Messages - astor

1261
Security / Re: Forensic analysis of Tor use
« on: May 22, 2013, 02:59 pm »
I don't mean to sound ignorant, but are there instances when accessing Tor is illegal in and of itself? Or are the implications that one would not want to leave traces on a shared machine or for forensic analysis?

There are plenty of instances where it is illegal, in China, Iran, Syria. Even if no law exists on the books, they may arbitrarily imprison or torture you for using Tor. However, I've never heard of someone in a Western country being prosecuted for merely using Tor.

Yes, the threat model for us is to avoid leaving traces of Tor use that help to build a case against us.


Looks like I'm getting another hard drive tomorrow :/ My first Tor & SR usage was from a regular desktop when I was new and I still have that computer since I don't use SR through it for any orders etc. Guess it could do with a storage upgrade anyway.

You could save some money by DBANing it and reinstalling the OS.  http://dban.org


1262
The 40,000 figure was surprising. I doubt the vast majority of them are web sites. They may be addresses used to access bots running over Tor.

The attack on HSDirs is concerning. It seems easier to pull off than an attack on intro points. You don't need to brute force a fingerprint that exactly matches the descriptor ID. You only need to brute a fingerprint that is closer than other relays. Apparently you can do that within a day or two, so someone running 12-18 servers, as the author points out, can reliably position himself as all 6 HSDirs, returning 404 for the descriptor and DOSing the hidden service.

You can't solve this problem by increasing the number of HSDirs that your hidden service publishes its descriptor to, since users' clients will ignore the others, nor by running multiple instances of Tor, since they will all publish to the same HSDirs. This is the bottleneck where client and service meet.

The only defenses that I can think of off the top of my head are to distribute a custom TBB to SR users that queries up to N HSDirs, where N can be as high as 100 if needed to mitigate an attack, or to run your own relays which obtain the HSDir flag and brute force their fingerprints closer to the descriptor ID than the attacker manages to do.

Both defenses have complications, though.

Hopefully there are more innovative defenses.

1263
Newbie discussion / Re: Newbie PGP Club
« on: May 22, 2013, 07:32 am »
@partycat

It works. :)

1264
Tor was used with no encryption.
A laptop that may have been used for SR transactions by someone I know has been confiscated and federal charges are likely to follow.

I believe there was nothing saved on it but wondered if they could find traces of any transactions on the computer alone. There are bookmarks to the SR login page. -> I'm hoping the bitcoins are not traceable and that there is no cached/saved information on the computer without access to the SR account.

What could they possibly find??

If you are asking whether the act of browsing SR left a trace on the computer, no. TorBrowser does a good job of state isolation. It caches nothing to disk, flushes browsing history, cookies and various other things on shutdown, and uses separate plugins, so even if you used Flash, that would not mix state with a system-installed version.

The only way it leaks browsing activity is through positive actions taken by the user, such as saving bookmarks. (It even goes so far as to disable some positive actions, like saving passwords.)

The biggest thing in your case is the bookmark to SR.

1265
PC yes. No encryption no. Sr bookmarks in Tor. Guilty. (FECK!)

If LE intercepted a package and did a controlled delivery, any plausible deniability you might have had would be destroyed when they found links to SR on your computer. Many small data points add up to tell a story. Having a bookmark to SR alone doesn't prove anything. Lots of curious people visit the site without buying anything. But having a package of drugs with your name on it, AND links to SR, AND a PGP key, all add up to tell a story: that you were buying drugs online.


I'm not sure if my PGP private key is encrypted. No unencrypted messages stored.

Do you need a password to decrypt messages? Then your private key is encrypted.

I'm thinking to set up all of this bizzo on a USB stick and have no trace on my PC. I have a laptop/PC and access to many computers, so I want it to be flexible and portable with no trace left on the computers I use.

I just downloaded keypassx then and am gonna look at it.

Tails is for my USB stick, yeah? I'll download that now too.

Thanks Astor true bro.

Those are good choices. :)

1266
It also pre-configures a lot of applications to use Tor out the box, including web browser (TorBrowser), instant messaging, email, etc. Plus it implements some enhanced anonymity features like stream isolation. It's an excellent out of the box solution for beginners.

The web site is here:  https://tails.boum.org

And a good guide on setting it up is here: http://dkn255hz262ypmii.onion/index.php?topic=114141.0

1267
Yeah, this sucks. The forensic analysis will depend on your set up, as others have mentioned, but probably also the extent of the charges against you, your jurisdiction, the "level" of LE you're dealing with (local cops vs DEA), etc.


What sort of set up do you guys run ?

This would be a good opportunity for someone to give me a run down on an excellent security set up

I'm using PC Win 7, Tor and PGP ... what else should I know?

Not hijacking or anything

Good: an encrypted thumb drive with the browser bundle and a portable PGP program like GPG4USB.

Great: Tails on a thumb drive with the persistent volume enabled.


Your setup: potentially very bad. I'm assuming that you're not using any type of encryption. Do you have bookmarks to SR and the forum in TorBrowser, or a text file? Do you have passwords saved anywhere? Your PGP private key is encrypted, but do you have encrypted messages stored on the hard drive? Do you have *unencrypted* messages stored on the hard drive? Even if the messages are encrypted, there's a saying that "metadata in aggregate is content". LE can find the key IDs in the encrypted PGP messages and match them up to key IDs of vendors on SR, thus providing evidence that you were communicating with them. There are ways to anonymize the recipients, but you'd have to convince the vendors to do so. It's better to keep all that data on an encrypted volume than to rely on someone else doing the right thing for your security.
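
To show the metadata leak described above, and the countermeasure gpg offers for it (--throw-keyids or --hidden-recipient, which write an all-zero key ID into the message), here is an added example that is not code from the post: it constructs two small armored messages and pulls the recipient key IDs out of their PKESK packets. The key ID and the packet contents are placeholders, not real ciphertext.

```python
import base64

def _packet(tag, body):
    """Packet header (RFC 4880 4.2): old format for tags below 16, new format above."""
    if tag < 16 and len(body) < 256:
        return bytes([0x80 | (tag << 2), len(body)]) + body
    return bytes([0xC0 | tag, len(body)]) + body          # bodies here are under 192 bytes

def _pkesk(key_id):
    """Public-Key Encrypted Session Key packet: version 3, 8-byte key ID, RSA, one dummy MPI."""
    mpi = (1024).to_bytes(2, "big") + b"\x42" * 128
    return _packet(1, b"\x03" + key_id + b"\x01" + mpi)

def armor(packets):
    """ASCII armor as in the forum messages (no CRC line; dearmor skips one when present)."""
    b64 = base64.b64encode(packets).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN PGP MESSAGE-----\n\n" + body + "\n-----END PGP MESSAGE-----\n"

def dearmor(text):
    """Strip armor lines, header lines (contain ':') and the '=XXXX' CRC line, then base64-decode."""
    inner = text.split("-----BEGIN PGP MESSAGE-----", 1)[1].split("-----END PGP MESSAGE-----", 1)[0]
    lines = [ln for ln in inner.strip().splitlines() if ln and ":" not in ln and not ln.startswith("=")]
    return base64.b64decode("".join(lines))

def _header(data, pos):
    """Parse one packet header at pos -> (tag, body_start, body_len); partial lengths unsupported."""
    ctb = data[pos]
    if ctb & 0x40:                                        # new-format header
        tag, first = ctb & 0x3F, data[pos + 1]
        if first < 192:
            return tag, pos + 2, first
        if first < 224:
            return tag, pos + 3, ((first - 192) << 8) + data[pos + 2] + 192
        if first == 255:
            return tag, pos + 6, int.from_bytes(data[pos + 2:pos + 6], "big")
        raise ValueError("partial body lengths not supported")
    ltype = ctb & 0x03                                    # old-format header
    if ltype == 3:
        raise ValueError("indeterminate length not supported")
    n = 1 << ltype
    return (ctb >> 2) & 0x0F, pos + 1 + n, int.from_bytes(data[pos + 1:pos + 1 + n], "big")

def recipient_key_ids(armored):
    """Every PKESK packet (tag 1) names a recipient key ID; all zeros marks a hidden recipient."""
    data, pos, found = dearmor(armored), 0, []
    while pos < len(data):
        tag, start, length = _header(data, pos)
        if tag == 1 and data[start] == 3:                 # version 3 PKESK: key ID is bytes 1..8
            key_id = data[start + 1:start + 9]
            found.append("hidden" if key_id == bytes(8) else key_id.hex().upper())
        pos = start + length
    return found

# Constructed samples: placeholder key ID and a dummy encrypted-data packet (tag 18), no real ciphertext.
VENDOR_KEY_ID = bytes.fromhex("0123456789ABCDEF")
LEAKY_MESSAGE = armor(_pkesk(VENDOR_KEY_ID) + _packet(18, b"\x01" + b"\x00" * 40))
HIDDEN_MESSAGE = armor(_pkesk(bytes(8)) + _packet(18, b"\x01" + b"\x00" * 40))
```

Run `recipient_key_ids(LEAKY_MESSAGE)` and the vendor's key ID comes straight out of the ciphertext without any key; the hidden-recipient variant only yields "hidden".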

1268
Newbie discussion / Re: Newbie PGP Club
« on: May 22, 2013, 06:14 am »
I think I have the basic concept down, now what remains is if this works in practice! I'm a bit curious if there's a particular etiquette with how public keys are exchanged between two people. I know there are databases for public keys, but should I expect the other person to be able to search up my key, or is it more common to link them directly to the key, or maybe include the key inside the encrypted message?

You should never post your key to a clearnet key server. LE could ask the operators for server logs and get the IP addresses that the keys were posted from. It would be trivial to learn the identities of many people in the community if we all did that.

There are ways to make some PGP programs use proxies, but that's an advanced trick and it's possible to get DNS leaks, among other things, so it's not recommended for beginners.

The proper way to exchange keys is to simply send someone your public key, whether it's in an email, a forum post or PM, or an SR message, and ask for their key in return.


Edit: Also, the following key is a temporary one until TorMail works again since I'd like to have an email there for this particular purpose.


Here's a message:


1269
It's probably this issue:  http://dkn255hz262ypmii.onion/index.php?topic=161015.0

Just disable it.

1270
Newbie discussion / Re: Newbie PGP Club
« on: May 22, 2013, 03:11 am »
@Kallous

Who did you encrypt that message to? You have to import someone's public key and select it to encrypt a message to them.

If you don't know, then you probably encrypted it with your public key, meaning only you can decrypt it.

1271
Security / Re: Forensic analysis of Tor use
« on: May 22, 2013, 01:31 am »
The long-awaited part two is here!

======

Forensic Analysis of Tor on Windows

As part of a deliverable for two Tor Project sponsors (Sponsor J, Sponsor L), I have been working on a forensic analysis of the Tor Browser Bundle. In this three part series, I will summarize the most interesting or significant traces left behind after using the bundle, deleting it, and then shutting down the computer. Part one covered Debian Linux (#8166), this part will cover Windows 7 (#6845), and part three will cover OS X 10.8 (#6846).

Process

I set up a virtual machine with a fresh install of Windows 7, logged in with the default admin account, installed available updates, and shut it down cleanly. I connected the virtual drive to another virtual machine, used hashdeep to compute hashes for every file on the drive, and then rsync to copy all the files over to an external drive.

After having secured a copy of the clean virtual machine, I rebooted the system, connected an external drive, and copied the Tor Browser Bundle (version 2.3.25-6, 64-bit) from the external drive to the Desktop. I extracted the package archive by clicking on the file, then started the Tor Browser Bundle by going into the Tor Browser folder and clicking on Start Tor Browser.exe.

Once the Tor Browser was up and running, I browsed to a few pages, read a few paragraphs here and there, clicked on a few links, and then shut it down by closing the Tor Browser and clicking on the Exit-button in Vidalia. The Tor Browser did not crash and I did not see any error messages. I deleted the Tor Browser folder and the package archive by moving the folder and the archive into the Recycle Bin, right-clicking on it and choosing Empty Recycle Bin.

I repeated the steps with hashdeep and rsync to create a copy of the tainted virtual machine. I also used Noriben, written by Brian Baskin, to create a report of everything the Tor Browser Bundle did while it was running.

Results

Using hashdeep, I compared the hashes from the tainted virtual machine against the hashes from the clean virtual machine: 256 files have hashes that do not match any of the hashes in the clean set. Additionally, the Noriben output shows the Tor Browser Bundle create, edit, and remove a bunch of files.

I have sorted the most interesting findings into different groups, depending on the location, how they were created, and so on. Windows 7 has built-in symbolic links designed for backward compatibility, which is why Noriben and hashdeep list the same files in different locations.

Prefetch

Windows keeps track of the way the system starts and which programs the user commonly opens. This information is saved as a number of small files in the prefetch folder:

    C:\Windows\Prefetch\START TOR BROWSER.EXE-F5557FAC.pf
    C:\Windows\Prefetch\TBB-FIREFOX.EXE-350502C5.pf
    C:\Windows\Prefetch\TOR-BROWSER-2.3.25-6_EN-US.EX-1354A499.pf
    C:\Windows\Prefetch\TOR.EXE-D7159D93.pf
    C:\Windows\Prefetch\VIDALIA.EXE-5167E0BC.pf

The following cache files are most likely similar to prefetch files and might contain traces of the Tor Browser Bundle:

    C:\Users\runa\AppData\Local\Microsoft\Windows\Caches\cversions.1.db
    C:\Users\runa\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000006.db
    C:\Windows\AppCompat\Programs\RecentFileCache.bcf

I have created #8916 for this issue.

SetupAPI

SetupAPI and the Plug and Play (PnP) manager write entries to SetupAPI.dev.log and SetupAPI.app.log about operations that install devices and drivers. The following files contain information about the attached external drive:

    C:\Windows\inf\setupapi.dev.log
    C:\Windows\System32\DriverStore\FileRepository\usbstor.inf_amd64_neutral_0725c2806a159a9d\usbstor.PNF

Thumbnail Cache

Windows stores thumbnails of graphics files, and certain document and movie files, in Thumbnail Cache files. The following files contain the Onion Logo icon associated with the Tor Browser Bundle:

    C:\Users\Runa\AppData\Local\Microsoft\Windows\Explorer\thumbcache_32.db
    C:\Users\Runa\AppData\Local\Microsoft\Windows\Explorer\thumbcache_96.db
    C:\Users\Runa\AppData\Local\Microsoft\Windows\Explorer\thumbcache_256.db

Other Thumbnail Cache files, such as thumbcache_1024.db, thumbcache_sr.db, thumbcache_idx.db, and IconCache.db, may also contain the Onion Logo icon. I have created #8921 for this issue.

Windows Defender

Windows Defender is the default anti-virus software on Windows 7. Windows Defender will write log files to the following location:

    C:\ProgramData\Microsoft\Windows Defender\Support\

The log files will contain traces of the Tor Browser Bundle if Windows Defender ever decides to flag it as malware. This is true for any anti-virus software.

Windows Error Reporting (WER)

Windows Error Reporting (WER) captures and logs information about software crashes and other issues. I found information about the attached external drive in the following file:

    C:\Users\runa\AppData\Local\Microsoft\Windows\WER\ReportQueue\NonCritical_x64_84cd279a5e83221bfa7edcb36665592c1974e4_cab_0b21673a\DMI671B.tmp.log.xml

The logs will probably contain traces of the Tor Browser Bundle if any part of the bundle, such as the Tor Browser or Vidalia, ever hangs or crashes.

Windows Event Log

The following two event logs contain information about the attached external drive:

    C:\Windows\System32\winevt\Logs\Application.evtx
    C:\Windows\System32\winevt\Logs\System.evtx

Windows Paging File

Microsoft Windows uses a paging file, called pagefile.sys, to store frames of memory that do not currently fit into physical memory. The file C:\pagefile.sys contains information about the attached external drive, as well as the filename for the Tor Browser Bundle executable. I have created #8918 for this issue.

Windows Registry

The Windows Registry is a database that stores various configuration settings and options for the operating system. HKEY_CURRENT_USER, abbreviated HKCU, stores settings that are specific to the currently logged-in user. Each user's settings are stored in files called NTUSER.DAT and UsrClass.dat.

The path to the Tor Browser Bundle executable is listed in the following two files:

    C:\Users\runa\AppData\Local\Microsoft\Windows\UsrClass.dat
    C:\Users\runa\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1

I did not find traces of the Tor Browser Bundle in any of the NTUSER.DAT files. I have created #8919 for this issue.

Additionally, the output from Noriben indicates that the Tor Browser Bundle touches the registry by creating keys and setting values. The following value points to the Tor Browser Bundle executable on the attached external drive:

    [Set Value] Explorer.EXE:1196 > HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\E:\tor-browser-2.3.25-6_en-US.exe = 7z SFX

The output also makes it look like the Tor Browser Bundle adds the following keys and values:

    [Set Value] tbb-firefox.exe:1124 > HKCU\Software\Classes\Local Settings\MuiCache\11\52C64B7E\LanguageList = en-US, en
    [CreateKey] tbb-firefox.exe:1124 > HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}
    [CreateKey] tbb-firefox.exe:1124 > HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
    [CreateKey] tbb-firefox.exe:1124 > HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}
    [CreateKey] tbb-firefox.exe:1124 > HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\Count

I found that these keys and values are present on a clean Windows 7 system where the Tor Browser Bundle has never been used. I also downloaded and tested the German version of the Tor Browser Bundle to make sure that the LanguageList value does not represent the language of the Tor Browser Bundle.

Windows Search

Windows Search, which is enabled by default, builds a full-text index of files on the computer. One component of Windows Search is the Indexer, which crawls the file system on initial setup, and then listens for file system notifications to index changed files. Windows Search writes a number of files to the following location:

    C:\ProgramData\Microsoft\Search\Data\Applications\Windows\

I have not found a way to read the Windows Search database files, but I would say it is likely that Windows Search picked up the Tor Browser Bundle at some point. I have created #8920 for this issue.

======

As expected, it leaves a lot more traces on Windows.


References

http://blog.encrypted.cc/blog/2013/05/20/forensic-analysis-of-tor-on-windows/
https://trac.torproject.org/projects/tor/ticket/6845
https://trac.torproject.org/projects/tor/ticket/8916
https://trac.torproject.org/projects/tor/ticket/8921
https://trac.torproject.org/projects/tor/ticket/8918
https://trac.torproject.org/projects/tor/ticket/8919
https://trac.torproject.org/projects/tor/ticket/8920
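
The clean-versus-tainted hashdeep comparison the post describes, written up as an added example (not the post's own tooling and not anything from the Tor Project): snapshot a tree, snapshot it again after activity, report every file whose hash is absent from the clean set, and sort the hits into the artifact classes listed above. The directory layout mimics the Windows paths in the post, but the files and their contents are constructed in a temporary directory.

```python
import hashlib
import os
import re
import tempfile
# Artifact classes from the findings above, keyed by a regex over the path relative
# to the drive root (forward slashes, case-insensitive).
ARTIFACT_CLASSES = {
    "prefetch": re.compile(r"^Windows/Prefetch/[^/]+\.pf$", re.I),
    "thumbcache": re.compile(r"/Explorer/(thumbcache_\w+|IconCache)\.db$", re.I),
    "wer": re.compile(r"/Microsoft/Windows/WER/", re.I),
    "registry_hive": re.compile(r"/(NTUSER\.DAT|UsrClass\.dat)(\.LOG\d)?$", re.I),
    "pagefile": re.compile(r"^pagefile\.sys$", re.I),
    "search_index": re.compile(r"^ProgramData/Microsoft/Search/Data/", re.I),
}

def hash_tree(root):
    """Map every file under root (path relative to root, '/' separators) to its SHA-256."""
    hashes = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                hashes[os.path.relpath(full, root).replace(os.sep, "/")] = hashlib.sha256(fh.read()).hexdigest()
    return hashes

def audit(clean, tainted):
    """Files in the tainted snapshot whose hash matches nothing in the clean set, as in the
    post: a file that merely moved is ignored, a new or modified one is reported."""
    known = set(clean.values())
    return sorted(p for p, h in tainted.items() if h not in known)

def classify(paths):
    """Group reported paths by artifact class; anything unmatched lands in 'other'."""
    groups = {}
    for p in paths:
        label = next((n for n, rx in ARTIFACT_CLASSES.items() if rx.search(p)), "other")
        groups.setdefault(label, []).append(p)
    return groups

def _write(root, rel, data):
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)

def demo():
    """Constructed miniature of the experiment: snapshot, simulate a bundle run, snapshot again."""
    with tempfile.TemporaryDirectory() as root:
        user = "Users/runa/AppData/Local/Microsoft/Windows"
        _write(root, "Windows/Prefetch/EXPLORER.EXE-00000000.pf", b"pre-existing prefetch entry")
        _write(root, user + "/Explorer/thumbcache_32.db", b"clean thumbnails")
        _write(root, user + "/UsrClass.dat", b"clean hive")
        clean = hash_tree(root)
        # Traces named in the post: new prefetch entries, a rewritten thumbnail cache and hive.
        _write(root, "Windows/Prefetch/START TOR BROWSER.EXE-F5557FAC.pf", b"new prefetch entry")
        _write(root, "Windows/Prefetch/TOR.EXE-D7159D93.pf", b"another new prefetch entry")
        _write(root, user + "/Explorer/thumbcache_32.db", b"clean thumbnails + onion logo")
        _write(root, user + "/UsrClass.dat", b"hive now naming E:/tor-browser-2.3.25-6_en-US.exe")
        return classify(audit(clean, hash_tree(root)))
```

`demo()` returns the three artifact classes the simulated run touched, with the untouched pre-existing prefetch entry correctly absent; pointing `hash_tree` at a mounted image of a real clean and tainted drive gives the full-size version of the post's 256-file result.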

1272
Security / Re: Crypto migration plan for hidden services
« on: May 21, 2013, 10:52 pm »
Some relays are already using AES-NI, which should be even more efficient, since it's specifically designed for crypto operations. Crypto still seems to be the bottleneck.

1273
Security / Re: Law Enforcement on SR??? PLEASE READ
« on: May 21, 2013, 10:46 pm »
I "cleaned" the files, rebooted and now there are more rootkits.

Anti-virus programs are fucking snake oil. It's a sham industry. If you got hit with this, format your hard drive and do a clean reinstall.

I'm deleting my VM now...

1274
Security / Re: Law Enforcement on SR??? PLEASE READ
« on: May 21, 2013, 10:29 pm »
This is the exact malware on that site. It's a Trojan downloader:

https://www.virustotal.com/en/file/35970e91c4d3364f8b05f5b40d892224084c7fc207af4db8165ebf6ca9bd5357/analysis/

The checksums on the Client.jar file are the same.

AVG has also detected rootkits in my VM.

On Windows XP, the files ntoskrnl.exe and hal.dll get infected.

1275
Security / Re: Deleting Encrypted Documents
« on: May 21, 2013, 10:10 pm »
Then what I would do is create a new encrypted volume, copy the files you want to keep into it, and destroy the first encrypted volume by writing over the first few megabytes, destroying the decryption key. And from now on, use separate encrypted volumes for different things.

That's not a perfect solution, because the hard drive may have been defragmented, leaving other copies of the encrypted file in other locations, but I doubt LE is going to forensically analyze the free space of a small time drug user/dealer. That takes a lot of time and costs money. Bradley Manning, yes. A low level drug buyer, no.

