Security IT/Print version
This is the print version of Security IT You won't see this message or any elements not part of the book's content when you print or preview this page. |
The current, editable version of this book is available in Wikibooks, the open-content textbooks collection, at
https://en.wikibooks.org/wiki/Security_IT
Authenticity
aded, even totally free software can end wrong if you download them with the suspects sources. Let us remember that the basic principle is always download applications from the manufacturer, do not use aggregators such eg. Softonic.
the sites have the possibility of annoying - not enough that no download of such sites proper software just web-installer depending on which site they call it "download assistant" which only the start process for downloading applications in a similar way as file managers it another annoying thing is pressing us on the strength of additional software which we had intended to do to download as suspicious unknown applications" cleansing "of the computer or toolbars, change homesite in web browser and more useless things.
checksums
editchecksums make it possible to verify that the data contained in the file have not been changed during the transfer of information from one medium to another. It is produced by the summation or perform other mathematical operations on data transferred, transmitted together with the data and used to validate the data being processed.
In Windows checksum can check app eg. md5sum.exe
In Linux can check checksum for app hash:
md5sum FILE shasum FILE sha256sum -b FILE cksum FILE
GPG - import:
gpg --keyserver keyserver.domain.com --recv-key "4655 4C4C 204B 4559 0A" gpg --verify sha256sum.txt.gpg sha256sum.txt
Methods
Current methods
editThe system blocks content by preventing IP addresses from being routed through. It consists of standard firewalls and proxy servers at the Internet gateways. The system also selectively engages in DNS poisoning when particular sites are requested. The government does not appear to be systematically examining Internet content, as this seems to be technically impractical.
Effectiveness of Internet censorship measures is never complete, as there are multiple ways of circumventing them (depending on the given measure).
Over-blocking occurs when a legal content that should not be blocked is accidentally blocked by a given censorship measure. Depending on the particular scheme chosen this might be a problem pronounced more or less, but it is always present and inevitable. It does not relate to situations where the block list intentionally contains certain content that should not officially be blocked.
Similarly, under-blocking is content that officially should be blocked, but accidentally isn't. It is not content accessible by circumvention, but simply content that is accessible without using any special techniques that "slipped through the fingers" of the particular censorship scheme.
Both the resources required (equipment, processing power, bandwidth) and the cost of handling the list of blocked content also vary between censorship schemes and depend on method used.
Whether or not a method employs deep packet inspection (DPI) is indicative of both how intrusive and how resource-intensive it is
Method | risk of over-blocking | risk under-blocking | resources required | A service charge list | Bypass | DPI |
---|---|---|---|---|---|---|
IP blocking | High | Medium | Low | Medium | Very easy | No |
DNS spoofing/DNS cache poisoning | High | Medium | Low | Medium | Very easy | No |
URL filtering | Low | High | Medium | High | medium demanding | Yes |
QoS filtering | Medium | Medium | High | High | hard | Yes |
Man-in-the-middle attack | High | High | Medium | Very high | required encrypted connection | Yes |
TCP connection reset | High | Medium | Medium | Medium | required encrypted connection | Yes |
Network disconnection | Very high | Very high | Medium | None | Satelite connection required. See also alternative for internet: packet radio and meshnet | No |
VPN blocking | high | medium | Low | medium | most servers is available to pay only | Yes |
Network enumeration | low | low | Very high | high | hard | Yes |
Keywords | high | high | Very high | Low | medium demanding | Yes |
Hash | low | high | Very high | High | medium demanding | Yes |
Dynamics (eg. image recognition) | high | high | Very high | low | medium demanding | Yes |
Hybrid (eg. based on IP adress + hash) | low | high | medium | High | medium demanding | Yes |
IP blocking
editThe access to a certain IP address is denied. If the target Web site is hosted in a shared hosting server, all Web sites on the same server will be blocked. This affects all IP protocols (mostly TCP) such as HTTP, FTP or POP. A typical circumvention method is to find proxies that have access to the target Web sites, but proxies may be jammed or blocked. Some large Web sites allocated additional IP addresses (for instance, an IPv6 address) to circumvent the block, but later the block may be extended to cover the new addresses.
DNS spoofing/DNS cache poisoning
editThe DNS doesn't resolve domain names or returns incorrect IP addresses.This affects all IP protocols such as HTTP, FTP or POP. A typical circumvention method is to find a domain name server that resolves domain names correctly, but domain name servers are subject to blockage as well, especially IP blocking. Another workaround is to bypass DNS if the IP address is obtainable from other sources and is not blocked. Examples are modifying the Hosts file or typing the IP address instead of the domain name in a Web browser.
