At CryptoAUSTRALIA we are always asking ourselves the question: How can we teach everyone in Australia to defend their privacy? We believe in the “learning-by-doing” approach, so what could be more fun and engaging than a hands-on workshop? Once we realised how many excellent privacy-related tools are available for the Raspberry Pi, we began looking into dozens of these projects. So we hand-picked a shortlist of the interesting ones from the plethora of RPi projects available and got together on the long weekend to trial them.
We planned to get together on a glorious Saturday to eat as many hot dogs as humanly possible and to showcase the shortlisted projects to each other. The goal was to pick the best project by day’s end and turn it into an exciting series of CryptoAus workshops for the benefit of the community. The clear winner was the ad and malware blocking project ‘Pi-Hole’ and here is why.
The Shortlisted Raspberry Pi Projects
We picked the project candidates a couple of days before the get-together. Our selection criteria was simple: if the project had something to do with privacy, we gave it a go.
The final list of candidates we settled on was the following:
- Pi-Hole – Ad-blocking service on your home LAN
- Tor/VPN gateway – Protect the privacy of your network traffic from the ISP
- e2guardian/squidGuard – Block malware and phishing websites on your devices
- CIRCLean – USB flash drive sanitiser
- Bro IDS – Detect if you have a malware-infected computer on your network
Getting Our Hands Dirty
So everyone got together around 10 am at my apartment along with their RPis and a few other accessories. Nick brought an LCD screen and keyboard with him, which turned out to be a good idea. Ed brought an old Raspberry Pi Model 1, so we were able to test how a project would run on a Pi Zero (they both have the same CPU and memory). Aiza got her USB card reader, and Roland brought his charming smile.
We spent the first hour setting up a second switch that Ed had smuggled in from the UK. My home router only had two available Ethernet ports for the five Raspberry Pi devices, so we desperately needed at least an additional four Ethernet ports. Ed fired up his shoddy BT router, which was probably full of unpatched vulnerabilities, and it was ready to go after a few missteps. We concluded that we would need a proper 8 or a 16-port purpose-built switch for an actual CryptoAus workshop to avoid long troubleshooting sessions.
In the meantime, we flashed a few SD cards with Raspbian Stretch and NOOBS. Raspbian Lite can run on a 2 GB card, while NOOBS requires at least 8 GB. Once the wired and wireless networks were up and running, we quickly hooked up our RPis on the LAN and popped the freshly-written SD cards into the devices.
Raspbian has SSH disabled by default for security reasons unless an empty file named ‘ssh’ is written on the boot partition. Raspbian was then ready for action. We discovered NOOBS needed some user interaction and additional package downloads to get ready. As we are short on both network bandwidth and time on CryptoAus workshops, NOOBS will not be our choice of OS this time.
Once the Pis all booted up, we began installation of the projects, except for CIRCLean, but more about this later.
Pi-Hole
Pi-Hole is essentially a DNS server with a friendly web interface. The premise is that you run a DNS service on the local network, and use the Raspberry Pi as the server. Pi-Hole will take care of the DNS resolution by proxying the DNS traffic to third-party DNS services and blocking requests that feature on its blacklist.
Pi-Hole can be installed with a single command: curl -sSL https://install.pi-hole.net | bash. While this approach makes the installation process very simple, it is a bit scary as we were piping unknown Linux commands from a remote script file as the root user. However, we like to live life dangerously, so we did it anyway.
Nonetheless, the installation only took a couple of minutes. Once it was complete, we were able to connect to the admin panel with a web browser. We navigated to the ‘Settings’ tab and changed two things: the upstream DNS servers and the blocklists.
The default upstream DNS servers on the Pi-Hole are Google DNS (8.8.8.8, 8.8.4.4), which offers neat things like DNSSEC signature validation. Some people, however, may prefer privacy-respecting DNS services like OpenNIC. Other built-in options available like Comodo, Norton ConnectSafe) offer advanced security features, such as phishing protection. Paid upstream DNS services such as Strongarm or Cisco Umbrella can be added to enjoy the benefits of advanced malware protection and web content filtering capabilities.
