/security

This page is currently undergoing revisions. If you can’t find what you are looking for, try here.

This section covers many aspects of exploring the interwebz more securely – for hacking (offensive) information see /hacking.

Obviously one of the main priorities of any Anonymous is to be, well… anonymous

Some good Twitter accounts to follow for #opSec info: @Samurai_Lucy, @Cryptostorm and @Crypto_Forums

Read first for overview: 

Once you are ready to get to work, use this detailed tutorial for two approaches to a very secure setup:

Don’t forget real life #opsec:  Security Culture and Security Culture for Activists

Other resources and options for improving security and privacy online

Electronic Frontier Foundation (EFF) Surveillance Self-Defense site

Tails – The Amnesic Incognito Live System / Download 

  • can be installed on a CD or USB stick and used from any computer
  • supported by EFF – Electronic Frontier Foundation

Security-in-a-box – tools and tactics for digital security (same tools as above, but the install versions)

Portable Security  The Portable Security section contains ‘portable’ versions of a few important Security in-a-box tools. These versions are meant to be extracted directly onto a USB memory stick so that you can use them from any computer.

anonymizing internet traffic

TOR and I2P

An Introduction to Tor vs I2P

Why Use Tor With A VPN Service

Tor & VPNs – comparing & contrasting network privacy tech

Additional warning about Tor, make sure it’s the most recent version

TOR is useful for anonymously surfing the internet:  http://www.torproject.org where you can download versions for the following operating systems: Mac, Windows, Linux, a USB version, and TorChat.

  • OnionCat - allows users to anonymously access Internet services. Its architecture guarantees that the real IP of users cannot be revealed in any way. Tor also provides so-called Hidden Services. Those are services which are hidden within the Tor network. This means that not only the user stays anonymous but also the service (destination). Hidden services have several benefits but unfortunately they are not very user-friendly and they have some protocol restrictions. OnionCat manages to build a complete IP transparent VPN based on those hidden services, provides a simple well-known interface and has the potential to create an anonymous global network which could evolve to a feature- and information-rich network like we know the plain Internet today.
  • Installing Torchat on BackTrack 5R1

I2P is a darknet or invisible internet (not accessible from the usual internet normally) on which you can anonymously set up and connect to I2P IRCS, some non-i2p IRCs, email, torrent, websites & forums. It can be used on the same computer with Tor for surfing the (outfacing) regular internet. Getting on i2p seems hard but it is worth the small amount of trouble. Download the multiplatform open-source software – works on Mac, Windows or Linux. Instructions for use and technical info can be found on their site.

proxies

While both a Proxy and VPN service will re-route your internet traffic and change your IP, they function slightly differently.

Think of a Proxy as a Web Filter. The proxy settings are applied to your internet browser, whether you’re using MSIE, Chrome, Safari, Firefox, etc. When you browse the internet through a proxy server, you get the benefits of that server (for example security, speed, and geographic location). The proxy will only secure traffic sent via the internet browser that uses the proxy server settings.

Unlike a Proxy, a VPN service provider (Virtual Private Network) encrypts all of your traffic, replacing your ISP and routing ALL traffic through the VPN server, including all programs and applications. The VPN can be easily connected or disconnected with the click of a button.

In conclusion, a proxy server is completely browser based, and is not as compatible with certain web pages that use non-browser technology such as: Comedy Central, Zatoo, Fox OD, and Sky Player. However, a VPN will work with ALL internet based services, but will offer less choice on which applications will get run through your ISP, as with the VPN, everything is routed through that server when connected.

For more on the differences between a vpn and proxy, there is more information here, and a forum discussion here.

This site consistently has reliable proxies: http://spys.ru/en. Another one: http://proxies.org/

VPN – virtual private network

A VPN (Virtual Private Network) sends your internet traffic through a circuitous route to the destination and back, so that your traffic gets mixed in with lots of other traffic, making it more difficult to tell where it’s coming from. Because the company controls the trafficking, the Terms of Service are critical to how well your privacy/anonymity are handled. Many companies will comply with subpoenas for records. A bad VPN is possibly worse than not using one at all.

Many VPN services are free. These companies sell your data (generally) to pay for the service. So don’t use them for anything that could get you in trouble.

Advanced Privacy and Anonymity – Part 1 Introduction

Advanced Privacy and Anonymity – Part 2 Basic Setup Using VMs, VPNs and Tor

Advanced Privacy and Anonymity – Part 3 Planning Advanced VM and VPN Setup

Advanced Privacy and Anonymity – Part 4 Setting Up Secure Host Machines

Which VPN Providers Really Take Anonymity Seriously?

Only use a VPN provider that DOES NOT KEEP LOGS. Links to sign up are included in the article as well as VPN providers to avoid. Companies are subject to the laws of the country in which they are based.

Securing your privacy when your VPN fails

Ok, so you’ve purchased your VPN subscription, enabled the service, and you’re enjoying your new found levels of privacy. Then – disaster strikes. While you were away from your machine somehow and for some unknown reason your VPN disconnected and now snoopers have a clear view of your IP address.

Fortunately, there are solutions.

“To protect against the event of VPN failure/disconnection, disable any internet access that does not tunnel through your VPN service provider,” Andrew from PrivateInternetAccess told TorrentFreak. “This can be achieved using specific Firewall rules (Ubuntu) or by changing TCP/IP routes.”
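One way to verify the firewall-rule approach described above, as an added example that is not from the original article or from PrivateInternetAccess: a Python audit of `iptables -S OUTPUT` output that reports every rule letting traffic leave outside the tunnel. The interface name `tun0`, the server address 203.0.113.10 and both rule listings are constructed assumptions.

```python
import shlex

# Constructed `iptables -S OUTPUT` listings. tun0 (tunnel interface) and
# 203.0.113.10:1194/udp (VPN server) are assumed values for illustration.
GOOD_RULES = """\
-P OUTPUT DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
-A OUTPUT -d 203.0.113.10/32 -p udp -m udp --dport 1194 -j ACCEPT
"""
LEAKY_RULES = """\
-P OUTPUT ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --dport 443 -j ACCEPT
"""


def parse_rule(line):
    """Turn one `iptables -S` line into a dict of its options."""
    tokens = shlex.split(line)
    rule = {"raw": line.strip(), "negated": "!" in tokens}
    tokens = [t for t in tokens if t != "!"]
    rule["kind"] = "policy" if tokens[0] == "-P" else "rule"
    rule["chain"] = tokens[1]
    if rule["kind"] == "policy":
        rule["target"] = tokens[2]
        return rule
    i = 2
    while i < len(tokens):
        # An option takes the next token as its value unless that token
        # is itself an option (flag-style matches have no value).
        has_val = i + 1 < len(tokens) and not tokens[i + 1].startswith("-")
        if tokens[i].startswith("-"):
            rule[tokens[i]] = tokens[i + 1] if has_val else True
            i += 2 if has_val else 1
        else:
            i += 1
    return rule


def audit_killswitch(rules_text, tunnel_if, vpn_endpoint):
    """Return findings; an empty list means OUTPUT only allows loopback,
    the tunnel, and the encrypted link to the VPN server itself.
    IPv6 has a separate rule set (ip6tables) that needs the same audit."""
    findings, policy = [], None
    for line in rules_text.splitlines():
        if len(line.split()) < 3:
            continue
        rule = parse_rule(line)
        if rule["chain"] != "OUTPUT":
            continue
        if rule["kind"] == "policy":
            policy = rule["target"]
            continue
        if rule.get("-j") != "ACCEPT":
            continue  # only ACCEPT rules can let traffic out
        if rule["negated"]:
            findings.append("review negated match by hand: " + rule["raw"])
        elif rule.get("-o") in ("lo", tunnel_if):
            continue
        elif rule.get("-d") in (vpn_endpoint, vpn_endpoint + "/32"):
            continue
        else:
            findings.append("allows traffic outside the tunnel: " + rule["raw"])
    if policy != "DROP":
        findings.append(f"OUTPUT policy is {policy}, not DROP: "
                        "unmatched packets leave when the VPN drops")
    return findings


if __name__ == "__main__":
    for name, text in (("good", GOOD_RULES), ("leaky", LEAKY_RULES)):
        print(name, audit_killswitch(text, "tun0", "203.0.113.10") or "ok")
```

On a real machine, feed it the output of `sudo iptables -S OUTPUT` together with your own tunnel interface and VPN server address.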

But of course, not everyone wants to spend time with these manual configurations that could potentially cause problems if they’re not done properly. So, TorrentFreak spoke with the creators of two free pieces of software that do the job more easily.

VPNetMon

“VPNetMon continuously watches the IP addresses of your PC. If the IP address of your VPN is not detected anymore, VPNetMon closes specified programs instantly. The program reacts so quickly that a new connection through your real IP will not be established by these applications,” creator Felix told TorrentFreak.

VPNetMon (Windows) can be downloaded here.

VPNCheck

“VPNCheck helps you to feel safe if your VPN connection breaks, this is done by shutting down your main network connection or programs of your choice and showing a notification box,” Jonathan from Guavi.com told TorrentFreak. “Basically it constantly looks for a change in your VPN network adapter. You can connect to either PPTP or L2TP with VPNCheck.”

VPNCheck (Windows/Linux) can be downloaded here.

VPS

 

Stop DNS Leaks

When using a VPN service one might expect that all of the user’s traffic will go through the privacy network, but on rare occasions a phenomenon known as “DNS leakage” might occur. This means that rather than using the DNS servers provided by the VPN operator, it’s possible that the user’s default DNS servers will be used instead or otherwise become visible.

“A DNS leak may happen whenever a DNS query ‘bypasses’ the routing table and gateway pushed by the OpenVPN server. The trigger on Windows systems may be as simple as a slight delay in the answer from the VPN DNS, or the VPN DNS unable to resolve some name,” explains Paolo from AirVPN.

A tool for checking for leaks can be found at DNSLeakTest.com and a solution for fixing any problems can be found here. Alternatively, anyone using the pro version of VPNCheck will have this feature built in.
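A local complement to an external leak test, as an added example that is not from the original article: a Python check that classifies every resolver configured in `/etc/resolv.conf`, since any non-VPN entry is what the system falls back to when the VPN DNS is slow or fails. It assumes a Linux host; the resolver addresses and the sample file are constructed.

```python
import ipaddress

# Constructed /etc/resolv.conf. 10.8.0.1 is an assumed VPN-pushed resolver,
# 192.168.1.1 a home router, 198.51.100.53 a stand-in for an ISP resolver.
RESOLV_LEAKY = """\
# constructed sample
nameserver 10.8.0.1
nameserver 192.168.1.1
nameserver 198.51.100.53
search lan
"""

# RFC 1918, link-local and unique-local ranges: a resolver here sits on the
# local network (usually the router, which forwards queries to the ISP).
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "fc00::/7", "fe80::/10")]


def parse_nameservers(text):
    """Return the nameserver addresses in file order, skipping comments."""
    servers = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split(";", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            try:
                # drop an IPv6 zone id such as fe80::1%eth0 before parsing
                servers.append(ipaddress.ip_address(fields[1].split("%")[0]))
            except ValueError:
                continue  # skip malformed entries
    return servers


def classify(addr, vpn):
    if addr in vpn:
        return "vpn"
    if addr.is_loopback:
        return "stub"      # local forwarder; its upstreams need their own check
    if any(addr in net for net in LOCAL_NETS):
        return "lan"
    return "public"        # a resolver outside the VPN, e.g. the ISP's


def dns_leak_report(resolv_conf_text, vpn_dns):
    """Return (verdict, [(address, kind), ...]) for the configured resolvers."""
    vpn = {ipaddress.ip_address(a) for a in vpn_dns}
    entries = [(str(a), classify(a, vpn))
               for a in parse_nameservers(resolv_conf_text)]
    kinds = {kind for _, kind in entries}
    if not entries:
        verdict = "no-resolvers"
    elif kinds & {"lan", "public"}:
        verdict = "leak"
    elif "stub" in kinds:
        verdict = "check-stub-upstreams"
    else:
        verdict = "ok"
    return verdict, entries


if __name__ == "__main__":
    print(dns_leak_report(RESOLV_LEAKY, ["10.8.0.1"]))
```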

Double up your security for extra sensitive data transfers

What if you don’t have 100% trust in your VPN provider and worry that even they might snoop on your communications? Admittedly it’s a very unusual hypothetical situation, but one with an interesting solution.

“If you don’t trust your VPN provider 100%, use two VPNs,” explains Felix from VPNetMon. “This way you are tunneling your already encrypted connection through another tunnel.”

In Windows this is easily achieved. First, simply set up at least two VPN accounts as normal (if you’d like an extra one for testing purposes you can get a free limited account from VPNReactor). Then connect to one VPN, and when complete connect to another without disconnecting the first. Like magic, a tunnel through a tunnel.

It’s also possible to VPN over TOR, but please please don’t use TOR for file-sharing traffic, it’s not designed for it.

“VPN over TOR gives several security advantages, for a performance price, above all partition of trust,” explains Paolo from AirVPN. “In case of betrayal of trust by one party, the anonymity layer is not compromised in any way.”

A VPN over TOR tutorial can be found here, further discussion here.

Fix the PPTP / IPv6 security flaw

As revealed here on TorrentFreak in 2010, people using a PPTP VPN and IPv6 are vulnerable to a nasty security flaw which means that Windows and Ubuntu users could leak their real IP addresses. The following fix comes from Jonathan at VPNCheck.

For Windows Vista and above:
Open cmd prompt and type:
netsh interface teredo set state disabled

For Ubuntu 10+:
Copy and paste all four lines into a terminal:
echo "#disable ipv6" | sudo tee -a /etc/sysctl.conf
echo "net.ipv6.conf.all.disable_ipv6 = 1" | sudo tee -a /etc/sysctl.conf
echo "net.ipv6.conf.default.disable_ipv6 = 1" | sudo tee -a /etc/sysctl.conf
echo "net.ipv6.conf.lo.disable_ipv6 = 1" | sudo tee -a /etc/sysctl.conf
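A check that the Ubuntu fix actually took effect, as an added example that is not from the original article or from VPNCheck: it compares the effective values in `/etc/sysctl.conf` (the last assignment wins) with what the running kernel reports. The sample file is constructed and includes a line mangled by a paste that carried typographic quotes.

```python
import os

KEYS = (
    "net.ipv6.conf.all.disable_ipv6",
    "net.ipv6.conf.default.disable_ipv6",
    "net.ipv6.conf.lo.disable_ipv6",
)

# Constructed sample: an older line that enables IPv6, the appended fix, and
# one line written with typographic quotes so its key no longer matches.
SAMPLE_CONF = """\
net.ipv4.ip_forward = 0
net.ipv6.conf.all.disable_ipv6 = 0
#disable ipv6
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
\u201cnet.ipv6.conf.lo.disable_ipv6 = 1\u2033
"""


def effective_settings(conf_text):
    """Parse sysctl.conf text; later assignments override earlier ones."""
    values = {}
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        key, sep, val = line.partition("=")
        if sep:
            # a leading '-' on a key only tells sysctl to ignore errors
            values[key.strip().lstrip("-")] = val.strip()
    return values


def read_live(proc_root="/proc/sys"):
    """Read the running kernel's values; None if the entry does not exist."""
    live = {}
    for key in KEYS:
        path = os.path.join(proc_root, *key.split("."))
        try:
            with open(path) as fh:
                live[key] = fh.read().strip()
        except OSError:
            live[key] = None
    return live


def ipv6_fix_status(conf_text, live):
    """Per key: 'applied', 'pending', 'missing-from-file' or 'no-kernel-entry'."""
    conf = effective_settings(conf_text)
    report = {}
    for key in KEYS:
        if conf.get(key) != "1":
            report[key] = "missing-from-file"
        elif live.get(key) == "1":
            report[key] = "applied"
        elif live.get(key) is None:
            report[key] = "no-kernel-entry"
        else:
            report[key] = "pending"  # in the file, but the kernel still has 0
    return report


if __name__ == "__main__":
    for key, state in ipv6_fix_status(SAMPLE_CONF, read_live()).items():
        print(f"{state:18} {key}")
```

A `pending` result means the lines are in the file but the running kernel has not loaded them; `sudo sysctl -p` or a reboot applies them.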

Pay for your VPN with untrackable currency

“When anonymity is a factor, pay with an un-trackable currency,” explains Andrew from PrivateInternetAccess.

“For example, sign up for an anonymous e-mail account using Tor and use a Bitcoin Mixer to send Bitcoins to a newly generated address in your local wallet. Alternatively, use the Bitcoin-OTC to purchase Bitcoins ‘over the counter’ from a person, rather than an exchange.

“Then, use a patched Bitcoin client, such as coderrr’s anonymity patch to avoid linking the newly generated address to any of your pre-existing Bitcoin addresses.”

Only use VPN providers that take your privacy seriously

We’ve said this before but it’s worth repeating. VPN providers who heavily log are useful if all you’re concerned about is securely communicating with the Internet through an open public WiFi connection, but not beyond that. For a run down of providers who do not log any data which would enable a 3rd party to identify a user, see our previous article here.


How to Chain VPNs for complete anonymity

from Null Byte “the aspiring grey hat and security awareness playground”

Big name individual hackers and hacker groups everywhere in the news are getting caught and thrown in jail. Every time I see something like this happen, I won’t lie, I get a little sad. Then I wonder, how are these guys getting caught? If a group like LulzSec, with all the fame and “1337-ness” can get caught, I think my hacker comrades are doing something wrong.

When members of LulzSec started getting captured, it was because proxy and VPN services complied with federal requests and handed over the private information of their users. I think this is wrong for a number of reasons—foremost, people should be able to have their own privacy respected. Today’s Null Byte will be demonstrating one of the methods around this: Chaining VPNs.

A VPN allows you to connect to a remote network, and over all ports, encrypt and forward your traffic. This also changes your IP address. Chaining VPNs is a tricky task, though there is a simple and uncommon method I know of. Using multiple VPNs together has the huge perk of being completely anonymous.

  • How Does Chaining VPNs Work?

First, a person would connect to the VPN. Then, when connected to the first VPN, you chain to the second, and since a bunch of people share the same IP, the second VPN has no way of knowing who tunneled to it. An even better scenario is where you use an eastern VPN as your first, because our country has no jurisdiction to retrieve the logs from them, thus increasing your security.

However, to chain VPNs, the second VPN would need to know how the first VPN’s traffic was encrypted. This flaw makes it impossible to chain them in this method, unless you own both VPNs (not very likely).

So, how can we chain VPNs then? I’ll show you how by using a virtual machine!

Requirements

  • Step 1 Install OpenVPN & a VirtualBox Computer

Text in bold is a terminal command.

First, we need to install the VPN client for Linux users. Windows users can download the program here and here, and run the installer normally. Mac users can use this GUI for OpenVPN for Mac.

  1. Change to the Downloads directory.
  2. Configure the installation: ./configure
  3. Compile and install: make && sudo make install
  4. Now we need to install VirtualBox. This will allow us to have a virtual operating system running from within our computer. Download VirtualBox: Windows, Mac, Linux.
  5. Install a virtual machine of your choice for Windows or Linux and Mac, then install OpenVPN to it.
  • Step 2 Chain the VPNs

Start up your virtual machine, and configure them both.

  1. For Windows users using the default VPN client, use this guide to connect to a VPN. Linux and Mac users, go here.
  2. Connect to VPN A with your host OS.
  3. Start up your virtual machine of choice, and connect to VPN B with it.
  4. Operate from within your virtual machine, and you will be safe from prying eyes. If you need to delete the virtual machine, make sure you securely delete it, and your information will be safe.

For Null Byte news, follow me on Twitter. Also, join the IRC and come hang out with us!

spoofing your MAC address

Each device (computer, printer) has a unique identification called a MAC address which is transmitted when you interact with the Internet. This ID can be spoofed, and should be changed regularly if you are engaging in activities that might lead to seizure of your equipment. Spoofing your MAC address on Windows 7 is pretty easy with either of these free programs:

communications and creating anonymous accounts

After setting up anonymous browsing, social media and email accounts, create real-looking fake people on facebook, for example, that some of your fake accounts trace back to, so that if you do get d0xed, it’s not really you. Note: If you DO get d0xed, don’t “disappear” because that just confirms that it’s you. Do the opposite of what is expected.

If you have a mobile computer:

  1. Go to a public wifi spot to download and install Tor. Visit www.whatsmyip.org to check your current ip address. It should not say the same thing as it does when you don’t have tor running. That site has some other useful things, including password generators. Here is another site with a lot of useful information about ip addresses, mac addresses, email ip tracing and more.
  2. Sign up for a non-free VPN and pay for it with the most anonymous means possible. If you can, get an anonymous debit card or use Liberty Reserve or BitCoin. If you have to use a real name method of payment, choose your VPN carefully. We recommend CryptoCloud because they do not keep any logs. Consider the privacy laws of the country in which the VPN company is located (see below). One in a country which does not extradite to your country or have other legal reciprocity agreements is worth considering, so what is safest for each person is somewhat dependent on location. Once you have it installed, check your ip again to make sure you are actually using it properly.

If you do not have a mobile computer:

  1. Download the programs onto a USB drive from a public Internet cafe or somewhere else that won’t be traced to you.
  2. When ready to install on your desktop, first disconnect from the Internet before installing the programs. Once installed, check your ip with and without tor and/or the VPN running at www.whatsmyip.org. Do not connect to your new anonymous email or other accounts until you are sure your VPN or Tor is working correctly.

EPIC Electronic Privacy Information Center  for info on snoop-proof emails, chatting, voip, surfing, encryption. Once you’ve decided what you’re going to set up then begin.

Snoop Proof Email | Anonymous Remailers | Surf Anonymously | HTML Filters | Cookie Busters | Voice Privacy | Email & File Privacy | Secure Instant Messaging | Web Encryption | Telnet Encryption | Disk Encryption | Disk/File Erasing Programs | Privacy Policy  Generators | Password Security | Firewalls | Other

Pidgin + off-the-record messaging

How to Use OTR to Initiate a Secure Messaging Session in Pidgin

3.0 About Pidgin and OTR
3.1 How to Configure the Pidgin-OTR Plugin
3.2 The First Step – How to Generate a Private Key and Display its Fingerprint
3.3 The Second Step – How to Authenticate a Messaging Session
3.4 The Third Step – How to Authenticate the Identity of Your Correspondent

Instructions

  1. Download Pidgin for Windows, Mac, Ubuntu, or source code, and install it
  2. Open Pidgin, then choose Add Account. Instructions for making a new account on jabber.org or jabber.ccc.de: http://schoolofprivacy.eu/post/25180153194/how-to-set-up-a-jabber-xmpp-account
  3. Download OTR add-on and install
  4. In Pidgin, go to Tools > Plug-ins > Off-the-record messaging <- click that, you may need to restart Pidgin to see that option
  5. When you want to have an off-the-record conversation, choose that option in the menu of the chat window. There is also an option to generate and use a key to ensure the identity of participants.

Note:  the OTR ONLY works for one-on-one chatting. If you are in a jabber chatroom, the conversation is NOT encrypted.

Cryptocat encrypted multi-user chat. Messages are encrypted before leaving your screen. Download and install Cryptocat FireFox add-on.

Chatcrypt is another option for browser-based encrypted multiuser chat (may be less secure).

smartphones

If you use a phone for anon work, get a cash phone with cash or an anonymous store-activated debit card. Remember that your GPS location may still be tracked.

Orbot is a free Tor app for Android phones, and it is extremely easy to download and install. It doesn’t even slow down surfing noticeably. You can set up your Twitter account to use Orbot as a proxy, but be sure to read the potential problems with this approach due to Twitter’s permissions to view all Google account information.

Redphone makes an app for encrypted calls and texting on Android and iPhone.

IRC

What is IRC? IRC or Internet Relay Chat is like a very early version of IM or TinyChat. The IRC might be on one server or multiple ones, it doesn’t require a fast connection to use, and it looks like a group chat on IM or TC.

You can access many IRCs via a weblink like Mibbit, using a FireFox add-on Chatzilla, or using a fully functional IRC “client” software program like XChat, IceChat, mIRC, etc. The Anonymous Sekrit Guide #1 has an excellent section on setting up and using IRC. It’s probably easiest to use the weblink first, then try Chatzilla or a client after you get used to IRC. Both methods can be used on smartphones using either the links or various apps like Linkinus (iPhone), Colloquy (Mac and iPhone)  or Andchat (Android). Remember that unless you are using a VPN on your phone, your phone ip will be traceable.

IRC guide - somewhat advanced info for using irc more securely

Many IRCs, including AnonOps IRC, do not allow you to connect through the Tor network without completing the following steps. Read the guide on Anonops.com. The instructions are for the mIRC client only. Presumably you can use other clients but if you decide to try using Tor, just get mIRC. Setting up and using a VPN is probably easier.

Why you might want to be anonymous on IRC - Most IRC channels are public, and include literally anyone (also using anonymity techniques) from CIA and Interpol operatives to any number of state-sponsored haxrs and everything between. Think how amusing it might be having your neighbors or employer reading about you being “a member of the Anonymous hacker collective” in your local newspaper – j/s.

connecting to IRC via a web based link

    • use Mibbit or other web-based access if available, to get used to navigating IRC

connecting to IRC via an IRC client

Once you’re comfortable with IRC, download an IRC client (software for connecting to IRCs) like xChat, MIRC, Irssi, Pidgin…

Note:  If you have any trouble with this, go to AnonOps IRC  http://webchat.anonops.com

There is an extensive IRC tutorial on the AnonOps Anonymous Operations site for connecting with ipv6 and tor, as well as help connecting to any IRC. The menu links are here:

Navigation menu for the AnonOps client (IRC) tutorial

  1. Introduction
  2. Tech info and prerequisites
    1. About SSL
    2. About IPv6
    3. About TOR
  3. Connecting to IRC using mIRC (more client explanations coming soon)
    1. Connecting using a standard connection
    2. Connecting using SSL
    3. Connecting using IPv6
    4. Configuring your client and connecting over TOR
    5. Connecting using SSL on IPv6

There are many IRC “clients” but we recommend HexChat or its predecessor XChat-WDK because they are free and open-source. Also more secure (see above).

  1. Download and install the client
  2. Follow the specific set-up instructions (see Security Guide for specific information on common clients). Mainly this is just putting in your nick, user name, and password, as well as the irc “address” into the appropriate boxes, very easy.

HexChat

HexChat is an IRC chat program, or “client”, that allows you to join multiple IRC channels (chat rooms) at the same time, talk publicly, hold private one-on-one conversations, etc.

HexChat is based on XChat, but unlike XChat it’s completely free for both Windows and Unix-like systems. Since XChat is open source, it’s perfectly legal. For more info, please read the Shareware Background.

HexChat was originally called XChat-WDK which in turn was a successor of freakschat. You can still get XChat-WDK here and here.  For more info, please read this announcement.

Benefits of registering on IRC

When you log onto an IRC for the first time, you will be using an unregistered nickname. If you plan on becoming a regular user, it is advisable to register your nick. This is important for several reasons:

  • It ensures that nobody can impersonate you.
  • It grants you various abilities which non registered users do not have.
  • (Most importantly) It allows you to use a vhost – this hides your location and ISP information from other users. Most IRCs also mask your IP from other users, though the IRC ops can still see it, so in that case, a vhost isn’t necessary. You can /whois yourself and see your own IP but others can’t.

IMPORTANT! It is recommended that you type all of these commands in the server window (the window that shows you logging in) NOT IN THE CHANNEL, so in case you mess up other people can’t see your password, etc.

  • First time using a nick: to register your nick just type: /msg nickserv register yourpassword yourfake@email.com
  • Logging in again with a registered nick: to identify type: /msg nickserv identify yourpassword or just: /ns identify yourpassword

IRC user guide:  http://www.ircbeginner.com/ircinfo/ircc-commands.html also lots of YT videos on specific IRC client setup

    • many IRCs will use the same or very similar software so the commands are the same
    • unless you have operator status (a symbol or colored dot in front of your nick) you cannot kick or ban anyone
    • when you’re new on an IRC or channel, it’s best to observe (lurk moar) that is, don’t chat for a while to get the feel of it, some channels will get annoyed and ban you without warning for unintentional violations of their norms
    • read the TOPIC (top of the page) and any included LINKS first, before asking questions and getting yelled at
    • in the event you are kicked or banned for *no reason whatsoever* (lolkicks & b&s) don’t take it personally ::b& =love:: laughing at others’ expense is part of anon culture so #getoveritalready.
    • DO NOT TRUST *ANYONE* EVER. Most exposures are the result of a “social engineering” attack (trusting someone then giving them information and/or access, or even just accepting material from them (emails, pdfs, image files, etc.) which have embedded malware). DO NOT TRUST ANYONE, EVER. Not kidding. An estimated 75% of internet-related arrests are the result of social engineering attacks (trusting someone).
      • DO NOT OPEN LINKS THAT PEOPLE POST IN THE CHANNEL. This is a very good way to get hacked.
      • Set your IRC client to refuse DCC requests by default. Failure to do this is another good way to get hacked.
      • Human nature <YOURS> is the oldest, EASIEST, MOST-DIFFICULT-TO-PATCH exploit.
    • Now the fun part: the most common commands you need to know (in the server window type /cs help or /ms help etc. to get exhaustive lists of command syntax, most of which you will not need to use unless you are a channel operator):
      • /nick newnick changes your current nick to the new one
      • /list lists all the non-hidden channels
      • /join #channelname or simply /j #channelname
      • /away you’re still there but people will know that you are afk = away from keyboard
      • /back reverses /away, or alternatively sometimes just repeating /away will bring you back
      • /ignore nick if you want a particular person’s chatting to be invisible to you
      • /me does something
      • /part disengages you from the #channel you are currently in
      • /quit disengages you from the entire IRC (logs you off)
    • on most IRCs you can use shorthand for the various functions
      • /msg nickserv -> /ns
      • /msg chanserv -> /cs
      • /msg memoserv -> /ms
    • Making a new #channel: on most IRCs, if you are a registered user, you can form a #channel without asking permission, though it doesn’t hurt to ask, to be sure. To do so, type: #newchannelname then type /j #newchannelname to enter, like usual. You will probably eventually want to register it, though this isn’t immediately necessary. Once it’s registered (use /cs help for instructions) you will be the “owner” of that channel, unless you piss off an IRCop and they eliminate it (and possibly your nick along with it).

Remember that while IRC is a virtual “public space” the servers are owned and operated by people who are often working incredibly hard to keep them running and secure from attacks from any number of directions, so be respectful and appreciative. If a misunderstanding arises, try not to take things personally. You don’t know what kind of pressures might be going on behind the scenes so just be cool.

7 thoughts on “/security”

  1. I’m extremely impressed with your writing talents and
    also with the format for your weblog. Is this a paid subject or did you modify it yourself?
    Anyway keep up the excellent high quality writing, it’s uncommon to see a nice blog like this one today..

  2. This is quite lovely. I defend the Constitution. I’m prepared to enlist in the Armed Forces. If our political correctness defines our country overall our military, we will be a defenseless nation. We must prepare, we must make a difference. Thank you ANON for your work. You can make a difference, we can make a difference.

    • The US Constitution is a remarkable document, an Idea made manifest, not an iconic but incomprehensible piece of old paper. Hopefully more citizens will read, debate, and embrace it, in order that it once again becomes so.
