Tag: privacy

Cybersecurity tactics for small teams – Hardware Device Security – part 2

October 14, 2021 /

As you can see from the previous paragraphs, there are multiple ways to penetrate your devices. In the following sections, I shall list some methods of making your devices more secure. You can find the previous part – here.

Hardware Security

There are multiple options for physically securing your laptop and smartphone. At the end of the article, I shall give multiple variants for your budget, but ideally, the essential hardware security upgrades are:

  • Secured Notebook Backpack: There are multiple hardware vendors for securing your laptop backpack. It is essential to know the standard branded bags do not offer enough security options. For example, most backpacks do not provide RFID protection and proper locking mechanism.
  • USB Port Lockers: Port lockers can keep your laptop safe from Rubber Ducky-based attacks. At the same time, port lockers are pretty interesting because they make attackers’ lives more complicated in case of steal. To access the USB port of the device, they have to break the locker, which can damage the USB port and make it unusable.
  • Hardware Tokens: Bussines series laptops usually come with internal TPM chips, which can encrypt your entire hard drive. It is terrific, but if you want better security, it is advisable to encrypt your most critical files using external USB hardware tokens.

Antivirus Software

The average number of new malware programs per day is around 450 000. It is an astonishing number and almost destroys the necessity of antivirus software. Still, it is crucial to understand that the goal of your Antivirus Software is to stop the most critical pieces of malware, but not all of them. Let me list some of the mechanisms your Antivirus Software uses to keep you safe.

  • Malware Database: Every Antivirus program comes with a malware database with different strains of already analyzed computer malware. As we already understood, there are around 450 000 new strains per day. Antivirus companies’ teams keep only the most dangerous strains in the database to keep with the speed of making new strains.
  • Malware Scanner: Usually, every malware tries to gain access to resources, which are not part of its resources pool. Antivirus software can monitor your operating system for such activities and can block them and finally notify you.
  • Operating System Files Hash Check: Some antivirus software can check whether there are changes in your operating systems and notify you and revert the system files for the previous state. It is especially true with Red Hat-based Linux distros.

Open Source

One of the reasons people choose Open Source is the level of security it offers. You can perfectly set up your business to use an open-source stack from the beginning. And this is not only the applications but the operating system and even your hardware. Especially Linux is a beautiful example of how an Open Source ecosystem can increase its security by being open. Instead of using pirated software, you download it from a free repo, which has the source code of the app already reviewed. Every major Linux distro has all of its packages signed, and the repo can verify them. But let me list the different advantages an open-source operating system has.



On the diagram, you can see a sample architecture of a Linux system. Usually, SELinux and AppArmor are working on the Kernel level. After version 4.4, Android has SELinux enabled by default.
  • SELinux and AppArmor: SELinux and AppArmor are kernel modifications and user-space tools added to various Linux distributions. Its architecture strives to separate enforcement of security decisions from the security policy and streamlines the amount of software involved with security policy enforcement. Significantly, the fundamental concepts underlying SELinux can be traced to several earlier projects by the United States National Security Agency (NSA).
  • Open Source Repos: All the packages are part of the software repos, maintained by the distro authors. Bigger Linux distros such as Red Hat and SUSE support big security teams to find and patch holes.
  • Open Source Hardware: There are multiple open-source hardware initiatives, including PowerPC and ARM-based processors. It is essential to know those hardware devices attached to your PC come with drivers, and sometimes these drivers can be an entire operating system. For example, server-based Intel Xeon processors come with network-based remote access control.

Budget:

So after we have listed most of the penetration vectors which an attacker can take, we can finish the topic by creating a budget. We will focus the funding towards underfunded organizations with a limited budget for their cybersecurity program. The budget will be per employee.

  • Pacsafe Backpack (190$):  Pacsafe is a brand of travel equipment emphasizing anti-theft features. The company’s products include adventure backpacks, urban and leisure bags, women’s bags, photography bags, luggage, and travel accessories such as straps, cables, and locks. Their middle-end backpacks offer a pretty good level of security.
  • Business Series Laptop (1000$): For this one, I would choose Lenovo Thinkpad-based laptop. It supports TPM and will offer a good level of harddrive encryption. It is essential to mention here that you have to encrypt all of your storage drives, no matter SSD or HDD ones.
  • Laptop Operating System(0$): Here, we shall go with either CentOS or OpenSUSE. I would personally go with CentOS here because of the native SELinux support. If you want to use the Ubuntu operating system, you should live with AppArmor or set yourself SELinux. CentOS additionally support free Antivirus Sofware supporting all the listed features in the previous paragraphs.
  • Smartphone(200$): Here, we shall use any device, which supports LineageOS. LineageOS is an operating system for smartphones, tablet computers, and set-top boxes, based on Android with primarily free and open-source software. It is the successor to the custom ROM CyanogenMod, from which the devs forked it in December 2016. It offers a good level of privacy, including the complete removal of the Google Play Store for the most paranoid ones. Most of the devices officially supported are in the 200$ range.

