As I’ve been expanding my “cybersecurity” (or “cysec”, as I call it and am trying to get to catch on) knowledge, I’ve been very disturbed by what I’ve been finding.
I went from thinking: “most things are reasonably secure, I’d be surprised if someone could break into that” to “most things are wildly insecure, and I’d be surprised if someone hasn’t broken into that yet!”
In my travels, I’ve run across several recurring themes, of typical ways that end-user information can be stolen and/or is exploited. So, I’ve started adopting some easy, reasonable habits which can dramatically increase the security, and the privacy of my data. In fairness, 4 of the 5 are easy and free – the 5th one will be slightly more-complex, and may cost some money – but it’s an important step.
What is the problem we are trying to solve (from home / using the data plan on your phone)?
The problem is that just about everything we do on the internet is insecure, not-private, and only the bare-minimum is used for security. Let’s say you are a typical user, using your internet connection at home. When your network traffic leaves your cable modem and goes to your ISP (Comcast, Cox, RoadRunner, Brighthouse, etc) – here’s just some of the information they have about you:
- Every single domain name that anyone in the house has looked up (google.com, cnet.com, etc)
- Every HTTP request – which can include details like search strings. For example, if you go to http://www.bing.com/search?q=fluffy+kittens, that search string can be accessed, and then stored.
- Patterns of what sites you use, at which times. (e.g. Sally seems to shop at Amazon from 10-11pm on Tuesday nights)
- What kinds of devices are used in the home.
- Anything that is sent over the internet in clear-text, including usernames and passwords to unsecured sites.
- Etc, etc, etc…
So, basically, all of your internet traffic, including every site you visit, how long you’re there, and all of your usage patterns. This is the “problem” with both your home Internet Service Provider (ISP) as well as your cellular data provider, because they have all of this same access, except for data that you use via your phone!
So what? Who cares?!
Although it might seem innocuous, this metadata is very valuable – monetarily – to several other categories of people/companies. Your ISP is well within their legal rights to sell this data to marketing companies… or really anyone who will pay them. Since it’s “available” and likely not stored very securely, that also means it’s available to everyone, including:
- Marketing firms – your data is flat-out sold, for a profit.
- Your government – who only needs to ask for it.
- Other governments – who have the resources to hack anything.
- Non-state hackers – who can either use this data directly, or use it to blackmail you.
- The private investigator – that your enemy hired to find dirt on you?!
Even if you are not doing anything wrong, negligently leaving this “valuable” information out in the open can easily lead to problems. Just because this data doesn’t seem like it’d be valuable to you, doesn’t mean it’s not actually valuable. This is akin to you not locking your safe at home. Why not just lock it “just in case”?
There is no upside to leaving your data for literally everyone else to parse-through – just in case there is anything interesting!
I would guess that most ISPs are too bloated and inefficient to really make the most out of your metadata; but what about Google? They were built from the ground-up with the idea of stalking people, monitoring their every move, storing that, and then monetizing it. Why do you think Google would want to get into the ISP business? https://fiber.google.com/about/ My guess is because it’s a treasure trove of exactly the kind of data which they already monetize – data about you. You are what Google (and others) sell!
For every person in your house, and every device connected to your internet connection, this information is just silently being monitored and collected – and then sold, stolen, or exploited. Wouldn’t it be great if we could do something about that?
What is the problem we are trying to solve (while we’re mobile / using public Wi-Fi)?
We talked about how all of your data is readily available to your ISP while you are at home. But what about when you are mobile? Or if you are using “free” Wi-Fi, like at a coffee shop, car dealer waiting room, or hotel?
The problem is, of course, it’s not secure. You have many of the same vulnerabilities at home, but also:
- Hackers in the same room: MOST places that offer “free Wi-Fi” don’t have Wireless Access Point (WAP) Isolation. This means that when you connect to Wi-Fi, other people who are connected can see ALL of your network traffic. “Who’s doing that?” you might ask. Well, that is the de facto way that it is taught in books and on the internet: if you want to go and get usernames/passwords, bring your hacker laptop to public Wi-Fi and start listening. You should assume there is at least one person in that establishment who is vacuuming your data.
- Metadata mining: Some companies will have newer equipment and will have WAP Isolation, but that still means that particular establishment can correlate all of your metadata.
This is a bad situation. You should really not ever use public/free Wi-Fi without a VPN (more on that in a minute).
Using public Wi-Fi at best: leaks lots of personal information. At worst: can effortlessly lead to identity theft.
So what is the answer?
The Solution – to all of it:
In the complex world of computers, there are several players. To “fix” these problems, there are things your ISP could do, there are things your operating system on your computer can do, and there are things you can do.
Now, I put “fix” in quotes because all of the things I described above are not “problems” for your ISP or for your computer maker. These are profit centers and streams of revenue! So, they have no incentive to make your data more-private. So then, what can YOU do? In my professional opinion, there are FIVE things you can do which will dramatically increase your privacy whether you are using your phone, home computer, or tablet – and whether you are at home or using public Wi-Fi:
- Use a more secure search engine. Just about all search engines correlate your searches with you and your marketing profile.
- Install the EFF HTTPS-Everywhere plug-in. EFF is extremely reputable, and this plug-in basically attempts to always go to a secure (https) version of a website, which will not be readable to anyone observing your network traffic.
- Install the EFF Privacy Badger. This eliminates and shows you all of the (many) advertising trackers that websites use to correlate and compile your browsing habits. Ever do an Amazon search for “power supply”, and now all you see are power supply ads on several unrelated sites? That’s advertisements tracking you.
- Use a public DNS. Instead of your ISP correlating every website name that you’ve asked for, and adding that to your profile – you can talk to any number of public DNS servers instead, so that your ISP will be kept out of the loop.
- Use a VPN service. This is the biggie. This can either cost you money (if you want quality), or you can set up your own where in some circumstances, it may not cost anything.
Below we’ll cover a brief overview of each…
STEP 1: Change your search engine
Hopefully you are seeing that every player involved in Internet access is mostly interested in gathering as much information about you as they can. Search engines are no different, and that’s how most people use the Internet.
Just about all search engines DO correlate your searches with you. If you are “logged in” as an account, then that makes it even easier for them. In other words, don’t be logged-in to Google when you are doing a Google search. That search word will forever be correlated with your name. They don’t have to guess that it’s the same person, they now know. So, what do you do about that?
The link above shows how they started out with the exact opposite goals of Google, Bing, and Yahoo. They wanted to create a search engine that gave you the results you want, but where it didn’t track you too. So, take a minute to go into your browser settings. Change your default home page and default search engine to https://duckduckgo.com
And by the way, you don’t need to be militant about it. If you search for something on DDG and can’t find it, add a !g in that search box and it will kick off a search on Google. So, Google can get bits and pieces of your metadata, but at least they’re not getting ALL of it anymore.
STEP 2: Install EFF HTTPS-Everywhere
The Electronic Frontier Foundation (EFF) is an extremely reputable non-profit organization, focused on electronic privacy and security. They’ve created a browser plug-in which basically attempts to go to the secure (https) version of every website, by default. If that is not available, it falls back to the non-secure (http) version. This is different than the default on your computer where you go to the http version of the site, unless you specifically ask for https.
This is available as an add-in for Chrome, Firefox, Opera, and Firefox on Android. If you have an iOS or Windows Phone device, I don’t know of an equivalent.
STEP 3: Install EFF Privacy Badger:
The EFF also wrote a 2nd browser plug-in called Privacy Badger. This basically scours every webpage you go to, and looks for non-visible advertisement trackers which are present on nearly every website. It blocks what it can, and reports all of its findings to you. It’s actually pretty disturbing to see just how many sites aggressively try to track you!
This is available as an add-on for Firefox and Chrome only, as of this writing.
STEP 4: Set up public DNS
I’ve discussed this in detail in other posts here, and here – but that was for Linux. For regular end-user computing, here’s how you might approach this. First, go find some public DNS servers. I would recommend www.opendns.com – specifically, you can get the IP addresses of their DNS here: https://store.opendns.com/setup/#/, or they are just: 184.108.40.206 and 220.127.116.11.
You can also find a bunch of valid alternatives by searching for public dns.
Typically, your computer “asks for an IP address” on the network via Dynamic Host Configuration Protocol (DHCP). The DHCP server will reply with an address you can use, and DNS settings. However, you can override these in your networking settings screen on Windows:
Or on Mac:
but you often can’t set this manually on mobile devices or tablets. So, in that case you may just want to change it at your router level. When you set up DHCP on your router, instead of telling clients to go to the router (and consequently to your ISP) for DNS, you can manually set up the public DNS instead. It will be different on every router, but on my Arris modem/router, this is what that looks like:
In other words, when computers on your network get an IP address from your router, they will get a valid address and the router will tell them to go to those public DNS servers, and your ISP DNS servers will no longer be in-play.
How do you verify this is working correctly? Probably the simplest way is to navigate to:
and then click on the Standard Test button. You should see something like this:
what you should NOT see is any reference to your ISP. If you see: Comcast, Cox, Brighthouse, etc where “Direct Media LLC” is, that means you are still using your ISP DNS servers.
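As a local complement to the browser test above, here is an added example (not from the original post) that reads resolv.conf-style text, as found in /etc/resolv.conf on a Linux machine, and reports whether each configured resolver is the public DNS you chose, your router (which normally forwards to the ISP), a local stub, or something unexpected. The function names, the sample file and the 203.0.113.x addresses are constructed placeholders; substitute the resolver addresses you actually configured.

```python
import ipaddress

# RFC 1918 private ranges: a resolver in one of these is normally the home router.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_nameservers(resolv_conf_text):
    """Return the addresses on 'nameserver' lines, ignoring comments and junk."""
    servers = []
    for line in resolv_conf_text.splitlines():
        parts = line.strip().split()
        if len(parts) < 2 or parts[0] != "nameserver":
            continue  # comments (# or ;), 'search', 'options', blank lines
        try:
            # Drop an IPv6 zone suffix such as %eth0 before parsing.
            servers.append(ipaddress.ip_address(parts[1].split("%")[0]))
        except ValueError:
            continue  # malformed address: skip it rather than guess
    return servers

def classify(addr, expected):
    if addr in expected:
        return "expected-public"   # the public DNS you configured
    if addr.is_loopback:
        return "local-stub"        # local cache; its upstream must be checked separately
    if addr.version == 4 and any(addr in net for net in RFC1918):
        return "router-forwarder"  # router answers, and usually asks the ISP
    return "unexpected"            # often the ISP resolver handed out by DHCP

def audit(resolv_conf_text, expected_ips):
    expected = {ipaddress.ip_address(ip) for ip in expected_ips}
    return {str(a): classify(a, expected)
            for a in parse_nameservers(resolv_conf_text)}

# Constructed sample input; the addresses are documentation placeholders.
SAMPLE = """\
# constructed sample resolv.conf
nameserver 192.168.0.1
nameserver 203.0.113.53
nameserver 127.0.0.53
nameserver 198.51.100.7
nameserver not-an-ip
search home.lan
"""
EXPECTED = ["203.0.113.53", "203.0.113.54"]

if __name__ == "__main__":
    for server, verdict in audit(SAMPLE, EXPECTED).items():
        print(f"{server:15} {verdict}")
```

Anything other than "expected-public" means at least some lookups can still reach a resolver you did not choose.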
STEP 5: Use a VPN service:
This is one of the bigger things to do, but it also has a big impact too. The idea here is that instead of your network traffic coming out of your home internet connection, and immediately starting to route to its destination – you create a secure tunnel to some faraway place. Your internet traffic then enters the open Internet from there. For the most part, companies that offer this, are selling the service specifically because they don’t track anything that you do. You are paying for privacy, basically. It’s not so much for anonymity though – well, from regular people/hackers, yes, but governments can likely compel the company to turn over some limited information like: it was you who was connected at this particular time.
The concept is to get past all of the prying-eyes at your ISP, and enter the internet from a place where you are paying the company to not observe your traffic.
Couple that with your public DNS (which also doesn’t track), and you have what to me, is a baseline level of privacy which should’ve existed all along. Here’s how that might look:
Default connection from home:
Your ISP can and does observe every bit of data that goes through your modem!
With a VPN service:
With a VPN service, you can skip right past your ISP, get out to your VPN server, and then enter the internet from there.
In a public Wi-Fi scenario, it can be worse, because if there is someone watching your network traffic, they are almost definitely going to do something with it immediately after. Here’s how that might look:
Other people on that public Wi-Fi can actively observe quite a bit about your internet traffic. Compare that to over VPN:
As you can see, by VPN’ing through the public WiFi, you can get past the prying eyes of hackers, and come out onto the internet relatively anonymously (or at least, less-tracked). You might say this is similar to a celebrity sneaking out of the back exit of a building to avoid the paparazzi.
Build vs Buy – Choosing a pay VPN service:
“Pay VPN?”, you ask. Yes, because it costs real money to offer VPN. If you find free VPN, it’s either going to be low-bandwidth, or it’s a honeypot who is trying to capture network traffic, looking for things to hack.
I wouldn’t send actual, personal, valuable information over a free VPN connection.
“But build vs buy? How do you BUILD a VPN?”, you then ask. Well, you can stand up a virtual machine in Amazon Web Services (AWS) or in Microsoft Azure. Send all of your network traffic there, and you’d be entering the internet with your network traffic FROM those Amazon or Microsoft data centers. I’ve done this with both AWS and Azure and I will do an upcoming blog post on the details.
What about “buy”? Well, there are a LOT of VPN services out there. How do you choose a good one? In short, I don’t know. I read a lot of reviews and tried several which offered a free tier. The one constant is that I always got very poor performance. What I mean is, I normally have about a 175mbps internet connection. The BEST pay service I tried, I got around 28mbps of network throughput. That means I lose 84% of my internet connection speed – simply by using a VPN.
In comparison, the best I got was when I spun up an AWS instance using OpenVPN. In that scenario, I got about 80mbps. So the best-case was that I’d lose 54% of my internet connection speed. Plus, it does cost money. If you have MSDN/Bizspark where you can host a VM in Azure, you can likely host it for free. However, if you don’t, it’s still going to cost some money.
You can test your Internet connection speed from www.speedtest.net
If you are looking for the short answer, from my research, it looks like these are probably 3 of the better VPN service providers (in no particular order):
- www.PrivateTunnel.com – this is the official service of OpenVPN
- www.HideMyAss.com – despite the company name having a curse word, they have great features.
- www.PureVPN.com – seems well-established and gets good reviews, here is a deal to get a lifetime subscription for $69 (expires in 4 days though)
I haven’t purchased any of these because I’m still evaluating the Azure vs AWS options. Again, I’ll have an upcoming blog post with all of those details. However, if you just want to pay for an existing service, check out the above or just search for “VPN service reviews” and start looking at reviews. None appear to be stellar!
What’s the bottom line, here? Isn’t this a little paranoid? Isn’t this a little over-the-top? I don’t know, you tell me? How valuable is your privacy? There are entire industries based around the concept of quietly collecting every drop of your digital footprint. It’s correlated and paints an unbelievably accurate profile of you.
Do you shred physical pieces of paper before you throw them in the trash? Would you mind if several companies were constantly observing every member of your family and writing down all of your habits? Consider that most of our modern life leaves a digital footprint nowadays.
Some people are OK with all of this. If you are not, these are 4 easy steps you can take today which don’t cost anything – and the 5th one, will likely cost you money ($7-9/month) – and I still haven’t found a solution that I love, yet.
If your ISPs and your computer operating system aren’t going to do anything about you having no privacy, these are some steps you can take that will make a big difference.