?
Check your system and if it is shown to be vulnerable, update your Bash shell now.
You can use the online test tool at shellshocker.net to test if your system is vulnerable, and to find out how to patch your system so that you are no longer at risk.
Here’s a Simple Test You Can Run To See If Your Computer Is Affected By Shellshock
If you are familiar with the command line shell interface, then there is a simple test you can apply to see if your computer is vulnerable.
If you see the word “vulnerable”, then your system is at risk. If not, then either your Bash is fixed or else your shell is using a command interpreter other than Bash.
There’s a worldwide hacker attack going on against many WordPress websites.
The attack is a so-called “brute force attack” which aims to test different password and admin user id combinations to try and gain access to your WordPress administration dashboard.
Then the attack installs a bot which is then used to launch attacks on other servers or else perform other illicit activity.
How To Secure WordPress Against Brute Force Password Attacks
To help protect your site against this attack, you can add a secondary layer of administrator login security to WordPress sites.
To do this you basically create a .wpadmin file in the top home directory of your server system or in your server account home user area if you are on a shared server.
You then add a username and password pair, encrypt the password and then activate the security in the .htaccess file in your server space.
Here are the steps in detail:
(The following instructions are for server accounts that use cPanel, which is the most commonly used web-hosting account admin interface). 1. Create the .wpadmin file
Create a file with the name .wpadmin in your home directory. It’s important to name the file with the . (dot) before the file name, ie: .wpadmin.
eg. /home/username/.wpadmin (“username” is your cPanel admin account username)
2. Create an encrypted password for a new user name/password combination.
The easiest way to do this is to use the htpassword generator at htaccesstools.
Note this combination should NOT be the same as the ones you currently use, neither for your cPanel login, nor for any of your WordPress sites. It should be a totally new user name and password combination.
Make sure you note down temporarily (and securely) or at least don’t forget what you have entered. You’ll need to know this in order to login each time later.
The password generator will then output an encrypted version of the password you entered for the user name that you entered. Copy and paste this into the .wpadmin file you have just created. That’s you need in the .wpadmin file.
Note that the .wpadmin file ONLY contains the user name (non-encrypted) and the encrypted version of your password. You do not add the non-encrypted version of the password.
Make sure you don’t forget the non-encrypted version of the password, else you won’t be able to log in!
For example:
user name: steve non-encrypted password: abcdefg (by the way, a very poor password, so don’t ever use it. I’m just using it for the sake of this example)
The htpassword generator will create something like this:
steve:gjodWDQ8944qfr
The field after the colon, in this case: gjodWDQ8944qfr is the encrypted version of the password abcdefg.
You enter this line into the .wpadmin.php file. Then save and close the file.
3. Finally, update the .htaccess file
Cut and paste the following lines into your /home/username/.htaccess file. : ErrorDocument 401 “Unauthorized Access” ErrorDocument 403 “Forbidden” <FilesMatch “wp-login.php”> AuthName “Authorized Only” AuthType Basic AuthUserFile /home/username/.wpadmin require valid-user
Make sure you substitute your own username int the line AuthUserFile /home/username/.wpadmin.
Your secondary login wall of defence is now complete.
From now on, when you want to access a WordPress Admin dashboard on your web server, it will first prompt you for the username and the (non-encrypted) password combination that you configured as above.
For example, in this case, that will be:
login: steve password: abcdefg
It will then let you pass and direct you to the normal standard admin login for the WordPress site you requested. You then log yourself in on the WordPress dashboard as normal.
Note that if you have WordPress pages that are password-secured using the standard WordPress password protect functionality, then the above procedure will require you to perform the double login using your secondary username/password for these pages as well.
This may be a feature you are happy to live with – or it might be an irritation and complication that you’d rather not have.
In this case, you’ll have to weigh up the pros and cons of implementing this additional security versus the extra login overhead involved.
With the continued growth of online services and e-commerce, digital security is as important as ever.
So here’s my round-up of digital security threats in 2017 to watch out for.
Digital Security Threats in 2017
1. IoT Attacks
The variety and volume of consumer IoT or “Internet of Things” devices on the market is now increasing fast. It’s estimated that there will be around 50 million or more IoT connected devices in operation by 2020.
Unfortunately at the same time, the number of hacker attacks whether direct or via sophisticated distributed “botnets” is also increasing. This constitutes a serious threat to these devices and to IT infrastructure that then gets attacked by the botnets created and steered by means of these devices.
The problem at the moment is that many of these IoT devices still have very weak security. The IoT industry has a great deal of catching up to do to avoid increasingly serious headline hacker attacks on their devices.
