Security: Protection Against the Crypto Ware WannaCry

You have perhaps heard in the last days about the major problems caused by attacks on systems with the „WannaCry“ crypto ware (ransomware).

How to protect yourself?

  • Enable the firewall on Windows systems!! Always!
  • Update the virus scanners and the Windows patches daily!
  • Disable and CLOSE ports you never need! SMB is an open, unencrypted transfer protocol!
  • Use a second router with a firewall behind your ISP router or modem! (OpenWrt, pfSense)
  • Check the applied rules with the nmap port scanner tool and verify that they really work!
  • For network access ALWAYS use SFTP with key-based login (two factors: the key and the password that unlocks the key file id_rsa)
  • For freshly installed systems, do a full backup of the disk.
  • To save your work files, use USB drives or USB sticks which can be unplugged when you don’t need them.
  • Back up the Windows disk weekly to an external USB disk; 1TB is sold for less than 50$
  • ..last but not least, use a Linux live CD like Ubuntu to access the Internet..

Update:

  • The Linux Windows share service called Samba is also under attack: CVE-2017-7494
  • to fix it, open smb.conf with an editor and add:

nt pipe support = no

  • restart the service with:

$service samba stop && service samba start

  • Don’t use reload, to be sure that the config is really reloaded!! A „systemd“ problem!
  • Check the Samba share for write and read access!
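A small check for the Samba fix above (added example, not code from the original post; the sample smb.conf is constructed): Samba’s published workaround for CVE-2017-7494 is „nt pipe support = no“ in the [global] section, and a value set only in a share section or spelled „yes“ does not count. Parameter names in smb.conf are case-insensitive and ignore whitespace, which the parser accounts for.

```python
"""Samba workaround check for CVE-2017-7494: 'nt pipe support = no' in [global].
Added example, not from the original post; the sample config is constructed."""
import re

SAMPLE_SMB_CONF = "[global]\n   workgroup = HOME\n   NT Pipe Support = No\n"
WORKAROUND = "   nt pipe support = no"

def _normalize(name):
    # Samba parameter names are case-insensitive and ignore whitespace.
    return re.sub(r"\s+", "", name).lower()

def parse_smb_conf(text):
    """Return {section: {normalized_param: value}} for an smb.conf text."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][_normalize(key)] = value.strip()
    return sections

def nt_pipe_support_disabled(text):
    """True only if [global] sets 'nt pipe support' to a Samba false value."""
    value = parse_smb_conf(text).get("global", {}).get("ntpipesupport")
    return value is not None and value.lower() in ("no", "false", "0")

def add_workaround(text):
    """Return the config with 'nt pipe support = no' in [global]: an existing
    setting there is replaced, otherwise the line is added (creating [global])."""
    out, section, done = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            if section == "global" and not done:   # leaving [global] without it
                out.append(WORKAROUND); done = True
            section = line[1:-1].strip().lower()
        elif (section == "global" and "=" in line and line[0] not in "#;"
              and _normalize(line.split("=", 1)[0]) == "ntpipesupport"):
            raw, done = WORKAROUND, True
        out.append(raw)
    if not done:
        out = out + [WORKAROUND] if section == "global" else ["[global]", WORKAROUND] + out
    return "\n".join(out) + "\n"
```

Run it against a copy of your real smb.conf before the restart; a service restart, not a reload, is still needed afterwards as the post says.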

Android: Get back Privacy and Security

If you use an Android smartphone (other mobile OSes the same), you should take a minute to get back your privacy and security!

These points help to prevent problems, but there is no warranty for 100% protection!

  • First, every smartphone offers a factory reset; search for it in the Settings and DO it! This protects you from firmware spam by the reseller! (Samsung, HTC..)
  • Boot the phone without inserting a SIM card, create a fake account to get updates and software over a PUBLIC WIFI network (coffee shop, Freifunk)
  • Install the wanted apps, then go to Settings, then to Accounts, and PURGE the fake account.
  • Disable / purge apps in the Settings that you will never use.
  • Check in the Settings which app is running on a timer; if not needed, disable it.
  • Check web backup apps and disable them or prevent them from calling home (default built-in Android firewall)
  • DON’T set up your REAL email account which is used for home banking or online shopping, BECAUSE the OS is open like a Swiss cheese with holes (fewer updates by the manufacturer), and to PROTECT your phone from being hijacked by an email virus
  • Encrypt the phone, and SET a screen lock with a password longer than 8 digits, same for the SIM unlock code!
  • Back up the smartphone monthly by USB cable to a fully encrypted PC!
  • If you are not a newbie, look for browsers like icecat-apk on the open source F-Droid shop, which are more secure
  • Try the Tor Browser later! For more security!
  • DON’T enter words, names or numbers which are CONFIDENTIAL! Because smartphones are like papers on a public table without real protection!
  • Try to use the „Quick Switches“ of the „Screen Pull Down Menu“ on the home screen, where Data, Autosync and Flight mode can be toggled.
  • If you use messenger apps, check their settings to disable the download of „Video, Images, Files“; this can be a backdoor too!
  • Disable „Video Autoplay“ in apps like G+ or Facebook.
  • Use every app with its own fake account.
  • NEVER leave your phone on a public table, because the USB port is always open and AUTO-connects every plugged-in cable!
  • Put a black strip over the camera lenses if you don’t need them! Especially the front camera!
  • Call your phone provider to disable the transmission of MMS/SMS! This prevents messages with bad links.
(Screenshot: android account removal)

Owncloud: How to harden Owncloud access with an SSH tunnel and Squid

If you want to use a private, secure Owncloud (WebDAV space server) as a backup for all your devices, you can harden the access through an OpenSSH login with key auth and a Squid proxy as relay.

  • Install apache2, php5, mysql-server, openssh, squid3
  • configure Apache2 to listen on https://localhost:443
  • set up squid3 and configure the proxy to listen only on localhost:3128
  • install Owncloud to /var/WWW with forced „https“ settings in config.php
  • create SSH keys to authenticate to the SSH server with a password-protected key

Once done, you can access the private backup server via a terminal / PuTTY with the tunneling options:

  1. $ssh -L 3128:localhost:3128 username@owncloudserver.home
  2. Open your browser on your client PC with proxy usage enabled = localhost, port 3128
  3. Connect to the WebDAV server via the URL https://localhost/ and the Owncloud login should be displayed! The same is possible with the WebDAV URL!

Advantage? You have two-factor protected Owncloud access, with encryption inside an encrypted SSH tunnel! Nobody should see the files which are transmitted! That’s a tube inside a tube ..
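The „tube inside a tube“ only holds if Squid and Apache are bound to localhost and Squid accepts only local clients; otherwise the proxy or the Owncloud web server is reachable without the SSH tunnel. The following check (added example, not code from the original post; the sample squid.conf and Apache ports.conf fragments are constructed) parses the relevant directives and flags the weak settings next to the correct ones.

```python
"""Check the loopback-only bindings the tunnel setup relies on.
Added example, not from the original post; the sample configs are constructed."""
import ipaddress

SQUID_CONF = "http_port 127.0.0.1:3128\nhttp_access allow localhost\nhttp_access deny all\n"
WEAK_SQUID_CONF = "http_port 3128\nhttp_access allow all\n"   # every interface, every client
APACHE_PORTS_CONF = "Listen 127.0.0.1:443\n"

def listen_specs(text, directive):
    """(host, port) for every '<directive> [host:]port' line; host None = all interfaces."""
    specs = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) < 2 or parts[0].lower() != directive.lower():
            continue
        spec = parts[1]
        if spec.startswith("["):                 # [::1]:3128
            host, _, port = spec[1:].partition("]:")
        elif spec.count(":") == 1:               # 127.0.0.1:3128 or localhost:3128
            host, _, port = spec.partition(":")
        else:                                    # bare port: binds all interfaces
            host, port = None, spec
        specs.append((host, int(port)))
    return specs

def _is_loopback(host):
    try:
        return host == "localhost" or ipaddress.ip_address(host).is_loopback
    except ValueError:                           # a hostname other than localhost
        return False

def loopback_only(text, directive):
    specs = listen_specs(text, directive)
    return bool(specs) and all(h is not None and _is_loopback(h) for h, _ in specs)

def squid_allows_remote_clients(text):
    """True if an 'http_access allow all' is reachable before the final deny."""
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if parts[:2] == ["http_access", "allow"] and "all" in parts[2:]:
            return True
        if parts[:3] == ["http_access", "deny", "all"]:
            return False
    return False

def tunnel_setup_ok(squid_conf, apache_conf):
    """All three properties the 'tube inside a tube' setup depends on."""
    return (loopback_only(squid_conf, "http_port") and loopback_only(apache_conf, "Listen")
            and not squid_allows_remote_clients(squid_conf))
```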


Debian/Ubuntu laptop mods for an SSD HDD and full disk encryption with LUKS

Major INFO 06-2015: Do not set up tmpfs on Ubuntu 15.XX or systems with systemd!!! This blocks the PC boot!!

If you want to set up a Ubuntu/Debian laptop with a fully encrypted HDD, use an „alternate“ CD/DVD.
After setup you have to change some little parameters to extend the lifecycle of the SSD chips:

  • disable swap if you have more than 4GB RAM
  • enable a RAMDISK with tmpfs for logs and browser caches
  • install cpufrequtils for CPU frequency scaling
  • install laptop-mode-tools to set the powersave mode for hardware modules
  • install xbacklight to reduce the backlight energy

Steps:

  • open a console and change to the root user: enter „$sudo -s“ and your password,
  • now we have to disable swap: edit with „$nano /etc/rc.local“ and insert a „swapoff -a“ before „exit“
  • edit with „$nano /etc/fstab“: comment out the older „/tmp“ entry with a „#“ and insert:
    tmpfs  /tmp  tmpfs  nosuid  0  0
    tmpfs /var/run tmpfs nosuid,mode=0755 0 0
    tmpfs /var/lock tmpfs noexec,nosuid,nodev 0 0
    tmpfs /var/log tmpfs noexec,nodev,nosuid 0 0
  • remove /var/tmp and create a symlink pointing it to the RAMDISK: „$ln -s /tmp /var/tmp“
  • reboot
  • log in as your user to configure the Firefox / Iceweasel browser to use the RAMDISK as cache with the „firefox -P“ command
  • delete the default profile, create a new one named „ram“ and let the profile manager create the new profile in /tmp
  • restart Firefox / Iceweasel with the „-P“ option; now everything is held inside the RAMDISK!! (after a reboot all history and cookies are deleted!)
  • if you use other applications with a CACHE, do the same with EVERY application (read the readme.txt of the apps)
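The fstab step above as a script (added example, not code from the original post; the sample fstab is constructed): it comments out the old „/tmp“ entry, appends the four tmpfs lines idempotently, and refuses to do anything on a systemd host, because of the 06-2015 warning that these tmpfs mounts block the boot there. The systemd detection uses the /run/systemd/system directory that systemd creates on every system it has booted; the „root“ parameter only exists so the check can be pointed elsewhere for testing.

```python
"""The /etc/fstab RAMDISK step as a script: comment out the old /tmp entry, add
the tmpfs lines, and refuse on systemd hosts as the 06-2015 warning says.
Added example, not from the original post; the sample fstab is constructed."""
import os

TMPFS_LINES = [
    "tmpfs  /tmp  tmpfs  nosuid  0  0",
    "tmpfs /var/run tmpfs nosuid,mode=0755 0 0",
    "tmpfs /var/lock tmpfs noexec,nosuid,nodev 0 0",
    "tmpfs /var/log tmpfs noexec,nodev,nosuid 0 0",
]
RAMDISK_MOUNTS = {line.split()[1] for line in TMPFS_LINES}

SAMPLE_FSTAB = """\
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/mapper/sda5_crypt /    ext4 errors=remount-ro 0 1
/dev/sda1              /tmp ext4 defaults          0 2
"""

def mount_point(line):
    """Second field of an fstab entry, or None for blank and comment lines."""
    fields = line.split()
    if len(fields) < 2 or fields[0].startswith("#"):
        return None
    return fields[1]

def running_systemd(root="/"):
    # systemd creates this directory on every system it has booted.
    return os.path.isdir(os.path.join(root, "run/systemd/system"))

def ramdisk_fstab(text, systemd=None):
    """Return the rewritten fstab, or None when the host runs systemd."""
    if systemd is None:
        systemd = running_systemd()
    if systemd:
        return None                      # the post warns this blocks the boot
    out = []
    for line in text.splitlines():
        mp = mount_point(line)
        if mp in RAMDISK_MOUNTS and line.split()[0] == "tmpfs":
            continue                     # stale tmpfs line, re-added below
        if mp in RAMDISK_MOUNTS:
            line = "#" + line            # keep the old entry, disabled
        out.append(line)
    return "\n".join(out + TMPFS_LINES) + "\n"
```

Write the result to a copy first and diff it against /etc/fstab before replacing the real file.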

Enjoy the new, very secure Internet laptop with built-in theft protection and secure, permanently private browsing!