If you recall earlier videos, some have been known to plant evidence, to attempt to silence Journalists, Lawyers, and Activists.
Allowing (est) 5,000 employees access to emails, phone numbers, and other contact information, opens up potential towards phishing attacks mentioned in the video below (hypothetically):https://www.youtube.com/embed/wo7maZzLeb8
A reminder of what can happen to those thinking “privacy doesn’t matter.”
Today it may be a lawyer defending Human Rights, tomorrow it could be anyone.. depending which direction political winds blow.
DISCLAIMER: Below I created a tutorial on ‘flashall’ method to get up and running with this firmware. I include 2 outside videos at the bottom for those who prefer GUI applications for upgrading firmware.
Modem recovery firmware available here, in case you mess up.
FLASHING MODEM FIRMWARE
Before following below, make sure to first install adb / android-tools. Required for ‘flashall’ script.
(see below screenshot to see above commands in action. Make sure to download the package.tar.gz into the ‘helpers’ directory, to allow ‘flashall’ to make use of it.)
After this, you will notice the modem going ‘down’. Then it will reappear / come back alive (reboots).
If you get an error, it can’t hurt to try ‘flashall’ again.
Just be sure you have android-tools / fastboot, and extract Biktor’s firmware into the same directory as tools/helpers (the location of the flashall script).
When all is successful, you should see a message from a dedicated number telling you about the success of your new modem firmware.
Notice problems with modem disappearing? Take a look at recommended settings here.
UPDATE: OUTSIDE VIDEO GUI RESOURCES BELOW
In this article I opted to share a quick commandline route.
For those who prefer a GUI tool (to upgrade the firmware), below I embedded 2 videos on this.
Scroll down to take this route.
RELATED: FIRMWARE UPDATER ON POSTMARKETOS
(Below offers 2 separate videos on the same tool – watch whichever you prefer.)
🔗THANKS FOR SHARING (one way to support is sharing links on Social Media, Telegram…)
(below, I share screenshots I put created, underlining key points)
WHISTLEBLOWER REPORT HIGHLIGHTS IMPORTANCE OF ANONYMITY ON SOCIAL MEDIA:
EARLIER 2022 STORIES OF CONCERN
Firehose Data Allows Real-Time Tracking (2022)
Mitto AG Abused SMS 2FA For Mobile Surveillance (2022)
TIP: Use a dedicated email for social media accounts. Don’t use the same email or phone number you have connected to a bank, or “big tech” platform accounts. Every account sharing information can be neatly linked together.
🛡️ Twitter Introduces A New Phone Number Badge
This ‘badge’ will allow users to demonstrate they have a phone number connected to their account.
I see no problem with this, as long as phone numbers stay voluntary. Although it could potentially open certain users up (with this badge) to more likely attacks (earlier bug: phone number reveal).
Given information covered in the above video, requiring a phone number / identification would create a serious safety risk to activists, journalists, lawyers, and others in a sensitive position.
Not only does a phone number tie directly to a user’s identity (more reliably so than other means), it also opens them up to a host of new targeted “spear phishing” attacks.
The whistleblower report states up to 5,000 Twitter employees have access to sensitive user data. And, a Twitter employee was arrested for using their access to spy for the Saudi gov.
A country that executes its own dissidents.
There is no “safe” way for activists to share their phone number (or other personally identifiable information).
Email would make for far more secure form of 2FA, with an added bonus of protecting user identity, personal safety.
Regardless of the whistleblower report, I do hope Twitter remains a success. As long as it remains a place allowing free flows of information.
The only way this remains possible is if anonymous accounts are allowed to stay. As long as they are, I will continue to support Twitter over other mainstream Social Media platforms (this way your data remains in your hands, depending on practices).
🧅 🔒 Twitter Now Has A Tor Hidden Service Onion Address
This one is a great move by Twitter. Nothing but good things to say about it.
We live in a world where power has become increasingly centralized…
🌎 A world where data contractors / monopolies can abuse access, power.
