“If you watched the SEC Twitter account hack that moved markets yesterday and wondered how to prevent account takeover for your personal, business, or high profile social media account, here’s an Account Takeover Prevention Guide for you and/or your organization.” @racheltobac neatly summarises the steps you should take to prevent the hijacking of your online accounts.
Tag: internet
European Commission gives EU-US data transfers third round at CJEU
“This third attempt to pass largely the same unlawful decision also raises questions as to the larger role of the European Commission being the guardian of the EU treaties. Instead of upholding the ‘rule of law’ the Commission simply passes an invalid decision over and over again, despite clear rulings by the CJEU.” By agreeing the Data Privacy Framework with the US, the European Commission likely prioritised diplomatic and business interests over the rights of Europeans.
Nothing to hide? A modern myth and 12 arguments against it
“But the sentence and its spread harm society and other people far more than those who utter it. That is why the socially oriented responses to it are my favourites: because it stigmatises people, treats them without solidarity, negates their experiences of discrimination, and because it undermines democracy and resistance.” @reticuleena lays out how we put our trustworthiness on the line.
Install and configure SSH on Debian or Ubuntu
SSH is a protocol that enables secure connections over unsecured networks. It supports public-key (asymmetric) cryptography for user authentication. Private keys are kept locally, while public keys are stored on the remote machine.
The following configuration disables root logins on the remote machine. Only users belonging to the group ssh-users may establish a connection. Access to the remote machine is tied to the local user’s private key.
In this example, the name of the remote machine is debian-server, which has the address 192.168.1.10 on the network. sid is a user on debian-server, whereas bookworm is a user on the local machine. Choose an encryption passphrase to secure the private key that you will generate in Step 5.
On the remote machine
Step 1
Install the secure shell server with the following command:
$ sudo apt install --yes openssh-server
Step 2
If you are using ufw as a host-based firewall
Configure ufw to allow connections to the secure shell server.
$ sudo ufw limit ssh
If you are using firewalld as a host-based firewall
Configure firewalld to allow connections to the secure shell server.
$ sudo -- bash -c 'firewall-cmd --zone=public --add-service=ssh --permanent && firewall-cmd --reload && firewall-cmd --info-zone=public'
Step 3
Restrict access to the remote machine to members of a specific group. Start by creating the group ssh-users.
$ sudo addgroup --system ssh-users
Add the user sid to the group ssh-users.
$ sudo adduser sid ssh-users
On the local machine
Step 4
Install the secure shell client with the following command.
$ sudo apt install openssh-client
Step 5
Generate a new key pair for the local user bookworm:
$ ssh-keygen -t ed25519 -o -a 100
Save the key pair to the directory /home/bookworm/.ssh/. Choose a name that facilitates easy identification.
Enter file in which to save the key (/home/bookworm/.ssh/id_ed25519): ~/.ssh/id_ed25519-debian-server
The use of an appropriate passphrase to secure the private key is mandatory.
Step 6
Create the file ~/.ssh/config to configure the secure shell client.
$ nano ~/.ssh/config
Add the following minimal entry for the host debian-server.
Host debian-server
    Hostname 192.168.1.10
    IdentitiesOnly yes
Step 7
Deploy the public key with the following command.
$ ssh-copy-id -i ~/.ssh/id_ed25519-debian-server.pub sid@debian-server
Step 8
Log into the remote machine.
$ ssh -i ~/.ssh/id_ed25519-debian-server sid@debian-server
When prompted to confirm the authenticity of the host debian-server, type yes and press [Enter].
The authenticity of host 'debian-server (192.168.1.10)' can't be established.
ED25519 key fingerprint is SHA256:C9RxLLVbvFwVJc0L4JHzcuHQSaPHJZe/GrRDvqy6rAG.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])?
In the next step, enter the passphrase for your private key.
Enter passphrase for key '/home/bookworm/.ssh/id_ed25519-debian-server':
Step 9
On the remote machine, download a file to harden the ssh server. You are encouraged to inspect its contents.
$ sudo -- bash -c 'wget -P /etc/ssh/sshd_config.d/ --show-progress https://edafe.de/debian/sshd_config.conf'
Activate the modifications on the remote machine.
$ sudo systemctl restart ssh.service
Step 10
On the local machine, open a new terminal window and run the following command.
$ ssh -i ~/.ssh/id_ed25519-debian-server sid@debian-server
In the next step, enter the passphrase for your private key.
Enter passphrase for key '/home/bookworm/.ssh/id_ed25519-debian-server':
Display the active configuration for the remote ssh server and verify its settings, paying particular attention to the options maxauthtries, permitrootlogin and passwordauthentication.
$ sudo sshd -T
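To make that verification repeatable, here is an added example script (not part of this guide and not the downloaded drop-in) that reads a saved sshd -T dump and reports every setting that deviates from the hardening described above. The MaxAuthTries threshold of 3 is this example's own assumption.

```shell
# Added example (not from the original guide): check the effective sshd
# configuration, as dumped by `sudo sshd -T`, for the settings the guide
# asks you to verify. Usage: check_sshd_dump /path/to/dump
check_sshd_dump() {
    dump="$1"
    status=0
    # sshd -T prints every keyword in lower case, one "keyword value" per line.
    for expected in "permitrootlogin no" "passwordauthentication no"; do
        key="${expected%% *}"
        want="${expected#* }"
        got=$(awk -v k="$key" '$1 == k { print $2 }' "$dump")
        if [ "$got" != "$want" ]; then
            echo "FAIL: $key is '${got:-unset}', expected '$want'"
            status=1
        fi
    done
    # Cap on authentication attempts per connection; 3 is this example's own threshold.
    tries=$(awk '$1 == "maxauthtries" { print $2 }' "$dump")
    if [ -z "$tries" ] || [ "$tries" -gt 3 ]; then
        echo "FAIL: maxauthtries is '${tries:-unset}', expected 3 or less"
        status=1
    fi
    # Only members of ssh-users (the group created in Step 3) may log in.
    if ! awk '$1 == "allowgroups" { for (i = 2; i <= NF; i++)
                 if ($i == "ssh-users") ok = 1 } END { exit !ok }' "$dump"; then
        echo "FAIL: allowgroups does not include ssh-users"
        status=1
    fi
    return $status
}

# Constructed, abridged dump of a hardened server (a real dump is much longer).
GOOD_DUMP=$(mktemp)
cat > "$GOOD_DUMP" <<'EOF'
permitrootlogin no
passwordauthentication no
maxauthtries 3
allowgroups ssh-users
EOF

# Constructed dump of a stock installation before Step 9 is applied.
BAD_DUMP=$(mktemp)
cat > "$BAD_DUMP" <<'EOF'
permitrootlogin prohibit-password
passwordauthentication yes
maxauthtries 6
EOF
```

On debian-server, save the dump with sudo sshd -T > /tmp/sshd.dump and run check_sshd_dump /tmp/sshd.dump; a silent run with exit status 0 means all checks passed.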
All done!
For more in-depth information, please see stribika’s post-Snowden advice on hardening OpenSSH server installations.
The book SSH The Secure Shell by Daniel Barrett, Richard Silverman and Robert Byrnes is still useful today and has information on other clever stuff you can do with SSH.
Install and configure nullmailer using Fastmail as a smarthost
If you want to receive status updates from your Debian or Ubuntu system, you need to employ the help of a mail transfer agent (MTA). nullmailer is a relay-only forwarding MTA that can be used as an alternative to more complex MTAs such as Exim, Sendmail or Postfix.
nullmailer can be configured to use Fastmail as a smarthost and hence ensure the deliverability of your messages. In principle, these instructions should also be applicable to service providers other than Fastmail.
In the following example configuration, debian is the hostname, bookworm the local username and linus.torvalds@fastmail.com the Fastmail username.
Step 1
Log into your Fastmail account and set up a new app password for SMTP authentication.
Step 2
Create the new directory /etc/nullmailer and the file /etc/nullmailer/adminaddr.
$ sudo mkdir /etc/nullmailer && sudo nano /etc/nullmailer/adminaddr
Your Fastmail username is the only entry in /etc/nullmailer/adminaddr.
linus.torvalds@fastmail.com
Step 3
Install the required packages.
$ sudo apt-get install --yes nullmailer mailutils
Step 4
Perform the initial configuration using debconf. You can reconfigure nullmailer at any time after the initial installation using the following command.
$ sudo dpkg-reconfigure nullmailer
Setting the mail name
Set the system mail name. If you are setting up on a home network, you should use home.arpa as the domain name.
Configuring nullmailer
Mailname of your system: debian.home.arpa
Ok
Configuring the smarthost
Set the Fastmail server as the smarthost. Use the app password you set in Step 1.
Configuring nullmailer
Smarthosts:
smtp.fastmail.com smtp --port=587 --auth-login --starttls --user=linus.torvalds@fastmail.com --pass=password
Ok
Step 5
Test your configuration with the following command.
$ echo "Test mail from nullmailer on debian.home.arpa to the local root user and forwarded on to Fastmail" | mail -s "Test nullmailer" root
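As an added example that is not part of this guide, the following script checks the smarthost line that debconf writes to /etc/nullmailer/remotes, so that the app password from Step 1 is only ever sent over an encrypted session and to a submission port.

```shell
# Added example (not from the original guide): sanity-check a nullmailer
# remotes file (debconf writes the "Smarthosts" answer to
# /etc/nullmailer/remotes) so the app password only travels over TLS.
check_nullmailer_remotes() {
    file="$1"
    status=0
    # Each line is: host protocol [options...]
    while read -r host proto opts; do
        case "$host" in ''|'#'*) continue ;; esac   # skip blanks and comments
        if [ "$proto" != "smtp" ]; then
            echo "FAIL: $host: protocol '$proto' is not smtp"; status=1
        fi
        # Without --starttls or --ssl the --pass value is sent in the clear.
        case " $opts " in
            *" --starttls "*|*" --ssl "*) ;;
            *) echo "FAIL: $host: no --starttls or --ssl"; status=1 ;;
        esac
        # Submission ports: 587 (STARTTLS) or 465 (implicit TLS).
        port=$(printf '%s\n' "$opts" | sed -n 's/.*--port=\([0-9]*\).*/\1/p')
        case "$port" in
            587|465) ;;
            *) echo "FAIL: $host: port '${port:-unset}' is not 587 or 465"; status=1 ;;
        esac
        case " $opts " in
            *" --user="*" --pass="*|*" --pass="*" --user="*) ;;
            *) echo "FAIL: $host: --user= and --pass= both required"; status=1 ;;
        esac
    done < "$file"
    return $status
}

# Constructed remotes file using the smarthost line from Step 4.
GOOD_REMOTES=$(mktemp)
cat > "$GOOD_REMOTES" <<'EOF'
smtp.fastmail.com smtp --port=587 --auth-login --starttls --user=linus.torvalds@fastmail.com --pass=password
EOF

# Constructed unsafe variant: plain port 25, no TLS, no credentials.
BAD_REMOTES=$(mktemp)
cat > "$BAD_REMOTES" <<'EOF'
smtp.example.com smtp --port=25
EOF
```

Run it on the real file with sudo sh -c '. ./check.sh; check_nullmailer_remotes /etc/nullmailer/remotes' after saving the block as check.sh.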
Check your Inbox, Linus!
The process of security
“Security is a process, not a product. Products provide some protection, but the only way to effectively do business in an insecure world is to put processes in place that recognize the inherent insecurity in the products.” Bruce Schneier acknowledges that in information technology perfect security probably doesn’t exist.
Trust the process, Tina!
What’s in a PR statement: LastPass breach explained
“LastPass likely could have prevented this if they were more concerned about keeping their users secure than about saving their face. Their statement is also full of omissions, half-truths and outright lies. As I know that not everyone can see through all of it, I thought that I would pick out a bunch of sentences from this statement and give some context that LastPass didn’t want to mention.” Wladimir Palant helps to decode what LastPass had to say about their latest security breach.
The Fediverse: social media freed from the shackles of commercial interests
“Social media are dominated by platform operators who put their own interests first and measure every decision by how much profit it can generate. Once you have internalised that, the question inevitably arises of what is actually social about social media. Being social means helping others, which can also mean putting your own interests aside. In essence, the exact opposite of how commercially oriented platforms such as Twitter, Facebook and co. operate.” @kuketzblog explains the idea of the Fediverse and thereby underlines why it differs so fundamentally from platforms such as Twitter and Facebook. This post is of great importance, not only for users of social media.