Professional Documents
Culture Documents
andAntiForensics
Abstract
WherethereisadataleakthereisahelpfulLEOtopickupthe slackandthrowyouinjailforit.Thisguideattemptsto educateyouonsomeofthebestsecuritypracticesandanti forensicstechniquessothatdoesnthappen.Fromnews reporterstopeoplewhowanttodownloadandwatchchild porn;thisguidewillhelpkeepyousafe.
byMISSIONMAN|V2|FINAL
P a g e |1
Dedication
ThisguideisdedicatedtothewonderfulLawEnforcementAgenciesof theworld;iftheydidnttrytofuckusoverallthetime,Iwouldntcare enoughtomakethisguideinthefirstplace.
P a g e |2
Table of Contents
Dedication.....................................................................................................................................................1 Chapter1 _TheCIATriad........................................................................................................................... 5 Chapter2 _Recommendations................................................................................................................. 6 Chapter3 _Encryption............................................................................................................................ 10 3.1. 3.2. 3.3. 3.4. 3.5. 3.6. 3.7. 3.8. 3.9. EncryptionDealingwithConfidentiality..................................................................................... 11 EncryptingFilesortheHardDrive.............................................................................................. 12 SecurelyExchangingMessagesorData...................................................................................... 15 Steganography............................................................................................................................ 17 AuthenticationFactors ................................................................................................................ 18 PasswordAttacksandAccountRecoveryAttacks...................................................................... 18 CreatingSecurePasswords......................................................................................................... 19 Hashing,HashingCollisions,andBirthdayAttacks..................................................................... 19 ColdBootAttacks........................................................................................................................ 21
Chapter4 _Data......................................................................................................................................22 4.1 4.2 4.3 4.4 4.5 4.6 4.7 4.8 4.9 4.10 4.11 4.12 DeletedData............................................................................................................................... 23 DeletingDataSecurely................................................................................................................ 24 FileSlack......................................................................................................................................25 WheretoHideYourData............................................................................................................ 26 WindowsSwapFiles,ReadyBoost,TemporaryInternetFilesandBrowserCache .....................26 TemporaryApplicationFilesandRecentFilesLists.................................................................... 28 Shellbags.....................................................................................................................................32 PrefetchingandTimestamps...................................................................................................... 33 EventLogs...................................................................................................................................34 Printers,PrintJobs,andCopiers................................................................................................. 34 Cameras,Pictures,andMetadata............................................................................................... 36 USBInformation.......................................................................................................................... 37
Chapter5 _Continuity............................................................................................................................. 40 5.1 5.2 5.3 5.4 SecurityConcernswithBackups................................................................................................. 41 SecurityConcernswithSleepandHibernation........................................................................... 41 EnsuringInformationandServiceContinuity............................................................................. 41 DoSandDDoSattacks................................................................................................................. 42
Chapter6 _SystemHardening................................................................................................................ 45 6.1. 6.2. 6.3. 6.4. 6.5. UninstallUnnecessarySoftware................................................................................................. 46 DisableUnnecessaryServices..................................................................................................... 46 DisableUnnecessaryAccounts................................................................................................... 47 UpdateandPatchWindowsandOtherApplications.................................................................48 PasswordProtection................................................................................................................... 48
Chapter7 _Antivirus,Keyloggers,Firewalls,DLPs,andHIDs ................................................................50 7.1. 7.2. 7.3. 7.4. 7.5. 7.6. Antivirus......................................................................................................................................51 HardwareKeyloggers.................................................................................................................. 51 Firewalls......................................................................................................................................52 DLPs............................................................................................................................................52 HIDSsandNIDs.......................................................................................................................... 53 OtherConsiderations.................................................................................................................. 53
Chapter8 _Networks.............................................................................................................................. 54 8.1. 8.2. 8.3. 8.4. 8.5. 8.6. 8.7. Privatevs.PublicIPAddress....................................................................................................... 55 MACAddress............................................................................................................................... 55 PublicWireless............................................................................................................................ 56 SecurityProtocols....................................................................................................................... 58 ChatSitesHowAttackersAttack ............................................................................................... 59 OtherConsiderations.................................................................................................................. 61 Extra:MACAddressSpoofingandARPAttacksHowtheywork ..............................................62
Chapter9 _WebBrowserSecurity.......................................................................................................... 64 9.1. 9.2. 9.3. 9.4. 9.5. DownloadingandUsingtheTorBrowserBundle....................................................................... 65 ConfiguringWebBrowsersandApplicationstoUseTor ............................................................67 WhatisSandboxingandWhatisJITHardening,andWhyDoICare?........................................68 JavaScript....................................................................................................................................68 CookieProtectionandSessionHijackingAttacks....................................................................... 69
P a g e |4 9.6. 9.7. 9.8. 9.9. 9.10. 9.11. 9.12. 9.13. Chapter10 Chapter11 Caching........................................................................................................................................69 Referers.......................................................................................................................................70 CSRF/CSRFAttacks(XSSAttack).................................................................................................. 71 ProtectBrowserSettings............................................................................................................ 71 DNSLeaks................................................................................................................................71 UserAwareness,AccidentsandSystemUpdates................................................................... 72 Limitations ............................................................................................................................... 73 Extra........................................................................................................................................73 _StandardAcronyms.......................................................................................................... 75 _DownloadLinks................................................................................................................ 76
P a g e |5
P a g e |6
Chapter 2_ Recommendations
indows was not built with security in mind, therefor should not be used. Tails is recommended as it is a live DVD or USB that was created to preserve your anonymity and privacy. It allows you to browse the internet anonymously and safely as all applications are preconfigured to run through Tor. Other uses includes encrypting your files, sending and receiving emails and instant messaging, photo editing, document editing and more. Tails also operates completely in RAM so it does not leave a trace on your computer. RAM is Random Access Memory and iswipedwhenthemachineshutsdown.Everythingthatyouwantsavedisdonesoinsecure,encrypted persistent storage. Tails link: Here. A stepbystep for installing Tails can be found here. If you cannot useTailsorbetteryetdonotwanttouseTails,youshouldmakesurethatWindowsissecure. Windows: TruecryptIwoulddownloadTrueCryptandenableFDE(FullDiskEncryption)tomakesurethat allevidenceisencryptedthusallowingyoutoskipChapter4.IfyoudonotwanttoenableFDE,I wouldcreateacontainerandhaveaVirtualMachineinsidethecontainer.Otherwise, EVIDENCECANBEEASILYGATHEREDBYINVESTIGATORS.(Section3.2) TorBrowserBundleThisallowsyoutobrowsetheinternetanonymously.UsingTBBwillalso allowyoutovisit.onionsitesaswellastojointhe.onionIRCserverswithTBBsinstanceorTor. (Section9.1) AntiVirus(AV)andaFirewallThiswillkeepyourcomputerprotectedfromvirusesaswellas remoteintruders(mostallinoneantivirussoftwarehasthesefeatures).(Section7) Ihavedecidedtomovearecommendationfromlateroninthisguidetouphere.Onegood recommendationistocreateanduseastandardaccountwithnoAdministrativeprivileges.This way,ifavirusisexecuted,itonlyhastheprivilegesoftheaccountthatyouarein.Also,Iwould makesureyourusernamedoesnotcontainyourfullnameasmanyapplicationssuchasPidgin cansharethisinformation.Furthermore,makesurethatyoucreateaWindowspasswordthat isdifficulttoguess/attack,asyourcomputercanbeexploredusingthatpassword,overthe network. (Optional)TorChatTCisachatapplicationthatrunsoverTortoprovideananonymouswayto chat.(Section2) (Optional)IRCClientAnIRCclientallowsyoutoenterTorchatroomstotalktomany individualsatonetime.Youwillneedonewithproxysettingssoyoucanruntheclientthrough Tor.MakesuretoNOTuseDCCasitcanexposeyourIPaddress.ThereareseveralIRCservers
Try it out Set up IRC client for Tor 1. DownloadyourIRCclient.Personally,IusePidgin.Thelinkisprovidedforyou: http://pidgin.im/.ThereisaportableversionofPidginavailableifyouplanonusingtheclienton severalmachines(whichisnotrecommendedasthecomputercancontainspyware).Also, Pidginallowsyoutoconnecttoseveralserversatonceinthechanceyougetdisconnectedfrom aserveroranetsplitoccurs. 2. Tocreateanaccount,ClickAccountsfollowedbyManageAccounts.Youcanaddasmany accountsasyouwant;IcreatedafewaccountstoconnecttothedifferentIRCserversforthe reasondescribedabove. 3. SelectAdd.UnderBasic,yoursettingsshouldlooklikethis:ProtocolIRC,Usernameyour username,ServerIRCserver(listedbelow),Localaliasyourusername.Again,youcanuse anyoftheseveralTorIRCserversastheyareallconnected.Alternatively,youcanuseoneof theseveralIRCrelaysinsteadofconnectingtotheTorserversdirectly. 4. UnderAdvanced,yoursettingsshouldlooklikethis:Port6667,Usernameyourusername. InPidgin,ifyoudonotspecifyausernameundertheAdvancedsettings,yourusernamewillbe exposed.Whenyouenterorleavethechatroomtheusernamewillappearbeforethe hostname.Forexample,ifyourIDisTheBestandyourusernameisBob,thenitwillappearas TheBest[Bob@OnionNet]. 5. UnderProxy,yoursettingsshouldlooklikethis:ProxytypeSOCKS5,Host127.0.0.1,Port 9050(TorPort).IfyouareusingPrivoxy,theportwillbe8118. 6. ClickBuddiesandJoinaChattojoinachannel.AddChatwillpermanentlyaddthechannelsto theChatslistsoyoudonthavetorememberthechannelnameeverytime.Rightclickingthe chatunderChatswillgiveyouahostofoptions.IselectedPersistenttoreceivethemessagesin thechatroomeventhoughtheyarenotcurrentlyopen.Youcanuse/listtogetalistofallthe channelsoryoucanuse/join#roomtojoinaspecificroom.#securityand#publicaretwogood channelswhenaskinggeneralquestionsorquestionsrelatedtoprivacyorsecurity. 7. Youcanusethe/msgusernamecommandtosendaprivatemessagetosomeoneorusethe /queryusernamecommandwhichwillopenanewwindowinbothclientsforprivate messaging.IwouldadviselookinguptheIRCclientcommandsforfullfunctionality.Also,even thoughIrecommendeddisablingDCC,theserversdisablethefunctionalityaltogether. 8. Lastly,youshouldknowthatmostifnotallIRCclientscacheyourusernameforfunctionality. Pidgin,takesthisfurtherbycreatinglogsforspecificchannelsandindividualusersthatyouchat withusingprivatemessagingbydefault.UnderPreferences>Logging,youshoulddisableLog allinstantmessagesandLogallchats.
IRC Channels HereisalistofsomeofthepopularTorIRCchannels(orderedbyusercountatthemomentofwriting): #boys! #pedo #cams #mjb #girls Try it out TorChat: 1. DownloadTorChatfromgithubasitisnowtheofficialsourcefortheTorChatproject.Atofthe timewritingthearticle,thedirectlinkishttps://github.com/prof7bit/TorChat.Oncethepageis loaded,clicktheDownloadsbuttonoverontheright.Selectthelatestbuildasdenotedbythe versionnumber.MakesuretodownloadtheWindowsexecutableversionforWindows, Debian/UbuntupackageforDebian/Ubuntu,orthePidginpluginifthatiswhatyouwantto do.IfthebuildisinAlpha,thenitisnotrecommended. 2. Thefilewillbedownloadedasa.zipfile.Oncethefileisfullydownloaded,openthefileand extractthecontentswithyourfavoritearchivefilemanager.Iextractedthefiletothedefault locationinWindowswhichistheDownloadsfolder.Youcanmovethefolderatanytimeas TorChatisportable. 3. OpentheTorChatfolder,expandthebinfolder,andruntorchat.exetostartTorChatforthefirst time.Onceloaded,youwillbeprovidedyourTorChatID(16charactersthatarecomprisedof lettersandnumbers). 4. Toaddacontact,justrightclickinthewhitespaceoftheprogramandclickAddContact Alternatively,youcaneditthebuddylistfileinthebindirectory.Doubleclickingacontactwill initiateachat(rightclickingandselectingChat,willaccomplishthesamething).Youcanalso editanddeleteacontactbyRightClickingtheuserandselectingtheappropriatefunction. Sendingafileisassimpleasdraggingthefileintothechatwindoworrightclickingthe usernameandselectingSendfile(Windowscanonlysendonefileatatimewhereas Debian/Ubuntucansendmanyatonetime). 5. IfyouareupgradingyourversionofTorChatthanmakesuretobackupandcopyover bin\buddylist.txt,bin\Tor\hidden_service\hostname,and bin\Tor\hidden_service\private_key.Ifyoudonotcopyoverthelattertwofiles,youwillbe providedanewTorChatID. #knaben #torchan #public #security #hackbb
P a g e |9 Try it out Installing Tails: 1. DownloadTailsfromtheofficialTailswebsite.YoucaneitherdownloadTailsviathedirectlink ortheTorrent;whichmightbefaster.However,thedirectlinkisrecommendedasis downloadingandverifyingtheTailsSignature.ThelinktotheTailsdownloadpageishere: Here.Underoption2,selectthelatestreleasetostartdownloading.Toverifythedownload, useGPGtoverifytheTailssignaturetoensurethatyourimagehasnotbeenmodifiedinany way 2. Oncedownloadedyouhaveacoupleofoptions:youcanburntheimagetoaDVDoraUSB(the imageistoobigtofitonaCD).IfyouburntheimageonaDVDR,anattackercannotmodifythe contentsasthediskisreadonly.Thisalsomeansthatyoucannotsaveanythingormakeany permanentchangesonthedisk.DVDRWandtheUSBcanbewrittentoandrewrittento, meaningfilesandsettingscanbesavedinpersistentstorage.But,thiscomesatariskasan attackercanmaliciouslymodifyTails 3. InstallinganimagetoaDVDiseasy,allyouneedistherightsoftware.ISOImageBurnerisa goodsoftwareforWindowsthatcandothisforyou.MacsandcomputersrunningUbuntucan burntheimagenatively.OnceyourISOburningprogramisopen,inserttheblankDVDintothe diskdriveandburntheTailsISOimagetotheblankdisk(oraDVDRWdisk) 4. WheninstallingtheTailsISOimageontoaUSB,itisrecommendedthatyoudownloadand installOracleVMVirtualBox,andusethatvirtualizationprogramtobootintoTails.Otherwise, youcannotcreatepersistentstorageforsavingfilesandsettings.Onceyousuccessfullyboot intoTails,youcanusethebuiltinTailsUSBinstallertoinstallTailsontheUSBdevice 5. IdownloadedandinstalledVirtualBoxfromhere.Onceinstalled,startVirtualBoxandClick NewtocreateanewVM.FillouttheNametextbox,selectLinuxfortheType,andselectOther Linuxfortheversion.ProceedpastthenextpageandselectDonotaddavirtualharddriveand clickCreate.AtthetopoftheOracleVMVirtualBoxManagerclickonSettingstomodifythe settingsoftheVMyoujustcreated.SelectStorageandnexttoController:IDEclickonthelittle diskicontoaddaCD/DVDdevice.ClickChoosediskandselecttheTailsISOyoujust downloaded.UnderController:IDEyoushouldseetheimageyoujustselected.Selectedthat imageandcheckLiveCD/DVDoverontherightunderAttributes.ClickOK.StarttheVMto bootintoTails. 6. Atthispointyoushouldbeaskedifyouwouldliketoviewmoreoptions.Iamgoingtokilltwo birdswithonestoneandcoverhowtoinstallTailsonaUSBaswellaswhatIrecommendafter youinstalltheISOontheUSB.SelectYesonthisscreenandcreateanAdministratorpassword onthenextscreen.UnderApplications>Tailsyoucancreateapersistentvolumeaswellasuse theTailsUSBInstaller.Whencreatingapersistentvolume,Iwouldselectalltheapplications youwilluseaswellasifyouaregoingtosaveanymaterials.
P a g e |10
Chapter 3_ Encryption
ncryption is the process of encoding messages (or information) in such a way that eavesdroppers or hackers cannot read it, but that authorized parties can. Using cryptography three purposes are fulfilled: confidentiality, integrity, and nonrepudiation. Encryption has long been used by militaries and governments to facilitate secret communication. It is now commonly used in protecting informationwithinmanykindsofciviliansystems.Also,manycompliancelawsrequireencryptiontobe used in businesses to ensure that confidential client data be secured if the device or data is stolen. In this section I will be talking about using encryption for confidentiality and integrity. Nonrepudiation is used,butisnotnormallyimplementedforourpurposes.
