Security

Everything about security issues

How 950 Million Android Devices became vulnerable (Stagefright Vulnerability)

Imagine remotely executing code by sending an MMS to your victim, crazy, right? It’s not that crazy now, considering that researcher Joshua J. Drake just discovered a very intrusive vulnerability in the Android operating system. It is estimated that this vulnerability exposes 95% of all Android devices.

Stagefright is the library in Android that is responsible for all media processing. It provides a playback engine and the codecs necessary to play back a variety of media formats. Media processing is very resource-intensive functionality that needs to run as efficiently as possible. To achieve this, the library is implemented in C (native code). C, in contrast to Java, is a memory-unsafe language: a developer writing C code is responsible for managing the memory regions his code uses. This opens the door to a variety of vulnerabilities that arise from insufficient bounds checks on input data handled by a C routine. The vulnerability in the Stagefright library is an example of such a memory vulnerability, and it allows an attacker to perform remote code execution.

The Stagefright vulnerability

Not a lot of technical details are known about the vulnerability. This is probably because the vulnerability is going to be presented at Black Hat USA on August 5 and DEF CON 23 on August 7. However, it seems that the specific attacks that are possible are what researchers call a ‘buffer overflow attack’. It seems that CyanogenMod has already provided some patches; the following figure shows the patches for the MPEG-4 processing module of Stagefright. The commit comes with a comment that describes part of the vulnerability in some technical detail:

When the ‘chunk_data_size’ variable is less than ‘kSkipBytesOfDataBox’, an integer underflow can occur. This causes an extraordinarily large value to be passed to MetaData::setData, leading to a buffer overflow.
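To make the commit comment concrete, here is an added example (not the CyanogenMod patch itself and not code from this page) that models the size computation in a minimal MP4 box parser. The value of kSkipBytesOfDataBox, the box layout and the function names are assumptions, and the unsigned wrap-around of size_t is emulated with a 64-bit mask because Python integers do not underflow.

```python
import struct

# Constant named in the commit comment; the value 16 is an assumption for this example.
K_SKIP_BYTES_OF_DATA_BOX = 16
# Emulate unsigned 64-bit size_t arithmetic: C wraps around, Python would go negative.
SIZE_T_MASK = (1 << 64) - 1


def payload_size_unchecked(chunk_data_size):
    """Size handed to the metadata setter when the subtraction is not guarded.

    For chunk_data_size < K_SKIP_BYTES_OF_DATA_BOX the size_t subtraction wraps
    to an enormous value, which is the underflow the commit comment describes.
    """
    return (chunk_data_size - K_SKIP_BYTES_OF_DATA_BOX) & SIZE_T_MASK


def payload_size_checked(chunk_data_size):
    """Same computation with the guard a parser needs: reject short boxes first."""
    if chunk_data_size < K_SKIP_BYTES_OF_DATA_BOX:
        raise ValueError("malformed 'data' box: %d bytes is shorter than the %d-byte header"
                         % (chunk_data_size, K_SKIP_BYTES_OF_DATA_BOX))
    return chunk_data_size - K_SKIP_BYTES_OF_DATA_BOX


def parse_data_box(box, checked=True):
    """Parse one MP4 box: 4-byte big-endian size, 4-byte type, then the payload.

    Returns (type, payload size the parser would go on to use). chunk_data_size
    is the box size minus the 8-byte box header, as in ISO base media files.
    """
    if len(box) < 8:
        raise ValueError("truncated box header")
    size, kind = struct.unpack(">I4s", box[:8])
    if size < 8 or size > len(box):
        raise ValueError("box size %d does not fit in %d bytes" % (size, len(box)))
    chunk_data_size = size - 8
    if checked:
        return kind, payload_size_checked(chunk_data_size)
    return kind, payload_size_unchecked(chunk_data_size)


def make_box(kind, payload):
    """Build a box; constructed test input, not a real media file."""
    return struct.pack(">I4s", 8 + len(payload), kind) + payload


# Constructed input: a 'data' box whose payload (4 bytes) is shorter than the
# 16 bytes the parser expects to skip.
SHORT_DATA_BOX = make_box(b"data", b"\x00\x00\x00\x01")

if __name__ == "__main__":
    kind, bogus = parse_data_box(SHORT_DATA_BOX, checked=False)
    print("unchecked parser would copy %d bytes for %r" % (bogus, kind))
    try:
        parse_data_box(SHORT_DATA_BOX, checked=True)
    except ValueError as err:
        print("checked parser rejects it:", err)
```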

Should I be scared?

No. It’s a serious issue, but you should not go all paranoid. Some precautions can be taken to prevent an attack from executing successfully. In order to trigger the exploit in the Stagefright library, you’d have to execute media first. For the case of SMS/MMS, just disable MMS. Don’t play content that you don’t trust; this includes, but is not limited to: MMS (why even use those?), URLs or content from spam e-mails, strange-looking URLs that load in the browser, etc. Using some common sense can bring you a long way.

That’s the common sense part. Now the technical part is somewhat more reassuring. Android has several security boundaries built in to contain memory exploits and block them from executing successfully. Without going into a lot of detail, two of the countermeasures are ASLR and DEP, which make a memory attack quite difficult to execute; for the real technical part I refer to a previous article I wrote on another Android vulnerability. This shows that it is a very intrusive vulnerability, but not something that should keep you awake at night 😉

Who is to blame?

Collin Mulliner, senior research scientist at Northeastern University, said in an interview, “In this case Google is not the actual one to blame. It’s ultimately the manufacturer of your phone, in combination possibly with your carrier…If you can save money by not producing updates, you’re not going to do that. Since the market is moving that fast, it sometimes doesn’t make sense for the manufacturer to provide an update.”

Sources:

http://blog.zimperium.com/experts-found-a-unicorn-in-the-heart-of-android/

http://www.npr.org/sections/alltechconsidered/2015/07/27/426613020/major-flaw-in-android-phones-would-let-hackers-in-with-just-a-text

http://www.extremetech.com/mobile/210906-950m-phones-at-risk-for-stagefright-text-hack-thanks-to-android-fragmentation


Privacy: The Nothing to Hide Argument

When I am having a discussion about mass surveillance and privacy, it is far too often the case that the discussion gets stuck on the argument: if you have nothing to hide, you have nothing to fear. It seems that a lot of people are convinced that the idea of more security for less privacy is a valid reason for giving up on privacy. Not only is this a destructive argument (it makes further discussion completely impossible), it is also a faulty premise. The use of this argument suggests that a lot of people see privacy as hiding something bad or illegal. Why is this? If privacy really had this purpose, why is it a human right (see art. 12)?

What is privacy?

Understanding privacy is a crucial step before you can have any valuable or non-destructive discussion. It should be clear that privacy comes in different forms. Privacy is defined by the culture in which you try to define it. The concept of privacy has changed throughout the years due to the introduction of new technologies (e.g. the Internet, smartphones, etc.).

For my discussion, I would like to define the concept of privacy as follows. Privacy, in our western culture, is the ability to have control over your information when you share it over media and, when using common sense, to expect implied privacy. The concept of implied privacy: if I say something in a private chat to my friend X, I expect the notion of ‘implied privacy’. If I share it with my friend X, I don’t expect my message to end up in some sort of mass surveillance program. If I walk in a public space and my face is recorded on a CCTV camera, I don’t expect it to be linked with my online messages. Why? Because it is my choice whether I want to disclose the link between my location (where the camera has recorded me) and my online conversations, or even my search history on search engines.

Problems with mass surveillance

The privacy problems I would like to touch on here are those that arise with mass surveillance. This type of data gathering is an attack on the fundamentals of free speech and personal privacy. Data is being gathered from the biggest social media and search engines, wires are being tapped and even routers are being backdoored to get to your data.

The problem with mass surveillance on this scale is the fact that data is stored in central data centers. Pieces of data are linked together behind the user’s back. Aleksandr Solzhenitsyn declared:

Everyone is guilty of something or has something to conceal. All one has to do is look hard enough to find what it is.

This is an ironic remark on the fact that, if you piece data together in some specific way, you can make a case against somebody. The context of the data is lost when it is tapped or gathered, and the intention or purpose behind the data is not recorded; together with a non-transparent data-gathering program, this is a recipe for privacy-breaching measures or for wrongfully incriminating an individual. It can best be described with this scene from Friedrich Dürrenmatt’s novella “Traps”, in which a seemingly innocent man is put on trial by a group of retired lawyers in a mock-trial game and inquires what his crime shall be. “An altogether minor matter,” replies the prosecutor. “A crime can always be found.”

Although my article used examples and facts about the spying programs of the NSA, it should be noted that all big governments have these programs. As ordinary people we should demand privacy and take this right into our own hands. We shouldn’t give up privacy for a deal on more security. The perfect end to this blog post is a quote from Mikko, which I used in a previous blog post as well:

Privacy is implied, privacy is not up for discussion. This is not a question between privacy against security. It’s a question of freedom against control.

h4oxer


Android Security: Dangers of hybrid frameworks (XDA:Devcon14 write-up)

At the end of September I gave a presentation at xda:devcon14 that gave an overview of attack surfaces in Android and security issues in web-based applications. I have put my slides online on SlideShare, and a lot of people were asking questions, so I decided to post a write-up.

Attack Surfaces

A big part of the presentation covers attack surfaces in Android. What are they?

Attack surfaces are pieces of code that can be reached and exercised by anyone who has access to a system. They are called the open flanks of a system and accept input or allow code execution, not necessarily from a malicious user. A hacker will usually search in these places, as they are the most interesting to manipulate.

In order to decide which attack surfaces an attacker will try to attack, some properties of the surface are considered, as mentioned in the slides. These properties determine the gain for an attacker once he successfully compromises the surface entirely, or just the code behind it. The general rule to follow here is that an attacker will try to gain as many privileges as possible with the least investment of resources and time.

I will not cover all the attack surfaces, but only the one that is interesting for web-based applications. This is called the remote attack surface, more specifically the WebView component. This is a class that offers functionality to render web content using the WebKit rendering engine. It is a broad attack surface, as a lot of web technologies and protocols need to be supported. These all represent an attack surface of their own, with their own vulnerabilities and security models, which can conflict with the Android security model. This is the case when we consider hybrid frameworks.

To be on the same page, I define a web-based Android application as an application that uses the WebView class to render web content.

JavaScript-Java Bridges, burn them

Security issues arise when you use a JavaScript-Java bridge in your web-based application. In the WebView class, Android allows Java code to be called from JavaScript; you register the Java object whose methods can be called using addJavascriptInterface(). The security issues become apparent when you don’t know which content you are loading.

What happens with JavaScript loaded in an iframe? Or, more generally, with JavaScript coming from a third-party source?

Basically there is nothing stopping it from calling the Java code exposed through the JavaScript bridge. Android uses a permission model to allow apps to perform certain actions. Third-party JavaScript can call the same public methods associated with the JS bridge, because the Same-Origin Policy is not applied to the bridge. The conflict is between native code running under a permission-based security model on one side and web content, which is bound by the SOP, on the other. These two security models do not mesh perfectly, and that allows attackers to use functionality the user never granted permissions for.

Hybrid Frameworks (Apache Cordova, Sencha Touch, …)

Hybrid frameworks are frameworks that let you develop a web application using, for example, HTML5, CSS and JavaScript. They allow you to package your application to run cross-platform. The benefit of this approach is that you only need to develop your application once and can then package it for the different platforms. This saves time and money if you need to pay developers.

When packaging your application for Android, the following happens. Your web application is nothing more than web content running in a WebView. These frameworks come by default with a Java-JS bridge whose methods are publicly available. The same problems arise as mentioned above for simple WebView applications. There are, however, solutions to these problems.

Domain Whitelisting

Just implement your own origin policy! You decide which third parties you trust. For hybrid frameworks it is fairly easy: just use the domain whitelisting functionality. The funny part is that by default this is configured to allow every domain. Yeah, you’re welcome.

In applications using a WebView component, the solution is to intercept page loads and resource loading requests and implement whitelist logic that denies the load if you don’t trust the origin. The slides give you the two interesting methods you need to override for the WebView: shouldOverrideUrlLoading() and shouldInterceptRequest().
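The following added example (not code from the slides or from any framework) shows the whitelist logic that would sit behind those two callbacks: exact host matching plus an https requirement, applied both to top-level navigations and to subresources such as ad scripts. The host names, the request list and the function names are constructed for this illustration; the decision functions mirror the shape of the two Android callbacks rather than calling them.

```python
from urllib.parse import urlsplit

# Hosts this hypothetical app trusts; everything else is denied. Constructed values.
ALLOWED_HOSTS = {"app.example.com", "cdn.example.com"}


def is_trusted(url, allowed_hosts=ALLOWED_HOSTS):
    """Return True only for https URLs whose host exactly matches an allowed host.

    Exact matching (rather than endswith or substring checks) keeps look-alike
    hosts out, and urlsplit().hostname strips userinfo and port and lower-cases
    the host for us.
    """
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme != "https":        # plain http can be rewritten on the wire
        return False
    host = parts.hostname
    if not host:                       # javascript:, data:, about: and friends
        return False
    return host in allowed_hosts


def should_override_url_loading(url):
    """Decision for a top-level navigation: True means 'handled, do not load'."""
    return not is_trusted(url)


def should_intercept_request(url):
    """Decision for a subresource (script, iframe, ad): None lets the load
    proceed; otherwise an empty response replaces the resource."""
    if is_trusted(url):
        return None
    return {"status": 403, "mime_type": "text/plain", "body": b""}


# Constructed sample requests a page might issue.
SAMPLE_REQUESTS = [
    "https://app.example.com/index.html",
    "http://app.example.com/index.html",                    # downgrade to http
    "https://app.example.com@evil.example.net/",            # userinfo trick
    "https://app.example.com.evil.example.net/ads.js",      # suffix look-alike
    "https://APP.EXAMPLE.COM:443/api",                      # case and port only
    "https://evil.example.net/?next=https://app.example.com",
    "javascript:alert(1)",
]


def blocked_requests(urls):
    """List the requests the interceptor would replace with an empty response."""
    return [u for u in urls if should_intercept_request(u) is not None]


if __name__ == "__main__":
    for url in SAMPLE_REQUESTS:
        print("%-8s %s" % ("allow" if is_trusted(url) else "block", url))
```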

When a third-party ad network is used, the same vulnerabilities are present, as ad networks can inject third-party content. A recent study by MWR Labs found the following:

A script was then crafted to automatically download Android applications, decompile them and identify if an ad network was in use, and if so determine if it is vulnerable. Out of the 1,000 top applications 570 were found to be vulnerable.

This means that over 50% of the top 1000 web-based Android applications are vulnerable. Makes you think: if security is a key aspect and concern, stay away from web-based applications. It is very tricky to get right, and in the end native coding is more fun 😉

H4

PS: For those who want to see the talk: it was filmed, but it is not yet online. Keep an eye on this blog or my Twitter feed 😉

Serious crypto vulnerability in Android

The whole mobile/Android world was shocked when a new vulnerability was disclosed which, to sum it up, weakens the security of the built-in KeyStore. However, the Android fanboy in me couldn’t help but notice that a lot of media fail to cover the story correctly. Bear with me here; it will get a little bit technical.

“The vulnerability resides in the Android KeyStore, a highly sensitive region of the Google-made operating system dedicated to storing cryptographic keys and similar credentials, according to an advisory published this week by IBM security researchers. By exploiting the bug, attackers can execute malicious code that leaks keys used by banking and other sensitive apps, virtual private network services, and the PIN or finger patterns used to unlock handsets. The advisory said Google has patched the stack-based buffer overflow only in version 4.4, aka KitKat, of Android. In an update, IBM said the vulnerability affected only version 4.3, which runs on about 10.3 percent of handsets.”

Now, a stack-based overflow itself is not that hard to exploit. However, every self-respecting security team in a big software company knows and implements countermeasures against these exploits/overflows. Android, for example, uses two major ones: data execution prevention (DEP) and address space layout randomization (ASLR). Without going into the technical details, this makes it pretty hard for an attacker to execute his own malicious code. But assume for now that an attacker has the possibility to do this. It’s still pretty difficult to actually exploit this. Whenever you inject code into the stack on the Android OS, the code is converted to a 7-bit ASCII representation. So what, you may ask. Well, basically this reduces the set of instructions that can be executed. Because of this 7-bit representation, the most significant bit is set to 0 and you can’t encode values less than b’0011000. This restricts you to code words of the form b’0xxxxxxx 0xxxxxxx 0xxxxxxx 0xxxxxxx. Now consider this chart, which shows the instruction set of an ARMv7 CPU, frequently used in Android devices.

Figure: instruction set of an ARMv7 CPU (image not included)

If you look at the chart and interpret the 7-bit representation explained above correctly, you can see that all condition codes must start with a 0. That immediately rules out “always execute”, so every instruction you encode will be conditional. Furthermore, your Rd register always starts with a 0: a pain in the ass, but not something you can’t work around. Basically you can only write to half the registers. Bummer. Consider the compare instructions: these all require a non-ASCII character. Whoops, no comparisons for you. To finish off, the ADD instruction: the values you can add are constrained by the requirement that they do not include ASCII values below 0x30, so depending on which operand you choose you can only pass in certain values. To sum it up: you can’t use most of the instructions or write to most of the registers, and your immediate operands are sharply constrained. Nevertheless, the exploit is something that should be taken care of, but not something that should keep you awake at night.

I am hacked, so what?

Often I hear people say they don’t really bother with security on their computers or smartphones. Very often those people use arguments such as “I don’t have important information” or “I know what I do, I don’t need protection”.

Now, what truly bothers me is the fact that people don’t look beyond their own interest. They don’t know that once one of your accounts is hacked, your friends are vulnerable to cybercrime too. Since the rise of social networks, a certain attack has been widely used and has always been the most exploited: it’s called social engineering.

Proof of concept: imagine your Facebook account gets hacked. The attacker controls your login and can use your entire account. At this point, if you have no personal information on your account because you’re just using it to browse Facebook, you’re lucky. But the chance of that being true is, well, let’s face it, very small. Everybody who has a Facebook account puts certain private information online, for (hopefully, if you used the correct settings) all of your friends to see.

The cracker now has enough information to take over your identity, combined with other information coming from search engines. He monitors your Facebook account and sees your friend updating his status: “Excited, just bought a new laptop online”. Chances are the attacker will send your friend an e-mail impersonating the staff of PayPal or some credit card company. A lot of people are fooled into giving up their CC info by this method, called ‘phishing’. Your friend is particularly vulnerable as he has just bought something online, so for him it’s easy to assume something went wrong with his payment, and hence he answers the mail.

The attacker goes on and sends something to your friend: ‘Hi man, check out this photo of you, I took it last night at the party.’ Chances are your friend is now infected with a trojan horse or a keylogger.

I hope the bigger picture becomes clear: once an account of yours gets compromised, you don’t only risk your own identity and safety, but also those of the people you’re connected to, as the attacker now has the ability to use your trusted reputation to perform his attacks.

Some tips:

– Never, ever, ever, …, surf to unencrypted sites when using a public AP. Always use the https:// prefix when supported. This gives some protection against sniffing of your passwords.
– Never, ever, ever, …, give up CC info in mails. Companies will never ask you for that. The same holds for login credentials.
– Never, ever, ever, …, follow a link without checking the URL. A link like http://fcebook.com is probably a trap.
– Always use a firewall. Experienced crackers can circumvent this, but at least you’re protected against script kiddies.
– Always use anti-virus in the unfortunate event you’re bound to use a Windows system ( :p ).

Maybe a more technical post is coming in the future that explains how crackers can circumvent your firewalls and anti-virus systems.

Cheers,

H4

Android systems, secure or not?

By the end of this current year, 1.4 billion smartphones will be in use: 798 million of them will run Android, 294 million will run Apple’s iOS, and 45 million will run Windows Phone, according to a new study by ABI Research.

Source: BusinessInsider

This is an incredible number of smartphone users connected to the big wide web. But how secure are they? Is it possible for a mobile operating system to be secure? Or is it insecure from the roots up?

As you might already guess, I will only be covering the Android part; not surprisingly, they have the bigger market share. So, how do you ‘test’ a secure mobile system?

A system can be locked down extremely, but this can have an impact on user-friendliness. Where do you draw the line? How do we test if a given Android system is secure? Do we forget user-friendliness, or are we considering the bigger picture: a secure, user-friendly Android system? I think considering the bigger picture is more realistic, as it includes the user’s behaviour, which makes up a great part of the system’s security.

Let’s take a look at the security mechanisms Android has implemented for safe distribution of applications. Android applications are shared through the Google Play Store. Android has two important security mechanisms involving the distribution and installation of apps, in order to protect the installing user from malicious actions:

  • applications need to be signed
  • applications need permissions to access phone functions

Applications need to be signed with a special unique key that a developer can obtain. The signing of an application can be thought of as providing the application with a digital certificate. With this certificate Android aims to establish trust relationships between applications. For example, consider an app which we call “AppX”. When “AppX” is first installed, it is signed with a specific private key. If the developer upgrades “AppX” to “AppX2”, he needs to use the same key he used to sign “AppX”. This creates a trusted relationship between “AppX” and “AppX2”, because only the developer who holds the key for “AppX” can develop an upgrade for the app. But is this watertight?

You probably know the answer already, because otherwise I wouldn’t have hinted at it. Well, no, this is not watertight. A rather invasive bug was found in the signing process.

The core issue is that Android package (APK) files are parsed and verified by a different implementation of “unzip a file” than the code that eventually loads content from the package: the files are verified in Java, using Harmony’s ZipFile implementation from libcore, while the data is loaded from a C re-implementation.

The way that these two implementations handle multiple files with the same name occurring in the zip file differs. The way the Java implementation reads the file is that it goes through the “central directory” and adds each entry to a LinkedHashMap. The key the entry is stored using is the name of the file.

Later, the PackageParser goes through each entry in the zip file, verifying that the file was signed with a consistent signature. This code iterates over the LinkedHashMap. The result is that only the last entry with a given name is considered for signature verification: all previous duplicates are discarded.

Source: Saurik
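As an added illustration of the mismatch Saurik describes (this is not code from the page, from Android or from the fix), the following Python builds a constructed archive with two entries named classes.dex and shows that a name-keyed lookup only ever sees the last entry, while walking the central directory entry by entry finds both. The duplicate-name check at the end is the kind of pre-install or triage test a defender can run over an APK; the entry name and payloads are constructed.

```python
import io
import warnings
import zipfile


def build_archive_with_duplicate(name, first_payload, second_payload):
    """Constructed test input: a zip with the same entry name stored twice.

    Python's ZipFile only warns about duplicate names, so the warning is
    suppressed and both entries are written, as a crafted archive would have.
    """
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
            zf.writestr(name, first_payload)
            zf.writestr(name, second_payload)
    return buf.getvalue()


def payload_by_name(archive, name):
    """Name-keyed lookup, like a map keyed on the file name: the last entry wins."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return zf.read(name)


def payloads_in_directory_order(archive, name):
    """Walk every central-directory entry (each ZipInfo carries its own local
    header offset) and return each payload stored under the given name."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return [zf.open(info).read() for info in zf.infolist() if info.filename == name]


def duplicate_entry_names(archive):
    """Names that occur more than once in the central directory; a non-empty
    result means a verifier and a loader may disagree about the file contents."""
    seen, dups = set(), set()
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if info.filename in seen:
                dups.add(info.filename)
            seen.add(info.filename)
    return sorted(dups)


# Constructed archive: two 'classes.dex' entries with different contents.
DEMO_ARCHIVE = build_archive_with_duplicate(
    "classes.dex", b"first classes.dex", b"second classes.dex")

if __name__ == "__main__":
    print("lookup by name sees: ", payload_by_name(DEMO_ARCHIVE, "classes.dex"))
    print("directory walk sees: ", payloads_in_directory_order(DEMO_ARCHIVE, "classes.dex"))
    print("duplicate names:     ", duplicate_entry_names(DEMO_ARCHIVE))
```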

This is a rather technical explanation of the bug, so a more noob-friendly explanation follows. As .APK files are nothing more than JAR files, this is where the problem lies. JAR stands for Java ARchive, a sort of folder with all your Java code. If you want to ensure the integrity of a JAR as a self-contained entity such as an Application then the ability to sign individual files is not a requirement. In fact it is difficult to see in what circumstances the ability to sign individual files and only individual files could be a requirement.

Because it is only possible to sign individual files, a signed JAR is really nothing more than a collection of files which may or may not be signed and the verification of a signed JAR is a very convoluted way of determining into which category each file belongs. All of which leads us to the question of what signed JARs are actually for?

The ability to package files in this way was presumably considered useful when the specification was produced but it is clear that it is a decidedly sub-optimal way of attempting to ensure the integrity of an Application made up of a number of files which have been packaged as a ZIP file.

While signed JARs undoubtedly constitute a flexible mechanism for doing something, it’s just not clear what, they do so at a cost.

As we have seen the cost is the complexity of the verification process and the inconclusiveness of the result.

The process of verification is ridiculously complicated and consequently dangerously error-prone which is not what you want from something which is a key part of ensuring the security of your platform. (Source: Simon Lewis)

Now, what can a user do about this? Not much, actually. The bug has been known for some time now; the only action Google has taken so far was to change something in the .APK submission process in the Play Store. A fix for devices is coming with Android 4.3. Older devices need to install the CyanogenMod custom ROM, which includes the 4-line bugfix that Google failed to deliver OTA.

Next up on the list is “Permissions”. Every app needs specific permissions to access phone functions. As an example, I will include the permissions the app I am currently developing needs:


<uses-permission android:name="android.permission.INTERNET" />
<uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />
<uses-permission android:name="android.permission.WRITE_INTERNAL_STORAGE" />
<uses-permission android:name="android.permission.READ_LOGS"/>
<uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
<uses-permission android:name="android.permission.WAKE_LOCK" />
<uses-permission android:name="com.google.android.c2dm.permission.RECEIVE" />

These permissions look like they’re asking a lot, but the only access they give to the phone is:

  • The use of the internet
  • Ability to write to the SD card (= caching images) and internal memory (= for settings)
  • Read the error log on a crash, to send a detailed error log back to me
  • Google Cloud Messaging service
  • Accessing the network state, to check if there’s an internet connection
  • And wake lock: my app uses a service that needs to run with or without the app running, so the service needs a wake lock

These permissions are shown to the user upon install. So this is the part where the user’s common sense plays a big part. If you want to play a game and the game asks for a whole list of permissions, the game is usually spyware. It will collect as much info as it can and send it back to a server. The maintainers of this server will sell the information to advertising companies. So reading through the permissions is not time lost, as they can be pretty invasive on the privacy of the phone user.

So I did not reach a conclusion, as it is a whole research project on its own (maybe a master thesis? 😉). But I hope I gave some pointers that there’s a huge gap between user-friendliness and optimal security of a mobile system. Any comments or questions, shoot!

Help, my child is on Facebook!

Often I get the question: “What is your view on online privacy with all those social networks invading it?”. Well, in short I usually answer it with: “Dangerous if you don’t know how to use it. Easy, awesome and interesting when used correctly.” I will only focus on the dangers, because I think everybody knows how awesome and interesting social networks are when used safely.

Connected with the world

People usually forget they are connected to the internet, and by extension to almost the whole world. The internet is rather a dark place. However, you should not fear it, but you should travel it with a torch in your hand. How does this relate to Facebook, you may ask? Well, Facebook is connected through the internet; without the internet Facebook would not exist. I find it ridiculous how a ten-year-old can make an account and connect with almost 2 billion people with a few clicks of a button. Alright, I hear you, it’s not Facebook’s fault. I agree, but some things must change in society’s view on social networks.

Dark corners of Facebook

Parents should be aware of the dangers a social network can have. Children are the most likely to fall for phishing attacks. Hackers are constantly lurking on children’s forums trying to get login information. A sentence often used: “Omg, is this you in this photograph?! http://www.ishouldneverclickthis.com”. Sounds familiar? Hackers are interested in this information for the sole purpose of selling it to a criminal organization, more specifically to child traffickers. They use the info from these profiles to generate false passports. Nowadays a Facebook profile is almost a blueprint of someone’s life. This is dangerous in many ways, not to forget personal attacks on victims or robberies.

Children should be taught how to use social networks. Chances are, if you ask children in a classroom “Who has a Facebook profile?”, almost everybody puts their hand up.

I am disgusted

I am disgusted with the educational organization in my country, Belgium. Mainly, we have two kinds of schools: public state schools and Catholic schools. I was shocked by the latter. They cancelled the IT course and defend it by saying it should be integrated into the other courses. I agree with the fact that it should be integrated into different courses. But I am strongly, STRONGLY recommending additional hours of IT course. TEACH CHILDREN TO USE A COMPUTER. What better way to teach children about the dangers of social networks than in schools? They should know how to safely use a computer in general. Children should not be the victim of a backward ideology (Yes! I am looking at you, Catholic education).

I simply cannot understand how a society so entangled with computers does not educate its children appropriately when it comes to cyber security. *sarcasm* The fact that I had to teach my IT teacher what PHP was in my 3rd year of secondary school is totally beside the point. */sarcasm*

It’s our duty

It’s our duty, as a parent, brother, sister or teacher, to educate our children. People should understand what impact computers can have on our lives. Privacy is a valued thing that needs, nay demands, protection. The era when computers were for the rich is behind us. Almost everybody has access to a computer, yet few have an appropriate basic understanding of how to use it safely. Reach out to me with any questions or comments. Please share this idea with others, whoever you think should know this.

Hacktivism

Hacktivism is a word you see surfacing a lot in the news lately. You must have been living on Mars if you have not heard once about Anonymous. What is this new movement? Why are they doing this? Is this legal, or just ethically justified?

Hacktivism

Hacktivism is the use of computers and computer networks as a means of protest to promote political ends.

This is the definition of hacktivism according to Wikipedia. Hacktivists use their knowledge of computer technology and cybersecurity to fight for an idea. They feel an authority is treating them unfairly. Anonymous, the example of hacktivism, fights for the right to information freedom and a more equal division of money. These are considered their main causes.

Some say information freedom is dangerous. For example: the WikiLeaks documents are considered a threat to the soldiers still fighting in the war zones: Iraq, Afghanistan, … True, some information can be dangerous and is not for terrorist eyes to see. But it is a price you pay as a government for decades of cover-up operations. How can people trust their governments if they are not honest towards their people?

A lot of people do not know what soldiers are doing in those foreign war countries, murdering innocent people. A couple of graphic hints:

http://wikileaks.org/wiki/Collateral_Murder,_5_Apr_2010

Be warned: these videos are not for the faint-hearted.

Ethics

Is this legal? No, this is not legal. Most information is obtained by breaking into secured computer systems. Is this ethically justified? Well, this question should be answered by every individual.

After MasterCard, Visa and PayPal closed all accounts owned by WikiLeaks, Anonymous stood up. They found it was not ethically justified to cut the funds WikiLeaks has the right to receive. The result: Anonymous put up an incredibly big offensive. They gathered over 4000 anons, sympathisers, … to DDoS the servers of these companies. This resulted in the sites not being accessible for anywhere from a couple of hours to 1-2 days. I see this as a cyber sit-in. When you protest on the streets you can deny access to a building by sitting with a whole group of people in front of the entrance. DDoS does exactly the same, only over the internet. The servers are flooded with requests until they shut down and need to be reset. No information is leaked in the process, nor is any damage other than economic damage done.

Whether you find it ethically justified to use cyber force to fight for a cause is a personal question. Share your thoughts in the comments below, and keep it friendly and clean 🙂

An idea is bulletproof.

Greetz, H4

How to be Anonymous on the web

Some people ask how to be truly anonymous on the web, or how to protect their privacy on the internet. Many do not realise how much information websites or attackers can collect without them even being aware of it. This post tries to make clear what actions you can take to protect your privacy on the web.

Everything you read here is for security and educational purposes only. If you use this information for any illegal actions, that is your own responsibility.

I will cover some techniques to protect your privacy on the web. However, keep in mind that you will never be 100% anonymous; it only depends on how much time and money someone is willing to spend on finding you.

What information can they gather about me?

Well, the answer is simple: almost everything they want. Your IP address, approximate location, internet service provider (ISP), the browser you are using, ... If you want to check what a web server can tell about you, simply use this website: http://www.whatsmyip.org/more-info-about-you/

If you scroll down to the middle of the page you will see that they can also determine which plugins you have installed on your machine. This in particular is useful to attackers, who can exploit bugs in those plugins.

How to hide this information?

Well, switching the plugins off is the only real way to protect against bugs in them. To stay anonymous on the web you will also have to hide your IP address, and the only way to do that is to reach a given web server through other machines.

Proxies

A proxy server can be seen as a box with many incoming connections from different IP addresses and one outgoing IP address. If you browse to a web server through a proxy, your request is first sent to the proxy; the proxy fetches the page from the web server and relays it back to your machine. The result? The web server only sees the IP address of the proxy you used. So if you live in Belgium you can use a proxy in France to browse to a web server in Italy. If the proxy keeps no logs of its connections it is very hard to determine who connected to it, so when you choose a proxy, pick one that keeps no logs. Keep in mind that the proxy operator sees all of your unencrypted traffic: a proxy hides you from the web server, not from the proxy itself. Some proxy servers can be found here: http://www.socks24.org/

Proxies can be chained to obscure the path between the server and your machine even further. For a tutorial, check Google; Firefox users may want to look at the FoxyProxy plugin. But sometimes even proxies are not enough.

The Tor Project

Onion routing, the technique behind Tor, was originally developed at the US Naval Research Laboratory to protect government and military communications; after the code was released as open source it grew into the Tor network that people now use to browse anonymously. The key principle is that your traffic passes through a chain of relays, each connected to the next over an encrypted connection, built up like the layers of an onion. The client encrypts the request once for every relay in the chain; each relay peels off one layer and learns only the previous hop and the next hop, never the whole path. The first relay sees your IP address but not the destination, the last (exit) relay sees the destination but not your IP address, and a relay in the middle sees neither. The following image shows how the network works:
Tor regularly builds a new circuit through a different random set of relays, which is its protection against traffic analysis.
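To make the "peeling layers" idea concrete, here is an added simulation (not code from the Tor Project, and not the Tor protocol itself) of a three-relay circuit. The client wraps the request in one layer per relay; every relay strips its own layer and sees only who handed it the cell and where to forward it. The names, keys and the toy XOR keystream are assumptions made so the example runs with the Python standard library; real Tor negotiates an AES key with every relay and uses fixed-size cells.

```python
import hashlib
import secrets

NONCE_LEN = 16
HOP_LEN = 16  # fixed-width next-hop field so every layer has the same layout


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream from SHA-256(key || nonce || counter) blocks.

    Only here so the example runs offline with the standard library; it is
    NOT a real cipher. Tor uses AES-CTR with a key negotiated per relay.
    """
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt_layer(key: bytes, plaintext: bytes) -> bytes:
    """Wrap one onion layer: fresh nonce + plaintext XOR keystream."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt_layer(key: bytes, ciphertext: bytes) -> bytes:
    """Peel one onion layer (XOR with the same keystream is its own inverse)."""
    nonce, body = ciphertext[:NONCE_LEN], ciphertext[NONCE_LEN:]
    ks = keystream(key, nonce, len(body))
    return bytes(c ^ k for c, k in zip(body, ks))


def pack_hop(name: str) -> bytes:
    return name.encode().ljust(HOP_LEN, b"\0")


def unpack_hop(field: bytes) -> str:
    return field.rstrip(b"\0").decode()


def build_onion(path, keys, destination: str, message: bytes) -> bytes:
    """Client side: encrypt the innermost (exit) layer first, the guard layer last.

    Each layer carries only the next hop's name plus the still-encrypted rest,
    so a relay that peels its layer learns nothing beyond its two neighbours.
    """
    next_hops = path[1:] + [destination]
    cell = message
    for relay, next_hop in zip(reversed(path), reversed(next_hops)):
        cell = encrypt_layer(keys[relay], pack_hop(next_hop) + cell)
    return cell


def relay_process(key: bytes, cell: bytes):
    """Relay side: peel one layer, return (next hop, cell to forward)."""
    plain = decrypt_layer(key, cell)
    return unpack_hop(plain[:HOP_LEN]), plain[HOP_LEN:]


def route(path, keys, destination: str, message: bytes):
    """Push a cell through the chain and record what every relay could observe."""
    cell = build_onion(path, keys, destination, message)
    observed = {}
    previous = "client"
    for relay in path:
        next_hop, cell = relay_process(keys[relay], cell)
        observed[relay] = {"from": previous, "to": next_hop}
        previous = relay
    return observed, cell  # cell is now the plaintext the destination receives


def demo():
    # Constructed sample circuit; in Tor each key is agreed with the client
    # through a handshake, here they are simply derived from the relay name.
    path = ["guard", "middle", "exit"]
    keys = {name: hashlib.sha256(name.encode()).digest() for name in path}
    return route(path, keys, "example.org", b"GET / HTTP/1.1")


if __name__ == "__main__":
    observed, delivered = demo()
    for relay, view in observed.items():
        print(f"{relay:6s} sees: from={view['from']:7s} to={view['to']}")
    print("destination receives:", delivered)
```

Running it shows the guard seeing "client" and "middle", the middle relay seeing only "guard" and "exit", and the exit seeing "middle" and "example.org" plus the plaintext request. That last point is the caveat to remember: whatever is not additionally protected by HTTPS is readable by the exit relay.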

However, some say the Tor network is being infiltrated by governments that run exit nodes and record what passes through them. Keep in mind that an exit node can read any traffic that is not itself encrypted with HTTPS. It is also recommended to disable the Java plugin when using Tor. A web page can ask permission to run a Java applet, and that is a perfect way to obtain the real IP address of a machine. How, you may ask? In short, Java applets run inside a Java Virtual Machine. Tor protects your IP address when you browse with Firefox (with the Tor plugin), but it cannot route traffic that the JVM sends directly, bypassing the browser's proxy settings. Interested in starting with Tor or learning more about it: https://www.torproject.org

Be warned: the Tor network is not for the faint-hearted. Tor is also used by criminals to share child pornography, run black markets, host racism forums, etc. Use it wisely. But can we be even more anonymous?

Virtual Private Networks (VPNs)

A virtual private network (VPN) is a network that uses primarily public telecommunication infrastructure, such as the Internet, to provide remote offices or traveling users access to a central organizational network.
VPNs typically require remote users of the network to be authenticated, and often secure data with encryption technologies to prevent disclosure of private information to unauthorized parties.

The Wikipedia quote above pretty much sums it up. The ideal situation is to use a VPN in addition to Tor. The best VPN services are usually paid. I prefer GhostVPN: http://cyberghostvpn.com/ and here is a list of some other good VPNs:

  • http://www.swissvpn.net
  • http://perfect-privacy.com
  • https://www.ipredator.se
  • http://www.anonine.se
SSL and HTTPS

A last tip: use the HTTPS Everywhere plugin for Firefox. It makes your browser connect to every web server that supports it over an encrypted connection using the SSL/TLS protocol. Put very simply: it scrambles the text you send over the network so that only the receiving machine can turn it back into readable text. For example, use Facebook over https://facebook.com and notice the 'https' prefix. This protects you against eavesdroppers on a local network, in a student house for example, and it also keeps a proxy or Tor exit node from reading the content of your traffic.

Conclusion

This is just a basic summary of internet privacy, but it already shows that a private internet connection takes quite a bit of knowledge. Use this information to protect and secure your own privacy. Be anonymous, and enjoy. Any questions or remarks: comment below.

Hash Functions

A cryptographic hash function turns a text or data file of any length into a fixed-size hash value (digest); signing that digest with, for example, RSA yields a digital signature of the file. A hash is not really a form of encryption, because it is essentially a one-way ticket: a hash cannot be decrypted back into the original file. So why and how would you use it?

Mostly you compare hashes: the SHA-1 hash function, for example, produces a 160-bit (20-byte) message digest of a file regardless of the file's size, and any change to the file gives a different digest.

Possible scenarios:

Password validation: instead of the password itself you store its hash in the database. When a user logs in you hash the entered password the same way and compare the two. A bare hash is not enough in practice: use a random salt per user and a deliberately slow hash such as PBKDF2 or bcrypt, otherwise stolen hashes can be cracked quickly with precomputed tables or brute force.

Challenge-response authentication: there is a real danger that a password is intercepted during communication between a client and a server. Rather than sending the password, the server sends a random challenge and the client returns a hash of the challenge combined with the password (or a key derived from it); the server performs the same computation and compares the results. Because the challenge is different every time, an intercepted response is useless for a replay. Note that simply sending a plain hash of the password would not help here: an attacker who captures that hash can replay it as-is.

Digital signature of a file: often you want to verify that you have the original file. The developer then publishes, next to the download link, the signature his program should have: a hash of the file encrypted with his RSA private key. To check whether your copy was modified, you hash your copy, decrypt the published signature with the developer's public key, and compare the two hashes. (*)

(*) SHA-1 and MD5 are no longer considered secure enough. The usual replacement is the SHA-2 family (SHA-256 and up); RIPEMD-160 and RIPEMD-320 are sometimes used as alternatives.
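The three scenarios above, as an added example that is not part of the original post: salted, slow password hashing; challenge-response with a fresh nonce per attempt (so that a captured response does not replay); and checking a download against a published digest. It uses only the Python standard library with SHA-256, so the RSA step of the signature scenario is left out: the sample passwords, secret and release bytes are constructed for the example, and verifying a bare digest only helps if the digest came from a channel the attacker cannot tamper with, which is exactly what the signature adds.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional

PBKDF2_ITERATIONS = 200_000  # deliberately slow; tune to ~100 ms on your server


# --- Password validation: store salt + cost + digest, never a bare hash ---

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$iterations$salt$digest' for storage in the database."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


# --- Challenge-response: neither the password nor its hash crosses the wire ---

def server_challenge() -> bytes:
    """Fresh random nonce per login attempt, so a captured response cannot be replayed."""
    return secrets.token_bytes(32)


def client_response(shared_secret: bytes, challenge: bytes) -> bytes:
    """Client proves knowledge of the secret by keying an HMAC over the challenge."""
    return hmac.new(shared_secret, challenge, "sha256").digest()


def server_verify(shared_secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Server repeats the computation for the challenge it issued and compares."""
    return hmac.compare_digest(client_response(shared_secret, challenge), response)


# --- File integrity: compare the digest of your copy with the published one ---

def file_digest(data: bytes, algorithm: str = "sha256") -> str:
    h = hashlib.new(algorithm)
    h.update(data)
    return h.hexdigest()


def verify_download(data: bytes, published_hex: str, algorithm: str = "sha256") -> bool:
    return hmac.compare_digest(file_digest(data, algorithm), published_hex)


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")      # constructed sample
    print("login ok:", verify_password("correct horse battery staple", stored))
    print("login wrong:", verify_password("Tr0ub4dor&3", stored))

    secret = b"shared-secret-derived-from-the-password"         # constructed sample
    c1, c2 = server_challenge(), server_challenge()
    r1 = client_response(secret, c1)
    print("fresh response accepted:", server_verify(secret, c1, r1))
    print("replayed response rejected:", not server_verify(secret, c2, r1))

    release = b"constructed sample release bytes"
    published = file_digest(release)
    print("download intact:", verify_download(release, published))
    print("tampered copy detected:", not verify_download(release + b"!", published))
```

Note that every comparison goes through hmac.compare_digest rather than ==, so that the time a rejection takes does not leak how many leading bytes of the digest were right.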

Some examples where SHA-1 is still used:

– SSL (Secure Sockets Layer, think of e-mail security for example)

– PGP (Pretty Good Privacy)

– XML signatures

– Microsoft Xbox games are SHA-1 signed.

There was also SHA-0, but serious security flaws were found in the algorithm, so it never really became popular. In response to those flaws the SHA-1 hash function was developed; in other words, SHA-1 is an improved SHA-0.

Do you see a mistake or have a question? Comment below.

*EDITED on 6/02/2011