Pi-hole DNS Server

I have had a Pi-hole set up near my cable modem for at least 1-2 years now? Time moves differently for me for the last 18 months. Regardless, my Pi-hole device just sits there, filtering out ads from the network. I highly recommend setting up a Pi-hole for your home. It’s cheap, easy, effective and efficient!

What is it?
A cheap Raspberry Pi computer with an SD card. Gets power from a phone charger and connects with a simple Ethernet cable. Runs passively without any fans at about 37 degrees C.

How do you use it?
You can set it up as a Wifi source, or you can add the IP address in your wifi settings for DNS server. Use the same IP address in your web browser to see a web interface. From there you can modify the whitelist/blacklist and see in real time how many ads are being rejected.

How do you set it up?
There are many guides. Here is a good one:
https://www.instructables.com/Pi-Hole-Setup-Guide/

Essentially, what is involved?
You flash a linux OS for Raspberry Pi onto your SD card using something like the Balena Etcher. I prefer “dietpi”, which is a low resource Debian distro.
https://dietpi.com/
A simple 8GB or higher card will suffice. Then you install Pi-hole on it.

How do you maintain it?
Every now and then, it’s good to log into it with SSH and run a “sudo apt update/upgrade” (if you choose a Debian distro). That’s it.

I have over 4 million domains on my blocklist and it makes a HUGE difference when I load websites without Pi-hole DNS configured in my wifi settings.

Bonus: You can SSH into it and install lynx, mc and any other useful linux terminal programs and have fun with it. As a double-bonus, you could even host web services like subsonic or ftp using it!

My next cellphone

My next cellphone will not be an Apple iPhone.
I will not be using Google either.
After the app store app removals, de-personing, de-platforming, labeling, banning, demonizing, data-sharing, general manipulation and censorship by big tech companies like Facebook, Twitter, Google, Apple, Amazon and others, I’m OUT.

Once my current phones (an iPhone 11 and a Samsung Galaxy S9) run their course, I’ll be de-googling a Pixel or Moto phone, buying one from Rob Braxman, buying a Pine64, OR just using a flip phone. I’ll keep you posted.

My Galaxy phone has been factory reset and I’m running it with neither Samsung nor Google Play stores. I’m using open source apps from F-Droid. That’s the best I can do for now. With the iPhone it will have to be enough to run certain apps for my job and a handful of others.

Big tech has revealed themselves to be a part of a corrupt establishment. The only way to defeat them is by opting out. Half-measures will not do anything long term.  It’s obvious the government will do nothing to stop the corruption of these companies; they are coming from the same perspective and batting for the same team. This includes canceling streaming and cloud accounts as well. Take back your privacy, your data and your dignity!

Using ProtonVPN with Ubuntu 20.04

If you are using ProtonVPN for your cell phone, you can also use it on an Ubuntu Linux installation. Here is the official guide, and I can confirm that it works and the guide is excellent.

Essentially, installation on Ubuntu 20.04 involves going into your Ubuntu settings, selecting “network”, and hitting the “+” at VPN. From there you will “Import from file” and select the VPN config file you downloaded from the official guide. Once this file is selected, you can enter your ‘OpenVPN / IKEv2 username’ from the ProtonVPN Dashboard “Account” section. Your new VPN configuration is ready and can be selected in the upper right-hand network icon.

Ubuntu Server: Configure the firewall with “ufw”

Ubuntu Server’s firewall is called ufw. If you are running an Ubuntu Server, you definitely want to enable some kind of firewall to keep intruders out of your ports. They will likely perform a port scan and try to find weaknesses. You can limit what they find by enabling ufw and then configuring it to open the ports that need access and close the ones that don’t.

Enable ufw:

sudo ufw enable

Check ufw status:

sudo ufw status

Allow a service to run (example: ftp, telnet, ssh, http):

sudo ufw allow http

Open a port:

sudo ufw allow 22

Close a port:

sudo ufw deny 22

Open a range of ports and specify TCP or UDP:

sudo ufw allow 300:310/tcp

Close a range of ports and specify TCP or UDP:

sudo ufw deny 300:310/tcp

Delete a service:

sudo ufw status numbered
#creates a numbered list of services, example:

[ 1] 21/tcp                     ALLOW IN    Anywhere                  
[ 2] 22/tcp                     ALLOW IN    Anywhere                  
[ 3] 80/tcp                     ALLOW IN    Anywhere     

sudo ufw delete 3
#replace 3 with the service you want to delete

List applications that ufw can open service for:

sudo ufw app list
#will generate a list similar to this:
Available applications:
  Apache
  Apache Full
  Apache Secure
  CUPS
  OpenSSH
  plexmediaserver
  plexmediaserver-all
  plexmediaserver-dlna

Enable an application such as Apache. This is extremely important for a WordPress installation!

sudo ufw allow in "Apache Full"

Disable ufw:

sudo ufw disable

If you somehow screwed your ufw rules up, you can reset them all. Resetting also disables ufw, so if you are configuring over SSH, make sure to allow your SSH service again before re-enabling ufw!

sudo ufw reset

Hopefully, you have configured all of your services appropriately and have a good working firewall. If somehow this exercise is messing your server up, you can always disable it with “sudo ufw disable” until you can get more help or have more time to experiment. Happy and safe computing!
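
To check the result of the steps above, here is an added example (not part of the original post) that reads "sudo ufw status numbered" output and lists every inbound ALLOW rule that is open to any source, flagging the cleartext services (ftp, telnet) and SSH. The function names, the grade labels and the sample rules are assumptions made up for this illustration.

```shell
#!/bin/sh
# Audit `ufw status numbered` output: list inbound ALLOW rules that are open
# to any source, and grade the ones that deserve a second look.

# Constructed sample in the format shown above (not from a real host).
sample_status() {
  cat <<'EOF'
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 21/tcp                     ALLOW IN    Anywhere
[ 2] 22/tcp                     ALLOW IN    Anywhere
[ 3] 80/tcp                     ALLOW IN    Anywhere
[ 4] 23                         ALLOW IN    Anywhere
[ 5] 3306/tcp                   ALLOW IN    192.168.1.0/24
[ 6] 300:310/tcp                DENY IN     Anywhere
[ 7] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
EOF
}

# Reads status text on stdin; prints "<rule> <grade> <target>" per finding.
#   CLEARTEXT = ftp/telnet reachable from anywhere (credentials unencrypted)
#   REVIEW    = SSH reachable from anywhere (candidate for a source restriction)
#   OPEN      = any other port or app profile reachable from anywhere
audit_ufw_rules() {
  awk '
    /^\[ *[0-9]+\]/ && / ALLOW IN / {
      # Rule number: the digits between the brackets.
      num = $0; sub(/^\[ */, "", num); sub(/\].*$/, "", num)
      # Split the remainder around the action column into target and source.
      rest = $0; sub(/^\[ *[0-9]+\] */, "", rest)
      i = index(rest, " ALLOW IN ")
      to = substr(rest, 1, i - 1); from = substr(rest, i + 10)
      gsub(/^ +| +$/, "", to); gsub(/^ +| +$/, "", from)
      if (from !~ /^Anywhere/) next        # source-restricted rule: skip
      port = to; sub(/ \(v6\)$/, "", port) # IPv6 twin of the same rule
      if (port ~ /^(21|23)(\/tcp)?$/)      grade = "CLEARTEXT"
      else if (port ~ /^22(\/tcp)?$/)      grade = "REVIEW"
      else                                 grade = "OPEN"
      print num, grade, to
    }'
}

# Demo on the constructed sample. On a live host:
#   sudo ufw status numbered | audit_ufw_rules
sample_status | audit_ufw_rules
```

The rule number in the first column is the one to pass to "sudo ufw delete"; numbers shift after each delete, so re-run the status command before deleting the next rule.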

Static IP address for Ubuntu Server 18.04 “netplan”

If you are using Ubuntu Server version 18.04 LTS and want to configure a static IP address, the procedure has changed for network interface configuration.

We used to configure /etc/network/interfaces but now the system uses something called netplan. If you try to configure the old “interfaces” file, it will point you to this new netplan network configuration.

Here’s how we change the network interface to use a static IP address. Edit “50-cloud-init.yaml”, replacing the text with the text below. Replace the IP address with your own (192.168.1.100 used as an example) and then save:

sudo nano /etc/netplan/50-cloud-init.yaml
# This file is generated from information provided by
# the datasource.  Changes to it will not persist across an instance.
# To disable cloud-init's network configuration capabilities, write a file
# /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg with the following:
# network: {config: disabled}
network:
    ethernets:
        enp0s3:
            addresses: [192.168.1.100/24]
            gateway4: 192.168.1.1
            nameservers:
              addresses: [8.8.8.8,8.8.4.4]
            dhcp4: no
    version: 2

Apply the changes and then reboot.

sudo netplan apply
sudo reboot

iPhone & Safari Ad Tracking

Despite what Apple says about privacy (“What happens on your iPhone, stays on your iPhone”), ads most definitely track you on your iPhone and iPad. They also track you in every web browser, including Safari. False advertising from Apple regarding ads.

The Verge published a nice piece that shows how to limit some of that tracking. Emphasis on ‘limit’; this will not eliminate ads. Still, it’s good to do everything you can to minimize or eliminate all forms of intrusion.

To limit ad tracking on your iOS device:
Go into “Settings” on your iPhone/iPad
Select “Privacy”
Select “Advertisements”
Turn on “Limit ad tracking”

To limit ad tracking in Safari:
Go into “Settings” on your iPhone/iPad
Find the section titled “Privacy & Security”
Turn on “Prevent Cross-Site Tracking”
Turn on “Block All Cookies”

Block apps from phoning home when you aren’t using them:
Go into “Settings”
Select “General”
At the top, select “Background App Refresh”
From here you can allow apps to phone home via wifi, cellphone data or not at all.
Select the back button and make sure all apps are turned off.

Beyond all this, it’s better to use a VPN and Firefox, along with the Firefox addons: “Ghostery”, “https everywhere” and “Noscript Security Suite.” Regarding the “Noscript” add on, you can select it to allow scripts on pages you trust.

Internet Security Habits, tips and tricks

Urban Knish discusses some good internet security habits in the age of data collection and man-in-the-middle attacks.

Relevant links:
Firefox Browser, Ghostery Plugin, HTTPS Everywhere, NoScript
ProtonVPN, AstrillVPN, Private Internet Access VPN
Tor Browser for the computer
Tor Browser for iOS
Tor Browser for Android
TailsOS

Biometric data rollout and the implications of being chipped

Comerica Park baseball field in Detroit, MI is featuring a new way for sports fans to get through the lines quicker: fingerprint scanning. You can order a hot dog and a beer without carrying your wallet! Just register your biometric data and you are now in the system. They are promising the ability to use your fingerprint in other venues…

The company contracted out for the biometric data scanning is called Clear. Their biggest contract is with the Transportation Security Administration. This technology has been installed at airports, including Detroit Metro Airport. The company also specializes in eye scanning equipment.

What are the implications of mass use of biometric data? Sure the convenience is attractive, but can the technology be misused? Once you register your fingerprint and eye scan, you are in the system. The NSA and other government organizations will be able to run searches for individuals through this database. The more the system is in use, the more they can keep track of you and monitor what you are buying, who you are visiting and what events you attend. This data can be sold to advertising firms. They know you go to Jazz concerts and you love hockey. They also know that you like to buy expensive mixed drinks and go to a chiropractor. Once all these pieces of information are indexed, they have a profile on you. Are you likely to commit a crime, get divorced, buy a new home, become delinquent with credit cards or need car repairs? They can tweak their ads, affect how much you pay for insurance and raise/lower your interest rates. Your value as a consumer or a citizen, not a human being, will become a score. There will be nowhere to run or hide. Are you more likely to cheat on your taxes? The IRS will know. If you are trying to get custody of your children, the court system will access your data to find out if you can pay more and whether or not you are worthy enough to take care of your children. Imagine what it might be like to be on parole. They will be watching every location you visit, everything you buy etc.

Now imagine the implications of having a chip implanted in your hand. Three Square Market, a technology company that makes devices for break rooms and small markets, is in the process of implanting microchips in their employees’ hands. The employees will be able to enter secured areas, pay for food and access computers with the chips. Once this system is studied and the bugs worked out, how long before large companies like GE, IBM and Apple require this of their employees? How long before prisoners, government employees and school children will be required to have them? Will newborn babies be implanted for their security? Once the ball is rolling, will it even be possible to live life without a chip implanted? Will the chip allow for universal access or will we have multiple chips?

The chips use RFID technology. Your every movement can be tracked. Imagine if your employer had access to this kind of information. The implications of biometric data and implanted chips are incredible. Without a push-back from the public, a future where privacy is a myth is inevitable.

Android Security

Here are some tips for keeping your Android phone or tablet safe. As you may know, the Android phone platform is not very secure. It can be hacked/compromised through a variety of methods which I will get into through subsequent posts.

Is an iPhone safer? Out of the box, yes. But the advantage with the Android OS is that there are many security programs in the Google Play Store. There are many options not available in the walled garden we call the Apple iTunes App Store. iPhones are still subject to hacking, phishing, wifi and http spoofing, etc.

Use a Virtual Private Network (VPN)

A Virtual Private Network (VPN) is a secure connection to a remote server that allows you to hide your IP address. This is beneficial for a variety of reasons: region-restricted websites can be reached, your location and personal IP are masked from spies and trackers, users outside of the United States (and U.S. residents who are on restricted WiFi access) can bypass internet censorship, and files can be downloaded over BitTorrent.

Most VPN connections are made on a mobile platform through an app. It is usually easy to use – a simple click of a virtual button/switch and you are off to the races. Make sure you add a bookmark in your browser to check your IP address to verify that you are really masking your IP address.

Most security-minded tech users are well aware of this first line of defense. There are many VPN options, most of which are pay-to-use, including Private Internet Access (PIA), KeepSolid, PureVPN, and IPVanish. I encourage you to look into all the options and consider that you do get what you pay for. Avoid “free” options as you are likely to be looking at a faulty service that may sell your data, show ads and create a false sense of security. Personally, I use Private Internet Access VPN, which does not store logs of your use, works on your PC, Mac, iPhone, and Android platforms. There’s even a linux Ubuntu option. The service at the time of this post is $6.95/mo and $39.95/yr, which divides out to $3.33/mo.

TOR

What is TOR?

I can’t explain it better than Wikipedia:

Tor is free software for enabling anonymous communication. The name is derived from an acronym for the original software project name “The Onion Router”.[8][9] Tor directs Internet traffic through a free, worldwide, volunteer network consisting of more than seven thousand relays[10] to conceal a user’s location and usage from anyone conducting network surveillance or traffic analysis. Using Tor makes it more difficult for Internet activity to be traced back to the user: this includes “visits to Web sites, online posts, instant messages, and other communication forms”.[11] Tor’s use is intended to protect the personal privacy of users, as well as their freedom and ability to conduct confidential communication by keeping their Internet activities from being monitored.

Tor is often used without VPN but I encourage you to use it with VPN. While Tor was seen as uncrackable, both governments and bad actors have discovered ways to unmask your Tor connection. This has scared many away from Tor, but rest assured that if you use an underlying VPN and aren’t up to devious/criminal behavior, you are likely safe to use Tor as a valuable privacy/security tool. If you are unmasked, the VPN will still show your VPN IP address. Here’s my humorous way of looking at it: Orbot is like pants, VPN is like underwear.

How do you use it with Android?

Using Tor is a two-step app process. Download Orbot and Orfox from the Google Play Store. Both are free apps and were created by the Tor Project. Once downloaded, you will want to click on Orbot first which will create your Tor connection. Click start once in and the app will let you know if you are connected. This app will encrypt your internet traffic and will work with other Android apps, including Twitter, chat apps, web surfing, etc. Next you will want to open your Orfox app, which is a version of Firefox created by the Tor Project that will make sure your web communications are routed through your Tor proxy connection. Use this rather than Chrome, Firefox and your default web browser for private browsing. It is generally frowned upon to log into bank accounts and other accounts that can compromise your personal security. If you need to check your bank account, do so with your real IP before you log into VPN and Orbot.

Noscript and HTTPS Everywhere

Once you are in your Orfox browser, you will see links to “noscript” and “https everywhere.” You will want to install these Firefox add-ons. Orfox will by design block the installation and will ask you if you want to proceed. Noscript is open source software that blocks JavaScript, Java, Flash and other plugins from untrustworthy sources from running and hijacking your Android device. Https everywhere will attempt to force all website connections on Orfox to connect with https, which creates an encrypted connection between your android device and the destination.

D-Vasive Pro by John McAfee

John McAfee, the notorious creator of McAfee Anti-virus, legendary internet security pioneer and expert created this $5 app on the Google Play Store that blocks bad actors from accessing your bluetooth, wifi, camera, and microphone. If something attempts to open a connection to these things, the app will prompt you. If you want to use the wifi or camera, you can override the software as needed. Very valuable tool in a day when these things can be remotely activated to spy on you in real time! Highly recommended app.