Security IT/Print version


Security IT

The current, editable version of this book is available in Wikibooks, the open-content textbooks collection, at
https://en.wikibooks.org/wiki/Security_IT

Permission is granted to copy, distribute, and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike 3.0 License.

Authenticity

aded, even totally free software can end badly if you download it from suspect sources. Remember the basic principle: always download applications from the manufacturer; do not use aggregators such as Softonic.

Such sites have several ways of being annoying. Often they do not offer the actual software for download but only a web installer (which, depending on the site, is called a "download assistant"); it merely starts the download, much like a download manager. Another annoyance is pushing additional software on us that we never intended to download: suspicious unknown applications for "cleaning" the computer, toolbars, a changed home page in the web browser, and other useless things.

checksums

Checksums make it possible to verify that the data contained in a file has not been changed during transfer from one medium to another. A checksum is produced by summing or performing other mathematical operations on the transferred data; it is transmitted together with the data and used to validate the data being processed.

On Windows a checksum can be checked with an application such as md5sum.exe.

On Linux a checksum can be checked with the hashing tools:

md5sum FILE
shasum FILE
sha256sum -b FILE
cksum FILE

GPG: import the signing key from a keyserver, then verify the signature over the checksum file:

gpg --keyserver keyserver.domain.com --recv-keys "4655 4C4C 204B 4559 0A"
gpg --verify sha256sum.txt.gpg sha256sum.txt
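As an added example (not part of the book), the following Python script verifies downloaded files against a sha256sum.txt of the kind produced by sha256sum -b and checked with gpg --verify above; the file names, contents and digests are constructed inside the block.

```python
import hashlib
import hmac
import os
import tempfile


def parse_sum_file(text):
    """Parse lines in the `<hex digest>  <name>` format written by md5sum/sha*sum.

    A `*` before the name marks binary mode (the -b flag) and is not part of
    the file name. Returns a dict {file name: expected hex digest}.
    """
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.lstrip(" ")          # one or two spaces precede the name
        if name.startswith("*"):
            name = name[1:]
        if not digest or not name:
            raise ValueError("malformed checksum line: %r" % line)
        expected[name] = digest.lower()
    return expected


def file_digest(path, algo):
    """Hash a file in chunks so large downloads need not fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify(sum_file_path, algo="sha256", base_dir=None):
    """Return {file name: True/False} for every entry in the checksum file.

    A missing file counts as a failure instead of being skipped silently.
    """
    base_dir = base_dir or os.path.dirname(sum_file_path)
    with open(sum_file_path, encoding="utf-8") as f:
        expected = parse_sum_file(f.read())
    results = {}
    for name, digest in expected.items():
        path = os.path.join(base_dir, name)
        if not os.path.isfile(path):
            results[name] = False
            continue
        actual = file_digest(path, algo)
        # compare_digest avoids timing leaks; hex digests are ASCII, so str is fine.
        results[name] = hmac.compare_digest(actual, digest)
    return results


def demo():
    """Constructed sample: one good file, one tampered file, one missing file."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "app.tar.gz"), "wb") as f:
            f.write(b"installer bytes")             # constructed content
        with open(os.path.join(d, "plugin.zip"), "wb") as f:
            f.write(b"tampered bytes")              # differs from the listed digest
        lines = [
            hashlib.sha256(b"installer bytes").hexdigest() + " *app.tar.gz",
            hashlib.sha256(b"original bytes").hexdigest() + "  plugin.zip",
            hashlib.sha256(b"x").hexdigest() + "  missing.iso",
        ]
        sum_path = os.path.join(d, "sha256sum.txt")
        with open(sum_path, "w", encoding="utf-8") as f:
            f.write("\n".join(lines) + "\n")
        return verify(sum_path)
```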


Methods

Current methods

The system blocks content by preventing IP addresses from being routed through. It consists of standard firewalls and proxy servers at the Internet gateways. The system also selectively engages in DNS poisoning when particular sites are requested. The government does not appear to be systematically examining Internet content, as this seems to be technically impractical.

Effectiveness of Internet censorship measures is never complete, as there are multiple ways of circumventing them (depending on the given measure).

Over-blocking occurs when legal content that should not be blocked is accidentally blocked by a given censorship measure. Depending on the particular scheme chosen this problem may be more or less pronounced, but it is always present and inevitable. It does not cover situations where the block list intentionally contains content that should not officially be blocked.

Similarly, under-blocking is content that officially should be blocked, but accidentally isn't. It is not content accessible by circumvention, but simply content that is accessible without using any special techniques that "slipped through the fingers" of the particular censorship scheme.

Both the resources required (equipment, processing power, bandwidth) and the cost of handling the list of blocked content also vary between censorship schemes and depend on the method used.

Whether or not a method employs deep packet inspection (DPI) is indicative of both how intrusive and how resource-intensive it is.

Method | Over-blocking risk | Under-blocking risk | Resources required | List handling cost | Bypass | DPI
--- | --- | --- | --- | --- | --- | ---
IP blocking | High | Medium | Low | Medium | Very easy | No
DNS spoofing/DNS cache poisoning | High | Medium | Low | Medium | Very easy | No
URL filtering | Low | High | Medium | High | Moderately demanding | Yes
QoS filtering | Medium | Medium | High | High | Hard | Yes
Man-in-the-middle attack | High | High | Medium | Very high | Encrypted connection required | Yes
TCP connection reset | High | Medium | Medium | Medium | Encrypted connection required | Yes
Network disconnection | Very high | Very high | Medium | None | Satellite connection required (see also alternatives to the Internet: packet radio and meshnets) | No
VPN blocking | High | Medium | Low | Medium | Most servers are paid only | Yes
Network enumeration | Low | Low | Very high | High | Hard | Yes
Keywords | High | High | Very high | Low | Moderately demanding | Yes
Hash | Low | High | Very high | High | Moderately demanding | Yes
Dynamics (e.g. image recognition) | High | High | Very high | Low | Moderately demanding | Yes
Hybrid (e.g. based on IP address + hash) | Low | High | Medium | High | Moderately demanding | Yes

IP blocking

Access to a certain IP address is denied. If the target web site is hosted on a shared hosting server, all web sites on the same server will be blocked. This affects all IP protocols (mostly TCP) such as HTTP, FTP or POP. A typical circumvention method is to find proxies that have access to the target web sites, but proxies may be jammed or blocked. Some large web sites allocate additional IP addresses (for instance, an IPv6 address) to circumvent the block, but later the block may be extended to cover the new addresses.

DNS spoofing/DNS cache poisoning

The DNS doesn't resolve domain names, or returns incorrect IP addresses. This affects all IP protocols such as HTTP, FTP or POP. A typical circumvention method is to find a domain name server that resolves domain names correctly, but domain name servers are subject to blockage as well, especially IP blocking. Another workaround is to bypass DNS if the IP address is obtainable from other sources and is not blocked. Examples are modifying the hosts file or typing the IP address instead of the domain name in a web browser.

  1. The easiest way is to change DNS provider, preferably to one supporting DNSSEC. Remember, however, that simply using secure DNS servers, without cryptography at the application level, still allows a poisoning attack.
  2. Use random ports.

URL filtering

The requested URL string is scanned for target keywords regardless of the domain name specified in the URL. This affects the Hypertext Transfer Protocol. Typical circumvention methods are to use escaped characters in the URL, or to use encrypted protocols such as VPN and SSL.

MiTM

GFW can use a root certificate from CNNIC, which is found in most operating systems and browsers, to make a MITM attack. On 26 Jan 2013, the GitHub SSL certificate was replaced with a self-signed certificate in China by, generally believed, the GFW.

TCP reset attack

If a previous TCP connection is blocked by the filter, future connection attempts from both sides will also be blocked for up to 30 minutes. Depending on the location of the block, other users or web sites may also be blocked if their communications are routed through the location of the block. A circumvention method is to ignore the reset packet sent by the firewall.

Network disconnection

A technically simpler method of Internet censorship is to completely cut off all routers, either by software or by hardware (turning off machines, pulling out cables). This appears to have been the case on 27/28 January 2011 during the 2011 Egyptian protests, in what has been widely described as an "unprecedented" Internet block. About 3500 Border Gateway Protocol (BGP) routes to Egyptian networks were shut down from about 22:10 to 22:35 UTC on 27 January. This full block was implemented without cutting off major intercontinental fibre-optic links, with Renesys stating on 27 January: "Critical European-Asian fiber-optic routes through Egypt appear to be unaffected for now." Full blocks also occurred in Myanmar/Burma in 2007, Libya in 2011 and Syria during the Syrian civil war. A circumvention method could be to use a satellite ISP to access the Internet.

VPN blocking

Beginning in 2011, users reported disruptions of VPN services. In late 2012, the Great Firewall was able to "learn, discover and block" the encrypted communication methods used by a number of different VPN systems. China Unicom, one of the biggest telecoms providers in the country, was terminating connections where a VPN was detected, according to one company with a number of users in China.

Network enumerating

It has been reported that unknown entities within China, likely with DPI capabilities, have initiated unsolicited TCP/IP connections to computers within the United States for the purported purpose of network enumeration of services, in particular TLS/SSL and Tor services, with the aim of facilitating IP blocking. Circumvention is hard and requires knowledge of networks and operating systems. Probably the easiest way to start is to use fail2ban.

Keywords

This method uses deep packet inspection to read the contents of data being transmitted, and compares it with a list of keywords, or with image samples or video (depending on the content type).

It has a very serious potential for over-blocking (consider blocking all references to "Essex" based on the keyword "sex"; consider blocking Wikipedia articles or biology texts related to human reproduction), and of under-blocking (website operators can simply avoid using known keywords, or use strange spelling, for instance: "s3x").

Combating under-blocking with extending keyword lists only exacerbates the over-blocking problem. Combating over-blocking with complicated keyword rule-sets (i.e. "sex, but only if there are white-space characters around it") only makes it easier to circumvent it for website operators (i.e. "sexuality" instead of "sexual").

List handling costs are low, but this method requires huge computing and bandwidth resources, as each and every data-stream on the network needs to be inspected, scanned and compared to keywords and samples. It is especially costly for images, videos and other non-text media.

This method is often combined with a "silent post": the post stays on, e.g., the social network, but is visible only to you and not to others.

Dynamics

Users still can circumvent the block in several ways.

Hash

Hash-based blocking uses deep packet inspection to inspect the contents of data-streams, hashes them with cryptographic hash functions and compares them to a known database of hashes to be blocked. It has a low potential for over-blocking (depending on the quality of the hash functions used), but a very high potential for under-blocking, as a single small change to the content changes the hash, and hence the content is not blocked.

Resource needs here are very high, as not only all the data-streams need to be inspected in real-time, they also need to be hashed (hash functions are computationally costly) and the hashes compared against a database. Costs of handling the hash-lists are also considerable.
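An added example (not from the book) that simulates the keyword and hash filters described in the Keywords and Hash sections on constructed sample documents, so the over-blocking ("Essex", "sexual") and under-blocking ("s3x", a one-byte edit) cases from the text can be seen side by side:

```python
import hashlib
import re

# Constructed sample "traffic", built from the book's own illustrations.
DOCUMENTS = {
    "essex-council": "Welcome to Essex County Council services",
    "biology": "A chapter on human reproduction and sexual development",
    "evasive": "adult s3x content with leetspeak spelling",
    "evasive2": "adult sexuality content",
    "target": "adult sex content",
}
KEYWORDS = ["sex"]


def naive_keyword_block(text, keywords=KEYWORDS):
    """Plain substring match: catches 'Essex' (over-blocking) but not 's3x' (under-blocking)."""
    lower = text.lower()
    return any(k in lower for k in keywords)


def boundary_keyword_block(text, keywords=KEYWORDS):
    """The 'only with white-space around it' rule: spares 'Essex', but misses 'sexual'/'sexuality'."""
    return any(
        re.search(r"(?<!\S)" + re.escape(k) + r"(?!\S)", text, re.IGNORECASE)
        for k in keywords
    )


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


# Hash block list built from the one document the censor actually wants to block.
HASH_BLOCKLIST = {sha256_hex(DOCUMENTS["target"].encode())}


def hash_block(text, blocklist=HASH_BLOCKLIST):
    """Exact-content match: no over-blocking, but any one-byte change evades it."""
    return sha256_hex(text.encode()) in blocklist


def classify(blocker):
    """Return the set of document names the given blocker would block."""
    return {name for name, text in DOCUMENTS.items() if blocker(text)}


def summary():
    """Blocked sets per method; 'hash_after_edit' appends one space to every document."""
    return {
        "naive": classify(naive_keyword_block),
        "boundary": classify(boundary_keyword_block),
        "hash": classify(hash_block),
        "hash_after_edit": classify(lambda t: hash_block(t + " ")),
    }
```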

Hybrid

In order to compromise between high-resource, low-over-blocking hash-based blocking and low-resource, high-over-blocking IP- or DNS-based solutions, a hybrid solution might be proposed. Usually it means that there is a list of IP addresses or domain names for which the hash-based blocking is enabled, hence only operating for a small part of content. This method does employ deep packet inspection.

Required resources and list handling costs are still considerable, and under-blocking probability is high, while circumvention by users is not any harder than for hash-based block.

As Internet censorship requires deep packet inspection, once such a system is deployed there are no technical obstacles stopping those in control from modifying communications in transit. That opens the door to an even broader set of possibilities for a willing politician, including false flag operations, sowing dissent among the ranks of the opposition, and similar actions.

  1. An easy way to bypass it is to use an SSH tunnel.
  2. The encapsulation of the SSL control protocols by the record protocol means that if an active session is renegotiated, the control protocols will be transmitted securely. If there was no previous session, the null cipher suite is used, which means there is no encryption and messages have no integrity digests until the session has been established.


Bypass

The Net interprets censorship as damage and routes around it. — John Gilmore

Level 1: without configuration

Cached Pages

Some search engines keep cached pages, copies of previously indexed web pages, and these pages are not always blocked. Cached pages may be identified by a small link labelled "cached" in a list of search results. Google allows the retrieval of cached pages by entering "cache:some-blocked-url" as a search request. Another method is to use Google Translate, which works similarly to a web proxy.

Mirror and archive sites

Copies of web sites or pages may be available at mirror or archive sites such as www.archive.org and the alternate sites may not be blocked.

Web to E-mail services

Web to e-mail services such as www.web2mail.com will return the contents of web pages with or without images as an e-mail message and such access may not be blocked.

RSS aggregators

RSS aggregators such as Google Reader and Bloglines may be able to receive and pass on RSS feeds that are blocked when accessed directly.

URL filtering

Alternative domain names may not be blocked. For example, the following domain names all refer to the same web site: http://wikimedia.org, http://www.wikimedia.org, http://web.archive.org/web/20120224022641/http://text.wikimedia.org:80/ , and http://web.archive.org/web/20120224030658/http://text.pmtpa.wikimedia.org:80/ .

Or alternative URLs may not be blocked. For example: www.blocked.com vs. www.blocked.com/, blocked.com, blocked.com/, www.blocked.com/index.htm, and www.blocked.com/index.html.

Entering an IP address rather than a domain name (http://) or a domain name rather than an IP address (http://wikimedia.org) will sometimes allow access to a blocked site.

Level 2: Connection configuration

IP blocking

As with DNS, this is just as easy. Use a web proxy (JavaScript usually does not work through it), a proxy server (which you need to configure in the browser) or a chain of proxies (e.g. proxychains). A reverse proxy is (usually) an Internet-facing proxy used as a front end to control and protect access to a server on a private network, commonly also performing tasks such as load balancing, authentication, decryption or caching. Websites can use a reverse proxy to reroute traffic and avoid censorship.

We'll start with web proxies: these are pages on which you simply enter the address of the page you want, and the service fetches it for you from another external IP address. Often you need to try several to find a server whose IP address is not banned but which still allows logging in (cookies) and surfing normally. They have one drawback: pages do not always load correctly through them (usually because of JavaScript), so sites that require it, such as CAPTCHAs, do not display correctly.

To avoid this, go one step further and configure a proxy in your browser yourself. Lists of free proxy servers are easy to find online. In Firefox:

  1. Open Tools > Options (or Edit > Preferences on Linux).
  2. Select the Advanced > Network tab and click 'Settings...'.
  3. Select 'Manual proxy configuration'.
  4. In 'HTTP Proxy' enter the IP address (or host name) and port, e.g. 3128.
  5. Tick 'Use this proxy server for all protocols'.
  6. Click OK to confirm everything; done.
  7. When you want to stop using the proxy, simply select 'No proxy' in Settings.

You can also use the plugin called AnonymoX, which automatically pulls a list of available proxies and connects to the fastest one.

For other programs, consult their documentation.

DNS blocking is very simple to bypass: just use another DNS provider, e.g. OpenNIC, whose site provides DNS configuration instructions for popular systems.

Level 3: Encrypted connection

Man-in-the-middle attack

Electronic signature

VPN blocked

If your network administrator blocks the standard port (PPTP or L2TP), just switch your VPN client to another port (such as 80 or 53). If you are blocked by IP, try another server; e.g. VPN Gate shares over 3000 servers for free. If the VPN connection is detected and blocked by DPI, establish an SSH/TLS tunnel: a user can forward all their traffic over an encrypted channel, so both the outgoing requests for blocked sites and the responses from those sites are hidden from the censors, to whom it appears as unreadable SSH traffic. Some VPN providers offer this as a so-called "stealth VPN".

Network enumeration

To make the system as little vulnerable as possible:
1. Update the system regularly:

sudo apt-get autoclean
sudo apt-get autoremove
sudo apt-get update
sudo apt-get dist-upgrade

2. Change passwords regularly.
3. Activate the firewall.
4. Use an antivirus.
5. Check system files for the presence of rootkits.

Keywords

Try hybrid methods from DNS, proxy or VPN.

Level 4: Packet manipulation

TCP reset attack

If you drop all the reset packets at both ends of the connection, which is relatively trivial to do, the Web page is transferred just fine.

Level 5: Steganography

Steganography is the practice of embedding useful data in what looks like something irrelevant. The simplest method: the text of a document can be broken into its constituent bytes, which are added to the pixels of an apparently innocent picture. The effect on the picture is barely visible, but the recipient can extract the text with the right software. Effective for getting information out, but slow.
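The LSB embedding described above, as an added example that is not from the book: the cover is a constructed list of grey-scale pixel values rather than a real image file, and the 4-byte length prefix is an assumption of this example, used so the extractor knows where the hidden bytes end.

```python
import random


def make_cover(width, height, seed=7):
    """Constructed cover 'image': width*height 8-bit grey pixels from a fixed seed."""
    rng = random.Random(seed)
    return [rng.randrange(256) for _ in range(width * height)]


def _bits(data):
    """Yield the bits of a byte string, most significant bit of each byte first."""
    for byte in data:
        for i in range(7, -1, -1):
            yield (byte >> i) & 1


def embed(pixels, message):
    """Hide `message` in the least significant bit of consecutive pixels.

    The payload is a 4-byte big-endian length prefix followed by the message
    (assumed framing, see lead-in). Raises ValueError if the cover is too small:
    each payload byte needs 8 pixels.
    """
    payload = len(message).to_bytes(4, "big") + message
    if len(payload) * 8 > len(pixels):
        raise ValueError("cover too small: need %d pixels, have %d"
                         % (len(payload) * 8, len(pixels)))
    out = list(pixels)
    for idx, bit in enumerate(_bits(payload)):
        out[idx] = (out[idx] & 0xFE) | bit      # replace only the lowest bit
    return out


def extract(pixels):
    """Read the length prefix, then that many bytes, from the pixel LSBs."""
    def read_bytes(start, count):
        data = bytearray()
        for b in range(count):
            value = 0
            for i in range(8):
                value = (value << 1) | (pixels[start + b * 8 + i] & 1)
            data.append(value)
        return bytes(data)

    length = int.from_bytes(read_bytes(0, 4), "big")
    if 32 + length * 8 > len(pixels):
        raise ValueError("length prefix exceeds cover size; not a valid payload")
    return read_bytes(32, length)


def max_pixel_change(cover, stego):
    """Largest per-pixel difference; LSB embedding never changes a pixel by more than 1."""
    return max(abs(a - b) for a, b in zip(cover, stego))


def demo():
    """Round trip on a 64x64 constructed cover; returns (recovered text, max change, same size)."""
    cover = make_cover(64, 64)
    secret = b"The text of a document, broken into bytes"
    stego = embed(cover, secret)
    return extract(stego), max_pixel_change(cover, stego), len(stego) == len(cover)
```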

Methods of hiding information in other covers are described in the next book.


Bypass firewalls

Bypassing a firewall is easy; just look for a host name.

Sometimes the host name is a web page that you can access for free (like wikipedia.org, free.facebook, or the web page your ISP sends you to when you have no data).

Download a port scanner and enter the host name; it will give you the IP address and the port number.

Put them in the APN settings; you will also need the XP Psiphon APK, in which you type the address and port numbers.

Or download OpenVPN, create an account online on tcpvpn.com, then download the .ovpn file.

Or download Psiphon Pro; it will connect automatically and you can access web pages that are otherwise restricted.

Linux

  1. Install the server:
apt-get install openssh-server
  2. Open port 22:
iptables -I INPUT -p tcp --dport 22 -j ACCEPT
  3. Restart the server:
/etc/init.d/ssh restart
  4. Connect to our server, opening a local SOCKS port (-D) for tunnelling:
ssh -D 1080 wikibooks@192.168.1.5
  5. To change the port, edit the file:
/etc/ssh/sshd_config

To use it for tunnelling applications, enter the local address and the port given to -D in the application's SOCKS proxy settings.


Police

Two holy rules

  1. At home you do not keep anything illegal, or even anything whose legal status is unclear.
  2. Your whole computer is encrypted with cryptsetup or something comparable; you know the password by heart, and it has a minimum of 30 characters and consists of letters, numbers and special characters. You can use a hidden volume.


NAT

NAT was created in response to the shrinking pool of IP addresses. In short, we get one variable IP address from the ISP, defined for a specific APN; traffic goes through the router, which directs it to a specific computer in our own network with private addresses.

bypass NAT restrictions

A few words of explanation:

Full-cone NAT

Usually nothing needs to be done here; sometimes port forwarding must be used.

(Address)-restricted-cone NAT

  1. Run UPnP/NAT-PMP/UPnP-IGD/PCP.
  2. Set a static private IP, optionally with DDNS.
  3. If that doesn't work, use port forwarding.
  4. If that doesn't work, use port triggering.
  5. If that doesn't work, use a DMZ.

Port-restricted cone NAT

  1. Use UDP hole punching.
  2. If that doesn't work, try TCP hole punching.
  3. Optionally, try ICMP hole punching.
  4. UDP multi-hole punching (mirror).

Symmetric NAT

  1. Sequential hole punching.
  2. Use a supernode.

CGNAT

Investigation

  • The only reliable solution that I've found so far has been to use IPsec VPNs initiated from behind the NAT.
  • ZeroTier can traverse CGNAT. If you follow the recommendations (it mainly boils down to opening the port in the firewall), the probability is that the value
"tcpFallbackActive": false

For all types NAT (probably)


LiveCD

Despite the various precautions, it is difficult to gain 100% confidence that the system will not leave unwanted traces of an anonymous user's activity. Another risk is gaps, errors, and software that does not even respect the proxy settings. To remedy this, specialised operating systems for use with Tor have arisen, for example in the form of a live system booted from a CD or USB stick, or a disk image for use with a virtual machine. Below are a few products of this type. First, a definition of both terms:

  • Virtual machine - intercepts all references the launched program makes to the hardware or operating system and handles them. Thanks to this, a program running on the virtual machine "thinks" that it works on real hardware, while in fact it works on virtual hardware "faked" by the appropriate software (the virtual machine).
  • LiveCD - an operating system (usually with bundled software) installed on a medium with its own boot loader, allowing it to run in RAM without the need to install it on the computer's hard drive.

The advantage of the virtual machine is that thanks to it we can predict what would happen on our real OS if, for example, we installed suspicious (in our estimation) software or performed potentially dangerous tasks (which could result in some damage). Unfortunately, before we use it, we should:

  1. Download the program (e.g. VirtualBox) and download the operating system we are interested in.
  2. Configure the program so that it can open the system we downloaded, and allocate some space for it on the hard disk.
  3. Install the system on the machine (a one-off operation if, after installation, we make a snapshot of the fresh "installation").
  4. Install the appropriate software (if you want to get into the .onion network), unless you installed a distribution that comes with such software by default (more on that later).

This approach is good if you want to test an unknown operating system without compromising your current system and without the time to install two. It may be time-consuming, but thanks to it we will know which distribution to save on our medium to use as a full LiveCD. However, this method is not suitable as an alternative to the LiveCD, for several reasons:

  • The virtual machine requires a real operating system already installed and the use of part of your hard disk to create a virtual HDD. This is very demanding for the computer, so older or weaker computers cannot handle the task, and it requires a hard disk, unlike the LiveCD.
  • Configuring the program and installing the system is a very labour-intensive activity. It cannot be replaced by running a LiveCD inside the emulator, because that slows the emulator down and the solution becomes completely useless.

The LiveCD offers simplicity and virtually no prerequisites, especially if we use a CD for it. If instead of a disc we use, for example, a pendrive, it is sometimes necessary to configure the BIOS so that it looks for the system on this medium. After that you do not need anything more: it works anytime, anywhere (even on a virus-infected computer), and that is why we will take care of this technology.

Below are a few Linux distributions that contain the TOR:

Most of them do not leave any traces: apart from leaving nothing on disks (which every LiveCD distribution can do), they also automatically erase the contents of RAM (which protects against cold boot attacks).

After testing several of the above, the author recommends the Tails distribution. It is at the moment the most extensive, detects a large number of backdoors that would allow tracking, and in addition is rapidly developed. By the way, if we are not fans of Linux and its GUI, Tails can be made to look like Windows XP (after the system loads and you click "log in", in the next window you can choose the "Windows XP camouflage" option).

We can also use non-specialised distributions such as Puppy Linux, which allows you to save sessions (it is therefore suitable for doing work).

Another system ensuring even greater anonymity is Whonix, an operating system built from two virtual machines (VirtualBox, described at the beginning of this article). Whonix-Gateway is used only as a Tor gateway (like the onion.to page); the second, Whonix-Workstation, is used for normal surfing. In short, we need to use both virtual machines to do this.


Forgery

Most servers on the clearnet offer registration on their own page. Usually this requires a nickname, e-mail and password. However, the most popular websites, such as Facebook, Amazon or eBay, and other services (e.g. Internet domain registrars) require more information; the latter even an SSL certificate or phone activation. What do you do if you don't want to give personal information? Simply not give it? Yes! Giving fake information about ourselves on the Internet is a very important step towards anonymity. This article uses some services for this purpose:

Fake Name generator

Harder items:

  • Phone - here just random numbers; if the site requires activation by telephone, you must use some service that receives SMS.
  • E-mail - the site can create a temporary mailbox for the generated identity. Some sites block such addresses (by the name server after the @ sign; e.g. Twitter has a whitelist).