Questions about this topic? Sign up to ask in the talk tab.

Anonymity

From NetSec
Jump to: navigation, search
RPU0j.png This article needs immediate attention, and is in desperate need of more content.

Introduction

Anonymity is the practice of being unidentifiable from everyone else. The act of being anonymous is distinct from having a secure and/or private environment. All three however make up the "Holy Trinity" [create page(s)] of good OPSEC.

General Services

Virtual Private Servers

A VPS is your own personal server, hosted within a Virtual Machine. This is not as private as a Dedicated Server, as your information is accessible within a Shared environment, however they are cheap and can be useful in VPN chaining to distribute the web of trust among many providers.

Virtual Private Networks

A Virtual Private Network is an encrypted tunnel to a remote server running a VPN daemon such as OpenVPN. This allows you to authenticate over IPSEC and many other protocols to access remote networks as if they were local, depending on the configuration of your VPN. VPN Providers provide a simple tunnel, but not usually remote network resources. Essentially, VPN providers just offer an encrypted tunnel to proxy your connection from. However, using a VPS with TUN/TAP, or a Dedicated Server with OpenVPN running, you can setup your own network with internal resources. One VPN, who does not beyond a reasonable doubt store network logs and operators outside of the 14 Eyes nations, is a minimum to anonymous network usage.

SSH Tunneling

An SSH tunnel is the process of encapsulating another Internet protocol within an existing SSH connection. This is often used for secured web-browsing, breaking out from restrictive firewalls or adding encryption to otherwise unencrypted traffic.

You can effectively tunnel all of your local traffic through a remote server that you have an SSH account enabled on. Not only will your traffic appear to be originating from the remote servers IP address, but all traffic between yourself, your remote server and the final destination will be encrypted using the SSH protocol. This is a great technique for anonymity as it hides your original IP address and adds an extra layer of security to your communications.

Basic Example of SSH Tunneling

Terminal

localhost:~ $ ssh -D 8080 [email protected]

What this does is tells your computer to listen on localhost:8080, and forward all requests to [email protected] Set your browser or application to use 127.0.0.1:8080 as a SOCKS5 proxy, and it will forward your traffic, provided your sshd_config is set to permit tunnel traffic.

Shell Accounts

Shell accounts are simply a term for individual accounts on an SSH server. There are hundreds of providers of free shells accounts online, that will give you your own non-root account with SSH access on their server. Paid shell accounts also exist and usually supply you with more features such as root access or unrestricted outbound access. These accounts, free or paid, are a quick and easy way to create a secured proxy via SSH tunnelling. Often times you will be able to use the account for other things such as email or IRC access. The link below contains a rather large list of free and paid shell account providers, detailing which features are offered at each host and other important information.

http://shells.red-pill.eu/

FTP / Telnet

Regular FTP and Telnet communications are outdated and generally considered to be very insecure. You are not suggested to use these protocols if you have any of the above methods available to you.

Suggested replacements for these protocol include:

  • SFTP
  • SCP
  • FTPS (Command and Data channel)

SSH is the logical replacement for Telnet, however there are plenty of tools to wrap a telnet-style session in SSL/TLS layers, such as NCAT

Obfuscation

All irregular (see: deviating from the 95% of "regular" (see: chronic YouTube/Reddit/Facebook users) internet users) connections such as SSH/VPN/TOR/I2P/etc. are flagged from the get-go. It's important to employ obfuscation technology to not put you into a position where someone would want to invest more resources into tracking you. Obfs4 proxies which obfuscate your connections under protocols of interest, transforming their appearance to less of interest ones such as HTTP, and bypassing deep packet inspection.