2. Smart-Home Attacks
Attacks on “smart home” Internet-based devices – including IoT devices are now starting to appear.
Smart home attacks are going to be a major problem in the future as digital security concerns tend to lag behind in the consumer device sector.
To counter attacks on smart home devices, consumers will have to install proper high-protection routers such as those from Intel, Symantec, and BitDefender.
3. DDoS Attacks
Denial-of-service or DDoS attacks continue to be a serious and increasing threat. Partly this is due to more and more IoT devices coming online which have inadequate security protection.
Terrorists and malevolent state authorities are taking advantage of this attack vector. Large infrastructure systems such as power utilities, public transportation and even media (such as the TV5 attack in France in 2016) are not immune.
Infrastructure operators will have to substantially up their digital security precautions.
4. Ransomware
Ransomware is another serious threat and both consumers and businesses are under attack. Ransomware causes damage to data and hardware as well as financial loss for those who submit to their payment demands.
Users need to become more aware of the dangers posed by ransomware. Robust anti-virus and trojan protection software should always be installed and active and always kept up to date. Prevent scripts and apps from auto-executing in Web-browsers and emails.
5. Social Engineering
Social engineering attacks are becoming more and more sophisticated and with that harder for the average user to detect. Social engineering relies especially on email vector attacks, but they are also increasingly using website and app-based attack strategies.
To counter social engineering, increased user awareness is crucial. Always be careful when opening emails, and acting on any instructions contained in them. And of course be especially wary of clicking on any links contained in emails.
6. Identity Theft
Identity theft is also becoming more frequent.
Identity theft can occur via social engineering attacks, but increasingly it relies on break-ins of servers run by cloud computing and online services.
Businesses will have to take a more robust approach to protecting the customer and consumer data that they hold on their servers and storage systems. This will include such things as data encryption and more secure procedures for access.
7. Attacks on Online Services Infrastructure
Attacks on cloud computing and online services infrastructure such as banking and payment systems as well as e-commerce and other services are continuing to increase.
These type of attacks can lead to substantial financial loss – as well as loss of confidence for the services affected. Time and again we hear of an online service somewhere or other being broken into. Even the biggest banks are not secure.
Again – online service providers will have to substantially up their digital security precautions and protective infrastructure.
Well that rounds off this very quick look at what I see as the seven most serious digital security threats in 2017.
If you use your laptop for your business or your profession, then you need to make sure your business data is kept as secure as possible.
How to Secure Your Laptop
Securing your laptop is especially important if you’re a digital nomad or if you are location independent.
Get a Lock For Your Laptop
The first thing you need to do is use a good laptop lock. I know these locks aren’t infallible; a determined thief can still cut through them with strong enough cutters, but they will at least deter opportunistic thefts.
But you need to do more than this. You need to prevent unauthorized access to your laptop and protect the data contained on it.
As in real life, it’s possible for a determined thief to crack even the most secure safe or break and enter into the most highly secured building. But the more difficult you make it, the less chance there is of this happening.
The best way therefore to approach computer security is to consider it as a series of hurdles that you set up to deter intruders and thieves.
There are a number of things you can do. What follows below is the procedure I use for my own laptop.
Secure the BIOS
Set the BIOS password on your laptop. The BIOS (Basic Input Output System) is the lowest level part of the computer.
The BIOS is the first thing that flashes up on the screen when you switch it on. Usually it’s accessed by pressing one of the function keys. Exactly which function key varies from laptop to laptop.
You need to check the messages that appear at the very beginning when you power up your laptop to find out which key you need to press to get access to the BIOS on your particular laptop.
If you set the BIOS boot-up password, then no-one will be able to start Windows, Linux or whatever operating system you have installed on your laptop without first entering this password correctly.
You should also disable external booting in your BIOS system. This will prevent people from getting round your security by trying to install a fresh version of Windows or Linux.
Just make sure you know what you set your BIOS password to – and don’t forget it either. Without this no-one can access your laptop, including you. There are ways round this, but they involve resetting the BIOS chip one way or another, which involves a lot of hassle.
Secure Access to the Operating System
So, having secured the BIOS, the next thing you should do is to secure the access to your operating system.
Be it Windows or Linux, you should make sure you have set a user password as well as an administrator or root password. Anyone trying to start up Windows or Linux will then first have to enter the appropriate password.
Again: don’t forget what you entered for the password or you’ll find yourself locked out as well and things can get complicated.
Install a Device-Tracking System
Next you should install a software program called Prey.
This is a small piece of software known as a device tracker. It sits on your computer waiting to be activated by you by remote control if your laptop is stolen. You wake up Prey by sending a message via the web or by SMS.
