IP addresses and information security

[want2c]

Here is the new 2014 list of "Who has your Back".



https://www.eff.org/who-has-your-bac...-requests-2014




There are a lot of programs that will mask your IP,,

Online proxy servers
Virtual Private Network (VPN) software that encrypts your online sessions.
Hotspot Shield from AnchorFree
Tor "The Onion Router"
SurfEasy Private Browser. " tiny USB key that you can carry with you

[mike.anthony1983]

Quote:

Originally Posted by TX_JD

Actually this is starting to happen already, fulltime recording of all traffic that at some point crosses the US backbone. This is what the giant datacenter in Utah was built for. One of the largest crossovers for the US backbone to the internet is outside of Vegas, where they were able to add a "hidden" room, much like the hidden AT&T room in SF years ago.

The goal (at least at the time of construction) was to start recording all traffic that they could (and build subsequent datacenters near the other crossovers), and basically build a google like interface for all the 3 letter agencies to be able to search on a persons web history. The big deal with doing this, is that SSL is no longer secure. What makes SSL a secure encryption method for web usage is how hard it is to break in realtime without having some sort of man in the middle attack in play. With that data "recorded" they can "replay" your webtraffic in their environment to break the SSL, almost at will. Its quite a frightening proposition.

Now....what does this have to do with coming to EECIE? Not much. Unless you are into some really big time shit (human trafficking, big time dealing, etc) you likely arent going to be target with one of these systems. That said, you never know. And the problem isnt who is watching us, it is who is watching the watchers. We arent far from the days (in my opinion) of when they use these systems, and otherwise minor cromes, if crimes at all, against us. When they decide they want to go after you for something else, and they tell you that you can talk, or they can expose to your family how you post on a hooker board. Or they start prosecuting people based on the books they buy from amazon, etc. We have already seen the start of this with the IRS going after people that attack our current administration, its not a stretch to think that using our web history against us isnt the next step.

I could go on and on, but theres not a whole lot of gain in me doing so, and I dont want to sound like a tin foil hat crazy.....I just happen to work in InfoSec, and I know how such things can be used, and with the convergence of what our govt is doing to monitor us, the way they have been going after people for differing opinions, and how human nature tends to act when they have such tools at their disposal, it frightens me.

Last thing: protect yourself. Use any tools you can. But also know NONE are 100%, but just because there is nothing that is a 100% solution, doesnt mean you shouldnt use anything. Do what you can to make it harder to gain information on you, and be proactive in protecting yourself. Just remember, convenience and security are nearly antonyms - its VERY hard to have both, so every time you want something "easy", say keeping in touch with old friends via facebook, remember, that comes at a cost. I cant tell you which pieces are worth the trade off, because that is a personal thing, and there is nothing wrong with using such systems, as long as you know what you are giving up to do so.

Just like everything else, be educated.

JD, you seem like someone who might know, so what do you think of DNSCrypt? I was thinking of implementing it this weekend if it makes sense to do it.

http://www.opendns.com/about/innovations/dnscrypt/
http://lifehacker.com/how-to-boost-y...rypt-510386189
http://www.linksysinfo.org/index.php...preview.37031/

So far I feel at my end my local computer is very secure but I want to see what I can do to improve my external connections.

My security solution is to use a good VPN that at least claims not to log inside a VM shell that I shred and remake from time to time. I used to have this VM inside a TrueCrypt file but it was just too much hassle for someone who just hobbies off and on and downloads music... lol. I use Bitcoin to purchase annual subscriptions at a time. Sometimes I use TOR, sometimes not, depending on what I want to do. It's not as though I have a lot to hide but internet security, personal privacy and net neutrality are important topics to me.

The VPN I use does prevent DNS leaks and has a built-in kill switch that disconnects the internet entirely so I'm wondering if DNSCrypt might be overkill, what's your take on it?

[Guest121014]

Quote:

Originally Posted by mike.anthony1983

JD, you seem like someone who might know, so what do you think of DNSCrypt? I was thinking of implementing it this weekend if it makes sense to do it.

http://www.opendns.com/about/innovations/dnscrypt/
http://lifehacker.com/how-to-boost-y...rypt-510386189
http://www.linksysinfo.org/index.php...preview.37031/

So far I feel at my end my local computer is very secure but I want to see what I can do to improve my external connections.

My security solution is to use a good VPN that at least claims not to log inside a VM shell that I shred and remake from time to time. I used to have this VM inside a TrueCrypt file but it was just too much hassle for someone who just hobbies off and on and downloads music... lol. I use Bitcoin to purchase annual subscriptions at a time. Sometimes I use TOR, sometimes not, depending on what I want to do. It's not as though I have a lot to hide but internet security, personal privacy and net neutrality are important topics to me.