WarXing

Just by having a network under your name (through your ISP) or originating from a place near you, already compromises your anonymity. WarXing can mitigate this, because by definition, you are connecting to the internet with someone else's connection. The easiest way it to only use public connections as originators, i.e the very first access point (AP) your device connects to, and then have everything tunneled out to your bridge/VPN/etc. The most basic is to sit in a coffee shop and use their wifi, but your anonymity can be compromised trivially. A step up (recommended) is to use a modified wifi antenna to pick up APs from distances away and to connect from there. The design for these can range from the simplest wire around a wire coat hangar to full-on reflector dishes hooked up to your network card. [maybe add schematics]

Payments

[insert later]

Web-Browsing

General

Best Practices

  • Unless you have referrers turned off with an addon or browser configuration, it's usually better to copy and paste links to a different tab/window/browser to avoid referrer or link tracking from affecting you.
  • Don't do your personal browsing from the same user profile (or same computer if possible) as your business/important browsing, e.g. Banking Sites or Work Websites.
  • If personal information is not required, don't give it out. If a form requires values in a field, many pieces of software as well as web applications fail to validate the user's purported identity. As a result, these softwares are responsible for a large amount of online fraud.
  • Be mindful of checkboxes, especially if ask if you want to be subscribed to a mailing list. This should be obvious, but it needs to be said.

Firefox

Firefox is recommended because of the plethora of customization options available through about:config, which can be accessed straight from the URL bar.

Fingerprinting

Absolutely no extensions are recommended... with JavaScript enabled. Anonymity is separate from security and privacy. By having any extensions present you allow browser fingerprinting, i.e making it easier to track and identify who you are. JavaScript is the main culprit in identifying extensions, but now HTML5 canvas can deanonymize you. JS can be turned off globally (with about:config javascript.enabled) to stop extension fingerprinting, but be warned that disabling it will also create a fingerprint of "no javascript" which is unusual in this age. HTML5 canvas does not have a reasonable reason to be disabled outright because it leaves a more serious "no canvas" fingerprint, which is only "acceptable" for very old browsers, which narrows your fingerprint.

Extensions

[table needed][enumeration needed]


Configuring for Anonymity

Firefox is not your friend out of the box, but it can be if you chain it up and take away all of the things it can hurt you (see: compromise your anonymity) with. Here is an example of how much freedom you have to harden the base browser. It also contains many optimizations for security and privacy too, but it is important to audit everything yourself and be scrupulous with the setup yourself, instead of trusting anyone else with your anonymity.


c3el4.png The latest version of torbutton does not allow toggling the tor proxy on and off. You should use the Tor Browser Bundle instead

TODO

- Cookies & cache
- Proxies
- Tor
- Privoxy
- Using SSH tunnels as a SOCKS5 proxy
- Online purchases
- Private browsing
- Google vs Scroogle (Note: Scroogle is now dead: http://www.scroogle.org/sucks.html)
- Google vs StartPage vs DuckDuckGo
- Personal Identifiable Information

Email Privacy

PGP / GNUPG Encryption

PGP is an encryption method based on private and public key files, which can be used to easily encrypt or sign messages. The PGP software is available for all major operating systems and is very easy to setup and use. When you first setup PGP, you will create a key pair that is used for all future encryption and signing. It is also possible to digitally 'sign' a message or file using your PGP key pair. When your key pair is created, it is given a unique signature that is specific to you and your email address.

By signing a message or file, your PGP signature is attached to the document and can be used to verify that you are who you say you are. This is very useful for email correspondence where it is possible for messages to be intercepted or otherwise tampered with. If you encrypt and sign an email message using PGP, you are verifying to the recipient that you are the original sender and also making sure that your message cannot be read during transmission.

PGP is a public key encryption system. Each user has a keypair, a public and a private key. A message to the recipient is encrypted with *his* public key, and then can only be decrypted with his private key. A user gives their public key to their friends/coworkers/whoever themselves, or publishes the key in a keypool.

Anyone who has access to your private key is capable of decrypting messages were encrypted using your public key. Your private key, on the other hand, should not be given out to anyone and you must keep it in a safe location to avoid theft or copying. If your private key is stolen, it would be possible for the attacker to sign and encrypt messages using your digital identity. Most private keys are encrypted with a passphrase to help defend against theft.