Topics
ThisChapterwillcoverthefollowingtopics: EncryptionDealingwithConfidentiality EncryptingFilesortheHardDrive SecurelyExchangingMessagesorData Steganography AuthenticationFactors PasswordAttacksandAccountRecoveryAttacks CreatingSecurePasswords Hashing,HashingCollisions,andBirthdayAttacks ColdBootAttacks
P a g e |11
3.1.
Computer encryption is based on the science of cryptography, which has been used as long as humans have wanted to keep information secret. The earliest forms of encryption where the scytales and the creation of cipher texts. These forms of cryptography would rely on both parties knowing the key used orthecorrectcipherbeforethemessagecouldbedelivered.Here'sanexampleofatypicalcipher,with agridoflettersandtheircorrespondingnumbers:
1 2 3 4 5 1 A F L Q V 2 B G M R W 3 C H N S X 4 D I/J O T Y 5 E K P U Z
If a general wanted to send the message I love ponies he would write the series of corresponding numbers: 42 13 43 15 51 53 43 33 42 51 34. Only the person with this cipher text would be able to reach the message. Now obviously, to make the message more difficult to decipher, the letters inside the table would be arranged differently. Computer encryption uses algorithms to alter plain text information into a form that is unreadable. Most people believe that AES will be a sufficient encryption standard for a long time coming: A 128bit key, for instance, can have more than 300,000,000,000,000,000,000,000,000,000,000,000 key combinations. Todays AES standard is AES 256bitencryptionwhichhas256^2possiblecombinations. As we said before, there are many reasons for encryption. One purpose of encryption is the act of transforming data from a state that is readable to a state that cannot be read by a third party that does nothavepermission.Theresultoftheprocessisencryptedinformation(incryptography,referredtoas ciphertext). The reverse process, i.e., to make the encrypted information readable again, is referred to as decryption (i.e., to make it unencrypted). It is also important to know that the word encryption can implicitly refer to the decryption process. For example, if you get an encryption program, it encrypts informationaswellasdecryptsit. There are two types of encryption that should be used for two different purposes: symmetric (private key encryption) and asymmetric (public key encryption). Symmetric encryption is used the most becauseitisfast,easytouse,andisthemostwidelyneeded.Youwillusethisformofencryptionwhen there is only one password being used (such as TrueCrypt or another simple file encryption utility). Asymmetric encryption on the other hand uses two keys, one to encrypt information and the other to decrypttheinformation.
P a g e |12
SymmetricEncryption
AsymmetricEncryption
3.2.
You will most commonly want to encrypt files for storage or if you want to upload them to several people securely. There are a couple of programs that support this type of encryption and most of you probably already heard of them. These programs I am referring to are TrueCrypt and WinRAR and they both provide symmetric file encryption. TrueCrypt is a program that allows you to encrypt your entire harddriveortocreateanencryptedcontainer.WinRARontheotherhandisaprogramthatallowsyou to create an encrypted archive. Remember that symmetric file encryption has only one key for the encryptionanddecryptionprocess.Soyouwillneedtosharethekeyifyouplanonsharingthefiles. Note:WinRARcanbecrackedandtheremightexistabackdoortoyourencryptedfiles.Thisprogram is only meant to exchange material in the public without any individual to see what is contained. DO NOTSTORESENSITIVEDATAENCRYPTEDWITHWINRARONYOURCOMPUTER.USETRUECRYPT. BelowisanexampleofaverysimpleencryptionprocessknownastheCaesarsCipher:
P a g e |13 In this example, as with the fundamentals of the Caesar Cipher, all the characters are shifted, usually by 3 characters. If he wanted to say "You will never guess this," for instance, he'd write down "BRXZLOO HYHU JXHVV WKLV" instead. As you can see, the text is also broken up into even groups in order to make the size of each word less obvious. You can change the orders of the letters and change the numberofshiftsperlettertocomplicatetheprocessfortheattackerevenfurther. Creating an encrypted container with TrueCrypt will allow you to store data within the encrypted container. When mounted, it will look as another drive on your computer. TrueCrypt containers are secure but using them still comes with the risks of leaving your recent files lists, thumb files, and other temporary and cache data exposed. It is recommended that you use TrueCrypt and encrypt the entire diskformaximumsecurity.Investigatorscannotdeterminewhetherornotyouhaveahiddenvolumein your TrueCrypt container unless you tell them. You can also use TrueCrypt to encrypt portable drives using the Traveler Disk Setup. For information about using TrueCrypt on SSDs, please reference SSD SolidStateDrives(section4.10). Try it out Create TrueCrypt Container 1. StartTrueCrypt 2. ClickonVolumes(menuitem)inTrueCrypt 3. ClickonCreateNewVolume...(menuitem) 4. SelectCreateanencryptedfilecontainer(radiobutton)andclickNext>(button) 5. SelectHiddenTrueCryptvolume(radiobutton)andclickNext>(button) 6. SelectNormalmode(radiobutton)followedbyNext>(button) 7. ClickSelectFile...(button) 8. InthisstepyouwillspecifythenameandlocationofyourTrueCryptcontainer.Ifyoutrytosave thefileandgetanaccessdeniederror,trycreatingthecontainerinyourDocumentsfolderor elsewhere.ChoosethelocationintheExplorerwindowandspecifytheFilename:(edit)in SpecifyPathandFileName[...].ClickSave(button)intheSpecifyPathandFileNamedialog box 9. ClickNext>(button)followedbyNext>(button)onthenextpage 10. Inthedropdown,IselectedAES(listitem)fortheEncryptionAlgorithm.Thisisthemostsecure andprovides256bitencryptionwhichisa32characterpassword.Youcanreadupontheother encryptionalgorithmsforfurtherexplanation.SHA512(listitem)wasmychoicefortheHash Algorithm.Youcanalsoreadfurtheronthehashingalgorithms.ClickNext>(button) 11. InthisstepyouwanttospecifythesizeoftheTrueCryptcontainer.Mostlikelyyouwillwantto selectGB(radiobutton)tospecifyyouwanttosizetobeinGigabytes.Thisisrecommendedif youaregoingtostorepicturesorvideos.Inthetextbox,enterthetotalsizethatyouwantto containertobeandnotjustthesizeofyourOuterVolume.So,ifyouwantyourOuterVolume tobe50GBandyourInnerVolumetobe25GB,youwillneedtoenter75here.ClickNext 12. EnterandreenteryourpasswordfortheOuterVolumePassword.Thisisthepasswordthat youwillbeabletorevealifyouareforcedtodoso.Youareallowedtoenterapasswordupto 64characters
P a g e |14 13. FortheLargeFilesstep,IselectedYes,soitwouldformatasNTFS;itisuptoyouthough.Click Next>(button) 14. Onceallthesettingsareset,moveyourmousearoundtoaddsecurity.ClickFormat(button)to startformattingthevolume.Dependingonthesizeandyourharddrivespeedandother factors,thisprocesscouldtakeseveralhours.OncecompleteclickNext>(button) 15. YouwillnowcreateyourHiddenVolume,orthevolumethatyoudonotwantotherstofind. SelectNext>(button)tostarttheprocess 16. Iusedthesamesettingsasbefore.ClickNext>(button)untilyouarepromptedtocreatethe HiddenVolumeSize.ThissizeislessthantheOuterVolumeSizeandshouldleaveampleroom soyoucanstoreenoughnonprivatedatainyourOuterVolumewhilstallowingplentyofroom forprivatematerialinthisHiddenVolume.ClickNext>(button) 17. CreateaHiddenVolumePassword.Thispasswordshouldbeassecureasthiscontainerwill holdyourprivatedata.Themaximumpossiblelengthforapasswordinthisstepisalso64 characters.Thisisthepasswordthatyoudonotwanttogiveoutunderanycircumstances.The governmentcannotdetermineifahiddencontainerexiststhereforetheywillnotknowthatthis passwordevenexists.Donotfallvictimtosocialengineeringattackswhereassomeonetricks youintogivingthemthepassword. 18. SelectNext>(button),choosewhetherLargeFilesaregoingtobeusedinthenextwindow,and clickFormat(button)tofinalizetheprocess(again,makesuretomoveyourmousearoundon thatstepforbettersecurity) 19. OpenTrueCryptagainandmounttheOutercontainer.Tostart,IwouldmounttheOuter Containersowecanaddsomedecoydatainthereincaseyouareforcedtogivethepassword. Todothis,justselectthedriveletter,clickSelectFile(button),selecttheTrueCryptfileyou createdinStep8,andpressMount.Simply,youwillentertheOuterVolumepasswordorthe HiddenVolumepassworddependingonwhichvolumeyouwanttomount.Makesurewhen movingdecoydataoverthatitiscompletelylegalandthatitCANNOTbeconfusedfor somethingillegal.Also,makesureitwouldbesomethingyouwouldtrulywanthidden.Porn, databackups,andetc.aregoodideas.Tomovethefilesovertoeitherofthesevolumesyou willsimplyopenWindowsExplorerandnavigatetothedriveletter. Try it out WinRAR: 1. IfyouareintheWinRARprogramwindow,selectthefile(s)andclicktheAddbutton.Thisis denotedasaniconofastackofbookswithbindingaroundthem.Alternatively,youcanright clickthefile(s)intheexplorerwindowandclickAddtoarchive 2. TheArchivenameandparameterspagewillopen.Pleasenotethesizeofthefileyouareabout touploadandthesizelimitthatyouareallowedtouploadoneachsite. 3. IntheSplittovolumes,bytesinputfieldundertheGeneraltab,entertheappropriatesizeof eacharchive.Forexample:Ifyouhaveafilethatis200MB(or204800KB)andthefileupload sizelimitis50MB,fortheSplittovolumes,bytesinputfield,youwillenter50MB.Inthiscase fourfileswillbecreated,each50MBapiece. 4. SelecttheAdvancedtabandhittheSetPasswordbutton.Enterthepasswordinthefirstfield andreenterthepasswordforverification.Rememberthispassword;ifitislostthefileisNOT recoverable.MostpeoplealsoselectEncryptfilenamesforextrasecurity.
P a g e |15 When using TrueCrypt, as presented in the Try it out section, it is a good idea to use a hidden container. Heres why Lets say you have two videos: video A and video B. Video A is of your pet hamsterfrolickingaroundinthefishtankwithyourpreciousnessgoldfishnamedGarry(thefish,notthe hamster). On the other hand, Video B is a recording of your grandmother doing the naughty with the pizza delivery man. Now, I am going to make a sweeping assumption in claiming that you don't mind other people seeing video A, so it is deemed that the video can be "public" or "not hidden." Video B on the other hand is just plain nasty and if the pizza delivery man were 12, and you needed to hide that video at all costs, this video would need to be "private" or "hidden." So, you would stick Video A in the container that you could give the key away to and Video B would go in a container that you would protectatallcosts.IfyouusethekeyforVideoA,youcanseevideoAandsoforth. So, on the same lines, a hidden container (or, a hidden OS), is a hidden, encrypted container that the LEA cannot prove exists. So, you have two keys: a key for the public container and a private container.Youcanunlockoneortheotheratonetime,butnotbothatthesametime.So,youcangive the LEA the key that opens up your public container whilst hiding the key for your private container.TheLEAcannotdetermineifyouhaveaprivate,hiddenOS,oraprivatecontainer.Ifyouuse thekeyforyournonsensitivecontainer,youwillbootintocontainer. In essence (when dealing with hidden OSs), think of two Operating Systems on one computer and you can choose which one to boot into depending on the password. A hidden OS, is hidden and the LEA cannot prove that it exists. The advantage of this is you can have one OS for normal data whilst hiding your other material and use it when you need it. A hidden OS also has all the sensitive data leaks inherent with any OS. So, instead of antiforensic techniques or saying, "opps, I forgot the password", youcanviewallsensitivematerialinthehiddenOSandnotworryaboutanythingsensitivebeingleaked (paging, recent file lists, db files, caching, etc). Remember this: if you are forced to give the encryption key,youcandosowhilstkeepingyourhiddencontainerhiddenwhichisthemainadvantageofahidden container.
3.3.
The problem with symmetric encryption is that it only uses one password to encrypt and decrypt data. But what if you wanted to send a message to somebody? Somehow, you will need to share the key while reducing the risk of anyone being able to intercept the password and use it to decrypt the data. Asymmetric encryption tackles this problem by implementing a secure key exchange. With this form of encryption there are two keys used, a public key and a private key. The public key is given to the world and is used to encrypt data whereas the private key is used to decrypt the data and to verify the data being received is legitimate. A popular program to securely share data and messages between two people(usingasymmetricencryption)isPGPorGPG(GPGbeingafreereplacementforPGP).
P a g e |16 Try it out GPG: ForWindows(sincethisisaWindowsguide),IrecommenddownloadingandinstallingGpg4win.Ifyou areusingLinuxyoucansimplyusegpgandstickwithcommandline.Hereisaguidefromtheirwebsite onhowtoinstalltheprogram:http://gpg4win.de/handbuecher/novices_5.html.WhenGpg4winis installed,followthesestepstocreateyourkeypairforencryption/decryption(note:thefollowing instructionsareforcreatingakeysizeof4096whichIrecommend.Youcancreatea2048bitencryption keyusingtheprogramKleopatra): 1. Startthecommandprompt:Start>Run>cmd>OK*WindowsVista/7,typecmdinSearch ProgramsandFeatures.Ablackboxshouldpopup 2. Typeingpggenkey 3. Enter1andpressEnter 4. Thedefaultkeyis2048,Irecommend4096 5. Setthevalueto0here.Ifyousetthekeytoexpire,youwillneedtogothroughthissame processofcreatingandredistributingyourpublickeys.Whenisasksforaconfirmation,entery 6. Yourrealnamewillmostlikelybeyourscreenname.Iwillentermissionmanhere 7. Forthisstep,inputanemailaddress.ForthisIenteredmytormailemailaddress. 8. Enteracommentifyouwish,thisstepisoptional 9. Ifyouwishtochangesomething,nowisthetimetodoit.EverythingiscorrectandIamdoneso Iwillentero 10. Atthispointyoushouldseeapopuppromptingyoutocreateasecretkey.Thisisalsoreferred toasaprivatekey.Makesurewhencreatingthispasswordthatitconformstostrong passwordguidelines 11. Reenterthepasswordtoconfirmyouentereditcorrectly 12. Youwillnowwanttotypealotofrandomdatainatextprogramofyourchoiceormoveyour mousearoundthescreensothekeycanbegenerateduntilthekeygenerationiscomplete 13. Iftherearenoerrors,thenyouhavesuccessfullycreatedyourpublicandprivatekey! 14. Now,togivepeopleyourPublickey(whichtheyusetoencryptdatatheywanttosendtoyou) youwilltypeingpgexportausername>c:\public.key.ForexampleItypedingpgexport amissionman>c:\missionman.key Encrypting and decrypting a message/file: 1. First,findthelocationofyourfileorsaveamessagetoatextdocument 2. Thecommandtoencryptafileisgpgeoutput"outputfile"localuser"yourusername"r "recipient"armorsign"filename".Forexample,ItypedingpgeoutputC:\encrypted.txt localusermissionmanrtestuserarmorsignclear.txt.detachsigwillcreateaseparate signaturefile 3. Todecryptafileyouwillsimplyentergpgdlocaluserusernameooutputfileinput file.Forexample,IenteredgpgdlocalusermissionmanoC:\decrypted.txt C:\encrypted.txt.
P a g e |17
HereisanexampleofaGPGencryptedmessage:
-----BEGIN PGP PUBLIC KEY BLOCK----Version: GnuPG v2.0.17 (MingW32) mQINBFAisdkBEADQeOmbSJ5acqwBAxAEKicWg50sPSR0oO0roRsrSziDpnJf+nxC Y5uUDPOCs/KDHeSv1XIvK0yv5rpesh7lZeIESpJSyBG9IlEl8vQhmt+Bohy53xWs r5NJIktmeU+whCil8X9SYndc63UrdOoEVlKLApLDrskR91NDbx/YAv/YeNYQO4iB jP38E0bRliO5yxHENZLdP0PAhksBnC/rYXOiilBHqUFMKZJzaH1flTBjpiawojb1 9jOQPcIQ8eNC3EKl0LkaZs9dzlmF69ore8A3swck+bHnII9dhzmJS09iMc1KQDHb xjeF3XzvaQzwq6TtZcRyzEpcHtnIBe2w6LNgSEzuEIPKHVLKqDWfzbuAL6/+DPGf -----END PGP PUBLIC KEY BLOCK-----
Whenyougivesomeonethemessageorkeyorsignatureyouwanttocopyallthetextincluding everythingyouseeintheexampleabove.