Simply Put: We simply can’t trust our personal data in the hands of strangers. No matter who they may work for.
When one has enough data, especially biometric data, one can use this in combination with AI, media, and various sensory applications / targeted experiences, to engineer future human behavior.
This is the very real future we are looking at. Don’t underestimate the power of data.
It’s why this page exists. Privacy (moreso anonymity) is vital to a free society, where people hold the power.
TIP: By proxying most of your internet data into mixnets, I2P / Tor (and newer options like Lokinet), you can make that data useless (instead of identifying).
Think of Tor as a haystack. Instead of the normal circuit your network packets route, Tor uses multiple layers of mixing / encryption to mix Tor browser client data into
In this world of increase, truly “free speech” cannot exist without the ability for anonymity.
💎 THANKS FOR SUPPORTING / SHARING THIS
Do You Think Twitter Really Fired Mudge For The Reasons They Stated?
It’s been over a month of dedicated TailsOS usage (due to main disk dying some bit ago).
I enjoy Tails, will continue using it (as with Debian, Whonix, Qubes, Arch).
But given restrictions found in privacy / anonymity focused operating systems, sometimes we need a longer term solution for working more productively (without driving ourselves crazy).
TODAY’S VIDEO
Decided to do a bit of ‘distrohopping’.
Installed Manjaro with (minimal) XFCE desktop. Downloaded XFCE ‘minimal’ image to try to make better use of older hardware.
Continuing to bring solutions and setup tips for all Linux distros (including Pop!OS).
Ubuntu has always been a tad heavy.
And so, nothing changing here. Will continue introducing ways you can customize your system in ways that protect your privacy, security. No matter the distro you run.
TRY XFCE
Ever get the urge for a full GNU/Linux desktop experience, on a lighter, faster level?
You may like to try XFCE.
Sure, it’s not the ‘lightest’ of all, but certainly lighter than KDE / Gnome.
SCREENSHOT:
This screenshot was taken the day of installation. Nothing has been changed. Wanted to capture the “post install moments” screenshot.
Always been a favorite of mine. XFCE desktop is actually what I’ve run most my years with Linux.
If you run Pop_OS (or any other distro), you can easily install XFCE.
When you add XFCE, it doesn’t automatically delete your old desktop! (you aren’t losing anything – as long as you don’t choose to remove your current)
After installing XFCE there is usually an option to select it at your login screen
It’s lighter than alternatives like KDE / Gnome
Nice option for older machinesThe great thing about Linux: tips here can be pretty universal. Sure, a few package manager commands are slightly different, but it’s generally a matter of either “apt” (Debian), “pacman” (Arch), or “dnf” (Fedora / Redhat / CentOS).
(I try to include command conversions on important tutorials)
TIP: Try out a lightweight XFCE desktop. No matter your operating system, XFCE is likely available.
Simply search your package manager (graphical or commandline) for xfce4, as a start.
Pop_OS / Debian: apt update && apt install xfce4
Manjaro / Arch Based: pacman -Ss xfdesktop
(if any of the above commands are wrong for your system (or you have trouble) comment)
Thanks for following and sharing this on Social Media, Telegram, everywhere.
Covers various (historical + present) backdoors found in hardware (including this week’s latest Asus motherboard UEFI firmware backdoor:”CosmicStrand”).
Important for both indivduals, gov, and small businesses to be familiar with the risk.
It doesn’t mean all ‘backdoors’ (ex: test accounts) are put there for ill intentions. Large networks require remote access, and server management.
It’s nothing new.
Intel AMT Briefing
Many are still unaware (most) computers come with 👾 Intel AMT (active management tech), a proprietary, remote access backdoor (has legitimate purposes, but by definition, acts as backdoor).
There are legitimate purposes, but functions mirror that of a hardware backdoor implant.
Computers with ME, can’t hold power without it: removal by design is very difficult (if not impossible – depending on hardware), remote access hides from PC owner’s purview). If you attempt to remove it completely, your PC will not power on for long.