- Easiest way it change DNS provider, best with DNSSEC. However, it should be remembered that simply using secure DNS servers, without the use of cryptography at the application level, still allows you to perform an attack of poisoning
- Use random ports
URL filtering
editScan the requested URL string for target keywords regardless of the domain name specified in the URL. This affects the Hypertext Transfer Protocol. Typical circumvention methods are to use escaped characters in the URL, or to use encrypted protocols such as VPN and SSL
MiTM
editGFW can use a root certificate from CNNIC, which is found in most operating systems and browsers, to make a MITM attack. On 26 Jan 2013, the GitHub SSL certificate was replaced with a self-signed certificate in China by, generally believed, the GFW.
TCP reset attack
editIf a previous TCP connection is blocked by the filter, future connection attempts from both sides will also be blocked for up to 30 minutes. Depending on the location of the block, other users or Web sites may be also blocked if the communications are routed to the location of the block. A circumvention method is to ignore the reset packet sent by the firewall
Network disconnection
editA technically simpler method of Internet censorship is to completely cut off all routers, either by software or by hardware (turning off machines, pulling out cables). This appears to have been the case on 27/28 January 2011 during the 2011 Egyptian protests, in what has been widely described as an "unprecedented" internet block. About 3500 Border Gateway Protocol (BGP) routes to Egyptian networks were shut down from about 22:10 to 22:35 UTC 27 January This full block was implemented without cutting off major intercontinental fibre-optic links, with Renesys stating on 27 January, "Critical European-Asian fiber-optic routes through Egypt appear to be unaffected for now. Full blocks also occurred in Myanmar/Burma in 2007, Libya in 2011 and Syria during the Syrian civil war. A circumvention method could be to use a satellite ISP to access Internet
VPN blocking
editBeginning in 2011, users reported disruptions of VPN services In late 2012, the Great Firewall was able to "learn, discover and block" the encrypted communications methods used by a number of different VPN systems. China Unicom, one of the biggest telecoms providers in the country was terminating connections where a VPN is detected, according to one company with a number of users in China.
Network enumerating
editIt has been reported that unknown entities within China, likely with DPI capabilities, have initiated unsolicited TCP/IP connections to computers within the United States for the purported purpose of network enumeration of services, in particular TLS/SSL and Tor services, with the aim of facilitating IP blocking. A circumvention method is hard and knowledge about networks and operating systems is required. The probably easiest way to use fail2ban in the beginning.
Keywords
editThis method uses deep packet inspection to read the contents of data being transmitted, and compares it with a list of keywords, or with image samples or video (depending on the content type).
It has a very serious potential for over-blocking (consider blocking all references to "Essex" based on the keyword "sex"; consider blocking Wikipedia articles or biology texts related to human reproduction), and of under-blocking (website operators can simply avoid using known keywords, or use strange spelling, for instance: "s3x").
Combating under-blocking with extending keyword lists only exacerbates the over-blocking problem. Combating over-blocking with complicated keyword rule-sets (i.e. "sex, but only if there are white-space characters around it") only makes it easier to circumvent it for website operators (i.e. "sexuality" instead of "sexual").
List handling costs are low, but this method requires huge computing and bandwidth resources, as each and every data-stream on the network needs to be inspected, scanned and compared to keywords and samples. It is especially costly for images, videos and other non-text media.
This method is often combined with silent post - It consists of that post which stay on eg. social service is visible just for you, not for other.
Dynamics
editThis method uses deep packet inspection to read the contents of data being transmitted, and compares it with a list of keywords, or with image samples or video (depending on the content type).
It has a very serious potential for over-blocking (consider blocking all references to "Essex" based on the keyword "sex"; consider blocking Wikipedia articles or biology texts related to human reproduction), and of under-blocking (website operators can simply avoid using known keywords, or use strange spelling, for instance: "s3x").
Combating under-blocking with extending keyword lists only exacerbates the over-blocking problem. Combating over-blocking with complicated keyword rule-sets (i.e. "sex, but only if there are white-space characters around it") only makes it easier to circumvent it for website operators (i.e. "sexuality" instead of "sexual").
List handling costs are low, but this method requires huge computing and bandwidth resources, as each and every data-stream on the network needs to be inspected, scanned and compared to keywords and samples. It is especially costly for images, videos and other non-text media.