Prey then responds by sending you the information about where the laptop is currently located (provided the thief connects the laptop to the Internet – which most of them do sooner or later).
All this happens without the thief knowing. You can then use the information to assist in taking action to recover the laptop.
Prey is available in both free as well as paid-for versions with more functionality. You need to make sure you install it on every operating system on your laptop. So if like me your laptop runs both Windows and Linux, then you need to install it on both.
Read the installation instructions carefully at the Prey site first at preyproject.com
Bear in mind though that Prey will only be able to do its work if the thief is able to get past your Windows or Linux user/root passwords to actually start the system.
Install a Data Encryption Program
Now you need to think about your data. If your laptop gets stolen, then a thief would have access to whatever you have stored on your hard drive. Credit card and bank details, other financial and business information, passwords etc. So you need to make sure this data is secure.
The best way to do this is to use a data encryption program. There are a number of such programs out there, but the best one is a freely available Open Source system called Truecrypt. It’s available for both Windows and Linux.
Truecrypt allows you to encrypt your data – both individual folders or directories as well as whole disk partitions. Even if you access your data both from Windows and Linux using a common data partition you can still encrypt it with Truecrypt.
It can also encrypt external USB drives and USB flash thumb drives. You can also use Truecrypt to hide a partition or folder from public view. Don’t forget to encrypt external USB drives – they are even easier than laptops to steal.
Truecrypt is a little complicated at first and the website is a bit on the geeky side and old fashioned in style, but the program is well worth it.
Keep a backup of your important data in the cloud at all times.
There are now a whole heap of cloud storage systems. Many of these provide a couple of gigabytes worth of data free of charge.
They vary in ease of use, but the most widely known ones right now are Amazon S3 and Clouddrive, iDrive, Dropbox, Mozy, Carbonite and SugarSync. Most of these give you a couple of GB at least free of charge. Clouddrive currently ofer 5GB free, Dropbox only 2GB.
There’s also a cloud system called Symform which is worth taking a look at.
Symform is a different system to all the others because it uses a distributed cloud system. Data is encrypted and stored throughout participating computers throughout the Symform system. This gives you a higher level of reliability rather like a RAID system because you are not dependent on one single server.
Symform offers 10GB of storage free of charge. You can add to the storage using your own machine and receive cloud storage in return. You can also purchase additional cloud storage.
Amazon S3 is practically the quasi industry standard for cloud storage. It has a good reputation for reliability. Amazon S3 doesn’t itself provide free storage, you pay on a monthly basis for the storage that you use, but there is no limit and the fees are reasonable.
Amazon S3’s user interface isn’t the easiest to use. The service is targeted primarily at the commercial business to business sector and professional IT users rather than the consumer or domestic user market.
However, you can use Amazon’s Clouddrive service, which is web-based and easy to use and which provides 5 GB free of chrage.
You should use at least two different providers for your most important data, in case of any problems with data loss or access with the one or the other. Even if nothing else, there’s also always the possibility that one or the other could one day go bust and go out of business.
For myself I currently use Amazon S3, Dropbox, and Symform.
A Warning About USB Thumb Drives
Finally, a word about USB thumb drives.
These are neat little devices, a great invention for transferring data from one computer to another when they aren’t networked. But whilst their small size is an advantage, it’s also their biggest disadvantage. USB thumb drives are all too easy to lose, go astray or get stolen.
For that reason I don’t put valuable business or personal data on a USB thumb drive.
In any case I can’t see the point. The cloud is safer than a USB thumb drive can ever be. It’s possible to encrypt a USB thumb drive using Truecrypt. But in practice it’s a complex matter eg it requires you to have root or admin access to the PC or laptop you want to connect up the USB thumb drive to. This isn’t always possible to guarantee in practice.
The best advice in my opinion is not to use USB thumb drives for storing or backing up important data. Always use the cloud and your encrypted hard drive.
If you implement the measures I described above, then you’ll be doing more to secure your laptop and it’s data than many corporate computer users out there. In my experience a lot of them don’t take the trouble to configure anywhere near that level of security for their laptops and their data.
Good luck – and keep your laptop and your business data secure!
Image Attribution: Pixabay.com – Free for commercial use, no attribution required.
If you have a website for your business, then there’s a good chance it will be a WordPress website.
WordPress is a mature and secure Website Content Management System or CMS which is used by millions of websites all around the world.
But like all websites and webservers, WordPress can also be hacked and compromised by intruders if you don’t pay attention to basic security aspects.
A Practical Guide To Basic WordPress Security
Website security is a complex area and to discuss all the aspects of web server security I would end up filling a whole book (perhaps I’ll write it one day).
