Do-it-yourself Internet anonymity

A step-by-step tutorial


Along with the recent government hysteria over terrorists, we've seen legislative measures and 'emergency powers' inviting law-enforcement agencies worldwide to conduct Internet surveillance on an unprecedented scale. But because the state-of-the-art of electronic dragnets makes it difficult if not impossible to exclude the comings and goings of innocent citizens, we thought this a good time to run down the basic techniques for ordinary, law-abiding folk to come and go anonymously on the Net, and keep their private business private.

How do you make a truly anonymous post to a newsgroup or a BBS? How do you keep the Web sites you visit a secret? How do you send e-mail and ensure that its contents can't be read by someone who intercepts it? How do you chat anonymously?

We'll invoke our foil, Windows addict Harry Homeowner, and lay it out in terms the average user can profit from, though with hopes that even you power users might learn a thing or two in the process.

Proxies

These are your first line of defense, so let's start with them. Proxies provide a useful layer of mediation between your machine and the Internet. There are several types, but Web proxies and Socks proxies are the two most relevant to our purposes.

Grossly oversimplified, a proxy is a remote machine which you connect through to the Net, which forwards your IP traffic, and which you then appear to be originating from. When you contact a Web site via an anonymous proxy, it's the proxy's IP which shows in their logs.

You can use either Web or Socks proxies with your browser, and Socks proxies with other Net clients to obscure your IP from prying eyes. But you do have to choose them with care.

Socks proxies are the best, general-purpose proxies. This is so because Socks are non-caching, which means, for example, that there won't be a record of the Web pages you fetched while connecting through one, except on your own machine -- and this you can fix rather easily (more on that in 'Browser Settings'). It also means they're slow, but if you want anonymity, you shouldn't quibble.

But older versions of Internet Explorer and Netscape don't support Socks. What to do? You can upgrade, but I prefer an older browser with fewer 'features', which I equate with fewer security leaks (though these should be patched regularly, of course). Rather than upgrade, you can download an application called SocksCap, and use it to 'socksify' any IP client you use. It will work with browsers, e-mail clients, telnet, SSH, chat clients, even your l4me e-mail bomber. Test it; socksify your e-mail client and send a message from one of your accounts to another. Check the header. Is the originating IP your proxy? If so, your e-mail now appears to originate from the proxy's IP. This can be extremely useful, as we'll see below.

Useful but not foolproof. Of course the proxy machine's admin can easily learn that you connected to it after perusing his logs, so a proxy doesn't actually conceal you; it just adds a layer between you and whatever you're contacting on the Net. This layer can be thick or thin, depending on where the proxy machine is physically located. If your proxy is located in a country unlikely to cooperate with requests for their logs from foreign officials, or a country where your mother tongue is rarely spoken, it can be, in practical terms if not theoretical terms, quite an effective layer of protection.

It's easy to determine a proxy's country of origin with the $20.00 Patrick Project DNS utility, which will resolve IPs to addresses and vice versa, and a good deal more to boot. You cheapskates out there can go to SamSpade.org and do it all for free.

Now you know how to determine your proxy's location. The more exotic the better: Korea is better than Japan; Thailand is better than Korea; Indonesia is better than Thailand; Papua New Guinea is pure gold. Kenya is better than Morocco; Ghana is better than Kenya; Guinea is better than Ghana; Burkina Faso is pure gold. You get the picture.

Now you need to test the proxy for anonymity. Some of them can leak appalling amounts of information, like your true IP, for example. There are several environmental variables checkers on line which will tell you just what information your proxy is leaking to the world, and a nice links page to a heap of them is located at Proxys4all.com.

And what do env checkers tell you? The chief variables you need to know about are:

REMOTE_ADDR: Your apparent IP, which should be the proxy. If not, use another proxy.
REMOTE_HOST: Your apparent address, which should resolve to the proxy IP, or better yet not be resolvable at all. If it resolves to you, use another proxy.
HTTP_X_FORWARDED_FOR: Sometimes your true IP is revealed -- get another proxy.
HTTP_USER_AGENT: Your browser type -- unimportant.
FORWARDED: Reveals the fact that you're using a proxy; not fatal, but better if blank.
VIA: Reveals the fact that you're using a proxy; not fatal, but better if blank.
CLIENT_IP: Sometimes your IP is revealed -- use another proxy.
HTTP_FROM: Sometimes your IP is revealed -- use another proxy.
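As an added illustration of this checklist (example code, not from the article or any of the checker sites it mentions), here is a small checker in Python. It takes the variables as a checker page would see them, plus the client's true IP and intended proxy IP (all constructed sample values), and reports which variables leak the true address and which merely announce that a proxy is in use. REMOTE_HOST is not resolved, so the example runs offline; it is flagged only when it literally contains the true IP.

```python
from dataclasses import dataclass, field

# CGI-style variable names as the article lists them. These may carry the
# client's real address...
IP_LEAK_VARS = ("HTTP_X_FORWARDED_FOR", "CLIENT_IP", "HTTP_FROM", "REMOTE_HOST")
# ...while these only announce that a proxy sits in the path.
PROXY_HINT_VARS = ("FORWARDED", "VIA")


@dataclass
class ProxyCheck:
    verdict: str                                 # "leaking", "announcing" or "clean"
    leaks: list = field(default_factory=list)    # variables exposing the true IP
    hints: list = field(default_factory=list)    # variables revealing proxy use


def check_proxy(env: dict, true_ip: str, proxy_ip: str) -> ProxyCheck:
    """Apply the article's checklist to the variables a checker page sees.

    env      -- variable name -> value, as reported by the checker page
    true_ip  -- the address the client really connects from
    proxy_ip -- the proxy the client wants to appear as
    """
    leaks, hints = [], []
    # REMOTE_ADDR must be the proxy itself; anything else means no cover at all.
    if env.get("REMOTE_ADDR", "") != proxy_ip:
        leaks.append("REMOTE_ADDR")
    # X-Forwarded-For can hold a comma-separated chain of addresses, so every
    # element is compared. REMOTE_HOST is not resolved here (offline example);
    # it is flagged only when it literally contains the true IP.
    for var in IP_LEAK_VARS:
        parts = [p.strip() for p in env.get(var, "").split(",")]
        if true_ip in parts:
            leaks.append(var)
    for var in PROXY_HINT_VARS:
        if env.get(var, "").strip():
            hints.append(var)
    verdict = "leaking" if leaks else ("announcing" if hints else "clean")
    return ProxyCheck(verdict, leaks, hints)


# Constructed sample responses (RFC 5737 documentation addresses).
TRUE_IP, PROXY_IP = "198.51.100.23", "203.0.113.7"
SAMPLE_TRANSPARENT = {           # proxy forwards the real address: reject it
    "REMOTE_ADDR": PROXY_IP,
    "HTTP_X_FORWARDED_FOR": TRUE_IP,
    "VIA": "1.1 proxy.example.net",
    "HTTP_USER_AGENT": "Mozilla/4.0 (compatible; MSIE 5.0)",
}
SAMPLE_ANNOUNCING = {"REMOTE_ADDR": PROXY_IP, "VIA": "1.1 proxy.example.net"}
SAMPLE_CLEAN = {"REMOTE_ADDR": PROXY_IP, "HTTP_USER_AGENT": "Mozilla/4.0"}

if __name__ == "__main__":
    for name, env in (("transparent", SAMPLE_TRANSPARENT),
                      ("announcing", SAMPLE_ANNOUNCING), ("clean", SAMPLE_CLEAN)):
        print(f"{name}: {check_proxy(env, TRUE_IP, PROXY_IP)}")
```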

You can use a free application called ProxyHunter to scan ranges of IPs and find your own proxies. These you can evaluate, determining location and anonymity according to the guidelines above.

A scan such as this is non-invasive and non-destructive, but it's still possible one may get a nastygram from one's ISP for performing them.

Socks proxies are located on port 1080, so you'll want to use that in most searches with ProxyHunter. HTTP proxies on ports 80, 3128 and 8080 are useful, and can be loaded directly into your browser, but they're not quite as secure.

You can load a good Socks in your chat clients like IRC and ICQ; and with SocksCap you can run your telnet and e-mail clients and browser through one as well.

For even more anonymous surfing, you can give yourself an added measure of security by connecting to a Web proxy like Anonymizer through a Socks (or even a decent HTTP proxy). Feel free to e-mail me if you can't figure all this stuff out -- but please, I beg you, give it a fair go on your own first. I'm a humble news reporter, not a help desk.

When you find a Socks proxy with ProxyHunter, or by perusing the many public Web sites where they're listed, and you get satisfactory results from the env check, and your proxy is located on some God-forsaken corner of the Earth, then you've acquired a decent layer of protection. Congratulations. But that's far from the whole shebang.

Anonymous dialups

Whenever you dial in to an Internet connection, your ISP can determine your phone number with caller ID. This information is recorded, and can be turned over to nosy Feds on request with an administrative subpoena, which doesn't require a judge's approval.

If you've got a regular ISP account billed to a credit card, your ISP knows perfectly well who and where you are, so concealing your phone number from them is hardly an obstacle to associating you with your Net activity. In much of Europe, the telco is the ISP, so the possibility of making anonymous dial-ups is remote. In that case, all I can suggest is trying to find a data-capable pay-as-you-go mobile phone, and of course paying cash for it. If you're asked your name, lie. If you're asked for ID, leave.

However, there are free ISPs like NetZero on which you can register with totally fictitious personal information, and to which you can connect with caller ID disabled. This isn't a solution in itself, but combined with the judicious use of good proxies, it can add a second layer of anonymity to your comings and goings. It can make you a bit more difficult to identify.

These ISPs don't allow you much free surfing time -- usually something like ten hours a month; and they feed adverts to you and they're slow (made slower still by proxy use); but they can be a superb means of connecting when you need to be even more anonymous than usual, such as when you make a controversial post to a newsgroup or BBS, or send a sensitive e-mail.

Get your ducks in a row: first, go to an Internet cafe or a library. If they require identification, go elsewhere. When you find a public place where you can surf anonymously, set up an account with NetZero using fictitious personal information. Even better, go through a Web proxy while you're at it.

Record your login, password, and a dialup number convenient for your home location. Now go home, and disable caller ID (contact your phone company for instructions), and dial in to your new fictitious account. And always dial in with caller ID disabled.

Finally, use an anonymous Socks proxy with your e-mail client for newsgroups, and a Socks along with a Web proxy for BBS posts. Theoretically, you can still be traced because the phone company knows what you're up to; but unless you're under active surveillance by the Feds, you can safely gamble that no one from NetZero is ever going to peg you.

You're getting very close to effective anonymity, and you still haven't gone beyond what our friend Harry Homeowner can handle.

There are other things you can do with this caller-ID-off+Netzero+Socks+Web-proxy setup. You can, for example, open a Web-based e-mail account with fictitious personal information and send and receive anonymously, so long as you set up your NetZero account properly, and always connect to it with caller ID disabled, always use a Socks with your browser, and/or always use a Web proxy.

You've got ten hours a month. Spend them wisely, and you can surf almost anywhere or post almost anything on line with no repercussions.

But what if your e-mail is intercepted by something hideous like the FBI's packet sniffer Carnivore? Unless you stupidly identify yourself in your mail, you're almost certain not to be identified -- but you still may not want the contents read by anyone but the intended recipient. You don't have to be a criminal to desire privacy, much as the Feds like to pretend otherwise.

Crypto

Now this is funny. If you use a nice, free crypto program like PGP, you can easily encrypt your e-mail. Just follow the instructions -- there's really nothing to it.

The problem here is that the Feds, if they happen to be watching, can gather that you sent an encrypted message to Recipient X, a fact which you may not wish them to know.

If you follow the scheme above, you can send a message anonymously via a Web-based account. But unless I'm missing something, you can't use PGP to encrypt Web-based e-mail messages.

So how do you have your cake and eat it too? It's quite simple: you create an encrypted text file and attach it to your Web-based anonymous e-mail, or copy it into the message body.

Now all the Feds can determine is that Recipient X got an e-mail message with an encrypted body or an attachment from Monica_Lewinski666@hotmail.com or whatever.

Easy peasy, even for our Harry.

Browser settings

Proxy or not, your browser can leak ghastly amounts of information about you. Fortunately, tightening it up is easy when you know what to do.

Since our Harry almost certainly uses MS Internet Explorer, we'll deal with that, though Netscape users should find this information easy to apply to their own setups.

Get into Tools/Internet Options. Set 'days to keep pages in history' to zero. Go to Tools/Internet Options/Security. Go to 'Custom Level' and disable 'Download unsigned ActiveX Controls' and 'Initialize and script ActiveX Controls not marked safe for scripting'; set 'Java permissions' to 'High Safety'; disable 'Meta Refresh'; disable 'Launching programs and files in an IFRAME'; set 'Software Channel permissions' to 'High Safety', disable 'Userdata persistence'; disable 'Active scripting', 'Allow paste operations via script', and 'scripting of Java applets'.

Accept session cookies but not stored cookies. Never use in-line auto-complete, and never allow Windows to save any of your passwords.

Now go to Tools/Internet Options/Advanced and clear 'Enable Profile Assistant', select 'Do not save encrypted pages to disk', clear 'Enable page hit counting', and select 'Empty Temporary Internet Files folder when browser is closed'.

That should about do it.

While you're about it, pop over to Control Panel/Network and ensure that File and Printer sharing are disabled.

Spyware

While you're on the job, never do anything with your company's computer that you wouldn't want your Grandmother to know about. Spyware is ubiquitous in the work place. Don't even mess with a company-issued laptop, which may well contain 'remote administration' features which will enable a company admin to connect to it. If you want to be anonymous, use your own equipment. If you're using anyone else's hardware, assume that anonymity is impossible.

You can get a fab program for detecting Trojans called The Cleaner for $30.00 from Moosoft. A number of Trojans fail to be detected by the fine products of the popular anti-virus companies, in spite of their powerful suggestions to the contrary. Moosoft picks up most of them.

Most software firewalls are notoriously bad at stopping, or even notifying you, when a malicious program sends data out from your machine. An application like The Cleaner can go a long way towards assuring you that no such contaminant exists on your box.

PC Hygiene

There's a crucial difference between deleting a file and wiping it. A deletion leaves a file's entire contents on your disk, until the space it occupied happens to be overwritten by a subsequent file. In the mean time, the data can be recovered with forensic techniques. A proper wipe, on the other hand, overwrites that space immediately so the file's contents can't be recovered. Utilities capable of this include BCWipe, Norton Wipeinfo, Evidence Eraser, and PGP.
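To show what the difference between deletion and a wipe means in practice, here is an added Python example, not code from the article or from any of the utilities it names: it overwrites a file in place (random passes, then a zero pass, fsync after each) before unlinking it, and a demo checks that the bytes really are gone. One caveat the page predates: on journaling or copy-on-write filesystems and on SSDs the overwrite may land in new blocks, so a per-file wipe is weaker there than the whole-disk approach the author describes.

```python
import os
import secrets
import tempfile

CHUNK = 64 * 1024


def wipe_file(path: str, passes: int = 3, unlink: bool = True) -> int:
    """Overwrite `path` in place: `passes` rounds of random data, then one
    round of zeros, each fsync'd to the device, then unlink it.

    Returns the file size in bytes (bytes overwritten per round).
    unlink=False leaves the zero-filled file behind for inspection.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for round_no in range(passes + 1):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                # Random bytes on the first `passes` rounds, zeros on the last.
                fh.write(secrets.token_bytes(n) if round_no < passes else b"\x00" * n)
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())  # force this round to disk before the next
    if unlink:
        os.remove(path)
    return size


def make_sample(content: bytes) -> str:
    """Write constructed sample content to a temp file and return its path."""
    fd, path = tempfile.mkstemp(prefix="wipe-demo-")
    with os.fdopen(fd, "wb") as fh:
        fh.write(content)
    return path


def is_zeroed(path: str) -> bool:
    """True if every byte of the file is zero (what the final round leaves)."""
    with open(path, "rb") as fh:
        data = fh.read()
    return data == b"\x00" * len(data)


def demo() -> bool:
    """Wipe a constructed file and confirm it was zeroed and then removed."""
    path = make_sample(b"sensitive draft (constructed sample)\n" * 100)
    wipe_file(path, unlink=False)
    zeroed = is_zeroed(path)
    wipe_file(path)                 # second call: zero again and unlink
    return zeroed and not os.path.exists(path)


if __name__ == "__main__":
    print("wipe ok" if demo() else "wipe failed")
```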

The only certain way to keep your machine free of incriminating files and alien malware is to wipe your HDD periodically and clean-install your OS from original media while preserving those files and progies you can't do without. If you're serious about anonymity and file preservation, then you'll cough up the $200.00 or so needed to maintain two HDDs, because nothing beats a spare, non-removable magnetic storage device; and nothing beats a true file wipe, which is the only insurance against forensic probing.

This is how I do it -- and I do it frequently: I have two HDDs in my Windows box. When I get ready to wipe my primary, I've already done an fdisk and format /u and a thorough 'government wipe' on the secondary using Norton Wipeinfo. I simply copy all the files and progies I wish to preserve onto that thoroughly-wiped secondary disk. I then switch the primary and secondary, and install Windows from original media onto the wiped disk, from which I'll boot. I install Norton Utilities, naturally.

I then fdisk and format /u the former primary and do a thorough 'government wipe' using Norton Wipeinfo. Thus it's ready, and spotless, whenever I need it. I tend to do this every two or three months, depending on what I've been up to.

As soon as I get a sense that my current primary contains material I'd rather not preserve for posterity, I repeat the process. With two HDDs, it all takes about forty-five minutes. With this method you wipe not only your files, but your registry and swap file too. Forensics, as it's normally practiced, becomes futile.

If this seems too extreme, a utility called the Evidence Eliminator Eliminator (E3) by Radsoft (not to be confused with Robin Hood Software's lame 'Evidence Eliminator') will wipe a good many of your messes and excesses for a cool $80.00. It's considerably cheaper than a spare HDD, and pretty thorough. It doesn't merely delete files, it wipes them properly. To add to its effectiveness, you can use a proper file wipe utility like BCWipe or Norton Wipeinfo to eliminate your swap file, where a good deal of what you've been up to is stored. The file is in your C:\ directory and is named Win386.swp.

One final item: whenever you clean-install your OS and apps, always use an alias for yourself and your machine. MS Word, for example, includes user info in your documents. So make sure this info is not specific to you. And never send any MS Office document to any destination when you're concerned about privacy. Just copy the contents into a text editor like Notepad and send the .txt file, or copy and paste it into the body of an e-mail.

Follow these basic guidelines, and you'll be quite safe, though not perfectly safe. It's a bit like copulation -- there are quite effective birth control methods, but the only way to be absolutely certain you won't ever get pregnant is not to do the deed.

But that's no fun. And neither is never using a computer. So practice safe computing and stop fretting. As with the pill, the odds are immensely in your favor. So smile, relax, and enjoy. ®

Personal note
In an 18 October article entitled SafeWeb ain't all that I'd promised to post this follow-up in a week's time. Unfortunately a family emergency intervened, and subsequent news demanded my attention. My apologies to those who've been waiting. -- tcg
