Simple tricks to boost security
As always HTTPS is one of our greatest allies in the quest for privacy and security. Thanks in large part to Let’s Encrypt, millions of sites are now served with everything after the domain name encrypted.
This is far from a silver bullet, especially if it’s configured without Perfect Forward Secrecy (using ephemeral keys so that even if one is recovered it could only decrypt a fraction of any data harvested), but in some sense it’s the best that we’ve got. It does a good job of halting man-in-the-middle attacks, and it’s easy to explain to your parents: “Just look for the green padlock!” The EFF and Tor Project provide a browser plugin – HTTPS Everywhere – which ensures everything that can be served securely is.
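The remark above about HTTPS “configured without Perfect Forward Secrecy” is a server configuration question: a TLS 1.2 server that still offers static-RSA key exchange lets a recovered private key decrypt recorded sessions, whereas the ephemeral (EC)DHE suites do not. The short Python program below is an added example (not code from the article or from any project it mentions) showing how a server-side TLS context is restricted to forward-secret suites and how to audit a context for suites that are not. It assumes Python 3.7 or later with an OpenSSL-backed ssl module; the “kx-…” key-exchange labels are the names OpenSSL reports, and the cipher string is an ordinary OpenSSL cipher list.

```python
import ssl

# Key-exchange labels that the ssl module reports (via OpenSSL) for ephemeral
# exchanges. "kx-any" is what TLS 1.3 suites report, and TLS 1.3 is always
# forward secret; the static-RSA exchange shows up as "kx-rsa".
FORWARD_SECRET_KX = {"kx-ecdhe", "kx-dhe", "kx-ecdhe-psk", "kx-dhe-psk", "kx-any"}


def is_forward_secret(cipher):
    """cipher is one of the dicts returned by SSLContext.get_ciphers()."""
    return cipher.get("kea") in FORWARD_SECRET_KX


def non_forward_secret_ciphers(ctx):
    """Names of the suites a context would still offer without forward secrecy."""
    return [c["name"] for c in ctx.get_ciphers() if not is_forward_secret(c)]


def forward_secret_server_context():
    """A server-side context limited to ephemeral (EC)DHE suites for TLS 1.2.
    TLS 1.3 suites stay enabled because they are ephemeral by construction."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # OpenSSL cipher-string syntax: only suites whose key exchange is ECDHE or DHE.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM")
    return ctx


if __name__ == "__main__":
    ctx = forward_secret_server_context()
    print("suites offered:", len(ctx.get_ciphers()))
    print("non-forward-secret suites left:", non_forward_secret_ciphers(ctx) or "none")
```

Running it prints a non-empty suite count and “none” for the leftover list; feeding an unrestricted context (plain ssl.create_default_context()) to non_forward_secret_ciphers on an older OpenSSL build is the quickest way to see which RSA-key-exchange suites a default configuration would still accept.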
Email is all well and good, and PGP (once you get your head around it) boosts security immensely. But can you really trust the recipient (or their client, www.theregister.co.uk/2017/10/11/outlook_smime_bug) not to leave a decrypted copy lying around? End-to-end encrypted messaging apps like Signal (WhatsApp uses the same encryption, but that’s owned by Facebook) are much more suited to this purpose. Our government may want to cripple this kind of communication, but no one can stop a sufficiently motivated coder from making a new platform.
Ultimately, if you’re relying on a VPN, or any one individual service, to provide privacy, you’re doing it wrong. Quoting Mulder, “Trust no one” and quoting Snowden “Use Tor. Use Signal.”
An individual’s traffic will use lots of different exit nodes, so in this sense Tor offers more anonymity than a VPN. That doesn’t mean it should be considered a free VPN. Bandwidth is scarce on the Tor network and so should be used considerately. It’s also worth noting that both Tor and a VPN could modify unencrypted traffic. The Tor Project actively monitors exit nodes and has strict guidelines against exit node operators harvesting data which could in any way impinge on users’ privacy. In particular, people who have attempted to generate lists of Tor Hidden Services have had their relays closed. This proactive monitoring has uncovered all manner of suspicious – but not outright incriminating – activity, which has seen the prudent removal of some nodes.
Since anyone can run a Tor node, then anyone with sufficient budget can run hundreds of them. If you’re running several hundred entry nodes and several hundred exit nodes, then eventually some poor user will be ingressing and outgressing via relays under your control. It’s far from trivial, but by looking at the size of requests, and getting timings just right, then you’ll be able to correlate entry traffic (which reveals the user’s IP) with exit traffic (which reveals where the user is connecting), deanonymising that user.
Back in June 2014, two researchers from Carnegie Mellon University (CMU) were scheduled to give a presentation on breaking Tor at the Blackhat security conference. The talk was pulled at the last minute. Earlier that year, the Tor project had noticed 115 relays appearing on the network all at once. But since these were middle-relays, they were thought to not be a concern. As it turns out, this was the result of a slightly unsavoury alliance between the Department of Defence and the researchers. Allegedly the researchers were paid $1 million for their efforts.
Some months after the relays’ anomalous appearance, Silk Road 2, a well-known darknet market place, was shut down. In the ensuing legal proceedings, it was confirmed that CMU provided information to the FBI. In a separate operation, the FBI took control of Playpen – a Tor site that hosted materials relating to paedophilia. During two weeks of operating it, the FBI was able to get the IP addresses of some 1,300 individuals, who were duly charged. However, many of these cases were dropped when courts sided with defence lawyers who wanted details of the Network Investigative Technique (NIT) the FBI used. Whether this was some JavaScript trickery, or a vulnerability in the Tor network, we may never know. But a cynical take is that the FBI values it more than prosecuting those involved in heinous crime.
Here, take my data!
It’s all well and good taking precautions to stop three- or four-letter agencies and ne’er-do-wells getting hold of your data, but consider the amount of personal data people voluntarily hand over to social media companies every day. We haven’t discussed it here, but the relationship between Internet giants and governments is complex. On the one hand we saw Apple very publicly refusing to make custom firmware which the FBI could then use to decrypt a terrorist’s iPhone, and Microsoft refusing to turn over data (connected with a darknet marketplace suspect) stored on Irish servers to US authorities in 2013. But on the other hand disclosures by Snowden revealed programmes such as PRISM (latterly referred to as “downstream”), by which these same companies effectively handed data to the NSA, FBI and CIA.
We set up a wireless hotspot on a Raspberry Pi (it’s easy with hostapd), connected Jonni’s smartphone to it and ran iftop, the connection monitor. You can see the results in the screenshot. Even when the phone was off, all manner of data flows to all manner of places. And this was with LineageOS – the situation will be far worse for Android. If you’re concerned that one of the machines on your network may be compromised, then putting it behind a device such as this is a good check. If an insidious-enough rootkit is installed then you can’t trust the output from programs on the machine, because all these things can be doctored. With a freshly installed Raspbian, there’s much less opportunity for malfeasance. It’s worth looking into making a Pi-powered Tor hotspot (see LXF196) too, it’s a nice way of obviating Tor dropouts and accidental deanonymisation.
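iftop gives a live view, but once the Pi is doing the NAT for the phone, the kernel’s connection tracker already holds every flow with byte counts, and a few lines of Python can summarise them per destination after the fact. The program below is an added example, not code from the article: it parses lines laid out like the gateway’s /proc/net/nf_conntrack (assuming connection accounting is switched on with nf_conntrack_acct=1, which is what makes the packets= and bytes= counters appear), totals traffic per destination for the monitored device, and picks out flows to classic plaintext ports, which is exactly the traffic a hostile hotspot, VPN or Tor exit could read or alter. The sample lines and addresses are constructed (RFC 5737 ranges); on a real Pi you would feed it the contents of /proc/net/nf_conntrack instead.

```python
import re
from collections import defaultdict, namedtuple

# Constructed sample lines in the layout of /proc/net/nf_conntrack on a Linux gateway.
# 192.168.4.2 is the phone on the Pi's hotspot, 192.168.4.1 the Pi's hotspot address
# and 192.0.2.1 the Pi's upstream (NAT) address. Assumption: nf_conntrack_acct=1.
SAMPLE_CONNTRACK = """\
ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.4.2 dst=203.0.113.10 sport=51000 dport=443 packets=12 bytes=1800 src=203.0.113.10 dst=192.0.2.1 sport=443 dport=51000 packets=9 bytes=4200 [ASSURED] mark=0 zone=0 use=2
ipv4     2 udp      17 28 src=192.168.4.2 dst=192.168.4.1 sport=40001 dport=53 packets=1 bytes=60 src=192.168.4.1 dst=192.168.4.2 sport=53 dport=40001 packets=1 bytes=120 mark=0 zone=0 use=2
ipv4     2 tcp      6 120 TIME_WAIT src=192.168.4.2 dst=198.51.100.7 sport=51002 dport=80 packets=5 bytes=600 src=198.51.100.7 dst=192.0.2.1 sport=80 dport=51002 packets=4 bytes=9000 [ASSURED] mark=0 zone=0 use=2
ipv4     2 udp      17 170 src=192.168.4.2 dst=203.0.113.10 sport=51003 dport=443 packets=30 bytes=15000 src=203.0.113.10 dst=192.0.2.1 sport=443 dport=51003 packets=40 bytes=60000 [ASSURED] mark=0 zone=0 use=2
"""

Flow = namedtuple("Flow", "proto src dst dport bytes_out bytes_in")
KEY_VALUE = re.compile(r"(\w+)=(\S+)")

# Ports whose usual payload is plaintext; an assumption for this example, extend to taste.
PLAINTEXT_PORTS = {21, 23, 25, 80, 110, 143}


def parse_conntrack(text):
    """Turn conntrack lines into Flow records. Each line carries the originator's
    tuple first and the reply tuple second, so the first src/dst/dport belong to
    the originator and the two bytes= counters are outbound and inbound."""
    flows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        proto = fields[2]
        values = defaultdict(list)
        for key, value in KEY_VALUE.findall(line):
            values[key].append(value)
        counters = [int(b) for b in values.get("bytes", [])]
        flows.append(Flow(
            proto=proto,
            src=values["src"][0],
            dst=values["dst"][0],
            dport=int(values["dport"][0]),
            bytes_out=counters[0] if counters else 0,
            bytes_in=counters[1] if len(counters) > 1 else 0,
        ))
    return flows


def summarise_device(flows, device_ip):
    """Per-destination totals for one device, busiest first: what iftop shows,
    but aggregated across connections and sortable after the fact."""
    totals = defaultdict(lambda: [0, 0])
    for f in flows:
        if f.src == device_ip:
            totals[(f.dst, f.proto, f.dport)][0] += f.bytes_out
            totals[(f.dst, f.proto, f.dport)][1] += f.bytes_in
    rows = [(dst, proto, dport, out, inb)
            for (dst, proto, dport), (out, inb) in totals.items()]
    return sorted(rows, key=lambda row: row[3] + row[4], reverse=True)


def plaintext_flows(flows, device_ip):
    """Flows from the device to classic plaintext TCP ports."""
    return [f for f in flows
            if f.src == device_ip and f.proto == "tcp" and f.dport in PLAINTEXT_PORTS]


if __name__ == "__main__":
    flows = parse_conntrack(SAMPLE_CONNTRACK)
    for dst, proto, dport, out, inb in summarise_device(flows, "192.168.4.2"):
        print(f"{dst:>15} {proto}/{dport:<5} out={out:>7} in={inb:>7}")
    for f in plaintext_flows(flows, "192.168.4.2"):
        print("plaintext:", f.dst, f.dport)
```

On the sample, the busiest conversation is UDP to port 443 (the shape of QUIC or DNS-over-HTTPS style traffic), and the one HTTP flow to port 80 is flagged as plaintext; which destinations deserve a closer look is the same judgement you would make reading the iftop screen, only now it can be made from a saved snapshot rather than in real time.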
US spying programmes were legitimised in 2008 by Section 702 of the FISA Amendments Act, which doesn’t permit intentionally surveilling US citizens, but if their comms happen to be vacuumed up while agencies are eavesdropping on foreigners, then that’s fine. Not only do these programmes enable warrantless data collection in the name of “national security”, but any data collected (this numbers in the petabytes and these agencies have ample storage facilities) can be examined by other agencies investigating much less serious matters. Special attention is likely being paid to encrypted data, in the hopes that G-men will be able to break the encryption in the future. This might involve new maths, vulnerabilities, or just good old-fashioned bloated budgets and determination. Section 702 was re-authorised by Congress in January, paving the way for another six years of bulk surveillance. You have been warned…
“A malicious VPN has the potential to spy on all of its users’ unencrypted traffic”