How to Vanish Online - Defeating/Obfuscating computer and network forensics

Feb 2, 2011 06:29 PM

Long story short, there is no way to leave no fingerprint on the internet, because once your traffic leaves the network you control you have no visibility into, and no control over, what happens to it: logging, sniffing, retention and so on. That is the reason for the dragons theme of this article. "Here be dragons" was a medieval practice of writing that text in the blank areas of maps that had not been explored. In my opinion it applies equally well to the cloud (the internet), because a user has no real idea what is being done with their data, and little if any control over it, once it is out there.

The point of this writing is not to beat into your head the importance of not being an idiot about general internet privacy. Honestly, I have enough problems of my own and don't much care about yours personally; but faced with the sheer number of all the collective "yous" out there, I obviously care enough to take time out of my schedule to sit down and write this up in an attempt to help you out.

That’s right, I’m awesome. No need to email me to confirm. I know. Thanks though.

Moving right along...

You may or may not be aware of the growing number of ways that various interested parties compile your information: your general geographic location, what web browser and operating system (and version of each) you use, your internet provider, the language you read, the sites you visit, and how, how often and at what time you visited them.

Of course that doesn't count what you've done yourself: uploaded a picture, put your full name and address in a web form or email, confirmed something with your birthday, bought something with your credit card number, entered your phone number, and so on.

For the sake of brevity, let's just say that it's probably possible to pull your entire life off the internet if someone or some organization really wanted to. And also for the sake of brevity, let's just say I think that's bullshit, which is why I'm going to tell you how to become a ghost of the net.

Before I go any further, I need to make this next point very clear:

This is in no way foolproof. There is a good chance that information about you that is already being stored will never go away, regardless of the stated retention period before the data is "destroyed", simply because of caches, redundancy and backups, but I can neither confirm nor deny that. So this is not a golden hacker ninja tutorial, but rather a method of REDUCING your computer and online footprint, specifically reducing the ability to trace your activity. I'll go over it as well as I can, in as simple terms as possible. Also, don't use any of this advice to do anything malicious or illegal, or anything else that could possibly get me, you, or anyone or anything else into any sort of trouble. If you do, you're an asshole. There, I said it.

Ok, so now that I covered my butt, let’s get down to business.

There are only a few ways to trace or track the activity of a computer. It really breaks down into two categories: physical (meaning within the machine itself) and network (any communications done within the local network or out on the internet). Each of those categories can be broken down further. Remember, this is just a general breakdown.

Physical:

HDDs (hard disk drives)

DRAM/SRAM

Network:

Router/switch logs

Ethernet

TCP/IP

The Internet (remote location server logs)

As you can see, there aren’t many ways to pull information from a system in the grand scheme of things.

I’m going to briefly gloss over each area and explain what "fingerprints" are left, why they are left there and how to avoid them being left there to the best of my ability.

Let's start with HDDs (hard disk drives).

Most people, even self-proclaimed "computer illiterates", are usually aware that hard drives save things. What you may not be aware of is just how much is being saved. Many operating systems and other programs write quite a bit of information to your hard drive in the background without the user being aware of it (swap and hibernation files, caches, temporary files, crash dumps, "recently used" lists). This data is generally there to make the system or software run more smoothly and for convenience, such as protecting a user from accidentally deleting their files or recovering from a software crash.

More to the point, deleting a file doesn't necessarily mean it's gone. Most operating systems don't actually remove the contents of a file when you delete it; they simply remove the file's entry from the file system and mark the space it occupied as free to be written over if and when needed. The actual data is still there, just invisible to the end user, and any forensic tool that reads the raw disk (this is called carving) can find it. This is done mainly because it takes less work on the part of the operating system and is therefore faster. Even once the operating system DOES write over the blocks of that deleted file, you'll hear that it can still be recovered, at much higher cost, by disassembling the drive and reading the platters directly in a lab. Treat that claim with caution: for modern high-density drives no practical recovery of overwritten data has been demonstrated, and the usual guidance (for example NIST SP 800-88) is that a single complete overwrite is adequate for a magnetic disk. I say "most" because I haven't come across a system where deleted files or partitions could not be recovered (my experience is limited to Windows and Linux) and therefore believe this applies to the majority of operating systems out there. That's not to say there aren't some that behave differently, just that I haven't run across them personally.
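To make that concrete, here is a toy file system in Python. It is an added example, not part of the original article, and it behaves the way the paragraph above describes: delete() only drops the directory entry, a raw scan of the medium (what forensic tools call carving) still finds the contents, and only an overwrite, either by reuse of the freed blocks or by a deliberate shred, removes them. The block size, the ToyDisk class and the sample "notes.txt" contents are all constructed for the demo.

```python
import os
import re

BLOCK = 64  # toy block size in bytes; real file systems use 4 KiB and up


class ToyDisk:
    """A flat 'disk' with a directory table and fixed-size data blocks.

    Constructed for illustration. delete() behaves like an ordinary rm: it
    forgets the name and frees the blocks but never touches the bytes.
    """

    def __init__(self, blocks):
        self.media = bytearray(BLOCK * blocks)   # the raw medium
        self.free = list(range(blocks))          # free block numbers
        self.directory = {}                      # name -> (size, [blocks])

    def write(self, name, data):
        needed = -(-len(data) // BLOCK)          # ceiling division
        if needed > len(self.free):
            raise OSError("disk full")
        blocks = [self.free.pop(0) for _ in range(needed)]
        for i, b in enumerate(blocks):
            chunk = data[i * BLOCK:(i + 1) * BLOCK]
            self.media[b * BLOCK:b * BLOCK + len(chunk)] = chunk
        self.directory[name] = (len(data), blocks)

    def read(self, name):
        size, blocks = self.directory[name]
        raw = b"".join(bytes(self.media[b * BLOCK:(b + 1) * BLOCK]) for b in blocks)
        return raw[:size]

    def delete(self, name):
        """Ordinary deletion: drop the entry, mark blocks reusable, data stays."""
        _, blocks = self.directory.pop(name)
        self.free = blocks + self.free           # freed blocks get reused first

    def shred(self, name, passes=1):
        """Overwrite the file's blocks in place before deleting (what shred(1) does).

        On flash media with wear levelling the 'in place' part is not
        guaranteed, which is why an overwrite is not a cure-all there.
        """
        _, blocks = self.directory[name]
        for _ in range(passes):
            for b in blocks:
                self.media[b * BLOCK:(b + 1) * BLOCK] = os.urandom(BLOCK)
        self.delete(name)


def carve(media, pattern):
    """Forensic carving: ignore the directory and scan the raw medium for a pattern.

    Returns the byte offsets at which the pattern occurs.
    """
    return [m.start() for m in re.finditer(re.escape(pattern), bytes(media))]


def demo():
    """Walk through delete -> carve -> reuse; returns both carve results."""
    secret = b"account=alice;password=hunter2;"      # constructed sample data
    disk = ToyDisk(8)
    disk.write("notes.txt", secret)
    disk.delete("notes.txt")
    after_delete = carve(disk.media, b"password=")    # still on the medium
    disk.write("other.txt", b"x" * BLOCK)             # reuses the freed block
    after_reuse = carve(disk.media, b"password=")     # gone once overwritten
    return after_delete, after_reuse


if __name__ == "__main__":
    print(demo())  # ([14], [])
```

The deleted "notes.txt" is invisible to the directory but its password is found at byte offset 14 of the raw medium; it disappears only when the block is overwritten, either by the next file written or by shred(). That is the whole difference between "deleted" and "gone".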

So then, what’s a paranoid party to do about this?

There are quite a few ways to try to keep your information from being pulled off the hard drive of your computer: encryption, overwriting, degaussing, and so on. You can also go for the gold and physically destroy the disk, but that's harder than you'd expect. Data has been recovered from hard drives that spent three months at the bottom of a lake and from drives thrown into a campfire.

Encryption seems simple enough, but it can be bypassed by cold boot attacks (we'll get into that later) and other methods that get at the key while the machine is running.

Overwriting can work as well, but some areas of the disk may never get written to (remapped bad sectors and the like), it takes a long time depending on the size of the drive, and people often insist on several passes. On flash media (SSDs, USB sticks) there's a further problem: the drive's wear levelling decides where a write physically lands, so overwriting a file in place doesn't guarantee the cells holding the old data are ever touched.

Degaussing is basically messing with or removing the magnetic field of a disk drive. A degausser is a tool built specifically to purge a hard drive. The NSA (National Security Agency) uses them, so it must be good. Note that a properly degaussed drive is also a dead drive, since the servo tracks it needs to operate are gone with the data, and that degaussing does nothing at all to flash media.

So what’s the final verdict? The safest bet to be sure no one can access the data on your hard drive?

I hope you read this far before you ran out and bought that degausser.

The "best" solution is to not use a hard drive at all.

Surprise!

I suggest using a live disc.

A live disc is a CD or DVD containing a bootable operating system. Live CDs are interesting in that they can run a complete operating system on a computer without any secondary storage such as a hard drive: the files that would normally live on a hard drive are loaded into the computer's RAM instead, and the disc itself is read-only, so nothing you do can be written back to it. (This isn't case closed quite yet, folks; we'll get into RAM attacks and how to avoid them in a moment.)

There are live USB flash drives as well, but they can be written to (many offer "persistence" for exactly that reason), and anything with write access is potentially something information can later be pulled off of. Let me also be clear that live discs, while usually running Linux, can also run Windows; a popular example is BartPE.

So let’s recap:

First place data can be obtained from: the hard drive.

Solution:

Don't use a hard drive (see: live disc)

Ok then, as promised let's move on to RAM, particularly DRAM.

DRAM stands for dynamic random access memory, and it is the main memory used in personal computers and laptops. DRAM stores each bit of data in a separate capacitor within an integrated circuit. Since capacitors leak charge, the stored information eventually fades unless the capacitor's charge is refreshed, or unless the chip is put into a state where the leakage is slowed, which is what happens at colder temperatures.

Most people will tell you that DRAM, being volatile memory, is cleared when the computer is powered off. That's almost true: it will EVENTUALLY be cleared. The reality is that there's a window during which the contents of DRAM can still be read after power is removed.

Allow me to clarify. A fellow admin at informationleak reviewing this article (H4z3) mentioned (and I quote)

Quote:

Good point, sir. That "stepping on an ant" bit is a perfect analogy... well, almost perfect. It's more like stepping on the abdomen and thorax of an ant but not the head, causing it to not die immediately but rather live for maybe about 30 seconds after being stepped on in such a manner, which gave us some time for a field interrogation. "HEY ANT, WHERE IS YOUR QUEEN?!" Of course if we require more information from this horribly wounded ant, we can't allow it to die. Well, not in 30 seconds at least, so we keep it in a cryogenic (frozen) state in order to keep it alive for as long as possible while we examine it and continue questioning "WAS THE ATTACK ON OUR PICNIC A CRIME OF CHANCE OR PREMEDITATED?!" I hope you were able to look past the lunacy of that explanation and that it helped you better understand or fortified your understanding.

So back to being able to access DRAM memory after the machine has been powered off...

Holy crap.

Yeah, that's pretty crazy, but the retention window is relatively small, usually in the seconds to minutes range, and when I say minutes I mean a couple of minutes, maybe two or three, at room temperature. As I alluded to earlier, those times depend on temperature. More on that in a moment.

This somewhat lesser-known attack is called a "cold boot attack". It is used to recover cryptographic keys from memory and, with the keys in hand, to unlock encrypted hard drives.

Wait a second. Didn’t we just determine that we weren’t even going to use a hard drive?

We sure did. I mention it because what it all comes down to is that even though there are no traces of activity on the computer's hard drive (if a hard drive is even physically present), the same or similar information could be captured from DRAM using this method if the computer is still on or was recently turned off, which is no good for the intents and purposes of this article.

I mentioned earlier that keeping the hardware cool can reduce the data leak rate and significantly add to the time frame that this type of exploit is feasible. It turns out that

Quote:

That’s a word for word description from one of the researchers that found this exploit.

It's also been shown that even once bits start to fade from DRAM they can be reconstructed for a time, because they decay in a predictable manner: each cell drifts toward a known ground state, which lets a partly faded key be error-corrected back to the original.

So how do we easily circumvent this from happening? I’m sure you already know.

Simply power off the device, that's all. Sleep mode won't save you in this instance, folks, since sleep keeps the RAM powered precisely so that its contents survive. Note that powering off starts the clock on this attack rather than ending it: the point is that the machine is off, and has been for a few minutes, before anyone else can lay hands on it.

I would suggest using a laptop with that live disc, ideally running without a battery if possible. With a laptop you're less likely to want to keep the machine powered on unless you are actively using it, and with no battery the simple act of pulling the power cable cuts power to the DRAM and the data starts to leak away immediately. The RAM is also rather easy to get at in most laptops, so having the access panel open or easily opened (screws out) lets you pull the modules and snap them, which reduces any chance of recovering information from them to almost nothing. Of course, you'll likely get some nice burns on your fingers from such actions. RAM gets hot.

We seem to have now covered that:

Data from a running session can be obtained from RAM.

Solution:

Power down, only power the machine when it's actively in use, and when in a bind remove and snap the modules to reduce any chance of data recovery to pretty much nothing.

Well, we're halfway home. We've done a pretty good job of making sure our computer contains no traces of our information or activity. How awesome is that? I would congratulate you at this point, but remember that a pat on the back is just a few inches from a kick in the ass, and we're about to get to the heavy stuff.

Welcome to the network.

You may know of a few commercial services that offer to do what we're about to cover. I've never used any of them, so I can't personally vouch for how reliably they handle your identity or how well they obfuscate your information and location. Sadly, that's all I can say about that. Let's move on.

There are a few things we can start off by saying about networks. First of all, we need to differentiate between an internal and an external network. For the purposes of this article, the internal network means everything up to the last device you control before the modem (your router or switch, or on a leased line the CSU/DSU). The external network means everything from the modem (inclusive) out into the web.

It should also be noted that unlike data on physical media like hard drives, network data is generally volatile and transient: once a packet has been transmitted it is, for all intents and purposes, gone, unless something along the way captured or logged it, which is what the rest of this section is about.

I'd like to take a moment here to insert yet another thing to ponder: the pros and cons of using your own network versus someone else's (for example, connecting to a wifi signal). Again, there are many reasons for and against each, but I'd like to quickly summarize some of the major points:

Using your own Network:

Pro: You control your network. You can disable logging. You can configure encryption and identity-obfuscation tools and protocols such as IPsec. You can monitor and secure the network against attacks such as MITM (man in the middle) or other data-capturing attacks.

Con: The trail ends at your network. If all else fails and your traffic is traced back, it is traced back to you.

Using another Network:

Pro: Especially over a wireless connection, the trail ends at THEM (the network you are on) and not at YOU as an individual.

Con: You have no idea what logging and security measures are in place. You don't know if, or how (i.e. by what methods), your traffic is being monitored. You cannot (to a degree) control the protocols, encryption and configuration used on the network.

Now then, that being said, you'll notice the rest of this is geared more towards using other people's networks, simply because for the purposes of this article it's wise to know the logging methods in use and how to overcome them.

There are a few ways of capturing network information, and they boil down to capturing and examining ALL traffic or capturing and examining TARGETED traffic. Most of the time it's the latter we're dealing with, simply because capturing every packet on a network requires enormous storage and can add significant latency, which is not very cost effective. Even where all traffic is captured regularly, it's usually kept on a cyclic backup, meaning the medium is rotated every X amount of time (usually weekly). This is fairly common with general data backups as well. What this means is that if something happens on a Tuesday and goes unnoticed until the following Wednesday, the capture of whatever happened last Tuesday has been overwritten. Of course larger corporations usually don't rely on this weekly purge, but many small to medium sized businesses do. Keep in mind, though, that full packet capture isn't the only record: flow logs (NetFlow and the like), DHCP leases, wireless association logs and firewall logs are tiny by comparison and are routinely kept for months, and they record exactly the things this section is about, namely which address (and, on the local network, which MAC) talked to what and when.

Anyway, networks are intricate things and I could write an entire book on this section alone. I'm certain many already have, because I've read several myself, so there's no point in covering everything in depth here. I'll concentrate on the simplest way to get past these logging attempts.

Since we cannot manipulate the data once it has left our hands, we're forced to obfuscate it. The general idea being that the only thing better than leaving no information is leaving useless information.

Great… So how does one go about doing that?

Without going into great detail on the workings of a network, the first thing needed to connect to a network is a NIC (network interface card). NICs can be wired or wireless. Each NIC has a number burned into it that identifies it, called a MAC (media access control) address. In network forensics this can be used to trace a connection back to the machine of origin (DHCP and switch logs record it) and, via the MAC's OUI (organizationally unique identifier), its first three bytes, at least to the manufacturer of the card.

Ok, I hear you saying "Seriously, what's with all the acronyms? Can you speed this up?"

My answer is "No. Shut up and pay attention."

As I was saying, the OUI identifies the organization that manufactured the NIC. It could in theory be traced to the manufacturer and from there, via sales records, to whoever purchased it. Note that the MAC only travels as far as the local network segment: the router that sends your traffic onward replaces it with its own, so nothing beyond your local network ever sees it.

Lucky for us, it is possible to change the MAC address on most modern NICs, which is called MAC spoofing. There are several ways to do it and articles on how are readily available, so in the interest of keeping this from becoming any more of a novel than it already is, I'll just say to look into it (on Linux it's a single ip link set dev <interface> address <mac> command, or the macchanger tool). A word on choosing the address, though: pick a locally administered unicast address, meaning the second-lowest bit of the first byte is set and the lowest bit is clear (02:xx:xx:xx:xx:xx, 06:..., 0a:..., 0e:... and so on). That tells the world "this address was assigned by hand, no vendor OUI applies", which avoids collisions with real cards. Do not set the lowest bit of the first byte (01:..., 03:... and so on): that marks the address as multicast, which is never valid as a source address and which drivers and switches may refuse or mishandle. The point about obviously fake addresses stands, though: chasing one is usually not worth anyone's time, much like a security camera catching someone wearing a mask. Just make sure the fake is a valid one.

So we've concluded that spoofing your NIC's MAC is a good idea in terms of hiding some of your information, but having gone this far we may as well take it to the next level and also use a NIC bought with cash or otherwise obtained with no paper trail, in conjunction with spoofing. Replacing or using a different NIC than the built-in one is simple, and they're so cheap these days it's almost silly not to. It also helps that since MAC spoofing works at the software level while the NIC's real MAC lives in hardware, there's no clear path from the fake MAC back to the machine you were using when running a live disc, since all of that state is gone once the machine is powered down. Sure, there may be software on the disc that allows MAC spoofing, but no way to prove it was done from that machine.
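Here is a small Python check, added for this article and not something the original provided, for telling a safe spoofed address from a bad one. It parses a MAC, reports the two flag bits in the first byte, and generates a random locally administered unicast address. It also shows why an address such as 01:10:02:20:03:ab, whose first byte has the lowest bit set, is a poor choice: that bit marks a multicast address, which is never valid as a source. The other candidate addresses are constructed.

```python
import os


def parse_mac(mac):
    """Split a colon-separated MAC into six integers; ValueError if malformed."""
    parts = mac.strip().lower().split(":")
    if len(parts) != 6 or not all(len(p) == 2 for p in parts):
        raise ValueError(f"not a MAC address: {mac!r}")
    try:
        return [int(p, 16) for p in parts]
    except ValueError:
        raise ValueError(f"not a MAC address: {mac!r}") from None


def format_mac(octets):
    return ":".join(f"{o:02x}" for o in octets)


def classify_mac(mac):
    """Report what the two flag bits in the first byte say about an address.

    Bit 0 (value 1): the I/G bit. 1 = group (multicast/broadcast) address,
    which can never be a valid source address on an interface.
    Bit 1 (value 2): the U/L bit. 1 = locally administered, i.e. assigned by
    hand rather than from a vendor's OUI, so no vendor lookup applies.
    """
    octets = parse_mac(mac)
    first = octets[0]
    multicast = bool(first & 0x01)
    local = bool(first & 0x02)
    return {
        "multicast": multicast,
        "locally_administered": local,
        "oui": format_mac(octets[:3]),   # only meaningful when not local
        "ok_for_spoofing": local and not multicast,
    }


def random_local_mac(rng=os.urandom):
    """Random locally administered unicast MAC: U/L bit set, I/G bit clear."""
    octets = list(rng(6))
    octets[0] = (octets[0] & 0xFC) | 0x02
    return format_mac(octets)


if __name__ == "__main__":
    for candidate in ("01:10:02:20:03:ab", "02:10:02:20:03:ab", random_local_mac()):
        print(candidate, classify_mac(candidate))
```

On Linux the change itself is three commands, with the interface name assumed: ip link set dev wlan0 down, ip link set dev wlan0 address <the generated MAC>, ip link set dev wlan0 up. Run the check first; an address the kernel refuses, or one that collides with a real card on the same segment, draws exactly the attention you are trying to avoid.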

Of course, even though at this point we can only be traced back to something useless, we've only covered the "where" part of the equation. We now need to cover the "what", meaning what we're doing. This is done easily enough with encryption. Most modern encryption is incredibly hard (note I never use the word impossible) to break. By encrypting our network data (GPG for files and mail, SSH or TLS/HTTPS for connections, with a cipher such as Blowfish or AES inside them, depending on what we're doing and which programs we're using), even if we are being actively sniffed (monitored on the network) the packets cannot be decoded, which further helps our stealthy agenda. Note what encryption does not hide: who you're talking to and when, since the addresses, timing and sizes of the packets remain visible.

This leaves us able to traverse through the internal network without any readily traceable identifiers. Sweet.

Now we move on to dealing with those aforementioned dragons in the cloud.

Once we've pushed our way out of the internal network and into the world wide web, we have really just entered the very lair of the dragon, except that it's not one dragon's lair but many lairs we pass through one after the other, each with another dragon or dragons in it.

How do we defend ourselves against each lair? It’s easy to remember:

You defeat lairs with layers.

Ok, so that was a cheesy play on words, but using layers remains one of the best ways to hide where you are and, to an extent, what you're doing.

The layers I refer to are part of a technique called onion routing. If you haven't guessed it yet, I'm talking about Tor. For those who haven't, I suppose I should give a (very) brief explanation of what Tor, and more importantly onion routing, is.

As we learned in the movie Shrek, onions, like ogres, have layers.

Here’s that brief explanation I promised:

Tor runs a local proxy (a SOCKS proxy) on the computer using it, and your applications send their traffic through that proxy. (Relaying traffic for other Tor users is a separate thing you opt into by running a relay; merely using Tor doesn't do it.) The client picks a path through the Tor network, called a circuit, of normally three relays, and wraps each chunk of traffic in multiple layers of encryption, one per relay. Each relay strips off its own layer, learns only the next hop, and forwards the rest; at the final relay (the exit node) the last layer comes off and the traffic leaves into the cloud (aka the internet) from that exit's address.

So to simplify that:

Basically it bounces your data through several relays before it reaches the net. Your client knows the whole path, but no single relay sees both where the traffic came from and where it's going: the first relay knows your address but not the destination, and the exit knows the destination but nothing about you. From the destination's point of view, your traceable IP address is the exit node's.
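To make the layers concrete, here is a toy onion-routing simulation in Python. It is an added example, not Tor's code: three relays (guard, middle, exit), a stream cipher stand-in built from SHA-256 (symmetric but not secure), and keys that are simply pre-shared rather than negotiated per hop as Tor actually does while building a circuit. It builds the layered blob the way the client would, then peels it relay by relay and records exactly what each relay could see. The relay names, keys, destination and HTTP request are all constructed.

```python
import hashlib

HOP_FIELD = 16  # fixed-width next-hop name inside every layer


def keystream_xor(key, data):
    """Toy symmetric cipher: XOR with SHA-256(key || counter) blocks.

    Stand-in for the AES-CTR Tor uses; the same call encrypts and decrypts.
    No integrity protection and a counter that restarts at zero per key,
    so it is for illustration only.
    """
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def wrap_layer(key, next_hop, inner):
    """Add one layer: encrypt [next-hop name][inner bytes] under this hop's key."""
    header = next_hop.encode().ljust(HOP_FIELD, b"\0")
    return keystream_xor(key, header + inner)


def unwrap_layer(key, blob):
    """What one relay does: strip its layer and learn only the next hop."""
    plain = keystream_xor(key, blob)
    return plain[:HOP_FIELD].rstrip(b"\0").decode(), plain[HOP_FIELD:]


def build_onion(path, destination, request):
    """Client side. path = [(name, key), ...] ordered entry -> exit.

    The exit's layer goes on first and each earlier hop wraps everything
    after it, so the entry relay peels the outermost layer.
    """
    exit_name, exit_key = path[-1]
    blob = wrap_layer(exit_key, "EXIT", destination + b"\n" + request)
    for (_, key), (next_name, _) in reversed(list(zip(path[:-1], path[1:]))):
        blob = wrap_layer(key, next_name, blob)
    return blob


def route(relays, entry, onion):
    """Simulate the relays; return, per hop, what that relay could observe.

    Non-exit relays see who handed them the blob, whom to pass it to, and
    an opaque blob. The exit sees the destination and the request in the
    clear, which is exactly where sniffing becomes possible.
    """
    seen = []
    prev, current, blob = "client", entry, onion
    while True:
        next_hop, inner = unwrap_layer(relays[current], blob)
        if next_hop == "EXIT":
            destination, request = inner.split(b"\n", 1)
            seen.append({"relay": current, "from": prev,
                         "to": destination.decode(), "cleartext": request})
            return seen
        seen.append({"relay": current, "from": prev, "to": next_hop,
                     "blob": inner})
        prev, current, blob = current, next_hop, inner


# Constructed demo network: keys are pre-shared here purely for illustration.
RELAYS = {"guard": b"guard-key", "middle": b"middle-key", "exit": b"exit-key"}
PATH = [(name, RELAYS[name]) for name in ("guard", "middle", "exit")]
REQUEST = b"GET / HTTP/1.0\r\nHost: example.org\r\n\r\n"


def demo():
    onion = build_onion(PATH, b"example.org:80", REQUEST)
    return route(RELAYS, "guard", onion)


if __name__ == "__main__":
    for hop in demo():
        print(hop["relay"], "from", hop["from"], "to", hop["to"],
              "sees", hop.get("cleartext", b"<opaque blob>"))
```

The guard sees "client" and "middle" and an opaque blob; the middle sees "guard" and "exit" and an opaque blob; only the exit sees example.org:80 and the plaintext request. That last line of output is the dragon at the exit node: anything not encrypted end to end with the destination is readable right there.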

Of course, there are always issues with anything, so it's possible for the traffic to be sniffed at the endpoint (exit node): it leaves Tor in whatever form you sent it, and if the connection isn't encrypted end to end (HTTPS, SSH) the exit sees it in the clear. DRAGON ALERT! That's why we're going to add another layer to this situation to further protect ourselves, but before we go into that I'd like to pause for a moment to clarify something.

At some point your data is going to cross the internet from somewhere traceable, and unless it's encrypted end to end with the destination, unencrypted too. Even if the information being sent readily identifies WHO you are (social network account, personal blog, email, etc.), we can at least make it difficult to determine WHERE you are. This matters because the difference between who and where is important: to prove who, it's usually necessary to prove where as well.

Wait, what?

More simply put, from a forensics standpoint it isn't readily provable that YOU logged into that email account or whatever, even if it is "yours". Using an email account as an example, all that's provable (from the provider's logs) is that SOMEONE, or even something, in the case of a program, logged into that account, at what time, and from where (IP address). Remove the "where" from that last sentence and you begin to realize that tracking an address to a dead end is akin to not tracking at all.

Imagine if a helicopter dropped someone off in the snow and picked them back up again a few minutes later and you had to track them down using only their footprints. The footprints start and end abruptly. From the trackers standpoint, now what? How do you track that person? The answer is simply that you can’t. You know there was someone there, and that they went so far, but where they came from and where they went are unknown. That’s about as simple as I can explain it.

Back to Tor for the time being, and let's finish up what we started.

What we need to do once we exit the Tor network is to hide just a little bit more because there may be a dragon sniffing at the endpoint/exit node.

This is done by proxy chaining.

The best method I've used for this, in my opinion, is JonDo (the JonDonym client). It forwards your data through multiple servers (a "cascade") over multiple encrypted connections to further hide your IP address, much like Tor. What's neat about it is that it uses mostly European-based servers and that you can pick and choose the cascade you use, so you can presumably tweak for speed, for the number of servers to bounce through, and even for trust, if you or someone you know and trust is running one of the servers. You can't really pick and choose like that with Tor: its relays are publicly listed, but the client chooses the path for you (torrc options such as ExitNodes let you constrain it, at some cost to anonymity).

So why are European servers so great? Since the Communications Assistance for Law Enforcement Act of 1994 (CALEA), US carriers have been required to build lawful-intercept capability into their networks, so domestic traffic, including what comes out of a US-based Tor exit node, can be tapped on request. Guess what isn't domestic traffic? If you guessed a plethora of servers in other countries, you'd be right. Add the red tape of navigating different countries' laws and law enforcement agencies, plus the fact that most JonDo operators have voluntarily chosen not to keep logs anyway... well...

...lets just say the end result is that you are basically nobody twice.

A slow nobody.

All this bouncing around causes latency and you will certainly notice.

Speed is the price you pay for a level of anonymity.



So, to recap, you can obfuscate your computer, network and online footprint rather well by using a laptop with a live disc and no HDD to mitigate the risk of local information being saved, a third-party NIC without a paper trail coupled with MAC spoofing, encryption, and the Tor and JonDo networks in conjunction with each other.

At this point I should wrap it up, but you may be asking yourself: how the hell am I supposed to get all that software onto a live disc?

This can be done as follows. I should note that I went over how to do it in Linux, so that the truly paranoid could presumably create a custom live disc from a generic one to keep their anonymity to a degree.

Honestly, I haven't tried creating a custom live disc from a generic one yet, but it sounds interesting, wouldn't you agree? Try it out before I do and let me know how it went and I'll update the article accordingly and award you +1 internets.

It should also be noted that for this example I'm using the latest release of Ubuntu at the time of writing (10.04). I'm using Ubuntu simply because that's the distro I'm most familiar with.

Lets do this.

$ sudo apt-get install squashfs-tools genisoimage

$ mkdir /tmp/livecd

$ sudo mount -o loop ~/Desktop/ubuntu-10.04-desktop-i386.iso /tmp/livecd

$ mkdir -p ~/livecd/cd ~/livecd/squashfs ~/livecd/custom

$ rsync --exclude=/casper/filesystem.squashfs -a /tmp/livecd/ ~/livecd/cd

$ chmod -R u+w ~/livecd/cd

$ sudo modprobe squashfs

$ sudo mount -t squashfs -o loop /tmp/livecd/casper/filesystem.squashfs ~/livecd/squashfs/

$ sudo cp -a ~/livecd/squashfs/. ~/livecd/custom

$ sudo cp ~/livecd/custom/etc/hosts ~/livecd/custom/etc/hosts.orig

$ sudo cp /etc/resolv.conf /etc/hosts ~/livecd/custom/etc/

$ sudo chroot ~/livecd/custom

# mount -t proc none /proc/

# mount -t sysfs none /sys/

# mount -t devpts none /dev/pts

# export HOME=/root

# export LC_ALL=C

At this point you can install or uninstall whatever you want, or update the image, whatever you feel inclined to do. (On an Ubuntu disc the compressed root file system lives in casper/; the chroot command is part of coreutils, so there is no separate package for it; and mkisofs is provided by the genisoimage package.)

Then clean house, so nothing from the build host ends up on the disc:

# apt-get clean

# rm -rf /tmp/* /root/.bash_history

# rm -f /etc/resolv.conf

# mv /etc/hosts.orig /etc/hosts

Then we prepare:

# umount /proc/

# umount /sys/

# umount /dev/pts

# exit

Then we repack:

$ sudo chroot ~/livecd/custom dpkg-query -W --showformat='${Package} ${Version}\n' > ~/livecd/cd/casper/filesystem.manifest

$ cp ~/livecd/cd/casper/filesystem.manifest ~/livecd/cd/casper/filesystem.manifest-desktop

$ sudo mksquashfs ~/livecd/custom ~/livecd/cd/casper/filesystem.squashfs

$ rm -f ~/livecd/cd/md5sum.txt

$ (cd ~/livecd/cd && find . -type f -print0 | xargs -0 md5sum | grep -v '\./md5sum.txt' > md5sum.txt)

$ cd ~/livecd/cd

$ sudo mkisofs -r -V "Ubuntu" -b isolinux/isolinux.bin -c isolinux/boot.cat -cache-inodes -J -l -no-emul-boot -boot-load-size 4 -boot-info-table -o ~/Desktop/Ubuntu-10.04-custom.iso .

$ sudo umount ~/livecd/squashfs /tmp/livecd

Well there you have it… that is, if you made it this far.

Thanks for reading and I hope you enjoyed it. Until next time…

Carpe System,

-Halla