The VPN I use does prevent DNS leaks and has a built-in kill switch that disconnects the internet entirely so I'm wondering if DNSCrypt might be overkill, what's your take on it?

First I have really heard of it to be honest, but I havent been keeping up as much as I used to. My only concern would be can you really trust OpenDNS and their implementation. To be honest, I dont know enough about their reputation, where they started, and who backs them.

IMO your only concern with DNS is 3 letter agency attacks to redirect you to a mirrored site that is designed to install malware to facilitate spying on your machine. If you can trust OpenDNS / DNSCrypt, then this should help protect you, but in reality it only protects MITM DNS attacks, and they have been known to compromise DNS in other ways as well, which should be protected by also using DNSSEC - provided again that DNSSEC is truly secured, which we cant know.

It basically the same as VPNs, you have to judge how much you can trust the provider vs how much security does the service add. You HAVE to trust someone, you just have to take your best guess.

IMO, unless you are involved in big time crime, then it cant hurt to use DNSCrypt and DNSSEC. If one, or both, are already compromised or run by a 3 letter agency, they arent coming after hobbyists. Which runs contrary to my previous post, of having to protect everything because you never know what MIGHT be used against you. That said, as previously stated, its a balance and a trade off. As long as you know what privacy you might be trading, and you act accordingly, then you are good.

IMO, just as important is not using that same VM to do ANYTHING that is tied to your name, such as checking an email account that is tied to your real name, facebook, twitter, etc. You should be separating your internet usage into 2 groups: traffic you dont want tied to you, and traffic that is tied to your real name in some fashion - then use 2 VMs or a VM and your machine depending on the traffic type.

I also, personally, would go with a VM that doesnt store information at all, so that it never needs to be rebuilt, and is wiped on power off. If you are using a windows VM (which certainly isnt preferable) use something like deep freeze to prevent writing of any data back to the VM, if you are using a linux distro, use a live cd distro. For the later, if you dont know linux really well, and you dont want to jack with having to figure out how to run software everytime that isnt included in the live CD, go with something like puppy linux, which I love. You can start with a completely bare distro, add all the software you need, get it configured, and remaster the live CD. It becomes your own personal live distro. You can also save data from a session in the VM if you want to a file. Basically the live distro loads, reads your file, and applies any changes you have made, be it files, configs, OS additions, etc. You can always store that file on an encrypted removable disk, just for safety.

And I would encrypt the VM personally. Trucrypt can be a pain, but I would use something like TC for whole disk encryption.

[mike.anthony1983]

Very insightful, thank you very much. Yes, I do have a basic familiarity with Linux but I'm so comfortable with Win7 that I find myself defaulting to that anyway. I'll give puppy a try and try to make my own live distro. I do keep all traffic separate.

[Guest121014]

Quote:

Originally Posted by mike.anthony1983

Very insightful, thank you very much. Yes, I do have a basic familiarity with Linux but I'm so comfortable with Win7 that I find myself defaulting to that anyway. I'll give puppy a try and try to make my own live distro. I do keep all traffic separate.

Just remember that win7 (and all recent windows releases) are likely compromised, at least at the 3 letter agency level. Windows also leaks a LOT of information, and it can be VERY hard to lock that down. Also remember that unless you are using a pirated key, the license key can be tied to you as well. I used to have a VERY locked down XP install, and I had a very good HIDS / Firewall, and I still couldnt stop the leak of traffic, some I didnt even know about. When I put in our new webfilter at work last year it became even more clear how much windows talks to the internet without you knowing, its non-stop, and you cant stop it from inside windows, even with a good HIDS or FW, because to stop chatter in one way will break other parts of windows. Youd be shocked if I showed you a traffic log for a day from a computer that sits untouched in a guest office....and one of those things that chatters all day is the microsoft crypto-API, which scares the crap out of me. Its already believed (google windows nsakey) that the encryption in windows is compromised, but based on that chatter, it makes me wonder if anything that uses ANY part of the windows crypto suite is also compromised.

Im not a windows hater at all, in fact, until a year ago, all i ran was windows at home. Now I am a mac guy, and it has nothing to do with security, just preference. That said, there is really NO way to secure windows when you are talking about privacy.

There are some great puppy distros out there, or as discussed, you can build one, which if you have the time and interest, is the way to go. I just like puppy because its small, it works, its actively developed, and you dont need to be a linux master to customize / remaster it.