HAP Bit
‘HAP bit’ (see me_cleaner), once set, partially ‘neuters’ Intel ME. Reportedly a solution for agencies who needed to meet the bar for a “high assurance platform” (HAP bit does not work for all models).
‘Normal’ customers are generally left with no choice in newer Intel with AMT / vPro model computers.
Newer computers are completely dependent on Intel ME co-processor. Remote communication OOB (Out-of-band), being most concerning
Why so few options for Intel models without? It’s worth asking.
Others might not be aware of servers (ie: cloud rental) having 👾 IPMI BMC hardware with remote OOB (out-of-band) access: in truth, this should be expected for large server mgmt – make sure you trust your providers. But it’s still not common knowledge to the average person, so I mention it.
What about 👾 Computrace? Familiar? Aware of Lojack? Computrace is another ‘backdoor’ styled security feature, covered in the video. It looks, acts, and feels like a backdoor for those performing system analysis (as the video shows).
Learn about the above and more, in today’s latest video.
(support original content: options – sharing, reposting links to content is the best way)
Could there be additional persistent undocumented features inside ISP routers?
You could like the idea of a simple, single board computer for routing at home, and at the office.
Avoid ISP routers – many problems over time, new innovations can add attack surface. Find another router (router advice towards bottom).
INFO: ISP’s in USA since 2017 have been legally allowed to sell customer data / identifiers “without explicit consent.” Other countries may vary in their data protection, but (in my option), we should assume abuse of this exists in the data broker industry.
(not all ISP’s reported to do this)
TIP: encryption helps prevent (potential) malicious redirection of personal devices.
DETAILS / MITIGATION EXAMPLE
Blocking hardware related backdoors locally (from local OS) won’t likely result in a plausible solution.
RING LAYERS AND SCOPE
The rings represent layers of privilege. Kernel, at the center (below), has access to everything outside of it. Repeating per ring.
Take Intel Hardware Example Here…
INTEL MGMT ENGINE RING LAYER (-3)
Additional rings add privileges that otherwise wouldn’t have existed, for ME, at Ring -3.
Meaning it has privileges over everything outside of it.
Intel ME runs at highest privileges, completely outside oversight (ie: Windows, Linux).
In some cases we may be able to mitigate, through a series of creative choices (where possible).
Use information you have on backdoor pathways / communication to mitigate on LAN.
One mentions in this example (see video): AMT requiring either built in Intel AMT capable ethernet, and / or Intel WiFi with OOB / TCP / IP stack. Otherwise an AMT capable device.
Alternative connection methods can become one of those mitigations.
Another option (depending on the backdoor location, access) would be reflashing (where applicable).
More Intel AMT options collected for the community, see: This Post.
Router Advice
I have been asked “what router to get”? Routers play a key role in home / business security. Devices will be guided, (“routed”) by your router. They can (also) be redirected (maliciously) by a router.
Choose carefully.
On the hardware end: if you aren’t DIY, and want something “ready to go”, see hardware reviews, search relevant vulnerabilities.
Sometimes a backdoor is not necessarily placed intentionally. It could be a single rogue employee, or other placement between you and the manufacturer.
Also: Watch out for counterfeit routers.
ex: July 2022: Arrest in scheme to sell Cisco Counterfeit routers – Florida Story
“Cisco Partners Sell Fake Routers To Military” Read Story Here
If you choose to buy a new router, 2 established projects trusted in the FOSS Community are Open-WRT firmware and PF Sense (FreeBSD based). Both provide controls for networking (read reviews; do a bit of vulnerability searching on hardware).
TIP: reputable hardware vendors, with strong FOSS community backing are your safest bet when looking at mass manufactured hardware.
(see if they have a forum; look for reviews inside FOSS community)
Or, you might choose flash one yourself. Either a single board computer, or one supporting Open-WRT firmware / PF Sense, or other choice.
related: Working on improvements to router related img. Sometimes shared with followers as a “surprise download”, or “thank you” to regular supporters (work in progress).
