Insights For Success

Strategy, Innovation, Leadership and Security

Your ISP is always watching, tracking and profiling you

General | Edward Kiledjian

The media loves stories about how Google, Facebook and Microsoft track and profile users. These stories sell papers and draw eyeballs. What they don't tell you is that your ISP has more visibility into what you do online than any of those giants: every connection you make, to any service, passes through your ISP's network first.

If you don't see what the big problem is, read this article: How Target knows you are pregnant through data analytics. You may not realize it, but the bread crumbs you leave behind are incredibly valuable to marketers, insurers and anyone else interested in using psyops to trick you.

Choose your ISP wisely

The most important first step is choosing an ISP that will stand up for user privacy. When I moved to Toronto, I went with Teksavvy, which seemed to have a more open corporate policy regarding the protection of customer information and at least says it tries to limit data collection.

Choose an ISP (if possible) that has policies protecting you.

HTTPS

I have been extolling the virtues of SSL/TLS for 10+ years, and Google gave the machine a kick in the butt when it started favoring secure connections in its search results. Anytime you see https and the lock icon near the URL, it means the traffic between your browser and that site is encrypted and integrity-protected in transit: an eavesdropper on the path can't read it or silently modify it. They can still see which site you are talking to (from your DNS lookup, the server's IP address and the server name sent in the clear in the TLS handshake) and roughly how much data went back and forth, but not the pages or the data inside. All very good things.

Many small and medium sites still didn't want to go through the cost and hassle of implementing TLS, but Let's Encrypt, a free, automated certificate authority, removed the cost and most of the hassle. Large hosting providers like WordPress and Squarespace jumped on board and offer it as a checkbox add-on for any site they host. So now there is no excuse.

As a user, you still have to make sure you actually land on the https version, since many sites support both and not all automatically redirect to the secure one. Enter the free browser plugin called HTTPS Everywhere. (Current browsers ship an equivalent HTTPS-Only mode, and EFF has since retired the extension in favor of it; the rest of this section applies to either.)


HTTPS Everywhere

EFF makes this browser extension so that users connect to a service securely using encryption whenever the service supports it. If a website or service offers a secure connection, then the ISP is generally not able to see what exactly you're doing on the service. However, the ISP is still able to see that you're connecting to a certain website, because the hostname is exposed by your DNS lookup and by the server name sent in the clear in the TLS handshake. For example, if you were to visit https://www.eff.org/https-everywhere, your ISP wouldn't be able to tell that you're on the HTTPS Everywhere page, but would still be able to see that you're connecting to EFF's website at https://www.eff.org.

HTTPS Everywhere has its limits for privacy, since the ISP still learns which sites you connect to, but it's still a valuable tool.

If you use a site that doesn't have HTTPS by default, email them and ask them to join the movement to encrypt the web.

VPNs

In the wake of the repeal of the FCC's broadband privacy rules, the advice to use a Virtual Private Network (VPN) to protect your privacy has dominated the conversation. However, while VPNs can be useful, they carry their own unique privacy risk. When using a VPN, you're making your Internet traffic pass through the VPN provider's servers before reaching your destination on the Internet. Your ISP will see that you're connecting to a VPN provider, but won't be able to see what you're ultimately connecting to. This is important to understand because you're exposing your entire Internet activity to the VPN provider and shifting your trust from the ISP to the VPN.

In other words, you should be damn sure you trust your VPN provider to not do the shady things that you don’t want your ISP to do.

VPNs can see, modify, and log your Internet traffic. Many VPN providers promise not to log your traffic and to take other privacy-protective measures, but it is hard to verify this independently, since the server side is a closed system you can't inspect. For example, a recent study found that up to 38% of VPN apps available for Android contained some form of malware or spyware.

Below, we detail some factors that should be considered when selecting a VPN provider. Keep in mind that these are considerations for someone who is interested in preventing their ISP from snooping on their Internet traffic, and not meant for someone who is interested in protecting their information from the government—a whistleblower, for instance. As with all things security and privacy-related, it’s important to consider your threat model.

  • Is your VPN service dirt-cheap or free? Does the service cost $20 for a lifetime service? There’s probably a reason for that and your browsing history may be the actual product that the company is selling to others.

  • How long has your VPN provider been around? If it is relatively new and without a reliable history, you’d have to trust the provider a great deal in order to use such a service.

  • Does the VPN provider log your traffic? If yes, what kind of information is logged? Look for one that explicitly promises not to log your Internet traffic, and check how active the provider is in advocating for user privacy.

  • Does the VPN provider use encryption in providing the service? It's generally recommended to use services that support a well-vetted open protocol like OpenVPN or IPsec (WireGuard is the newer equivalent). Using one of these doesn't guarantee the provider configured it well, but it does mean the cryptography has been publicly reviewed, which a home-grown or proprietary protocol has not.

  • If your VPN provider uses encryption but authenticates with a single pre-shared key that every customer knows (common with L2TP/IPsec setups), that is not real security: anyone with the key, which means every other customer, can stand up a rogue server that your client will accept.

  • Do you need to use the VPN provider’s proprietary client to use the service? You should avoid these and look for services that you can use with an open source client. There are many clients that support the above-mentioned OpenVPN or IPSec protocols.

  • Would using the VPN service still leak your DNS queries to your ISP? If your operating system keeps sending name lookups to the ISP's resolver outside the tunnel, the ISP still gets a list of every site you visit, VPN or not.

  • Does the VPN support IPv6? As the Internet transitions from IPv4 to the IPv6 protocol, some VPN providers may not support it. Consequently, if your digital device is trying to reach a destination that has an IPv6 address using a VPN connection that only supports IPv4, the old protocol, it may attempt to do so outside of the VPN connection. This can enable the ISP to see what you’re connecting to since the traffic would be outside of the encrypted VPN traffic.

Now that you know what to look for in a VPN provider, you can use these two guides as your starting point for research. Though keep in mind that a lot of the information in the guides is derived from or given by the provider, so again, it requires us to trust their assertions.
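The DNS and IPv6 leak questions in the list above can be answered from the client's own routing state, without trusting a web test page. The following is an added example, not part of the original post, written in Python for a Linux client: it takes the output of `ip -4 route` and `ip -6 route` plus the contents of /etc/resolv.conf and reports whether the IPv4 default route goes through the tunnel interface, whether an IPv6 default route bypasses it, and which configured nameservers would be reached outside the tunnel. The two route tables and resolver files below are constructed samples; the tunnel interface name `tun0` and all addresses are assumptions.

```python
import ipaddress

# Constructed sample: VPN "up" but misconfigured. Output of `ip -4 route` and
# `ip -6 route` on a Linux client; interface names and addresses are assumptions.
LEAKY_V4 = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.42
"""
LEAKY_V6 = """\
default via fe80::1 dev wlan0 proto ra metric 600 pref medium
2001:db8:1::/64 dev wlan0 proto ra metric 600 pref medium
fe80::/64 dev wlan0 proto kernel metric 600 pref medium
"""
LEAKY_RESOLV = "nameserver 192.168.1.1\nsearch lan\n"

# Constructed sample: the same client done right. The VPN client added the
# 0.0.0.0/1 + 128.0.0.0/1 pair (OpenVPN's redirect-gateway def1), pinned the VPN
# server's own address to the physical interface, pushed its resolver, and
# left IPv6 with no default route so nothing can escape that way.
GOOD_V4 = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.42
203.0.113.7 via 192.168.1.1 dev wlan0
"""
GOOD_V6 = "fe80::/64 dev wlan0 proto kernel metric 600 pref medium\n"
GOOD_RESOLV = "nameserver 10.8.0.1\n"


def parse_routes(text, version):
    """`ip route` lines -> (network, interface, metric); keyword routes like 'unreachable' are skipped."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        dst = parts[0]
        if dst == "default":
            dst = "0.0.0.0/0" if version == 4 else "::/0"
        try:
            net = ipaddress.ip_network(dst, strict=False)
        except ValueError:
            continue
        dev = parts[parts.index("dev") + 1] if "dev" in parts else ""
        metric = int(parts[parts.index("metric") + 1]) if "metric" in parts else 0
        routes.append((net, dev, metric))
    return routes


def egress_interface(ip_str, routes):
    """Longest-prefix match (lower metric breaks ties): where would a packet to ip_str leave?"""
    ip = ipaddress.ip_address(ip_str)
    best = None
    for net, dev, metric in routes:
        if net.version != ip.version or ip not in net:
            continue
        rank = (net.prefixlen, -metric)
        if best is None or rank > best[0]:
            best = (rank, dev)
    return best[1] if best else None


def default_via_tunnel(routes, tun, version):
    """True if this address family is steered into the tunnel, either by a winning
    default route or by the two /1 routes that are more specific than any default."""
    everything = ipaddress.ip_network("0.0.0.0/0" if version == 4 else "::/0")
    halves = [ipaddress.ip_network(h) for h in
              (("0.0.0.0/1", "128.0.0.0/1") if version == 4 else ("::/1", "8000::/1"))]
    defaults = sorted((m, dev) for net, dev, m in routes if net == everything)
    if defaults and defaults[0][1] == tun:
        return True
    return all(any(net == h and dev == tun for net, dev, _ in routes) for h in halves)


def vpn_leak_report(v4_routes, v6_routes, resolv_conf, tun="tun0"):
    """Answer the DNS and IPv6 leak questions from the client's own routing state."""
    routes = parse_routes(v4_routes, 4) + parse_routes(v6_routes, 6)
    has_v6_default = any(net == ipaddress.ip_network("::/0") for net, _, _ in routes)
    nameservers = [line.split()[1] for line in resolv_conf.splitlines()
                   if line.startswith("nameserver") and len(line.split()) > 1]
    report = {
        "ipv4_default_via_tunnel": default_via_tunnel(routes, tun, 4),
        "ipv6_leak": has_v6_default and not default_via_tunnel(routes, tun, 6),
        "dns_leak": [ns for ns in nameservers if egress_interface(ns, routes) != tun],
    }
    report["protected"] = (report["ipv4_default_via_tunnel"]
                           and not report["ipv6_leak"] and not report["dns_leak"])
    return report


if __name__ == "__main__":
    print("leaky:", vpn_leak_report(LEAKY_V4, LEAKY_V6, LEAKY_RESOLV))
    print("good: ", vpn_leak_report(GOOD_V4, GOOD_V6, GOOD_RESOLV))
```

On a real machine, feed it the output of `ip -4 route`, `ip -6 route` and `cat /etc/resolv.conf`. One caveat: on systems running systemd-resolved, resolv.conf points at the local stub 127.0.0.53, which this check will flag; there you need `resolvectl status` to see which upstream resolver each interface actually uses.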

Tor

If you are trying to protect your privacy from your Internet company, Tor Browser perhaps offers the most robust protection. Your ISP will only see that you are connecting to the Tor network, and not your ultimate destination, similar to VPNs.

Keep in mind that with Tor, the exit node operator can see your ultimate destination (and any unencrypted content) in the same way a VPN provider can, but unlike a VPN it doesn't know who you are: the relays before it hide your real IP address, which improves anonymity relative to a VPN.

Users should be aware that some websites may not work in the Tor browser because of the protections built in. Additionally, maintaining privacy on Tor does require users to alter their browsing habits a little. See this for more information.

 

It’s a shame that our elected representatives decided to prioritize corporate interests over our privacy rights. We shouldn’t have to take extraordinary steps to limit how our personal information can be used, but that is clearly something that we are all forced to do now. EFF will continue to advocate for Internet users’ privacy and will work to fix this in the future.

New US Border Control rules for Canadians

General | Edward Kiledjian

Since the tightening of US border entry rules, readers have been emailing asking:

What should I do when crossing the USA / Canada border?

Canadian (and other non-US) readers traveling to the US wanted to know what the tighter controls mean when crossing into the US.

The first important truth most travelers need to accept is that "entering another country is a privilege and not a right". Although the controls may have tightened a bit, they haven't changed materially. Having visited over 40 countries in the last 30 years, I accept the fact that anytime I cross a national border, I am subject to the controls of that country and prepare accordingly.

The cardinal rule of information security is "know your risk". The first step is to determine all your risk factors (status entering that country, data you will be traveling with, travel history, your background, travel risk level of the region you are entering, etc).

Before you leave

  1. Minimize the amount of information you travel with. People often forget the treasure trove of information they carry on a daily basis. Your smartphone (as an example) contains all your contacts, login sessions for all your social networks, health information, GPS location history, networks you have connected to, etc. Anytime you cross a border (not just the USA; this applies to any national border crossing), the agents are tasked with protecting that country and may "take" any information you are entering the country with to determine your traveler risk. Do not take anything you wouldn't want to hand over.
  2. Minimize the number of devices you travel with. This may sound stupid, but I have seen business travelers cross the border with a personal smartphone, a work smartphone, a personal tablet, a work tablet and a work laptop. Understand that anything you enter the country with can be seized or taken for analysis. With all the Snowden, Vault7 and WikiLeaks dumps, it's clear that if a border agent touches your device, you shouldn't use it anymore. You should assume it has been permanently compromised. Where possible, do not bring devices with you. If you do, try to bring "disposable" devices you wouldn't mind throwing away if need be.

What should I do before crossing the border?

  1. Remove all information from your devices that you do not absolutely need to bring with you.
  2. Anything you could need, try to move it to the cloud and securely delete your local copy.
  3. Delete any apps from your smartphone for which you don't want to hand over login credentials to.
  4. If you use a password vault solution synchronized with the cloud, you may want to delete that (Lastpass, 1Password) and reinstall it after you enter the country.
  5. If you use a cloud synchronized 2-factor authentication solution, you may want to delete that (Authy) and reinstall it after you enter the country.
  6. If you can, leave the device at home. If you have a work phone, bring it with you but leave your personal back home.  Instead of bringing a tablet, try to load your content on the smartphone.
  7. If you can, travel with the least complex device possible (chromebook instead of a laptop or tablet instead of a laptop)
  8. Ensure device encryption is turned on.
  9. Turn off your devices before crossing the border.
  10. Switch the unlock mechanism from fingerprint to password-based. A finger can be placed on a sensor for you; a password has to be given up knowingly.

At the border

Never lie to a border agent. Never! Ever! Ever!

Any foreigner who refuses to comply with a border agent's request (at any border, not just the USA) will likely be turned away and sent back to their home country. In extreme cases, you can even be barred from entering that country again.

This means that you are "forced" to comply with any request made by the border agent. If asked for your device password, you can provide it and cooperate or defy them. If you defy the request, they will likely take the device and send it for investigation while denying you entry (maybe even keeping you for secondary questioning). Either way, once you "lose control" of your device, you should assume it has been permanently hacked and that a clean re-install will not make it trustworthy again.

They may also ask you for your social media login information. Even if you do not have the app installed on your devices, they know you have an account and can ask for the credentials. Never lie. Refusing to cooperate can cause you to be detained for additional questioning and given an entry ban.

What should I do while crossing the border?

  1. Always be polite and respectful. Remember the agent is doing his/her job.
  2. Never lie. Always be truthful. 
  3. If asked to hand over a device or password, I would do it without putting up a fight. Once you are at the border, you have decided you are engaged and have to cooperate. 

After crossing the border

If your work device was accessed at the border, notify your company information security group immediately. 

If your personal device was accessed, you have to think long and hard about what you want to do. Know that there may be a permanent (un-removable) backdoor or tracker installed on the device. In some cases even a complete factory reset won't remove it. What do you want to do? In the security space, we recommend throwing the device away and buying a new one but this is a personal decision especially with a $1000 smartphone, tablet or laptop.

Also, if they accessed your device or asked for your social media login information (username/password), assume they downloaded your social graph (all of your contact info and the contact info of your contacts). I would change all my social media passwords and double-check my account information (email address, recovery phrases, telephone numbers, etc.). Also notify your network that you lost control of your social media account and that they should be extra vigilant with requests and the information being shared with them.

Other recommendations

If you travel to the US regularly, think about applying for a Nexus card (if you are a Canadian). Having a Nexus card means you have been deeply vetted and all of your fingerprints are on file. My experience has been that the Nexus has made crossing into the USA much easier. 

If you are a tech neophyte, take the time to read up on device security and security best practices. The truth is you are solely responsible for your privacy and security.

The hidden dangers of using public WIFI

General | Edward Kiledjian

There are plenty of reasons to love WIFI (over cellular). It's free, fast and usually reliable. Often, though, it's not a WIFI network you control (think coffee shop, retail store, mall, fast food joint, etc.). Sure, WIFI is ubiquitous, but most of it is controlled by someone else, which means it could and should be considered a hostile environment.

WIFI is a hacker playground

Man In The Middle Attack

A Man In The Middle (MITM) attack is an oldie but a goodie. It lets a third party sit between you and the site you are talking to and intercept (and alter) the communication. If successfully performed, an attacker can present a fake "hacker version" of a site you are trying to visit in the hope of infecting your machine or harvesting your credentials.

An innocent use of this technology is when a WIFI provider intercepts your web browsing request (when you first connect to their network) and injects a logon or terms acceptance page (captive portal). This is a benign use of the technology but bad actors can use this to inject malicious code to infect your computer or trick you.

What you should do: Ensure any site you visit requiring a login or requesting private information is using an encrypted SSL/TLS connection. Look for a URL that starts with https instead of just http and a lock icon in the address bar (older Chrome showed it green; current browsers show a plain lock and instead label http pages "Not secure"). If the browser warns about the certificate on a network you don't control, stop: that warning is exactly what an interception attempt looks like.

We are seeing more and more sites switch to encrypted https, but many have not made the jump yet. You should also add a free browser plug-in called HTTPS Everywhere. It is a free plug-in developed by the Electronic Frontier Foundation and the Tor Project which automatically rewrites requests to the secure https protocol when the site supports it.

Fake WIFI networks

This is a very easy trick that has been successful every time I have tested it. I basically set up a strong-signal WIFI network with a carefully chosen, trustworthy-sounding name that gets users connecting to it, then I do what I want with the traffic and resend it to the local establishment's free WIFI network, thus performing a Man In The Middle attack.

I can even use the same WIFI name as the local establishment's, and your device will automatically connect to my rogue network if my signal is stronger (that's why automatic connections to untrusted WIFI networks can be a very bad thing unless you are always on VPN). I can create one of these networks with cheap devices, but my preferred tool is the WIFI Pineapple.

What you should do: Be wary if you see multiple networks with the same name at your local coffee shop. It doesn't always mean there is an attack happening, but it should give you pause. Turn off auto-join for networks you don't control. The real solution is to always use a VPN when connecting to a WIFI network you don't directly control.
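A client-side version of the "same name twice" check, as an added example that is not part of the original post: given a list of scan results (BSSID, SSID, signal, security), the Python below flags SSIDs that are advertised open and encrypted at once, by access points with different vendor prefixes, or by one radio far louder than the rest, and compares each against a saved profile before allowing auto-join. The scan entries, the saved profile and the 15 dB threshold are constructed assumptions. A careful attacker can clone the BSSID and security type as well, so this catches the cheap setup described above, not every evil twin.

```python
from collections import defaultdict

# Constructed scan results in the shape `nmcli dev wifi list` or `iw dev wlan0 scan`
# would give: (BSSID, SSID, signal in dBm, security). Not a real capture.
SCAN = [
    ("a4:2b:8c:11:22:33", "CoffeeShop_Free", -61, "WPA2"),
    ("a4:2b:8c:11:22:34", "CoffeeShop_Free", -67, "WPA2"),   # second radio of the same AP: same vendor prefix
    ("00:13:37:de:ad:01", "CoffeeShop_Free", -38, "--"),     # open, different vendor, much louder: suspicious
    ("d8:5d:4c:aa:bb:cc", "Mall Guest", -70, "--"),
]

# What the client remembered when it first joined (assumed saved profile).
KNOWN = {"CoffeeShop_Free": {"security": "WPA2", "oui": "a4:2b:8c"}}


def oui(bssid):
    """First three octets of a MAC address, which identify the hardware vendor."""
    return bssid.lower()[:8]


def find_evil_twins(scan, known=None, signal_gap_db=15):
    """Group the scan by SSID and return {ssid: [reasons]} for names that look cloned."""
    by_ssid = defaultdict(list)
    for bssid, ssid, signal, security in scan:
        by_ssid[ssid].append((bssid, signal, security))

    alerts = {}
    for ssid, aps in by_ssid.items():
        reasons = []
        if len({sec for _, _, sec in aps}) > 1:
            reasons.append("same name advertised both open and encrypted")
        if len({oui(b) for b, _, _ in aps}) > 1:
            reasons.append("access points from different hardware vendors")
        loudest = max(aps, key=lambda ap: ap[1])
        rest = [ap for ap in aps if ap is not loudest]
        if rest:
            gap = loudest[1] - max(ap[1] for ap in rest)
            if gap >= signal_gap_db:
                reasons.append(f"{loudest[0]} is {gap} dB louder than the others")
        if known and ssid in known:
            profile = known[ssid]
            rogue = [b for b, _, sec in aps
                     if oui(b) != profile["oui"] or sec != profile["security"]]
            if rogue:
                reasons.append("does not match saved profile: " + ", ".join(rogue))
        if reasons:
            alerts[ssid] = reasons
    return alerts


def should_autojoin(ssid, bssid, security, known):
    """Only auto-join when the SSID, vendor prefix and security all match the saved profile."""
    profile = known.get(ssid)
    return bool(profile) and oui(bssid) == profile["oui"] and security == profile["security"]


if __name__ == "__main__":
    for ssid, reasons in find_evil_twins(SCAN, KNOWN).items():
        print(ssid)
        for reason in reasons:
            print("  -", reason)
```

The `should_autojoin` rule is the important half: most operating systems auto-join on SSID alone, which is exactly what the rogue network relies on. Tightening that decision to SSID plus vendor prefix plus security type is cheap and stops the stronger-signal trick described above.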

Collecting your wireless information

Sniffing network traffic is a technique corporate network administrators use to collect information for debugging and identifying system issues. Sniffing is basically collecting all (or some) of the traffic flowing over a network. In the wireless world this is incredibly easy and can be done without anyone's authorization: all it takes is a cheap wireless card that supports monitor mode, and whoever has one can capture everything flowing over the air. Once you have the hardware, you simply need free software like Wireshark to start capturing. On an open network everything is in the clear; a password-protected cafe network is only slightly better, because anyone who knows the shared passphrase and captured the handshake when you joined can decrypt your traffic too.

Anyone interested in WIFI testing should buy a WIFI Pineapple. You can't call yourself a real security pro without one. I'll wait while you go and buy one from here. (No, that is not an associate link and I do not get anything for recommending them. It is just an awesome product.)

What you should do: The same https check as above: any page asking for a login or private information must be https with a valid lock icon. Encrypted traffic can still be captured, but it is garbled and useless to the attacker (apart from the hostname and the amount of data). Or you can use a VPN service (which I will talk more about later).

Stealing cookies

No, not cookies from the coffee shop, but the cookies websites use to authenticate your session. Most websites drop a session cookie in your browser after you log in so you don't have to log in every time you visit a page on the site. Whoever holds that cookie is you, as far as the site is concerned. Most major sites protect it by only ever sending it over https, but many don't, and attackers on the same network will grab it from unencrypted page loads. By replaying the stolen cookie from the same location, the attacker is treated as the logged-in user and can act on the account without ever knowing the password.

What you should do: Exactly the same as above. If the site is https end to end, the cookie is never sent in the clear (site operators: mark the cookie Secure and HttpOnly so the browser never sends it over http and scripts can't read it). Otherwise, a VPN (below) at least hides it from the people in the room.
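Both halves of the cookie problem in one added example, not from the original post: the first function is what the sniffer in the previous two sections does with a plaintext HTTP request it captured (pull the Host and any session-looking cookie so it can replay them), and the second is the server-side check that prevents it (a Set-Cookie header without Secure is sent on http:// too, so the sniffer gets it the moment you mistype the scheme). The captured request, the host name `forum.example.test` and the cookie value are constructed.

```python
import re
from http.cookies import SimpleCookie

# Constructed sample: the payload of one plaintext HTTP request, exactly what a
# sniffer on an open cafe network would see. Host name and cookie are invented.
CAPTURED_REQUEST = (
    b"GET /account HTTP/1.1\r\n"
    b"Host: forum.example.test\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Cookie: sessionid=8f3a9c1e2b; theme=dark\r\n"
    b"\r\n"
)

# Cookie names that usually carry a login session (heuristic, assumed).
SESSION_LIKE = re.compile(r"sess|sid|auth|token|login", re.IGNORECASE)


def harvest_session_cookies(payload: bytes):
    """Pull the Host header and any session-looking cookies out of a plaintext request.

    Returns (host, {cookie_name: value}); this is all an attacker needs to replay the session.
    """
    head = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    host, cookie_header = None, ""
    for line in head.split("\r\n")[1:]:                  # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            host = value.strip()
        elif name.strip().lower() == "cookie":
            cookie_header = value.strip()
    stolen = {}
    for part in cookie_header.split(";"):
        key, _, val = part.strip().partition("=")
        if key and SESSION_LIKE.search(key):
            stolen[key] = val
    return host, stolen


def replay_header(stolen):
    """The Cookie header the attacker sends from their own browser to take over the session."""
    return "Cookie: " + "; ".join(f"{k}={v}" for k, v in stolen.items())


def audit_set_cookie(header_value: str):
    """Server-side check: flags Set-Cookie values that would let the cookie ride over plain http."""
    jar = SimpleCookie()
    jar.load(header_value)
    problems = {}
    for name, morsel in jar.items():
        issues = []
        if not morsel["secure"]:
            issues.append("missing Secure: the browser will also send it on http:// requests")
        if not morsel["httponly"]:
            issues.append("missing HttpOnly: readable by any script injected into the page")
        if not morsel["samesite"]:
            issues.append("missing SameSite: sent on cross-site requests")
        if issues:
            problems[name] = issues
    return problems


if __name__ == "__main__":
    host, stolen = harvest_session_cookies(CAPTURED_REQUEST)
    print("victim site:", host, "->", replay_header(stolen))
    print("weak header:", audit_set_cookie("sessionid=8f3a9c1e2b; Path=/"))
    print("hardened:   ", audit_set_cookie("sessionid=8f3a9c1e2b; Path=/; Secure; HttpOnly; SameSite=Lax"))
```

Marking the cookie Secure is the fix on the server side; sending a Strict-Transport-Security header on top stops the browser from ever issuing the plain http request in the first place, so there is nothing for the sniffer to harvest.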

Peekaboo I see you

When organizing a security test for a company, my preferred method of attack is attacking the bag of mostly water (aka the human). Humans are usually careless, clumsy and easy to trick. It is much easier to compromise a human than an IT system.

Shoulder surfing is the art of looking over someone's "shoulder" as they type protected information into a computer system. This could be a building entry code, the PIN for your ATM card or a site password.

This is an especially easy attack when you are in a crowded area where it feels normal to have people close by (packed coffee shop with tight tables, a bus, etc).

What you should do: When I travel, I have a 3M privacy filter on my computer screen to make it more difficult for people around me to see my on-screen information. Additionally, I always cover the keypad when entering my PIN and never enter passwords in a crowded area. The important thing is to realize this could happen and pay attention to your surroundings.

What about that VPN option

My next article will be about 1 or 2 VPN providers that I trust and use, but for now, I'll write about what a VPN is. A Virtual Private Network creates an encrypted tunnel between your device and the VPN provider's server, and all of your traffic is routed through it. That means anyone eavesdropping (digitally) on your WIFI or LTE connection will only see garbled

Of course the VPN provider will see all of your traffic as it sends it to the general Internet from its servers, but at least you protect yourself from local WIFI attacks. Additionally, anytime you use an https site, that traffic is protected end to end, and even your VPN provider cannot see the content, only which site you are talking to.

As an example: 

I am sitting in a coffee shop browsing facebook via their mobile website. Their mobile website is protected because it uses TLS (https). I distrust public WIFI, I also have a VPN active.

This means that my connection (all traffic to and from the internet to my device) is encrypted inside that protected VPN tunnel [from my device until the server of the VPN provider] thus no one in the local coffee shop sees where I am browsing and what I am sending/receiving. This protects you from all those local attacks.

Because I am using the facebook website on my device, it is also using protected https which means traffic for that site is encrypted a second time between me and Facebook. This means that the VPN provider knows I visited facebook but can't see anything else.

Obviously you have to trust the VPN provider not to profile you but this is much better than trusting a coffee shop WIFI or even your wireless LTE carrier.

The US Government is moving to kill the rules preventing carriers from selling user data to the highest bidder. This means even your home Internet provider or wireless carrier will probably start tracking your every move on the Internet and selling it to marketing companies. Many people should start thinking about running a permanent VPN from their home router to the Internet to protect themselves from this type of profiling.

For those that want a fast, easy and reliable VPN appliance, read my review of the InvizboxGO here

Invizbox GO Review

General | Edward Kiledjian

As we learn more about how much data the intelligence community collects and what their capabilities are (Vault7), it reinforces the mantra of having good security hygiene. If you weren't using VPN while on (untrusted) WIFI connections, then you should be. 

I consider untrusted any WIFI network I don't directly control. I even use VPN (normally) when on LTE because I don't trust my wireless carrier.

VPN hardware galore

Appliances that are properly designed and maintained should make most tasks easier and safer. VPNs and Tor are no exception. Kickstarter and IndieGogo are full of entrepreneurs promising easy security. Unfortunately most fall flat because they are simply re-badged Chinese products with a crappy interface.

The worst of the bunch are unmaintained products with tons of exploitable vulnerabilities leaking your data with every transaction. Invizbox was a Kickstarter-funded company and their first product, a small gumbox-sized WIFI anonymization router, worked as advertised. Its major drawback was the requirement for a physical connection to the Internet, and it was slow. Oh so slow.

The design team came back with a vengeance and released the InvizBoxGO late last year.  The invizboxGo is a small battery powered device that will secure your WIFI connections and work as a battery backup if you need it. 

TL;DR The InvizboxGO is now part of my every day carry kit (EDC Kit).

The InvizboxGo is sold with an optional "white labelled" VPN service. When you buy the VPN service, you receive the "enhanced" TOR experience which basically means it uses VPN for the first hop to the TOR network thus protecting even that flow of traffic.

It also supports pluggable transports. A pluggable transport changes what your Tor traffic looks like on the wire, so that filters (corporate or governmental) that recognize and block Tor by its traffic signature let it through.

A coming-soon feature will force connections to https when available (like a hardware implementation of HTTPS Everywhere).

You can also review the Invizbox firmware source code, which the team has published. The team hopes that this transparency will:

  • prove there are no backdoors
  • allow researchers to find and highlight vulnerabilities
  • earn the team immediate trust

InvizBoxGo Easy Setup


The testing

I ran the InvizboxGo through a gauntlet of technical tests (while on VPN) and it passed every single one:

  • does not leak DNS queries when in VPN mode (go here to test)
  • does hide your actual IP address (go here to test)
  • does not leak IP or DNS information via Java or Flash (go here to test)
  • protects P2P traffic. Although I do not condone or encourage the use of P2P tools to steal protected media, there are dozens of legitimate uses for P2P technology. It is important to ensure your VPN product protects you while using P2P, and Invizbox did. Go to this site and find the Torrent Address Detection test. Load their magnet link into your P2P client of choice, then activate the test. If it shows your real IP or DNS, you are not protected. You should only see your VPN address here.
  • is not subject to WebRTC leaks when in VPN mode (go here to test)

I conducted my tests via VPN because that is what most users will likely use. If you are technical enough to use TOR, you can do your own testing.

Yes, it did slow down my connection to the Internet, but that depends on a ton of factors. The amount of slowdown will be based on your ISP (potential throttling of VPN traffic), connectivity between you and your chosen VPN endpoint, number of hops, traffic on the net, encryption overhead, etc. Overall there was a slowdown (which is normal) but not enough for me to panic.

The killer feature

The InvizboxGo was delivered with the promise of auto-update. The creators promised to keep the device updated to add functionality and patch vulnerabilities. This update should be automatic if you keep your device connected regularly.

So far I have received one update (during my 2 months of testing) and think this is a big plus if they keep it up.

Issues with the InvizboxGo

My first complaint is that it works well for most captive portals (hotel and airport) but I have not been able to connect it to a corporate portal or WIFI requiring username/password to connect. I was told this issue is logged and that they will investigate.

The second issue is that the device doesn't have a physical ethernet port. Most of my connections are WIFI but recently I have stayed in top tier hotels that have only had Ethernet in the rooms which meant I had to use another Ethernet to WIFI device then use Invizbox to secure my connection. 

I would have liked some kind of additional add on that would allow me to use an Ethernet connection (for WAN) when required.

Conclusion

Overall this is a fantastic unit that I enjoy using. It is fairly speedy, reliable and easy to use.

The Workflow IOS Automation app is now free

General | Edward Kiledjian

Automation can help with simple tasks like converting a webpage to PDF, or can become a complex monster saving you hundreds of hours a year. Until the Workflow app came to iOS, true automation was an Android-only benefit.

The $5 app is now permanently free because Apple acquired them

The Workflow app has been around for a couple of years and is a distant cousin (functionally) to IFTTT. It allows users to string together a series of actions, tasks, conditions and inputs and perform all kinds of useful tasks.

It can:

  • Encode media
  • Record Audio
  • Post on social media
  • Automate app functionality where a URL scheme is exposed
  • Send emails
  • Pull RSS feeds
  • much much more

What we don't know yet is what Apple will do with the team and the app. It was made free, but there is always the risk Apple will kill the app and move some of its functionality into:

  • a new Apple-branded app
  • a new version of iOS
  • a new service running on iCloud