Also, I thought about this last night laying in bed....you cant forget to secure your browser as well!!! I still use firefox, for a number of reasons. IE, well sucks. Chrome I dont trust (I dont trust the google world AT ALL), opera is under developed, and as much as I like safari, it doesnt have enough plugins and on my windows machine it leaks memory so badly that I cant use it. Firefox, while not without problems, can be totally customized if you choose, and has so many plugins that you dont need to customize it if you dont want.

You need to make sure you are using a number of basic plugins, the ones I will list are for firefox:

Adblock plus / adblock edge / adblock popup / element hiding helper for adblock - blocks most ads, but also allows you to block parts of sites you dont want to see (for example, I dont see ANY ads on the left side of eecie because I blocked them)

BetterPrivacy - cookie management

Block sneaky redirects - finds links that tracks your browsing activity and blocks redirecting via their sites.

Click and clean - easy tool to wipe browsing history traces

Disconnect - stops trackers and encrypts trafffic when possible

Disconnet search - allows you to search google (and others) without being tracked. FAR better than using one of the secure search sites like duck duck go, because disconnect actually submits your search to google, so you get real google results

DoNotTrackMe - AWESOME plugin. Helps block trackers, but also gives you free disposable email addresses to hide your real email and to help filter spam

Ghostery - one of the best at blocking hidden trackers with ease of use to allow certain types on certain sites (also notifies you of trackers which is a BIG wakeup)

HTTPS-Everywhere - forces https on sites that support it

IE Tab 2 - not a security tool, but nice to have for sites that break without IE or just break due to the FF config

Lastpass - I like lastpass of all password managers. I have to trust that they dont have any 3 letter agency backdoors, and thats the choice I make. I used to use keepass, which i LOVE, but I needed something that was EASY to keep synced between my computer and phone. (I also use 2 factor authentication for lastpass, I used to use a yubikey one time password token, which i LOVED but I had my bag stolen and I havent replaced it. Now I used google authenticator)

Noscript - disables all scripting in webpages. Takes some time to get used to and to get used to know how to allow certain things for certain pages, but worth getting to know

Priv3 - blocks social networking tracking

Privacy Badger - similar to ghostery / donottrackme, just blocks hidden ads and trackers

quickjava - I really like this one too. it can add a bar to your toolbar to allow single click to turn on / off: javascript, java, flash, silverlight, css, images, canimated images, cookies. You can toggle them 1 by 1 or all at once. You can also decide which to have on / off by default when you open FF (ex I keep javascript, java, flash, and silverlight off on FF start, i then enable them as needed)

self destructing cookies - self explanatory

trackmenot - sends random searches to google in the background to help distort any google tracking that gets through

WOT (world of trust) - informational plugin that gives you a rating for sites based on their safety for viruses and other content

Lightbeam - this is a cool plugin to see who and what tracks you. You need to disable any plugins that block trackers, and then surf the web as you normally would for a day. then open lightbeam and you can see all the tracking going on and how sites relate to each other. neat to see, i have it disabled and I havent used it more than once, but is an eye opener.



Im sure there are plenty more, and some of mine are redundant, but like with the trackers, they overlap, so i get a bit of extra protection with each because each blocks something the other didnt.

If you have other security questions, feel free to let me know, I dont mind throwing my thoughts out there.

[jframe2]

Hats Off to TX JD-
That is a great list and description of things one can use to be safe. Some I am aware of, some I did not feel safe using. I may revisit some of them and try again.

If I may add for the benefit of the group- before adding any program, plug-in, etc to your computer/phone do a bit of research to see what is being said about the intended program, plug-in, etc. The tech security community and knowledgeable people are not shying away from announcing any potential security backdoors they find in a program. You just have to do a little research.

Back to the coffee....

[Guest121014]

Quote:

Originally Posted by jframe2

Hats Off to TX JD-
That is a great list and description of things one can use to be safe. Some I am aware of, some I did not feel safe using. I may revisit some of them and try again.

If I may add for the benefit of the group- before adding any program, plug-in, etc to your computer/phone do a bit of research to see what is being said about the intended program, plug-in, etc. The tech security community and knowledgeable people are not shying away from announcing any potential security backdoors they find in a program. You just have to do a little research.

Back to the coffee....

Concur.

At this point my security posture has changed from where it used to be. I used to have a good reason to need to hide everything I could, and I was much more careful with what plugins I used. Today, I dont have that same concern, and while I absolutely dont want to be compromised, my attack surface has changed, thus my adoption rates have changed as well. Today I protect for privacy and privacy alone, whereas I used to have an actual need to hide what I was doing.