With a total budget of around 1390$, we achieved a pretty good level of security. Still, a determined attacker can penetrate this setup, but it will take him more time and resources. If you want to improve this setup further, you can add USB locks and hardware tokens. But, again, the improvement will not be much because, in case of hardware steal, hackers would have to break your TPM module, and the TPM modules are designed to resist this kind of attack.

To be continued

Cybersecurity tactics for small teams – Hardware Device Security – part 1

September 1, 2021 /

Please check the previous part – here.

After we already discussed how to assure your physical security and your network perimeter. The topic for the following two parts is the security of your hardware devices. And especially, I shall give you some ideas on how to secure your personal computer and your mobile phone. I shall provide a sample budget for a security-oriented personal computer, laptop, and mobile phone at the end of the parts. In the budget, I shall put the software appliances as well.

But before doing this, let’s have a short discussion of what a computer is and how we use it. The formal definition of a computer is:

A computer is a machine that can be programmed to carry out sequences of arithmetic or logical operations automatically. Modern computers can perform generic sets of operations known as programs. These programs enable computers to perform a wide range of tasks.

In other words, we have a machine, which works with data and can perform operations on it. It is similar to what our brains do for us but in a different way. In terms of computer security, it is essential to understand that your computer is a data carrier and data generator. The goal of your security awareness model is to protect the data and the generator logic. So we have to treat our computers the same way we treat our brains when we don’t want to share data. Aka by making sure we took all the necessary steps to secure access to our information.

So let’s do it. We start with:

Personal Computer/Laptop

We shall discuss the security of laptop computer because it has a more significant amount of attack vectors. We can apply the same list of attacks to workstations.

By definition – A laptop, laptop computer, or notebook computer is a small, portable personal computer (PC) with a screen and alphanumeric keyboard. It is important to note that a laptop is a total nightmare for your computer security policy in the physical security realm. It inherits the traits of all the hardware devices, including the ones related to garbage. Securing laptops is almost impossible, and a dedicated attacker most probably will manage to penetrate the defenses of your laptop one way or another. But let’s list the different attack vectors your laptop has.

On the diagram, you can see a standard data exfiltration workflow. The attacker makes the victim network sending data to a malicious service and, after that, reroute the data to his/her infrastructure
  • Theft: By being mobile, any laptop is a mobile data carrier similar to your paper documents and USB flash sticks. And by that, a dedicated attacker can steal the computer and gain access to your data. It is essential to mention that any encryption mechanism can slow down your attacker, but you can not determine whether it will stop him.
  • Location-based attacks: Companies such as Hak5 promote an exciting set of tools used for location-based attacks. They can penetrate your WiFi network, and even there are devices named RubberDucky. They look like a standard USB flash, but essentially they are cheating your computer that they are keyboard devices and execute a penetration script.
  • Malware: There are many types of malware, but these are most dangerous in terms of cybersecurity: trojan horses and ransomware. Both of them steal your data. In case of ransomware, you have to pay, and at least you receive notification that something wrong happened. In the case of trojan horses, you have no idea what is going on with your data.
  • Misconfiguration: Most of the laptops do not come with proper security configuration by default. Users without formal training can not configure the system, and it remains unsafe until a hacker penetrates it.
  • Pirated Software: Torrent trackers are a terrible place to download software. Usually, the cracked versions of the popular software come with already preinstalled malware. It is highly advisable to use open source or paid products.

Listed threats are only part of a long list of attack vectors an organization must take care of. Still, they are a good starting point, and if your small team manages to stop them, it can reach a good cybersecurity level.

Smartphones

After the introduction of IBM Simon, the smartphone industry had rapid growth. These days, devices are as powerful as a ten-year-old computer and can perform various tasks, which people kept only for computers for a long time. It is fantastic, but they are even worse in terms of cybersecurity than your laptop. They inherit all of your laptop’s problems with even smaller size and limited control over the hardware. They are a nightmare in terms of computer security. But let me list the different attack vectors which your smartphone can introduce:

  • Outdated Operating System: To further push technical progress, hardware vendors usually discount older than four years old devices. And by discount, it means that these devices do not receive security patches and the latest version of their operating system. This approach leaves thousand of people without proper cybersecurity defenses.
  • Laptop Attack Vectors: As a less powerful computer, every smartphone inherits a laptop’s security problems. Even worse, once you store your data in your smartphone’s internal memory, it is almost impossible to erase it securely.
  • Conversation Sniffing: Hackers can use your smartphone to sniff your daily conversations by being constantly held near to you. Many hardware vendors implement security measures versus this kind of attack, but people must still be aware that such an attack is possible.