3.4.
Steganography
Another good form of encryption is steganography which is the act of hiding data within text, graphic files, or audio files. The purpose of this method is so that nobody will know that there is a private message inside the medium (photo, document, etc.) because it is hidden. Lets say Bob wants to send private messages to Steve over a public forum read by numerous people. Bob grabs a picture, puts a hidden message inside and uploads it to the website. Nobody knows the message is there except for Steve, which is able to save the picture to his computer and read the message hidden inside. Forensic examinerswillneedtobelookingateachindividualfiletodetermineifsteganographywasused.Sofor exampleifyouhave1000pictures,theywillneedtogothrougheachandeveryonetodeterminewhich oneshavesteganographyandwhichonesdonot.
P a g e |18 Using steganography is as easy as downloading the right software from the internet. I started out by downloading one of the more popular freeware tools out now: F5, then moved to a tool called SecurEngine,whichhidestextfileswithinlargertextfiles,andlastlyatoolthathidesfilesinMP3scalled MP3Stego. I also tested one commercial steganography product, Steganos Suite. These tools may contain backdoors as with all encryption programs therefor should not be used with data you are trying tohidefromanypartythatmayholdthedecryptionkey.
3.5.
Authentication Factors
There are three common authentication factors in the security field that people refer to often. This is somethingyouknow,somethingyouhave,andsomethingyouare.Ausernameand passwordfallsinto the something you know category. This is because you know in your mind what your username and password is. Something you have is a physical device such as a smart card or token. Finally, something youarereferstoafingerprint,anirisscan,oranotherphysicalfeature. When setting up TrueCrypt most people only use a password, which is adequate for most scenarios. Another feature of TrueCrypt allows for multifactor authentication, which is as it implies, when the user uses two or more authentication factors. Multifactor authentication relies on both factors when trying to decrypt the file or get into your system and is recommended to provide the best security. The link provided will elaborate more on key files, security tokens, and smart cards when using TrueCrypt: Click here
3.6.
Case:TheSarahPalinemailhackoccurred onSeptember16,2008,duringthe2008 UnitedStatespresidentialelection campaignwhentheYahoo!personalemail accountofvicepresidentialcandidate SarahPalinwassubjectedtounauthorized access.Thehacker,DavidKernell,had obtainedaccesstoPalin'saccountby lookingupbiographicaldetailssuchasher highschoolandbirthdateandusing Yahoo!'saccountrecoveryforforgotten passwords.
P a g e |19 Another common attack that people do not usually think of is account recovery attacks. This is when someone is trying to login into your account by attempting to reset your password by using your accountrecoveryquestions.Forthisreasonyoushouldmakesurewhencreatingsecurityquestionsand answersthattheyarenoteasilyguessed(orfound).Agoodrecommendationistomaketheanswersas complicatedasthepasswords,butstillcanbeeasilyremembered.
3.7.
The problem with passwords is they are usually too easy to crack or they are too hard for the users to remember. Therefore, both of these problems should be considered when creating a new password. Start by creating a password that is at least 16 characters. Use as many different types of characters as possible, including: lowercase letters, uppercase letters, numbers, and symbols. Never reuse a previous password and never use the same password for more than one account. Dont use passwordstorage tools, whether software or hardware. Make sure that your password does not include anything identifiable such as: names, usernames, pet names, or words in a dictionary. Lastly, make sure that the password is not too hard for you to remember so you dont forget the password or have to write it downorsaveit.Hereisanexampleofasitethatcancreateasecurepassword:clickhere.
3.8.
When people refer to hashing, they are referring to a type of encryption. Hashing is the process of creating an encrypted output that cannot be decrypted (it performs a oneway encryption) and is used to ensure that a message or file was not modified from the original copy. Hashing is also commonly used to help authenticate somebody. For example, many websites store a hashed copy of your password instead of the password in the clear. There are several types of hashing algorithms and the newer versions are better than the outdated versions for security purposes. SHA256 is the newest versionandisrecommendedasofrightnowwhenyouarecheckingfileormessagehashes. Using asymmetric encryption provides integrity as well as the already explained confidentiality. When you successfully decrypt a message that another user sent you, you have verified its integrity. Another way to ensure integrity is to create the hash of a file or a message and allow people to check the hash theygenerateagainstthehashyougavethem.Forexample:letssayBobuploadsafileforSteve.Bob uploads a file and generates a hash (lets say a value of 456) so Steve can make sure that when he downloads the file, it was not changed along the way. After downloading and saving the file, Steve also generates a hash of the saved file. If Steve generates the same hash, the file was not altered. But if Steve generates a different value (lets say 334), than the file has been changed. Personally, I use HashMyFilesbecauseitiseasytouseandisastandaloneprogram.
P a g e |20 Try it out Hashing 1. Downloadingandsavethisfile:http://ocrlwkklxt3ud64u.onion/files/1343933815.txt.Ifthefile opensupinyourbrowser,thensaveeverythingtoatextfileandsaveashash.txt 2. DownloadtheprogramHashMyFilesandstartitwhenthatiscomplete 3. ClickFile>AddFilesandselecthash.txt 4. Recordthehashofthefile(pressF7onyourkeyboard)*IusedMD5forthistest 5. CompareyourhashtothehashIgeneratedbeforeuploadingthefile (83a814a08b5edfa57c003415224f8b46) Another good method of ensuring that a file is actually sent from someone who claims they sent it is if they digitally sign a message using their private key. What you need to know is that you can digitally signamessageorfilewithoutactually sendingthe messageorfile.Thisishelpfulifyouwanttosharea file in which everybody knows what the password is whilst allowing them to confirm that it came from you. Try it out Digital Signatures 1. IamassumingthathavealreadysetupGPGandhavecreatedyourPrivate/Publickeypair 2. Startthecommandprompt:Start>Run>cmd>OK*WindowsVista/7,typecmdinSearch ProgramsandFeatures.Ablackboxshouldpopup 3. Thecommandtocreateadigitalsignatureisgpgoutputoutputfilelocaluserusername detachsigninputfile.Forexample,Itypedingpgoutputfinal.siglocalusermissionman detachsigntest.txt 4. Toverifythedigitalsignature,typegpgverifysignaturefilename.Forexample,Itypedin gpgverifyfinal.sigc:\test.txt While talking about hashing, I should mention Hashing Collisions. Hashing Collisions occur when two distinctly different messages produce the same hash result. Birthday attacks attempt to exploit this vulnerability byrelyingon thelikelihoodofthecollisionsoccurredbetweentherandomattackattempts andthenumberofpermutations.As anexample, considerthe scenarioinwhicha teacherwithaclass of 30 students asks for everybody's birthday, to determine whether any two students have the same birthday. Intuitively, this chance may seem small. If the teacher picked a specific day (say September 16),thenthe chancethatatleastonestudentwasbornonthatspecificdayis1(364/365)^{30},about 7.9%. However, the probability that at least one student has the same birthday as any other student is around70.
P a g e |21
3.9.
In cryptography, a cold boot attack (or to a lesser extent, a platform reset attack) is a type of side channel attack in which an attacker with physical access to a computer is able to retrieve encryption keysfromarunningoperatingsystemafterusingacoldreboottorestartthemachine.Theattackrelies on the data remanence property of DRAM and SRAM to retrieve memory contents which remain readable in the seconds to minutes after power has been removed. Basically, when a computer is restarted,theencryptionkeys(passwords)mightstillexistinRAMandmayberecoverabletotheextent thattheycanbeusedtodecryptyourdevice. There are a few ways to mitigate this risk. The best method is to make sure to dismount the drive before ending the program or shutting the computer down. Most software programswillerasethekeyfrommemoryafteryouperform this action. This method is the best way to prevent cold boot attacks. Shutting the computer down cleanly should also ensure that the key is erased from memory. Another mitigation technique is with using a security token or smart card.Thiscanbefooledthoughiftheattackergrabsthekey andhasthetoken/smartcardinhand. Note:Manyforensic investigatorscarryacanof compressedairwiththemto acrimescenetofreezethe RAMstickforfurtheranalysis.
P a g e |22
Chapter 4_ Data
his section will talk about data in general: how it gets stored and what happens when it is deleted. Furthermore, we will take about recent file lists and data caching. Knowing how Windows and other applications handle these files will help eliminate the risks associated with evidence left over after your session. You will learn how to find and remove this data completely and securely from your computer. In some instances, you will also learn how to prevent these risks from happeningaltogether.
Topics
ThisChapterwillcoverthefollowingtopics: DeletedData DeletingDataSecurely FileSlack WindowsSwapFiles,ReadyBoost,TemporaryInternetFilesandBrowserCache TemporaryApplicationFilesandRecentFilesLists EventLogs Printers,PrintJobs,andCopiers Cameras,Pictures,andMetadata USBInformation SSDSolidStateDrive WheretoHideYourData
P a g e |23
4.1
Deleted Data
A common misconception that computer users have is, when you delete a file, it is completely removed from the hard disk. However, you should know that highly sensitive files such as pictures, passwords, chat logs, and so forth still remain on the hard disk. Even after they are deleted from your recycle bin, they are still located on the hard drive and can be retrieved with the right software. Take for example when you use WinRAR to extract the file that someone sent you. The program extracts the data to a temporaryfilebeforeitreachesitsdestinationonyourharddisk;thismayleadtoadataleak.
Note:YoucanchangethelocationwhereWinRARextractsthetemporarydatato.Navigate toOptions>Settings>Paths.YoucanchangethepathunderFolderfortemporaryfiles.
Any time that a file is deleted from a hard drive, it is not erased. What are erased are the bits of information that points to the location of the file on the hard drive. The operating system uses these pointerstobuildthedirectorytreestructure(thefileallocationtable),whichconsistsofthepointersfor everyotherfileontheharddrive.Whenthepointersareerased,thefileessentiallybecomesinvisibleto theoperatingsystem.Thefilestillexists;theoperatingsystemjustdoesn'tknowhowtofindit. Shadow data is the fringe data that remains on the physical track of storage media after it is deleted, sweeped, or scrubbed. A mechanical device called a head is used to write the data, and it is stored electronically in magnetic patterns of ones and zeros. The patterns are in the form of sectors which are written consecutively in concentric rings called tracks. However, head alignment is just a little bit different each time an attempt is made to erase data, and data remnants sometimes bleed over the tracks. This is the reason why government agencies require multiple scrubs or burning, because there is noguaranteeofcompleteeliminationoffringe,orshadow,data. Theonlywaythatyoucanpermanentlydeletethisdataistooverrideitwithspecialsoftwareorwaitfor the operating system to overwrite the data. There are files on the hard disk that do not have any pointers in the file allocation table so it will eventually be overridden with something new. Even files that are fragmented or are partially written over are recoverable and can be used against you. Special software will overwrite these files securely and immediately. One such recommended software that securely cleans the white space is CCleaner. As a word of note, people suggest that's simply defragging a hard drive will overwrite these pointers; this is not true. Drives formatted using NTFS are especially not affected using this method. This is because of the way NTFS stores data; it essentially makes defraggingtheharddriveuseless.
P a g e |24 Try it out CCleaner 1. DownloadandinstallCCleanertoyourmachine.MakesurewhenyoudownloadCCleanerfrom theinternet,aswithallprograms,youdownloadfromthemanufacturerswebsiteonly.Thelink hasbeenprovidedforyou:http://www.piriform.com/ccleaner/download/standard 2. OpenCCleanerpressToolsontheleft 3. SelectDriveWiper 4. SelectFreeSpaceOnlyinthedropdownboxnexttoWipe 5. Inthesecuritydropdownbox,Irecommendselectingthecomplexoverwrite 6. ChoosethedriveletteryouwishtocleanandpressedWipe
4.2
As mentioned before, when you delete data, it is not actually deleted and can be easily recovered. To prevent data from being recovered you must secure erase (or shred) the data. What special programs dotosecurelyerasecontentsfromacomputeristheyenumeratethrougheachbitofdataandreplaceit with a random bit. The shredding method I recommend is 7 passes. This process makes the bits unknownasrecoveryofthisdatadifficult,ifnotimpossible.Thiscanbedonewithfileeraserprograms, oritcanbedonetotheentiredrivewithbootablesoftware.DBANisrecommendedifyouaretryingto erase your entire drive. Note however, DBAN does not erase bad sectors or HPA/DCO areas. Some programs such as Blancco implement HPA/DCO wiping by default, other tools could allow the user to choosewhetherornottowipeHPA/DCOwhileothertoolsarenotabletowipeHPA/DCOatall. HPA stands for Host Protected Area and is a section of the hard drive that is hidden for the operating system and the user. The HPA is often used by manufacturers to hide a maintenance and recovery system for the computer. For this reason, the HPA is not a big concern, but you can securely remove data here nonetheless. A DCO is a Device Configuration Overlay and is another hidden area of todays harddrives.SimilartotheHPA,theDCOscanbesecurelyerasedinsuchthesameway. While recovery of information wiped out in this manner is far more difficult, and in many cases impossible, some recovery techniques exist that specialists can employ to retrieve some of the data. Factorssuchasthesizeoftheharddrive,theaccuracyofthemechanicalsysteminthedrive,thepower with which the information was recorded, and even the length of time the information was left on the drivepriortowipingallwillhaveaneffectontheprobabilitiesforrecovery.
P a g e |25 Another method is to physically destroy the hard drive to a state that is irreparable. The best method for this is to open the hard disk and grind the platters to obliterate all data. Another method for hard drives that use disks is to use an industrial strength magnet to remove the data. Optical disks (CDs, DVDs, etc.) can be shredded if they are not writable. Also, optical disks can be destroyed be cooking them and is the best method for destroying data on optical media. Cooking them however is not recommendedforpracticingoreverydayuseastheyreleaseatoxicfume.
4.3
File Slack
To understand file slack, one first needs to understand how disks are organized at the lowest level. As can be seen in the diagram below, disks are subdivided into a set of tracks. These tracks are further subdividedintoasetofsectorsandcollectionofsectorsformtogetherto makea cluster. Ifyouwritea 1 KB file that has a cluster size of 4 KB, the last 3 KB is wasted. This unused space between the logical endoffileandthephysicalendoffileisknownasslackspace. The perhaps somewhat unexpected consequence from this is that the file slack contains whatever data was on the disk before the cluster was allocated, such as data from previously deleted files. Using file slack, it would be possible not only to recover previously discarded (and potentially sensitive information) information, but also to effectively hide data. The ability to hide data arises because the operating system does not modify data within a cluster once it has been allocated. Thismeans that any datathatisstoredintheslackissafe(providedthefilessizedoesnotchange).
P a g e |26
4.4
Location HPA
MBR Partitionslack
Volumeslack
Fileslack Unallocatedspace
4.5
Windows Swap Files, ReadyBoost, Temporary Internet Files and Browser Cache
A swap file allows an operating system to use hard disk space to simulate extra memory. When the system runs low on memory, it swaps a section of RAM that an idle program is using onto the hard disk tofreeupmemoryforotherprograms.Thenwhenyougobacktotheswappedoutprogram,itchanges places with another program in RAM. This feature ensures that Windows is usable when memory runs out.Eventhoughthisfeatureishelpful,sensitiveinformationmightbecontainedwithintheswapspace thatcouldincriminateyou.
