Message-ID: <AANLkTinUMit8Fx7M76XyEtKKsxVqu5HyYABadtDKv4Ve@mail.gmail.com>
Date: Wed, 26 May 2010 01:25:25 +0545
From: Bipin Gautam <bipin.gautam@...il.com>
To: full-disclosure <full-disclosure@...ts.grok.org.uk>
Subject: Stealthier Internet access
Following is a LinkedIn posting from a discussion group. This is just
a random note for archive purposes. I lack the interest to write this
article in detail. The article and content are of poor quality, so
ignore...... :)
thanks,
-bipin
____________________________________
Stealthier Internet access
I wrote a small tutorial on something related. This doesn't reflect
any updated topics or cover any current knowledge or belief. I
lack the motivation to improve it, so for the curious few, here it is;
www.mail-archive.com/foss-nepal@...glegroups.com/msg04248.html
[On Wed, Feb 20, 2008]
---quote---
On Wed, Feb 20, 2008 at 11:45 PM, Bipin Gautam <[EMAIL PROTECTED]>
wrote:
>
> Firstly, please don't take this reply as a walkthrough of the
> topic... just a small push in the right direction for the curious few,
> if any. As said earlier, this topic is very vague and beyond the scope
> of this text for an in-depth explanation.
>
> Nevertheless, anonymous and secure communication in the world today is
> still possible; it's just that the bar has been slightly raised… ;)
>
> Rule 1: hide everything you can, as best you can, all the time, and
> create decoys in the things you are intentionally revealing…
>
> Let's begin:
> Topic: Anonymous Communication (web, mail)
>
> 1). OS of choice
> a). anonymos-shmoo.iso, live CD. It is a hardened OS and transparently
> tunnels all your communication via TOR.
> An OS on a r/w medium leaves behind detailed traces of your activities
> in the storage.
>
> b). Check and disable self-updating components (software, plugins etc.)
> in your OS that might bypass proxy rules or leak confidential
> information. This includes disabling self-updates of your hardware
> firewall. At the OS level use an application-level firewall. Use
> sniffers to monitor your tools of choice over time and ensure they are
> following proxy/VPN rules.
>
> 2). Place/means
>
> a). Behind NAT; better someone else's/a different MAC address, auth, IP
> b). Free hotspot: hotel, office, …..?
> c). Cyber café, public computer
> If it's not a place you own, better.
> Check for CCTV or other logging/monitoring devices around. Appear
> common. Too many unfamiliar screens on your computer screen draw the
> attention of passers-by. Get the idea…
>
> Technology:
> Consider chaining the anonymity technologies listed below (google them
> in detail). Always ensure one or a few layers of encryption on content
> you are trying to hide, using different tools that follow different
> protocols and use different encryption algorithms to secure your data,
> as you may not want to rest the confidentiality of your entire
> procedure on the strength/weakness of just one tool, one protocol and
> one algorithm. Is the performance and work overhead of using these
> multiple layers worthwhile?
>
> If you are selecting multiple encryption and hashing algorithms, make
> sure your choice is redundant… i.e. don't just use algorithms approved
> by the American standard; consider using a European standard as well
> (e.g.: the Whirlpool hashing algorithm adopted by NESSIE, SHA512 American
> Standard, NIST).
> Rijndael (later to be chosen as AES) was chosen over Serpent (despite
> the added security in Serpent) for performance reasons, though both
> algorithms are similar and have no known attack that has broken them
> to date. You may want to use other algorithms as well. In properly
> designed software the encrypted output doesn't leak the name of the
> algorithm used to produce the content, which means the attacker can
> just assume the tools, protocols and algorithms used to produce the
> content to start brute forcing. Considering 'just this fact' as stated
> above, TrueCrypt is better than the PGP disk encryption suite.
>
> Make sure to hide trivial things like file extensions, metadata,
> timestamps (?) even with encrypted output.
>
> - For some, an SSH tunnel to a private mail server listening on loopback
> to access GPG-encrypted mail is enough security... but it might not
> guarantee enough anonymity. Route your traffic through F2F and TOR and
> proxy chaining. Using port knocking to temporarily redirect port 80 to
> 22 locally (example) so that you can access port 22 via proxy chaining
> will add a layer of anonymity. Think creatively.
>
> Research these terms:
>
> - F2F network (example: Freenet, anoNet)
>
> - TOR (run it in server mode if you use it too often; some plausible
> deniability feature, as it is difficult for the attacker to ascertain
> whether the traffic being transmitted is generated locally or being
> relayed from another node)
> TOR servers don't relay standard SMTP traffic by default. But many
> mail providers/servers listen on ports other than the standard one.
>
> -Proxy Chaining
>
> - Open SMTP relays, have email accounts on servers in the third world
>
> -Open Proxy Servers
>
> Though the above technologies are vulnerable to traffic analysis from
> observers who can watch both ends of a user's connection, and have no
> defence against timing analysis.
>
> If you can enforce a particular routing of your data across
> predetermined servers, better, though routing tables can change often.
> It's better if you can ensure your anonymous data is routed across
> several countries with different legal and political jurisdictions
> (rivals!.... better ;)
>
> Establish a strict protocol between sender and receiver in a way... what
> to use to communicate, how to use it, in what order, and change it every
> few months, including secret keys, private/public keys, passwords etc.,
> and the medium and pattern of communication, including changing email
> addresses etc. Destroy everything you send/receive unless NECESSARY to
> store.
>
> - Data destruction would mean shredding the storage medium to no
> larger than 1mm and smelting (NIST standard for secure data disposal)
>
> - Software disk wiping:
> Wipe the KEY and header of your encrypted storage volume (first few MB,
> ref. the specific manual), using the Peter Gutmann standard of data
> wiping (35 wipes),
> and wipe the entire storage using U.S. DoD 5200.28-STD (7 wipes)
>
> OSes keep multiple copies of the partition header and store them in
> different places on the HDD to ensure recovery in case of data
> corruption, virus infection etc. This depends on the file system used
> (ref. the FS- and OS-specific manuals).
>
> Avoid solid state memory for data storage when possible; prefer
> magnetic storage.
> Note: though, pen drives (solid state memory) can be quickly hammered
> to pieces and flushed. They are economically very cheap too. Your
> choice of cost vs. level of security for data disposal depends on what
> the value of the information you are trying to hide is and how far you
> would go to assure what you are trying to accomplish.
>
>
> Don't choose passwords that match your interests, background,
> music, bike, sports, quotes etc. This information can be used to create
> a specific password dictionary for brute force.
> Using a password (something you know) + a key (something you have) is
> better, i.e. two-way tokens for authentication.
> Some ideas for generating/using a secure key:
> • Generate the SHA hash and MD5 hash of two or three secure passwords
> that are easy to remember and XOR them together, then append or delete
> some characters of the output. Use this final output as your password.
> • Or how about using the hash of Google's logo as the password, starting
> from byte x to byte y… (avoid file headers, footers). If the logo of the
> search engine changes, ref. search engine cache, archive.com etc. ;) This
> way you have a secure key but you don't have to store it locally. Just
> remember a few things.
> Get creative about choosing your password. See, you can easily create
> passwords that are easy to remember but difficult to predict/brute force.
> Be cautious while choosing a key/password. If an attacker can't attack a
> design flaw, the second thing they will try to attack is the key.
>
> - WASTE (ref. unofficial release): it is a chat and file sharing F2F
> network and supports some degree of anonymity even in standalone use.
> It has some capability of evading traffic analysis by masking the
> channel, sending dummy encrypted traffic to keep the channel 100%
> busy.
>
>
> Using different browsers per unique work is good. Say, using Safari to
> access webmail and online transactions, Internet Explorer for trusted
> sites, Firefox for regular searching, and Opera for browsing etc.
> Maintaining separation of duties per browser ensures cookie
> information, even when leaked, can be confined to a particular
> work/interest.
>
> Embedded content like audio, video, Flash, PDF, docs, Java, JS,
> exploits :P may or may not follow proxy rules. Some applications can't
> be forced to follow proxy rules. They leak vital and unique
> information about your system, browser activity and internal network.
> So know what you have installed, know what is running. Tracking plug-ins
> and their activity can be difficult, be it for your browser, your
> media player, your word processor or your IM.
>
> Example of how anonymity breaks:
> Suppose you are searching for something anonymously in Google and
> meanwhile you log on to your GMAIL that has your actual identity. Now
> your web search, this Gmail account, and the webpage you visited from
> Google AdSense can all be tied to point to a single person, you! The
> anonymity of your activity is blown right away.
>
> Further, your web browsing patterns, your topics of interest,
> bookmarks, the time you come online, internet speed, browser and OS
> fingerprint, plugins and features your browser supports, your
> language/interest pattern etc. can all serve as an intelligent
> fingerprint REGARDLESS OF YOUR IP address, and you can be tracked
> uniquely on the internet regardless of the IP.
>
> Clear cookies and cache as you close your browser window; clearing all
> cache is necessary, not just cookies, as cache can have capabilities like
> those of cookies. Disable auto-reloading content, advertisements etc.
> Things such as messenger ("away" after 5 minutes of inactivity)
> behavior etc. can leak your uptime, bandwidth utilization etc.!
>
> (ask.com (ask eraser), customize google plugin, noscript)
>
> Another example:
> There are browser plugins, tools… that can be used to change your user
> agent, but the BAD thing about using such tools is that instead of hiding
> your identity they make you stand out like an ostrich in a swarm of crows.
> Let me explain: suppose Opera released a critical update to all versions
> of its browser today, so most of the computer users that are online with
> the Opera browser are sure to auto-update their browser within a few
> weeks... but as you are just changing your user agent to appear as some
> version of Opera, you will stand in front of an intelligence analyst like
> a gentleman who appears to be using Opera but whose user agent dates back
> to an Opera released 3 years ago; unique features of browsers indicate you
> are forging the user-agent using patterns of tool x, which has the Opera
> user agent with version y hard coded, which you are using. Further, an
> attacker can know what plug-ins your browser supports and what
> browser-specific features you have disabled; the combination of all
> intelligence analysis data can create a unique fingerprint, making the
> tools you used to be more anonymous and more secure backfire, and this
> information can be used by the attacker (Big Brother?) to instead create
> a unique pattern of your identity, making you less anonymous even if you
> are able to use different IPs all the time.
>
> Your real IP is something that can be associated with you if discovered.
> But if you use anonymity technology haphazardly you give away a unique
> identity/behavior pattern that can be as good as obtaining real IP
> information. Know how to strike the right balance… or am I being too
> paranoid?
>
> See, Intelligence analysis is very hard to fool.
>
>
>
> Anonymous email:
>
> 1). Encrypt and base64 encode the content securely to guarantee
> point-to-point (p2p) confidentiality.
>
> 2). While sending and receiving email, force the final output to be
> read as ASCII, as text format can be OS specific: DOS (CRLF), UNIX (LF)
> and Macintosh (CR), which can leak your OS. Grammar and spelling
> corrections in text can be analyzed to know which version of word
> processor was used to create it; it can leak OS-specific information
> even with normal plain text!
>
> 3). Re-mailers
> Google: Mixminion / Mixmaster / Cypherpunk remailers
> Basically, they route your email through several mail relay servers of
> your choosing, stripping headers that can leak the source of the email as
> it passes from one server to another. They provide a feature of
> redundancy that can assure delivery of email to a higher degree and
> employ random delays and random message padding before forwarding the
> message.
>
> Notes:
> - Don't trust the servers blindly, assuming they will guarantee your
> anonymity needs. Operators have to comply with local law all the time.
> Assume they can be monitored, logged, hacked and bugged. Use other
> intermediate means of anonymity before you choose to use these services.
> - Keep message size normal.
> - Consult re-mailer statistics sites to learn about the history of the
> operator, the security track record of the OS they use, the country in
> which these servers are situated etc.
>
> 4). Users should take great care stripping metadata while emailing
> images, audio, video files, documents etc., as they may embed and store
> information within them about the user or system that created/modified
> the file. This information can be retrieved when transmitted and can
> be uniquely associated with you.
> For instance, they might store and leak registered unique IDs of the
> product that created the content, or embed your hardware serial numbers
> (like Ethernet MAC address, CPU info etc.); this information can be used
> to track you down to a country or region where the particular sale
> happened. Microsoft Windows Activation, Microsoft Office… infamous
> examples.
>
> 5). Technologies such as F2F networks, open proxies that cross different
> geographical boundaries etc. can be chained together so that you can
> relay your communication through open SMTP relays from China :P, free
> mail servers from the third world where logging, monitoring and technical
> capabilities are primitive, or you could use your own SMTP server to
> route your (encrypted) mail directly to the destination. There are
> online sites that claim to provide disposable email addresses for email
> delivery or retrieval.
>
> Anonymous-Sender.com, Pookmail.com (Research…)
> Example: [EMAIL PROTECTED] is a common email address. How about you write
> an article about the features of Pookmail in dig with a test example,
> [EMAIL PROTECTED]. While [EMAIL PROTECTED] gets thousands of hits, you send
> your private encrypted content in that crowd for delivery to your
> receiving party, or how about using steganography and posting secret
> content to a website/forum, embedding it in pornography. This can act
> as a drop zone. The content can be retrieved by the receiving party.
> Think creatively… it's not necessary that text communication should
> happen through @email_address! You could use a free file upload server to
> accomplish the same. Upload 10 files of similar size using
> steganography. Embed one video with the encrypted content and the other
> 9 videos with just random data (decoy). The receiver who knows the key can
> easily extract the encrypted content while an attacker will have to
> try and brute force all the obtained files. The same can be used for
> encrypted volumes.
>
> 6). While sending anonymous email make sure trivial things like the
> X-Mailer string and your time zone (GMT) don't get leaked, or better,
> are forged if intentionally leaked. Version info of the encryption
> technology you use can sometimes serve as an advantage to the attacker.
> For example, the GPG software version you are using can leak from your
> public key.
>
> Conclusion:
> Anonymous and secure communication is not just about using the right
> tools, and it's not just about focusing on the application layer, link
> layer, bla… bla….:P
> It's about truly knowing what you are doing in fine detail.
> Flexibility and security are always like the opposite ends of a see-saw.
>
> There are many things I skipped which are beyond the scope of this
> email, but this should be a good push for the curious starters. All I
> recommend you to prioritize is the right intelligence and an in-depth
> understanding of the subject matter over any tools or technologies,
> because no matter what technologies you use, they only stand a slim
> chance against intelligence analysis in the right direction.
>
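As an added example (not code from Bipin's tutorial or from any tool it names), the pre-send checks from items 2) and 6) above in Python: flag headers that identify the mail client, originating host or time zone, report the line-ending convention of the body, and normalize text to ASCII with LF endings. The sample message and the list of headers checked are constructed assumptions for this example.

```python
"""Pre-send hygiene check for an outgoing mail (added example, not from the
original post): header trivia such as X-Mailer and the time zone in Date,
the line-ending convention of the body, and non-ASCII characters."""
import email
from email.utils import parsedate_to_datetime

# Headers that name the sending software or host. The list is an assumption
# for this example; extend it with whatever your own client emits.
LEAKY_HEADERS = ("X-Mailer", "User-Agent", "X-Originating-IP", "Organization")


def find_header_leaks(raw: bytes) -> list:
    """Return findings for headers that reveal client software, originating
    host or local time zone. Each finding is a short human-readable string."""
    msg = email.message_from_bytes(raw)
    findings = []
    for name in LEAKY_HEADERS:
        if msg[name] is not None:
            findings.append(f"{name}: {msg[name]}")
    # A non-zero UTC offset in Date narrows the sender down to a time zone.
    if msg["Date"] is not None:
        dt = parsedate_to_datetime(msg["Date"])
        offset = dt.utcoffset()
        if offset is not None and offset.total_seconds() != 0:
            findings.append(f"Date: offset {dt.strftime('%z')} reveals time zone")
    # The right-hand side of Message-ID is normally the originating hostname,
    # so it is reported for review whenever present.
    mid = msg["Message-ID"]
    if mid:
        host = mid.strip().strip("<>").rsplit("@", 1)[-1]
        findings.append(f"Message-ID host: {host}")
    return findings


def line_ending_style(body: bytes) -> str:
    """Name the line-ending convention of a body; each maps to a platform."""
    if b"\r\n" in body:
        return "CRLF (DOS/Windows)"
    if b"\r" in body:
        return "CR (classic Macintosh)"
    if b"\n" in body:
        return "LF (Unix)"
    return "none"


def normalize_text(body: str) -> str:
    """Rewrite the body so it carries no platform or editor hints: collapse
    CRLF and bare CR to LF and drop characters outside ASCII (smart quotes,
    non-breaking spaces and similar word-processor artefacts)."""
    text = body.replace("\r\n", "\n").replace("\r", "\n")
    return text.encode("ascii", "ignore").decode("ascii")


def check_message(raw: bytes) -> dict:
    """Run all checks on a raw RFC 822 message and return a summary."""
    sep = b"\r\n\r\n" if b"\r\n\r\n" in raw else b"\n\n"
    _, _, body = raw.partition(sep)
    return {
        "header_leaks": find_header_leaks(raw),
        "line_endings": line_ending_style(body),
    }


# Constructed sample: a CRLF message from a hypothetical client with a
# local-hostname Message-ID and a +0545 time zone.
SAMPLE_MAIL = (
    b"From: sender@example.invalid\r\n"
    b"To: recipient@example.invalid\r\n"
    b"Date: Wed, 20 Feb 2008 23:45:00 +0545\r\n"
    b"Message-ID: <20080220234500.1234@desktop.home.lan>\r\n"
    b"X-Mailer: HypotheticalMailer 2.0\r\n"
    b"Subject: test\r\n"
    b"\r\n"
    b"Hello,\r\nplain body text.\r\n"
)

if __name__ == "__main__":
    report = check_message(SAMPLE_MAIL)
    for finding in report["header_leaks"]:
        print("leak:", finding)
    print("body line endings:", report["line_endings"])
    print(repr(normalize_text("Hello,\r\nthis has a curly quote \u2019 in it.\r\n")))
```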
...
Browser Extensions:
Customize FF: Disable all auto updates & in about:config you may want
to remove any third party URLs that start with the keywords google,
yahoo etc...
Useful Plugins: Private Browsing, NoScript, User Agent Switcher,
RefControl, Ghostery, CookieSafe, Optimize Google, Close 'n forget,
BetterPrivacy, Adblock Plus (disable the plugins' auto-update features as
well)
...
& a related paper from EFF published just recently shares a
similar notion.
From open source, only a rare few people like Henrik Gemal
(http://browserspy.dk/) are known to have had early knowledge
(~1999) of this topic.
(Source) http://www.eff.org/press/archives/2010/05/13
May 17th, 2010
Web Browsers Leave 'Fingerprints' Behind as You Surf the Net
EFF Research Shows More Than 8 in 10 Browsers Have Unique, Trackable Signatures
San Francisco - New research by the Electronic Frontier Foundation
(EFF) has found that an overwhelming majority of web browsers have
unique signatures -- creating identifiable "fingerprints" that could
be used to track you as you surf the Internet.
The findings were the result of an experiment EFF conducted with
volunteers who visited http://panopticlick.eff.org/ . The website
anonymously logged the configuration and version information from each
participant's operating system, browser, and browser plug-ins --
information that websites routinely access each time you visit -- and
compared that information to a database of configurations collected
from almost a million other visitors. EFF found that 84% of the
configuration combinations were unique and identifiable, creating
unique and identifiable browser "fingerprints." Browsers with Adobe
Flash or Java plug-ins installed were 94% unique and trackable.
"We took measures to keep participants in our experiment anonymous,
but most sites don't do that," said EFF Senior Staff Technologist
Peter Eckersley. "In fact, several companies are already selling
products that claim to use browser fingerprinting to help websites
identify users and their online activities. This experiment is an
important reality check, showing just how powerful these tracking
mechanisms are."
EFF found that some browsers were less likely to contain unique
configurations, including those that block JavaScript, and some
browser plug-ins may be able to be configured to limit the information
your browser shares with the websites you visit. But overall, it is
very difficult to reconfigure your browser to make it less
identifiable. The best solution for web users may be to insist that
new privacy protections be built into the browsers themselves.
"Browser fingerprinting is a powerful technique, and fingerprints must
be considered alongside cookies and IP addresses when we discuss web
privacy and user trackability," said Eckersley. "We hope that browser
developers will work to reduce these privacy risks in future versions
of their code."
EFF's paper on Panopticlick will be formally presented at the Privacy
Enhancing Technologies Symposium (PETS 2010) in Berlin in July.
For the full white paper: How Unique is Your Web Browser?:
https://panopticlick.eff.org/browser-uniqueness.pdf
For more details on Pantopticlick:
http://www.eff.org/deeplinks/2010/05/every-browser-unique-results-fom-pa ...
For more on online behavioral tracking:
http://www.eff.org/issues/online-behavioral-tracking
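The uniqueness figures in the EFF release and the user-agent-switcher point in the quoted tutorial (a forged User-Agent that contradicts the browser's real feature set makes you more identifiable, not less) can both be checked with a little arithmetic. This is an added example in Python, not EFF's Panopticlick code or data; the visitor population, attribute list and engine-marker table are constructed for illustration.

```python
"""Panopticlick-style fingerprint arithmetic over a constructed population
(added example; not EFF's code or data)."""
import math
from collections import Counter

# Attributes a fingerprinting script can read from a visiting browser.
# Constructed list; real scripts collect many more (fonts, headers, ...).
ATTRIBUTES = ("user_agent", "plugins", "screen", "timezone", "features")

# Engine-specific JavaScript marker each browser family actually exposes.
# Constructed mapping for illustration only.
ENGINE_MARKER = {"Firefox": "buildID", "Opera": "window.opera", "IE": "ActiveXObject"}


def visitor(ua, plugins, screen, tz, features):
    """Build one visitor record from its observed attributes."""
    return dict(zip(ATTRIBUTES, (ua, plugins, screen, tz, features)))


# Constructed population of eight visitors. The last one runs Firefox but has
# set a User-Agent switcher to an old Opera string.
POPULATION = [
    visitor("Firefox/3.6", "Flash,Java", "1280x800", "-480", "buildID"),
    visitor("Firefox/3.6", "Flash", "1280x800", "-480", "buildID"),
    visitor("Firefox/3.6", "Flash", "1280x800", "-480", "buildID"),
    visitor("Opera/10.53", "Flash", "1024x768", "60", "window.opera"),
    visitor("Opera/10.53", "Flash", "1024x768", "60", "window.opera"),
    visitor("IE/8.0", "Flash,Java", "1366x768", "0", "ActiveXObject"),
    visitor("IE/8.0", "Flash", "1366x768", "0", "ActiveXObject"),
    visitor("Opera/9.0", "Flash,Java", "1280x800", "345", "buildID"),
]


def fingerprint(cfg: dict) -> str:
    """Join the observed attributes into one fingerprint string."""
    return "|".join(cfg[a] for a in ATTRIBUTES)


def unique_fraction(population) -> float:
    """Fraction of visitors whose fingerprint nobody else in the population
    shares (EFF reported 84% for its sample)."""
    counts = Counter(fingerprint(c) for c in population)
    return sum(1 for c in population if counts[fingerprint(c)] == 1) / len(population)


def surprisal_bits(cfg: dict, population) -> float:
    """Identifying information carried by one fingerprint: -log2 of the share
    of the population that has it. log2(N) bits suffice to single out one
    visitor among N (about 20 bits for a million)."""
    counts = Counter(fingerprint(c) for c in population)
    return -math.log2(counts[fingerprint(cfg)] / len(population))


def attribute_entropy(population, attr: str) -> float:
    """Shannon entropy of a single attribute across the population: how much
    that attribute alone contributes to telling visitors apart."""
    n = len(population)
    counts = Counter(c[attr] for c in population)
    return -sum(k / n * math.log2(k / n) for k in counts.values())


def ua_consistent(cfg: dict) -> bool:
    """True when the browser family claimed in the User-Agent matches the
    engine marker actually observed. A mismatch means the User-Agent is
    forged, and the contradiction itself is a rare, identifying trait."""
    family = cfg["user_agent"].split("/", 1)[0]
    return ENGINE_MARKER.get(family) == cfg["features"]


if __name__ == "__main__":
    print(f"unique fingerprints: {unique_fraction(POPULATION):.0%}")
    for attr in ATTRIBUTES:
        print(f"  entropy of {attr}: {attribute_entropy(POPULATION, attr):.2f} bits")
    spoofed = POPULATION[-1]
    print("spoofed visitor: consistent UA?", ua_consistent(spoofed),
          f"surprisal {surprisal_bits(spoofed, POPULATION):.1f} bits")
```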
...
#
(Here are a few basic bookmarks to improve stealthier internet access for Windows)
Scan for missing system updates (Shortcoming: lacks a CLI version)
secunia.com/vulnerability_scanning/personal/
The Secunia PSI is a FREE security tool designed to detect vulnerable
and out-dated programs and plug-ins which expose your PC to attacks.
...
Microsoft Windows fixes 16 year old vulnerability, ref. its mitigation section
seclists.org/fulldisclosure/2010/Jan/341
...
(Harden Windows to Minimum configuration) www.nliteos.com/guide/
nLite allows you to customize your installation of Windows XP, Windows
2000, or Windows 2003. You can integrate service packs and hotfixes.
...
Bart's Preinstalled Environment (BartPE) bootable live windows CD/DVD
www.nu2.nu/pebuilder/
...
Preventing USB devices from spreading viruses
seclists.org/fulldisclosure/2008/Nov/481
Change the permissions of the driver folder and critical autorun registry
entries to everyone:R (cacls, regedit)
...
Easy software to prevent Windows listening on 135, 445, 137-139, UPnP
and Messenger ports
www.softpedia.com/get/Security/Firewall/Windows-Worms-Doors-Cleaner.shtml
Anti Keylogger Test
www.softpedia.com/get/Security/Firewall/Anti-KeyLogger-Tester.shtml
...
Here are a few bookmarks, that readers might want to further explore:
(Windows checks the digital signature of an executing installer, revealing
the installation of a specific software on the user's system to
Certification Authorities like Symantec, compromising privacy; never
trust CAs blindly, a cert from a public CA is weak security)
supportforums.vizioncore.com/thread.jspa?threadID=22276&tstart=-2
news.netcraft.com/archives/2010/05/20/symantec_buys_large_share_of_ssl_market.html
...
(Basic Monitoring)www.sysinternals.com/ (Autoruns, Process Explorer,
TCPView , ShareEnum)
Startup Programs and Removing Them
www.marksanborn.net/howto/startup-programs-and-removing-them/
...
Use an anonymous computer/NetBIOS name during OS setup and during software
installation.
Disable Unnecessary Windows Services (disable SSDP/UPnP, Windows
client, auto update, BITS, system restore, remote registry, Windows
time, TCP over NetBIOS, Windows indexing, help and support etc.)
www.pc-washer.com/optimize-windows/disable-unnecessary-windows-service.php
www.marksanborn.net/howto/turn-off-unnecessary-windows-services/
...
Use application isolation, and use software restriction policy in a
sandbox dir http://www.sandboxie.com/
portableapps.com/
Prefer using portable applications in a jailed, user-privilege-only,
locked down read-only mode.
...
Use third party manual software uninstaller to monitor registry and fs
modification over time.
www.revouninstaller.com/revo_uninstaller_free_download.html
...
Free Antivirus :
www.free-av.com/
www.threatfire.com/
www.iantivirus.com/
...
Online Antivirus scanner
antivirus.about.com/od/freeantivirussoftware/tp/aaonline.htm
Online Port Scanner (To check your firewall leak from outside)
www.google.com/search?q=online+port+scanner
...
QEMU: don't use virtual machine acceleration. Use user-mode emulation,
run the guest OS with limited privileges, and emulate your guest OS
on another architecture, EXCEPT x86 CPU emulation (i.e. an architecture
distinct from the host OS), in the VM for added security/delaying attack?
QEMU is able to not just emulate a full system, but also to run a
normal program that was compiled for another architecture. This is
done when it cannot be recompiled because the source code is
unavailable, or when the program's architecture does not permit
running it under all architectures.
en.wikipedia.org/wiki/QEMU
...
* free, fast-booting Linux distros that aren't Chrome OS
www.downloadsquad.com/2009/12/30/10-free-fast-booting-linux-distros-that-arent-chrome-os/
(Recommended: Moblin, Jolicloud)
(Google Chrome OS follows good security practice, but the OS has a bad
privacy track record) en.wikipedia.org/wiki/Google_Chrome_OS
...
Packet Capturing Tool:
download.netwitness.com/download.php?src=DIRECT
www.wireshark.org/download.html
...
Core Force was the best personal firewall for Windows.
en.wikipedia.org/wiki/Core_force
...
www3.untangle.com/Product-Overview
Untangle provides a powerful suite of Internet management applications
for small-to-medium businesses and education institutions.
...
Do web-facing activity inside a VM; still, a tutorial on stealthier
internet access from the Windows OS is beyond the scope of this text.
_____________________
In other news, DARPA looks for stealthier Internet access
http://gcn.com/articles/2010/05/21/darpa-safer-solicitation.aspx
In particular, DARPA is interested in technologies that “allow
anonymous Internet communications to bypass techniques that suppress,
localize and/or corrupt information.”
The technologies the Defense Department is interested in circumventing
include IP-address filtering or "blocking," which can deny user
access; Domain Naming Service hijacking, which redirects a user to a
different Web site or service from what the user intended; and content
filtering, which captures and analyzes the content of the user's
network traffic through deep packet inspection.
The Safer Warfighter Communications (SAFER) program (DARPA-BAA-10-69)
covers applications such as instant messaging, electronic mail, social
networking, streaming video, voice over IP and video conferencing.
DARPA’s particular technical areas of interest include measurement,
circumvention and testbed and evaluation support.
However, these same tools could also be used by “those determined to
get around measures designed to thwart copyright violators and
extreme-porn aficionados,” wrote Lewis Page in a story posted by U.K.
publication The Register.
...
#
Non-Classical Computer Forensics
http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Krawetz.pdf
Windows Forensics/Antiforensics is another important topic which is an
ocean on its own but sadly beyond the scope of this text. (
http://www.forensicfocus.com )
Anti-Forensics Intro
Lack of evidence also evidence
Storage
Magnetic Storage
Hard Disk
Data Hiding
Bad Cluster
Negative Disk
Slack Space
Alternate Data Stream (with examples all)
ATA-3 mode
Data Wiping
ZIP drive and Floppy Disk
CD/DVD
Recording and wiping
Solid State Memory
Error Levelling
Cryptography (30 Pages least,www.schneier.com)
Strength/Weakness
Digital Signature, executable file
Checksum
Symmetric/Asymmetric
Tools/Choices
Bruteforce, other backdoor/program flaws (random no. gen, key initialization etc)
File/Disk Encryption
Encrypted hdd
PGP Disk
True Crypt
EFS
openssl features
FUSE (user land file system)
Firefox Browser plug-in for file encryption.
Remote Storage
File Hosting Servers
Remote Backup Servers
Web Hosting
Undelete Data
Secure Data wiping
Quick Erase
Disk and Memory
dd, shred.exe, bcwipe, floppy auto wipe hdd (tool)
Hibernation File, Page File, NTUSER.dat, REGISTRY, Temp directory
Logs
Internet/Email History
Discuss all popular Browsers
Slack Space
Printer
Picture
Thumbs.db
Meta Data
EXIF description
Document File (PDF/DOC)
Meta Data
Revision history
MAC in document from Computer of origin
Other file Format
Audio
Video
DRM, Call back Home
Proprietary Formats
Water Marking
Harry Potter book Example
Steganography
Picture,Audio, Video, Executables(-ve operation)
Covert Channel TCP/IP and more
Timestamp
Cellphone Forensics
Mobile Logs, data, SMS, Communication, Tracking/Location,
IMEI, SIM, Encrypted SMS/MMS, Wipe Mobile OS, Prepaid SIM,
Change IMEI of Mobile through software/hardware, tools etc
...
Some software in OSS that are rugged/modular designs:
Applications like Sumatra PDF Reader (
http://blog.kowalczyk.info/software/sumatrapdf ), multi-messenger
clients like www.pidgin.im, www.miranda-im.org,
www.FreeDownloadManager.org as download manager, www.OpenOffice.org
to handle office documents, should be run inside a VM whenever
possible. Questionable documents from third parties should be opened as
Google cache (if a publicly accessible web document, syntax "cache:
http://example.com/example1.pdf ", or mailed to yourself in Gmail
and viewed as HTML or in Google Docs).
Documents in multiple file formats can be converted and viewed
online from just a browser. Like, google "Online PDF to HTML
Conversion". Even audio and video files from untrusted sources can be
equally dangerous. You can normalize such attacks by first uploading
such audio, video or document files to an intermediate service
provider for online file format conversion. They provide free
services to convert, say, FLV encoded received information to .wmv
output, to be viewed as WMV instead. There are plenty of web services
that provide such a facility. The output WMV file should be opened
instead of the original FLV. Files received from untrusted third parties
should only be opened after such normalization to mitigate attack
vectors.
www.clamwin.com anti-virus (very buggy) as a manual AV scanner and
www.7-zip.org to handle archives are also nice tools.
IMPORTANT: When you are done with "experiments" and have settled on a
preference, create a checklist of your knowledge and start a CLEAN,
configured installation of your OS.
A free open source disk imager
http://en.wikipedia.org/wiki/Acronis_True_Image
http://odin-win.sourceforge.net/
How many hours did you spend in setting up your Windows system?
Setting up the operating system, installing programs, customizing to
your personal needs. Do you want to be protected against hard disk
failures, viruses or other malware? Just restore your system within
minutes. Why spend money for a commercial solution? ODIN supports
snapshots, can be run from the command line or with a GUI, and runs on
32-Bit and 64-Bit operating systems.
(Later, when you restore the image, run a one-time update on all
software and installation modules from the previous backup to assure the
latest protection via manual automatic updates.)
...
Move on from Antivirus to Application whitelists solutions:
http://en.wikipedia.org/wiki/Whitelist#Application_whitelists
...
#
(Windows XP Security Checklist)
http://www.google.com/search?q=windows+xp+security+checklist
http://labmice.techtarget.com/articles/winxpsecuritychecklist.htm
Windows Secure Build Checklist
http://seclists.org/basics/2009/Feb/199
DoD General Purpose STIG, Checklist, and Tool Compilation CD
http://iase.disa.mil/stigs/checklist/index.html
Windows XP Baseline Security Checklists
http://technet.microsoft.com/en-us/library/cc751488.aspx
Checklist: Securing your computers using Security Configuration Manager
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/sce_pols_check.mspx
...
[This is IMPORTANT] For the audience who are experiencing the 'Avatar' blues...
edition.cnn.com/2010/SHOWBIZ/Movies/01/11/avatar.movie.blues/index.html
So, if you are experiencing Windows blues with these new tools
and their LOOKS, here is a little therapy...
If you are experiencing 'Windows Media Player' blues, you can
always do a makeover of VLC Player with a Windows Media Player-like skin
from www.videolan.org/vlc/skins.php
There are also "MSN Messenger-like" skins for Miranda & Pidgin IM, to
get over MSN Messenger blues.
addons.miranda-im.org/index.php?action=display&id=67&sort=dlcount&order=desc
www.youtube.com/results?search_query=pidgin+skin
To get over IE blues, you can make Firefox look like Internet Explorer 7
www.howtogeek.com/howto/internet/firefox/make-firefox-look-like-internet-explorer-7mostly-on-windows-vista/
Ok, finally, to use Linux that looks like Windows, but secure... there
is: ylmf.org/en/
...
FF: Search-engine auto-suggest, block "reported attack website" and
"web forgeries" checks are bad features from a privacy perspective.
...
Recommendations: Delete the inbuilt zip manager & WordPad-like software
using nLite or XPlite ( www.litepc.com/download.html )
...
Here is a customized_nlite_session for you as a sample for a jump
start: groups.google.com/group/nepsecure/web/nlite_SESSION.INI
nliteos.com
Have you ever wanted to remove Windows components like Media Player,
Internet Explorer, Outlook Express, MSN Explorer, Messenger... How
about not even installing them with Windows?
nLite is a tool for pre-installation Windows configuration and
component removal of your choice. Optional bootable image ready for
burning on media or testing in virtual machines. With nLite you will
be able to have a Windows installation which on install does not
include, or even contain on media, the unwanted components.
…
Disable sending of AV quarantine files and FS scan reports to the AV
vendor. They leak your OS directory structure.
...
Map your Desktop and My Documents folders into an encrypted TrueCrypt
volume, use TrueCrypt full HDD encryption, or use a Seagate encrypted HDD.
...
...
A program used to create one's own CD, with all the personalizations one likes:
en.wikipedia.org/wiki/FreeSBIE
en.wikipedia.org/wiki/Incognito_(Linux)
The main feature being the inclusion of anonymity and security tools
such as Tor by default.
...
Cygwin is a Linux-like environment for Windows.
www.cygwin.com/
...
...
Windows Volume serial number:
www.digital-detective.co.uk/documents/Volume%20Serial%20Numbers.pdf
...
Forensic analysis of the Windows registry:
www.forensicfocus.com/forensic-analysis-windows-registry
www.eptuners.com/forensics/contents/A_Forensic_Examination_of_the_Windows_Registry.pdf
Registry Quick Find Chart.backup.fm
www.accessdata.com/media/en_us/print/papers/wp.Registry_Quick_Find_Chart.en_us.pdf
www.forensicfocus.com/downloads/windows-registry-quick-reference.pdf
Registry Viewer
www.logon-int.com/Product.asp?sProdClassCode=ACD-P-0007
...
Picture forensics: www.hackerfactor.com/papers/bh-usa-07-krawetz-wp.pdf
...
en.wikipedia.org/wiki/Windows_thumbnail_cache
Vinetto is a forensics tool to examine Thumbs.db files.
vinetto.sourceforge.net/#overview
...
www.narus.com/products/intercept.html
...
Windows uniquely logs mounted USB devices by hardware SSID. This is
used to identify whether a pen drive / USB device has been inserted in
a computer or not.
scissec.scis.ecu.edu.au/proceedings/2007/forensics/23_Luo_Tracing_USB_Device_artefacts_on_Windows_XP.pdf
Delete USB Device History from the Windows Registry (USBSTOR key) and
the setupapi.log
www.anti-forensics.com/delete-usb-device-history-from-the-windows-registry-usbstor-key-and-the-setupapilog
...
Preventing SSL Traffic Analysis with Realistic Cover Traffic
www.cs.uiuc.edu/homes/nschear2/ccs09-poster.pdf
...
In your email client, disable automatic display of pictures as
attachments and disable HTML email.
...
Third-party closed-source device drivers are security issues.
...
Change your online nick/identity often
...
atomicparsley.sourceforge.net/
AtomicParsley is a lightweight command line program for reading,
parsing and setting metadata into MPEG-4 files supporting these styles
of metadata:
iTunes-style metadata into .mp4, .m4a, .m4p, .m4v, .m4b files
3gp-style assets (3GPP TS 26.444 version 6.4.0 Release 6 specification
conforming) in 3GPP, 3GPP2, MobileMP4 & derivatives
ISO copyright notices at movie & track level for MPEG-4 & derivative files
uuid private user extension text & file embedding for MPEG-4 & derivative file
...
DocuColor Tracking Dot Decoding Guide
w2.eff.org/Privacy/printers/docucolor/
FTC Investigating Privacy Risks of Digital Copiers
www.eweek.com/c/a/Data-Storage/FTC-Investigating-Privacy-Risks-of-Digital-Copiers-465059/
...
Use "isoinfo" in Linux to get any forensic info left on a CD.
Nero keeps a log of burned CDs at: \Program Files\Ahead\Nero\NeroHistory.log
It contains info about the physical memory, CD burned, CD size,
hardware device used to burn the CD, etc.
…
Burning CDs and DVDs can leak your CD/DVD hardware manufacturer information:
CD-R Manufacturer Code
www.forensicfocus.com/index.php?name=Forums&file=viewtopic&t=3078
CDR ATIP Reader reads information from the CD-R/RW media ATIP section
and outputs it for the user in a raw binary data view, a field values
view and a translated view. That information can contain the media
manufacturer name, disc type and additional information.
Also, www.forensicfocus.com/index.php?name=Forums&file=viewtopic&t=2961
...
HSF54 >> Radio Frequency / Microwave / EMF Shielding Paint <<
www.safelivingtechnologies.ca/rf/Products_RF_Shielding_Paint_HSF54.htm
www.schneier.com/blog/archives/2004/12/wifi_shielding.html
...
Visualizing Online Social Networks
www.ire.org/sna/
internetbusinessmodels.org/visualizing-online-social-networks/
Inferring and Visualizing Social Networks on IRC
www.jibble.org/piespy/
...
Protecting Secure Facilities with Sound Masking
svconline.com/web_exclusives/sound_masking/
…
(Only communication in either plain text or encrypted)
Removing Sensitive Data from Documents (Microsoft Word/Excel/ppt, pdf)
www.timeatlas.com/reviews/reviews/removing_sensitive_data_from_documents
www.pcworld.com/article/119674/free_tool_identifies_hidden_data_in_microsoft_office_docs.html
Microsoft Word Metadata Scrubber
www.ghacks.net/2008/11/18/microsoft-word-metadata-scrubber/
Open office: lawyerist.com/how-to-quickly-and-easily-remove-meta-data/
(Anti forensic)
www.blackhat.com/presentations/bh-usa-05/bh-us-05-foster-liu-update.pdf
(Resource) www.forensics.nl/presentations
geschonneck.com/security/forensics/
Steganography & Data Hiding - Links & Whitepapers : data-hiding.com/
Steganography, Steganalysis, & Cryptanalysis
www.defcon.org/images/defcon-12/dc-12-presentations/Raggo/dc-12-raggo.ppt
…
NTFS hidden data analysis:
www.forensicfocus.com/downloads/ntfs-hidden-data-analysis.pdf
...
Password Recovery Speeds
www.lockdown.co.uk/?pg=combi
This document shows the approximate amount of time required for a
computer or a cluster of computers to guess various passwords.
...
Full Disk Encryption: What It Can And Can't Do For Your Data
mobile.darkreading.com/9299/show/1a4113a09b515ef7a3d175e5e4be1446&t=18029ea8440795f55be33bb23c5f46af
en.wikipedia.org/wiki/Comparison_of_disk_encryption_software
...
Darik's Boot and Nuke
www.dban.org/
("DBAN") is a self-contained boot disk that securely wipes the hard
disks of most computers. DBAN will automatically and completely delete
the contents of any hard disk that it can detect, which makes it an
appropriate utility for bulk or emergency data destruction.
www.garykessler.net/library/fsc_stego.html
An Overview of Steganography for the Computer Forensics Examiner
...
Pentagon sets its sights on social networking websites
www.abovetopsecret.com/forum/thread211526/pg1
“I AM continually shocked and appalled at the details people
voluntarily post online about themselves.” So says Jon Callas, chief
security officer at PGP, a Silicon Valley-based maker of encryption
software. He is far from alone in noticing that fast-growing social
networking websites such as MySpace and Friendster are a snoop’s
dream.
I Spy : Amateur satellite spotters can track everything government
spymasters blast into orbit. Except the stealth bird codenamed Misty.
www.wired.com/wired/archive/14.02/spy.html
www.heavens-above.com/
Spy satellites in the sky: For America, having others know the precise
time its eyes will be overhead poses a huge strategic problem. India's
nuclear tests in the Rajasthan desert in 1998 caught US intelligence
unawares because the Indians had ascertained the orbits of US
satellites and hid their operations accordingly.
...
www.darknet.org.uk/2006/03/10-best-security-live-cd-distros-pen-test-forensics-recovery/
Application Whitelisting: Allow Known Good to Prevent the Bad
In the days following the recent IE vulnerability (Aurora) attacks,
Gartner’s Neil MacDonald advised, "Application whitelisting at the
endpoints would have stopped these attacks." Shortly after, companies
targeted by this attack chose Bit9 – named 2010 Technology of the Year
by InfoWorld – to protect their systems.
...
news.com.com/Hidden+text+shows+SCO+prepped+lawsuit+against+BofA/2100-7344_3-5170073.html?tag=nl
A Microsoft Word document of SCO's suit against DaimlerChrysler, seen
by CNET News.com, originally identified Bank of America as the
defendant instead of the automaker. This revision and others in the
document can be seen through powerful but often forgotten features in
Microsoft Word known as invisible electronic ink.
A feature in the word-processing software tracks changes to documents,
who made those changes, and when they were made.
...
Geotagging invades privacy (Flickr, Twitter, Facebook, Picasa all bad):
www.aguntherphotography.com/geotagging-invades-privacy.html
The prices for GPS receivers have eroded. Even my iPhone has one
already built in. It takes photographs and automatically attaches GPS
data. Jobo and other accessory makers have developed GPS receivers
that record a location every time you press the shutter release button
on your camera, allowing you to combine them later on your PC. For
several years, I used to carry a small Garmin GPS, recording track
logs and using programs like JetPhoto Studio, Google gpicsync or
Microsoft Location Stamper to put the GPS data into my digital files.
Geotagging is now a mainstream technology and is more popular than
ever.
Geolocation: en.wikipedia.org/wiki/Geolocation
en.wikipedia.org/wiki/Geocoded_photo
How to Geotag Your Photos : www.wired.com/gadgetlab/2008/05/how-to-geotag-y/
Privacy nightmare: Geotagging in Twitter goes live
www.geek.com/articles/mobile/privacy-nightmare-geotagging-in-twitter-goes-live-20100315/
…
Cropping Pictures with Adobe Photoshop Can Be Dangerous
labnol.blogspot.com/2006/11/cropping-pictures-with-adobe-photoshop.html
…
Photo Studio
www.stuffware.co.uk/photostudio/
Photo Studio is also a useful tool for exploring the metadata stored
along with your image files. The program supports a wide variety of
metadata standards, including EXIF, CIFF, Olympus, JFIF and
Photoshop. EXIF data will be of particular interest to digital camera
users - it is the format used by most digital cameras to store camera
settings along with an image.
The tool also has basic support for some movie formats - AVI and
QuickTime/JPEG, as recorded by some older digital cameras. The tool
can play back, as well as extract video, audio and stills from these
files.
...
TEMPEST 101
www.tscm.com/TSCM101tempest.html
TEMPEST is an official acronym for "Telecommunications Electronics
Material Protected From Emanating Spurious Transmissions" and includes
technical security countermeasures; standards, and instrumentation,
which prevent (or minimize) the exploitation of security
vulnerabilities by technical means. TEMPEST is nothing more than a
fancy name for protecting against technical surveillance or
eavesdropping of UNMODIFIED equipment (the unmodified part is
important).
Video eavesdropping demo at CeBIT 2006
www.lightbluetouchpaper.org/2006/03/09/video-eavesdropping-demo-at-cebit-2006/
...
ACK Tunneling Trojans
www.ntsecurity.nu/papers/acktunneling/
...
Zfone™ is a new secure VoIP phone software product which lets you make
encrypted phone calls over the Internet. : zfoneproject.com/
…
OpenID is a privacy risk
en.wikipedia.org/wiki/OpenID
…
Keys Can be Copied From Afar, Jacobs School Computer Scientists Show
www.jacobsschool.ucsd.edu/news/news_releases/release.sfe?id=791
San Diego computer scientists have built a software program that can
perform key duplication without having the key. Instead, the computer
scientists only need a photograph of the key!
…
How to use your PC and Webcam as a motion-detecting and recording
security camera
www.simplehelp.net/2006/09/27/how-to-use-your-pc-and-webcam-as-a-motion-detecting-and-recording-security-camera/
...
MadMACs: MAC Address Spoofing And Host Name Randomizing App For Windows
www.irongeek.com/i.php?page=security/madmacs-mac-spoofer
…
Serious issue: block UPnP and "Windows Time", the time synchronization service for Windows.
www.sans.org/security-resources/malwarefaq/win_upnp.php
www.windowsnetworking.com/kbase/WindowsTips/WindowsXP/RegistryTips/Network/DisableWindowsMessengerbroadcastsonUDPport1900.html
…
Surf Jack – HTTPS will not save you
enablesecurity.com/2008/08/11/surf-jack-https-will-not-save-you/
...
reDuh - TCP Redirection over HTTP
www.sensepost.com/labs/tools/pentest/reduh
reDuh is actually a tool that can be used to create a TCP circuit
through validly formed HTTP requests. Essentially this means that if
we can upload a JSP/PHP/ASP page on a server, we can connect to hosts
behind that server trivially.
...
In 1992 as a quick hack, I happened to demonstrate that you can send
TCP packets with bad checksums (subtract 1), which provides a
near-invisible "covert channel" that penetrates everywhere with very
low probability of detection or interception. This channel is still
wide open, and a far better channel than stego-over-VoIP for the same
target devices.
spectrum.ieee.org/telecom/internet/vice-over-ip-the-voip-steganography-threat/0
...
Why Skype is evil
ultraparanoid.wordpress.com/2007/06/19/why-skype-is-evil/
...
(Timestomp and Slacker are poor PoCs from an anti-forensic perspective)
www.metasploit.com/research/projects/antiforensics/#Confrences
Basic Windows Anti-forensics: www.system7.org/docs/WinAFCheatsheet.pdf
…
What is Social Engineering ?
Basically, social engineering is the art and science of getting people
to comply with your wishes. It is not a way of mind control, it will not
allow you to get people to perform tasks wildly outside of their
normal behaviour and it is far from foolproof.
packetstormsecurity.nl/docs/social-engineering/aaatalk.html
…
Open Source Intelligence - OSINT
www.onstrat.com/osint/
...
Maltego is an open source intelligence and forensics application. It
will offer you timous mining and gathering of information as well as
the representation of this information in an easy to understand format.
www.paterva.com/web4/index.php/maltego
…
There are even tools like Fake Voice
Fake Voice allows you to change your voice. You can be anyone you want
to be, including a male, female, an old or young person. You can also
add real-time effects to your voice for concealing or having fun with
your voice.
www.google.com/search?q=free+Fake+Voice+software
www.soft32.com/download_206007.html
…
EFF Launches Surveillance Self-Defense site : https://ssd.eff.org/
Mar 2009
The Electronic Frontier Foundation (EFF) has created this Surveillance
Self-Defense site to educate the American public about the law and
technology of government surveillance in the United States, providing
the information and tools necessary to evaluate the threat of
surveillance and take appropriate steps to defend against it.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/