🎉 Nextcloud Hidden Service ‘Updater’ Command (Initial Share)
Interested in Nextcloud selfhosting: this post is for you. If not, feel free to skip this post / script.
⚠️ NOTE: Tested / Written for commands / locations / services on ‘privacybox img’, Nextcloud automated hidden service setup (currently existing as a “thank you” to regular supporters.
SUGGESTION: Back everything up before trying (at this time). Comments welcome. 👍
📁 UPDATED (Aug 7th, 2022): Now creates backup, and more attuned to run more than once.
Hopefully this helps those interested in selfhosting Nextcloud.
Why Selfhost? One of the top ways to truly have control of your (and friends) data / privacy, is to run the hosting server hardware yourself.
While cheap virtual hosting brings forth plenty of convenience, renting server space from strangers does not ensure data privacy rights online (ex: unless volumes are ‘pre-encrypted’ locally before uploading).
There are some cases where cheap hosting can be a perfect solution (say a personal page, public blog, or small business – things you want public), and then there are more personal things (like storage, routing, communication) where you want as much control and knowledge on who can access, and / or modify our data.
Selfhosting is the best suggestion for storing personal data.
Get started in Selfhosting posts section. Suggestions for future content welcome.
Why This Script?
Recently a friend in the community asked if there were plans for upgrading Nextcloud hidden service in a more automated fashion. I had been considering working on this already. Having been acustomed to upgrading on the commandline.
Today sharing an (early draft) automated script solution with everyone. 🎆 Making upgrades easier.
(cautious: may not match other setups locations, commands, and files if you have a different Nextcloud setup. I may make it a more universal Nextcloud upgrade script in future revisions.)
✅ UPGRADE NEXTCLOUD: UPDATER COMMAND
Upgrading Nextcloud:
See Issue #1 (At Gitea Onion: Use Tor Browser To View)
Previously implemented Debian automatic upgrades service (turn ‘on’ and ‘off’ within boxshell menushell).
One thing missing has been upgrading Nextcloud in a more straight forward way. This script is an early draft at fulfilling that feature.
Today I finished the initial first draft of a tested Nextcloud Updater command.
💾 Check out an ‘early’ release ‘updater’ command here (view in Tor Browser)
Stuck Upgrades?
Traditionally, there are a few ways to upgrade Nextcloud. One place is within the web interface itself.
At times, steps may ‘get stuck’ (common issue). Some of this relates to built in default timeouts, size, and access restrictions, or even excess files not recognized by Nextcloud, etc.
The idea here is a simple, single use command, assisting the process along, backing up, and escaping potentially stalled upgrades.
⚠️ WARNING: Strongly recommended backup before trying something new that makes major changes, especially in regard to server upgrades. When dealing with automated upgrades (tested a couple times), depending on software changes / variance, it’s not always going to have the same outcome.
Certain times you may try upgrading a version “too far ahead”, where server software is not properly aligned to take on a far advanced upgrade (version).
I’m simply saying: it’s a good idea to back things up, just in case. 😉 But this has been tested a few times on a test server.
Plan: Add additional safety checking.
Install Updater Command
Once you download it in Tor Browser (or use git clone), you can follow the 3 commands below to add the script as a new shell command:
Intent on putting more ‘safety checks’ into more finalized revision (in future). Use cautiously at this time. Tested on a test server.
Running ‘updater’ More Than Once?
Each time the ‘updater’ command is run, Nextcloud downloads and installs the next available (ahead) upgrade version.
You can run the updater command a couple times to check for yet another updated version (in testing, I was able to upgrade twice finishing up with Nextcloud 23.0.7 [stable]).
Keep in mind future versions of Nextcloud are not guarunteed to support applications from previous Nextcloud versions. Eventually, most apps catch up.
TIP: Keep dependencies up to date to make sure you grab the newest Nextcloud possible.
This script / command should be used as your own risk. Once again, I encourage backing up (script performs some of this temporarily, but never hurts to have another, longer term copy (may add this)).