Long story short, we decided on free OpenDNS service because of its essential security features. OpenDNS can block malware, phishing and botnet domains, as well as dodgy website categories like ‘Web Spam’.
The gist of Pi-Hole is the DNS-based blacklist, which is compiled from third-party blocklists. If a client makes a DNS request to Pi-Hole, and the requested hostname is on the blacklist, Pi-Hole will hijack the DNS response and will respond with a faux DNS record. The tampering is a good thing in this context, as the connecting clients will not be able to connect to third-party advertising servers or malicious websites to display ads or execute malware.
The default blocklist is not too restrictive. Depending on your personal preferences, you may only want to block ads and malware traffic, while others prefer blocking inappropriate websites at home. We found two excellent blacklist sources for malicious domains: The Big Blocklist Collection and Fabrice Prigent’s list.
The Big Blocklist Collection features various feeds compiled for the Pi-Hole. Feeds such as Easylist feature in the well-known browser plugins like uBlock andAdBlock. Other feeds sourced from malware researchers such Zeus Tracker are also available. In the end, we picked Easylist and Disconnect.me’s “simple ad” and “simple malvertising” lists. Interestingly, there is also a list for Samsung SmartTV owners who wish to block the chatty “smart” features of their TV’s.
Fabrice Prigent maintains the other blocklist. His list is utilised by proxy servers such as squidGuard or e2guardian. Prigent maintains a website categorisation list, similar to commercial proxy appliances (e.g. BlueCoat. IronPort), where unwanted websites can be blocked by categories such as pornography, gambling, games or malware. Depending on your preferences, you may also prefer protecting your family from certain website categories.
We concluded that Pi-Hole is relatively straightforward to install and operate. The web UI is very intuitive and easy to use. We all agreed that this project is ideal for a CryptoAus workshop because our guests could just take their devices back home (or rebuild them in no time) and be up and running very quickly blocking ads and malware. The security and privacy benefits of a Pi-Hole device are immediate.
Tor Gateway
The second project we have looked into is a secure gateway using Tor. The premise of the project is that you could run the Tor client on a Raspberry Pi and create a new Wifi Access Point (AP). The traffic from the devices connected to this AP are then tunnelled through the Tor network.
We thought that the project could potentially be useful for privacy-enthusiasts, who wish to minimise their metadata or penetration testers who prefer to keep their IP address hidden. OPSEC mistakes happen all the time with computer-based Tor clients, and this device would protect the user from IP and network traffic leaks.
The word ‘project’ is a bit of an exaggeration here because the Tor guides were more like ad-hoc write-ups than comprehensive and well-maintained projects. Nevertheless, we managed to source a few of these write-ups and gave them a try:
- http://makezine.com/projects/browse-anonymously-with-a-diy-raspberry-pi-vpntor-router/
- https://learn.adafruit.com/onion-pi/what-youll-need
- https://www.lifehacker.com.au/2017/03/how-to-anonymise-your-browsing-with-a-tor-powered-raspberry-pi/
- https://pimylifeup.com/raspberry-pi-tor-access-point/
The problem we found with the guides was that they were not updated. Some of them were written for the Raspberry Pi 1 or 2 – which does not come with a built-in wifi device. Others were built on previous editions of Raspbian, where the wireless configuration was a bit different.
Long story short, we spent a good amount of time reading the various HOWTOs and trying to adopt them for Raspberry Pi 3 and Raspbian Stretch. There were a few issues with doing this. The first was that the various guides used different IP addressing, NAT and firewall rules, although we managed to overcome this. The real killer was the Wifi AP configuration. Even though we followed the official guide to install hostapd, our devices were not able to connect to the new access point for some reason. They just kept connecting and connecting, but the process never completed.