Anonymous Remailers

There are four types of remailers - Cypherpunk (Type I), Mixmaster (Type II), Mixminion (Type III) and Pseudonymous Remailers.

Cypherpunk Remailers (Type I)

Mixmaster Remailers (Type II)

Mixminion Remailers (Type III)

Pseudonymous Remailers

Throw-away Accounts

Throw-away account are one-time-usage email accounts that when paired with message encryption and some form of traffic proxying (Tor, SSH tunnel, etc) provide a very good method for sending or receiving anonymous emails. There are services that will provide free throw-away accounts but these generally limit you to either sending or receiving only and for a limited period of time. If this is not ideal for your situation, you could always create a free email account with any provider and simply use the account for a specific period of time or specific purpose.

When using throw-away accounts, it is very important that you take all the usual steps in protecting your identity and anonymity. This includes making sure your IP address is hidden via proxying, avoiding DNS leaks and encryption the messages you send or receive. If you are not using a throw-away email service, make sure you delete your messages from the Inbox and Sent Messages after every single correspondence.

IM & Chat

Instant Messaging

Pidgin

Pidgin is an easy to use and free chat client used by millions. Connect to AIM, MSN, Yahoo, and more chat networks all at once.

You can download pidgin from http://pidgin.im/

Using OTR

OTR, which stands for Off The Record is a plugin for various IM clients that will encrypt your IMs and provide deniability for your messages. It's extremely useful for anyone wanting to communicate knowing that nobody is reading their messages!

You can download OTR here http://www.cypherpunks.ca/otr/index.php

TorChat

TorPM

ICQ

Chat

IRC

Using OTR

SILC

Key based authentication

Utilising IRC Bouncers

Files & Hard-Disk Encryption

- TrueCrypt
- One Time Pads
- Full Disk Encryption
- IronKey USB drives
- Operating System logs
- System memory
- Forensics


Possible Downfalls

Network Performance

When using multiple proxies or other means of hiding your IP address, one of the main downfalls is latency. With more connections and hops that need to be made between you and your final destination, the connection will take longer and longer to be made. This is most evident in systems like the TOR network, for example. While TOR does provide reasonably good anonymity, it also takes much longer for connections to occur.

Personal Information

Social Aspect

A majority of people that get doxed or raided fail in the most important aspect of staying anonymous and that is social interaction. It's good to have acquaintances online and have people you can talk to however... You should never trust anyone on the Internet that you don't know in real life. No exceptions. You should never let any personal information leak out.

There are obvious things like your name, city, age, state, etc but there's also people that will social engineer you into giving that info out or you may just accidently say it during friendly conversation. A good example would be time zones. If someone asks you what time it is you should never reply with your actual time but instead google a time zone very far away. Why? Think about how much easier it is for authorities to catch on to you if they go from knowing nothing about you to now pinpointing your timezone. Little bits of information leaking is what will be the most useful thing for anyone trying to locate you especially law enforcement! It's also highly recommended you immediately delete any social networking accounts you own. They're unnecessary and pose a huge risk to your anonymity even with their privacy settings there's always a chance for something to go wrong!

Aliases

This is an extremely important step is remaining anonymous. Law enforcement dox people just like hackers do. Having a common alias or keeping your alias the same makes it too easy to get v&, Internet fame is bad. Always. You want to have different aliases as often as possible. At the bare minimum you need a different aliases for ever IRC server you connect to. You also need to have a common alias. The more common the word and the more people that use the same alias the better off you are. Some good examples are any one of the following: Potato, God, Unicorn, anonymous, Hacker, etc etc. The more common and used the better. If you want to be famous this is not the place for you.

Always use random alises, never give any info out no mater how tiny the detail, and most importantly... trust no one. Be aware of what you say and be cautious!

IP Leaks

Add content here

DNS Leaks

Add content here