Silk Road forums
Discussion => Security => Topic started by: peach on August 06, 2013, 01:22 pm
-
1st) Javascript is not really the problem (actually javascript is quite harmless); it was a bug in the browser's handling of javascript that allowed this exploitation. Still, considering the potential risks, disable javascript in the browser AND enable NoScript to block everything.
2nd) In the same fashion, images (jpegs, gifs, pngs, etc...) can be used to create similar exploits if a bug is discovered in Firefox's graphics rendering engine. Yes, imagine opening a cat's image, and bam, you are owned. It happened in the past, it can happen today, and it could be tomorrow's headline. If you want to prevent potential hacks, disable images. I know that it sounds extreme, but this type of exploitation is as possible as the javascript exploitation that has affected Tor users. Neither is common, but both are doable.
3rd) Third-party browser plugins and addons are common attack vectors. Forget about flash, Java (which is NOT the same as javascript; Java is EVIL, javascript is OKAY... but still disable it just in case), ADOBE (Adobe is also a common way to hack in: pdf, png, psd, etc... have been actively exploited to penetrate systems), other streaming codecs, and default players. All of them are extremely common ways of exploiting your browser. Get rid of all of them, and never ever install them.
4th) If possible, get rid of Windows. But Mac users, you guys are next in line, so don't be smug and don't feel secure. Mac users and Linux users are also vulnerable; the *ONLY* reason they weren't affected this time is simply because THEY WEREN'T TARGETED.
Whatever OS you are using, always use a sandbox or a VM for browsing.
If you must use windows, ALWAYS use Sandboxie for your browser. SANDBOXIE IS YOUR INTERNET CONDOM.
Otherwise, use Whonix as recommended by Astor (https://whonix.org/wiki/Main_Page)
5th) I was traditionally against using VPN+TOR but considering the nature of these attacks, I think that the tradeoff is worth it.
Only hire VPNs WITHOUT jurisdiction in the US (read their terms and conditions), PAY IN BITCOINS ONLY, and be sure they don't keep logs (pay attention to who is managing the companies; use VPNs managed by libertarians/anarchists/hacktivists).
Use OpenVPN, never PPTP. You can tell that a company is serious about security when they offer OpenVPN.
6th) Always keep your browser updated. ALWAYS. If Tor homepage shows that there is a new bundle, don't procrastinate.
7th) I strongly recommend using Tor only for hidden services (.onion sites); don't browse the clearnet from Tor.
For clearnet browsing, use a normal browser without Tor, especially for non-criminal activities. Keep both activities separate and compartmentalized. There is a rationale behind this, but I don't want to bore you with the details... potentially it will prevent many sophisticated attacks in the future.
Edit: Added Whonix
-
I agree with all of your points other than 7. Use Tor for everything that cannot be linked to your real identity (i.e. don't use it for Facebook). I also would kind of say that javascript is the problem. I know people like to argue that javascript is fine and dandy and the browser or whatever is at fault, and technically that is true, but it is also true that not having javascript enabled makes you way less vulnerable to hacking attacks like this. Javascript should always be disabled; it is required for a lot of browser hacks to work, and disabling it automatically protects you from a lot of potential 0-day attacks.
-
Thank you peach
-
I think they have my IP. Is it enough to justify a raid? (I'm not in the USA.)
-
An anonymizing middle box solves all your problems without having to disable anything. Basically, we should all start using the Whonix Gateway with any operating system we want in a separate VM, transparently proxied through the gateway.
-
An anonymizing middle box solves all your problems without having to disable anything. Basically, we should all start using the Whonix Gateway with any operating system we want in a separate VM, transparently proxied through the gateway.
astor - i really appreciate all you've done and will do, but for the techno-challenged (like me) you might as well have made that statement in greek
sandboxie - i get the idea, but apparently it doesn't work in linux. am i wrong?
-
astor - i really appreciate all you've done and will do, but for the techno-challenged (like me) you might as well have made that statement in greek
There was a very easy-to-follow tutorial on how to set up a Whonix VM by the same astor, but alas the thread exists no more (and I don't know why). I actually have a copy of it that I took from that thread and that I used to create mine. It is very simple to do, no matter how un-techie you are. Moreover, it has the great advantage that you can then use a VM with the OS you prefer, so this is actually in favor of non-techie people, because they can use Windows with it without many problems (unlike usual).
Maybe astor can tell us why that thread has been deleted.
-
thanks but i was hoping for a "box" i could use in Tails, that would give a techno idiot like me a little more of the "warm & fuzzy" factor
and i noticed Astor's tutorial on GPG also disappeared - assumed he had it on a FH server
-
I agree with all of your points other than 7. Use Tor for everything that cannot be linked to your real identity (i.e. don't use it for Facebook). I also would kind of say that javascript is the problem. I know people like to argue that javascript is fine and dandy and the browser or whatever is at fault, and technically that is true, but it is also true that not having javascript enabled makes you way less vulnerable to hacking attacks like this. Javascript should always be disabled; it is required for a lot of browser hacks to work, and disabling it automatically protects you from a lot of potential 0-day attacks.
The reason I made the point 7 is because of a nefarious scenario that is potentially exploitable if the NSA and FBI work together in an effort to deanonymize THE WHOLE TOR USERBASE (with the exception of those using it only for hidden services).
If you are curious, send me a PM and I'll share it with you.
I agree, for prophylactic measures, javascript should be disabled.
-
With Whonix, you run two virtual machines on any operating system on any computer. You don't have to use Tails, and it's more secure than Tails.
However, the reason I took the tutorial down is because I decided newbies shouldn't be running any random OS in the Workstation VM. Yes, it's safer at the network layer in that Tor can't be bypassed, but that's like 20% of what can deanonymize you. Your behavior online can deanonymize you. Leaving unencrypted emails on a server that is seized by LE can deanonymize you. An operating system update that sends your license to Microsoft can deanonymize you. I think random newbs should run the Workstation that Whonix supplies.
https://whonix.org/wiki/Main_Page
-
With Whonix, you run two virtual machines on any operating system on any computer. You don't have to use Tails, and it's more secure than Tails.
However, the reason I took the tutorial down is because I decided newbies shouldn't be running any random OS in the Workstation VM. Yes, it's safer at the network layer in that Tor can't be bypassed, but that's like 20% of what can deanonymize you. Your behavior online can deanonymize you. Leaving unencrypted emails on a server that is seized by LE can deanonymize you. An operating system update that sends your license to Microsoft can deanonymize you. I think random newbs should run the Workstation that Whonix supplies.
https://whonix.org/wiki/Main_Page
I'm really interested to learn about Whonix. It sounds like it can be a really good setup, but is it that you have to configure routes for different applications, and just isn't too user-friendly for the noob?
I'm no genius, but I am quite a tech person, so I would be interested to know for starters how it is better than me running Linux in a standard VMware VM with an anonymous VPN.
Will it block, for example, Flash or Java calling home out of the box? At first glance that seems to be its main benefit.
-
I'm really interested to learn about Whonix. It sounds like it can be a really good setup, but is it that you have to configure routes for different applications, and just isn't too user-friendly for the noob?
No, everything is transparently proxied over Tor by default. There's no way to disable it from within the Workstation VM.
There is an option for stream isolation, but you don't have to worry about that starting out.
I'm no genius, but I am quite a tech person, so I would be interested to know for starters how it is better than me running Linux in a standard VMware VM with an anonymous VPN.
If that VM is rooted, the attacker can bypass Tor. In the Whonix setup, Tor runs in a separate VM, called the Gateway, so the attacker would have to break out of the VM, which seems to be much harder than rooting an operating system, even Linux. I've always heard it's possible, but I've never seen a single article, blog post or security advisory about it happening in the wild.
-
Also, a VPN offers zero security if the attacker is LE. Once they root your operating system, phone home to their server, and determine you are accessing the internet from a VPN IP address, they simply subpoena the provider to get your identity.
Oh, your provider promises they don't log? Right.
I don't want to base my security on a "promise".
-
If that VM is rooted, the attacker can bypass Tor. In the Whonix setup, Tor runs in a separate VM, called the Gateway, so the attacker would have to break out of the VM, which seems to be much harder than rooting an operating system, even Linux. I've always heard it's possible, but I've never seen a single article, blog post or security advisory about it happening in the wild.
Ah, now I understand. That sounds like the perfect solution to mitigate the type of attack that happened through Tormail, all right.
I never got around to trying my experiment of VirtualBox Linux inside of VMware XP, but I think I will test-run Whonix and post my newbie mistakes as I go.
Also, a VPN offers zero security if the attacker is LE. Once they root your operating system, phone home to their server, and determine you are accessing the internet from a VPN IP address, they simply subpoena the provider to get your identity.
Oh, your provider promises they don't log? Right.
I don't want to base my security on a "promise".
Devil's advocate here, I should know more, but what if my anonymous VPN provider did by accident have logs? Then all LE would have is a list of everyone sharing the same VPN node at that time.
Hypothetically there are 50 users online sharing my node right now. Does LE then have to bust all 50 or take their investigation from there, or can they just see who viewed what?
I need to read up more... One good thing to come from all this drama is the want to learn, that's for sure.
-
Subbed and don't have anything intelligent to contribute to this conversation.
-
Devil's advocate here, I should know more, but what if my anonymous VPN provider did by accident have logs? Then all LE would have is a list of everyone sharing the same VPN node at that time.
Hypothetically there are 50 users online sharing my node right now. Does LE then have to bust all 50 or take their investigation from there, or can they just see who viewed what?
That depends on the level of logging they are doing. LE could ask them to log source and destination IP addresses, then they look at who sent requests to LE's server.
-
Buy a hardware firewall using pfsense or m0n0wall or openbsd. http://www.pfsense.org/index.php@option=com_content&task=view&id=44&Itemid=50.html
Now your computer is behind NAT, with a useless local IP, much like a VM. If your entire computer box is compromised, the hardware firewall saves your ass by locking out any traffic phoning home outside of your VPN or Tor. You can now alter your eth0 ethernet MAC safely too.
Speaking of VPNs...
This guy seems intent on finding a Tor covert channel http://www.informatik.uni-trier.de/~ley/pers/hd/l/Ling:Zhen which means they would stamp your traffic from a compromised host like the FH bust, then look for it at the ISP level after it passes the other hops. Since we live in a fully Orwellian surveillance state now this is entirely feasible.
Consider tunneling your Tor traffic through Jondonym mixmaster servers. They accept bitcoins, and it's much more resistant than a single VPN operator to intimidation from US feds as the Pirate political party in Germany runs a mixmaster. Your Tor traffic then originates encrypted on your computer, then is tunneled through a second encrypted padding (Jondonym encryption) which would then be passed through those mixmasters and encrypted Tor traffic comes out the other side looking for a first hop in Germany or Austria. A covert channel would be impossible to follow unless they could gain cooperation of all the servers in 3 different countries. Your ISP would see a VPN connection to Germany not any Tor traffic.
https://anonymous-proxy-servers.net/en/operators.html they have a Live CD too.
Benefits:
- local archiving of traffic useless due to double encryption
- extra obfuscation to prevent Tor traffic analysis
- covert channels useless
- your ISP doesn't see any direct Tor connections when they grep the logs for the DEA
- disable Tor, use the mixmaster for clearnet applications that don't accept Tor exit relay IPs like bitcoin exchanges
-
wtf is this? How the fuck do computer science majors end up becoming SR vendors? How/where do I learn all this shit?
P.S. I plan on majoring in computer science. you are all seriously making me reconsider.
-
Your behavior online can deanonymize you. Leaving unencrypted emails on a server that is seized by LE can deanonymize you. An operating system update that sends your license to Microsoft can deanonymize you. I think random newbs should run the Workstation that Whonix supplies.
However, in the tutorial you wrote you specified all these things. I mean, if someone for example leaves Java enabled in the browser or enables updates for Windows, s/he will clearly make mistakes in any other circumstances, ESPECIALLY if they use only the ToR bundle (that, let's face it, the majority of users adopt, and that's all). At least with a Whonix VM you can be sure that many attacks cannot take place, differently from normal, and it is more user-friendly than Tails (that for newbies can be a great motivation to upgrade to this from a ToR bundle rather than Tails).
I personally would like that tutorial to be uploaded again, and if you are really paranoid about a possible bad use, write a caveat at the beginning, but imo it's not good that newbies don't have an easy step-by-step tutorial on how to set up a Whonix VM here, because it is a good step up in their security from using only the ToR bundle (for example inside a hidden container on Windows that leaks traces everywhere for LE to find and exposes you to a lot of attacks), and a newbie is much more prone to want to do this to upgrade his security rather than jumping in with both feet on Tails, just because they can keep using the Windows OS they are so accustomed to, with just some precautions.
At least think about it.
-
I trust that most VPNs who say they don't keep logs in fact don't keep logs. Most.
It's what ensures 90% of their revenue I'm sure, so if it leaked that they did keep logs, their business would be toast.
But that's not the biggest issue IMO, since Tor is primarily being used on top of the VPN. What is more likely to deanonymize you is your behavior: what time you come online, what time you do this or that, when you're home, where you go (all stuff from your cell phone), etc. This stuff isn't really strong statistically until a lot of time has passed, which is why I plan to track my own behavior and change things up with surgical precision every so often.
-
I made another two posts about this, but I made a mistake and then took a lot of time to explain it and kind of messed my thread up, so let me give this one more shot.
This guy seems intent on finding a Tor covert channel http://www.informatik.uni-trier.de/~ley/pers/hd/l/Ling:Zhen which means they would stamp your traffic from a compromised host like the FH bust, then look for it at the ISP level after it passes the other hops. Since we live in a fully Orwellian surveillance state now this is entirely feasible.
Usually those sorts of attacks are called watermarking or tagging attacks (the source of my original confusion and mistake), but I see now that watermarking attacks actually use covert channels, so it is not incorrect to call them covert channel attacks. In any case, watermarking attacks are not particularly worrying because the attacker still needs to see the watermarked traffic at entry and exit. On the Tor network, and most other low latency networks (all implemented ones afaik), passive traffic correlation attacks can be used to accomplish everything that active traffic watermarking attacks accomplish. In the past Tor Project officials have expressed the belief that people focusing on watermarking attacks against Tor are often confused, as they are not really adding new capabilities to attack Tor (since all watermarking attacks are no more effective than passive correlation attacks against Tor traffic).
Consider tunneling your Tor traffic through Jondonym mixmaster servers.
You are a bit confused, mixmaster is a high latency E-mail specific network. JonDoNym routing nodes are called mixes, but this is hotly debated terminology (nobody else calls them mixes) because they don't actually do mixing (mixmaster routing nodes, on the other hand, do indeed engage in mixing). That said, yeah JonDoNym is often seen as a better solution than most VPN providers.
A covert channel would be impossible to follow unless they could gain cooperation of all the servers in 3 different countries. Your ISP would see a VPN connection to Germany not any Tor traffic.
Here you are misunderstanding the goal of a watermarking attack. The attacker does not need to follow the traffic flow, if they had to follow the traffic flow through all hops there would be no real point to a watermarking attack. Watermarking attacks are so that in a scenario such as this:
Alice - Node 1 - Node 2 - Node 3 - Node 4 - Node 5 - Node 6 - Node 7 - Destination
Node 1 can watermark the traffic, and then when it gets to node 7 the watermark can be extracted. This allows the attacker who owns node 1 and 7 to link Alice to her destination without having to observe the traffic as it passes from node 2 to node 6. The watermark can be seen as being sent through a covert channel from node 1 to node 7, which is why I now see that it isn't really incorrect to call these covert channel attacks (but I don't think I have ever heard them called that before; almost always watermarking attacks). The thing is, though, that if the same attacker owns node 1 and 7, they don't even need to insert a watermark at node 1, because all of the low latency anonymity networks are already weak to passive traffic timing correlation attacks.
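As an added illustration of the passive correlation point above (a constructed example, not code from the post or from the Tor or JonDoNym projects): synthetic flows enter a network, every packet is delayed and jittered, and an observer who sees both ends links each exit flow to its entry flow purely by correlating packet-count timing profiles, with no watermark inserted at node 1. The same code shows that constant-rate cover traffic, which low-latency networks like Tor do not send, leaves such an observer nothing to correlate; all flow parameters, delay and jitter values are assumptions.

```python
import random
from typing import List, Sequence


def make_flow(rng: random.Random, n_packets: int, mean_gap: float) -> List[float]:
    """Packet timestamps of a bursty user flow as seen at the entry node (exponential gaps)."""
    t, times = 0.0, []
    for _ in range(n_packets):
        t += rng.expovariate(1.0 / mean_gap)
        times.append(t)
    return times


def constant_rate_flow(interval: float, duration: float) -> List[float]:
    """Cover-traffic flow: one packet every `interval` seconds, whatever the payload."""
    return [k * interval for k in range(int(duration / interval))]


def traverse(rng: random.Random, flow: Sequence[float], delay: float, jitter: float) -> List[float]:
    """What a passive observer at the exit sees: each packet delayed by the path plus random jitter."""
    return [t + delay + rng.gauss(0.0, jitter) for t in flow]


def timing_profile(times: Sequence[float], bin_width: float, n_bins: int) -> List[int]:
    """Packet counts per time bin, aligned on the flow's first packet so a constant path delay cancels out."""
    counts = [0] * n_bins
    start = min(times)
    for t in times:
        b = int((t - start) / bin_width)
        if b < n_bins:
            counts[b] += 1
    return counts


def pearson(a: Sequence[float], b: Sequence[float]) -> float:
    """Pearson correlation of two profiles; 0.0 when either one is flat (nothing to correlate)."""
    n = len(a)
    mean_a, mean_b = sum(a) / n, sum(b) / n
    cov = sum((x - mean_a) * (y - mean_b) for x, y in zip(a, b))
    sd_a = sum((x - mean_a) ** 2 for x in a) ** 0.5
    sd_b = sum((y - mean_b) ** 2 for y in b) ** 0.5
    return cov / (sd_a * sd_b) if sd_a and sd_b else 0.0


def match_flows(entry_flows: Sequence[Sequence[float]], exit_flows: Sequence[Sequence[float]],
                bin_width: float = 0.5, n_bins: int = 60) -> List[int]:
    """For each exit flow, the index of the entry flow whose timing profile correlates best."""
    entry_profiles = [timing_profile(f, bin_width, n_bins) for f in entry_flows]
    matches = []
    for exit_flow in exit_flows:
        exit_profile = timing_profile(exit_flow, bin_width, n_bins)
        scores = [pearson(exit_profile, p) for p in entry_profiles]
        # max() keeps the first index on ties, so flat profiles all "match" entry 0
        matches.append(max(range(len(scores)), key=scores.__getitem__))
    return matches


def linking_accuracy(n_flows: int = 8, padded: bool = False, seed: int = 7) -> float:
    """Fraction of exit flows an observer at both ends links to the correct entry flow."""
    rng = random.Random(seed)  # fixed seed: constructed, reproducible flows
    if padded:
        # Constant-rate cover traffic: every flow has the same flat profile, so there is nothing to correlate.
        entries = [constant_rate_flow(0.25, 60.0) for _ in range(n_flows)]
    else:
        # Ordinary low-latency traffic carries its burst pattern through the network almost unchanged.
        entries = [make_flow(rng, 200, mean_gap=0.3) for _ in range(n_flows)]
    # Assumed path: 1.5 s of delay, 50 ms of jitter per packet (no watermark, purely passive observation).
    exits = [traverse(rng, f, delay=1.5, jitter=0.05) for f in entries]
    matches = match_flows(entries, exits)
    return sum(1 for i, m in enumerate(matches) if m == i) / n_flows


if __name__ == "__main__":
    print("bursty flows, no watermark: ", linking_accuracy())
    print("constant-rate cover traffic:", linking_accuracy(padded=True))
```

Run directly, it prints the linking accuracy for both cases: essentially every bursty flow is linked, while padded flows are linked only at chance.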
-
Also, a VPN offers zero security if the attacker is LE. Once they root your operating system, phone home to their server, and determine you are accessing the internet from a VPN IP address, they simply subpoena the provider to get your identity.
Oh, your provider promises they don't log? Right.
I don't want to base my security on a "promise".
Depending on who your VPN is, if you were careful in picking your provider, it can actually be used to buy you some time before you get the feds at your door. Just like an early detection system: if they ever get an official request, you get immediately notified.
-
Astor, can you please explain in what specific areas having a whonix VM is superior to tails+bridges? Also, on what OS are you able to have the whonix VM? Could one pad tails with whonix?
To the group: do you or do you not recommend VPNs? I had always assumed the general consensus was that these were the major layer protecting the user from their ISP. Either that or bridges, and quite frankly I don't like the bridge concept very much (trusting random IPs for so-called "secure" connection does not sit well with me, especially when anyone can start one). And now a mix operator? I have never even heard of the concept. We need to come to a consensus on a basic list of security features the average user should have, and an advanced list for users whose security is worth more to them. Personally, however I can improve my security, I will do it. I would simply like everyone to agree on what is the most superior security option(s).
-
Astor, can you please explain in what specific areas having a whonix VM is superior to tails+bridges? Also, on what OS are you able to have the whonix VM? Could one pad tails with whonix?
To the group: do you or do you not recommend VPNs? I had always assumed the general consensus was that these were the major layer protecting the user from their ISP. Either that or bridges, and quite frankly I don't like the bridge concept very much (trusting random IPs for so-called "secure" connection does not sit well with me, especially when anyone can start one). And now a mix operator? I have never even heard of the concept. We need to come to a consensus on a basic list of security features the average user should have, and an advanced list for users whose security is worth more to them. Personally, however I can improve my security, I will do it. I would simply like everyone to agree on what is the most superior security option(s).
I think at the end of the day nobody wants to endorse any one particular option, as if we all end up with the "best security", we end up with no security, as LE only has to figure out how to crack one system.
-
I made another two posts about this, but I made a mistake and then took a lot of time to explain it and kind of messed my thread up, so let me give this one more shot.
This guy seems intent on finding a Tor covert channel http://www.informatik.uni-trier.de/~ley/pers/hd/l/Ling:Zhen which means they would stamp your traffic from a compromised host like the FH bust, then look for it at the ISP level after it passes the other hops. Since we live in a fully Orwellian surveillance state now this is entirely feasible.
Usually those sorts of attacks are called watermarking or tagging attacks (the source of my original confusion and mistake), but I see now that watermarking attacks actually use covert channels, so it is not incorrect to call them covert channel attacks. In any case, watermarking attacks are not particularly worrying because the attacker still needs to see the watermarked traffic at entry and exit. On the Tor network, and most other low latency networks (all implemented ones afaik), passive traffic correlation attacks can be used to accomplish everything that active traffic watermarking attacks accomplish. In the past Tor Project officials have expressed the belief that people focusing on watermarking attacks against Tor are often confused, as they are not really adding new capabilities to attack Tor (since all watermarking attacks are no more effective than passive correlation attacks against Tor traffic).
Consider tunneling your Tor traffic through Jondonym mixmaster servers.
You are a bit confused, mixmaster is a high latency E-mail specific network. JonDoNym routing nodes are called mixes, but this is hotly debated terminology (nobody else calls them mixes) because they don't actually do mixing (mixmaster routing nodes, on the other hand, do indeed engage in mixing). That said, yeah JonDoNym is often seen as a better solution than most VPN providers.
A covert channel would be impossible to follow unless they could gain cooperation of all the servers in 3 different countries. Your ISP would see a VPN connection to Germany not any Tor traffic.
Here you are misunderstanding the goal of a watermarking attack. The attacker does not need to follow the traffic flow, if they had to follow the traffic flow through all hops there would be no real point to a watermarking attack. Watermarking attacks are so that in a scenario such as this:
Alice - Node 1 - Node 2 - Node 3 - Node 4 - Node 5 - Node 6 - Node 7 - Destination
Node 1 can watermark the traffic, and then when it gets to node 7 the watermark can be extracted. This allows the attacker who owns node 1 and 7 to link Alice to her destination without having to observe the traffic as it passes from node 2 to node 6. The watermark can be seen as being sent through a covert channel from node 1 to node 7, which is why I now see that it isn't really incorrect to call these covert channel attacks (but I don't think I have ever heard them called that before; almost always watermarking attacks). The thing is, though, that if the same attacker owns node 1 and 7, they don't even need to insert a watermark at node 1, because all of the low latency anonymity networks are already weak to passive traffic timing correlation attacks.
A covert channel is basically just information exchange done covertly, which is the same thing, but you're right, the established term for this would be watermarking, I guess. You're right about mixes and mixmaster, I knew that too; I guess this is what happens when you smoke a giant bowl and troll these forums too late at night. With the NSA, DEA and even local law enforcement lines totally blurred, I don't trust my ISP at all not to be recording literally all my traffic and archiving it; plus, with the NSA docs leaked on how they tapped ocean fiber cables, I'd rather protect my local Tor traffic to prevent snooping and potential archival and then decloaking 6 years from now if a major crypto engineering flaw is found in the protocol. Lately I've been going through NSA recommendations for securing consumer devices on their mailing lists and design documents. They insist a secure tunnel must always be used regardless of whether the traffic being tunneled through it is already encrypted, and said tunnel must use a different algorithm. They're telling us something by recommending that, and I don't think it's just whitehat paranoia.
If you're interested in crypto engineering side channels, these guys offer a free challenge which is a good learning tool: http://www.matasano.com/articles/crypto-challenges/ Obviously you would sign up anonymously, through a non-traceable email account, and never reveal you are from these forums. Answers can be submitted in Lisp or any language you want. You will start to question the reliability of OTR afterwards. I don't blindly trust OTR anymore; every time I use it I end up just pasting in PGP, so I hardly use it at all now. I cringe at all the convos I had years ago over clearnet with it before I discovered how fatally flawed a lot of open source crypto engineering truly is. If you don't know any languages, just pick up the SICP book or watch some coursera.org courses.
-
Astor, can you please explain in what specific areas having a whonix VM is superior to tails+bridges?
Whonix is superior to Tails because Tor runs in a separate virtual machine (the Gateway) from the main operating system (the Workstation), so an attacker has to find an exploit to break out of the Workstation VM to bypass Tor and determine your real IP address. On Tails, an attacker has to find a privilege escalation exploit to gain administrator privileges. Privilege escalation bugs for Linux are more common than VM escape bugs for VirtualBox. If you read through security announcements, you'll see multiple privilege escalation bugs over the last few years, but I haven't heard of any bugs that allow someone to escape a VirtualBox VM.
Both are far more secure than running TBB on Windows or even a regular Linux distribution. The only thing more secure than Whonix is running Tor on a physically separate computer that sits between your main computer and the internet, which we call an anonymizing middle box.
Also, you can configure the Whonix Gateway to use bridges just like with Tails.
Also, on what OS are you able to have the whonix VM?
Whonix is a pair of VM images that you import into an application called VirtualBox, which runs on Windows, OS X, and Linux. So you can get better security than Tails without leaving your favorite operating system for non-Tor things. Best of all, you don't have to reboot to switch between the two activities.
Could one pad tails with whonix?
You could "pad" Tails by running it as the Workstation VM and routing its connections through the Gateway VM but I wouldn't recommend it, because you run into the "Tor over Tor" problem, where one Tor doesn't know what the other is doing, and you might end up with the same relay for your entry guard and exit node, which would kill your anonymity.
-
Astor, can you please explain in what specific areas having a whonix VM is superior to tails+bridges? Also, on what OS are you able to have the whonix VM? Could one pad tails with whonix?
To the group: do you or do you not recommend VPNs? I had always assumed the general consensus was that these were the major layer protecting the user from their ISP. Either that or bridges, and quite frankly I don't like the bridge concept very much (trusting random IPs for so-called "secure" connection does not sit well with me, especially when anyone can start one). And now a mix operator? I have never even heard of the concept. We need to come to a consensus on a basic list of security features the average user should have, and an advanced list for users whose security is worth more to them. Personally, however I can improve my security, I will do it. I would simply like everyone to agree on what is the most superior security option(s).
I think at the end of the day nobody wants to endorse any one particular option, as if we all end up with the "best security", we end up with no security, as LE only has to figure out how to crack one system.
I will endorse Qubes, Whonix and manual isolation with virtual machines. These techniques are the current cutting edge of computer security IMO. Some people will disagree, but the thing is, even if you had javascript enabled on a vulnerable version of the browser in a Windows VM, feds wouldn't have been able to pwn you if you had it isolated properly. Isolation is the final strong layer of security that keeps you safe when all else has failed, and not having it means that when all else fails you are fucked.
-
Where and how do I enable Noscript?
thanks
-
b0lixtrader, run Tor Browser and check the "S" icon next to the address bar.
S crossed over - It's on
Exclamation point over S - It's off
Qubes will become really interesting when (if) FDE and Tor AppVM will become default.
-
Lately I've been going through NSA recommendations for securing consumer devices on their mailing lists and design documents.
Link and summary of the content?
-
Note that the NSA has a list of all public VPN sellers and most likely sniffs all the traffic between the USA and those VPN IP addresses.