- Aaron – 8/7/2024
Introduction
“If you can’t secure your connection in some dingy hotel, nothing else downstream will matter.”
That’s the answer I received when I asked if I could use a Raspberry Pi to remote start a car, like a total noob.
Looking back it was the perfect answer for a stupid question, but like a LOT of other dudes, I was tech savvy enough to know something ought to be possible without knowing how much knowledge goes into an undertaking like that.
Also like a lot of other dudes, I’d seen videos of the early-phase Flipper Zero and started to imagine all the cool stuff I could do with it.
One of my good friends, enamored with the small town closeness he saw when visiting in the Ozarks, had bought a place right across the road from me, and brought with him 20+ years of networking and scripting experience, so with Raspberry Pi and Flipper Zero in hand, I knew just enough to be dangerous to myself… but with the safety net of having a techy friend nearby.
Several years later, I know enough to not be dangerous to myself. I still have a lot to learn, but with some of the newness knocked out of me by a degree plan and a good mentor, it’s time to pass on what I think are some of the most important steps you can take with regards to cyber security… and ways of incorporating it into our existing framework for problem solving.
Radio Frequency and over-the-counter explosives
Comparing Notes
When I think of cyber security, I think of it in terms of “Understanding Emergencies”. After all, cyber attackers may cause inconveniences, but they have not generally been of the “Type I: Direct Threat” variety. That’s changed now, and we’ll get to that, but first, I think it’s best to frame our digital security efforts as analogous to our physical security efforts.
The very first thing we discuss is always awareness. In the physical space, this means being able to rapidly categorize things as safe, unknown, or threatening. We do this by assessing the physical appearance of the subject and then observing facts about them, from demographics to posture.
In the digital realm, we don’t have the visual cues, so we have to rely more on the “GUN” principle of “generally, usually, and never”… as in “generally, public internet connections are vulnerable, usually point of sale terminals are safe, and never click the @#&!ing link”
We know that we shouldn’t expect privacy on public WiFi, that most of our transactions on PoS terminals are safe… but skimmers exist, and that a huge number of attacks require clicking a link, but there are exceptions. To say we will NEVER click a link would be absurd, so we should build in a framework that allows us to verify something is trustworthy before we decide to use it or not.
These kinds of threats should look to us like some shadowy figure in an alleyway. It could be some drunk peeing on a wall, but it could also be a dude looking to crack you over the head with a bottle and take your wallet.
With that in mind, what’s our “EDC” for digital security? How about our sustainment?
This is going to be a longer one, but one that’s eminently important. Given the state of the world and the asymmetry of conflict going on in cyberspace, your chances of being hit with a digital attack are probably greater than those of a physical one.
Executive Summary
If you don’t do anything else, buy a travel router and use Proton’s VPN. These are your “flashlight” and “multitool” of your digital EDC. They’ll get daily use if you use them. Having a battery bank is like having a lighter. You don’t always need it, but when you do it’s nice to not have to bum one.
Tools like the Flipper Zero are the “handgun” of our cyber EDC – they’re offensive tools that require some training and skill, but they’re also fun and interesting.
First Line: EDC
Our first line equipment is that which is on us when we’re up and dressed. It’s meant to deal with the “Type I: immediate threat” situation that requires good planning, awareness, and the right tools.
VPN – the first item is the VPN, or virtual private network. Privacy and anonymity is the first step in staying safe and the VPN plays a crucial role. By encrypting your internet connection and masking your IP address, the VPN helps ensure that your online activities are private. Essentially, the VPN creates an anonymous tunnel through which your data passes.
While it’s a good practice in normal times, it matters most when dealing with spurious, public WiFi hot-spots that can easily host a man-in-the-middle attack, or that provide you no anonymity from anyone else on that network. Just as important, it can be had on your smartphone, laptop, desktop, or anything in between.
Proton VPN is the current Gold Standard. Go ahead and make an email while you’re at it. If you like privacy.
MFA – The next step is Multi-factor authentication, or MFA. MFA creates an additional layer (or layers) of verification that make an attempt at hacking an account more difficult. MFA ensures that as long as you have physical control of your verification device, it’ll be VERY difficult to crack the password and get the verification.
There are excellent social engineers out there though, so general awareness is required. Remember to never, for any reason, share verification codes!
Browser Selection and Search Engine – Now that we’ve dealt with the immediate threat of attacks, let’s talk a bit about the collection of data that can be used against you that’s collected by big tech, or used by hackers to view your online habits and exploit you by using them.
The gold standard for browsers is still Mozilla’s Firefox (or the offshoot IceWeasel), while Brave offers some of the benefits with a Chromium-based architecture, making it more compatible with certain browser features and plug-ins. It’s still going to have Google as a backend, though, so for protecting any data you may want kept private, it’s best to use Firefox with a privacy-forward search engine like DuckDuckGo or Startpage. These search engines don’t track you or log your search queries, and thus, can’t create profiles that will target you with ads.
Flipper Zero – While these little tools were hyped in the media for being a portable hacking device that threatened to upend security as we know it, the truth is… it kind of is, but not without a LOT of technical experience. And, in the meantime, there are a lot of useful tasks it can help with.
While it deserves its own article, the long and the short is that it’s excellent for looking at wireless communications on sub-GHz frequencies, RFID, NFC, Bluetooth, and IR – all of which are major connectivity methods for IoT devices.
The Flipper can not only act as an insanely handy digital multi-tool/key, but it can help you look for and fix vulnerabilities in your own security posture.
Don’t expect it to do much with the stock firmware, but if you’ve got some basic skills you can once again be a danger to yourself.
…Just don’t leave it on and in your pocket unless you don’t want kids.
Strong Passwords – Here’s one that’s going to sting, but change your password, use a strong password, and don’t use patterns. Short sentences with unique characters, numbers and a mix of capital and lower case are a good bet.
I love this image because it has 800,000 years in yellow. I think you’re probably good to go with that personally.
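To put some numbers behind the “short sentence with mixed characters” advice and the crack-time table above, here is an added example (my illustration, not from the original post) that estimates the search space of a password from the character classes it uses, flags obvious keyboard or sequence patterns, and converts the worst-case brute-force effort into years. The guess rate is a constructed assumption, not a figure from the post.

```python
import math
import string

# Assumed attacker guess rate (constructed value for illustration):
# 10 billion guesses/second, a rough figure for offline hash cracking.
GUESSES_PER_SECOND = 10_000_000_000
SECONDS_PER_YEAR = 365 * 24 * 3600

# Character classes an attacker must include in the alphabet once they
# know (or guess) that the password uses them.
CHAR_CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation + " "),
}

# Runs that collapse the real search space: sequences and keyboard rows.
KNOWN_SEQUENCES = ("abcdefghijklmnopqrstuvwxyz", "0123456789",
                   "qwertyuiop", "asdfghjkl", "zxcvbnm")


def charset_size(password: str) -> int:
    """Alphabet size implied by the character classes actually present."""
    return sum(len(chars) for chars in CHAR_CLASSES.values()
               if any(c in chars for c in password))


def has_simple_pattern(password: str) -> bool:
    """True if any 4-char run of a known sequence (or its reverse) appears."""
    p = password.lower()
    for seq in KNOWN_SEQUENCES:
        for i in range(len(seq) - 3):
            window = seq[i:i + 4]
            if window in p or window[::-1] in p:
                return True
    return False


def entropy_bits(password: str) -> float:
    """Naive entropy: length * log2(alphabet), the 'best case' for the user."""
    return len(password) * math.log2(charset_size(password))


def brute_force_years(password: str) -> float:
    """Worst-case years to exhaust the keyspace at GUESSES_PER_SECOND."""
    keyspace = charset_size(password) ** len(password)
    return keyspace / GUESSES_PER_SECOND / SECONDS_PER_YEAR


def rate_password(password: str) -> dict:
    """Summarise the estimate; a pattern hit means the years are optimistic."""
    return {"bits": round(entropy_bits(password), 1),
            "years": brute_force_years(password),
            "pattern": has_simple_pattern(password)}
```

Note that the year figure is an upper bound: a dictionary word, a reused password, or a pattern the function flags is cracked far faster than the raw keyspace suggests.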
Awareness/Security Hygiene – Finally, BE AWARE! It’s a beaten-to-death topic, and it’s generally well-meaning but useless advice if people don’t have a clear understanding of the expectation. As it relates to this topic, though, it means keep your eyes peeled for skimmers, don’t let people put strange devices near your wallet, and don’t use public charging ports.
As well, keep your software security patches up to date. Exploits happen daily, so keeping current makes sure you don’t have an old, easy, well-documented vulnerability just kicking around for some script kiddie to exploit.
It’s hard to go over all the best practices related to awareness in a longer article, but in general, don’t assume that any public infrastructure is going to be clean. The best advice I can give you is that which was given to me: treat all public infrastructure as if it were radioactive.
You don’t want it on you.
Second Line: Sustainment
So we’ve got the absolute basics down, what about daily use? How do we keep our devices clean and protected when we’re traveling, in public, or the like?
This is where we start getting into the hardware and software to support deliberate efforts… like going to the coffee shop to use their WiFi, or traveling to the aforementioned hotel.
Travel Router – my first line of defense against the wasteland of public WiFi is a travel router. I’ve been using a GliNet Beryl router to set up a secure WiFi network that connects to a public network, and then gives me a clean signal on the other end, complete with a firewall and a VPN. It’s easy to configure, and is only a little bigger than a couple of decks of cards. As well, there is now a newer model (the “Slate”) that is available with some pre-installed security features, and that we’re moving towards. Gino got his last week and has been really impressed.
The Gli-Net Beryl and the Anker power bank
Yubico YubiKey 5 – These devices provide NFC authentication for your device and can be carried on a keychain. They are a physical passkey that ensures your MFA efforts require a physical component. Gino’s used, and highly recommends, these.
USB Condom – If you DO have to use public charging ports, such as at the airport, there are devices that can nullify the data transfer capability of the public USB port. While we used to (crudely) call them USB Condoms, they’ve been rebranded as boring old “data blockers”. These can be kept handy with whatever kit you keep your tablet or laptop in.
Better than this, though, is to just get yourself a good battery bank. I’ve been using several (a Techsmarter ruggedized, an Anker Power bank, and an Aukey bank – all of which have been great), and the technology has only improved since I bought my last.
Consider getting one with a standard 12V connector, even if they cost a little more.
Third Line: Big Picture
The third line here would be your home computer, IoT devices, and your network itself. This is a DEEP and kinda dark well, given that our routers themselves can be used to log human bodies in rooms, and that IoT devices can be exploited to give attackers access to devices inside your home. Like our third line in emergencies, this often requires a more concerted effort to isolate the risks and pull expertise from a variety of sources in order to best address the threats. It would also be reasonable to be concerned about DDoS, infrastructural attacks (and planning to work around them), drones and their impact on the conflict space of the future, and threats such as code that is “living off the land” and may either fail, or feed your data to potential adversaries, such as China.
For now though, let’s consider those as a part of a much broader threat profile that’s not solved in isolation, like our other, more present concerns.
Conclusion
I hope this serves as a good primer for where to start with some digital security practice, some items you can buy to facilitate the effort, and the conceptual framework to recognize the threats. While there’s still a lot to learn and discuss, now you know enough to not be dangerous to yourself.
Cheers,
Aaron