Health Status Data on Cloud Services

From the current News we hear that insurances offers humans to save the complete health status at a Cloud based App.
This is by DEFAULT insecure!

  • Smartphones get less OS Security Updates by Manufacter
  • Users do NOT know to handle Updates
  • Users can’t update Firmwares by default
  • Apps most located at App Stores (Google, Apple)
  • App Stores Analyse downloads and usage of Apps, with this getting personal Data to SELL!!
  • No Health Insurance knows to securing Data Pools especially Clouds !!
  • No one will help Humans if Cloud App Keys abused and Data stolen
  • Humans can be forces to offer own health Status for new Contracts and Services

NO i don’t support this!!

..if you are forced to use Apps for personal Health Data Management then CHANGE the Company or cancel the Contracts!

Android Hidden Location Tracker

If you use a Android device google can track you via scanned and known wifi Networks without any connection! Android scans your area, shops, stores for public wifi networks, via LTE / GSM the OS verify the Data online at Google. As Result Google Maps sends you Popups to VOTE the last visited Places at Google Maps.

That’s all WITHOUT GPS and WIFI connected only LTE/GSM !

Purge Google Account! (disconnect!) and disable all unwanted Google Apps especially Uploaders (Backups) then go Android Settings -> Wifi -> Advanced Wifi Settings!

Disable the “local wifi scan” option switch at Android!

android hidden location tracker wifi

Remark:

  • There’s no guarantee that google or other company’s can re activate it again or run the service as hidden tool!
  • No one knows which apps do run this tools at Standby Mode on Background!
  • To be safe remove the Battery of the Phones! or put it into a Metalbox (Copper Faraday Cage)

Apache MEMCACHED UDP Protection

Current a lot of sites blogging about memcached attacks on Servers here some details:

  • Memcached Servers need a installed and running Service called “memcached”
  • Websites need a php-plugin like php7.0-memcached to connect via API to the memcached Service
  • The Memcached Service uses a own Config File at debian /etc/memcached.conf
  • By default it MUST listen to localhost or socket
  • Admins MUST setup a FIREWALL like “ufw” (iptables) and MUST check own Server for OPEN PORTS with nmap
  • The Problem is that Attackers can run Scripts against to your Server in a 10^6 Range like a BOTNET !! with ONE PC cause MEMCACHED supports this high count of REQUESTS without going down.
  • DO NEVER HOLD CONFIDENTIAL DATA ON WEBSERVERS!!!

Test to open Port using nmap Port Scan with UDP Option NOT TCP:

sudo nmap -sU -p 11211 www.myserver.xyz

If the scan echo this YOU MUST check or install a FIREWALL!:
Host is up (0.10s latency).
PORT      STATE         SERVICE
11211/udp open|filtered unknown

if Echo shows this you are safe:
PORT      STATE    SERVICE
11211/udp filtered unknown

check your current Apache PHP Modules:

$sudo php -m

if memcached listed, the php api is active time to check more..

check for memcached service:

$sudo dpkg -l |grep mem

is memcached listed the service is installed, then do:
$sudo ps aux|grep mem

if the echo shows:
memcache ... /usr/bin/memcached -m 64 -p 11211 -u memcache -l 127.0.0.1 -P /var/run/memcached/memcached.pid

the Service is active an listening..

Sample Config:
/etc/memcached.conf

# memcached default config file
# 2003 - Jay Bonci <jaybonci@debian.org>
# This configuration file is read by the start-memcached script provided as
# part of the Debian GNU/Linux distribution.

# Run memcached as a daemon. This command is implied, and is not needed for the
# daemon to run. See the README.Debian that comes with this package for more
# information.
-d

# Log memcached's output to /var/log/memcached
logfile /var/log/memcached.log

# Be verbose
-v

# Be even more verbose (print client commands as well)
-vv

# Start with a cap of 64 megs of memory. It's reasonable, and the daemon default
# Note that the daemon will grow to this size, but does not start out holding this much
# memory
-m 128

# Default connection port is 11211
-p 11211

# Run the daemon as root. The start-memcached will default to running as root if no
# -u command is present in this config file
-u memcache