💓 THANKS FOR HELPING GROW THIS CONTENT
No pressure, but one tip to help content creators you like is by sharing content on social media / ‘trending’ comments sections.
(originally posted on bmac July 25th, 2022 (where posts organized by category, are searchable by title)
But is an App the RIGHT choice… for everything?
Thanks for following along (thanks to those sharing links to videos / tutorials).
Every company wants us to “get the app“…
But is the app the RIGHT choice… for everything?
Should you REALLY get the app? (probably no 😛)
Is the App:”Just trying to offer new features / help“? Or seeking new paths of access for information gathering? In most cases, there are no additional features on the app compared to the website.
(So why get the app? 🤔)
Should You “Get The App”?
Answer: depends. We know various apps track us (numerous techniques).
SUMMARY: DO NOT GET THE APP
Compared To Permissive Apps, Privacy Can Be Improved In Browser Accessing Services Through Apps Adds Variables:
Apps request unnecessary permissions (beware: some apps even have permission to modify other permissions)
access to sensitive parts of the phone– microphone, camera, pictures, files, SMS text messages…
Apps with microphone access communicate using hidden ultrasonic sounds- SmartTV’s come with a microphone – television broadcasting may communicates with apps on your phone (using combined speakers and microphone access)
APP DANGER: ULTRASONIC TRACKING
Beware apps that request microphone access without actually “needing” microphone access (ulterior motives likely at play… from recording conversation, to ultrasonic tracking)
STORY: 234 Android Apps Requiring Microphone Access Were Identified To Be Listening For Ultrasonic Beacons Constantly, Without User Knowledge (Braunschweig University of Technology in Germany). READ THE STORY HERE
CONSIDER. . .
Tor, I2P, Lokinet, may be tools offering protective measures for privacy online…
But, have you considered the risk of coordinated ultrasound (tracking through methods humans are unable to detect via senses)?
Running Tor Browser (ie: with Javascript enabled) could be sending hidden tracking beacon communications to your Android phone apps (remember the ones asking for microphone permissions? 🤫), coordinating to compromise user anonymity.
TIP: Tor Browser On “Safest” Mode When Anonymity Is Key (if not, at least disable javascript where possible).
When To Get An App?
Consider a financial app (for example) may be designed with additional security features, vs normal web browser..
This is where an (isolated) App could be a better option (isolate app maximally)
Outside that, we should focus on finding privacy friendly FOSS alternatives, where we can.
Avoid Apps:
That exist to collect permissive access for major corporations
That offer website access (allowing you to control browser environment
Not everyone will catch a browser attack in the act (ie: phishing)
Not sandboxing leads to tracking (a ‘sandbox’ allows you to run something inside controlled environment space, separated from sensitive system files and hardware)
What To Install
If Android / iPhone user, install only apps you really need (take advantage of transparent, FOSS licensed apps where possible to meet needs) Example: consider an open source internet radio app, instead of alternative music apps pushing for many permissive requirements
Apps can be are our greatest privacy risk (some have access SMS txt messages, photos, calls, cameras – many sell your location data)
If you have a dedicated PC you feel trustworthy, accessing personal services via this device can be ideal.
try sandboxing for personal services (browsers offering this / Bubblewrap / Firejail)-allows you to choose if you wish to share your identity and other interests / browser history
SOLUTION: Old Smartphone / Tablet Device For App Isolation
Install apps on old Android tablet / phone (as I have been doing last few yr for ‘work’ related apps) I have one Android I have used for recording video / photos.Another one is dedicated to apps I don’t trust (isolating access, data from the app)
This may be a potential solution for you if you have old smartphones with no sim card.
TIP: Reset phone to factory FIRST. This ensures no old data connects you to it.
If using standard Google based Android, setup with a BRAND NEW gmail account, connected to nothing associated with you.
