Last time we covered BASIC ENCRYPTION (DATA AT REST). In today's guide we look at what “Data In Motion” is.
Data-in-motion is information that is in transit from one device to another. This data is vulnerable to a number of potential exploits. Your traffic may be intercepted by “legitimate” entities to serve you advertising, to ensure you are complying with the Digital Millennium Copyright Act, to insert tracking codes into your data packets, or for other reasons. On the other end of the spectrum, data may be intercepted by an attacker. A malicious actor may sniff (intercept) your packets, set up a man-in-the-middle attack, or launch an evil-twin attack, depending on what you are most vulnerable to. One of the most important steps you can take to protect yourself is to encrypt all of your data-in-motion to the extent possible. This is possible through a number of methods, including Secure Sockets Layer (SSL) and Transport Layer Security (TLS), high-quality modern Wi-Fi encryption protocols, and the use of proxies, Virtual Private Networks and the Tor network. These factors working together can protect that data while it is in motion from one place to another.
SECURE SOCKETS LAYER (SSL) AND TRANSPORT LAYER SECURITY (TLS)
Two protocols, Secure Sockets Layer (SSL) and Transport Layer Security (TLS), are the first line of defense in securing your data-in-motion. Both rely on asymmetric encryption: the site you are connecting to and your computer use a pair of keys, one for encryption (the open or public key) and one for decryption (the closed or private key), or the other way round, to negotiate the key that will encrypt the information they exchange. Websites encrypted with SSL or TLS are “HTTPS” (Hypertext Transfer Protocol Secure) sites and are considered secure. In addition to websites, connections to mail clients, online calendars, data transferred between devices, and other services such as Voice over Internet Protocol (VoIP) and instant messaging applications are frequently encrypted with one of these protocols.
Transport Layer Security is an upgraded version of the aging SSL protocol and provides very robust encryption for data-in-motion. Most reputable sites should employ TLS, though some still rely on SSL 3.0. Despite the differences between the two protocols, many still refer to both generically as “SSL”, which makes things somewhat confusing. (To keep things simple, we will refer to all such connections as SSL/TLS.) Until early 2014 security experts considered SSL/TLS fairly secure if implemented properly, but a litany of vulnerabilities in these protocols has been revealed in recent years.
When using a site that is encrypted with SSL/TLS, it is a good idea to check the site's certificate if you have any question whatsoever about its authenticity, or maybe even if you don't. Clicking the padlock icon (shown during encrypted connections) just to the left of the address bar in Chrome, Firefox, etc. displays a small amount of information about the site you are visiting.
VIRTUAL PRIVATE NETWORKS
A Virtual Private Network (VPN) provides a good mix of security and privacy by routing your internet traffic through a secure tunnel. The tunnel runs to the VPN's server and encrypts all the data between your device and that server, so anyone monitoring your traffic before it reaches the distant server will not find usable, unencrypted data. The distant server also provides privacy. Traffic leaving the VPN's server does so in plain text (or, ideally, still encrypted with HTTPS if you are visiting an SSL/TLS-capable site) en route to the destination site, but it is mixed in with the traffic of scores or hundreds of other users, which makes it much harder to distinguish your traffic from the rest. And because your traffic appears to originate from the VPN's server, websites have a harder time tracking you, aggregating data on you, and pinpointing your geographic location.
Virtual Private Networks are not a perfect anonymity solution. It is important to note that VPNs offer you privacy, NOT anonymity. The best VPNs for privacy purposes are paid subscriptions with reputable providers. Though some providers take anonymous payment in the form of Bitcoin/Monero or prepaid gift cards, it is difficult (though not impossible) to create an account with one of these providers without associating yourself with it in some manner. This will be discussed in detail later. If you log into an account that is associated with your true identity, that login can be associated with your VPN account. Additionally, if you use the VPN from your home's internet connection, the VPN provider will be able to capture your IP address, which can be used to identify you.
There are several excellent paid VPN providers out there and I strongly recommend them over free providers. Free providers often monetize through very questionable means, such as data aggregation. This compromises one crucial benefit of a VPN: privacy. Paid VPN providers monetize directly by selling you a service. Reputable providers do not collect or monetize data. Paid providers also offer a number of options that will increase your privacy and security. The first option you should pay attention to is the number of servers they have.
EXIT SERVERS:
Most reputable VPN service providers have a number of geographically remote servers from which your traffic exits. When you visit a website, your traffic appears to originate from the VPN server's IP. VPN services with a number of servers to choose from give you the ability to switch servers if one is exceptionally slow, as may happen depending on the number of users on that server and your distance from it. Further, if you are traveling to a country that restricts the internet and you cannot access certain websites, connecting to a VPN server in another country can let you bypass these geographic restrictions. When using a VPN, make sure you have closed the WebRTC leak in your browser (see the guide on web browser security in the previous chapters): this vulnerability lets websites you visit capture your true IP address despite the use of a VPN.
ENCRYPTION:
Another set of options a good VPN provider will offer is the ability to choose between a variety of encryption and tunneling protocols. These typically include OpenVPN, WireGuard, IPsec, L2TP, and PPTP. This versatility is desirable because, although most VPN services work well cross-platform, some devices may not work with certain protocols. Further, some VPN providers even sell routers, or let you set up your own, with their VPN software built in. This allows all of your home's traffic to be protected by the VPN connection, which is helpful because not all devices (such as smart TVs and gaming consoles) can have VPN software installed. Though most VPN providers offer several options, I recommend you use the OpenVPN or WireGuard protocol where available. Though I have previously used and recommended IPsec, recent months have demonstrated some successful pre-computation attacks against the IPsec protocol. I now believe OpenVPN and WireGuard to be the most secure protocols currently available for virtual private networks.
A good VPN service provider will offer a totally transparent privacy policy about the information they collect on your usage. The best ones retain only minimal records: although they are bound by law to cooperate with warrants and other legal instruments, if they do not store your information they cannot turn it over. Most VPN providers do keep minimal logs, which they use to improve connection speed, performance and reliability, to troubleshoot customer problems, and to protect the service from abuse such as spammers, port scanners, and the execution of DDoS attacks across the service. It is crucial to note that paid providers are also vulnerable to financial and legal pressure from their host-nation governments to cooperate with measures that may compromise security for all users. With that said, you should aim for VPNs hosted OUTSIDE the United States or Third World countries.
I also fully recommend that you, as the user, conduct your own research and find the provider that works best for your situation. There are also times when it may be appropriate to have several different VPN services simultaneously. You may wish to have one on which you do personal tasks like banking and email, and another for internet browsing that you would not want associated with your true name or identity. You may also wish to use different VPN service providers from time to time to limit the amount of information that could be collected by a single provider, by a rogue employee working at that provider, or by a government agency with a backdoor into their servers. Mullvad VPN meets all of the criteria listed above and is the provider I personally recommend.

Two other factors definitely worth considering when choosing a VPN are bandwidth restrictions and speed limitations, both of which can be annoying. It is also possible to build your own VPN, but I do not recommend that: it does not protect anything leaving your home, which leaves you vulnerable to Wi-Fi sniffing, packet inspection by your ISP or a government agency, tracking, and other forms of interception and monitoring.
ENHANCED VPN PRIVACY:
If you desire a stronger level of privacy than a “standard” VPN setup affords, there are some steps you can take to make your VPN more private. You will notice I did not say it will make you “anonymous”. If you access a true-name account with it, you should assume that it is now tied to your true name. You can still be browser-fingerprinted. You can be exploited through Java and Flash. Cookies on your machine can still leak data from one browsing session to the next. A pseudo-anonymous VPN can create an excellent privacy layer, but it does not create true anonymity.
Each of these steps will require additional expense and effort, and a tremendous effort will be required to maintain this privacy. To have a pseudo-anonymous VPN you must first register for it anonymously. This is the difficult part: the internet connection from which you register can compromise your privacy. I personally recommend you go to a public Wi-Fi and register with your VPN provider through that public Wi-Fi. Paying for a VPN may be somewhat easier. You can pay for the VPN listed above with Bitcoin or Monero, but make sure you are paying with CLEAN Bitcoins or Monero that are already mixed and properly cleaned. That way it would be impossible to ever correlate that VPN with your real identity. Mullvad VPN also accepts Monero, which adds a further layer of security. After you have registered with the VPN provider, you must exercise extreme caution to maintain your privacy.
accidentally. I also recommend you create 2 or 3 of those VPN VMs, depending on your threat model, and chain them together for maximum anonymity: https://github.com/tasket/Qubes-vpn-support
Once you have installed your VPN on Qubes, make sure it is not leaking any of your traffic by going to the websites below and running their tests on your connection.
1. Browserleaks.com
2. Whoer.net
3. dnsleaktest
4. IPleak.net
If your real location does not appear on any of these websites, then your setup is perfect.
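A local complement to the website tests above, added here as an example and not part of the original guide: it asks the kernel which interface it would route a packet out of and checks the resolver list, and reports a leak if either bypasses the tunnel, on the machine where the VPN client runs (on Qubes OS, the VPN proxy qube). The interface name tun0, the resolver 10.8.0.1 and the sample inputs are constructed placeholders; pass your own with --live.

```shell
#!/bin/sh
# Local VPN leak check (added example, not from the original guide).
# Assumptions: the VPN client runs on this machine (on Qubes OS, run it inside
# the VPN proxy qube); the tunnel interface and the VPN's own resolver are
# passed in, and the defaults tun0 / 10.8.0.1 are placeholders.

# Print the interface named in the first line of `ip route get <addr>` output.
# `ip route get` resolves policy rules and the /1 routes OpenVPN adds, so it
# is more reliable than reading the "default" line of `ip route`.
route_dev() {
    awk 'NR == 1 { for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# Print every "nameserver" entry in resolv.conf text (stdin) that is not in
# the space-separated allowlist $1 of resolvers reached through the tunnel.
# Each hit is a DNS leak: your ISP or the hotspot answers the lookup and learns
# the hostnames you visit even though the page content itself rides the VPN.
# (If you use the systemd-resolved stub 127.0.0.53, check `resolvectl status`.)
leaking_nameservers() {
    awk -v allowed=" $1 " '$1 == "nameserver" && index(allowed, " " $2 " ") == 0 { print $2 }'
}

# $1 route text, $2 resolv.conf text, $3 tunnel interface, $4 allowed resolvers.
# Prints the verdict; returns 0 when clean, 1 when something bypasses the VPN.
vpn_leak_check() {
    dev=$(printf '%s\n' "$1" | route_dev)
    bad=$(printf '%s\n' "$2" | leaking_nameservers "$4")
    status=0
    if [ "$dev" != "$3" ]; then
        echo "LEAK: internet traffic leaves via '$dev', not the VPN interface '$3'"
        status=1
    fi
    if [ -n "$bad" ]; then
        echo "LEAK: DNS servers outside the tunnel: $(printf '%s' "$bad" | tr '\n' ' ')"
        status=1
    fi
    if [ "$status" -eq 0 ]; then
        echo "OK: traffic and DNS both go through $3"
    fi
    return "$status"
}

if [ "${1:-}" = "--live" ]; then
    # Real check of this machine. Usage: sh vpncheck.sh --live [iface] [resolvers]
    # 203.0.113.1 is an RFC 5737 documentation address; `ip route get` only
    # consults the routing tables and sends nothing to it.
    vpn_leak_check "$(ip route get 203.0.113.1)" "$(cat /etc/resolv.conf)" \
        "${2:-tun0}" "${3:-10.8.0.1}"
else
    # Constructed sample inputs so the script demonstrates itself offline.
    CLEAN_ROUTE='203.0.113.1 via 10.8.0.1 dev tun0 src 10.8.0.2 uid 1000'
    CLEAN_RESOLV='nameserver 10.8.0.1'
    LEAKY_ROUTE='203.0.113.1 via 192.168.1.1 dev wlp2s0 src 192.168.1.23 uid 1000'
    LEAKY_RESOLV='# generated by DHCP
nameserver 192.168.1.1
nameserver 10.8.0.1'
    echo "--- constructed clean sample ---"
    vpn_leak_check "$CLEAN_ROUTE" "$CLEAN_RESOLV" tun0 "10.8.0.1" || :
    echo "--- constructed leaky sample (tunnel up, but route and DNS bypass it) ---"
    vpn_leak_check "$LEAKY_ROUTE" "$LEAKY_RESOLV" tun0 "10.8.0.1" || :
fi
```

This only proves the local machine routes through the tunnel; the websites listed above are still needed to confirm what the outside world sees at the exit.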

As was pointed out in the introduction to this tutorial, security and convenience are inversely related. Wi-Fi is an undeniable convenience. By removing the need for a physical cable, Wi-Fi allows us to access the internet from just about anywhere at just about any time. Intrinsic to this convenience, however, is a great deal of insecurity, especially when compared with wired internet connections.
Wi-Fi is nothing more than a radio transmission that carries data packets between your computer's Wi-Fi card and the wireless router. Because of this, anyone with a capable radio can “listen” in on your traffic. Simply listening in by capturing your packets as they travel to and from your computer is called sniffing. Sniffing requires some specialized (but free) software and a Wi-Fi card that can be placed in promiscuous mode (the ability to “listen” to all Wi-Fi traffic while not broadcasting). Suitable USB Wi-Fi adapters can be purchased very inexpensively and require very little technical know-how.
While some of the techniques I discuss below are changes made to your operating system, the majority of this chapter deals with securing your wireless signal and best practices when using Wi-Fi. Before continuing with the security of Wi-Fi, I will digress for just a moment to talk about how it is exploited.
WI-FI EXPLOITATION
Capturing packets is not terribly technically demanding and can even be beneficial. Seeing first-hand how Wi-Fi is exploited can underscore how insecure Wi-Fi truly is and help you understand the importance of good encryption. Sniffing your home network is also a good way to see what vulnerabilities you have. If you are interested in learning how to do this, you will need the following:
o Software. There are various Wi-Fi sniffing programs and many of them are free. Using them often requires a Linux operating system. Kali Linux is a penetration-testing-specific Linux distribution that comes with an incredibly capable suite of Wi-Fi exploitation tools built in.
o Hardware. The only specialized hardware you need is a promiscuous-capable Wi-Fi card. These are available online for as little as $30 on Amazon. As long as your computer has an optical drive or can boot from a USB flash drive, you will not need a new computer: Kali can be booted from optical or USB flash media. Or you can use it within Qubes OS itself by following the guide on the Qubes forum (https://forum.qubes-os.org/t/creating-a-kali-linux-templatevm/19071).
o Technical know-how. Though hacking Wi-Fi is relatively simple, it does require some specific knowledge. Most of these programs have no graphical interface and are driven from a command prompt, so a good working knowledge of the Linux command line is necessary, though most of the commands can be found online.
WI-FI SECURITY MEASURES
Wi-Fi should be turned off when your computer is not actively connected to a network, and the computer should not be set to connect automatically to networks. When your computer is not connected to your network (e.g. when you are traveling), it actively searches for the networks it is set to connect to automatically. This searching is not passive: other computers can detect it and see the name(s) of the network(s) with free software. If all of your networks are being broadcast through these probes, it is trivially easy for an attacker to set up an “evil twin” or “rogue access point” attack. To execute this form of man-in-the-middle attack, the attacker sets up a network with the same name as one of your trusted networks. When your device recognizes this name, it connects to the rogue network automatically (unless you have disabled automatic connections), allowing your traffic to be routed through the attacker's device and potentially compromising it. Even SSL/TLS-encrypted traffic is vulnerable to a technique called “SSL stripping”. If, on the other hand, you have disabled automatic connections, the names of your stored networks will not be available to the attacker, and even if they were, your computer would not connect to them automatically.
WI-FI SETTINGS IN QUBES OS
On Qubes, disabling automatic connections is fairly simple. Click the network-manager icon in the bottom right corner of your Qubes toolbar (it should be a little red icon), go to your connection, and make sure “Connect to this network automatically when available” is disabled. It is as simple as that. From that point on you will always connect to a network manually, which increases your security considerably and protects you against these kinds of attacks.
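A command-line version of the same setting, added here as an example and not part of the original guide: it audits every saved Wi-Fi profile for the autoconnect flag with nmcli and can switch it off, so no stored network name is probed for while you travel. It assumes it runs where NetworkManager lives (the sys-net qube on Qubes OS, or the host on a plain Linux laptop); the nmcli listing it demonstrates on when nmcli is absent is constructed.

```shell
#!/bin/sh
# Audit (and optionally disable) "connect automatically" on saved Wi-Fi profiles.
# Added example, not from the original guide. Assumption: run in the qube that
# owns the Wi-Fi card (sys-net on Qubes OS) or directly on a plain Linux host.
#
# `nmcli -t -f NAME,TYPE,AUTOCONNECT connection show` prints one profile per
# line, colon-separated, e.g.
#   Home:802-11-wireless:yes
# Profiles with AUTOCONNECT=yes are the ones the machine probes for by name
# while disconnected, which is exactly what an evil-twin attacker listens for.

# Print the names of Wi-Fi profiles that connect automatically. Reads the
# terse nmcli listing on stdin. (nmcli escapes a ':' inside a name as '\:';
# such names are not handled here.)
autoconnect_wifi_profiles() {
    awk -F: '$2 == "802-11-wireless" && $3 == "yes" { print $1 }'
}

# Number of such profiles; the goal from the text is 0.
count_autoconnect_wifi() {
    autoconnect_wifi_profiles | awk 'END { print NR }'
}

# Clear the flag on one profile. This is the nmcli equivalent of unticking
# "Connect to this network automatically when available" in the applet.
disable_autoconnect() {
    nmcli connection modify "$1" connection.autoconnect no
}

# Print a report for the listing on stdin; with $1 = --apply, also fix it.
audit_wifi_autoconnect() {
    names=$(autoconnect_wifi_profiles)
    if [ -z "$names" ]; then
        echo "OK: no saved Wi-Fi profile connects automatically."
        return 0
    fi
    if [ "${1:-}" = "--apply" ]; then
        printf '%s\n' "$names" | while IFS= read -r name; do
            disable_autoconnect "$name" && echo "autoconnect disabled: $name"
        done
    else
        echo "Wi-Fi profiles that connect automatically (re-run with --apply to fix):"
        printf '%s\n' "$names" | sed 's/^/  /'
    fi
}

if command -v nmcli >/dev/null 2>&1; then
    listing=$(nmcli -t -f NAME,TYPE,AUTOCONNECT connection show 2>/dev/null) \
        || echo "warning: nmcli could not list connections" >&2
    printf '%s\n' "$listing" | audit_wifi_autoconnect "${1:-}"
else
    # No NetworkManager here: demonstrate on a constructed listing instead.
    SAMPLE='Home:802-11-wireless:yes
CafeFree:802-11-wireless:no
Wired:802-3-ethernet:yes
Work-WPA:802-11-wireless:yes'
    echo "nmcli not found; auditing a constructed sample listing:"
    printf '%s\n' "$SAMPLE" | audit_wifi_autoconnect
fi
```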
When setting up your home's network there are some basic steps you can take to make it much more secure than the average home network. Some of these settings will require that you be physically connected to the router via an Ethernet cable.
CHANGE MANAGEMENT ACCOUNT CREDENTIALS:
The first step you should take when setting up your home's network is to change the management account credentials. This is the account you log into to change the router's settings. Anyone with access to it can turn off your encryption, view your usage logs, or take other malicious actions. The default credentials preset on the router are openly available information and could allow anyone connecting to your network to make changes to your router. To change these settings, log into your router by typing the router's internal Internet Protocol (IP) address into the address bar while connected to the router via a wired or wireless connection. The internal IP address for most Linksys routers is 192.168.1.1, while most D-Link and NetGear routers use 192.168.0.1. This brings you to the administrator login page. If you have never changed your router's login credentials, they are probably set to the default. Conduct an internet search for the default username and password, then change these credentials immediately, using a randomly generated username and a good, strong password. Sometimes the router's login instructions are also printed on the router itself.
You can also make it more difficult to change the settings on your router by changing the IP address used to log into it. Login credentials can be defeated, so this step makes it harder for an attacker to connect to the router. The IP address can be changed to anything between 192.168.0.0 and 192.168.255.255, but make sure you remember what you change it to. As soon as this change is saved and takes effect, you will need the new IP to log back into the router to make additional changes.
DISABLE REMOTE MANAGEMENT:
Remote management gives you the ability to log into and change the router's management settings without physically accessing the router or being connected to the router's network. When this function is disabled, you may be required to physically connect to the router with an Ethernet cable to log into the management account. Though slightly inconvenient, you should not have to change the router's settings very often, and the security upgrade is well worth it.
ENCRYPT THE SIGNAL:
Next, encrypt the wireless signal using WPA2-PSK. Many routers offer several encryption options, including WEP (Wired Equivalent Privacy), WPA (Wi-Fi Protected Access), and WPA2, but the only one you should consider using is WPA2-PSK. WEP has been broken for years and is extremely easily defeated through an attack known as a “statistical attack”. WPA has serious vulnerabilities, especially in its Temporal Key Integrity Protocol (TKIP). WPA2 is a re-engineered version of WPA offering AES (Advanced Encryption Standard) and the greatest security for wireless networks currently available. If your router does not offer WPA2-PSK (Pre-Shared Key) (802.11n), upgrade your router as soon as possible. Do not neglect to assign a good password to your network. Though it may take some time and effort to enter the password on your devices, it only has to be done once.
CHANGE YOUR SSID:
You should also change the SSID, the name of your network that is broadcast to your devices. Though it is possible to hide the SSID (and some recommend this), it is a fairly ineffective technique: Wi-Fi sniffers (programs designed to detect and exploit Wi-Fi networks) can easily find hidden networks. Instead, rename the network with a name that does not leak information about you.
Renaming your network is an excellent opportunity to provide some disinformation about your home. There are websites that map every known wireless network (https://wigle.net). Anyone seeing your true name attached to a network can make a reasonable assumption about the location of your residence, while a false name on these websites could obscure your home address. Instead of naming your network something personally relatable to you like “NicoSellNet” or “NSell_Wi-Fi”, use one of the most common names from the website above, such as “NETGEAR5” or “xfinity-wifi”. If anyone is looking for your house based on Wi-Fi networks, this will make it much more difficult to locate.
OPT OUT OF WI-FI MAPPING:
Wi-Fi networks are now mapped in tandem with other street-mapping efforts such as Google Street View. This means that if your network name is collected, it can be looked up as an overlay on a map. This allows anyone to map your location, based on your Wi-Fi networks, by capturing the SSIDs that your computer broadcasts when searching for a network to connect to. To prevent your home network from being mapped (at least by Google), one option is to end your router's SSID with the suffix “_nomap” (for example: Luna_wifi_nomap). This is the opt-out for Google's Wi-Fi network mapping: any router SSID with this suffix will not be included on Google map overlays that display Wi-Fi networks. Alternatively, assign your Wi-Fi network an SSID that creates disinformation as described in the previous paragraph.
DISABLE WI-FI PROTECTED SETUP (WPS):
Wi-Fi Protected Setup is a convenience feature intended to make it easier to connect to a wireless device. Rather than entering the password when connecting to an encrypted network, the user can physically push the WPS button on the router or enter a six-digit WPS code when connecting for the first time. Unfortunately, the WPS protocol is broken. No matter how strong the password on your network is, cracking the simple six-digit WPS code can grant access to the network. Disable WPS completely, even though it makes logging into your network more time consuming (though again, you only have to do this on your home network at initial setup and when you change the password).
TURN OFF THE SIGNAL WHEN NOT IN USE:
In the setup menu of most routers you can elect to turn the router's signal off between certain hours and on certain days, for example at times when everyone in your home is typically asleep or everyone is out. Unless you rely on wireless IP cameras or other Wi-Fi devices as part of your physical security system, there is no need to leave your router on when you go out of town; simply unplug it. Powering the router off lowers its profile: the less time it is on and broadcasting, the smaller its attack surface.
SCAN YOUR HOME NETWORK:
Though this does not pertain to router setup specifically, it is a good step to take after setting up your home router. My antivirus application of choice (Avast) can conduct a home network scan. It tests whether your devices are visible from the internet, checks the router's security configuration, and confirms that your wireless signal is encrypted. You can run this scan on any network you are connected to, to get an idea of the network's security before you use it to transmit sensitive information.
MAC (MEDIA ACCESS CONTROL) FILTERING:
One security measure that is sometimes touted but is largely ineffective is MAC filtering. A MAC (Media Access Control) address is a number unique to your device, analogous to its electronic ID. Filtering MAC addresses allows connections only from devices on a “whitelist” (a preapproved list of trusted devices). While MAC filtering is good in theory, it is very easily defeated through MAC spoofing, a technique by which an attacker captures your MAC address and temporarily assigns it to their own device. This is not especially difficult to do, especially for anyone with the ability to crack your (WPA2) encryption. Additionally, MAC filtering requires you to log into the router and update the whitelist each time you need to connect a new device.
A technique available on many routers that is similar to MAC filtering, though slightly less onerous, is to limit the number of devices that may connect at a given time. This is intended to keep networks uncrowded and manage bandwidth, though you will occasionally hear it listed as a security measure.
practices when using these networks (if you must use them) can make your browsing much more secure.
1. ABSOLUTE BEST PRACTICE, DON’T USE THEM: Again, Wi-Fi is terribly convenient, and it can be hard to resist the urge to connect and watch YouTube, download your podcasts, or log in and get some work done while you wait to board your flight. The risks of using untrusted networks are very high, though. If at all possible avoid using them; tether your phone instead or, better yet, wait until you can use a trusted connection. If you can wait to use the internet until you get home, or at least to your hotel where you can likely use a wired connection, do so. If not, do not enter any sensitive information (like login credentials) on that network, and follow the steps listed below.
2. CONNECT TO THE RIGHT NETWORK: Every day, criminals and hackers set up fake wireless access points to lure the unsuspecting into connecting to them. This is often done in public spaces where dozens of Wi-Fi networks exist and a free hotspot does not raise much suspicion. With names like “Free Wi-Fi” or “Public Hotspot”, these insecure connections are used naively by many who treat them no differently than their home network. Unfortunately, many of these are merely traps to capture logins, bank/credit card details, and other sensitive information. When you check into a hotel, visit a coffee shop or bookstore, or use Wi-Fi at a public library, ask someone who works there which network you should use. If two or more networks have very similar names, take a closer look at the names. If you have any doubt whatsoever, do not connect. It is worth the hassle to ensure you are on a legitimate network.
3. USE A WIRED CONNECTION IF AVAILABLE: Many hotels offer in-room, hard-wired connections. Some coffee shops offer wired connections, too. Using a wired connection will not make you invincible, but because of the switching involved in transmitting and receiving packets, it does make intercepting and exploiting your traffic much more difficult. It also reduces the likelihood of connecting to a phony network to almost nil. Capturing Wi-Fi packets is notoriously easy and can be pulled off by even unskilled attackers, but attacking a wired network is much more difficult. There are still many exploits against wired connections, but they are far fewer in number and require far more technical know-how. Also be aware that even if traffic over a wired network is not being maliciously attacked, your packets are still open to inspection on the router you are connected to and by the internet service provider. This is a major consideration if you are working in a country where your threat-model adversary is a nation-state actor who monitors the country's internet, such as Egypt, Iran, North Korea, or the United States.
4. USE A VPN OR TOR: Using a virtual private network or Tor is one of the best security measures you can take if you must connect to an untrusted network, wireless or wired. While it does not prevent your packets from being captured, it ensures your traffic is encrypted from your device to the exit server, so any packets captured on the local network are encrypted and therefore unusable. Using one of these measures protects you against inspection by both the owner of the router (i.e. the coffee shop or hotel) and the internet service provider (ISP). If you have a VPN for work that you must log into to access your office's server, you can probably connect to it before accessing the internet from an unsecured Wi-Fi. Even though it will not protect your traffic from your office's IT department, it will secure your connection and prevent the packets from being captured in plaintext locally.
5. DO NOT OPEN FILES: Running more applications means presenting more attack surface. When using an untrusted network, you should be exceedingly cautious about opening any attachments you download or running any applications other than the web browser you are using on the network. This lessens the chances of information being automatically sent by these applications over an unsecure connection.
If you will be using a certain network frequently in the future and would like to leave it as a known network, change the settings so that you must manually connect to it. This eliminates your attack surface for evil-twin attacks and reduces the information leaked about your Wi-Fi networks.
internet service providers (ISP), wireless hotspots, and public tracking systems collect these details at all times. There are numerous ways to spoof a MAC address. Some prefer a terminal solution with system commands; many prefer applications that automate the process. Below is the tutorial for anonymizing your MAC address on Qubes:
https://forum.qubes-os.org/t/anonymizing-your-mac-address/19072
CONCLUSION:
We have now come to the end of Data In Motion. We learned about setting up a VPN, WI-FI, BASIC ROUTER SETUP and SPOOFING OF MAC ADDRESS. Even though you cannot be 100% anonymous, I hope this guide will help give you privacy while connecting, browsing, and doing tasks on the Internet.
GOOD LUCK!
Another set of options a good VPN provider will offer is the ability to
choose between a variety of encryption and tunneling options. These will typically include OpenVPN, Wireguard, IPSEC, L2TP, and PPTP. This versatility is desirable because although most VPN services will work well cross-platform, some devices may not work with certain protocols. Further, some VPN providers even sell routers or allow you to set up your own with their VPN software built-in.
This allows all of your home’s traffic to be protected with a VPN connection. This is helpful, as not all devices (such as smart TVs and gaming systems or machines) have the ability to have VPN software installed. Though most VPN providers offer several options for encryption, I recommend you use the OpenVPN or Wireguard protocol where available. Though I have previously used and recommended IPSec, recent months have demonstrated some successful pre-computation attacks against the IPSec protocol. I now believe OpenVPN or Wireguard to be the most secure protocols currently available for virtual private networks.
A good VPN service provider will offer a totally transparent privacy policy about the information they collect on your usage. The best ones will retain only minimal
records, and although bound by law to cooperate with warrants and other legal instruments, if they do not store your information, they cannot turn it over. Minimal logging is actually used by most VPN providers to improve connection
speed, performance, reliability, troubleshoot customer problems, and protect the service from abuse such as spammers, port scanners, and the execution of DDoS
attacks across the service. It is crucial to note that paid providers are also vulnerable to financial and legal pressure from their host-nation governments to
cooperate with measures that may compromise security for all users. With that said, you should aim for VPNs hosted OUTSIDE the United States or Third World countries.
I also fully recommend that you, as the user, conduct your own research and find the provider that works best for your situation. There are also times when it may
be appropriate to have several different VPN services simultaneously. You may
wish to have one on which you do personal tasks like banking and email, and another across which you do internet browsing that you would not wish to be associated with your true name or identity. You may also wish to use different VPN
service providers from time to time to limit the amount of information that could possibly be collected by a single provider, rogue employee working at that provider, or government agency with a backdoor into their servers. For this
reason, Mullvad VPN meets all of the criteria listed above, and I personally recommend it.

Two other factors that are definitely worth considering when choosing a VPN are bandwidth restrictions and speed limitations, both of which can be annoying. It is also possible to build your own VPN, but I do not recommend that. It does not
protect anything leaving your home, which would leave you vulnerable to Wi-Fi sniffing, packet inspection by your ISP or government agency, tracking, and other forms of interception and monitoring.
ENHANCED VPN PRIVACY:
If you do desire a stronger level of privacy than a “standard” VPN setup affords, there are some steps you can take to make your
VPN more private. You will notice I did not say it will make you “anonymous”. If you access a true name account with it, you should assume that it is now tied to
your true name. You can still be browser-fingerprinted. You can be exploited through Java and Flash. Cookies on your machine can still leak data from one browsing session to the next. A pseudo-anonymous VPN can create an excellent privacy layer but it does not create true anonymity.
Each of these steps will require additional expense and effort, and a tremendous effort will be required to maintain this privacy. To have a pseudo-anonymous VPN you must first register for it anonymously. This is a difficult part; the internet
connection from which you register it can compromise your privacy. I personally recommend you go to a public Wi-Fi and register with your VPN provider through that public Wi-Fi. Paying for a VPN may be somewhat easier. You can pay for the VPN listed above with Bitcoin or Monero, but make sure you’re paying with CLEAN Bitcoins or Monero that are already mixed and properly cleaned. That way it would be impossible to ever correlate that VPN with your real identity. Mullvad VPN will also accept Monero, which would be an even further security layer. After you have registered with the VPN provider, you must exercise extreme caution to maintain your privacy.
QUBES OS : VPN SET UP
For Qubes, I personally recommend you go to the website below and follow the steps to install a custom-made VPN VM that will block all traffic leaking from your VPN. That way, we can be sure that our true location is not being leaked accidentally. I also recommend you create 2 of those VPN VMs, or 3 depending on your threat model, and chain them together for maximum anonymity. https://github.com/tasket/Qubes-vpn-support
Once you have installed your VPN on Qubes, make sure it is not leaking any of your traffic, by going to the websites below and running tests on your connection.
1. Browserleaks.com
2. Whoer.net
3. dnsleaktest
4. IPleak.net
If your real location doesn’t appear in any of these websites, then your setup is perfect.
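The leak tests above are interpreted here offline, as an added example that is not part of the original guide: given what you know about your own VPN exit and ISP (hypothetical addresses from documentation ranges) and what the test sites report, the check flags public-IP, DNS and WebRTC leaks. The report layout and all addresses are constructed for the demonstration.

```python
"""Added example (not from the original guide): decide from leak-test
results whether a VPN setup leaks.  All addresses are constructed
sample values from documentation ranges, not real VPN or ISP addresses."""
import ipaddress

# What you know about your own setup (hypothetical values).
VPN_EXIT_IP = ipaddress.ip_address("203.0.113.40")
VPN_DNS = {ipaddress.ip_address("203.0.113.53")}
HOME_PUBLIC_IP = ipaddress.ip_address("198.51.100.7")
ISP_PREFIXES = [ipaddress.ip_network("198.51.100.0/24")]   # where ISP resolvers live
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed "observations", in the form the test sites would report them.
LEAKY_REPORT = {
    "public_ip": "203.0.113.40",
    "dns_resolvers": ["203.0.113.53", "198.51.100.2"],   # one ISP resolver slipped through
    "webrtc_ips": ["192.168.1.23", "198.51.100.7"],      # WebRTC exposes LAN + home IP
}
CLEAN_REPORT = {
    "public_ip": "203.0.113.40",
    "dns_resolvers": ["203.0.113.53"],
    "webrtc_ips": [],
}

def check_vpn_leaks(report):
    """Return a list of leak descriptions; an empty list means these
    checks found nothing.  (No leak found is not proof of no leak.)"""
    leaks = []
    public_ip = ipaddress.ip_address(report["public_ip"])
    if public_ip != VPN_EXIT_IP:
        leaks.append(f"public IP {public_ip} is not the VPN exit")
    if public_ip == HOME_PUBLIC_IP:
        leaks.append("public IP is your home address: VPN tunnel not in use")
    for r in report["dns_resolvers"]:
        resolver = ipaddress.ip_address(r)
        if resolver in VPN_DNS:
            continue                      # queries go through the tunnel, as intended
        if any(resolver in p for p in ISP_PREFIXES):
            leaks.append(f"DNS leak: queries reach ISP resolver {resolver}")
        else:
            leaks.append(f"DNS resolver {resolver} is not the VPN's")
    for w in report["webrtc_ips"]:
        ip = ipaddress.ip_address(w)
        if ip == HOME_PUBLIC_IP:
            leaks.append("WebRTC leak: home public IP exposed")
        elif any(ip in n for n in RFC1918):
            leaks.append(f"WebRTC leak: LAN address {ip} exposed")
    return leaks

if __name__ == "__main__":
    for name, rep in (("leaky", LEAKY_REPORT), ("clean", CLEAN_REPORT)):
        print(name, check_vpn_leaks(rep) or "no leaks detected")
```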
WI-FI ( Wireless Fidelity) SECURITY

As it was pointed out in the introduction to this tutorial, security and convenience are inversely related. Wi-Fi is an undeniable convenience. Negating the need for a physical cable, Wi-Fi allows us to access the internet from just about anywhere at just about any time. Intrinsic to this convenience, however is a great deal of insecurity, especially when compared with wired internet connections.
Wi-Fi is nothing more than a radio transmission that carries data packets between your computer’s Wi-Fi card and the wireless router. Because of this anyone with a
capable radio can “listen” in on your traffic. Simply listening in by capturing your packets as they travel to and from your computer is called sniffing. Sniffing requires some specialized (but free) software and a Wi-Fi card that can be placed in promiscuous mode (the ability to “listen” to all Wi-Fi traffic while not broadcasting). USB Wi-Fi antennas can be purchased very inexpensively and require only very little technical know-how.
While some of the techniques I will discuss below are changes made to your operating system, the majority of this chapter will deal with securing your wireless signal and best practices when using Wi-Fi. Before continuing with the security of Wi-Fi I will digress for just a moment to talk about how it is exploited.
WI-FI EXPLOITATION
Capturing packets is not terribly technically demanding and can even be beneficial. Seeing first-hand how Wi-Fi is exploited can underscore the point of how insecure Wi-Fi truly is and help you understand the importance of good encryption. Sniffing your home network is also a good way to see what vulnerabilities you have. If you
are interested in learning how to do this, you will need the following:
o Software. There are various Wi-Fi sniffing programs and many of them are free. Using them often requires using a Linux operating system. Kali Linux is a penetration-testing specific Linux operating system that comes with an
incredibly capable suite of Wi-Fi exploitation tools built-in.
o Hardware. The only specialized hardware you need is a promiscuous-capable Wi-Fi card. These are available online for as little as $30 on Amazon. As
long as your computer has an optical drive or you can boot from a USB flash drive you will not need a new computer. Kali can be booted from optical or USB flash media. Or you can use it with Qubes OS itself by following the tutorial in the Qubes docs (https://forum.qubes-os.org/t/creating-a-kali-linux-templatevm/19071)
o Technical know-how. Though hacking Wi-Fi is relatively simple it does require some specific knowledge. The graphic user interfaces for most of the programs consist mostly of a command prompt, so good working knowledge of Linux command line is necessary, though most of these commands can be found online.
WI-FI SECURITY MEASURES
Wi-Fi should be turned off when your computer is not actively connected to a network, and the computer should not be set to connect automatically to
networks. When your computer is not connected to your network (e.g. when you are traveling), it will actively search for networks it is set to automatically connect to. This searching is not passive. Other computers can detect this searching and see the name of the network(s) with free software. If your networks are all being
broadcasted through probes it is trivially easy for an attacker to set up an “evil twin” or “rogue access point” attack. To execute this form of a man-in-the-middle attack, an attacker will set up a network that has the same name as one of your
trusted networks. When your device recognizes this name, it will connect to the rogue network automatically (unless you have disabled automatic connections)
allowing your traffic to be routed through his or her device and potentially compromising it. Even SSL/TLS-encrypted traffic is vulnerable to a technique called
“SSL Stripping”. If, on the other hand, you have disabled automatic connections, the names of your stored networks will not be available to the hacker. Even if they
were, your computer would not connect to them automatically.
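An added example, not part of the original guide, that checks a Wi-Fi scan for the evil-twin conditions this section describes (a saved SSID on the air from an unknown BSSID, or offered as an open network when the saved copy is WPA2) and reports which auto-connect networks would be joined blindly. The scan records, saved-network list and field layout are constructed assumptions.

```python
"""Added example (not from the original guide): flag evil-twin
candidates in constructed Wi-Fi scan data.  The record layout is an
assumption; a real scan tool's output would need to be mapped onto it."""
from dataclasses import dataclass

@dataclass(frozen=True)
class ScanEntry:
    ssid: str
    bssid: str
    security: str   # "open", "wpa2-psk", ...
    channel: int

@dataclass(frozen=True)
class SavedNetwork:
    ssid: str
    known_bssid: str     # BSSID the network was first joined through
    security: str
    auto_connect: bool

# Constructed sample data.
SAVED = [
    SavedNetwork("HomeNet", "aa:bb:cc:00:00:01", "wpa2-psk", auto_connect=True),
    SavedNetwork("CoffeeShop", "aa:bb:cc:00:00:02", "open", auto_connect=False),
]
SCAN = [
    ScanEntry("HomeNet", "aa:bb:cc:00:00:01", "wpa2-psk", 6),
    ScanEntry("HomeNet", "de:ad:be:ef:00:99", "open", 11),      # impostor, open
    ScanEntry("CoffeeShop", "aa:bb:cc:00:00:02", "open", 1),
    ScanEntry("NETGEAR5", "12:34:56:78:9a:bc", "wpa2-psk", 1),
]

def find_rogue_candidates(scan, saved):
    """Return (ssid, bssid, reason) for scan entries that look like an
    evil twin of a saved network."""
    by_ssid = {s.ssid: s for s in saved}
    findings = []
    for entry in scan:
        known = by_ssid.get(entry.ssid)
        if known is None:
            continue                                  # not one of our networks
        if entry.bssid.lower() != known.known_bssid.lower():
            findings.append((entry.ssid, entry.bssid, "unknown BSSID for saved SSID"))
        if known.security != "open" and entry.security == "open":
            findings.append((entry.ssid, entry.bssid, "saved encrypted network offered as open"))
    return findings

def auto_connect_exposure(saved, findings):
    """Saved networks that would be joined without asking *and* have a
    rogue candidate on the air: exactly the case the text warns about."""
    flagged = {ssid for ssid, _, _ in findings}
    return sorted(s.ssid for s in saved if s.auto_connect and s.ssid in flagged)

if __name__ == "__main__":
    found = find_rogue_candidates(SCAN, SAVED)
    for f in found:
        print("suspicious:", f)
    print("auto-connect exposure:", auto_connect_exposure(SAVED, found))
```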
WI-FI SETTINGS IN QUBES OS
On Qubes, disabling automatic connections is fairly simple. Navigate to the network-manager icon in the bottom right corner of your Qubes toolbar (it should be a little red icon). Then go to your connection and make sure
“Connect to this network automatically when available” is disabled. It’s as simple as that. So, from that point on, you will always connect to a network manually
yourself, which increases your security considerably and leaves you safe against these kinds of attacks.
When setting up your home’s network there are some basic steps you can take to make your account much more secure than the average account. Some of these
settings will require that you be physically connected to the router via an Ethernet cable.
CHANGE MANAGEMENT ACCOUNT CREDENTIALS :
The first step you should take
when setting up your home’s network is to change the management account credentials. This account is the account you log into to change the router’s
settings. Anyone having access to it can turn off your encryption, view your usage logs, or take other malicious actions. The default credentials that are preset on the
router are openly available information and could allow anyone connecting to your network to make changes to your router. To change these settings, log into your
router by typing the router’s internal Internet Protocol (IP) address into the address bar while connected via a wired or wireless connection to the router. The
internal IP address for most Linksys routers is 192.168.1.1, while most D-Link and NetGear routers use an IP of 192.168.0.1. This will bring you to the administrator login page. If you have never changed your router’s login credentials they are probably set to the default. Conduct an internet search for the default username and password, then change these credentials immediately using a randomly
generated username and a good, strong password. By the way, sometimes the router’s login instructions are written on the router itself.
You can also make it more difficult to change the settings on your router by changing the IP address used to log into it. Login credentials can be defeated, so this step makes it more difficult for an attacker to connect to the router. The IP address can be changed to anything between 192.168.0.0 and 192.168.255.255 but ensure you recall what you change it to. As soon as this change is saved
and takes effect, you will need the new IP to log back into the router to make additional changes.
DISABLE REMOTE MANAGEMENT :
Remote management gives you the ability to log into and change the router’s management system without physically accessing the router or being connected to the router’s network. When this function is disabled you may be required to physically connect to the router with an Ethernet cable to
log into the management account. Though slightly inconvenient, you shouldn’t have to make changes to the router very often and the security upgrade is well worth it.
ENCRYPT THE SIGNAL:
Next, encrypt the wireless signal using WPA2-PSK
encryption. There are several options on many routers for encryption, including
WEP (Wired Equivalent Privacy), WPA (Wi-Fi Protected Access), and WPA2 but the
only one you should consider using is WPA2-PSK. WEP has been broken for years
and is extremely easily defeated through an attack known as a “statistical attack”. WPA has serious vulnerabilities, especially with its Temporal Key Integrity
Protocol (TKIP). WPA2 is a re-engineered version of WPA offering AES (Advanced Encryption Standard) and the greatest security for wireless networks currently available. If your router does not offer WPA2-PSK (Pre-Shared Key) (802.11n) upgrade your router as soon as possible. Do not neglect to assign a good password to your network. Though it may take some time and effort to enter the password on your devices, it only has to be done once.
CHANGE YOUR SSID:
You should also change the SSID, the name of your network that is broadcast to your devices. Though it is possible to (and some recommend this) hide the SSID, this is a fairly ineffective technique. Wi-Fi sniffers (programs designed to detect and exploit Wi-Fi networks) can easily find hidden networks.
Instead, rename the network with a name that does not leak information about you.
Renaming your network is an excellent opportunity to provide some disinformation about your home. There are websites that map every known wireless network (https://wigle.net). Anyone seeing your true name attached to a network can make a reasonable assumption about the location of your residence, while a false name on these websites could obscure your home address. Instead of naming your network something personally relatable to you like “NicoSellNet” or “NSell_Wi-Fi”, use one of the most common names from the website above like “NETGEAR5” or “xfinity-wifi”. If anyone is looking for your house based on Wi-Fi
networks, this will make it much more difficult to locate.
OPT-OUT OF WI-FI MAPPING :
Wi-Fi networks are now mapped in tandem with other street mapping efforts such as Google Street View. This means that if your network name is collected, it can be looked up as an overlay on a map. This allows anyone to map your location, based on your Wi-Fi networks, by capturing the SSID
that your computer broadcasts when searching for a network to connect to. To prevent your home network from being mapped (at least by Google), an option
you can take is to terminate your router’s SSID with the suffix “_nomap” (for example: Luna_wifi_nomap). This is the opt-out for Google’s Wi-Fi network
mapping. Any router SSID containing this suffix will not be included on Google map overlays that display Wi-Fi networks. Alternatively, assign your Wi-Fi network an SSID that creates disinformation as described in the previous paragraph.
DISABLE WI-FI PROTECTED SETUP (WPS) :
Wi-Fi Protected Setup is a convenience feature that is intended to make it easier to connect to a wireless device. Rather than entering the password when connecting to an encrypted network, the user can physically push the WPS button on the router or enter a six-digit WPS code when
connecting for the first time. Unfortunately, the WPS protocol is broken. No matter how strong the password on your network is, cracking the simple six-digit
WPS code can grant access to the network. Disable WPS completely, even though it makes logging into your network more time consuming (though again, you only have to do this on your home network on initial setup and when you change the
password).
TURN OFF THE SIGNAL WHEN NOT IN USE :
In the setup menu for most routers,
you can elect to turn the router’s signal off between certain hours and on certain days, at times when everyone in your home is typically asleep or everyone is gone,
for example. Unless you rely on wireless IP cameras or other Wi-Fi devices as part of your physical security system, there is no need to leave your router on when you are going out of town; simply unplug it. Powering the router off lowers its
profile; the less time it is on and broadcasting, the smaller its attack surface.
SCAN YOUR HOME NETWORK:
Though this does not pertain to router setup specifically, it is a good step to take after setting up your home router. My antivirus application of choice (Avast) can conduct a home network scan. It will test to see if your devices are visible from the internet, check router security configurations, and ensure that your wireless signal is encrypted. You can run this
scan on any network to which you are connected to give you an idea of the security of the network before you use it to transmit sensitive information.
MAC (MEDIA ACCESS CONTROL) FILTERING:
One security measure that is sometimes touted but is largely
ineffective is MAC filtering. A MAC address (Media Access Control) is a number unique to your device, analogous to its electronic ID. Filtering MAC addresses allows connections only from devices on a “whitelist” (a preapproved list of trusted devices). While MAC filtering is good in theory, it is very easily defeated through MAC spoofing, a technique used by attackers to capture your MAC and assign it temporarily to their device. This technique is not especially difficult to do, especially by anyone with the ability to crack your (WPA2) encryption. Additionally, MAC filtering requires you to log into the router and update the
whitelist each time you need to connect a new device.
A technique that is allowed on many routers similar to MAC filtering, though slightly less onerous, is to limit the number of devices that may connect at a given
time. This is intended to keep networks uncrowded to manage bandwidth, though you will occasionally hear it listed as a security measure.
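The router checklist above (credentials, management IP, remote management, encryption, passphrase, WPS, SSID, MAC filtering) as an added audit example that is not part of the original guide. The settings dict, the default-credential list and the sample configurations are constructed placeholders; real routers expose these settings in their own way.

```python
"""Added example (not from the original guide): audit exported router
settings against this section's checklist.  The dict layout, the
default-credential list and the sample values are hypothetical."""
import math
import re

# Constructed stand-ins for the openly searchable default-credential
# lists the text mentions (placeholders, not a real database).
DEFAULT_CREDS = {("admin", "admin"), ("admin", "password"), ("admin", "")}
# Blend-in names of the kind the text recommends.
COMMON_SSIDS = {"NETGEAR5", "xfinity-wifi"}

def passphrase_bits(pw):
    """Rough strength estimate: length times log2 of the character pool used."""
    patterns = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    pool = sum(size for pat, size in zip(patterns, (26, 26, 10, 32)) if re.search(pat, pw))
    return len(pw) * math.log2(pool) if pool else 0.0

def audit_router(cfg):
    """Return (severity, finding) pairs for settings this section says to
    change; an empty list means every check passed."""
    findings = []
    if (cfg["admin_user"], cfg["admin_password"]) in DEFAULT_CREDS:
        findings.append(("high", "management account still uses default credentials"))
    if cfg["admin_ip"] in ("192.168.0.1", "192.168.1.1"):
        findings.append(("low", "management IP is a vendor default"))
    if cfg["remote_management"]:
        findings.append(("high", "remote management is enabled"))
    if cfg["encryption"] != "WPA2-PSK":
        findings.append(("high", f"encryption is {cfg['encryption']}, not WPA2-PSK"))
    if passphrase_bits(cfg["psk"]) < 60:
        findings.append(("high", "Wi-Fi passphrase is too weak"))
    if cfg["wps_enabled"]:
        findings.append(("high", "WPS is enabled; its code can be cracked regardless of the password"))
    ssid = cfg["ssid"]
    if any(tok.lower() in ssid.lower() for tok in cfg["personal_tokens"]):
        findings.append(("medium", "SSID leaks personal information"))
    elif ssid not in COMMON_SSIDS and not ssid.endswith("_nomap"):
        findings.append(("medium", "SSID is neither a blend-in name nor tagged _nomap"))
    if cfg["mac_filtering"]:
        findings.append(("info", "MAC filtering is on: easily spoofed, not a substitute for WPA2"))
    return findings

# Constructed sample configurations: factory-fresh versus hardened.
FACTORY_CFG = {
    "admin_user": "admin", "admin_password": "admin", "admin_ip": "192.168.1.1",
    "remote_management": True, "encryption": "WEP", "psk": "password",
    "wps_enabled": True, "ssid": "NicoSellNet", "personal_tokens": ["Nico", "Sell"],
    "mac_filtering": False,
}
HARDENED_CFG = {
    "admin_user": "kq7zvm", "admin_password": "Rt9!vq2#Lm8^wXz4", "admin_ip": "192.168.37.1",
    "remote_management": False, "encryption": "WPA2-PSK", "psk": "tR9!vq2#Lm8^wXz4pQ7&",
    "wps_enabled": False, "ssid": "NETGEAR5", "personal_tokens": ["Nico", "Sell"],
    "mac_filtering": False,
}

if __name__ == "__main__":
    for name, cfg in (("factory", FACTORY_CFG), ("hardened", HARDENED_CFG)):
        print(name, audit_router(cfg) or "all checks passed")
```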
BEST PRACTICES FOR UNTRUSTED/UNENCRYPTED
NETWORKS
There are times when it may be necessary to use an untrusted, unencrypted wireless network. While ideally you would never use such a network, the convenience of such networks makes them hard to resist and there may be situations in which you have no choice but to work from one. Some basic best
practices when using these networks (if you must use them) can make your browsing much more secure.
1. ABSOLUTE BEST PRACTICE DON’T USE THEM:
Again, Wi-Fi is terribly convenient
and it can be hard to resist the urge to connect and watch YouTube, download your podcasts, or log in and get some work done while you wait to board your flight. The risks of using untrusted networks are very high though. If at all possible
avoid using them and instead tether your phone or better yet, wait until you can use a trusted connection. If you can wait to use the internet until you get home or
at least to your hotel, where you can likely use a wired connection, do so. If not, do not enter any sensitive information (like login credentials) on that network, and
follow the steps listed below.
2. CONNECT TO THE RIGHT NETWORK: Every day criminals and hackers set up fake wireless access points to lure the unsuspecting into connecting to them. This is
often done in public spaces where dozens of Wi-Fi networks exist and a free hotspot does not raise much suspicion. With names like “Free Wi-Fi” or “Public Hotspot”, these insecure connections are used naively by many who treat them no
differently than their home network. Unfortunately, many of these are merely traps to capture login, bank/credit card, and other sensitive information. When
you check into a hotel, visit a coffee shop or bookstore, or use Wi-Fi at a public library, ask someone who works there which network you should use. If two or more networks have very similar names, take a closer look at the names. If you
have any doubt whatsoever, do not connect. It is worth the hassle to ensure you are on a legitimate network.
3. USE A WIRED CONNECTION IF AVAILABLE: Many hotels offer in-room, hard-wired connections. Some coffee shops offer wired connections, too. Using a wired
connection will not make you invincible, but because of the switching involved in transmitting and receiving packets it does make intercepting and exploiting your
traffic much more difficult. It also reduces the likelihood of you connecting to a phony network to almost nil. Capturing Wi-Fi packets is notoriously easy and can
be pulled off by even unskilled attackers, but attacking a wired network is much more difficult. There are still many exploits against wired connections, but they are far fewer in number and require far more technical know-how. Also, be aware that even if traffic over a wired network is not being maliciously attacked, your packets
are still vulnerable to inspection on the router to which you are connected, and by the internet service provider. This is a major consideration if you are working in a country where your threat model adversary is a nation-state actor who monitors the country’s internet, such as Egypt, Iran, North Korea, or the United States.
4. USE A VPN OR TOR: Using a virtual private network or Tor is one of the best security measures you can take if you must connect to any untrusted network, wireless or wired. While it does not prevent your packets from being captured, it will ensure your traffic is encrypted from your device to the exit server. Any packets that are captured on the local wireless network will be encrypted and
therefore unusable. Using one of these measures will protect you against inspection by both the owner of the router (i.e. the coffee shop or hotel) and the internet service provider (ISP). If you have a VPN for work that you must log into to access your office’s server, you can probably connect to it before accessing the internet from an unsecured Wi-Fi. Even though it will not protect your traffic from your office’s IT department, it will secure your connection and prevent the packets from being captured in plaintext locally.
5. DO NOT OPEN FILES: Running more applications means presenting more attack surface. When using an untrusted network, you should be exceedingly cautious
about opening any attachments you download or running any applications other than the web browser you are using on the network. This will lessen the chances of information being automatically sent by these applications over an unsecure
connection.
If you will be using a certain network frequently in the future and would like to leave it as a known network, change the settings so that you must manually
connect to it. This will eliminate your attack surface for evil twin attacks, and reduce information leaked about your Wi-Fi networks.
SPOOFING MAC (MEDIA ACCESS CONTROL) ADDRESS
Every internet connection possesses a MAC address. It is assigned to the hardware element of the connection such as the Ethernet port or the Wi-Fi chip. This is hard-coded into the boards and broadcasted to the first router connection. It is unlikely for online services, such as websites, to ever see this information. However, internet service providers (ISP), wireless hotspots, and public tracking systems collect these details at all times. There are numerous ways to spoof a MAC address. Some prefer a terminal solution with system commands. Many prefer applications that automate the process. Below is the tutorial for anonymizing your MAC address on Qubes.
https://forum.qubes-os.org/t/anonymizing-your-mac-address/19072
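As an added example (not the linked Qubes tutorial's code, nor anything from the original guide): generating a random locally-administered MAC address, validating that it is unicast and locally administered, and building the iproute2 command that would apply it on Linux. The interface name is an assumption and nothing here touches a real interface.

```python
"""Added example (not from the original guide or the linked tutorial):
random locally-administered MAC generation and validation.  The
command is returned as an argv list, never executed; applying it
needs root and the interface brought down first."""
import os
import re

_MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")

def random_laa_mac():
    """Random unicast MAC with the locally-administered bit set, so it
    never impersonates a vendor-assigned (globally unique) address."""
    b = bytearray(os.urandom(6))
    b[0] = (b[0] & 0xFC) | 0x02   # clear multicast bit (bit 0), set LAA bit (bit 1)
    return ":".join(f"{x:02x}" for x in b)

def is_laa_unicast(mac):
    """True if mac is well formed, unicast and locally administered."""
    mac = mac.lower()
    if not _MAC_RE.match(mac):
        return False
    first = int(mac[:2], 16)
    return (first & 0x01) == 0 and (first & 0x02) == 0x02

def apply_command(iface, mac):
    """argv for iproute2 ('ip link set dev <iface> address <mac>').
    Refuses anything that is not a locally-administered unicast MAC."""
    if not is_laa_unicast(mac):
        raise ValueError("refusing to apply a non-LAA or multicast MAC")
    return ["ip", "link", "set", "dev", iface, "address", mac]

if __name__ == "__main__":
    mac = random_laa_mac()
    print(mac, is_laa_unicast(mac))
    print(" ".join(apply_command("wlan0", mac)))   # hypothetical interface name
```

Change the address before connecting, not after, since the hotspot has already recorded the old one once you associate.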
CONCLUSION :
Now, we have come to the conclusion of Data In Motion. We learnt about setting up a VPN, Wi-Fi, BASIC ROUTER SETUP and spoofing of the MAC ADDRESS. Even though you can't be 100% anonymous, I hope this guide will help give you privacy while connecting, browsing or doing tasks on the Internet.
GOOD LUCK!