Pimp my network
-
2016-01-27 at 5:16 PM UTC
So I've got a little home network going that I eventually want to build a Pentesting lab in. My dad and I are working on a larger project together, but I kind of wanted your input on what I can do until then. At this point, I kinda just want to make it as secure as possible and see if we can hook something up. I figured it would be fun to discuss and I value a lot of you guys' input.
Router
Right now I have a cheap little $50 router. I need to upgrade to an IPV6 compatible router very soon because my ISP is no longer supporting the older one. It drops the connection probably once every three and a half hours. Any ideas on what I should get budget wise with security in mind?
After classes today I'm planning on doing all in my power to make it as secure as possible until I buy something better. Right now the router has a 12+ character password of numbers / symbols / capitals / lowercase. The network's SSID name was also changed as to not reveal what type it is. The traffic is encrypted through WPA2. The network password is also a 12+ character password with the same parameters.
I'm going to enable MAC enhancementing.
Questions:
Is there a cool program out there that lets me see who is on my wifi and what they're doing? I'm familiar with TCP dump and Wireshark, but I've heard there are super easy programs out there that have sexy interfaces that make it even easier.
Modem
Questions:
Should I even do anything with this?
Battle Stations
Right now I have 4 Laptops.
Cloudbook - This is probably the most insecure computer on the network. It's a brand new Cloudbook running Windows 10 (it's for the female in the house who doesn't want to use it for anything but school). I run Lavasoft AdAware on it and a Firewall is enabled on it. I'm thinking about using a VPN but I'm not sure if it's really worth it.
Notebook - The second one is my personal notebook - a Compaq Cm2130. As of right now, I'm running Linux Mint on it. I DBANed the original computer, overwrote all the hard drive space on install, and it's encrypted with a 40+ character password. I have the password written on a piece of paper that I keep on me at all times and it's written as a calculus equation - the answer of which is a series of numbers that I can translate into a series of symbols, lowercase, and uppercase characters through a personal cipher I've memorized and actively used since 2011.
I'm planning on using Firefox, Disabling Java, and installing No Script.
Laptop - The other is a full Toshiba Satellite that I just DBANed. It has no operating system installed on it. I was thinking about using Linux Lite on it but honestly I'm probably going to run Kali on it (for pentesting).
Macbook - I have a very old macbook I "discovered" a few years ago at a school. It's old as shit and I'm having a hard time even installing anything on it. I'm thinking of maybe mining it for parts or turning it into a chromebook if possible. Puppy Linux might run on it, but I don't even know what I'm going to do with it.
I never shared this with you guys, but I made a very small portable solar powered Micro-PC out of a Raspberry Pi and an old pencil box (It even locks up with a key). It also takes outlet power, so I've been thinking about turning it into a Linux server for pentesting.
Questions: What do you guys think? What's my current security rating? What else should I add?
What do you guys think about using TOR, Freenet, or VPNs?
I always got the impression that using TOR or Freenet made your ISP able to see that your data is encrypted and would bring more suspicion to you than anything, but I guess that's only if they have a reason to watch you anyway. I guess what I'm saying is that I have experience with it but never really used it. The same thing goes for VPNs. I'm not going to pay for one, so is a free VPN even worth using?
Any browser add-ons or stuff that would be worth adding? I know Sophie mentioned that he has a button he can push that changes his IP and stuff. Any ideas about what I should do with this network? Any glaring security holes? -
2016-01-27 at 5:27 PM UTCSend a 420gbps microwave vacuum solar transmitter Into space nigga and you can shitpost on the mooooon
-
2016-01-27 at 6:03 PM UTC
There are plenty of network security tutorials: http://bfy.tw/3wwl and http://bfy.tw/3wxC
This is a good outline: http://w3-o.cs.hm.edu/mediapool/soceanu/pmcio/Network_Security_Vulnerabilities_Threats_Attacks.pdf
Use one of those systems as an IDS (like snort, ossec, ossim*) maybe even a honeypot (honeyd) once you learn more.
Set up a dedicated firewall if your router isn't capable. Install custom firmware on router (OpenWrt, DD-WRT), might be able to use IPv6 with router you have.
Read as much as possible, try and fail and learn. Learn more about OS security, maybe OpenBSD; look into Debian or RHEL.
Definitely use tor, for everything if possible. I use it for a lot of automated functionality like this: https://github.com/EtiennePerot/parcimonie.sh
'night
-
2016-01-27 at 6:09 PM UTC
Thanks for this.
Do you like Freenet at all?
