  #41  
Old 10 June 2013, 08:55
Guy Guy is offline
#AllLionsMatter
 
Join Date: Dec 2001
Location: CONUS @ the moment
Posts: 12,816
Interesting...

Quote:
Originally Posted by anachranerd View Post
Anyways, today a friend discovered an app called "Ghostery". It is a browser plug in that shows you all the different tracking widgets present on the websites you visit. It also gives you the option to pick and choose which ones you want to be enabled/disabled.

http://www.ghostery.com/

Check it out. Warning- some of the results are disturbing.
Screen shot on what "was" tracking....
Attached Images
File Type: jpg Screen Shot 2013-06-10 at 5.22.37 PM.jpg (31.9 KB, 431 views)
__________________
Quote:
Originally Posted by 8654maine

There is a limit to compassion.
Reply With Quote
  #42  
Old 10 June 2013, 10:03
EightyDeuce EightyDeuce is offline
Puttin' on the foil
 
Join Date: Oct 2003
Location: East Coast
Posts: 935
On Countermail....

I get how countermail is great at sending between countermail users but how is it different when something is sent to say a gmail or roadrunner email account from my countermail address? It can be seen by those who are scanning since there is no encryption between countermail and gmail for this example, is that correct?
Reply With Quote
  #43  
Old 10 June 2013, 12:24
Polypro Polypro is offline
BTDT
 
Join Date: Oct 1999
Location: A Noisy Bar In Avalon
Posts: 11,939
Yes. If you don't encrypt to a non-CM recipient, the body can be read, just like any other email. But the benefits are still miles better than a US provider, even if you don't encrypt:

Quote:
How do you handle court orders? What information can you provide them with?

Countermail will not accept an order from any organization or investigative agency that is outside Sweden. If we get a court order from the Swedish police, we can give them some account data, but most of the data is only available in encrypted form*. We don't log IP-addresses. We don't store account passwords. Since we are using end-to-end encryption, the encryption/decryption process will be done locally on the user's computer, not on our servers, so there is no need for us to store passwords. The payment information for premium accounts is stored for 14 days.

*The following data is encrypted: email bodies, email attachments, your Private Key, all data under Contacts, all data in your Calendar and all POP3 information. The following data is not encrypted (in stored emails): Header-fields like From, To, Subject, Date, and Folder names. The reason for this is that the SMTP & IMAP protocols can not handle encrypted headers. We are going to add a feature to convert a whole folder to a database, all info in "database-folders" will be 100% encrypted. The disadvantage with a "database-folder" is that it will only be accessible from our web mail interface.
P
Reply With Quote
  #44  
Old 10 June 2013, 14:36
Glock-A-Roo Glock-A-Roo is offline
Registered User
 
Join Date: Dec 2003
Location: US of A
Posts: 35
Very grateful for this thread. It will probably relieve guys like Poly, CV, etc from endless PMs asking 'hey can you steer me right on this whole computer security thing...?'. +1 on Ghostery. Encouraging note: Ghostery's report on socnet.com says "no trackers found"...!

I now understand that metadata is a big issue, almost as much as actual content of comms. Does a VPN act to disrupt a metadata trail? And, do the VPN services allow more than 1 login, i.e. do I have to buy a subscription for each person or computer in my home?

Aren't there objects embedded in many websites that scan and harvest cookies then send them in aggregate for mining, linked to your IP address? My understanding is that this is how Facebook and Twitter collect your browsing history. Wouldn't you have to turn off all cookies to counter this? I use a FireFox add-on called 'self-destructing cookies' that lets you whitelist cookies from certain sites, but if the scanning objects are not blocked they'd still see the whitelisted cookies right?

So much to consider.
Reply With Quote
  #45  
Old 11 June 2013, 08:41
Polypro Polypro is offline
BTDT
 
Join Date: Oct 1999
Location: A Noisy Bar In Avalon
Posts: 11,939
Quote:
Originally Posted by Glock-A-Roo View Post

I now understand that metadata is a big issue, almost as much as actual content of comms. Does a VPN act to disrupt a metadata trail? And, do the VPN services allow more than 1 login, i.e. do I have to buy a subscription for each person or computer in my home?

Aren't there objects embedded in many websites that scan and harvest cookies then send them in aggregate for mining, linked to your IP address? My understanding is that this is how Facebook and Twitter collect your browsing history. Wouldn't you have to turn off all cookies to counter this? I use a FireFox add-on called 'self-destructing cookies' that lets you whitelist cookies from certain sites, but if the scanning objects are not blocked they'd still see the whitelisted cookies right?

So much to consider.
This isn't a 'one app solution' type of thing...which is why few even try, sadly. But all you need to do is research a little bit on how computers and networks work, as well as what data goes where, and you can limit what gets vacuumed up.

A VPN does a few things. First, it blinds your ISP (and anyone else between you and the VPN entry server). So you're ahead of the game right out of the block - there is no meta data about where you go on the internet.

Now, is a VPN going to help you if you are on it, and decide to log in to Google? Well, the connection to them will appear from somewhere else, and your ISP is still blind, but the fact that you are telling them who you are, by logging in, throws all that out the window, get it?

You need to combine VPNs with other privacy tools like Firefox Add-ons for cookies, trackers, block lists, referrers, JavaScript, etc... Just type "tracking" or "privacy" into the Firefox or Chrome Add-ons store and there are a ton.

It depends on the provider, on how many connections they allow per account. Some allow more than one (Mullvad and Bohle I think) and some allow only one, like Air. But Air allows you to run it on a router, so your whole house is covered.

P
Reply With Quote
  #46  
Old 11 June 2013, 14:38
BOFH BOFH is offline
I aim to misbehave
 
Join Date: Jul 2004
Location: \\Gibson\garbage
Posts: 4,195
Quote:
Originally Posted by Polypro View Post
The flip side is that very few people write attack code for an OS that nobody uses.

It's also easier to hide something with co-operation...look up CryptoAG.

My opinion only, but there is no way in hell I'd use Microsoft Bit Locker, or Symantec PGP....over TrueCrypt or GPG/OpenPGP.

P


That's true, but it's getting less true every day, since more and more people are using the user-friendly new Linux distros. I don't trust "security through obscurity." If I can write exploits for it, it isn't secure. Sadly, that covers ALL the OSs...so I have to go for locking my system down as much as possible beyond the factory settings of the OS...
__________________
"...for those who man the battle line, the bugle whispers low, and freedom has a taste and price the protected never know..."


While true:
Continue
Reply With Quote
  #47  
Old 11 June 2013, 16:05
CV CV is offline
Ungood
 
Join Date: Apr 2003
Location: US
Posts: 7,298
Quote:
Originally Posted by BOFH View Post
That's true, but it's getting less true every day, since more and more people are using the user-friendly new Linux distros. I don't trust "security through obscurity." If I can write exploits for it, it isn't secure. Sadly, that covers ALL the OSs...so I have to go for locking my system down as much as possible beyond the factory settings of the OS...
I reside mostly on a locked-down version of a Linux distro I use for pentesting, but I can still break the crap out of it. Defense-in-depth can be your friend.

For all other non-techies: making yourself a harder target is the name of the game. It's just not worth attacking a system that is hardened when there are so many other soft targets in the vast sea of the internet.

Some reasonable things you can do:
  • Always use WPA2 on your home wireless router. I, as in me, can break WEP with my laptop in around 5 minutes--and that's on the slow side. I've seen rigs do it in mere seconds.
  • Be suspect of connecting to routers that don't use WPA2.
  • Never connect to a network that you don't know.
  • Deploy a Firewall. This can be as simple as an application firewall. For people feeling frisky, hardware-based firewalls can be golden (takes advanced knowledge).
  • ALWAYS use anti-virus. There's another sticky here on the topic. The free options out there are usually more than adequate and 100% better than NO protection.
  • Use a VPN. Poly and others have given a pretty good review of this topic in this thread.
  • Proxy servers are for anonymity, not necessarily security. Man-in-the-Middle attacks are the biggest threat. You're connecting through someone else's computer to reach the internet. That said, they can be a good thing. Just don't check your bank account, or any other personal account, while connected.
  • Share as little about yourself as possible on the internet and limit your footprint. Social engineering attacks are not only fun for the attacker, but it can really screw your day up if they start targeting critical information via friends, family, and coworkers.
  • Disconnect your high-speed internet router from the wall (not just power off) when you go away for an extended time unless you have the proper controls (i.e. firewall, et al.)
  • Don't get on social media and blab about what you are, where you're from, or what you're doing. I get more information from YOU, the user, than I ever do through any technical control. I'm repeating the social engineering mantra for a reason. It's effective, cheap, requires no technical background, and is the most effective way of "hacking" into your life.
  • You WILL visit your bank while online. Don't lie. I know you will. If you do, pay attention to the certificates that are used. In most modern browsers you will see a GREEN connection and the prefix HTTPS: --Make sure it has this. I could go into this topic in depth, but it will go over many of your heads. It's not a 100% guarantee to be secure, but that's not the point of this thread. Make sure it's there.
  • Set your browser to log out of websites (clear cookies) when you close the window. Sure, it's a pain in the butt, but you want a fresh login every time you visit a website. SOCNET included. If you need help remembering your passwords like I do, get something like LASTPASS. It's secure and you can put it on a thumb-drive (that you later encrypt).
  • ENCRYPT your hard drive. If there's ever been a reason to, now is the time. Protect yourself, your information, and your rights. Do it. I use TrueCrypt and it works like a charm. If you need help, you can ask here and I'm sure one of us can help you get it figured out.
  • If you can afford it, grab a Virtualization software package. Not only does it let you play with various operating systems on your single machine, it is a secure way to browse the internet if set up correctly.
  • Easier said than done: get your kids off of Facebook. They are a fountain of information for those who would footprint your activities.

Remember: DEFENSE-IN-DEPTH --it's an actual INFOSEC catch-phrase for a reason. Layer several security practices on top of each other to reach a higher threshold of protection from unwanted access and control of your info. Everything I've listed is easily enacted by a non-technical person. It might take a little bit of time to get there, but it's not unimaginable nor cost-prohibitive.

Last edited by CV; 11 June 2013 at 16:26.
Reply With Quote
  #48  
Old 13 June 2013, 16:06
CombatMedic1981 CombatMedic1981 is offline
Confirmed User
 
Join Date: Nov 2006
Location: PA
Posts: 321
Is Red Phone an App? I'm having trouble finding it.
__________________
"Just know that in the heart of your soul that you cannot quit. The pain of hard work and deprivation is soon forgotten. The pain of quitting stings forever. " - The Fat Guy
Reply With Quote
  #49  
Old 13 June 2013, 16:39
BOFH BOFH is offline
I aim to misbehave
 
Join Date: Jul 2004
Location: \\Gibson\garbage
Posts: 4,195
Quote:
Originally Posted by CombatMedic1981 View Post
Is Red Phone an App? I'm having trouble finding it.

It is...should be in the Android market. RedPhone, all one word.
Reply With Quote
  #50  
Old 13 June 2013, 19:13
Polypro Polypro is offline
BTDT
 
Join Date: Oct 1999
Location: A Noisy Bar In Avalon
Posts: 11,939
Link:

https://play.google.com/store/apps/d...redphone&hl=en

P
Reply With Quote
  #51  
Old 13 June 2013, 19:30
CombatMedic1981 CombatMedic1981 is offline
Confirmed User
 
Join Date: Nov 2006
Location: PA
Posts: 321
Got it. Thanks guys.
Reply With Quote
  #52  
Old 13 June 2013, 19:33
Polypro Polypro is offline
BTDT
 
Join Date: Oct 1999
Location: A Noisy Bar In Avalon
Posts: 11,939
OSTEL is at a new and improved home:

https://ostel.co/

Cross Platform encrypted calls using SRTP or ZRTP

iOS users get the non-open sourced shaft again, you have to pay for the Groundwire app. $10 or $35 if you want ZRTP. But at least there's an app and it's a one time fee. Android users just use CSIP Simple. Other platforms supported as well.

P
Reply With Quote
  #53  
Old 18 June 2013, 07:50
CV CV is offline
Ungood
 
Join Date: Apr 2003
Location: US
Posts: 7,298
A word of warning. With all of the NSA leak stories and commentary about government intrusion into our privacy, please be careful about the products you see being developed in the coming months and years. There will be organizations and individuals that want to take advantage of this by offering services and products that are just not up to snuff. If you have any questions about a product or service, do your research before committing to it.
__________________
It's a hipster filter. Keeps your kind out. -Jimbo
Reply With Quote
  #54  
Old 18 June 2013, 09:23
Macka Macka is offline
Confirmed User
 
Join Date: Sep 2001
Location: SOCNET-Northeast
Posts: 2,182
I would think if you're going to start using a VPN, you will want to open a new email address while connected to the VPN. I'm thinking if you use your old email address, and your email recipient doesn't use a VPN/TOR/etc, your email can still be tracked somehow by name if you use the same one?

Thoughts?
__________________
Freedom costs a Buck 0-5
Reply With Quote
  #55  
Old 18 June 2013, 12:55
CV CV is offline
Ungood
 
Join Date: Apr 2003
Location: US
Posts: 7,298
The mailbox (server) that receives your email will have the header information of where the delivered message came from. VPNs help prevent man-in-the-middle attacks and snooping. This helps to validate confidentiality. TOR is different than a VPN because it acts as a proxy service. A proxy != to VPN. Make sure to understand their differences. If you want me to get in more depth, let me know.

Email accounts are so easily available that to help "start fresh" you can always create a new one. It doesn't hurt if you're going for anonymity.
Reply With Quote
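
Added example, not part of any forum post: what a receiving mail server can read without any key, combining the point in the post above (the mailbox keeps the header trail) with the CounterMail FAQ quoted earlier in the thread (From, To, Subject and Date are not encrypted). The sample message, its hostnames and addresses, and the function name `visible_metadata` are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (not from the thread). Hosts are .example names,
# IPs are RFC 5737 documentation addresses, the body is a placeholder.
SAMPLE = """\
Received: from mx.mailhost.example (mx.mailhost.example [198.51.100.25])
\tby mx.recipient.example with ESMTPS id abc123
\tfor <bob@recipient.example>; Tue, 18 Jun 2013 12:55:04 -0400
Received: from [203.0.113.77] (vpn-exit.provider.example [203.0.113.77])
\tby mx.mailhost.example with ESMTPSA id def456;
\tTue, 18 Jun 2013 18:55:02 +0200
From: Alice <alice@mailhost.example>
To: bob@recipient.example
Subject: weekend plans
Date: Tue, 18 Jun 2013 18:55:01 +0200

-----BEGIN PGP MESSAGE-----

(constructed placeholder, not real ciphertext)
-----END PGP MESSAGE-----
"""

# Common "from HELO (rdns [ip]) by HOST" layout; Received lines are free-form,
# so hops that do not match are kept with empty fields instead of dropped.
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>\S+)\s+)?\[(?P<ip>[0-9A-Fa-f.:]+)\]\)"
    r"\s+by\s+(?P<by>\S+)"
)


def visible_metadata(raw):
    """Return what a receiving server can read without any decryption key."""
    msg = message_from_string(raw)
    hops = []
    # Each relay prepends its Received line, so reverse for sender-to-recipient order.
    for value in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(value)
        hops.append(m.groupdict() if m else
                    {"helo": None, "rdns": None, "ip": None, "by": None})
    body = msg.get_payload()
    return {
        "sender": parseaddr(msg.get("From", ""))[1],
        "recipient": parseaddr(msg.get("To", ""))[1],
        "subject": msg.get("Subject"),
        "date": msg.get("Date"),
        "hops": hops,
        # First hop = address the sender's client connected from (here a VPN exit).
        "origin_ip": hops[0]["ip"] if hops else None,
        "body_encrypted": isinstance(body, str) and "BEGIN PGP MESSAGE" in body,
    }


if __name__ == "__main__":
    for key, value in visible_metadata(SAMPLE).items():
        print(f"{key}: {value}")
```

In the sample the VPN changes only the recorded origin address; sender, recipient, subject and date stay readable even though the body is encrypted.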
  #56  
Old 18 June 2013, 13:55
assertnull assertnull is offline
Confirmed User
 
Join Date: May 2011
Location: SE Texas
Posts: 3,024
Something to consider for anyone who's confused into believing simply ticking the boxes, and using the right ${cryptoproduct} is going to effortlessly make their data impervious to compromise:

http://blog.cryptographyengineering....n-app.html?m=1

Especially important to understand in the context of this second permutation of CALEA, namely, how one should be especially careful in what one chooses, as there's a not terribly remote chance Federal law will soon mandate vendors of cryptographic tools include backdoors for law enforcement - which could well mean the options are either a) use a foreign-built product, that isn't subject to this law, b) stick with open source, which, for whatever other pitfalls it has, this will not be one of them.

The takeaway from that piece, among other things, is that none of this is point-and-click, and there's still a level of diligence required.
Reply With Quote
  #57  
Old 18 June 2013, 17:49
Polypro Polypro is offline
BTDT
 
Join Date: Oct 1999
Location: A Noisy Bar In Avalon
Posts: 11,939
Good article. Something to think about, but I think the things we are recommending are G2G. Just keep all your old installers for GPG, OpenVPN, and TrueCrypt.

As far as the email question, I had a long, detailed post, but...

Just buy a Countermail account and use aliases for any anon communication. Connect via VPN if you want, pay anonymously if you want...but just using that service solves 99% of the problem.

Unless they're a honey pot J/K, Gotta trust someone...

Or run your own email server, but that's not anonymous...

Hey! Do both!

P
Reply With Quote
  #58  
Old 18 June 2013, 20:41
Glock-A-Roo Glock-A-Roo is offline
Registered User
 
Join Date: Dec 2003
Location: US of A
Posts: 35
Quote:
Originally Posted by CV View Post
A proxy != to VPN. Make sure to understand their differences. If you want me to get in more depth, let me know.
Yes, please do if you can spare some time. Last night I got Mullvad running quickly, easily, and cheaply. I am mostly concerned with locking down metadata to give the finger to my ISP et al, not going up against the best and brightest from 3-letter agencies, so I paid via PayPal but they do accept cash in the mail. Mullvad is based in Sweden so that adds a layer of jurisdictional hassle to the mix. I'm now looking into CounterMail, and am ready to learn about proxies/Tor.

Already got AdBlock+, Better Privacy, Ghostery, and NoScript running on FireFox.

For those looking into VPNs, I found this thread at Wilders Security to be very helpful.
Reply With Quote
  #59  
Old 18 June 2013, 20:51
Sharky Sharky is offline
Administrator
 
Join Date: Dec 1999
Location: SOCNET
Posts: 17,907
This is the VPN I use.

Lots of sites that do VPN comparisons. I saw several sites where this was the top rated VPN. Another one that rated high was "Hide My Ass" and it is slightly cheaper. I did have one issue getting a device registered but I jumped on the customer support live chat and I was up and running in minutes. I like it so far. No complaints.
__________________
Out of the night that covers me,
Black as the Pit from pole to pole,
I thank whatever gods may be
For my unconquerable soul.
In the fell clutch of circumstance
I have not winced nor cried aloud.
Under the bludgeonings of chance
My head is bloody, but unbowed.
Beyond this place of wrath and tears
Looms but the Horror of the shade
And yet the menace of the years
Finds, and shall find, me unafraid.
It matters not how strait the gate,
How charged with punishments the scroll,
I am the master of my fate
I am the captain of my soul.
-Invictus
Reply With Quote
  #60  
Old 19 June 2013, 07:50
CV CV is offline
Ungood
 
Join Date: Apr 2003
Location: US
Posts: 7,298
Quote:
Originally Posted by Glock-A-Roo View Post
Yes, please do if you can spare some time. Last night I got Mullvad running quickly, easily, and cheaply. I am mostly concerned with locking down metadata to give the finger to my ISP et al, not going up against the best and brightest from 3-letter agencies, so I paid via PayPal but they do accept cash in the mail. Mullvad is based in Sweden so that adds a layer of jurisdictional hassle to the mix. I'm now looking into CounterMail, and am ready to learn about proxies/Tor.

Already got AdBlock+, Better Privacy, Ghostery, and NoScript running on FireFox.

For those looking into VPNs, I found this thread at Wilders Security to be very helpful.
I have used Mullvad in the past and they are a great option. It's one layer needed amongst multiple. Think of your connection to the Internet as a pipe and the information within as water. You need to protect it from getting contaminated from point A (your computer) to point B (the distant end). It can get pricy both monetarily, and with the knowledge curve. It all depends on how much you think it needs to be protected.

Let's start at your home. You want to protect your information before it even leaves your router. Once it hits your router, it can be contaminated by your ISP. In fact, your ISP can fully negotiate with the router they issued you, so they can actually get into your internal network if they really wanted to (don't laugh at my tin-foil hat. It's pretty). Verizon has been known to sneak in via Port 4567, so if you're a FIOS user, lock that one down. ANYWAYS: There are a slew of topologies you can go with, but I'll try to keep it simple. Also, there are a lot of intricacies, so errors in my simple image might exist.



Via the bastion host and the firewall, you can protect and lock down a good bit of information before it even leaves your network and touches their router. I purposely leave my guest access outside of my protected network so that friends and family can use the internet while at my house without having any clue what my internal network might look like. I'll even use it for simple devices like my Xbox. My ISP can snoop all they want, but they're only really going to see Firewall #1, their own WAP, and any clients connected (like my Xbox). A correctly configured firewall will prevent them from getting anything else. This setup allows for some additional configuration as well. If I wanted to host my own website, I could stick a webserver in the DMZ (the area between the two sandwiched firewalls). Again, it prevents people from getting to my internal network. What I detailed in the image above is nothing unusual. It is a standard topology that many businesses use to protect their infrastructure. The bastion host is there to obscure and obfuscate meta-data from my internal machines. It is also where I can perform analytics and forensics on the traffic that's hitting my network. It's not really required for a home network, but if you can manage to get it stood up, it can provide a lot of benefits.

Last edited by CV; 19 June 2013 at 07:57.
Reply With Quote