Users still can circumvent the block in several ways.
Hash
editHash-based blocking uses deep packet inspection to inspect the contents of data-streams, hashes them with cryptographic hash functions and compares to a known database of hashes to be blocked. It has a low potential for over-blocking (depending on the quality of hash functions used), but a very high potential for under-blocking, as a single small change to the content entails a change of the hash, and hence content not being blocked.
Resource needs here are very high, as not only all the data-streams need to be inspected in real-time, they also need to be hashed (hash functions are computationally costly) and the hashes compared against a database. Costs of handling the hash-lists are also considerable.
Hybrid
editIn order to compromise between high-resource, low-over-blocking hash-based blocking and low-resource, high-over-blocking IP- or DNS-based solutions, a hybrid solution might be proposed. Usually it means that there is a list of IP addresses or domain names for which the hash-based blocking is enabled, hence only operating for a small part of content. This method does employ deep packet inspection.
Required resources and list handling costs are still considerable, and under-blocking probability is high, while circumvention by users is not any harder than for hash-based block.
DPI
editAs Internet censorship requires deep packet inspection, once such a system is deployed, there are no technical issues stopping those in control to modify the communications in transit. That opens the door to even broader set of possibilities for a willing politician, including false flag operations, sowing dissent among the ranks of opposition, and similar actions.
- Easy way to bypass is use SSH tunnel
- The encapsulation of SSL control protocols by the record protocol means that if an active session is renegotiated the control protocols will be transmitted securely. If there was no previous session, the Null cipher suite is used, which means there will be no encryption and messages will have no integrity digests, until the session has been established.
Bypass
The Net interprets censorship as damage and routes around it. — John Gilmore
Level 1: without configuration
editCached Pages
editSome search engines keep cached pages, copies of previously indexed Web pages, and these pages are not always blocked. Cached pages may be identified with a small link labeled "cached" in a list of search results. Google allows the retrieval of cached pages by entering "cache:some-blocked-url" as a search request. Other method it use google translate - worked smilar to web-proxy.
Mirror and archive sites
editCopies of web sites or pages may be available at mirror or archive sites such as www.archive.org and the alternate sites may not be blocked.
Web to E-mail services
editWeb to e-mail services such as www.web2mail.com will return the contents of web pages with or without images as an e-mail message and such access may not be blocked.
RSS aggregators
editRSS aggregators such as Google Reader and Bloglines may be able to receive and pass on RSS feeds that are blocked when accessed directly.
URL filtering
editAlternative domain names may not be blocked. For example, the following domain names all refer to the same web site: http://wikimedia.org, http://www.wikimedia.org, http://web.archive.org/web/20120224022641/http://text.wikimedia.org:80/ , and http://web.archive.org/web/20120224030658/http://text.pmtpa.wikimedia.org:80/ .
Or alternative URLs may not be blocked. For example: www.blocked.com vs. www.blocked.com/, blocked.com, blocked.com/, www.blocked.com/index.htm, and www.blocked.com/index.html.
Entering an IP address rather than a domain name (http:// or a domain name rather than an IP address (http://wikimedia.org) will sometimes allow access to a blocked site.
Level 2: Configuration connect
editIP blocking
editProxy isn't encrypted! |
Similar to DNS, here it's just as easy. Must use some web proxy (usually doesen't work JS), proxy (which you need to set the browser) or 7 proxies (eg. proxychain) A reverse proxy is (usually) an Internet-facing proxy used as a front-end to control and protect access to a server on a private network, commonly also performing tasks such as load-balancing, authentication, decryption or caching. Websites could use reverse proxy to reroute traffic to avoid censorship.
We'll start with web proxy - are those pages which simply enter the address the page and the service assigns you the other external IP. often you need to try to find the right server and the IP address that is not banned, but allow login (cookies) and as normal surfing. They have one but wade - not always with their level of the page to load correctly (usually about Javacsript) so require such party. CAPTHA They don't display correctly.
To skip this, you become more yourself and try skonifigurować yourself proxy browser. The list of free proxy servers find here 'Firefox'
- We enter the Tools> Options (or Edit> Preferences on Linux)
- Select the tab Advanced> Network and select 'Settings ...' '
- Select the option 'Manual proxy configuration' '
- In the 'HTTP Proxy' 'Enter IP address (or host) and port eg. 3128
- Click Use this proxy server for all protocols
- Then click OK to confirm everything and ready.