P a g e |27 Letssayyoudownloadsensitivematerialandafteryouweredonewithit,youdeleteitsecurely.Ifyou ran out of memory (RAM) the temporary data might have been saved to swap space thereby rendering your method of removing the file useless. The best way to attack this problem is to disable paging altogether while viewing sensitive information. If you are using applications that use large amounts of memory,youcanturnpagingbackonduringyoursession. Try it out Disable paging 1. OpentheStartMenuandgotoControlPanel 2. ClickontheSystemicon 3. SelecttheAdvancedtab 4. UnderPerformance,clickSettings 5. GotoAdvanced 6. UnderVirtualMemory,clickChange 7. SelectNoPagingFileandthenclickSet 8. ClickOKinallthemenus 9. Restart 10. Toenablepagingagain,simplyselectAutomaticallymanagepagingfilesizeforalldrives ReadyBoostisanothercachingfeatureintroducedinWindowsVistaandwascontinuedwithWindows7. It works by using flash memory, a USB flash drive, SD card, CompactFlash or any kind of portable flash mass storage system as a cache. Data that is written to the removable drive is encrypted using AES 128bitencryptionbeforewrittentothedrive.Thismeansthatanexaminerwhorecoversthedrivewith theReadyBoostinformationwillfinditdifficulttodecipherthisdata. Another way that Windows operates under the surface is when creating temporary internet files. Temporary Internet Files is a folder on Microsoft Windows which holds browser caches. The directory is used by Internet Explorer and other web browsers to cache pages and other multimedia content, such as video and audio files, from websites visited by the user. This allows such websites to load more quickly the next time they are visited. Not only web browsers access the directory to read or write, but alsoWindowsExplorerandWindowsDesktopSearch. You can see how this is a problem if you ever want to download (or view) pictures or files that contain sensitive material. Furthermore, other applications might use temporary files when handling content. For example, when I talked about WinRAR earlier, I explained that when you unpack data from an archive, the program creates a temporary file on your file system before it is moved to its destination. The only way around this (excluding internet cache) is to periodically wipe slack data as stated before. Whendealingwithinternetdata,youshouldbeconcernedwithdeletinginternetcacheandcookies.
P a g e |28 Try it out Delete internet cache 1. StartFirefox 2. ClickTools(ifyoudonotseethemenubarpresstheAltkeyonyourkeyboard.Themenubar shouldappear.) 3. ClickOptions 4. ClickPrivacy 5. SelectTorBrowserwill:UsecustomsettingsforhistoryandcheckClearhistorywhen TorBrowsercloses
4.6
Every time you open up a file from Windows Explorer or the Open/Save dialog box, the name of the file is recorded by Windows. This feature was introduced into Windows and other applications to make those applications more user friendly by allowing easy access to those recently used files. Such the same, some applications create cache that is stored on your computer so the application can run faster thenexttimeitisloadedoraspecificprojectisbeingworkedon. Recent file lists and application caching does make the experience more friendly, but it also added security risks. If for example, someone took a video and loaded it into a video editing software. The softwaremighttakepiecesofthevideoandsaveittoyourharddriveforfastaccess.Thesamegoesfor viewing videos/images that are sensitive by nature. Whoever is looking at the recent files list for your computer,willknowwhatthenamesoffilesareaswellaspossiblyknowingthelocationofthosefiles. First we are going to talk about what is known as thumbnail caching. Thumbnails are the little pictures that are loaded for every file in Windows Explorer as a little preview of sorts. A thumbnail cache is used to store thumbnail images for Windows Explorer's thumbnail view. This speeds up the display of thumbnailsasthesesmallerimagesdonotneedtoberecalculatedeverytimetheuserviewsthefolder. You can see where this is a problem when you open a folder containingsensitivepicturesorvideos.Thumbnailcachesarestored in thumbs.db files and the locations will vary depending on the Operating System. In Windows XP, the thumbs.db files will be Note:JumpListsappearon storedineveryfolder. theStartmenuaswellason theTaskbarwhenyouright clickonanicon.Youcanuse ittoperformspecific Windows 7 and Vista saves all the thumbnails in a central location. actions, butforsecurity The cache is stored at %userprofile%\ AppData \Local \Microsoft purposes,itcanrecordfiles \Windows \Explorer as a number of files with the label thatwererecentlyopened. thumbcache_xxx.db (numbered by size); as well as an index used to find thumbnails in each database. This makes it easier for us to
P a g e |29 locate and remove the caches of these thumbnails. You can use CCleaner to remove the existing cache. Irecommendusingthispagetoenable/disablethumbnailcaching.Clickhere Another feature of Windows and several applications is recent files lists. There are several locations where these lists can appear, yet there are only two ways they are saved: the registry or as a file. Windows XP saves file names in the registry and a centralized location in Windows Explorer whereas Windows 7 introduces yet another list known as a jump list which can also be cleaned by using CCleaner. Try it out Disable jump lists 1. RightclicktheStartMenuandclickProperties 2. ExpandtheStartMenutab 3. UncheckStoreanddisplayrecentlyopeneditemsintheStartmenuandthetaskbar 4. ClickOK CCleaner erases most all (if not all) of the recent file lists for Windows as well as for a few other applications.Listedbelowarecommonlocationswheretheserecentfilelistsandapplicationcachescan befoundat(Iwouldlookintowinapp2.iniformorelocationswhichisanaddonforCCleaner): Registry(allareinHKEY_CURRENT_USER): (Windows)Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs (Windows)Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU (Windows)Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU (Windows)Software\Microsoft\MediaPlayer\Player (Windows)Software\Microsoft\InternetExplorer\TypedURLs (MediaPlayerClassic)Software\Gabest\MediaPlayer Classic\RecentFileList (MediaPlayerClassic)Software\Gabest\MediaPlayer Note:Otherapplications Classic\Settings includePrivaZerfor Files: WindowsandBleachbit for Linux. (Recentfilelist)%appdata%\Microsoft\Windows\Recent (Jumplist)C:\Users\<user name>\AppData\Roaming\Microsoft\Windows\Recent\ AutomaticDestinations (TempdataVista/7)C:\Users\<username>\AppData\Local\Temp (TempdataXP)C:\DocumentsandSettings\<username>\LocalSettings\temp
P a g e |30 Try it out Setting up CCleaner 1. DownloadandinstallCCleanertoyourmachine.MakesurewhenyoudownloadCCleanerfrom theinternet,aswithallprograms,youdownloadfromthemanufacturerswebsiteonly.Thelink hasbeenprovidedforyou:http://www.piriform.com/ccleaner/download/standard 2. OncetheprogramisopenclicktheOptionsbuttononthelefthandsideofthewindow 3. Next,clickonSettings 4. MakesurethatSecurefiledeletion(Slower)ischecked,ComplexOverwrite(7passes)is selectedinthedropdownboxandWipeMFTFreeSpaceischecked.VeryComplexOverwrite canbeselectedinsteadofComplexOverwrite.TheComplexOverwriteistheminimumyou shouldchoose 5. ClickCleanerontheleft 6. MakesuretheyalltheitemsarecheckedunderWindowsExplorer Another thing I do is set CCleaner to perform a clean whenever I log into the machine and every hour thereafter. Cleaning your computer automatically will help with managing this program as you will not have to remember to manually run the program every so often. One drawback with this method however is if an application is using temporary data that is erased by CCleaner, the application might performincorrectlyorstopworkingaltogether. Try it out Setting up CCleaner to automatically run (Windows Vista/7) 1. StartCCleanerandselectOptionsontheleft 2. CheckSaveallsettingstoINIfileundertheAdvancedtab 3. OpentheStartMenuandenterTaskSchedulerintothesearchbox 4. ClickontheActionheaderinthemenubarandselectCreateBasicTask 5. Followthestepsofthewizardtocreatethetask.Inthefirstwindow,namethetaskandgiveita descriptiontohelpyourememberwhatitislater 6. Onthenextpage,selecthowoftenyouwantthistorun.IcheckedtheWhenIlogoncheckbox 7. SelecttheoptionlabeledStartaprogramonthenextpage 8. HitBrowseandnavigatetothedirectoryyouinstalledCCleanerto.Add/AUTOtothetextfield labeledAddarguments 9. ClickFinish Finally, for those of you who switched to Windows 8 should know about the app data. Windows 8 for starters has made significant strides over Windows 7 in respects to the interface. They have added the Metro interface which hosts a plethora of apps that can possibly leak important data. Two such apps aretheWindowsPhotosandWindowsVideo.Whenviewingaphotoorvideo,youcanimmediatelysee that the photo or video cap is cached as they are still apparent even after the material is deleted. Obviously,youcanseetheglaringissuewiththiswhenitconcernssecurity.
P a g e |31 I have not too much research on the matter, so I am going to be brief. For starters, all your apps are locatedinyourappdatafolder.Specifically,thefolderpathsareasfollows(perusersettings): Locationofallyourapps:C:\Users\Username\AppData\Local\Packages. WindowsPhotos: C:\Users\Username\AppData\Local\Packages\microsoft.windowsphotos_8wekyb3d8bbwe\ LocalState When the app is closed the cached images no longer appear on the Metro interface. Furthermore, the cached images dont appear when you open the app again. I did some more investigating into Windows Photos and notice thatseveralfilesgetincreasinglylargerafterIviewimages intheWindowsPhotosappevenaftertheappisclosed. Specifically,thosefilesarethe: Microsoft.WindowsLive.ModernPhotos.etl, Microsoft.WindowsLive.ModernPhotosLast.etl,and ModernPhoto.edb. Other files exist that show the last 5 images that were cycledthroughontheWindowsPhotosMetroapp. These files are LargeTile1(through 5) and SmallTile1(through 5). The latter files should not be an issue unless they containedsensitiveimages. I cannot read what is actually contained within the files themselves, but I can be reasonably sure that with everything Windows, image previews are being cached and stored to limit I/O usage and speed up theloadingprocess.Sayingthis,itisrecommendedthatyoudeletethesefilessecurelyifyouaccidently orpurposelyopenpicturesusingtheWindowsPicturesapp(anditisgoingtohappen,trustme).To do this you should close the Pictures app (from the gesture on the left side or the task manager) and securelyerasethosefilesusingaprogramofchoice. When setting up a user profile in Windows 8, if you gave your actual name when creating the Hotmail profile you used when logging into Windows 8, that name will be automatically embedded as metadata in a variety of documents. So make sure that you have a metadata cleaner if you plan on uploading anything sensitive. If you use Bing which is the default search provider and included preinstalled as an app, you should know that Bing creates a separate web history of its own and stored the data over the internet. So make sure that anything sensitive gets purged. People also expressed concerns with ReFS, which is not used on Windows 8 devices moreso is it used with Windows Server 2012 (Windows Server 8). Also, with the advent of Office 2013, the default location that the documents will be saved is Windows Skydrive;so you can see how that might be a security concern if you save something sensitive withoutlooking.ConcerningcontentsavedtoWindowsSkydrive,hereispartofMicrosoftsTOA:
P a g e |32 Youwillnotupload,post,transmit,transfer,distribute,orfacilitatedistributionofany content(includingtext,images,sound,video,data,informationorsoftware)or otherwiseusetheserviceinawaythat: 1. depictsnudityofanysort,includingfullorpartialhumannudity,ornudityin nonhumanformssuchascartoons,fantasyartormanga. 2. incites,advocates,orexpressespornography,obscenity,vulgarity,profanity,hatred, bigotry,racism,orgratuitousviolence. So,theyscanyourdocuments(andpictures)foranythingthatviolatesitsTOA,andiftheyfindanything, you are banned and possibly facing criminal charges. Hotmail accounts and Windows 8 account will have to be recreated, your XBOX live and Skydrive account will be disabled as well. They also actively scan for child pornography so make sure you don't accidentally save to a Skydrive account either. This seems like a huge invasion of privacy digging deep within all your documents and pictures (even if it is automatic)andtherepercussionscanbeimmense.
4.7
Shellbags
WhenyouopenafolderinWindowsExplorerandcustomizetheGUIdisplayWindowsusestheShellbag keystostoreuserpreferences.Everythingfromvisiblecolumnstodisplaymode(icons,details,list,etc.) tosortorderaretracked.Ifyouhaveevermadechangestoafolderandreturnedtothatfoldertofind yournewpreferencesintact,thenyouhaveseenShellbagsinaction.InthepaperUsingshellbag informationtoreconstructuseractivities,theauthorswritethat"Shellbaginformationisavailableonly forfoldersthathavebeenopenedandclosedinWindowsExploreratleastonce.Sobasically,ifyou visitthatfolder,ashellbagiscreated. ThankstothewondersofWindowsRegistrylastwritetimestamps,wecanalsoidentifywhenthatfolder wasfirstvisitedorlastupdated(andcorrelatewiththeembeddedfolderMACtimesalsostoredbythe key).Insomecases,historicalfilelistingsareavailable.Thismeansthatevenifyoudismountadrive (letssayyouareonlyusingaTrueCryptcontainer)ordeleteafolder,thefoldersthatyouopenedwill stillberecorded.Normally,thiswouldnotbeanissuebecausejustthefoldernamesarerecordedhere, butifyounameyourfoldertothatofsomethingsensitiveandthenamealludestocriminalactivity,you willbeintrouble.
P a g e |33 Registry Keys Ifyouarecuriousastowhatforensicdatacanbefoundoutbyusingshellbags,agoodprogramtoview alloftheahellbagscanbefoundhere.Youcanalsoremovetheshellbagsthatcontainsensitive informationthatyouwishnotbefound. Todisablethemalltogetheryoucandothis: NavigatehereintheRegistry(ifyoudonotknowwhatyouaredoing,thenIDONOTRECOMMEND THIS):[HKEY_CURRENT_USER\Software\Classes\LocalSettings\Software\Microsoft\Windows\Shell] LeftclickontheShellkeyandintherightpane,ifyoucanseeBagMRUSizethenthereisnoneedto undertakethisstep.Ifitisn'ttherehowever,rightclickandselectNew>DWORD32bitValueandname itBagMRUSize.Nowsetthisvalueto0inDecimalview. WindowsusesthefollowingRegistrykeystosavethefoldersinformation: HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell HKEY_CURRENT_USER\Software\Classes\LocalSettings\Software\Microsoft\Windows\Shell (OnlyinWindowsVista)
4.8
To start, there is a feature that began with Windows XP that is known as Windows Prefetching. Windows Prefetch files are designed to speed up the application startup process. Prefetch files contain the name of the executable (the program you are running), a Unicode list of DLLs (Dynamic Link Libraries;filesthatsupportstheprograminordertorun)usedbythatexecutable,acountofhowmany times the executable has been run, and a timestamp indicating the last time the program was run. This meansthatifyouaretryingtouseprogramssuchasTrueCryptorsecuredeletionprogramsorotherfile encryption programs, a Prefetch file will be created thus alerting the forensic investigators. This is not usually an issue unless you are trying to counter forensic techniques without letting the investigator know.
P a g e |34 An example where Prefetching is troublesome is when you are trying to change the Windows Timestamps for files. Every time a file is created, accessed, or modified a Timestamp is created. Changing the timestamps are a good idea to throw the investigators off. Also, it is easy to change as there are programs that can do that for you. A popular program is TimeStop; but an investigator can investigate the Prefetch file and determine that the program was run. When this happens they can be reasonably certain that the timestamps were changed maliciously. So, before you download the file I wouldpackthefileusingaprogramsuchasUPX(UltimatePackerforeXecutables).Thiswillchangethe hashofthefilesotheinvestigatordoesnotknowTimeStopwasusedwhenexaminingthePrefetchfiles.
