Google is watching you :)

Yes, you know Google is watching you, but where and how?

There are Google Ads and Google commerce features, including pushing you ads for the e-commerce website you visited but didn’t buy anything from. I see that each and every day with ssense.ca (and sometimes open it in another tab, just for fun!). But there are two weapons to follow you, learn your points of interest and finally get you caught in the Google spider web.

First is Google Analytics: too easy, efficient, a great tool. I use it too, and plan to remove it from here when I talk about security and go full https (TLS, naturally, dudes!). It not only sees which URL you are looking for, it also has access to which content you actually view. Oops!

Second is the marvellous Google Fonts. It’s perfect for any web site, and at first you could easily download the fonts and host them yourself. Now that is a hidden choice, and the obvious, natural choice is to link to Google’s website instead, making it the first choice for great web fonts on your website. With a catch: each time someone looks at a page, Google knows which page the user is looking at, another interesting way to spy on what you are looking for…

So my point is: I have to remove Google Analytics and check that web fonts are downloaded from this site, to be sure everything is clear of spying from Google, and thus from any agency that has legal and direct access to Google’s data.
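As an added check that is not part of the original post: a small POSIX shell script that greps a site’s HTML for resources loaded from the Google Analytics, Google Tag Manager and Google Fonts hostnames, so you can confirm that fonts (and nothing else) are served from your own site. The two sample pages are constructed for the example and the function names are mine; the hostnames are Google’s real ones.

```sh
#!/bin/sh
# Added example (not from the original post): find pages that still load
# resources from Google tracking or font hosts. Assumes POSIX sh, grep,
# find and mktemp.

# Hosts that receive a request (and therefore the page URL in the Referer)
# every time a visitor loads the page.
GOOGLE_HOSTS='google-analytics\.com|googletagmanager\.com|fonts\.googleapis\.com|fonts\.gstatic\.com'

# count_google_refs FILE
# Prints the number of lines in FILE that reference one of the hosts above.
count_google_refs() {
    grep -cE "$GOOGLE_HOSTS" "$1"
}

# report_google_refs FILE
# Lists offending lines with line numbers; returns 0 when the file is clean,
# 1 when it still leaks page views to Google.
report_google_refs() {
    if grep -nE "$GOOGLE_HOSTS" "$1"; then
        echo "$1: still loads resources from Google" >&2
        return 1
    fi
    return 0
}

# scan_site DIR
# Prints how many .html files below DIR reference a Google host (0 = clean).
scan_site() {
    find "$1" -name '*.html' -exec grep -lE "$GOOGLE_HOSTS" {} + | wc -l | tr -d ' '
}

# Constructed sample pages (hypothetical): one still using Google services,
# one with the font stylesheet served from the site itself.
make_samples() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/leaky.html" <<'EOF'
<html><head>
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Open+Sans">
<script async src="https://www.google-analytics.com/analytics.js"></script>
</head><body><p>Hello</p></body></html>
EOF
    cat > "$dir/clean.html" <<'EOF'
<html><head>
<link rel="stylesheet" href="/fonts/open-sans.css">
</head><body><p>Hello</p></body></html>
EOF
    printf '%s\n' "$dir"
}

# Demo on the constructed pages.
d=$(make_samples)
report_google_refs "$d/leaky.html" || echo "-> leaky.html needs fixing"
report_google_refs "$d/clean.html" && echo "-> clean.html is fine"
echo "files still talking to Google: $(scan_site "$d")"
rm -rf "$d"
```

Run scan_site against the directory your web server serves; once it prints 0, the remaining step is to confirm with the browser’s network panel that no request leaves for a Google host when a page loads.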

Advantage of a self-signed certificate

There are many drawbacks to using a self-signed certificate, as it doesn’t depend on a “trusted” source, and nobody except you can trust it.

But there’s an awesome value in a self-signed certificate for your own back-end: it doesn’t depend on these so-called “trusted” CAs. When you set it up and accept it in your browser, each time you connect you know there’s no man-in-the-middle attack (or even man-on-the-side, as the NSA seems to be fond of)…

When attacked, you get a clear warning from your browser (I don’t know what Microsoft Internet Explorer tells you in this case, not my flavour!), so you know someone is playing with your connection. Exactly what I had today. Maybe kids shouldn’t play men’s games!

Now you know that someone is messing with my website and your certificate, by a MiM or MiS attack. I know it is much more powerful than a script kiddie (play outside, try football, soccer, handball or baseball, kids!), but stupid enough to get caught, so it’s probably not the NSA.

And this is the point: when you don’t use a certificate issued by a recognized CA, you can accept it in your browser, and then it’s really difficult for attackers to substitute their own without your knowledge (unless you use IE, your choice!).

PS: I will go full https this summer, for readers too, and will focus more on security subjects, as I think this is a troublesome matter today. That includes hardening WordPress settings (yes I know! WordPress! lol), but also everything from your home devices to the whole Internet.

TV5 Monde hacked

This time it is a TV channel that was hacked, but not your casual TV-series channel or even a local news channel: it was a country-size TV channel used to spread news around the world, for French emigrants and people who care about France.

This is a political act, not a hacking one. By taking control of what a country’s world-wide TV channel displays to people around the world, it takes control of the information and may even control what YOU are thinking.

I don’t like it. I think there’s a clear need for a world-wide Internet task force to serve and protect us.

2-step or 2-factor authentication?!?

When some websites announced they offered 2-factor authentication, sending you a text message on your cell to authenticate you, they called it “2-factor” authentication: nothing was more misleading than that.

With many of them being primarily accessed from a smartphone, there is no other factor than your phone involved, so it was just a lie.

Today, I saw that Google and Apple changed their phrasing to “2-step authentication”, and it’s clear: it’s longer and much less easy to log in to them, while not necessarily adding security, depending on your smartphone settings!

I am happy that at some point they recognized they are far, far away from 2-factor authentication, and hope that Apple and Samsung (and others) will work on that to offer real 2-factor authentication to connect to your accounts, using your cellphone as one factor and your fingerprint as another (other options are allowed; let’s see how creative smartphone makers can be!).

Server setup – ssh with private/public key pair

Notice: this series targets Ubuntu GNU/Linux servers, but the ideas apply to any other distribution, as well as other Unix-like OSes such as BSD flavors or OS X.

I suppose you know ssh, which gives you access to the command-line interface of Unix-like servers; you might even know how to set up a private/public key pair to connect to your server without using a password. If not, follow this link to learn how to set up ssh on Ubuntu, then do it immediately!

Now you should have your 2 keys on your client computer(s) and the public key on your server(s). You are still not protected: your password still works, and even if it’s a 23-character random string, your server is exposed to brute-force attacks on ssh.

You might see a growing number of attacks on the ssh server, mainly consuming CPU, and many warning messages on your console, which makes your work much more complicated when setting up your server. Naturally, with a strong password, a brute-force attack on ssh is of no use, but the attacker doesn’t know that, and the next step is to tell them that we are not an interesting target: they will stop immediately.

We will set up sshd to refuse any login with a password, leaving only the private/public key pair allowed; brute-force attacks are ineffective with this security scheme:

sudo nano /etc/ssh/sshd_config

Make the change in the file; if a key is not present, add it (such as PasswordAuthentication, which is yes by default):

ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM no

Now reload the configuration:

sudo /etc/init.d/ssh reload

You can test by connecting from a computer or an account that doesn’t have an authorized private key; the connection should be refused with a “Permission denied (publickey).” error message.

Now you won’t be bothered by people attacking ssh with brute-force password guessing.
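As an added example (not code from the original post): a POSIX shell script that checks an sshd_config the way sshd reads it (the first live occurrence of a keyword wins, commented lines are ignored, OpenSSH defaults apply when a keyword is absent) and rewrites the three directives above to no. It runs against a constructed sample file; the sample content and the function names are mine, not the post’s.

```sh
#!/bin/sh
# Added example (not from the original post): verify and apply the three
# sshd_config directives that turn password logins off. Assumes POSIX sh,
# awk and mktemp. Keyword/value pairs separated by whitespace only.

# effective_value FILE KEY DEFAULT
# Prints the value sshd would use for KEY: the first non-commented line whose
# keyword matches (sshd keywords are case-insensitive), or DEFAULT if absent.
# Limitation: ignores "Match" blocks, which can override these per user/host.
effective_value() {
    awk -v key="$2" -v def="$3" '
        # a commented line has "#Keyword" as $1, so it never matches
        tolower($1) == tolower(key) && !done { print tolower($2); done = 1 }
        END { if (!done) print def }
    ' "$1"
}

# check_sshd_config FILE
# Returns 0 if only public-key logins are possible, 1 otherwise, listing the
# offending directives. Defaults follow OpenSSH: both *Authentication
# keywords default to yes, UsePAM to no (Ubuntu ships it explicitly as yes).
check_sshd_config() {
    file=$1; rc=0
    for spec in "ChallengeResponseAuthentication:yes" "PasswordAuthentication:yes" "UsePAM:no"; do
        key=${spec%%:*}; default=${spec##*:}
        val=$(effective_value "$file" "$key" "$default")
        if [ "$val" != "no" ]; then
            echo "$key is '$val', expected 'no'"
            rc=1
        fi
    done
    return $rc
}

# harden_sshd_config FILE
# Sets each directive to "no": every live occurrence is rewritten (so an
# earlier "yes" cannot win), and the directive is appended if it is absent.
# Comments are left untouched. Reload sshd afterwards, as in the post.
harden_sshd_config() {
    file=$1
    for key in ChallengeResponseAuthentication PasswordAuthentication UsePAM; do
        awk -v key="$key" '
            tolower($1) == tolower(key) { print key " no"; found = 1; next }
            { print }
            END { if (!found) print key " no" }
        ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    done
}

# Constructed sample (hypothetical): a stock-looking config where password
# logins are still on. PasswordAuthentication is only present as a comment,
# so its default of yes applies.
make_sample_config() {
    tmp=$(mktemp) || return 1
    cat > "$tmp" <<'EOF'
# Sample sshd_config fragment (constructed for this example)
Port 22
#PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes
EOF
    printf '%s\n' "$tmp"
}

# Demo on the sample file only.
cfg=$(make_sample_config)
check_sshd_config "$cfg" || echo "-> hardening $cfg"
harden_sshd_config "$cfg"
check_sshd_config "$cfg" && echo "-> ok, password logins are off"
cat "$cfg"
rm -f "$cfg"
```

Point check_sshd_config at /etc/ssh/sshd_config before and after editing; keep your current session open until a second login with the key succeeds and a password-only login is refused, since a mistake here locks you out. The checker does not look inside Match blocks, which can re-enable PasswordAuthentication for specific users or addresses.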

On Wednesday, I will explain how to set up a minimalist firewall with ufw; you will have to install it before any http or db server that might be exposed to the Internet.