Next part is here

Is vaccination certification the way to go?

July 22, 2021 /

We are almost two years into the COVID-19 world, and we saw a good number of ways to control the pandemic. We now have vaccines, which will hopefully become better and better with time, and finally, the pandemic will be over. With the bright light in the tunnel, there are some disadvantages to our privacy. Many governments decided to issue digital vaccination certificates and grant access to part of the locked-down social services such as cinemas, bars, hotels, concerts, etc. However, we need to understand that such a solution comes with its burden, especially if it is not appropriately designed.

But what are the different methods of actually issuing a digital certificate for any data? We need a CA (certification authority) to sign somehow our data. In the paper world, this happens using the signature and the stamp of a notary. In the digital world, the certificate is signed by a computer machine using modern cryptography methods. There are different mediums for this digitally signed certificate, and I shall cover them in a shortlist:

On the diagram, you can see a standard NFC solution technical diagram. The reader is sending energy and data using electric magnetic fields. The NFC data storage is passive and usually does not have a battery.
  • A printed certificate with QR code: For many years, the aviation industry has used QR codes for authentication purposes and a faster onboarding experience. The QR code contains a signed data read by the boarding gate, and if adequately verified, the gate allows the passenger to pass through. This method gives good privacy from a privacy point of view, but you will need to keep the paper with you constantly. And this is especially true in the case of a vaccination certificate. Additionally, everyone can read the QR code.
  • A digital record based on your data: Almost every person on the Earth has a personal identification number issued by his/her country of origin. The government could use this data to base the vaccination certificate on it and record your number of shots into an online server. However, this is the most terrible method in terms of privacy, because usually vaccination plan is personal data and must have a proper authentication mechanism defending it.
  • NFC-based certificate: Modern digital ID cards use this technology to keep a signed copy of your data. This way, everyone with an NFC reader can read the data from your card and verify it using the stored digital x509 certificate. As opposed to the paper solution, the NFC one is reprogrammable, which means we could reuse the same card/chip to update the data with more medical information, and everything stays locally in the card. This option is the best in terms of privacy. However, you will need an NFC reader-protected purse or backpack to keep the data safe.

In conclusion, digital vaccination certificates can help governments control the pandemic. However, there are many privacy issues in the long term, which could affect the general population. For example, what happens if hackers manage to collect data for everyone, whether vaccinated or not, and create illegal lists with people, which employers can later use to decide whether to hire or not a given candidate. There are already cases with illegal chronic diseases-based lists distributed on the black market. We could easily see a similar future for our vaccination passports data.

Where cyber criminals store their data?

July 8, 2021 /

Tracking hackers is not a fast and straightforward activity these days. Yes, most governments’ monitoring and data analytics capabilities are indeed becoming better and better. However, the privacy tools are becoming better and better, as well. There is a constant debate whether people must give more of their online privacy for safety. On the other side giving more power to centralized authorities can lead to dystopian states and not functional societies.

One scientific branch helping the governments to catch cybercriminals is cyber criminology. As a discipline, cyber criminology encompasses a multidisciplinary field of inquiry – criminology, sociology, psychology, victimology, information technology, and computer/internet sciences. But in short, its primary goal is to standardize the way we catch cybercriminals. As we can see, most of these disciplines are coming from the social criminology world, and they are primarily used to make a psychological profile of the attacker. On the other side, the technical aspects are crucial if we want to catch the hacker and how he/she managed to hack the system. Without cyber forensics and, most notably, computer science, we don’t have a proper way to understand what happened and how to catch hackers.

One of the main ways to hit criminal organizations properly is to target and track their infrastructure. Without a decent infrastructure, one can not do much in cyberspace. Sure, a hacker attack can steal a lot of data and create havoc, but they need computers, servers, and other equipment for all of this. The stolen data must be stored somewhere, analyzed, and eventually used for blackmail or released to the public. Like cloud providers, hackers need backup and retention plans for the stolen data, and nothing is for free.