- When you want to stop using a proxy simply select Settings No proxy
You can also use the plugin called AnonymoX, which automatic pulls and joins the list of available proxy fastest.
For the other programs should review their documentation.
DNS
editIs to very simple, just use other DNS provider eg. OpenNIC here you find configuration DNS for popular systems.
Level 3: Encrypted connect
editMan-in-the-middle attack
editelectronic signature
VPN blocked
editif your network administrator blocks the standard port (PPTP or L2TP), just switch to another port (like 80 or 53) of the your VPN client. if blocked afther IP Try other server - eg. VPNgate share over 3000 servers for free. if blocked connect VPN by DPI, can establishing an SSH/TLS tunnel, a user can forward all their traffic over an encrypted channel, so both outgoing requests for blocked sites and the response from those sites are hidden from the censors, for whom it appears as unreadable SSH traffic. Some VPN providers offer it called stealth VPN.
Network enumeration
editthat the system was the least vulnerable are:
1. Evently update system
sudo apt-get autoclean sudo apt-get autoremove sudo apt-get update sudo apt-get dist-upgrade
2. Evently change password
3. Activate firewall
4. Use antivirus
5. check system files for presence rootkits.
Keywords
editTry hybrid methods from DNS, proxy or VPN.
Level 4: Manipulation packets
editTCP reset attack
editIf you drop all the reset packets at both ends of the connection, which is relatively trivial to do, the Web page is transferred just fine.
Level 5: Steganography
editThe practice of embedding useful data in what looks like something irrelevant. The simplest method it includes text of a document can be broken into its constituent bytes, which are added to the pixels of an apparently innocent picture. The effect is barely visible on the picture, but the recipient can extract it with the right software. Effective for getting information out, but slow.
methods hide information on other covers in next book
References
edit
Bypass firewalls
Port fordwarding required! if you not sure how fix NAT issue, try it this |
Bypassing firewall is easy, just look for a host name.
Sometimes, the host name is a web page that you can access for free like (wikipedia.org/free.Facebook or a webpage when you don't have data your ISP send you to).
Download port scanner and put the host name, it will give you the IP address and the port number.
Put them in settings on APN and you will need xp psiphon apk and type the address and port numbers.
Or download openvpn and create an account online on tcpvpn.com then download the .ovpn file.
Or download psiphon pro .it will automatically connect and you can download for free and access web pages that restrict when you access them.
Linux
- Install server
apt-get install openssh-server
- open 22 port:
iptables -I INPUT -p tcp --dcport 22 -j ACCEPT
- Reset server
/etc/init.d/ssh restart
- Connect with our server:
ssh wikibooks@192.168.1.5
- change port make in file:
/etc/ssh/sshd_config
to use it for tunneling apps, enter IP address and port in proxy settings SOCKS.
Police
Two holy rules
edit- At home you do not keep anything illegal or even something that legal status is not clear.
- The whole computer you have encrypted cryptsetup or something comparable, you know the password to memory, has a minimum of 30 characters and consist of letters, numbers and special characters. You can use the hidden volume.
NAT
nat was created as a response to the shrinking pool of IP addresses. in short, we get one variable IP address from an ISP defined from a specific APN, goes through the router and directs to a specific computer in own WAN network with private addresses.
bypass NAT restrictions
editFull-cone NAT
editusually do not need to do here, sometimes must use port forwarding
(Address)-restricted-cone NAT
edit- Run uPnP/NAT-PMP/UPnP-IGD/PCP
- Set static private IP, optionally DDNS.
- if doesn't work, use port forwarding
- If doesn't work, use Port Triggering
- If doesn't work, use DMZ
Port-restricted cone NAT
edit- use UDP hole punching
- if doesn't work, try TCP hole punching
- optionally, try ICMP hole punching
- UDP multi-hole punching (mirror)
Symmetric NAT
edit- sequential hole punching
- Use Supernode
Cgnat
editInvestigation
- The only reliable solution that I've found so far has been to use IPsec VPNs initiated from behind the NAT.