What I’m going to do here is provide you with the essential and most important basics of WordPress security which will go a long way in providing you with an acceptable level of security for your website and which involve relatively low overhead from yourself to implement.
The most common problem websites around the world face are attacks launched by so-called “script kiddies”.
Script kiddies are the most common – and fortunately also the least competent, types of computer hackers. Script kiddies are people – they may indeed be “kids”, but are actually often adults, who rely on running freely available hacking tools and program scripts to try and identify and break into websites which have lax basic security.
These scripts and hacker tools look for websites which have weak administrator accounts and especially passwords, unpatched, bug-ridden or outdated WordPress plugins or databases, or web-hosting providers that have security holes in their systems.
The majority of successful break-ins occur simply through script-kiddie hackers finding and exploiting these weaknesses.
So, what you need to do first of all is to make sure you eliminate these weaknesses from your website.
Take A Look At Your Web-Hosting
First of all, take a look at your web-hosting.
Make sure you are hosting your site with a web-hosting provider who takes web server security seriously. They should ensure that proper security measures are taken at all times and that their system and those of their customers are backed up properly and are properly protected against intruders.
It’s especially important that operating system and web server system software is updated whenever new versions are released. This can usually close most security holes straight away.
The good news is that most web-hosting providers do look after their systems fairly well, but there are still some out there who are lax in this area.
The best advice is to check the reviews of your web-hosting provider to gauge what their level of reliability is like in practice.
WordPress and Web-Hosting User Accounts
Always use secure passwords for both your Web-Hosting and your WordPress accounts.
There’s a lot that can be said about what makes for a secure password.
But basically a secure password follows these fundamental rules:
The longer the password the better.
Use a combination of lower and uppercase letters, alphanumeric, and other characters such as hyphens, dots, dollar, hash, percentage signs and so on.
Use “nonsense” words – NEVER use a word from a dictionary.
Never reuse a password.
Never use the same password on more than one site.
Never write your passwords down on paper – and be careful about where you store them on your computer or online. DON’T store passwords in an email inbox.
Never use any password obviously based on some aspect of yourself or your business. That’s too easy to guess.
Use separate editor and administrator accounts for WordPress – with different passwords and user names for each.
Do not use obvious login names for your WordPress user accounts. Do not use “admin” or “administrator” names for your root or admin accounts for WordPress.
You can randomize your WordPress user account names for both administrator and editor accounts just as you can with the passwords. You can set the displayed editor name in your pages and posts to the one you want the public to see. Make sure your chosen randomized user names are not displayed as page or post authors.
Use a password storage and retrieval tool such as LastPass or Roboform. These tools also generate random, long and complex passwords for you on demand which are then encrypted and stored for you. They provide a local and an online instance of your own password database. Make sure you always remember your master password for your password database – and keep it safe.
If you can accept the extra inconvenience involved, add two-factor authentication to your login systems. These tend to involve an email or mobile phone check – sometimes even both.
WordPress Security Plugins
Install a couple of reputable WordPress security plugins on your site. There are a number of these available, but it’s best to stick to the most popular, proven, tried and tested security plugins.
The two security plugins I recommend in most cases for WordPress websites are Bulletproof Security and WordFence.
You can also install the Stealth Login Page Plugin which will add a second tier of security to your login procedure, requiring you to enter a previously set Authentication Code along with your user name and password when you want to login to your WordPress Dashboard.
WordPress Themes
Only install WordPress themes from reliable theme design providers. I recommend taking a look at Woo Themes but there are also many other quality theme publishers. .
Make sure you apply updates to the themes promptly as and when they become available.
WordPress Core Updates
Make sure that you also apply all WordPress Core Platform version updates immediately they become available. This can be crucial in ensuring that any new security exploit is prevented.
WordPress Plugin Policy
Be careful when choosing your WordPress plugins. Plugins can contain bugs and vulnerabilities. It’s important that the plugin should be actively maintained by the developer so that bugs and security weaknesses can be resolved quickly.
The best rule to follow with plugins is to use only as many as necessary and as few as possible.
Access Policy
It’s best not to access your website’s WordPress dashboard through a public wi-fi system, because your user name and password can be intercepted by anyone using Internet sniffer software. A safer way to do this on a public wi-fi network is to use a trusted VPN service.
WordPress and Server Backups
Finally, make sure you backup your website regularly. Both your web server and your WordPress website, including the database should all be separately backed up on a regular basis.
Always maintain more than one copy of your backups – and keep these backups on a separate machine and location to your web server.
By following these basic security rules you will be able to thwart many of the attempts of hackers to attack and compromise your web server and your website.
There’s a worldwide hacker attack going on against many WordPress websites. 