(Android with Google asks for your gmail address to sync. By using the brand new gmail account, nothing connects back to you)
For those able, another flashed Android OS is an option.SOLUTION: Separate Data Using Containers (Librewolf [Firefox Fork] Pictured)
Utilize built in containers inside a browser like Librewolf, a privacy focused browser based on Firefox:
Linux Users SOLUTION: Sandbox Browser Sessions With Firejail:
Run Firefox Inside Temp Dir (restricts access outside):
Today let’s talk a bit about what are commonly referred to universally as: “Stingrays” (popular model), and for Linux phone (Pinephone tested) users, sharing a small service for “4G Only” persistence (every boot): here).
Why? After noticing downgrades, wanted to see if it will affect my service over the long run (good coverage). Opted to try “4G only” for a while.
4G only restricts 2G / 3G and could cause service interruption during moments lacking 4G availability.
Includes tips for Android users. iPhone, not having as many options, does carry a “4G Only app“.
Cell Site Simulators (examples: “Stingrays”, “IMSI Catchers”): False Cell Towers appeal as “strongest signal in the area” for phones in nearby area (ex: 10,000 phones per device in some cases). Once connected, phone location can be tracked, and on lower security (ex: 2G), SMS / calls can be more easily captured)
SUMMARY:most Cell Site Simulators rely on downgrade attacks to cause your phone to connect to the less secure (encryption) 2G services (and other times 3G). We talk about how to mitigate for Linux phones (Pinephone service), Android, and iPhone (briefly).
INTRODUCTION
Video (older) introducing an Android tool for detection and mitigation of “cell site simulators”.
A basic introduction to what these devices are designed to do (mimic cell towers), and what various models may look like (including homemade), from the smallest (fitting in the palm of the hand), to the flying…
Downgrading phones to 2G service makes content easier to intercept (ie: calls and SMS txt, due to weak security in the 2G).
4G Cell Site devices run more expensive (comparing to 2G / 3G), generally offering location tracking.
Previously, price quotes (released a couple years back) marked “Hailstorm” devices for over $450,000.
Ultimately, for both criminal and official purposes, most rely on “downgrade” attacks.
Some may notice 4G blocked during certain areas of protest.
See: here, here, and here as examples where 4G was blocked during protest. Nearly all serious protests deal with this, (possibly) forcing connection to cell site simulators.
VULNERABILITY: SYMPTOMS OF ATTACK (Then Again… There Aren’t Always Signs)
Quicker than normal battery drain (push max battery usage)
High power usage forced on phones (amplification can allow farther operation distances)
Downgraded service to 2G, 3G (from stable 5G, 4G)
Service disruptions (problems sending SMS txt, calls, internet)We should ask ourselves: Why is there no tower provider authentication, to protect our phones from these devices? If providers desired so, it would be so.
Why Do Downgrade Attacks From 4G To 2G, 3G Happen?
Downgrade attacks occur to move phones to a more ‘receptive’ environment.
Since said false malicious cell spy towers utilize downgrade attacks to force all phones in the area to connect to their malicious cell site simulator…
We can attempt to mitigate downgrade attacks by forcing 4G only (keep in mind not all settings are saved after reboot – that is the idea of trying the 4g-only service for the Pinephone service: it forces 4G/LTE only, each reboot)
Set Your Preferred Network Type To LTE Only for 4G only (keep in mind this settings holds until reboot)
iPhone Users: 4G / LTE Only There is a reported 4G only app.
You can also access iPhone service options by following this page.
Pinephone / Linux Phone Users
Today I am writing today to intro a small example “4G Only” Service.
It’s something I wanted on my Pinephone (Linux phone) to prevent downgrade attacks.
Symptoms Of Malicious Intent
Phone jumps from its reliable 4G, down to 2G, or 3G
Phone has service disruption after this connection change
Internet may lose reliability, texts and calls may show issue / stalling
Apps like Android’s “Cell Spy Catcher”: take 24hr to map out all current cell towers (and locations), alerting you to towers which move or behave suspiciously, such as changing tower information, and location (ie: true cell towers are not moving around, changing location 😤)
RELATED STORY: In some areas, attacks could even be of foreign interests, even criminal networks.
