Reflecting on Security


Post by -Ninjex- on Mon Aug 05, 2013 6:10 am

If you haven't heard of the recent zero day exploit that affected a large portion of the tor based websites, please check out this post made by limdis: viewtopic.php?f=37&t=10422, as well as giving limdis a big thanks for bringing this to all of our attention.

Alright, so the point of this post is going to be about reflecting on how to keep yourself as safe as possible and to reflect on some of the issues that allowed this to be pulled off.

So, the undoubtedly obvious issues we should cover are:

1. The Tor Browser Bundle used Firefox version 17, which is a bit outdated.
2. The zero day exploit took advantage of JavaScript.
3. Possible user end errors or mistakes such as misconfiguration, leaks, or poor anonymous tactics.
4. Tor is designed for anonymity, not security, so there can and will be flaws that exist inside of Tor.

So, I'm not the greatest person in networking, as many of you know, but here are some things that I thought should be kept in mind. Also, if I am wrong about anything correct me, because as I said shit networking skills, and I don't want to feed off bad habits on this post.

Okay, so let's tackle these issues down one by one, and see if we can better ensure the quality of our anonymity.

First up: The Tor Browser Bundle used Firefox version 17, which is a bit outdated.
Here is a screenshot I just took from the browser the tor bundle uses:

Image

Using outdated software can usually lead to that software being exploited. Most of the time updates are put into action to prevent exploit(s) in the said software. With that being said, avoiding updates will be a big factor in whether you are keeping your anonymity to the fullest level possible.
So, what's the alternative?
Well, I use linux, and I couldn't tell you anything much about how to do this on Windows, Mac, etc, so if someone else knows and feels like posting it below, feel free to do that. However, what we will do on a linux based system is to install tor from its repository. In Ubuntu or similar based systems, you can do this with:
sudo apt-get update && sudo apt-get install tor

This will install tor on your system, but that's about it. You still have a few things to do to get this up and working correctly. The first thing you are going to want to do is to see what port tor is running on (you can change this if you like as well), and configure your browser properly to use those settings. To do this, we need to edit the configuration file, which should be located under /etc/torsocks.conf, so we run the following command: (You can use any editor other than vim, such as gedit or nano)
sudo vim /etc/torsocks.conf

Image

As you can see above, the server needs to be configured to 127.0.0.1 (localhost), and I have the tor service port assigned to listen on 9050. Once that is done, save the file, and we will get started on configuring Firefox correctly.

With Firefox, the first thing you want to do is check for updates. To see which version of Firefox you have, go to the Help tab and then choose About Firefox (Help -> About Firefox). Check your version number against the latest stable release, and update if you need to.
The next step will be to adjust the settings to allow the browser to work in compliance with the tor service. To do this, you will need to select Edit, then click Preferences (Edit -> Preferences). Once Edit is highlighted you can find the location from the highlighted drop down menu below:
Image

Next, you will proceed to go to Advanced -> Network -> Settings...
This is demonstrated in the pictures below:
Locating network settings:
Image
The network settings:
Image
As you can see, located under manual proxy configuration, we have set it up to use the correct host and port in accordance with the torsocks.conf file. The next step is to actually run the tor service. To do this, we issue the following command:
sudo /etc/init.d/tor start

This should give you a message detailing the start up of the tor service. Once the service is started, you should now be able to browse the web using the most updated version of Firefox, in compliance with the Tor services. You can check to make sure your IP is being masked correctly from numerous sites, but one of the most used sites is http://www.whatismyip.com

Once this is working, we are going to want to do a couple more things to improve our security. The first, being to disable JavaScript, which you could do through the settings in Firefox, but we can also use a nice little addon to do this for us. This will rule out number 2 on our list of security issues. Anyways, the addon to use is called NoScript, and I am sure many of you are familiar with it, it can be located, downloaded, and installed here: https://addons.mozilla.org/en-us/firefo ... /noscript/

We should also make use of some other really neat addons:
Ghostery - https://addons.mozilla.org/en-us/firefox/addon/ghostery
Adblock Plus - https://addons.mozilla.org/en-us/firefo ... block-plus
BetterPrivacy - https://addons.mozilla.org/en-us/firefo ... terprivacy
SSLGuard - https://addons.mozilla.org/en-us/firefox/addon/sslguard
HTTPS Finder - https://addons.mozilla.org/en-US/firefo ... tps-finder

Alright, so now we should have some decent security flying about, yes? Well, let's give it a go. Fire up the tor service and check your IP, and also ensure that your addons are working properly. Everything looking good so far? It should seem so.
Alright, now we will do a little test and point out one of the issues in issue number 3 -- Possible user end errors or mistakes such as misconfiguration, leaks, or poor anonymous tactics.

For this example you will need root access, as we will be using tcpdump and it requires root privileges to execute.
First step is to grab tcpdump, if you don't already have it:
sudo apt-get update && sudo apt-get install tcpdump


Once it installs, we need to figure out which interface we are connecting from, to do this we can issue the command:
sudo ifconfig

and scan the output until we see a valid internet address, like below
Image
Looking at all the detail on the inet addr, we can see that wlan0 is our interface.

Once we have our interface, we can run some tests with tcpdump. Let's issue the following (replace wlan0 with your interface)

sudo tcpdump -v -i wlan0

Visit a site of your choice like google or facebook now.
We should then see a great deal of information intercepted and displayed in your terminal. This is good, it means tcpdump is working correctly.
The next thing you will want to check is what type of information can be seen on port 53 specifically, since it's used for DNS (Domain Name System), it will allow you to check and see if you have any DNS leaks.

To do this, we can issue the following command:
sudo tcpdump -i wlan0 -n 'udp and dst port 53'

If you visit a site like facebook or google now, you should still be able to see some information being leaked out from port 53. This is not a good thing... So how do we prevent this? We need to edit Firefox just a tad bit more, to help prevent those pesky DNS leaks.
To do this, open up a new tab. In the URL bar, you will type in: "about:config". You will then receive a warranty void message, you can ignore that and proceed by clicking "I'll be careful, I promise!". Now, in the search bar at the top, you are going to want to type in: "network.proxy.socks", which should bring up your proxy server and port. Now in the list you will see "network.proxy.socks_remote_dns" and it will be set to the value false. You will want to double click on this value and change it to true. This will prevent the DNS leaks you saw before.
Image

Now, retry the same test before:
sudo tcpdump -i wlan0 -n 'udp and dst port 53'


You shouldn't receive any information from port 53 anymore.
To trail on with security issue #3, doing things like using the same alias on hidden services as you do on the surface web, giving out credentials, etc, all fall under this category. Tor is not perfect, and if the user using the tor service is an idiot, odds are it will not be very beneficial to that person.

Now I will tackle this one very quickly and not dive into much depth, since I'm not all too familiar with the concepts and ideology.
4. Tor is designed for anonymity, not security, so there can and will be flaws that exist inside of Tor.

Tor offers several layers of encryption. It received the famous onion icon, as well as some other things, based on the fact that its encryption works in layers, and an onion has... layers. So if there were three hops between you and the site you need to go to, you would get secure encryption from you, and in between each hop from one node to another. So if you wanted to visit, say evilhacks.com, and need to establish three hops (let's give the hops the names a, b, c, for simplicity), it would be similar to the following:
The following assumes you are sending a request to the server, when the server responds, it would work in a similar fashion except in reverse.
You -> encryption -> a -> encryption -> b -> encryption -> c -> evilhacks.com

The problem with this is that someone could configure their machine to act as a tor exit node. So let's say that c is the exit node owned by "MaliciousJoe"; he will be the one left with the information, and could in theory sniff that data and try to execute some attacks on the user sending the request to evilhacks.com. This is why SSL comes in handy, and we have addons in place to attempt to prevent SSL Stripping.
If you use plain text protocols to access something, it can be sniffed, and you can be exploited.

This is just some stuff that I figured could be talked about. Like I said, feel free to add onto this and to help educate us all on the best security measures. If I am wrong on anything in here, please correct it and possibly give links to places to look over the facts.

Educate everyone...
If you're not willing to learn, no one can help you. If you're determined to learn, no one can stop you.⠠⠵
The absence of evidence is not evidence of absence.
I can explain it for you, but I can't understand it for you.
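Added example, not code from the original post or from Mozilla: a script that reads a Firefox prefs.js or user.js and checks it against the proxy setup described above (manual proxy configuration, SOCKS host and port matching torsocks.conf, and the network.proxy.socks_remote_dns switch from the DNS-leak section). The user_pref() file format, the pref names, and the value 1 meaning "manual proxy configuration" are real Firefox conventions; the two sample pref sets are constructed for this example.

```python
"""Check a Firefox prefs.js / user.js against the Tor proxy setup in this post.

Added example (not from the original post or Mozilla). Firefox stores each
preference as a line  user_pref("name", value);  The checks mirror the post:
network.proxy.type = 1 (manual proxy configuration), SOCKS host/port equal to
the server and port in torsocks.conf (127.0.0.1:9050), and
network.proxy.socks_remote_dns = true so name lookups go through the SOCKS
proxy instead of leaving the machine on UDP/53.
"""
import re
import sys

PREF_RE = re.compile(r'^\s*user_pref\("(?P<name>[^"]+)",\s*(?P<value>.+?)\);\s*$')


def parse_prefs(text):
    """Return {name: value} from prefs.js-style text.
    true/false become bool, quoted strings str, bare numbers int; other lines are ignored."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines, and anything that is not a user_pref() call
        raw = m["value"].strip()
        if raw in ("true", "false"):
            value = raw == "true"
        elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
            value = raw[1:-1]
        else:
            try:
                value = int(raw)
            except ValueError:
                value = raw
        prefs[m["name"]] = value
    return prefs


def check_tor_proxy(prefs, host="127.0.0.1", port=9050):
    """Return a list of problems; an empty list means the browser matches the post's setup."""
    problems = []
    if prefs.get("network.proxy.type") != 1:
        problems.append("network.proxy.type is not 1: manual proxy configuration is off, traffic bypasses Tor")
    if prefs.get("network.proxy.socks") != host:
        problems.append("network.proxy.socks is %r, expected %r (the server in torsocks.conf)"
                        % (prefs.get("network.proxy.socks"), host))
    if prefs.get("network.proxy.socks_port") != port:
        problems.append("network.proxy.socks_port is %r, expected %r (the port tor listens on)"
                        % (prefs.get("network.proxy.socks_port"), port))
    if prefs.get("network.proxy.socks_remote_dns") is not True:
        problems.append("network.proxy.socks_remote_dns is not true: DNS queries leave on UDP/53 outside Tor")
    return problems


# Constructed sample: proxy set by hand as in the post, socks_remote_dns still at its default.
LEAKY_USER_JS = '''\
// constructed sample user.js
user_pref("network.proxy.type", 1);
user_pref("network.proxy.socks", "127.0.0.1");
user_pref("network.proxy.socks_port", 9050);
user_pref("network.proxy.socks_remote_dns", false);
user_pref("browser.startup.homepage", "about:blank");
'''

# Constructed sample after the about:config step: socks_remote_dns flipped to true.
FIXED_USER_JS = LEAKY_USER_JS.replace('"network.proxy.socks_remote_dns", false',
                                      '"network.proxy.socks_remote_dns", true')


if __name__ == "__main__":
    # Usage: python3 check_firefox_tor.py ~/.mozilla/firefox/<profile>/prefs.js
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else LEAKY_USER_JS
    problems = check_tor_proxy(parse_prefs(text))
    if problems:
        print("\n".join("PROBLEM: " + p for p in problems))
    else:
        print("OK: Firefox matches the Tor proxy setup")
```

Point it at the profile's prefs.js after closing Firefox (the file is rewritten on exit); with no argument it checks the constructed "leaky" sample and reports only the socks_remote_dns problem.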
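Added example, not part of the original post: the DNS-leak test above is read by eye in a terminal; this script parses the text that `tcpdump -n 'udp and dst port 53'` prints and lists every hostname that was resolved outside the proxy, so the "before" and "after" runs can be compared mechanically. The capture lines, the interface name wlan0, and the addresses are constructed to look like the two runs the post describes.

```python
"""Detect DNS leaks in the text output of tcpdump on UDP/53.

Added example, not from the original post. With the SOCKS proxy set but
network.proxy.socks_remote_dns still false, Firefox resolves names locally and
every query shows up in  tcpdump -i wlan0 -n 'udp and dst port 53'.  This
parser reads that output (saved to a file or piped in) and reports the names.
The sample captures below are constructed.
"""
import re
import sys

# One tcpdump -n query line:  HH:MM:SS.usec IP src.sport > dst.53: id<flags> TYPE? name. (len)
DNS_QUERY_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.53: "
    r"(?P<id>\d+)[+%$]* (?P<qtype>[A-Z]+)\? (?P<name>[^ ]+)\. \((?P<len>\d+)\)$"
)


def parse_dns_queries(lines):
    """Yield one dict per DNS query line; banner lines and anything else are ignored."""
    for line in lines:
        m = DNS_QUERY_RE.match(line.strip())
        if m:
            yield {"ts": m["ts"], "src": m["src"], "resolver": m["dst"],
                   "qtype": m["qtype"], "name": m["name"].lower()}


def leaked_names(lines):
    """Sorted unique hostnames that were looked up outside the proxy.
    An empty list is the result the post expects once socks_remote_dns is true."""
    return sorted({q["name"] for q in parse_dns_queries(lines)})


def leak_report(lines):
    """Per-name query count and the resolver addresses the queries went to."""
    report = {}
    for q in parse_dns_queries(lines):
        entry = report.setdefault(q["name"], {"queries": 0, "resolvers": set()})
        entry["queries"] += 1
        entry["resolvers"].add(q["resolver"])
    return report


# Constructed capture: the post's first test, socks_remote_dns = false.
LEAKY_CAPTURE = """\
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wlan0, link-type EN10MB (Ethernet), capture size 65535 bytes
14:02:11.512345 IP 192.168.1.23.51234 > 192.168.1.1.53: 41923+ A? www.facebook.com. (34)
14:02:11.512980 IP 192.168.1.23.51234 > 192.168.1.1.53: 41924+ AAAA? www.facebook.com. (34)
14:02:12.004421 IP 192.168.1.23.58811 > 192.168.1.1.53: 7710+ A? static.xx.fbcdn.net. (37)
14:02:15.731002 IP 192.168.1.23.40022 > 192.168.1.1.53: 23001+ A? www.google.com. (32)
""".splitlines()

# Constructed capture after the about:config fix: only tcpdump's banner, no queries.
CLEAN_CAPTURE = """\
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wlan0, link-type EN10MB (Ethernet), capture size 65535 bytes
""".splitlines()


if __name__ == "__main__":
    # sudo tcpdump -l -i wlan0 -n 'udp and dst port 53' | python3 dns_leaks.py
    lines = list(sys.stdin) if not sys.stdin.isatty() else LEAKY_CAPTURE
    report = leak_report(lines)
    if not report:
        print("no DNS queries seen on UDP/53: nothing leaked outside the proxy")
    else:
        print("DNS LEAK: %d hostname(s) resolved outside the proxy" % len(report))
        for name, info in sorted(report.items()):
            print("  %-28s %2d quer%s -> %s" % (name, info["queries"],
                  "y" if info["queries"] == 1 else "ies", ", ".join(sorted(info["resolvers"]))))
```

Run it on a live capture with tcpdump's `-l` flag so lines are flushed as they arrive; the report names the resolver the queries went to, which is usually the home router or the ISP, i.e. someone who now knows which sites were visited regardless of the proxy.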

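Added example, not from the original post and not Tor's actual cipher or cell format: a toy model of the three-hop layering (You -> a -> b -> c -> evilhacks.com) described above, with an HMAC-SHA256 keystream standing in for real per-hop encryption so it runs on the standard library alone. It shows the property the post relies on: each relay can remove only its own layer, so the exit node c is the only relay that sees the destination and the plaintext request, which is exactly what a "MaliciousJoe" exit could sniff when the protocol inside is plain text. The hop names and destination come from the post; the keys and the request are constructed.

```python
"""Toy model of the layered ("onion") encryption the post describes.

Added example. Not Tor's protocol: Tor negotiates per-hop keys and uses a
real stream cipher; the XOR keystream here is a constructed stand-in. Each
layer, once removed by its hop, reads  next_hop|rest  where rest is the next
layer, so a relay learns only where to forward, and only the exit node sees
the destination name and the request itself.
"""
import hashlib
import hmac


def keystream(key, length):
    """Deterministic keystream from HMAC-SHA256 over a counter (toy cipher, demo only)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor_crypt(key, data):
    """XOR with the keystream; the same call encrypts and decrypts."""
    return bytes(x ^ k for x, k in zip(data, keystream(key, len(data))))


def build_onion(path, destination, request):
    """Wrap `request` in one layer per hop, innermost (exit) layer first.
    path: [(hop_name, hop_key), ...] in travel order, e.g. a, b, c."""
    # Innermost layer: what the exit node sees after peeling its layer.
    blob = xor_crypt(path[-1][1], destination.encode() + b"|" + request)
    # Wrap the remaining hops from the inside out: b's layer, then a's.
    for (_, key), (next_name, _) in zip(reversed(path[:-1]), reversed(path[1:])):
        blob = xor_crypt(key, next_name.encode() + b"|" + blob)
    return blob


def peel(blob, key):
    """A relay removes its own layer and learns only the next hop plus opaque bytes."""
    plain = xor_crypt(key, blob)
    next_hop, rest = plain.split(b"|", 1)  # hop names never contain '|', so the first one delimits
    return next_hop.decode(), rest


def route(blob, relay_keys, entry):
    """Simulate forwarding. Returns (final destination, bytes it receives, each relay's view)."""
    views = {}
    current = entry
    while current in relay_keys:           # stops when the next hop is not a relay we model
        next_hop, blob = peel(blob, relay_keys[current])
        views[current] = (next_hop, blob)  # exactly what this relay gets to see
        current = next_hop
    return current, blob, views


# Constructed keys for the post's hops a, b, c and a constructed plain-text request.
RELAY_KEYS = {n: hashlib.sha256(b"constructed demo key for hop " + n.encode()).digest() for n in "abc"}
PATH = [(n, RELAY_KEYS[n]) for n in "abc"]
REQUEST = b"GET /account HTTP/1.1\r\nHost: evilhacks.com\r\nCookie: session=constructed-sample\r\n\r\n"


def demo():
    """Build the onion and push it through a, b, c; see the test for the asserted properties."""
    onion = build_onion(PATH, "evilhacks.com", REQUEST)
    return route(onion, RELAY_KEYS, "a")


if __name__ == "__main__":
    dest, received, views = demo()
    for hop in "abc":
        next_hop, seen = views[hop]
        print("relay %s forwards to %-14s sees plaintext request: %s"
              % (hop, next_hop, seen == REQUEST))
    print("destination %s receives: %r" % (dest, received[:40]))
```

Relays a and b forward ciphertext they cannot read and learn only their neighbours; c, the exit, forwards the request in the clear. That last step is where the post's SSL advice applies: if the request itself is TLS inside the onion, the exit forwards bytes it cannot read either.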

Re: Reflecting on Security

Post by Tentra on Mon Aug 05, 2013 9:45 am

-Ninjex- wrote:1. The Tor Browser Bundle used Firefox version 17, which is a bit outdated.
2. The zero day exploit took advantage of JavaScript.
3. Possible user end errors or mistakes such as misconfiguration, leaks, or poor anonymous tactics.
4. Tor is designed for anonymity, not security, so there can and will be flaws that exist inside of Tor.

I just wanted to point out that the potential 0-day will only target Firefox 17.x on Windows. However, it is not yet known if the exploit can be modified to work on Linux or OSX. It is also unknown if the websites hosting the exploit were hacked or if Eric Eoin Marques, owner of Tor Freedom Hosting, was coerced into surrendering his login credentials, allowing direct modification of the websites' source. In my opinion, the best idea is to install NoScript and Flashblock, regardless of browser or OS, to keep potential attack vectors at a minimum until more is known about this attack.

As far as I'm aware this is the first time the U.S. government has used methods like this to gain information about alleged criminals, it could be the first step in a string of operations targeting cybercrime.


Re: Reflecting on Security

Post by -Ninjex- on Mon Aug 05, 2013 12:48 pm

Tentra wrote:I just wanted to point out that the potential 0-day will only target Firefox 17.x on Windows.


I knew it was targeting up to version 17.0.6, but I didn't know it was simply exploiting Windows users.
The problem is that Tor's version of Firefox, called the TorBrowser, used Firefox ESR (Extended Support Release), and the latest release version at the time was 17.0.6; they have since released 17.0.7 with a patch for the zero day exploit. I also thought that this was simply taking advantage of the exploit in the browser and using JavaScript to point out IPs linked to the DNS of Freedom Hosting sites. I didn't think this had anything to do with what operating system was in use, but it may have bypassed some security on Windows users or something, I'm unsure.

I personally would feel a lot safer just using the latest release of Firefox how I showed above.


