Armitage
Armitage is a graphical cyber attack management tool for the Metasploit Project that visualizes targets and recommends exploits. It is a free and open source network security tool notable for its contributions to red team collaboration, allowing for shared sessions, data, and communication through a single Metasploit instance. Armitage is written and supported by Raphael Mudge.
History
Armitage is a GUI front-end for the Metasploit Framework developed by Raphael Mudge with the goal of helping security professionals better understand hacking and realize the power of Metasploit. It was originally made for Cyber Defense Exercises, but its user base has since expanded to other penetration testers.
Features
Armitage is a scriptable red team collaboration tool built on top of the Metasploit Framework. Through Armitage, a user may launch scans and exploits, get exploit recommendations, and use the advanced features of the Metasploit Framework's meterpreter.
ARP spoofing
Figure (ARP Spoofing.svg): A successful ARP spoofing (poisoning) attack allows an attacker to alter routing on a network, effectively allowing for a man-in-the-middle attack.
In computer networking, ARP spoofing, ARP cache poisoning, or ARP poison routing, is a technique by which an attacker sends (spoofed) Address Resolution Protocol (ARP) messages onto a local area network. Generally, the aim is to associate the attacker's MAC address with the IP address of another host, such as the default gateway, causing any traffic meant for that IP address to be sent to the attacker instead.
ARP spoofing may allow an attacker to intercept data frames on a network, modify the traffic, or stop all traffic. Often the attack is used as an opening for other attacks, such as denial-of-service, man-in-the-middle, or session hijacking attacks.
The attack can only be used on networks that use the Address Resolution Protocol, and is limited to local network segments.
ARP vulnerabilities
The Address Resolution Protocol (defined by RFC 826 in 1982) is a widely used communications protocol for resolving Internet layer addresses into link layer addresses.
When an Internet Protocol (IP) datagram is sent from one host to another in a local area network, the destination IP address must be resolved to a MAC address for transmission via the data link layer. When another host's IP address is known, and its MAC address is needed, a broadcast packet is sent out on the local network. This packet is known as an ARP request. The destination machine with the IP in the ARP request then responds with an ARP reply, which contains the MAC address for that IP.
ARP is a stateless protocol. Network hosts will automatically cache any ARP replies they receive, regardless of whether they requested them. Even ARP entries which have not yet expired will be overwritten when a new ARP reply packet is received. There is no method in the ARP protocol by which a host can authenticate the peer from which the packet originated. This behavior is the vulnerability which allows ARP spoofing to occur.
Anatomy of an ARP spoofing attack
The basic principle behind ARP spoofing is to exploit the above-mentioned vulnerabilities in the ARP protocol by sending spoofed ARP messages onto the LAN. ARP spoofing attacks can be run from a compromised host on the LAN, or from an attacker's machine that is connected directly to the target LAN.
Generally, the goal of the attack is to associate the attacker's host MAC address with the IP address of a target host, so that any traffic meant for the target host will be sent to the attacker's host. The attacker may choose to inspect the packets (spying), while forwarding the traffic to the actual default gateway to avoid discovery, modify the data before forwarding it (man-in-the-middle attack), or launch a denial-of-service attack by causing some or all of the packets on the network to be dropped.
Defenses
Static ARP entries
IP address-to-MAC address mappings in the local ARP cache may be statically entered so that hosts ignore all ARP reply packets. While static entries provide some security against spoofing if the operating system handles them correctly, they create a maintenance burden, because the address mappings of all systems in the network have to be distributed to every host.
ARP spoofing detection software
Software that detects ARP spoofing generally relies on some form of certification or cross-checking of ARP responses. Uncertified ARP responses are then blocked. These techniques may be integrated with the DHCP server so that both dynamic and static IP addresses are certified. This capability may be implemented in individual hosts or may be integrated into Ethernet switches or other network equipment. The existence of multiple IP addresses associated with a single MAC address may indicate an ARP spoof attack, although there are legitimate uses of such a configuration. In a more passive approach a device listens for ARP replies on a network, and sends a notification via email when an ARP entry changes.
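The cross-checking that arpwatch-style tools perform, as an added example (not code from any of the tools listed on this page): it parses raw Ethernet/ARP frames, keeps its own IP-to-MAC view, and flags the symptoms the ARP vulnerabilities section describes (cache entries overwritten by new replies, one MAC claiming several IPs, and replies nobody asked for). The MAC and IP addresses in the replayed capture are constructed.

```python
"""Passive ARP-spoof detector in the style of arpwatch (added example, not
code from any tool on this page). It parses raw Ethernet/ARP frames (RFC 826
layout) and cross-checks every reply against its own IP -> MAC view."""
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


@dataclass
class ArpPacket:
    op: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def _mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def _ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_arp_frame(frame: bytes) -> Optional[ArpPacket]:
    """Decode an Ethernet frame carrying IPv4-over-Ethernet ARP; None otherwise."""
    if len(frame) < 14 + 28:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None  # only Ethernet/IPv4 ARP is handled here
    body = frame[22:42]  # sender MAC, sender IP, target MAC, target IP
    return ArpPacket(op, _mac_str(body[0:6]), _ip_str(body[6:10]),
                     _mac_str(body[10:16]), _ip_str(body[16:20]))


@dataclass
class ArpMonitor:
    table: Dict[str, str] = field(default_factory=dict)  # ip -> mac seen so far
    pending: Set[str] = field(default_factory=set)       # ips a request asked for
    alerts: List[str] = field(default_factory=list)

    def observe(self, pkt: ArpPacket) -> List[str]:
        """Feed one packet; returns the alerts it triggered (also accumulated)."""
        new: List[str] = []
        if pkt.op == ARP_REQUEST:
            self.pending.add(pkt.target_ip)
            self._learn(pkt.sender_ip, pkt.sender_mac, new)  # requests carry the sender's mapping
        elif pkt.op == ARP_REPLY:
            if pkt.sender_ip not in self.pending:
                new.append(f"unsolicited reply: {pkt.sender_ip} is-at {pkt.sender_mac}")
            self.pending.discard(pkt.sender_ip)
            self._learn(pkt.sender_ip, pkt.sender_mac, new)
        self.alerts.extend(new)
        return new

    def _learn(self, ip: str, mac: str, new: List[str]) -> None:
        old = self.table.get(ip)
        if old is not None and old != mac:
            new.append(f"mapping changed: {ip} was {old}, now {mac}")
        self.table[ip] = mac
        claimed = sorted(i for i, m in self.table.items() if m == mac)
        if len(claimed) > 1:
            new.append(f"{mac} now claims {len(claimed)} IPs: {', '.join(claimed)}")


def build_arp_frame(op: int, smac: str, sip: str, tmac: str, tip: str) -> bytes:
    """Encode a frame; used only to construct the sample capture below."""
    mac = lambda s: bytes(int(x, 16) for x in s.split(":"))
    ip = lambda s: bytes(int(x) for x in s.split("."))
    dst = b"\xff" * 6 if op == ARP_REQUEST else mac(tmac)
    eth = dst + mac(smac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + mac(smac) + ip(sip) + mac(tmac) + ip(tip)
    return eth + arp


def run_sample() -> List[str]:
    """Replay a constructed capture: one normal exchange, then a poisoning attempt."""
    host, gw, rogue = "00:11:22:33:44:01", "00:11:22:33:44:fe", "aa:bb:cc:dd:ee:ff"
    capture = [
        build_arp_frame(ARP_REQUEST, host, "192.168.1.10", "00:00:00:00:00:00", "192.168.1.1"),
        build_arp_frame(ARP_REPLY, gw, "192.168.1.1", host, "192.168.1.10"),
        # unsolicited replies that rewrite both ends of the host <-> gateway path
        build_arp_frame(ARP_REPLY, rogue, "192.168.1.1", host, "192.168.1.10"),
        build_arp_frame(ARP_REPLY, rogue, "192.168.1.10", gw, "192.168.1.1"),
    ]
    mon = ArpMonitor()
    for frame in capture:
        pkt = parse_arp_frame(frame)
        if pkt is not None:
            mon.observe(pkt)
    return mon.alerts


if __name__ == "__main__":
    for line in run_sample():
        print("ALERT:", line)
```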
OS security
Operating systems react differently: Linux ignores unsolicited replies, but on the other hand uses requests from other machines to update its cache. Solaris accepts updates on entries only after a timeout. In Microsoft Windows, the behavior of the ARP cache can be configured through several registry entries under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters: ArpCacheLife, ArpCacheMinReferenceLife, ArpUseEtherSNAP, ArpTRSingleRoute, ArpAlwaysSourceRoute, and ArpRetryCount.<ref>Address Resolution Protocol</ref>
AntiARP<ref>AntiARP</ref> also provides Windows-based spoofing prevention at the kernel level. ArpStar is a Linux module for kernel 2.6 and Linksys routers that drops invalid packets that violate mapping, and contains an option to repoison/heal.
The simplest form of certification is the use of static, read-only entries for critical services in the ARP cache of a host. This prevents only simple attacks and does not scale on a large network, since the mapping has to be set for each pair of machines, resulting in n²-n ARP entries that have to be configured when n machines are present: on every one of the n machines there must be an ARP entry for every other machine on the network.
Legitimate usage
The techniques that are used in ARP spoofing can also be used to implement redundancy of network services. For example, some software allows a backup server to issue a gratuitous ARP request in order to take over for a defective server and transparently offer redundancy.
ARP spoofing is often used by developers to debug IP traffic between two hosts when a switch is in use: if host A and host B are communicating through an Ethernet switch, their traffic would normally be invisible to a third monitoring host M. The developer configures A to have M's MAC address for B, and B to have M's MAC address for A, and also configures M to forward packets. M can now monitor the traffic, exactly as in a man-in-the-middle attack.
Tools
Defense
anti-arpspoof
Antidote:<ref>Antidote</ref> Linux daemon, monitors mappings, unusually large number of ARP packets.
Arp_Antidote:<ref>Arp_Antidote</ref> Linux Kernel Patch for 2.4.18 - 2.4.20, watches mappings, can define action to take when.
Arpalert: Predefined list of allowed MAC addresses, alert if MAC that is not in list.
ArpON: Portable handler daemon for securing ARP against spoofing, cache poisoning or poison routing attacks in static, dynamic and hybrid networks.
Arpwatch
Arpwatch/ArpwatchNG/Winarpwatch: Keep mappings of IP-MAC pairs, report changes via Syslog, Email.
DefendARP:<ref>Defense Scripts | ARP Poisoning</ref> A host-based ARP table monitoring and defense tool designed for use when connecting to public wifi. DefendARP detects ARP poisoning attacks, corrects the poisoned entry, and identifies the MAC and IP address of the attacker.
Prelude IDS: ArpSpoof plugin, basic checks on addresses.
Snort: Snort preprocessor Arpspoof, performs basic checks on addresses
XArp:<ref name="XArp">XArp</ref> Advanced ARP spoofing detection, active probing and passive checks. Two user interfaces: normal view with predefined security levels, pro view with per-interface configuration of detection modules and active validation. Windows and Linux, GUI-based.
Spoofing
Some of the tools that can be used to carry out ARP spoofing attacks:
Arpspoof (part of the DSniff suite of tools)
Arpoison
Subterfuge
Ettercap
Seringe
ARP-FILLUP -V0.1
arp-sk -v0.0.15
ARPOc -v1.13
arpalert -v0.3.2
arping -v2.04
arpmitm -v0.2
arpoison -v0.5
ArpSpyX -v1.1
ArpToXin -v 1.0
Cain & Abel -v 4.3
cSploit -v 1.6.2
SwitchSniffer
APE - ARP Poisoning Engine
Simsang
zANTI -v2
Deep packet inspection
Deep Packet Inspection (DPI, also called complete packet inspection and Information eXtraction or IX) is a form of computer network packet filtering that examines the data part (and possibly also the header) of a packet as it passes an inspection point, searching for protocol non-compliance, viruses, spam, intrusions, or defined criteria, in order to decide whether the packet may pass or needs to be routed to a different destination, or for the purpose of collecting statistical information. There are multiple headers for IP packets; network equipment only needs to use the first of these (the IP header) for normal operation, but use of the second header (TCP, UDP etc.) is normally considered to be shallow packet inspection (usually called Stateful Packet Inspection) despite this definition.
There are multiple ways to acquire packets for deep packet inspection. Using port mirroring (sometimes called a SPAN port) is a very common way, as is the use of an optical splitter.
Deep Packet Inspection (and filtering) enables advanced network management, user service, and security functions as well as internet data mining, eavesdropping, and internet censorship. Although DPI technology has been used for Internet management for many years, some advocates of net neutrality fear that the technology may be used anticompetitively or to reduce the openness of the Internet.
DPI is used in a wide range of applications, at the so-called "enterprise" level (corporations and larger institutions), in telecommunications service providers, and in governments.
Background
DPI combines the functionality of an intrusion detection system (IDS) and an intrusion prevention system (IPS) with a traditional stateful firewall. This combination makes it possible to detect certain attacks that neither the IDS/IPS nor the stateful firewall can catch on their own. Stateful firewalls, while able to see the beginning and end of a packet flow, cannot catch events on their own that would be out of bounds for a particular application. While IDSs are able to detect intrusions, they have very little capability in blocking such an attack. DPI is used to prevent attacks from viruses and worms at wire speeds. More specifically, DPI can be effective against buffer overflow attacks, denial-of-service attacks (DoS), sophisticated intrusions, and a small percentage of worms that fit within a single packet.
DPI-enabled devices have the ability to look at Layer 2 and beyond Layer 3 of the OSI model. In some cases, DPI can be invoked to look through Layer 2-7 of the OSI model. This includes headers and data protocol structures as well as the payload of the message. DPI functionality is invoked when a device looks or takes other action, based on information beyond Layer 3 of the OSI model. DPI can identify and classify traffic based on a signature database that includes information extracted from the data part of a packet, allowing finer control than classification based only on header information. End points can utilize encryption and obfuscation techniques to evade DPI actions in many cases.
A classified packet may be redirected, marked/tagged (see quality of service), blocked, rate limited, and of course, reported to a reporting agent in the network. In this way, HTTP errors of different classifications may be identified and forwarded for analysis. Many DPI devices can identify packet flows (rather than packet-by-packet analysis), allowing control actions based on accumulated flow information.
DPI at the enterprise level
Initially security at the enterprise level was just a perimeter discipline, with a dominant philosophy of keeping unauthorized users out, and shielding authorized users from the outside world. The most frequently used tool for accomplishing this has been a stateful firewall. It can permit fine-grained control of access from the outside world to pre-defined destinations on the internal network, as well as permitting access back to other hosts only if a request to the outside world has been made previously.
Vulnerabilities exist at network layers, however, that are not visible to a stateful firewall. Also, the increasing use of laptops in enterprises makes it more difficult to prevent threats such as viruses, worms, and spyware from penetrating the corporate network, as many users connect their laptops to less secure networks such as home broadband connections or wireless networks in public locations. Firewalls also do not distinguish between permitted and forbidden uses of legitimately accessed applications. DPI enables IT administrators and security officials to set policies and enforce them at all layers, including the application and user layer, to help combat those threats.
Deep Packet Inspection is able to detect a few kinds of buffer overflow attacks.
DPI may be used by enterprises for Data Leak Prevention (DLP). When an e-mail user tries to send a protected file, the user may be given information on how to get the proper clearance to send the file.
DPI at network/Internet service providers
In addition to using DPI to secure their internal networks, Internet service providers also apply this technology on the public networks provided to customers. Common uses of DPI by ISPs are lawful intercept, policy definition and enforcement, targeted advertising, quality of service, offering tiered services, and copyright enforcement.
Lawful interception
Service providers are required by almost all governments worldwide to enable lawful intercept capabilities. Decades ago in a legacy telephone environment, this was met by creating a traffic access point (TAP) using an intercepting proxy server that connects to the government's surveillance equipment. This is not possible in contemporary digital networks. The acquisition component of this functionality may be provided in many ways, including DPI; DPI-enabled products that are "LI or CALEA-compliant" can be used, when directed by a court order, to access a user's data stream.
Policy definition and enforcement
Service providers obligated by the service-level agreement with their customers to provide a certain level of service and at the same time, enforce an acceptable use policy, may make use of DPI to implement certain policies that cover copyright infringements, illegal materials, and unfair use of bandwidth. In some countries the ISPs are required to perform filtering, depending on the country's laws. DPI allows service providers to "readily know the packets of information you are receiving online—from e-mail, to websites, to sharing of music, video and software downloads". Policies can be defined that allow or disallow connection to or from an IP address, certain protocols, or even heuristics that identify a certain application or behavior.
Targeted advertising
Because ISPs route the traffic of all of their customers, they are able to monitor web-browsing habits in a very detailed way, allowing them to gain information about their customers' interests, which can be used by companies specializing in targeted advertising. At least 100,000 United States customers are tracked this way, and as many as 10% of U.S. customers have been tracked in this way. Technology providers include NebuAd, Front Porch, and Phorm. U.S. ISPs monitoring their customers include Knology and Wide Open West. In addition, the United Kingdom ISP British Telecom has admitted testing technology from Phorm without their customers' knowledge or consent.
Quality of service
Applications such as peer-to-peer (P2P) traffic present increasing problems for broadband service providers. Typically, P2P traffic is used by applications that do file sharing. These may be any kind of files (e.g. documents, music, videos, or applications). Due to the frequently large size of media files being transferred, P2P drives increasing traffic loads, requiring additional network capacity. Service providers say a minority of users generate large quantities of P2P traffic and degrade performance for the majority of broadband subscribers using applications such as e-mail or Web browsing, which use less bandwidth. Poor network performance increases customer dissatisfaction and leads to a decline in service revenues.
DPI allows the operators to oversell their available bandwidth while ensuring equitable bandwidth distribution to all users by preventing network congestion. Additionally, a higher priority can be allocated to a VoIP or video conferencing call which requires low latency versus web browsing which does not. This is the approach that service providers use to dynamically allocate bandwidth according to traffic that is passing through their networks.
Other vendors claim that DPI is ineffective against P2P and that other methods of bandwidth management are more effective.
Tiered services
Mobile and broadband service providers use DPI as a means to implement tiered service plans, to differentiate "walled garden" services from "value added", "all-you-can-eat" and "one-size-fits-all" data services. By being able to charge for a "walled garden", per application, per service, or "all-you-can-eat" rather than a "one-size-fits-all" package, the operator can tailor its offering to the individual subscriber and increase its Average Revenue Per User (ARPU). A policy is created per user or user group, and the DPI system in turn enforces that policy, allowing the user access to different services and applications.
Copyright enforcement
ISPs are sometimes requested by copyright owners or required by courts or official policy to help enforce copyrights. In 2006, one of Denmark's largest ISPs, Tele2, was given a court injunction and told it must block its customers from accessing The Pirate Bay, a launching point for BitTorrent. Instead of prosecuting file sharers one at a time, the International Federation of the Phonographic Industry (IFPI) and the big four record labels EMI, Sony BMG, Universal Music, and Warner Music have begun suing ISPs such as Eircom for not doing enough about protecting their copyrights. The IFPI wants ISPs to filter traffic to remove illicitly uploaded and downloaded copyrighted material from their network, despite European directive 2000/31/EC clearly stating that ISPs may not be put under a general obligation to monitor the information they transmit, and directive 2002/58/EC granting European citizens a right to privacy of communications. The Motion Picture Association of America (MPAA), which enforces movie copyrights, has on the other hand taken the position with the Federal Communications Commission (FCC) that network neutrality could hurt anti-piracy technology such as Deep Packet Inspection and other forms of filtering.
Statistics
DPI allows ISPs to gather statistical information about use patterns by user group. For instance, it might be of interest whether users with a 2-Mbit connection use the network in a dissimilar manner to users with a 5-Mbit connection. Access to trend data also helps network planning.
Deep Packet Inspection by governments
In addition to using DPI for the security of their own networks, governments in North America, Europe, and Asia use DPI for various purposes such as surveillance and censorship. Many of these programs are classified.
United States
FCC adopts Internet CALEA requirements: The FCC, pursuant to its mandate from the U.S. Congress, and in line with the policies of most countries worldwide, has required that all telecommunication providers, including Internet services, be capable of supporting the execution of a court order to provide real-time communication forensics of specified users. In 2006, the FCC adopted new Title 47, Subpart Z, rules requiring Internet access providers to meet these requirements. DPI was one of the platforms essential to meeting this requirement and has been deployed for this purpose throughout the U.S.
The National Security Agency (NSA), with cooperation from AT&T Inc., has used Deep Packet Inspection technology to make internet traffic surveillance, sorting, and forwarding more intelligent. The DPI is used to find which packets are carrying e-mail or a Voice over Internet Protocol (VoIP) telephone call. Traffic associated with AT&T's Common Backbone was "split" between two fibers, dividing the signal so that 50 percent of the signal strength went to each output fiber. One of the output fibers was diverted to a secure room; the other carried communications on to AT&T's switching equipment. The secure room contained Narus traffic analyzers and logic servers; Narus states that such devices are capable of real-time data collection (recording data for consideration) and capture at 10 gigabits per second. Certain traffic was selected and sent over a dedicated line to a "central location" for analysis. According to Marcus's affidavit, the diverted traffic "represented all, or substantially all, of AT&T's peering traffic in the San Francisco Bay area," and thus, "the designers of the ... configuration made no attempt, in terms of location or position of the fiber split, to exclude data sources [sic] primarily of domestic data." Narus's Semantic Traffic Analyzer software, which runs on IBM or Dell Linux servers using DPI technology, sorts through IP traffic at 10 Gbit/s to pick out specific messages based on a targeted e-mail address, IP address or, in the case of VoIP, telephone number. President George W. Bush and Attorney General Alberto R. Gonzales have asserted that they believe the president has the authority to order secret intercepts of telephone and e-mail exchanges between people inside the United States and their contacts abroad without obtaining a FISA warrant.
The Defense Information Systems Agency has developed a sensor platform that uses Deep Packet Inspection.
China
The Chinese government uses Deep Packet Inspection to monitor and censor network traffic and content that it claims is harmful to Chinese citizens or state interests. This material includes pornography, information on religion, and political dissent. Chinese network ISPs use DPI to see if there is any sensitive keyword going through their network. If so, the connection will be cut. People within China often find themselves blocked while accessing Web sites containing content related to Taiwanese and Tibetan independence, Falun Gong, the Dalai Lama, the Tiananmen Square protests and massacre of 1989, political parties that oppose that of the ruling Communist party, or a variety of anti-Communist movements, as those topics have already been registered as DPI-sensitive keywords. China also blocks VoIP traffic in and out of the country. Voice traffic in Skype is unaffected, although text messages are subject to DPI, and messages containing sensitive material, such as curse words, are simply not delivered, with no notification provided to either participant in the conversation. China also blocks visual media sites such as YouTube.com and various photography and blogging sites.
DPI and net neutrality
People and organizations concerned about privacy or network neutrality find inspection of the content layers of the Internet protocol to be offensive, saying for example, "the 'Net was built on open access and non-discrimination of packets!" Critics of network neutrality rules, meanwhile, call them "a solution in search of a problem" and say that net neutrality rules would reduce incentives to upgrade networks and launch next-generation network services.
Deep packet inspection is considered by many both to undermine the infrastructure of the internet and to be illegal under the United States constitution.<ref>http://www.projectpact.eu/documents-1/%231_Privacy_and_Security_Research_Paper_Series.pdf</ref>
Infrastructure security
Traditionally the mantra which has served ISPs well has been to only operate at layer 4 and below of the OSI model. This is because simply deciding where packets go and routing them is comparatively easy to handle securely. This traditional model still allows ISPs to accomplish required tasks safely, such as restricting bandwidth depending on the amount of bandwidth that is used (layer 4 and below) rather than per protocol or application type (layer 7). There is a very strong and often ignored argument that ISP action above layer 4 of the OSI model provides what are known in the security community as 'stepping stones', or platforms from which to conduct man-in-the-middle attacks. This problem is exacerbated by ISPs often choosing cheaper hardware with poor security track records for the very difficult and arguably impossible to secure task of Deep Packet Inspection.
OpenBSD's packet filter specifically avoids DPI for the very reason that it cannot be done securely with confidence.
This means that DPI-dependent security services such as TalkTalk's HomeSafe are actually trading the security of a few (protectable, and often already protectable, in other more effective ways) for decreased security for all, where users also have far less possibility of mitigating the risk. The HomeSafe service in particular is opt-in for blocking, but its DPI cannot be opted out of, even for business users.
Software
OpenDPI<ref>Opendpi</ref> is the open source version for non-obfuscated protocols. PACE, another such engine, includes obfuscated and encrypted protocols, which are the types associated with Skype or encrypted BitTorrent.<ref>Deep packet inspection engine goes open source</ref> As OpenDPI is no longer maintained, an OpenDPI fork named nDPI<ref>nDPI</ref> has been created; it is actively maintained and has been extended with new protocols including Skype, Webex, Citrix and many others.
L7-Filter is a classifier for Linux's Netfilter that identifies packets based on application layer data.<ref>L7-Filter home page</ref> It can classify packets such as Kazaa, HTTP, Jabber, Citrix, BitTorrent, FTP, Gnucleus, eDonkey2000, and others. It classifies streaming, mail, P2P, VoIP, and gaming protocols and applications.
Hippie (Hi-Performance Protocol Identification Engine) is an open source project which was developed as a Linux kernel module.<ref>Hippie Project download page on SourceForge</ref> It was developed by Josh Ballard. It supports both DPI and firewall functionality.<ref>Hippie reference page</ref>
The SPID (Statistical Protocol IDentification) project is based on statistical analysis of network flows to identify application traffic.<ref>SPID project on SourceForge</ref> The SPID algorithm can detect the application layer protocol (layer 7) by analysing flow statistics (packet sizes, etc.) and payload statistics (byte values, etc.) from pcap files. It is just a proof-of-concept application and currently supports approximately 15 applications/protocols such as eDonkey Obfuscation traffic, Skype UDP and TCP, BitTorrent, IMAP, IRC, MSN, and others.
Tstat (TCP STatistic and Analysis Tool) provides insight into traffic patterns and gives details and statistics for numerous applications and protocols.<ref>Tstat project home</ref>
Libprotoident introduces Lightweight Packet Inspection (LPI), which examines only the first four bytes of payload in each direction. This minimizes privacy concerns while decreasing the disk space needed to store the packet traces necessary for the classification. Libprotoident supports over 200 different protocols, and the classification is based on a combined approach using payload pattern matching, payload size, port numbers, and IP matching.<ref>Libprotoident project home</ref>
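How classification from only the first four payload bytes per direction can work, as an added example illustrating the Libprotoident LPI approach just described and the signature-based classification mentioned in the Background section; the rules and sample flows are constructed illustrations, not Libprotoident's own signatures or code.

```python
"""Toy Lightweight Packet Inspection (LPI) classifier (added example).

Keeps only the first four payload bytes in each direction plus sizes and
ports, then classifies from that summary. The rules are simplified
illustrations, not Libprotoident's own signatures or code.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class FlowSummary:
    """All that LPI retains about a flow: no full payloads, 4 bytes per direction."""
    client_port: int
    server_port: int
    first_client: bytes   # first 4 payload bytes, client -> server
    first_server: bytes   # first 4 payload bytes, server -> client
    client_len: int       # length of the first client payload (0 = none seen)
    server_len: int


def summarise(client_port: int, server_port: int,
              client_payload: bytes, server_payload: bytes) -> FlowSummary:
    """Reduce a flow's first payloads to the LPI summary; the rest is discarded."""
    return FlowSummary(client_port, server_port, client_payload[:4], server_payload[:4],
                       len(client_payload), len(server_payload))


@dataclass(frozen=True)
class Rule:
    name: str
    client_prefixes: Tuple[bytes, ...]  # any may match the client's first bytes
    server_prefixes: Tuple[bytes, ...]  # any may match the server's first bytes
    ports: Tuple[int, ...]              # supporting evidence for one-sided flows


RULES: List[Rule] = [
    Rule("http", (b"GET ", b"POST", b"HEAD", b"PUT "), (b"HTTP",), (80, 8080)),
    Rule("tls", (b"\x16\x03",), (b"\x16\x03",), (443,)),  # TLS record: handshake, v3.x
    Rule("ssh", (b"SSH-",), (b"SSH-",), (22,)),
]


def classify(flow: FlowSummary) -> str:
    """Payload evidence in both directions wins over ports; ports only break ties."""
    for rule in RULES:
        c_ok = any(flow.first_client.startswith(p) for p in rule.client_prefixes)
        s_ok = any(flow.first_server.startswith(p) for p in rule.server_prefixes)
        if c_ok and s_ok:
            return rule.name
        # One-sided flow (no server payload yet): pattern plus port is accepted.
        if c_ok and flow.server_len == 0 and flow.server_port in rule.ports:
            return rule.name
    if flow.client_len == 0 and flow.server_len == 0:
        return "no_payload"  # e.g. a scan or a connection that never sent data
    return "unknown"


def classify_samples() -> List[str]:
    """Constructed flows: note that TLS on port 80 is still recognised as TLS."""
    samples = [
        summarise(51000, 80, b"GET /index.html HTTP/1.1\r\nHost: x\r\n\r\n", b"HTTP/1.1 200 OK\r\n"),
        summarise(51001, 80, b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0", b"\x16\x03\x03\x00\x5a\x02"),
        summarise(51002, 22, b"SSH-2.0-OpenSSH_9.6\r\n", b"SSH-2.0-OpenSSH_9.6\r\n"),
        summarise(51003, 443, b"", b""),
        summarise(51004, 8080, b"GET / HTTP/1.0\r\n\r\n", b""),
        summarise(51005, 9999, b"\x00\x01\x02\x03", b"abcd"),
    ]
    return [classify(f) for f in samples]


if __name__ == "__main__":
    print(classify_samples())
```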
The French company Amesys designed and sold to Muammar Gaddafi an intrusive and massive internet monitoring system called Eagle.<ref>Spy-Gear Business to Be Sold - Amesys to Sell Business That Provided Surveillance Technology Used by Gadhafi, The Wall Street Journal, German edition, Friday, March 9, 2012.</ref>
Comparison
A comprehensive comparison of various network traffic classifiers that depend on Deep Packet Inspection (PACE, OpenDPI, four different configurations of L7-filter, nDPI, Libprotoident, and Cisco NBAR) is shown in the Extended Independent Comparison of Popular Deep Packet Inspection (DPI) Tools for Traffic Classification.
Hardware
More emphasis is being placed on deep packet inspection in the wake of the rejection of the SOPA and PIPA bills. Many current DPI methods are slow and costly, especially for high-bandwidth applications, so more efficient methods are being developed. Specialized routers are now able to perform DPI; routers equipped with a dictionary of application signatures can identify the purposes behind the LAN and internet traffic they route. Cisco Systems is now on its second iteration of DPI-enabled routers, with the announcement of the Cisco ISR G2 router.<ref>Application Visibility and Control. (n.d.). In Cisco Systems. Retrieved from http://www.cisco.com/en/US/prod/routers/application_visibility_control.html.</ref>
Man-in-the-middle attack
In cryptography and computer security, a man-in-the-middle attack (often abbreviated to MITM, MitM, MIM, MiM attack or MITMA) is an attack where the attacker secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other. Man-in-the-middle attacks can be thought about through a chess analogy. Mallory, who barely knows how to play chess, claims that she can play two grandmasters simultaneously and either win one game or draw both. She waits for the first grandmaster to make a move and then makes this same move against the second grandmaster. When the second grandmaster responds, Mallory makes the same play against the first. She plays the entire game this way and cannot lose. A man-in-the-middle attack is a similar strategy and can be used against many cryptographic protocols.
One example of a man-in-the-middle attack is active eavesdropping, in which the attacker makes independent connections with the victims and relays messages between them to make them believe they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker. The attacker must be able to intercept all relevant messages passing between the two victims and inject new ones. This is straightforward in many circumstances; for example, an attacker within reception range of an unencrypted Wi-Fi wireless access point can insert himself as a man-in-the-middle.
As an attack that aims at circumventing mutual authentication, or the lack of it, a man-in-the-middle attack can succeed only when the attacker can impersonate each endpoint to the other's satisfaction, as expected from the legitimate far end. Most cryptographic protocols include some form of endpoint authentication specifically to prevent MITM attacks. For example, TLS can authenticate one or both parties using a mutually trusted certification authority.
Example of an attack
[Figure: An illustration of the man-in-the-middle attack]
Suppose Alice wishes to communicate with Bob. Meanwhile, Mallory wishes to intercept the conversation to eavesdrop and optionally deliver a false message to Bob.
First, Alice asks Bob for his public key. If Bob sends his public key to Alice, but Mallory is able to intercept it, a man-in-the-middle attack can begin. Mallory sends a forged message to Alice that claims to be from Bob, but instead includes Mallory's public key.
Alice, believing this public key to be Bob's, encrypts her message with Mallory's key and sends the enciphered message back to Bob. Mallory again intercepts, deciphers the message using her private key, possibly alters it if she wants, and re-enciphers it using the public key Bob originally sent to Alice. When Bob receives the newly enciphered message, he believes it came from Alice.
Alice sends a message to Bob, which is intercepted by Mallory:
Alice → Mallory (intended for Bob): "Hi Bob, it's Alice. Give me your key."
Mallory relays this message to Bob; Bob cannot tell it is not really from Alice:
Mallory → Bob: "Hi Bob, it's Alice. Give me your key."
Bob responds with his encryption key:
Bob → Mallory (intended for Alice): [Bob's key]
Mallory replaces Bob's key with her own, and relays this to Alice, claiming that it is Bob's key:
Mallory → Alice: [Mallory's key]
Alice encrypts a message with what she believes to be Bob's key, thinking that only Bob can read it:
Alice → Mallory (intended for Bob): "Meet me at the bus stop!" [encrypted with Mallory's key]
However, because it was actually encrypted with Mallory's key, Mallory can decrypt it, read it, modify it (if desired), re-encrypt it with Bob's key, and forward it to Bob:
Mallory → Bob: "Meet me at the van down by the river!" [encrypted with Bob's key]
Bob thinks that this message is a secure communication from Alice.
This example <ref>MiTM on RSA public key encryption</ref><ref>How Encryption Works</ref><ref>Public-key cryptography</ref> shows the need for Alice and Bob to have some way to ensure that they are truly using each other's public keys, rather than the public key of an attacker. Otherwise, such attacks are generally possible, in principle, against any message sent using public-key technology. Fortunately, there are a variety of techniques that help defend against MITM attacks.
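The exchange above played out in code, as an added example that is not part of the original article: Mallory relays the messages, swaps Bob's key for her own and rewrites what Alice sends, and a second run shows how comparing the key's fingerprint over a separate channel (the "second channel verification" and hash read-out listed under the defenses) stops the attack before Alice sends anything. The cipher is textbook RSA with fixed Mersenne primes and no padding, a constructed toy chosen so the block runs offline; it is useless as real security.

```python
"""Toy model of the exchange above: Mallory relays Alice's and Bob's messages, swaps Bob's
public key for her own, and reads and alters what Alice sends. The same model shows the
second-channel fingerprint comparison that exposes her. Constructed example: textbook RSA
with fixed Mersenne primes and no padding, fine for illustration and useless for security."""
import hashlib

E = 65537


def mersenne(k):
    """2^k - 1; prime for k in {89, 107, 127, 607, 1279}, which the key pairs below rely on."""
    return (1 << k) - 1


def make_keypair(p, q):
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))      # (public, private); needs Python 3.8+


def encrypt(pub, text):
    n, e = pub
    m = int.from_bytes(text.encode(), "big")
    if m >= n:
        raise ValueError("message too long for this toy key")
    return pow(m, e, n)


def decrypt(priv, c):
    n, d = priv
    m = pow(c, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big").decode()


def fingerprint(pub):
    """Short digest of a public key: the value Bob reads out to Alice over a second channel."""
    n, e = pub
    return hashlib.sha256(f"{n}:{e}".encode()).hexdigest()[:16]


class Mallory:
    """In-path relay that substitutes keys and re-encrypts whatever it reads."""

    def __init__(self):
        self.pub, self.priv = make_keypair(mersenne(107), mersenne(1279))
        self.bob_pub = None
        self.read = []          # plaintexts Mallory has seen

    def relay_key(self, bob_pub):
        self.bob_pub = bob_pub
        return self.pub         # Alice gets Mallory's key, labelled as Bob's

    def relay_ciphertext(self, c):
        plaintext = decrypt(self.priv, c)          # it was encrypted to Mallory's key
        self.read.append(plaintext)
        altered = plaintext.replace("bus stop", "van down by the river")
        return encrypt(self.bob_pub, altered)      # re-encrypted with Bob's real key


def run_exchange(second_channel_check):
    """Play the script once; with the check, Alice compares fingerprints before sending."""
    bob_pub, bob_priv = make_keypair(mersenne(127), mersenne(607))
    mallory = Mallory()
    key_alice_holds = mallory.relay_key(bob_pub)   # Bob's reply passes through Mallory
    if second_channel_check:
        # Bob states his key's fingerprint out of band (voice call, printed card); a
        # mismatch tells Alice that the key she holds is not Bob's, and she stops.
        if fingerprint(key_alice_holds) != fingerprint(bob_pub):
            return {"detected": True, "bob_received": None, "mallory_read": mallory.read}
    c = encrypt(key_alice_holds, "Meet me at the bus stop!")
    bob_received = decrypt(bob_priv, mallory.relay_ciphertext(c))
    return {"detected": False, "bob_received": bob_received, "mallory_read": mallory.read}


if __name__ == "__main__":
    print(run_exchange(second_channel_check=False))
    print(run_exchange(second_channel_check=True))
```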
Defenses against the attack
All cryptographic systems that are secure against MITM attacks require an additional exchange or transmission of information over some kind of secure channel. Many key agreement methods have been developed, with different security requirements for that secure channel. The Interlock Protocol is one attempt to address this.
Various defenses against MITM attacks use authentication techniques that include:
DNSSEC: Secure DNS extensions
Public key infrastructures: Transport Layer Security is an example of implementing public key infrastructure over Transmission Control Protocol. It is used to prevent man-in-the-middle attacks over a secured HTTP connection on the internet. Client and server exchange PKI certificates issued and verified by a common certificate authority.
PKI mutual authentication: The main defense in a PKI scenario is mutual authentication. In this case applications on both client and server mutually validate their certificates, issued by a common root certificate authority. Virtual Private Networks perform mutual authentication before sending data over the created secure tunnel; however, mutual authentication over the internet for HTTP connections is seldom enforced.
Certificate pinning
A recorded media attestment (assuming that the user's identity can be recognized from the recording), which can either be:
A verbal communication of a shared value for each session (as in ZRTP)
An audio/visual communication of the public key hash (which can be easily distributed via PKI)
Stronger mutual authentication, such as:
Secret keys (which are usually high information entropy secrets, and thus more secure), or
Passwords (which are usually low information entropy secrets, and thus less secure)
Latency examination, such as with long cryptographic hash function calculations that take tens of seconds; if both parties normally take 20 seconds, and the calculation takes 60 seconds to reach each party, this can indicate a third party
Second (secure) channel verification
Testing is being carried out on deleting compromised certificates from issuing authorities on the affected computers; compromised certificates are exported to a sandbox area for analysis before removal.
The integrity of public keys must generally be assured in some manner, but need not be secret. Passwords and shared secret keys have the additional secrecy requirement. Public keys can be verified by a certificate authority, whose public key is distributed through a secure channel (for example, with a web browser or OS installation). Public keys can also be verified by a web of trust that distributes public keys through a secure channel (for example by face-to-face meetings).
See key-agreement protocol for a classification of protocols that use various forms of keys and passwords to prevent man-in-the-middle attacks.
Forensic analysis of MITM attacks
Captured network traffic from what is suspected to be a MITM attack can be analyzed to determine whether it really was a MITM attack. Important evidence to analyze when doing network forensics on a suspected TLS MITM attack includes:
IP address of the server
DNS name of the server
X.509 certificate of the server
Is the certificate self signed?
Is the certificate signed by a trusted CA?
Has the certificate been revoked?
Has the certificate been changed recently?
Do other clients, elsewhere on the Internet, also get the same certificate?
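The checklist above applied as code, an added example that is not from the cited source: each evidence point becomes a finding over constructed certificate observations (a client's own record of a connection, its earlier observations, and what unrelated vantage points saw for the same name). Names, addresses, serials and fingerprints are invented, and a recent certificate change is deliberately treated as weak evidence on its own, because legitimate rotation looks the same.

```python
"""Checklist-driven triage of a suspected TLS man-in-the-middle, applying the evidence
points listed above to constructed certificate observations (added example; the values
below are invented, not taken from any real capture)."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class CertObservation:
    """What one client recorded for one TLS connection."""
    server_ip: str
    dns_name: str
    subject: str
    issuer: str
    serial: str
    fingerprint: str      # SHA-256 of the DER certificate as that client saw it
    seen_on: date


# Findings that on their own justify calling the connection a likely MITM.
STRONG = {"self-signed", "issuer not a trusted CA", "certificate revoked",
          "no other vantage point sees this certificate"}


def triage(obs, trusted_cas, revoked_serials, history, other_vantages, recent_days=7):
    """Return (findings, verdict). history: earlier observations by the same client;
    other_vantages: observations of the same name from unrelated networks."""
    findings = []
    if obs.issuer == obs.subject:
        findings.append("self-signed")
    elif obs.issuer not in trusted_cas:
        findings.append("issuer not a trusted CA")
    if obs.serial in revoked_serials:
        findings.append("certificate revoked")
    # A different certificate for the same name within the window means it changed
    # recently. Weak on its own: a legitimate renewal produces exactly this.
    earlier = [h for h in history
               if h.dns_name == obs.dns_name and h.fingerprint != obs.fingerprint]
    if any(obs.seen_on - h.seen_on <= timedelta(days=recent_days) for h in earlier):
        findings.append(f"certificate changed within {recent_days} days")
    same_name = [v for v in other_vantages if v.dns_name == obs.dns_name]
    if same_name and not any(v.fingerprint == obs.fingerprint for v in same_name):
        findings.append("no other vantage point sees this certificate")
    # Also weak: CDNs and anycast answer with different addresses per region.
    if same_name and obs.server_ip not in {v.server_ip for v in same_name}:
        findings.append("server IP differs from other vantage points")
    if STRONG & set(findings):
        verdict = "likely MITM"
    elif findings:
        verdict = "inconclusive: weak indicators only"
    else:
        verdict = "consistent with legitimate TLS"
    return findings, verdict


# Constructed data: RFC 5737 addresses, an example.net name, invented serials/digests.
TRUSTED = {"CN=Example Root CA"}
REVOKED = {"0x1b4f"}
GOOD = CertObservation("203.0.113.10", "mail.example.net", "CN=mail.example.net",
                       "CN=Example Root CA", "0x2a71", "sha256:aaaa0001", date(2014, 5, 2))
VANTAGES = [
    CertObservation("203.0.113.10", "mail.example.net", "CN=mail.example.net",
                    "CN=Example Root CA", "0x2a71", "sha256:aaaa0001", date(2014, 5, 3)),
    CertObservation("203.0.113.10", "mail.example.net", "CN=mail.example.net",
                    "CN=Example Root CA", "0x2a71", "sha256:aaaa0001", date(2014, 5, 3)),
]
# Self-signed certificate for the same name, from a different address, a day later.
SUSPECT = CertObservation("198.51.100.7", "mail.example.net", "CN=mail.example.net",
                          "CN=mail.example.net", "0x0001", "sha256:ffff9999", date(2014, 5, 3))

if __name__ == "__main__":
    print(triage(GOOD, TRUSTED, REVOKED, [], VANTAGES))
    print(triage(SUSPECT, TRUSTED, REVOKED, [GOOD], VANTAGES))
```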
Quantum cryptography
Quantum cryptography protocols typically authenticate part or all of their classical communication with an unconditionally secure authentication scheme, e.g. Wegman-Carter authentication.
Beyond cryptography
A notable non-cryptographic man-in-the-middle attack was perpetrated by a Belkin wireless network router in 2003. Periodically, it would take over an HTTP connection being routed through it: instead of passing the traffic on to its destination, it would itself respond as the intended server. The reply it sent, in place of the web page the user had requested, was an advertisement for another Belkin product. After an outcry from technically literate users, this 'feature' was removed from later versions of the router's firmware.
In 2013, Nokia's Xpress Browser was revealed to be decrypting HTTPS traffic on Nokia's proxy servers, giving the company clear-text access to its customers' encrypted browser traffic. Nokia responded by saying that the content was not stored permanently, and that the company had organizational and technical measures to prevent access to private information.
Implementations
Notable man-in-the-middle attack implementations include the following:
DSniff – the first public implementation of MITM attacks against SSL and SSH
Fiddler2 – HTTP(S) diagnostic tool
NSA impersonation of Google
Opendium Iceni – content-control software, used to perform inspection of HTTPS traffic at the gateway
Subterfuge – a framework to launch multiple MITM attacks
Superfish malware
Websense Content Gateway – used to perform inspection of SSL traffic at the proxy
wsniff – a tool for 802.11 HTTP/HTTPS based MITM attacks
See also
Aspidistra transmitter – a British radio transmitter used for World War II "intrusion" operations, an early man-in-the-middle attack.
Babington Plot – the plot against Elizabeth I of England, where Francis Walsingham intercepted the correspondence.
Boy-in-the-browser – a simpler type of web browser MITM
Computer security – the design of secure computer systems.
Cryptanalysis – the art of deciphering encrypted messages with incomplete knowledge of how they were encrypted.
Digital signature – a cryptographic guarantee of the authenticity of a text, usually the result of a calculation only the author is expected to be able to perform.
Evil Maid Attack – attack used against full disk encryption systems
Interlock protocol – a specific protocol to circumvent a man-in-the-middle attack when the keys may have been compromised.
Key management – how to manage cryptographic keys, including generation, exchange and storage.
Key-agreement protocol – a cryptographic protocol for establishing a key in which both parties can have confidence.
Man-in-the-browser – a type of web browser MITM
Mutual authentication – how communicating parties establish confidence in one another's identities.
Password-authenticated key agreement – a protocol for establishing a key using a password.
Quantum cryptography – the use of quantum mechanics to provide security in cryptography (while older methods rely on one-way functions).
Secure channel – a way of communicating resistant to interception and tampering.
Spoofing attack
Metasploit Project
The Metasploit Project is a computer security project that provides information about security vulnerabilities and aids in penetration testing and IDS signature development.
Its best-known sub-project is the open source Metasploit Framework, a tool for developing and executing exploit code against a remote target machine. Other important sub-projects include the Opcode Database, shellcode archive and related research.
The Metasploit Project is well known for its anti-forensic and evasion tools, some of which are built into the Metasploit Framework.
History
Metasploit was created by H. D. Moore in 2003 as a portable network tool using Perl. By 2007, the Metasploit Framework had been completely rewritten in Ruby. On October 21, 2009, the Metasploit Project announced that it had been acquired by Rapid7, a security company that provides unified vulnerability management solutions.
Like comparable commercial products such as Immunity's Canvas or Core Security Technologies' Core Impact, Metasploit can be used to test the vulnerability of computer systems or to break into remote systems. Like many information security tools, Metasploit can be used for both legitimate and unauthorized activities. Since the acquisition of the Metasploit Framework, Rapid7 has added two open core proprietary editions called Metasploit Express and Metasploit Pro.
Metasploit's emerging position as the de facto exploit development framework led to the release of software vulnerability advisories often accompanied by a third-party Metasploit exploit module that highlights the exploitability, risk and remediation of that particular bug. Metasploit 3.0 began to include fuzzing tools, used to discover software vulnerabilities, rather than just exploits for known bugs. This avenue can be seen with the integration of the lorcon wireless (802.11) toolset into Metasploit 3.0 in November 2006. Metasploit 4.0 was released in August 2011.
Metasploit Framework
The basic steps for exploiting a system using the Framework include:
Choosing and configuring an exploit (code that enters a target system by taking advantage of one of its bugs; about 900 different exploits for Windows, Unix/Linux and Mac OS X systems are included);
Optionally checking whether the intended target system is susceptible to the chosen exploit;
Choosing and configuring a payload (code that will be executed on the target system upon successful entry; for instance, a remote shell or a VNC server);
Choosing the encoding technique so that the intrusion-prevention system (IPS) ignores the encoded payload;
Executing the exploit.
This modular approach – allowing the combination of any exploit with any payload – is the major advantage of the Framework. It facilitates the tasks of attackers, exploit writers and payload writers.
Metasploit runs on Unix (including Linux and Mac OS X) and on Windows. The Metasploit Framework can be extended to use add-ons in multiple languages.
To choose an exploit and payload, some information about the target system is needed, such as operating system version and installed network services. This information can be gleaned with port scanning and OS fingerprinting tools such as Nmap. Vulnerability scanners such as Nexpose or Nessus can detect target system vulnerabilities. Metasploit can import vulnerability scan data and compare the identified vulnerabilities to existing exploit modules for accurate exploitation.
Metasploit interfaces
There are several interfaces for Metasploit available. The most popular are maintained by Rapid7 and Strategic Cyber LLC.
Metasploit Framework Edition
The free version. It contains a command line interface, third-party import, manual exploitation and manual brute forcing.
Metasploit Community Edition
In October 2011, Rapid7 released Metasploit Community Edition, a free, web-based user interface for Metasploit. Metasploit Community is based on the commercial functionality of the paid-for editions with a reduced set of features, including network discovery, module browsing and manual exploitation. Metasploit Community is included in the main installer.
Metasploit Express
In April 2010, Rapid7 released Metasploit Express, an open-core commercial edition for security teams who need to verify vulnerabilities. It offers a graphical user interface, integrates nmap for discovery, and adds smart bruteforcing as well as automated evidence collection.
Metasploit Pro
In October 2010, Rapid7 added Metasploit Pro, an open-core commercial Metasploit edition for penetration testers. Metasploit Pro includes all features of Metasploit Express and adds web application scanning and exploitation, social engineering campaigns and VPN pivoting.
Armitage
Armitage is a graphical cyber attack management tool for the Metasploit Project that visualizes targets and recommends exploits. It is a free and open source network security tool notable for its contributions to red team collaboration, allowing for shared sessions, data, and communication through a single Metasploit instance.
Cobalt Strike
Cobalt Strike is a collection of threat emulation tools provided by Strategic Cyber LLC to work with the Metasploit Framework. Cobalt Strike includes all features of Armitage and adds post-exploitation tools, in addition to report generation features.
Payloads
Metasploit offers many types of payloads, including:
Command shell payloads enable users to run collection scripts or arbitrary commands against the host.
Meterpreter enables users to control the screen of a device using VNC and to browse, upload and download files.
Dynamic payloads enable users to evade anti-virus defenses by generating unique payloads.
Contributors
Metasploit Framework operates as an open-source project and accepts contributions from the community through GitHub.com pull requests. Submissions are reviewed by a team consisting of both Rapid7 employees and senior external contributors. The majority of contributions add new modules, such as exploits or scanners.
Tor Security Guide
This is a Tor security guide for maximum protection.
Contents
1 Homepage
2 Blocking Scripts Globally
2.1 Blocking Embeddings
2.2 Blocking Javascript directly (about:config)
2.3 Blocking HTTP Referrer headers. (about:config) (Optional)
2.4 Plugins/Addons/P2P/Torrents/Webcam Sites
3 Downloading
4 TorChat
5 Tails
6 Shredding history/cache/cookies and other footprints left behind
6.1 Ccleaner (for Reg Users)-https://www.piriform.com/ccleaner
7 Accessing Tor on other devices
8 Using Public/Hacked WiFi
9 Windows 8 is not recommended at all!
10 Media Players
11 TOR Exit Nodes
12 Cookies - How NSA is using Cookies to Track Tor users ?
12.1 How you can avoid Cookie tracking ?
13 Tor2Web
14 VPNs/Proxies services (non-Tor)
15 Spyware/Malware protection (Windows Only)
16 Encryption
17 Bitcoins
18 Image Metadata/EXIF Removal
19 See Also
Homepage
Tho it is plain and boring dont change your homepage from about:tor It will advice you as soon as you open Tor if there is a TBB Update and will keep you ahead of the game. I changed my own homepage before a new TBB was released and didn't find out about the new one until three days later. And from now on i will be keeping my homepage on default about:tor, I advice you do the same and you'll never miss updates.
Blocking Scripts Globally
When you first install Tor Browser bundle, scripts via NoScript are globally allowed. This is very dangerous to your privacy and should be turned OFF. you can right click the no script icon (S icon next to address bar) and select options,in general tab, uncheck the scripts globally allowed tab.
Blocking Embeddings
After you do that, you need to block embedded scripts (which again are allowed by default) click on the S again and go to Options>Embeddings then click all the boxes to forbid Java, Flash, Silverlight, Plugins, <Audio/video>, Iframe, Frame and font-face and click OK
Blocking Javascript directly (about:config)
After you have done this you still need to block JavaScript in firefox incase Noscripts ever fails to protect you, or another exploit comes to light in the future. To block Javascripts in the Tor browser, Type about:config into the address bar, click 'yes you know what you are doing' scroll down (or type in the search box) javascript.enabled and change it to false by double clicking it.
Blocking HTTP Referrer headers. (about:config) (Optional)
Again Tor Project fail to have another security issue off by default. Referrers (for those that dont know) provide information to sites your visiting about what site you came from eg: the full internet address. This should be OFF to protect your privacy. If your not still the "about:config" option repeat what you did to block javascript by typing about:config in the tor browser address bar. Then Look for network.http.sendRefererHeader and double click on it and change the value from 2 to 0. So next time you open up a link, it’ll block the referrer URL to be passed to that website.
Please Note: This is optional, and turning Referrers off may prevent you downloading from some clouds like anonfiles etc.
Plugins/Addons/P2P/Torrents/Webcam Sites
As stated already addons/plugins should be blocked and/or not installed at all. This includes 'DownThemAll' NONE are supported by the TorProject and ALL run the risk of bypassing the Tor Network and accessing the net directly, which runs the risk of leaking your real IP Address. Personally i'd rather slower downloads and no knock on the door by LEA than faster downloads and having my collection taken from me anyways. Also worth mentioning Torrents and all P2P like GigaTribe etc are VERY unsafe and will see you exposing your real IP addresses. LEA head to GigaTribe whenever they want to get easy Convictions (which is daily) so don't be one of them. As for webcam sites people still try to use them to try to get kids to do stuff on cams for them. All these sites these days are strictly monitored (even text only ones). All the cam sites require Javascript/Flash etc to be installed and ON, so you will be revealing your real IP address if you use these sites. Also many people used to use software like ManyCams etc to display a video onto the cam site that the victim could see, and be tricked into thinking it was who they were talking to. All major cam-sites now detect such third-party software and warn the viewer/victim your using third party apps. As said IPs are logged, you cant use tor securely over them, and old trick methods no longer work, so cam-sites are low results and VERY high risk. After P2P, Webcam sites are LEA's second fav place to catch people and get easy convictions.
Downloading
A lot of people keep asking about the download warning in Tor, when you click to download something your given a warning followed by two options, one is to OPEN the file, While the other is to SAVE it. You should NEVER pick the option to 'open', this would expose your real IP address (not Tor IP) to the website. So ALWAYS select Save and you remain hidden. If you go to TorBrowser Options (by clicking on the top left corner of your browser) Then go to Options>Options>Applications tab you can change the settings automatically. This will prevent you from accidentally opening a file in the browser instead of saving it. Since opening files will expose your IP address, you don't want to make that mistake. And change 'Portable Document Format (PDF)' from 'Preview in tor browser' to 'Save File' and click ok. You could also as the warning message says use a VM such as Tails to help protect your downloads even more.
TorChat
TorChat is a free Decentralized anonymous instant messenger, that runs of course via the Tor Network. No need to sign up or give out personal information or registration process. Its currently the ONLY true anon messenger available and allows private chat and sharing. Torchat has not been updated in some time, so its advised to follow the update advice below after first installing Torchat and every time Tor Browser bundle is updated as well.
The only issues with TorChat is you can't block users - This could be an issue is theres an exploit to this that we dont know about, because someone could try to DDoS the connection. It also allows people who know your TorChat ID to see when your online, that is when TorChat is active at your end. So for extra safety don't give out your TorChat ID to anyone and everyone, like displaying it in forum posts etc. And Don't keep TorChat active all the time, this will reduce the chance of someone trying to work out your country etc from the times they can see your Torchat active.
TorChat Download - https://github.com/prof7bit/TorChat
Updating TorChat
Torchat suggests to all windows users to upgrade tor engine inside torchat each time a new tor browser is released following these simply instructions:
1. Close TorChat 2. Download the official Tor Browser Bundle from Tor Project 3. Extract Tor Browser Bundle to: c:\ 4. Copy: C:\Tor Browser\Tor\tor.exe to c:\TorChat\bin\Tor\ 5. Copy: C:\Tor Browser\Tor\libeay32.dll to c:\TorChat\bin\Tor\ 6. Copy: C:\Tor Browser\Tor\libevent-2-0-5.dll to c:\TorChat\bin\Tor\ 7. Copy: C:\Tor Browser\Tor\libssp-0.dll to c:\TorChat\bin\Tor\ 8. Copy: C:\Tor Browser\Tor\ssleay32.dll to c:\TorChat\bin\Tor\ 9. Copy: C:\Tor Browser\Tor\zlib1.dll to c:\TorChat\bin\Tor\ 10. Start TorChat: c:\TorChat\bin\torchat.exe
Tails
Tails is a live operating system, that you can start on almost any computer from a DVD, USB stick, or SD card. It aims at preserving your privacy and anonymity, and helps you to: use the Internet anonymously and circumvent censorship; all connections to the Internet are forced to go through the Tor network; leave no trace on the computer you are using unless you ask it explicitly; use state-of-the-art cryptographic tools to encrypt your files, emails and instant messaging.
Its an extra layer of protection that a lot of people trust and use, to learn more go to https://tails.boum.org/
Shredding history/cache/cookies and other footprints left behind
I personally use Ccleaner to delete and overwrite such files (there are tons of other programs out there tho) its free and covers a lot of software footprints. If you do use it i would recommend going to Options> Settings then clicking on the drop down menu and selecting 'Complex Overwrite (7 passes)' and selecting 'secure file deletion'. And make sure all boxes are ticked on the 'Cleaner' tab on the main program screen. Tick all boxes on the 'Windows' and the 'Applications' Tab. Then hit 'Analyze and Run cleaner. I would recommend using this before connection to tor and after you left Tor, to wipe all cookies etc. I have also been told about a Add-on if you like, for ccleaner this addon adds 100s more applications/cache/history/log files to ccleaners applications list. I would advise caution when using CCEnhancer tho, its NOT supported by the company that makes ccleaner, so its not beta tested like ccleaner is. And its use may lead to bugs or errors with windows. I would suggest if your not an advanced user then just keep using ccleaner on its own. If you're an advanced user then CCEnhancer is great however not all on the new "application list" are even needed, so please read every application and check that its needed before checking its box in ccleaners app list. Some of the logs are simply screen resolution settings etc, and don't need to be removed to protect privacy and would mean having to set your screen resolution etc on every reboot. So read the warnings carefully.
Ccleaner (for Reg Users)-https://www.piriform.com/ccleaner
CCEnhancer (for Advanced Users) - http://singularlabs.com/software/ccenhancer (Put in same folder as cclearner is in, then click the 'download latest' button on CCEnhancer and then check the new application boxes in ccleaner). Credit to TP @ BV4 for CCEnhancer info.
PrivaZer - http://privazer.com/download.php Compatible with: XP, Vista, Win7, Win8/8.1, 32bits & 64bits only.
Accessing Tor on other devices
People keep asking if its safe to access Tor from phones/ipods and Tablets such as ipad, the answer is No.
Yes there is software that allows you to connect to Tor from such devices, however its not full software and has a lot more weaknesses. Not to mention these type of devices have java and other software that can not be turned off, and well as backdoors and regularly send logs and check for app updates etc, again which have no settings to turn them off. Which mean's its highly likely at some point they will expose your real ip address, and even if you don't have the device registered or not registered in your name, they all send back GPS info to the makers servers. This info is (in most countries US/EU) legally kept for two years, so they know where you go, where you live,work or go to school. So ignore the BS developers who say these Tor apps are safe, because they're far from safe.
Using Public/Hacked WiFi
Using someone else's Wifi connection technically is no less safer than using your own (if accessing both over Tor and following the norm security advice). keep in mind i only mean the encrypted data is no less safer on public connection, not the act of doing it. However I wouldn't advice using public or hacked wifi for the following reasons.
1. The connection would still be encrypted from the wifi owner, but they could still work out where you were from from the wifi signal strength. And they could also know that your using Tor (from the packets) as well as how much data you're using. Which could lead to them investigating you more closely. They will also get your MAC address (Physical Address) of your Ethernet adapter (auto logging process when you access someone else's router), which could be used against you in court, if they ever get physical access to your computer.
2. As said public places have the Public, I read 20+ news reports of people using public or hacked wifi in public places as well as outside someones house (who's had their wifi hacked) and been caught red handed by chance mostly. One guy traveled 40 miles to hack someones wifi late at night in his car to download cp, however his screen was spotted by a dog walker who called police and the guy was arrested. You can never be sure who can see your screen, or who may come up to your computer/ look over your shoulder to get a peek or ask a question.
3. Eyes in the sky is also a risk since most public places these days have a lot of security camera's that are hidden and others in plain view. As well as the public with camera on their cellphones etc, so you can never be 100% sure your screen cant be viewed. Or if someone can take a quick photo proving what you've been up to and using it as evidence against you later or even blackmail you.
4. It came out last year that an encryption company ran a test on computer encryption and basically broke what was said to be the worlds strongest encryption. How? By simply using audio devices to LISTEN to the sounds the computers made while someone was inputting their encryption passphase. Tho this would be unlikely to be used often even with the 100% success rate its claimed to have, and probably only used on terrorists under surveillance. However if you use the same public wifi connections often and have raised suspicion in the past, its possible this new technique could be used against you. Which would basically render even full disk encryption useless. This only breaks computer encryption when inputting passwords for it and do not however break any tor encrypted data traveling over the wifi.
5. Another thing people forget about when accessing someones WiFi connection for illegal purposes is Cell Phones. And you can bet LEA will contact all phone companies to order a list of all phones that where on and in that area at the time (If a criminal investigation is started). Even if a person hasn't registered the phone itself the person can still be traced in many ways. The main being they know and log all a phones movements via their phone signals, they can determine where the person is living from those records alone. On top of that the phone company still retains ownership over the SIM card in peoples phones, so if a person has contacts saved on SIM card, the phone company can send that information back to themselves, thus getting peoples home phone numbers, work numbers etc. As well and more than likely being about to trace how the cellphone was topped up, eg where the person brought the credit from and with what method.. So the key point is don't have a cellphone with you if you use other peoples WiFi for illegal purposes, or if you do turn it off before going near the WiFi area. Keep in mind some older phones don't totally turn off when you switch them off, it's been said some older phone basically go into power saving mode and are still on and check for updates etc. So best not to bring them at all or remove the battery instead.
Windows 8 is not recommended at all!
All Windows 8 machines contain a chip called Trusted Platform Module (TPM); this chip is meant to block access to software and hardware which could be harmful to your system or avoid software conflicts (that's the good news). The bad news is it also allows Microsoft FULL access to every Win 8 machine remotely; the chip cannot be turned off in Win 8, nor will a firewall or anti-virus protect your system from Microsoft having full control over your system. Which of course means the NSA and alike can also get access to machines/monitor cams, take screenshots and record users, and undermine other security programs like encryption. The NSA tried making a backdoor chip law years ago, meaning it would be illegal to own a machine without such a backdoor chip; however due to privacy the courts didn't allow this law to pass. And now Windows 8 comes with the chip that does just what the NSA wanted. It's not law that you have to use it, so don't. If you doubt this or think I'm being paranoid have a read of this.
http://rt.com/news/windows-8-nsa-germany-862/
Please Note: If you want to check if your PC has a TPM chip you can hold the Windows button and press R. That should bring up the "Run" console. Then type in "tpm.msc". Now you should have a form which tells you whether or not you have a TPM installed in your PC. Credit to Raykom @ H2TC for info.
Media Players
When playing on topic stuff in your media player its recommended to be offline OR have that program blocked in your firewall from outgoing connections. Media players have a nasty habit of connecting directly to the internet (by passing tor network). They're normally checking for updates, but can also in some cases send back information including Real IP Address, file names, descriptions, and Hash codes of the files themselves. Some offer free built-in subtitle searches, which basically copy to hash code of the file your playing, send it to their server and they scan it for a match to provide subtitles. However Interpol and other agency's offer some large and small companies lists of all hash codes of known cp files to Microsoft and alike, and when they do a subtitle search they could also check the hash code of the file your playing against the known cp hash database as well. Microsoft are already using this Technology to search cloud servers like Skydrive for CP hash matches, This could apply to all media players not just Microsoft's, so its recommended to be offline or block outgoing connections from media player/s you use for topic stuff in firewalls. If you pick to block the media player instead of being offline while viewing topic stuff on it, don't forget to check for updates for the player (since blocking outbound connections will prevent auto updates).
TOR Exit Nodes
All traffic over Tor is encrypted and ISPs can't see what you're doing; however after your requests have been bounced around the different Tor nodes, the last node/computer on the Tor network you're connected to (known as an Exit Node) can see the traffic in plain text. They do NOT see your real IP address; that is still hidden and was replaced with a Tor IP from the first node (given to you on connecting to the Tor network). But the exit node can find out where you have been, what sites you have been looking at, and if you input usernames/passwords they can see them as well. Some exit nodes have no logs; some however are run by companies and people who actively record/log the exit node data. And of course it's known some exit nodes are run by governments around the world. So keep in mind they can see the information you request, however they cannot see your real IP address. So it's advised not to link your Tor identity to your real identity, so NO shopping online or logging into your real email accounts etc. As from there they can see the information and link you to your real identity, or LEA can for example request the account information/IP address of the user who owns that Amazon/eBay/YouTube/Gmail or other account. They can only see this information if the connection was not over https (encrypted), so if there is a second layer of encryption they can't view that information. However it's always my advice to avoid using Tor even over an https connection to access accounts that could possibly be linked back to your real identity.
Update: NSA & GCHQ have broken/cracked SSL encryption used for 'https' connections and can decrypt that data. The information was leaked by Ed Snowden. So again don't mix up personal life with Tor life; even over https/SSL connections it's not safe, and we know this for a fact now.
Cookies - How the NSA is using Cookies to Track Tor users
Let's suppose that there is a famous online shopping website, owned or controlled by the NSA. When a normal user opens that website from his own real IP address, the website creates a cookie on the user's browser and stores the real IP address and other personal information about the user. When the same user visits the same NSA-owned website again, this time with Tor enabled on the same browser, the website will read the last stored cookies from the browser, which include the user's real IP address and other personal information. Further, the website just needs to maintain a database of real IP addresses against the Tor-proxy-enabled fake IP addresses to track anonymous users. The more popular the site is, the more users can be tracked easily. Documents show that the NSA is using online advertisements, i.e. Google Ads, to make their tracking sites popular on the internet.
How you can avoid cookie tracking
One browser can't read the cookies created by another browser (as far as we know at the moment, but this may change in the future, or become public). So don't use Tor on the same browser that you use for regular use with your real IP address. Only use the standard Tor Browser Bundle for anonymous activities. You should always clear the cookies (with CCleaner or alike) after you're done so any stored information, such as login information, will not be stored on that computer. If you're doing something very interesting, you should use Tor on a virtual machine with a live OS so that cookies, cache and other OS data are dumped when the machine is closed.
Tor2Web
Have seen this talked about a few times, so a reminder to people about the risks of this. Tor2Web is basically a clearnet site/service that gives non-Tor users access to Tor hidden services from a normal browser. However just to remind people, this site gives no protection whatsoever to visitors; you're accessing it on clearnet so your ISP can see everything you do (which is legally logged for at least two years). No encrypted connection is given to visitors and the site doesn't even have a privacy policy in place, so you don't even know if they themselves log searches. However they do give the following warning: WARNING: tor2web only protects publishers, not readers. As a reader installing Tor will give you much greater anonymity, confidentiality, and authentication than using tor2web. Using tor2web trades off security for convenience. I suggest following their advice and ONLY access Tor services on Tor/TBB itself, for protection against logs and prying eyes from tracking cookies and ISPs/LEA.
VPNs/Proxies services (non-Tor)
Virtual private network (VPN) services are basically meant to do the same job as Tor but offer faster speeds (normally); their job is to replace your IP address with one of their own and encrypt your connection. The very important difference with VPNs vs Tor is that the VPN knows your real IP address; Tor does not. VPNs are required by law to hand over your information if demanded to do so by the courts. VPN services are also required by law in most countries to log users' data, just like other ISPs are, for currently a minimum of two years. So you see using VPNs for illegal purposes doesn't work as you would think. Some VPNs try to hide the fact that they keep logs by saying 'We hold no content logs'; content logs are basically all the URLs you visited and data you uploaded and downloaded while using the service. LEA don't need 'content logs'; all they need and want is the person's IP address, and IP addresses are logged by law and are not part of the 'content logs' the VPNs refer to. So they will and do mislead paying users; even LulzSec members (hacking group) got busted because they too trusted a VPN called 'HideMyAss'. 'HideMyAss' also claimed to have no logs; after they handed over IP addresses to the UK police, who then handed over the data to the FBI, this VPN admitted it legally still had to keep IP address data. Some will also mislead people by saying they use IP-sharing services, meaning 10-30 customers will be given the same VPN IP address at the same time. And the VPNs that use this claim this will protect the users, because LEA may come to them and say for example this IP address was downloading CP on this date and time. And the VPN can then say well, 20 people were using that same IP address at the same time, so we don't know which one was downloading the CP. However LEA can then simply legally order all logs for those IP addresses on the list that shared that same IP connection.
From there they can then match other CP downloads at different times and see which real IP address keeps coming up on the list of people using the VPN to download CP. So basically it may take LEA a bit longer to work out, but even if the VPN uses shared IP address services the people behind them can still be found out. So Tor is still your best bet for the reasons given; some people may use free VPNs AFTER connecting to Tor, which means the VPN only ever gets your Tor IP address, and since it's free it holds no subscriber info as well. Keep in mind if you use Tor with other proxies/VPNs then your connection speeds will be slower though. NEVER trust VPNs or subscribe to them or connect to them before connecting to Tor. Some VPN services now ask for minimal details or even a fake name, address etc and offer payments via Bitcoins etc. Again this is misleading, since yet again they will and do by law keep your real IP address on record, which is all the LEA normally need or want to locate the person under investigation.
Spyware/Malware protection (Windows Only)
Of course you should have an anti-virus and firewall product installed and updated on your system, but as an extra layer of protection you should always have and use at least one spyware scanner program. I can't recommend software for other operating systems because I don't use them, so I won't recommend something I haven't used. However if you're not using Windows I'd recommend doing a search yourselves and seeing what's out there for your operating system. As said, spyware scanners are an extra layer of protection and often find things that could be a threat to your privacy that an AV product won't. If you're only going to use one I'd say Malwarebytes is currently the best free anti-malware product available for Windows at the moment. Spybot used to be the best years ago and I used to love it; however since they started doing a paid-for version as well as a free one, the free one is more bloated and doesn't offer the same detection rates it used to.
Malwarebytes Anti-Malware - https://www.malwarebytes.org/downloads/ System requirements: Windows 8.1®, Windows 8®, Windows 7®, Windows Vista®, Windows XP® (32-bit, 64-bit)
Spybot - Search & Destroy - http://www.safer-networking.org/mirrors/ Available on Windows 7/8/Vista/XP
Please note: You should use any spyware scanner while Offline, just in case they ever start searching for MD5 child porn matches in the future. Always backup registry before removing suspect files with anti-malware products and send items to Quarantine instead of deleting suspect files. Spyware scanner's do often result in a lot of false positives, so you may need to recover files that may have been ID'ed as Malware by mistake. So always use caution when using products like this, just as you would with registry cleaners and alike. Also if you use keygens or hacking software (port scanners etc) just like AV software spyware/malware scanners will normally flag/give false positives for such software/programs.
Encryption
In this game encryption is a must! I would recommend Truecrypt to encrypt your whole hard disk. Truecrypt doesn't offer full disk encryption for Linux, only containers, in which case Linux users should use Linux Unified Key Setup (LUKS) instead for full encryption. Full hard drive encryption will encrypt all files on your HDD (doh) but that also includes all deleted files as well. If you have deleted files that were not shredded/overwritten before installing Truecrypt then you need to run the 'free space' shredder option. This option will come up during the encryption process when using the program to encrypt your drive for the first time. There are step-by-step instructions on how to use the full disk encryption on the net. Again full disk encryption can be used to encrypt everything including any footprints/history/cache etc (which is good); some people only bother to use encrypted 'containers', which will NOT encrypt logs and other footprints by itself. Personally I use Truecrypt full disk encryption and also have an encrypted container with my topic stuff in it; two layers of encryption is best.
Update: Leaked by Ed Snowden that both NSA & GCHQ have broken 'https' SSL-based encryption used for banking/shopping/clouds/mail sites. It's also possible they have broken TLS-based encryption (used for Tor connections). But if they have broken internet connection encryption it's also possible they're trying to use the same methods to break AES encryption. AES is used with all major encryption packages including Truecrypt; given this information I'd advise anyone who has encrypted their drives with AES-only encryption to change the type of encryption used as a precaution. Truecrypt and alike allow you to use different types of encryption when encrypting drives; at the moment the combo of AES-Twofish-Serpent algorithms is probably the strongest to use. Keep in mind if you do opt for a combo algorithm then it's safer, however the reading/writing of that disk will be slower since it has more work to do by encrypting/decrypting data (which is why most just use AES, because it was strong years ago and fast). Also, even if they could break AES as well as SSL (which has not been confirmed nor mentioned by Snowden), I doubt they would use this crack very often against AES. I'm guessing, like with other things, this would only be used against top level targets like drug lords/other countries' communications or terrorists rather than us, to prevent public knowledge that they could break AES. (Information pre-dated the Heartbleed bug going public by at least 3 months.)
Windows Users Only - Truecrypt's homepage is http://www.truecrypt.org. Download version 7.1a from the TC fork project, since the TC site stopped the project (Do NOT download version 7.2 from the TC site; it's a suspect decryption-only version). 7.1a is at the bottom of this page - http://truecrypt.ch/downloads
Linux Users Only - Linux Unified Key Setup (LUKS) - https://code.google.com/p/cryptsetup Credit to Prince@H2TC
Mac Users only - Currently unavailable; TC doesn't offer full disk encryption to Mac users, only unsafe containers, and LUKS doesn't work on Macs. So without open source full disk encryption software available to Mac users it's unsafe.
Also a side note: there is only one loophole in Truecrypt, and that's that one option is not on by default. This can be manually changed/corrected in seconds. After installing the prog and installing the full disk encryption, click on the Truecrypt icon in the task manager, click on Settings>Preferences, then tick the boxes 'user logs off', 'Screen Saver is launched' and 'Entering Power saving mode' and click OK. This now means that Truecrypt will also encrypt/protect the hibernate file (which could store/leak passwords).
EDIT: The Windows hibernate file can save things in memory like passwords and usernames (even the TrueCrypt password) to the hibernate file in plain text (unencrypted). You can turn the hibernate file off in Windows altogether for extra safety. Press the Windows button then type 'cmd'; cmd should pop up in the programs list, then right click it and select 'Run as Administrator'. Then type 'powercfg /hibernate off'; this should turn the hibernate file off. Credit to TP @ BV4.
Bitcoins
Bitcoins etc are meant to be an anon way to pay for services and are used regularly by people all over Tor for sites/services like Silk Road. Please keep in mind Bitcoins are NOT a truly anon currency and there are indeed ways to track transactions. Bitcoins, like all the e-currencies, have public records that show people what address/account number holds how many bitcoins, and this public record can be followed by LEA etc to the time you pay out the coins into a bank account.
Bitcoins are also regularly targeted by hackers and indeed bitcoin banks themselves have been suspected of just stealing the coins they were meant to be looking after. Bitcoins are not backed by any governments, so they're not insured like normal money is in banks and such. So once stolen, that's it, you lost your money.
There are "services" on Tor that offer to launder your coins for a fee; these services can also just steal your coins or take a cut for their 'service' and give you back the same coins without laundering them at all. So use them at your own risk.
Image Metadata/EXIF Removal
For anyone producing original images or videos one of the post-process jobs you should carry out before uploading/sharing them is to remove metadata. Metadata can include clues that could help LEA in trying to track down people, even to the point it leads them straight to your door. Metadata in images contains the make and camera model, date the image was taken, the software used to edit the images, with videos it can also include the language version or editing software used. And by far the worst is GPS location data, being included in images metadata taken with internet accessing devices such as cellphones. We've seen so many producers spending years being careful what they say and do only for them to share a few images they took on their IPhones that included GPS data. And remember this is not only important to producers, i recently saw a tactic used asking for pedos to post dick pix of their own dicks. Again NEVER forget to remove metadata from images shared even if they're only of body parts of yours or kids. Its a common LEA tactic to ask for dick photos of pedos on Tor, and thats the reason why. They hope you will take an image on a cellphone and will have GPS data embedded within the photo that you share with them, and thus being traced.
There are many programs that will remove metadata just listing one as an example - xnview - xnview.com
As for video recording its harder to remove their more hidden metadata because there is currently no set standard with dealing with video formats metadata. But that data can be very revealing as well and can include language information about the editing software used, as well as the date of creation listed within the data. And if downloaded of places like Youtube etc youtube embed their own unique ID within videos that are uploaded, so that they can be tracked. The only current way i know of to remove video metadata is to convert the videos file format, which wipes the metadata clean.
Virtual private network
A virtual private network (VPN) extends a private network across a public network, such as the Internet. It enables a computer or network-enabled device to send and receive data across shared or public networks as if it were directly connected to the private network, while benefiting from the functionality, security and management policies of the private network. A VPN is created by establishing a virtual point-to-point connection through the use of dedicated connections, virtual tunneling protocols, or traffic encryption. Major implementations of VPNs include OpenVPN and IPsec.
A VPN connection across the Internet is similar to a wide area network (WAN) link between sites. From a user perspective, the extended network resources are accessed in the same way as resources available within the private network. One major limitation of traditional VPNs is that they are point-to-point, and do not tend to support or connect broadcast domains. Therefore, communication, software, and networking which are based on layer 2 and broadcast packets, such as NetBIOS used in Windows networking, may not be fully supported or work exactly as they would on a real LAN. Variants on VPN, such as Virtual Private LAN Service (VPLS), and layer 2 tunneling protocols, are designed to overcome this limitation.
VPNs allow employees to securely access their company's intranet while traveling outside the office. Similarly, VPNs securely connect geographically separated offices of an organization, creating one cohesive network. VPN technology is also used by individual Internet users to secure their wireless transactions, to circumvent geo restrictions and censorship, and to connect to proxy servers for the purpose of protecting personal identity and location.
Type
Early data networks allowed VPN-style remote connectivity through dial-up modems or through leased line connections utilizing Frame Relay and Asynchronous Transfer Mode (ATM) virtual circuits, provisioned through a network owned and operated by telecommunication carriers. These networks are not considered true VPNs because they passively secure the data being transmitted by the creation of logical data streams.<ref>Cisco Systems et al. Internetworking Technologies Handbook, Third Edition. Cisco Press, 2000, p. 232.</ref> They have been replaced by VPNs based on IP and IP/Multiprotocol Label Switching (MPLS) networks, due to significant cost reductions and increased bandwidth<ref>Lewis, Mark. Comparing, Designing, and Deploying VPNs. Cisco Press, 2006, p. 5.</ref> provided by new technologies such as Digital Subscriber Line (DSL)<ref>International Engineering Consortium. Digital Subscriber Line 2001. Intl. Engineering Consortium, 2001, p. 40.</ref> and fiber-optic networks.
VPNs can be either remote-access (connecting a computer to a network) or site-to-site (connecting two networks). In a corporate setting, remote-access VPNs allow employees to access their company's intranet from home or while traveling outside the office, and site-to-site VPNs allow employees in geographically disparate offices to share one cohesive virtual network. A VPN can also be used to interconnect two similar networks over a dissimilar middle network; for example, two IPv6 networks over an IPv4 network.
VPN systems may be classified by:
the protocols used to tunnel the traffic.
the tunnel's termination point location, e.g., on the customer edge or network-provider edge.
whether they offer site-to-site or network-to-network connectivity.
the levels of security provided.
the OSI layer they present to the connecting network, such as Layer 2 circuits or Layer 3 network connectivity.
Security mechanisms
To prevent disclosure of private information, VPNs typically allow only authenticated remote access and make use of encryption techniques.
VPNs provide security by the use of tunneling protocols and through security procedures such as encryption. The VPN security model provides:
confidentiality such that even if the network traffic is sniffed at the packet level (see network sniffer and Deep packet inspection), an attacker would only see encrypted data
sender authentication to prevent unauthorized users from accessing the VPN.
message integrity to detect any instances of tampering with transmitted messages.
Secure VPN protocols include the following:
Internet Protocol Security (IPsec) as initially developed by the Internet Engineering Task Force (IETF) for IPv6, which was required in all standards-compliant implementations of IPv6 before RFC 6434 made it only a recommendation.<ref name=rfc6434>RFC 6434, "IPv6 Node Requirements", E. Jankiewicz, J. Loughney, T. Narten (December 2011)</ref> This standards-based security protocol is also widely used with IPv4 and the Layer 2 Tunneling Protocol. Its design meets most security goals: authentication, integrity, and confidentiality. IPsec uses encryption, encapsulating an IP packet inside an IPsec packet. De-encapsulation happens at the end of the tunnel, where the original IP packet is decrypted and forwarded to its intended destination.
Transport Layer Security (SSL/TLS) can tunnel an entire network's traffic (as it does in the OpenVPN project and SoftEther VPN project<ref>SoftEther VPN: Using HTTPS Protocol to Establish VPN Tunnels</ref>) or secure an individual connection. A number of vendors provide remote-access VPN capabilities through SSL. An SSL VPN can connect from locations where IPsec runs into trouble with Network Address Translation and firewall rules.
Datagram Transport Layer Security (DTLS) - used in Cisco AnyConnect VPN and in OpenConnect VPN to solve the issues SSL/TLS has with tunneling over UDP.
Microsoft Point-to-Point Encryption (MPPE) works with the Point-to-Point Tunneling Protocol and in several compatible implementations on other platforms.
Microsoft Secure Socket Tunneling Protocol (SSTP) tunnels Point-to-Point Protocol (PPP) or Layer 2 Tunneling Protocol traffic through an SSL 3.0 channel. (SSTP was introduced in Windows Server 2008 and in Windows Vista Service Pack 1.)
Multi Path Virtual Private Network (MPVPN). Ragula Systems Development Company owns the registered trademark "MPVPN".<ref>Trademark Applications and Registrations Retrieval (TARR)</ref>
Secure Shell (SSH) VPN - OpenSSH offers VPN tunneling (distinct from port forwarding) to secure remote connections to a network or to inter-network links. OpenSSH server provides a limited number of concurrent tunnels. The VPN feature itself does not support personal authentication.<ref>OpenBSD ssh manual page, VPN section</ref><ref>Unix Toolbox section on SSH VPN</ref><ref>Ubuntu SSH VPN how-to</ref>
Authentication
Tunnel endpoints must be authenticated before secure VPN tunnels can be established. User-created remote-access VPNs may use passwords, biometrics, two-factor authentication or other cryptographic methods. Network-to-network tunnels often use passwords or digital certificates. They permanently store the key to allow the tunnel to establish automatically, without intervention from the user.
Routing
Tunneling protocols can operate in a point-to-point network topology that would theoretically not be considered a VPN, because a VPN by definition is expected to support arbitrary and changing sets of network nodes. But since most router implementations support a software-defined tunnel interface, customer-provisioned VPNs often are simply defined tunnels running conventional routing protocols.
Provider-provisioned VPN building-blocks
Depending on whether a provider-provisioned VPN (PPVPN) operates in layer 2 or layer 3, the building blocks described below may be L2 only, L3 only, or combine them both. Multiprotocol label switching (MPLS) functionality blurs the L2-L3 identity.
RFC 4026 generalized the following terms to cover L2 and L3 VPNs, but they were introduced in RFC 2547. More information on the devices below can also be found in Lewis, Cisco Press.
Customer (C) devices
A device that is within a customer's network and not directly connected to the service provider's network. C devices are not aware of the VPN.
Customer Edge device (CE)
A device at the edge of the customer's network which provides access to the PPVPN. Sometimes it's just a demarcation point between provider and customer responsibility. Other providers allow customers to configure it.
Provider edge device (PE)
A PE is a device, or set of devices, at the edge of the provider network which connects to customer networks through CE devices and presents the provider's view of the customer site. PEs are aware of the VPNs that connect through them, and maintain VPN state.
Provider device (P)
A P device operates inside the provider's core network and does not directly interface to any customer endpoint. It might, for example, provide routing for many provider-operated tunnels that belong to different customers' PPVPNs. While the P device is a key part of implementing PPVPNs, it is not itself VPN-aware and does not maintain VPN state. Its principal role is allowing the service provider to scale its PPVPN offerings, for example, by acting as an aggregation point for multiple PEs. P-to-P connections, in such a role, often are high-capacity optical links between major locations of providers.
User-visible PPVPN service
This section deals with the types of VPN considered in the IETF.
OSI Layer 2 services
Virtual LAN
A Layer 2 technique that allows for the coexistence of multiple LAN broadcast domains, interconnected via trunks using the IEEE 802.1Q trunking protocol. Other trunking protocols have been used but have become obsolete, including Inter-Switch Link (ISL), IEEE 802.10 (originally a security protocol but a subset was introduced for trunking), and ATM LAN Emulation (LANE).
Virtual private LAN service (VPLS)
Developed by IEEE, VLANs allow multiple tagged LANs to share common trunking. VLANs frequently comprise only customer-owned facilities. Whereas VPLS as described in the above section (OSI Layer 1 services) supports emulation of both point-to-point and point-to-multipoint topologies, the method discussed here extends Layer 2 technologies such as 802.1d and 802.1q LAN trunking to run over transports such as Metro Ethernet.
As used in this context, a VPLS is a Layer 2 PPVPN, rather than a private line, emulating the full functionality of a traditional local area network (LAN). From a user standpoint, a VPLS makes it possible to interconnect several LAN segments over a packet-switched, or optical, provider core; a core transparent to the user, making the remote LAN segments behave as one single LAN.<ref name="xeps-dnock">Template:Citation</ref>
In a VPLS, the provider network emulates a learning bridge, which optionally may include VLAN service.
Pseudo wire (PW)
PW is similar to VPWS, but it can provide different L2 protocols at both ends. Typically, its interface is a WAN protocol such as Asynchronous Transfer Mode or Frame Relay. In contrast, when aiming to provide the appearance of a LAN contiguous between two or more locations, the Virtual Private LAN service or IPLS would be appropriate.
Ethernet over IP tunneling
EtherIP (RFC 3378) is an Ethernet over IP tunneling protocol specification. EtherIP has only a packet encapsulation mechanism: it provides neither confidentiality nor message integrity protection, so it should be carried inside IPsec or another encrypted tunnel whenever the transport network is not trusted. EtherIP was introduced in the FreeBSD network stack<ref>Glyn M Burton: RFC 3378 EtherIP with FreeBSD, 03 February 2011</ref> and in the SoftEther VPN<ref name="net-security.org">net-security.org news: Multi-protocol SoftEther VPN becomes open source, January 2014</ref> server program.
IP-only LAN-like service (IPLS)
A subset of VPLS in which the CE devices must have Layer 3 capabilities; the IPLS presents packets rather than frames. It may support IPv4 or IPv6.
OSI Layer 3 PPVPN architectures
This section discusses the main architectures for PPVPNs, one where the PE disambiguates duplicate addresses in a single routing instance, and the other, virtual router, in which the PE contains a virtual router instance per VPN. The former approach, and its variants, have gained the most attention.
One of the challenges of PPVPNs involves different customers using the same address space, especially the IPv4 private address space.<ref>Address Allocation for Private Internets, RFC 1918, Y. Rekhter et al.,February 1996</ref> The provider must be able to disambiguate overlapping addresses in the multiple customers' PPVPNs.
BGP/MPLS PPVPN
In the method defined by RFC 2547 (since obsoleted by RFC 4364, which keeps the same scheme), BGP extensions advertise routes in the VPN-IPv4 address family. Each such address is a 12-byte string beginning with an 8-byte Route Distinguisher (RD) and ending with a 4-byte IPv4 address. RDs make otherwise duplicate customer addresses unique on the same PE; they do not by themselves decide which VPN a route is imported into, which is the job of route target extended communities.
PEs understand the topology of each VPN, which are interconnected with MPLS tunnels, either directly or via P routers. In MPLS terminology, the P routers are Label Switch Routers without awareness of VPNs.
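The following is an added example, not code from the page or from any router vendor. It encodes the three RD types and the 12-byte VPN-IPv4 address described above, then keeps a per-PE table keyed on that address so that two customers advertising the same RFC 1918 prefix coexist. It models only the address format and lookup, not BGP itself; the MPLS label and prefix length that travel in the real NLRI are omitted, and the RD strings, next-hop names and prefixes are made up for the demonstration.

```python
"""VPN-IPv4 addresses (RFC 2547 / RFC 4364): 8-byte Route Distinguisher + 4-byte IPv4.

Added example, not code from the page. Models the address format and a per-PE
table only; BGP, MPLS labels and route targets are out of scope here."""
import ipaddress
import struct


def route_distinguisher(text: str) -> bytes:
    """Encode an RD written as administrator:number into its 8-byte wire form.
    Type 0: 2-byte ASN + 4-byte number; type 1: IPv4 + 2-byte number;
    type 2: 4-byte ASN + 2-byte number."""
    admin, num = text.rsplit(":", 1)
    num = int(num)
    if "." in admin:
        return struct.pack("!H4sH", 1, ipaddress.IPv4Address(admin).packed, num)
    asn = int(admin)
    if asn <= 0xFFFF:
        return struct.pack("!HHI", 0, asn, num)
    return struct.pack("!HIH", 2, asn, num)


def decode_rd(rd: bytes) -> str:
    """Inverse of route_distinguisher."""
    rd_type = struct.unpack("!H", rd[:2])[0]
    if rd_type == 0:
        asn, num = struct.unpack("!HI", rd[2:])
        return f"{asn}:{num}"
    if rd_type == 1:
        ip, num = struct.unpack("!4sH", rd[2:])
        return f"{ipaddress.IPv4Address(ip)}:{num}"
    if rd_type == 2:
        asn, num = struct.unpack("!IH", rd[2:])
        return f"{asn}:{num}"
    raise ValueError(f"unknown RD type {rd_type}")


def vpn_ipv4(rd: str, prefix: str) -> bytes:
    """12-byte VPN-IPv4 address for a customer prefix."""
    net = ipaddress.IPv4Network(prefix, strict=False)
    return route_distinguisher(rd) + net.network_address.packed


class PeTable:
    """Routes held by a PE, keyed by VPN-IPv4 address, so that 10.0.0.0/8 from
    two different customers are two entries rather than a collision."""

    def __init__(self):
        self.routes = {}  # VPN-IPv4 address -> (prefix length, next hop)

    def advertise(self, rd: str, prefix: str, next_hop: str) -> None:
        net = ipaddress.IPv4Network(prefix, strict=False)
        self.routes[vpn_ipv4(rd, prefix)] = (net.prefixlen, next_hop)

    def lookup(self, rd: str, dst: str):
        """Longest-prefix match restricted to routes carrying this customer's RD."""
        rd_bytes = route_distinguisher(rd)
        dst_ip = ipaddress.IPv4Address(dst)
        best = None
        for key, (plen, next_hop) in self.routes.items():
            if key[:8] != rd_bytes:          # a different customer's route: ignore
                continue
            net = ipaddress.IPv4Network((int.from_bytes(key[8:], "big"), plen))
            if dst_ip in net and (best is None or plen > best[0]):
                best = (plen, next_hop)
        return best[1] if best else None


def demo() -> dict:
    """Two customers with the same private prefix; customer A also has a more
    specific route. RDs, prefixes and next-hop names are constructed."""
    pe = PeTable()
    pe.advertise("65000:1", "10.0.0.0/8", "PE-east")     # customer A (type 0 RD)
    pe.advertise("65000:1", "10.1.0.0/16", "PE-west")    # customer A, more specific
    pe.advertise("65000:2", "10.0.0.0/8", "PE-south")    # customer B, same prefix
    return {
        "A_10.1.2.3": pe.lookup("65000:1", "10.1.2.3"),
        "A_10.9.0.1": pe.lookup("65000:1", "10.9.0.1"),
        "B_10.1.2.3": pe.lookup("65000:2", "10.1.2.3"),
        "B_unknown": pe.lookup("65000:2", "172.16.0.1"),
        "distinct_keys": vpn_ipv4("65000:1", "10.0.0.0/8") != vpn_ipv4("65000:2", "10.0.0.0/8"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The point to take from the lookup is that isolation between customers rests entirely on the RD prefix of the key; a PE that accepted a route with the wrong RD, or that imported it into the wrong VRF through a misconfigured route target, would leak one customer's traffic to another.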
Virtual router PPVPN
The Virtual Router architecture,<ref>RFC 2917, A Core MPLS IP VPN Architecture</ref><ref>RFC 2918, E. Chen (September 2000)</ref> as opposed to BGP/MPLS techniques, requires no modification to existing routing protocols such as BGP. By provisioning logically independent routing domains, the customer operating a VPN is made completely responsible for its address space. In the various MPLS tunnels, the different PPVPNs are disambiguated by their label, so route distinguishers are not needed.
Unencrypted tunnels
Some virtual networks do not use encryption to protect the privacy of data. While VPNs often provide security, an unencrypted overlay network does not neatly fit within the secure or trusted categorization. For example, a tunnel set up between two hosts with Generic Routing Encapsulation (GRE) is a virtual private network, but neither secure nor trusted: anyone on the path can read the inner traffic, and GRE's optional checksum is not keyed, so it detects corruption but not deliberate modification.
Native plaintext tunneling protocols include Layer 2 Tunneling Protocol (L2TP) when it is set up without IPsec, and Point-to-Point Tunneling Protocol (PPTP). PPTP's optional Microsoft Point-to-Point Encryption (MPPE) derives its RC4 keys from the MS-CHAP authentication exchange and is considered broken, so PPTP should not be relied on for confidentiality either.
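The following is an added example, not code from the page or from any tunnel implementation. It builds and decodes the two plaintext encapsulations discussed in this article, EtherIP (RFC 3378) and GRE (RFC 2784), carrying an 802.1Q-tagged Ethernet frame, and then shows why "neither secure nor trusted" matters in practice: an on-path party can read the inner request, and after altering it can recompute GRE's unkeyed checksum so that the packet still verifies. The packets, addresses and the HTTP request inside them are constructed for the example; the inner TCP header is omitted to keep the sample short.

```python
"""Decode unencrypted tunnels (802.1Q frame inside EtherIP or GRE) and show
that the inner traffic is readable and, for GRE, alterable without detection.

Added example, not code from the page; all packets are constructed inline."""
import struct

IPPROTO_GRE, IPPROTO_ETHERIP = 47, 97
ETHERTYPE_IPV4, ETHERTYPE_VLAN, ETHERTYPE_TEB = 0x0800, 0x8100, 0x6558


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; yields 0 over data whose checksum field is correct."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 header (no options) with a valid header checksum."""
    def packed(a):
        return bytes(int(x) for x in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000,
                      64, proto, 0, packed(src), packed(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:] + payload


def ethernet(dst: bytes, src: bytes, ethertype: int, payload: bytes, vlan=None) -> bytes:
    """Ethernet II frame, optionally with an IEEE 802.1Q tag (PCP 0, DEI 0, 12-bit VID)."""
    tag = struct.pack("!HH", ETHERTYPE_VLAN, vlan & 0x0FFF) if vlan is not None else b""
    return dst + src + tag + struct.pack("!H", ethertype) + payload


def gre(ethertype: int, payload: bytes) -> bytes:
    """RFC 2784 GRE header with the C bit set; the checksum is unkeyed."""
    hdr = struct.pack("!HHHH", 0x8000, ethertype, 0, 0)
    csum = inet_checksum(hdr + payload)
    return hdr[:4] + struct.pack("!HH", csum, 0) + payload


def etherip(frame: bytes) -> bytes:
    """RFC 3378 EtherIP header: version 3 in the top four bits, 12 reserved zero bits."""
    return struct.pack("!H", 3 << 12) + frame


def decode(packet: bytes) -> dict:
    """Walk outer IPv4 -> GRE or EtherIP -> Ethernet (+802.1Q) -> inner IPv4 payload."""
    ihl = (packet[0] & 0x0F) * 4
    proto, body = packet[9], packet[ihl:]
    info = {"outer_proto": proto, "vlan": None, "gre_checksum_ok": None}
    if proto == IPPROTO_GRE:
        flags, etype = struct.unpack("!HH", body[:4])
        off = 4
        if flags & 0x8000:                       # C bit: checksum + reserved1 follow
            info["gre_checksum_ok"] = inet_checksum(body) == 0
            off += 4
        off += 4 if flags & 0x2000 else 0       # K bit (RFC 2890 key)
        off += 4 if flags & 0x1000 else 0       # S bit (RFC 2890 sequence number)
        if etype != ETHERTYPE_TEB:
            raise ValueError("example only decodes transparent Ethernet bridging")
        frame = body[off:]
    elif proto == IPPROTO_ETHERIP:
        if body[0] >> 4 != 3:
            raise ValueError("bad EtherIP version")
        frame = body[2:]
    else:
        raise ValueError("not a GRE or EtherIP packet")
    etype = struct.unpack("!H", frame[12:14])[0]
    off = 14
    if etype == ETHERTYPE_VLAN:                  # 802.1Q tag sits before the real ethertype
        info["vlan"] = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
        etype = struct.unpack("!H", frame[16:18])[0]
        off = 18
    info["inner_ethertype"] = etype
    inner = frame[off:]
    if etype == ETHERTYPE_IPV4:                  # strip inner IP header to expose the payload
        inner = inner[(inner[0] & 0x0F) * 4:]
    info["inner"] = inner
    return info


def tamper(gre_packet: bytes, old: bytes, new: bytes) -> bytes:
    """Rewrite equal-length bytes of the inner payload and fix the unkeyed GRE checksum;
    nothing in the tunnel distinguishes the result from a legitimate packet."""
    assert len(old) == len(new), "equal lengths keep the outer IP total length valid"
    ihl = (gre_packet[0] & 0x0F) * 4
    body = bytearray(gre_packet[ihl:].replace(old, new))
    if body[0] & 0x80:
        body[4:6] = b"\x00\x00"
        body[4:6] = struct.pack("!H", inet_checksum(bytes(body)))
    return gre_packet[:ihl] + bytes(body)


def build_samples():
    """Constructed sample: one plaintext HTTP request over both tunnel types."""
    secret = b"GET /login?user=alice&pass=hunter2 HTTP/1.1\r\n"
    inner_ip = ipv4("10.1.0.5", "10.2.0.9", 6, secret)   # TCP header omitted for brevity
    frame = ethernet(b"\x00\x11\x22\x33\x44\x55", b"\x66\x77\x88\x99\xaa\xbb",
                     ETHERTYPE_IPV4, inner_ip, vlan=42)
    gre_pkt = ipv4("192.0.2.1", "198.51.100.7", IPPROTO_GRE, gre(ETHERTYPE_TEB, frame))
    etherip_pkt = ipv4("192.0.2.1", "198.51.100.7", IPPROTO_ETHERIP, etherip(frame))
    return secret, gre_pkt, etherip_pkt


if __name__ == "__main__":
    secret, gre_pkt, etherip_pkt = build_samples()
    print("GRE", decode(gre_pkt))
    print("EtherIP", decode(etherip_pkt))
    print("tampered", decode(tamper(gre_pkt, b"alice", b"mallo")))
```

Run it and both decodes print the credentials in the clear, and the tampered GRE packet still reports a good checksum. The same decoder applied to an IPsec ESP packet would stop at the outer header, which is the whole difference between a trusted-or-secure VPN and a mere overlay.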
Trusted delivery networks
Trusted VPNs do not use cryptographic tunneling, and instead rely on the security of a single provider's network to protect the traffic.<ref>Template:Cite book </ref>
Multi-Protocol Label Switching (MPLS) is often used to carry VPNs, frequently with quality-of-service control, over a trusted delivery network.
Layer 2 Tunneling Protocol (L2TP)<ref>Layer Two Tunneling Protocol "L2TP", RFC 2661, W. Townsley et al., August 1999</ref> is a standards-based replacement for, and a compromise taking the good features from, two proprietary VPN protocols: Cisco's Layer 2 Forwarding (L2F)<ref>IP Based Virtual Private Networks, RFC 2341, A. Valencia et al., May 1998</ref> (now obsolete) and Microsoft's Point-to-Point Tunneling Protocol (PPTP).<ref>Point-to-Point Tunneling Protocol (PPTP), RFC 2637, K. Hamzeh et al., July 1999</ref> L2TP provides no confidentiality of its own; in practice it is run inside IPsec (L2TP/IPsec).
From the security standpoint, VPNs either trust the underlying delivery network, or must enforce security with mechanisms in the VPN itself. Unless the trusted delivery network runs among physically secure sites only, both trusted and secure models need an authentication mechanism for users to gain access to the VPN.
VPNs in mobile environments
Mobile VPNs are used in settings where an endpoint of the VPN is not fixed to a single IP address, but instead roams across various networks such as data networks from cellular carriers or between multiple Wi-Fi access points.<ref name="Phifer">Phifer, Lisa. "Mobile VPN: Closing the Gap", SearchMobileComputing.com, July 16, 2006. </ref> Mobile VPNs have been widely used in public safety, where they give law enforcement officers access to mission-critical applications, such as computer-assisted dispatch and criminal databases, while they travel between different subnets of a mobile network.<ref>Willett, Andy. "Solving the Computing Challenges of Mobile Officers", www.officer.com, May, 2006. </ref> They are also used in field service management and by healthcare organizations,<ref name="Cheng">Cheng, Roger. "Lost Connections", The Wall Street Journal, December 11, 2007. </ref> among other industries.
Increasingly, mobile VPNs are being adopted by mobile professionals who need reliable connections.<ref name="Cheng"/> They are used for roaming seamlessly across networks and in and out of wireless coverage areas without losing application sessions or dropping the secure VPN session. A conventional VPN cannot survive such events because the network tunnel is disrupted, causing applications to disconnect, time out,<ref name="Phifer"/> or fail, or even cause the computing device itself to crash.<ref name="Cheng"/>
Instead of tying the endpoint of the network tunnel to the physical IP address, each tunnel is bound to a permanently associated IP address at the device. The mobile VPN software handles the necessary network authentication and maintains the network sessions in a manner transparent to the application and the user.<ref name="Phifer"/> The Host Identity Protocol (HIP), standardized by the IETF (HIPv2, RFC 7401), supports host mobility by separating the role of IP addresses as host identifiers from their role as locators in an IP network. With HIP a mobile host maintains its logical connections, established via the host identity identifier, while associating with different IP addresses as it roams between access networks.
VPN on Routers
With the increasing use of VPNs, VPN clients are often deployed on routers so that every device behind the router sends its traffic through the encrypted tunnel while it is enabled. Running the VPN on the router also covers devices that have no native VPN client, such as smart TVs and gaming consoles, and can reduce cost and simplify scaling.
Router manufacturers such as Linksys (Cisco), Asus and Netgear ship routers with built-in VPN clients. Because stock firmware often does not support every major VPN protocol (OpenVPN in particular), many users flash their routers with alternative open source firmware such as DD-WRT, OpenWrt and Tomato, which support multiple VPN protocols including PPTP and OpenVPN. Of these, PPTP should be avoided; its authentication and encryption are considered broken.
Limitations:
Not every router is compatible with open source firmware; support depends on the built-in flash memory and processor. DD-WRT, for example, requires at least 2 MiB of flash and a supported chipset (originally Broadcom). Setting up VPN services on a router requires some knowledge of network security and careful installation: a minor misconfiguration, such as LAN clients that can still reach the Internet directly when the tunnel drops, can leave the network exposed. Performance will vary depending on the ISP and its reliability.<ref>Template:Cite web</ref>
Networking limitations
One major limitation of traditional VPNs is that they are point-to-point and do not generally extend a broadcast domain. Software and protocols that rely on Layer 2 or broadcast packets, such as NetBIOS in Windows networking, may therefore not be fully supported or work exactly as they would on a real LAN. Variants such as Virtual Private LAN Service (VPLS) and Layer 2 tunneling protocols are designed to overcome this limitation.
Virtual private server
A virtual private server (VPS) is a virtual machine sold as a service by an Internet hosting service.
A VPS runs its own copy of an operating system, and customers have superuser-level access to that operating system instance, so they can install almost any software that runs on that OS. For many purposes they are functionally equivalent to a dedicated physical server, and being software-defined, are able to be much more easily created and configured. They are priced much lower than an equivalent physical server, but as they share the underlying physical hardware with other VPSs, performance may be lower, and may depend on the workload of other instances on the same hardware node.
Contents
1 Virtualization
2 Hosting
3 Cloud servers
4 See also
5 References
Virtualization
The force driving server virtualization is similar to that which led to the development of time-sharing and multiprogramming in the past. Although the resources are still shared, as under the time-sharing model, virtualization provides a higher level of isolation, dependent on the type of virtualization used: the individual virtual servers are mostly isolated from each other and may run their own full-fledged operating system, which can be independently rebooted as a virtual instance. The strength of that isolation differs between hypervisor-based virtualization, where each guest runs its own kernel, and container-based virtualization, where guests share the host kernel and a kernel vulnerability affects every tenant on the node.
Partitioning a single server to appear as multiple servers has been increasingly common on microcomputers since the launch of VMware ESX Server in 2001. The physical server typically runs a hypervisor which is tasked with creating, releasing, and managing the resources of "guest" operating systems, or virtual machines. These guest operating systems are allocated a share of resources of the physical server, typically in a manner in which the guest is not aware of any other physical resources save for those allocated to it by the hypervisor. As a VPS runs its own copy of its operating system, customers have superuser-level access to that operating system instance, and can install almost any software that runs on the OS, however due to the number of virtualization clients typically running on a single machine, a VPS generally has limited processor time, RAM, and disk space.<ref>Template:Cite web</ref>
Although VMware and Hyper-V dominate in-house corporate virtualization, because of their cost and limitations they are less common among VPS providers, which instead typically use products such as OpenVZ and Virtuozzo (container-based, sharing the host kernel) or Xen and KVM (hypervisor-based).
Hosting
Many companies offer virtual private server hosting or virtual dedicated server hosting as an extension for web hosting services. There are several challenges to consider when licensing proprietary software in multi-tenant virtual environments.
With unmanaged or self-managed hosting, the customer is left to administer their own server instance, including patching and hardening it.
Unmetered hosting is generally offered with no limit on the amount of data transferred on a fixed-bandwidth line, usually<ref>Template:Cite web</ref> 10 Mbit/s, 100 Mbit/s or 1000 Mbit/s (some as high as 10 Gbit/s). In theory the customer can therefore move about 3.3 TB per month on 10 Mbit/s, 33 TB on 100 Mbit/s and 330 TB on a 1000 Mbit/s line (in practice significantly less). On a virtual private server this bandwidth is shared, which normally implies a fair usage policy. "Unlimited" hosting is also commonly marketed but is in practice bounded by acceptable usage policies and terms of service; offers of unlimited disk space and bandwidth cannot literally be true given cost, carrier capacity and technological limits.
Cloud servers
A VPS which is dynamic (that is, it can be changed at runtime) is often referred to as a cloud server. Key attributes for this are:<ref name="really">Template:Cite web</ref>
Additional hardware resources can be added at runtime (CPU, RAM)
Server can be moved to other hardware while the server is running (automatically according to load in some cases)
Web related leakage
Your web browser leaks a large amount of information about you. For example, even after you conceal your IP address by routing through Tor, a site can still use a Java applet to obtain your real source IP and hostname, and that is only the beginning. BrowserSpy is a useful test utility for seeing the different kinds of information a site can obtain from your browser; most of them can be handled by the Firefox extension NoScript. You are encouraged to test your browser there in addition to reading the following material. (This guide describes hardening an ordinary Firefox by hand; the Tor Project's Tor Browser bundles most of these mitigations and is the safer starting point.)
Contents
1 Cookies
2 Browser User Agent And Capability Info
3 Referrer Url
4 Browser History
5 Web bugs
6 Desktop and Web Browser Extensions
Cookies
Cookies can be used to track your web usage across even a Tor session, where each connection originates from a different IP. This can be both a blessing and a curse. A blessing because if you are actually logged in, you usually won't have to keep doing so. But a curse in that if someone then obtains your computer, they can use the cookie values to prove you were at a given website at a given time. They are also extremely dangerous if you have a tendency to turn off Tor or your proxy config from time to time, and then wander back to a site that has a unique ID for you.
In particular, sites with ad banners can catch you off guard, since a small ad banner often carries a piece of JavaScript you do not notice. If the banner sets a cookie, the ad network can easily correlate your Tor traffic with your non-Tor traffic. For sites like these, the best thing you can do is to allow cookies from the originating website only, in your web browser's preferences window.
There also are a few Firefox extensions you can use to mitigate an arbitrary site's ability to track you via cookies. The first, Cookie Culler provides a toolbar button that allows you to purge all but selected "protected" cookies, and also provides you with the option of blocking cookies you have deleted before. Add N' Edit Cookies will allow you to search for cookies by site, modify, remove, and add them. Also useful is CookieButton, which is a handy toolbar option that allows you do access control and clear cookies for a given site right off of the toolbar. You can permanently disable cookies for entire domains, such as doubleclick.net or google.com.
Browser User Agent And Capability Info
Sometimes a very unique User Agent string (for example "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0 RealMedia 1.1.3") can be a giveaway: how many people have that Gecko build date combined with that RealMedia version, on Linux? The solution is the User Agent Switcher extension, which lets you set your user agent to whatever you wish (pick something common to avoid fragmenting your anonymity set). Be sure to check the "Reset User Agent When Browser Closes" option, or bad things will happen. Even so, you may find yourself stuck with a browser that does not want to start, in which case you may have to edit prefs.js by hand and remove all the lines that contain "agent". It has been a while since this has happened to me, so perhaps the edge cases where it can exit with the wrong agent set have finally been fixed.
As mentioned above, another possibility is a malicious site can use Javascript to detect all sorts of information about your browser. This can also be used to track you. The best defense against this is to use NoScript.
Referrer Url
Likewise, the Referer header can be used to track your session path from page to page. To stop Firefox from transmitting it, go to about:config and set network.http.sendRefererHeader to the value 0.
Tab Mix Plus can also be used to block referrer forwarding for the lifetime of any given tab. Simply right click on the tab, and go down to Permissions. The option to block referrer is there, along with several other options we will use later.
Sometimes, however, it is useful to outright lie about where you came from. For example, if you frequently visit your own blog/website by typing in the URL, those visits are distinguishable by the lack of referrer URL. In those instances, you may wish to use refspoof instead. Refspoof adds the ability to specify your referrer in a URL. For example, spoof://nytimes.com;ref://google.com connects you to the New York Times, making them think you came from google.
Browser History
This should be obvious: delete your browser history, cache, cookies and other personal information after doing sensitive things. A JavaScript trick that inspects how the browser styles :visited links can reveal whether you have been to selected sites, which can be used to fingerprint you. The best way to deal with this is to run NoScript.
Web bugs
A common technique (used by the FBI and others) to discover someone's identity is to send them an email with an image or some other document attribute that their email client or browser will attempt to load. Usually, this image will be located on a server that the sender controls, which means they will then have your IP address once your browser makes the connection. Of course, for normal images, these will obey your proxy settings. However, note that even using Tor is sometimes insufficient. Make sure your proxy settings have an entry for FTP, especially.
You need to be particularly careful about Java plugins. Have a look at the clever Java applet that turned up at an odd website. It improves on previous Java web bugs in that it selects one of several ways to make an external Internet connection, bypassing your proxy settings, based on capability information provided by the JVM. Even if the JVM has been secured (most, including Sun's, are not), the applet can still query the local interface of your machine and get the IP address without making any Internet connection, then submit the result back to the server that served it. Where the JVM is not secured, the JVM will ignore your proxy settings and make a direct connection to the originating website.
You basically have two options when dealing with web bugs of this nature. One is to install the NoScript Firefox Extension, which allows you to whitelist Java, Javascript, and Flash objects on an as-needed basis. This is the recommended option, as it covers all your bases all the time unless you say so. The one downfall is that if you enable permissions on a site, you enable it for everything. This means that if you enable Javascript for your email provider (most don't work too well without it), and they do not scrub HTML properly, someone could still feed you this Java applet. According to the NoScript Website, the ability to split permissions for Java from Javascript is being developed for an upcoming release. Your best bet until then is to globally disable Java from your Firefox preferences.
The other option is to use Tab Mix Plus tab permissions to disable plugins on the current tab (right click on the tab). You get finer granularity here, but your choice only persists in the current tab. This is annoying and easy to forget.
Also be aware that some media objects can reveal your IP address, depending on how the plugin was written. On Windows I have tested Windows Media Player, RealPlayer, QuickTime and Flash Player; of those, only RealPlayer did not honor proxy settings, since it launched an entirely new application. On Linux I have tested mplayer-plugin and Flash, and unfortunately the mplayer plugin does not obey browser proxy settings (but does obey the http_proxy environment variable). In general, the best way to determine whether a plugin or media type is obeying your proxy settings is to use Wireshark (www.wireshark.org) to watch network traffic. The display filter 'tcp.port == 80 or tcp.port == 443' makes it easier to find web traffic that is bypassing Tor, though note that some media apps use other ports and possibly UDP, and that if the Tor client runs on the same machine, its own connections to guard relays (commonly on port 443 or 9001) will also match; exclude your guard's address, or instead flag anything that is not going to the local Tor SOCKS port.
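Several of the settings this guide tells you to check (the referrer preference, the "allow cookies from the originating site only" cookie policy, a stuck user-agent override, and proxy entries that let plugins or ftp:// references go direct) all live in the Firefox profile's prefs.js. The following is an added example, not code from the guide or from the Tor Project: it parses a prefs.js/user.js and reports the leaks described above. The preference names are real Firefox preferences; the finding codes, the two sample files and the helper that implements the "remove every line containing the agent" fix are constructed for this example.

```python
"""Audit a Firefox prefs.js/user.js for the leaks this guide describes.

Added example, not code from the guide. Preference names are real Firefox
preferences; the finding codes and sample files are constructed here."""
import re

PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')


def parse_prefs(text: str) -> dict:
    """Parse user_pref("name", value); lines into a dict of typed values."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif raw.startswith('"') and raw.endswith('"'):
            prefs[name] = raw[1:-1]
        else:
            prefs[name] = int(raw)
    return prefs


def audit_prefs(prefs: dict) -> list:
    """Return finding codes for settings that let identity or traffic escape Tor."""
    findings = []
    # Proxying: type 1 is manual; everything should go to the local Tor SOCKS port.
    if prefs.get("network.proxy.type") != 1:
        findings.append("proxy-not-manual")
    if not prefs.get("network.proxy.socks") or not prefs.get("network.proxy.socks_port"):
        findings.append("no-socks-proxy")
    # Without remote DNS the browser resolves names locally, leaking every hostname.
    if not prefs.get("network.proxy.socks_remote_dns", False):
        findings.append("dns-resolved-locally")
    # The web-bug point above: an HTTP proxy with no FTP entry lets ftp:// images go direct.
    if prefs.get("network.proxy.http") and not prefs.get("network.proxy.ftp"):
        findings.append("ftp-bypasses-proxy")
    # Referer: 0 disables the header entirely (the Firefox default is 2).
    if prefs.get("network.http.sendRefererHeader", 2) != 0:
        findings.append("referer-sent")
    # Cookies: 0 accepts all; 1 accepts only from the originating site.
    if prefs.get("network.cookie.cookieBehavior", 0) == 0:
        findings.append("third-party-cookies-accepted")
    # A user-agent override left in prefs.js persists across restarts.
    if "general.useragent.override" in prefs:
        findings.append("ua-override-persisted")
    return findings


def strip_ua_override(text: str) -> str:
    """The guide's manual fix: drop every line that touches the user agent."""
    return "\n".join(line for line in text.splitlines() if "useragent" not in line)


# Constructed sample files, not taken from a real profile.
LEAKY = '''\
user_pref("network.proxy.type", 0);
user_pref("network.http.sendRefererHeader", 2);
user_pref("general.useragent.override", "Mozilla/5.0 (X11; U; Linux i686) Gecko/20041107 Firefox/1.0 RealMedia 1.1.3");
'''

HARDENED = '''\
user_pref("network.proxy.type", 1);
user_pref("network.proxy.socks", "127.0.0.1");
user_pref("network.proxy.socks_port", 9050);
user_pref("network.proxy.socks_remote_dns", true);
user_pref("network.http.sendRefererHeader", 0);
user_pref("network.cookie.cookieBehavior", 1);
'''

if __name__ == "__main__":
    for label, text in (("leaky", LEAKY), ("hardened", HARDENED)):
        print(label, audit_prefs(parse_prefs(text)))
```

Point it at the prefs.js in your Firefox profile directory after closing the browser (Firefox rewrites the file on exit). Note that the audit can only see what the browser itself will do; a plugin that opens its own sockets, as RealPlayer and mplayer-plugin did in the tests above, never consults these preferences, which is why the Wireshark check remains necessary.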
Desktop and Web Browser Extensions
The major threat with web browser extensions and desktop plugins is that they will transmit a unique user id over the same Tor circuit that you happen to be using to anonymously access a website. Weather monitoring extensions are particularly dangerous because they can transmit zip codes or even address information to retrieve local weather conditions. Likewise for link collection services such as delicious, stumbleupon, and flickr.
It is also possible for a malicious Firefox extension to track your whereabouts on the web. The most reliable way to watch for this is to manually inspect the Extensions.rdf file in the extensions directory under your Firefox profile. Each cryptically named subdirectory of the extensions directory should have an entry in the RDF file; make sure that every extension name is one you remember installing.