Mitigation (For Most Cases / Devices): Force 4G Only.
Sure, settings in the Gnome / Phosh allow you to momentarily selecting 4G only, issue here is, it resets to allow 2g, 3g, 4g on the next boot. This service ensures 4G is the only available service to the modem (during service downgrade attempt).
Setting Up 4g-only Service
The service is simple to setup.
Simply download / clone package from Gitea onion (use torify git clone, or Tor Browser to view and download), and run the install.sh script (using sudo). This moves everything where it belongs, making a new command in our execution path, and enabling the service (by default starting 1st on your next reboot).
If you would like the service to start right away, you can run the command installed:
sudo 4g-only
Or (once running install.sh), you can start the service without reboot by issuing:
sudo systemctl start 4g-only.service
To avoid having to reboot.
What Does It Do?
First detects your current modem location (does change), setting “4G / LTE Only” for that modem, every reboot.
Running:
sudo 4g-only
forces 4g-only from the commandline.
If you need access to 3G as well, there is a single argument:
sudo 4g-only reset
Personally, I recommend 4G-only (not the reset) to prevent connection to these lower services linked to most malicious cell site simulators (note: during downgrade attack you may lose service – but at least you may know why..)
Checking Status Of 4g-only.service
Once installed (after a reboot), you can check the status of 4g-only.service.
sudo systemctl status 4g-only.service
Once you have run the install.sh, you will have 4g only every single boot 100% of the time.
If you need access to 4G + 3G (not recommended for most areas), I added the ability in the systemctl ‘stop’ command of the service.
And so:
sudo systemctl stop 4g-only
Won’t just allow 3G, it keeps 4G preferred.
But for myself, and most people, I do recommend leaving the service as is, allowing 4G Only (not including 3G), if you wish to mitigate downgrade maximally.
If you notice service disruptions on 4g Only, this could be a sign of downgrade attacks. That alone IMHO, can be useful to know.
Will share more options as tested in future (check back).
Hope you find useful. ❤️ 📱 🐧
🙂 Thanks for following this page and spreading the word!
Learning to check SSH fingerprints is a staple for using remote ssh safely. Failure to match fingerprints opens us to potential MiTM.
[ Did you miss ssh writeup Part I? We discuss how default Linux OS hostnames can sometimes give away default password, pitfalls in numerical passwords (changing default passwords should be priority #1).
First we identified the OS by default hostname, then we used a “most common numerical pin number wordlist” to crack the default SSH password in seconds, demonstrating how successful ssh cracking (using Hydra) looks, and offering solutions/advice HERE) ]
INTRODUCTION
Do you accept “new” ssh client key fingerprint prompts without checking them against the server in question’s own key fingerprint?
If you accept ssh key fingerprints (without verification), you may be setting yourself up to be an unwitting victim of a MITM (Man In The Middle Attack).
[This topic is covered in PART II (scroll down for Tutorial]
Additionally in PART II, we swap out weak default password authentication, to a much stronger (passwordless) RSA key authentication login assisted by ssh-keygen (we use to generate strong keys).
After which, we disable the password login option altogether (to prevent brute force attackers), and finally, we restart SSH for all changes to take effect.
As a Bonus, a video covers converting SSH server to a Tor Hidden .onion service, adding additional security/encryption benefits (without need for open ports).
(REFRESHER) PART I:
Part I video is below, covering weak default password examples in real Pinephone operating systems (applying to all Linux / UNIX machines / default logins).
In this scenario, we first scan machines on the LAN (as an attacker would), immediately identifying operating systems by their default hostname. After which we use Hydra (brute force cracker) to run known default username/pin number lists against the SSH server identified OS of our Pinephone.
After demonstrating how easy it can be to identify and crack SSH logins on machines sharing the same connection/LAN, we then go in to tighten up sshd_config settings to prevent future brute force attacks. As well as talk password security.
Today’s Video continues on from this SSHD Config angle.