We spent more than an hour trying to debug the AP issue, the Wifi was simply not working. In this project’s current state we thought it was unacceptable for a real-workshop. Getting the wifi AP working needs some work. Even though we still reckon a Tor gateway is really useful, we called it quits and gave up on the idea of running this as a workshop.
e2guardian / squidGuard
This project was an ad-hoc idea that stemmed from the success with Pi-Hole earlier that day. We thought, Pi-Hole is something great, but its main purpose is ad-blocking and not content filtering. Pi-Hole has limitations because it can only do DNS blocking. In circumstances where we want to protect kids from accessing inappropriate content, we need URL filtering. So we thought we’d looked at a proxy service for a more sophisticated protection.
I vaguely remembered squidGuard, which is an add-on to the open-source Squid proxy. After some quick research, we found two ways to block website categories with open-source tools: squidGuard and e2guardian.
The first pick was squidGuard, which runs Squid proxy under the covers. Now both squidGuard and Squid need to be configured from the command-line and it can get a bit messy. The complicated configuration process was a bit worrying considering the mixed experience levels of participants we get at CryptoAus workshops. Secondly, we only have about 1 to 1.5 hours before guests start to lose interest. We concluded that this would not work because of lots of manual steps and time constraints.
We also gave e2guardian a try. The project is a fork of the stale Dansguardian project. Sadly, the configuration experience was very similar to squidGuard.
The final nail in the coffin was when we discovered that almost every single free third-party website categorisation project had been abandoned. The heart of these projects are the third-party feeds with lists of inappropriate websites and URLs assigned into the unwanted website categories.
Although we thought a proxy is a good method for filter offensive content at home, we found the projects inappropriate for the workshops because of complexity and project inactivity. The installation and configuration should be automated or be easy to be a viable choice for a CryptoAus workshop. Simple web GUIs are ideal, where users can just tick and untick website categories(e.g. malware, gambling). Both these projects require configuration file editing.
CIRCLean
This project is an interesting one: CIRCLean is a USB sanitiser tool created by CERT Luxembourg. A CIRCLean device can potentially be used by those receiving files on USB drives frequently such as journalists.
A USB drive with malicious intent could:
- Trick the computer into recognising the device as a keyboard and type a pre-written set of keystrokes. For example, a USB Rubber Ducky could open a Terminal, then download and install a backdoor on the computer in under a minute. Computers can be disguised as flash drives, too.
- Autorun, AutoPlay or exploits run a malicious file automatically
- The files themselves may also hide malicious content
What a CIRCLean device does is transfer the files from an untrusted USB flash drive to a second USB device. CIRCLean merely copies text and audio files from one to the other. On the other hand, files with active content (Word documents with macros) are flagged as ‘dangerous’ once they are copied to the second device. Executable files are also renamed to DANGEROUS_filename_DANGEROUS.
Once we downloaded the latest CIRCLean image from GitHub, we dd’d the image file onto the memory card. As opposed to the other projects, the image already comes with an older edition of Raspbian, so it should have started working out of the box – as we thought.
Once we popped the card in, we tried to figure out what to do now. We wanted to SSH into the device to download the latest updates, but the device just did not respond. We had a second look at the CIRCLean instruction manual, and apart from a short HOWTO guide, we found the documentation quite brief. We managed to find a few other files under the doc/ folder on GitHub, but we did find the documentation neither self-explanatory nor relevant.
We ended up wondering what to do now with the device. We probably should have connected the Raspberry Pi to LCD screen at this point to see what was going on. However, we got a bit demotivated by then, so we gave up after a few additional SSH attempts and moved on to the next project.
Nonetheless, we think this is an admirable project and would probably give it another try on a separate occasion. The documentation, however, could be a bit more extensive. Perhaps a video guide would lower the bar for everyone, especially if the target audience does not necessarily possess advanced tech skills such as journalists.
Bro IDS
We ran out of hot dogs our attention had started to shift to the AFL Grand Final by the time we got to this last one. The premise of this idea was to install a homebrew Intrusion Detection System (IDS) on a Raspberry Pi for detecting malware activity on your home network. This would allow users to identify and disconnect an infected device from your network before valuable files and sensitive passwords would start leaving your computer.
But first, what is an IDS? A typical IDS is usually an appliance that big corporates buy for a fortune, the incident handler team wastes their time with false positive alerts and years later the device ends up in the bin.
