[ table of contents ]
01 - table of contents
02 - introduction
03 - first tips
04 - about proxies
05 - cookies
06 - ftp transfers
07 - secure transactions
08 - SSL tunnelling
09 - anonymity on irc
10 - mail crypto (and pgp usage)
11 - icq privacy
12 - spyware
13 - cleaning tracks
14 - ending words
[ introduction ]
Nowadays, everyone wants privacy on the web, because no matter where
you go, someone could be watching you. Someone like your employer,
someone trying to hack your system, companies gathering all your info to
sell to yet other companies, or even the government, may be on your
track while you peacefully surf the web. Thus, anonymity on the web
means being able to use all of its services with no concern about
someone snooping on your data.
Your computer, when connected to the net, has an IP [Internet Protocol]
address. If you have a dial-up connection, then your IP changes every
time you connect to the internet (this is not always true, though: there
are dial-up ISPs, especially for university students, that do have static
IPs). Cable modems and DSL connections have a static IP, which means
that the IP address does not change. One of the goals of getting
anonymous is to make sure your IP (either static or dynamic) isn't
revealed to other users of the internet, or to the administrators of
the servers you roam around when using internet services.
This text tries to give you some hints on how to maintain your anonymity
on the web. Some of the hints may sound banal, but ask yourself whether
you really abide by them in every situation.
[ first tips ]
When chatting on IRC, ICQ, AIM (etc.), do not give out personal information about yourself, where you live, work, etc.
Do not use your primary email address (the one your ISP gave you)
anywhere except with family members, close friends or trusted people.
Instead create for yourself a web-based email account such as yahoo,
hotmail, dynamitemail, mail.com, etc. and use this e-mail address to
sign up for services, when you need to give your e-mail to download
something, or to publish on your homepage.
When signing up for services on the web, don't give your real
information like address, phone number and such unless you really need
to do so. This is the kind of information that information gathering
companies like to get, so that they can sell it and fill your mailbox
with spam.
Use an anonymous proxy to surf the web. This makes sure your IP doesn't
get stored in the webserver logs. (Webservers log every GET request
made, together with the date, hour, and IP. This is where the proxy
comes in: they get the IP of the proxy, not yours.)
Use a bouncer to connect to IRC networks, in case you don't trust the
administrators, or the other users. A bouncer is a program that sits on a
permanently connected machine and allows you to connect there, and
from there to the IRC server, just like a proxy works for webservers.
Use anonymous remailers to send out your e-mails.
Cryptography can also help you by making sure the material you send out
over the web, such as by e-mail, is enciphered, so that nobody who
doesn't have your key can read it (in key-based cryptography). Programs
like PGP (Pretty Good Privacy) are toolkits with all you need to
encipher and decipher your stuff.
Delete traces of your work with the computer including history files, cache or backup files.
[ about proxies ]
Proxies are caches that relay data. When you configure your web
browser to use a proxy, it never connects to the URL. Instead it always
connects to the proxy server, and asks it to get the URL for you. It
works similarly with other types of services such as IRC, ICQ etc.
There won't be a direct connection between you and the server, so your
real IP address won't be revealed to the server. When you view a website
on the server, the server won't see your IP. Some web proxies do not
support forwarding cookies, which some websites (for example Hotmail)
require.
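A check of what the web server actually receives when a request is relayed, as an added example that is not part of the original text. It goes one step beyond the paragraph above: the server logs the proxy's address as the connection source, but some proxies add headers such as Via or X-Forwarded-For, and the latter can carry your own address. The sample requests, host names and addresses are constructed for the illustration.

```python
import re

# Headers a relaying proxy may add to the request it forwards.
FORWARDING_HEADERS = ("via", "x-forwarded-for", "forwarded")
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def parse_headers(raw_request):
    """Return {lowercased header name: value} from a raw HTTP/1.x request."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def assess(raw_request, peer_ip, my_ip):
    """Classify one request as the server sees it.

    peer_ip is the TCP source address the web server writes to its log,
    my_ip is your real address.
    """
    headers = parse_headers(raw_request)
    # Any header whose value contains your address gives you away.
    leaked = sorted(h for h, v in headers.items() if my_ip in IPV4.findall(v))
    proxy_seen = [h for h in FORWARDING_HEADERS if h in headers]
    if peer_ip == my_ip:
        verdict = "direct: server logs your IP"
    elif leaked:
        verdict = "proxied, but a header reveals your IP"
    elif proxy_seen:
        verdict = "proxied: proxy is visible, your IP is not"
    else:
        verdict = "proxied: no trace of a proxy in the headers"
    return verdict, leaked


# Constructed sample requests, as the origin server would receive them.
MY_IP, PROXY_IP = "192.0.2.10", "203.0.113.5"    # documentation addresses
DIRECT = "GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n\r\n"
LEAKY = ("GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n"
         "Via: 1.0 proxy.example.net\r\nX-Forwarded-For: 192.0.2.10\r\n\r\n")
HIDING = ("GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n"
          "Via: 1.0 proxy.example.net\r\n\r\n")

if __name__ == "__main__":
    for name, raw, peer in (("direct", DIRECT, MY_IP),
                            ("leaky proxy", LEAKY, PROXY_IP),
                            ("hiding proxy", HIDING, PROXY_IP)):
        print(name, "->", assess(raw, peer, MY_IP))
```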
Here are some anonymous proxies that you can use to surf anonymously (notice that some of these may be a paid service):
Aixs - http://aixs.net/
Rewebber - http://www.anon.de/
Anonymizer - http://www.anonymizer.com/
The Cloak - http://www.the-cloak.com/
You will very probably find many websites that provide lists of
unauthorised proxies and remailers. Such lists are usually compiled
with the help of port scanners or exploit scanners, scanning for
computers with wingate or other proxies' backdoors. Using these proxies
is illegal, and is considered unauthorized access to a computer.
If you get your hands on such a list, check whether the info is legal or
was compiled by a script kiddie, and act accordingly.
If you nevertheless decide not to use a proxy, at least do not forget to
remove your personal information from your browser. After you remove
details like your name and e-mail address from your browser, the only
info a Web site can sniff out is your ISP's address and geographical
location.
Also, Java and JavaScript applets can take control of your browser
unexpectedly, and if you are surfing to unknown and potentially
dangerous places you should be aware of that. There are exploitable
browser bugs (mainly Internet Explorer ones) reported every week.
[ cookies ]
Maybe you're not aware of the fact that if you have the "allow
cookies" feature in your browser on, websites can store all sorts of
information on your hard drive. Cookies are small files that contain
various kinds of information that can be read by websites when you visit
them. The usual usage is to track demographics for advertising agencies
that want to see just what kinds of consumers a certain site is
attracting. Web sites also use cookies to keep your account information
up-to-date. For instance, when you return to your web-based e-mail
account some hours later without having logged out, you find yourself
still logged on, even if you turned off your computer. Your login and
password were simply stored on your hard drive in a cookie file. This is
a security threat if more than one person has access to your
computer.
Most browsers offer the possibility to turn off cookies, but
some sites like Hotmail.com require them to be turned on. In case you
decide to allow cookies, at least never forget to log off from the
websites when you have finished visiting them.
[ ftp transfers ]
When using an FTP client program to download files, make sure that it is giving a bogus password, like guest@unknown.com, not your real one. If your browser lets you, turn off the feature that sends your e-mail address as a password for anonymous FTP sessions.
[ secure transaction ]
Everything being sent from the web server to your browser is usually in plain text format. That means all transferred information can be easily sniffed en route. Some web servers support SSL (which stands for Secure Socket Layer). To view and use these websites you'll need SSL support in your browser as well. You can tell that the connection is encrypted if the URL starts with https:// instead of the usual http://. Never use a web server without SSL for sending or receiving sensitive private or business information (credit card numbers, passwords etc.).
[ SSL tunnelling ]
What is SSL?
SSL stands for Secure Socket Layer. The "Secure" implies an encryption,
while Socket Layer denotes an addition to the Window Socket system,
Winsock. For those that don't know, a Socket is an attachment to a port
on a system. You can have many sockets on one port, providing they are
non-blocking (allowing control to pass through to another socket aware
application which wishes to connect to that port).
A Secure Socket Layer means that any sockets under it are both secure
and safe. The idea behind SSL was to provide an encrypted, and thus
secure, route for traffic along a socket based system, such as TCP/IP
(the internet protocol). Doing this allows security in credit card
transactions on the Internet, encrypted and protected communiqué along a
data line, and overall peace of mind.
The SSL uses an encryption standard developed by RSA. RSA are a world
respected American organisation that specializes in encryption and data
security. Initially, they developed a cipher length of only 40 bits for
use with the Secure Socket Layer; this was considered weak and
therefore a longer, much more complicated encryption cipher was created,
128 bits. The reasoning behind it was simple: it needs to be secure.
The RSA site puts the advantage of a longer encryption length pretty
clearly: because 40-bit encryption is considered to be relatively weak.
128-bits is about 309 septillion times
(309,485,000,000,000,000,000,000,000) larger than 40-bits. This would
mean it would take that many times longer to crack or break 128-bit
encryption than it would 40-bit.
If you want more information on the technicalities of RSA's SSL
encryption engine, visit their site:
http://www.rsasecurity.com/standards/ssl.
But what does all this encryption and security have to do with you?
Well, that's a simple question. No matter how hard you try, at times
your privacy will need to be knowingly invaded so you can make use of
the product offered for doing so. If you think about food, for example,
one cannot eat without swallowing. When we wish to make a transaction or
view a site on the internet, where we have to give enough information
away so that it happens, we also want to be assured no one else along
the line gathers that data. An encrypted session would mean our data is
not at the hands of any privacy perpetrators unless they knew how to
decode it - and the only ones in the know are those you specifically
wish. SSL uses public key encryption as explained in the PGP section.
To bring this to a head: if you use an encrypted connection or session,
you can be relatively assured that there are no prying eyes along the
way.
And how do I implement SSL with SSL Tunnelling?
We know that a Secure Socket Layer is safe, but what we don't know is
what a Tunnel is. In the most simplistic form, a tunnel is a proxy. Like
proxy voting in general elections, a tunnel will relay your data back
and forth for you. You may be aware, though, that there are already
"proxies" out there, and yes, that is true. Tunnelling is done via
proxies, but it is not considered to be the same as a standard proxy
relaying simply because it isn't.
Tunnelling is a very special kind of proxy relay, in that it can, and
does, relay data without interfering. It does this transparently and
without grievance or any care for what is passing its way.
Now, if we add this ability to "tunnel" data, any data, in a pipe, to
the Secure Sockets Layer, we have a closed connection that is
independent of the software carrying it; and something that is also
encrypted. For those of you wanting to know a little more about the
technicalities, the SSL layer is also classless in the sense it does not
interfere with the data passed back and forth - after all, it is
encrypted and impossible to tamper with. That attribute means an SSL
capable proxy is able to transfer data out of its "proxied" connection
to the destination required.
So to sum up, we have both a secure connection that does the job and
relays things in the right direction; and we have a direct tunnel that
doesn't care what we pass through it. Two very useful, and almost blind
entities. All we need now is a secure proxy that we can use as the
tunnel.
Proxies:
Secure proxies are like standard proxies. We can either use an
HTTP-based, SSL-equipped proxy - one specifically designed for secure
HTTP traffic, but because of the ignorant nature of SSL communication, it
can be bent to any needs - or we can use a proper SSL service designed for
our connection - like you would use a secure NNTP (news) program with a
secure proxy on port 563 instead of taking our long way - which would
probably work as well.
A secure HTTP proxy operates on port 443. Host proxies are not public,
that means they operate for, and allow only traffic from their subnet or
the ISP that operates them - but there are many badly configured HTTP
proxies and some public ones out there. The use of a program called
HTTrack (available on Neworder) will aid you in scanning and searching
for proxies on your network or anywhere on the Internet if your ISP does
not provide you with one.
Neworder also features a number of sites dedicated to listing public
proxies in the Anonymity section. While it's often hard to find a
suitable fast proxy, it's worth the effort when you get one.
So how can I secure my connections with SSL Tunnelling?
That's a big question, and beyond the scope of this tuition as it must
come to an end. I can, however, point you in the right direction of two
resources that will aid you in tunnelling both IRC, and most other
connections via an HTTP proxy.
For Windows, the first stop would be http://www.totalrc.net's
Socks2HTTP. This is an SSL tunnelling program that turns a normal socks
proxy connection into a tunnelled SSL connection.
The second stop, for both Windows and Unix, is stunnel. Stunnel is a GNU
kit developed for SSL tunnelling any connection. It is available as
source to compile and as a binary download here: Stunnel homepage -
http://mike.daewoo.com.pl/computer/stunnel
[ anonymity on irc ]
A BNC, or a Bouncer, is used in conjunction with IRC as a way of
hiding your host when people /whois you. On most IRC networks, your host
isn't masked when you are whoised, meaning the entire IP appears, like
194.2.0.21, which can be resolved. On other networks, your host might be
masked, like IRCnetwork-0.1, but it can still give valuable information,
like nationality, if your host is not an IP but a DNS resolved host:
my.host.cn would be masked to IRCnetwork-host.cn, but this would
still tell the person who whoised you that you are from China.
To keep information such as this hidden from the other users on an IRC
network, many people use a Bouncer, which is actually just a Proxy. Let
us first draw a schematic of how a normal connection would look, with
and without a BNC installed.
Without a BNC:
your.host.cn <> irc.box.sk
With a BNC:
your.host.cn <> my.shell.com <> irc.box.sk
You will notice the difference between the two. When you have a BNC
installed, a shell functions as a link between you and the IRC server
(irc.box.sk as an example). You install a BNC on a shell, and set a port
for it to listen for connections on. You then log in to the shell with
your IRC client, BitchX/Xchat/mIRC, and then it will log in to the IRC
server you specify - irc.box.sk in this case. In effect, this changes
your host, in that it is my.shell.com that makes all the requests to
irc.box.sk, and irc.box.sk doesn't know of your.host.cn; it has never
even made contact with it.
In that way, depending on what host your shell has, you can log in to IRC
with a host like i.rule.com. These vhosts are then actually just an
alias for your own machine, your.host.cn, and it is all completely
transparent to the IRC server.
Many servers have sock bots that check for socket connections. These
aren't BNC connections, and a BNC cannot be tested using a simple bot.
Unless your shell has a socket port open (normally 1080), it will let you
in with no problem at all; the shell is not acting as a proxy like you
would expect, but more as a simple IRC proxy, or an IRC router. In one
way, the BNC just changes the packet and sends it on, like:
to: my.shell.com -> to: irc.box.sk -> to: my.shell.com from: your.host.cn
The BNC simply swaps the host of your packet, saying it
comes from my.shell.com. But also be aware that your own machine is
perfectly aware that it has a connection established with my.shell.com,
and that YOU know that you are connected to irc.box.sk.
Some BNCs are used in IRC networks to simulate one host. If you had a
global IRC network, all linked together, you could have a local server
called cn.myircnetwork.com which Chinese users would log into. It would
then bounce them to the actual network server, in effect making all users
from China have the same host - cn.myircnetwork.com - masking their
hosts. Of course, you could change the host too, so it didn't reveal
the nationality. It is a nice gesture of some networks that they
mask all hosts from everyone; it makes life hard for IRCops on the
network, but it's a small price to pay for privacy.
Note: Even if you do use an IRC bouncer, within DCC transfers or chat
your IP will be revealed, because DCC requires a direct IP to IP
connection. A usual mistake of IRC users is to have DCC auto-reply turned
on. It is then easy for an attacker to DCC chat you or offer you a file,
and when the IRC clients are connected, he can find out your IP address
in the list of his TCP/IP connections (netstat).
How do I get an IRC bouncer?
You download and install bouncer software, or get someone to install it
for you (probably the best known and best bouncer available is BNC,
homepage: http://gotbnc.com/).
You configure and start the software - in case it's a bouncer on a Unix
machine, you start it on your shell account (let's say
shell.somewhere.com).
You open IRC and connect to the bouncer at shell.somewhere.com on the port you told it to start on.
Depending on the setup, you may have to tell it your password and
tell it where to connect, and you're now on IRC as shell.somewhere.com
instead of your regular hostname.
[ mail crypto ]
Usually the safest way to ensure that your e-mail won't be read by
unauthorised persons is to encrypt it. To be compatible with the rest
of the world I'd suggest using the free PGP software.
PGP (Pretty Good Privacy) is a piece of software used to ensure that a
message/file has not been changed, has not been read, and comes from the
person you think it comes from. Download location: http://www.pgpi.org/
How does PGP work?
The whole idea behind PGP is that of Public and Private keys. To explain
the algorithm PGP uses in order to encrypt the message would take too
much time, and is beyond the scope of this text; we will, however, look
at how it ensures the integrity of the document. A user has a password;
this password has to be chosen carefully, so don't choose passwords like
"pop" or "iloveyou", which will make an attack more likely to succeed.
The password is used to create a private key and a public key - the
algorithm ensures that you cannot use the public key to make the
private key. The public key is sent to a server, or to the people you
send e-mails/files to, and you keep the private key secret.
We will use a few terms and people in this introduction. They are: Pk -
Public Key, Sk - Secret Key (private key). Adam will send an e-mail to
Eve, and Rita will be a person in between, from whom we are trying to
hide the content of the mail. Rita will intercept the email (PGP doesn't
ensure that Rita can't get her hands on the package; she can - it's not a
secure line like other technologies) and try to read it/modify it. Adam
has a Sk1 and a Pk1, and Eve has a Sk2 and a Pk2. Adam, Eve, and
Rita all have Pk1 and Pk2, but Sk1 and Sk2 are presumed to be totally
secret. First, here is a schematic of how it all looks:
          PUBLIC SERVER
            Pk1, Pk2
  Adam                     Eve
  Sk1          ^           Sk2
               |
               |
               |
               |
              Rita
So Adam wants to send a packet to Eve, without Rita reading it or editing it. There are three things that we need to make sure of:
That Rita can't read the text without permission
That Rita can't edit it in any way without Eve and Adam knowing
That Eve knows that Adam sent it
The first thing is making sure Rita can't read the text. Adam does this by
encrypting the message with Eve's Pk2, which he has found on the server.
You can only encrypt with the Pk, not decrypt, so Rita won't be able to
read the data unless Eve has revealed her Sk2.
The second thing to make sure of is that Rita can't edit the message. Adam
creates a hash from the message he has created. The hash can be
encrypted using Pk2, or sent as it is. When Eve gets the message, she
decrypts it, and creates a hash herself, then checks if the hashes are
the same - if they are, the message is the same; if it's different,
something has changed in the message. The hash is very secure, and it is
in theory impossible to make a change and get the hash to remain the
same.
The third, and probably one of the most important things to ensure, is
that Rita hasn't grabbed the mail, made a new one, and sent it in Adam's
name. We can ensure this by using the Public key and Private key too. The
Sk can be used both to encrypt and to decrypt, but the Pk can only encrypt.
When Adam normally sends a message M to Eve, he creates the encrypted
message C by doing: C=Pk2(M). This means Adam uses Pk2 (Eve's Pk) on
message M to create message C. Imagine this: Adam can encrypt the message
with his Sk1. Because it is impossible to derive Sk1 from the message,
this is secure and without any danger, as long as no one knows the
password used to make Sk1. If the message M is encrypted with Sk1,
he gets a message called X, and Eve can decrypt the message using Pk1,
which is public. If the message decrypts to something that makes sense,
then it must be from Adam, because Sk1 is considered secret, and only
Adam knows it.
The entire process looks like this, when sending message C: Adam signs
his digital signature on C, and hashes C: X=Sk1(C). Then Adam encrypts
the message for Eve: M=Pk2(X). The message is sent, and looks all in all
like this: M=Pk2(Sk1(C)). Rita can intercept M, but not decrypt, edit,
or resend it. Eve receives M, and decrypts it: X=Sk2(M). Then she checks
the digital signature: C=Pk1(X) and checks the Hash on the way.
This way, the PGP Public/Private key system ensures integrity and
security of the document or e-mail, but PGP is not the only algorithm that
uses the Public/Private key theory; Blowfish and RSA are among the many
other technologies that use it. PGP is just the most popular for e-mail
encryption, but many don't trust it because of rumors of backdoors by
the NSA (I don't know if it's true though). PGP comes in a commercial
and a freeware version for Windows, and is available for Linux as well.
Whatever encryption you use, it will be better than none.
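The Adam, Eve and Rita exchange described above, worked through in code as an added example that is not part of the original text and not PGP's own implementation. It uses textbook RSA with small fixed primes purely to mirror the Pk/Sk flow (nothing here is secure for real use), and it signs a hash of the message rather than the whole message; the function names and the key for Rita are assumptions made for the illustration.

```python
import hashlib

E = 65537  # public exponent shared by all demo keys


def make_keypair(p, q):
    """Build (Pk, Sk) = ((n, e), (n, d)) from two primes."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))


# Constructed demo keys from small, publicly known Mersenne primes.
PK1, SK1 = make_keypair(2**61 - 1, 2**89 - 1)      # Adam
PK2, SK2 = make_keypair(2**107 - 1, 2**127 - 1)    # Eve (larger n, so a signature fits)
PK_R, SK_R = make_keypair(2**31 - 1, 2**61 - 1)    # Rita's own pair

BLOCK = 28  # message bytes per block: marker byte + 28 bytes stays below Eve's n


def digest(msg, n):
    """Hash of the message, reduced so it can be signed under modulus n."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def sign(msg, sk):
    n, d = sk
    return pow(digest(msg, n), d, n)               # Sk applied to the hash


def verify(msg, sig, pk):
    n, e = pk
    return pow(sig, e, n) == digest(msg, n)        # Pk undoes Sk; hashes must agree


def encrypt(data, pk):
    n, e = pk
    chunks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
    # The 0x01 marker byte preserves leading zero bytes of each chunk.
    return [pow(int.from_bytes(b"\x01" + c, "big"), e, n) for c in chunks]


def decrypt(blocks, sk):
    n, d = sk
    out = b""
    for c in blocks:
        m = pow(c, d, n)
        out += m.to_bytes((m.bit_length() + 7) // 8, "big")[1:]  # drop marker
    return out


def adam_send(msg, sk_sender=SK1, pk_recipient=PK2):
    """Sign with the sender's Sk, then encrypt body and signature with Pk2."""
    n, e = pk_recipient
    return {"body": encrypt(msg, pk_recipient),
            "sig": pow(sign(msg, sk_sender), e, n)}


def eve_receive(packet, sk_recipient=SK2, pk_sender=PK1):
    """Decrypt with Sk2, then check the signature against Adam's Pk1."""
    n, d = sk_recipient
    msg = decrypt(packet["body"], sk_recipient)
    sig = pow(packet["sig"], d, n)
    return msg, verify(msg, sig, pk_sender)


def demo():
    msg = b"Meet me at the usual place at nine."
    packet = adam_send(msg)
    honest = eve_receive(packet)
    # Rita flips one bit of the first ciphertext block in transit.
    tampered = dict(packet, body=[packet["body"][0] ^ 1] + packet["body"][1:])
    # Rita writes her own mail: Pk2 is public, so she can encrypt to Eve,
    # but she can only sign with her own Sk, not with Sk1.
    forged = adam_send(b"Send the money to Rita.", sk_sender=SK_R)
    return msg, honest, eve_receive(tampered), eve_receive(forged)


if __name__ == "__main__":
    for result in demo()[1:]:
        print(result)
```

The forged packet decrypts cleanly for Eve, which is why encrypting with Pk2 alone says nothing about who sent the mail; only the check against Pk1 does.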
[ anonymous remailers ]
Remailers are programs accessible on the Internet that route email
and USENET postings anonymously (i.e., the recipient cannot determine
who sent the email or posted the article). This way the sender can't be
traced back by routing headers included in the e-mail. There are
different classes of remailers, which allow anonymous exchange of email
and anonymous posting to USENET and often many other useful features.
Resources:
Chain is a menu-driven remailer-chaining script:
http://www.obscura.com/crypto.html
Raph Levien's remailer availability page offers comprehensive information about the subject
http://www.sendfakemail.com/~raph/remailer-list.html
The Cypherpunks Remailers are being developed to provide a secure means
of providing anonymity on the nets. Here you can find out about the
available remailers, those which have been standard in existence for a
long time as well as the new experimental remailers and anonymous
servers.
http://www.csua.berkeley.edu/cypherpunks/remailer/
[ icq privacy ]
How can I keep my privacy at ICQ?
Send and receive messages via the ICQ server, not directly. Every direct
connection enables an attacker to learn your IP. Encrypt your messages
with dedicated software or encryption add-ons.
How to encrypt ICQ messages?
There are add-ons which enhance your ICQ with the possibility to encrypt
outgoing messages. The user on the other side needs to have the add-on
as well in order to decrypt your message.
Resources:
http://www.encrsoft.com/products/tsm.html
Top Secret Messenger (TSM) - trial version has only weak 8-bit encryption
http://www.planet-express.com/sven/technical/dev/chatbuddy/default.html
Chat Buddy - a freeware Windows application for encrypting chat sessions
http://www.algonet.se/~henisak/icq/encrypt-v5.txt
how encryption works in ICQ protocol v5
[ spyware ]
As we all work hard to become more savvy about protecting our
personal information and keeping as anonymous as possible on the web,
advertising companies are working just as hard to come up with new ways
of getting our personal information. One of the ways they accomplish
this is through spyware.
Spyware are applications that are bundled along with many programs that
you download for free. Their function is to gather personal information
about you and relay it back to advertising firms. The information is
then used either to offer you products or sold to other advertisers, so
they can promote THEIR products. They claim this is all they do with
this information, but the problem is nobody really knows for sure.
Spyware fits the classic definition of a trojan, as it is something that
you did not bargain for when you agreed to download the product. Not
only is spyware an invasion of your privacy, but (especially if you have
a few different kinds on your machine) it can also chew up bandwidth,
making your internet connection slower.
Sometimes, these spies really are harmless, merely connecting back to
the home server to deliver you more advertising. Some, like Gator for
instance, send out detailed information about your surfing habits,
operating system, income, age demographic et cetera.
Avoiding spyware
Avoiding spyware is getting harder and harder, as more software
distributors are choosing it as a method of profiting from freeware and
shareware distributions. Be leery of programs with cute little icons
like Gator. Also, watch those Napster wannabes like AudioGalaxy,
Limewire, and Kazaa. I've yet to find one that didn't include spyware.
Before you download, check to see if the program is known to contain
spyware.
For a list of most known spyware, the best I've found is here:
http://www.infoforce.qc.ca/spyware/enknownlistfrm.html
Getting rid of spyware
In most cases, you can remove the spyware from your system and still use
the application you downloaded. In the case of Gator and Comet Cursor,
the whole program is spyware and it must be completely removed to
stop the spying.
There are several ways to get rid of spyware on your system. You can use
a firewall to monitor outgoing connections. The programmers that put
these things together, however, are getting sneakier and sneakier about
getting them to circumvent firewalls. Comet Cursor, for instance, uses an
HTTP post command to connect without the intervention of a firewall.
You can also install a registry monitor such as Regmon to monitor your
registry for unwanted registry changes, but this is not
foolproof either.
Probably the best method of removal is to download a spyware removal
program and run it like it was a virus scanner. The best examples of
these programs are:
Lavasoft's Adaware. Available at http://www.lavasoftusa.com/
Or professional cybernut Steve Gibson's OptOut. Available at: http://grc.com/optout.htm
Both of these programs are free and are updated regularly.
Here are some links, if you wish to learn more about spyware:
http://www.spychecker.com/
http://grc.com/optout.htm
http://www.thebee.com/bweb/iinfo200.htm
[ cleaning tracks ]
Resources:
Burnt Cookies - allows automatic detection and optional deletion of Cookies deposited by Banner Ad web-sites
http://www.andersson-design.com/bcookies/index.shtml
Surfsecret - automatically kills files like your Internet cache files,
cookies, history, temporary files, recent documents, and the contents of
the Recycle Bin.
http://www.surfsecret.com/
Note: One sidenote on cleaning tracks. When you delete some files on
your machine, these aren't actually deleted. Only the reference to their
location on the hard drive is deleted, which makes the OS think that
that location on the HD is free and ready to take things. Thus, there
are ways to recover data even after you delete it.
There are, however, several ways to _wipe_ this information. Programs
that fill hard disk locations with zeros, then with 1s, on several
passes are your best bet to make sure no document falls into the wrong
hands. One such program is PGP. PGPi now comes with a utility that
does this work, and you can even select the number of passes to wipe
files. For *nix, there is also the "wipe" program. Use these when you
feel you have data that needs secure cleaning.
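What such a wipe pass does, as an added example that is not part of the original text and not the code of PGP or of the "wipe" program. It overwrites a file in place with zeros, then ones, for a chosen number of passes before deleting it; it assumes a disk and filesystem that write new data over the same locations, which is the situation the note above describes. The function names and the sample file are constructed for the illustration.

```python
import os
import tempfile

CHUNK = 64 * 1024  # write in 64 KiB pieces so large files do not fill memory


def overwrite_pass(f, size, byte):
    """Overwrite the first `size` bytes of the open file f with one byte value."""
    f.seek(0)
    block = bytes([byte]) * CHUNK
    remaining = size
    while remaining:
        step = min(CHUNK, remaining)
        f.write(block[:step])
        remaining -= step
    f.flush()
    os.fsync(f.fileno())   # push this pass to the disk before the next one


def wipe_file(path, passes=3, remove=True):
    """Alternate zeros and ones over the file, then optionally delete it.

    Returns the list of byte values written, one per pass.
    """
    size = os.path.getsize(path)
    written = []
    with open(path, "r+b") as f:        # r+b: overwrite in place, no truncation
        for i in range(passes):
            byte = 0x00 if i % 2 == 0 else 0xFF
            overwrite_pass(f, size, byte)
            written.append(byte)
    if remove:
        os.remove(path)                 # only now drop the directory reference
    return written


def demo():
    """Wipe a constructed sample file and report what was left on disk."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(b"constructed secret line\n" * 5000)   # constructed sample data
    size = os.path.getsize(path)
    wipe_file(path, passes=2, remove=False)            # zeros, then ones
    with open(path, "rb") as f:
        after = f.read()
    wipe_file(path, passes=1)                          # final pass, then delete
    return size, after, os.path.exists(path)


if __name__ == "__main__":
    size, after, exists = demo()
    print(size, set(after), exists)
```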