Advice for Ukrainians
Cyber warfare is not to be taken lightly especially for the Ukrainians! A good samaritan security researcher gives valuable advice to the Ukranian people on how they can stay safe on the internet!
What's going on in Ukraine is nothing new to our readers. Seeing what's happening in Ukraine also should be of great interest to everyone in the infosec community. With that said, I have recognized some "real" weaknesses (give or take) in the way the Ukrainian population is utilizing their choices of communication with messenger apps and email due to a lack of knowledge or misinformation. Here is my advice to the Ukranian people to stay safe on the internet while cyber warfare is happening in realtime, so please take it seriously.
Disclaimer
This article is meant to be practical, and it doesn't dive deep into each topic. My recommendation for you is to search for answers to the questions you may have on the internet. Or you can simply read more about the topics and services I'm going to be talking about to have a better grasp about them or learn more.
Telegram is not a smart choice
If you've ever taken just a little closer look at Telegram, it's really not that great for many reasons. I want to focus on solutions instead of complaining, so I'm just going to leave these two Twitter threads for you to read. This is for informational purposes in case you want to know why Telegram is so bad or also if you may not trust me, which in this particular situation is fair enough.
It's amazing to me that after all this time, almost all media coverage of Telegram still refers to it as an "encrypted messenger."
— Moxie Marlinspike (@moxie) December 23, 2021
Telegram has a lot of compelling features, but in terms of privacy and data collection, there is no worse choice. Here's how it actually works:
1/
Apropos Moxie’s thread, Telegram’s E2E is so obviously homebrewed, it’s like sending a chat to the late 1990s. https://t.co/Rmz5lSdh47
— Matthew Green (@matthew_d_green) December 27, 2021
Way better alternatives
Just to name a few, your best options probably are the following.
All of them have their right to exist, and all of them have their individual strengths and weaknesses. Signal for example requires a phone number. Although this makes communication with people whose number you already have way easier, it is just something to consider.
It's always important to consider who is a threat to you, or what is a deal breaker feature for you concerning these messenger apps and in a variety of software too.
E-Mail, but better
Many people in Ukraine use common E-Mail providers, which is really not that different from what you've used in your country. I'm not going to list examples since I personally don't want to be sued by any of these E-Mail providers. Therefore, I'm just going to say what doesn't apply to most "common" E-Mail providers. Namely, that feature would be E2EE or good security and privacy in general.
In this regard, I'd like to recommend the following E-Mail providers.
Mailfence
As with the previous recommendations, they all do something better than the others, but they are probably better in every regard in terms of security and privacy than your current E-Mail provider.
A robust social network
Everyone has their own favourite social network, and nothing is shocking about that statement. Unfortunately, as the war on Ukraine and Ukrainian citizens continues, it's probably a good idea to look for a social network as an alternative to centralized services. In this particular case, I'm not even really up against the social networks themselves, but rather the way they're structured and how they could be taken down. The Russian government is not a beginner in hybrid warfare and while (strong emphasis on the following) I'm not a military strategist, I wouldn't be surprised if Russia were to block access to common social media sites in Ukraine. As far as my knowledge goes, I only see Mastodon as an actual resistant social media network. This is due to its decentralized nature and everything around it. I'm not saying, that you should stop using the social media networks, you're using now, but you shouldn't be surprised if they eventually won't work.
A link to Mastodon is here:
Isolate yourself from Pro-Russian government idiots
Finally, I'd like you to take preventive measures against Pro-Russian government supporters, specifically the more technically skilled adversaries.
To achieve this, you need to follow my instructions, and most importantly always think twice and be very cautious. This sentence in itself might be a paradox, but you get it.
The best isolation from technical threats is simply speaking virtualization, as in using a virtual machine or virtualizing an application.
Since there are too many options to list and too many platforms to cover, I can't really make a direct suggestion of what you should use for every platform.
Since the most vulnerable and critical information is stored on laptops and desktops though, I'm going to give you some advice.
You should create a virtual machine for everything that connects to the internet since the internet is obviously the main source for almost every digital evil. What you should especially separate is your browser, e-mail program, password manager, document reader and messenger services. You can also try remote browser isolation for this.
Also here are some practical resources about virtualization:
Beau Carnes
If creating a virtual machine may be too complex, try remote browser isolation (RBI) like WEBGAP. It isolates your local machine or computer from the external internet, and it lets you safely use a remote browser to surf the web, check email, and other activities you normally do on the web without exposing your computer. Use coupon code HACKERSAGAINSTPUTIN to get it for free.
Lastly, I would like to emphasize (again) that you should never click on any link without verifying it is safe, and be extra cautious about strange or odd events on your digital devices that seem suspicious. If you have any technical questions, your best bet is to ask them on an open forum about the issues you're encountering.
Stay safe and alert
Remember to be very cautious and aware of strange activity on your devices, and do not click on strange links or give your information to anyone on the internet. Always verify that the person you're communicating with is truly them. Be very mindful that the messenger apps and E-mail providers you are using may also be doing more harm than good for you.
Recap
Virtualization:
Using a virtual machine (VM) is very important and helpful because you can use it like a normal computer on the internet without exposing your local computer and its contents. For beginners who are very new to virtualization, this link explains what is a VM and how to install it on Windows, Linux, or Mac.
You can choose any of these links to download your Windows VM of choice: Windows 7, 8.1, or 10 VM
Windows 10 vm with Hyper-V
Windows 11 Enterprise VM
Remote browser isolation:
RBI such as WEBGAP is also another alternative to use which may be less complicated to set up, which separates your local machine from the internet, and it's free when you apply the coupon code HACKERSAGAINSTPUTIN.
Messenger apps:
Take a look at Matrix, Session, and Signal as safer alternatives to Telegram.
E-mail providers:
Take a look at Tutanota, Mailbox.org, and Mailfence.
Stay safe Ukrainians!