4.9
Event Logs
Event logs are special files that record significant events on your computer, such as when a user logs on to the computer or when a program encounters an error. Whenever these types of events occur, WindowsrecordstheeventinaneventlogthatyoucanreadbyusingEventViewer.Aninvestigatorcan determine security related information (These events are called audits and are described as successful or failed depending on the event, such as whether a user trying to log on to Windows was successful), application and service information, and more. As security information is not incriminating, investigators can tell when you attempted to log in and out of the computer, which can correspond to suspected times. Also, application data might not be incriminating, but depending on what the applicationactuallylogs,filenamesandotherincriminatingevidencemightberecorded. Try it out Erase event logs 1. OpentheStartMenuandgotoControlPanel 2. ClickonAdministrativeToolsandopenEventViewer 3. ExpandWindowsLogsontheleft 4. RightclickApplication,Security,andSystemandclickClearLog
P a g e |35 Theshadowfile(.SHD)cancontaininformationaboutthejobitself,suchasthe printer name,computer name, files accessed to enable printing, user account that created the print job, the selected print processor and format, the application used to print the file, and the name of the printed file (which can betheURLifafileisprintedfromtheweb).AllofthisdatacanbeseeninUnicodeusingahexeditoror forensicsoftware. Spool files (.SPL) on the other hand contain the actual data to be printed. This means that if you print a picture for example, a copy of the picture is created and temporarily stored in the spool folder. Next, the print job is finally sent to the printer and both the .SHD file and the .SPL file are deleted. If there is anerrorwhereasthedocumentwaitsinthequeuelist,thesefilescaneasilybereadandthecontentsof thefilerevealed.Itisalsoimportanttonotethatthesetwofilesweredeletedinsecurely,sothereisthe possibilityofrecovery. Since 2002, every copier has the capacity to store copies of the documents that are copied or printed. Furthermore, copiers mark the documents they copy with a hidden code to provide an identifier for the copier. This means that printed documents and copies might be stored on the printers hard drive, or they might be recoverable if they were already deleted. There is also a security concern whereas printed documents can be tied to specific printers. Lastly, print documents can be captured if you are sending them to a printer that is located over the network. Currently, it is up to the manufacturer to providesecuritywhensendingjobstoaprinter. Try it out Read spool data 1. Iamgoingtoassumethatyoualreadyhaveaprinterinstalledonyourmachine 2. Disconnecttheprinterspowersource.Thiswillallowustoviewthe.SHDfileandthe.SPLfile 3. Sendaprintjobtothatprinterthatyoujustdisconnected 4. OpenWindowsExplorerandintheaddressbar,typein%windir%\System32\spool\PRINTERS 5. YoushouldnoticethetwofilesImentioned:a.SHDfileanda.SPLfile.Ifyouhavemorethan twofiles,thenyoumighthaveadditionalprintjobsinthequeue 6. Selectthefilewiththeextension.SPL,rightclickandselectCopy.Pastethefileinthelocation ofyourchoice. 7. DownloadandinstalltheprogramSPLViewfromthemanufacturerswebsite:clickhere. 8. EitheropenthefilefromwithinSPLView,orifyouassociatethe.SPLextensionwiththe program,youcansimplydoubleclickthefile 9. ToviewSHDfile,IrecommenddownloadingausingSPLViewer:clickhere.Ifthefileislocked, youcanfollowTryitoutremovingservicesinsection5.2,anddisablethePrintSpoolerservice 10. TurntheprinterbackontofinishprintingthedocumentordeletethefileswhenthePrint Spoolerserviceisstopped(Tryitoutremovingservicesinsection5.2)
P a g e |36
P a g e |37 You should also know that pictures are not the only material that can contain sensitive information. Documents can include Microsoft Office documents (Word, Excel, PowerPoint), OpenOffice.org documents, PDF documents, and popular image and media file types such as JPEG, JPEG 2000, PNG, SVG, AVI, WAVE, AIFF, MP3, MP4, and F4V. It is best to either remove the data from these files before sharing them or it is best not to share them all together. You should know that changing the file extensiondoesnottricktheinvestigators.Theyusefileheaderinformationtogatherpictures/videos. As we are talking about pictures, you should also be concerned what is in the pictures themselves. Law
Enforcement Agencies have teams of analysts that pick apart background data to determine names, addresses, geographic data, demographics, and etc. As the case provided, detectives were able to determinewherethesuspectlivedbasedonatoybunnyandanorangesweatshirtasseeninoneofthe photos. You should attempt to remove all information that includes names, dates, addresses, paraphernalia or anything in nature that is region specific, or anything else that can be identifiable. Tattoos, and other body parts (not specific to the face) are identifiable too. For example, veins on the penis can be linked to a specific person. Recently, somebody was taking photos of his underage daughter and posting them online. The problem is he posted one with a clear view of a prescription bottleinthebackgroundandgotbusted.Notsmart;dontmakethejobsoftheLEAeasier. When editing a photo for the first time, I usually crop the sides of the image, add blurring (even though some investigators have recently been able to reverse the blurring process and render this useless) and the halo effect, smooth physical features of adults, remove items that are identifiable, and sometimes replace the background altogether. If you really want to get involved, you can change physical features such as eye or hair color. Doing this will not trick an investigator, but it will obscure the features of a photo making it harder for someone to identify you. Also, if done correctly, it will enhance the photo visuallyandthepresentationwillbemuchbetter.
P a g e |38 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR and the setupapi.log file can be found here: %windir%\setupapi.log. All of the subkeys under USBSTOR will contain information about every device that was plugged into your computer via the USB. The setupapi.log file contains information about device changes, driver changes, and major system changes, such as service pack installationsandhotfixinstallations. To delete this registry key and or subkeys you must first rightclick the key and choose permissions. You can then set the everyone group with full permission to the key or subkeys so that they can then be deleted. Im sure it isnt too difficult to whip up a script or piece of software to automate this. Also, if youhavesystemrestoreenabled,theinformationmightbecontainedinthereaswell.Thesetupapi.log file should be securely deleted as you would with anything sensitive. As pointed out to me by a forum thatIfrequent,hereisaprogramthatwilldothisforyou:https://code.google.com/p/usboblivion/.
P a g e |39
Partitionmanagers Passwordrecoverytools
P a g e |40
Chapter 5_ Continuity
ervice and data continuity is the activity performed by you to ensure that files and services will be available to yourself and others for the applicable lifetime. There are several methods to provide continuedsupportincluding:backingupdata,usingcontrolsandtechniquestorestrictaccess,and implementing controls on servers, networks, and other devices. None of these controls should be skippedastheyareallequallyimportant.Thisstepisoftenoverlookedwhen securingyourinformation butassuresavailabilityismet.
Topics
P a g e |41
5.1
Tostart,WindowsbackupandrestoreisafeatureofWindowsanddoesexactlyasitimplies;itbacksup your data. Without much explanation, there are three types of Windows backups: full, differential, and incremental.Afullbackupprovidesabackupregardlessofpreviousbackups.ADifferentialbackuponly backsupdatathatwaschangedsincethelastfullbackupandanincrementalbackupbacksupdatathat waschangedfromthelastfullbackup,orthelastincrementalbackup. I know I am stating the obvious, but make sure that you do not backup anything that is confidential. Whether by accident or on purpose, once you backup sensitive data, it does not matter if you remove the file from your computer because a copy is already made. Personally, I keep all my sensitive informationinanencryptedcontainerbyitselfsoIdontconfuseitwithmyotherstuff.AfterImoveall of my sensitive information into a container by itself I have ensured two things, 1) my information is securedand2)nothingisbeingbackedupthatisnotsupposedto.
5.2
If you use sleep or hibernation, the encryption keys and everything else that is open at that time is saved, allowing a third party to bypass the security measures you have in place. For example, everything that you have opened at this moment, including mounted containers and open documents, will be viewable by forensic investigators. The best mitigation technique is not to use them or to disable both hibernation andsleepaltogether.
5.3
Keepingabackupofallyourprivate/sensitivematerialsisagoodideaforthecontinuityofsuchdata,as long as that data is secure. Securely storing data has been discussed in another section, so I will only make a recommendation. I would create a container with TrueCrypt and store all sensitive data within
P a g e |42 that container before saving the backup somewhere else. Doing this will achieve two goals in the CIA triad,confidentialityandavailability. Therearetwolocationsthatneedtobeconsideredwhenbackingupdata:locallyandremotely.Alocal copy is a good idea when data loss occurs and you want an immediate, speedy recovery of the backed updata.Butwhatifanaturaldisasterorafireoccursanditdestroysbothyourcomputerandyourlocal backupdevice?Thisiswherearemotebackupsolutioncomesin;itpreventsdatalossinoffchancethat this happens. Common methods of remote backups are remote backup services, tapes, external drives, orhostedservices.Anothercommonmethodisfindingsomeoneelseinanotherlocation(anotherstate preferably)andyoueachkeepabackupforoneanother. Forexample:letssaythatIhaveafriend(okay,Ididsayasanexample)andthatfriendlivesinanother state. One good way that I can back up my data at his place and his at mine, is we setup a VPN to connectournetworkstogether.Thisway,wecansendthefilessecurelyovertheinternetwithoutmuch complication. Make sure however, that you trust the other party as they will have your Public IP Address.Anotherdevice thatallowsforstorageredundancyisa RAIDdevice.RAID (redundantarrayof independent disks) is a storage technology that combines multiple disk drive components into a logical unit. Basically, it is adevicethatiscomprisedofseveraldisksforthepurposethatif Note:NASstandsfor one (or more) drive(s) fail, data is not lost. This can come in the Network AttachedStorage form of a RAID controller (or software controller) on your andisintendedtostore computer,oranetworkdevice(suchasaNASbox). informationoverthe network. There are a few more solutions if you are going to set up a service that you host and are concerned with continuity and service availability. All these methods are assuming that you have multiple servers available and can configure them and the network they reside in. Firstly, you can configure the site for mirroring which is the act is creating an exact copy of one server to another server. Clustering (or failover clustering) is another method of ensuring availability as it is a group of devices that act as a single device. When one device fails in a cluster, another device starts providing the service (a process known as a failover). And finally, you can implement load balancing on your network which distributes the traffic load between several devices in yournetwork.
5.4
DoS (Denial of Service) attacks are the acts of making resources for legitimate users unavailable. DDoS (Distributed Denial of Service) attacks are the same thing as DoS attacks, but they use hundreds (even thousands)ofmachinestodisruptaccesstoresources.Usuallythisisperformedbyfloodingtheservice with ICMP packets forcing the router (or server) to respond to the attackers request (by replying to the
P a g e |43 ICMPpacket).OtherattacksincludingsendingmalformedICMPpackets,floodingthesitewithresource requests,orSYNfloodattacks. Even though ICMP traffic uses the TCP protocol, it is not supported via Tor. This attack will be best accomplished with Clearnet sites. Ping of Death attacks can be accomplished in two ways:the attacker can send too many packets or they can send malformed packets. For example, Windows has a packet size limit of 65500. So anything received that is higher, might crash the machine or enable the attacker to successfully perform a privilege escalation attack. Flooding the site with requests for resources (videos, pictures, login requests, etc.) is an example of a DoS attack that is more commonly used with Torsites. These attacks are mostly an issue that has to be prevented with hardware controls versus implementations within the website itself. Assuming that you are hosting and managing the website andtheserverthewebsiteresideson,youcanimplementingressfilteringonyournetworktohelpblock some of the attack. The backscatter traceback method is a good strategy for that. Also, I would block ICMP packets on your external interface (WAN interface). You should also make sure that all "unallocated source address'" are blocked. This means that you should block all packets with private IP addressthatarecomingintoyournetwork.YoucannotstopDDoSattacks,onlymitigatetheeffect. Tools for DDoS attacks ToinitiateDDoSattacks,youwillneedtorighttoolsbasedonyourpreferencesandotherfactorssuchas yourplatformofattack.ThefollowingaresamplesofDDoSattacktools: LowOrbitIonCannonLOICattacksaserverbyfloodingtheserverwithTCPorUPDtraffic. Specifically,itmostlyfloodstheserverwithICMPtrafficwhichispingtraffic TrinooTrinooiseasytouseandhastheabilitytocommandandcontrolmanysystemsto launchanattack TribalFloodNetworkTFNcanlaunchICMP,ICMPSmurf,UDP,andSYNFloodattacksagainsta victim.ThistoolwasthefirstpublicallyavailableDDoStool StacheldrahtThistoolfeaturesthatareseeninbothTrinooandTFNandsendscommandsvia ICMPandTCPpacketstocoordinateanattack.AnotherfeatureofStacheldrahtisthatitcan encryptthecommunicationbetweentheclienttothehandlers TFN2KAnupgradetoTFN,thisprogramofferssomemoreadvancedfeaturesincluding spoofingofpacketsandportconfigurationoptions ShaftThisworksmuchthesamewayasTrinooexceptitincludestheabilityfortheclientto configurethesizeofthefloodingpacketsandthedurationoftheattack MStreamThisprogramutilizesspoofedTCPpacketstoattackadesignatedvictim TrinityThisperformsseveralDDoSfunctionsincluding:fraggle,fragment,SYN,RST,ACK,and others
P a g e |44 What do they mean? Letmetakeasecondtodefinesomeoftheattackturnsaspresentedabove: ICMPDOSAn attacker can use either the ICMP "Time exceeded" or "Destination
unreachable" messages. Both of these ICMP messages can cause a host to immediately drop a connection ICMPpacketmagnificationAn attacker sends forged ICMP packets to bring down a host. As an example (as presented above), Windowshasapacketsizelimitof65500.So
anythingreceivedthatishigherwillbefragmented.Sincethemachinecannotreassemblethe packet,itmightcrashorreboot ICMPSmurfattackAn attacker sends forged ICMP echo packets to vulnerable
networks' broadcast addresses. Doing this will tell all the systems on the network (inside the broadcast domain) to send ICMP echo replies to the victim, consuming the targets available bandwidth
P a g e |45
Topics
P a g e |46
6.1.
Thefirststepinhardeningasystemistoremoveunnecessaryprograms.Startbyremovingunnecessary third party programs that are installed on the machine. You also want to look at programs that were installed when downloading or installing other products, whether intentional or not. For example, when you purchase a machine there is a bunch of software that comes preinstalled that you probably never use. I would recommend reviewing everything that is installed and remove all software that you donotneed. Try it out Uninstalling software 1. OpentheStartMenuandgotoControlPanel 2. SelectUninstallaprogramorAdd/RemoveProgram 3. RightclicktheunnecessaryprogramsfromthelistandclickUninstall
6.2.
Onceallofthesoftwarehasbeenuninstalledfromthemachine,youshouldthenstartbydisablingallof the unnecessary services that are running in the background. Each service will provide support for the application that they support; many of them providing functionality for Windows. You should get a listing of all the system services running on the system and evaluate whether each service is needed. Also know that I am more referring to thirdparty services versus Windows services. Make sure to do yourresearchoneachservicebeforedisablinganything. Try it out Removing services 1. OpentheStartMenuandgotoControlPanel 2. SelectAdministrativeToolsandopenServices 3. Reviewandidentifyeachunnecessaryservice 4. RightclicktheunnecessaryserviceandselectDisabledinthedropdownboxnexttoStartup type.StoptheserviceandpressOK
P a g e |47
6.3.
Anaspectthatisoverlookedoftenisdisablingaccountsthatarenotcurrentlybeingused.Youwillneed to determine if you need information from that account (if you remove account data) or to use services that can only be used from within that account. Windows XP has the administrative account enabled with a blank password be default whereas Windows Vista and 7 disable the account by default. Also, a quick word from the real world, make sure when creating a user account to not use anything that can possibly identity you as doing something illegal. A real world example, someone actually created a separateaccountnamechildporn,sohecanhideallhisillegalmaterialsinthataccount.Betteryet,he hid all materials in a folder on his desktop named childporn! (NOT smart) Not only can forensic investigatorsseealltheaccountsthatarecurrentlyonthemachine,buttheycanseepreviouslydeleted accountsaswell. Try it out Removing user accounts 1. OpentheStartMenuandgotoControlPanel 2. ExpandUserAccountsandselecttheaccountyouwishtodelete 3. ClickDeletetheaccount
P a g e |48
6.4.
AnotherstepinhardeningthesystemisupdatingtheOperationSystemandallsoftwareinstalledonthe machine. When you patch the system, you are applying security fixes to known vulnerabilities to the software that is running on the system. These vulnerabilities are what remote attackers use to gain accesstothesystem.Withoutpatchingthesystem,youareopeningupyourmachinetoattackbythese malicioushackers.
Windows updates should be enabled as they provide many fixes concerning Windows security. Individual software and applications should also be updated as soon as a known stable version of the updateisavailable.Usually,whenvendorsreleaseanupdate,theyarestableunlessstatedotherwise.I recommend the use of a tool that checks the programs installed on the machine and reports the ones that are outofdate. A good program for this purpose is Secunia PSI. This program will constantly check the programs installed on your machine and report which ones are outofdate, which ones are scheduledforanupdate,andwhichonescanbeupdatedmanually.
6.5.
Password Protection
A final practice you should incorporate in system hardening is password protecting your devices. On your computer, you should make sure that all of the user accounts that are enabled are password protected. This is especially true when folder shares are involved. Make sure that the passwords on your machine are all strong so an attacker cannot use that account to gain access to your machine. For example, when you mount a TrueCrypt container, it can be explored though another computer in the network using an account on the local machine if they have the correct permission. This means that even if you have the worlds strongest password for TC, an attacker can still gain access to its contents using your Windows password over the network. Also, by default Windows XP has the administrative account enabled without a password by default. Windows 7 and 8 has this administrative account disabledbydefault.