One interesting case for such infrastructure is a former NATO bunker used to host Dark Net websites. The German police stormed the place allegedly used to host websites offering drugs, child pornography, and devices to breach computers. Over 600 police personnel were involved in the raid on what they termed a “cyber bunker data center” in the western German city of Traben-Trarbach. Seven people were arrested, with 13 more sought, although none were taken into custody at the site. The arrests occurred at a local restaurant and in the town of Schwalbach, near Frankfurt. Other raids co-occurred in Poland, the Netherlands, and Luxembourg.

This case is quite interesting because cybercriminals usually do not have so many resources to create a whole data center. Hacking has an asymmetric nature, and most of the time, attackers have fewer resources than the defenders. And these smaller criminal cells are targeting SMEs. In that case, a significant criminal group, most probably part of the mafia, owned a whole data center.

You can see how a standard privacy-oriented user would store their data in the cloud on the diagram. Criminals use the same techniques to ensure everything stored in the cloud is adequately encrypted and hard to track

In conclusion, we should track and hit cybercriminals by finding their data infrastructure and destroy it. Acquiring infrastructure is one of the most expensive parts of a hacker operation. It can take months to years to accumulate it. And here comes the cyber criminology value. We can use this interdisciplinary field to find where the infrastructure is located and destroy it.

Why You [Don’t] Need a VPN in 2021?

May 13, 2021 /

In 2021, the VPN users are in their billions, with an average user growth of 8%. According to a recent study conducted in early 2021, 50% of the respondents claimed to be using a VPN regularly to access usually restricted entertainment content. These VPN users were predominantly younger, and 62% identified as male by gender. Geographically users in the Asia-Pacific region make up a majority of all those who access a VPN with 30%, compared with Europe and North America, who combined made up 32% of those accessing a VPN worldwide.

VPNs are getting pushed as a must-have multi-service product. Are they?

VPN stands for Virtual Private Network, and it gets used for a variety of things. It can protect your online privacy by hiding your traffic and location. It masks your IP address making it easier to bypass censorship and geo-blocks. But its primary purpose is to provide your organization an encrypted tunnel to your enterprise network.

On the diagram, you can see how different users connect to a VPN (black is for the local user network, and red is for the connection to the VPN). After that, the VPN server redirects your connection to the website you want to use. The website will see your IP as the VPN’s IP (blue connections).

A remote-access VPN creates a connection between individual users and a remote network.

Remote access VPNs use two key components: Network Access Server (NAS), a dedicated server, or a software application on a shared server connected to the business’s internal network. And the second component is VPN client – software installed on a user’s computer or mobile device.

VPN protocol secures the data you input when registering on websites and creating accounts. It ensures that even if attackers manage to sniff data from you, they will need more resources to decrypt it. Some VPNs even block malicious ads, trackers, and websites that stealthily download malware on your device without you even realizing it. That’s how VPNs get advertised, and on the surface, all that sounds useful, right? The critical thing is, you don’t need a VPN to do everything listed above.

With all that they do, many people wonder if VPNs are even legal. VPNs are legal in most countries, with only a few exceptions. Places that either regulate or outright ban VPNs are China, Iraq, North Korea, Oman, Russia, and the UAE, to name a few. A downfall of using a VPN is that your connection speed will suffer slightly. Many will also admit that setting up a VPN, especially for some specific business needs, could be time-consuming and may challenge your tenacity.

A negative aspect of VPNs is that while you may be keeping your data encrypted and safe from hackers, that doesn’t apply to the VPN company. Whichever provider you’re using, it has access to all of your information – location, IP address, which sites you frequent, all manner of sensitive data. Do you think it wise to trust a company with such private information?

You can ensure your online security without turning to the services of a VPN. There are a few key steps to follow.

As already mentioned, make sure only to visit secure websites – starting with HTTPS:// instead of HTTP://. Next, two-factor authentication is your best friend when logging into a site. Add an extra layer of protection. Physical keys are an excellent option for that task. They vary in price, but there are affordable options. If you can’t manage to get one, use an SMS or email authentication. Use whatever you can to ensure a two-step verification when accessing sites. It can save you a ton of trouble. A username and password aren’t enough.

Another helpful step to ensure security is not to use shared devices. Sharing a laptop or a PC with a third party is a terrible idea as it can open the floodgates to malware, keyloggers, and who knows what else. And, lastly, update regularly. That may sound like a no-brainer, but people tend to postpone updates indefinitely. Don’t do that. Timely updates go a long way.

But, if you want to use VPN, please use providers, which offer VPN over Tor and anonymous registration. They must take payments in cryptocurrencies as well. This setup provides you some privacy and a way to avoid firewalls. However, this setup can be categorized as a grey or black hat technique in many countries and could bring you troubles.