Why A VPN is a Good Idea When Using Public Wi-Fi or Hotel Wi-Fi - Politics Forum.org | PoFo


#15160623
If you ever need to use a public Wi-Fi or a Hotel Wi-Fi, it's a good idea to use a reputable VPN. Here's why: the possibility you could be unknowingly accessing a rogue access point or what is commonly called an "evil twin" network (rogue access points and "evil twin" networks are two different things, bear in mind). Hackers can buy routers online and use them to create a rogue access point within a public or hotel Wi-Fi. When you unknowingly log into that rogue access point, the hacker can use that router to steal any credentials you might type when using the internet.

An "evil twin" router is a separate network and not a rogue access point within the public Wi-Fi network. So, a hacker might know a hotel's or public Wi-Fi's Service Set Identifier (SSID) and its password and set up an identical looking network and your computer can go into that "evil twin" network instead of the actual legitimate hotel or public Wi-Fi network. Any credentials you type into your browsers then become easy pickings for the hacker.

So, in a lot of cases, there is no way to know for sure if you are accessing an "evil twin" network set up by a hacker or a rogue access point within that public or hotel Wi-Fi network. Given that is the case, once you access a hotel or public Wi-Fi, using a VPN becomes important to secure your connection from such possible access points or "evil twin" networks.

If you immediately activate a good VPN upon entering such networks, even if it is an evil twin or rogue access point unknown to you, that connection creates an encrypted tunnel to the VPN proxy server that cannot be read by the rogue access point or evil twin network. Your connection is encrypted in a tunnel from your device to the VPN proxy server. This assures that your credentials won't be stolen by a rogue access point or "evil twin" network. Hope that makes sense to those who read this post.
#15160705
Here is a video explaining rogue access points and evil twins which are studied as part of cyber security. One thing to bear in mind about https connections is that not all these connections on various different websites are 100% secure. Hence another reason to use vpns when you must use public wi-fi or hotel wi-fi. Here is the video.

#15160745
I use ExpressVPN. It seems to have the best mix of speed and security (there's usually a trade-off between the two). It was a doddle to set up. I think @Politics_Observer is right - the internet is like the Wild West out there, and having a VPN is like wearing a bullet-proof vest. Lol.
#15160752
@Potemkin

It is like the Wild West out there my friend. Education is important so you can better protect yourself against those who are tech savvy with malicious intent. The original IPv4 TCP/IP protocols were not designed by engineers with security in mind at the time during the Cold War. IPv6 is a little more secure than IPv4 but is still heavily susceptible to being used for malicious intent. I have ExpressVPN but have recently been experimenting around with Mullvad VPN. Mullvad costs 5 bucks a month and you can mail them cash anonymously in the mail or pay with Bitcoin or credit card.

If you use a tumbler with your Bitcoin to obscure the source of your Bitcoin, a good determined digital investigator investigating the blockchain can still untangle the obscurity of tumbler use and trace it back to you. However, it's much more difficult for them to trace it to you when you use a tumbler but they can do it if they are determined enough.

However, paying cash makes you far more difficult to trace than using a tumbler with your Bitcoin and then paying with that Bitcoin afterwards. I mean I am not doing anything illegal to where I am worried about a digital investigator, but I think it's awesome that Mullvad offers the option to mail them cash and pay them that way. I tried it and it works. Plus, you don't have to give them your email, name or telephone number. They simply generate an account number and a payment token associated with your account number so you can anonymously mail them the cash. Pretty cool! I have enjoyed experimenting and using Mullvad.

Use OpenVPN protocols with your ExpressVPN, VPN. Mullvad is cheaper and they are radically transparent so you can choose to use servers that they own and have physical control over. Mullvad tells you which servers they own and which servers they rent. They claim to have a no logs policy but they could be lying to you (ExpressVPN has a no logs policy, but again, they could be lying too). You can also use multi-hopping via bridged connection when using Mullvad.

On your ExpressVPN software, if you check under settings, you can see where you can choose TCP OpenVPN and UDP OpenVPN. TCP is a more reliable but more heavy weight connection. So, it can be slower but more reliable. On the other hand UDP is faster, but less reliable. Generally, I would stick with TCP OpenVPN.

You can also bypass the VPN blockers that Netflix uses to prevent people from viewing content in different countries using ExpressVPN but as far as I know you can't do it with Mullvad VPN. Mullvad can bypass the Great Firewall of China using the Shadowsocks proxy via bridged connections and my understanding is the ExpressVPN has the same capabilities though I am not sure if they are using the Shadowsocks proxy to do so. ExpressVPN can certainly bypass the VPN blockers of Netflix though.

I wrote my own website to help me get a job as a cyber security professional once I graduate from earning a Master's degree in Information Security with a concentration in Operations. I wrote this website myself from scratch. You can check it out if you like. It's designed to hopefully help me get a job when I get closer to graduation: http://www.davenportresume.com .
#15160796
@Potemkin

Here is another important thing to consider. Some people will say "hey, all I need to use is https to defeat an evil twin attack." But that assumes A LOT. It assumes that EVERY single https website you use is using solid TLS encryption. It assumes that EVERYTHING on EVERY website you visit IS encrypted. It assumes that the website even has https instead of http working or will automatically redirect you to using https if you type in http in the URL bar of your browser.

It also assumes that you have NO apps on your mobile smart phone or laptop computer that are using the network unencrypted. Do you know for sure that none of your apps on your smart phone is using the network? If you know they are using the network, do you know for sure if those apps are encrypted properly? So, it's pretty risky to go without a VPN on what potentially could be a malicious network you could be connecting to when using public hotspots or hotel Wi-Fi. Make sense?

Some might wonder, do hackers still use an evil twin attack? Russian hackers from the GRU have here recently back in 2018.

Ryan Orsi of Secplicity wrote:
The US Department of Justice charged hackers within the Russian military agency, GRU, with implementing Evil Twin access point (AP) attacks to pull sensitive data right out of the air. From the details provided so far, the Russian GRU members would park a car nearby target buildings from organizations including anti-doping agencies in Colorado, Brazil, Canada, Monaco, and Switzerland, the Westinghouse Electric Company’s nuclear power operations, the Spiez chemical testing laboratory in Switzerland, and the Organization for the Prohibition of Chemical Weapons in the Netherlands to perform their Evil Twin attacks. Inside the car was:

* Batteries to power their gear
* A Wi-Fi Pineapple to become the Evil Twin AP, broadcasting the same or similar SSID as inside the target building
* A high gain directional Wi-Fi antenna to boost the signal all the way into the building
* A 4G modem to provide internet access to the Wi-Fi pineapple and all victims connected to it
* A small computer with storage to collect information stolen from victims

Anatomy of the Evil Twin AP Attack

The Evil Twin AP attack takes advantage of a fundamental problem in Wi-Fi security that has existed since the very beginning of Wi-Fi. Devices connecting to a Wi-Fi network — like laptops, tablets, and smart phones — have no way to distinguish between two APs broadcasting the same SSID name. This enables hackers to set up malicious APs that can eavesdrop on the traffic and extract sensitive information.

Attackers initiate the attack by boosting their signal strength using Wi-Fi power amplifiers and high gain antennas, and then send deauthentication frames to momentarily disconnect the target client from the legitimate AP. The client device immediately attempts to re-connect to the same SSID to preserve a seamless connection experience for the end-users. Because the Evil Twin AP is broadcasting the same SSID, but with a higher signal strength, the client auto-connects to it and re-establishes internet access. Now, the attacker can intercept all the traffic flowing through the device. Also, malicious payloads like malware, botnets, and backdoors can also be loaded onto the victims' devices while connected to the Evil Twin AP.

If you find it shocking that a nearly 20 year old Wi-Fi attack is still this effective, you should be! The hard truth is that the Wi-Fi vendor community has found solving these layer 2 Wi-Fi security issues difficult and has since focused on optimizing things such as throughput, range, and client density.


The article continues by stating some of the additional risks associated with public hot spots:

Ryan Orsi of Secplicity wrote:
1. Rogue APs – bypass perimeter security
2. Evil Twin APs – Lure users to connect to it so as to spy on traffic, steal data, and infect systems
3. Neighbor APs – Risks infection from connecting to other SSIDs while in range of the Authorized APs
4. Rogue Clients – Delivers malware payloads to the network after connecting to malicious APs
5. Ad-Hoc Networks – Uses peer-to-peer connections to evade security controls and risk exposure to malware
6. Misconfigured APs – Opens network to attack as a result of configuration errors



https://www.secplicity.org/2018/10/07/r ... explained/

Wired magazine wrote an article about the Russian hack and the GRU agents charged in the hack: https://www.wired.com/story/russian-spi ... i-hacking/
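
An added example, not part of the original post or the quoted article: because a client cannot tell two APs with the same SSID apart, a defender can at least look for the tell-tale signs the article describes (a same-named AP with different security or an unfamiliar BSSID, often with the strongest signal). The scan rows and the `KNOWN_BSSIDS` allowlist are constructed for illustration, and treating an empty or `--` security field as an open network is an assumption.

```python
from collections import defaultdict

# Constructed sample (not a real capture) in the terse format printed by
#   nmcli -t -f SSID,BSSID,CHAN,SIGNAL,SECURITY device wifi list
# nmcli backslash-escapes the colons inside each BSSID.
SAMPLE_SCAN = r"""
HotelGuest:02\:00\:00\:AA\:10\:01:6:52:WPA2
HotelGuest:02\:00\:00\:AA\:10\:02:11:47:WPA2
HotelGuest:02\:00\:00\:EE\:99\:01:6:88:
CoffeeShop:02\:00\:00\:BB\:20\:01:1:60:WPA2
"""

# Hypothetical allowlist: BSSIDs the venue (or you, at home) confirmed as genuine.
KNOWN_BSSIDS = {"HotelGuest": {"02:00:00:AA:10:01", "02:00:00:AA:10:02"}}


def split_terse(line):
    """Split one terse row on ':' while honouring backslash escapes."""
    fields, cur, chars = [], [], iter(line)
    for ch in chars:
        if ch == "\\":
            cur.append(next(chars, ""))  # keep the escaped character literally
        elif ch == ":":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    fields.append("".join(cur))
    return fields


def parse_scan(text):
    aps = []
    for line in text.strip().splitlines():
        fields = split_terse(line)
        if len(fields) != 5 or not fields[0]:
            continue  # malformed row or hidden SSID
        ssid, bssid, chan, signal, sec = fields
        aps.append({"ssid": ssid, "bssid": bssid.upper(), "chan": int(chan),
                    "signal": int(signal),
                    "security": sec if sec not in ("", "--") else "OPEN"})
    return aps


def evil_twin_indicators(aps, known=None):
    known = known or {}
    by_ssid = defaultdict(list)
    for ap in aps:
        by_ssid[ap["ssid"]].append(ap)
    findings = []
    for ssid, group in sorted(by_ssid.items()):
        modes = sorted({ap["security"] for ap in group})
        if len(modes) > 1:  # same name offered both open and encrypted
            findings.append((ssid, "mixed-security", ", ".join(modes)))
        if ssid not in known:
            continue
        strangers = [ap for ap in group if ap["bssid"] not in known[ssid]]
        findings += [(ssid, "unknown-bssid", ap["bssid"]) for ap in strangers]
        loudest = max(group, key=lambda ap: ap["signal"])
        if loudest in strangers:  # clients tend to pick the strongest signal
            findings.append((ssid, "strongest-is-unknown", loudest["bssid"]))
    return findings


if __name__ == "__main__":
    for finding in evil_twin_indicators(parse_scan(SAMPLE_SCAN), KNOWN_BSSIDS):
        print(*finding, sep=" | ")
```

These are heuristics only: large venues legitimately run many BSSIDs under one SSID, and a BSSID can be copied as easily as an SSID, so a clean result does not prove the network is genuine.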
#15160810
Politics_Observer wrote: @Potemkin
Use OpenVPN protocols with your ExpressVPN, VPN. Mullvad is cheaper and they are radically transparent so you can choose to use servers that they own and have physical control over. Mullvad tells you which servers they own and which servers they rent. They claim to have a no logs policy but they could be lying to you (ExpressVPN has a no logs policy, but again, they could be lying too). You can also use multi-hopping via bridged connection when using Mullvad.

On your ExpressVPN software, if you check under settings, you can see where you can choose TCP OpenVPN and UDP OpenVPN. TCP is a more reliable but more heavy weight connection. So, it can be slower but more reliable. On the other hand UDP is faster, but less reliable. Generally, I would stick with TCP OpenVPN.

I've installed ExpressVPN on my router, as well as on each device I use, using TCP OpenVPN. It's also set up to break my connection to the internet if the VPN ever goes down. Belt and braces. Lol.
#15160897
I am on my Linux partition of my laptop and I installed Shadowsocks on Linux. Not sure if it was necessary. Mullvad has a bunch of various different pages that describe how to use their service via Linux Bash shell. They have a GUI you can use, but being the nerd that I am, I want to do things the hard way and use the Linux Bash Shell to do everything. I am a firm believer in using the Linux command line and not relying too much on GUIs or windows. It's how my professors molded me. So, strictly using the Linux CLI (short for command line interface which is another way of saying you are using a Linux shell), I got a bridged connection using shadowsocks on one of their bridged servers in Sweden and chose a server in Switzerland as my exit location. I am like a nerd kid who has got a new toy! I am loving it! Linux and shadowsocks all the way baby!
#15160964
Politics_Observer wrote: I am on my Linux partition of my laptop

I consider separate (preferably PCIe) drives for Linux and Windows, the basics for a civilised existence in 2021. Ideally with an HDD or large SSD as a third drive for big data like Films and music.

My big struggle at the moment is I'd like to get a new laptop (17.4 inch min), but I can't seem to find anything decent without a Nvidia GPU, which would force me to use the closed source drivers on Linux.
#15160971
I would advise installing a VPN on the router itself rather than (just) on the clients. Asus routers are the best for this, especially if you install the open-source Merlin firmware instead of the stock closed-source Asus firmware. It is then trivially easy to install a VPN on it, which will protect every client which uses that router. You should install the VPN on the clients too, just to be doubly sure. Belt and braces, belt and braces. Lol.
#15160980
@Potemkin

Depending on what sort of encryption your router is using, I am not sure if it is necessary to have the VPN installed on your home router for security purposes. If you look at the bottom of your router, it should give you what sort of encryption it is using. You want it to be using WPA2 or Wi-Fi Protected Access 2 with 256 bit AES (Advanced Encryption Standard) encryption. Do NOT use a router that is using WEP (Wired Equivalent Privacy). WEP is not secure to use with your router. WPA2 with AES 256 bit encryption is secure. If you have that on your router, then it's not necessary for you to have the VPN installed on your router.

You also want to disable UPnP (Universal Plug n Play) and WPS (Wi-Fi Protected Setup) on your router as these are security vulnerabilities. All of your devices that go through your router that has WPA2 with 256 bit AES will be encrypted. You can log in to your router to find your WPS and UPnP settings. Depending on the router you have, you can set up a guest network and an internal network. The guest network is what the guests of your home can use for internet access while the members of your household use your home network (or in other words, your internal network). Plus, you give only your guest network password out to guests and not your home network password out (that way nobody knows it outside of you or members of your household), make sense?

The guest network segregates your home network, or internal network from your guest network. So, if your guests bring malware on their devices into your network, the risk of it spreading to other devices stays on your guest network and doesn't spread to your devices on your home network. So, setting up a guest network on your router will ensure that any guest who brings malware on their devices into your network won't spread to your devices on your home network given that you will give the guests the password to the guest network of your network while your devices are on a separate network within that one router which is your internal network.

However, when you go to public Wi-Fi hotspots, I strongly encourage you to use the VPNs on your devices given the security risks involved in using public Wi-Fi hotspots such as in a hotel, airport or coffee shop. Make sure that VPN is turned on and working before you do anything on that public Wi-Fi hotspot. Another thing, if you use a VPN on a client in your home network, it's generally used for privacy to where it's more difficult for websites to identify your true IP address given that you are going through the proxy server of your VPN service. Make sense? You also need to make sure your WPA2 password on your router is strong and tough to crack. Here is a website you can use to test the strength of a potential password you might be considering using on your WPA2 router (your devices will need the WPA2 password to use your router and benefit from its encryption):

https://www.security.org/how-secure-is-my-password/

So, given all this I want to leave you with a source explaining why WPS is a security vulnerability on your router and why you should turn it off here:

Routersecurity.org wrote: A visitor to your home/office illustrates one aspect of why WPS is a bad idea. The visitor only needs to turn your router upside down, take a cellphone picture of the label on the bottom and they can, thereafter, get into your WiFi network. The WPS password (they use a different term, but it's a password) on the router label is the equivalent of a get out of jail card in Monopoly. It over-rides the WPA2 password.

Have a really long WPA2 password? It doesn't matter, WPS lets the visitor in anyway. Change the WPA2 password every week? It still doesn't matter, WPS continues to let the one-time visitor into your network.

But, a visitor with a cellphone is only part of the security problem with WPS.


https://routersecurity.org/wps.php

Here are some of the security issues related to UPnP:

UPnP (Revised Jan 12, 2019)
Universal Plug and Play (UPnP) can be a security problem in two ways. It was designed to be used on a LAN where it lets devices poke a hole in the firewall. It is how IoT devices make themselves visible on the Internet, where many of them get hacked, either due to security flaws or the use of default passwords. UPnP was never meant to be used on the Internet, but some routers mistakenly enabled it there too. Most routers let you disable UPnP on the LAN side.

Is UPnP enabled on the LAN side? As a rule, consumer routers have UPnP enabled, while business routers have it disabled. Can you disable it? If not, throw out the router. The D-Link DIR-880L is the rare router that does not let you disable UPnP. Early releases of Luma routers did not let you disable UPnP. As of a software update from August 2016, UPnP can be disabled.

Is UPnP enabled on the WAN side? Steve Gibson's UPnP exposure test is the only way that I know of to test for UPnP being enabled on the WAN/Internet side of a router. Start at his ShieldsUP!, then click the gray "Proceed" button. On the next page click the big orange button labeled "GRC's Instant UPnP Exposure Test". I would take any router that fails this test out of service.

If you must use UPnP, then look for a router that offers detailed status information about the state of forwarded ports, such as the app that made the UPnP request and details on the currently active port forwarding rules. Some port forwarding rules come from UPnP and some don't. It is best to use a router that clearly shows which port forwarding rules came from UPnP requests. Synology routers display a UPnP client list. The TP-LINK Archer C7 has an online demo of the C7 user interface. Click on Forwarding, then UPnP to see its display of UPnP information, which includes a description of the application that initiated a UPnP request, the external port that the router opened for the application, the IP address of the LAN device that initiated the UPnP request, and more. Netgear KB article, How do I enable Universal Plug and Play on my NETGEAR router? describes a UPnP Portmap Table that displays the IP address of each UPnP device accessing the router, which ports that device opened and what type of port is open and whether that port is still active for each IP address.


https://routersecurity.org/checklist.php#upnpdisable

Also DO NOT use the WPA2 password that comes with your router. Change that default router password to your own strong password and only give it out to those in your household that use your home network (make sure your router guest network has a different password than your router home internal network and that your home devices only connect to your router internal home network and not your router guest network). There is password cracking software out there that uses default router passwords that come with routers to try to crack into home networks. It's also a good idea to change your SSID (Service Set Identifier) of your network so that nobody can identify it as "hey that SSID would indicate it's Potemkin's network." You don't want to use a SSID that would enable somebody scanning home networks in your local area to have a good idea which network is yours for example.