-
2016-01-28 at 2:14 PM UTC
I really like the honeypot/IDS idea. I wanted to do something similar with my Raspberry Pi, but right now I only use it for a git + mpd + backup server.
Btw, every time you use an SSL site (i.e. every time you google something) your traffic is encrypted and unless your ISP is monitoring at least ports, they wouldn't be able to discern SSL traffic from Tor from VPN traffic. Apart from ports and DPI, are there any other ways?
I'm also interested in the topic of free VPNs. I wanted to use one, not for anything illegal, just to enjoy a bit more privacy.
-
2016-01-28 at 6:48 PM UTC
So I'm going to weigh in on some commonly held axioms of anonymity and privacy. As per my reputation, I'm pretty paranoid about the fact that we have no privacy anymore, and am known to disseminate false information about myself just to further obscure who I actually am. As a matter of fact, I'm probably going to disappear from the community again for a while. Privacy isn't necessarily security, but it's worth mentioning since that's where the conversation is going.
TOR and VPNs are usually the "go-to" when people talk about online privacy. VPNs are not a bad thing, but they're highly overrated in respect to how much privacy they actually afford you. Not sure if you guys remember, but Lulzsec got busted because their VPN turned their information over to the police when it was requested. Most if not all VPNs would do the exact same thing - paid or otherwise. Even if you're doing something as benign as downloading music or Adobe suite, why would a business risk losing money to protect you? If you want to do something banal like look at vanilla porn at the office or something, you can probably get away with using a VPN for a while (unless an admin where you work feels like being a dick or is vigilant). VPNs can also help you do basic stuff like get back onto services you've been banned from (Omegle, tinychat, whatever), but at that rate you might as well just spoof your MAC and/or change your IP.
A VPN is just basically going to hide your datagrams between the VPN client and the destination server. Any data before that point or outside of those two points is still using your traditional means of communication, meaning it isn't secure. Furthermore, it doesn't mean that your destination isn't going to see you have a VPN enabled so they know you're trying to hide something. And let's think about this, when using a VPN service, a lot of people are handing over credit card or personal information to a company under the auspices of doing so for privacy (which is pretty ironic when you think about it).
As far as TOR is concerned, I've heard a lot of worship about how this is the end all be all of privacy. I'd like to think a lot of the guys here are savvy enough to know that's not true. Sure, it's probably the minimal standard of what you'd want to do to remain somewhat anonymous online, but even upon downloading the TOR client, there's a lot of other things you need to do in order to ensure basic privacy (I'm a big fan of add-ons). Even so, people who want to find out who you are can still control TOR Nodes or even potentially flood other nodes with data in order to navigate your traffic to nodes that are being monitored. It's not really debated that TOR has been compromised. Big secure deepweb / darknet sites get shut down all the time and users are regularly arrested in the process. In fact, less than a week before this post, the New York Times did an article about how the FBI recently took down a deep web criminal site, moved the servers to Washington, and collected data on something like 10,000 registered users that were using its services for a two-week period. So even if you're pretty technologically literate, you're still at risk of getting into trouble if you're doing something illegal online. Part of the reason is because you might have to enable JavaScript, download something, or give up a drop house in order to complete your goal of what you're on the deepweb for in the first place. All of these things compromise your security.
Furthermore, I think a lot of people forget that there's an ISP that can see everything you do if their engineers feel like you're a person of interest. Don't forget, it's possible to be arrested for cocaine you sold years ago, so just because you haven't had the police banging on your door yet doesn't mean they won't eventually. In the US, there was talk of ISPs being required to store records of who visited what for like six months at a time. I'm not sure if they ever went through with it in this country, but they definitely did so in many others. It's also really not questionable that the NSA and the government work pretty closely with ISPs. Also, your ISP is going to be able to see if you're using TOR or encrypting all your data, and most user agreements with your ISP give them the liberty to spy on your traffic just because they want to. Usually people rush in at this point to say "Well if I'm not doing anything bad enough to warrant attention then that means I'm okay!", but that's not a very reasonable strategy. It fundamentally ignores the fact that they can analyze what traffic they want, whenever they want to.
At the end of the day, it depends on why you want to keep your privacy. In my case, I like to keep my privacy for work related reasons. I like forums and having discourses with you guys on Tinychat and stuff, but I could lose my job if someone found out where I worked and told them I was affiliated with this website. There's no FBI guys looking for me and, if there were, they probably saw everything about me and get a good laugh about it. For those of you guys who come onto forums and boast about doing drugs, looking at CP, selling fake coupons, carding, hacking, or whatever else, you should be very vigilant because you're basically inviting scrutiny. I think what people fail to realize is that the dudes using stuff like silkroad, posting shady teen pics to 4chan, people who discuss carding, those who admit to breaking the law on sites like evilzone, or even people who spam hate on stormfront probably have enough evidence secured to charge them with a crime. Ad hoc post ergo hoc reasoning that "they didn't do it so that means they won't" doesn't logically follow. In all honesty, it probably hasn't been done because it isn't financially worth it to do and there are bigger fish to fry.
