Top 5 Cyber Security Concerns for Amateur Radio Operators
There were 14 data breaches each day of 2018 and 19 each day in 2019. 15 billion records were lost last year. A few years ago, you could populate a good infographic with a year’s worth of high-profile hacks. Nowadays, all it takes is one day. If you got your hands on this document, you may have heard me talk about computer security. Thanks, I hope you enjoyed it and learned a few things. To help you put some of it into practice, I created this little guide with some of the most important tips from my talk. In order of importance, here are my top five cyber security tips for amateur radio operators.
Tip 1: Protect Against Malicious Free Software
Amateur radio operators use a lot of free and open source software. Much of this software comes from questionable sources: people you may not know and have never met. Some examples are executables downloaded from links on Groups.io, PDFs posted on eHam, or Word and Excel files exchanged via Google Drive boxes. More often than is comfortable, open source projects have been discovered to be vehicles for malware. From ransomware and cryptocurrency mining to plain information stealing, free software sometimes comes with extra “features” that make it a bad deal.
We all need to use free and open source software as amateur radio operators. We can’t avoid it, so my number one recommendation is to keep that stuff off any computer that holds sensitive financial and personal data. Invest in a cheap second laptop or desktop that runs a modern operating system. Linux, Windows 10, and macOS all fit the bill. Using a second system to run all your ham software will mitigate the damage if you accidentally end up with malware.
Another recommendation is to always double check that you’re downloading software from the author’s official website. A simple way to do this is to search for the software with your favorite search engine. I’ll usually check Wikipedia for the correct link and cross-reference that to other search results to make sure they’re all pointing to the same place. It is not foolproof, but offers more assurance than clicking a random link fed to you on a discussion board.
If possible, double check the software hashes (MD5 or SHA1) to make sure that the software you are downloading matches what the author posted. MD5 and SHA1 hashes are mathematical calculations that the computer performs on the entire file to come up with a unique string of characters. Theoretically, no two programs should have the same hash. Authors post the hashes of their files so users can check that they have received an unaltered file.
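The hash check described above can be scripted so it is the same every time. This is an added example, not code from the original guide; it goes slightly beyond the text by also accepting SHA-256, which many authors publish, and the file name and contents in demo() are constructed.

```python
import hashlib
import hmac
import os
import tempfile

# Hex digest length -> algorithm. MD5 and SHA1 are the ones the text mentions;
# SHA-256 is an addition because it is also widely published.
ALGO_BY_LENGTH = {32: "md5", 40: "sha1", 64: "sha256"}

def parse_published(line):
    """Accept a bare hash or a 'hash  filename' line; return (algorithm, hex digest)."""
    parts = line.split()
    token = parts[0].lower() if parts else ""
    if len(token) not in ALGO_BY_LENGTH or set(token) - set("0123456789abcdef"):
        raise ValueError("not an MD5, SHA1 or SHA-256 hex digest")
    return ALGO_BY_LENGTH[len(token)], token

def file_digest(path, algo):
    """Hash the entire file in chunks so a large installer does not fill memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_download(path, published_line):
    """Return True only if the file's hash equals the hash the author posted."""
    algo, expected = parse_published(published_line)
    return hmac.compare_digest(file_digest(path, algo), expected)

def demo():
    """Constructed sample: a stand-in installer and the SHA1 its author would post."""
    data = b"pretend this is logger-setup.exe"
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(data)
        path = f.name
    try:
        posted = hashlib.sha1(data).hexdigest().upper() + "  logger-setup.exe"
        ok = verify_download(path, posted)
        with open(path, "ab") as f:   # one extra byte stands in for an altered file
            f.write(b"!")
        return ok, verify_download(path, posted)
    finally:
        os.unlink(path)

if __name__ == "__main__":
    print(demo())
```

Copy the published hash from the author's official site, not from the same page or message that supplied the download link.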
Tip 2: Secure the Network That Connects Radios to the Web
Connecting your radio to the Internet directly, through TeamViewer, or through Remote Desktop Protocol opens your network to outside connections. Radios directly connected to the web are Internet of Things devices, similar to Alexa, Roku, or your web-enabled refrigerator. IoT devices have a bad reputation for being full of vulnerabilities that are left unpatched. Consider banishing them to their own untrusted network. If a hacker takes over an unpatched device on your home network, it is generally easy to pivot and invade your PC.
A Y Router Configuration uses three routers to create two isolated networks. Put your sensitive computers on one and your untrusted IoT devices and ham radio computer on the other.
Once you secure your home network, look at how you connect on the road. Free WiFi is convenient, but risky. Anyone could be listening to your data on these unsecured connections at coffee shops and hotels. When you have to do work in hotels, consider turning your cell phone into a hot spot instead of using the hotel’s insecure connection. Think of wireless security in three layers. The first layer is the connection to the device. When you go out, try to only connect to WiFi that requires a password and says “secured” when connected. The second layer is the type of web connection. Use HTTPS connections, shown as “https” in the browser address bar. Anything with plain “http” is NOT encrypted. Missing both of these layers, your communications are easily intercepted and read. If you are really worried, the third layer is using a VPN service, which creates a secure tunnel back to a trusted network. However, take care in choosing a VPN provider. Do research to ensure the company you choose has a good reputation and can be trusted. The more paranoid may choose to use a solution like outline.org or create their own VPN. Services such as Outline allow you to host your own VPN server for $5/month.
Tip 3: Limit the Use of Old Software and Hardware
Amateur radio has a tradition of reusing old equipment. Reuse is great, but it is best to avoid reusing old computer equipment that will be connected to the internet. This includes computers, routers, and phones that no longer receive security updates.
Whether it is Microsoft Windows, Mac OSX, Apple iOS, or Android, turn on Automatic Updates and always download the most recent updates as soon as they come out. If you have Windows 7 or older, know that you have an insecure system. Only Windows 8.1 and 10 continue to receive security updates and are safer to connect to the Internet. The nice thing about these new versions of Windows is that they include antivirus right out of the box. There are also free antivirus programs like Avira or AVG Free. I also recommend using a browser that automatically updates, like Firefox or Edge. Chrome is off my list because it tends to use more memory than other browsers, causing the computer to get sluggish after a while. There have also been increasing privacy concerns with Chrome. Mac OSX does a decent job updating applications automatically, but Windows could do better.
Mobile phones also need to be current with security updates. With easy access to your email, contact list, Facebook, text messages, PayPal, and maybe even your bank accounts, a crook could take over your life with your phone! Here are several things you can do to make your phone more secure.
- Most phones require at least a 4 digit code to open, but is that really enough to protect everything you hold dear? Increase it to 8 or more characters for better security.
- Turn on two-factor authentication for your Apple ID and Google IDs. These will make it more difficult for an attacker to take control of your mobile devices.
- Connect the phone to your computer and back it up.
- Install security updates immediately to ensure you are protected from the newest vulnerabilities. Remember that your phone’s usable lifetime ends when it stops receiving security updates. Once the updates stop, your device has a compromised immune system. Recently, Google made a change requiring all new Android phones to receive security updates for two years. That’s great if you are a new owner. Apple has set the standard though. The iPhone 5S received security updates from September 2013 to September 2019, a total of six years after it was released.
- Do not jailbreak your phone and only download apps from the Google Play store, Apple App Store, or Amazon App Store. Jailbreaking is talked up as a way to get extra features out of your phone, but you have to install untrusted software in order to do it. Once jailbroken, you have no idea how secure the phone is and you should not use it for anything you want to keep private, like email or banking.
- Tweak your privacy and security settings. Every few months, a new blog post comes out helping people ensure the newest version of their mobile operating system is secure. You can search for those posts for the full story, but here are some tips to get you started.
  - When you download or update an app, look closely at the permissions it is asking for. Does the app really need those permissions? Consider that there are several flashlight apps in the Google Play store that ask for access to your pictures, GPS location, and full network access. What does any of that have to do with a flashlight? When an app asks you for permission to access information or phone functionality, be careful. Does Twitter need access to your contacts? Does Facebook need to know your location?
  - Limit what is visible on your lock screen. If a stranger gets hold of your phone, is it a good idea for them to see emails and texts without knowing your code?
  - Use a mobile ad blocker like Purity to limit ads.
  - Don’t let your Android phone install apps from unknown sources.
  - Use an Android antivirus program.
Tip 4: Surf the Web Smart
If you are going to surf the web, your best option is to use a Chromebook or tablet. They are less likely to get infected by viruses and do a better job isolating applications from each other. If you must use a computer or laptop, use a fully updated browser, preferably one that automatically updates like Firefox. Now that Mac and Windows also automatically update, Edge and Safari will work, too. I suggest adding an ad blocker to your web browser. Many of the year’s sneakiest attacks showed up as ads on websites! The uBlock Origin extension gets great reviews.
Email links and attachments are some of the easiest ways to be compromised. If you get a link, hover over it to inspect it before clicking. Is it going where you thought or is the domain name misspelled or unrecognizable? You could be one click away from having a completely compromised computer. I usually copy the link and paste it into the browser to see where it is going BEFORE pressing enter to go there.
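The link inspection described above can be written down as a checklist. This is an added example, not part of the original guide; example.org stands in for the site you expect, and the sample links are constructed.

```python
from urllib.parse import urlsplit

def inspect_link(url, expected_domain):
    """Return reasons the link does not go where you expected (empty list = no warning).

    expected_domain is the site you believe the message came from.
    """
    warnings = []
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").rstrip(".")
    if parts.scheme != "https":
        warnings.append("not an HTTPS link")
    if parts.username is not None:
        # Text before '@' is login information; the real destination follows it.
        warnings.append("text before '@' is not the destination")
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("encoded international name, may imitate other letters")
    if host.replace(".", "").isdigit():
        warnings.append("numeric address instead of a name")
    expected = expected_domain.lower()
    # The expected name must be the END of the host, not merely appear in it.
    if host != expected and not host.endswith("." + expected):
        warnings.append("destination is %s, not %s" % (host or "(none)", expected))
    return warnings

# Constructed sample links, all claiming to be from example.org.
SAMPLES = [
    "https://www.example.org/renew",
    "https://example.org.account-check.example.net/renew",
    "https://exarnple.org/renew",
    "http://example.org@198.51.100.7/renew",
]

def check_samples():
    """Map each sample link to its list of warnings."""
    return {url: inspect_link(url, "example.org") for url in SAMPLES}

if __name__ == "__main__":
    for url, found in check_samples().items():
        print(url, "->", found or "no warnings")
```

A link that raises no warning here still only proves where it goes, not that the page behind it is safe.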
If you get a call from a company or see a popup on your screen that says you have a virus on your computer and a phone number to call, it is fake. This is the common Tech Support Scam. While we’re on the subject, the IRS doesn’t call threatening to arrest you. They also don’t send emails. Do not give sensitive information to anyone who calls you. Find the company’s phone number and call them back yourself.
Tip 5: Use Strong Passwords and Two-Factor Authentication
Good passwords are long, can be remembered, and are only used on one website. The more often you reuse passwords, the more vulnerable your accounts become. A breach of any one site will compromise them all. Instead, use a password manager (with a really long master password) to store your unique passwords. Well-known password managers are 1Password, LastPass, and KeePass. A recent study showed that poetic passwords were easiest to remember. Consider that the following password is long, contains capitals and special characters, and is easy to remember: The RAIN in SPAIN falls MAIN-ly in the PLAIN. Recent guidance from the National Institute of Standards and Technology (NIST) says that passwords should be longer phrases that contain different kinds of characters instead of being just short and complex. NIST also says that you only need to reset your password when it is forgotten or compromised.
Many websites can require two factors of authentication before giving you access to your account. The types of authentication factors are:
- something you know (password)
- something you have (cell phone, tablet), and
- something you are (retina scans, fingerprints).
Typically, the sites use a password and send a text message code to your cell phone. A text message is better than nothing, but the latest advice is to use an authenticator application instead. Authenticator applications generate the codes within your phone, so you don’t need to receive a text at all. Google Auth and Authy are two well-known ones. It is a really, really good idea to turn this feature on for every account that has it, especially banking and email. To see companies that offer two-factor authentication, go to twofactorauth.org.