EEVblog Electronics Community Forum

Computing => Security => Topic started by: rcampbellbassac on June 12, 2021, 03:49:41 pm

Title: Counter Measures
Post by: rcampbellbassac on June 12, 2021, 03:49:41 pm
Sabaidee! (aka Hello!)

Sorry for this being long.


I am a teacher, from USA. I used to teach English/ESL. (I hate teaching English). I've built a small computer lab to switch to teaching basic IT and electronics (repair, IoT, Arduino, etc). I'm just starting my hardware journey myself (getting into IoT, hardware repair, and the basics). At some point, I'd love to make my own custom hardware, for various IoT and sensor related projects. I'm not a total newb, but I'm no hardware expert, that's for sure.


I live and work in Laos, a communist country sandwiched between various other communist (Vietnam/China), somewhat communist (Cambodia/Myanmar), almost communist (Thailand) countries. I don't really have any grudges against communist governments, and whatnot. It's their place, not mine. They can do whatever they want (and they do anyways, regardless of my feelings on matters). I'm apolitical in my work, and will remain that way.

In short, though I don't really care about politics, I do care about Laos and its people. Sometimes things can be strange and interesting...

IT Experience:
My education is in "network admin/IT" with an associate's / 2-year degree, but I've touched just about every general topic, except advanced security. I have reasons for avoiding it, as a general rule (read bottom if curious why). Let's just say I've seen what the dark side of IT can do to people on a personal level.

That all said, I currently have some security concerns, but haven't been able to validate my concerns using anti-virus/malware detection software. I have some indicators that show something isn't quite right with a number of devices on my network, but can't clearly show the exact nature of any intrusion (though I have strong reasons to be suspicious). In short, something is fishy, and I can sure smell it, but I haven't quite found any fish as of yet. Paranoid? Maybe. Reasons to be? I think so.

Who knows? Maybe it's just the horrible electric grid burning up my stuff and causing my devices to be unstable (there are problems with the local grid here), or high humidity, or a coincidence of lots of software bugs, or all of it all at once... I'm not ignoring these as possibilities, but I'd like to rule out worst cases first.

I prefer not having people snoop around my network/devices, and cause problems (intentional or unintentional). I don't have great access to specialized equipment or specialized commercial software to deter them. I also have limits to what I can reasonably obtain, especially with mail problems due to COVID. In short, I'm looking for simple, open source, effective counter measures I can implement now, and ways I can monitor and verify what's going on, without having to break the bank or fly across the planet to get it.

Help Wanted:
The questions: What recommendations are there for software inclined people (I have some Linux server experience, can do some programming, Windows admin, firewall, whatnot) who want to build a strong defense against intrusions? How does one effectively create an IoT network with some questionable Chinese hardware (DVR and a bunch of Sonoffs programmed with Tasmota), WiFi network, and limited remote access (Home Assistant) without being invaded? What kinds of deterrents are available to defend against attacks to WiFi? What can be done if your ISP shoves a Huawei FTTH router on you, that hasn't had a firmware update in half a decade, and runs on default passwords?

I've done some things already (limited ports, changed the default router password, double-nat with port forwarding, using non-standard ports, using OpenWRT with reasonable iptables settings, using DoH, and on and on). But, I'm not sure it's enough - and some of my computers show signs of virus infection (higher utilization than normal, and misrepresented/inconsistent resource usage). Not sure what the process needs to be to identify and rid computers of current intrusions.


For those curious, I used to hack (more like advanced script kiddie) in my younger years (mostly pranks). We are talking nearly two decades ago. It started out when I was taught at age 13 how to duplicate satellite card subscriptions using a Russian card programmer (aka carding). I started my curious adventures into computers. But, in terms of 'security', I mostly focused on the fun stuff... I'm talking like programming electric road signs to say "*** **** IT SLOW DOWN NOW!" (Safety first when driving people!). Or using netsend to broadcast messages across the whole domain of a college campus with the single word "penis" to every staff computer (it even waited until staff logged in later, and would show it on sign in - lol). Of course, remote admin teachers' and students' computers, change backgrounds, and all of that kid play stuff. Stuff hit the fan, I grew up quick, and it all stopped (even if I still own a 2600 t-shirt). Again, all fun and games until things hit home.

My first IT 'teacher' was an interesting 'fella' (a word which also rhymes with felon) Brett Shannon Johnson "Gollumfun". He was my brother-in-law as a kid. You can read more about his fall here. This is the same guy who got us pirated video games galore as a kid, helped us watch LoTR before it was officially released, etc. So, I gave the whole hacking thing up when I realized how pointless and painful fraud/black hat garbage is - it destroys people. I got out of the 'security' arena, only learning what I needed to know to keep myself/my family safe.

In short, I don't really want to get back into it either, but I can't shake that feeling that I'm being monitored, and that somebody/somewhere considers me and/or what I am doing to be a threat. I get frustrated, and am tempted to go down the street and have some 'phun' myself as payback, but A) it's not going to help, and B) I can't even 'prove' who it is - suspicions aside. Given where I am, state sponsored doesn't seem unfounded. America has a great reputation right now. ::) I know stories of people who caught government informants snooping on them (via somewhat traditional means). Yeah...

Any advice is greatly appreciated.
Title: Re: Counter Measures
Post by: David Hess on June 12, 2021, 06:57:00 pm
I would start by using a VLAN to isolate every LAN device and then a secured router to route only the necessary traffic between them.  Now untrusted devices can be given access to the internet, or restricted portions of it, as needed without giving them access to other devices on the LAN.  Further, specific devices on the LAN can be given access to other specific devices on the LAN, without the reverse.

The above leaves open the possibility of giving untrusted devices access to the internet only through a VPN, which would prevent them from even revealing your true IP and thereby location.

The next thing I would do is implement a backup system which works to *pull* backups from storage devices.  So the backup server can contact the devices to be backed up, but not the reverse, which helps prevent the backup server from being attacked and compromised.
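To make the VLAN/router suggestion above concrete, here is an added example (my own, not David Hess's code) that encodes the "trusted can reach IoT, but not the reverse, and IoT only sees the internet through the VPN" policy as data and renders it as a default-deny nftables forward chain. The zone and interface names (vlan10, vlan20, vlan30, eth0, tun0) and the table name are assumptions; adjust them to the router you actually use. The one-way property comes from `policy drop` plus `ct state established,related accept`: only the listed zones may open a connection, and replies ride back on conntrack.

```python
"""Render a default-deny nftables forward policy for a VLAN-segmented LAN.
Added example for this thread, not code from any of the posters; the zone
and interface names (vlan10, vlan20, vlan30, eth0, tun0) are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Zone:
    name: str
    iface: str   # router-side interface for this VLAN (assumed names)


TRUSTED = Zone("trusted", "vlan10")   # laptops, the backup server
IOT     = Zone("iot", "vlan20")       # Sonoff/Tasmota, DVR, Home Assistant
CAMERAS = Zone("cameras", "vlan30")
WAN     = Zone("wan", "eth0")
VPN     = Zone("vpn", "tun0")         # VPN tunnel interface (assumed)

# Directions in which a NEW connection may be opened.  Replies travel the
# other way through conntrack, so (TRUSTED, IOT) does not let IoT reach trusted.
POLICY = [
    (TRUSTED, WAN),
    (TRUSTED, VPN),
    (TRUSTED, IOT),
    (TRUSTED, CAMERAS),
    (IOT, VPN),        # IoT sees the internet only through the tunnel
]
UNTRUSTED = {IOT, CAMERAS}


def check_policy(policy, untrusted=UNTRUSTED, protected=(TRUSTED,)):
    """Return (src, dst) name pairs that would let an untrusted zone open
    connections into a protected zone or straight out to the WAN.
    An empty list means the policy keeps the one-way property."""
    return [(s.name, d.name) for s, d in policy
            if s in untrusted and (d in protected or d == WAN)]


def render_ruleset(policy):
    """Render an 'nft -f'-loadable ruleset: drop by default, accept replies
    to established flows, then one accept rule per allowed direction."""
    lines = [
        "table inet segmentation {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
        "    ct state invalid drop",
    ]
    for src, dst in policy:
        lines.append(f'    iifname "{src.iface}" oifname "{dst.iface}" accept'
                     f'  comment "{src.name} -> {dst.name}"')
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    problems = check_policy(POLICY)
    assert not problems, f"policy violates segmentation: {problems}"
    print(render_ruleset(POLICY))
```

Run it and feed the output to `nft -f`; if you later add a tempting `(IOT, TRUSTED)` shortcut for convenience, `check_policy` flags it before the rules ever reach the router. NAT for the tunnel and the router's own input chain are deliberately left out so the forward policy stays readable.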
Title: Re: Counter Measures
Post by: rcampbellbassac on June 15, 2021, 04:13:45 pm
Awesome tips! I'm going to work on implementing these changes. I've done some work with VLANs, but limited so I'll need to do some reading up...
Title: Re: Counter Measures
Post by: Nominal Animal on June 16, 2021, 09:27:38 am
One interesting technique you might wish to implement is honeypotting.

Simply put, you put a decoy device on your network that looks interesting to an attacker, but contains nothing of value to you.  Instead, its purpose to you is to be the proverbial canary in the mine: a way to detect intrusion and intrusion attempts.

Linux contains a number of useful tools for both monitoring machines and for honeypotting.  An important key detail is to redirect logging to an otherwise isolated box, reserved for the purpose.  For embedded devices, using a dedicated high baud rate UART is optimal for this; just connect to a dedicated logging machine without internet connection (so it cannot be compromised except via physical access).  For WiFi/Ethernet-connected devices, use a dedicated Linux machine (perhaps a cheap SBC; I suggest using a cheap USB-SATA bridge and a SATA SSD for log storage) that is stripped down to a local console with a fixed LAN IP address, with no Ethernet connectivity except for the incoming logging ports which are directly streamed to files without processing, and all other ports blocked via firewall rules.  (If you do decide to keep an SSH port open for remote access, use a nonstandard port, and install firewall rules that silently drop all incoming packets to that port except from local IP addresses.)

Then, on any machines – both actual and honeypots – direct/duplicate the logs to (different ports on) the logging machine, and use software like tripwire to monitor for intrusion.  Using a bit of care to hide the system log duplication remotely, attackers are hard pressed to notice that even if their intrusion succeeds and they manage to hide their tracks locally, the remote logging machine will still contain the original tracks.  Script kiddies and worms do not even bother to hide their tracks, though.

As to myself, I like to use an OpenWRT router at the edge of my network as a firewall.  I am currently in the process of writing a simplified "fail2ban" (that does not rely on stored logs, and works with minimal RAM requirements) for OpenWRT, so that connection attempts to specific ports will automatically lead to the attemptee being blocked at the firewall.  It will not be suitable for the "western world" use cases where people want stuff to work by just plugging them in – so all sorts of automatic network discovery things must be passed through the "firewall" –, but for people who use their outer edge router as a firewall and optionally OpenVPN bridge (for secure tunnels to other networks, with the connection encrypted at the edge and not at the host machine – so even IOT devices can be secured from internet access, even though within the LAN and at the other network they are still unsecured and plain-text visible), this would be definitely useful.  (It will also be freely licensed, if I ever complete it in a form I care to publish.)

An example device I am currently using within my LAN/WiFi network (not facing the internet) is an Asus RT-AC51U wireless router.  It is configured as a bridge between my wired network and 2.4GHz and 5GHz wireless networks, so other than WPA2 encryption (via passwords on connecting machines), my wireless is no more protected than my wired network is.
However, the router itself cannot be compromised unless there is a Linux kernel bug that can be exploited, because its management interface is not accessible from any of the three networks: the router itself does not have an IP address at all on any of the three networks.  To access the management interface, I need to connect a laptop or a Linux Single Board Computer to a dedicated Ethernet management port on it.
This is because adding a firewall inside my local network would be worthless to me, as I rely on the one at the edge of my network facing the internet, and I can add that remote logging if I feel like it – right now, even if I were compromised, I would just be annoyed at having to reinstall my machines, as I don't have any data worth protecting at all on these machines.  So, making sure the Ethernet-WiFi bridge cannot be compromised and used as a launching pad for attacks elsewhere, is more important to me; even as far as requiring a temporary Ethernet connection to the router if I want to make any changes to its settings.
I do use fail2ban (which monitors logs for connection attempts, and based on configurable rules, adds local firewall rules for a limited duration to block those IP addresses) and ufw (for Ubuntu and Debian derivatives) with relatively tight firewall rules, on every Linux machine I have.

The only thing I want to point out related to politics – and here in Finland we have absolutely no free speech, even explaining an opinion based on the Christian Bible in public can get you prosecuted for hate speech (I'm not kidding), while our media claims they are the freest in the world – is that when the offender has been chosen, the offense will be invented if it is not already obvious.  That applies to all human societies.  Because of that, I recommend an approach where you can choose to be transparent to investigations, and can show your security measures are solely against illegal exploitation (as defined by local jurisdictions) of yourself and your devices.
One way to implement that transparency, and also make things easier for your family and friends should something happen to you, is to prepare and maintain a hardcopy-only guide completely detailing your network configuration with full access and control.  Essentially, pen-on-paper, kept in a secure box.  (Remember, if anyone has physical access, they can replace/compromise any device they want anyway; it is just a matter of how much resources they are willing to invest to do so.)
If you find yourself say politically targeted, you can make yourself completely transparent by providing that guide to an investigator face to face.  While the information discovered might implicate you somehow, the act of cooperation usually is more important (due to "offense will be invented anyway if not obvious"), and may be the only way you can convince a paranoid political power that you are not a threat, and are not politically motivated at all; and are, in fact, useful to them.  It should be informative to see how people have dealt with such situations, and the results they got, during the last century or so; especially any well-known local figures.
Others may disagree, and it can be fully true that "stonewalling" is a better policy; but having the option ought to be useful.
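Since the post above describes both fail2ban and a lighter log-free variant for OpenWRT, here is an added example (mine, not Nominal Animal's unpublished tool) of the core of such a detector: it streams over sshd log lines, keeps only a per-IP sliding window of recent failure timestamps (so nothing needs to be stored to disk), and emits `nft` commands that add offenders to a timed set. The sample log lines are constructed, the table/set name `inet fw banned` is an assumption, and the syslog year is assumed since syslog stamps carry none. It generalizes slightly beyond the post by also showing why a slow, spread-out attempt (one failure every ten minutes) does not trip a fixed window.

```python
"""Minimal fail2ban-style detector: per-IP sliding window over sshd failures,
emitting nftables commands for offenders.  Added example for this thread, not
the tool Nominal Animal describes; the log lines, table/set name and the
assumed year are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in syslog format (not real logs).
SAMPLE_LOG = """\
Jun 16 09:00:01 edge sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Jun 16 09:00:03 edge sshd[1202]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Jun 16 09:00:04 edge sshd[1203]: Failed password for root from 203.0.113.5 port 51244 ssh2
Jun 16 09:00:09 edge sshd[1204]: Accepted publickey for pi from 192.168.1.20 port 40000 ssh2
Jun 16 09:00:40 edge sshd[1205]: Failed password for root from 198.51.100.7 port 22222 ssh2
Jun 16 09:20:00 edge sshd[1206]: Failed password for root from 198.51.100.7 port 22223 ssh2
Jun 16 09:30:00 edge sshd[1207]: Failed password for root from 198.51.100.7 port 22224 ssh2
"""

FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for .* from (?P<ip>[\d.]+) port")


def parse_ts(stamp, year=2021):
    """Syslog stamps have no year; the assumed year only matters across Dec/Jan."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def find_bans(lines, max_fails=3, window_s=600, ban_s=3600):
    """Stream over log lines; return {ip: ban_expiry} for IPs that failed
    max_fails times within window_s seconds.  Only timestamps inside the
    window are kept per IP, so memory stays tiny and no stored log is needed."""
    window, ban = timedelta(seconds=window_s), timedelta(seconds=ban_s)
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    banned = {}                   # ip -> datetime when the ban expires
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue              # successes and unrelated lines are ignored
        ts, ip = parse_ts(m["ts"]), m["ip"]
        if ip in banned and ts < banned[ip]:
            continue              # already banned; the firewall drops these
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()           # expire failures older than the window
        if len(q) >= max_fails:
            banned[ip] = ts + ban
            q.clear()
    return banned


def nft_commands(ips, ban_s=3600):
    """Commands adding each IP to a timed set.  Assumes the set exists, e.g.
    'nft add set inet fw banned { type ipv4_addr; flags timeout; }' (escape the
    semicolons in a shell) and the input chain has 'ip saddr @banned drop'
    before its accept rules; the timeout removes the element automatically."""
    return [f"nft add element inet fw banned {{ {ip} timeout {ban_s}s }}"
            for ip in ips]


if __name__ == "__main__":
    hits = find_bans(SAMPLE_LOG.splitlines())
    for cmd in nft_commands(hits):
        print(cmd)
```

With the defaults, 203.0.113.5 (three failures in three seconds) is banned for an hour while 198.51.100.7 never accumulates three failures inside any ten-minute window; lowering `max_fails` to 2 catches it too. On a real box you would pipe `logread -f` or `journalctl -f` into `find_bans` and run the emitted commands as they appear.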
Title: Re: Counter Measures
Post by: DiTBho on June 16, 2021, 02:14:45 pm
in Finland we have absolutely no free speech, even explaining an opinion based on the Christian Bible in public can get you prosecuted for hate speech

It's the same one I heard from my Soviet friends.
I don't have a definite opinion on this. I don't know if it's socially good or not.

I mean, free speech sounds like a good value when people abstract the concept of freedom.
But too free speech can cause all the problems I am in the process of solving with AI/ML.

So, probably free speech needs a compromise, supervision and monitoring (but by whom? (1)), otherwise it can derail into something completely unpleasant and useless.

I think it's somehow like free speech on Youtube: free speech as urban dictionary is accepted only if moderated and not offensive, otherwise the video will be removed, and the author will receive a strike.

Said this way, it sounds like a fair compromise  :-//

(1) who controls the controller?
Title: Re: Counter Measures
Post by: dietert1 on June 16, 2021, 02:16:52 pm
Recent news was US and other agencies trapped and arrested criminals all over the world after selling them backdoored communication equipment some years ago.
In my opinion the best security device is the one you invent and make yourself. An example: Some years ago, after publicity about the hidden communication capabilities of USB storage devices, I made a USB device that allows me to safely transfer data across the air gap we have between production and web. E.g. an Arduino type thing that you can make within a week. This is nothing cryptographic but it is safe with a very restricted set of supported actions and with monitoring of those actions. Of course I won't explain any details and even the term Arduino is probably misleading.
I think you can easily beat others using your special capabilities.

Regards, Dieter
Title: Re: Counter Measures
Post by: David Hess on June 16, 2021, 02:55:10 pm
Recent news was US and other agencies trapped and arrested criminals all over the world after selling them backdoored communication equipment some years ago.

I thought the most interesting part of that story was the confirmation that the FBI and other US agencies outsource monitoring of US citizens to other countries that they cannot legally perform themselves.
Title: Re: Counter Measures
Post by: Fraser on June 16, 2021, 03:07:08 pm
A word of advice....

If you find yourself under the surveillance of a country's government, do not try to 'get smart' (stupid?) with them. You will most definitely regret such action. If a government agency wants to monitor you, they will, simple as that. If you attempt to prevent them doing so, you will become of greater interest as well as an annoyance to them and your life will become far more 'complicated'.

Feel free to ignore this advice but remember you are in their 'back yard' and you would be ill advised to mess with government agencies. It is best to make yourself of little or no interest to them rather than try to be 'smart'. You will not win, no matter what you do ;)

And remember…. This is not a ‘game’ and poorly considered actions can have unforeseen consequences.

Title: Re: Counter Measures
Post by: Bicurico on June 16, 2021, 03:14:48 pm
Honestly? I think you are being just paranoid.

Who cares if you cloned PayTV smartcards (technically it was not cloning, but using the keys on an emulator written for some smartcard with embedded PIC or Atmel chip). Been there, done that (not commercially, though). By the way, this has been replaced with a newer technology called "card sharing". Go to AliExpress and search for CCCAM subscription. You will be amazed how cheap it is to have most PayTV packages open for 3, 6 or 12 months...

The other pranks? Mainly harmless. I did not mess with computers of public services, but I did mess with the computers on the University. One of the hacks was to invert the keys for the original DOS based Tetris game: the teachers were quite incredulous seeing students "working" with the keyboard flipped 180 degrees!

What I mean is: I doubt your past has the slightest interest for any democratic or dictatorship regime.

I would rather bet that you are suspicious for being a US citizen!

Also, I don't think your small computer lab with IoT focus has the slightest interest for any intelligence agency. Who cares about what you do with your Arduinos and Raspberry Pis.

As long as you are not setting up a propaganda mesh network in Laos capital, of course.

And yes, all the gear you describe is prone to failure and malfunction, especially in a tropical environment. Note that Arduino and Raspberry Pi (and alike) are NOT certified for industrial use.

Finally, if you want to know what is going on, just install and run Wireshark to monitor your network traffic.

If you really require more than that and if the secret service is really spying on you, you must be doing something highly illegal (in the eyes of the regime) or their secret service simply sucks big time.

EDIT: And I do agree with Fraser. You better think if you are indeed not doing anything offensive to the regime. If not, let them spy; open the doors to them. If you might be doing something offensive, get the hell out of there.

Title: Re: Counter Measures
Post by: David Hess on June 21, 2021, 03:24:08 am
If you find yourself under the surveillance of a country's government, do not try to 'get smart' (stupid?) with them. You will most definitely regret such action. If a government agency wants to monitor you, they will, simple as that. If you attempt to prevent them doing so, you will become of greater interest as well as an annoyance to them and your life will become far more 'complicated'.

It is my duty as a patriotic citizen to waste as much of their time as possible.