Additional detection of being hacked

Probably need a better title for this post.

Current advice starts with: being hacked can involve the home router (or so I read). The recommendation being to keep your personal home modem/router up to date and a model that does not have an easy way to hack. To keep the firmware/software in the modem/router up to date. Encrypt the devices with a decent password. Be aware of who might be using your home connection, and none of you go to sketchy websites. Such as, I know a person from Asia who likes downloading Asian movies (Phim) from free sites in Asia. I can think of other examples of places one should be careful of going.

I notice NitroKey has a hardware FireWall.

As a hunch of what to do to detect a hack: feed my computer connection through a home server, which looks at all, watches all, where connections are going to and coming from. Such as the US Air Force having computers, especially built for them, sending information to Mainland China, which was discovered by someone seeing a lot of activity going to an internet address in mainland China.

While using a firewall and watching connections from a specially designed qube is interesting, if the firmware of my computer had been modified to send information elsewhere, I can hope that the second computer, acting as a server, would see internet connections that the qube was not in a position to see.

Downsides. I would need a trustworthy computer to use for this. As I would say, a sterile computer to start. Then I know nothing about the software which needs to be on it, so I could easily contaminate the sterile environment. This is not very portable. It does not catch all the possible problems. I might have to purchase some software and services. Using this home server might reveal information I do not want revealed.

I suspect ISPs, particularly public WiFi, have moved ahead in surveillance technology and can, at will, add identifiers to packets of information from a connection and watch where it goes.

Or like, thinking of a Tor relay as a black box, the ISP surrounding the Tor relay can see packets when they come in and leave, formulate an analysis pattern locating first entry to Tor, to where it finally goes. Would need a lot of resources.

Not knowing that is happening, ISPs are likely developing means built into their servers which may end some of our best efforts to be anonymous.

My question is: Has anyone out there accomplished using a single computer to be a home server, watcher? Might call it a Firewall. A less expensive abbreviation of this?

Any of those more tech experienced, tech knowledgeable out there want to make comments? Give a bit of information on how this is not going to work? How to make it work?

I don’t have your use case, but the current state of the art in security models is based on what is known as zero trust. In essence, zero trust means that you don’t have any implicit trust in anything (router, network, other devices, etc.) and that you harden every component based on a threat modeling exercise that you perform about reasonable (or not) threat vectors. Zero trust also authenticates and authorizes every connection at the time it is needed and relies on strong multi-factor authentication to do so (for a user connection, for example, it may require a cryptographic authenticator or security token device independent of the client computer).

I’m not saying that you should not update the firmware in your router to the latest version and harden its configuration as much as possible. What I’m saying is that doing so may not be enough, depending on your threat model. You also need to do the same for the server/client devices. Qubes OS provides additional security through compartmentalization (isolation), which is also another principle frequently associated with zero trust: if a component is compromised, you limit the blast radius (the opportunity that the attacker has to pivot from that compromised component to any other component).

Now, everything that I said has to do with security, not necessarily privacy (ISPs monitoring your connections, etc.). For that, there are specific tools such as Tor, which can provide a reasonable degree of privacy, but, in general, you should assume that anything that you do on the internet can be discovered by others. Yes, you can obfuscate things, but security through obscurity is not best practice.

Qubes OS provides enough isolation to allow you to use a single computer as a firewall, router, intrusion protection system, server and client, all in one, if configured correctly. The default configuration is reasonably secure too. But only you can make a determination and know if that’s sufficient for your use case or not. Given a resourceful, formidable adversary, most individuals would have no protection anyway, no matter what they do. At the end of the day, they can always go to your home and point a gun at you. Qubes OS will not protect you against this.

In sum, Qubes OS is reasonably secure for most purposes, but it may not be enough to provide a certain level of privacy guarantees. For example, if you use Tor, your ISP can see your (encrypted) connections going into Tor. Will that be enough for them to know what you are doing through Tor? Probably not, but, hey, they can be creative. Perhaps they will convince you to use their “secure Tor bridges” or their latest “free privacy enhancing VPN” offering and, if you are gullible enough, they could manage to decrypt and see everything you do.

Keep in mind that most successful sophisticated attacks have a non-technical component and leverage the weakest link in the security chain. And that link may be sitting on your chair as you read this :slight_smile:

(Aside: this topic is probably better suited for the “All Around Qubes” section than “General Discussion” because it’s not focused on Qubes-specific discussion, but is likely to be of interest to people invested in QubesOS)

As I understand it, you have two main concerns: that an ISP might monitor and log your activity and that a malicious website might try to break into your computer (either the PC you are working on or the router that you are relying on).

For the first concern, as far as I know TOR is the best defense against surveillance. I replied to your specific point about ISP monitoring TOR connections below.

For the second concern, a malicious website is probably going to be attacking your browser, not your router. It is theoretically possible that it could send some packet that exploits a bug on your router, but it would have to traverse many routers before it reaches yours (and some of those routers might be configured to reject suspicious-looking packets) and they would have to be exploiting a bug that specifically exists on the router which you have. It’s not very likely. Bugs in browsers are a significant concern so major browsers (Chromium/Firefox/Safari) tend to be responsive to legitimate bug reports. As @flavio noted, QubesOS’s compartmentalization reduces the impact that a browser bug will have on your system, so long as you use it thoughtfully.

This component of an attack has been studied for a long time, and the TOR network has implemented some countermeasures for specific implementations of the attack. If you want to learn more, search for “TOR correlation attack”.

There are a number of network monitoring software projects which can inspect packets for suspicious activity, although as you have noted you will need a separate piece of (trusted) hardware in front of your router to use it. These systems are generally designed for use by large organizations with complex networks rather than home use.

Also, if you do set up something like this, keep in mind that lots of things happen to keep the internet and internet-connected devices running which are not necessarily malicious. For example, if you see your router periodically pinging an unknown server, it might simply be checking for updates. It might also be reporting metrics (hopefully anonymized metrics), which you may or may not consider malicious, but it is different from spying on the contents of the sites that you visit.

Pardon me for saying so, but referring to privacy as “security through obscurity” is misleading and unhelpful. The term does not mean that the idea of keeping secrets is invalid. For example, modern cryptography relies on keeping a piece of information secret (the decryption key), but this is not considered “security through obscurity”. Rather, an encryption algorithm that only works if the algorithm itself is kept secret would be “security through obscurity”, because any message could be decrypted with this general knowledge of how the software operates, rather than the specific knowledge of the private key which is an input to the algorithm.

1 Like
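Returning to the earlier point in this thread about a home server watching where connections go, and the caveat that a router periodically contacting an unknown host may just be checking for updates: the script below is an added example, not code posted by anyone in the thread. It takes constructed flow records (the format, hostnames and addresses are invented for the demonstration), groups them by source, destination and port, separates destinations the owner has already reviewed from unknown ones, and flags groups whose connections recur at a steady interval. Periodicity is treated as a prompt to look closer, since an update check and anything less welcome can look identical at this level.

```python
"""Added example (not from the thread): summarise outbound flows recorded by a
home server sitting in front of the router. Log format, hosts and addresses
are constructed for the demonstration."""
from collections import defaultdict

# Constructed flow records: "<epoch> <src_ip> <dst_host_or_ip> <dst_port> <bytes_out>"
SAMPLE_LOG = """\
1700000000 192.168.1.1 updates.router-vendor.example 443 1200
1700003600 192.168.1.1 updates.router-vendor.example 443 1180
1700000010 192.168.1.20 pool.ntp.org 123 76
1700000100 192.168.1.20 203.0.113.45 4444 51200
1700000400 192.168.1.20 203.0.113.45 4444 49800
1700000700 192.168.1.20 203.0.113.45 4444 50100
1700001000 192.168.1.20 203.0.113.45 4444 50600
1700000050 192.168.1.20 www.example.org 443 820
"""

# Destinations the owner has reviewed and accepted (constructed allowlist).
ALLOWLIST = {"updates.router-vendor.example", "pool.ntp.org", "www.example.org"}


def parse_flows(text):
    """Parse the constructed record format into (ts, src, dst, port, bytes) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split()
        flows.append((int(ts), src, dst, int(port), int(nbytes)))
    return flows


def summarize(flows, allowlist):
    """Group flows by (src, dst, port) and compute per-group statistics:
    connection count, total bytes sent, the sorted gaps between connections,
    the median gap, and whether the destination is on the allowlist."""
    groups = defaultdict(list)
    for ts, src, dst, port, nbytes in flows:
        groups[(src, dst, port)].append((ts, nbytes))
    report = {}
    for key, items in groups.items():
        items.sort()
        times = [t for t, _ in items]
        gaps = sorted(b - a for a, b in zip(times, times[1:]))
        report[key] = {
            "count": len(items),
            "bytes_out": sum(n for _, n in items),
            "gaps": gaps,
            "median_gap_s": gaps[len(gaps) // 2] if gaps else None,
            "allowlisted": key[1] in allowlist,
        }
    return report


def unknown_destinations(report):
    """Groups not on the allowlist, largest outbound volume first, for manual review."""
    return sorted(
        (k for k, v in report.items() if not v["allowlisted"]),
        key=lambda k: -report[k]["bytes_out"],
    )


def looks_periodic(stats, min_count=3, tolerance=0.1):
    """True when at least min_count connections recur with every gap within
    tolerance of the median gap. Benign update checks match this too, so it
    marks something to investigate rather than a verdict."""
    gaps = stats["gaps"]
    median = stats["median_gap_s"]
    if stats["count"] < min_count or not gaps or not median:
        return False
    return all(abs(g - median) <= tolerance * median for g in gaps)


if __name__ == "__main__":
    rep = summarize(parse_flows(SAMPLE_LOG), ALLOWLIST)
    for key in unknown_destinations(rep):
        s = rep[key]
        print(f"REVIEW {key[0]} -> {key[1]}:{key[2]}  conns={s['count']} "
              f"bytes={s['bytes_out']} periodic={looks_periodic(s)}")
```

Run against real data, the record format would be whatever the monitoring box actually logs (a firewall's connection log, NetFlow, or similar), and the allowlist would grow as the owner looks up each new destination and decides whether it is an update server, a metrics endpoint, or something worth asking about.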

Good point. I was not referring to encryption here, which I consider primarily security (even if it can lead to better privacy too). I was referring specifically to attacks to disclose the source of traffic through correlation or otherwise. Tor, for example, when used to access the public internet (not .onion sites), could be seen as analogous to a massive “privacy through obfuscation” engine: you can add many encryption layers, but still, if you can correlate the traffic to the inbound gateway from a given IP address and the traffic to the sites, you can potentially extract circumstantial evidence of that access, even if you can’t decrypt the actual connections at the source (but, with control of the destination, you may be able to decrypt them there, of course). The same can be said about cryptocurrency mixers. Modern encryption and, especially, PKI, is not “security through obscurity” by any stretch of the imagination, in particular when you consider key lengths that would require, on average, the lifetime of the universe for an attack to succeed (quantum computers using Shor’s factorization may invalidate this statement when considering existing encryption ciphers based on discrete logarithm and large integer factorization problems).

I hope this clears up any confusion that my earlier statement could have created.

I intended for this to be in the “I have been hacked” section, because it is a thought of a tool to discover if firmware might be behind some kind of internet connection besides the one that, as Flavio said, could be accomplished inside Qubes itself.

Such as if the boot sector was altered. Or LogoFAIL might create a hack. And yes, if ME, the bad part, was activated on my computer, then it might show up as a connection on a separate server, when not inside Qubes itself.

Yes, I am reaching, in an area I am not technically knowledgeable.

Thanks for the clarification! If it’s about tamper detection, the best methods that we have today use cryptographic hashes (SHA-512, for example). Since it’s very hard to deterministically alter the integrity of a system in a way that a particular hash value results from it, hashes are a fairly good way to verify each and every component in the system (and this should include, of course, BIOS/UEFI, CPU firmware updates, etc., in addition to the operating system components). With some ingenuity, one could have all those hashes and the hashing algorithm stored in an independent read-only device and compare the results with the reference values at boot time. Of course, if you are absolutely paranoid, you could suspect that a highly skilled attacker compromised your CPU in a way that it will arbitrarily return certain values to fool you into thinking that the system’s integrity is intact, but this is probably more in the sci-fi realm.
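The reference-manifest idea above, written out as an added example (not code from this thread or from the Qubes project): build a manifest of SHA-512 digests from a known-good tree, keep it on read-only media, and later compare the live tree against it, reporting files that changed, files that vanished and files that appeared. The file names and contents in the demo are constructed; a real manifest would cover the EFI system partition, the hypervisor and kernel images, and whatever firmware blobs the system exposes.

```python
"""Added example (not from the thread): verify a file tree against a
read-only manifest of SHA-512 digests. Paths and contents in demo() are
constructed for the demonstration."""
import hashlib
import os
import tempfile


def sha512_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-512 so large firmware images need not fit in memory."""
    h = hashlib.sha512()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map relative path (with '/' separators) -> digest for every regular file
    under root. Generated once from a known-good system and then stored
    read-only, separate from the system it describes."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha512_file(full)
    return manifest


def verify(root, manifest):
    """Compare the live tree to the manifest. Returns three sorted lists:
    modified (digest differs), missing (in manifest, absent on disk) and
    unexpected (on disk, absent from manifest). All empty means intact."""
    current = build_manifest(root)
    modified = sorted(p for p in manifest if p in current and current[p] != manifest[p])
    missing = sorted(p for p in manifest if p not in current)
    unexpected = sorted(p for p in current if p not in manifest)
    return modified, missing, unexpected


def demo():
    """Constructed scenario: snapshot a small tree, confirm it verifies clean,
    then tamper with it three ways and return what verify() reports."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "EFI", "BOOT"))
        boot = os.path.join(root, "EFI", "BOOT", "BOOTX64.EFI")
        xen = os.path.join(root, "xen.gz")
        with open(boot, "wb") as f:
            f.write(b"good bootloader image (constructed)")
        with open(xen, "wb") as f:
            f.write(b"good hypervisor image (constructed)")

        manifest = build_manifest(root)
        assert verify(root, manifest) == ([], [], [])  # clean baseline

        # Simulated tampering: append a byte, delete a file, drop in a new one.
        with open(boot, "ab") as f:
            f.write(b"\x90")
        os.remove(xen)
        with open(os.path.join(root, "extra.bin"), "wb") as f:
            f.write(b"dropped in (constructed)")

        return verify(root, manifest)


if __name__ == "__main__":
    modified, missing, unexpected = demo()
    print("modified:", modified)
    print("missing:", missing)
    print("unexpected:", unexpected)
```

The check is only as trustworthy as the environment that runs it, which is the point the post makes about a compromised CPU: the script and the manifest should live on read-only media and be run from a separately booted system, so that the software under suspicion is not also the software doing the measuring. Hashing covers files; firmware that never appears as a file (the router's own image, or a management engine region) needs to be read out by other means before the same comparison applies.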

I moved the topic to Support / Help, I’ve been hacked. All topics in this category get an automated 30-min delay between posts (called slow-mode) to encourage everyone to be mindful with their replies. I removed that delay because it doesn’t seem necessary, but I can re-establish it if needed @catacombs, just let me know either here or in a private message. :slightly_smiling_face:

2 Likes