As the introductory paragraph details, first we check key fingerprints shown by our ssh client against the server side’s ssh key fingerprint. We must ensure these fingerprints match, otherwise we risk MITM attack. Never accept new fingerprints without verifying.
ADD SSH KEY AUTHENTICATION (NO PASSWORD NEEDED)
(ssh more securely)
Have you ever accepted a fingerprint and wished to start over to be sure? (to: delete all saved keys for host / server and reconfirm fingerprint?)
REMOVE PREVIOUS KEY FINGERPRINTS (CLIENTSIDE):
ssh-keygen -R HostHere
CHECKING FINGERPRINT (SERVERSIDE):
ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub
NOTE: THE ABOVE COMMAND IS ECDSA. LATEST AND GREATEST ADVICE IS FOR ED25519. CHECK THIS:
ssh-keygen -lf /etc/ssh/ssh_host_25519_key.pub
NEXT:
Connect (from clientside) to our SSH server to check the fingerprint output. Does it match the above “CHECKING FINGER (SERVERSIDE)” output?
See the screenshot below to watch this comparison in action.
SCREENSHOT CHECKING FINGERPRINT (COMMANDS ABOVE):
IMPORTANT: I felt the need to explain 01:56 — do not accept the key (unless you previously recognize it). This key fingerprint acceptance is to demonstrate the plain ‘password: ‘ prompt itself (fingerprint acceptance required to show). Follow below for fingerprint checking instruction (or follow video after 3min).
TIP #1 FINGERPRINT CHECKING: Check the server’s fingerprint from a separate network (if working remotely from it), or if you have physical access + a monitor, even better. By using a separate network to check the fingerprint upon connection, you are compartmentalizing both client checks from one another, further verifying fingerprints match from multiple networks.
Running the fingerprint checking locally (serverside) is always the best method (when possible).
TIP #2 FINGERPRINT CHECKING:
write hosts/fingerprints down , post them on your wall/corkboard/office: no risk in having a written list of your machines hostname/ip + correct ssh fingerprints. This can save you from having to check.
Why? You may one day need to login from a new machine without physical access to the server. Having record can help you check without risking the login/accepting fingerprints remotely.
After working on fingerprint checks, we add the key to our server, allowing our client machine to automatically login upon connection.
GENERATE RSA KEY PAIR
ssh-keygen -t rsa -b 4096
PASSWORD-FREE KEY AUTH: MORE SECURE SSH ACCESS
COPY KEY TO SERVER:
ssh-copy-id username@host
SEE SCREENSHOT BELOW FOR ABOVE STEPS IN ACTION
After successfully copying our key, we then connect by ssh to test it, if it lets us in without problem or password, we did it!
TESTING PASSWORD FREE KEY AUTHENTICATION
TIGHTEN UP SSHD_CONFIG (SERVERSIDE)
We add a few more lines to /etc/ssh/sshd_config, ensuring only our machine can login: (disabling password guessing by relying on our newly minted key alone)
/etc/ssh/sshd_config:
PasswordAuthentication no ChallengeResponseAuthentication no UsePAM no
Restarting SSH allows our configuration changes to take effect:
sudo systemctl restart ssh
[Timestamps are found inside the video description]
* BONUS: PART III: Tor SSH .Onion (Hidden Service):
This 3rd (optional) video shows how to setup SSH access as a Tor Hidden Service.
BENEFIT #1: By disabling ssh locally and allowing only the Tor ssh we prevent unknown machines from attempting brute force attacks (if we failed to follow previous videos). The only ssh attempts will be from those you give the onion address to.
BENEFIT #2: Additional layer of end to end encryption between the tor clients on ssh client and server side. Add to this the ssh encryption keys/fingerprints themselves on your client/software side, and you have a much more secure ssh setup.
Comments/Questions Welcome below:
Like content/videos like this? Share it with Linux users (Reddit, Telegram, Discord, IRC).
❤️ If you appreciate content like this and want to ☕ Buy Me a Coffee hit ‘support’ button on: Home Page
Thoughts, comments and any questions welcome below.
HowTo: Privacy & Infosec 