The age of easy privacy on the internet is over. Or, rather, it was never there, and we have learned over the last few months that it is far, far worse than your most paranoid friend could have ever imagined. There are government entities and other "Advanced Persistent Threats" that will attack your computer, your phone, your modem and router, and they have schemed and plotted their way into the most basic of control systems for your devices.
This article is about understanding the data supply chain, and how complex defending your devices can be.
First, we must look at how data moves around the internet.
I am doing a HUGE amount of generalizing here, but this is a simple overview of how data moves. It begins at your device, and travels through your home network via a wired or Wifi Ethernet connection. There it hits your router, which sends it to your modem, and out to the internet. Once on the 'net, it travels along various routers to reach its destination, which is often a website or server hosting a service.
This entire trip makes up the "data supply chain". With what we know about the sophistication of the attacks that are going around we can visualize how data is moved around, intercepted, and manipulated.
So if we start with our client, we can look at the vulnerabilities of the client, and take steps to harden it against intrusion.
Security Problems With Clients by Prevalence
(closer to the top means it is a more common threat)
Viruses and Malware - This is software that is installed either unknowingly by the user or by some background process that injects itself into your computer and does some undesired activity like logging your keystrokes or stealing your website cookies.
Worms - Worms are a specific type of virus, one that can infect your system without interacting with the user at all. They are typically used to build large botnets that are then used for large scale attacks on network infrastructure. Although less common today, they still exist. They are most common on devices that have not been kept current with security patches and hotfixes.
Covert Direct Access - This is when the attacker has direct hardware access to the PC without the owner's knowledge. There is a huge array of attacks that can be levied against a computer that you have direct access to. You can physically remove the hard drive and copy it. You can use cryptanalysis on password files. You can try to brute force passwords based on what you know about the person. You can install malware or keylogging software. You can inject code into the firmware of the individual components, so even a format of the hard drive won't fix it and virus scanners will never see anything wrong with the system.
Overt Direct Access - This is when your device is taken from your person, with your knowledge and against your consent, and data extraction is attempted. This is usually a person trying to steal personal information or to access data that is confidential to the person it was stolen from.
OS Backdoors - These can be either bugs or deliberate holes in the security of the Operating System. These are commonly used to take complete control of a computer remotely to either steal data or to use the computer as a "zombie" to attack other computers. Typically the term "backdoor" is reserved for intentionally placed holes in Operating Systems or software that allow someone unfettered access to user data without their knowledge or consent.
Countermeasures - Defending Your Device
Here is a list of countermeasures for each type of device vulnerability. When used together you can dramatically increase the difficulty for someone trying to gain access to your systems. Some of these concepts are very advanced and take a significant amount of time to learn and adapt to. I have listed them in order of increasing difficulty.
- Use strong passwords. Make sure your passwords are long and complex. If some crappy website won't accept the password, you shouldn't be using it to secure your private data. Do not reuse passwords.
- Do not open E-mail attachments and do not follow links inside of E-mail. This is the number one way that viruses propagate. Infected accounts will send out emails that appear to be benign and coerce users into opening viruses. If you get an email that appears to be from a legitimate source, it is still best to manually go to the site via your browser rather than click links within your email.
- Keep your software and your operating system up to date. A released security patch also hands attackers a manual on how to intrude into systems that have not kept up to date.
- Get a virus scanner with a high detection rate. They are not all created equal and the quality of the various scanners changes every year. Read multiple reviews and come to your own conclusions about which one is best for you. Here is a PDF on detection rates of known viruses among the various scanners.
- Install and manage your own firewall. Learn what ports the apps you use actually need, and block all other traffic. Do not trust an app to manage it for you.
- Disable all unused services. More services running in the background means more services that have to be vulnerability free. If you don't have a printer, why is the print spooler running?
- Encrypt all of your data, including your OS. This will prevent stolen data from ever being readable without also stealing your passwords to decrypt the data. Some operating systems support this natively, others require outside applications to make it work. Because of Microsoft's relationship with various clandestine services, we do not recommend Bitlocker. Truecrypt or one of the proprietary solutions from the various Linux vendors is definitely a better choice.
- Abandon insecure operating systems. This is the hardest one to do, and probably the most effective one against viruses and worms. Moving to operating systems renowned for security like OpenBSD (permanent install) or Tails (Amnesia OS) is highly effective against most forms of infection, because the systems are so different that they are invulnerable to software written for Windows and OS X. There is progress being made for mobile devices, but they are behind the curve. Custom versions of Android like CyanogenMod are implementing better firewall and disk encryption services. Mozilla and Ubuntu also have mobile operating systems in the works. There are also a select few for-profit companies abroad that are working on more secure phones like the GSMK Cryptophone.
- Set up an intrusion prevention system. System level intrusion prevention systems (S-IPS) are complex and often expensive to implement. There are a few open source S-IPS systems but they are typically dated and require a lot of configuration and customization. Properly implemented they can be very effective at preventing intruders from getting to your critical data.
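The "manage your own firewall" item above, as an added example that is not from the original article: a small POSIX shell script that emits a default-deny nftables ruleset for a Linux client, so nothing comes in that the box did not ask for and only the outbound ports you list can leave it. The same default-deny approach applies to the firewall on a router you build yourself. Interface-independent; the port lists are hypothetical arguments you fill from what your applications actually use.

```shell
#!/bin/sh
# Added example (not from the original article): emit a default-deny nftables
# ruleset for a Linux client. Nothing comes in that the box did not ask for,
# and only the listed outbound ports leave it. Port lists are hypothetical
# arguments; fill them from what your applications actually use.

# Turn "80 443" into "80,443" for an nft set; prints nothing for "".
port_set() { printf '%s' "$1" | tr ' ' ','; }

# build_ruleset IN_TCP_PORTS OUT_TCP_PORTS OUT_UDP_PORTS
#   IN_TCP_PORTS:  services this box offers (e.g. "22" for ssh), may be ""
#   OUT_TCP_PORTS: destination ports the box may open (e.g. "80 443")
#   OUT_UDP_PORTS: e.g. "53 123" for DNS and NTP
build_ruleset() {
    in_rule='' out_tcp_rule='' out_udp_rule=''
    [ -n "$1" ] && in_rule="        tcp dport { $(port_set "$1") } accept"
    [ -n "$2" ] && out_tcp_rule="        tcp dport { $(port_set "$2") } accept"
    [ -n "$3" ] && out_udp_rule="        udp dport { $(port_set "$3") } accept"
    cat <<EOF
table inet hardening {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state invalid drop
        ct state established,related accept
        icmp type echo-request limit rate 5/second accept
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert, echo-request } accept
$in_rule
    }
    chain output {
        type filter hook output priority 0; policy drop;
        oif lo accept
        ct state established,related accept
        icmp type echo-request accept
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit, echo-request } accept
$out_tcp_rule
$out_udp_rule
    }
}
EOF
}

# Sanity check before loading: both chains must default to drop.
# Reads the ruleset on stdin; returns 0 when that holds.
ruleset_is_default_deny() { [ "$(grep -c 'policy drop;')" -eq 2 ]; }

# Usage (as root): build_ruleset "" "80 443" "53 123" | nft -f -
```

Anything an app needs beyond those ports will show up as a failed connection, which is exactly the point: you add a port deliberately instead of letting the app punch the hole.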
Security problems with routers.
Weak Passwords - Having a weak password on your router is as bad as, if not worse than, having a weak password on your end-user devices. A compromised router can reroute or intercept traffic at will and forward all of the data to an interloper anywhere in the world. Many people never change the factory default password.
Allowing Remote Access - If you allow your router to be managed remotely (from the internet) then you open yourself up to being attacked. Most ISPs that provide modems with routing functionality allow remote access so they can manage your network settings at will.
Poor Wireless Encryption - Many consumer (and even professional grade) routers allow wireless encryption settings that are easily broken with today's technology. Weak encryption is almost as bad as no encryption at all. Your data can be pulled by anyone within range of your router (or even further with the right equipment).
Weak Firewalls - Your router firewall is your first layer of defense against attack on your home network. Weak firewalls are common with consumer-grade routers and the ISP-modified routers they distribute. They come with generic settings that block only the most common types of attacks and leave the user with very little control over them.
Vulnerable Firmware - Router firmware is rarely updated. It is hard to find updates for most consumer-level routers. Documentation on security fixes that are rolled into updates is poor. When there are updates, the procedure isn't always clear, and power loss during a firmware update can lead to "bricking" the router. Many routers are running firmware that is years old, with versions that have known vulnerabilities to attack.
Firmware Backdoors - Router firmware is almost always closed-source and is not audited by outside parties for security or backdoors.
Here is a list of countermeasures for each type of router vulnerability. When used together you can dramatically increase the difficulty for someone trying to gain access to your network. Some of these concepts are very advanced and take a significant amount of time to learn and adapt to. I have listed them in order of increasing difficulty.
- Use a strong username and password to log in to your router. This one is pretty self-explanatory.
- Do not allow remote management of your router (changing the settings via the internet).
- Do not use broken encryption suites. This means don't use WEP, WEP2, WPA, or WPS. Only use WPA2 (also known as WPA-Enterprise or WPA2-Enterprise) because it uses an AES-256 cipher.
- Enable your network firewalls and configure them to block all ports that your devices do not use. This creates a second wall for attackers to cross to try to get to your systems. Even if they have a back door into one of your firewalls, they may not have a back door into both.
- Keep your router firmware up to date. This will close known security gaps that can be exploited.
- Do not allow automated updates to firmware. These automated downloads may not use proper encryption for transit over the internet, and may not properly check for injection attacks. Manually download firmware updates and install them yourself, after manually checking the hash.
- Install open-source firmware. Installing something with the source code widely available means that security holes are actually being looked at and plugged. This also means that slipping a back door into the firmware is much harder, as it would show up in the source code.
- Build your own secure router. Build a low-end server to use as a router from scratch. This gives you total control over the Operating System, firewalls, and network settings.
- Protect all devices behind the router. This is the hardest step. You have to ensure that all devices that connect to the network are as secure as possible. Losing total control of a single device can lead to compromising the network from the inside-out. It is a cascading effect. If you lose control of a PC inside of the network, an attacker can take control of that PC and install a keylogger. The next time you log into your router from that PC, they have access to your router and can modify it to be updated remotely. From there, they can inject firmware to the router or further modify settings to compromise the security of the network and all devices on the network.
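The "manually check the hash" step from the firmware item above, as an added example that is not from the original article: a POSIX shell function that refuses to go ahead with a flash unless the image's SHA-256 matches the value you copied by hand from the vendor's download page. The file name and hash in the usage line are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original article): refuse to flash a router
# firmware image unless its SHA-256 matches the value you copied by hand from
# the vendor's download page. File and hash in the usage line are hypothetical.

# sha256_of FILE -> prints the hex digest (sha256sum on Linux, shasum on BSD/mac)
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_firmware FILE EXPECTED_HEX -> 0 if the digest matches, 1 otherwise.
# Comparison is case-insensitive because vendors publish either case.
verify_firmware() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    # A real SHA-256 is exactly 64 hex characters; anything else was copied wrong.
    case $expected in
        *[!0-9a-f]*|"") echo "expected hash is not hex" >&2; return 1 ;;
    esac
    [ ${#expected} -eq 64 ] || { echo "expected hash is not 64 hex chars" >&2; return 1; }
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches the published SHA-256"
        return 0
    fi
    echo "MISMATCH for $file, do not flash it" >&2
    echo "  published: $expected" >&2
    echo "  computed:  $actual" >&2
    return 1
}

# Usage: verify_firmware firmware.bin <hash from the vendor page> && flash_tool firmware.bin
```

A hash only proves the file is the one the vendor published if you took the hash from the vendor's page over HTTPS rather than from the same place you got the file.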
Security problems with the unencrypted internet (AKA "the clearnet").
EVERYTHING - To put it bluntly, the clearnet is dead. It is dead to the point where it cannot be recovered with any amount of patching. Once your packets leave your router, you are to assume that the data is captured and looked at. If it is unencrypted, that data is analyzed, categorized, and stored away for "safe keeping". If your data is encrypted, it is checked for vulnerabilities in the encryption on the fly. If the encryption is vulnerable, it is brute forced or cryptanalyzed, decrypted, analyzed, categorized, and stored away for "safe keeping" with an extra ominous flag on the data because it was encrypted. The clearnet is also broken to the point where amateurs and professionals make a living off of snooping on your traffic. This goes from tracking cookies and profiling all the way down to the depths of fraud and hacking for profit.
Here is a list of things you can do to combat the wholly insecure nature of the clearnet. They are listed in order of increasing difficulty.
- Install Firefox and configure it for secure browsing. Firefox is Open-Source. Configuring Firefox for secure browsing means enabling TLS 1.2, installing NoScript, installing HTTPS Everywhere, and your preferred tracking cookie blocker. Always browse in incognito mode when you can. Here is a guide on setting up secure browsing.
- Keep your browser up to date. Updates close security holes. It is that simple.
- Get an OpenVPN based privacy service. OpenVPN based privacy services have the strongest encryption and security models. They foil metadata snooping and greatly enhance wireless security on your devices. Make sure the service you select uses the open-source client (do not trust closed-source custom clients), is fast enough that you can leave it on all the time without getting annoyed, and uses strong encryption settings. They should also have knowledgeable staff and take security very seriously. I happen to know of a good one.
- Do not ignore certificate warnings when visiting secure sites. A problem with a certificate can mean you are being redirected to a dangerous site that will attempt to inject code onto your computer.
- Avoid websites that do not have an HTTPS option when you can. If a service you enjoy has an HTTPS alternative, switch to that. Voting for secure services by giving secure sites your traffic will encourage everyone to take security seriously.
Endpoint security is crucial. This is the place your data lands and is stored away, presumably with your permission. Endpoints are everything your data lands on, from websites like Google and Facebook to game servers like World of Warcraft and Angry Birds to automated data like error reporting and updates. Here is a list of things to consider when deciding whether to use any service that handles your personal data.
- Does the company have a history of taking security seriously? Have they had any major data breaches?
- Is the company transparent? Do they tell you what they do with your data? Do they appear to communicate in a clear and concise manner? A 56 page end-user license agreement in legalese should not inspire confidence that a company is acting in your best interests. They are hoping that you simply don't read it.
- App permissions consistency. With the rise in popularity of "Apps" on iOS and Android and the access permissions systems built into those, you should also check whether the things the program is trying to access coincide with what the app says it does. A flashlight app should not need access to your Wifi, Email, SMS messaging, and contact lists. A calendar app does not need to know who is calling you and when.
This comprehensive article is a work in progress. I will be updating it periodically with new threats and links to guides for the various countermeasures I recommend in the article. If I am unable to find a good guide for a countermeasure, I will create one and link to that.