So what can you do?
My first advice is don't do anything illegal. It not only prevents you from being investigated, but a clear conscience is a joy forever. That doesn't mean you don't need to protect yourself. There's tons of creative and intelligent strategies and technologies to help your cause. I just wanted to give my two cents on the "common wisdom" because, as usual, it isn't correct.
-
2016-01-28 at 9:23 PM UTC
Don't be silly.
Your box -> Hidden VeraCrypt Volume -> Favorite distro in VM -> TOR -> Anonymous VPS paid in crypto -> scripts/tools -> target. -
2016-01-28 at 10:54 PM UTC
Don't be silly.
Your box -> Hidden VeraCrypt Volume -> Favorite distro in VM -> TOR -> Anonymous VPS paid in crypto -> scripts/tools -> target.
This doesn't really address my point at all seeing as you're talking about a pretty decent set-up. The average person isn't using that many layers of anonymity, which is what I was talking about. Using a VPN and TOR was the discussion at hand, which in and of themselves don't leave people as anonymous as most of them think they are. I've even heard this kind of talk in tinychat where people think they're invincible because they're on TOR.
Also I don't use VeraCrypt.
I'm pretty happy with my setup.
-
2016-01-28 at 11:47 PM UTC
This doesn't really address my point at all seeing as you're talking about a pretty decent set-up. The average person isn't using that many layers of anonymity, which is what I was talking about. Using a VPN and TOR was the discussion at hand, which in and of themselves don't leave people as anonymous as most of them think they are. I've even heard this kind of talk in tinychat where people think they're invincible because they're on TOR.
Also I don't use VeraCrypt.
I'm pretty happy with my setup.
Sorry I didn't read your post entirely, in any event though, if people don't opsec, that's their problem not mine.
-
2016-01-28 at 11:57 PM UTC
Sorry I didn't read your post entirely, in any event though, if people don't opsec, that's their problem not mine.
Yeah basically.
Hey I thought everyone was staying away from Veracrypt? -
2016-01-29 at 12 AM UTC
Yeah basically.
Hey I thought everyone was staying away from Veracrypt?
Nope that's TrueCrypt. -
2016-01-29 at 12:26 AM UTC
What's wrong with TrueCrypt?
-
2016-01-29 at 1:43 AM UTC
Interesting turn of discussion. Would you say that security is a spectrum and while protecting yourself against your nosy neighbor-skiddie at home or asshole-sysadmin at work is a bit different than protecting yourself against an enemy with relatively infinite resources compared to you (state sponsored)?
I try to keep myself secure against skiddies. Anything else - I'm not qualified enough to do with any degree of certainty. It's stuff like this -> http://www.wired.com/2013/07/nsa-cracked-kryptos-before-cia/ (NSA deciphered something that the CIA was working on to decipher years before the latter - but they didn't say they did) why I can't have any reasonable degree of certainty.
-
2016-01-29 at 1:58 AM UTC
What's wrong with TrueCrypt?
Development for TrueCrypt stopped in early 2014 after it was endorsed by Edward Snowden and the group actively encourages you to switch to more secure software. TrueCrypt is open source. I thought I had heard that VeraCrypt was also bad news but I'll have to check that again now.
Interesting turn of discussion. Would you say that security is a spectrum and while protecting yourself against your nosy neighbor-skiddie at home or asshole-sysadmin at work is a bit different than protecting yourself against an enemy with relatively infinite resources compared to you (state sponsored)?
I try to keep myself secure against skiddies. Anything else - I'm not qualified enough to do with any degree of certainty. It's stuff like this -> http://www.wired.com/2013/07/nsa-cra...os-before-cia/ (NSA deciphered something that the CIA was working on to decipher years before the latter - but they didn't say they did) why I can't have any reasonable degree of certainty.
The NSA and American government's major tactic is misinformation. It works in their favor to get people to believe that they're peeking through every webcam, listening to every phone call, and browsing everyone's internet traffic to see what we're looking at. The reality is that they do not have the resources or competence to accomplish anything to this scale. This is not to say that their power should be taken lightly but, to answer your question, the same principles apply in either scenario. Whether you're protecting yourself from nosy neighbors, protecting your identity when making online purchases, or even just want to protect the sanctity of your email, you can employ many of the same tactics to the same result. Believe it or not, there have been many cases where the law enforcement confiscates computer equipment that they cannot analyze or do not know how to use.
