Really nice tutorial about hiding myself. Thanks.

On Wed, Feb 20, 2008 at 11:45 PM, Bipin Gautam <[EMAIL PROTECTED]> wrote:
>
> Firstly, please don't expect this reply as a walkthrough on the
> topic... just a small push in the right direction to the curious few,
> if any. As said earlier, this topic is very vague and beyond the scope
> of this text for an in-depth explanation.
>
> Nevertheless, anonymous and secure communication in the world today is
> still possible; it's just that the bar has been slightly raised... ;)
>
> Rule 1: hide everything you can, as best you can, all the time, and
> create decoys in the things you are intentionally revealing...
>
> Let's begin:
> Topic: Anonymous Communication (web, mail)
>
> 1). OS of choice
> a). anonymos-shmoo.iso, live CD. It is a hardened OS and transparently
> tunnels all your communication via TOR.
> An OS on r/w media leaves behind a track of your activities in detail
> in the storage.
>
> b). Check and disable self-updating components (software, plugins etc.)
> in your OS that might bypass proxy rules and leak confidential
> information. It includes disabling self-updates from your hardware
> firewall. At the OS, use an application-level firewall. Use sniffers to
> monitor your tools of choice over time and ensure they are following
> proxy/VPN rules.
>
> 2). Place/means
>
> a). Behind NAT. Better someone else's/a different MAC address, auth, IP
> b). Free hotspot: hotel, office, .....?
> c). Cyber cafe, public computer
> If it's not the place you own, better.
> Check for CCTV or other logging/monitoring devices around. Appear
> common. Too many unfamiliar screens on your computer screen draw the
> attention of people beside you. Get the idea...
>
> Technology:
> Consider chaining the anonymous technologies listed below (google about them
> in detail).
> Always ensure one or a few layers of encryption on the content
> you are trying to hide, using different tools that follow different
> protocols and use different encryption algorithms to secure your data,
> as you may not want to rely, for the confidentiality of your entire
> procedure, on the strength/weakness of just one tool, one protocol and
> one algorithm. Is the performance and work overhead of using these
> multiple layers worthwhile?
>
> If you are selecting multiple encryption and hashing algorithms, make
> sure your choice is redundant... i.e. don't just use algorithms approved by
> an American standard; consider using a European standard as well (eg:
> the Whirlpool hashing algorithm adopted by NESSIE, SHA-512 American
> Standard, NIST).
> Rijndael (later to be chosen as AES) was chosen over Serpent (despite
> the added security in Serpent) for performance reasons, though both
> algorithms are similar and have no known attack that has broken them
> to date. You may want to use other algorithms as well. In properly
> designed software the encrypted output doesn't leak the name of the algorithm
> used to produce the content, which means the attacker can just assume
> tools, protocols and algorithms used to produce the content to start
> brute forcing. Considering 'just this fact' as stated above, TrueCrypt
> is better over the PGP disk encryption suite.
>
> Make sure to hide trivial things like file extensions, meta-data,
> timestamps (?) even with encrypted output.
>
> -For some, an ssh tunnel to the private mail server listening on loopback
> to access gpg encrypted mail is enough security... but it might not
> guarantee enough anonymity. Route your traffic through f2f and TOR and
> proxy chaining. Use port knocking to temporarily redirect port 80 to
> 22 locally (example) so that you can access port 22 via proxy chaining;
> this will add a layer of anonymity. Think creative.
>
> Research on these terms:
>
> -F2F network (example: Freenet, anoNet)
>
> -TOR (run in server mode if you use it too often; some plausible
> deniability feature, as it is difficult for the attacker to ensure whether
> the traffic being transmitted is generated locally or being relayed
> from another node)
> TOR servers don't relay standard SMTP traffic by default. But many
> mail providers/servers listen on ports other than the standard one.
>
> -Proxy Chaining
>
> -Open SMTP relay, have email accounts on servers in the third world
>
> -Open Proxy Servers
>
> Though the above technologies are vulnerable to traffic analysis from
> observers who can watch both ends of a user's connection, and have no
> defence against timing analysis.
>
> If you can enforce a particular routing of your data across
> predetermined servers, better. Though routing tables can change often.
> It's better if you can ensure your anonymous data is routed across
> several countries with different legal and political jurisdictions
> (rivals!.... better ;)
>
> Establish a strict protocol between sender and receiver in a way... what
> to use to communicate, how to use it, in what order, and change it every
> few months, including secret key, private/public key, passwords etc. and
> medium and pattern of communication, including changing of email
> address etc. Destroy everything you send/receive unless NECESSARY to
> store.
>
> -Data destruction would mean shredding the storage medium to not
> larger than 1mm and smelting (NIST standard for secure data disposal)
>
> -Software disk wiping:
> Wipe the KEY, header of your encrypted storage volume (first few MB, ref
> specific manual). Ref using the Peter Gutmann standard of data wiping (35
> wipes)
> And wipe the entire storage using U.S. DoD 5200.28-STD (7 wipes)
>
> OSes keep multiple copies of the partition header and store them in different
> places of the HDD to ensure recovery in case of data corruption, virus
> infection etc. This fact depends on the file-system used.
> (ref FS and
> OS specific manual)
>
> Avoid solid state memory for data storage when possible; prefer
> magnetic storage.
> Note: Though, pen drives (solid state memory) can be quickly hammered
> to pieces and flushed. They are economically very cheap too. Your
> choice of cost vs level of security for data disposal depends on the
> value of the information you are trying to hide and how far you would
> go to assure what you are trying to accomplish.
>
>
> Don't choose passwords that match your interests, background,
> music, bike, sports, quotes etc. This information can be used to create
> a specific password dictionary for brute force.
> Using password (something you know) + key (something you have) is
> better, i.e. a two-way token for authentication.
> Some ideas for generating/using a secure key:
> • Generate the SHA hash and MD5 hash of two-three secure passwords that
> are easy to remember and XOR them simultaneously, then append or delete some
> characters on the output. Use this final output as your password.
> • Or how about using the hash of Google's logo as password, starting from
> byte x to byte y... (avoid file headers, footers). If the logo of the
> search engine changes, ref search engine cache, archive.com etc ;) This
> way you have a secure key but you don't have to store it locally. Just
> remember a few things.
> Get creative about choosing your password. See, you can easily create
> passwords easy to remember but difficult to predict/brute force. Be
> cautious while choosing a key/password. If an attacker can't attack a
> design flaw, the second thing they will try to attack is the key.
>
> - WASTE (ref unofficial release) is a chat and file sharing f2f
> network and supports some degree of anonymity even in standalone use.
> It has some capability of evading traffic analysis by masking the
> channel, sending dummy encrypted traffic keeping the channel 100%
> busy.
>
>
> Using different browsers per unique work is good.
> Say, using Safari to
> access web mail and online transactions, Internet Explorer for trusted
> sites, Firefox for regular searching, and Opera for browsing etc.
> Maintaining separation of duties per browser ensures cookie
> information, even when leaked, can be confined to a particular
> work/interest.
>
> Embedded content like audio, video, flash, pdf, docs, java, js,
> exploits :P may or may not follow proxy rules. Some applications can't
> be forced to follow proxy rules. They leak vital and unique
> information about your system, browser activity and internal network.
> So know what you've installed, know what is running. Tracking plug-ins
> and their activity can be difficult, be it for your browser, or your
> media player or your word processor or your IM.
>
> Example of how anonymity breaks:
> Suppose you are searching something anonymously in Google and
> meanwhile you log on to your GMAIL that has your actual identity. Now
> your web search, this Gmail account, and the webpage you visited from
> Google AdSense can all be tied to point at a single person, you! The
> anonymity of your activity is blown right away.
>
> Further, your web browsing patterns, your topics of interest,
> bookmarks, time you come online, internet speed, browser and OS
> fingerprint, plugins and features your browser supports, your
> language/interest pattern etc. can all serve as an intelligent
> fingerprint REGARDLESS OF YOUR IP address, and you can be tracked
> uniquely on the internet regardless of the IP.
>
> Clear cookies and cache as you close your browser window; clearing all
> cache is necessary, not just cookies, as they can have capabilities like
> those of cookies. Disable auto-reloading content, advertisements etc.
> Things such as messenger ("away" after 5 minutes of inactivity)
> behaviour etc. can leak your uptime, bandwidth utilization etc!
>
> (ask.com (ask eraser), customize google plugin, noscript)
>
> Another example:
> There are browser plugins, tools... that can be used to change your user
> agent, but the BAD thing about using such tools is that instead of hiding your
> identity they make you stand out like an ostrich in a swarm of crows.
> Let me explain: suppose Opera released a critical update to all versions
> of its browser today, so most of the computer users that are online with
> the Opera browser are sure to auto-update their browser within a few weeks...
> but as you are just changing your user agent, appearing as some version
> of Opera, you will stand in front of an intelligence analyst like a
> gentleman who appears to be using Opera but whose user agent dates back to
> an Opera released 3 years ago; unique features of browsers indicate you
> are forging the user-agent using the patterns of tool x that has the Opera user
> agent with version y hard coded, which you are using. Further, an
> attacker can know what plug-ins your browser supports and what browser
> specific features you have disabled; the combination of all intelligence
> analysis data can create a unique fingerprint, making the tools you used to
> be more anonymous, more secure, backfire, and this information can be
> used by the attacker (Big Brother?) to instead create a unique pattern
> of your identity, making you less anonymous even if you are able to use
> different IPs all the time.
>
> Real IP is something that can be associated to you if discovered. But
> if you use anonymous technology haphazardly you give away a unique
> identity/behaviour pattern that can be as good as obtaining real IP
> information. Know to strike the right balance... or am I being too
> paranoid?
>
> See, intelligence analysis is very hard to fool.
>
>
>
> Anonymous email:
>
> 1). Encrypt and base64 encode the content securely to guarantee
> point-to-point (p2p) confidentiality.
>
> 2). While sending and receiving email, force the final output to be
> read as ASCII, as text format can be OS specific: DOS (CRLF), UNIX (LF)
> and Macintosh (CR), which can leak your OS. Grammar and spelling
> correction in text can be analyzed to know which version of word
> processor was used to create it; it can leak OS specific information
> even with normal plain text!
>
> 3). Re-mailers
> Google: Mixminion / Mixmaster / Cypherpunk remailers
> Basically, they route your email through several mail relay servers of
> your choosing, stripping headers that can leak the source of the email as
> they pass by from one server to another. They provide a feature of
> redundancy that can assure delivery of email to a higher degree and
> employ random delays and random message padding before forwarding the
> message.
>
> Notes:
> - Don't trust the servers blindly, assuming they will guarantee your
> anonymity needs. Operators have to comply with local law all the time.
> Assume they can be monitored, logged, hacked and bugged. Use other
> intermediate means of anonymity before you choose these services.
> - Keep message size normal.
> - Consult re-mailer statistics sites to know about the history of the
> operator, security track record of the OS they use, country in which
> these servers are situated etc.
>
> 4). Users should take great care stripping meta data while emailing
> images, audio, video files, documents etc. as they may embed and store
> information within them about the user or system that created/modified
> the file. This information can be retrieved when transmitted and can
> be uniquely associated to you.
> Like, they might store and leak registered Unique IDs of a product
> that created the content, embed your hardware serial number (like
> Ethernet MAC address, CPU info etc.); this information can be used to
> track you down to a country or region where the particular sale
> happened. Microsoft Windows Activation, Microsoft Office... infamous
> example.
>
> 5). Technologies such as f2f networks, open proxies that cross different
> geographical boundaries etc. can be chained together so that you can
> relay your communication through open smtp relays from China :P, free
> mail servers from the third world where logging, monitoring and technical
> capabilities are primitive, or you could use your own SMTP server to
> route your (encrypted) mail directly to the destination. There are
> online sites that claim to provide disposable email addresses for email
> delivery or retrieval.
>
> Anonymous-Sender.com, Pookmail.com (Research...)
> Example: [EMAIL PROTECTED] is a common email address. How about you write
> an article about the features of pookmail on Digg with a test example,
> [EMAIL PROTECTED]. While [EMAIL PROTECTED] gets thousands of hits you send
> your private encrypted content in that crowd for delivery to your
> receiving party, or how about using steganography and posting secret
> content to a website/forum embedding it as pornography. This can act
> as a drop zone. The content can be retrieved by the receiving party.
> Think creative... it's not necessary that text communication should happen
> through @email_address! You could use a free file upload server to
> accomplish the same. Upload 10 files of similar size using
> steganography. Embed one video with encrypted content and the rest 9
> videos with just random data (decoy). The receiver who knows the key can
> easily extract the encrypted content while an attacker will have to
> try and brute force all the obtained files. The same can be used for
> encrypted volumes.
>
> 6). While sending anonymous email make sure trivial things like the
> X-Mailer string, your time zone (GMT) don't get leaked, or are best
> forged if intentionally leaked. Version info of the encryption technology
> you use can sometimes serve as an advantage to the attacker. Example, the
> GPG software version you are using can leak from your public key.
>
> Conclusion:
> Anonymous and secure communication is not just about using the right
> tools, and it's not just about focusing on the application layer, link layer
> bla... bla....:P
> It's about truly knowing what you are doing in fine detail.
> Flexibility and security are always like opposite poles of a seesaw.
>
> There are many things I skipped which are beyond the scope of this
> email, but this should be a good push for the curious starters. All I
> recommend you to prioritize is the right intelligence and in-depth
> understanding of the subject matter over any tools or technologies,
> because no matter what technologies you use, they only stand a slim
> chance against intelligence analysis in the right direction.
>
> Thanks,
> -bipin
>
>
> On Mon, Feb 18, 2008 at 8:41 PM, Bipin Gautam <[EMAIL PROTECTED]>
> wrote:
>
> > On Feb 18, 2008 6:36 PM, nepbabu <[EMAIL PROTECTED]> wrote:
> > > Thus spoke Bipin Gautam on Sunday, 17 February 2008 at 20:38:16 +0545:
> > >
> > > > On Feb 17, 2008 6:02 AM, nepbabu <[EMAIL PROTECTED]> wrote:
> > > > > Thus spoke Bipin Gautam on Saturday, 16 February 2008 at 9:45:14 +0545:
> > > > > > .............
> > > >
> > > > alright,
> > > > secure communication as in.... ?
> > > >
> > > > - voice communication (telecom: say mobile)
> > > > - email communication
> > > > - Chat ? ( a vague topic)
> > > > - ...........or fill in as you prefer
> > >
> > > The 2,3 are application layer except for the 1st one. Would you like
> > > to tell us about anonymous secure communication used on the whole
> > > application layer [ that includes email, chat, www etc..]. Thanks!
> >
> > you don't understand
> >
> > The protocol you will use to communicate will largely govern what
> > means and technology you will use to "securely" communicate.
> >
> > Enough of the GIRLY talks on a mailing list largely governed by
> > technology.....
> >
> > i am choosing the topic "email communication" and will be explaining it
> > shortly
> >
> > thanks,
> > -bipin
> >
> > ___________________________________________________________________________________
> >
> >
--
HACKER VS CRACKER

--~--~---------~--~----~------------~-------~--~----~
FOSS Nepal mailing list: [email protected]
http://groups.google.com/group/foss-nepal
To unsubscribe, e-mail: [EMAIL PROTECTED]
Community website: http://www.fossnepal.org/
-~----------~----~----~----~------~----~------~--~---
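Points 2, 4 and 6 of the quoted post (OS-specific line endings, client headers such as X-Mailer and the local time zone in Date, and the GnuPG version that rides along in ASCII armor) can be checked mechanically before a message leaves the machine. The script below is an added example written for this page, not code from the post or from any tool it names. It uses only the Python standard library; the message it audits is a constructed sample and its armored block is placeholder text, not real gpg output. The audit reports each leak it finds, and the scrub keeps only the headers the recipient needs, moves Date to GMT, drops the Message-ID (the relay will assign its own), normalizes the body to LF-terminated ASCII and strips the Version/Comment lines from any PGP armor.

```python
"""Audit an outgoing mail for the small leaks the post lists, then return a
scrubbed copy.  Standard library only.  SAMPLE is a constructed message: the
armored block is placeholder text standing in for real gpg output."""
from __future__ import annotations

import email
import re
import unicodedata
from datetime import timezone
from email.message import EmailMessage
from email.utils import format_datetime, parsedate_to_datetime

# Headers that describe the client or workstation rather than the sender.
CLIENT_HEADERS = ("X-Mailer", "User-Agent", "X-Originating-IP", "X-Priority")
# OpenPGP armor header lines that name the tool, not the ciphertext.
ARMOR_META = re.compile(r"^(?:Version|Comment|Charset):[^\n]*\n", re.M)
ARMOR_VERSION = re.compile(r"^Version:[ \t]*([^\r\n]+)", re.M)

SAMPLE = (  # constructed: DOS line endings, Outlook header, +0545 zone, utf-8 body
    b"From: someone@example.invalid\r\n"
    b"To: drop@example.invalid\r\n"
    b"Subject: test\r\n"
    b"Date: Wed, 20 Feb 2008 23:45:00 +0545\r\n"
    b"X-Mailer: Microsoft Office Outlook 11\r\n"
    b"Message-ID: <47BC8A3C.7050209@ws17.corp.example.invalid>\r\n"
    b"Content-Type: text/plain; charset=utf-8\r\n"
    b"\r\n"
    b"-----BEGIN PGP MESSAGE-----\r\n"
    b"Version: GnuPG v1.4.7 (MingW32)\r\n"
    b"\r\n"
    b"hQEMA0lz3Wa4bS3cAQf/ZXhhbXBsZSBjaXBoZXJ0ZXh0IG9ubHk=\r\n"
    b"=AbCd\r\n"
    b"-----END PGP MESSAGE-----\r\n"
    b"\xe2\x80\x94 caf\xc3\xa9\r\n"
)

def split_raw(raw: bytes) -> tuple[bytes, bytes]:
    """Split headers from body at the first blank line, whatever the line ending."""
    m = re.search(rb"\r\n\r\n|\n\n|\r\r", raw)
    return (raw, b"") if m is None else (raw[: m.start()], raw[m.end():])

def line_ending_style(body: bytes) -> str:
    """'CRLF' (DOS), 'LF' (Unix), 'CR' (old Mac), or a mix such as 'CRLF/LF'."""
    crlf = body.count(b"\r\n")
    lf = body.count(b"\n") - crlf
    cr = body.count(b"\r") - crlf
    found = [name for name, n in (("CRLF", crlf), ("LF", lf), ("CR", cr)) if n]
    return "/".join(found) or "none"

def audit_message(raw: bytes) -> dict[str, str]:
    """Map each leak found to the value that gives it away; {} means clean."""
    msg = email.message_from_bytes(raw)
    _, body = split_raw(raw)
    found: dict[str, str] = {}
    for h in CLIENT_HEADERS:
        if msg[h] is not None:
            found[h] = msg[h]
    if msg["Date"] is not None:
        dt = parsedate_to_datetime(msg["Date"])
        if dt.utcoffset() is not None and dt.utcoffset().total_seconds() != 0:
            found["Date"] = dt.strftime("%z")        # local zone, e.g. +0545
    if msg["Message-ID"] is not None:
        host = re.search(r"@([^>\s]+)", msg["Message-ID"])
        if host:
            found["Message-ID"] = host.group(1)      # workstation hostname
    style = line_ending_style(body)
    if style not in ("LF", "none"):
        found["line-endings"] = style
    try:
        body.decode("ascii")
    except UnicodeDecodeError:
        found["non-ascii"] = "body is not plain ASCII"
    if b"-----BEGIN PGP" in body:
        m = ARMOR_VERSION.search(body.decode("utf-8", "replace"))
        if m:
            found["armor-version"] = m.group(1)
    return found

def scrub_message(raw: bytes) -> bytes:
    """Keep only the headers the recipient needs, move Date to GMT, and force
    the body to LF-terminated ASCII with tool versions removed from PGP armor."""
    old = email.message_from_bytes(raw)
    _, body = split_raw(raw)
    text = body.decode("utf-8", "replace").replace("\r\n", "\n").replace("\r", "\n")
    if "-----BEGIN PGP" in text:
        text = ARMOR_META.sub("", text)
    # NFKD then ASCII/ignore drops accents and symbols rather than leaking a charset.
    text = unicodedata.normalize("NFKD", text).encode("ascii", "ignore").decode()
    new = EmailMessage()
    for h in ("From", "To", "Subject"):
        if old[h] is not None:
            new[h] = old[h]
    if old["Date"] is not None:
        dt = parsedate_to_datetime(old["Date"])
        if dt.utcoffset() is None:
            dt = dt.replace(tzinfo=timezone.utc)
        new["Date"] = format_datetime(dt.astimezone(timezone.utc), usegmt=True)
    new.set_content(text)            # no Message-ID: let the relay assign one
    return new.as_bytes()

if __name__ == "__main__":
    for leak, value in audit_message(SAMPLE).items():
        print(f"{leak}: {value}")
    print(scrub_message(SAMPLE).decode())
```

Two caveats on scope. SMTP puts CRLF back on the wire regardless of what the file used, so the line-ending check matters for what goes inside the encrypted or armored content and for files kept locally, not for transport. And the armor part is better done at the source: GnuPG's `--no-emit-version` and `--no-comments` options keep the Version and Comment lines out of the armor in the first place, so the scrub here is only a safety net for output produced elsewhere.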
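Two of the quoted ideas fit together in one piece of code: the key made from "something you know" plus "something you have" (the hash-of-a-public-file idea under passwords) and the drop zone of point 5, where one file among ten same-sized uploads carries the real content and the rest are decoys. The following is an added example, not the post's own code, and the scheme details are my own choices. The key is derived with PBKDF2 from a few memorable passphrases plus a hash of a byte range of a public artefact (skipping its header, as the post suggests), so nothing has to be stored locally. The payload is assumed to be ciphertext produced elsewhere (gpg, say) and is treated as opaque bytes; it is written into the least-significant bits of a carrier at key-dependent positions together with a keyed tag, so only the key holder can tell which carrier is real, and the wrong key or a decoy fails the check. The carriers are constructed random byte strings standing in for the raw samples of an uncompressed media file.

```python
"""One real carrier among decoys: the key holder can pick it out, everyone
else has to brute-force all of them.  Carriers are constructed random byte
strings standing in for the raw samples of an uncompressed media file; the
payload is assumed to be ciphertext produced elsewhere (e.g. gpg)."""
from __future__ import annotations

import hashlib
import hmac
import random

HDR_LEN = 2    # payload length prefix, bytes
TAG_LEN = 16   # truncated HMAC-SHA256 over length||payload

def derive_key(passphrases: list[str], artefact: bytes, start: int, end: int) -> bytes:
    """'Something you know' (a few memorable passphrases) plus 'something you
    have' (a byte range of a public file, skipping its header) -> 32-byte key
    that is never stored: the holder recreates it from memory and the file."""
    known = b"\0".join(p.encode() for p in passphrases)
    have = hashlib.sha256(artefact[start:end]).digest()
    return hashlib.pbkdf2_hmac("sha256", known, have, 200_000)

def _positions(key: bytes, n: int) -> list[int]:
    """Keyed permutation of carrier offsets: without the key an attacker does
    not know which LSBs carry data, nor in what order."""
    seed = int.from_bytes(hmac.new(key, b"lsb-positions", hashlib.sha256).digest(), "big")
    return random.Random(seed).sample(range(n), n)

def _bits_to_bytes(bits: list[int]) -> bytes:
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))

def embed(carrier: bytes, key: bytes, payload: bytes) -> bytes:
    """Write length||payload||tag into the LSBs of carrier at key-chosen offsets."""
    body = len(payload).to_bytes(HDR_LEN, "big") + payload
    frame = body + hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    if len(frame) * 8 > len(carrier):
        raise ValueError("payload too large for carrier")
    out = bytearray(carrier)
    for i, p in enumerate(_positions(key, len(carrier))[: len(frame) * 8]):
        out[p] = (out[p] & 0xFE) | ((frame[i >> 3] >> (7 - (i & 7))) & 1)
    return bytes(out)

def extract(carrier: bytes, key: bytes) -> bytes | None:
    """Payload if carrier holds a frame under key, else None (decoy or wrong key)."""
    lsb = [carrier[p] & 1 for p in _positions(key, len(carrier))]
    length = int.from_bytes(_bits_to_bytes(lsb[: HDR_LEN * 8]), "big")
    total = (HDR_LEN + length + TAG_LEN) * 8
    if total > len(lsb):
        return None
    frame = _bits_to_bytes(lsb[:total])
    body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    expect = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body[HDR_LEN:] if hmac.compare_digest(tag, expect) else None

def find_real(carriers: list[bytes], key: bytes) -> int | None:
    """Index of the carrier whose tag verifies; every decoy fails the check."""
    for i, c in enumerate(carriers):
        if extract(c, key) is not None:
            return i
    return None

def make_drop(key: bytes, payload: bytes, n_files: int = 10, size: int = 4096,
              seed: int = 1) -> tuple[list[bytes], int]:
    """n_files same-sized carriers; one, at a random slot, carries the payload."""
    rng = random.Random(seed)
    files = [bytes(rng.getrandbits(8) for _ in range(size)) for _ in range(n_files)]
    real = rng.randrange(n_files)
    files[real] = embed(files[real], key, payload)
    return files, real

if __name__ == "__main__":
    logo = bytes(range(256)) * 8                      # stands in for a public file
    key = derive_key(["correct horse", "battery staple"], logo, 64, 1024)
    files, real = make_drop(key, b"constructed ciphertext blob")
    print("real:", real, "found with key:", find_real(files, key),
          "found with wrong key:", find_real(files, b"wrong"))
```

Two things the code does not solve. LSB changes only survive in uncompressed data; re-encoding a video or JPEG destroys them, so a real carrier has to be a raw or losslessly stored file. And decoys only buy anything if they are statistically indistinguishable from the real carrier: random bytes next to nine other random-byte files is fine here, but nine untouched videos next to one whose LSB statistics have changed would single the real one out without any key.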