Bro IDS, on the other hand, is a robust system that features a powerful scripting language and lots of functionality straight out of the box. Simply put, it inspects network traffic on the LAN and looks for signs of suspicious activity. For example, if one of your laptops starts connecting to a malware command-and-control (C2) domain, it is very likely that the device has been compromised. So, we thought it might be a good idea to put Bro IDS on a Raspberry Pi for policing your devices on your home LAN.
We found a few promising projects with varying levels of maturity:
- https://github.com/TravisFSmith/SweetSecurity
- https://www.tripwire.com/state-of-security/security-data-protection/sweet-security-part-2-creating-a-defensible-raspberry-pi/
- https://github.com/musicmancorley/BriarIDS
- http://www.binorassocies.com/en/blogs/2016/03/brostash.html
- https://www.sneakymonkey.net/2016/10/30/raspberrypi-nsm/
- https://bløgg.no/2015/11/installing-bro-the-network-security-monitor-on-raspberry-pi/
The most promising one was SweetSecurity, which is a collection of scripts to install Bro IDS and other tools with a few commands. Once a fresh installation of Raspbian was up and running, we cloned SweetSecurity and ran the installer.
Unfortunately, we ran into problems again. First of all, the full install requires at least 2 GB of RAM, while the Raspberry Pi Model 3 only has 1 GB. No worries, we re-ran the installer and picked ‘Sensor Install’ which is supposed to only deploy Bro IDS. It turned out that the scripts install Bro from source, so compilation on an RPi would have taken too long. Normally, this is not an issue. However, we would hit the 1-1.5 limit on the CryptoAus workshop. At this point in the afternoon we were all exhausted, so we started to wrap this up.
What Did We Choose and Why
By the end of the session, we all felt that Pi-Hole was the strongest contender for the CryptoAus workshop.
We found that Pi-Hole was very easy to install and configure, and it provides a great deal of privacy and security benefits for the user and their families. Pi-Hole installs and configures itself with just a minimal user interaction. Although the default configuration just works fine, it was easy to fine-tune the device with a web browser. We found the admin panel was easy to use and every configuration option was just self-explanatory. Finally, Pi-Hole ran perfectly on older RPi devices with slower processors and lower memory, such as the original Model 1 (also Pi Zero).
Furthermore, we thought that the additional value CryptoAUSTRALIA could bring to the workshop was the know-how around:
- the third-party DNS servers
- the ad and malware blocklists
- the website category filters
Different DNS services offer different benefits: while some of them focus on privacy, others provide protection from phishing and other malicious websites. Same goes for the blocklists: some of them can blackhole ads, while others can block other things like URL shorteners or phishing sites. Certain lists and the website category filters could help protect the family from inappropriate content such as adult content. We have all this experience accumulated in the team, and we are ready to hand it over.
What About the Others?
We found the other five projects also had benefits, but unfortunately, the constraints of the workshop would not allow us to feature any of them. We would give CIRCLean a try again probably at an event for journalists. We would reconsider the Tor gateway one if a HOWTO were available for Raspberry Pi 3 or the process would be automated with scripts or Ansible. Sadly, e2guardian and squidGuard seem to be too complicated, and Bro just takes too much time to set everything up.
What Is Next?
We still have to figure a few details out, like do we provide hardware at the workshop or we let everyone to bring their own? Should we provide memory cards with Raspbian on it, or do we even include time at the event for writing the OS onto the card? Will we have enough time remaining then? Or what blocklists to suggest and why? If you are keen answering these questions or volunteering with this up-coming workshop, please drop us a line.
Otherwise, keep an eye on our event page and our Twitter feed, as we will be publishing more details about the upcoming CryptoAus workshop in the forthcoming weeks.
If you are interested in the upcoming Raspberry Pi workshop, make sure to follow us on Twitter and subscribe to our Meetup groups at https://blog.cryptoaustralia.org.au/events
Disclaimer: None of the brands on the photos nor Raspberry Pi has sponsored CryptoAUSTRALIA