The question is what lengths you want to go to in order to protect your information. I think calling it a spectrum is a good idea, because you're always just adding layers. I go to some pretty obscene lengths to protect my data and identity simply because I find computer science interesting (and I also don't want people finding out who I am).
I guess what I'm saying is don't underestimate the power of a curious, intelligent person who knows their way around a computer. All the highest paid agents in the world with the best resources still can't hold a candle to really good principles of opsec. -
2016-01-29 at 2 AM UTC
For me, there's also an element of "fuck you, big brother." There's a mass informational campaign out there to get Americans afraid of the all seeing eye, and implementing really good electronic security measures allows me to exercise my freedom in a way that's kind of liberating.
I mean, I've got some cool shit here. -
2016-01-29 at 1:08 PM UTC
Development for TrueCrypt stopped in early 2014 after it was endorsed by Edward Snowden and the group actively encourages you to switch to more secure software. TrueCrypt is open source. I thought I had heard that VeraCrypt was also bad news but I'll have to check that again now.
http://www.pcworld.com/article/2987439/encryption/newly-found-truecrypt-flaw-allows-full-system-compromise.html
Just one of 100 articles like that discussing various TrueCrypt vulnerabilities.
-
2016-01-29 at 3:09 PM UTC
http://www.pcworld.com/article/2987439/encryption/newly-found-truecrypt-flaw-allows-full-system-compromise.html
Just one of 100 articles like that discussing various TrueCrypt vulnerabilities.
So what do you think about just encrypting your drives when you install the Linux Distro and adding a 35+ character password? What if I already did this, should I encrypt it again through VeraCrypt? Suppose I already encrypted my home folder, my drive, and put a 17+ character password to lock my HDD.
Speaking of OS encryption, believe it or not, for a while one of the strongest encryption algorithms was actually in Windows XP! It's outdated now, but many Cyber Forensics textbooks (as recent as 2008) explore the difficulties of trying to recover data encrypted through Windows XP's cipher command. Not a lot of people knew about it, but you could encrypt stuff very easily right through your command line prompt.
Anyway, this kind of brings me to my point about cryptography. The computers of today can break (many of) the encryptions of yesterday's computers somewhat easily. You have to keep up with Cryptography in order to make it useful and, if that algorithm gets compromised, your data is vulnerable. This is easy to keep up with, but that assumes you have access to your computer.
I can't find the article, but there was a dude who got arrested for a computer that was confiscated over 14 years ago. They took over a decade to break the encryption, but as technology progressed, he didn't have it in his hands to do anything about it.
My point is that cryptography is an old workhorse and has proven itself to be very useful, but it's not my end-all-be-all of data security. It's more like my last line of defense.
Also check this out for laughs
-
2016-01-29 at 4:31 PM UTC
So what do you think about just encrypting your drives when you install the Linux Distro and adding a 35+ character password? What if I already did this, should I encrypt it again through VeraCrypt? Suppose I already encrypted my home folder, my drive, and put a 17+ character password to lock my HDD.
Can't have enough encryption lol. But I take it you mean encrypting your Linux install during the installation process?
-
2016-01-29 at 4:45 PM UTC
Can't have enough encryption lol. But I take it you mean encrypting your Linux install during the installation process?
Yeah basically.
I overwrote existing disk space and then selected the encrypt option when installing my distro. Afterwards I created a temporary user, logged in, encrypted my home folder, logged into my user account, deleted the temp user and destroyed the logs.
Then I toyed around and changed the splash screen and stuff.
I have a math exam I've been studying for so I haven't been paying as much attention to my computers. I plan on installing VeraCrypt tonight if I don't wind up seeing this MILF tonight. -
2016-01-29 at 4:48 PM UTC
Yeah basically.
I overwrote existing disk space and then selected the encrypt option when installing my distro. Afterwards I created a temporary user, logged in, encrypted my home folder, logged into my user account, deleted the temp user and destroyed the logs.
Then I toyed around and changed the splash screen and stuff.
I have a math exam I've been studying for so I haven't been paying as much attention to my computers. I plan on installing VeraCrypt tonight if I don't wind up seeing this MILF tonight.
Sure thing, like I said, the more encryption you have the better you frustrate forensic efforts. In my opinion VeraCrypt is one of the best encryption tools out there and I would recommend looking into it for sure.