P a g e |49 Try it out Password protect computer accounts 1. OpentheStartMenuandgotoControlPanel 2. ExpandUserAccountsandselecttheaccountwhichyouwanttocreateapasswordfor 3. ClickChangePassword Try it out Explore your computer from another machine 1. FindyourIPaddressonyourcomputer.Startthecommandprompt:Start>Run>cmd>OK *WindowsVista/7,typecmdinSearchProgramsandFeatures.Ablackboxshouldpopup 2. Typeinipconfigandundertheadapteryouareusing,recordtheIPaddressnexttoIPv4 (example:192.168.1.5)*rarelywillpeopleuseIPv6 3. HopontotheothercomputerandopenupWindowsExplorer 4. Intheaddressare,typein\\followedbyyourcomputersIPaddressfinishedwitha\,your driveletteranda$(usuallyC).Forexample,Itypein\\192.168.1.5\C$ 5. Youwillbepromptedtoentertheusernameandpasswordforyourmachine
P a g e |50
Topics
P a g e |51
7.1.
Antivirus
'Malware'isageneraltermusedtorefertoavarietyofformsofhostile,intrusive,orannoyingsoftware. This software comes in several different flavors, but we will only be talking about Spyware and Trojan Horses.Trojanhorsesareoftendeliveredthroughanemailmessagewhereitmasqueradesasanimage or joke, or by a malicious website, which installs the Trojan horse on a computer through vulnerabilities in web browser software such as Microsoft Internet Explorer. Spyware on the other hand covertly monitors your activity on your computer, gathering personal information, such as usernames, passwords,accountnumbers,files,andevendriverslicenseorsocialsecuritynumbers. Antivirus software can protect you from viruses, worms, Trojan horse and other types of malicious programs. More recent versions of antivirus programs can also protect from spyware and potentially unwanted programs such as adware. Having security software gives you control over software you may notwantandprotectsyoufromonline threatsisessentialtostayingsafeontheInternet. Yourantivirus and antispyware software should be configured to update itself, and it should do so every time you connecttotheInternet.
Case:TheComputerandInternetProtocolAddressVerifier(CIPAV)isanillegaldatagathering toolthattheFederalBureauofInvestigation(FBI)usestotrackandgatherlocationdataon suspectsunderelectronicsurveillance.Thesoftwareoperatesonthetargetcomputermuch likeotherformsofillegalspyware,whereasitisunknowntotheoperatorthatthesoftware hasbeeninstalledandismonitoringandreportingontheiractivities. Locationrelatedinformation,suchas:IPaddress,MACaddress,openports,running programs,operatingsystemandinstalledapplicationregistrationandversioninformation, defaultwebbrowser,andlastvisitedURLwascaptured.Oncethatinitialinventoryis conducted,theCIPAVslipsintothebackgroundandsilentlymonitorsalloutbound communication,loggingeveryIPaddresstowhichthecomputerconnects,andtimeanddate stampingeach.
7.2.
Hardware Keyloggers
Hardware keyloggers are used for keystroke logging, a method of capturing and recording computer users' keystrokes, including sensitive passwords. They can be implemented via BIOSlevel firmware, or alternatively, via a device plugged inline between a computer keyboard and a computer. They log all
P a g e |52 keyboard activity to their internal memory. Hardware keyloggers have an advantage over software keyloggers as they can begin logging from the moment a computer is turned on (and are therefore able tointerceptpasswordsfortheBIOSordiskencryptionsoftware). You might think that physical inspections are one way to defend against hardware keyloggers, but it is not. Nor is using a wireless keyboard, as that sort of keylogger, doesn't necessarily have to be hidden outsideofthekeyboard.Adedicatedattackermayjustaswellplaceanextrachipinsideofthekeyboard or replace it all together by a manipulated keyboard of the same model to record keystrokes without anyobviousvisualcues.So,thebestwaymaytotheusedifferentkeyboardlayoutsbeforeenteringthe password.Furthermore,youcanalsoenterrandomdatawithinthepasswordandgoingbacktoremove themlater.Andfinally,youcanusetokensaswellasapasswordwhenloggingintoyourcomputer.
7.3.
Firewalls
A firewall is usually your computer's first line of defenseit controls who and what can communicate with your computer online. You could think of a firewall as a sort of "policeman" that watches all the data attempting to flow in and out of your computer, allowing communications that it knows are safe and blocking "bad" traffic such as attacks from ever reaching your computer. Configuring your firewall can prevent Spyware or other confidential data from leaving your network entirely. It can also prevent remote attackers from hacking into your computer. Most AIO (allinone) security solutions such as Norton or McAfee or BitDefender have a firewall built in. For a free firewall, Comodo firewall is a good alternative: https://personalfirewall.comodo.com/. Note:InmostLinuxdistros includingRedhat/CentOS/ FedoraLinuxinstallsiptables bydefault.Ithasbecomea standardoptioninall distros.Ifitisnotinstalled, youcanusethecommand yuminstalliptablesorapt getinstalliptablesifyouare usingUbuntu.
7.4.
DLPs
Data leakage prevention solution is a system that is designed to detect potential data breach incidents in timely manner and preventthembymonitoringdatawhileinuse(endpointactions), inmotion (network traffic), and atrest (data storage). Importantly, personal DLP software can protect you from accidently disclosing confidential or sensitive data. Some AIO securitysoftwaredoesthisaswellasfreesoftware.
P a g e |53
7.5.
The principle operation of a HIDS (Host Intrusion Detection System) depends on the fact that successful intruders (hackers) will generally leave a trace of their activities. In fact, such intruders often want to own the computer they have attacked, and will establish their "ownership" by installing software that will grant the intruders future access to carry out whatever activity (keystroke logging, identity theft, spamming,botnetactivity,spywareusageetc.)theyenvisage. Intheory,acomputeruserhastheabilitytodetectanysuchmodifications,andtheHIDSattemptstodo just that and reports its findings. Intrusion attempts can be keylogger attempts (spyware), Internet Explorerleaks,DLLinjections,malwaredrivers,etc.HIDSsareinstalledonyourmachineandabaseline must be performed before HIDSs can detect any anomalies. Many antivirus programs have a basic HIDSbuiltintothesoftwareasanaddedfeature. Network IDSs on the other hand sit on your network to monitor all traffic coming into your network to alert you to any attacks. There are several methods of detecting an attack including anomaly based detection and signature based detection. Also, there is either a passive or active based detection depending on if you want the IDS to actually take action or not. You should know when setting up an IDS, that there will be false positives as it takes a while for the IDS to learn and for you to teach. Also, you will need to be there to monitor the alerts. Snort is a good, free NIDS and is widely used in businesses.
7.6.
Other Considerations
Whatyoudownloadcanaffectsecurity.Makesurethatwhatyoudownloadissafe;itshouldgowithout saying, but is good to hear nonetheless. PDF, word documents, executables, broken pictures, and binders are all security issues. Make sure that you protect yourself by downloading alternative PDF viewers (or block your PDF application from connecting to the internet), disable Macros if you use Microsoft Office programs, disable JavaScript in Adobe Acrobat/Reader if you use it, etc. Lastly, make sure that you are updating your web browser, and if you are using the Tor Bundle, you update that as well. These releases are extremely important for security and often include patcheswhat for found vulnerabilities.
P a g e |54
Chapter 8_ Networks
eeping your network secure is a must to ensure to keep intruders out and your information from getting into the wrong hands. Furthermore, it protects you from other people hopping on your network,doingsomethingillegal,andhavingtheevidencepointtoyou.Networksecuritycoversa varietyofcomputernetworks,bothpublicandprivate,andyoushouldconcernyourselfwithboth.This chapter will explain some of the common methods of security and a brief introduction on a few networking terms as well as security concerns when hopping on another persons network. This will includebothhardwareandsoftwaremethodstoensurethissecurity.
Topics
P a g e |55
8.1.
AprivateIPaddress(assignedbytheownerswirelessdevice)isassignedperdeviceinthenetworkfrom a DHCP pool. DHCP pulls a list of available IP addresses and assigns it when a device is attached to the network. A certain IP address is not assigned to a specific device (there is no static mapping) therefor people cannot use IP addresses to located your specify device. Static IP addressing can be used, but typicallyisnotusedinahomeenvironment.Whenyouconnecttoawirelessdevice,itispossiblethatit changes each and every time you connect, depending on what else is connected to the network. Also, unlesstheIP addressiscurrentlyleased out,nobodywillbeabletolookinalog(typically)todetermine whatIPaddresswhatconnectedwhen. The other IP address is known as a Public IP address. This type of address is what your ISP (Internet Search Provider) uses to identify you. When you log into a website, this is the IP address that is logged. When you use proxy or VPN services, the Public IP address that is hidden and the VPN/proxy IP address is exposed. If somebody has your IP address, they can get the geographical location of where you live whereas your ISP has your name, telephone number, home address, and whatever else you have given them.Lastly,whenyouareconnectedtoapersondirectly(DCC,videochat,P2P,etc.);theycanalsolog yourPublicIPaddress.
8.2.
MAC Address
ThinkofaMACaddresslikeabankaccountnumber;weareeachgivenabankaccountnumbersowhen we make a purchase, at a grocery store for example, the grocery store knows how to send the payment to your bank and viceversa. Similarly, a MAC address, which is unique to your wireless card, allows the routerto knowwheretosend thedata.Andifyoureallycare, theMACaddressisheldinanARP table, butwewontgetintothat. When you connect to a network, the router logs the computers MAC address and temporary saves the computers IP address. People can also sniff the network to see what you are doing and record your MAC address that way. And yet another way people can get your MAC address is if they use software thatmonitorsthenetworkandrecordsallthedevicesautomatically.Allthesemethodshaveonethisin common(besidestheobvious),theycanonlyrecordtheaddressesthatarebroadcasted,meaningifyou changeyourMACaddress,thesemethodsareuseless.
P a g e |56 People use MAC address changers for many reasons; mostly for getting free WiFi by bypassing MAC address filtering or performing MAC flood attacks. If you connect to a public network, or your neighbors network, I would use a MAC address changer to make it hard to locate you. Earlier, we said that a MAC address is unique to your computer; so if they were to look at all of the devices in your house, they wont find the device with the MAC address that was logged because it has been changed. The easiest way to change the MAC address is to download a program to do it for you; otherwise you can change it in your network settings. Win7 MAC Address Changer Portable is a good program to do thisforyou. Asaquicknote,anotherrecentdiscoverythatcanidentifyindividualcomputersthatcannotbespoofed (as of yet) is with using the computers graphics card. The PUFFIN Project (physically unclonable functions found in standard PC components) has brought forward research suggesting that GPU manufacturing processes leave each product with a unique "fingerprint." The PUFFIN team has created software that can detect these physical differences between GPUs. This is another way that someone can determine whether your device was used in a crime if your GPU fingerprint was obtained. PUFFINsresearchwillrununtil2015.
8.3.
Public Wireless
It is up to you whether or not to stop using the neighbors wireless. But know they can see Tor traffic if they: use a packet sniffer and perform a MiTM attack if their wireless network is not protected, if they were using a network hub which broadcasts information out of all ports, if they have a managed switch and enable port mirroring, or if they change the MAC address of their computer to that of the AP (Access Point). Even though they can see Tor traffic, they cannot see what you are doing inside of Tor and they still will have no clue that it was you. If they could, the purpose of Tor would be defeated. They are other risks with using public networks (or your neighbors network) therefore it is not recommended(unlessyouareabsolutelysurethatyouaresafe). These risks includes attackers remotely logging into your computer via a known backdoor or an exploit. The best known Operating System to attack a machine is Backtrack. BackTrack is a Linuxbased
P a g e |57 penetration testing arsenal that aids security professionals in the ability to perform assessments in a purely native environment dedicated to hacking. The methods of attack in BackTrack are against operating systems, applications, phones, networks, internet protocols, websites, and etc. The best part about BackTrack is that it is free! I would start with getting a good firewall and antivirus for your computer. Also, make sure you follow System Hardening (Section 6) section to help correctly configure yourmachine. As always, I would use Tor for all sensitive information in which you do not want anyone to learn your location or monitor your browsing habits. To protect all other sensitive data that does not require such autonymity,IwouldrecommendtheuseofaVPN.AVPNreroutesallcomputertrafficthroughasecure tunneltoatrustedthirdparty(oradesignated network)beforetheinformationreachesitsdestination. This provides security against anyone sniffing your computer traffic as all information is encrypted. Common reasons for a VPN is when: checking emails, checking your bank account, application data security, or transmitting insecure data over a secure data stream. The difference between Tor and a VPNisthatwhenusingTor,nobodyknowswhoyouarewhereasinaVPNsomebodyalwaysdoes.
Network Sniffing Tools Thereareseveralsniffingtoolsavailable.Listedbelowaresomeofthecommontools: WiresharkOneofthemostpopularpacketsniffingprogramsavailableandisasuccessorto Etheralofferingatremendousnumberoffeaturestoassistdissectingandanalyzingtraffic OmnipeekCreatedandmanufacturedbyWildpackets,Omnipeekisacommercialproductthat istheevolutionofEtherpeek DsniffAsuiteoftoolsdesignedtoperformsniffingaswellasothertoolstorevealpasswords. DsniffisdesignedforUNIXandLinuxplatformsanddoesnothaveacompleteequivalentfor Windows CainandAbleandAbleprovidesmuchofthesametoolsasDsniffbutalsoprovidesfeatures suchARPPoisoning(MiTMattackcanbeperformedinsideanetwork),enumerationofWindows systems,andpasswordcracking EtherapeAUNIX/Linuxtoolsthatwasdesignedtoshowtheconnectiongoinginandoutofthe systemgraphically NetwitnessInvestigatorAfreetoolthatallowsausertoperformnetworkanalysistoolsas wellaspacketreassembleanddissection
P a g e |58
8.4.
Security Protocols
Securing your network should be as important as securing your computer. Allowing people access to yournetworkopensyouuptoattackandaspreviouslystated,legalissues,becausethey cangotcaught doingsomethingtheywerentsupposedtoonyournetwork.Ifyouaredoingeverythingsecureonyour network computer but someone gets caught downloading child porn, the government is coming after you. There are several ways to protect your network depending on your equipment and if you use customfirmwareornot.Ifyougetarouter,plugitin,andstartusingit;youareNOTprotected! Thefirstthingthatanybodyneedstodoischangethedefaultpasswordforthedevicesonobodycanlog in and change the security settings. Followed by changing the device password, you should create a wireless password to limit the people who can get on the device in the first place. There are several types of protocols that limit access: WEP, WPA, WPA2, MAC Address Filtering, etc. WEP, WPA, and WPA2 are protocols that rely on password authentication to accept users who are trying to connect to your wireless device. MAC Address Filtering on the other hand only allows specific wireless devices accesstothenetworkdependingontheMACaddresses. WEP has been demonstrated to have numerous flaws and has been deprecated in favor of newer standardssuchasWPAandWPA2.WPAisalsodeprecated makingtherecommendedsecurityprotocol WPA2. WPA2 is the strongest protocol as it has not been cracked, yet it might not be supported by all devices. MAC address filtering filters wireless devices allowing only those that are allowed into the network. The problem is however, it can be easily defeated if someone changes their MAC address to onethatisallowed. Wireless Hacking Tools IrecommendobtainingacopyofBacktrackastherearemanywirelesshackingtoolsalreadyinstalled. KismetUsingKismetonecanseealltheopenwirelessnetworks,aswellasthoseWireless NetworkswhichdontbroadcasttheirSSIDs.Itsamatterofminutestousethistooland identifynetworksaroundyou NetstumblerNetStumblerisafreewareWiFihackingtoolthatscompatiblewithWindows only.Itcanbeusedtosearchopenwirelessnetworksandestablishunauthorizedconnections withthem MedievalBluetoothScannerThisprogramcananalyzeandscanyourBluetoothnetwork findingBluetoothdevicesthatcanbeattacked(seebluejackingorbluesnarfingorbluebugging) CoreimpactThisitiswidelyconsideredtobethemostpowerfulexploitationtoolavailable. However,CoreImpactisnotcheapandwillsetanybodybackatleast$30,000
P a g e |59 WiresharkWiresharkWiFihackingtoolnotonlyallowshackerstofindoutallavailable wirelessnetworks,butalsokeepstheconnectionactiveandhelpsthehackertosniffthedata flowingthroughthenetwork AirSnortMostWiFihackingtoolsworkonlywhenthereisnoencryptedsecuritysettings. WhileNetStumblrandKismetfailtoworkifthereisawirelessencryptionsecuritybeingused, AirSnortworkstobreakthenetworkkeytogetyouinsidethenetwork CowPattyCowPattyisananotherWiFinetworkhackingtoolthathascrackgotaWPAPSK protectionfeatureandusingthishackerscanevenbreakintomoresecureWiFienvironments ReaverThisprogramtakesadvantageoftheweaknessinherentwithWPS(WiFiProtected Setup)
8.5.
