This guide will walk you through setting up Pi-hole on an AWS Lightsail instance that acts as your VPN thanks to OpenVPN. It’s a more succinct version of the official Pi-hole docs for OpenVPN, made specifically for Lightsail with a few tips and tricks added in, because you deserve it.
Log in or sign up to AWS and create a Lightsail Instance.
Under Select a platform, choose Linux/Unix.
Under Select a blueprint, choose the OS Only button.
Select the latest officially supported Ubuntu server.
You can save a tidbit of effort by putting the following into the Launch script box:
# Update installed packages
sudo apt-get update
sudo apt-get upgrade -y
Create a new SSH key for this server and ensure you download the .pem file.
Choose your plan. The $3.50 USD instance is sufficient.
Give it a name then click Create instance.
Stare eagerly at the page until the instance status is Running, then go to the Networking tab.
Create a Static IP and attach it to your new instance. Remember that static IP addresses are free only while attached to an instance.
Click on your instance name to return to its dashboard. Go back to the Networking tab. It’ll look a bit different now.
Under IPv6 networking, click the toggle to turn it off (unless you know what you are doing and you want IPv6 for some reason. Most of y’all don’t need it).
Under IPv4 Firewall, delete the rule for HTTP.
Click Add rule. In the Application dropdown, choose Custom, set the protocol to UDP, and enter the port you want OpenVPN to listen on. (OpenVPN's default is 1194, which you can use, but a different number cuts down on noise from automated scanners. Treat that as obscurity rather than a real control; the key material and firewall below are what actually protect the server. Port range is 0-65535.)
Connect using SSH and your new key pair, either in your terminal or on the Connect tab with the browser-based client.
After connecting to your server using SSH, install OpenVPN. The short link below is a git.io redirect (GitHub's now-deprecated URL shortener) to Nyr's openvpn-install script on GitHub. You are about to run a downloaded script as root, so open it and read it before the sudo step; if the redirect no longer resolves, fetch the script from that repository directly.
# Download OpenVPN
wget https://git.io/vpn -O openvpn-install.sh
chmod 755 openvpn-install.sh
sudo ./openvpn-install.sh
You’ll see:
Welcome to this OpenVPN road warrior installer!
This server is behind NAT. What is the public IPv4 address or hostname?
Public IPv4 address / hostname [x.xx.xxx.xxx]:
…where the default option is your static IP that you set up earlier. Hit return to accept this. Then:
Which protocol should OpenVPN use?
1) UDP (recommended)
2) TCP
Protocol [1]: 1
Choose 1 or hit return. Then:
What port should OpenVPN listen to?
Port [1194]: #####
Enter the UDP port number you chose earlier. Then:
Select a DNS server for the clients:
1) Current system resolvers
2) Google
3) 1.1.1.1
4) OpenDNS
5) Quad9
6) AdGuard
DNS server [1]: 1
Choose 1 or hit return. Then:
Enter a name for the first client:
Name [client]: pihole
The Pi-hole will be the client. Name it as you like then Press any key to continue...
OpenVPN will set itself up. Confirm that tun0 has the interface address 10.8.0.1/24 with the following command:
ip addr show tun0
This ensures that the Pi-hole will be set up properly. Now, about that:
On your Lightsail instance, install Pi-hole.
# Download and install Pi-hole
curl -sSL https://install.pi-hole.net | bash
This runs the Pi-hole automated installer. You’ll see some prompts which you can answer using the enter key, arrow keys, tab, and space bar for selecting an option.
The important things: when the installer asks for the interface, choose tun0. It isn't the default selection. When it asks for the IPv4 address, use the one you confirmed with the ip addr command: 10.8.0.1/24. This ensures the Pi-hole uses the VPN.
At time of writing, the second item above wasn't presented as an option in the automated installer. After the Pi-hole installer finishes, manually change the IP address by editing the configuration file:
sudo vim /etc/pihole/setupVars.conf
Change IPV4_ADDRESS to 10.8.0.1/24 and save the file. Restart the Pi-hole's resolver with pihole restartdns.
If you mess up, you can redo the configuration with pihole reconfigure.
Finally, you’ll configure the VPN to use the Pi-hole.
Confirm the address of the tun0 interface with:
ip a | grep -C 1 'tun0'
You should see inet 10.8.0.1/24 in there.
Edit the OpenVPN config file with:
sudo vim /etc/openvpn/server/server.conf
Change the line that starts with push "dhcp-option" to use the Pi-hole's IP address that you confirmed above:
push "dhcp-option DNS 10.8.0.1"
If any other lines start with push "dhcp-option", comment those out. A second DNS push hands clients another resolver, and any query sent there bypasses the Pi-hole entirely.
If you want to log OpenVPN traffic, add these lines to the end of the file:
log /var/log/openvpn.log
verb 3
Save the config. If you forgot to open Vim with sudo, use the tee trick: :w !sudo tee %, then O, then :q!.
Restart OpenVPN with sudo systemctl restart openvpn-server@server.
Run the following to control traffic to the server (the rules follow the Pi-hole OpenVPN documentation). The two 1194 lines must use the port you chose for OpenVPN earlier: the last rule makes DROP the default for INPUT, so a mismatch here locks your VPN clients out of the server.
sudo iptables -I INPUT -i tun0 -j ACCEPT
sudo iptables -A INPUT -i tun0 -p tcp --destination-port 53 -j ACCEPT
sudo iptables -A INPUT -i tun0 -p udp --destination-port 53 -j ACCEPT
sudo iptables -A INPUT -i tun0 -p tcp --destination-port 80 -j ACCEPT
sudo iptables -A INPUT -p tcp --destination-port 22 -j ACCEPT
# Replace 1194 with the UDP port you chose for OpenVPN
sudo iptables -A INPUT -p tcp --destination-port 1194 -j ACCEPT
sudo iptables -A INPUT -p udp --destination-port 1194 -j ACCEPT
sudo iptables -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -I INPUT -i lo -j ACCEPT
sudo iptables -P INPUT DROP
# Optionally, also reject connections to blocked HTTPS ad domains so they fail fast instead of hanging until timeout.
sudo iptables -A INPUT -p udp --dport 80 -j REJECT --reject-with icmp-port-unreachable
sudo iptables -A INPUT -p tcp --dport 443 -j REJECT --reject-with tcp-reset
sudo iptables -A INPUT -p udp --dport 443 -j REJECT --reject-with icmp-port-unreachable
You can review the results with sudo iptables -L --line-numbers.
These are only stored in memory before you save them, so test out your set up on your client now to see if it all works as expected.
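As an added check that is not part of the original guide: the script below reads an OpenVPN server.conf and an iptables-save dump and reports the mistakes this walkthrough makes easy to make, namely a DNS push that is not the tun0 address (or a second dhcp-option push left active) and a host firewall that still only admits the default port 1194 after you chose another one. The sample server.conf and rule dumps are constructed inline, with 41194 as a hypothetical chosen port; the 10.8.0.1 address is the tun0 address from the steps above. On the instance, run it against /etc/openvpn/server/server.conf and the output of sudo iptables-save.

```python
import ipaddress
import re
import sys

TUN0_ADDR = "10.8.0.1"  # the address confirmed with `ip addr show tun0`
PUSH_RE = re.compile(r'^push\s+"?dhcp-option\s+(\S+)\s+([^"\s]+)"?')
RULE_RE = re.compile(r"^-A INPUT\b(?P<body>.*)-j (?P<target>\S+)")


def parse_server_conf(text):
    """Pull out the server.conf directives this guide depends on."""
    conf = {"port": 1194, "proto": "udp", "server": None, "dhcp": [], "dns": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # OpenVPN comment markers
            continue
        words = line.split()
        if words[0] == "port" and len(words) > 1:
            conf["port"] = int(words[1])
        elif words[0] == "proto" and len(words) > 1:
            conf["proto"] = words[1].rstrip("46")  # udp4 / udp6 -> udp
        elif words[0] == "server" and len(words) > 2:
            conf["server"] = ipaddress.ip_network(f"{words[1]}/{words[2]}", strict=False)
        elif m := PUSH_RE.match(line):
            option, value = m.groups()
            conf["dhcp"].append(option)
            if option == "DNS":
                conf["dns"].append(value)
    return conf


def check_server_conf(text, tun0_addr=TUN0_ADDR):
    """Return (parsed conf, problems); an empty problems list means OK."""
    conf = parse_server_conf(text)
    problems = []
    if conf["dns"] != [tun0_addr]:  # exactly one DNS push, and it is the Pi-hole
        problems.append(f"expected exactly one push dhcp-option DNS {tun0_addr}, found {conf['dns']}")
    extra = [o for o in conf["dhcp"] if o != "DNS"]
    if extra:  # e.g. a DOMAIN push the guide says to comment out
        problems.append(f"other dhcp-option pushes still active: {extra}")
    if conf["server"] and ipaddress.ip_address(tun0_addr) not in conf["server"]:
        problems.append(f"{tun0_addr} is outside the 'server' network {conf['server']}")
    return conf, problems


def check_firewall(save_text, port, proto):
    """Check an iptables-save dump against the OpenVPN port and protocol in use."""
    policy_drop, tun0_open, accepts = False, False, set()
    for raw in save_text.splitlines():
        line = raw.strip()
        if line.startswith(":INPUT DROP"):
            policy_drop = True
        m = RULE_RE.match(line)
        if not m or m.group("target") != "ACCEPT":
            continue
        body = m.group("body")
        if "-i tun0" in body and "--dport" not in body:
            tun0_open = True  # blanket accept for VPN clients (DNS, web UI)
        pm, dm = re.search(r"-p (tcp|udp)", body), re.search(r"--dport (\d+)", body)
        if pm and dm and "-i " not in body:  # reachable from any interface
            accepts.add((pm.group(1), int(dm.group(1))))
    problems = []
    if not policy_drop:
        problems.append("INPUT policy is not DROP")
    if (proto, port) not in accepts:
        problems.append(f"no INPUT ACCEPT for {proto}/{port}; with policy DROP the VPN is unreachable")
    if port != 1194 and any(p == 1194 for _, p in accepts):
        problems.append("stale ACCEPT for default port 1194 left in place")
    if not tun0_open:
        problems.append("no blanket ACCEPT on tun0; clients cannot reach the Pi-hole")
    return problems


def audit(server_conf_text, iptables_save_text, tun0_addr=TUN0_ADDR):
    conf, problems = check_server_conf(server_conf_text, tun0_addr)
    return problems + check_firewall(iptables_save_text, conf["port"], conf["proto"])


# Constructed sample: server.conf after the edits above, with hypothetical port 41194.
SAMPLE_SERVER_CONF = """\
port 41194
proto udp
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 10.8.0.1"
;push "dhcp-option DNS 8.8.8.8"
"""

# Constructed sample: the guide's rules exactly as written, as iptables-save shows them.
SAMPLE_IPTABLES_AS_WRITTEN = """\
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i tun0 -j ACCEPT
-A INPUT -i tun0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1194 -j ACCEPT
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
COMMIT
"""
SAMPLE_IPTABLES_FIXED = SAMPLE_IPTABLES_AS_WRITTEN.replace("1194", "41194")

if __name__ == "__main__":  # args: server.conf and an iptables-save dump; none = run the samples
    inputs = [open(p).read() for p in sys.argv[1:]] if len(sys.argv) == 3 else [SAMPLE_SERVER_CONF, SAMPLE_IPTABLES_AS_WRITTEN]
    print("\n".join(audit(*inputs) or ["OK: DNS push and firewall agree with the VPN settings"]))
```

Run with no arguments and it reports the two findings against the rules as written (no ACCEPT for udp/41194, and a stale 1194 rule); with the substituted port it reports nothing. Rules that carry an interface match such as -i tun0 are deliberately not counted as "open to the internet", which is why the blanket tun0 ACCEPT is tracked separately.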
To test your configuration, try adding a client (the phone or computer that will connect to the VPN).
sudo ./openvpn-install.sh
and choose 1) Add a new client. Give it a name; you may find it helps to name it by the device, e.g. “phone”. This creates a file that ends in .ovpn. You need to place this file on your client to use it. Copy the .ovpn file you just obtained to the device if you haven’t already. (See future tasks for a way to copy the file to your host machine.) That file embeds the client’s private key alongside the CA certificate, so treat it like a password: move it over a channel you trust and delete any spare copies afterwards. Follow instructions in your app (try under FAQ) for importing the .ovpn file and activating the VPN. Try browsing for a while. You can also view the Pi-hole dashboard by visiting http://pi.hole/admin/ on this device.
If everything seems all right, go on to saving the configuration on your instance.
Save the iptables rules you created earlier. Piping through tee is what lets you write to a root-owned location; a plain > redirect would run with your own user’s permissions and fail.
sudo iptables-save | sudo tee /etc/pihole/rules.v4
This only writes the rules to a file. Nothing in this guide reloads them after a reboot (iptables-restore, or a package such as iptables-persistent, can do that), so re-check sudo iptables -L the next time the instance restarts.
You’re finished with configuration on your Lightsail instance. If you wish to disconnect now, you can just type exit.
You’re done with the set up! You now have your very own personal VPN with a Pi-hole keeping you safe from nasty trackers. Here are some references for operations you might like to come back to in the future:
Connect to the instance over SSH: ssh -i /path/to/private-key.pem ubuntu@public-ip-address
Set or reset the Pi-hole admin password: pihole -a -p
Open the Pi-hole dashboard while connected to the VPN: http://pi.hole/admin/
Update Pi-hole: pihole -up
Copy the .ovpn file for a client to your host machine (run on the host machine):
ssh -i /path/to/private-key.pem ubuntu@public-ip-address 'sudo cat /path/on/lightsail/client.ovpn' > /path/on/host/client.ovpn
Enjoy your new, more secure and peaceful Internet! If you found this guide helpful, please share it with someone else.
If a move towards privacy is what we’re after, we know a new off-the-shelf Google phone isn’t a better answer – but there are more options.
If you don’t want the details, jump straight to The TL;DR at the end.
Unless you’re a rather tolerant tech-savvy tinkerer, a Linux phone isn’t one of these options… yet. I’ve personally been very excited about the bevy of emerging options in this space, from freedom-oriented hardware to fully open source, crowd-developed operating systems.
The current state of these efforts is that this magical mashup just isn’t ready yet. Most Linux phone OSes, such as Ubuntu Touch, Mobian, and PureOS, are in a “mostly working” state, with the missing features ranging from “lack of reliable push notifications” to “intermittent Bluetooth connectivity” to “camera.”
If all you need is text messaging and a web browser, yes, you can probably go this route. For most users however, this isn’t going to make daily-driver status.
If a Linux phone would suit you, I recommend getting your hands on a PinePhone and running Arch Linux ARM (releases on GitHub) with Plasma Mobile.
For a daily-driver, “de-googled” Android is your best bet. Android itself (specifically, the Android Open Source Project source code) is based on a modified Linux kernel and is free and open source software. When we typically think of “Android phones,” we refer to Android devices with Google’s proprietary software added to the mix, including Google Play Services. A “de-googled” Android phone is essentially the Android OS without Google’s spyware services included by default.
Keep in mind that this route still involves some DIY. You’ll need to install an OS on a device yourself. Don’t worry, there are step-by-step guides available – the most technical thing you’ll likely have to do is copy and paste some commands into your terminal.
Free and open source Android OS comes in multiple flavors, and the choice isn’t arbitrary. Your selection of a “de-googled” phone is going to be determined by a couple factors: the hardware device you have or that you want to use, and the apps (software) you want to run on it.
The phone you may already have (or the one you’re willing to purchase) will influence your choice of operating system (OS).
At the time I’m writing this, if you have an older Pixel or another model of Android phone, your best bet for a hassle-free OS with A-class support will be Lineage. Here’s a link to the LineageOS list of supported devices. Clicking on your device here will get you to some installation instructions for your phone.
If you have a newer Pixel (generation 3 up to the newer 5) then GrapheneOS could be the way to go. Here are the devices officially supported by GrapheneOS. They also have easy-to-follow installation instructions and help via chat. It is possible to run GrapheneOS on other phones, but not without substantial DIY for which technical knowledge would help.
Generally speaking, GrapheneOS is intended to be a security-hardened operating system targeted at individuals who won’t be miffed if there are tradeoffs for mitigating vulnerabilities. If you don’t have those requirements or intend to use Google Apps on your phone (see Software), then LineageOS will likely suit you better.
If you’re looking to purchase a new phone, you have some flexibility. My general recommendation is to pick up last-season’s version of the model you want. Not only will this likely be cheaper (and often a great deal if you buy refurbished) but the open source community that develops these operating systems will have had more time to work with the device itself, which could help ensure better compatibility and a smoother set up.
Consider buying a refurbished phone (sometimes called “renewed”) locally when you can. This can help fund the small businesses that offer them.
What do you need to do on your phone? Privacy and convenience are typically at odds (a far larger topic I won’t dig into right now) so it can help to narrow down the functionality you need. If your needs look something like:
Then you’re good to go, right out of the box, with either LineageOS or GrapheneOS. They’ll both include free and open source apps that let you do all these things.
If you want a particular application that doesn’t come pre-installed, here’s where we get into some nuance. Your choices depend on the level of privacy you’d like to maintain. Here are your avenues for installing apps, listed in order of preference.
Some particularly privacy-focused applications offer an Android Package Kit (APK) that you can download directly in order to install the app. You should only download these when you’ve navigated directly to a domain that the organization owns. Here are my favorites:
You can download and install APKs whether you choose LineageOS or GrapheneOS.
If you can’t find an APK for something you want, search for it on F-Droid.
The F-Droid software repository allows you to download and install apps in much the same way that the Google Play store does, with a couple notable differences. All the apps here are free and open source, and no account or profile is required to download them. The F-Droid APK itself can be downloaded and installed from f-droid.org directly on either LineageOS or GrapheneOS.
Just like any open source software, it’s up to the user (you) to ensure that you’re downloading and installing software you trust. If you want help or advice, F-Droid has a healthy community that you can interact with in lots of ways, including via IRC, Matrix, and the Fediverse.
You can find an app for pretty much anything here: from your general-store type functions such as to-do lists, music players, and maps; to specific niche security applications, and even a tea timer. Here are some well-known choices I can easily recommend:
If you need an app that isn’t available on F-Droid, your next stop is the Aurora Store. This is an unofficial client for the Google Play Store that lets you download free applications anonymously, without signing into a Google account. Most applications found in the larger stores can be downloaded this way, without requiring Google’s proprietary stuff on your phone.
When loading Aurora Store for the first time, be sure to choose the “Anonymous” option instead of signing in.
The Aurora Store itself can be installed via F-Droid or auroraoss.com. It works on either LineageOS or GrapheneOS; however, apps that demand more invasive permissions or access will probably work better on LineageOS.
Keep in mind that your phone OS in no way supports these apps directly, or knows what’s in them, or what sort of tracking and information exchange they may be up to. It’s a slight privacy downgrade, but still better than a fully Google-ified OS.
If this will be your only phone and you simply must have Google Apps on it (think Google Play Store, Gmail, Calendar, Photos, etc) then go with LineageOS. You can choose to try emulating Google Play Services using LineageOS for microG, or install the Google Apps add-on when you install LineageOS.
Here’s the “Internet personality quiz” version of everything above. You are…
Whichever route you choose, my advice is to treat this like a learning experiment. You’re sort of building your own phone, after all, and gaining all the technological independence that comes with that knowledge. If possible, don’t ditch your current phone until you try out one (two?) of these paths. The one you end up liking most could surprise you! It’s great to have options.
Signal is experiencing technical difficulties. We are working hard to restore service as quickly as possible.
— Signal (@signalapp) January 15, 2021
The small team responded impressively quickly, especially given that a 4,200% spike in new users was utterly implausible before it occurred.
The downside of so many people moving onto this fantastic application is that it caused a brief outage. If you rely solely on a certain application for your communications, brief outages can be debilitating. Even when it seems implausible that your favorite chat, email, or website service could just – poof – vanish overnight, recent events have proved it isn’t impossible.
Have a backup plan. Have several. Here’s how you can improve your digital resiliency for things like websites, messaging, and email.
I recommend Signal because it is open source, end-to-end encrypted, cross-platform, and offers text, voice, video, and group chat. It’s usually very reliable; however, strange things can happen.
It’s important to set up a backup plan ahead of any service outages with the people you communicate with the most. Have an agreement for a secondary method of messaging – ideally another end-to-end encrypted service. Avoid falling back on insecure communications like SMS and social media messaging. Here’s a short list for you to explore:
If you’re particularly technically inclined, you can set up your own self-hosted chat service with Matrix.
Having a go-to plan B can help bring peace of mind and ensure you’re still able to communicate when strange things happen.
Do you know the phone numbers of your closest contacts? While memorizing them might not be practical, storing them solely online is an unnecessary risk. Most services allow you to export your contacts to vCard or CSV format.
I recommend keeping your contacts locally on your device whenever you can. This ensures you still know how to contact people if your cloud provider is unavailable, or if you don’t have Internet access.
Full analog redundancy is also possible here. Remember that paper stuff? Write down the phone numbers of your most important contacts so you can access them if your devices run out of battery or otherwise can’t turn on (drop your phone much?).
If your email service exists solely online, there’s a big email-shaped hole in your life. If you can’t log in to your email for any reason – an outage on their end, a billing error, or your Internet is down – you’ll have no way to access your messages for however long your exile lasts. If you think about all the things you do via email in a day, I think the appropriate reaction to not having local copies is 🤦.
Download an open source email client like Thunderbird. Follow instructions to install Thunderbird and set it up with your existing online email service. Your online service provider may have a help document that shows you how to set up Thunderbird.
You can maximize your privacy by turning off Thunderbird’s telemetry.
To ensure that Thunderbird downloads your email messages and stores them locally on your machine:
You may need to visit each of your folders in order to trigger the initial download.
Some other settings you may want to update:
You don’t need to start using Thunderbird for all your email tasks. Just make sure you open it up regularly so that your messages sync and download to your machine.
I strongly believe you should have your own independent website for reasons that go beyond redundancy. To truly make your site resilient, it’s important to have your own domain.
If you know that my website is at the address victoria.dev, for example, it doesn’t matter whether I’m hosting it on GitHub Pages, AWS, Wordpress, or from a server in my basement. If my hosting provider becomes unavailable, my website won’t go down with it. Getting back up and running would be as simple as updating my DNS configuration to point to a new host.
Price is hardly an excuse, either. You can buy a domain for less than a cup of coffee with my Namecheap affiliate link (thanks!). Namecheap also handles your DNS settings, so it’s a one-stop shop.
With your own domain, you can build resiliency for your email address as well. Learn how to set up your custom domain with your email provider. If you need to switch providers in the future, your email address ports to the new service with you. Here are a few quick links for providers I’d recommend:
I hope you’ve found this article useful on your path to building digital resiliency. If you’re interested in more privacy topics, you might like to learn about great apps for outsourcing security.
If your threat model includes anonymity or censorship, building digital resiliency is just a first step. The rest is outside the scope of my blog, but here are a few great resources I’ve come across:
You can create your own self-hosted Matrix chat for as little as $3.50 USD per month on an AWS Lightsail instance. Your homeserver can federate with other Matrix servers, giving you a reliable and fault-tolerant means of communication.
Matrix is most widely installed via its Synapse homeserver implementation written in Python 3. Dendrite, its second-generation homeserver implementation written in Go, is currently released in beta. Dendrite will provide more memory efficiency and reliability out-of-the-box, making it an excellent choice for running on a virtual instance.
Here’s how to set up your own homeserver on AWS Lightsail with Dendrite. You can also contribute to Dendrite today.
Spin up a new Lightsail instance on AWS with Debian as your operating system. It’s a good idea to create a new per-instance key for use with SSH. You can do this with the SSH key pair manager on the instance creation page. Don’t forget to download your private key and .gitignore your secrets.
Click Create Instance. Wait for the status of your instance to change from Pending to Running, then click its name to see further information. You’ll need the Public IP address.
To enable people including yourself to connect to the instance, go to the Networking tab and add a firewall rule for HTTPS. This will open 443 so you can connect over IPv4. You can also do this for IPv6.
Give your instance a catchier address by buying a domain at Namecheap and setting up DNS records.
Add an A Record pointing to your Lightsail Public IP. You can use a subdomain if you want one, for example:
Type A Record, Host matrix, Value 13.59.251.229
This points matrix.example.org to your Lightsail instance.
Change permissions on the private key you downloaded:
chmod 600 <path/to/key>
Then SSH to your Public IP:
ssh -i <path/to/key> admin@<public ip>
Welcome to your instance! You can make it more interesting by downloading some packages you’ll need for Dendrite. It’s a good idea to use apt for this, but first you’ll want to make sure you’re getting the latest stuff.
Dec 2021 update: As the good people of Mastodon point out, you might like to ensure you’re choosing the stable version for Debian. For instance, replace buster below with whatever is “stable” at the moment, including in the substitution pattern, so that it matches what is actually in your sources list.
Change your sources list in order to get the newest version of Go:
sudo vim /etc/apt/sources.list
Delete everything except these two lines:
deb http://cdn-aws.deb.debian.org/debian buster main
deb-src http://cdn-aws.deb.debian.org/debian buster main
Then replace the distributions:
:%s/buster main/testing main contrib non-free/g
Be aware that this moves the entire instance onto Debian testing, a rolling release, not just the Go package; you are trading some stability for a newer toolchain. Run sudo apt dist-upgrade. If you’re asked about modified configuration files, choose the option to “keep the local version currently installed.”
Once the upgrade is finished, restart your instance with sudo shutdown -r now.
Go make some coffee, then SSH back in. Get the packages you’ll need with:
sudo apt update
sudo apt upgrade
sudo apt install -y git golang nginx python3-certbot-nginx
You’re ready to get Dendrite.
Clone Dendrite and follow the README instructions to get started. You’ll need to choose whether you want your Matrix instance to be federating. For simplicity, here’s how to set up a non-federating deployment to start:
git clone https://github.com/matrix-org/dendrite
cd dendrite
./build.sh
# Generate a Matrix signing key for federation (required)
./bin/generate-keys --private-key matrix_key.pem
# Generate a self-signed certificate (optional, but a valid TLS certificate is normally
# needed for Matrix federation/clients to work properly!)
./bin/generate-keys --tls-cert server.crt --tls-key server.key
# Copy and modify the config file - you'll need to set a server name and paths to the keys
# at the very least, along with setting up the database connection strings.
cp dendrite-config.yaml dendrite.yaml
Modify the configuration file you just copied (it lives in your checkout and is owned by your user, so no sudo is needed):
vim dendrite.yaml
At minimum, set the server name to your shiny new domain name, e.g. matrix.example.org; disable_federation to true for the non-federating start described here (false once you want to federate); and registration_disabled to true or false. On an internet-facing homeserver, leave registration disabled unless you actually want strangers to be able to create accounts. You might like to read the Dendrite FAQ.
Get the required packages if you didn’t already install them above:
sudo apt install nginx python3-certbot-nginx
Create your site’s configuration file under sites-available by copying the default, then enable it with a symlink (both paths are root-owned, so use sudo):
cd /etc/nginx/sites-available
sudo cp default <sitename>
sudo ln -s /etc/nginx/sites-available/<sitename> /etc/nginx/sites-enabled/<sitename>
Edit your site configuration. Delete the root and index lines if you don’t need them, and set server_name to your domain (matrix.example.org in the example above). Your location block should look like:
location / {
proxy_pass https://localhost:8448;
}
Remove the default site with: sudo rm /etc/nginx/sites-enabled/default.
You can use Certbot to obtain a certificate from Let’s Encrypt and have it configure nginx for HTTPS. This is a CA-issued certificate, not a self-signed one, which is what Matrix clients and federating servers will accept without complaint.
sudo certbot --nginx -d <your.site.address>
If you don’t want to give an email, add the --register-unsafely-without-email flag.
Test your configuration and restart nginx with:
sudo nginx -t
sudo systemctl restart nginx
Then start up your Matrix server.
# Build and run the server:
./bin/dendrite-monolith-server --tls-cert server.crt --tls-key server.key --config dendrite.yaml
Your Matrix server is up and running at your web address! If you disabled registration in your configuration, you may need to create a user. You can do this by running the included bin/create-account tool in your dendrite checkout.
You can log on to your new homeserver with any Matrix client, or Matrix-capable applications like Pidgin with the Matrix plugin.
If you get an error such as:
... [github.com/matrix-org/dendrite/internal/log.go:155] setupFileHook
Couldn't create directory /var/log/dendrite: "mkdir /var/log/dendrite: permission denied"
You’ll need to create a spot for your log files. Avoid the bad practice of running stuff with sudo whenever you can. Instead, create the necessary directory with the right permissions:
sudo mkdir /var/log/dendrite
sudo chown admin:admin /var/log/dendrite
# Build and run the server:
./bin/dendrite-monolith-server --tls-cert server.crt --tls-key server.key --config dendrite.yaml
If you see “Unable to decrypt: The sender's device has not sent us the keys for this message”, you may need to verify a user (sometimes yourself).
I hope you found this introduction to setting up your own Matrix homeserver to be helpful! If you have anything to add, feel free to reply via Webmention.
For those of you seeing relatives this season, chances are that you’re the designated family tech support. If part of your time home for the holidays is spent on software updates and troubleshooting WiFi, here are a few other quick wins to help boost your family’s online privacy and security.
Using a VPN is Online Safety 101. Choose a reputable provider with a strict no-logging policy, or if you’re up for it, roll your own.
If your family member uses the same password everywhere (<petname>+<house number>, same as last year) because passwords are hard to remember, introduce them to their new best friend, 1Password. Help your family get set up with secure passwords they don’t have to write down on Post-It notes: just one master pass(phrase) is all you need.
When choosing a passphrase, avoid using information easily found on social media accounts, like pet names, favorite sports teams, favorite brands, or birthdays.
Help fight the Internet search monopoly by getting your family to use a search engine that respects their privacy. Go to your browser Settings and set your Default Search Engine (that uses the URL bar) to DuckDuckGo. Break the ice with an instant answer feature, like searching “calendar” so you can count down to Christmas.
(You might want to search for “classic cocktails cheat sheet” after all this.)
While I prefer a Pi-hole, setting one up can be complex. Instead, help set up a privacy-preserving browser like Firefox or a wide-spectrum blocking extension like uBlock Origin (GitHub source).
Your family will get faster page load times, less advertisements interrupting articles and videos, and fewer sneaky trackers leaking browsing habits to big tech, all with near-zero maintenance.
Help improve your family’s security posture this holiday season. A little beefed-up cybersecurity may be one of the best gifts you can give!
I’m keeping it short-and-sweet this week. My annual Christmas post drops on December 24, full of warm fuzzy goodness and a tech tip or two. Thank you for being a subscriber – stay tuned!
Cybersecurity can be fiddly and time-consuming. You might need to reset forgotten passwords, transfer multifactor authentication (MFA) codes to different devices, or deal with the fallout of compromised payment details in the event one of your accounts is still breached.
Thankfully, most of the work necessary to keep up our cybersecurity measures can be outsourced.
Here are three changes you can make to significantly reduce the chances of needing to fiddle with any of these things again.
I’ve historically avoided password managers because of an irrational knee-jerk reaction to putting all my eggs in one basket. You know what’s great for irrational reactions? Education.
To figure out if putting all my passwords into a password manager is more secure than not using one, I set out to see what some smart people wrote about it.
First, we need to know a thing or two about passwords. Troy Hunt figured out almost a decade ago that trying to remember strong passwords doesn’t work. In more recent times, Alex Weinert expanded on this in Your Pa$$word doesn’t matter. TL;DR: our brains aren’t better at passwords than computers, and please use MFA.
So passwords don’t matter, but complicated passwords are still better than memorable and guessable ones. Since I’ve next to no hope of remembering a dozen variations of p/q2-q4! (I’m not a chess player), this is a task I can outsource to 1Password. I’ll still need to remember one long, complicated master password (1Password uses this to encrypt my data, so I really can’t lose it), but I can handle just one.
Using 1Password specifically has another, decidedly obvious, advantage. I chose 1Password because of their Watchtower feature. Thanks to Troy Hunt’s Have I Been Pwned, Watchtower will alert you if any of your passwords show up in a breach so you can change them. Passwords still don’t completely work, but this is probably the best band-aid there is.
One last bonus is that using a password manager is a heck of a lot more convenient. I don’t need to take a few tries to type in a complicated password. I don’t end up spending time resetting passwords I’ve forgotten on sites I only rarely use.
When tasked with remembering all their own passwords, people typically create simpler passwords that are easier to remember – and easier to hack. This occurs most frequently on sites that are considered unimportant. Using 1Password and generated passwords, those sites are now also first-class citizens in the land of strong passwords, instead of being half-abandoned and half-open attack vectors.
So, yes, all my eggs are in one basket. A well-protected, complex, and monitored basket.
Okay - so it’s more like one-and-a-half baskets. 🤷🏻
Authy, from the folks over at Twilio, provides a 2FA solution that’s more secure than SMS. Unlike Google Authenticator, you can choose to back up your 2FA codes in case you lose or change your phone. (1Password offers 2FA functionality as well - but, you know, redundancies.)
With Authy, your back up is encrypted with your password, similarly to how 1Password works. This makes it the second password you can’t forget, if you don’t want to lose access to your codes. If you reset your account, they all go away. I can deal with remembering two passwords; I’ll take that trade.
I’ve tried other methods of MFA, including hardware keys, which can make accessing accounts on your phone more complicated than I care to put up with. I find the combination of 1Password and Authy to be the most practical combination of convenience and security that yet exists to my knowledge.
Finally, there’s one last line of defense you can put in place in the unfortunate event that one of your accounts is still compromised. All the strong passwords and MFA in the world won’t help if you open the doors yourself, and scams and phishing are a thing.
Since it’s rather impractical to use a different real credit card every place you shop, virtual cards are just a great idea. There’s no good reason to spend an afternoon (or more) resetting your payment information on every account just to thwart a misbehaving merchant or patch up a data breach from that online shop for cute salt shakers you made a purchase at last year (just me?).
As a bonus, a partnership between 1Password and Privacy.com lets you easily create virtual credit cards using the 1Password extension.
By setting up a separate virtual card for each merchant, in the event that one of those merchants is compromised, you can simply pause or delete that card. None of your other accounts or actual bank details are caught up in the process. Cards can have time-based limits or be one-off burner numbers, making them ideal for setting up subscriptions.
This is the sort of basic functionality that I hope, one day, becomes more prevalent from banks and credit cards. In the meantime, I’ll keep using Privacy.com. That’s my referral link; if you’d like to thank me by using it, we’ll both get five bucks as a bonus.
All together, implementing these changes will probably take up an afternoon, depending on how many accounts you have. It’s worth it for the time you’d otherwise spend resetting passwords, setting up new devices, or (knock on wood) recovering from compromised banking details. Best of all, you’ll have continual protection just running in the background.
We have the technology. Free up some brain cycles to focus on other things - or simply remove some unnecessary stress from your life by outsourcing the fiddly bits.
Want to give the gift of cybersecurity to someone you know? Get them started with a cybersecurity starter pack.
Like proper hand washing and getting a flu shot, good habits can lower your risk of inadvertently allowing cybergerms to spread. Since the new year is an inspiring time for beginning new habits, I offer a few suggestions for ways to help protect yourself and those around you.
Recognizing the delivery method of a cyberattack is getting more difficult. Messages with malicious links do not always come from strangers. They may appear to be routine communications, or seem to originate from someone you know or work with. Attacks exploit subtle but deeply ingrained cognitive biases, such as urgency and deference to authority, to override your common sense, so that your natural response is to click.
Thankfully, there’s a simple low-tech habit you can use to deter these attacks: before you act, follow-up.
You may get an email from a friend who needs help, or from your boss who’s about to get on a plane. It could be as enticing and mysterious as a direct message from an acquaintance who sends a link asking, “Lol. Is this you?” It takes presence of mind to override the panic these attacks prey on, but the deterrent itself is quick and straightforward. Send a text message, pick up the phone and call, or walk down the hall, and ask, “Did you send me this?” The check has to go through a different channel than the one the message arrived on; replying to the suspicious email only reaches whoever sent it.
If the message is genuine, there’s no harm in a few extra minutes to double check. If it’s not, you’ll immediately alert the originating party that they may be compromised, and you may have deterred a cyberattack!
When individuals in a neighborhood get the flu shot, others in that neighborhood are safer for it. Encryption is similarly beneficial. Encourage your friends, coworkers, and Aunt Matilda to switch to an app like Signal. By doing so, you’ll reduce everyone’s exposure to more exploitable messaging systems.
This doesn’t mean that you must stop using other methods of communication entirely. Instead, think of it as a hierarchy. Use Signal for important messages that should be trusted, like requests for money or making travel arrangements. Use all other methods of messaging, like SMS or social sites, only for “unimportant” communications. Now, if requests or links that seem important come to you through your unimportant methods, you’ll be all the more likely to second-guess them.
You wouldn’t brush your teeth with a toothbrush you found on the sidewalk. Why would you plug in a USB device if you don’t know where it’s been?! We might recognize plugging a found USB drive into a computer as a clever exploitation of natural human curiosity, but we’re far less likely to suspect a public phone-charging station or a USB cable we bought ourselves. Even seemingly innocuous USB peripherals or rechargeable devices can be a risk.
Unlike email and some file-sharing services that scan and filter files before they reach your computer, plugging in via USB is as direct and unprotected as a connection gets. Once the connection is made, the user doesn’t need to do anything else for a whole host of bad things to happen: a malicious device can present itself to the operating system as a keyboard and type commands, or carry malware and ransomware that infect your computer or phone.
There’s no need to swear off the convenience of USB connectivity, or to avoid these devices altogether. Instead of engaging in questionable USB behavior, don’t cheap out on USB devices and cables. If it’s going to get plugged into your computer, ensure you’re being extra cautious. Buy it from the manufacturer (like the Apple Store) or from a reputable company or reseller with supply chain control. When juicing up USB-rechargeables, don’t plug them into your computer. Use a wall charger with a USB port instead.
Keeping your devices healthy and happy is a matter of practicing good habits. Like battling the flu, good habits can help protect yourself and those around you. Incorporate some conscientious cybersecurity practices in your new year resolutions - or start them right away.
Have a safe and happy holiday!
Like puppies, IoT devices are still young. Many contain known vulnerabilities that remote attackers can use to gain access to device owners’ networks. These attacks are sometimes as laughably simple as using a default username and password that the device owner cannot change.
Does all this mean you shouldn’t give Grandma Mabel a new app-enabled coffee maker or Ring doorbell for Christmas? Probably, although not necessarily. Like puppies, properly-maintained IoT devices are capable of warming your heart without causing too much havoc; but they take a lot of work to care for. Here are a few responsibilities to keep in mind for the care and feeding of an IoT device.
Many manufacturers of IoT devices have not made security a priority. There aren’t yet any enforced security requirements for this industry, which leaves the protection of your device and the network it’s connected to in the hands of the manufacturer.
It’s not just obscure no-name toasters, either; malicious third-party apps have snuck onto Amazon’s and Google’s more reputable devices and enabled attackers to eavesdrop on unsuspecting owners.
Until security regulations are put in place and enforced, it’s buyer beware for both devices and third-party applications. To the extent possible, potential owners must do ample research to weed out vulnerable devices and untrustworthy apps.
If you think hackers aren’t likely to find your device in the vast expanse of the Internet, you might be wrong. These days, obscurity doesn’t provide security. It’s no longer left up to a potential attacker’s fallible human eyes to find your insecure front door camera in a cacophony of wireless traffic; IoT search engines like Shodan will do that for them. Thankfully, these search engines are also used for good, enabling white hat hackers and penetration testers to find and fix insecure devices.
Just like locking your own front door, IoT owners are responsible for locking down access to their devices. This may mean searching through device settings to make sure default credentials are changed, or checking to make sure that a device used on your private home network doesn’t by default have public Internet access.
Where the options are available, HTTPS and multifactor authentication should be enabled. Reaching devices remotely through a VPN into your home network, rather than exposing them directly to the Internet, also keeps them out of those search engine results.
Unlike puppies, many IoT devices are “headless” and have no inherent way of interfacing with a human. An app-controlled lightbulb, for example, may be all but useless without the software that makes it shine. As convenient as it may be to have your 1500K mood lighting come on automatically at dusk, it also means automatically ceding control of the device to its software developers.
When vulnerabilities in your phone’s operating system are discovered and patched, it’s likely that automatic updates are pushed and installed overnight, possibly without you even knowing. Your IoT device, on the other hand, may have no such support. In those cases, it’s completely up to the user to discover that an update is needed, find and download the patch, then correctly update their device. Even for owners with some technical expertise, this process takes significant effort. Many device owners aren’t even aware that their software is dangerously outdated.
In practical terms, this means that users without the time, knowledge, or willingness to keep their devices updated should reconsider owning them. Alternatively, some research can help prospective owners choose devices that receive automatic push updates from their (hopefully responsible) manufacturers over WiFi.
Raising a healthy and happy IoT device is no small task, especially for potential owners with little time or willingness to put in the required effort. With the proper attention and maintenance, your Internet-connected appliance can bring joy and convenience to your life; but without, it introduces a potential security risk and a whole lot of trouble.
Before getting or giving IoT, be sure the potential owner is up to the task of caring for it.
You can learn more about basic cybersecurity for IoT (as a user or maker) by reading NIST’s draft guidelines publication.
The OWASP Top 10 is a comprehensive guide to web application security risks. It is relied upon by technology professionals, corporations, and those interested in cybersecurity or information security. The most recent publication lists Sensitive Data Exposure as the third most critical web application security risk. Here’s how the risk is described:
Many web applications and APIs do not properly protect sensitive data, such as financial, healthcare, and PII. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data may be compromised without extra protection, such as encryption at rest or in transit, and requires special precautions when exchanged with the browser.
“Sensitive Data Exposure” is a sort of catch-all category for leaked data resulting from many sources, ranging from weak cryptographic algorithms to unenforced encryption. The simplest source of this security risk, however, takes far fewer syllables to describe: people.
The phrase “an ounce of prevention is worth a pound of cure” applies to medicine as well as secure software development. In the world of the latter, this is referred to as “pushing left” (or “shifting left”), a rather unintuitive term for establishing security best practices earlier, rather than later, in the software development life cycle (SDLC). Establishing procedures “to the left” of the SDLC can help ensure that the people involved in creating a software product are properly taking care of sensitive data from day one.
Unfortunately, a good amount of security testing often seems to occur much farther to the right side of the SDLC; too late for some security issues, such as sensitive data leakage, to be prevented.
I’m one of the authors contributing to the upcoming OWASP Testing Guide and recently expanded a section on search engine discovery reconnaissance, or what the kids these days call “Google dorking.” This is one method, and arguably the most accessible method, by which a security tester (or black hat hacker) could find exposed sensitive data on the Internet. Here’s an excerpt from that section (currently a work in progress on GitHub, to be released in v5):
Search Operators
A search operator is a special keyword that extends the capabilities of regular search queries, and can help obtain more specific results. They generally take the form of operator:query. Here are some commonly supported search operators:

- site: will limit the search to the provided URL.
- inurl: will only return results that include the keyword in the URL.
- intitle: will only return results that have the keyword in the page title.
- intext: or inbody: will only search for the keyword in the body of pages.
- filetype: will match only a specific filetype, e.g. png or php.

For example, to find the web content of owasp.org as indexed by a typical search engine, the syntax required is:

site:owasp.org
… Searching with operators can be a very effective discovery reconnaissance technique when combined with the creativity of the tester. Operators can be chained to effectively discover specific kinds of sensitive files and information. This technique, called Google hacking or Google dorking, is also possible using other search engines, as long as the search operators are supported.
A database of dorks, such as Google Hacking Database, is a useful resource that can help uncover specific information.
Regularly reviewing search engine results can be a fruitful task for security testers. However, when a search for site:myapp.com passwords turns up no results, it may still be a little too early to break for lunch. Here are a couple of other places a security tester might like to look for sensitive data exposed in the wild.
The self-declared “#1 paste tool since 2002,” Pastebin allows users to temporarily store any kind of text. It’s mostly used for sharing information with others, or retrieving your own “paste” on another machine, perhaps in another location. Pastebin makes it easy to share large amounts of complicated text, like error logs, source code, configuration files, tokens, api keys… what’s that? Oh, yes, it’s public by default.
Here are some screenshots of a little dorking I did for a public bug bounty program.
Thanks in part to the convenience of using Pastebin and similar websites, it would appear that some people fail to think twice before making sensitive data publicly available.
Granted, non-technical employees with access to the application may not have an understanding of which items should or should not be freely shared. Someone unfamiliar with what encrypted data is or what it looks like may not realize the difference between an encrypted string and an unencrypted token made up of many random letters and numbers. Even technical staff can miss things, make mistakes, or act carelessly after a hard day at work. It may be easy to call this a training problem and move on; however, none of these rationalizations address the root cause of the issue.
When people turn to outside solutions for an issue they face, it’s usually because they haven’t been provided with an equally-appealing internal solution, or are unaware that one exists. Employees using pastes to share or move sensitive data do so because they don’t have an easier, more convenient, and secure internal solution to use instead.
Everyone involved in the creation and maintenance of a web application should be briefed on a few basic things in regards to sensitive data protection:
When it comes to third-party services, ensure people are aware that some transmission may not be encrypted, or may be publicly searchable. If there is no system currently in place for safely sharing and storing sensitive data internally, this is a good place to start. The security of application data is in the hands of everyone on the team, from administrative staff to C-level executives. Ensure people have the tools they need to work securely.
Developers are notorious for leaving sensitive information hanging out where it doesn’t belong (yes, I’ve done it too!). Without a strong push-left approach in place for handling tokens, secrets, and keys, these little gems can end up in full public view on sites like GitHub, GitLab, and Bitbucket (to name a few). A 2019 study found that thousands of new, unique secrets are leaked every day on GitHub alone.
GitHub has implemented measures like token scanning, and GitLab 11.9 introduced secret detection. While these tools aim to limit the damage when a secret is accidentally committed, to put it bluntly, prevention is really not their job: they run after the data has already been pushed, and a secret that has been public for even a few minutes should be treated as compromised and rotated. Secret scanning won’t stop developers from committing the data in the first place.
Without an obvious process in place for managing secrets, developers may tend too much towards their innate sense of just-get-it-done-ness. Sometimes this leads to the expedient but irresponsible practice of storing keys as unencrypted variables within the program, perhaps with the intention of it being temporary. Nonetheless, these variables inevitably fall from front of mind and end up in a commit.
Having a strong push-left culture means ensuring that sensitive data is properly stored and can be securely retrieved long before anyone is ready to make a commit. Tools and strategies for doing so are readily available for those who seek them. Here are some examples of tools that can support a push-left approach:
- A shared .gitignore file that everyone on the team can contribute to and use.

We also need not rely entirely on the public repository to catch those mistakes that may still slip through. It’s possible to set up Git pre-commit hooks that scan the staged changes for secrets using regular expressions and reject the commit before it is ever created. There are some open-source programs available for this, such as Talisman from ThoughtWorks and git-secrets from AWS Labs.
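As an added example (not code from this post, and not Talisman or git-secrets), here is a minimal pre-commit hook in Python that applies the approach just described: it reads the staged diff, checks every added line against a few credential patterns plus a Shannon-entropy heuristic, and refuses the commit if anything matches. The AWS access key id format is the one AWS documents; the other patterns, the entropy cut-off, and the sample diff are assumptions chosen for illustration.

```python
#!/usr/bin/env python3
"""Minimal pre-commit secret scanner (illustrative example; not Talisman or git-secrets).

Copy to .git/hooks/pre-commit and mark it executable. It reads the staged diff
and exits non-zero, which aborts the commit, if any added line looks like a secret.
Run with --sample to scan the constructed diff below instead of the real index.
"""
import math
import re
import subprocess
import sys
from collections import Counter

# Credential formats to look for. The AWS access key id shape (AKIA + 16
# uppercase alphanumerics) is documented by AWS; the other two are assumptions.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic_assignment": re.compile(
        r"(?i)\b(?:api[_-]?key|secret|token|password)\b\s*[:=]\s*['\"]?[A-Za-z0-9_\-/+=]{16,}"
    ),
}

# Tokens of 20+ "secret-looking" characters are also judged by Shannon entropy.
# 4.5 bits/char is an assumed cut-off: random base64 scores roughly 5-6, English
# identifiers roughly 3-4. Hex-only secrets top out at exactly 4.0 bits/char,
# so those must be caught by an explicit pattern rather than by entropy.
TOKEN_RE = re.compile(r"[A-Za-z0-9_\-/+=]{20,}")
ENTROPY_THRESHOLD = 4.5


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def scan_line(line: str) -> list:
    """Return [(reason, matched_text), ...] for a single added line."""
    findings = []
    for name, pattern in PATTERNS.items():
        m = pattern.search(line)
        if m:
            findings.append((name, m.group(0)))
    for token in TOKEN_RE.findall(line):
        if shannon_entropy(token) >= ENTROPY_THRESHOLD:
            findings.append(("high_entropy", token))
    return findings


def scan_diff(diff_text: str) -> list:
    """Scan a unified diff, looking only at added ('+') lines.

    Returns [(file, reason, matched_text), ...]. Removed lines are ignored:
    deleting a secret is exactly the change we want to allow through.
    """
    findings = []
    current_file = None
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            current_file = raw[4:].strip()
        elif raw.startswith("+") and not raw.startswith("+++"):
            for reason, match in scan_line(raw[1:]):
                findings.append((current_file, reason, match))
    return findings


def staged_diff() -> str:
    """The staged changes, i.e. exactly what `git commit` is about to record."""
    proc = subprocess.run(
        ["git", "diff", "--cached", "--unified=0", "--no-color"],
        capture_output=True, text=True, check=True,
    )
    return proc.stdout


# Constructed sample diff for offline testing (the AKIA value is the example
# key from AWS documentation, not a live credential).
SAMPLE_DIFF = """\
diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,3 +1,5 @@
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+DEBUG = True
-OLD_PASSWORD = "hunter2"
+-----BEGIN RSA PRIVATE KEY-----
+password = "abcdefghijklmnopqrstuvwxyz0123456789"
"""


def main(argv: list) -> int:
    """Hook entry point: 0 lets the commit proceed, 1 blocks it."""
    diff = SAMPLE_DIFF if "--sample" in argv else staged_diff()
    hits = scan_diff(diff)
    for path, reason, match in hits:
        # Print only a prefix so the hook itself never echoes the full secret.
        print(f"{path}: {reason}: {match[:12]}...", file=sys.stderr)
    if hits:
        print("Commit blocked: remove the secret or move it to your secrets store.",
              file=sys.stderr)
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Running it with --sample reports the AWS key id, the private key header, the password assignment, and the same 36-character value again as a high-entropy token, while the removed OLD_PASSWORD line and DEBUG = True pass. The entropy heuristic is what catches keys whose format you did not anticipate; the pattern list is what catches low-entropy formats the heuristic would miss, so a real hook needs both.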
A little perspective can go a long way in demonstrating why it’s important to begin managing sensitive data even before any sensitive data exists. By establishing security best practices on the left of the SDLC, we give our people the best chance to increase the odds that any future dorking on our software product looks more like this.
Another great resource for checking up on the security of our data is Troy Hunt’s Have I Been Pwned, a service that compares your data (such as your email) to data that has been leaked in previous data breaches.
To learn about more ways we can be proactive with our application security, the OWASP Proactive Controls publication is a great resource. There’s also more about creating a push-left approach to security in the upcoming OWASP Testing Guide. If these topics interest you, I encourage you to read, learn, and contribute so more people will make it harder for sensitive data to be found.