[Guest121014]

Good resource for tools:
https://www.pwnieexpress.com/privacy...ces-and-links/

Great story on how one reporter was (voluntarily) hacked, and what information was given up, and how. (Theres a ton of links, but worth the read and listen)
https://www.pwnieexpress.com/pwnie-e...-behind-story/

BTW of my FF plugins, many are on the EFF's list of must haves, here are the ones the EFF (Electronic Frontier Foundation) recommends everyone use:

• HTTPS Everywhere
• DoNotTrackMe
• Track Me Not
• Ghostery
• Better Privacy
• User agent switcher
• Ad Block Plus
• Search Engine Security

IIRC track me not and donottrackme dont play well together - I believe both are by albine, and having both is redundant, but i cant fully remember.

[garythemfm]

hidemyass.com is the most popular IP masking tool in the marketing world, I sure it will be useful here as well.

I use it to see ads or website in different countries or states to get more data. Its also useful for people who try to hide info based on IP such as a Japanese youtube page that only wants Asian traffic. Just switch your IP to one in Japan and bam! Your in...

[gigi_gypsy]

Quote:

Originally Posted by want2c

Here is the new 2014 list of "Who has your Back".



https://www.eff.org/who-has-your-bac...-requests-2014




There are a lot of programs that will mask your IP,,

Online proxy servers
Virtual Private Network (VPN) software that encrypts your online sessions.
Hotspot Shield from AnchorFree
Tor "The Onion Router"
SurfEasy Private Browser. " tiny USB key that you can carry with you

I use Ironkey:
Perhaps most notable is the Secure Sessions Service, which lets users stealthily surf through insecure wireless networks, public Wi-Fi hotspots, and ISPs while hiding their IP address and other identifiable information. Owners can also use a computer without leaving behind any footprints, passwords, or other personal information.

I don't sign into hobby sites on my phone, but I do answer my gmail account.

[Guest121014]

Quote:

Originally Posted by gigi_gypsy

I use Ironkey:
Perhaps most notable is the Secure Sessions Service, which lets users stealthily surf through insecure wireless networks, public Wi-Fi hotspots, and ISPs while hiding their IP address and other identifiable information. Owners can also use a computer without leaving behind any footprints, passwords, or other personal information.

I don't sign into hobby sites on my phone, but I do answer my gmail account.

I would be hardpressed to trust the IK SS network now that imation owns them, and IIRC imation pulled the SS offering from the IK's you can purchase now.

While SS was a decent product (I used to do testing for IK back before imation bought them), it was pretty slow and unreliable, because it was nothing more than a private TOR network. I went with VPN over using SS back when I had all my IKs

[austin_voy]

Quote:

Originally Posted by fragtasticator

The answer to all this tomfoolery, of course, is Airplane mode, right? I mean, theoretically that shuts down all incoming and outgoing signals, yes? Or you could just turn the phone off.

Or buy a non-smart phone, I guess.

I still have my motorola razor flip phone from 2003, lol.

Who knows, something like that might be a hot commodity in the future!

Hate to disappoint, but being in airplane mode does not turn your phone "quiet". On some phones the GPS can be enabled and occasional location queried. Putting your phone in one of those bags that you get static electric sensitive electronics in does work. I have an app on my 5s that logs my location by GPS AND triangulation every 5 minutes. I drove around town and got nothing. At one point my GPS reported 6 satellites in view, but nothing. I got the two ring "your phone is off network/in airplane mode/totally powered off" rather than the four ring "I really don't want to talk to you" passthru to my voice mail. Try this at home.

[austin_voy]

I use and recommend TOR. If you use encryption and the recipient does, encrypt. Although your ISP logs the address you've sent to, that IP address has nothing to do with your destination. And the destination machine has no idea that it's actually replying to your IP address.

Of course, you could get your own OC12 connection. :-)

[Guest121014]

Quote:

Originally Posted by austin_voy

I use and recommend TOR. If you use encryption and the recipient does, encrypt. Although your ISP logs the address you've sent to, that IP address has nothing to do with your destination. And the destination machine has no idea that it's actually replying to your IP address.

Of course, you could get your own OC12 connection. :-)

TOR is good, sometimes great, but dont use it as an end all be all, its not. LE operates a number of TOR exit nodes, and has compromised a number of TOR nodes, and even when they dont, there are tons of cases of them dropping a subpoena on someone operating an exit node, and getting all the info they need. Dont think someone that is running a TOR node at home is going to protect you if THEY are in jeopardy.

[Stanfeld]

How do you get much use from TOR is JavaScript is disabled?