Some people where asking me about the risks involved in Omegle and downloading pictures to your computer.So,briefly,IamgoingtodescribeherewhatItoldthem.Firstlyandmostobviously,Tordoes not support cam sites for the reason listed in section 9.11. Quite simply, Tor does not support UDP trafficinwhichvideostreamingoperates.So,ifyouwonderinghowpeopleactuallycapturesthistraffic andobtainsyourIPaddress,thisishow: Capture IP Address from Omegle 1. First,youwillneedtodownloadapacketsniffer.IwouldeitheruseWireshark,Ethereal,or NetWitnessInvestigator.Thefirsttwowillsimplycapturethepacketswhereasthelatterwill capturesthepacketsandhastheabilitytoputthembacktogether.Thisisusefulifyouwantto rebuildthevideothatwasstreaming. 2. StartOmegle(oranalternativechatsite)andgetconnectedtosomebodyontheotherend. CapturingtheIPaddresscanalsobedoneviatext,butforthismethod,youmustuseyour camera. 3. Startthepacketsnifferofchoice;forthisexampleIwillbeusingWireshark. 4. ToselecttheinterfaceyouwillneedtoselectCapturethanInterfaces. 5. Determinetheinterfacethatyouareusing(usuallytheonewiththemostpackets)andpress Starttostartcapturingthepackets. 6. Allyouneedisafewpackets,eventhoughyouwillgetafewhundredtoafewthousand.Once youhaveenoughpacketspressStoptherunninglivecapture.Thisisdenotedbytheforth iconatthetopwiththeXoryoucanselectStopunderCapture.FAILURETOSTOPTHE CAPTUREWILLCRASHYOURMACHINE!THEAMOUNTOFPACKETSYOUCANCAPTUREIS DEPENDENTONTHEAMOUNTOFMEMORYYOURMACHINEHAS! 7. YouareonlyconcernedwithUDPtraffic,sointheFilterfield,enterudp 8. Now,youwillnoticethatthereismoreUDPtrafficfromtwospecificIPaddressesthananything else;theseIPaddresseswillbeyourIPaddressandtheindividualontheotherendofthe webcam.YourIPaddresswilleitherstartwitha192.x.x.xora10.x.x.xorpossiblya172.x.x.x. Mostlikely,a192.x.x.x.Therearerestrictions,soifyouhaveanyquestions,askorrefertoa PrivateIPaddresslist.TheotherIPaddresswillbetheirs. 9. CopytheirIPaddress.Thiscanbedenotedviafouroctetsseparatedbydecimalsorwithdashes.
P a g e |60 Itcanalsocontainwordsorletters.93.53.23.231,pd935323231,or935223 231.abc.dgf.netwillallbethesamething.Ineithercase,youwanttocopyitdownas 93.53.23.231.Noticethatthewordsmightbedifferent;onlyconcernyourselfwiththe numbers. 10. Thatisit;youcanuseareverseIPaddresslookuptofindbasicinformation. That described simply how to capture the IP address via a packet sniffer. When connected, this connection can also be seen in your netstat list; you should not worry yourself about this. The reason being is UDP traffic connects directly to your machine. TCP traffic connects to a third party site such as Omelge. Another method is getting the person to go to a honeypot that captures the users IP address whentheyclickonalinkandnavigatetothatsite.Theyareafewoutthere,anditiseasyforpeopleto bebaitedintonavigatingtothesesites. If you are really interested there are two things that happen when you are connected via webcam. The first thing is the handshake or the initial connection and is facilitated by the chat website (Omegle, ChatRoulette, etc). This connection is the first step that is performed to connect you to the other person whom you are trying to connect with. After this initial process is complete, you are now directly connected to the person you are chatting with. At this point, the stream is no longer being passed throughthechatwebsite.ThewebcamtrafficisUDPtraffic,whichisnotsupportedbyTor. Another popular method of getting IP addresses and other computer information such as usernames, passwords,keystrokes,screenshotsandetc.,ifwiththeuseofspyware.Iamnotgoingtogointodetail about spyware (or a keylogger or malware), but I will go over a popular delivery method. When people send pictures or videos via TorChat or an alternative medium, they can use a binder program to attachapicturefiletoanexecutable.Whenthefileisopened,thepictureappearsasnormalalongwith thespywareinthebackground. To protect yourself when dealing with UDP information (audio or video chat), you can use a UDP proxy, a VPN, or configure a VPN over Tor. I usually just use a VPN that claims to not log any traffic; but who knowsifthatclaimholdsmerit.SimpletextchatusesTCPpacketswhichTorcanprotect.Obviously,do not use shortlinks as they can link to a honeypot or another rouge site. And if you do decided to open linksyouareunsureabout,makesureyoudoviaTorwithJSdisabled.
P a g e |61
8.6.
Other Considerations
Most people have home routers with stock firmware, so most of this does not apply. For those of you interested in having more granular control of your router, you can search the internet for custom firmware;forexample,DDWRTisagoodLinuxbasedfirmware.Also,youcanpurchasemanagedports andwirelessaccesspointsspecificallyforthispurpose.MostcommercialequipmentcanmanagewhatI amabouttotalkabout,buttheyusuallyrunintheseveralthousands,ifnothundredsofthousands. One of the basic hardening techniques for wireless security is the use of VLANs. If the attacker passes your security controls and into your network, VLANs will ensure that they cannot read your network traffic.LetssaysomeportsonswitchAareinVLAN10andotherportsonswitchBcanareinVLAN10. Broadcasts between these devices will not be seen on any other port in any other VLAN, other than 10. However,thesedevicescanallcommunicatebecausetheyareonthesameVLAN.Youshouldalsoknow thatVLANscanbesetuponthesameswitch. WPS,orWiFiProtectedSetup,isawayforindividualstoeasilyconnectdevicestothewirelessrouter.In this method, the standard requires a PIN to be used during the setup phase. As it is not a technique to add security to the network, you should know that WPS should be disabled at all times. The vulnerability discovered in WPS makes that PIN highly susceptible to brute force attempts. It takes approximately410hourstobreakWPSpins(passwords)withReaver. You should also know about rouge APs; specifically when an attacker impersonates an SSID. Rouge Access Points are a security concern because an attacker can set up a device such as a router or computer to haveasimilarorthesameSSIDas the wirelessAccessPointyou connect to. Unscrupulous parties can connect to this rouge device and all traffic can be logged and MiTM attacks can be performed.Thisthreatisoflowconcernbecauseitisnotverylikelytohappen. One final security configuration I am going to mention is a DMZ. The purpose of a Demilitarized Zone is to add an additional layer of security to your local area network (LAN Private network); an external attackeronlyhasaccesstoequipmentintheDMZ,ratherthantheentirenetwork.Thiswouldbeifyou were setting up anything that you want people from outside your network to have access to whilst protecting your internal network. Examples of such services would be Websites, IRC servers and relay servers.
P a g e |62
8.7.
Extra:
Two methods I want to talk about are: ARP poisoning and MAC address spoofing. As many of you already know MAC address spoofing is also a way to hide your computer or to get free Internet when places either filter computers by MAC addresses or have a pay tousesystem. A few of you have asked how this works and instead of reinventing the wheel each and every time I decided to create this fundamental, quick howitworks guide. These are a couple of reasons why you should lock down your privatenetworkandneverusepublicnetworks. Whenacomputerdecidesitwantstotalktoanothercomputeronthenetworkithasfourprimaryfields it uses to communicate. In a packet, these fields are: source IP address, destination IP address, source MAC address, and destination MAC address. Again, most of you even know about IP addresses so we wontgetintothatatall.Butwhatmostofyoudontknowisthecomputertransferstrafficbasedonthe computers MAC address (which is a unique identifier for each device) and not the computers IP address. The computer uses the IP address to learn the MAC address but does not actually send data withit.Letmeexplain. Lets say Bob wants to talk the Alisha on the same network (send data). There is a protocol called ARP, whichstandsforAddressResolutionProtocol,thatwillsendarequesttotheswitch(orallofthedevices in the network if youre using a hub) that you are trying to communicate with Alisha. When Alisha responds,shewillsendbacktheMACaddressofhercomputertotheswitch.Theswitch,willthenlearn Alishas MAC address if it doesnt already know and send it back to Bob. Now Bob, having Alishas MAC address, will fill in the destination MAC address (which is Alishas computer) and send data using that information. Heresanexample:BobwantstosendAlishaafileoverthenetwork.BobfirstsendsanARPrequestto the switch (most, if not all, home routers have a switch build in) saying hey, I want to talk to Alisha, here is her IP address. What is her MAC address so I can send the data? The switch looks in the MAC addresstableanddeterminesthatAlishasMACaddressisF026:EA98:EB03:C68E(ifthe MACaddressis not known, it sends the ARP request to ALL of the computers on the network, except for Bobs, until Alisha responds back, Its me!) Once the MAC address is determined, it is sent back to Bob so he can transferthedata. This is where MAC address spoofing comes in, because as you just learned, computers do not transfer datausingtheIPaddress,butinsteadtheMACaddress.SoMACaddressspoofing,trickstheswitchinto thinking your computer (lets say you are Steve), is actually Alishas computer. So now when Bob wants to send data to Alisha, half the packets will go to Alisha and half the packets will go to Steve. For the samereasonthisworks,thepaytousesystemcanbedefeatedaswell.Thispaytousesystemusesthe MACaddressestosenddatatoalreadyauthorizedcomputerswhichinturnistrickedanddataissentto youwithoutcharge.
P a g e |63 ARP poisoning on the other hand when an attacker is able to compromise the ARP table on the other machines and changes the MAC address so that the IP address points to another machine. If the attacker makes the compromised devices IP address point to his own MAC address then he would be able to steal the information, or simply eavesdrop and forward on communications meant for the victim. THIS IS EDUCATIONAL AND PROVIDED TO HELP YOU PROTECT YOURSELF BY EXPLAINING THE METHODS OF ATTACKS BY OFFENDERS. I DID NOT WRITE THIS WITH THE INTENTION FOR ANYBODY TO USE IT AGAINSTANYONEELSE.SOPLEASEDON'T! ARP Poisoning Demonstration: 1. OpenCain(youwillneedCainandAbleinstalledonyourmachine) 2. ClicktheSniffertabandturnonthenetworksniffer(thenetworkinterfacebuttonnexttothe foldericononthesecondrow) 3. Thisshouldalreadybeselected,butensurethattheHoststabisselectedatthebottom 4. Atthetop,clickthebluePlusbuttontoscanforMACaddresses.Alternatively,youcanright clickanywhereinthedatagrid(whitebox)andselectScanMACAddresses. 5. OncepopulatedwithdevicesotherthanyourDefaultGateway(usuallyanyIPaddressending withtheoctetof1)oryourcomputer,selecttheAPRtabatthebottom 6. MakesureAPRisselectedoverontheleftandclickanywhereinthetopdatagrid(thetopfield thatisblank).ThePlusbuttonatthetopshouldnolongerbegreyedout. 7. OncetheNewAPRPoisoningRoutingdialogboxappears,youwillselectthecomputersthat youwishtoattack 8. Overontheleft,youwillselectyourDefaultGatewayandoverontherightyouwillselectthe computeryouwishtoattack(thedatagridontherightwillpopulateoncetheGWisselectedon theleft)*DoingthishasthepotentialofcausingaDoSattackwhereasthevictimcannotaccess theinternetoranydatainthenetwork 9. Finally,selectthesessionthatyoujustcreated(underStatus,itwillsayIdle)andclicktheARP Poisoningbuttononthetopthatisnexttothesnifferbuttonyouclickedonearlier.If successful,thestatuswillchangefromIdletoPoisoning 10. Fromhere,youcancapturedatapackets,usernames,passwords,emailaddresses,andetc. 11. TheonlywaytodefeatthisistouseencryptionsuchandclienttohostsVPNs,PKI,orTor 12. Tostoptheattack,youcanclicktheARPPoisoningbuttonandtheSnifferbuttononcemore Again, I should provide the warning that there are other ways they can see your traffic if they: use a packetsnifferandperformaMiTMattackiftheirwirelessnetworkisnotprotected,iftheywereusinga network hub which broadcasts information out of all ports, if they have a managed switch and enable port mirroring, or if they change the MAC address of their computer to that of the AP (Access Point) as mentionedabove.
P a g e |64
n this section, I will talk about several vulnerabilities, what they accomplish, and the mitigation techniques. Because web browsers are used so frequently, it is vital to configure them securely. Often, the web browser that comes with an operating system is not set up in a secure default configuration. Not securing your web browser can lead quickly to a variety of computer problems caused by anything from spyware being installed without your knowledge to intruders taking control of your computer to websites obtaining your IP address and running malicious scripts when you navigate to their webpage. I will briefly go over some other security considerations, dealing primarily with web browsers.Thissectiondoesnotencompasseverything,sofurtherresearchisnecessarily!
Topics
ThisChapterwillcoverthefollowingtopics: DownloadingandUsingtheTorBrowserBundle WhatisSandboxingandWhatisJITHardening,andWhyDoICare? JavaScript CookieProtectionandSessionHijackingattacks Caching Referers CSRF/CSRFAttacks(XSSAttack) ProtectBrowserSettings DNSLeaks UserAwareness,AccidentsandSystemUpdates ConfiguringWebBrowsersandApplicationstoUseTor
P a g e |65 Lets start by talking about the browser itself. Personally, I use the Tor Bundle with Firefox, as do most. Moreso, using Tails is recommended because of way it was designed; all traffic will run through Tor regardlessofthesourceandifisnotrunningthroughTor,itisdropped.Astudywasdonethoughandit wasconcludedthat GoogleChromeisthemostsecurebrowserlargelybecauseofChromessandboxing and plugin security. Comparatively, Internet Explorer implemented (lacking industry standard) sandboxing and JIT Hardening whereas Firefox falls behind on sandboxing and does not implement JIT hardening.
9.1.
The Tor Project describes Tor as Tor protects you by bouncing your communications around a distributed network of relays run by volunteers all around the world: it prevents somebody watching your Internet connection from learning what sites you visit, and it prevents the sites you visit from learning your physical location. Tor works with many of your existing applications, including web browsers,instantmessagingclients,remotelogin,andotherapplicationsbasedontheTCPprotocol. I recommend downloading and using the Tor Browser Bundle even though I provided a stepbystep exercise on how to configure your existing browsers to run through Tor (Section 9.11). Many people in the past have used the Tor Button for Firefox which is no longer supported due to its fairly new rapid releasecycle ofFirefox.Also,theuseofawebproxy isnotneededifyouarejustbrowsing theinternet usingthe Tor Browser Bundle. I would recommend using the hardening techniques as described below. YoushouldknowthateventhoughyouareusingTor,youdataiscompromisedattheTorExitNodeif youarebrowsingtheinternet(nononionwebsites).
