
Counter Measures


Sabaidee! (aka Hello!)

Sorry for this being long.


I am a teacher, from USA. I used to teach English/ESL. (I hate teaching English). I've built a small computer lab to switch to teaching basic IT and electronics (repair, IoT, Arduino, etc). I'm just starting my hardware journey myself (getting into IoT, hardware repair, and the basics). At some point, I'd love to make my own custom hardware, for various IoT and sensor related projects. I'm not a total newb, but I'm no hardware expert, that's for sure.


I live and work in Laos, a communist country sandwiched between various other communist (Vietnam/China), somewhat communist (Cambodia/Myanmar), almost communist (Thailand) countries. I don't really have any grudges against communist governments, and whatnot. It's their place, not mine. They can do whatever they want (and they do anyway, regardless of my feelings on matters). I'm apolitical in my work, and will remain that way.

In short, though I don't really care about politics; I do care about Laos and its people. Sometimes things can be strange and interesting...

IT Experience:
My education is in "network admin/IT" with an associate's / 2-year degree, but I've touched just about every general topic, except advanced security. I have reasons for avoiding it, as a general rule (read the bottom if curious why). Let's just say I've seen what the dark side of IT can do to people on a personal level.

That all said, I currently have some security concerns, but haven't been able to validate my concerns using anti-virus/malware detection software. I have some indicators that show something isn't quite right with a number of devices on my network, but can't clearly show the exact nature of any intrusion (though I have strong reasons to be suspicious). In short, something is fishy, and I can sure smell it, but I haven't quite found any fish as of yet. Paranoid? Maybe. Reasons to be? I think so.

Who knows? Maybe it's just the horrible electric grid burning up my stuff and causing my devices to be unstable (there are problems with the local grid here), or high humidity, or a coincidence of lots of software bugs, or all of it all at once... I'm not ignoring these as possibilities, but I'd like to rule out worst cases first.

I prefer not having people snoop around my network/devices, and cause problems (intentional or unintentional). I don't have great access to specialized equipment or specialized commercial software to deter them. I also have limits to what I can reasonably obtain, especially with mail problems due to COVID. In short, I'm looking for simple, open source, effective counter measures I can implement now, and ways I can monitor and verify what's going on, without having to break the bank or fly across the planet to get it.

Help Wanted:
The questions: What recommendations are there for software-inclined people (I have some Linux server experience, can do some programming, Windows admin, firewall, whatnot) who want to build a strong defense against intrusions? How does one effectively create an IoT network with some questionable Chinese hardware (DVR and a bunch of Sonoffs programmed with Tasmota), WiFi network, and limited remote access (Home Assistant) without being invaded? What kinds of deterrents are available to defend against attacks on WiFi? What can be done if your ISP shoves a Huawei FTTH router on you, that hasn't had a firmware update in half a decade, and runs on default passwords?

I've done some things already (limited ports, changed the default router password, double NAT with port forwarding, using non-standard ports, using OpenWRT with reasonable iptables settings, using DoH, and on and on). But, I'm not sure it's enough - and some of my computers show signs of virus infection (higher utilization than normal, and misrepresented/inconsistent resource usage). Not sure what the process needs to be to identify and rid computers of current intrusions.


For those curious, I used to hack (more like advanced script kiddie) in my younger years (mostly pranks). We are talking nearly two decades ago. It started out when I was taught at age 13 how to duplicate satellite card subscriptions using a Russian card programmer (aka carding). I started my curious adventures into computers. But, in terms of 'security', I mostly focused on the fun stuff... I'm talking like programming electric road signs to say "*** **** IT SLOW DOWN NOW!" (Safety first when driving, people!). Or using net send to broadcast messages across the whole domain of a college campus with the single word "penis" to every staff computer (it even waited until staff logged in later, and would show it on sign in - lol). Of course, remotely admin teachers' and students' computers, change backgrounds, and all of that kid play stuff. Stuff hit the fan, I grew up quick, and it all stopped (even if I still own a 2600 t-shirt). Again, all fun and games until things hit home.

My first IT 'teacher' was an interesting 'fella' (a word which also rhymes with felon), Brett Shannon Johnson "Gollumfun". He was my brother-in-law when I was a kid. You can read more about his fall here: This is the same guy who got us pirated video games galore as kids, helped us watch LoTR before it was officially released, etc. So, I gave the whole hacking thing up when I realized how pointless and painful fraud/black hat garbage is - it destroys people. I got out of the 'security' arena, only learning what I needed to know to keep myself/my family safe.

In short, I don't really want to get back into it either, but I can't shake that feeling that I'm being monitored, and that somebody/somewhere considers me and/or what I am doing to be a threat. I get frustrated, and am tempted to go down the street and have some 'phun' myself as payback, but A) it's not going to help, and B) I can't even 'prove' who it is - suspicions aside. Given where I am, state sponsored doesn't seem unfounded. America has a great reputation right now. ::) I know stories of people who caught government informants snooping on them (via somewhat traditional means). Yeah...

Any advice is greatly appreciated.

David Hess:
I would start by using a VLAN to isolate every LAN device and then a secured router to route only the necessary traffic between them. Now untrusted devices can be given access to the internet, or restricted portions of it, as needed without giving them access to other devices on the LAN. Further, specific devices on the LAN can be given access to other specific devices on the LAN, without the reverse.

The above leaves open the possibility of giving untrusted devices access to the internet only through a VPN, which would prevent them from even revealing your true IP and thereby location.

The next thing I would do is implement a backup system which works to *pull* backups from storage devices. So the backup server can contact the devices to be backed up, but not the reverse, which helps prevent the backup server from being attacked and compromised.
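
As an added illustration of the zone policy described above (example code, not from this thread or from any of the posters): a small Python model of a stateful, default-deny forwarder between a workstation VLAN, an IoT VLAN and a management VLAN that holds the pull-only backup server. The address ranges, the `ZoneFirewall` class and the `FORWARD_RULES` table are constructed for the example; on an OpenWRT box the same policy is expressed as firewall zones plus forwarding rules, and the connection table is what conntrack keeps for you.

```python
import ipaddress

# Constructed zone layout (not from the thread): one VLAN per trust level.
ZONES = {
    "lan":  ipaddress.ip_network("10.0.10.0/24"),   # workstations
    "iot":  ipaddress.ip_network("10.0.20.0/24"),   # DVR, Sonoff/Tasmota, ...
    "mgmt": ipaddress.ip_network("10.0.30.0/24"),   # backup server, logging box
}

def zone_of(addr):
    """Map an address to its zone; anything outside the local VLANs is 'wan'."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "wan"

# Allow-list for NEW connections: (source zone, destination zone, port or None = any).
# Nothing else is forwarded; note there is no ("iot", "lan", ...) entry and nothing
# may open a connection *to* the mgmt zone.
FORWARD_RULES = [
    ("lan",  "wan",  None),  # workstations get full internet access
    ("lan",  "iot",  None),  # workstations may reach every IoT device
    ("iot",  "wan",  443),   # IoT devices get only outbound HTTPS ("restricted portions")
    ("mgmt", "lan",  22),    # backup server pulls over SSH from workstations ...
    ("mgmt", "iot",  22),    # ... and from IoT devices; nothing pulls from it
]

class ZoneFirewall:
    """Stateful default-deny forwarder between zones.

    Replies are matched against a connection table, so a host that was
    contacted (an IoT device, a workstation being backed up) can answer but
    can never open a connection back on its own.
    """
    def __init__(self, rules=FORWARD_RULES):
        self.rules = rules
        self.established = set()   # (src, sport, dst, dport) of accepted flows
        self.dropped = []          # what you would ship to the logging box

    def _allows_new(self, src_zone, dst_zone, dport):
        return any(sz == src_zone and dz == dst_zone and (p is None or p == dport)
                   for sz, dz, p in self.rules)

    def packet(self, src, sport, dst, dport):
        """Return 'ACCEPT' or 'DROP' for one packet, updating connection state."""
        # Either direction of a flow that was already accepted
        if (src, sport, dst, dport) in self.established or \
           (dst, dport, src, sport) in self.established:
            return "ACCEPT"
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        # Same-VLAN traffic is switched, not routed: the firewall never sees it
        if src_zone == dst_zone and src_zone != "wan":
            return "ACCEPT"
        if self._allows_new(src_zone, dst_zone, dport):
            self.established.add((src, sport, dst, dport))
            return "ACCEPT"
        self.dropped.append((src_zone, src, dst_zone, dst, dport))
        return "DROP"
```

Feeding packets in both directions shows the asymmetry: the IoT zone can answer a workstation and the backup server, and can reach port 443 on the internet, but a new connection from an IoT device to a workstation, to the backup server, or to port 80 outside is dropped and logged.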

Awesome tips! I'm going to work on implementing these changes. I've done some work with VLANs, but limited so I'll need to do some reading up...

Nominal Animal:
One interesting technique you might wish to implement is honeypotting.

Simply put, you put a decoy device on your network that looks interesting to an attacker, but contains nothing of value to you. Instead, its purpose to you is to be the proverbial canary in the mine: a way to detect intrusions and intrusion attempts.

Linux contains a number of useful tools for both monitoring machines and for honeypotting.  An important key detail is to redirect logging to an otherwise isolated box, reserved for the purpose.  For embedded devices, using a dedicated high baud rate UART is optimal for this; just connect to a dedicated logging machine without internet connection (so it cannot be compromised except via physical access).  For WiFi/Ethernet-connected devices, use a dedicated Linux machine (perhaps a cheap SBC; I suggest using a cheap USB-SATA bridge and a SATA SSD for log storage) that is stripped down to a local console with a fixed LAN IP address, with no Ethernet connectivity except for the incoming logging ports which are directly streamed to files without processing, and all other ports blocked via firewall rules.  (If you do decide to keep an SSH port open for remote access, use a nonstandard port, and install firewall rules that silently drop all incoming packets to that port except from local IP addresses.)

Then, on any machines – both actual and honeypots – direct/duplicate the logs to (different ports on) the logging machine, and use software like tripwire to monitor for intrusion.  Using a bit of care to hide the system log duplication remotely, attackers are hard pressed to notice that even if their intrusion succeeds and they manage to hide their tracks locally, the remote logging machine will still contain the original tracks.  Script kiddies and worms do not even bother to hide their tracks, though.

As to myself, I like to use an OpenWRT router at the edge of my network as a firewall. I am currently in the process of writing a simplified "fail2ban" (that does not rely on stored logs, and works with minimal RAM requirements) for OpenWRT, so that connection attempts to specific ports will automatically lead to the attempter being blocked at the firewall. It will not be suitable for the "western world" use cases where people want stuff to work by just plugging it in (so all sorts of automatic network discovery things must be passed through the "firewall"), but for people who use their outer edge router as a firewall and optionally an OpenVPN bridge (for secure tunnels to other networks, with the connection encrypted at the edge and not at the host machine, so even IoT devices can be secured from internet access, even though within the LAN and at the other network they are still unsecured and plain-text visible), this would be definitely useful. (It will also be freely licensed, if I ever complete it in a form I care to publish.)

An example device I am currently using within my LAN/WiFi network (not facing the internet) is an Asus RT-AC51U wireless router. It is configured as a bridge between my wired network and 2.4GHz and 5GHz wireless networks, so other than WPA2 encryption (via passwords on connecting machines), my wireless is no more protected than my wired network is.

However, the router itself cannot be compromised unless there is a Linux kernel bug that can be exploited, because its management interface is not accessible from any of the three networks: the router itself does not have an IP address at all on any of the three networks. To access the management interface, I need to connect a laptop or a Linux single-board computer to a dedicated Ethernet management port on it.

This is because adding a firewall inside my local network would be worthless to me, as I rely on the one at the edge of my network facing the internet, and I can add that remote logging if I feel like it. Right now, even if I were compromised, I would just be annoyed at having to reinstall my machines, as I don't have any data worth protecting at all on these machines. So, making sure the Ethernet-WiFi bridge cannot be compromised and used as a launching pad for attacks elsewhere is more important to me; even as far as requiring a temporary Ethernet connection to the router if I want to make any changes to its settings.

I do use fail2ban (which monitors logs for connection attempts and, based on configurable rules, adds local firewall rules for a limited duration to block those IP addresses) and ufw (for Ubuntu and Debian derivatives) with relatively tight firewall rules, on every Linux machine I have.

The only thing I want to point out related to politics (and here in Finland we have absolutely no free speech, even explaining an opinion based on the Christian Bible in public can get you prosecuted for hate speech (I'm not kidding), while our media claims they are the freest in the world) is that when the offender has been chosen, the offense will be invented if it is not already obvious. That applies to all human societies. Because of that, I recommend an approach where you can choose to be transparent to investigations, and can show your security measures are solely against illegal exploitation (as defined by local jurisdictions) of yourself and your devices.

One way to implement that transparency, and also make things easier for your family and friends should something happen to you, is to prepare and maintain a hardcopy-only guide completely detailing your network configuration with full access and control. Essentially, pen-on-paper, kept in a secure box. (Remember, if anyone has physical access, they can replace/compromise any device they want anyway; it is just a matter of how many resources they are willing to invest to do so.)

If you find yourself, say, politically targeted, you can make yourself completely transparent by providing that guide to an investigator face to face. While the information discovered might implicate you somehow, the act of cooperation usually is more important (due to "offense will be invented anyway if not obvious"), and may be the only way you can convince a paranoid political power that you are not a threat, and are not politically motivated at all; and are, in fact, useful to them. It should be informative to see how people have dealt with such situations, and the results they got, during the last century or so; especially any well-known local figures.

Others may disagree, and it can be fully true that "stonewalling" is a better policy; but having the option ought to be useful.
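
The remote-logging setup above (a dedicated box that streams incoming log lines straight to disk without processing, so that an intruder who cleans the local log still leaves tracks) is easy to prototype. The following is an added example, not code from Nominal Animal or from any project; `RawLogSink`, `send_log`, `missing_locally` and the two log lines are all constructed for it, and it uses plain UDP on loopback so it runs offline. A real deployment would bind the sink to the logging machine's LAN address, give each monitored host its own port as the post suggests, and drop everything else with firewall rules.

```python
import socket
import tempfile
import threading

class RawLogSink:
    """UDP receiver that appends each datagram to a file untouched.

    No parsing and no content-dependent behaviour: the box only stores what
    arrives, which leaves nothing for an attacker to trip up by sending
    malformed lines. The sender's IP is prefixed so a forged hostname inside
    the message is visible next to the address it really came from.
    """
    def __init__(self, path, bind_addr="127.0.0.1", port=0):
        self.path = path
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        self.sock.bind((bind_addr, port))        # port 0: let the OS pick (demo only)
        self.port = self.sock.getsockname()[1]

    def serve(self, count):
        """Store `count` datagrams, one line each, flushing after every write."""
        with open(self.path, "ab") as f:
            for _ in range(count):
                data, (src_ip, _) = self.sock.recvfrom(65535)
                f.write(src_ip.encode() + b" " + data.rstrip(b"\n") + b"\n")
                f.flush()
        self.sock.close()

def send_log(host, port, line):
    """What the monitored host (or its syslog forwarder) does per log line."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(line.encode(), (host, port))

def missing_locally(remote_lines, local_lines):
    """Lines the logging box has that the monitored host's own log no longer has."""
    local = set(local_lines)
    return [line for line in remote_lines if line not in local]

def demo():
    """Ship two constructed lines to a sink on loopback, then compare the copies."""
    tmp = tempfile.NamedTemporaryFile(delete=False)
    tmp.close()
    sink = RawLogSink(tmp.name)
    receiver = threading.Thread(target=sink.serve, args=(2,))
    receiver.start()
    lines = [  # constructed sshd-style messages, not real traffic
        "sshd[2201]: Failed password for root from 198.51.100.7 port 51234 ssh2",
        "sshd[2210]: Accepted publickey for david from 10.0.10.5 port 40000 ssh2",
    ]
    for line in lines:
        send_log("127.0.0.1", sink.port, line)
    receiver.join(timeout=5)
    with open(tmp.name) as f:
        stored = [l.rstrip("\n").split(" ", 1)[1] for l in f]   # strip the sender prefix
    # Constructed scenario: the intruder deleted their own failure line from the
    # local log; the remote copy still shows it.
    tampered_local = lines[1:]
    return stored, missing_locally(stored, tampered_local)
```

The sink deliberately opens the file in append mode and flushes per datagram; with the rest of the box stripped down as the post describes, the worst a crash costs is the line in flight, and the comparison step is how you would later spot local log editing.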
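
The simplified fail2ban sketched in the post (count connection or login failures per source address, block at the firewall after a threshold, keep no log on disk and little RAM) can be modelled in a few dozen lines. This is an added example written for this page, not Nominal Animal's OpenWRT code and not fail2ban itself; `MiniJail`, the ISO-timestamped log format and the sample lines are all constructed. The only bounded state is the last `max_retry` failure times per address and the ban table, which is what makes it fit on a router.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# sshd failure line in an ISO-timestamped syslog form (constructed format;
# adjust the regex to whatever your logger emits)
FAIL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def ts(iso):
    """ISO-8601 timestamp -> epoch seconds (helper shared by the replay and its checks)."""
    return datetime.fromisoformat(iso).timestamp()

def block_rule(ip):
    """The host firewall command a real jail would execute on a ban."""
    return f"iptables -I INPUT -s {ip} -j DROP"

class MiniJail:
    """Ban an address after max_retry failures inside find_time seconds, for ban_time seconds."""
    def __init__(self, max_retry=3, find_time=600, ban_time=3600):
        self.max_retry, self.find_time, self.ban_time = max_retry, find_time, ban_time
        self.recent = defaultdict(lambda: deque(maxlen=max_retry))  # ip -> failure times
        self.bans = {}                                              # ip -> unban time

    def _expire(self, now):
        for ip in [ip for ip, until in self.bans.items() if until <= now]:
            del self.bans[ip]
        # forget addresses whose last failure fell out of the window (bounded memory)
        for ip in [ip for ip, hits in self.recent.items()
                   if not hits or now - hits[-1] > self.find_time]:
            del self.recent[ip]

    def banned(self, now):
        """Addresses that should currently be blocked."""
        self._expire(now)
        return set(self.bans)

    def feed(self, line):
        """Consume one log line; return the newly banned address, or None."""
        m = FAIL_RE.match(line)
        if not m:
            return None
        now, ip = ts(m["ts"]), m["ip"]
        self._expire(now)
        if ip in self.bans:
            return None
        hits = self.recent[ip]
        hits.append(now)
        # the deque keeps only the last max_retry failures; if the oldest of them
        # is still inside the window, the threshold has just been crossed
        if len(hits) == self.max_retry and now - hits[0] <= self.find_time:
            self.bans[ip] = now + self.ban_time
            hits.clear()
            return ip
        return None

# Constructed sample log: one address fails three times in seven seconds,
# another fails three times but spread over ninety minutes.
SAMPLE_LOG = """\
2021-06-16T09:27:38 edge sshd[2201]: Failed password for root from 198.51.100.7 port 51234 ssh2
2021-06-16T09:27:41 edge sshd[2201]: Failed password for root from 198.51.100.7 port 51236 ssh2
2021-06-16T09:27:45 edge sshd[2203]: Failed password for invalid user admin from 198.51.100.7 port 51240 ssh2
2021-06-16T09:30:00 edge sshd[2210]: Accepted publickey for david from 10.0.10.5 port 40000 ssh2
2021-06-16T09:31:00 edge sshd[2212]: Failed password for root from 203.0.113.9 port 60000 ssh2
2021-06-16T10:45:00 edge sshd[2290]: Failed password for root from 203.0.113.9 port 60010 ssh2
2021-06-16T11:00:00 edge sshd[2295]: Failed password for root from 203.0.113.9 port 60012 ssh2
"""

def run(log=SAMPLE_LOG):
    """Replay the log; return the jail and a list of (ip, unban_time) ban events."""
    jail = MiniJail()
    events = []
    for line in log.splitlines():
        ip = jail.feed(line)
        if ip:
            events.append((ip, jail.bans[ip]))
    return jail, events
```

Replaying `SAMPLE_LOG` bans 198.51.100.7 at 09:27:45 until 10:27:45 and never bans 203.0.113.9, whose failures are too far apart to count together; the slow address is the case a fixed-window counter must get right, otherwise a single persistent but patient scanner stays invisible while the rules also start banning legitimate users who mistype once a day.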


--- Quote from: Nominal Animal on June 16, 2021, 09:27:38 am ---in Finland we have absolutely no free speech, even explaining an opinion based on the Christian Bible in public can get you prosecuted for hate speech

--- End quote ---

It's the same one I heard from my Soviet friends.
I don't have a definite opinion on this. I don't know if it's socially good or not.

I mean, free speech sounds like a good value when people abstract the concept of freedom.
But too free speech can cause all the problems I am in the process of solving with AI/ML.

So, probably free speech needs a compromise, supervision and monitoring (but by whom? (1)), otherwise it can derail into something completely unpleasant and useless.

I think it's somehow like free speech on YouTube: free speech as in Urban Dictionary is accepted only if moderated and not offensive, otherwise the video will be removed, and the author will receive a strike.

Said this way, it sounds like a fair compromise  :-//

(1) who controls the controller?