- ZeroTier can traversable CGNAT. If you follow the recommendations) (It mainly boils down to opening the port in the firewall) it is the probability that value
"tcpFallbackActive": false
For all types NAT (probably)
edit- Install zerotier and set bridge mode. It possible bypass NAT and open port
External links
edit
LiveCD
Despite the various precautions, it is difficult to gain 100% confidence that the system will not leave unwanted traces of anonymous user activity. Another risk is gaps, errors and software that do not respect even the proxy settings. To remedy this, specialized operating systems for use with Tor arise - for example in the form of a live system, booted from a CD or USB stick, or disk image for use with a virtual machine. Below are a few of these types of products. First, I will give a definition of both terms:
- Virtual machine - controls all references of the launched program directly to the hardware or operating system and ensures their support. Thanks to this program running on the virtual machine "thoughts" that works on real hardware, while in fact works on virtual equipment, "faked" by the appropriate software (virtual machine).
- LiveCD - operating system (usually with bundled software) installed on a carrier with its own boot loader, allowing it to be run in RAM, without the need to install it on the computer's hard drive.
the virtual machine is that thanks to it we can predict what could happen on our real OS if, for example, we installed suspicious (in our shading) software or performed potential dangerous tasks (which would result in some damage). Unfortunately, before we use it, you should:
- Download the program (eg VirtualBox) and download the operating system we are interested in
- Configure the program so that it can open the system we downloaded and allocate some space for it on the hard disk
- Install the system on the machine (one-off operation, if after the installation we make a snapshot of a fresh "installation")
- Install the appropriate software (if you want to get into the .onion network) unless you have installed the distribution by default with such software (more on that later)
this way is good if you want to test an unknown operating system without compromising your current system and time to install two. It may be time-consuming but thanks to this we will know what distribution then save on your carrier to fully use the LiveCD. However, this method is not suitable as an alternative to the LiveCD for several reasons:
- The virtual machine requires: The real operating system already installed, the use of a part of your hard disk to create a virtual HDD. This is very demanding for the computer, therefore this task can not be dealt with by any older / weaker computer and the necessity of using a hard disk in contrast to the LiveCD.
- Configuring the program and installing the system is a very labor-intensive activity. This can not be replaced by a LiveCD because it slows down the emulator and this solution is completely useless.
When testing one of the distributions on a virtual machine, I recommend caution - even though we will use an emulated, independent system, the internet is from our connection. Browsing onion sites on a virtual machine without first securing the real system will allow tracking. |
LiveCD features simplicity, virtually no prerequisites, especially if we used a CD for LiveCD. If instead of a disc we used, for example, Pendrive, sometimes it is required to configure the BIOS so that it looks for the system on this medium. After that, you do not need anything more, it works anytime, anywhere (even on a virus-infected computer) and that's why we'll take care of this technology.
Below are a few Linux distributions that contain the TOR:
- Tor VM
- The Amnesic Incognito Live System in shortcut Tails.
- Incognito LiveCD
- JanusVM
- JanusPA
- Tork LiveCD
- Privatix
- Tor-ramdisk
most of them do not leave any traces - apart from the fact that on disks (which every LiveCD distribution can do) it also automatically erases the contents of RAM (which protects against Cold boot attacks)
After the author has tested several of the above I recommend using TAILS for distribution. It is at the moment the most extensive, detects a large number of backdoors that would allow tracking and in addition is rapidly developed. By the way, if we are not supporters of Linux and their GUI TAILS, it can be made similar to Windows XP (after loading the system after clicking "log in" in the next window, we can choose the "Windows XP camouflage" option).
we can also use non-specialized distributions such as Puppy linux which allows you to save sessions (it is therefore suitable for performing work operations).
another system ensuring even greater anonymity is Whonix - an operating system with two virtual machines embedded (described VirtualBox at the beginning of this article). Whonix-Gateway is only used as a TOR gateway (such as onion.to page) second, Whonix-Workstation is used for normal sufra. We want to say something in the past, so we need to use both virtual machines to do this.
Forgery
Most server in clearnet give register on own page. Usually it's nick, e-mail and password. Hoverer on most popular website's how Facebook or Amazon or simply eBay or other site servies eg. Internet domains required more information - this latest even SSL or activate phone. What do, if not want give personal information? Simply not give? Yes! Give fake information about us in internet it very important step in anonymity. In article use for this purpose some services:
- Fake Name Generator - can almost all
- Receive SMS - create temporary telephone number (it's phrase to search)
- BigHugeLabs - create fake picture ID.
Fake Name generator
editharder termins:
- Phone - Here just random numbers, if site required activate from telephone, must use some server with receive SMS.
- e-mail - site can do temporary mail for generated ID. Something some site can blocked this address (name server after sign @ - eg. Twitter have white list)