# Specify which IP address to listen on. The default is to listen on all IP addresses
# This parameter is one of the only security measures that memcached has, so make sure
# it's listening on a firewalled interface.
-l 127.0.0.1

# Limit the number of simultaneous incoming connections. The daemon default is 1024
-c 300

# Lock down all paged memory. Consult with the README and homepage before you do this
# -k

# Return error when memory is exhausted (rather than removing items)
-M

# Maximize core file limit
# -r

# Use a pidfile
-P /var/run/memcached/memcached.pid

Setup Firewall (ufw):

$sudo apt-get install ufw
$sudo ufw allow 80/tcp
$sudo ufw allow 443/tcp
$sudo ufw enable

Retest with NMAP Port Scan your OPEN Ports! Do this monthly! Cause sometimes the Firewall can have unknown Problems!!

Check the Memcached Log at /var/log/memcached.log for Events

ENFORCE Google to DuckDuckgo SEARCH

If you want to enforce the use of DuckDuckgo.com instead of google.com do:

Edit at the PC the “hosts” File on:

Linux /etc/hosts
Windows C:\Windows\System32\drivers\etc

insert at last:

54.229.105.92  google.com  #ip of duckduckgo or 176.34.131.233
54.229.105.203 google.com #ip of duckduckgo
176.34.131.233 bing.com #ip of duckduckgo or 176.34.131.233
176.34.131.233 yahoo.com #ip of duckduckgo or 176.34.131.233

..reboot and test on a Browser Session after google.com you see duckduckgo.com

Remark:

  • Most DSL Routers do offer the edit of the hosts File too, do same there and ALL devices redirected!
  • Don’t forget to reboot!
  • This Solution works only on IPv4 Networks, to enforce the local net, disable IPv6 forwarding on your ISP Router!
  • Test the “addressbar” search, there the redir does not work, cause compiled in IP’s or IPv6 broadcast, then remove uneeded Search Engines on the Browser Settings!
  • Use the free fork of Firefox named icecat Browser

Nextcloud Owncloud Opensource Risk’s

If you are current using Nextcloud / Owncloud or other PHP-Kits for File Handling you should know these remarks:

Based on this Article

You must know:

  • Details of Security about your current used PHP Versions (7.X)
  • Details of your used Database Version (MySQL..)
  • Details of hardened OS and Webserver Version (Apache,Firewall,fail2ban,file policys, selinux, apparmor filter)
  • See ALWAYS PHP-Kits of opensource with the trust of NON HARDENED SOFTWARE (prefer NON-PUBLIC ACCESS)
  • You can ACCESS this Software thru SSH TUNNELS with a local running non-caching PROXY (privoxy)
  • Use the SSH Tunnels on unknown Ports and Login via Key Files which must be unlocked by LONG PASSWORDS
  • Public ACCESS is ALWAYS a RISK if YOU didn’t have the KNOWLEDGE of the SOURCE CODE!

Howto read here

Ubuntu 16.04 Compiz Hang Kernel

After Ubuntu published the latest Kernel Patches for Meltdown and Spectre the Kernel 4.4.0-104/109-generic let Intel Graphics freeze or hang on Compiz with Unity.

Howto fix:

Install the latest Kernel 4.4.0-112-generic

do:
sudo apt-get install linux-image-4.4.0-112-generic
sudo apt-get install linux-image-extra-4.4.0-112-generic

reboot

then:

sudo apt-get autoremove --purge -y

This removes older kernels and save Space! Do test the PC for hanging again!!!

Meltdown Spectre VM Hosting

Thru current IT News you may have heard about the major Security Problem of x86 Technology.

If your Websites current hosted on VM at VM Providers, contact them to get current news about their bug handling of their VM Host Servers. If you get no details, then shutdown your sites temporarily, or look for a other solution which isn’t running on x86 Technology.

Otherwise you can try to switch from php-kits to static HTML Websites. On the Net there are very helpful tools to do this easy. For WordPress is a WP to HTML Plugin available. This dumps your blog to HTML static paket where you can use a raspberry Pi with ligttpd as litte Webserver instance up to the time the x86 Manufacter fixes the nasty problems. Remark Debian runs on other CPUs like Sparc64 Mips too..