P a g e |66 Download and Start the Tor Browser Bundle 1. NavigatetotheTorwebsite. 2. UnderTorBrowserBundleforWindows/Mac/Linux,selecttheappropriateversion(32bitvs. 64bit).ForWindows,justselecttheappropriatelanguage. 3. ClickSaveFile 4. Oncethefileisdownloaded,openit.AnexamplefileIjustdownloadedwas,torbrowser 2.2.391_enUS.exe.Yourversionwillprobablybedifferentthanmine. 5. Itisaselfextractingarchive.SelectyourpreferredlocationandpressExtract. 6. NavigatetoandopenthefolderandrunStartTorBrowser. 7. OnceTorestablishesaconnection,aFirefoxbrowserwillopen. 8. YoucannowbrowsetheinternetasyouwouldnormallywithoutyourISPoranotherpartyfrom seeingwhatyouaredoingwithinToritself.Thereareothervulnerabilitiesthatshouldbe addressed,soIrecommendreadingon. Tor Links When you download and use Tor you can go to many .onion sites that are hidden from the clear internet. Using these sites are completely anonymous as nobody knows you specifically are navigating there;notevenyourexitnode.HereisalistofafewTorsites: MainPagehttp:/kpvz7ki2v5agwt35.onion/wiki/index.php/Main_Page.Thislinkistothemain HiddenWikithathostslinkstootherhiddenTorwebsites.Viewthissiteforthefulllisting. SilkRoadhttp://silkroadvb5piz3r.onion/.SilkRoadPrivatemarketplacewithescrow(Bitcoin). Youcanpurchaseanythingfromillegalpicturesandvideo,todrugsanddrugparaphernalia,to armsandammunition. HackBBhttp://clsvtzwzdgzkjda7.onion/.Forumsforhacking,carding,cracking,programming, antiforensics,andothertechtopics.Alsoamarketplacewithescrow. TorMailhttp://jhiwjjlqpyawmpjx.onion/.Cansend/receivemailfrominsideandoutsideTor withayou@tormail.netaddress. FreedomHostinghttp://xqz3u5drneuzhaeo.onion/.HostingServicewithPHP/MySQL.Asof 20110604,ithostsabout50%oftheliveOnionWebbyonion. HardCandyhttp://kpvz7ki2v5agwt35.onion/wiki/index.php/Hard_Candy.HiddenWikilinkto sitescontainingmaterialthatisintendedforpeoplewhoareattractedtochildren. LolitaCityhttp://m3hjrfh4hlqc67gb.onion/.DescribedasthebiggestCPsiteintheOnionland. Light,moderatelyfastcollection,witha(ofteninvaluable)tag,searchandcommentsystem.As ofNovember2012ithostsover1000000images. OPVA2(OnionPedoVideoArchive)http://opva2pilsncvtwmh.onion/.Videoarchivewith comments,tagsandsearchsystem.MostlycontainsCP. PedoSupportCommunityhttp://f3wjuyqroxyz2z3w.onion/.Supportandresourcecommunity forpeoplewholovechildren.Thissitedoesnotcontainanypictures/videosofCPandonly allowsforindividualstojoiniftheylovechildrenanddonotseektohurtthem.
P a g e |67
9.2.
Here, I am going to be talking about using Tor to encrypt HTTP traffic as well as FTP and SSL. To accomplishthiswewillbeusingToraswellasPolipo,awebcachingwebproxy.Basically,wearegoing to send all the traffic to the port that Polipo is listening on and forwarding that traffic through Tor. DoingthiswillencryptallHTTP,FTPandSSLtraffic.ThisisasubstitutetousingtheTorBrowserBundle. As stated above, you should know that even though you are using Tor, you data is compromised at theTorExitNodeifyouarebrowsingtheinternet(nononionwebsites).
The first thing we need to do is download the Vidalia Bundle. This bundle includes Tor, Vidalia, and Polipo. We are going to be configuring Firefox for this article. You should know however that all other browsersandapplicationsthatallowforproxysettingswillusethesameconfigurations.Howeverthere arelimitationswhichwewilldiscussfurtherdown. Starting the services 1. StartPolipo. 2. StartVidalia. 3. OnceyouareconnectedtoTor(ConnectedtotheTornetworkintheVidaliaControlPanel) wewillbeginsettingtheproxysettingsforFirefox. Firefox 1. StartFirefox. 2. ClickTools(ifyoudonotseethemenubarpresstheAltkeyonyourkeyboard.Themenubar shouldappear.). 3. ClickOptionsfollowedbyAdvanced.SelecttheNetworktab. 4. UndertheConnectiongroupselectSettings 5. ChecktheManualproxyconfigurationcheckbox. 6. ForHTTP,SSL,SOCKSandFTPyouwilluse(127.0.0.1withPort8118).
P a g e |68
9.3.
Wikipedia defines a sandbox as a security mechanism for separating running programs. It is often used to execute untested code, or untrusted programs from unverified thirdparties, suppliers, untrusted users and untrusted websites. Basically, think of it as, well a sandbox. If you put a whole bunch of kidsinasandboxandwantthemtostaythere,theycantleave.Sandboxesrestrictsysteminformation, whichisextremelyimportantforourpurposes.Furthermore,asanadditionallayerofsecurity,IuseThe TorBundleinavirtualenvironment(avirtualapplicationbutavirtualmachineisalsorecommended). JIThardeningkeepsthebrowserfromcompilingJavaScriptthatcannotberunontheuserscomputer. Basically, it is code that is compiled (compiling is like writing a book; you write several pages before you bind the book together) onthefly to improve the runtime performance of the JS. Attackers have long relied on JIT techniques to convert JavaScript into malicious machine code that bypasses exploit mitigationssuchasASLR.
9.4.
JavaScript
Javascript is just as it implies; a script that is executed in the browser or where it is run from. JavaScript is a programming language that allows access to system resources of the system running the script. It runs when the webpage is loaded or an event is triggered and is denoted by <script> and </script> alike. These scripts can interface with all aspects of an OS just like programming languages, such as the C language. This means that JScript, when executed, can potentiality damage the system or be used to send information to unauthorized persons. Obviously, this is not allinclusive and further vulnerabilities/exploitscanbemanagedbyusingJavaScript. What should be pulled out of this is Javascript only runs scripts that are on the webpage;it cannot magically get your IP address without it being explicitly written in the script. Thus, enabling JS on sites that are known to be trusted, such as this site, you can be relatively safe in knowing that system information(oryourPublicIPaddress)isnotbeingleaked.But,however,asyoumayhaveguessed,this is assuming that the scripts are not compromised which is a possibility at any time (though unlikely). In anyotherscenario,youshoulddisableJSforthesitecompletely. NoScript is recommended when dealing with JavaScript as it blocked all scripts unless explicitly defined (as per script or site). Make sure when using NoScript, that Disable Scripts Globally is checked, because if it enabled globally, you would defeat the purpose of the addon. By default, it is already turned on. When using The Tor Bundle or the outdated Tor Button, it is also good to know that dangerous JavaScript is already hooked. Javascript is injected into pages to hook the Date object to
P a g e |69 mask your timezone, and to hook the navigator object to mask OS and user agent properties not handled by the standard Firefox user agent override settings. You can also disable JavaScript directly fromthebrowser.
9.5.
Wikipedia defines a cookie as a small piece of data sent from a website and stored in a user's web browserwhileauseris browsingawebsite.When theuserbrowsesthesame websiteinthefuture,the data stored in the cookie can be retrieved by the website to notify the website of the user's previous activity.Whenyoulogintoawebpage,thatsessionisalsostoredonyourcomputerasacookie.More onionwebsitesareusingcookiesforseveralreasons,includingDoSattacksandsessionhijackingattacks. Asessionhijackingattack basicallyallowsathirdpartyattackertoconnectto awebsiteandaccesstheir session.Forexample,whenyoulogintoawebsite,youhavejustcreatedasession.Therearetwomain waysthey performasessionhijacking attack:sessionIDguessingandstolen sessioncookies.Sessionis usually not as big of an issue because of the length of the session ID (mostly). And the other way someone could steal a session cookie, is at the Tor Endpoint when they are performing a MiTM attack. Sadly,MiTMattackscannotbemitigatedandcookiehijackingisarealthreat. Cookies,ingeneralarenotdangerous,howeverallthirdparty cookiesshould beblockedinthe browser settings to stop tracking from a third party. A third party cookie places a cookie from one site for another site. For example, if you visit www.widgets.com and the cookie placed on your computer says www.statsforfree.com,thenthisisathirdpartycookie. Firefox (version 10.0.5) 1. StartFirefox 2. ClickTools(ifyoudonotseethemenubarpresstheAltkeyonyourkeyboard.Themenubar shouldappear.) 3. ClickOptions 4. ClickPrivacy 5. Check,TellwebsitesIdonotwanttobetrackedandeitherTorBrowserwill:neverremember myhistoryORuncheckAcceptthirdpartycookies.Note,thisdoesnotstopalltrackers websitesdoNOThavetoabidebytheTellwebsitesIdonotwanttobetrackedfeatureand thisisnottheonlymethod.
9.6.
Caching
Internetcacheisisacomponentthattransparentlystoresdatasothatfuturerequestsforthatdatacan be served faster. Whenever you go to a website, internet cached is created and saved on your computer for faster viewing. This means that when you go to a picture site, all the pictures that are
P a g e |70 loaded on the screen are saved on your computer for future viewing. Obviously, this is a huge security risk and if someone were to gain access to your system and view the cache, they would know what you havebeenlookingat. As a real quick side note, in the USA at least, it is not illegal to view the images, just download them. Now,ifyouhaveadequateknowledge,theycanclaimthatyouknewthecachedimageswerethereand you kept them there as an attempt to download the images. You can configure the browser settings or have a program erase the cache securely. CCleaner is a good, recommended (and free!) program that doesthat. Firefox (version 10.0.5) 1. StartFirefox 2. ClickTools(ifyoudonotseethemenubarpresstheAltkeyonyourkeyboard.Themenubar shouldappear.) 3. ClickOptions 4. ClickPrivacy 5. SelectTorBrowserwill:UsecustomsettingsforhistoryNote,thisisnottheonlymethod
9.7.
Referers
Wikipedia defines referers as occurs as an HTTP header field identifies, from the point of view of an Internet webpage or resource, the address of the webpage (commonly the Uniform Resource Locator (URL). Basically, when you click on a picture for example (or when a picture loads in a webpage), the website that hosts the information is sent a request that contains the last page you were in. Most recently, on one of the sites that I frequent, there was an attack done whereas somebody performed sessionhijackingattacksusingreferrerinformation This was possible because the session ID was in the URL (again, the address of the webpage) and with the use of referers, when a user loaded a page with live previews (or when a link was pressed), the sessionwasgiventotheattackerwhichallowedthemtodowhatevertheywantedtotheusersaccount. Disablingreferersonthebrowserisrecommended.Thistypeofattackisanotherreasonsomesitesare notrequiringcookies. Disabling referers in the browsers setting or downloading an addon is recommended. RefControl, https://addons.mozilla.org/enUS/firefox/addon/refcontrol/ is a good addon that accomplishes this. Youcanalsodisablereferersinthebrowsersettingsassuch:
P a g e |71 Firefox Intheaddressbar,typeabout:configpressEnter Accepttheprompt Typenetwork.http.sendRefererHeaderintotheFilterfield Doubleclicknetwork.http.sendRefererHeaderunderPreferenceName Inthewhitebox,enter1.Thedefaultvalueistwo Next,typenetwork.http.sendSecureXSiteReferrerintotheFilterfield Doubleclicknetwork.http.sendSecureXSiteReferrerunderPreferenceName.Thevalue shouldchangetoFalse 8. Click"OK"andclosetheabout:configwindow 1. 2. 3. 4. 5. 6. 7.
9.8.
Wikipedia defines this attack as a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts. I wont go into much detail about XSS attacks because there are so many. Basically, this is another way that an attacker might be able to gain control of your session. I recommend the addon RequestPolicy: https://addons.mozilla.org/en US/firefox/addon/requestpolicy/
9.9.
No amount of configurations will help if maleware on your machine is able to change your browser settings. One popular attack is changing the proxy settings of the browser which will transmit anything to a third party location versus through Tor. Another example is if software or maleware changes your search settings. You might unknowing type something in that you did not want searched with a particular search engine. For this, I would recommend BrowserProtect: https://addons.mozilla.org/en US/firefox/addon/browserprotect/ which protects your browsers settings and preference from being changed.
P a g e |72 Vista/7 1. OpenNetworkConnectionsbyclickingtheStartbutton ,clickingControlPanel,clicking NetworkandInternet,clickingNetworkandSharingCenter,andthenclickingManagenetwork connections. 2. Rightclicktheconnectionthatyouwanttochange,andthenclickProperties. Ifyouare promptedforanadministratorpasswordorconfirmation,typethepasswordorprovide confirmation.LocalAreaConnectionisusuallythewiredconnectionandWirelessiswireless. Forotheradapters(dongles,etc.),youwillhavetorightclickthoseorusethesoftwareprovided withthedevice. 3. ClicktheNetworkingtab.UnderThisconnectionusesthefollowingitems,clickeitherInternet ProtocolVersion4(TCP/IPv4). 4. TospecifyDNSserveraddresssettings,dooneofthefollowing: 5. TospecifyaDNSserveraddress,clickUsethefollowingDNSserveraddresses,andthen,inthe PreferredDNSserverandAlternateDNSserverboxes,typetheaddressesoftheprimaryand secondaryDNSservers(127.0.0.1). XP 1. 2. 3. 4. 5. LocateandopenNetworkConnections. DoubleClickyourdefaultNetworkConnectionfromtheavailablelist. ClickProperties. HighlightInternetProtocol(TCP/IP)andclickonPropertiesagain. TospecifyaDNSserveraddress,clickUsethefollowingDNSserveraddresses,andthen,inthe PreferredDNSserverandAlternateDNSserverboxes,typetheaddressesoftheprimaryand secondaryDNSservers(127.0.0.1).
P a g e |73
9.12. Limitations WhenusingTorpeoplebelievethatalltrafficisencrypted;thisisnotthecase.Itisagoodidea that people know when traffic will be sent in cleartext. As I said before, Tor works with many applications including your instant messaging applications, remote logins and many other applications based on the TCP protocol, but not the UDP protocol. Voice and video traffic are examples of data that will likely be using UDP traffic; this means they are generally not safe to use. This includes programs such as Skype, Google Voice, ChatRoulette, or Omegle. Those
programs/websites(whenusingwebcam)willnotbeencryptedtherefortheyhavenoanonymity.
Eventhough Iwouldnotrecommendit,youcansendalltraffic throughaVPN andrun the VPNthrough Tor. Make sure to configure the VPN to use TCP traffic instead of the default UDP traffic though first. Also know that there will be extreme performance degradation when doing this, so you might not even considerthisfeasible.
9.13. Extra
There are also more advanced features of Polipo that you could look into that offer additional security. Polipo offers the option to censor given HTTP headers in both client requests and server replies. The main application of this feature is to very slightly improve the user's privacy by eliminating cookies and some contentnegotiation headers.This can also be done using the FireFox windows (about:config) by configuring the Header and Referrer information. As a number of HTTP servers and CGI scripts serve incorrect HTTP headers, Polipo uses a lax parser, meaningthatincorrectHTTPheaderswillbeignored(awarningwillbeloggedbydefault).Ifthevariable laxHttpParser is not set (it is set by default), Polipo will use a strict parser, and refuse to serve an instance unless it could parse all the headers. Recently, as per a new vulnerability, you should set network.websocket.enabled to False.
P a g e |74 If you are using Linux you can create rules in the firewall (iptables) to only allow traffic through Tor and block everything else. Doing so ensures that nothing is accidently leaked (traffic wise). When using the Tor Browser Bundle, or a computer that is multipurpose, I would recommend blocking UDP port 53. Port 53 is used for DNS, or Domain Name Service, and will ensure that your computer will not resolve websiteswithoutgoingthroughTor.
P a g e |75
P a g e |76
P a g e |77 TFN(DDoSAttackTool)http://packetstormsecurity.org/distributed/tfn2k.tgz Stacheldraht(DDoSAttackTool)http://packetstormsecurity.org/distributed/stachel.tgz SecuniaPSI(UpdateTool)http://secunia.com/vulnerability_scanning/personal/ SuperAntiSpyware(SpywareRemover)http://superantispyware.com/download.html Comodo(Firewall)https://personalfirewall.comodo.com/ Snort(IDS)http://www.snort.org/start/download BackTrack(PenetrationTestingTool)http://www.backtracklinux.org/downloads/ Wireshark(PacketSniffer)http://www.wireshark.org/download.html Ethereal(PacketSniffer)http://ethereal.com/download.html Omnipeek(PacketSniffer)http://www.wildpackets.com/ Dsniff(NetworkAuditing)http://www.monkey.org/~dugsong/dsniff/ CainandAble(VariousTools)http://www.oxid.it/cain.html Etherape(PacketSniffer)http://etherape.sourceforge.net/ NetwitnessInvestigator(PacketSniffer)http://www.netwitness.com/ Kismet(PacketSniffer)http://kismetwireless.net/download.shtml NetStumbler(PacketSniffer)http://stumbler.net/ MedievalBluetoothScanner(BluetoothScanner)Unknownmanufacturespage CoreImpact(PenetrationTesting)http://www.coresecurity.com/ AirSnort(WirelessHacking)http://sourceforge.net/projects/airsnort/files/ CowPatty(WirelessHacking)http://www.willhackforsushi.com/Cowpatty.html Reaver(WirelessHacking)http://code.google.com/p/reaverwps/
P a g e |78 ThankstoCuriousVendettaandallforreviewingtheguide