Insights For Success

Strategy, Innovation, Leadership and Security

Confidentiality

VPNs don't protect your privacy

General | Edward Kiledjian

A podcast is a great way to consume a large amount of new information in a short period of time. Every week, I listen to dozens of podcasts that cover topics such as tech, security, news, economics, psychology, and more. In the past year, I have been bombarded with host-read advertisements sponsored by NordVPN and ExpressVPN. Many of these hosts are reading copy that is unreliable at best or purposefully misleading at worst.

This article aims to clarify misinformation regarding privacy improvements directly related to VPNs.

TL;DR: A VPN alone does not provide adequate privacy

The following article is intended for a general audience. Professionals in Information Security can devise solutions that incorporate VPNs to provide the level of privacy and security required by their customers (based on the customer's specific risk profile).

More Details

If you are not paying for a product or service, then you are that product. You should never utilize a free VPN service. Operating a VPN service is expensive, so they must recoup their costs somewhere (and they will probably make a large profit selling your information to data brokers).

A VPN can fail you in dozens of ways, but the fundamental point to understand is that you are shifting all of your traffic through the VPN provider (which means that if the provider is breached or decides to sell your data, it has access to everything). Perhaps you do not want your large ISP to be able to see your Internet traffic, but would an unnamed VPN provider be any better?

The truth is that while many companies claim to operate on a zero-log basis, there is no way for a user to determine this for certain. Several providers have failed to meet their zero-log promises, resulting in a user being profiled or arrested.

Tracking you

Dozens of hosts are simply reading ad copy provided by the advertiser, and I have heard similar ads on dozens of other podcasts.

The first question is a valid one: would you rather have your ISP or the VPN provider see all of your traffic? Most people dislike their ISP with the passion of a thousand suns, but at least you have some understanding of what it is doing. I would trust only a few VPN services more than my Internet service provider.

The majority of websites now use HTTPS/TLS, which creates an encrypted tunnel between a user and a website. As an example, if you are using HTTPS/TLS to access Facebook (which is now the default), your ISP will know you visited Facebook and how long you spent there, but it cannot see what you did, nor can it inject traffic into that flow or modify it in any way.
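To make the previous paragraph concrete, here is an added example (my own Python, not code from the article) that builds a minimal TLS ClientHello for a constructed hostname and then parses it the way a passive on-path observer would: the Server Name Indication is readable in cleartext, while the request itself, once the handshake completes, is not. The record builder is a simplified constructed test input, not a full handshake.

```python
import struct


# Constructed test input: a minimal TLS 1.2-style ClientHello carrying only an
# SNI extension. Real browsers send many more extensions, but the server name
# sits in the same place and is just as readable.
def build_client_hello(server_name: str) -> bytes:
    name = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name        # type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list  # extension 0 = SNI
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (b"\x03\x03"               # client_version: TLS 1.2
            + b"\x00" * 32            # client random (zeros; constructed)
            + b"\x00"                 # session_id: empty
            + b"\x00\x02\x13\x01"     # one cipher suite
            + b"\x01\x00"             # compression methods: null only
            + extensions)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes):
    """Return the host_name from the SNI extension of a ClientHello record, or
    None for anything else (non-handshake records, no SNI, truncated data).

    This is what an on-path observer (your ISP, a hotspot, or a VPN provider
    on the far side of its tunnel) can read. Every record after the handshake
    is ciphertext, so the same observer learns nothing about the request."""
    if len(record) < 5 or record[0] != 0x16:          # 0x16 = handshake record
        return None
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(hs) < 4 or hs[0] != 0x01:                  # 0x01 = ClientHello
        return None
    p = 4 + 2 + 32                                    # header, version, random
    try:
        p += 1 + hs[p]                                # session_id
        p += 2 + struct.unpack("!H", hs[p:p + 2])[0]  # cipher_suites
        p += 1 + hs[p]                                # compression_methods
        if p + 2 > len(hs):
            return None                               # legacy client: no extensions
        end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]
        p += 2
        while p + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", hs[p:p + 4])
            data = hs[p + 4:p + 4 + ext_len]
            p += 4 + ext_len
            if ext_type == 0x0000 and len(data) >= 5:
                name_len = struct.unpack("!H", data[3:5])[0]
                return data[5:5 + name_len].decode("ascii", "replace")
    except (IndexError, struct.error):
        return None                                   # malformed or truncated
    return None
```

Feeding an application-data record (first byte 0x17) to `extract_sni` returns None: the destination name is the only thing recoverable, whichever network you are on.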

The other fallacy is that data brokers or large social media sites require your IP address in order to track you. VPNs do conceal your origin IP address, but very few trackers still rely on it to identify you. They also take into account other factors, such as the operating system, plug-ins, display size, and resolution. Any website that has a Facebook Like button shares traffic information with Facebook. Any site using Google Analytics shares information with Google.

Use the EFF's Cover your Tracks website to find out how identifiable you are.

Alternatives

Option 1 - Apple PrivateRelay

Rather than using a general-purpose VPN, most users would be better served by configuring their browser security and using Apple's PrivateRelay (it's not perfect, but it's more secure than VPNs for the average user).

Option 2 - TOR

Tor remains the best alternative for someone who wants maximum privacy. TOR is free, open-source and trustless. It will be slower and you won’t be able to stream music or videos, but it is a good tool for someone looking to augment their privacy on the internet.

Option 3 - Break censorship

You may wish to consider using the censorship-busting VPN service called Psiphon if you are in an environment that uses technical controls to support its censorship efforts.

Conclusion

As soon as your packets hit the VPN provider's boundary gateway, the provider strips all encryption and then retransmits your data based on the technology available on the site (where you are browsing). HTTPS/TLS will be secure, HTTP/FTP will be insecure.

A VPN was originally designed to protect a company's data while its employees were working remotely. Consumer VPNs were a secondary market, and by default, VPNs are not designed to be log-free. Providers of VPN services must devise solutions in order to make their service more private by using technologies such as RAM-only servers, configuring the VPN to delete log files, etc. It is crucial that they have a sound architecture and that they deploy this architecture correctly without errors to protect your privacy.

Although VPNs remain useful in some situations, they are not the magic bullet that will allow the average (non-technical) user to become private. A VPN is simply a tool that allows a tech professional to design an appropriate security program based on the risk profile of the user.

For the average user, the only good use of a VPN is to stream multimedia content that is geo-restricted (such as Netflix, Hulu, Peacock, etc.).

How to access tor sites without the tor browser

General | Edward Kiledjian

The last couple of articles I wrote referred readers to TOR (darknet/darkweb) sites. These sites are easy to identify because the terminating marker is .onion (instead of .com/.net/.org).

The right way of accessing TOR sites is with the secure TOR browser designed and distributed by the TOR project. This purpose-built browser uses a hardened Firefox to deliver maximum anonymity while browsing the "normal" web or tor sites.

There may be times when you are on a device that doesn't have the TOR browser and when speed is more important than privacy or security. In these situations, web-based services allow you to browse these tor (.onion) sites from a standard browser. That is the purpose of this blog article.

The following sites are web services that will allow you to access tor sites without using the tor browser (using a normal browser like Chrome, Firefox or Safari).

These services are called TOR gateways or TOR proxies. The TOR2WEB project was designed to allow users to access all onion services without using the TOR browser. The project site is here.

Remember that using these gateways means the gateway operator can see where you are going, and you lose all privacy and anonymity features of TOR.

To use TOR2WEB gateways

Using most sites is very simple: you take your TOR address.


Here is the secushare onion service at http://secushare.cheettyiapsyciew.onion/

Then you append the gateway's domain name to the end of the onion address. As an example, if you want to use the gateway called onion.ws, you simply add .ws at the end of the URL, like this:


http://secushare.cheettyiapsyciew.onion.ws

Some rare ones require you to remove the .onion at the end and replace it with their gateway URL (e.g. darknet.to). The above address would then need to be:


http://secushare.cheettyiapsyciew.darknet.to

List of TOR2Web gateways

Be aware that, as free services, many of these sites are flaky and will periodically be down. Try another one or try later.

If you visit the main domain with your browser, most will provide instructions (in case you forget how to use them).


New sites pop up every day, so if these sites don’t work for you, just search for "tor2web gateway" in your favourite search engine (startpage.com, duck.com, etc.).

Warning

I mention above that you should only use these services when security and privacy aren’t a concern. You may be wondering why. Here is the list of reasons.

Session leakage

This is the same risk you experience when using any VPN service. Because the service is the one routing you to your final destination, it sees everywhere you go and everything you see. A malicious operator can log and record your entire session, with all traffic sent back and forth (between you and the TOR service). Never enter login credentials (or anything personal) when using these gateways.

Service enumeration

When using the TOR browser with long random TOR URLs, your browsing is relatively private. When using these gateways, you are on the “normal” web and any DNS server used by your browser will see the URL you are visiting (e.g. http://secushare.cheettyiapsyciew.darknet.to).

Assume any DNS in your configured DNS chain or the providers chain will know what URL you are trying to resolve through your TOR gateway service.

User correlation

When using these gateways, the gateway operator can log all of your publicly available user identifiers (IP address, browser, OS, fingerprint, etc) and then log that you visited X tor site.
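The rewriting rule from the how-to section and the session leakage and service enumeration warnings above, as an added example (my own Python, not part of the original post): both gateway styles reduce to swapping the final onion label for the gateway's domain, and the resulting hostname still carries the onion service name, which is exactly what every DNS resolver in the chain and the gateway operator get to see. The gateway names are the page's own examples (onion.ws, darknet.to); the URL paths are constructed.

```python
from typing import Optional
from urllib.parse import urlsplit, urlunsplit


def to_gateway_url(onion_url: str, gateway_domain: str) -> str:
    """Rewrite a .onion URL for a TOR2WEB gateway.

    Both styles described on the page are one rule: the final "onion" label
    is replaced by the gateway's domain.
      gateway onion.ws   : x.onion -> x.onion.ws   ("append .ws")
      gateway darknet.to : x.onion -> x.darknet.to ("replace .onion")
    Scheme, path and query are preserved, so the gateway receives all of them.
    """
    if "://" not in onion_url:
        onion_url = "http://" + onion_url                  # assume plain http
    parts = urlsplit(onion_url)
    host = (parts.hostname or "").lower()
    if not host.endswith(".onion"):
        raise ValueError(f"not an onion address: {host!r}")
    new_host = host[:-len("onion")] + gateway_domain.lower()
    netloc = new_host if parts.port is None else f"{new_host}:{parts.port}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def onion_name_from_gateway_host(host: str, gateway_domain: str) -> Optional[str]:
    """Inverse of the rewrite ("Service enumeration"): the onion service name
    is still inside the gateway hostname, so anyone who sees the DNS query
    can recover which hidden service you went to."""
    suffix = "." + gateway_domain.lower()
    host = host.lower()
    if not host.endswith(suffix):
        return None
    return host[:-len(suffix)] + ".onion"


def observer_view(gateway_url: str, gateway_domain: str) -> dict:
    """Who learns what when a gateway URL is opened from a normal browser."""
    parts = urlsplit(gateway_url)
    host = parts.hostname or ""
    return {
        # every resolver in your chain (and the gateway's) sees the query name
        "dns_resolver_sees": host,
        "onion_service_revealed": onion_name_from_gateway_host(host, gateway_domain),
        # the gateway terminates your connection ("Session leakage"), so it sees
        # the full request: path, query string and anything typed into forms
        "gateway_operator_sees": gateway_url,
    }
```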

Conclusion

Although these gateways aren’t considered secure, there is a use case for them, and they are another tool in your online arsenal. If you use them knowing their limitations, you will be fine, and they could save you a lot of frustration.

Browse public Instagram accounts anonymously

General | Edward Kiledjian

I wrote an article on how to browse Twitter anonymously using Nitter, in which I discussed the issues and dangers of tracking by Twitter. Facebook-owned Instagram takes all of those risks and pumps them up 10 times.

Nitter is a consumption service for Twitter posts; bibliogram.art is the equivalent consumption service for public Instagram posts.

Bibliogram is a website that scrapes public Instagram profiles and displays them in a cleaner, faster-loading interface that blocks trackers, removes ads, generates an RSS feed and doesn’t require an account.

Obviously, because you are not logged in, you cannot post, comment, follow or perform other functions that require an account.

Here is the profile of vegan artisanal cheese maker Vegcheese on IG; it consumes 1.81 MB to load.


Here is the Vegcheese IG profile via Bibliogram; it consumes 748 KB to load (less than half the size of the original IG page).


You can browse bibliogram from any web browser. Here are some instances for you to try:

There are many more instances around the world, but I wanted to give you some examples. For me, the fastest is the ENDL-hosted site in Canada.

If you use Android, you can install the UnTrackMe app and force all Instagram links to open in bibliogram as well.

Exodus Privacy will help you identify the trackers embedded in your favorite Android apps

General | Edward Kiledjian

Companies large and small are always looking for new and creative ways to violate your privacy.

One popular tool of the trade is to embed trackers and ask for more permissions than necessary to "steal" user data. The question is, how do you know what trackers are embedded in your installed Android apps? This is where the Exodus Privacy report tool comes in.

Here is a sample report for the Adobe Acrobat app.


When you click on one of the trackers, it shows you interesting details.


Clearly they want to acquire as much information about you as possible to track your device. You can then decide if the app is worth giving up all this information or if you want to use another app that is less invasive.

Are iPhone users safe? The answer is no, but researchers don't have permission to analyze iOS apps. We know that many of the worst-offending apps are on both platforms and use cross-platform Software Development Kits.

So what do you do? Remove any apps from your smartphone that you don't use regularly. Before installing any application, make sure you read and understand the permissions being requested by the app. If a game wants your location, access to your camera or other unusual permissions, pick something else.

Are there "good" apps?

Yes, there are. Protonmail is an example of an app that only has crash analytics trackers built-in. Another example of a "good" app is the DuckDuckGo Privacy browser; it contains zero trackers.

I was disappointed to see NordVPN with its six trackers. NordVPN is tracking user behaviour.


You can access the database online here.

How to secure a smartphone

General | Edward Kiledjian

Smartphone hacking is a very lucrative business for “threat actors”. Vulnerability broker Zerodium is now paying as much as $2,500,000.00 for an Android full chain (zero-click) with persistence.

https://zerodium.com/program.html

The increased payouts and interest in smartphone hacking aren’t because smartphones are easy targets but because they are valuable. For most users, the smartphone is like a second brain. It contains personal data and insights like nothing ever has in the past. Access into your smartphone is almost like gaining access into your brain, your thoughts, your beliefs and your habits.

There is a misguided belief in the market that an iPhone is more secure than an Android device. That is not the case. An adequately secured Android can be as (or more) secure than a normally configured iPhone. And Android offers more options to heighten your security where you may need it (whereas iPhone is one size fits all).

As you read through this article, I will try to explain some of the differences.

Who is this tutorial for?

As a security professional, my recommendations are designed based on the threat model of the customer I am advising. This article aims to help a general consumer or business user who is trying to mitigate the most common and general types of risks. This means that their typical attacker will be a low-resource individual using conventional attack techniques such as stalkerware, scams, social engineering and easily accessible hacking tools.

This article is not for an individual that is targeted by a nation-state or well-funded criminal organization. This last category requires custom attention that cannot be addressed via an article.

What is the goal of strong security?

Total, complete and unbreakable security does not exist. The goal of this article is to set up enough roadblocks that the type of adversary you are dealing with will likely give up and move on to another target. The best analogy is to think of this in terms of a door lock. A good door lock will keep out common criminals but won’t deter a determined, skilled and well-funded adversary.

Is Security the same as privacy?

Privacy is being talked about more and more because of very public breaches (Marriott, Equifax, etc.) and new regulations like GDPR or CCPA. Security often supports privacy, but not always. There are times when you have to choose one or the other. Where such a choice is required in this article, know that I have chosen the secure option.

Encryption

Most modern devices are encrypted during the initial setup but you should double-check just to be sure.

The EFF published an article explaining how to encrypt iOS devices (versions 4 through 11).

To maximize the protection encryption offers, you should choose a long (but memorable) alphanumeric password or a 6-8 digit passcode.

  • An example of a long memorable alphanumeric passphrase is: I3at@ppl3sAtMidn1ght

  • An example of an 8 digit secure passcode is: 72046290

You should also configure your device to erase all contents after a certain number of failed login attempts. This will protect you from a brute force attack.

Device encryption is a tool to secure your data when someone has physical access to your device but does not have the password (loss or theft of your device). It offers no protection from malware, viruses, or other related nasties.

Find my device

Both iPhone and Android offer free tools to find a lost or stolen device. More importantly, they offer the option to remotely wipe your device if you are sure it is lost (not misplaced). For this remote feature to work, you have to ensure that the option is enabled on your device.

  • Here is the Apple article explaining how to enable Find My Phone on iOS devices.

  • Here is the Google article explaining how to enable Find My Phone on Android devices.

Remember that this option needs to be enabled before you lose your device (it cannot be done afterwards).

Both iOS and Android require that the phone be powered on and connected to the internet for this feature to work. If you want to remotely wipe your device, do it before you report your phone lost to your carrier (they will immediately deactivate your line and remote wiping won’t work).

Enable two-factor authentication

A chain is only as strong as its weakest link. Today’s smartphone is a powerful network-connected computer. Most smartphones connect back to either an Apple or a Google account. Any compromise of these accounts can lead to a compromise of your smartphone.

Two-factor authentication may sound scary but it is very simple to implement with Apple and Google. By doing this you secure your online presence by making your account more difficult to compromise and more resilient to unauthorized access.

  • Here is a Google article on how to enable two-factor authentication for a Google account.

  • Here is an Apple article on how to enable two-factor authentication for an Apple ID.

In the modern implementation of this system, the service pings your phone (when you are logging in from a computer) or another device connected to your account (when you are logging in from a mobile device).

When setting up, you will be asked to choose a backup authentication mechanism, and you should choose a Time-Based One-Time Password (TOTP) option. Never choose SMS or email (as those are very easy to compromise).

You will be asked to download a TOTP application and scan the barcode shown during the setup of two-factor authentication. This barcode is a one-time thing and will never be shown again. A good cross-platform TOTP app that synchronizes your codes across multiple devices is Authy. Authy is a trusted, well-designed app and is completely free.

  • You can download Authy from the Google Play store (for Android) here

  • You can download Authy from the iTunes store (for iOS) here

Another good app (that is available on both platforms) is the Google Authenticator app. The Google app does not sync TOTP tokens across devices so if you change your smartphone, you have to revisit each site and reset the two-factor authentication process to get a new seed (aka the barcode).
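An added example (my own Python, not code from the article) of what the barcode actually carries and what the app computes from it: the QR code encodes an otpauth:// URI whose secret is the seed, and every six-digit code is an HMAC over the current 30-second counter (RFC 6238), which is why the seed is shown once, why a lost phone without a synced backup means re-enrolling on every site, and why the server should tolerate a little clock drift. The otpauth URI is constructed; the secret is the RFC 6238 reference key, so the codes can be checked against the RFC's published test vectors.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed enrolment barcode contents. Authy and Google Authenticator scan
# exactly this kind of otpauth:// URI; the secret here is the RFC 6238
# reference key "12345678901234567890" in base32.
OTPAUTH_URI = ("otpauth://totp/Example:alice?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
               "&issuer=Example&digits=6&period=30")


def parse_otpauth(uri: str) -> dict:
    """Pull the seed and parameters out of the barcode. Whoever holds the
    seed can generate every future code, which is why it is shown only once
    and why a backup of it (or a synced app) matters."""
    parts = urlsplit(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    q = parse_qs(parts.query)
    b32 = q["secret"][0].strip().upper()
    b32 += "=" * (-len(b32) % 8)                      # restore optional padding
    return {"label": unquote(parts.path.lstrip("/")),
            "secret": base64.b32decode(b32),
            "digits": int(q.get("digits", ["6"])[0]),
            "period": int(q.get("period", ["30"])[0])}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, period: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter set to the current time step."""
    return hotp(secret, unix_time // period, digits)


def verify_totp(secret: bytes, code: str, unix_time: int,
                period: int = 30, digits: int = 6, drift_steps: int = 1) -> bool:
    """Server-side check. Accept the current step and `drift_steps` steps on
    either side so a phone clock a few seconds off still works, and compare
    in constant time. Real services also refuse to accept the same code twice."""
    for k in range(-drift_steps, drift_steps + 1):
        candidate = totp(secret, unix_time + k * period, period, digits)
        if hmac.compare_digest(candidate, code):
            return True
    return False


def current_code(uri: str, unix_time: int) -> str:
    """What the authenticator app displays for this barcode at this time."""
    p = parse_otpauth(uri)
    return totp(p["secret"], unix_time, p["period"], p["digits"])
```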

Another good backup option is using a USB security token. The best option right now is the Yubikey product. It does cost money but is solid and unbroken (as I write this). I am not recommending the Google Titan key because many third-party sites that allow two-factor authentication (see the list here) do not support the Google Titan but do support the Yubikey products.

Update, Update, Update

I had to write update three times because it is critically important. Make sure you configure your phone to download and install updates automatically for both the operating system AND the applications.

95% of hacks are made possible because people use insecure passwords, don’t enable two-factor authentication and don’t update their applications & operating systems.

Reboot regularly

We have seen a healthy number of non-persistent malware samples in the wild. This means that the hack used does not persist after a reboot (aka a reboot gets rid of the hack). This isn’t always the case but, nevertheless, it is a good idea to regularly reboot your device.

Application firewalls

Know that hackers who crack software are not benevolent and that a cracked app probably contains malware. Unless you know what you are doing, never download applications from third-party app stores or websites (this is a problem on Android but not on iOS, since Apple does not allow users to side-load applications).

Even apps on the app stores can sometimes become malicious when the original developer sells the app and the new owners push a change containing malware. Apple and Google work hard to prevent this but we have seen examples of this in the real world on both platforms.

Application firewalls are an easy way to control which apps can have access to mobile or WIFI data.

  • On Android, you can use the NetGuard application available on the Google Play store.

  • On iOS, you can use the Lockdown application available on the Apple AppStore.

There are other apps available, but these are the easiest for the general user. Here is a quick tutorial and overview of NetGuard.

Take the time to install and configure one of those apps. Remember that attackers love using loose application permissions to steal information from your device.

As you set this up, take the time to review all of your installed apps and uninstall any that you no longer require (we call this reducing your attack surface). If you use an app once a quarter, install it when you need it, use it, then uninstall it.

Some apps request a lot of permissions but will still work if you restrict some of the more worrisome ones (think about access to your location, photos, microphone, etc.). As an example, read this article documenting when Uber changed how it collected user location data and started collecting it all the time.

The app update (it’s 3.222.4, for those keeping track) changes the way Uber collects location data from its users. Previously, Uber only collected location information while a user had the app open – now, Uber asks users to always share their location with the ride-hailing company. - TechCrunch

Android 10 and iOS 13 both allow you to choose when an app can access your location, so make the right choice and don’t just share your location (or other data) all the time when it may not be required.

Public WIFI is evil

Many companies and venues use WIFI and Bluetooth to track you as you walk around their establishments. Many malls use tools from companies like AisleLabs to track you thus enabling them to target you more accurately. Attackers can use WIFI or Bluetooth to compromise your device as well.

The easiest approach is to assume that all public WIFI is evil.

When not absolutely required, turn off WIFI and Bluetooth.

Do not automatically connect to WIFI networks. I won’t get into the details here (because this is a more general article) but hackers can find out what your home network is called and trick your device into connecting to them (thinking it is that trusted home network).

Anytime you connect to a public (aka not your own WIFI) network, use a VPN to protect your traffic. I won’t discuss which VPN to choose here, but stay away from free or very cheap VPNs.

If you aren’t paying for the product, you are the product.

Choose a solid, well-known provider whose policies and practices have been independently reviewed in some way.

You can run TOR to secure your traffic but that will be too slow and cumbersome for most users.

Secure backup and cloud

On August 31, 2014, hackers released tons of celebrity personal photos and videos (many naked and pornographic in nature). This event was called The Fappening, and it was made possible because the iCloud accounts used to back up those photos from the smartphones had been compromised. We don’t believe Apple was compromised, but the attackers somehow managed to find the usernames and passwords for these users. Another reason you should enable two-factor authentication now.

Beyond 2FA, most users may not realize that their information is being backed up to the cloud. Remember that cloud backup is an easy way for attackers to steal your data. Once you have two-factor authentication enabled on your accounts, ask yourself what you should be backing up to the cloud and where it should be backed up.

Remember that if you choose to trust the backup of your default provider (Apple or Google), you are not in control of your data. In most cases, we know the data is saved unencrypted on those services.

  • Apple has given police data backed up from an iPhone to iCloud

  • Google, Dropbox and others routinely scan your content looking for malware or copyrighted material

I recommend choosing a secure end-to-end encrypted cloud backup service (if you want to use one). Although there are a bunch on the market, I recommend looking at Sync.com. They offer an end-to-end encrypted product (using the Trust No One model). This means that as long as you use two-factor authentication and a long passphrase, your content should be relatively secure.

Your Browser

Your browser is one of the most dangerous apps on your smartphone because it is designed to run code from a remote server (aka a webpage). In the worst-case scenario, a browser can load a malicious zero-click exploit that takes over your phone without you having to do anything and without you even realizing it. Most of these are non-persistent, which is why I recommended regularly rebooting your device earlier.

On Android, I recommend you take a look at a browser called Bromite. Unfortunately, due to app store rules, they do not offer a version on the Google Play store and you have to sideload it if you want it. Bromite supports ad-blocking natively and uses the uBlock Origin model.

It also supports DNS over HTTPS (DoH). You can also enable HTTPS Everywhere and configure it to block unencrypted traffic. You should also disable JavaScript and sparingly re-enable it for the few sites that you absolutely need but that break without JavaScript.

On iOS, I recommend the Brave browser (which is also available on Android, but Bromite is more secure). You can download Brave from the Apple AppStore here.

Stalkerware

Stalkerware is a category of badware installed on your device by a third party to spy on you and often to track you.

The EFF is spearheading an initiative to fight stalkerware (read this) because it is often used to victimize you. Think of it as commercial spyware that covertly steals your data and sends it to the stalker. In some cases, the stalker can be an ex, but remember that many companies use Mobile Device Management software that can often perform the same function (normally when the device is company-owned or is allowed to access the corporate network). In the case of companies, it is most often done for security reasons. Otherwise (in the private space), it is used to victimize or control someone.

If you are not using a corporate phone and suspect something may be going on (in most cases you won’t realize it), the only way to secure your device is to perform a factory reset and restart the set up from scratch.

Remember that the threat actor (partner, ex, etc.) has to access your device to install the stalkerware so never leave your device unlocked, never leave it unattended and choose a long and complicated passphrase.

Other settings

On iOS, choose Limit Ad Tracking; instructions can be found here. Choose to reset your Advertising ID (instructions here) periodically.

On Android, choose Opt-Out of Interest-based Ads, instructions can be found here.

Conclusion

I know this was probably a dry and long article for most of you, but I needed to get it out. This is a question I receive regularly and I wanted to write about it rather than respond individually to each of you. If you have questions or want to send me a note, do it on Twitter (my handle is @ekiledjian).

Hope you found this article interesting and useful.